Thank you Lukas.
The issue, not being able to log in to some servers in our setup with ssh
keys, was due to incorrect permissions on the /usr directory, per the following
entry in /var/log/secure.

*sshd[12856]: error: bad ownership or modes for AuthorizedKeysCommand path
component "/usr"*

After setting the permissions for /usr to 755, I was able to log in to
these servers with ssh private keys.

Thank you again, Lukas, for your help.


On Fri, Sep 16, 2016 at 11:51 AM, Lukas Slebodnik <>

> On (15/09/16 11:46), Venkataramana Kintali wrote:
> >Hi Lukas,
> >ssh_config is also same on all servers.
> >Our need is to do it both ways, to be able to log in with ssh public
> >keys (uploaded in IPA) and disable password login, and be able to access
> >all hosts within the same IPA domain silently from any host.
> >Hoping the configs will help, I am including the configurations here.
> >
> >ssh_config file :
> >sshd_config file:
> >sssd_config file:
> >
> Looks good to me
> >I just used some placeholders for sssd_config file in pastebin instead of
> >actual values.
> >
> In initial mail you wrote:
> >I am able to login to some IPA clients but not able to login to other IPA
> >clients with putty using private key and passphrase.
> Therefore your previous test case is wrong.
> If you want to test authentication with public keys
> then you cannot obtain krb5 ticket with kinit.
> I would also recommend to call kdestroy before
> authentication with ssh to be sure that gssapi
> authentication will not be used.
> I would recommend to set "debug_level = 7" in domain and ssh section
> on the server where you would like to authenticate.
> then restart sssd and try to authenticate with ssh + verbose mode
> e.g. ssh -v
> Then I would recommend to compare logs from working server
> and from broken server.
> LS
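
Added example, not part of the original messages: a Python check that walks every component of a command path and reports the ones that would trigger an error like the one above. The rule it applies (owned by root, not group- or world-writable) is an assumption about what sshd checks, and `unsafe_components`, `demo` and `keys_helper` are hypothetical names.

```python
import os
import stat
import tempfile


def unsafe_components(path, trusted_uid=0, stop_at="/"):
    """Walk from path up to stop_at; return [(component, reason)] for failures."""
    current = os.path.realpath(path)  # symlinks are resolved before checking
    stop_at = os.path.realpath(stop_at)
    problems = []
    while True:
        st = os.stat(current)
        reasons = []
        if st.st_uid != trusted_uid:
            reasons.append(f"owner uid {st.st_uid}, expected {trusted_uid}")
        if st.st_mode & 0o022:  # assumed rule: no group/other write bit
            mode = stat.S_IMODE(st.st_mode)
            reasons.append(f"mode {mode:04o} is group- or world-writable")
        if reasons:
            problems.append((current, "; ".join(reasons)))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return problems


def demo():
    """Constructed tree <tmp>/usr/bin/keys_helper with a too-permissive usr."""
    with tempfile.TemporaryDirectory() as base:
        usr = os.path.join(base, "usr")
        helper = os.path.join(usr, "bin", "keys_helper")
        os.makedirs(os.path.dirname(helper))
        with open(helper, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(helper, 0o755)
        os.chmod(os.path.dirname(helper), 0o755)
        os.chmod(usr, 0o777)  # the misconfiguration
        me = os.geteuid()  # stand-in for root so the demo runs unprivileged
        before = unsafe_components(helper, trusted_uid=me, stop_at=base)
        os.chmod(usr, 0o755)  # the fix described in the message
        after = unsafe_components(helper, trusted_uid=me, stop_at=base)
        real_base = os.path.realpath(base)
        return [os.path.relpath(p, real_base) for p, _ in before], after


if __name__ == "__main__":
    print(demo())  # (['usr'], [])
```

On a real server, call `unsafe_components()` with the path configured as AuthorizedKeysCommand in sshd_config and the default arguments.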