Dear Team,

I am new to FreeIPA and GSS authentication, so maybe someone can shed some light on 
where the issue is when I perform the ssh below? Your help will be greatly 
appreciated!


host2$  ssh -F /home/user/config   u...@host1.example.com


I got the error below in audit.log on host1:

type=CRYPTO_SESSION msg=audit(1483753488.905:727): user pid=17872 uid=0 auid=6974 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 rport=36989 laddr=67.217.92.20 lport=22 id=4294967295 exe="/usr/sbin/sshd" (hostname=?, addr=10.22.6.70, terminal=? res=success)'
type=USER_ERR msg=audit(1483753489.839:728): user pid=17872 uid=0 auid=6974 msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=10.22.6.70, addr=10.22.6.70, terminal=ssh res=failed)'


where

host2$ more /home/user/config
Host *
    Protocol 2

    # Options for Protocol 1 only
    #RSAAuthentication no
    #RhostsRSAAuthentication no

    HostbasedAuthentication no
    PubKeyAuthentication no
    PasswordAuthentication no

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

    PreferredAuthentications gssapi-with-mic

    StrictHostKeyChecking no
    CheckHostIP no

    LogLevel FATAL

    UserKnownHostsFile /uhome/installer/.ssh/known_hosts
    IdentityFile /uhome/installer/.ssh/id_rsa


And on host1:

# grep -v "^#" /etc/ssh/sshd_config |grep -v "^$"
Protocol 2
SyslogFacility AUTHPRIV
LogLevel INFO
PermitRootLogin no
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM yes
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
UseDNS no
Banner /etc/issue.net
Subsystem       sftp    /usr/libexec/openssh/sftp-server
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

host1# more krb5.conf

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
    kdc = auth1.iad.example.com.
    kdc = auth2.iad.example.com.
    admin_server = auth1.iad.example.com.

    default_domain = example.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt

    auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//
    auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
    auth_to_local = RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//
    auth_to_local = DEFAULT
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }


Thanks,

Lufan



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
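Added example (not from the original mail or from FreeIPA): a small Python re-implementation of how MIT krb5 evaluates the auth_to_local rules quoted in the krb5.conf above, so you can check which local user name a Kerberos principal would map to before sshd compares it with the requested login name. It assumes the poster's EXAMPLE.COM default realm and the four rules verbatim; the sample principals are constructed.

```python
import re

# Taken from the krb5.conf in the mail; only the realm name is assumed to be the default realm.
DEFAULT_REALM = "EXAMPLE.COM"
AUTH_TO_LOCAL = [
    "RULE:[2:$1;$2](.*;root)s/;root$//",
    "RULE:[2:$1;$2](.*;admin)s/;admin$//",
    "RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//",
    "DEFAULT",
]

# RULE:[n:string](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)$")

def apply_rule(rule, components, realm):
    """Evaluate one RULE; return the local name or None if the rule does not select."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparsable rule: {rule}")
    n, fmt, selector, pat, repl, flag = m.groups()
    if len(components) != int(n):        # principal has the wrong number of components
        return None
    text = fmt.replace("$0", realm)      # $0 is the realm, $1..$n the components
    for i, comp in enumerate(components, 1):
        text = text.replace(f"${i}", comp)
    if not re.fullmatch(selector, text):  # the selector must match the whole string
        return None
    # sed-style substitution; \1 backrefs behave as in sed, '&' is not translated here
    return re.sub(pat, repl, text, count=0 if flag == "g" else 1)

def aname_to_localname(principal, rules=AUTH_TO_LOCAL, default_realm=DEFAULT_REALM):
    """Walk the rules in order, like krb5_aname_to_localname; None means 'no local name'."""
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT applies only to one-component principals in the default realm
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        mapped = apply_rule(rule, components, realm)
        if mapped is not None:
            return mapped
    return None

if __name__ == "__main__":
    # Constructed principals: note that any X/root@EXAMPLE.COM maps to local user X.
    for p in ["alice/root@EXAMPLE.COM", "bob/admin@EXAMPLE.COM", "carol@AD.CORP.EXAMPLE.COM",
              "dave@EXAMPLE.COM", "eve@OTHER.COM", "host/web.example.com@EXAMPLE.COM"]:
        print(f"{p:40} -> {aname_to_localname(p)}")
```

A principal that resolves to None, or to a name other than the one given on the ssh command line, will not be accepted for that login unless a .k5login on host1 lists it.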