Dear Team,

I am new to FreeIPA and GSS authentication, so maybe someone can shed some light on 
where the issue is when I perform the ssh command below. Your help will be greatly appreciated.

host2$  ssh -F /home/user/config

I got the following error in audit.log on host1:

type=CRYPTO_SESSION msg=audit(1483753488.905:727): user pid=17872 uid=0 
auid=6974 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 
rport=36989 laddr= lport=22 id=4294967295 exe="/usr/sbin/sshd" 
(hostname=?, addr=, terminal=? res=success)'
type=USER_ERR msg=audit(1483753489.839:728): user pid=17872 uid=0 auid=6974 
msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=, 
addr=, terminal=ssh res=failed)'


host2$ more /home/user/config
Host *
    Protocol 2

    # Options for Protocol 1 only
    #RSAAuthentication no
    #RhostsRSAAuthentication no

    HostbasedAuthentication no
    PubKeyAuthentication no
    PasswordAuthentication no

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

    PreferredAuthentications gssapi-with-mic

    StrictHostKeyChecking no
    CheckHostIP no

    LogLevel FATAL

    UserKnownHostsFile /uhome/installer/.ssh/known_hosts
    IdentityFile /uhome/installer/.ssh/id_rsa

And on host1:

# grep -v "^#" /etc/ssh/sshd_config |grep -v "^$"
Protocol 2
SyslogFacility AUTHPRIV
LogLevel INFO
PermitRootLogin no
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM yes
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
UseDNS no
Banner /etc/
Subsystem       sftp    /usr/libexec/openssh/sftp-server
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

host1# more krb5.conf

  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

    kdc =
    kdc =
    admin_server =

    default_domain =
    pkinit_anchors = FILE:/etc/ipa/ca.crt

    auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//
    auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
    auth_to_local = RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//
    auth_to_local = DEFAULT

[domain_realm] = EXAMPLE.COM = EXAMPLE.COM

  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false


