Dear Team, I am new to freeIPA and GSS authentication, so maybe someone can shed some light on where the issue is when I perform the ssh below? Your help will be greatly appreciated!
host2$ ssh -F /home/user/config u...@host1.example.com

I got the error below in audit.log on host1:

type=CRYPTO_SESSION msg=audit(1483753488.905:727): user pid=17872 uid=0 auid=6974 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 rport=36989 laddr=67.217.92.20 lport=22 id=4294967295 exe="/usr/sbin/sshd" (hostname=?, addr=10.22.6.70, terminal=? res=success)'
type=USER_ERR msg=audit(1483753489.839:728): user pid=17872 uid=0 auid=6974 msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=10.22.6.70, addr=10.22.6.70, terminal=ssh res=failed)'

where

host2$ more /home/user/config
Host *
    Protocol 2
    # Options for Protocol 1 only
    #RSAAuthentication no
    #RhostsRSAAuthentication no
    HostbasedAuthentication no
    PubKeyAuthentication no
    PasswordAuthentication no
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    PreferredAuthentications gssapi-with-mic
    StrictHostKeyChecking no
    CheckHostIP no
    LogLevel FATAL
    UserKnownHostsFile /uhome/installer/.ssh/known_hosts
    IdentityFile /uhome/installer/.ssh/id_rsa

AND on host1:

# grep -v "^#" /etc/ssh/sshd_config | grep -v "^$"
Protocol 2
SyslogFacility AUTHPRIV
LogLevel INFO
PermitRootLogin no
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM yes
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
UseDNS no
Banner /etc/issue.net
Subsystem sftp /usr/libexec/openssh/sftp-server
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

host1# more krb5.conf
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
    kdc = auth1.iad.example.com.
    kdc = auth2.iad.example.com.
    admin_server = auth1.iad.example.com.
    default_domain = example.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//
    auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
    auth_to_local = RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//
    auth_to_local = DEFAULT
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

Thanks,
Lufan
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
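As an added example (not part of Lufan's post or of the FreeIPA project's own code), the script below re-implements in simplified form how MIT krb5 evaluates the four auth_to_local rules from the krb5.conf above, so you can check which local account name a given Kerberos principal is translated to before sshd hands it to PAM. It assumes MIT's rule semantics (a RULE applies only to principals with exactly n components, the selector must match the whole formatted string, DEFAULT maps only one-component principals in the default realm) and that selector regexes contain no nested parentheses; the sample principals in the test are constructed.

```python
import re

# The four auth_to_local rules from the krb5.conf in the post, evaluated in order.
RULES = [
    r"RULE:[2:$1;$2](.*;root)s/;root$//",
    r"RULE:[2:$1;$2](.*;admin)s/;admin$//",
    r"RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//",
    "DEFAULT",
]
DEFAULT_REALM = "EXAMPLE.COM"  # default_realm from the same krb5.conf

# RULE:[n:format](selector)s/pattern/replacement/[g]; selector and s/// are optional.
# Simplification (assumption): the selector regex does not itself contain parentheses.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?")


def apply_rule(rule, components, realm):
    """Return the local user name if this rule translates the principal, else None."""
    if rule == "DEFAULT":
        # MIT DEFAULT: a one-component principal in the default realm maps to that component.
        return components[0] if realm == DEFAULT_REALM and len(components) == 1 else None
    m = RULE_RE.fullmatch(rule)
    if m is None:
        raise ValueError(f"cannot parse rule: {rule}")
    ncomp, fmt, selector, pattern, repl, gflag = m.groups()
    if len(components) != int(ncomp):
        return None  # a RULE only applies to principals with exactly n components
    # $0 is the realm, $1..$n are the principal components.
    fields = {"0": realm, **{str(i + 1): c for i, c in enumerate(components)}}
    formatted = re.sub(r"\$(\d+)", lambda v: fields.get(v.group(1), ""), fmt)
    # The selector must match the whole formatted string for the rule to fire.
    if selector is not None and re.fullmatch(selector, formatted) is None:
        return None
    if pattern is not None:
        formatted = re.sub(pattern, repl, formatted, count=0 if gflag else 1)
    return formatted


def auth_to_local(principal):
    """Map a Kerberos principal to a local user name, or None if no rule matches."""
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    for rule in RULES:
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None
```

A principal for which this returns None has no local mapping under these rules, which is worth comparing against the account name sshd reports in the audit record.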