On Sat, Jan 07, 2017 at 02:14:45AM +0000, Chen Lufan wrote:
> Dear Team,
> 
> I am new to FreeIPA and GSS authentication, so maybe someone can shed some light
> on where the issue is when I perform the ssh below? Your help will be greatly
> appreciated!
> 
> 
> host2$  ssh -F /home/user/config   u...@host1.example.com
> 
> 
> I got the error below in audit.log on host1:
> 
> type=CRYPTO_SESSION msg=audit(1483753488.905:727): user pid=17872 uid=0 
> auid=6974 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 
> rport=36989 laddr=67.217.92.20 lport=22 id=4294967295 exe="/usr/sbin/sshd" 
> (hostname=?, addr=10.22.6.70, terminal=? res=success)'
> type=USER_ERR msg=audit(1483753489.839:728): user pid=17872 uid=0 auid=6974 
> msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=10.22.6.70, 
> addr=10.22.6.70, terminal=ssh res=failed)'

There are older reports that a similar audit message was triggered by
wrong SELinux labels on $HOME/.ssh and the files within. Although none
of the typical files in this directory are needed by GSSAPI
authentication, it might be worth checking. Does authentication work if you
temporarily disable SELinux by calling 'setenforce 0' as root on the
command line?

HTH

bye,
Sumit

> 
> 
> where
> 
> host2$ more /home/user/config
> Host *
>     Protocol 2
> 
>     # Options for Protocol 1 only
>     #RSAAuthentication no
>     #RhostsRSAAuthentication no
> 
>     HostbasedAuthentication no
>     PubKeyAuthentication no
>     PasswordAuthentication no
> 
>     GSSAPIAuthentication yes
>     GSSAPIDelegateCredentials yes
> 
>     PreferredAuthentications gssapi-with-mic
> 
>     StrictHostKeyChecking no
>     CheckHostIP no
> 
>     LogLevel FATAL
> 
>     UserKnownHostsFile /uhome/installer/.ssh/known_hosts
>     IdentityFile /uhome/installer/.ssh/id_rsa
> 
> 
> AND on host1:
> 
> # grep -v "^#" /etc/ssh/sshd_config |grep -v "^$"
> Protocol 2
> SyslogFacility AUTHPRIV
> LogLevel INFO
> PermitRootLogin no
> PubkeyAuthentication yes
> HostbasedAuthentication no
> IgnoreRhosts yes
> PermitEmptyPasswords no
> ChallengeResponseAuthentication no
> GSSAPIAuthentication yes
> UsePAM yes
> AllowTcpForwarding no
> X11Forwarding no
> PrintMotd no
> UseDNS no
> Banner /etc/issue.net
> Subsystem       sftp    /usr/libexec/openssh/sftp-server
> Ciphers aes128-ctr,aes192-ctr,aes256-ctr
> 
> host1# more krb5.conf
> 
> [libdefaults]
>   default_realm = EXAMPLE.COM
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   ticket_lifetime = 24h
>   forwardable = yes
> 
> [realms]
>   EXAMPLE.COM = {
>     kdc = auth1.iad.example.com.
>     kdc = auth2.iad.example.com.
>     admin_server = auth1.iad.example.com.
> 
>     default_domain = example.com
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
> 
>     auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//
>     auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
>     auth_to_local = RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//
>     auth_to_local = DEFAULT
> }
> 
> [domain_realm]
>   .example.com = EXAMPLE.COM
>   example.com = EXAMPLE.COM
> 
> [appdefaults]
>   pam = {
>     debug = false
>     ticket_lifetime = 36000
>     renew_lifetime = 36000
>     forwardable = true
>     krb4_convert = false
>   }
> 
> 
> Thanks,
> 
> Lufan
> 
> 
> 

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
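Before touching SELinux on host1, it helps to pull every failed PAM identity check out of audit.log together with the peer address of the sshd session it belongs to, so the failures can be counted and correlated per client rather than read one record at a time. The script below is an added example written for this thread, not code from the original posts or from the FreeIPA project. Its only input is the two audit records quoted above, re-joined onto single lines (the mail client had wrapped them); the field layout it parses (type=... msg=audit(ts:serial): ... msg='...') is the one those records show, and the grouping by pid assumes, as in the quoted records, that sshd's CRYPTO_SESSION and USER_ERR records for one connection carry the same pid.

```python
import re
from collections import defaultdict

# The two audit.log records quoted in the thread, re-joined onto one line each.
SAMPLE_AUDIT_LINES = [
    """type=CRYPTO_SESSION msg=audit(1483753488.905:727): user pid=17872 uid=0 auid=6974 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 rport=36989 laddr=67.217.92.20 lport=22 id=4294967295 exe="/usr/sbin/sshd" (hostname=?, addr=10.22.6.70, terminal=? res=success)'""",
    """type=USER_ERR msg=audit(1483753489.839:728): user pid=17872 uid=0 auid=6974 msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=10.22.6.70, addr=10.22.6.70, terminal=ssh res=failed)'""",
]

# Record header: type=<TYPE> msg=audit(<seconds>:<serial>): <rest of record>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value pairs; a value is either "double-quoted" or bare (bare stops at space, comma, parens)
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^\s,()]+)')


def parse_record(line):
    """Parse one audit record into a flat dict.  Fields found inside the quoted
    msg='...' part are hoisted to the top level unless the outer record already
    has the same key; bare tokens without '=' (such as the leading 'user') are ignored."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    body = m.group("body")
    inner = None
    start = body.find("msg='")
    if start != -1:
        end = body.rfind("'")
        inner = body[start + len("msg='"):end]
        body = body[:start]
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(body)})
    if inner is not None:
        rec["msg"] = inner
        for k, v in KV_RE.findall(inner):
            rec.setdefault(k, v.strip('"'))
        # sshd's PAM records start with "PAM: <reason>", e.g. "PAM: bad_ident"
        pam = re.match(r"PAM:\s*(\S+)", inner)
        if pam:
            rec["pam_reason"] = pam.group(1)
    return rec


def failed_pam_sessions(lines):
    """Group records by sshd pid and report every USER_ERR with res=failed,
    attaching the peer address and cipher from that pid's CRYPTO_SESSION record."""
    by_pid = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec and "pid" in rec:
            by_pid[rec["pid"]].append(rec)
    findings = []
    for pid, recs in by_pid.items():
        recs.sort(key=lambda r: (r["ts"], r["serial"]))
        session = next((r for r in recs if r["type"] == "CRYPTO_SESSION"), None)
        for r in recs:
            if r["type"] == "USER_ERR" and r.get("res") == "failed":
                findings.append({
                    "pid": pid,
                    "auid": r.get("auid"),
                    "addr": (session or r).get("addr"),
                    "cipher": session.get("cipher") if session else None,
                    "reason": r.get("pam_reason"),
                    "serial": r["serial"],
                })
    return findings


if __name__ == "__main__":
    for f in failed_pam_sessions(SAMPLE_AUDIT_LINES):
        print(f"sshd pid {f['pid']} from {f['addr']}: PAM {f['reason']} "
              f"(auid {f['auid']}, audit serial {f['serial']})")
```

On a real host the input would be the lines of /var/log/audit/audit.log (or `ausearch -m USER_ERR,CRYPTO_SESSION --raw`); the parser deliberately keeps the auid, since a non-root auid on a root-owned sshd record, as in the quoted lines, is itself worth noting when reading the result.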
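The krb5.conf quoted above carries four auth_to_local rules, and the audit record shows acct="?", so a useful offline check is to see which local account those rules would map a given Kerberos principal to, before looking anywhere else. The following is an added example written for this thread, not code from the original posts, from FreeIPA or from MIT krb5. It re-implements the RULE:[n:string](regexp)s/pattern/replacement/ syntax with Python's re module (POSIX-versus-Python regex differences are not handled beyond what these four rules need), requires the selector regexp to match the whole formed string and tries rules in order with the first match winning (MIT behaviour as understood here), and treats DEFAULT as mapping a single-component principal in the default realm to that component. The principal names fed to it (alice/root@EXAMPLE.COM and so on) are constructed.

```python
import re

# The auth_to_local rules from the krb5.conf quoted in the thread, in the order listed.
THREAD_RULES = [
    "RULE:[2:$1;$2](.*;root)s/;root$//",
    "RULE:[2:$1;$2](.*;admin)s/;admin$//",
    "RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//",
    "DEFAULT",
]
DEFAULT_REALM = "EXAMPLE.COM"   # default_realm from the same krb5.conf

# RULE:[<ncomp>:<format>](<selector>)s/<pattern>/<replacement>/[g]
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)$")


def split_principal(principal):
    """'user/instance@REALM' -> (['user', 'instance'], 'REALM')."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule, principal, default_realm):
    """Return the local name this one rule produces for the principal, or None
    if the rule does not apply (wrong component count or selector mismatch)."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # Assumed MIT semantics: one component and the default realm -> that component.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported auth_to_local rule: {rule}")
    ncomp, fmt, selector, pattern, repl, flag = m.groups()
    if len(comps) != int(ncomp):
        return None
    # Build the candidate string: $0 is the realm, $1..$n the name components.
    formed = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, start=1):
        formed = formed.replace(f"${i}", comp)
    if not re.fullmatch(selector, formed):
        return None
    # Apply the sed-style substitution; 'g' replaces every occurrence, otherwise only the first.
    return re.sub(pattern, repl, formed, count=0 if flag == "g" else 1)


def map_principal(principal, rules=THREAD_RULES, default_realm=DEFAULT_REALM):
    """Walk the rules in order; the first rule that yields a name decides.
    None means no rule mapped the principal to a local account."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    # Constructed principals exercising each rule and the no-match case.
    for p in ["alice/root@EXAMPLE.COM", "admin/admin@EXAMPLE.COM",
              "bob@AD.CORP.EXAMPLE.COM", "carol@EXAMPLE.COM",
              "dave/host@EXAMPLE.COM", "erin@OTHER.COM"]:
        print(f"{p:32} -> {map_principal(p)}")
```

The interesting rows are the last two: a two-component principal in EXAMPLE.COM that is neither "/root" nor "/admin" gets no mapping from these rules, and neither does a single-component principal from any realm other than EXAMPLE.COM or AD.CORP.EXAMPLE.COM, because DEFAULT only applies in the default realm.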