David Miller wrote:
I'm in the process of evaluating RH IPA server and have run into two
problems. Before I begin, here is the setup. One vanilla RHEL 5.2 server
install with IPA channel. One vanilla RHEL 5.2 desktop install with
workstation channel. Eventually I would like to have a couple of Linux
clusters and a few standalone general compute nodes use an IPA server
for enforcing password policy and authenticating users that will only be
using SSH.

1. After getting my evaluation key entered into RHN I successfully
subscribed my RHEL5 server with the IPA sub channel and got the IPA
server up and running. However, I could not find a sub channel to
subscribe to for the IPA client for my RHEL 5 desktop with workstation.
I wound up installing the RPMs from the IPA server installation ISO
through yum. What is the channel used to grab the IPA client packages?
The desktop version of RHEL cannot subscribe to the IPA channel.

2. When I create a user account I cannot log into the RHEL workstation
using SSH. I must log the new account in at the console first. At the
console I'm prompted to change the password for the new account right
away. After changing the password I can log in using SSH. I like the
one-time password, but is there a way to make it work over SSH without tying
the machine they are SSHing from to the IPA server's Kerberos? Even
though the SSH works after the initial console login, what will happen
when the password is due for changing? I have people SSHing in using all
sorts of SSH clients on various operating systems. Getting all of them
to work with Kerberos just for SSH is unrealistic.

David,
I ran your post by a co-worker of mine who is relatively familiar with
IPA but unfortunately not subscribed to this list. He didn't have any
suggestions for Question #1, however for Question #2 he suggested adding
"ChallengeResponseAuthentication yes" to your /etc/ssh/sshd_config on
all machines that auth against IPA, restarting sshd after you make the
changes.
--
Scott
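
An added example, not part of the original thread: sshd uses the first value it obtains for each keyword, so appending the line Scott suggests below an existing "ChallengeResponseAuthentication no" changes nothing. The helper names and the sample file below are constructed for illustration, and the parser assumes whitespace-separated, unquoted values.

```shell
#!/bin/sh
# Added example (not from the thread): report the value sshd will actually
# use for a keyword in an sshd_config file.
# Keywords are case-insensitive and the first value obtained wins. Lines
# after a "Match" line are conditional, so scanning stops there.
effective_sshd_option() {
    # $1 = keyword, $2 = path to an sshd_config file
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank and comment lines
        { key = tolower($1) }
        key == "match" { exit }            # global section ends here
        key == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }  # sshd falls back to its default
    ' "$2"
}

# Constructed sample: an explicit "no" earlier in the file, and the
# suggested line appended at the end by hand.
write_sample_config() {
    cat > "$1" <<'EOF'
#ChallengeResponseAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes

challengeresponseauthentication yes
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
# The appended "yes" is ignored because the earlier "no" is read first.
echo "ChallengeResponseAuthentication: $(effective_sshd_option ChallengeResponseAuthentication "$sample")"
rm -f "$sample"
```

On a real host, point the function at /etc/ssh/sshd_config, edit the first uncommented occurrence rather than appending, and run `sshd -t` to validate the file before restarting sshd.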