[Freeipa-users] IdM Replica Install SSH failure.

2015-04-22 Thread Jesse Johnson
ALL,

I'm attempting to complete a replica install and the system is bombing out on 
the gssapi portion of the SSH key configuration. I can ssh and selinux is 
permissive.

Could not SSH into remote host. Error output:
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to IDM_master_name [IdM_master_ip] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x0400
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server-client aes128-ctr hmac-md5-...@openssh.com none
debug1: kex: client-server aes128-ctr hmac-md5-...@openssh.com none
debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA key
Warning: Permanently added 'IDM_master_name,IdM_master_ip' (ECDSA) to 
the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
Connection closed by IdM_master_ip
Could not SSH to remote host.

Any help would be appreciated.

Jesse P. Johnson CISSP RHC{A,DS,E,SA}
ISC^2: 384989
RH: 120-117-320
C: 757-232-3110

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] IdM Replica Install SSH failure.

2015-04-23 Thread Jesse Johnson
Martin,

I found out the cause. It was just one of the reverse lookups.

Thanks,

Jesse P. Johnson CISSP RHC{A,DS,E,SA}
ISC^2: 384989
RH: 120-117-320
C: 757-232-3110

- Original Message -
From: Martin Kosek mko...@redhat.com
To: Jesse Johnson jesse.john...@redhat.com, freeipa-users@redhat.com
Sent: Thursday, April 23, 2015 6:32:18 AM
Subject: Re: [Freeipa-users] IdM Replica Install SSH failure.

On 04/22/2015 04:57 PM, Jesse Johnson wrote:
> ALL,
>
> I'm attempting to complete a replica install and the system is bombing out on 
> the gssapi portion of the SSH key configuration. I can ssh and selinux is 
> permissive.

You mean right before beginning of the installation in the connection check?

>
> Could not SSH into remote host. Error output:
> OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 56: Applying options for *
> debug1: Connecting to IDM_master_name [IdM_master_ip] port 22.
> debug1: Connection established.
> debug1: permanently_set_uid: 0/0
> debug1: identity file /root/.ssh/id_rsa type -1
> debug1: identity file /root/.ssh/id_rsa-cert type -1
> debug1: identity file /root/.ssh/id_dsa type -1
> debug1: identity file /root/.ssh/id_dsa-cert type -1
> debug1: identity file /root/.ssh/id_ecdsa type -1
> debug1: identity file /root/.ssh/id_ecdsa-cert type -1
> debug1: identity file /root/.ssh/id_ed25519 type -1
> debug1: identity file /root/.ssh/id_ed25519-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.6.1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
> debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x0400
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server-client aes128-ctr hmac-md5-...@openssh.com none
> debug1: kex: client-server aes128-ctr hmac-md5-...@openssh.com none
> debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
> debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: ECDSA key
> Warning: Permanently added 'IDM_master_name,IdM_master_ip' (ECDSA) to 
> the list of known hosts.
> debug1: ssh_ecdsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug1: Next authentication method: gssapi-with-mic
> Connection closed by IdM_master_ip
> Could not SSH to remote host.
>
> Any help would be appreciated.
>
> Jesse P. Johnson CISSP RHC{A,DS,E,SA}
> ISC^2: 384989
> RH: 120-117-320
> C: 757-232-3110

There is most likely some problem, the conncheck is already quite proven. You
can skip it with --skip-conncheck, but the installation will probably blow up
in later stages anyway.

So it is good you are investigating the root cause. I would try:
- checking that DNS records from your client to the server are OK (both the forward
DNS record and the reverse DNS record for its IP address). Also check the other
side, from master to client; there was a bug in the past.
- checking that you can ssh as the admin user and via Kerberos (you can copy a
functional krb5.conf from another replica). ssh via another account and by different
means (SSH key) may not be sufficient.

Also, what is the FreeIPA and platform version you are testing this on?
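As an added example (not code from the thread or from FreeIPA), a POSIX shell check for the forward/reverse DNS consistency Martin lists, which Jesse's follow-up identifies as the actual cause: the Kerberos client builds the host/ principal from the name the address reverse-resolves to, so a stale PTR breaks gssapi-with-mic even when forward resolution and the TCP connection succeed. The host names and addresses in the comments and test are constructed.

```shell
#!/bin/sh
# Forward/reverse DNS round-trip check for the IPA replica conncheck path.
# getent is used so /etc/hosts and DNS are both consulted, as ssh and GSSAPI do.

# Print the IPv4 address(es) a name resolves to (forward A record).
resolve_fwd() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Print the canonical name an address resolves to (reverse PTR record).
resolve_rev() {
    getent hosts "$1" 2>/dev/null | awk '{print $2}'
}

# Normalise a host name: lowercase, strip any trailing dot.
canon() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Return 0 only when every address of $1 reverse-resolves back to $1.
dns_roundtrip_ok() {
    name=$(canon "$1")
    addrs=$(resolve_fwd "$name")
    if [ -z "$addrs" ]; then
        echo "FAIL: $name has no forward (A) record" >&2
        return 1
    fi
    rc=0
    for ip in $addrs; do
        rev=$(canon "$(resolve_rev "$ip")")
        if [ -z "$rev" ]; then
            echo "FAIL: $ip has no reverse (PTR) record" >&2
            rc=1
        elif [ "$rev" != "$name" ]; then
            echo "FAIL: $ip reverses to '$rev', expected '$name'" >&2
            rc=1
        else
            echo "ok: $name -> $ip -> $rev"
        fi
    done
    return $rc
}

# Check both directions Martin describes: run this on the replica with its own
# FQDN and the master's, then on the master with the same pair, e.g.
#   check_pair "$(hostname -f)" idm-master.example.test   (constructed names)
check_pair() {
    ok=0
    for h in "$@"; do dns_roundtrip_ok "$h" || ok=1; done
    return $ok
}
```

A non-zero exit from check_pair on either host is the condition under which ipa-replica-install's conncheck (and later the Kerberos-authenticated steps) will fail; fix the offending A or PTR record rather than reaching for --skip-conncheck.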
