Re: [Freeipa-users] User can't login via ssh from external source
On Fri, 2012-07-20 at 15:21 -0400, Dmitri Pal wrote:
> On 07/20/2012 03:03 PM, Joe Linoff wrote:
> When you set the password on the server using the ipa passwd command
> you make it known to the admin. This is why it is right away expired
> and requires a change.
> A user needs to log in through the client that allows changing the
> password as a part of the authentication.
> It looks like your ssh is not configured to do password change (I
> suspect it uses GSSAPI but I might be wrong).
> So either the ssh needs to be configured to do the password change
> over the pam stack or you need to login as this user and change his
> password and then you will be able to ssh.

To clarify, what you need to do is make sure that the following options are set in /etc/ssh/sshd_config:

UsePAM yes
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes

This should hopefully resolve the issue for you.

Note: KerberosAuthentication is NOT the same as disabling the single-sign-on. That's done by GSSAPIAuthentication.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
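A small check for the five options listed above, added here as an example and not part of the thread or of any FreeIPA or OpenSSH tooling: it reads an sshd_config (a constructed sample stands in for /etc/ssh/sshd_config) and reports every recommended option whose effective value differs. It assumes OpenSSH's "Keyword value" (or "Keyword=value") syntax with case-insensitive keywords, where the first occurrence of a keyword is the one sshd uses; options inside Match blocks are not handled, so a Match block can still override what this reports.

```shell
#!/bin/sh
# Added example: verify that an sshd_config carries the option values
# recommended in the reply above. Not code from the mailing list or from
# FreeIPA/OpenSSH; sshd_config syntax and first-match semantics are assumed.

# Constructed sample config standing in for /etc/ssh/sshd_config.
# Three of the five recommended options are deliberately wrong here.
SAMPLE_CONFIG='Port 9346
# comment lines are ignored, including ones that look like options:
# PasswordAuthentication no
PasswordAuthentication yes
UsePAM yes
GSSAPIAuthentication=yes
KerberosAuthentication yes
ChallengeResponseAuthentication no
'

# sshd_option FILE KEYWORD -> prints the effective (first-match) value, lower-cased
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                      # skip comments
        { gsub(/=/, " ") }                       # accept "Keyword=value" too
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# check_sshd_config FILE -> prints one line per mismatch; exit status is the
# number of options that differ from the recommended value (0 = all good)
check_sshd_config() {
    file="$1"
    bad=0
    for pair in UsePAM=yes PasswordAuthentication=no KerberosAuthentication=no \
                GSSAPIAuthentication=yes ChallengeResponseAuthentication=yes; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_option "$file" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s: want %s, have %s\n' "$key" "$want" "${got:-<unset>}"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage: run the check against the constructed sample.
tmpfile=$(mktemp)
printf '%s' "$SAMPLE_CONFIG" > "$tmpfile"
check_sshd_config "$tmpfile" || echo "$? option(s) differ from the recommended values"
rm -f "$tmpfile"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config`; a non-zero exit status means at least one of the options the reply lists is not in effect, which is the first thing to rule out before looking at HBAC rules or the KDC.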
Re: [Freeipa-users] User can't login via ssh from external source
On 07/20/2012 03:03 PM, Joe Linoff wrote:
> Hi Everybody:
>
> I am using FreeIPA 2.2.0 on CentOS 6.3 and am having a challenging
> problem with a new user that I just set up.
>
> That user cannot ssh into any host on the realm from an external
> source. They get a permission denied problem but "old-user" with the
> same HBAC configuration works.
>
> % ssh -A -t -o Port=9346 new-u...@somehost.example.com
> new-u...@somehost.example.com's password:
> Permission denied, please try again.
> % ssh -A -t -o Port=9346 old-u...@somehost.example.com
> old-u...@somehost.example.com's password:
> Last login: ...
> [old-user@somehost ~]$
>
> I checked their password by setting up a TGT using kinit. It worked. I
> was also able to ssh into another host on the network.
>
> % kinit new-user
> Password for new-u...@example.com
> % ssh new-user@somehost
> Last login: ...
> Could not chdir to home directory ...
> -bash-4.1$ exit
>
> That seems to indicate that the password is correct and that the
> permissions are correct but to be sure I ran an hbactest on the server:
>
> % ipa hbactest --user=new-user --service=ssh --host=somehost
>
> Access granted: True
>
> ...
>
> I did see something strange in /var/log/messages:
>
> Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
> Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
> Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
> Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
> Jul 20 11:48:54 somehost [sssd[krb5_child[16488]]]: Password has expired
> Jul 20 11:48:55 somehost [sssd[krb5_child[16488]]]: Decrypt integrity check failed
> Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Password has expired
> Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Decrypt integrity check failed
>
> So I reset the password using the ipa passwd command:
>
> % ipa passwd new-user
> New Password:
> Enter New Password again to verify:
> ---
> Changed password for new-u...@example.com
> --
>
> But I am still getting the Permission denied error.
>
> What am I doing wrong? How can I debug this? Any help would be greatly
> appreciated.

When you set the password on the server using the ipa passwd command you make it known to the admin. This is why it is right away expired and requires a change.

A user needs to log in through the client that allows changing the password as a part of the authentication.

It looks like your ssh is not configured to do password change (I suspect it uses GSSAPI but I might be wrong).

So either the ssh needs to be configured to do the password change over the pam stack or you need to login as this user and change his password and then you will be able to ssh.

> Thanks,
>
> Joe

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
[Freeipa-users] User can't login via ssh from external source
Hi Everybody:

I am using FreeIPA 2.2.0 on CentOS 6.3 and am having a challenging problem with a new user that I just set up.

That user cannot ssh into any host on the realm from an external source. They get a permission denied problem but "old-user" with the same HBAC configuration works.

% ssh -A -t -o Port=9346 new-u...@somehost.example.com
new-u...@somehost.example.com's password:
Permission denied, please try again.
% ssh -A -t -o Port=9346 old-u...@somehost.example.com
old-u...@somehost.example.com's password:
Last login: ...
[old-user@somehost ~]$

I checked their password by setting up a TGT using kinit. It worked. I was also able to ssh into another host on the network.

% kinit new-user
Password for new-u...@example.com
% ssh new-user@somehost
Last login: ...
Could not chdir to home directory ...
-bash-4.1$ exit

That seems to indicate that the password is correct and that the permissions are correct but to be sure I ran an hbactest on the server:

% ipa hbactest --user=new-user --service=ssh --host=somehost

Access granted: True

...

I did see something strange in /var/log/messages:

Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
Jul 20 11:48:54 somehost [sssd[krb5_child[16488]]]: Password has expired
Jul 20 11:48:55 somehost [sssd[krb5_child[16488]]]: Decrypt integrity check failed
Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Password has expired
Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Decrypt integrity check failed

So I reset the password using the ipa passwd command:

% ipa passwd new-user
New Password:
Enter New Password again to verify:
---
Changed password for new-u...@example.com
--

But I am still getting the Permission denied error.

What am I doing wrong? How can I debug this? Any help would be greatly appreciated.

Thanks,

Joe
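A triage helper for the /var/log/messages lines quoted above, added here as an example and not part of the thread, of SSSD or of FreeIPA: it groups the sssd krb5_child messages by child pid so an admin can tell the two failure shapes apart. A pid that logs only "Decrypt integrity check failed" hit a Kerberos pre-authentication failure, which is what a wrong password or key produces; a pid that first logs "Password has expired" was given the right password but could not complete the change that the expired (admin-set) password demands, which is the case the replies diagnose. The log lines are constructed, modelled on the post, and the syslog layout `[sssd[krb5_child[PID]]]` is assumed.

```shell
#!/bin/sh
# Added example: summarise sssd krb5_child messages per child pid to separate
# "wrong password" from "password expired, change not completed". Not code
# from the thread, SSSD or FreeIPA; log format assumed from the quoted lines.

# Constructed sample, modelled on the lines quoted in the post.
SAMPLE_LOG='Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
Jul 20 11:48:54 somehost [sssd[krb5_child[16488]]]: Password has expired
Jul 20 11:48:55 somehost [sssd[krb5_child[16488]]]: Decrypt integrity check failed
Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Password has expired
Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Decrypt integrity check failed
Jul 20 11:50:00 somehost sshd[2001]: Accepted gssapi-with-mic for old-user from 10.0.0.5 port 5555 ssh2
'

# krb5_child_summary < log
#   -> one line per krb5_child pid, sorted by pid:
#      "<pid> expired=<yes|no> decrypt_failures=<n>  <hint>"
krb5_child_summary() {
    awk '
        match($0, /krb5_child\[[0-9]+\]/) {
            # RSTART points at "krb5_child[" (11 chars); drop that and the "]"
            pid = substr($0, RSTART + 11, RLENGTH - 12)
            seen[pid] = 1
            if ($0 ~ /Password has expired/)            expired[pid] = 1
            if ($0 ~ /Decrypt integrity check failed/) decrypt[pid]++
        }
        END {
            for (p in seen) {
                if (p in expired)
                    hint = "correct password, but expired: change it via a client that runs the PAM change"
                else
                    hint = "pre-authentication failed: wrong password or key"
                printf "%s expired=%s decrypt_failures=%d  %s\n", \
                    p, ((p in expired) ? "yes" : "no"), decrypt[p] + 0, hint
            }
        }
    ' | sort -n
}

# Usage: summarise the constructed sample (for a live host: krb5_child_summary < /var/log/messages).
printf '%s' "$SAMPLE_LOG" | krb5_child_summary
```

The non-sssd sshd line is ignored, which keeps the summary focused on the Kerberos child processes; the pid grouping matters because, as in the post, the expired-password notice and the subsequent decrypt failure arrive from the same child a second apart and read as a plain wrong password if viewed line by line.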