Re: [Freeipa-users] Getting error "Permission denied (publickey, gssapi-with-mic, password)" when running below ssh command

2017-01-09 Thread Robert Story
On Mon, 9 Jan 2017 10:55:05 +0100 Sumit wrote:
SB> There are older reports that a similar audit message was triggered by
SB> wrong SELinux labels on $HOME/.ssh and the files within. Although none
SB> of the typical files in this directory are needed by GSSAPI
SB> authentication, it might be worth checking. Does authentication work if you
SB> temporarily disable SELinux by calling 'setenforce 0' as root on the
SB> command line?

Or, instead of disabling SELinux, fix the labels:

  restorecon -rv ~/.ssh

With -v, restorecon will report if it changed any labels.

Or check for actual denials:

  grep avc /var/log/audit/audit.log | grep ssh



Robert

-- 
Senior Software Engineer @ Parsons


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
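The two suggestions above (Sumit's check of the SELinux labels under $HOME/.ssh, and Robert's grep of the audit log for denials involving ssh) can be turned into a small offline triage. The script below is an added example and is not from the thread or from the FreeIPA project: it narrows AVC records to those denied for sshd and reduces each to the fields that matter (the denied permission, the target file, and the SELinux type that file carried). The sample audit records are constructed for the example; the one policy assumption is that files under ~/.ssh are expected to carry the ssh_home_t type, which is what "restorecon -rv ~/.ssh" restores.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): triage SELinux AVC denials
# attributed to sshd, which is the check behind
#   grep avc /var/log/audit/audit.log | grep ssh
# Assumption: files under ~/.ssh should carry the ssh_home_t type.

# Print one line per AVC denial attributed to sshd, as:
#   pid=<pid> denied=<permission> name=<target file> ttype=<target SELinux type>
# $1 is the audit log to read (default: the system audit log).
ssh_avc_denials() {
    grep 'type=AVC' "${1:-/var/log/audit/audit.log}" \
    | grep 'avc: *denied' \
    | grep 'comm="sshd"' \
    | awk '{
        pid = ""; name = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^pid=/)      { pid = substr($i, 5) }
            if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), ctx, ":"); ttype = ctx[3] }
        }
        # the denied permission sits between the braces, e.g. "{ read }"
        split($0, seg, /[{}]/); perm = seg[2]
        gsub(/^ +/, "", perm); gsub(/ +$/, "", perm)
        printf "pid=%s denied=%s name=%s ttype=%s\n", pid, perm, name, ttype
    }'
}

# Names of the files sshd was refused that do not carry the ssh_home_t type;
# these are the candidates that "restorecon -rv ~/.ssh" would relabel.
wrong_home_labels() {
    ssh_avc_denials "$1" | awk '$4 != "ttype=ssh_home_t" { print substr($3, 6) }'
}

# Constructed sample records for running the functions offline (not taken
# from the original post): a denial on a mislabelled authorized_keys, a
# record that is not a denial, and a denial from an unrelated process.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1483753489.100:729): avc:  denied  { read } for  pid=17872 comm="sshd" name="authorized_keys" dev="dm-0" ino=131 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1483753489.101:730): avc:  granted  { read } for  pid=17872 comm="sshd" name="config" dev="dm-0" ino=132 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1483753489.102:731): avc:  denied  { write } for  pid=2001 comm="httpd" name="index.html" dev="dm-0" ino=133 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Usage against the live log on the server:
#   ssh_avc_denials /var/log/audit/audit.log
#   wrong_home_labels /var/log/audit/audit.log
```

On the constructed sample only the first record survives the filter, and wrong_home_labels reports authorized_keys because its type is user_home_t rather than ssh_home_t. An empty result from ssh_avc_denials on the real log means SELinux is not the reason for the failure and the setenforce 0 test can be skipped.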

Re: [Freeipa-users] Getting error "Permission denied (publickey, gssapi-with-mic, password)" when running below ssh command

2017-01-09 Thread Sumit Bose
On Sat, Jan 07, 2017 at 02:14:45AM +, Chen Lufan wrote:
> Dear Team,
> 
> I am new to freeIPA and GSS authentication, so maybe someone can shed some light
> on where the issue is when I perform the ssh command below? Your help will be greatly
> appreciated!
> 
> 
> host2$  ssh -F /home/user/config   u...@host1.example.com
> 
> 
> I got the error below in audit.log on host1:
> 
> type=CRYPTO_SESSION msg=audit(1483753488.905:727): user pid=17872 uid=0 
> auid=6974 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 
> rport=36989 laddr=67.217.92.20 lport=22 id=4294967295 exe="/usr/sbin/sshd" 
> (hostname=?, addr=10.22.6.70, terminal=? res=success)'
> type=USER_ERR msg=audit(1483753489.839:728): user pid=17872 uid=0 auid=6974 
> msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=10.22.6.70, 
> addr=10.22.6.70, terminal=ssh res=failed)'

There are older reports that a similar audit message was triggered by
wrong SELinux labels on $HOME/.ssh and the files within. Although none
of the typical files in this directory are needed by GSSAPI
authentication, it might be worth checking. Does authentication work if you
temporarily disable SELinux by calling 'setenforce 0' as root on the
command line?

HTH

bye,
Sumit




[Freeipa-users] Getting error "Permission denied (publickey, gssapi-with-mic, password)" when running below ssh command

2017-01-06 Thread Chen Lufan
Dear Team,

I am new to freeIPA and GSS authentication, so maybe someone can shed some light on
where the issue is when I perform the ssh command below? Your help will be greatly
appreciated!


host2$  ssh -F /home/user/config   u...@host1.example.com


I got the error below in audit.log on host1:

type=CRYPTO_SESSION msg=audit(1483753488.905:727): user pid=17872 uid=0 
auid=6974 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 
rport=36989 laddr=67.217.92.20 lport=22 id=4294967295 exe="/usr/sbin/sshd" 
(hostname=?, addr=10.22.6.70, terminal=? res=success)'
type=USER_ERR msg=audit(1483753489.839:728): user pid=17872 uid=0 auid=6974 
msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=10.22.6.70, 
addr=10.22.6.70, terminal=ssh res=failed)'


where

host2$ more /home/user/config
Host *
Protocol 2

# Options for Protocol 1 only
#RSAAuthentication no
#RhostsRSAAuthentication no

HostbasedAuthentication no
PubKeyAuthentication no
PasswordAuthentication no

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

PreferredAuthentications gssapi-with-mic

StrictHostKeyChecking no
CheckHostIP no

LogLevel FATAL

UserKnownHostsFile /uhome/installer/.ssh/known_hosts
IdentityFile /uhome/installer/.ssh/id_rsa


AND on host1:

# grep -v "^#" /etc/ssh/sshd_config |grep -v "^$"
Protocol 2
SyslogFacility AUTHPRIV
LogLevel INFO
PermitRootLogin no
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM yes
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
UseDNS no
Banner /etc/issue.net
Subsystem   sftp    /usr/libexec/openssh/sftp-server
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

host1# more krb5.conf

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
kdc = auth1.iad.example.com.
kdc = auth2.iad.example.com.
admin_server = auth1.iad.example.com.

default_domain = example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt

auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//
auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
auth_to_local = RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//
auth_to_local = DEFAULT
}

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

[appdefaults]
  pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
  }


Thanks,

Lufan


