Re: [Freeipa-users] Getting error "Permission denied (publickey, gssapi-with-mic, password)" when running below ssh command
On Mon, 9 Jan 2017 10:55:05 +0100 Sumit wrote:

SB> There are older reports that a similar audit message was triggered by
SB> wrong SELinux labels on $HOME/.ssh and the files within. Although none
SB> of the typical files in this directory are needed by GSSAPI
SB> authentication it might be worth checking. Does authentication work if you
SB> temporarily disable SELinux by calling 'setenforce 0' as root on the
SB> command line?

Or instead of disabling, fix the labels:

    restorecon -rv ~/.ssh

With -v restorecon will report if it changed any labels.

Or check for actual denials:

    grep avc /var/log/audit/audit.log | grep ssh

Robert

--
Senior Software Engineer @ Parsons

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
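Robert's audit.log check, and the two records Lufan quoted, lend themselves to a small triage script. The following Python is an added example, not code from the thread: it parses audit.log records, keys the sshd-related ones by sshd pid, and lists for each pid the session start, any PAM failure and any SELinux denial. The sample input is the two records from the original post plus one constructed, hypothetical AVC denial on a mislabelled ~/.ssh.

```python
import re

# Constructed sample: the two sshd records quoted in the thread plus one hypothetical
# AVC line of the kind 'grep avc' would surface if ~/.ssh carried the wrong label.
SAMPLE_AUDIT = """\
type=CRYPTO_SESSION msg=audit(1483753488.905:727): user pid=17872 uid=0 auid=6974 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 rport=36989 laddr=67.217.92.20 lport=22 id=4294967295 exe="/usr/sbin/sshd" (hostname=?, addr=10.22.6.70, terminal=? res=success)'
type=USER_ERR msg=audit(1483753489.839:728): user pid=17872 uid=0 auid=6974 msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=10.22.6.70, addr=10.22.6.70, terminal=ssh res=failed)'
type=AVC msg=audit(1483753489.900:729): avc:  denied  { read } for  pid=17872 comm="sshd" name=".ssh" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
FIELD = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_record(line):
    """Turn one audit.log line into a flat dict of its key=value fields."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    body = m.group(4)
    for key, val in FIELD.findall(body):
        rec[key] = val.strip("'\",)")
    # sshd nests the PAM details inside msg='...'; lift res=, addr=, acct= out of it.
    for key, val in FIELD.findall(rec.get("msg", "")):
        rec.setdefault(key, val.strip("'\",)"))
    if rec["type"] == "AVC":
        rec["denied"] = bool(re.search(r"avc:\s+denied", body))
        perms = re.search(r"\{ ([^}]*) \}", body)
        rec["perms"] = perms.group(1).split() if perms else []
    return rec


def triage_sshd(text):
    """Group sshd records by sshd pid: session start, PAM failures, AVC denials."""
    by_pid = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if not rec or "pid" not in rec:
            continue
        if rec.get("exe") != "/usr/sbin/sshd" and rec.get("comm") != "sshd":
            continue
        entry = by_pid.setdefault(rec["pid"], {"session": None, "pam_failures": [], "avc_denials": []})
        if rec["type"] == "CRYPTO_SESSION" and rec.get("res") == "success":
            entry["session"] = {"cipher": rec.get("cipher"), "peer": rec.get("addr")}
        elif rec["type"] == "USER_ERR" and rec.get("res") == "failed":
            pam = re.search(r"PAM: (\w+)", rec.get("msg", ""))
            entry["pam_failures"].append({"pam": pam.group(1) if pam else "?", "acct": rec.get("acct"), "peer": rec.get("addr")})
        elif rec["type"] == "AVC" and rec.get("denied"):
            entry["avc_denials"].append({"perms": rec["perms"], "name": rec.get("name"), "tcontext": rec.get("tcontext")})
    return by_pid
```

On the real file, feed `triage_sshd(open("/var/log/audit/audit.log").read())`; a pid with a successful session start, a USER_ERR and no AVC record points away from SELinux and toward the user lookup itself.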
Re: [Freeipa-users] Getting error "Permission denied (publickey, gssapi-with-mic, password)" when running below ssh command
On Sat, Jan 07, 2017 at 02:14:45AM +, Chen Lufan wrote:
> Dear Team,
>
> I am new to freeIPA and GSS authentication so maybe someone can shed some light
> on where the issue is when I perform below ssh? Your help will be greatly
> appreciated!
>
> host2$ ssh -F /home/user/config u...@host1.example.com
>
> I got below error in audit.log in host1 :
>
> type=CRYPTO_SESSION msg=audit(1483753488.905:727): user pid=17872 uid=0
> auid=6974 msg='op=start direction=from-server cipher=aes128-ctr ksize=128
> rport=36989 laddr=67.217.92.20 lport=22 id=4294967295 exe="/usr/sbin/sshd"
> (hostname=?, addr=10.22.6.70, terminal=? res=success)'
> type=USER_ERR msg=audit(1483753489.839:728): user pid=17872 uid=0 auid=6974
> msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=10.22.6.70,
> addr=10.22.6.70, terminal=ssh res=failed)'

There are older reports that a similar audit message was triggered by
wrong SELinux labels on $HOME/.ssh and the files within. Although none
of the typical files in this directory are needed by GSSAPI
authentication it might be worth checking. Does authentication work if you
temporarily disable SELinux by calling 'setenforce 0' as root on the
command line?
HTH

bye,
Sumit
[Freeipa-users] Getting error "Permission denied (publickey, gssapi-with-mic, password)" when running below ssh command
Dear Team,

I am new to freeIPA and GSS authentication so maybe someone can shed some light
on where the issue is when I perform below ssh? Your help will be greatly
appreciated!

host2$ ssh -F /home/user/config u...@host1.example.com

I got below error in audit.log in host1 :

type=CRYPTO_SESSION msg=audit(1483753488.905:727): user pid=17872 uid=0
auid=6974 msg='op=start direction=from-server cipher=aes128-ctr ksize=128
rport=36989 laddr=67.217.92.20 lport=22 id=4294967295 exe="/usr/sbin/sshd"
(hostname=?, addr=10.22.6.70, terminal=? res=success)'
type=USER_ERR msg=audit(1483753489.839:728): user pid=17872 uid=0 auid=6974
msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=10.22.6.70,
addr=10.22.6.70, terminal=ssh res=failed)'

where

host2$ more /home/user/config
Host *
Protocol 2

# Options for Protocol 1 only
#RSAAuthentication no
#RhostsRSAAuthentication no

HostbasedAuthentication no
PubKeyAuthentication no
PasswordAuthentication no

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

PreferredAuthentications gssapi-with-mic

StrictHostKeyChecking no
CheckHostIP no

LogLevel FATAL

UserKnownHostsFile /uhome/installer/.ssh/known_hosts
IdentityFile /uhome/installer/.ssh/id_rsa

AND on host1:

# grep -v "^#" /etc/ssh/sshd_config |grep -v "^$"
Protocol 2
SyslogFacility AUTHPRIV
LogLevel INFO
PermitRootLogin no
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM yes
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
UseDNS no
Banner /etc/issue.net
Subsystem sftp /usr/libexec/openssh/sftp-server
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

host1# more krb5.conf

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
EXAMPLE.COM = {
  kdc = auth1.iad.example.com.
  kdc = auth2.iad.example.com.
  admin_server = auth1.iad.example.com.
  default_domain = example.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt

  auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//
  auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
  auth_to_local = RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//
  auth_to_local = DEFAULT
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

Thanks,

Lufan
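Before PAM ever sees a GSSAPI login, libkrb5 runs the client principal through the auth_to_local entries of this krb5.conf to choose the local account, and a principal that no entry maps is refused. The following Python is an added example, not part of the thread: it models MIT krb5's RULE/DEFAULT semantics (Python's re stands in for the POSIX regex engine) and applies Lufan's four entries, copied from the configuration above, to any principal.

```python
import re

# Lufan's four auth_to_local entries, copied from the krb5.conf above.
RULES = [
    "RULE:[2:$1;$2](.*;root)s/;root$//",
    "RULE:[2:$1;$2](.*;admin)s/;admin$//",
    "RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//",
    "DEFAULT",
]
DEFAULT_REALM = "EXAMPLE.COM"
# RULE:[n:format](regexp)s/pattern/replacement/[g]; the s/// part is optional.
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)(?:s/(.*?)/(.*?)/(g?))?")


def split_principal(principal):
    """'user/root@EXAMPLE.COM' -> (['user', 'root'], 'EXAMPLE.COM')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule, principal, default_realm=DEFAULT_REALM):
    """Local name produced by one auth_to_local entry, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals in the default realm.
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError("unsupported auth_to_local entry: " + rule)
    ncomp, fmt, regexp, pattern, repl, gflag = m.groups()
    if len(comps) != int(ncomp):
        return None  # [n:...] applies only to principals with exactly n components
    # Build the candidate string: $0 is the realm, $1..$n are the components.
    parts = {"0": realm, **{str(i + 1): c for i, c in enumerate(comps)}}
    formed = re.sub(r"\$(\d)", lambda v: parts[v.group(1)], fmt)
    # The parenthesised regexp has to match the whole formed string.
    if not re.fullmatch(regexp, formed):
        return None
    if pattern is None:
        return formed
    return re.sub(pattern, repl, formed, count=0 if gflag == "g" else 1)


def auth_to_local(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """First applicable entry wins; None means no local user, so the login is refused."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None
```

With these entries user/root@EXAMPLE.COM maps to user, bob@AD.CORP.EXAMPLE.COM to bob, alice@EXAMPLE.COM to alice via DEFAULT, and a two-component principal such as host/host1.example.com@EXAMPLE.COM to nothing.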