Re: [Freeipa-users] 14: No supported authentication methods available
On Thu, 2016-02-25 at 16:56 +, Terry John wrote: > Thanks for that. From what I've read there is no simple right answer. In 2013 > RedHat itself says to leave ChallengeResponseAuthentication set to no "due to > security reasons". > > https://access.redhat.com/solutions/336773 We'll investigate to see if this is still a concern, given upstream has it defaulting to yes. The reason it should be preferred is that it will allow prompting for multiple factors, something we have in the works and would brek without this options set to true. Password changes (when the password is expiring PAM may ask to change it) also break badly if no ChallengResponseauthentication is used Simo. > Setting PasswordAuthentication yes seems to leave all the other settings > within thee sshd_config file like "PermitRootLogin without-password" which > may be overridden elsewhere if ChallengeResponseAuthentication is set to yes > > Terry > > -Original Message- > From: Simo Sorce [mailto:s...@redhat.com] > Sent: 25 February 2016 15:01 > To: Terry John > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] 14: No supported authentication methods available > > On Thu, 2016-02-25 at 14:36 +, Terry John wrote: > > This turned out to be a setting in /etc/ssh/sshd_config which gets > > > overridden by ipa-client-install. Needed to un-comment > > > > > > PasswordAuthentication yes > > > This is disabled because we enable ChallengeResponseAuthentication which is a > superset of PasswordAuthentication. > > PasswordAuthentication can't deal with PAM prompts, it is a oneshot only > option (ie fails if PAM asks you to make a pasword change), while > ChallengeResponseAuthentication is the more modern method that properly deals > with PAM prompts. > > You should prefer ChallengeResponseAuthentication over PasswordAuthentication. > > HTH, > Simo. > > > > Terry > > > > > > From: freeipa-users-boun...@redhat.com > > > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Terry John > > > Sent: 18 February 2016 11:41 > > > To: freeipa-users@redhat.com > > > Subject: [Freeipa-users] 14: No supported authentication methods > > > available > > > > > > I have an AWS instance running Centos 6.7 correctly configured for freeipa > > but I needed to make a backup machine which would remain live. > > > > > > I created a clone of the machine and changed the host name and the settings > > in /etc/hosts. When I tried to run ipa-client-install it told me to run the > > uninstall which I did. This had the worrying effect of not being able to > > log into my original live server but thankfully after a while it came good. > > I don't know why. > > > > > > Back on the new server I ran 'ipa-client-install --enable-dns-updates > > -mkhomedir' and it seemed to run ok. The host was created on the freeipa > > GUI and I added it to the same host group as the original server. But when > > I try to log in via SSH I get the error 'No supported authentication > > methods available'. I do have root access via the AWS Key file. > > > > > > As far as I can tell all the relevant settings seem the same between the > > two servers but one works and the other doesn't. I can kinit and klist > > using my freeipa account. 'getent netgroup my-servergroup' works fine. > > > > > > I can't seem to find anything relevant in the sssd logs and > > > /var/log/secure just give me the same error of no supported > > > authentication methods available > > > > > > I have noticed in /var/log/messages when I restart sssd and error > > > which may be relevant but can't find anything useful so far > > > > > > sssd[be[my.domain.net]]: dereference processing failed : Input/output > > > error > > > > > > Thanks > > > > > > Terry > > > > > > > > > > > > The Manheim group of companies within the UK comprises: Manheim Europe > > Limited (registered number: 03183918), Manheim Auctions Limited (registered > > number: 00448761), Manheim Retail Services Limited (registered number: > > 02838588), Motors.co.uk Limited (registered number: 05975777), Real Time > > Communications Limited (registered number: 04277845) and Complete > > Automotive Solutions Limited (registered number: 05302535). Each of these > > companies is registered in England and Wales with the registered office
Re: [Freeipa-users] 14: No supported authentication methods available
Thanks for that. From what I've read there is no simple right answer. In 2013 RedHat itself says to leave ChallengeResponseAuthentication set to no "due to security reasons". https://access.redhat.com/solutions/336773 Setting PasswordAuthentication yes seems to leave all the other settings within thee sshd_config file like "PermitRootLogin without-password" which may be overridden elsewhere if ChallengeResponseAuthentication is set to yes Terry -Original Message- From: Simo Sorce [mailto:s...@redhat.com] Sent: 25 February 2016 15:01 To: Terry John Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] 14: No supported authentication methods available On Thu, 2016-02-25 at 14:36 +, Terry John wrote: > This turned out to be a setting in /etc/ssh/sshd_config which gets > overridden by ipa-client-install. Needed to un-comment > > PasswordAuthentication yes This is disabled because we enable ChallengeResponseAuthentication which is a superset of PasswordAuthentication. PasswordAuthentication can't deal with PAM prompts, it is a oneshot only option (ie fails if PAM asks you to make a pasword change), while ChallengeResponseAuthentication is the more modern method that properly deals with PAM prompts. You should prefer ChallengeResponseAuthentication over PasswordAuthentication. HTH, Simo. > Terry > > From: freeipa-users-boun...@redhat.com > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Terry John > Sent: 18 February 2016 11:41 > To: freeipa-users@redhat.com > Subject: [Freeipa-users] 14: No supported authentication methods > available > > I have an AWS instance running Centos 6.7 correctly configured for freeipa > but I needed to make a backup machine which would remain live. > > I created a clone of the machine and changed the host name and the settings > in /etc/hosts. When I tried to run ipa-client-install it told me to run the > uninstall which I did. This had the worrying effect of not being able to log > into my original live server but thankfully after a while it came good. I > don't know why. > > Back on the new server I ran 'ipa-client-install --enable-dns-updates > -mkhomedir' and it seemed to run ok. The host was created on the freeipa GUI > and I added it to the same host group as the original server. But when I try > to log in via SSH I get the error 'No supported authentication methods > available'. I do have root access via the AWS Key file. > > As far as I can tell all the relevant settings seem the same between the two > servers but one works and the other doesn't. I can kinit and klist using my > freeipa account. 'getent netgroup my-servergroup' works fine. > > I can't seem to find anything relevant in the sssd logs and > /var/log/secure just give me the same error of no supported > authentication methods available > > I have noticed in /var/log/messages when I restart sssd and error > which may be relevant but can't find anything useful so far > > sssd[be[my.domain.net]]: dereference processing failed : Input/output > error > > Thanks > > Terry > > > > The Manheim group of companies within the UK comprises: Manheim Europe > Limited (registered number: 03183918), Manheim Auctions Limited (registered > number: 00448761), Manheim Retail Services Limited (registered number: > 02838588), Motors.co.uk Limited (registered number: 05975777), Real Time > Communications Limited (registered number: 04277845) and Complete Automotive > Solutions Limited (registered number: 05302535). Each of these companies is > registered in England and Wales with the registered office address of Central > House, Leeds Road, Rothwell, Leeds LS26 0JE. The Manheim group of companies > operates under various brand/trading names including Manheim Inspection > Services, Manheim Auctions, Manheim Direct, Manheim De-fleet and Manheim > Aftersales Solutions. > > V:0CF72C13B2AC > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] 14: No supported authentication methods available
On Thu, 2016-02-25 at 14:36 +, Terry John wrote: > This turned out to be a setting in /etc/ssh/sshd_config which gets overridden > by ipa-client-install. Needed to un-comment > > PasswordAuthentication yes This is disabled because we enable ChallengeResponseAuthentication which is a superset of PasswordAuthentication. PasswordAuthentication can't deal with PAM prompts, it is a oneshot only option (ie fails if PAM asks you to make a pasword change), while ChallengeResponseAuthentication is the more modern method that properly deals with PAM prompts. You should prefer ChallengeResponseAuthentication over PasswordAuthentication. HTH, Simo. > Terry > > From: freeipa-users-boun...@redhat.com > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Terry John > Sent: 18 February 2016 11:41 > To: freeipa-users@redhat.com > Subject: [Freeipa-users] 14: No supported authentication methods available > > I have an AWS instance running Centos 6.7 correctly configured for freeipa > but I needed to make a backup machine which would remain live. > > I created a clone of the machine and changed the host name and the settings > in /etc/hosts. When I tried to run ipa-client-install it told me to run the > uninstall which I did. This had the worrying effect of not being able to log > into my original live server but thankfully after a while it came good. I > don't know why. > > Back on the new server I ran 'ipa-client-install --enable-dns-updates > -mkhomedir' and it seemed to run ok. The host was created on the freeipa GUI > and I added it to the same host group as the original server. But when I try > to log in via SSH I get the error 'No supported authentication methods > available'. I do have root access via the AWS Key file. > > As far as I can tell all the relevant settings seem the same between the two > servers but one works and the other doesn't. I can kinit and klist using my > freeipa account. 'getent netgroup my-servergroup' works fine. > > I can't seem to find anything relevant in the sssd logs and /var/log/secure > just give me the same error of no supported authentication methods available > > I have noticed in /var/log/messages when I restart sssd and error which may > be relevant but can't find anything useful so far > > sssd[be[my.domain.net]]: dereference processing failed : Input/output error > > Thanks > > Terry > > > > The Manheim group of companies within the UK comprises: Manheim Europe > Limited (registered number: 03183918), Manheim Auctions Limited (registered > number: 00448761), Manheim Retail Services Limited (registered number: > 02838588), Motors.co.uk Limited (registered number: 05975777), Real Time > Communications Limited (registered number: 04277845) and Complete Automotive > Solutions Limited (registered number: 05302535). Each of these companies is > registered in England and Wales with the registered office address of Central > House, Leeds Road, Rothwell, Leeds LS26 0JE. The Manheim group of companies > operates under various brand/trading names including Manheim Inspection > Services, Manheim Auctions, Manheim Direct, Manheim De-fleet and Manheim > Aftersales Solutions. > > V:0CF72C13B2AC > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] 14: No supported authentication methods available
Terry John wrote: > This turned out to be a setting in /etc/ssh/sshd_config which gets > overridden by ipa-client-install. Needed to un-comment > > > > PasswordAuthentication yes Glad you got it fixed but I don't think ipa-client-install was responsible for this change. It does make changes to sshd_config but not to this directive. rob > > > > Terry > > > > *From:*freeipa-users-boun...@redhat.com > [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Terry John > *Sent:* 18 February 2016 11:41 > *To:* freeipa-users@redhat.com > *Subject:* [Freeipa-users] 14: No supported authentication methods available > > > > I have an AWS instance running Centos 6.7 correctly configured for > freeipa but I needed to make a backup machine which would remain live. > > > > I created a clone of the machine and changed the host name and the > settings in /etc/hosts. When I tried to run ipa-client-install it told > me to run the uninstall which I did. This had the worrying effect of not > being able to log into my original live server but thankfully after a > while it came good. I dont know why. > > > > Back on the new server I ran ipa-client-install --enable-dns-updates > mkhomedir and it seemed to run ok. The host was created on the freeipa > GUI and I added it to the same host group as the original server. But > when I try to log in via SSH I get the error No supported > authentication methods available. I do have root access via the AWS Key > file. > > > > As far as I can tell all the relevant settings seem the same between the > two servers but one works and the other doesnt. I can kinit and klist > using my freeipa account. getent netgroup my-servergroup works fine. > > > > I cant seem to find anything relevant in the sssd logs and > /var/log/secure just give me the same error of no supported > authentication methods available > > > > I have noticed in /var/log/messages when I restart sssd and error which > may be relevant but cant find anything useful so far > > > > sssd[be[my.domain.net]]: dereference processing failed : Input/output error > > > > Thanks > > > > Terry > > > > The Manheim group of companies within the UK comprises: Manheim Europe > Limited (registered number: 03183918), Manheim Auctions Limited > (registered number: 00448761), Manheim Retail Services Limited > (registered number: 02838588), Motors.co.uk Limited (registered number: > 05975777), Real Time Communications Limited (registered number: > 04277845) and Complete Automotive Solutions Limited (registered number: > 05302535). Each of these companies is registered in England and Wales > with the registered office address of Central House, Leeds Road, > Rothwell, Leeds LS26 0JE. The Manheim group of companies operates under > various brand/trading names including Manheim Inspection Services, > Manheim Auctions, Manheim Direct, Manheim De-fleet and Manheim > Aftersales Solutions. > > V:0CF72C13B2AC > > > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] 14: No supported authentication methods available
This turned out to be a setting in /etc/ssh/sshd_config which gets overridden by ipa-client-install. Needed to un-comment PasswordAuthentication yes Terry From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Terry John Sent: 18 February 2016 11:41 To: freeipa-users@redhat.com Subject: [Freeipa-users] 14: No supported authentication methods available I have an AWS instance running Centos 6.7 correctly configured for freeipa but I needed to make a backup machine which would remain live. I created a clone of the machine and changed the host name and the settings in /etc/hosts. When I tried to run ipa-client-install it told me to run the uninstall which I did. This had the worrying effect of not being able to log into my original live server but thankfully after a while it came good. I don't know why. Back on the new server I ran 'ipa-client-install --enable-dns-updates -mkhomedir' and it seemed to run ok. The host was created on the freeipa GUI and I added it to the same host group as the original server. But when I try to log in via SSH I get the error 'No supported authentication methods available'. I do have root access via the AWS Key file. As far as I can tell all the relevant settings seem the same between the two servers but one works and the other doesn't. I can kinit and klist using my freeipa account. 'getent netgroup my-servergroup' works fine. I can't seem to find anything relevant in the sssd logs and /var/log/secure just give me the same error of no supported authentication methods available I have noticed in /var/log/messages when I restart sssd and error which may be relevant but can't find anything useful so far sssd[be[my.domain.net]]: dereference processing failed : Input/output error Thanks Terry The Manheim group of companies within the UK comprises: Manheim Europe Limited (registered number: 03183918), Manheim Auctions Limited (registered number: 00448761), Manheim Retail Services Limited (registered number: 02838588), Motors.co.uk Limited (registered number: 05975777), Real Time Communications Limited (registered number: 04277845) and Complete Automotive Solutions Limited (registered number: 05302535). Each of these companies is registered in England and Wales with the registered office address of Central House, Leeds Road, Rothwell, Leeds LS26 0JE. The Manheim group of companies operates under various brand/trading names including Manheim Inspection Services, Manheim Auctions, Manheim Direct, Manheim De-fleet and Manheim Aftersales Solutions. V:0CF72C13B2AC -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
