Re: [Freeipa-users] 14: No supported authentication methods available

2016-02-25 Thread Simo Sorce
On Thu, 2016-02-25 at 16:56 +, Terry John wrote:
> Thanks for that. From what I've read there is no simple right answer. In 2013 
> RedHat itself says to leave ChallengeResponseAuthentication set to no "due to 
> security reasons".
> 
> https://access.redhat.com/solutions/336773

We'll investigate to see if this is still a concern, given upstream has
it defaulting to yes.
The reason it should be preferred is that it will allow prompting for
multiple factors, something we have in the works and would break without
this option set to true.
Password changes (when the password is expiring PAM may ask to change
it) also break badly if no ChallengeResponseAuthentication is used.

Simo.

> Setting PasswordAuthentication yes seems to leave all the other settings 
> within the sshd_config file like "PermitRootLogin without-password" which 
> may be overridden elsewhere if ChallengeResponseAuthentication is set to yes.
> 
> Terry
> 
> -Original Message-
> From: Simo Sorce [mailto:s...@redhat.com] 
> Sent: 25 February 2016 15:01
> To: Terry John
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] 14: No supported authentication methods available
> 
> On Thu, 2016-02-25 at 14:36 +, Terry John wrote:
> > This turned out to be a setting in /etc/ssh/sshd_config which gets
> > overridden by ipa-client-install. Needed to un-comment
> > 
> > PasswordAuthentication yes
> 
> 
> This is disabled because we enable ChallengeResponseAuthentication which is a 
> superset of PasswordAuthentication.
> 
> PasswordAuthentication can't deal with PAM prompts, it is a one-shot only 
> option (i.e. fails if PAM asks you to make a password change), while 
> ChallengeResponseAuthentication is the more modern method that properly deals 
> with PAM prompts.
> 
> You should prefer ChallengeResponseAuthentication over PasswordAuthentication.
> 
> HTH,
> Simo.
> 
> 
> > Terry
> > 
> > From: freeipa-users-boun...@redhat.com 
> > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Terry John
> > Sent: 18 February 2016 11:41
> > To: freeipa-users@redhat.com
> > Subject: [Freeipa-users] 14: No supported authentication methods available
> > 
> > I have an AWS instance running Centos 6.7 correctly configured for freeipa 
> > but I needed to make a backup machine which would remain live.
> > 
> > I created a clone of the machine and changed the host name and the settings 
> > in /etc/hosts. When I tried to run ipa-client-install it told me to run the 
> > uninstall which I did. This had the worrying effect of not being able to 
> > log into my original live server but thankfully after a while it came good. 
> > I don't know why.
> > 
> > Back on the new server I ran 'ipa-client-install --enable-dns-updates 
> > -mkhomedir' and it seemed to run ok. The host was created on the freeipa 
> > GUI and I added it to the same host group as the original server. But when 
> > I try to log in via SSH I get the error 'No supported authentication 
> > methods available'. I do have root access via the AWS Key file.
> > 
> > As far as I can tell all the relevant settings seem the same between the 
> > two servers but one works and the other doesn't. I can kinit and klist 
> > using my freeipa account. 'getent netgroup my-servergroup' works fine.
> > 
> > I can't seem to find anything relevant in the sssd logs and 
> > /var/log/secure just give me the same error of no supported 
> > authentication methods available
> > 
> > I have noticed in /var/log/messages when I restart sssd an error 
> > which may be relevant but can't find anything useful so far
> > 
> > sssd[be[my.domain.net]]: dereference processing failed : Input/output 
> > error
> > 
> > Thanks
> > 
> > Terry
> > 

Re: [Freeipa-users] 14: No supported authentication methods available

2016-02-25 Thread Terry John
Thanks for that. From what I've read there is no simple right answer. In 2013 
RedHat itself says to leave ChallengeResponseAuthentication set to no "due to 
security reasons".

https://access.redhat.com/solutions/336773

Setting PasswordAuthentication yes seems to leave all the other settings within 
the sshd_config file like "PermitRootLogin without-password" which may be 
overridden elsewhere if ChallengeResponseAuthentication is set to yes.

Terry

-Original Message-
From: Simo Sorce [mailto:s...@redhat.com] 
Sent: 25 February 2016 15:01
To: Terry John
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] 14: No supported authentication methods available

On Thu, 2016-02-25 at 14:36 +, Terry John wrote:
> This turned out to be a setting in /etc/ssh/sshd_config which gets 
> overridden by ipa-client-install. Needed to un-comment
> 
> PasswordAuthentication yes

This is disabled because we enable ChallengeResponseAuthentication which is a 
superset of PasswordAuthentication.

PasswordAuthentication can't deal with PAM prompts, it is a one-shot only option 
(i.e. fails if PAM asks you to make a password change), while 
ChallengeResponseAuthentication is the more modern method that properly deals 
with PAM prompts.

You should prefer ChallengeResponseAuthentication over PasswordAuthentication.

HTH,
Simo.


> Terry
> 
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Terry John
> Sent: 18 February 2016 11:41
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] 14: No supported authentication methods 
> available
> 
> I have an AWS instance running Centos 6.7 correctly configured for freeipa 
> but I needed to make a backup machine which would remain live.
> 
> I created a clone of the machine and changed the host name and the settings 
> in /etc/hosts. When I tried to run ipa-client-install it told me to run the 
> uninstall which I did. This had the worrying effect of not being able to log 
> into my original live server but thankfully after a while it came good. I 
> don't know why.
> 
> Back on the new server I ran 'ipa-client-install --enable-dns-updates 
> -mkhomedir' and it seemed to run ok. The host was created on the freeipa GUI 
> and I added it to the same host group as the original server. But when I try 
> to log in via SSH I get the error 'No supported authentication methods 
> available'. I do have root access via the AWS Key file.
> 
> As far as I can tell all the relevant settings seem the same between the two 
> servers but one works and the other doesn't. I can kinit and klist using my 
> freeipa account. 'getent netgroup my-servergroup' works fine.
> 
> I can't seem to find anything relevant in the sssd logs and 
> /var/log/secure just give me the same error of no supported 
> authentication methods available
> 
> I have noticed in /var/log/messages when I restart sssd an error 
> which may be relevant but can't find anything useful so far
> 
> sssd[be[my.domain.net]]: dereference processing failed : Input/output 
> error
> 
> Thanks
> 
> Terry
> 
> 
> 
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project


-- 
Simo Sorce * Red Hat, Inc * New York




Re: [Freeipa-users] 14: No supported authentication methods available

2016-02-25 Thread Simo Sorce
On Thu, 2016-02-25 at 14:36 +, Terry John wrote:
> This turned out to be a setting in /etc/ssh/sshd_config which gets overridden 
> by ipa-client-install. Needed to un-comment
> 
> PasswordAuthentication yes

This is disabled because we enable ChallengeResponseAuthentication which
is a superset of PasswordAuthentication.

PasswordAuthentication can't deal with PAM prompts, it is a one-shot only
option (i.e. fails if PAM asks you to make a password change), while
ChallengeResponseAuthentication is the more modern method that properly
deals with PAM prompts.

You should prefer ChallengeResponseAuthentication over
PasswordAuthentication.

HTH,
Simo.


> Terry
> 
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Terry John
> Sent: 18 February 2016 11:41
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] 14: No supported authentication methods available
> 
> I have an AWS instance running Centos 6.7 correctly configured for freeipa 
> but I needed to make a backup machine which would remain live.
> 
> I created a clone of the machine and changed the host name and the settings 
> in /etc/hosts. When I tried to run ipa-client-install it told me to run the 
> uninstall which I did. This had the worrying effect of not being able to log 
> into my original live server but thankfully after a while it came good. I 
> don't know why.
> 
> Back on the new server I ran 'ipa-client-install --enable-dns-updates 
> -mkhomedir' and it seemed to run ok. The host was created on the freeipa GUI 
> and I added it to the same host group as the original server. But when I try 
> to log in via SSH I get the error 'No supported authentication methods 
> available'. I do have root access via the AWS Key file.
> 
> As far as I can tell all the relevant settings seem the same between the two 
> servers but one works and the other doesn't. I can kinit and klist using my 
> freeipa account. 'getent netgroup my-servergroup' works fine.
> 
> I can't seem to find anything relevant in the sssd logs and /var/log/secure 
> just give me the same error of no supported authentication methods available
> 
> I have noticed in /var/log/messages when I restart sssd an error which may 
> be relevant but can't find anything useful so far
> 
> sssd[be[my.domain.net]]: dereference processing failed : Input/output error
> 
> Thanks
> 
> Terry
> 
> 
> 
> 


-- 
Simo Sorce * Red Hat, Inc * New York

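As an added example (not code from the thread's authors or the FreeIPA project), the Python check below resolves the effective sshd_config values the way OpenSSH does and reports which password-based login paths a host will offer. It covers both Simo's point that only ChallengeResponseAuthentication relays PAM prompts such as an expired-password change, and Terry's question about a directive being "overridden elsewhere": sshd uses the first occurrence of a keyword, so a later duplicate never overrides an earlier one. The defaults and first-wins rule follow sshd_config(5); treating keyboard-interactive as usable only when UsePAM is also yes is an assumption of this check, and all sample configs are constructed.

```python
"""Effective sshd_config check for the directives in this thread (added example,
not FreeIPA project code). Assumes OpenSSH semantics: keywords are
case-insensitive, lines starting with '#' are comments, the FIRST occurrence
of a keyword wins, and only the global section before any 'Match' counts."""

# Built-in defaults per sshd_config(5) of the OpenSSH 5.x/6.x era (CentOS 6);
# newer releases rename ChallengeResponseAuthentication to KbdInteractiveAuthentication.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}


def effective_values(config_text):
    """Return the effective value of each keyword in DEFAULTS."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":
            break  # per-connection overrides begin; global section ends
        if len(parts) == 2:
            seen.setdefault(key, parts[1].strip())  # first value wins
    return {k: seen.get(k, v) for k, v in DEFAULTS.items()}


def password_login_paths(config_text):
    """Password-based methods sshd will offer a client (pubkey aside)."""
    eff = effective_values(config_text)
    paths = []
    if eff["challengeresponseauthentication"] == "yes" and eff["usepam"] == "yes":
        # keyboard-interactive relays every PAM prompt, including the forced
        # change of an expired FreeIPA password (assumed to need UsePAM yes)
        paths.append("keyboard-interactive")
    if eff["passwordauthentication"] == "yes":
        # one-shot: fails as soon as PAM asks for more than the password
        paths.append("password")
    return paths


# Constructed samples (not taken from the thread's hosts)
SAMPLE_LOCKED_OUT = "PasswordAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes\n"
SAMPLE_CHALLENGE = "PasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes\n"
# a later duplicate does not override the earlier line: first value wins
SAMPLE_DUPLICATE = "PasswordAuthentication no\nUsePAM yes\nPasswordAuthentication yes\n"
```

An empty result from `password_login_paths` for a user who has no key on the host is the configuration-side cause of the "No supported authentication methods available" class of failure; compare with `sshd -T` on a real host, which prints the values sshd itself resolved.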


Re: [Freeipa-users] 14: No supported authentication methods available

2016-02-25 Thread Rob Crittenden
Terry John wrote:
> This turned out to be a setting in /etc/ssh/sshd_config which gets
> overridden by ipa-client-install. Needed to un-comment
> 
> PasswordAuthentication yes

Glad you got it fixed but I don't think ipa-client-install was
responsible for this change. It does make changes to sshd_config but not
to this directive.

rob

> 
> Terry
> 
> *From:*freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Terry John
> *Sent:* 18 February 2016 11:41
> *To:* freeipa-users@redhat.com
> *Subject:* [Freeipa-users] 14: No supported authentication methods available
> 
> I have an AWS instance running Centos 6.7 correctly configured for
> freeipa but I needed to make a backup machine which would remain live.
> 
> I created a clone of the machine and changed the host name and the
> settings in /etc/hosts. When I tried to run ipa-client-install it told
> me to run the uninstall which I did. This had the worrying effect of not
> being able to log into my original live server but thankfully after a
> while it came good. I don’t know why.
> 
> Back on the new server I ran ‘ipa-client-install --enable-dns-updates
> –mkhomedir’ and it seemed to run ok. The host was created on the freeipa
> GUI and I added it to the same host group as the original server. But
> when I try to log in via SSH I get the error ‘No supported
> authentication methods available’. I do have root access via the AWS Key
> file.
> 
> As far as I can tell all the relevant settings seem the same between the
> two servers but one works and the other doesn’t. I can kinit and klist
> using my freeipa account. ‘getent netgroup my-servergroup’ works fine.
> 
> I can’t seem to find anything relevant in the sssd logs and
> /var/log/secure just give me the same error of no supported
> authentication methods available
> 
> I have noticed in /var/log/messages when I restart sssd an error which
> may be relevant but can’t find anything useful so far
> 
> sssd[be[my.domain.net]]: dereference processing failed : Input/output error
> 
> Thanks
> 
> Terry
> 



Re: [Freeipa-users] 14: No supported authentication methods available

2016-02-25 Thread Terry John
This turned out to be a setting in /etc/ssh/sshd_config which gets overridden 
by ipa-client-install. Needed to un-comment

PasswordAuthentication yes

Terry

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Terry John
Sent: 18 February 2016 11:41
To: freeipa-users@redhat.com
Subject: [Freeipa-users] 14: No supported authentication methods available

I have an AWS instance running Centos 6.7 correctly configured for freeipa but 
I needed to make a backup machine which would remain live.

I created a clone of the machine and changed the host name and the settings in 
/etc/hosts. When I tried to run ipa-client-install it told me to run the 
uninstall which I did. This had the worrying effect of not being able to log 
into my original live server but thankfully after a while it came good. I don't 
know why.

Back on the new server I ran 'ipa-client-install --enable-dns-updates 
-mkhomedir' and it seemed to run ok. The host was created on the freeipa GUI 
and I added it to the same host group as the original server. But when I try to 
log in via SSH I get the error 'No supported authentication methods available'. 
I do have root access via the AWS Key file.

As far as I can tell all the relevant settings seem the same between the two 
servers but one works and the other doesn't. I can kinit and klist using my 
freeipa account. 'getent netgroup my-servergroup' works fine.

I can't seem to find anything relevant in the sssd logs and /var/log/secure 
just give me the same error of no supported authentication methods available

I have noticed in /var/log/messages when I restart sssd an error which may be 
relevant but can't find anything useful so far

sssd[be[my.domain.net]]: dereference processing failed : Input/output error

Thanks

Terry




