r -p /opt/ssh
# cd /opt/ssh
# wget http://packages.us-east-1.amazonaws.com/2013.09/main/201309001984/x86_64/Packages/openssh-server-6.2p2-4.34.amzn1.x86_64.rpm
# wget http://packages.us-east-1.amazonaws.com/2013.09/main/201309001984/x86_64/Packages/openssh-6.2p2-4.34.amzn1.x86_64.rpm
# wget http://packages.us-east-1.amazonaws.com/2013.09/main/201309001984/x86_64/Packages/openssh-clients-6.2p2-4.34.amzn1.x86_64.rpm
# rpm -Uvh *.rpm
# yum update -y
# ipa-client-install --server kdc1.iocs-systems.internal --server kdc2.iocs-systems.internal --domain IOCS-SYSTEMS.INTERNAL --fixed-primary --mkhomedir
# vi /etc/ssh/sshd_config
Add the following lines at the end:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
# service sshd restart
# mkdir -p /etc/selinux/targeted/logins
That's it.
Regards,
Mohan
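An added check, mine and not code from either message in this thread: it asks the installed sshd whether it accepts one of the three option pairs Rob lists (the probing he says ipa-client-install logs), then confirms that the sshd_config edited above actually sets one of them. It takes the sshd binary and the config path as arguments; the order in which the pairs are tried is an assumption.

```shell
#!/bin/sh
# Added example (not code from this thread): does this sshd build accept one of
# the three option pairs Rob lists, and does a given sshd_config enable one?
# Pair order is my assumption about what ipa-client-install tries first.
PAIRS="AuthorizedKeysCommand:AuthorizedKeysCommandUser
AuthorizedKeysCommand:AuthorizedKeysCommandRunAs
PubKeyAgent:PubKeyAgentRunAs"

# probe_sshd SSHD_BIN: print the first pair the binary accepts, return 1 if none.
# An unknown keyword makes "sshd -t" report "Bad configuration option"; any
# other failure (e.g. missing host keys) says nothing about keyword support.
probe_sshd() {
  sshd_bin=$1
  [ -x "$sshd_bin" ] || return 1
  for pair in $PAIRS; do
    cmd=${pair%%:*}; user=${pair#*:}
    err=$("$sshd_bin" -t -f /dev/null -o "$cmd=/usr/bin/sss_ssh_authorizedkeys" \
          -o "$user=nobody" 2>&1 >/dev/null) || true
    case $err in
      *"Bad configuration option"*) continue ;;
      *) printf '%s\n' "$pair"; return 0 ;;
    esac
  done
  return 1
}

# config_pair CONFIG: print the pair whose two keywords are both set (not
# commented out) in CONFIG, return 1 if none. Keywords are case-insensitive.
config_pair() {
  cfg=$1
  for pair in $PAIRS; do
    cmd=${pair%%:*}; user=${pair#*:}
    if grep -Eiq "^[[:space:]]*$cmd[[:space:]=]+[^[:space:]]" "$cfg" &&
       grep -Eiq "^[[:space:]]*$user[[:space:]=]+[^[:space:]]" "$cfg"; then
      printf '%s\n' "$pair"; return 0
    fi
  done
  return 1
}

# main SSHD_BIN CONFIG: 0 = ready, 1 = sshd fine but config not, 2 = sshd too old.
main() {
  supported=$(probe_sshd "$1") ||
    { echo "sshd accepts none of the pairs: upgrade openssh-server"; return 2; }
  enabled=$(config_pair "$2") ||
    { echo "sshd accepts $supported but $2 does not enable it"; return 1; }
  echo "sshd accepts $supported; $2 enables $enabled"
}
# Usage: sh check.sh /usr/sbin/sshd /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then main "$@"; fi
```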
> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Friday, October 04, 2013 2:03 PM
> To: Mohan Cheema; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA client setup in AWS
>
> Mohan Cheema wrote:
> > Hi,
> >
> > We have a number of Amazon AMIs (Amazon Linux) in AWS. As this is based
> > on RHEL we installed a number of packages to enable users on those
> > machines to get authenticated against ipa. The client gets configured
> > with the below warning.
> >
> > ---
> > WARNING Installed OpenSSH server does not support dynamically loading
> > authorized user keys. Public key authentication of IPA users will not
> > be available.
> > ---
> >
> > When a user tries to authenticate, the SSH connection is dropped; the ipa
> > server issues the authentication ticket to the machine.
> >
> > Packages that have been installed:
> >
> > --
> > ipa-python-3.0.0-25.el6.x86_64.rpm
> > python-ldap-2.3.10-1.el6.x86_64.rpm
> > cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64.rpm
> > pam_krb5-2.3.11-9.el6.i686.rpm
> > sssd-1.9.2-82.el6.x86_64.rpm
> > certmonger-0.61-3.el6.x86_64.rpm
> > oddjob-mkhomedir-0.30-5.el6.x86_64.rpm
> > python-krbV-1.0.90-3.el6.x86_64.rpm
> > libsss_autofs-1.9.2-82.el6.x86_64.rpm
> > autofs-5.0.5-73.el6.x86_64.rpm
> > nfs-utils-1.2.3-36.el6.x86_64.rpm
> > sssd-client-1.9.2-82.el6.x86_64.rpm
> > python-kerberos-1.1-6.2.el6.x86_64.rpm
> > python-nss-0.13-1.el6.x86_64.rpm
> > python-lxml-2.2.3-1.1.el6.x86_64.rpm
> > python-netaddr-0.7.5-4.el6.noarch.rpm
> > pyOpenSSL-0.10-2.el6.x86_64.rpm
> > libipa_hbac-python-1.9.2-82.el6.x86_64.rpm
> > libgssglue-0.1-11.el6.x86_64.rpm
> > nfs-utils-lib-1.1.5-6.el6.x86_64.rpm
> > rpcbind-0.2.0-11.el6.x86_64.rpm
> > oddjob-0.30-5.el6.x86_64.rpm
> > libipa_hbac-1.9.2-82.el6.x86_64.rpm
> > libldb-1.1.13-3.el6.x86_64.rpm
> > libsss_idmap-1.9.2-82.el6.x86_64.rpm
> > libevent-1.4.13-4.el6.x86_64.rpm
> > libtalloc-2.0.7-2.el6.x86_64.rpm
> > keyutils-1.4-4.el6.x86_64.rpm
> > libdhash-0.4.2-9.el6.x86_64.rpm
> > libtirpc-0.2.1-5.el6.x86_64.rpm
> > ipa-client-3.0.0-25.el6.x86_64.rpm
> > libtevent-0.9.17-1.el6.x86_64.rpm
> > libtdb-1.2.10-1.el6.x86_64.rpm
> > libini_config-0.6.1-9.el6.x86_64.rpm
> > libcollection-0.6.0-9.el6.x86_64.rpm
> > libpath_utils-0.2.1-9.el6.x86_64.rpm
> > libref_array-0.1.1-9.el6.x86_64.rpm
> > c-ares-1.7.0-6.el6.x86_64.rpm
> > samba4-libs-4.0.0-55.el6.rc4.x86_64.rpm
> > libnl-1.1-14.el6.x86_64.rpm
> > --
> >
> > Are there any other packages that need to be installed to make it
> > work?
> >
> > Below is the ssh version.
> >
> > # rpm -qa | grep ssh
> > libssh2-1.4.2-1.10.amzn1.x86_64
> > openssh-6.2p2-4.34.amzn1.x86_64
> > openssh-clients-6.2p2-4.34.amzn1.x86_64
> > openssh-server-6.2p2-4.34.amzn1.x86_64
>
> I'm guessing the problem is the Amazon-specific version of ssh. It needs
> to support one of these command combinations:
>
> AuthorizedKeysCommand and AuthorizedKeysCommandUser
> AuthorizedKeysCommand and AuthorizedKeysCommandRunAs
> PubKeyAgent and PubKeyAgentRunAs
>
> /var/log/ipaclient-install.log should contain the output of the probing
> for this support.
>
> rob
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users