Re: [Freeipa-users] Installed OpenSSH server does not support dynamically loading authorized user keys - no key login support

2014-11-11 Thread Vaclav Adamec
openssh-6.1p1-5.el6.1.x86_64
libssh2-1.4.2-1.el6.x86_64
openssh-clients-6.1p1-5.el6.1.x86_64
openssh-server-6.1p1-5.el6.1.x86_64


It's an up-to-date CentOS 6.6 with OpenSSH 6.1, but the same issue occurs with 6.7. I'll
check rpmspec to see whether there is an issue with dynamically loading authorized user
keys; I'm not aware of any disabled functionality. I'll also try a fresh
CentOS 6.6 with the default OpenSSH 5.3.

Vasek


On Tue, Nov 11, 2014 at 3:44 PM, Rob Crittenden wrote:

> Vaclav Adamec wrote:
> > Here it is:
> >
> > 2014-11-11T11:45:33Z DEBUG stderr=
> > 2014-11-11T11:45:33Z DEBUG Backing up system configuration file
> > '/etc/ssh/ssh_config'
> > 2014-11-11T11:45:33Z DEBUG Saving Index File to
> > '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > 2014-11-11T11:45:33Z INFO Configured /etc/ssh/ssh_config
> > 2014-11-11T11:45:33Z DEBUG Backing up system configuration file
> > '/etc/ssh/sshd_config'
> > 2014-11-11T11:45:33Z DEBUG Saving Index File to
> > '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > 2014-11-11T11:45:33Z DEBUG args=sshd -t -f /dev/null -o
> > AuthorizedKeysCommand=
> > 2014-11-11T11:45:33Z DEBUG stdout=
> > 2014-11-11T11:45:33Z DEBUG stderr=command-line line 0:
> > AuthorizedKeysCommand must be an absolute path
> >
> > 2014-11-11T11:45:33Z DEBUG args=sshd -t -f /dev/null -o PubKeyAgent=
> > 2014-11-11T11:45:33Z DEBUG stdout=
> > 2014-11-11T11:45:33Z DEBUG stderr=command-line: line 0: Bad
> > configuration option: PubKeyAgent
> >
> > 2014-11-11T11:45:33Z WARNING Installed OpenSSH server does not support
> > dynamically loading authorized user keys. Public key authentication of
> > IPA users will not be available.
> > 2014-11-11T11:45:33Z INFO Configured /etc/ssh/sshd_config
> > 2014-11-11T11:45:33Z DEBUG args=/sbin/service sshd status
> > 2014-11-11T11:45:33Z DEBUG stdout=openssh-daemon (pid  24698) is running...
>
> Seems to be different behavior from sshd. What version do you have
> installed?
>
> On my RHEL-6.x box I see:
>
> 2014-11-11T14:40:00Z DEBUG args=sshd -t -f /dev/null -o
> AuthorizedKeysCommand=
> 2014-11-11T14:40:00Z DEBUG stdout=
> 2014-11-11T14:40:00Z DEBUG stderr=
> 2014-11-11T14:40:00Z INFO Configured /etc/ssh/sshd_config
>
> rob
>
> >
> >
> > On Tue, Nov 11, 2014 at 3:15 PM, Rob Crittenden wrote:
> >
> > Vaclav Adamec wrote:
> > > Hi,
> > >  I'm getting "Installed OpenSSH server does not support dynamically
> > > loading authorized user keys. Public key authentication of IPA users
> > > will not be available" during ipa client install on CentOS 6.6
> > >
> > > Packages openssh-server-6.1p1-5.el6.1.x86_64 and
> > > ipa-client-3.0.0-42.el6.centos.x86_64
> > >
> > > Manual setup of "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys"
> > > in /etc/ssh/sshd_config is ok.
> > >
> > > Any reason for that ?
> > >
> >
> > I'd check the client install log for more details,
> > /var/log/ipaclient-install.log
> >
> > A number of different permutations are tried and the log should have
> > more details on which ones failed (and hopefully why).
> >
> > rob


-- 
-- May the fox be with you ...
   /\
  (~(
   ) ) /\_/\
  (_=---_(@ @)
(  \   /
/|/\|\  V
" " " "
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
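
Added example (not part of any message in this thread, and not FreeIPA code): a small Python parser, with hypothetical function names, that re-joins the wrapped lines of an ipaclient-install.log excerpt and classifies the stderr of each "sshd -t" probe. It separates "Bad configuration option" (sshd does not know the option name) from "must be an absolute path" (the name was parsed but the empty value was refused), which is the difference between the two logs quoted above; the category labels are this example's own.

```python
import re

# Constructed sample: probe records from the two logs quoted in this thread (first one left wrapped).
SAMPLE_LOG = """\
2014-11-11T11:45:33Z DEBUG args=sshd -t -f /dev/null -o
AuthorizedKeysCommand=
2014-11-11T11:45:33Z DEBUG stderr=command-line line 0:
AuthorizedKeysCommand must be an absolute path
2014-11-11T11:45:33Z DEBUG args=sshd -t -f /dev/null -o PubKeyAgent=
2014-11-11T11:45:33Z DEBUG stderr=command-line: line 0: Bad configuration option: PubKeyAgent
2014-11-11T14:40:00Z DEBUG args=sshd -t -f /dev/null -o AuthorizedKeysCommand=
2014-11-11T14:40:00Z DEBUG stderr=
"""

RECORD = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ [A-Z]+ (.*)$")
PROBE = re.compile(r"^args=sshd -t .*-o (\w+)=$")

def records(text):  # yield message bodies, re-joining lines that lack a timestamp
    current = None
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            if current is not None:
                yield current
            current = m.group(1)
        elif line.strip() and current is not None:
            current = f"{current} {line.strip()}"
    if current is not None:
        yield current

def classify(stderr):  # labels are this example's own, not ipa-client-install's
    if not stderr:
        return "accepted"
    if "Bad configuration option" in stderr:
        return "unknown-option"
    if "must be an absolute path" in stderr:
        return "known-option-empty-value-refused"
    return "other-error"

def probe_results(text):  # pair each probed option with the class of its stderr record
    results, option = [], None
    for body in records(text):
        m = PROBE.match(body)
        if m:
            option = m.group(1)
        elif option and body.startswith("stderr="):
            results.append((option, classify(body[len("stderr="):].strip())))
            option = None
    return results
```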

Re: [Freeipa-users] Installed OpenSSH server does not support dynamically loading authorized user keys - no key login support

2014-11-11 Thread Rob Crittenden
Vaclav Adamec wrote:
> Here it is:
> 
> 2014-11-11T11:45:33Z DEBUG stderr=
> 2014-11-11T11:45:33Z DEBUG Backing up system configuration file
> '/etc/ssh/ssh_config'
> 2014-11-11T11:45:33Z DEBUG Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2014-11-11T11:45:33Z INFO Configured /etc/ssh/ssh_config
> 2014-11-11T11:45:33Z DEBUG Backing up system configuration file
> '/etc/ssh/sshd_config'
> 2014-11-11T11:45:33Z DEBUG Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2014-11-11T11:45:33Z DEBUG args=sshd -t -f /dev/null -o
> AuthorizedKeysCommand=
> 2014-11-11T11:45:33Z DEBUG stdout=
> 2014-11-11T11:45:33Z DEBUG stderr=command-line line 0:
> AuthorizedKeysCommand must be an absolute path
> 
> 2014-11-11T11:45:33Z DEBUG args=sshd -t -f /dev/null -o PubKeyAgent=
> 2014-11-11T11:45:33Z DEBUG stdout=
> 2014-11-11T11:45:33Z DEBUG stderr=command-line: line 0: Bad
> configuration option: PubKeyAgent
> 
> 2014-11-11T11:45:33Z WARNING Installed OpenSSH server does not support
> dynamically loading authorized user keys. Public key authentication of
> IPA users will not be available.
> 2014-11-11T11:45:33Z INFO Configured /etc/ssh/sshd_config
> 2014-11-11T11:45:33Z DEBUG args=/sbin/service sshd status
> 2014-11-11T11:45:33Z DEBUG stdout=openssh-daemon (pid  24698) is running...

Seems to be different behavior from sshd. What version do you have
installed?

On my RHEL-6.x box I see:

2014-11-11T14:40:00Z DEBUG args=sshd -t -f /dev/null -o
AuthorizedKeysCommand=
2014-11-11T14:40:00Z DEBUG stdout=
2014-11-11T14:40:00Z DEBUG stderr=
2014-11-11T14:40:00Z INFO Configured /etc/ssh/sshd_config

rob

> 
> 
> On Tue, Nov 11, 2014 at 3:15 PM, Rob Crittenden wrote:
> 
> Vaclav Adamec wrote:
> > Hi,
> >  I'm getting "Installed OpenSSH server does not support dynamically
> > loading authorized user keys. Public key authentication of IPA users
> > will not be available" during ipa client install on CentOS 6.6
> >
> > Packages openssh-server-6.1p1-5.el6.1.x86_64 and
> > ipa-client-3.0.0-42.el6.centos.x86_64
> >
> > Manual setup of "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys"
> > in /etc/ssh/sshd_config is ok.
> >
> > Any reason for that ?
> >
> 
> I'd check the client install log for more details,
> /var/log/ipaclient-install.log
> 
> A number of different permutations are tried and the log should have
> more details on which ones failed (and hopefully why).
> 
> rob


Re: [Freeipa-users] Installed OpenSSH server does not support dynamically loading authorized user keys - no key login support

2014-11-11 Thread Vaclav Adamec
Here it is:

2014-11-11T11:45:33Z DEBUG stderr=
2014-11-11T11:45:33Z DEBUG Backing up system configuration file
'/etc/ssh/ssh_config'
2014-11-11T11:45:33Z DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2014-11-11T11:45:33Z INFO Configured /etc/ssh/ssh_config
2014-11-11T11:45:33Z DEBUG Backing up system configuration file
'/etc/ssh/sshd_config'
2014-11-11T11:45:33Z DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2014-11-11T11:45:33Z DEBUG args=sshd -t -f /dev/null -o
AuthorizedKeysCommand=
2014-11-11T11:45:33Z DEBUG stdout=
2014-11-11T11:45:33Z DEBUG stderr=command-line line 0:
AuthorizedKeysCommand must be an absolute path

2014-11-11T11:45:33Z DEBUG args=sshd -t -f /dev/null -o PubKeyAgent=
2014-11-11T11:45:33Z DEBUG stdout=
2014-11-11T11:45:33Z DEBUG stderr=command-line: line 0: Bad configuration
option: PubKeyAgent

2014-11-11T11:45:33Z WARNING Installed OpenSSH server does not support
dynamically loading authorized user keys. Public key authentication of IPA
users will not be available.
2014-11-11T11:45:33Z INFO Configured /etc/ssh/sshd_config
2014-11-11T11:45:33Z DEBUG args=/sbin/service sshd status
2014-11-11T11:45:33Z DEBUG stdout=openssh-daemon (pid  24698) is running...


On Tue, Nov 11, 2014 at 3:15 PM, Rob Crittenden wrote:

> Vaclav Adamec wrote:
> > Hi,
> >  I'm getting "Installed OpenSSH server does not support dynamically
> > loading authorized user keys. Public key authentication of IPA users
> > will not be available" during ipa client install on CentOS 6.6
> >
> > Packages openssh-server-6.1p1-5.el6.1.x86_64 and
> > ipa-client-3.0.0-42.el6.centos.x86_64
> >
> > Manual setup of  "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys"
> > in /etc/ssh/sshd_config is ok.
> >
> > Any reason for that ?
> >
>
> I'd check the client install log for more details,
> /var/log/ipaclient-install.log
>
> A number of different permutations are tried and the log should have
> more details on which ones failed (and hopefully why).
>
> rob
>




Re: [Freeipa-users] Installed OpenSSH server does not support dynamically loading authorized user keys - no key login support

2014-11-11 Thread Rob Crittenden
Vaclav Adamec wrote:
> Hi,
>  I'm getting "Installed OpenSSH server does not support dynamically
> loading authorized user keys. Public key authentication of IPA users
> will not be available" during ipa client install on CentOS 6.6
> 
> Packages openssh-server-6.1p1-5.el6.1.x86_64 and
> ipa-client-3.0.0-42.el6.centos.x86_64
> 
> Manual setup of  "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys"
> in /etc/ssh/sshd_config is ok.
> 
> Any reason for that ?
>

I'd check the client install log for more details,
/var/log/ipaclient-install.log

A number of different permutations are tried and the log should have
more details on which ones failed (and hopefully why).

rob
