Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication
Thank you Lukas.

The issue, not being able to login to some servers in our setup with ssh keys, was due to incorrect permissions on /usr directory, per the following entry in /var/log/secure.

*sshd[12856]: error: bad ownership or modes for AuthorizedKeysCommand path component "/usr"*

After setting up the permissions for /usr to 755, I was able to login to these servers with ssh private keys.

Thank you again, Lukas, for your help.

Regards
Venkataramana

On Fri, Sep 16, 2016 at 11:51 AM, Lukas Slebodnik wrote:
> On (15/09/16 11:46), Venkataramana Kintali wrote:
> >Hi Lukas,
> >ssh_config is also same on all servers.
> >Our need is to do it both ways, to be able to login with ssh public
> >keys (uploaded in IPA) and disable password login, and be able to access
> >all hosts within the same IPA domain silently from any host.
> >Hoping the configs will help, I am including the configurations here.
> >
> >ssh_config file : http://pastebin.com/MWHyH1Qw
> >sshd_config file: http://pastebin.com/gpn5XhXM
> >sssd_config file: http://pastebin.com/5Pby6xKp
> >
> Looks good to me
>
> >I just used some placeholders for sssd_config file in pastebin instead of
> >actual values.
> >
>
> In initial mail you wrote:
> >I am able to login to some IPA clients but not able to login to other IPA
> >clients with putty using private key and passphrase.
> Therefore your previous test case is wrong.
> If you want to test authentication with public keys
> then you cannot obtain krb5 ticket with kinit.
>
> I would also recommend to call kdestroy before
> authentication with ssh to be sure that gssapi
> authentication will not be used.
>
> I would recommend to set "debug_level = 7" in domain and ssh section
> on the server where you would like to authenticate.
> then restart sssd and try to authenticate with ssh + verbose mode
> e.g. ssh -v u...@remote.host
>
> Then I would recommend to compare logs from working server
> and from broken server.
>
> LS
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
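The check behind the log entry in the message above, as an added example (not code from the thread, OpenSSH or SSSD): it pulls the rejected component out of sshd errors of that form and audits every component of a command path, assuming the rule is root ownership with no group or other write bit. The sample log lines and the helper path `/usr/bin/sss_ssh_authorizedkeys` are assumptions; use the `AuthorizedKeysCommand` value from your own sshd_config.

```python
import os
import re
import stat
import sys

# sshd error of the form quoted in the message above (/var/log/secure).
ERR_RE = re.compile(r'sshd\[\d+\]: error: bad ownership or modes for '
                    r'AuthorizedKeysCommand path component "([^"]+)"')

# Constructed sample lines; host name, timestamps and client IP are made up.
SAMPLE_LOG = [
    'Sep 16 10:02:11 client1 sshd[12856]: error: bad ownership or modes '
    'for AuthorizedKeysCommand path component "/usr"',
    'Sep 16 10:02:11 client1 sshd[12856]: Connection closed by 192.0.2.10',
    'Sep 16 10:05:40 client1 sshd[12901]: error: bad ownership or modes '
    'for AuthorizedKeysCommand path component "/usr"',
]

def flagged_components(log_lines):
    """Return the path components sshd rejected, deduplicated, in order."""
    seen = []
    for line in log_lines:
        m = ERR_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def audit_command_path(command, owner_uid=0):
    """Walk from the command up to "/" and report each component that breaks
    the assumed rule: owned by owner_uid, no group/other write bit."""
    problems = []
    path = os.path.realpath(command)
    while True:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != owner_uid or mode & 0o022:
            problems.append((path, st.st_uid, "%04o" % mode))
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            break
        path = parent
    return problems

if __name__ == "__main__":
    print("rejected by sshd:", flagged_components(SAMPLE_LOG))
    # Assumed helper location; pass your AuthorizedKeysCommand path instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin/sss_ssh_authorizedkeys"
    if os.path.exists(target):
        print("unsafe components:", audit_command_path(target))
```

Running it on a working and a broken client and comparing the output shows which directory differs between them.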
Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication
On (15/09/16 11:46), Venkataramana Kintali wrote:
>Hi Lukas,
>ssh_config is also same on all servers.
>Our need is to do it both ways, to be able to login with ssh public
>keys (uploaded in IPA) and disable password login, and be able to access
>all hosts within the same IPA domain silently from any host.
>Hoping the configs will help, I am including the configurations here.
>
>ssh_config file : http://pastebin.com/MWHyH1Qw
>sshd_config file: http://pastebin.com/gpn5XhXM
>sssd_config file: http://pastebin.com/5Pby6xKp
>
Looks good to me

>I just used some placeholders for sssd_config file in pastebin instead of
>actual values.
>

In initial mail you wrote:
>I am able to login to some IPA clients but not able to login to other IPA
>clients with putty using private key and passphrase.
Therefore your previous test case is wrong.
If you want to test authentication with public keys
then you cannot obtain krb5 ticket with kinit.

I would also recommend to call kdestroy before
authentication with ssh to be sure that gssapi
authentication will not be used.

I would recommend to set "debug_level = 7" in domain and ssh section
on the server where you would like to authenticate.
then restart sssd and try to authenticate with ssh + verbose mode
e.g. ssh -v u...@remote.host

Then I would recommend to compare logs from working server
and from broken server.

LS
Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication
Hi Lukas,
ssh_config is also same on all servers.
Our need is to do it both ways, to be able to login with ssh public keys (uploaded in IPA) and disable password login, and be able to access all hosts within the same IPA domain silently from any host.
Hoping the configs will help, I am including the configurations here.

ssh_config file : http://pastebin.com/MWHyH1Qw
sshd_config file: http://pastebin.com/gpn5XhXM
sssd_config file: http://pastebin.com/5Pby6xKp

I just used some placeholders for sssd_config file in pastebin instead of actual values.

Thanks
Venkataramana

On Thu, Sep 15, 2016 at 10:09 AM, Lukas Slebodnik wrote:
> On (15/09/16 09:56), Venkataramana Kintali wrote:
> >Hi Lukas,
> >Thank you for responding.
> >I compared the configs (sshd_config and sssd.conf), they are same.
> Is /etc/ssh/ssh_config the same as well?
> NOTE: (ssh_config is not the same as sshd_config //extra 'd' in name)
>
> >sssd and sshd services are running on all the servers (IPA clients).
> >PubKey Authentication is enabled on all the servers.
> >I am not able to login with sshkeys.
> >
> >But I am able to ssh to these servers from the other IPA clients I am able
> >to connect to with ssh keys (after doing a kinit).
> >
> If I remember correctly GSSAPI has higher priority than public keys.
> So the behaviour is expected.
>
> You should decide whether you want to authenticate
> with ssh keys stored in IPA or with kerberos ticket (GSSAPI)
> or you can change sshd configuration to allow only authentication
> with public keys.
>
> LS
>
Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication
On (15/09/16 09:56), Venkataramana Kintali wrote:
>Hi Lukas,
>Thank you for responding.
>I compared the configs (sshd_config and sssd.conf), they are same.
Is /etc/ssh/ssh_config the same as well?
NOTE: (ssh_config is not the same as sshd_config //extra 'd' in name)

>sssd and sshd services are running on all the servers (IPA clients).
>PubKey Authentication is enabled on all the servers.
>I am not able to login with sshkeys.
>
>But I am able to ssh to these servers from the other IPA clients I am able
>to connect to with ssh keys (after doing a kinit).
>
If I remember correctly GSSAPI has higher priority than public keys.
So the behaviour is expected.

You should decide whether you want to authenticate
with ssh keys stored in IPA or with kerberos ticket (GSSAPI)
or you can change sshd configuration to allow only authentication
with public keys.

LS
Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication
Hi Lukas,
Thank you for responding.
I compared the configs (sshd_config and sssd.conf), they are same.
sssd and sshd services are running on all the servers (IPA clients).
PubKey Authentication is enabled on all the servers.
I am not able to login with sshkeys.

But I am able to ssh to these servers from the other IPA clients I am able to connect to with ssh keys (after doing a kinit).

Thanks
Venkataramana

On Fri, Sep 9, 2016 at 1:22 PM, Lukas Slebodnik wrote:
> On (07/09/16 17:39), Venkataramana Kintali wrote:
> >Hi,
> >Of late, I am learning FreeIPA. I have installed IPA server and few
> >clients (Version 3.0.0)
> >I am facing an issue with ssh key authentication in my setup.
> >I generated a putty ssh private key (using putty keygen), and uploaded it
> >under a user through IPA GUI.
> I assume you uploaded public key to the IPA
> otherwise you did something wrong and I wonder why it works on some
> machines.
>
> >I am able to login to some IPA clients but not able to login to other IPA
> >clients with putty using private key and passphrase.
> >
> Is sssd_ssh running on all clients? (Is sssd.conf almost the same on all
> machines)
> Is sshd configuration the same on all machines?
> /etc/ssh/ssh_config /etc/ssh/sshd_config
>
> >Public Key Authentication is enabled on all clients.
> >I am able to from one client to other clients successfully (after doing
> >kinit) without prompting password.
> >
> >Can someone please throw some light on this as to what the issue could be
> >here and what else I can check to understand where the problem is ?
> >
> >I searched this online but couldn't find any solution in the context of IPA.
> >
>
> LS
>
Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication
On (07/09/16 17:39), Venkataramana Kintali wrote:
>Hi,
>Of late, I am learning FreeIPA. I have installed IPA server and few
>clients (Version 3.0.0)
>I am facing an issue with ssh key authentication in my setup.
>I generated a putty ssh private key (using putty keygen), and uploaded it
>under a user through IPA GUI.
I assume you uploaded public key to the IPA
otherwise you did something wrong and I wonder why it works on some machines.

>I am able to login to some IPA clients but not able to login to other IPA
>clients with putty using private key and passphrase.
>
Is sssd_ssh running on all clients? (Is sssd.conf almost the same on all machines)
Is sshd configuration the same on all machines?
/etc/ssh/ssh_config /etc/ssh/sshd_config

>Public Key Authentication is enabled on all clients.
>I am able to from one client to other clients successfully (after doing
>kinit) without prompting password.
>
>Can someone please throw some light on this as to what the issue could be
>here and what else I can check to understand where the problem is ?
>
>I searched this online but couldn't find any solution in the context of IPA.
>

LS
Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication
On Sep 7, 2016 8:09 PM, "Venkataramana Kintali" <venkataramana.kint...@gmail.com> wrote:
>
> Hi,
> Of late, I am learning FreeIPA. I have installed IPA server and few clients (Version 3.0.0)
> I am facing an issue with ssh key authentication in my setup.
> I generated a putty ssh private key (using putty keygen), and uploaded it under a user through IPA GUI.
> I am able to login to some IPA clients but not able to login to other IPA clients with putty using private key and passphrase.

I forgot to mention the error. I am getting "server refused our key" for the servers I am unable to login to.

>
> Public Key Authentication is enabled on all clients.
> I am able to from one client to other clients successfully (after doing kinit) without prompting password.
>
> Can someone please throw some light on this as to what the issue could be here and what else I can check to understand where the problem is ?
>
> I searched this online but couldn't find any solution in the context of IPA.
>
>
> Thanks
> Venkataramana
>