Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-20 Thread Venkataramana Kintali
Thank you Lukas.
The issue, not being able to login to some servers in our setup with ssh
keys, was due to incorrect permissions on the /usr directory, per the following
entry in /var/log/secure.

*sshd[12856]: error: bad ownership or modes for AuthorizedKeysCommand path
component "/usr"*

After setting up the permissions for /usr to 755, I was able to login to
these servers with ssh private keys.

Thank you again, Lukas, for your help.

Regards
Venkataramana






On Fri, Sep 16, 2016 at 11:51 AM, Lukas Slebodnik 
wrote:

> On (15/09/16 11:46), Venkataramana Kintali wrote:
> >Hi Lukas,
> >ssh_config is also same on all servers.
> >Our need is to do it both ways, to be able to login with ssh public
> >keys (uploaded in IPA) and disable password login, and be able to access
> >all hosts within the same IPA domain silently from any host.
> >Hoping the configs will help, I am including the configurations here.
> >
> >ssh_config file :  http://pastebin.com/MWHyH1Qw
> >sshd_config file: http://pastebin.com/gpn5XhXM
> >sssd_config file: http://pastebin.com/5Pby6xKp
> >
> Looks good to me
>
> >I just used some placeholders for sssd_config file in pastebin instead of
> >actual values.
> >
>
> In initial mail you wrote:
> >I am able to login to some IPA clients but not able to login to other IPA
> >clients with putty using private key and passphrase.
> Therefore your previous test case is wrong.
> If you want to test authentication with public keys
> then you cannot obtain krb5 ticket with kinit.
>
> I would also recommend to call kdestroy before
> authentication with ssh to be sure that gssapi
> authentication will not be used.
>
> I would recommend to set "debug_level = 7" in domain and ssh section
> on the server where you would like to authenticate.
> then restart sssd and try to authenticate with ssh + verbose mode
> e.g. ssh -v u...@remote.host
>
> Then I would recommend to compare logs from working server
> and from broken server.
>
> LS
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
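
Added example, not part of the original thread: the sshd error quoted in the 2016-09-20 message comes from a check that every component of the AuthorizedKeysCommand path is owned by root and not writable by group or others. The shell functions below (hypothetical names; GNU stat and readlink assumed) walk a path and report each component that would fail that rule. The helper path in the usage comment is the usual SSSD one and is an assumption, since the thread's sshd_config is not shown.

```shell
#!/bin/sh
# Added example: re-implements the ownership/mode rule behind
#   "bad ownership or modes for AuthorizedKeysCommand path component"
# Function names are hypothetical; GNU stat/readlink (Linux) assumed.
# Usage (path is an assumption): check_chain /usr/bin/sss_ssh_authorizedkeys

# component_ok MODE_OCTAL OWNER_UID EXPECTED_UID
# Passes when the owner matches and neither the group-write nor the
# other-write bit (octal 022) is set.
component_ok() {
    [ "$2" -eq "$3" ] && [ $(( 0$1 & 022 )) -eq 0 ]
}

# check_chain PATH [EXPECTED_UID] [STOP_DIR]
# Walks from PATH up to STOP_DIR (default /), printing every component
# that fails. EXPECTED_UID defaults to 0 (root), as sshd requires for
# the command; the other two arguments exist so the check can be tried
# on a scratch tree without root.
# Returns 0 if the whole chain is clean, 1 if any component is bad.
check_chain() {
    want="${2:-0}"
    rc=0
    p=$(readlink -f -- "$1") || return 2
    stop=$(readlink -f -- "${3:-/}") || return 2
    while :; do
        mode=$(stat -c '%a' -- "$p")
        uid=$(stat -c '%u' -- "$p")
        if ! component_ok "$mode" "$uid" "$want"; then
            echo "BAD  $p (mode $mode, uid $uid)"
            rc=1
        fi
        if [ "$p" = "$stop" ] || [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname -- "$p")
    done
    return $rc
}
```

A clean chain prints nothing and returns 0; in the case from this thread the `/usr` component would be the line reported.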

Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-16 Thread Lukas Slebodnik
On (15/09/16 11:46), Venkataramana Kintali wrote:
>Hi Lukas,
>ssh_config is also same on all servers.
>Our need is to do it both ways, to be able to login with ssh public
>keys (uploaded in IPA) and disable password login, and be able to access
>all hosts within the same IPA domain silently from any host.
>Hoping the configs will help, I am including the configurations here.
>
>ssh_config file :  http://pastebin.com/MWHyH1Qw
>sshd_config file: http://pastebin.com/gpn5XhXM
>sssd_config file: http://pastebin.com/5Pby6xKp
>
Looks good to me

>I just used some placeholders for sssd_config file in pastebin instead of
>actual values.
>

In initial mail you wrote:
>I am able to login to some IPA clients but not able to login to other IPA
>clients with putty using private key and passphrase.
Therefore your previous test case is wrong.
If you want to test authentication with public keys
then you cannot obtain krb5 ticket with kinit.

I would also recommend to call kdestroy before
authentication with ssh to be sure that gssapi
authentication will not be used.

I would recommend to set "debug_level = 7" in domain and ssh section
on the server where you would like to authenticate.
then restart sssd and try to authenticate with ssh + verbose mode
e.g. ssh -v u...@remote.host

Then I would recommend to compare logs from working server
and from broken server.

LS



Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-15 Thread Venkataramana Kintali
Hi Lukas,
ssh_config is also same on all servers.
Our need is to do it both ways, to be able to login with ssh public
keys (uploaded in IPA) and disable password login, and be able to access
all hosts within the same IPA domain silently from any host.
Hoping the configs will help, I am including the configurations here.

ssh_config file :  http://pastebin.com/MWHyH1Qw
sshd_config file: http://pastebin.com/gpn5XhXM
sssd_config file: http://pastebin.com/5Pby6xKp

I just used some placeholders for sssd_config file in pastebin instead of
actual values.


Thanks
Venkataramana



On Thu, Sep 15, 2016 at 10:09 AM, Lukas Slebodnik 
wrote:

> On (15/09/16 09:56), Venkataramana Kintali wrote:
> >Hi Lukas,
> >Thank you for responding.
> >I compared the configs (sshd_config and sssd.conf); they are the same.
> Is /etc/ssh/ssh_config the same as well?
> NOTE: (ssh_config is not the same as sshd_config //extra 'd' in name)
>
> >sssd and sshd services are running on all the servers (IPA clients).
> >PubKey Authentication is enabled on all the servers.
> >I am not able to login with ssh keys.
> >
> >But I am able to ssh to these servers from the other IPA clients I am able
> >to connect to with ssh keys (after doing a kinit).
> >
> If I remember correctly GSSAPI has higher priority than public keys.
> So the behaviour is expected.
>
> You should decide whether you want to authenticate
> with ssh keys stored in IPA or with kerberos ticket (GSSAPI)
> or you can change sshd configuration to allow only authentication
> with public keys.
>
> LS
>

Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-15 Thread Lukas Slebodnik
On (15/09/16 09:56), Venkataramana Kintali wrote:
>Hi Lukas,
>Thank you for responding.
>I compared the configs (sshd_config and sssd.conf); they are the same.
Is /etc/ssh/ssh_config the same as well?
NOTE: (ssh_config is not the same as sshd_config //extra 'd' in name)

>sssd and sshd services are running on all the servers (IPA clients).
>PubKey Authentication is enabled on all the servers.
>I am not able to login with ssh keys.
>
>But I am able to ssh to these servers from the other IPA clients I am able
>to connect to with ssh keys (after doing a kinit).
>
If I remember correctly GSSAPI has higher priority than public keys.
So the behaviour is expected.

You should decide whether you want to authenticate
with ssh keys stored in IPA or with kerberos ticket (GSSAPI)
or you can change sshd configuration to allow only authentication
with public keys.

LS



Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-15 Thread Venkataramana Kintali
Hi Lukas,
Thank you for responding.
I compared the configs (sshd_config and sssd.conf); they are the same.
sssd and sshd services are running on all the servers (IPA clients).
PubKey Authentication is enabled on all the servers.
I am not able to login with ssh keys.

But I am able to ssh to these servers from the other IPA clients I am able
to connect to with ssh keys (after doing a kinit).


Thanks
Venkataramana

On Fri, Sep 9, 2016 at 1:22 PM, Lukas Slebodnik  wrote:

> On (07/09/16 17:39), Venkataramana Kintali wrote:
> >Hi,
> >Of late, I am learning FreeIPA. I have installed IPA server and few
> >clients (Version 3.0.0)
> >I am facing an issue with ssh key authentication in my setup.
> >I generated a putty ssh private key (using putty keygen), and uploaded it
> >under a user through IPA GUI.
> I assume you uploaded public key to the IPA
> otherwise you did something wrong and I wonder why it works on some
> machines.
>
> >I am able to login to some IPA clients but not able to login to other IPA
> >clients with putty using private key and passphrase.
> >
> Is sssd_ssh running on all clients? (Is sssd.conf almost the same on all
> machines)
> Is sshd configuration the same on all machines?
> /etc/ssh/ssh_config /etc/ssh/sshd_config
>
> >Public Key Authentication is enabled on all clients.
> >I am able to from one client to other clients successfully (after doing
> >kinit) without prompting password.
> >
> >Can someone please throw some light on this as to what the issue could be
> >here and what else I can check to understand where the problem is?
> >
> >I searched this online but couldn't find any solution in the context of
> IPA.
> >
>
> LS
>

Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-09 Thread Lukas Slebodnik
On (07/09/16 17:39), Venkataramana Kintali wrote:
>Hi,
>Of late, I am learning FreeIPA. I have installed IPA server and few
>clients (Version 3.0.0)
>I am facing an issue with ssh key authentication in my setup.
>I generated a putty ssh private key (using putty keygen), and uploaded it
>under a user through IPA GUI.
I assume you uploaded public key to the IPA
otherwise you did something wrong and I wonder why it works on some machines.

>I am able to login to some IPA clients but not able to login to other IPA
>clients with putty using private key and passphrase.
>
Is sssd_ssh running on all clients? (Is sssd.conf almost the same on all
machines)
Is sshd configuration the same on all machines?
/etc/ssh/ssh_config /etc/ssh/sshd_config

>Public Key Authentication is enabled on all clients.
>I am able to from one client to other clients successfully (after doing
>kinit) without prompting password.
>
>Can someone please throw some light on this as to what the issue could be
>here and what else I can check to understand where the problem is?
>
>I searched this online but couldn't find any solution in the context of IPA.
>

LS



Re: [Freeipa-users] Issues with FreeIPA SSH Key authentication

2016-09-07 Thread Venkataramana Kintali
On Sep 7, 2016 8:09 PM, "Venkataramana Kintali" <
venkataramana.kint...@gmail.com> wrote:
>
> Hi,
> Of late, I am learning FreeIPA. I have installed IPA server and few
> clients (Version 3.0.0)
> I am facing an issue with ssh key authentication in my setup.
> I generated a putty ssh private key (using putty keygen), and uploaded it
> under a user through IPA GUI.
> I am able to login to some IPA clients but not able to login to other IPA
> clients with putty using private key and passphrase.
I forgot to mention the error.
I am getting "server refused our key" for the servers I am unable to login
to.
>
> Public Key Authentication is enabled on all clients.
> I am able to from one client to other clients successfully (after doing
> kinit) without prompting password.
>
> Can someone please throw some light on this as to what the issue could
> be here and what else I can check to understand where the problem is?
>
> I searched this online but couldn't find any solution in the context of
> IPA.
>
>
> Thanks
> Venkataramana
>
>
>
>