Re: [Freeipa-users] User can't login via ssh from external source

2012-07-20 Thread Dmitri Pal
On 07/20/2012 03:03 PM, Joe Linoff wrote:

 Hi Everybody:

  

 I am using FreeIPA 2.2.0 on CentOS 6.3 and am having a challenging
 problem with a new user that I just setup.

  

 That user cannot ssh into any host on the realm from an external
 source. They get a permission denied problem but old-user with the
 same HBAC configuration works.

  

 % ssh -A -t -o Port=9346 new-u...@somehost.example.com

 new-u...@somehost.example.com's password:

 Permission denied, please try again.

 % ssh -A -t -o Port=9346 old-u...@somehost.example.com

 old-u...@somehost.example.com's password:

 Last login: ...

 [old-user@somehost ~]$

  

 I checked their password by setting up a TGT using kinit. It worked. I
 was also able to ssh into another host on the network.

  

 % kinit new-user

 Password for new-u...@example.com

 % ssh new-user@somehost

 Last login: ...

 Could not chdir to home directory ...

 -bash-4.1$ exit

  

 That seems to indicate that the password is correct and that the
 permissions are correct but to be sure I ran an hbactest on the server:

  

 % ipa hbactest --user=new-user --service=ssh --host=somehost

 

 Access granted: True

 

 ...

  

 I did see something strange in /var/log/messages:

  

 Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity
 check failed

 Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity
 check failed

 Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity
 check failed

 Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity
 check failed

 Jul 20 11:48:54 somehost [sssd[krb5_child[16488]]]: Password has expired

 Jul 20 11:48:55 somehost [sssd[krb5_child[16488]]]: Decrypt integrity
 check failed

 Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Password has expired

 Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Decrypt integrity
 check failed

  

 So I reset the password using the ipa passwd command:

  

 % ipa passwd new-user

 New Password:

 Enter New Password again to verify:

 ---

 Changed password for new-u...@example.com

 --

  

 But I am still getting the Permission denied error.

  

 What am I doing wrong? How can I debug this? Any help would be greatly
 appreciated.

  


When you set the password on the server using the ipa passwd command you
make it known to the admin. This is why it is right away expired and
requires a change.
A user needs to log in through the client that allows changing the
password as a part of the authentication.
It looks like your ssh is not configured to do password change (I
suspect it uses GSSAPI but I might be wrong).
So either the ssh needs to be configured to do the password change over
the pam stack or you need to log in as this user and change his password
and then you will be able to ssh.

 Thanks,

  

 Joe

  

  


 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






Re: [Freeipa-users] User can't login via ssh from external source

2012-07-20 Thread Stephen Gallagher
On Fri, 2012-07-20 at 15:21 -0400, Dmitri Pal wrote:
 On 07/20/2012 03:03 PM, Joe Linoff wrote: 
 When you set the password on the server using the ipa passwd command
 you make it known to the admin. This is why it is right away expired
 and requires a change.
 A user needs to log in through the client that allows changing the
 password as a part of the authentication.
 It looks like your ssh is not configured to do password change (I
 suspect it uses GSSAPI but I might be wrong).
 So either the ssh needs to be configured to do the password change
 over the pam stack or you need to log in as this user and change his
 password and then you will be able to ssh.

To clarify, what you need to do is make sure that the following options
are set in /etc/ssh/sshd_config:

UsePAM yes
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes


This should hopefully resolve the issue for you.

Note: KerberosAuthentication is NOT the same as disabling the
single-sign-on. That's done by GSSAPIAuthentication.


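As an added audit script (not from the thread or from the FreeIPA project), the following POSIX shell reads each of the five keywords above the way sshd resolves them and reports what differs from the recommended values; the sshd_config it checks is a constructed sample.

```shell
# sshd honours the first uncommented occurrence of a keyword, accepts
# "Keyword=value", and treats everything after a "Match" line as conditional.
sshd_effective_value() {
    # $1 = config file, $2 = keyword (sshd matches keywords case-insensitively)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        { sub(/[[:space:]]*=[[:space:]]*/, " ") }       # normalise Keyword=value
        tolower($1) == "match" { exit }                  # conditional block begins
        tolower($1) == key     { print $2; exit }        # first occurrence wins
    ' "$1"
}

# Compare a file with the settings recommended above; prints one line per
# deviation. Returns 0 when all five match, 1 otherwise.
check_sshd_config() {
    file="$1"
    expected="UsePAM=yes
PasswordAuthentication=no
KerberosAuthentication=no
GSSAPIAuthentication=yes
ChallengeResponseAuthentication=yes"
    rc=0
    for pair in $expected; do
        key="${pair%%=*}"
        want="${pair#*=}"
        have="$(sshd_effective_value "$file" "$key" | tr 'A-Z' 'a-z')"
        if [ "$have" != "$want" ]; then
            # an unset keyword means sshd's compiled-in default applies
            printf '%s: %s is "%s", expected "%s"\n' \
                "$file" "$key" "${have:-unset}" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample, not a real host's file: password auth is still on and
# keyboard-interactive is off, so PAM/SSSD never gets to run the password change.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
# sshd_config (constructed sample)
UsePAM yes
PasswordAuthentication = yes
GSSAPIAuthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
EOF
if check_sshd_config "$SAMPLE_CFG"; then echo "sshd_config OK"; else echo "fix the lines above"; fi
```

Newer OpenSSH releases spell the keyboard-interactive keyword KbdInteractiveAuthentication and keep ChallengeResponseAuthentication as an alias, so add that name to the expected list on such hosts.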