Re: [Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-03 Thread Martin Kosek
Thanks for the update. Adding the mailing list back, to be aware of the results.

Given this description, I wonder if this is hitting
https://bugzilla.redhat.com/show_bug.cgi?id=1201454
that is planned to be fixed in the next RHEL-6 minor version.

On 06/03/2015 10:46 AM, bahan w wrote:
 Hello again.
 
 The problem was coming from the sshd_config file.
 The parameter PubkeyAuthentication=yes was placed after the parameter
 PasswordAuthentication=yes.
 I uncommented the PubkeyAuthentication=yes before the PasswordAuthentication
 and now it works.
 
 The problem is solved.
 
 Best regards.
 
 Bahan
 
 
 On Wed, Jun 3, 2015 at 10:05 AM, bahan w bahanw042...@gmail.com wrote:
 
 Hello Martin.

 Unfortunately for me, I cannot migrate OS so I need to make it work with
 RHEL 6.4. :-(

 Best regards.
 On 3 June 2015 at 09:39, Martin Kosek mko...@redhat.com wrote:

 On 06/02/2015 06:27 PM, bahan w wrote:
 Hello !

 I send you this mail because I have a problem linked with SSH and
 FreeIPA.

 I have multiple servers :
 - One with FreeIPA server 3.0.0-26
 - The others with FreeIPA client 3.0.0-26

 They are running on RHEL 6.4.

 I configured a root user on each of them.
 On one specific server, I created an rsa key in order to connect
 passwordlessly from a specific server to all the others
 
 ssh-keygen -t rsa
 

 I distributed the public key on all the others :
 
 for i in ${my_server_list}; do scp /root/.ssh/id_rsa.pub $i:/root/.ssh/authorized_keys; done
 

 Once it was done, I modified the rights on these files :
 
 for i in ${my_server_list}; do ssh $i chmod 644 /root/.ssh/authorized_keys; done
 

 And I was able to connect to all these servers without entering a
 password.
 The system was working well.

 When I installed ipa-server on a specific server, this connection with the
 RSA key was not possible anymore.
 Each time I tried to connect to the server through SSH, it keeps asking me
 for a password.
 I tried to install the ipa-client on another server to just check if I had
 the same behaviour and indeed, each time I run ipa-client-install, I can't
 connect passwordlessly with root anymore.

 Hello,

 SSH with key with root account should work, SSSD (or the SSH public key tools)
 should not interfere with root user account at all. What I would suggest is to
 try some newer version of sssd+ipa-client, RHEL-6.4 is quite old already.
 RHEL-6.6 (or even RHEL-7.1) would be a better starting point.


 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
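
Added example, not part of the original thread: the resolution above involved a commented-out PubkeyAuthentication line in sshd_config. This shell function reports the value sshd would use for a global keyword (comments skipped, keywords case-insensitive, first occurrence wins); the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): print the value sshd would use for a
# global keyword in an sshd_config file. Per sshd_config(5): "#" lines are
# comments, keywords are case-insensitive, and the first value obtained wins.
# Lines after the first "Match" are conditional and are not treated as global.
effective_sshd_option() {
    # $1 = config file, $2 = keyword, $3 = value to report when it is unset
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want); result = dflt }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next          # blank or commented out
            if (!match(line, /^[^ \t=]+/)) next
            key = tolower(substr(line, 1, RLENGTH))
            rest = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", rest)              # "Key value" or "Key=value"
            split(rest, v, /[ \t]+/)
            if (key == "match") exit                      # global section ends here
            if (key == want && v[1] != "") { result = v[1]; exit }   # first wins
        }
        END { print result }
    ' "$1"
}

# Constructed sample config (assumption, not the poster's file).
write_sample_config() {
    cat > "$1" <<'EOF'
PasswordAuthentication yes
#PubkeyAuthentication yes
pubkeyauthentication=no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
}

tmp=$(mktemp) && write_sample_config "$tmp"
for kw in PubkeyAuthentication PasswordAuthentication PermitRootLogin; do
    printf '%s -> %s\n' "$kw" "$(effective_sshd_option "$tmp" "$kw" unset)"
done
rm -f "$tmp"
```

On a live host, `sshd -T` prints the effective configuration as sshd itself parses it, which is the authoritative check before and after running an installer that edits sshd_config.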

Re: [Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-03 Thread Martin Kosek
On 06/02/2015 06:27 PM, bahan w wrote:
 Hello !
 
 I send you this mail because I have a problem linked with SSH and FreeIPA.
 
 I have multiple servers :
 - One with FreeIPA server 3.0.0-26
 - The others with FreeIPA client 3.0.0-26
 
 They are running on RHEL 6.4.
 
 I configured a root user on each of them.
 On one specific server, I created an rsa key in order to connect
 passwordlessly from a specific server to all the others
 
 ssh-keygen -t rsa
 
 
 I distributed the public key on all the others :
 
 for i in ${my_server_list}; do scp /root/.ssh/id_rsa.pub $i:/root/.ssh/authorized_keys; done
 
 
 Once it was done, I modified the rights on these files :
 
 for i in ${my_server_list}; do ssh $i chmod 644 /root/.ssh/authorized_keys; done
 
 
 And I was able to connect to all these servers without entering a password.
 The system was working well.
 
 When I installed ipa-server on a specific server, this connection with the
 RSA key was not possible anymore.
 Each time I tried to connect to the server through SSH, it keeps asking me
 for a password.
 I tried to install the ipa-client on another server to just check if I had
 the same behaviour and indeed, each time I run ipa-client-install, I can't
 connect passwordlessly with root anymore.

Hello,

SSH with key with root account should work, SSSD (or the SSH public key tools)
should not interfere with root user account at all. What I would suggest is to
try some newer version of sssd+ipa-client, RHEL-6.4 is quite old already.
RHEL-6.6 (or even RHEL-7.1) would be a better starting point.
