On 23/05/2019 14:56, Rob Crittenden wrote:
> lejeczek via FreeIPA-users wrote:
>> hi guys,
>>
>> reading official guide one may assume - I do - that "Using SSH Without
>> Passwords" should work out-of-box (centos 7.6) - is such assumption valid?
>>
>> For me this does not work - ssh still asks for passwords.
>>
>> If this is due to some failure/problem, then where to look and how to
>> troubleshoot?
> It's hard to know what you're doing, ssh from where to where, using what?
>
> rob
I made an assumption - which I see now was invalid - that some experts may know mentioned guide by heart and if I quoted something then the rest will be obvious - wrong, sorry.

"Using SSH Without Passwords" is a paragraph of "Using SSH from Active Directory Machines for IdM Resources" which is about Kerberos I understand.

My hope was to have AD's clients be able to ssh (and maybe get to other things like Samba) without password and with Kerberos.

I see IPA's users can do that between IPA's servers

...
debug1: PAM: initializing for "tester1"
debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user tester1 service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2 [preauth]
debug1: Got no client credentials
debug1: ssh_gssapi_k5login_exists: Checking existence of file /home/tester1/.k5login
Authorized to tester1, krb5 principal tester1@private (ssh_gssapi_krb5_cmdok)
debug1: do_pam_account: called
Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
...

But a Win10Pro which is AD member which I'm trying, when ssh as AD's user then I do not see above in the logs and such ssh (Win10 own feature) is asked for password.

To sum up: AD's users off/from Win AD win-stations to IPA's members/clients with Kerberos if possible. (trust is already established and running)

many thanks, L.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
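Added example, not part of the original message or of FreeIPA: a small triage script that reads sshd debug output like the excerpt above and reports, per user, which authentication methods the client offered and whether the login ended as a Kerberos (gssapi-with-mic) one. The AD user name, its source address and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Lines 1-4 are quoted from the message above; lines 5-7 are a constructed
# password-fallback session (hypothetical user and documentation-range IP).
SAMPLE_LOG = """\
debug1: userauth-request for user tester1 service ssh-connection method gssapi-with-mic [preauth]
Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2 [preauth]
Authorized to tester1, krb5 principal tester1@private (ssh_gssapi_krb5_cmdok)
Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
debug1: userauth-request for user aduser@ad.example service ssh-connection method none [preauth]
debug1: userauth-request for user aduser@ad.example service ssh-connection method password [preauth]
Accepted password for aduser@ad.example from 192.0.2.10 port 50122 ssh2
"""

REQUEST = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
PRINCIPAL = re.compile(r"Authorized to ([^\s,]+), krb5 principal (\S+)")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")

def summarize(log_text):
    """Group sshd auth events by user name (sessions of one user are merged)."""
    users = defaultdict(lambda: {"tried": [], "principal": None, "accepted": None, "source": None})
    for line in log_text.splitlines():
        if m := REQUEST.search(line):
            user, method = m.groups()
            if method not in users[user]["tried"]:
                users[user]["tried"].append(method)
        elif m := PRINCIPAL.search(line):
            users[m.group(1)]["principal"] = m.group(2)
        elif m := ACCEPTED.search(line):
            method, user, source = m.groups()
            users[user]["accepted"] = method
            users[user]["source"] = source
    return dict(users)

def diagnose(entry):
    """Say where to look next: the client side or the server side."""
    if "gssapi-with-mic" not in entry["tried"]:
        return "client never offered gssapi-with-mic"
    if entry["accepted"] == "gssapi-with-mic":
        return f"kerberos login as {entry['principal']}"
    return "gssapi-with-mic offered but not accepted"

if __name__ == "__main__":
    for user, entry in summarize(SAMPLE_LOG).items():
        print(user, entry["tried"], "->", diagnose(entry))
```

When the result is "client never offered gssapi-with-mic", the server log has no userauth-request for that method, so the place to look is the client's GSSAPI setting and ticket cache rather than sshd.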