Hi Jan
I tried to follow this
https://fedoraproject.org/wiki/QA:Testcase_FreeIPA_realmd_ssh
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/openssh-sssd.html
still unable to log in via ssh keys
Please kindly suggest
OpenSSH_6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 55: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 -d
ENG.SWITCHLAB.COM ldap1.eng.switchlab.net --debug 40
debug1: identity file /home/np/.ssh/id_rsa type 1
debug1: identity file /home/np/.ssh/id_rsa-cert type -1
debug1: identity file /home/np/.ssh/id_dsa type -1
debug1: identity file /home/np/.ssh/id_dsa-cert type -1
debug1: permanently_drop_suid: 1000
(Thu Apr 25 17:45:58:088846 2013) [/usr/bin/sss_ssh_knownhostsproxy] [main]
(0x0040): sss_ssh_get_ent() failed (2): No such file or directory
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 22:fd:38:1c:25:80:fc:15:87:31:7b:b9:7b:59:f6:07
debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA host key.
debug1: Found key in /home/np/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Ticket expired
debug1: Unspecified GSS failure. Minor code may provide more information
Ticket expired
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Matching credential not found
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/np/.ssh/id_rsa
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/np/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[np@ldap0 ~]$ ssh -v n...@eng.switchlab.net@ldap1.eng.switchlab.net
OpenSSH_6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 55: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 -d
ENG.SWITCHLAB.COM ldap1.eng.switchlab.net --debug 40
debug1: identity file /home/np/.ssh/id_rsa type 1
debug1: identity file /home/np/.ssh/id_rsa-cert type -1
debug1: identity file /home/np/.ssh/id_dsa type -1
debug1: identity file /home/np/.ssh/id_dsa-cert type -1
debug1: permanently_drop_suid: 1000
(Thu Apr 25 18:06:04:463614 2013) [/usr/bin/sss_ssh_knownhostsproxy] [main]
(0x0040): sss_ssh_get_ent() failed (2): No such file or directory
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 22:fd:38:1c:25:80:fc:15:87:31:7b:b9:7b:59:f6:07
debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA host key.
debug1: Found key in /home/np/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Ticket expired
debug1: Unspecified GSS failure. Minor code may provide more information
Ticket expired
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Matching credential not found
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/np/.ssh/id_rsa
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/np/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Nareshchandra Paturi
14, St. Augustine’s Court,
Mornington Road,
london.
E11 3BQ.
Mob:07466666001,07856918100
Ph:02082579579
________________________________
From: naresh reddy <nareshbt...@yahoo.com>
To: Jan Cholasta <jchol...@redhat.com>
Cc: Rob Crittenden <rcrit...@redhat.com>; "freeipa-users@redhat.com"
<freeipa-users@redhat.com>
Sent: Thursday, April 25, 2013 4:24 PM
Subject: Re: [Freeipa-users] Freeipa -ssh keys
Hi Jan
Yes, that's correct: client is ldap1 and server is ldap1.
[root@ldap1 ssh]# /usr/bin/sss_ssh_knownhostsproxy -p 22 ldap1.eng.switchlab.net
--debug 10
SSH-2.0-OpenSSH_6.1
Protocol mismatch.
[root@ldap1 ssh]# /usr/bin/sss_ssh_authorizedkeys test@eng
ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAzvp0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxDW9X6hJjbcoaY25HrzYvfNOZ37IUe5gvlhO1i+bMhj8vhwlKZN6OKeMW6AM37aJhd7jxhz1R+Cod18YTB+gHkrfwe75kkEKfVyvTjpp9j5DRPeTyGMyWt4VbbyYq1Po4BZT7wOtUjwFq320QD5QnNKU6nbQKsB61xCMQy1Peu0nV/33dQTWHzlGi4uV0MN/KBvaWHmTwN6ZJ34uyEQ8kQ+fStd9XNFREw0iYglk42mNd/SA35njqNlsUbtBAR9ZokruAwAVVZqrfQw==
te...@ldap.eng.
ssh-rsa
AAAAB3NzaC1yc2EAAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4yb3prkr4oobGuyKJj/yd+S4Pf7OUzZT2xXzpy0TZAjiLnqlioxnhyZqgLO/Rdg5o+wt3R7H7L9kGDfMtAyBqUBrRqQeYgfGWvoVrm2UhkTcq/jxxACbYZq0Jg7OTFXodV40uAuRKqVgev6W4V+ozrTxpeVRElqTM4cEJ96V0UxLUpZUHvT1exFKk4F1crZ2hLEuPVWOlOj8NS/sQX3DDuDS69+CH89z5ftzZZCmohY89y2AsJXfA0piHxg2XE+n
test@ubuntu
ssh-rsa
AAAAB3NzaC1yc2EAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxsYsB/hx3gm2fIoKq6fm0g976L26oAmclDi12CpVFYbI/osIjsq6mIpr9de5Qus/n9kIoxTZLHTRuoCEj7xc4PSPG78oE7JoWKLMvBDiwyhXNa+O9X1RgYhfYmS2m+1nGJYC9DG4xo7K60nO6WogBg3T+EwuDjYrVIfB5Rfe4D8iWKqOTNlJ+MzK4Dk8W8hqSJvuQFq5155DsbeqDy00EY1dMaGYVUq81lHEM91oz
t...@ldap0.eng.
________________________________
From: Jan Cholasta <jchol...@redhat.com>
To: naresh reddy <nareshbt...@yahoo.com>
Cc: Rob Crittenden <rcrit...@redhat.com>; "freeipa-users@redhat.com"
<freeipa-users@redhat.com>
Sent: Wednesday, April 24, 2013 11:30 AM
Subject: Re: [Freeipa-users] Freeipa -ssh keys
On 23.4.2013 20:20, naresh reddy wrote:
> Hi Rob
>
> I am sorry for coming back again
> I can see client can get the ssh keys from the server but still fails
> please suggest.
>
>
By "client" you mean the machine that you are trying to ssh to, i.e. the
machine that has sshd running? If not, make sure sss_ssh_authorizedkeys
works on the machine with sshd, because that's the one
that matters here.
Also, what version of OpenSSH do you have installed?
Honza
--
Jan Cholasta
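One way to carry out the check Jan describes on the machine running sshd, as an added example that is not part of the original thread. The function names and the usage line are hypothetical, and it assumes sshd is wired to SSSD through the `AuthorizedKeysCommand` option; run it as root with the login name and a copy of the client's public key file.

```shell
#!/bin/sh
# Added example (not from the thread). Usage on the sshd host, as root:
#   sh check_sss_keys.sh LOGIN /path/to/copy/of/id_rsa.pub
# Helper names are hypothetical.

# Print the base64 blob (field 2) of each "type blob comment" key line,
# the form sss_ssh_authorizedkeys prints; skip blanks and comments.
key_blobs() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $2 }' "$@"
}

# offered_key_served PUBKEY_FILE SERVED_KEYS_FILE
# 0 if the key the client offers is among the keys SSSD returns for the
# login, 1 if not, 2 if PUBKEY_FILE holds no key. Comments are ignored:
# only the key blob decides whether sshd accepts the key.
offered_key_served() {
    want=$(key_blobs "$1" | head -n 1)
    [ -n "$want" ] || return 2
    key_blobs "$2" | grep -Fxq -- "$want"
}

# sshd_uses_sss CONFIG_DUMP
# CONFIG_DUMP is the output of `sshd -T` (effective configuration).
# 0 only if public key auth is on and sshd calls sss_ssh_authorizedkeys.
sshd_uses_sss() {
    grep -Eiq '^authorizedkeyscommand[[:space:]]+.*sss_ssh_authorizedkeys' "$1" &&
        grep -Eiq '^pubkeyauthentication[[:space:]]+yes' "$1"
}

if [ "$#" -eq 2 ]; then
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    sshd -T > "$tmp/conf" 2>/dev/null
    # Query with exactly the login name given to ssh, not a different user.
    /usr/bin/sss_ssh_authorizedkeys "$1" > "$tmp/keys"
    rc=0
    sshd_uses_sss "$tmp/conf" ||
        { echo "sshd does not call sss_ssh_authorizedkeys"; rc=1; }
    offered_key_served "$2" "$tmp/keys" ||
        { echo "offered key is not among the keys served for $1"; rc=1; }
    [ "$rc" -eq 0 ] && echo "sshd config and served keys look consistent"
    exit "$rc"
fi
```

If both checks pass and login still fails, the sshd log on the server is the next place to look.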