Hi Alexander

Thank you very much, it worked.
It's fantastic and I really appreciate your help.

But this scenario uses the Kerberos ticket each time to log in.

What we are trying to establish is:
users will have private and public ssh keys,
public ssh keys will be updated to the FreeIPA server, and

then users will connect to the remote servers via the private ssh keys; remote 
servers need to authenticate via the keys received from the FreeIPA server.


But the present working condition doesn't satisfy this, as the user needs to get the 
Kerberos ticket every lifetime.


Remote server getting the keys from FreeIPA:
[root@ldap1-eng-switchlab-net ipa]# /usr/bin/sss_ssh_authorizedkeys np
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxOZ37IUe5gvlhO1i+bMhj8vhwlKZN6OKeMW6AM37aJhd7jxhz1R+Cod18YTB+gHkrfwe75kkEKfVyvTjpp9j5DRPeTyGMyWt4VbbyYq1Po4BZT7wOtUjwFq320QD5QnNKU6nbQKsB61xCMQy1Peu0nV/33dQTWHzlGi4uV0MN/KBvaWHmTwN6ZJ34uyEQ8kQ+fStd9XNFREw0iYglk42mNd/SA35njqNlsUbtBAR9ZokruAwAVVZqrfQw== n...@ldap.eng.switchlab.net
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxDS69+CH89z5ftzZZCmohY89y2AsJXfA0piHxg2XE+n np@ubuntu
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFyO8uxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMLGVqIwR8Ps5m6sYsB/hx3gm2fIoKq6fm0g976L26oAmclDi12CpVFYbI/osIjsq6mIpr9de5Qus/n9kIoxTZLHTRuoCEj7xc4PSPG78oE7JoWKLMvBDiwyhXNa+O9X1RgYhfYmS2m+1nGJYC9DG4xo7K60nO6WogBg3T+EwuDjYrVIfB5Rfe4D8iWKqOTNlJ+MzK4Dk8W8hqSJvuQFq5155DsbeqDy00EY1dMaGYVUq81lHEM91oz n...@ldap0.eng.switchlab.net
[root@ldap1-eng-switchlab-net ipa]#

Debug log of the present ssh session:

debug2: key: /home/np/.ssh/id_rsa (0x7f495ef25d60)
debug2: key: /home/np/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).


Nareshchandra Paturi



________________________________
 From: Alexander Bokovoy <aboko...@redhat.com>
To: naresh reddy <nareshbt...@yahoo.com> 
Cc: Jan Cholasta <jchol...@redhat.com>; "freeipa-users@redhat.com" 
<freeipa-users@redhat.com> 
Sent: Friday, April 26, 2013 11:44 AM
Subject: Re: [Freeipa-users] Freeipa -ssh keys
 

On Fri, 26 Apr 2013, naresh reddy wrote:
>Hi Alex 
>
>I had tried tshoot, so I have changed GSSAPIAuthentication to no 
>because I was getting
>debug1: Unspecified GSS failure.  Minor code may provide more information
>Ticket expired
^^^ Ticket expired means your ticket on the machine from which you are
trying to connect to ssh server.

You need to maintain actual credentials:
[client]$ kinit n...@eng.switchlab.net
Password: <...>
[client]$ ssh -K -l n...@eng.switchlab.net ldap1.eng.switchlab.net

You can read basics about Kerberos here:
http://www.kerberos.org/software/tutorial.html

-- 
/ Alexander Bokovoy
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
