On 04/16/2014 04:28 PM, David Kreuter wrote:
On client side the valid Kerberos ticket is present. The following SSH
configuration is used on the machine where the IPA client is running:
/etc/ssh/sshd_config
---cut---
PasswordAuthentication yes
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
---cut---
Just checked the machine again, password authentication is used as
fallback, because the Kerberos setup on this machine seems to be messed
up. I have tried to uninstall the client and reinstalled it. During
the installation I'm getting the following message:
"A RA is not configured on the server. Not requesting host certificate."
Trying to request the certificate manually leads to:
ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/<host> -N
'CN=<host>,O=EXAMPLE.INFO' -v
Error org.fedorahosted.certmonger.duplicate: Certificate at same
location is already used by request with nickname "20140416200517"
When you removed the client, certmonger was still tracking certs from the
previous install.
Use certmonger to un-track old cert(s) and try to re-install again. That
should solve this problem.
I think this is fixed in the latest version of IPA client.
As for SSH I think a quick search on the net renders several guides that
show how to set up OpenSSH with GSSAPI.
So the certificate is already there. Do you have some hints?
------------------------------------------------------------------------
*From: *"Simo Sorce" <s...@redhat.com>
*To: *"David Kreuter" <david.kreu...@bytesource.net>
*Cc: *freeipa-users@redhat.com
*Sent: *Wednesday, 16 April, 2014 8:50:39 PM
*Subject: *Re: [Freeipa-users] PasswordAuthentication option for SSH
On Wed, 2014-04-16 at 20:08 +0200, David Kreuter wrote:
> Hi,
>
>
> Today I faced the issue that Kerberos authentication stopped working
> after disabling PasswordAuthentication in /etc/ssh/sshd_config on a
> FreeIPA client. The deactivation of this option was done due to
> security issues.
>
>
> Is it really necessary to have this option set to yes when using
> Kerberos authentication?
No, GSSAPI authentication does not need PasswordAuthentication; of
course it requires valid Kerberos credentials on the client and a valid
keytab on the server.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
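
An added example, not part of the original thread and not FreeIPA or OpenSSH code: a small Python check of which login paths an sshd_config enables globally, run over the configuration quoted in the thread and over a constructed variant with password logins switched off. The function names are hypothetical and the defaults table assumes upstream OpenSSH defaults; `sshd -T` on the host prints the values sshd actually uses.

```python
# Added example: which login paths does an sshd_config enable globally?
# DEFAULTS assumes upstream OpenSSH defaults; a distribution may differ.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "gssapiauthentication": "no",
    "usepam": "no",
}

# Constructed sample: the sshd_config quoted in the thread.
THREAD_CONFIG = """\
PasswordAuthentication yes
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
"""
# Constructed variant: password logins off, GSSAPI left on.
HARDENED_CONFIG = "ChallengeResponseAuthentication no\n" + THREAD_CONFIG.replace(
    "PasswordAuthentication yes", "PasswordAuthentication no")

def effective_settings(config_text):
    """Global settings as sshd reads them: first value per keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if not fields:
            continue
        keyword = fields[0].lower()          # keywords are case-insensitive
        if keyword == "match":
            break                            # conditional blocks are not global
        value = fields[1].strip() if len(fields) > 1 else ""
        seen.setdefault(keyword, value.lower())
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def audit(config_text):
    s = effective_settings(config_text)
    return {
        "gssapi_login": s["gssapiauthentication"] == "yes",
        "password_login": s["passwordauthentication"] == "yes",
        # With UsePAM, keyboard-interactive can still ask for a password.
        "password_via_pam": s["usepam"] == "yes"
        and s["challengeresponseauthentication"] == "yes",
    }

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

The check only reads the global section; settings inside `Match` blocks and the Kerberos side (client ticket, server keytab) are outside what it evaluates.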