Re: [Freeipa-users] PasswordAuthentication option for SSH

Thu, 17 Apr 2014 14:37:29 -0700 

On 04/16/2014 04:28 PM, David Kreuter wrote:
On client side the valid Kerberos ticket is present. The following SSH configuration is used on the machine where the IPA client is running: 

/etc/ssh/sshd_config
---cut---
PasswordAuthentication yes
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
---cut---


Just checked the machine again, password authentication is used as 
fallback, because the Keberos setup on this machine seems to be messed 
up. I have tried to uninstall the client and reinstalled it. During 
the installation I'm getting following message:


"A RA is not configured on the server. Not requesting host certificate."

Trying to request the certificate manually leads in:


ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/<host> -N 
'CN=<host>,O=EXAMPLE.INFO' -v



Error org.fedorahosted.certmonger.duplicate: Certificate at same 
location is already used by request with nickname "20140416200517"



When you removed the client certmonger was still tracking certs from the 
previous install.
Use cermonger to un-track old cert(s) and try to re-install again. That 
should solve this problem.

I think is fixed in the latest version of IPA client.


As for SSH I think a quick search on the net renders several guides that 
show how to setup OpenSSH with GSSAPI.





So to certificate is already there. Do you have some hints?


------------------------------------------------------------------------
*From: *"Simo Sorce" <s...@redhat.com>
*To: *"David Kreuter" <david.kreu...@bytesource.net>
*Cc: *freeipa-users@redhat.com
*Sent: *Wednesday, 16 April, 2014 8:50:39 PM
*Subject: *Re: [Freeipa-users] PasswordAuthentication option for SSH

On Wed, 2014-04-16 at 20:08 +0200, David Kreuter wrote:
> Hi,
>
>
> Today I faced the issue that Kerberos authentication stopped working
> after disabling PasswordAuthentication in /etc/ssh/sshd_config on a
> FreeIPA client. The deactivation of this option was done due to
> security issues.
>
>
> Is it really necessary to have this option set to yes when using
> Keberos authentication?

No, GSSAPI authentication does not need PasswordAuthentication, of
course it requires valid kerberos credentials on the client and a valid
keytab on the server.

Simo.

--
Simo Sorce * Red Hat, Inc * New York




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users





















					Reply via email to