On Dec 16, 2008, at 7:52 AM, Scott Dodson wrote:
David Miller wrote:
I'm in the process of evaluating RH IPA server and have run into
two problems. Before I begin here is the setup. One vanilla RHEL
5.2 server install with IPA channel. One vanilla RHEL 5.2 desktop
install with workstation channel. Eventually I would like to have a
couple of Linux clusters and a few stand-alone general compute
nodes use an IPA server for enforcing password policy and
authenticating users that will only be using SSH.
1. After getting my evaluation key entered into RHN I successfully
subscribed my RHEL5 server with the IPA sub channel and got the IPA
server up and running. However, I could not find a sub channel to
subscribe to for the IPA client for my RHEL 5 desktop with
workstation. I wound up installing the RPMs from the IPA server
installation ISO through yum. What is the channel used to grab the
IPA client packages? The desktop version of RHEL cannot subscribe
to the IPA channel.
2. When I create a user account I cannot log into the RHEL
workstation using SSH. I must log the new account in at the
console first. At the console I'm prompted to change the password
for the new account right away. After changing the password I can
login using SSH. I like the one time password but is there a way to
make it work over SSH without tying the machine they are SSHing
from to the IPA server's kerberos? Even though the SSH works after
the initial console login what will happen when the password is due
for changing? I have people SSHing in using all sorts of SSH
clients on various operating systems. Getting all of them to work
with kerberos just for SSH is unrealistic.
David,
I ran your post by a co-worker of mine who is relatively familiar
with IPA but unfortunately not subscribed to this list. He didn't
have any suggestions for Question #1, however for Question #2 he
suggested adding "ChallengeResponseAuthentication yes" to your
/etc/ssh/sshd_config on all machines that auth against IPA, restarting
sshd after you make the changes.
Thanks that seemed to do the trick. Now I'm trying to get host based
access working. I followed the instructions on doing host based access
control. Here is the URL to the section to see what I'm referring to.
http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_IPA/1.0/html/Administration_Guide/sect-Administration_Guide-Configuring_Access_Control-Configuring_Host_Based_Access_Control.html
I have a host setup to only allow root, a group called managers, a
group called theory, and deny all at the end. What I'm finding is that
if I create a user account that is not a part of either of those groups
it denies access like it should. However, if I add them to either of
those groups after the user has attempted login once it still won't let
them in. If I create a new user and add them to one of those groups at
creation time it will allow them in like it should. After logging in
once and removing the user from those groups it still allows them to
log in later. The machine using host based access control seems to be
caching whether the user belongs to a group or not the first time they
login. How do you force the machine to check the IPA server to see what
groups the user belongs to each time they SSH in?
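The sshd_config change suggested in the reply above has one trap worth knowing: sshd uses the first value it finds for a keyword, so appending "ChallengeResponseAuthentication yes" to the end of a file that already contains "ChallengeResponseAuthentication no" higher up changes nothing. The POSIX shell script below is an added example (not from the thread or from the IPA project): it reads the effective value the way sshd would, and rewrites every active occurrence of the keyword in place, appending only when the keyword is absent. The sample file it builds is constructed for the demonstration; the function names are assumptions. It does not understand "Match" blocks, so a keyword inside one would be rewritten too, and you still need to run "sshd -t" and restart sshd afterwards.

```shell
#!/bin/sh
# Added example: safe editing of sshd_config keywords (not from the thread).

# sshd_effective FILE KEY
# Print the value sshd will actually use: the first uncommented line whose
# keyword matches KEY (keywords are case-insensitive, "Key value" or "Key=value").
sshd_effective() {
    file=$1; key=$2
    awk -v key="$key" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == tolower(key)) { print f[2]; exit }
        }
    ' "$file"
}

# set_sshd_option FILE KEY VALUE
# Rewrite every active line for KEY so the first occurrence carries VALUE;
# if KEY is not set anywhere, append it. Commented lines are left alone.
# Caveat: lines inside "Match" blocks are rewritten as well.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { found = 0 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(key)) {
                print key " " value
                found = 1
            } else {
                print $0
            }
        }
        END { if (!found) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demonstration on a constructed sshd_config, not a real one.
demo_cfg=$(mktemp)
printf '%s\n' \
    '# constructed sample sshd_config' \
    'ChallengeResponseAuthentication no' \
    'PasswordAuthentication yes' \
    '#ChallengeResponseAuthentication yes' > "$demo_cfg"

echo "before: $(sshd_effective "$demo_cfg" ChallengeResponseAuthentication)"
set_sshd_option "$demo_cfg" ChallengeResponseAuthentication yes
echo "after:  $(sshd_effective "$demo_cfg" ChallengeResponseAuthentication)"
rm -f "$demo_cfg"
```

On a real host the call would be `set_sshd_option /etc/ssh/sshd_config ChallengeResponseAuthentication yes`, followed by `sshd -t` to validate the file and a restart of sshd, as the reply above already says.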
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list