Re: [Freeipa-users] ipa-client-install remove the passwordless connection with root
Thanks for update. Adding mailing list back, to be aware of the results.

Given this description, I wonder if this is hitting
https://bugzilla.redhat.com/show_bug.cgi?id=1201454 that is planned to be fixed in next RHEL-6 minor version.

On 06/03/2015 10:46 AM, bahan w wrote:
> Hello again.
>
> The problem was coming from the sshd_config file. The parameter PubkeyAuthentication=yes was placed after the parameter PasswordAuthentication=yes. I uncommented the PubkeyAuthentication=yes before the PasswordAuthentication and now it works.
>
> The problem is solved.
>
> Best regards.
>
> Bahan
>
> On Wed, Jun 3, 2015 at 10:05 AM, bahan w bahanw042...@gmail.com wrote:
>> Hello Martin.
>>
>> Unfortunately for me, I cannot migrate OS so I need to make it work with RHEL 6.4. :-(
>>
>> Best regards.
>>
>> On 3 June 2015 09:39, Martin Kosek mko...@redhat.com wrote:
>>> On 06/02/2015 06:27 PM, bahan w wrote:
>>>> Hello !
>>>>
>>>> I send you this mail because I have a problem linked with SSH and FreeIPA.
>>>>
>>>> I have multiple servers:
>>>> - One with FreeIPA server 3.0.0-26
>>>> - The others with FreeIPA client 3.0.0-26
>>>>
>>>> They are running on RHEL 6.4. I configured a root user on each of them.
>>>>
>>>> On one specific server, I created an RSA key in order to connect passwordlessly from a specific server to all the others:
>>>>
>>>> ssh-keygen -t rsa
>>>>
>>>> I distributed the public key on all the others:
>>>>
>>>> for i in ${my_server_list}; do scp /root/.ssh/id_rsa.pub $i:/root/.ssh/authorized_keys; done
>>>>
>>>> Once it was done, I modified the rights on these files:
>>>>
>>>> for i in ${my_server_list}; do ssh $i chmod 644 /root/.ssh/authorized_keys; done
>>>>
>>>> And I was able to connect to all these servers without entering a password. The system was working well.
>>>>
>>>> When I installed ipa-server on a specific server, this connection with the RSA key was not possible anymore. Each time I tried to connect to the server through SSH, it keeps asking me for a password.
>>>>
>>>> I tried to install the ipa-client on another server to just check if I had the same behaviour and indeed, each time I run ipa-client-install, I can't connect passwordlessly with root anymore.
>>>
>>> Hello,
>>>
>>> SSH with key with root account should work, SSSD (or the SSH public key tools) should not interfere with root user account at all.
>>>
>>> What I would suggest is to try some newer version of sssd+ipa-client; RHEL-6.4 is quite old already. RHEL-6.6 (or even RHEL-7.1) would be a better starting point.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
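The key-distribution loop quoted above copies id_rsa.pub over the top of each host's authorized_keys, which silently replaces any key that file already held, and then fixes the mode in a second pass. As an added example (my own code, not from the thread or from FreeIPA), the POSIX shell function below does the per-host part the way a practitioner would want it: it validates the key line, creates ~/.ssh and authorized_keys with the modes StrictModes requires, and appends the key only if the same type and blob are not already present. The function names, the home directory argument and the key blobs in the demonstration are all constructed for this example; the blobs are placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): append one public key to
# an account's authorized_keys without replacing the keys already there, and
# with the modes sshd's StrictModes expects (~/.ssh 0700, authorized_keys 0600).
#
# add_authorized_key HOME_DIR "<keytype> <base64> [comment]"
#   returns 0 when the key was appended, 2 when it was already present,
#   1 when the key line is malformed or the files could not be prepared.
add_authorized_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    keys_file="$ssh_dir/authorized_keys"

    # Split the key line into type and blob (comment is whatever follows) and
    # validate both, so a stray file name or shell fragment is never appended.
    keytype=${pubkey%% *}
    rest=${pubkey#* }
    blob=${rest%% *}
    case $keytype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) printf 'add_authorized_key: unsupported key type "%s"\n' "$keytype" >&2; return 1 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) printf 'add_authorized_key: key blob is not base64\n' >&2; return 1 ;;
    esac

    # Create the directory and file under a restrictive umask, then pin the
    # modes explicitly in case they already existed with something looser.
    ( umask 077 && mkdir -p "$ssh_dir" && touch "$keys_file" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$keys_file" || return 1

    # Idempotency: match on type and blob only, so a different comment on the
    # same key does not produce a duplicate entry.
    if awk -v t="$keytype" -v b="$blob" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$keys_file"; then
        return 2
    fi
    printf '%s\n' "$pubkey" >> "$keys_file"
}

# authorized_key_count HOME_DIR -> number of key lines in authorized_keys
authorized_key_count() {
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# mode_string PATH -> the ls-style permission string, e.g. -rw-------
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Constructed demonstration in a temporary home directory; the blob is a
# placeholder, not a real key.
DEMO_HOME=$(mktemp -d)
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderBlob00000000 root@jump'
add_authorized_key "$DEMO_HOME" "$DEMO_KEY"
add_authorized_key "$DEMO_HOME" "$DEMO_KEY" || echo "second add skipped with status $?"
echo "keys now in file: $(authorized_key_count "$DEMO_HOME")"
echo "authorized_keys mode: $(mode_string "$DEMO_HOME/.ssh/authorized_keys")"
```

To apply it to the remote hosts in the loop, copy the script over and run it there with ssh, or use ssh-copy-id, which performs the same append-and-chmod on the remote side. Mode 0644 on authorized_keys, as in the thread, also satisfies StrictModes (the check is that the file and directory are not writable by group or others); 0600 is simply the more conservative choice.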
Re: [Freeipa-users] ipa-client-install remove the passwordless connection with root
On 06/02/2015 06:27 PM, bahan w wrote:
> Hello !
>
> I send you this mail because I have a problem linked with SSH and FreeIPA.
>
> I have multiple servers:
> - One with FreeIPA server 3.0.0-26
> - The others with FreeIPA client 3.0.0-26
>
> They are running on RHEL 6.4. I configured a root user on each of them.
>
> On one specific server, I created an RSA key in order to connect passwordlessly from a specific server to all the others:
>
> ssh-keygen -t rsa
>
> I distributed the public key on all the others:
>
> for i in ${my_server_list}; do scp /root/.ssh/id_rsa.pub $i:/root/.ssh/authorized_keys; done
>
> Once it was done, I modified the rights on these files:
>
> for i in ${my_server_list}; do ssh $i chmod 644 /root/.ssh/authorized_keys; done
>
> And I was able to connect to all these servers without entering a password. The system was working well.
>
> When I installed ipa-server on a specific server, this connection with the RSA key was not possible anymore. Each time I tried to connect to the server through SSH, it keeps asking me for a password.
>
> I tried to install the ipa-client on another server to just check if I had the same behaviour and indeed, each time I run ipa-client-install, I can't connect passwordlessly with root anymore.

Hello,

SSH with key with root account should work, SSSD (or the SSH public key tools) should not interfere with root user account at all.

What I would suggest is to try some newer version of sssd+ipa-client; RHEL-6.4 is quite old already. RHEL-6.6 (or even RHEL-7.1) would be a better starting point.
[Freeipa-users] ipa-client-install remove the passwordless connection with root
Hello !

I send you this mail because I have a problem linked with SSH and FreeIPA.

I have multiple servers:
- One with FreeIPA server 3.0.0-26
- The others with FreeIPA client 3.0.0-26

They are running on RHEL 6.4. I configured a root user on each of them.

On one specific server, I created an RSA key in order to connect passwordlessly from a specific server to all the others:

ssh-keygen -t rsa

I distributed the public key on all the others:

for i in ${my_server_list}; do scp /root/.ssh/id_rsa.pub $i:/root/.ssh/authorized_keys; done

Once it was done, I modified the rights on these files:

for i in ${my_server_list}; do ssh $i chmod 644 /root/.ssh/authorized_keys; done

And I was able to connect to all these servers without entering a password. The system was working well.

When I installed ipa-server on a specific server, this connection with the RSA key was not possible anymore. Each time I tried to connect to the server through SSH, it keeps asking me for a password.

I tried to install the ipa-client on another server to just check if I had the same behaviour and indeed, each time I run ipa-client-install, I can't connect passwordlessly with root anymore.

Here is the command I use for the ipa-client-install:

ipa-client-install -U --realm=MYREALM --domain=mydomain.com --server=myipaserver.mydomain.com --principal=admin --password=X --mkhomedir -N --ca-cert=/tmp/ca.crt --hostname=myipaclient1.mydomain.com

When I add the option --no-sshd, the ssh passwordless connection is still operational, but if I don't put this option, then my ssh passwordless connection does not work anymore.

Here is the content of the sshd_config file before (ssh pubkey connection working) and after (ssh pubkey connection not working):

Before:

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv XMODIFIERS
AllowGroups staff root
ChallengeResponseAuthentication no
ClientAliveCountMax 0
ClientAliveCountMax 9
ClientAliveInterval 300
DSAAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
HostbasedAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
KerberosAuthentication no
LogLevel VERBOSE
MaxAuthTries 4
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
TCPKeepAlive yes
UsePAM yes
X11Forwarding yes

After, when it does not work:

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv XMODIFIERS
AllowGroups staff root
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
ChallengeResponseAuthentication no
ClientAliveCountMax 0
ClientAliveCountMax 9
ClientAliveInterval 300
DSAAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
HostbasedAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
KerberosAuthentication no
LogLevel VERBOSE
MaxAuthTries 4
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
TCPKeepAlive yes
UsePAM yes
X11Forwarding yes

A quick diff -u shows me that the only difference between these configurations is the following parameter in the new file (when it does not work):

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

Here is the log of the SSH connection when it works:

ssh -vvv myipaclient1.mydomain.com
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 myipaclient1.mydomain.com
debug1: permanently_set_uid: 0/0
debug1: permanently_drop_suid: 0
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing
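The two sshd_config listings above differ only by the AuthorizedKeysCommand line that ipa-client-install adds, which hands key lookup for a user to sss_ssh_authorizedkeys while sshd still reads the files named by AuthorizedKeysFile, and the follow-up in this thread traced the failure to where PubkeyAuthentication sat in the file. As an added example (my own script, not from the thread or from FreeIPA), the POSIX shell audit below reads a copy of sshd_config and reports, for the directives that matter for key-based root login, the value sshd will actually use. It applies sshd's own parsing rules: commented lines are ignored, the first occurrence of a keyword wins (both listings set ClientAliveCountMax twice), keywords are case-insensitive, "Keyword=value" is accepted, and directives inside a Match block are conditional and so are left out. The function names are mine; the sample configuration at the bottom is constructed from the "After" listing, with PubkeyAuthentication commented out to reproduce the symptom and a Match block added to show the exclusion.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): report the effective
# value of selected sshd_config directives the way sshd resolves them.

# inspect_directive FILE KEYWORD
# Prints "<count> <value>": the number of active occurrences (not commented
# out, not inside a Match block) and the value sshd uses, i.e. the first one.
inspect_directive() {
    awk -v kw="$2" '
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (line == "" || substr(line, 1, 1) == "#") next
            split(line, parts, /[[:space:]=]+/)
            key = tolower(parts[1])
            if (key == "match") in_match = 1           # everything below is conditional
            if (in_match || key != tolower(kw)) next
            val = line
            if (sub(/^[^[:space:]=]+[[:space:]=]+/, "", val) == 0) val = ""
            if (n == 0) first = val                    # first occurrence wins in sshd
            n++
        }
        END { print n + 0, (n ? first : "(unset)") }
    ' "$1"
}

# effective_value FILE KEYWORD -> the value sshd uses, or "(unset)" when the
# compiled-in default applies
effective_value() {
    inspect_directive "$1" "$2" | { read -r cnt val; printf '%s\n' "$val"; }
}

# occurrence_count FILE KEYWORD -> number of active occurrences
occurrence_count() {
    inspect_directive "$1" "$2" | { read -r cnt val; printf '%s\n' "$cnt"; }
}

# audit_sshd_config FILE -> one line per directive relevant to key-based root
# login, plus a warning for any keyword that is set more than once
audit_sshd_config() {
    for kw in PubkeyAuthentication PasswordAuthentication PermitRootLogin \
              AuthorizedKeysCommand StrictModes ClientAliveCountMax; do
        printf '%-24s %s\n' "$kw" "$(effective_value "$1" "$kw")"
        if [ "$(occurrence_count "$1" "$kw")" -gt 1 ]; then
            printf '  warning: %s appears more than once; sshd keeps the first value\n' "$kw"
        fi
    done
}

# Constructed sample based on the "After" listing in the thread, with
# PubkeyAuthentication commented out and a Match block added for illustration.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
AllowGroups staff root
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
ClientAliveCountMax 0
ClientAliveCountMax 9
LogLevel=VERBOSE
PasswordAuthentication yes
PermitRootLogin yes
#PubkeyAuthentication yes
StrictModes yes
UsePAM yes

Match User backup
    PasswordAuthentication no
EOF

audit_sshd_config "$SAMPLE_CONF"
```

On a live host, `sshd -T` prints the effective configuration after sshd has done this resolution itself, which is the authoritative form of the same check; the script is for inspecting a copy of the file offline, such as the before/after versions posted in this thread. To confirm the outcome without being offered a password prompt, `ssh -o BatchMode=yes -o PasswordAuthentication=no root@host true` fails outright when key authentication is not working instead of falling back to a password.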