Re: [Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-03 Thread Martin Kosek
Thanks for update. Adding mailing list back, to be aware of the results.

Given this description, I wonder if this is hitting
https://bugzilla.redhat.com/show_bug.cgi?id=1201454
that is planned to be fixed in next RHEL-6 minor version.

On 06/03/2015 10:46 AM, bahan w wrote:
 Hello again.
 
 The problem was coming from the sshd_config file.
 The parameter PubkeyAuthentication=yes was placed after the parameter
 PasswordAuthentication=yes.
 I uncommented the PubkeyAuthentication=yes before the PasswordAuthentication
 and now it works.
 
 The problem is solved.
 
 Best regards.
 
 Bahan
 
 
 On Wed, Jun 3, 2015 at 10:05 AM, bahan w bahanw042...@gmail.com wrote:
 
 Hello Martin.

 Unfortunately for me, I cannot migrate OS so I need to make it work with
 RHEL 6.4. :-(

 Best regards.
 On 3 June 2015 at 09:39, Martin Kosek mko...@redhat.com wrote:

 On 06/02/2015 06:27 PM, bahan w wrote:
 Hello !

 I send you this mail because I have a problem linked with SSH and
 FreeIPA.

 I have multiple servers :
 - One with FreeIPA server 3.0.0-26
 - The others with FreeIPA client 3.0.0-26

 They are running on RHEL 6.4.

 I configured a root user on each of them.
 On one specific server, I created an rsa key in order to connect
 passwordlessly from a specific server to all the others
 
 ssh-keygen -t rsa
 

 I distributed the public key on all the others :
 
 for i in ${my_server_list}; do scp /root/.ssh/id_rsa.pub $i:/root/.ssh/authorized_keys; done
 

 Once it was done, I modified the rights on these files :
 
 for i in ${my_server_list}; do ssh $i chmod 644 /root/.ssh/authorized_keys; done
 

 And I was able to connect to all these servers without entering a
 password.
 The system was working well.

 When I installed ipa-server on a specific server, this connection with the
 RSA key was not possible anymore.
 Each time I tried to connect to the server through SSH, it keeps asking me
 for a password.
 I tried to install the ipa-client on another server to just check if I had
 the same behaviour and indeed, each time I run ipa-client-install, I can't
 connect passwordlessly with root anymore.

 Hello,

 SSH with key with root account should work, SSSD (or the SSH public key tools)
 should not interfere with the root user account at all. What I would suggest is to
 try some newer version of sssd+ipa-client, RHEL-6.4 is quite old already.
 RHEL-6.6 (or even RHEL-7.1) would be a better starting point.


 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-03 Thread Martin Kosek
On 06/02/2015 06:27 PM, bahan w wrote:
 Hello !
 
 I send you this mail because I have a problem linked with SSH and FreeIPA.
 
 I have multiple servers :
 - One with FreeIPA server 3.0.0-26
 - The others with FreeIPA client 3.0.0-26
 
 They are running on RHEL 6.4.
 
 I configured a root user on each of them.
 On one specific server, I created an rsa key in order to connect
 passwordlessly from a specific server to all the others
 
 ssh-keygen -t rsa
 
 
 I distributed the public key on all the others :
 
 for i in ${my_server_list}; do scp /root/.ssh/id_rsa.pub $i:/root/.ssh/authorized_keys; done
 
 
 Once it was done, I modified the rights on these files :
 
 for i in ${my_server_list}; do ssh $i chmod 644 /root/.ssh/authorized_keys; done
 
 
 And I was able to connect to all these servers without entering a password.
 The system was working well.
 
 When I installed ipa-server on a specific server, this connection with the
 RSA key was not possible anymore.
 Each time I tried to connect to the server through SSH, it keeps asking me
 for a password.
 I tried to install the ipa-client on another server to just check if I had
 the same behaviour and indeed, each time I run ipa-client-install, I can't
 connect passwordlessly with root anymore.

Hello,

SSH with key with root account should work, SSSD (or the SSH public key tools)
should not interfere with the root user account at all. What I would suggest is to
try some newer version of sssd+ipa-client, RHEL-6.4 is quite old already.
RHEL-6.6 (or even RHEL-7.1) would be a better starting point.



[Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-02 Thread bahan w
Hello !

I send you this mail because I have a problem linked with SSH and FreeIPA.

I have multiple servers :
- One with FreeIPA server 3.0.0-26
- The others with FreeIPA client 3.0.0-26

They are running on RHEL 6.4.

I configured a root user on each of them.
On one specific server, I created an rsa key in order to connect
passwordlessly from a specific server to all the others

ssh-keygen -t rsa


I distributed the public key on all the others :

for i in ${my_server_list}; do scp /root/.ssh/id_rsa.pub $i:/root/.ssh/authorized_keys; done


Once it was done, I modified the rights on these files :

for i in ${my_server_list}; do ssh $i chmod 644 /root/.ssh/authorized_keys; done


And I was able to connect to all these servers without entering a password.
The system was working well.

When I installed ipa-server on a specific server, this connection with the
RSA key was not possible anymore.
Each time I tried to connect to the server through SSH, it keeps asking me
for a password.
I tried to install the ipa-client on another server to just check if I had
the same behaviour and indeed, each time I run ipa-client-install, I can't
connect passwordlessly with root anymore.

Here is the command I use for the ipa-client-install :

ipa-client-install -U --realm=MYREALM --domain=mydomain.com \
  --server=myipaserver.mydomain.com --principal=admin --password=X \
  --mkhomedir -N --ca-cert=/tmp/ca.crt --hostname=myipaclient1.mydomain.com


When I add the option --no-sshd, the ssh passwordless connection is still
operational, but if I don't put this option, then my ssh passwordless
connection does not work anymore.

Here is the content of the sshd_config file before (ssh pubkey connection
working) and after (ssh pubkey connection not working) :

Before :

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv XMODIFIERS
AllowGroups staff root
ChallengeResponseAuthentication no
ClientAliveCountMax 0
ClientAliveCountMax 9
ClientAliveInterval 300
DSAAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
HostbasedAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
KerberosAuthentication no
LogLevel VERBOSE
MaxAuthTries 4
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
TCPKeepAlive yes
UsePAM yes
X11Forwarding yes


After, when it does not work :

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv XMODIFIERS
AllowGroups staff root
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
ChallengeResponseAuthentication no
ClientAliveCountMax 0
ClientAliveCountMax 9
ClientAliveInterval 300
DSAAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
HostbasedAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
KerberosAuthentication no
LogLevel VERBOSE
MaxAuthTries 4
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
TCPKeepAlive yes
UsePAM yes
X11Forwarding yes


A quick diff -u shows me that the only difference between these
configurations is the following parameter in the new file (when it does not
work) :

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys


Here is the log of the SSH connection when it works :

ssh -vvv myipaclient1.mydomain.com

OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 myipaclient1.mydomain.com
debug1: permanently_set_uid: 0/0
debug1: permanently_drop_suid: 0
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing
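The thread turns on two things in sshd_config: which line ipa-client-install added (the `diff -u` in the original post shows only `AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys`), and the order in which keywords appear (bahan's final message fixes the problem by uncommenting `PubkeyAuthentication` earlier in the file). The script below is an added example, not code from the thread or from FreeIPA/SSSD: it parses two sshd_config snapshots the way sshd reads them (the first occurrence of a keyword wins, so the posted `ClientAliveCountMax 0` / `ClientAliveCountMax 9` pair resolves to 0), diffs the effective settings, and lists where sshd will look for public keys. `BEFORE` and `AFTER` are constructed from the configs in the post, trimmed to the relevant lines; the default `AuthorizedKeysFile` of `.ssh/authorized_keys` is an assumption, and `Match` blocks are skipped as a simplification since the posted configs contain none.

```python
"""Added example: parse sshd_config snapshots with sshd's first-wins rule,
diff the effective settings and list the public-key sources sshd will use."""
import re

# Constructed from the post's "before" config, trimmed to the relevant lines
# (Subsystem whitespace restored). Note the duplicated ClientAliveCountMax.
BEFORE = """\
AllowGroups staff root
ChallengeResponseAuthentication no
ClientAliveCountMax 0
ClientAliveCountMax 9
ClientAliveInterval 300
GSSAPIAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
RSAAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
"""

# The "after" config: identical except for the line ipa-client-install added.
AFTER = BEFORE.replace(
    "AllowGroups staff root\n",
    "AllowGroups staff root\nAuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n",
    1,
)


def parse_sshd_config(text):
    """Return (effective, duplicates).

    effective:  lowercased keyword -> first value seen (sshd's first-wins rule)
    duplicates: lowercased keyword -> every value given, for repeated keywords
    Lines after a Match keyword are ignored (simplification, see lead-in).
    """
    effective, seen = {}, {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # sshd tokenises on whitespace or '=', so "Key=value" is accepted too
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        if in_match:
            continue
        seen.setdefault(key, []).append(value)
        effective.setdefault(key, value)   # first occurrence wins
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return effective, duplicates


def diff_effective(before, after):
    """Keywords whose effective value changed: {keyword: (old, new)}, None if absent."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k))
            for k in sorted(keys) if before.get(k) != after.get(k)}


def key_auth_sources(effective):
    """Where sshd will look for a user's public keys under this config.

    Assumes the default AuthorizedKeysFile of .ssh/authorized_keys when the
    keyword is unset. An AuthorizedKeysCommand is consulted in addition to
    the file, not instead of it.
    """
    if effective.get("pubkeyauthentication", "yes").lower() != "yes":
        return []
    sources = ["AuthorizedKeysFile "
               + effective.get("authorizedkeysfile", ".ssh/authorized_keys")]
    cmd = effective.get("authorizedkeyscommand")
    if cmd:
        sources.append("AuthorizedKeysCommand " + cmd)
    return sources


if __name__ == "__main__":
    before, dup_before = parse_sshd_config(BEFORE)
    after, _ = parse_sshd_config(AFTER)
    print("duplicated keywords (first value wins):", dup_before)
    print("effective changes:", diff_effective(before, after))
    print("key sources after ipa-client-install:", key_auth_sources(after))
```

Run against a real pair of files (for example copies taken before and after `ipa-client-install`), the duplicate report is the useful part: a keyword repeated with different values is a sign that a tool appended a setting that an earlier line silently overrides.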