Re: [Freeipa-users] ssh_exchange_identification: Connection closed by remote host

On Fri, Aug 28, 2015 at 05:10:31PM +0200, Roberto Cornacchia wrote:
> Hi, I have two hosts, photon and hadron, and an LDAP user roberto. The user can log in successfully on both machines. The SSH pub key is uploaded. Running sss_ssh_authorizedkeys roberto from both clients returns the same key. Port 22 is open on both clients, sshd is running on both clients.
> [...]
> However, ssh from hadron to photon works, the other way around doesn't:
>
>     roberto@photon $ ssh -vv hadron
>     [...]
>     debug1: Local version string SSH-2.0-OpenSSH_6.9
>     ssh_exchange_identification: Connection closed by remote host
>
> If I include a few other cases, this is the summary:
>
> - photon to hadron FAILS
> - photon to photon SUCCEEDS
> - photon to ipa server SUCCEEDS
> - photon to (non-ipa-client) FAILS before asking password (no keypair authentication expected here)
> - hadron to photon SUCCEEDS
> - hadron to hadron FAILS
> - hadron to ipa server SUCCEEDS
> - hadron to (non-ipa-client) FAILS before asking password (no keypair authentication expected here)
>
> I know that the error above is quite generic, so I don't expect someone can point out the exact cause, but perhaps someone can help me debug this? What could I look at?

Do you have any HBAC rules for hadron activated on the IPA server? If not, can you activate sshd debug logging on hadron by setting LogLevel to DEBUG3 in sshd_config and restarting sshd? Maybe they have some useful information.

HTH

bye,
Sumit

> Thanks,
> Roberto

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] ssh_exchange_identification: Connection closed by remote host

Hi,

I have two hosts, photon and hadron, and an LDAP user roberto. The user can log in successfully on both machines. The SSH pub key is uploaded. Running sss_ssh_authorizedkeys roberto from both clients returns the same key. Port 22 is open on both clients, sshd is running on both clients.

On both clients, /etc/ssh/ssh_config is:

    Host *
        GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
        PubkeyAuthentication yes
        ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
        GSSAPIAuthentication yes

On both clients, /etc/ssh/sshd_config is:

    KerberosAuthentication no
    PubkeyAuthentication yes
    UsePAM yes
    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
    GSSAPIAuthentication yes
    AuthorizedKeysCommandUser nobody

However, ssh from hadron to photon works, the other way around doesn't:

    roberto@photon $ ssh -vv hadron
    OpenSSH_6.9p1, OpenSSL 1.0.1k-fips 8 Jan 2015
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 56: Applying options for *
    debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 hadron
    debug1: permanently_drop_suid: 117206
    debug1: identity file /home/roberto/.ssh/id_rsa type 1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/roberto/.ssh/id_rsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/roberto/.ssh/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/roberto/.ssh/id_dsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/roberto/.ssh/id_ecdsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/roberto/.ssh/id_ecdsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/roberto/.ssh/id_ed25519 type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/roberto/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.9
    ssh_exchange_identification: Connection closed by remote host

If I include a few other cases, this is the summary:

- photon to hadron FAILS
- photon to photon SUCCEEDS
- photon to ipa server SUCCEEDS
- photon to (non-ipa-client) FAILS before asking password (no keypair authentication expected here)
- hadron to photon SUCCEEDS
- hadron to hadron FAILS
- hadron to ipa server SUCCEEDS
- hadron to (non-ipa-client) FAILS before asking password (no keypair authentication expected here)

I know that the error above is quite generic, so I don't expect someone can point out the exact cause, but perhaps someone can help me debug this? What could I look at?

Thanks,
Roberto
Re: [Freeipa-users] ssh_exchange_identification: Connection closed by remote host

On Fri, 28 Aug 2015, Roberto Cornacchia wrote:
> Hi, I have two hosts, photon and hadron, and an LDAP user roberto. The user can log in successfully on both machines. The SSH pub key is uploaded. Running sss_ssh_authorizedkeys roberto from both clients returns the same key. Port 22 is open on both clients, sshd is running on both clients.
> [...]
> However, ssh from hadron to photon works, the other way around doesn't:
>
>     roberto@photon $ ssh -vv hadron
>     [...]
>     debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 hadron
>     [...]
>     debug1: Local version string SSH-2.0-OpenSSH_6.9
>     ssh_exchange_identification: Connection closed by remote host
>
> If I include a few other cases, this is the summary:
>
> - photon to hadron FAILS
> - photon to photon SUCCEEDS
> - photon to ipa server SUCCEEDS
> - photon to (non-ipa-client) FAILS before asking password (no keypair authentication expected here)
> - hadron to photon SUCCEEDS
> - hadron to hadron FAILS
> - hadron to ipa server SUCCEEDS
> - hadron to (non-ipa-client) FAILS before asking password (no keypair authentication expected here)
>
> I know that the error above is quite generic, so I don't expect someone can point out the exact cause, but perhaps someone can help me debug this? What could I look at?

Launch the following command under root:

    /usr/bin/sss_ssh_knownhostsproxy --debug 10 -p 22 hadron
    echo $?

and see what it returns. You also will get debug output from the run in syslog or journald, like:

    Aug 28 15:25:37 m1.example.com sss_ssh_knownhostsproxy[17049]: sss_ssh_get_ent() failed (2): No such file or directory
    Aug 28 15:25:37 m1.example.com sss_ssh_knownhostsproxy[17049]: connect() failed (113): No route to host

--
/ Alexander Bokovoy
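Added example, not part of the thread and not SSSD or FreeIPA code: a Python triage script for the checks suggested in Alexander's and Sumit's replies. It probes port 22 directly, bypassing the ProxyCommand, to see whether sshd on the target sends its identification line at all; it runs /usr/bin/sss_ssh_knownhostsproxy with the --debug 10 -p 22 HOST arguments from Alexander's command and reports whether the proxy relayed a banner or exited on its own; and it labels the two kinds of failure lines he shows. The proxy path is taken from Roberto's ssh_config; the local test peer and the sample log lines fed to the classifier are constructed for the example.

```python
"""Triage for "ssh_exchange_identification: Connection closed by remote host"
behind sss_ssh_knownhostsproxy (illustration added to the thread; not SSSD,
FreeIPA or the posters' code).  ssh prints that error when its peer, with a
ProxyCommand the proxy's stdout, closes before an "SSH-2.0-..." line arrives,
so the closure may come from the proxy giving up or from the real sshd.
Assumed: proxy path from Roberto's ssh_config, flags from Alexander's command;
the local test peer and the sample log lines are constructed."""
import re
import socket
import subprocess
import sys
import threading

PROXY = "/usr/bin/sss_ssh_knownhostsproxy"   # path from the thread's ssh_config
# Sample input for the classifier: the two lines quoted in Alexander's reply.
SAMPLE_SYSLOG = [
    "Aug 28 15:25:37 m1.example.com sss_ssh_knownhostsproxy[17049]: "
    "sss_ssh_get_ent() failed (2): No such file or directory",
    "Aug 28 15:25:37 m1.example.com sss_ssh_knownhostsproxy[17049]: "
    "connect() failed (113): No route to host",
]
FAIL_RE = re.compile(r"(sss_ssh_get_ent|connect)\(\) failed \((\d+)\): (.*)$")

def read_ssh_banner(host, port=22, timeout=5.0):
    """Direct TCP probe, bypassing the proxy: return the peer's identification
    string, or None if it closed before sending one (exactly the condition
    ssh reports as "Connection closed by remote host")."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while len(buf) < 4096:
            for line in buf.split(b"\n")[:-1]:       # complete lines so far
                if line.startswith(b"SSH-"):          # RFC 4253 allows other lines first
                    return line.rstrip(b"\r").decode("ascii", "replace")
            chunk = s.recv(256)
            if not chunk:                             # EOF, no identification line
                return None
            buf += chunk
    return None

def run_knownhostsproxy(host, port=22, timeout=10.0):
    """Run the proxy as Alexander suggests (--debug 10 -p PORT HOST) and report
    'banner' (server identification it relayed, or None), 'exited' (its exit
    status if it quit on its own within the timeout) and 'stderr' (debug)."""
    proc = subprocess.Popen(
        [PROXY, "--debug", "10", "-p", str(port), host],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    result = {"banner": None, "exited": None, "stderr": ""}
    def reader():                                     # first stdout line, if any
        line = proc.stdout.readline().rstrip(b"\r\n")
        if line.startswith(b"SSH-"):
            result["banner"] = line.decode("ascii", "replace")
    t = threading.Thread(target=reader, daemon=True)
    t.start()
    t.join(timeout)
    try:
        result["exited"] = proc.wait(timeout=0.5)     # quit by itself: it gave up
    except subprocess.TimeoutExpired:
        proc.kill()                                   # still relaying: proxy is fine
        proc.wait()
    result["stderr"] = proc.stderr.read().decode("utf-8", "replace")
    return result

def classify_proxy_log(lines):
    """(stage, errno, text) per proxy failure line.  Both lines in Alexander's
    sample carry one PID, so the failed host-key lookup did not end that run
    by itself; the connect() failure did."""
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in map(FAIL_RE.search, lines) if m]

def serve_once(banner):
    """Constructed test peer on 127.0.0.1: accept one connection, then send
    `banner`, or with None close at once like a host dropping the connection
    before identification.  Returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def accept():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
        srv.close()
    threading.Thread(target=accept, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":                            # usage: triage.py HOST
    target = sys.argv[1]
    try:
        print("direct TCP  :", read_ssh_banner(target))
    except OSError as exc:
        print("direct TCP  : error:", exc)
    via = run_knownhostsproxy(target)
    print("via proxy   : banner=%r exited=%r" % (via["banner"], via["exited"]))
    for stage, err, text in classify_proxy_log(via["stderr"].splitlines()):
        print("  proxy %s() failed (%d): %s" % (stage, err, text))
```

Run it as root on photon with `python3 triage.py hadron` (the file name is an assumption). If the direct probe returns an SSH-2.0 banner but the proxy exits with no banner, the closure is the proxy's own, and its stderr, or the syslog/journal lines Alexander mentions, says whether the host-key lookup or the connect() failed. If the direct probe also gets EOF, sshd on hadron is closing the connection itself, which is the case where Sumit's LogLevel DEBUG3 on hadron shows the reason.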