For what it's worth, I possibly misunderstood the first 'authentication failure'.
If I try to login to a fresh VM, without having installed FreeIPA but with /etc/ssh/sshd_config:PermitEmptyPasswords yes then I still get the error but the login succeeds. # ssh root@localhost root@localhost's password: Last login: Fri Aug 14 03:20:52 2020 from 10.0.4.36 Aug 14 03:23:05 localhost sshd[32248]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root Aug 14 03:23:05 localhost sshd[32248]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Aug 14 03:23:12 localhost sshd[32248]: Accepted password for root from ::1 port 50440 ssh2 Aug 14 03:23:12 localhost sshd[32248]: pam_unix(sshd:session): session opened for user root by (uid=0) Handwave: I suspect that AllowEmptyPassword=yes introduces an additional check (for a null password) and when that fails, it is leaving a 'failure' in pam, although that failure doesn't impact the final result if ipa-client-install hasn't been run. However, if ipa-client-install has been run, then that failure matters, for some reason I don't fully understand. _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
