Dan Scott wrote:
Hi,

I'm having problems with users accessing their accounts for the first time using SSH. I create their account in FreeIPA and set an (expired) password. Then I have them ssh into one of our computers to set up their password. The connection displays the following:

    djsc...@pc35:~$ ssh gu...@pc20
    gu...@pc20's password:
    Warning: Your password will expire in less than one hour.
    Warning: password has expired.
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user guser.
    Kerberos 5 Password:
    Warning: Your password will expire in less than one hour.
    New password:
    Retype new password:
    passwd: Authentication token manipulation error
    Connection to pc20 closed.

And the password change fails. Here is the relevant section from the Kerberos logfile. There is no entry in the LDAP log in dirsrv.

    Nov 08 14:48:21 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: CLIENT KEY EXPIRED: [email protected] for krbtgt/[email protected], Password has expired
    Nov 08 14:48:21 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
    Nov 08 14:48:22 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: ISSUE: authtime 1289245702, etypes {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected]
    Nov 08 14:48:23 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
    Nov 08 14:48:23 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: ISSUE: authtime 1289245703, etypes {rep=18 tkt=18 ses=18}, [email protected] for kadmin/[email protected]

This appears to work fine when using kinit to log in for the first time.
Shouldn't it work using SSH too? This will be a problem for our remote users, since they have to connect remotely, using SSH.

Thanks,
Dan Scott
You need to enable Challenge-Response in sshd. See: http://freeipa.org/page/Administrators_Guide#Using_Password_Authentication

rob

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
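A way to check a host for the setting Rob points to, as an added shell example that is not part of this thread or of FreeIPA: it reads the effective sshd configuration as printed by `sshd -T` (lowercase keyword/value pairs, one per line) and reports whether keyboard-interactive (challenge-response) authentication is on, which is what lets the PAM password-change conversation run inside the SSH login. The two sample configurations are constructed, the function names are mine, and the additional `UsePAM` check is my assumption about a Linux sshd that hands password changes to PAM; OpenSSH 8.7 and later print the renamed keyword `kbdinteractiveauthentication` in place of `challengeresponseauthentication`, so both are accepted.

```shell
#!/bin/sh
# Added example, not from the thread: decide from `sshd -T` output whether an
# expired-password change can be completed over SSH.

# Print the value of keyword $1 from the sshd -T text in $2; empty if absent.
sshd_opt() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Return 0 (and print "ok") when challenge-response/keyboard-interactive
# authentication and PAM are enabled; otherwise print the directives to set
# in sshd_config and return 1. The UsePAM requirement is an assumption here.
pwchange_ready() {
    conf="$1"
    kbd=$(sshd_opt kbdinteractiveauthentication "$conf")   # OpenSSH >= 8.7 name
    [ -z "$kbd" ] && kbd=$(sshd_opt challengeresponseauthentication "$conf")
    pam=$(sshd_opt usepam "$conf")
    missing=""
    [ "$kbd" = "yes" ] || missing="$missing ChallengeResponseAuthentication=yes"
    [ "$pam" = "yes" ] || missing="$missing UsePAM=yes"
    if [ -n "$missing" ]; then
        echo "expired-password change over ssh will fail; set:$missing"
        return 1
    fi
    echo "ok"
    return 0
}

# Constructed samples standing in for `sshd -T` on two hosts (not real output).
BAD_CONF='port 22
passwordauthentication yes
challengeresponseauthentication no
usepam yes'

GOOD_CONF='port 22
passwordauthentication yes
challengeresponseauthentication yes
usepam yes'

# On a live host run as root: pwchange_ready "$(sshd -T 2>/dev/null)"
pwchange_ready "$BAD_CONF" || :
pwchange_ready "$GOOD_CONF" || :
```

`sshd -T` shows the configuration sshd actually loaded (including `Match` blocks resolved for no connection), so it catches a later directive or included file overriding the one you edited; after changing sshd_config, restart sshd and rerun the check before telling the user to try again.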
