On the client side, a valid Kerberos ticket is present. The following SSH configuration is used on the machine where the IPA client is running:

/etc/ssh/sshd_config
---cut---
PasswordAuthentication yes
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
---cut---

Just checked the machine again; password authentication is used as a fallback, because the Kerberos setup on this machine seems to be messed up. I have tried to uninstall the client and reinstalled it. During the installation I'm getting the following message:

"A RA is not configured on the server. Not requesting host certificate."

Trying to request the certificate manually leads to:

ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/<host> -N 'CN=<host>,O=EXAMPLE.INFO' -v
Error org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20140416200517"

So the certificate is already there. Do you have some hints?

----- Original Message -----
From: "Simo Sorce" <[email protected]>
To: "David Kreuter" <[email protected]>
Cc: [email protected]
Sent: Wednesday, 16 April, 2014 8:50:39 PM
Subject: Re: [Freeipa-users] PasswordAuthentication option for SSH

On Wed, 2014-04-16 at 20:08 +0200, David Kreuter wrote:
> Hi,
>
> Today I faced the issue that Kerberos authentication stopped working
> after disabling PasswordAuthentication in /etc/ssh/sshd_config on a
> FreeIPA client. The deactivation of this option was done due to
> security issues.
>
> Is it really necessary to have this option set to yes when using
> Kerberos authentication?

No, GSSAPI authentication does not need PasswordAuthentication; of course it requires valid Kerberos credentials on the client and a valid keytab on the server.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
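The two server-side conditions named in the reply above (GSSAPI enabled in sshd, a host key in the keytab) can be checked before PasswordAuthentication is switched off. This is an added example, not part of the original thread: the function names, the hostname client.example.info and the sample inputs are constructed, and only the global part of sshd_config (before any Match block) is examined.

```shell
#!/bin/sh
# Added example; sample inputs are constructed, not from a real host.

# Print the effective global value of an sshd_config keyword read on stdin.
# Keywords are case-insensitive, the first occurrence wins, and parsing
# stops at the first Match block (assumption: only global scope matters).
sshd_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }'
}

# Succeed if `klist -k` output on stdin lists a host/<fqdn>@REALM key.
keytab_has_host() {
    awk -v p="host/$1@" 'index($2, p) == 1 { ok = 1 } END { exit !ok }'
}

# $1 = sshd_config text, $2 = `klist -k` output, $3 = server FQDN
gssapi_ready() {
    gss=$(printf '%s\n' "$1" | sshd_value GSSAPIAuthentication)
    if [ "$gss" != yes ]; then echo "GSSAPIAuthentication is $gss"; return 1; fi
    if ! printf '%s\n' "$2" | keytab_has_host "$3"; then
        echo "no host/$3 key in keytab"; return 1
    fi
    echo "ok"
}

SAMPLE_CONF='PasswordAuthentication no
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys'
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   1 host/client.example.info@EXAMPLE.INFO'
EMPTY_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------'

gssapi_ready "$SAMPLE_CONF" "$SAMPLE_KEYTAB" client.example.info
gssapi_ready "$SAMPLE_CONF" "$EMPTY_KEYTAB" client.example.info || true
# On a real server, as root:
# gssapi_ready "$(sshd -T)" "$(klist -k /etc/krb5.keytab)" "$(hostname -f)"
```

The client-side half of the requirement, a valid ticket, is checked separately with `klist -s` in the user's session.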
