Hello.
I've encountered an issue with ssh login to freeipa clients in a trusted
environment.
The getent/id commands work as expected, but password/publickey auth for
a user from the IPA or AD domain does not work (GSSAPI works, by the way).
It seems like sss_ssh_authorizedkeys is not working properly in this case.
$ getent passwd admin
admin:*:217600000:217600000:Administrator:/home/admin:/bin/bash
$ getent passwd admin@cloud
admin:*:217600000:217600000:Administrator:/home/admin:/bin/bash
$ getent passwd [email protected]
[email protected]:*:1742600500:1742600500:Administrator:/home/zone.local/administrator:/bin/bash
Establishing connection:
$ ssh -l admin@CLOUD 192.168.13.103 -i key.openssh
Received disconnect from 192.168.13.103: 2: Too many authentication failures for admin@CLOUD
Here's the log of connection:
/var/log/secure
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
Disconnecting: Too many authentication failures for admin@CLOUD [preauth]
Trying to get the public key manually:
$ /usr/bin/sss_ssh_authorizedkeys admin@CLOUD
ssh-rsa AAAAB3NzaC~~
$ /usr/bin/sss_ssh_authorizedkeys admin
Error looking up public keys
Trying to connect with password auth:
$ ssh -l admin@CLOUD 192.168.13.103
admin@[email protected]'s password:
X11 forwarding request failed on channel 0
Connection to 192.168.13.103 closed by remote host.
Connection to 192.168.13.103 closed.
/var/log/secure
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.13.106 user=admin@CLOUD
pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.13.106 user=admin@CLOUD
Accepted password for admin@CLOUD from 192.168.13.106 port 63054 ssh2
pam_unix(sshd:session): session opened for user admin@CLOUD by (uid=0)
fatal: login_init_entry: Cannot find user "admin"
pam_unix(sshd:session): session closed for user admin@CLOUD
fatal: login_init_entry: Cannot find user "admin"
fatal: mm_request_send: write: Broken pipe
Connection closed by 192.168.13.106 [preauth]
Auth succeeded, but login failed.
Versions:
Centos 7.1.1503
sssd 1.12.2
freeipa 4.1.0