Re: [Freeipa-users] Public Key Authentication Failing

[Yogesh Sharma]

Re-Enrolling the server has fixed it, but what has caused this, is still an
issue.

*Best Regards,*

*__________________________________________*

*Yogesh Sharma*
*Email: yks0...@gmail.com <yks0...@gmail.com> | Web: www.initd.in
<http://www.initd.in/> *

*RHCE, VCE-CIA, RACKSPACE CLOUD U Certified*

<https://www.fb.com/yks0000>   <http://in.linkedin.com/in/yks0000>
<https://twitter.com/checkwithyogesh>
<http://google.com/+YogeshSharmaOnGooglePlus>

On Wed, Aug 19, 2015 at 1:23 AM, Yogesh Sharma <yks0...@gmail.com> wrote:

> Majority of sssd logs are filled with below error:
>
> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
>
>
> *Best Regards,*
>
> *__________________________________________*
>
> *Yogesh Sharma*
> *Email: yks0...@gmail.com <yks0...@gmail.com> | Web: www.initd.in
> <http://www.initd.in/> *
>
> *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified*
>
> <https://www.fb.com/yks0000>   <http://in.linkedin.com/in/yks0000>
> <https://twitter.com/checkwithyogesh>
> <http://google.com/+YogeshSharmaOnGooglePlus>
>
> On Wed, Aug 19, 2015 at 12:44 AM, Yogesh Sharma <yks0...@gmail.com> wrote:
>
>> Team.
>>
>> We are using public key authentication instead of password. It was
>> working fine but a day latter it has stopped working. The same key is
>> working for if change the username.
>>
>> For eg:
>>
>> Initially we created a user - ipa1 with ssh public key, but after
>> sometime it has stopped working, now the same key is working if we create
>> ipa2 user but with ipa1 user it fail to accept the keys.
>>
>>
>>
>> Below are ssh logs of failed attempt:
>>
>> root@yogesh-ubuntu-pc:/home/yogesh# ssh -i /root/.ssh/id_rsa
>> vg4381@172.16.32.24 -vv
>> OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>> debug2: ssh_connect: needpriv 0
>> debug1: Connecting to 172.16.32.24 [172.16.32.24] port 22.
>> debug1: Connection established.
>> debug1: permanently_set_uid: 0/0
>> debug1: identity file /root/.ssh/id_rsa type 1
>> debug1: identity file /root/.ssh/id_rsa-cert type -1
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.2
>> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
>> debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
>> debug2: fd 3 setting O_NONBLOCK
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug2: kex_parse_kexinit: curve25519-sha...@libssh.org
>> ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>> debug2: kex_parse_kexinit: ssh-rsa-cert-...@openssh.com,
>> ssh-rsa-cert-...@openssh.com,ssh-rsa,
>> ecdsa-sha2-nistp256-cert-...@openssh.com,
>> ecdsa-sha2-nistp384-cert-...@openssh.com,
>> ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com
>> ,ssh-dss-cert-...@openssh.com,ssh-dss-cert-...@openssh.com
>> ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
>> debug2: kex_parse_kexinit:
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
>> aes128-...@openssh.com,aes256-...@openssh.com,
>> chacha20-poly1...@openssh.com
>> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
>> rijndael-...@lysator.liu.se
>> debug2: kex_parse_kexinit:
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
>> aes128-...@openssh.com,aes256-...@openssh.com,
>> chacha20-poly1...@openssh.com
>> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
>> rijndael-...@lysator.liu.se
>> debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,
>> hmac-sha1-...@openssh.com,umac-64-...@openssh.com,
>> umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,
>> hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,
>> hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com
>> ,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com
>> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com
>> ,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,
>> hmac-sha1-...@openssh.com,umac-64-...@openssh.com,
>> umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,
>> hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,
>> hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com
>> ,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com
>> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com
>> ,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
>> debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit: first_kex_follows 0
>> debug2: kex_parse_kexinit: reserved 0
>> debug2: kex_parse_kexinit:
>> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>> debug2: kex_parse_kexinit:
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
>> rijndael-...@lysator.liu.se
>> debug2: kex_parse_kexinit:
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
>> rijndael-...@lysator.liu.se
>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com
>> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com
>> ,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com
>> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com
>> ,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: none,z...@openssh.com
>> debug2: kex_parse_kexinit: none,z...@openssh.com
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit: first_kex_follows 0
>> debug2: kex_parse_kexinit: reserved 0
>> debug2: mac_setup: setup hmac-md5
>> debug1: kex: server->client aes128-ctr hmac-md5 none
>> debug2: mac_setup: setup hmac-md5
>> debug1: kex: client->server aes128-ctr hmac-md5 none
>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>> debug2: bits set: 1554/3072
>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>> debug1: Server host key: RSA
>> 78:1f:15:bf:d3:fb:1a:49:44:8c:3a:28:b0:1f:6b:15
>> debug1: Host '172.16.32.24' is known and matches the RSA host key.
>> debug1: Found key in /root/.ssh/known_hosts:2258
>> debug2: bits set: 1553/3072
>> debug1: ssh_rsa_verify: signature correct
>> debug2: kex_derive_keys
>> debug2: set_newkeys: mode 1
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug2: set_newkeys: mode 0
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: Roaming not allowed by server
>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>> debug2: service_accept: ssh-userauth
>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>> debug2: key: /root/.ssh/id_rsa (0x7f646fa5b830), explicit
>> debug1: Authentications that can continue:
>> publickey,gssapi-keyex,gssapi-with-mic,password
>> debug1: Next authentication method: gssapi-keyex
>> debug1: No valid Key exchange context
>> debug2: we did not send a packet, disable method
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> No Kerberos credentials available
>>
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> No Kerberos credentials available
>>
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>>
>>
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> No Kerberos credentials available
>>
>> debug2: we did not send a packet, disable method
>> debug1: Next authentication method: publickey
>> debug1: Offering RSA public key: /root/.ssh/id_rsa
>> debug2: we sent a publickey packet, wait for reply
>> debug1: Authentications that can continue:
>> publickey,gssapi-keyex,gssapi-with-mic,password
>> debug2: we did not send a packet, disable method
>> debug1: Next authentication method: password
>>
>> *Best Regards,*
>>
>> *__________________________________________*
>>
>> *Yogesh Sharma*
>> *Email: yks0...@gmail.com <yks0...@gmail.com> | Web: www.initd.in
>> <http://www.initd.in/> *
>>
>> *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified*
>>
>> <https://www.fb.com/yks0000>   <http://in.linkedin.com/in/yks0000>
>> <https://twitter.com/checkwithyogesh>
>> <http://google.com/+YogeshSharmaOnGooglePlus>
>>
>
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project