I think I just realised that my expectation may be wrong: GSSAPI login with a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it correct to also expect passwordless login with an AD user to a FreeIPA host?
On 2 May 2017 at 17:40, Jason B. Nance <[email protected]> wrote:

> Hi Tiemen,
>
> To be clear, what I'm trying to do: log in from an AD account
> (adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
> host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
> expect to be logged in through GSSAPI, instead I get a password prompt.
>
> I'm assuming that you are coming from a Windows client that is domain
> joined and logged into that Windows client with the same domain credentials
> that you are using to connect to the IPA-joined host. Do you also have
> your SSH client configured to attempt GSSAPI? It appears that you do from
> the logs you provided but I'm just double-checking.
>
> In my setup I've found that this feature does not work all of the time.
> I've not yet been able to track it down and I'm assuming it has something
> to do with connections to domain controllers timing out, but at this point
> that is speculation.
>
> So to answer your question, yes, that should work. Sorry I don't have
> more information for you, I guess I'm basically "me too"ing your post.
>
> Regards,
>
> j
>
> Is this supposed to work? Did I miss something?
>
> Below the SSH log from the FreeIPA host with LogLevel DEBUG3:
>
> May 2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK
> May 2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.
> May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: entering fd
> = 8 config len 922
> May 2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0
> May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done
> May 2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore
> May 2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0
> May 2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5
> newsock 5 pipe 7 sock 8
> May 2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after dupping:
> 3, 3
> May 2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 port
> 53106 on 192.168.50.63 port 22
> May 2 17:10:32 neodymium sshd[752]: debug1: Client protocol version 2.0;
> client software version PuTTY_KiTTY
> May 2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY
> May 2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility mode
> for protocol 2.0
> May 2 17:10:32 neodymium sshd[752]: debug1: Local version string
> SSH-2.0-OpenSSH_6.6.1
> May 2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK
> May 2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init: preparing
> rlimit sandbox
> May 2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid 753
> May 2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor started
> May 2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: 74/74
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types:
> ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 42 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> entering: type 43 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> request 42
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 43
> May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+
> al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve
> [email protected],ecdh-sha2-nistp256,ecdh-sha2-
> nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-
> sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-
> group14-sha1,diffie-hellman-group1-sha1 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1
> [email protected],[email protected],[email protected]
> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
> aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1
> [email protected],[email protected],[email protected]
> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
> aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> [email protected],[email protected],[email protected]
> ,[email protected],[email protected],hmac-sha2-512-etm@
> openssh.com,[email protected],[email protected],
> [email protected],hmac-md5,hmac-sha1,[email protected],umac-
> [email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,h
> [email protected],hmac-sha1-96,hmac-md5-96 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> [email protected],[email protected],[email protected]
> ,[email protected],[email protected],hmac-sha2-512-etm@
> openssh.com,[email protected],[email protected],
> [email protected],hmac-md5,hmac-sha1,[email protected],umac-
> [email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,h
> [email protected],hmac-sha1-96,hmac-md5-96 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,
> [email protected] [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,
> [email protected] [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> first_kex_follows 0 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: reserved 0
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> [email protected],ecdh-sha2-nistp256,ecdh-sha2-
> nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-
> sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-
> group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
> ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> aes256-ctr,aes256-cbc,[email protected],aes192-
> ctr,aes192-cbc,aes128-ctr,aes128-cbc,[email protected]
> ,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> aes256-ctr,aes256-cbc,[email protected],aes192-
> ctr,aes192-cbc,aes128-ctr,aes128-cbc,[email protected]
> ,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-
> [email protected],[email protected],[email protected]
> ,[email protected] [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-
> [email protected],[email protected],[email protected]
> ,[email protected] [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,zlib
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,zlib
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> first_kex_follows 0 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: reserved 0
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup
> hmac-sha2-256 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: kex: client->server
> aes256-ctr hmac-sha2-256 none [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup
> hmac-sha2-256 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: kex: server->client
> aes256-ctr hmac-sha2-256 none [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: kex:
> [email protected] need=32 dh_need=32 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 120 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> entering: type 121 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> request 120
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 121
> May 2 17:10:32 neodymium sshd[752]: debug1: kex:
> [email protected] need=32 dh_need=32 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 120 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> entering: type 121 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> request 120
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 121
> May 2 17:10:32 neodymium sshd[752]: debug1: expecting
> SSH2_MSG_KEX_ECDH_INIT [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign entering [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 6 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign: waiting for
> MONITOR_ANS_SIGN [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> entering: type 7 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> request 6
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign: signature
> 0x7f7ea34ed250(83)
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 7
> May 2 17:10:32 neodymium sshd[752]: debug2: monitor_read: 6 used once,
> disabling now
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_derive_keys [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: set_newkeys: mode 1 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS sent
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: expecting SSH2_MSG_NEWKEYS
> [preauth]
> May 2 17:10:33 neodymium sshd[752]: debug2: set_newkeys: mode 0 [preauth]
> May 2 17:10:33 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS received
> [preauth]
> May 2 17:10:33 neodymium sshd[752]: debug1: KEX done
> [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user
> [email protected] service ssh-connection method none
> [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug1: attempt 0 failures 0 [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow entering
> [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> type 8 [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow: waiting for
> MONITOR_ANS_PWNAM [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
> entering: type 9 [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
> [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
> May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> request 8
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow
> May 2 17:10:42 neodymium sshd[752]: debug3: Trying to reverse map address
> 192.168.10.155.
> May 2 17:10:42 neodymium sshd[752]: debug2: parse_server_config: config
> reprocess config len 922
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow: sending
> MONITOR_ANS_PWNAM: 1
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> type 9
> May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 8 used once,
> disabling now
> May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request:
> setting up authctxt for [email protected] [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_start_pam entering
> [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> type 100 [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authserv entering
> [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> type 4 [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authrole entering
> [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> type 80 [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try
> method none [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: userauth_finish: failure
> partial=0 next
> methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive"
> [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
> May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> request 100
> May 2 17:10:42 neodymium sshd[752]: debug1: PAM: initializing for "
> [email protected]"
> May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_RHOST to
> "192.168.10.155"
> May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_TTY to "ssh"
> May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 100 used once,
> disabling now
> May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user
> [email protected] service ssh-connection method
> gssapi-with-mic [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug1: attempt 1 failures 0 [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try
> method gssapi-with-mic [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> type 42 [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
> entering: type 43 [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
> [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
> May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> request 4
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authserv:
> service=ssh-connection, style=
> May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 4 used once,
> disabling now
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
> May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> request 80
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authrole: role=
> May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 80 used once,
> disabling now
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
> May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> request 42
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> type 43
> May 2 17:10:42 neodymium sshd[752]: Postponed gssapi-with-mic for
> [email protected] from 192.168.10.155 port 53106 ssh2
> [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user
> [email protected] service ssh-connection method
> keyboard-interactive [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug1: attempt 2 failures 0 [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try
> method keyboard-interactive [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug1: keyboard-interactive devs
> [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge: user=
> [email protected] devs= [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug1: kbdint_alloc: devices 'pam'
> [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug2: auth2_challenge_start:
> devices pam [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug2: kbdint_next_device: devices
> <empty> [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge_start: trying
> authentication method 'pam' [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> type 104 [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx: waiting
> for MONITOR_ANS_PAM_INIT_CTX [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
> entering: type 105 [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
> [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
> May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> request 104
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_init_ctx
> May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_init_ctx entering
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> type 105
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> type 106 [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: waiting for
> MONITOR_ANS_PAM_QUERY [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
> entering: type 107 [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
> [preauth]
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
> May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> request 106
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_query
> May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_query entering
> May 2 17:10:42 neodymium sshd[752]: debug3: ssh_msg_recv entering
> May 2 17:10:42 neodymium sshd[766]: debug3: PAM: sshpam_thread_conv
> entering, 1 messages
> May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_send: type 1
> May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_recv entering
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> type 107
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: pam_query
> returned 0 [preauth]
> May 2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive for
> [email protected] from 192.168.10.155 port 53106 ssh2
> [preauth]
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media

--
Tiemen Ruiten
Systems Engineer
R&D Media
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
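The quoted sshd trace shows the client trying the methods in this order: none, then gssapi-with-mic (logged as "Postponed"), then keyboard-interactive (also "Postponed", which is where the password prompt comes from). In OpenSSH, "Postponed gssapi-with-mic" is written after the server has accepted the client's mechanism OID and sent its GSSAPI response; it is then waiting for the client's first GSSAPI token. A fresh userauth-request for keyboard-interactive arriving instead of that token means the client gave up on GSSAPI on its own side, which is why the server log cannot show the reason (on a Windows client that usually means it could not get a Kerberos service ticket for the host's principal). The script below is an added example, not code from the thread or the FreeIPA project: it reconstructs that per-connection method sequence from sshd debug lines and classifies what happened to gssapi-with-mic. The sample lines are a constructed subset of the quoted log, with the user principal replaced by the placeholder user@AD.EXAMPLE because the page's copy redacts it.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the sshd LogLevel DEBUG3 lines quoted in
# the post. The principal is a placeholder; the page's copy redacts it.
SAMPLE_LOG = """\
May  2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user user@AD.EXAMPLE service ssh-connection method none [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
May  2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user user@AD.EXAMPLE service ssh-connection method gssapi-with-mic [preauth]
May  2 17:10:42 neodymium sshd[752]: Postponed gssapi-with-mic for user@AD.EXAMPLE from 192.168.10.155 port 53106 ssh2 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user user@AD.EXAMPLE service ssh-connection method keyboard-interactive [preauth]
May  2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive for user@AD.EXAMPLE from 192.168.10.155 port 53106 ssh2 [preauth]
"""

# A client's request for a method (needs LogLevel DEBUG or higher).
REQUEST_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: debug1: userauth-request for user (?P<user>\S+) "
    r"service \S+ method (?P<method>\S+)"
)
# sshd's verdict on a method; these lines appear at the default log level too.
OUTCOME_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<outcome>Accepted|Failed|Postponed) (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<addr>\S+) port (?P<port>\d+)"
)


def auth_trace(log_text):
    """Return {pid: [(event, method), ...]} in log order, one list per
    sshd child (one child per connection). event is 'request' or the
    lower-cased outcome word (accepted / failed / postponed)."""
    trace = defaultdict(list)
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            trace[m["pid"]].append(("request", m["method"]))
            continue
        m = OUTCOME_RE.search(line)
        if m:
            trace[m["pid"]].append((m["outcome"].lower(), m["method"]))
    return dict(trace)


def diagnose_gssapi(events):
    """Classify the fate of gssapi-with-mic in one connection's trace."""
    if not any(method == "gssapi-with-mic" for _, method in events):
        return "not-attempted"
    if ("accepted", "gssapi-with-mic") in events:
        return "accepted"
    if ("failed", "gssapi-with-mic") in events:
        return "rejected-by-server"
    # Postponed: sshd accepted the mechanism OID and is waiting for a token.
    # If the client's next request is a different method, it never sent
    # that token, so the client abandoned GSSAPI, not the server.
    for i, event in enumerate(events):
        if event == ("postponed", "gssapi-with-mic"):
            later = [m for ev, m in events[i + 1:] if ev == "request"]
            if later and later[0] != "gssapi-with-mic":
                return "abandoned-by-client:" + later[0]
            return "pending"
    return "requested-no-outcome"


if __name__ == "__main__":
    for pid, events in auth_trace(SAMPLE_LOG).items():
        print(pid, " -> ".join(f"{ev}:{m}" for ev, m in events))
        print(pid, "gssapi-with-mic:", diagnose_gssapi(events))
```

Run it against the real log with `auth_trace(open("/var/log/secure").read())`; a verdict of abandoned-by-client tells you to take the investigation to the client (ticket acquisition for the host principal), while rejected-by-server points at the host keytab or sshd's GSSAPI settings.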
