looks like sshd is trying to read /home/ouruser/.ssh/authorized_keys and
is stuck. Can you read this file from the command line? Is it e.g. on
NFS which might not be properly mounted?
Does it work if you skip pubkey authentication?
    ssh -o PubkeyAuthentication=no -vv -k ouruser@ourserver
bye,
Sumit
Thanks for the suggestion. What happens is the NIS password works. The
FreeIPA password, which I update with:
    ipa user-mod ouruser --setattr "userpassword=xxxx"
fails with the below errors/logs:
Feb 9 11:10:34 ourserver sshd[381563]: debug1: Forked child 536086.
Feb 9 11:10:34 ourserver sshd[536086]: debug1: Set
/proc/self/oom_score_adj to 0
Feb 9 11:10:34 ourserver sshd[536086]: debug1: rexec start in 5 out 5
newsock 5 pipe 7 sock 8
Feb 9 11:10:34 ourserver sshd[536086]: debug1: inetd sockets after
dupping: 4, 4
Feb 9 11:10:34 ourserver sshd[536086]: Connection from x.x.x.x port 53332
on 150.108.64.156 port 22 rdomain ""
Feb 9 11:10:34 ourserver sshd[536086]: debug1: Local version string
SSH-2.0-OpenSSH_8.4
Feb 9 11:10:34 ourserver sshd[536086]: debug1: Remote protocol version
2.0, remote software version OpenSSH_8.4
Feb 9 11:10:34 ourserver sshd[536086]: debug1: match: OpenSSH_8.4 pat
OpenSSH* compat 0x04000000
Feb 9 11:10:35 ourserver sshd[536086]: debug1: SELinux support disabled
[preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: permanently_set_uid: 74/74
[preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: list_hostkey_types:
rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT sent
[preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT received
[preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: algorithm:
curve25519-sha256 [preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: host key algorithm:
ecdsa-sha2-nistp256 [preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: client->server cipher:
aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: server->client cipher:
aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: curve25519-sha256
need=32 dh_need=32 [preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: curve25519-sha256
need=32 dh_need=32 [preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: expecting
SSH2_MSG_KEX_ECDH_INIT [preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: rekey out after 4294967296
blocks [preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS sent
[preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: Sending SSH2_MSG_EXT_INFO
[preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: expecting SSH2_MSG_NEWKEYS
[preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS received
[preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: rekey in after 4294967296
blocks [preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: KEX done [preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for user
ouruser service ssh-connection method none [preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: attempt 0 failures 0
[preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: initializing for
"ouruser"
Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting PAM_RHOST to
"x.x.x.x"
Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting PAM_TTY to
"ssh"
Feb 9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for user
ouruser service ssh-connection method keyboard-interactive [preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: attempt 1 failures 0
[preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: keyboard-interactive devs
[preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge:
user=ouruser devs= [preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: kbdint_alloc: devices 'pam'
[preauth]
Feb 9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge_start:
trying authentication method 'pam' [preauth]
Feb 9 11:10:35 ourserver sshd[536086]: Postponed keyboard-interactive for
ouruser from x.x.x.x port 53332 ssh2 [preauth]
Feb 9 11:10:39 ourserver sshd[536091]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Feb 9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Feb 9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): received for
user ouruser: 9 (Authentication service cannot retrieve authentication info)
Feb 9 11:10:41 ourserver sshd[536086]: error: PAM: Authentication failure
for ouruser from x.x.x.x
Feb 9 11:10:41 ourserver sshd[536086]: Failed keyboard-interactive/pam for
ouruser from x.x.x.x port 53332 ssh2
Feb 9 11:10:41 ourserver sshd[536086]: debug1: userauth-request for user
ouruser service ssh-connection method keyboard-interactive [preauth]
Feb 9 11:10:41 ourserver sshd[536086]: debug1: attempt 2 failures 1
[preauth]
Feb 9 11:10:41 ourserver sshd[536086]: debug1: keyboard-interactive devs
[preauth]
Feb 9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge:
user=ouruser devs= [preauth]
Feb 9 11:10:41 ourserver sshd[536086]: debug1: kbdint_alloc: devices 'pam'
[preauth]
Feb 9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge_start:
trying authentication method 'pam' [preauth]
Feb 9 11:10:41 ourserver sshd[536086]: Postponed keyboard-interactive for
ouruser from x.x.x.x port 53332 ssh2 [preauth]
With the NIS password the logs show this:
Feb 9 11:16:57 debug1: do_pam_account: called
Feb 9 11:16:57 ourserver sshd[536226]: debug1: PAM: num PAM env strings 2
Feb 9 11:16:57 ourserver sshd[536226]: Postponed keyboard-interactive/pam
for cai from 150.108.68.26 port 53646 ssh2 [preauth]
Feb 9 11:16:57 ourserver sshd[536226]: debug1: do_pam_account: called
Feb 9 11:16:57 ourserver sshd[536226]: Accepted keyboard-interactive/pam
for cai from 150.108.68.26 port 53646 ssh2
Feb 9 11:16:57 ourserver sshd[536226]: debug1: monitor_child_preauth: cai
has been authenticated by privileged process
Feb 9 11:16:57 ourserver sshd[536226]: debug1: monitor_read_log: child log
fd closed
Feb 9 11:16:57 ourserver sshd[536226]: debug1: audit_event: unhandled
event 2
Feb 9 11:16:57 ourserver sshd[536226]: debug1: temporarily_use_uid:
5879/200 (e=0/0)
Feb 9 11:16:57 ourserver sshd[536226]: debug1: ssh_gssapi_storecreds: Not
a GSSAPI mechanism
Feb 9 11:16:57 ourserver sshd[536226]: debug1: restore_uid: 0/0
Feb 9 11:16:57 ourserver sshd[536226]: debug1: SELinux support disabled
Feb 9 11:16:57 ourserver sshd[536226]: debug1: PAM: establishing
credentials
Feb 9 11:16:57 ourserver systemd[536237]: pam_unix(systemd-user:session):
session opened for user cai(uid=5879) by (uid=0)
What options should be set in /etc/ssh/sshd_config? Is sssd necessary for
this to work with the FreeIPA password?
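
Added example, not part of the original thread: a small Python triage of the PAM lines quoted above, which rejoins the mail-wrapped syslog records and maps the numeric code reported by pam_sss to its Linux-PAM name, so a backend lookup failure (code 9) is not mistaken for a wrong password (code 7). The sample text is constructed from the lines in the post, and the category labels ("backend", "credential", "identity") are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, copied in shape from the mail-wrapped lines in the thread.
SAMPLE = """\
Feb 9 11:10:39 ourserver sshd[536091]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Feb 9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Feb 9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): received for
user ouruser: 9 (Authentication service cannot retrieve authentication info)
"""

# Linux-PAM return codes; the second field is this example's own triage label.
PAM_CODES = {
    4: ("PAM_SYSTEM_ERR", "backend"),
    7: ("PAM_AUTH_ERR", "credential"),
    9: ("PAM_AUTHINFO_UNAVAIL", "backend"),
    10: ("PAM_USER_UNKNOWN", "identity"),
}

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
FAIL = re.compile(r"(pam_\w+)\(sshd:auth\): authentication failure;.*\buser=(\S+)")
CODE = re.compile(r"(pam_\w+)\(sshd:auth\): received for user (\S+): (\d+) \(")

def unwrap(text):
    """Rejoin records that the mail client wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Return {user: {module: (code_name, label)}} for failed PAM auth steps."""
    result = defaultdict(dict)
    for rec in unwrap(text):
        m = CODE.search(rec)
        if m:  # a module reported its numeric PAM result: most specific signal
            code = int(m.group(3))
            result[m.group(2)][m.group(1)] = PAM_CODES.get(code, (f"code {code}", "unknown"))
            continue
        m = FAIL.search(rec)
        if m:  # generic failure line; keep only if no code was seen for the module
            result[m.group(2)].setdefault(m.group(1), ("unreported", "unknown"))
    return dict(result)
```

On the quoted lines this reports pam_sss as `PAM_AUTHINFO_UNAVAIL` with the label "backend", while pam_unix carries no code at all.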