On Mon, Feb 08, 2021 at 04:42:31PM -0500, Robert Kudyba via FreeIPA-users wrote:
We have freeipa-server-4.8.10-6.fc33 running on top of NIS and I'm trying to determine why ssh -k from any client is hanging and not even connecting.
Does sssd need to be configured as in this 2013 training document?
https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
The goal is to eliminate NIS, so perhaps the issue is running both concurrently? The good news is, thanks to tips here last week, all the NIS users migrated along with their passwords. And kinit on the FreeIPA server even prompts them to change their password.
sssd is running:
sssd_be[2329]: GSSAPI client step 1
sssd_be[2329]: GSSAPI client step 2
/etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = ourserver.EDU
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  ourserver.EDU = {
    kdc = ourserver.edu:88
    master_kdc = ourserver.edu:88
    admin_server = ourserver.edu:749
    default_domain = ourserver.edu
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .ourserver.edu = ourserver.EDU
  ourserver.edu = ourserver.EDU
  ourserver.edu = ourserver.EDU

[dbmodules]
  ourserver.EDU = {
    db_library = ipadb.so
  }

[plugins]
  certauth = {
    module = ipakdb:kdb/ipadb.so
    enable_only = ipakdb
  }
HBAC is wide open:
ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
Rule name: allow_all
User category: all
Host category: all
Service category: all
Description: Allow all users to access any host from any host
Enabled: TRUE
Rule name: allow_systemd-user
User category: all
Host category: all
Description: Allow pam_systemd to run user@.service to create a system
user session
Enabled: TRUE
Here are some debug ssh server logs:
Feb 8 16:23:27 ourserver sshd[381563]: debug1: Forked child 510395.
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Set /proc/self/oom_score_adj to 0
Feb 8 16:23:27 ourserver sshd[510395]: debug1: rexec start in 5 out 5 newsock 5 pipe 10 sock 11
Feb 8 16:23:27 ourserver sshd[510395]: debug1: inetd sockets after dupping: 4, 4
Feb 8 16:23:27 ourserver sshd[510395]: Connection from 150.108.68.26 port 45806 on 150.108.64.156 port 22 rdomain ""
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Local version string SSH-2.0-OpenSSH_8.4
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
Feb 8 16:23:27 ourserver sshd[510395]: debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SELinux support disabled [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: permanently_set_uid: 74/74 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: algorithm: curve25519-sha256 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: rekey out after 4294967296 blocks [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Sending SSH2_MSG_EXT_INFO [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: rekey in after 4294967296 blocks [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: KEX done [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: userauth-request for user ouruser service ssh-connection method none [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: attempt 0 failures 0 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: PAM: initializing for "ouruser"
Feb 8 16:23:27 ourserver sshd[510395]: debug1: PAM: setting PAM_RHOST to "xx.xx.xx.xx"
Feb 8 16:23:27 ourserver sshd[510395]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 8 16:23:27 ourserver sshd[510395]: debug1: userauth-request for user ouruser service ssh-connection method publickey [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: attempt 1 failures 0 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: userauth_pubkey: test pkalg rsa-sha2-256 pkblob RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: temporarily_use_uid: 5879/200 (e=0/0)
Feb 8 16:23:27 ourserver sshd[510395]: debug1: trying public key file /home/ouruser/.ssh/authorized_keys
Hi,
looks like sshd is trying to read /home/ouruser/.ssh/authorized_keys and is stuck. Can you read this file from the command line? Is it e.g. on NFS which might not be properly mounted?
Does it work if you skip pubkey authentication:
ssh -o PubkeyAuthentication=no -vv -k ouruser@ourserver
bye,
Sumit
And ssh -k from a Fedora client; note that the user I'm logged in as is NOT the same user I'm trying to log in as:
ssh -vv -k ouruser@ourserver
OpenSSH_8.4p1, OpenSSL 1.1.1i FIPS 8 Dec 2020
debug1: Reading configuration data /home/ouruser/.ssh/config
debug1: /home/ouruser/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host ourserver originally ourserver
debug2: match not found
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/ouruser/.ssh/config
debug1: /home/ouruser/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host ourserver originally ourserver
debug2: match found
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/ouruser/.ssh/sockets/ouruser@ourserver-22" does not exist
debug2: resolving "ourserver" port 22
debug2: ssh_connect_direct
debug1: Connecting to ourserver [150.108.64.156] port 22.
debug1: Connection established.
debug1: identity file /home/ouruser/.ssh/id_rsa type 0
debug1: identity file /home/ouruser/.ssh/id_rsa-cert type -1
debug1: identity file /home/ouruser/.ssh/id_dsa type -1
debug1: identity file /home/ouruser/.ssh/id_dsa-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ed25519 type 3
debug1: identity file /home/ouruser/.ssh/id_ed25519-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ed25519_sk type -1
debug1: identity file /home/ouruser/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/ouruser/.ssh/id_xmss type -1
debug1: identity file /home/ouruser/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to ourserver:22 as 'ouruser'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:XUXhRKNYwxAGhwVIMa3fuo8uNMay6q4/qVeSWlQAOpM
debug1: Host 'ourserver' is known and matches the ECDSA host key.
debug1: Found key in /home/ouruser/.ssh/known_hosts:46
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/ouruser/.ssh/id_rsa RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
debug1: Will attempt key: /home/ouruser/.ssh/id_dsa
debug1: Will attempt key: /home/ouruser/.ssh/id_ecdsa
debug1: Will attempt key: /home/ouruser/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/ouruser/.ssh/id_ed25519 ED25519 SHA256:OoedE0VhmLFtl9nifW57Mca+GHDD0xKkJ2BCLGlV9xc
debug1: Will attempt key: /home/ouruser/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/ouruser/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KCM:)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KCM:)
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /home/ouruser/.ssh/id_rsa RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
debug2: we sent a publickey packet, wait for reply
What am I missing? I appreciate the help last week!
Rob
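The server-side debug log above ends at "trying public key file /home/ouruser/.ssh/authorized_keys", and Sumit's reply asks whether that file can be read at all and whether it sits on an NFS mount. The helper below is an added example for checking exactly that; it is not code from the thread, from FreeIPA or from OpenSSH. It reads the file under timeout(1) so a stuck mount cannot hang the shell, reports the filesystem type behind the home directory, and reports whether sshd_config also points sshd at sssd for keys (the AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys line that ipa-client-install writes, which is the sssd/OpenSSH integration the 2013 document describes). It assumes GNU coreutils (timeout, stat -f), awk and getent; the check_user wrapper and the user name ouruser are illustrative.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread, FreeIPA or OpenSSH). Checks
# whether sshd's read of ~/.ssh/authorized_keys can hang, which is the point
# where the server debug log above stops, plus which filesystem backs the home
# directory and whether sshd is configured to fetch keys from IPA via sssd.
# Assumes GNU coreutils (timeout, stat -f), awk and getent.

# probe_authorized_keys PATH [SECONDS]
# Prints one of: ok, missing, hang, unreadable. A stuck NFS mount shows up as
# "hang" because the read runs under timeout(1) instead of blocking this shell.
probe_authorized_keys() {
    path=$1
    secs=${2:-5}
    if [ ! -e "$path" ]; then
        echo missing
        return 1
    fi
    if timeout "$secs" cat "$path" >/dev/null 2>&1; then
        echo ok
        return 0
    else
        rc=$?
        # 124 is timeout(1)'s exit status when the deadline expires
        if [ "$rc" -eq 124 ]; then
            echo hang
            return 2
        fi
        echo unreadable
        return 3
    fi
}

# fs_type PATH: filesystem type backing PATH (nfs, nfs4, ext2/ext3, xfs, ...),
# or "unknown" if stat -f is not available.
fs_type() {
    stat -f -c %T "$1" 2>/dev/null || echo unknown
}

# authorized_keys_command SSHD_CONFIG
# Prints the active AuthorizedKeysCommand (ipa-client-install configures
# /usr/bin/sss_ssh_authorizedkeys so sshd pulls keys from IPA through sssd),
# or "none" when sshd only consults the authorized_keys file. Commented-out
# lines are ignored because "#" is glued to the keyword in field 1.
authorized_keys_command() {
    awk 'tolower($1) == "authorizedkeyscommand" { print $2; found = 1; exit }
         END { if (!found) print "none" }' "$1"
}

# check_user USER [SSHD_CONFIG]: run all three checks for one login name.
# getent is used so that IPA users served by sssd resolve, not only /etc/passwd.
check_user() {
    user=$1
    cfg=${2:-/etc/ssh/sshd_config}
    home=$(getent passwd "$user" | cut -d: -f6)
    if [ -z "$home" ]; then
        echo "$user: not resolvable via getent (sssd/IPA lookup failed?)"
        return 1
    fi
    echo "$user: home=$home fs=$(fs_type "$home")"
    echo "$user: authorized_keys=$(probe_authorized_keys "$home/.ssh/authorized_keys" 5)"
    echo "$user: AuthorizedKeysCommand=$(authorized_keys_command "$cfg")"
}

# Example run on the server (needs a real account):  check_user ouruser
```

Run it as root on the IPA server for the account that hangs. A result of "hang" together with fs=nfs points at the mount rather than at Kerberos or HBAC; "ok" means the file is readable and the next thing to try is Sumit's ssh -o PubkeyAuthentication=no -vv -k, which skips the authorized_keys read entirely. The client log also shows gssapi-with-mic being disabled for lack of a ticket in KCM:, so for the -k path to be exercised at all the client needs a kinit first.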
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...