What is ourserver.edu? In order to log in using Kerberos/GSSAPI then the
machine acting as the server needs to be enrolled as an IPA client so it
has a keytab.
rob 

OK I added a Fedora server as a client. From ipa host-show client.ourserver.edu
  Host name: client.ourserver.edu
  Platform: x86_64
  Operating system: 5.10.13-200.fc33.x86_64
  Principal name: host/client.ourserver.edu@OLDDSM.DSM.FORDHAM.EDU
  Principal alias: host/client.ourserver.edu@OLDDSM.DSM.FORDHAM.EDU
  SSH public key fingerprint: SHA256:xxx(ecdsa-sha2-nistp256),
                              SHA256:xxx (ssh-ed25519),
                              SHA256:xxx (ssh-rsa)
  Password: False
  Keytab: True
  Managed by: client.ourserver.edu

ssh -k still fails.

I created a new user in via ipa user-add and that user also fails even with a su -:

su: user testuser does not exist or the user entry does not contain all the required fields

Feb 11 15:07:21 ourserver sshd[609424]: debug1: rekey out after 4294967296 blocks [preauth]
Feb 11 15:07:21 ourserver sshd[609424]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 11 15:07:21 ourserver sshd[609424]: debug1: Sending SSH2_MSG_EXT_INFO [preauth]
Feb 11 15:07:21 ourserver sshd[609424]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 11 15:07:21 ourserver sshd[609424]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 11 15:07:21 ourserver sshd[609424]: debug1: rekey in after 4294967296 blocks [preauth]
Feb 11 15:07:21 ourserver sshd[609424]: debug1: KEX done [preauth]
Feb 11 15:07:21 ourserver sshd[609424]: debug1: userauth-request for user yume service ssh-connection method none [preauth]
Feb 11 15:07:21 ourserver sshd[609424]: debug1: attempt 0 failures 0 [preauth]
Feb 11 15:07:21 ourserver sshd[609424]: Invalid user testuser from x.x.x.x port 36264
Feb 11 15:07:21 ourserver sshd[609424]: debug1: PAM: initializing for "testuser"
Feb 11 15:07:21 ourserver sshd[609424]: debug1: PAM: setting PAM_RHOST to "x.x.x.x"
Feb 11 15:07:21 ourserver sshd[609424]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 11 15:07:21 ourserver sshd[609424]: debug1: userauth-request for user testuser service ssh-connection method keyboard-interactive [preauth]
Feb 11 15:07:21 ourserver sshd[609424]: debug1: attempt 1 failures 0 [preauth]
Feb 11 15:07:21 ourserver sshd[609424]: debug1: keyboard-interactive devs  [preauth]
Feb 11 15:07:21 ourserver sshd[609424]: debug1: auth2_challenge: user=testuser devs= [preauth]
Feb 11 15:07:21 ourserver sshd[609424]: debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 11 15:07:21 ourserver sshd[609424]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Feb 11 15:07:21 ourserver sshd[609424]: Postponed keyboard-interactive for invalid user testuser from x.x.x.x port 36264 ssh2 [preauth]
Feb 11 15:07:24 ourserver sshd[609424]: Connection closed by invalid user testuser x.x.x.x port 36264 [preauth]

are you sure the sssd.conf you have send earlier it the right one?
SSSD'S 'proxy_child' should be only be called if the proxy provider is
configured?

bye,
Sumit


Sorry, you are correct. I'm testing between 2 test NIS servers to see if there's a difference in behavior but the same problem, ssh -k never works with the FreeIPA/Kerberos password
 

> Feb 10 14:36:31 ourserver sshd[3084344]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
> Feb 10 14:36:31 ourserver sshd[3084344]: pam_sss(sshd:auth): received for
> user ouruser: 7 (Authentication failure)
> Feb 10 14:36:33 ourserver sshd[3084339]: error: PAM: Authentication failure
> for ouruser from x.x.x.x
> Feb 10 14:36:33 ourserver sshd[3084339]: Failed keyboard-interactive/pam
> for ouruser from x.x.x.x port 34160 ssh2
> Feb 10 14:36:33 ourserver sshd[3084339]: debug1: userauth-request for user
> ouruser service ssh-connection method keyboard-interactive [preauth]
> Feb 10 14:36:33 ourserver sshd[3084339]: debug1: attempt 3 failures 1
> [preauth]
> Feb 10 14:36:33 ourserver sshd[3084339]: debug1: keyboard-interactive devs
>  [preauth]
> Feb 10 14:36:33 ourserver sshd[3084339]: debug1: auth2_challenge:
> user=ouruser devs= [preauth]
> Feb 10 14:36:33 ourserver sshd[3084339]: debug1: kbdint_alloc: devices
> 'pam' [preauth]
> Feb 10 14:36:33 ourserver sshd[3084339]: debug1: auth2_challenge_start:
> trying authentication method 'pam' [preauth]
> Feb 10 14:36:33 ourserver sshd[3084339]: Postponed keyboard-interactive for
> ouruser from x.x.x.x port 34160 ssh2 [preauth]
>
> I verified the FreeIPA password in both the GUI and via ipa user-mod. The
> only time the user is able to log in is using the NIS password. ldapsearch
> -x -D and kinit username work successfully. klist displays the user details
> correctly.
>
> I can see that the installation script edits /etc/ssh/sshd_config with:
> Include /etc/ssh/sshd_config.d/04-ipa.conf
>
> which has:
> PubkeyAuthentication yes
> KerberosAuthentication no
> GSSAPIAuthentication yes
> UsePAM yes
> ChallengeResponseAuthentication yes
> AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
> AuthorizedKeysCommandUser nobody
>
> When the NIS password is used successfully here are the server logs:
> Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for user
> ouruser service ssh-connection method none [preauth]
> Feb 10 14:56:39 ourserver sshd[3085147]: debug1: attempt 0 failures 0
> [preauth]
> Feb 10 14:56:39 ourserver sshd[3085147]: debug1: connection from x.x.x.x
> matched 'Address 192.168.0.*,127.0.0.1,10.10.1.*' at line 158
> Feb 10 14:56:39 ourserver sshd[3085147]: debug1: PAM: initializing for
> "ouruser"
> Feb 10 14:56:39 ourserver sshd[3085147]: debug1: PAM: setting PAM_RHOST to
> "x.x.x.x"
> Feb 10 14:56:39 ourserver sshd[3085147]: debug1: PAM: setting PAM_TTY to
> "ssh"
> Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for user
> ouruser service ssh-connection method gssapi-with-mic [preauth]
> Feb 10 14:56:39 ourserver sshd[3085147]: debug1: attempt 1 failures 0
> [preauth]
> Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for user
> ouruser service ssh-connection method keyboard-interactive [preauth]
> Feb 10 14:56:39 ourserver sshd[3085147]: debug1: attempt 2 failures 0
> [preauth]
> Feb 10 14:56:39 ourserver sshd[3085147]: debug1: keyboard-interactive devs
>  [preauth]
> Feb 10 14:56:39 ourserver sshd[3085147]: debug1: auth2_challenge:
> user=ouruser devs= [preauth]
> Feb 10 14:56:39 ourserver sshd[3085147]: debug1: kbdint_alloc: devices
> 'pam' [preauth]
> Feb 10 14:56:39 ourserver sshd[3085147]: debug1: auth2_challenge_start:
> trying authentication method 'pam' [preauth]
> Feb 10 14:56:39 ourserver sshd[3085147]: Postponed keyboard-interactive for
> ouruser from x.x.x.x port 35046 ssh2 [preauth]
> Feb 10 14:56:42 ourserver sshd[3085152]: debug1: do_pam_account: called
> Feb 10 14:56:42 ourserver sshd[3085147]: debug1: PAM: num PAM env strings 2
> Feb 10 14:56:42 ourserver sshd[3085147]: Postponed keyboard-interactive/pam
> for ouruser from x.x.x.x port 35046 ssh2 [preauth]
> Feb 10 14:56:42 ourserver sshd[3085147]: debug1: do_pam_account: called
>
> I do see the error that sticks out is " Server host/
> ourserver.edu@ourserver.edu not found in Kerberos database" but we have
> students that log in from all over the world so do all clients need to be
> added? iptables, firewalld, and nftables are off and disabled. No hbac
> rules:
> ipa hbacrule-find
> --------------------
> 2 HBAC rules matched
> --------------------
>   Rule name: allow_all
>   User category: all
>   Host category: all
>   Service category: all
>   Description: Allow all users to access any host from any host
>   Enabled: TRUE
>
>   Rule name: allow_systemd-user
>   User category: all
>   Host category: all
>   Description: Allow pam_systemd to run user@.service to create a system
> user session
>   Enabled: TRUE
> ----------------------------
> Number of entries returned 2
>
> Am I missing something obvious to regulars?
>
>
> On Tue, Feb 9, 2021 at 12:34 PM Robert Kudyba <rkudyba@fordham.edu> wrote:
>
> > On Tue, Feb 9, 2021 at 12:20 PM Sumit Bose via FreeIPA-users <
> > freeipa-users@lists.fedorahosted.org> wrote:
> >
> >> On Tue, Feb 09, 2021 at 11:33:15AM -0500, Robert Kudyba via FreeIPA-users
> >> wrote:
> >> > >
> >> > > looks like sshd is trying to read /home/ouruser/.ssh/authorized_keys
> >> and
> >> > > is stuck. Can you read this file from the command line? Is it e.g. on
> >> > > NFS which might not be properly mounted?
> >> > >
> >> > > Does it work if you skip pubkey authentication
> >> > >
> >> > >     ssh -o PubkeyAuthentication=no -vv -k ouruser@ourserver
> >> > >
> >> > > bye,
> >> > > Sumit
> >> > >
> >> >
> >> > Thanks for the suggestion. What happens is the NIS password works. The
> >> > FreeIPA password, which I update with:
> >> > ipa user-mod ouruser --setattr "userpassword=xxxx", fails with the below
> >> > errors/logs
> >> >
> >> > Feb  9 11:10:34 ourserver sshd[381563]: debug1: Forked child 536086.
> >> > Feb  9 11:10:34 ourserver sshd[536086]: debug1: Set
> >> > /proc/self/oom_score_adj to 0
> >> > Feb  9 11:10:34 ourserver sshd[536086]: debug1: rexec start in 5 out 5
> >> > newsock 5 pipe 7 sock 8
> >> > Feb  9 11:10:34 ourserver sshd[536086]: debug1: inetd sockets after
> >> > dupping: 4, 4
> >> > Feb  9 11:10:34 ourserver sshd[536086]: Connection from x.x.x.x port
> >> 53332
> >> > on 150.108.64.156 port 22 rdomain ""
> >> > Feb  9 11:10:34 ourserver sshd[536086]: debug1: Local version string
> >> > SSH-2.0-OpenSSH_8.4
> >> > Feb  9 11:10:34 ourserver sshd[536086]: debug1: Remote protocol version
> >> > 2.0, remote software version OpenSSH_8.4
> >> > Feb  9 11:10:34 ourserver sshd[536086]: debug1: match: OpenSSH_8.4 pat
> >> > OpenSSH* compat 0x04000000
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: SELinux support disabled
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: permanently_set_uid:
> >> 74/74
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: list_hostkey_types:
> >> > rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
> >> [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT sent
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT
> >> received
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: algorithm:
> >> > curve25519-sha256 [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: host key algorithm:
> >> > ecdsa-sha2-nistp256 [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: client->server
> >> cipher:
> >> > aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: server->client
> >> cipher:
> >> > aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: curve25519-sha256
> >> > need=32 dh_need=32 [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: curve25519-sha256
> >> > need=32 dh_need=32 [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: expecting
> >> > SSH2_MSG_KEX_ECDH_INIT [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: rekey out after
> >> 4294967296
> >> > blocks [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS sent
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: Sending
> >> SSH2_MSG_EXT_INFO
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: expecting
> >> SSH2_MSG_NEWKEYS
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS
> >> received
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: rekey in after
> >> 4294967296
> >> > blocks [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: KEX done [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for
> >> user
> >> > ouruser service ssh-connection method none [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: attempt 0 failures 0
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: PAM: initializing for
> >> > "ouruser"
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting PAM_RHOST
> >> to
> >> > "x.x.x.x"
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting PAM_TTY to
> >> > "ssh"
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for
> >> user
> >> > ouruser service ssh-connection method keyboard-interactive [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: attempt 1 failures 0
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: keyboard-interactive
> >> devs
> >> >  [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge:
> >> > user=ouruser devs= [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: kbdint_alloc: devices
> >> 'pam'
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge_start:
> >> > trying authentication method 'pam' [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: Postponed keyboard-interactive
> >> for
> >> > ouruser from x.x.x.x port 53332 ssh2 [preauth]
> >> > Feb  9 11:10:39 ourserver sshd[536091]: pam_unix(sshd:auth):
> >> authentication
> >> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x
> >> user=ouruser
> >> > Feb  9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth):
> >> authentication
> >> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
> >> > Feb  9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): received for
> >> > user ouruser: 9 (Authentication service cannot retrieve authentication
> >> info)
> >> > Feb  9 11:10:41 ourserver sshd[536086]: error: PAM: Authentication
> >> failure
> >> > for ouruser from x.x.x.x
> >> > Feb  9 11:10:41 ourserver sshd[536086]: Failed keyboard-interactive/pam
> >> for
> >> > ouruser from x.x.x.x port 53332 ssh2
> >> > Feb  9 11:10:41 ourserver sshd[536086]: debug1: userauth-request for
> >> user
> >> > ouruser service ssh-connection method keyboard-interactive [preauth]
> >> > Feb  9 11:10:41 ourserver sshd[536086]: debug1: attempt 2 failures 1
> >> > [preauth]
> >> > Feb  9 11:10:41 ourserver sshd[536086]: debug1: keyboard-interactive
> >> devs
> >> >  [preauth]
> >> > Feb  9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge:
> >> > user=ouruser devs= [preauth]
> >> > Feb  9 11:10:41 ourserver sshd[536086]: debug1: kbdint_alloc: devices
> >> 'pam'
> >> > [preauth]
> >> > Feb  9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge_start:
> >> > trying authentication method 'pam' [preauth]
> >> > Feb  9 11:10:41 ourserver sshd[536086]: Postponed keyboard-interactive
> >> for
> >> > ouruser from x.x.x.x port 53332 ssh2 [preauth]
> >> >
> >> >
> >> > Feb  9 11:10:34 ourserver sshd[381563]: debug1: Forked child 536086.
> >> > Feb  9 11:10:34 ourserver sshd[536086]: debug1: Set
> >> > /proc/self/oom_score_adj to 0
> >> > Feb  9 11:10:34 ourserver sshd[536086]: debug1: rexec start in 5 out 5
> >> > newsock 5 pipe 7 sock 8
> >> > Feb  9 11:10:34 ourserver sshd[536086]: debug1: inetd sockets after
> >> > dupping: 4, 4
> >> > Feb  9 11:10:34 ourserver sshd[536086]: Connection from x.x.x.x port
> >> 53332
> >> > on 150.108.64.156 port 22 rdomain ""
> >> > Feb  9 11:10:34 ourserver sshd[536086]: debug1: Local version string
> >> > SSH-2.0-OpenSSH_8.4
> >> > Feb  9 11:10:34 ourserver sshd[536086]: debug1: Remote protocol version
> >> > 2.0, remote software version OpenSSH_8.4
> >> > Feb  9 11:10:34 ourserver sshd[536086]: debug1: match: OpenSSH_8.4 pat
> >> > OpenSSH* compat 0x04000000
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: SELinux support disabled
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: permanently_set_uid:
> >> 74/74
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: list_hostkey_types:
> >> > rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
> >> [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT sent
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT
> >> received
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: algorithm:
> >> > curve25519-sha256 [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: host key algorithm:
> >> > ecdsa-sha2-nistp256 [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: client->server
> >> cipher:
> >> > aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: server->client
> >> cipher:
> >> > aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: curve25519-sha256
> >> > need=32 dh_need=32 [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: curve25519-sha256
> >> > need=32 dh_need=32 [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: expecting
> >> > SSH2_MSG_KEX_ECDH_INIT [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: rekey out after
> >> 4294967296
> >> > blocks [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS sent
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: Sending
> >> SSH2_MSG_EXT_INFO
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: expecting
> >> SSH2_MSG_NEWKEYS
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS
> >> received
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: rekey in after
> >> 4294967296
> >> > blocks [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: KEX done [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for
> >> user
> >> > ouruser service ssh-connection method none [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: attempt 0 failures 0
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: PAM: initializing for
> >> > "ouruser"
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting PAM_RHOST
> >> to
> >> > "x.x.x.x"
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting PAM_TTY to
> >> > "ssh"
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for
> >> user
> >> > ouruser service ssh-connection method keyboard-interactive [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: attempt 1 failures 0
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: keyboard-interactive
> >> devs
> >> >  [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge:
> >> > user=ouruser devs= [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: kbdint_alloc: devices
> >> 'pam'
> >> > [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge_start:
> >> > trying authentication method 'pam' [preauth]
> >> > Feb  9 11:10:35 ourserver sshd[536086]: Postponed keyboard-interactive
> >> for
> >> > ouruser from x.x.x.x port 53332 ssh2 [preauth]
> >> > Feb  9 11:10:39 ourserver sshd[536091]: pam_unix(sshd:auth):
> >> authentication
> >> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x
> >> user=ouruser
> >> > Feb  9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth):
> >> authentication
> >> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
> >> > Feb  9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): received for
> >> > user ouruser: 9 (Authentication service cannot retrieve authentication
> >> info)
> >> > Feb  9 11:10:41 ourserver sshd[536086]: error: PAM: Authentication
> >> failure
> >> > for ouruser from x.x.x.x
> >> > Feb  9 11:10:41 ourserver sshd[536086]: Failed keyboard-interactive/pam
> >> for
> >> > ouruser from x.x.x.x port 53332 ssh2
> >> > Feb  9 11:10:41 ourserver sshd[536086]: debug1: userauth-request for
> >> user
> >> > ouruser service ssh-connection method keyboard-interactive [preauth]
> >> > Feb  9 11:10:41 ourserver sshd[536086]: debug1: attempt 2 failures 1
> >> > [preauth]
> >> > Feb  9 11:10:41 ourserver sshd[536086]: debug1: keyboard-interactive
> >> devs
> >> >  [preauth]
> >> > Feb  9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge:
> >> > user=ouruser devs= [preauth]
> >> > Feb  9 11:10:41 ourserver sshd[536086]: debug1: kbdint_alloc: devices
> >> 'pam'
> >> > [preauth]
> >> > Feb  9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge_start:
> >> > trying authentication method 'pam' [preauth]
> >> > Feb  9 11:10:41 ourserver sshd[536086]: Postponed keyboard-interactive
> >> for
> >> > ouruser from x.x.x.x port 53332 ssh2 [preauth]
> >> >
> >> > With the NIS password the logs show this:
> >>
> >> Hi,
> >>
> >> did you drop what happened before or is this the only debug output for
> >> the NIS password?
> >>
> >
> > The below here are just logs from /var/log/secure for the user that
> > successfully logs in with his/her NIS password.
> >
> > By "drop what happened before" do you mean the original log snip? Yes I
> > removed those in an attempt to shorten the message content.
> >
> > > Feb  9 11:16:57 debug1: do_pam_account: called
> >> > Feb  9 11:16:57 ourserver sshd[536226]: debug1: PAM: num PAM env
> >> strings 2
> >> > Feb  9 11:16:57 ourserver sshd[536226]: Postponed
> >> keyboard-interactive/pam
> >> > for cai from 150.108.68.26 port 53646 ssh2 [preauth]
> >> > Feb  9 11:16:57 ourserver sshd[536226]: debug1: do_pam_account: called
> >> > Feb  9 11:16:57 ourserver sshd[536226]: Accepted
> >> keyboard-interactive/pam
> >> > for cai from 150.108.68.26 port 53646 ssh2
> >> > Feb  9 11:16:57 ourserver sshd[536226]: debug1: monitor_child_preauth:
> >> cai
> >> > has been authenticated by privileged process
> >> > Feb  9 11:16:57 ourserver sshd[536226]: debug1: monitor_read_log: child
> >> log
> >> > fd closed
> >> > Feb  9 11:16:57 ourserver sshd[536226]: debug1: audit_event: unhandled
> >> > event 2
> >> > Feb  9 11:16:57 ourserver sshd[536226]: debug1: temporarily_use_uid:
> >> > 5879/200 (e=0/0)
> >> > Feb  9 11:16:57 ourserver sshd[536226]: debug1: ssh_gssapi_storecreds:
> >> Not
> >> > a GSSAPI mechanism
> >> > Feb  9 11:16:57 ourserver sshd[536226]: debug1: restore_uid: 0/0
> >> > Feb  9 11:16:57 ourserver sshd[536226]: debug1: SELinux support disabled
> >> > Feb  9 11:16:57 ourserver sshd[536226]: debug1: PAM: establishing
> >> > credentials
> >> > Feb  9 11:16:57 ourserver systemd[536237]:
> >> pam_unix(systemd-user:session):
> >> > session opened for user cai(uid=5879) by (uid=0)
> >> >
> >> > What options should be set in /etc/ssh/sshd_config? Is sssd necessary
> >> for
> >> > this to work with the FreeIPA password
> >>
> >
> >
> > Yes, SSSD must be configured and runnnig. ssd does appear to be working
> > fine and in /etc/ipa/ca.crt and the service is running correctly:
> >
> > [domain/ourdomain.edu]
> >
> > id_provider = ipa
> > ipa_server_mode = True
> > ipa_server = ourdomain.edu
> > ipa_domain = ourdomain.edu
> > ipa_hostname = ourdomain.edu
> > auth_provider = ipa
> > chpass_provider = ipa
> > access_provider = ipa
> > cache_credentials = True
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > krb5_store_password_if_offline = True
> > [sssd]
> > services = nss, pam, ifp, ssh, sudo
> >
> > domains = ourdomain.edu
> > [nss]
> > homedir_substring = /home
> > memcache_timeout = 600
> >
> > [ifp]
> > allowed_uids = ipaapi, root
> >
> > systemctl status sssd
> > * sssd.service - System Security Services Daemon
> >      Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor
> > preset: enabled)
> >      Active: active (running) since Fri 2021-01-29 14:31:34 EST; 1 weeks 3
> > days ago
> >
> >

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_en-2DUS_project_code-2Dof-2Dconduct_&d=DwIGaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=cTJlTRQX9Axg1tydxKYEmbl2IKrxckS0U2ceGADLUso&s=Wf0XG9UQFh7Otn3AfsIN3m_k5iZO6z5UZ8iiZyKJO1c&e=
> List Guidelines: https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_Mailing-5Flist-5Fguidelines&d=DwIGaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=cTJlTRQX9Axg1tydxKYEmbl2IKrxckS0U2ceGADLUso&s=A4XgtYWDmc342f9TUosxqQW8CvhysH_kCNVhICTkSH8&e=
> List Archives: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_archives_list_freeipa-2Dusers-40lists.fedorahosted.org&d=DwIGaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=cTJlTRQX9Axg1tydxKYEmbl2IKrxckS0U2ceGADLUso&s=OvsSkJLqW6zqUPpT-3uFhbyywrWiezlb2Dc0sPD3juI&e=
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_en-2DUS_project_code-2Dof-2Dconduct_&d=DwIGaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=cTJlTRQX9Axg1tydxKYEmbl2IKrxckS0U2ceGADLUso&s=Wf0XG9UQFh7Otn3AfsIN3m_k5iZO6z5UZ8iiZyKJO1c&e=
List Guidelines: https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_Mailing-5Flist-5Fguidelines&d=DwIGaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=cTJlTRQX9Axg1tydxKYEmbl2IKrxckS0U2ceGADLUso&s=A4XgtYWDmc342f9TUosxqQW8CvhysH_kCNVhICTkSH8&e=
List Archives: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_archives_list_freeipa-2Dusers-40lists.fedorahosted.org&d=DwIGaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=cTJlTRQX9Axg1tydxKYEmbl2IKrxckS0U2ceGADLUso&s=OvsSkJLqW6zqUPpT-3uFhbyywrWiezlb2Dc0sPD3juI&e=
Do not reply to spam on the list, report it: https://urldefense.proofpoint.com/v2/url?u=https-3A__pagure.io_fedora-2Dinfrastructure&d=DwIGaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=cTJlTRQX9Axg1tydxKYEmbl2IKrxckS0U2ceGADLUso&s=VGfRu0gOqDssAffGJHrW6TLN8gmg3hHQXfLGNwNIXfY&e=