Hello!

I am sending you this mail because I have a problem with an SSH connection with an IPA user (not a local user) on the client hosts.

Here are the versions I used:
- ipa-server: ipa-server-4.6.6-11.el7.x86_64
- ipa-client: ipa-client-4.4.0-12.el7.x86_64

My nodes are on RHEL7.

When I try to connect from myhost with myuser on the remote host myremotehost, I get the following error:
###
# ssh myuser@myremotehost
myuser@myremotehost's password:
Permission denied, please try again.
myuser@myremotehost's password:
###

In the /var/log/secure log, I can see the following lines which appear when I try my SSH connection.
###
Jun  9 19:27:15 myremotehost sshd[9778]: Connection from myip port 62250 on myremotehostip port 22
Jun  9 19:27:15 myremotehost sshd[9778]: reprocess config line 126: Deprecated option RSAAuthentication
Jun  9 19:27:15 myremotehost sshd[9778]: reprocess config line 129: Deprecated option RhostsRSAAuthentication
Jun  9 19:27:15 myremotehost sshd[9778]: Failed publickey for myuser from myip port 62250 ssh2: RSA SHA256:UP4xpD3GE//DpZYT44F+a+i1ryqsntlbFkQsPOHjVe8
Jun  9 19:27:23 myremotehost sshd[9778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost  user=myuser
Jun  9 19:27:25 myremotehost sshd[9778]: Failed password for myuser from myip port 62250 ssh2
###

The kinit with this password is OK.
A "su - myuser" is OK with this password.

I don't understand why SSH connections are not working.
/etc/host.allow is configured to allow me to connect with sshd from myip and myhost to this host.
In /etc/ssh/sshd_config, the AllowGroup line is good. myuser belongs to the right group in AllowGroup.

Here is the command used to join the realm on myremotehost:
###
ipa-client-install --domain=mydomain --realm=MYREALM --fixed-primary --server=IPASERVER1 --server=IPASERVER2  --principal=admin --password=ADMINPWD --mkhomedir --hostname=myremotehost --no-ntp --no-ssh --no-sshd
###

Does the problem come from --no-ssh or --no-sshd? How can I solve this problem without launching this command again?

Best regards.

Lune
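
Added example, not part of the original message: a small Python parser that groups the `/var/log/secure` lines quoted above by sshd PID and reports which authentication methods failed and which PAM modules logged an `auth` result. The function names are hypothetical, and the check assumes (standard SSSD behaviour, not stated in the message) that a password check for an IPA account would appear as a `pam_sss(sshd:auth)` line.

```python
import re
from collections import defaultdict

# Log lines copied from the message above (placeholders myuser/myip kept as posted).
SAMPLE = """\
Jun  9 19:27:15 myremotehost sshd[9778]: Connection from myip port 62250 on myremotehostip port 22
Jun  9 19:27:15 myremotehost sshd[9778]: Failed publickey for myuser from myip port 62250 ssh2: RSA SHA256:UP4xpD3GE//DpZYT44F+a+i1ryqsntlbFkQsPOHjVe8
Jun  9 19:27:23 myremotehost sshd[9778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost  user=myuser
Jun  9 19:27:25 myremotehost sshd[9778]: Failed password for myuser from myip port 62250 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM = re.compile(r"^(?P<module>pam_\w+)\(sshd:(?P<phase>\w+)\): (?P<text>.*)$")
FAILED = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from ")


def summarize(log_text):
    """Group sshd lines by PID; record failed methods and PAM modules that logged."""
    sessions = defaultdict(lambda: {"user": None, "failed": [], "pam_auth": {}})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an sshd line
        s, msg = sessions[m["pid"]], m["msg"]
        if (f := FAILED.match(msg)):
            s["user"] = f["user"]
            s["failed"].append(f["method"])
        elif (p := PAM.match(msg)) and p["phase"] == "auth":
            # keep only the verdict, e.g. "authentication failure"
            s["pam_auth"][p["module"]] = p["text"].split(";")[0]
    return dict(sessions)


def only_local_pam(session):
    """True when a password attempt failed and pam_unix was the only auth module logged."""
    return "password" in session["failed"] and set(session["pam_auth"]) == {"pam_unix"}


if __name__ == "__main__":
    for pid, s in summarize(SAMPLE).items():
        print(pid, s["user"], s["failed"], s["pam_auth"])
        if only_local_pam(s):
            # Assumption: an IPA password check would log as pam_sss(sshd:auth).
            print("  no pam_sss(sshd:auth) entry: compare the sshd PAM stack with the one su uses")
```
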