12:44 p.m.
Hello !
I send you this mail because I have a problem with an SSH connection with
an IPA user (not a local user) on the client hosts.
Here are the versions I used :
- ipa-server : ipa-server-4.6.6-11.el7.x86_64
- ipa-client : ipa-client-4.4.0-12.el7.x86_64
My nodes are on RHEL7.
When I try to connect from myhost with myuser on the remote host
myremotehost, I have the following error :
###
# ssh myuser@myremotehost
myuser@myremotehost's password:
Permission denied, please try again.
myuser@myremotehost's password:
###
In the /var/log/secure log, I can see the following lines which appear when
I try my SSH connection.
###
Jun 9 19:27:15 myremotehost sshd[9778]: Connection from myip port 62250 on
myremotehostip port 22
Jun 9 19:27:15 myremotehost sshd[9778]: reprocess config line 126:
Deprecated option RSAAuthentication
Jun 9 19:27:15 myremotehost sshd[9778]: reprocess config line 129:
Deprecated option RhostsRSAAuthentication
Jun 9 19:27:15 myremotehost sshd[9778]: Failed publickey for myuser from
myip port 62250 ssh2: RSA SHA256:UP4xpD3GE//DpZYT44F+a+i1ryqsntlbFkQsPOHjVe8
Jun 9 19:27:23 myremotehost sshd[9778]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost
user=myuser
Jun 9 19:27:25 myremotehost sshd[9778]: Failed password for myuser from
myip port 62250 ssh2
###
The kinit with this password is OK.
A "su - myuser" is OK with this password.
I don't understand why ssh connection are not working.
/etc/host.allow is configured to allow me to connect with sshd from myip
and myhost to this host.
In /etc/ssh/sshd_config, ALlowGroup line is good. myuser belongs to the
right group in AllowGroup.
Here is the command used to join the realm on myremotehost :
###
ipa-client-install --domain=mydomain --realm=MYREALM --fixed-primary
--server=IPASERVER1 --server=IPASERVER2 --principal=admin
--password=ADMINPWD --mkhomedir --hostname=myremotehost --no-ntp --no-ssh
--no-sshd
###
Does the problem come from --no-ssh or --no-sshd ? How can I solve this
problem without launching this command again ?
Best regards.
Lune
2:57 p.m.
I stopped sshd server and I started it again with the -d option to get more
information.
Here is what appear as error :
###
debug1: userauth-request for user myuser service ssh-connection method
password [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: PAM: password authentication failed for myuser: Permission denied
Failed password for myuser from myip port 64146 ssh2
###
What could be this permission denied please ?
Best regards.
Lune
Le mar. 9 juin 2020 à 19:44, lune voo <lune.voo1234(a)gmail.com> a écrit :
Hello !
I send you this mail because I have a problem with an SSH connection with
an IPA user (not a local user) on the client hosts.
Here are the versions I used :
- ipa-server : ipa-server-4.6.6-11.el7.x86_64
- ipa-client : ipa-client-4.4.0-12.el7.x86_64
My nodes are on RHEL7.
When I try to connect from myhost with myuser on the remote host
myremotehost, I have the following error :
###
# ssh myuser@myremotehost
myuser@myremotehost's password:
Permission denied, please try again.
myuser@myremotehost's password:
###
In the /var/log/secure log, I can see the following lines which appear
when I try my SSH connection.
###
Jun 9 19:27:15 myremotehost sshd[9778]: Connection from myip port 62250
on myremotehostip port 22
Jun 9 19:27:15 myremotehost sshd[9778]: reprocess config line 126:
Deprecated option RSAAuthentication
Jun 9 19:27:15 myremotehost sshd[9778]: reprocess config line 129:
Deprecated option RhostsRSAAuthentication
Jun 9 19:27:15 myremotehost sshd[9778]: Failed publickey for myuser from
myip port 62250 ssh2: RSA SHA256:UP4xpD3GE//DpZYT44F+a+i1ryqsntlbFkQsPOHjVe8
Jun 9 19:27:23 myremotehost sshd[9778]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost
user=myuser
Jun 9 19:27:25 myremotehost sshd[9778]: Failed password for myuser from
myip port 62250 ssh2
###
The kinit with this password is OK.
A "su - myuser" is OK with this password.
I don't understand why ssh connection are not working.
/etc/host.allow is configured to allow me to connect with sshd from myip
and myhost to this host.
In /etc/ssh/sshd_config, ALlowGroup line is good. myuser belongs to the
right group in AllowGroup.
Here is the command used to join the realm on myremotehost :
###
ipa-client-install --domain=mydomain --realm=MYREALM --fixed-primary
--server=IPASERVER1 --server=IPASERVER2 --principal=admin
--password=ADMINPWD --mkhomedir --hostname=myremotehost --no-ntp --no-ssh
--no-sshd
###
Does the problem come from --no-ssh or --no-sshd ? How can I solve this
problem without launching this command again ?
Best regards.
Lune
2:56 a.m.
On Tue, Jun 09, 2020 at 09:57:19PM +0200, lune voo via FreeIPA-users wrote:
I stopped sshd server and I started it again with the -d option to
get more
information.
Here is what appear as error :
###
debug1: userauth-request for user myuser service ssh-connection method
password [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: PAM: password authentication failed for myuser: Permission denied
Failed password for myuser from myip port 64146 ssh2
###
What could be this permission denied please ?
Hi,
please check the PAM related messages in /var/log/secure, this should
tell you which PAM module caused the permission denied.
Additionally please check /etc/pam.d/sshd and /etc/pam.d/password-auth
which should be included by /etc/pam.d/sshd. From the debug messages
you've sent it looks like only pam_unix was tried but pam_sss should be
available in the PAM configuration as well.
bye,
Sumit
Best regards.
Lune
Le mar. 9 juin 2020 à 19:44, lune voo <lune.voo1234(a)gmail.com> a écrit :
> Hello !
>
> I send you this mail because I have a problem with an SSH connection with
> an IPA user (not a local user) on the client hosts.
>
> Here are the versions I used :
> - ipa-server : ipa-server-4.6.6-11.el7.x86_64
> - ipa-client : ipa-client-4.4.0-12.el7.x86_64
>
> My nodes are on RHEL7.
>
> When I try to connect from myhost with myuser on the remote host
> myremotehost, I have the following error :
> ###
> # ssh myuser@myremotehost
> myuser@myremotehost's password:
> Permission denied, please try again.
> myuser@myremotehost's password:
> ###
>
> In the /var/log/secure log, I can see the following lines which appear
> when I try my SSH connection.
> ###
> Jun 9 19:27:15 myremotehost sshd[9778]: Connection from myip port 62250
> on myremotehostip port 22
> Jun 9 19:27:15 myremotehost sshd[9778]: reprocess config line 126:
> Deprecated option RSAAuthentication
> Jun 9 19:27:15 myremotehost sshd[9778]: reprocess config line 129:
> Deprecated option RhostsRSAAuthentication
> Jun 9 19:27:15 myremotehost sshd[9778]: Failed publickey for myuser from
> myip port 62250 ssh2: RSA SHA256:UP4xpD3GE//DpZYT44F+a+i1ryqsntlbFkQsPOHjVe8
> Jun 9 19:27:23 myremotehost sshd[9778]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost
> user=myuser
> Jun 9 19:27:25 myremotehost sshd[9778]: Failed password for myuser from
> myip port 62250 ssh2
> ###
>
> The kinit with this password is OK.
> A "su - myuser" is OK with this password.
>
> I don't understand why ssh connection are not working.
> /etc/host.allow is configured to allow me to connect with sshd from myip
> and myhost to this host.
> In /etc/ssh/sshd_config, ALlowGroup line is good. myuser belongs to the
> right group in AllowGroup.
>
> Here is the command used to join the realm on myremotehost :
> ###
> ipa-client-install --domain=mydomain --realm=MYREALM --fixed-primary
> --server=IPASERVER1 --server=IPASERVER2 --principal=admin
> --password=ADMINPWD --mkhomedir --hostname=myremotehost --no-ntp --no-ssh
> --no-sshd
> ###
>
> Does the problem come from --no-ssh or --no-sshd ? How can I solve this
> problem without launching this command again ?
>
> Best regards.
>
> Lune
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
1413
days inactive
1414
days old
freeipa-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
lune voo -
Sumit Bose