Discussion:
[Freeipa-users] GSSAPI authentication from trusted AD domain
Tiemen Ruiten
2017-05-02 15:19:39 UTC
Permalink
Hello,

I now have a working two-way trust between Active Directory
(clients.rdmedia.com) and FreeIPA (i.rdmedia.com). Users from the AD can
authenticate to FreeIPA hosts and the other way around. Great!

Next, I'm trying to achieve passwordless Single Sign On through GSSAPI for
Windows clients to FreeIPA hosts. This doesn't seem to be working, despite
setting ipa host-mod --ok-as-delegate=TRUE

To be clear, what I'm trying to do: log in from an AD account (adm.tiemen),
from an AD host (leon.clients.rdmedia.com) to a FreeIPA host
(neodymium.test.ams.i.rdmedia.com) with the same AD account. I expect to be
logged in through GSSAPI, instead I get a password prompt.

Is this supposed to work? Did I miss something?

Below the SSH log from the FreeIPA host with LogLevel DEBUG3:

May 2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK
May 2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.
May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: entering fd
= 8 config len 922
May 2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0
May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done
May 2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore
May 2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0
May 2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5 newsock
5 pipe 7 sock 8
May 2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after dupping:
3, 3
May 2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 port
53106 on 192.168.50.63 port 22
May 2 17:10:32 neodymium sshd[752]: debug1: Client protocol version 2.0;
client software version PuTTY_KiTTY
May 2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY
May 2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility mode
for protocol 2.0
May 2 17:10:32 neodymium sshd[752]: debug1: Local version string
SSH-2.0-OpenSSH_6.6.1
May 2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK
May 2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init: preparing
rlimit sandbox
May 2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid 753
May 2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor started
May 2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: 74/74
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types:
ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
42 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 43 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request
42
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
43
May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent [preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,
curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-***@openssh.com,aes256-***@openssh.com,chacha20-***@openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-***@lysator.liu.se [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-***@openssh.com,aes256-***@openssh.com,chacha20-***@openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-***@lysator.liu.se [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
hmac-md5-***@openssh.com,hmac-sha1-***@openssh.com,umac-64-***@openssh.com,
umac-128-***@openssh.com,hmac-sha2-256-***@openssh.com,
hmac-sha2-512-***@openssh.com,hmac-ripemd160-***@openssh.com,
hmac-sha1-96-***@openssh.com,hmac-md5-96-***@openssh.com,hmac-md5,hmac-sha1,
umac-***@openssh.com,umac-***@openssh.com
,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
hmac-md5-***@openssh.com,hmac-sha1-***@openssh.com,umac-64-***@openssh.com,
umac-128-***@openssh.com,hmac-sha2-256-***@openssh.com,
hmac-sha2-512-***@openssh.com,hmac-ripemd160-***@openssh.com,
hmac-sha1-96-***@openssh.com,hmac-md5-96-***@openssh.com,hmac-md5,hmac-sha1,
umac-***@openssh.com,umac-***@openssh.com
,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,
***@openssh.com [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,
***@openssh.com [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
first_kex_follows 0 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: reserved 0
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
aes256-ctr,aes256-cbc,rijndael-***@lysator.liu.se
,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-***@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
aes256-ctr,aes256-cbc,rijndael-***@lysator.liu.se
,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-***@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-***@openssh.com,
hmac-sha1-***@openssh.com,hmac-sha1-96-***@openssh.com,
hmac-md5-***@openssh.com [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-***@openssh.com,
hmac-sha1-***@openssh.com,hmac-sha1-96-***@openssh.com,
hmac-md5-***@openssh.com [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,zlib
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,zlib
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
first_kex_follows 0 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: reserved 0
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup hmac-sha2-256
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: kex: client->server aes256-ctr
hmac-sha2-256 none [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup hmac-sha2-256
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: kex: server->client aes256-ctr
hmac-sha2-256 none [preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: kex:
curve25519-***@libssh.org need=32 dh_need=32 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
120 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 121 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request
120
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
121
May 2 17:10:32 neodymium sshd[752]: debug1: kex:
curve25519-***@libssh.org need=32 dh_need=32 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
120 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 121 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request
120
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
121
May 2 17:10:32 neodymium sshd[752]: debug1: expecting
SSH2_MSG_KEX_ECDH_INIT [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign entering [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
6 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign: waiting for
MONITOR_ANS_SIGN [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 7 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request
6
May 2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign
May 2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign: signature
0x7f7ea34ed250(83)
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
7
May 2 17:10:32 neodymium sshd[752]: debug2: monitor_read: 6 used once,
disabling now
May 2 17:10:32 neodymium sshd[752]: debug2: kex_derive_keys [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: set_newkeys: mode 1 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: expecting SSH2_MSG_NEWKEYS
[preauth]
May 2 17:10:33 neodymium sshd[752]: debug2: set_newkeys: mode 0 [preauth]
May 2 17:10:33 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS received
[preauth]
May 2 17:10:33 neodymium sshd[752]: debug1: KEX done [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user
***@clients.rdmedia.com service ssh-connection method none [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: attempt 0 failures 0 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow entering
[preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
8 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow: waiting for
MONITOR_ANS_PWNAM [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 9 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request
8
May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow
May 2 17:10:42 neodymium sshd[752]: debug3: Trying to reverse map address
192.168.10.155.
May 2 17:10:42 neodymium sshd[752]: debug2: parse_server_config: config
reprocess config len 922
May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow: sending
MONITOR_ANS_PWNAM: 1
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
9
May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 8 used once,
disabling now
May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request:
setting up authctxt for ***@clients.rdmedia.com [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_start_pam entering [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
100 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authserv entering
[preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
4 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authrole entering
[preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
80 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try
method none [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: userauth_finish: failure
partial=0 next
methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive"
[preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request
100
May 2 17:10:42 neodymium sshd[752]: debug1: PAM: initializing for "
***@clients.rdmedia.com"
May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_RHOST to
"192.168.10.155"
May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_TTY to "ssh"
May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 100 used once,
disabling now
May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user
***@clients.rdmedia.com service ssh-connection method
gssapi-with-mic [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: attempt 1 failures 0 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try
method gssapi-with-mic [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
42 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 43 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request
4
May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authserv:
service=ssh-connection, style=
May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 4 used once,
disabling now
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request
80
May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authrole: role=
May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 80 used once,
disabling now
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request
42
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
43
May 2 17:10:42 neodymium sshd[752]: Postponed gssapi-with-mic for
***@clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user
***@clients.rdmedia.com service ssh-connection method
keyboard-interactive [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: attempt 2 failures 0 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try
method keyboard-interactive [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: keyboard-interactive devs
[preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge: user=
***@clients.rdmedia.com devs= [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: kbdint_alloc: devices 'pam'
[preauth]
May 2 17:10:42 neodymium sshd[752]: debug2: auth2_challenge_start: devices
pam [preauth]
May 2 17:10:42 neodymium sshd[752]: debug2: kbdint_next_device: devices
<empty> [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge_start: trying
authentication method 'pam' [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
104 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx: waiting
for MONITOR_ANS_PAM_INIT_CTX [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 105 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request
104
May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_init_ctx
May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_init_ctx entering
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
105
May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
106 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: waiting for
MONITOR_ANS_PAM_QUERY [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 107 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request
106
May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_query
May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_query entering
May 2 17:10:42 neodymium sshd[752]: debug3: ssh_msg_recv entering
May 2 17:10:42 neodymium sshd[766]: debug3: PAM: sshpam_thread_conv
entering, 1 messages
May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_send: type 1
May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_recv entering
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
107
May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: pam_query
returned 0 [preauth]
May 2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive for
***@clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 [preauth]
--
Tiemen Ruiten
Systems Engineer
R&D Media
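The DEBUG3 log above is long, but the part that answers "did GSSAPI run at all?" is only a handful of lines: the server's "next methods" list, each userauth-request the client sends, and sshd's Postponed/Accepted/Failed verdicts. In OpenSSH, "Postponed gssapi-with-mic" means sshd accepted the client's mechanism OID and is now waiting for a GSSAPI token; if the next thing the client sends is a userauth-request for a different method (keyboard-interactive here), the client never produced a token, which on a Windows client usually means it could not obtain a cross-realm service ticket for the IPA host. The following script is an added example, not code from the original post or from the FreeIPA project. It extracts that sequence from sshd log lines and classifies the GSSAPI outcome per connection. The sample records are constructed from the post's log (joined back onto one line each, as syslog writes them, with the user name masked as on the page) plus one invented successful session, pid 801, for contrast.

```python
"""Summarise the userauth phase of an OpenSSH sshd DEBUG-level log.

Added example for this thread; not part of the original post or of the
FreeIPA project. SAMPLE_LOG is constructed: pid 752 is taken from the
log quoted above (records joined onto single lines), pid 801 is an
invented session where GSSAPI succeeded, included for contrast.
"""
import re
from collections import defaultdict

# Everything after the "sshd[PID]: " prefix is the message body.
_PREFIX = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# One pattern per message kind we care about; first match wins.
_PATTERNS = {
    "connection": re.compile(r"Connection from (?P<ip>\S+) port (?P<port>\d+)"),
    "request": re.compile(
        r"userauth-request for user (?P<user>\S+) service \S+ method (?P<method>\S+)"),
    "offered": re.compile(r'next methods="(?P<methods>[^"]*)"'),
    "postponed": re.compile(r"Postponed (?P<method>\S+) for "),
    "accepted": re.compile(r"Accepted (?P<method>\S+) for "),
    "failed": re.compile(r"Failed (?P<method>\S+) for "),
}

SAMPLE_LOG = """\
May 2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 port 53106 on 192.168.50.63 port 22
May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user ***@clients.rdmedia.com service ssh-connection method none [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user ***@clients.rdmedia.com service ssh-connection method gssapi-with-mic [preauth]
May 2 17:10:42 neodymium sshd[752]: Postponed gssapi-with-mic for ***@clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user ***@clients.rdmedia.com service ssh-connection method keyboard-interactive [preauth]
May 2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive for ***@clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 [preauth]
May 2 17:20:01 neodymium sshd[801]: Connection from 192.168.10.155 port 53210 on 192.168.50.63 port 22
May 2 17:20:01 neodymium sshd[801]: debug1: userauth-request for user ***@clients.rdmedia.com service ssh-connection method none [preauth]
May 2 17:20:01 neodymium sshd[801]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
May 2 17:20:01 neodymium sshd[801]: debug1: userauth-request for user ***@clients.rdmedia.com service ssh-connection method gssapi-with-mic [preauth]
May 2 17:20:01 neodymium sshd[801]: Postponed gssapi-with-mic for ***@clients.rdmedia.com from 192.168.10.155 port 53210 ssh2 [preauth]
May 2 17:20:02 neodymium sshd[801]: Accepted gssapi-with-mic for ***@clients.rdmedia.com from 192.168.10.155 port 53210 ssh2
""".splitlines()


def parse_sshd_log(lines):
    """Group auth events by sshd child pid.

    Returns {pid: {"client": "ip:port", "user": str, "offered": [methods],
                   "events": [(kind, method), ...]}} in log order.
    """
    sessions = defaultdict(
        lambda: {"client": None, "user": None, "offered": [], "events": []})
    for line in lines:
        m = _PREFIX.search(line)
        if not m:
            continue
        session = sessions[m["pid"]]
        for kind, pattern in _PATTERNS.items():
            hit = pattern.search(m["msg"])
            if not hit:
                continue
            if kind == "connection":
                session["client"] = f"{hit['ip']}:{hit['port']}"
            elif kind == "offered":
                session["offered"] = hit["methods"].split(",")
            elif kind == "request":
                session["user"] = hit["user"]
                session["events"].append(("request", hit["method"]))
            else:  # postponed / accepted / failed verdicts
                session["events"].append((kind, hit["method"]))
            break
    return dict(sessions)


def gssapi_outcome(session):
    """Classify gssapi-with-mic for one session.

    not-offered  sshd never listed it (GSSAPIAuthentication off, no keytab)
    not-tried    offered, but the client never requested it
    accepted     sshd logged a final verdict
    failed       sshd logged a final verdict
    abandoned    sshd answered the OID negotiation ("Postponed") but the
                 client's next request was another method: no token was
                 ever sent, i.e. the client had no usable service ticket
    pending      postponed and nothing further logged
    """
    events = session["events"]
    if "gssapi-with-mic" not in session["offered"]:
        return "not-offered"
    if ("request", "gssapi-with-mic") not in events:
        return "not-tried"
    for kind, method in events:
        if method == "gssapi-with-mic" and kind in ("accepted", "failed"):
            return kind
    if ("postponed", "gssapi-with-mic") not in events:
        return "pending"
    idx = events.index(("postponed", "gssapi-with-mic"))
    later = [meth for kind, meth in events[idx + 1:] if kind == "request"]
    return "abandoned" if later and later[0] != "gssapi-with-mic" else "pending"


def report(lines):
    """Return one summary line per connection, e.g. for a quick triage."""
    out = []
    for pid, s in parse_sshd_log(lines).items():
        tried = [meth for kind, meth in s["events"] if kind == "request"]
        out.append(f"pid {pid} {s['client']} user={s['user']} "
                   f"tried={','.join(tried)} gssapi={gssapi_outcome(s)}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the post's session (pid 752) the verdict is "abandoned": the server offered gssapi-with-mic, the client asked for it, sshd replied with the OID response and logged Postponed, and the very next message was a keyboard-interactive request, which is why a password prompt appears. That points the investigation at the Windows side (whether the client holds a cross-realm ticket for the IPA host's host/ principal) rather than at sshd's configuration.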
Tiemen Ruiten
2017-05-02 15:46:34 UTC
Permalink
I think I just realised that my expectation may be wrong: GSSAPI login with
a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
correct to also expect passwordless login with an AD user to a FreeIPA host?
Hi Tiemen,
To be clear, what I'm trying to do: log in from an AD account
(adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
expect to be logged in through GSSAPI, instead I get a password prompt.
I'm assuming that you are coming from a Windows client that is domain
joined and logged into that Windows client with the same domain credentials
that you are using to connect to the IPA-joined host. Do you also have
your SSH client configured to attempt GSSAPI? It appears that you do from
the logs you provided but I'm just double-checking.
In my setup I've found that this feature does not work all of the time.
I've not yet been able to track it down and I'm assuming it has something
to do with connections to domain controllers timing out, but at this point
that is speculation.
So to answer your question, yes, that should work. Sorry I don't have
more information for you, I guess I'm basically "me too"ing your post.
Regards,
j
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
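The sshd log above shows the sequence that matters for this problem: after the "none" probe the server offers gssapi-keyex and gssapi-with-mic, the client requests gssapi-with-mic, sshd answers and logs "Postponed" (it is now waiting for the client's GSSAPI token), and the very next request from the client is keyboard-interactive, which then goes to PAM and produces the password prompt. The script below is an added example, not code from the thread or from the FreeIPA or OpenSSH projects: it reduces a DEBUG3 log to that sequence of attempts and states and names the fall-through. The sample lines are constructed from the posted log; the archive stripped the user name and the word "from" out of the "Postponed" lines, so the name adm.tiemen and the final "Accepted" line are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on Tiemen's LogLevel DEBUG3 output. The user name
# (adm.tiemen) and the trailing "Accepted" line are assumptions for the example.
SAMPLE_LOG = """\
May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user adm.tiemen service ssh-connection method none [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user adm.tiemen service ssh-connection method gssapi-with-mic [preauth]
May 2 17:10:42 neodymium sshd[752]: Postponed gssapi-with-mic for adm.tiemen from 192.168.10.155 port 53106 ssh2 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user adm.tiemen service ssh-connection method keyboard-interactive [preauth]
May 2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive for adm.tiemen from 192.168.10.155 port 53106 ssh2 [preauth]
May 2 17:10:49 neodymium sshd[752]: Accepted keyboard-interactive/pam for adm.tiemen from 192.168.10.155 port 53106 ssh2
"""

# Constructed: what the same connection looks like when GSSAPI completes.
SAMPLE_LOG_GSSAPI_OK = """\
May 2 17:20:01 neodymium sshd[801]: debug1: userauth-request for user adm.tiemen service ssh-connection method gssapi-with-mic [preauth]
May 2 17:20:01 neodymium sshd[801]: Postponed gssapi-with-mic for adm.tiemen from 192.168.10.155 port 53110 ssh2 [preauth]
May 2 17:20:01 neodymium sshd[801]: Accepted gssapi-with-mic for adm.tiemen from 192.168.10.155 port 53110 ssh2
"""

REQUEST = re.compile(r"userauth-request for user (\S+) service (\S+) method (\S+)")
OFFERED = re.compile(r'next methods="([^"]+)"')
OUTCOME = re.compile(
    r"\b(Accepted|Failed|Postponed) (\S+) for (?:invalid user )?(\S+) from (\S+) port (\d+)"
)


@dataclass
class AuthTrace:
    user: Optional[str] = None
    offered: List[str] = field(default_factory=list)
    # One [method, state] pair per client attempt, in order.
    # state is one of: requested, postponed, accepted, failed
    attempts: List[List[str]] = field(default_factory=list)
    accepted: Optional[str] = None


def parse_sshd_auth(lines) -> AuthTrace:
    """Reduce sshd debug output for one connection to the methods the client
    tried and how each one ended."""
    trace = AuthTrace()
    for line in lines:
        m = REQUEST.search(line)
        if m:
            trace.user = trace.user or m.group(1)
            if m.group(3) != "none":  # "none" only probes the server's method list
                trace.attempts.append([m.group(3), "requested"])
            continue
        m = OFFERED.search(line)
        if m:
            trace.offered = m.group(1).split(",")
            continue
        m = OUTCOME.search(line)
        if m:
            # "keyboard-interactive/pam" -> "keyboard-interactive"
            state, method = m.group(1).lower(), m.group(2).split("/")[0]
            for attempt in reversed(trace.attempts):  # bind to latest attempt of that method
                if attempt[0] == method:
                    attempt[1] = state
                    break
            else:
                trace.attempts.append([method, state])
            if state == "accepted":
                trace.accepted = method
    return trace


def diagnose(trace: AuthTrace) -> str:
    """Name a GSSAPI fall-through: sshd answered the gssapi-with-mic request
    ("Postponed" = waiting for the client's token) but the client's next
    request used another method, so no token was ever presented."""
    for i, (method, state) in enumerate(trace.attempts):
        if method.startswith("gssapi") and state in ("requested", "postponed"):
            later = [m for m, _ in trace.attempts[i + 1:] if m != method]
            if later:
                return (f"{method} was started but the client switched to {later[0]} "
                        f"without completing it: check for a TGT and a service ticket on the client")
    if trace.accepted:
        return f"authenticated with {trace.accepted}"
    return "no authentication completed"


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, SAMPLE_LOG_GSSAPI_OK):
        trace = parse_sshd_auth(sample.splitlines())
        print(trace.user, trace.attempts, "->", diagnose(trace))
```

Run it against the full DEBUG3 log of one connection (filter on the sshd pid first). The "Postponed gssapi-with-mic" line on its own is not a failure; the tell is that the next userauth-request switches method, which is why the next thing to look at is the ticket cache on the Windows side rather than the server.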
Jason B. Nance
2017-05-02 15:55:28 UTC
I think I just realised that my expectation may be wrong: GSSAPI login with a
FreeIPA user logged in on an AD host to a FreeIPA host works. So is it correct
to also expect passwordless login with an AD user to a FreeIPA host?
If your FreeIPA domain trusts the AD domain, then yes, you can use an AD user to login to a FreeIPA-joined Linux host from a domain-joined Windows client where you are logged into the Windows client as the AD user (assuming you have your HBACs set up to allow it - if you didn't, password auth wouldn't work either). Unless you've configured "default_domain_suffix" in sssd.conf the user name is "***@addomain.tld". If you have configured "default_domain_suffix" make sure that your user names in AD don't conflict with the user names in IPA.

Regards,

j
Hi Tiemen,
To be clear, what I'm trying to do: log in from an AD account (adm.tiemen), from
an AD host (leon.clients.rdmedia.com) to a FreeIPA host
(neodymium.test.ams.i.rdmedia.com) with the same AD account. I expect to be
logged in through GSSAPI, instead I get a password prompt.
I'm assuming that you are coming from a Windows client that is domain joined and
logged into that Windows client with the same domain credentials that you are
using to connect to the IPA-joined host. Do you also have your SSH client
configured to attempt GSSAPI? It appears that you do from the logs you provided
but I'm just double-checking.
In my setup I've found that this feature does not work all of the time. I've not
yet been able to track it down and I'm assuming it has something to do with
connections to domain controllers timing out, but at this point that is
speculation.
So to answer your question, yes, that should work. Sorry I don't have more
information for you, I guess I'm basically "me too"ing your post.
Regards,
j
Sumit Bose
2017-05-02 16:25:51 UTC
Post by Tiemen Ruiten
I think I just realised that my expectation may be wrong: GSSAPI login with
a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
correct to also expect passwordless login with an AD user to a FreeIPA host?
The AD user case should work as well.

First please send the SSSD version you use on the IPA client,
alternatively you can check if
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists or not. This
would tell if SSSD can map the user name to the Kerberos principal or if
additional configuration is needed.

On the AD host please check after trying to connect with ssh if there is
a proper service ticket for the IPA client by calling 'klist' in cmd.exe
or PowerShell.

bye,
Sumit
Tiemen Ruiten
2017-05-02 17:45:30 UTC
It's a CentOS 7.3 host, the version of sssd is 1.14.0, so there's no need
for mapping. However on the AD host:

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

***@VM-WIN-01 C:\Users\adm.tiemen>klist

Current LogonId is 0:0x603b58

Cached Tickets: (0)

***@VM-WIN-01 C:\Users\adm.tiemen>

Note that this is the domain controller and I'm logged in using the
experimental Win32-OpenSSH server. Not sure if that makes a difference. I
am not currently in the office, so unfortunately can't turn on the only
joined laptop in this domain.

How can I ensure a proper ticket is generated?
Post by Sumit Bose
Post by Tiemen Ruiten
I think I just realised that my expectation may be wrong: GSSAPI login
with a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
correct to also expect passwordless login with an AD user to a FreeIPA
host?
The AD user case should work as well.
First please send the SSSD version you use on the IPA client,
alternatively you can check if
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists or not. This
would tell if SSSD can map the user name to the Kerberos principal or if
additional configuration is needed.
On the AD host please check after trying to connect with ssh if there is
a proper service ticket for the IPA client by calling 'klist' in cmd.exe
or PowerShell.
bye,
Sumit
Post by Tiemen Ruiten
Hi Tiemen,
Post by Tiemen Ruiten
To be clear, what I'm trying to do: log in from an AD account
(adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
expect to be logged in through GSSAPI, instead I get a password prompt.
I'm assuming that you are coming from a Windows client that is domain
joined and logged into that Windows client with the same domain
credentials that you are using to connect to the IPA-joined host. Do you
also have your SSH client configured to attempt GSSAPI? It appears that
you do from the logs you provided but I'm just double-checking.
In my setup I've found that this feature does not work all of the time.
I've not yet been able to track it down and I'm assuming it has
something to do with connections to domain controllers timing out, but
at this point that is speculation.
So to answer your question, yes, that should work. Sorry I don't have
more information for you, I guess I'm basically "me too"ing your post.
Regards,
j
Post by Tiemen Ruiten
Is this supposed to work? Did I miss something?
--
Tiemen Ruiten
Systems Engineer
R&D Media
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Tiemen Ruiten
2017-05-03 09:28:18 UTC
Permalink
Tickets on the FreeIPA host after connecting (with a password):

[***@clients.rdmedia.com@neodymium ~]$ klist
Ticket cache: KEYRING:persistent:998801112:krb_ccache_ZzERoB1
Default principal: ***@CLIENTS.RDMEDIA.COM

Valid starting       Expires              Service principal
05/03/2017 11:26:03  05/03/2017 21:26:03  krbtgt/***@CLIENTS.RDMEDIA.COM
        renew until 05/04/2017 11:26:03

Tickets on the AD laptop after a connection attempt:

C:\Users\adm.tiemen.CLIENTS>klist

Current LogonId is 0:0x587aa

Cached Tickets: (2)

#0>     Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
        Server: krbtgt/CLIENTS.RDMEDIA.COM @ CLIENTS.RDMEDIA.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 5/3/2017 11:12:46 (local)
        End Time:   5/3/2017 21:12:46 (local)
        Renew Time: 5/10/2017 11:12:46 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: vm-win-01.clients.rdmedia.com

#1>     Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
        Server: LDAP/vm-win-01.clients.rdmedia.com/clients.rdmedia.com @ CLIENTS.RDMEDIA.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 5/3/2017 11:12:46 (local)
        End Time:   5/3/2017 21:12:46 (local)
        Renew Time: 5/10/2017 11:12:46 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: vm-win-01.clients.rdmedia.com
--
Tiemen Ruiten
Systems Engineer
R&D Media
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Sumit Bose
2017-05-05 08:39:43 UTC
Post by Tiemen Ruiten
Ticket cache: KEYRING:persistent:998801112:krb_ccache_ZzERoB1
Valid starting Expires Service principal
05/03/2017 11:26:03 05/03/2017 21:26:03 krbtgt/
renew until 05/04/2017 11:26:03
C:\Users\adm.tiemen.CLIENTS>klist
Current LogonId is 0:0x587aa
Cached Tickets: (2)
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial
pre_authent name_canonicalize
Start Time: 5/3/2017 11:12:46 (local)
End Time: 5/3/2017 21:12:46 (local)
Renew Time: 5/10/2017 11:12:46 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: vm-win-01.clients.rdmedia.com
CLIENTS.RDMEDIA.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent
ok_as_delegate name_canonicalize
Start Time: 5/3/2017 11:12:46 (local)
End Time: 5/3/2017 21:12:46 (local)
Renew Time: 5/10/2017 11:12:46 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: vm-win-01.clients.rdmedia.com
There is no ticket for
host/***@TEST.AMS.I.RDMEDIA.COM
nor a cross-realm ticket
krbtgt/***@CLIENTS.RDMEDIA.COM

So it looks like the ssh client on the Windows host didn't try to get a
Kerberos ticket for the IPA client. Did you use the FQDN
neodymium.test.ams.i.rdmedia.com when trying to connect to the IPA
client?

According to the logs it looks like you are using kitty; have you tried
to use putty?

bye,
Sumit
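As an added example (not from the thread or from Sumit), a small Python check that applies the checklist above to Windows klist output: it parses the cached tickets and reports whether the AD TGT, the cross-realm TGT for the IPA realm and the host/ ticket for the IPA host are present, and what that pattern suggests. The "Client:"/"Server:" lines of the constructed sample and the IPA realm I.RDMEDIA.COM are assumptions; the layout follows klist.exe.

```python
import re

# Constructed sample in the layout of Windows klist.exe output. The "Client:" and
# "Server:" lines are assumptions (the archive stripped them from the quoted
# output), and I.RDMEDIA.COM is assumed to be the IPA realm.
KLIST_NO_HOST_TICKET = """\
#0>     Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
        Server: krbtgt/CLIENTS.RDMEDIA.COM @ CLIENTS.RDMEDIA.COM
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
#1>     Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
        Server: ldap/vm-win-01.clients.rdmedia.com @ CLIENTS.RDMEDIA.COM
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
"""

# The same cache after a working GSSAPI attempt: a cross-realm TGT for the IPA
# realm plus a host/ service ticket for the IPA host, as the check above expects.
KLIST_WITH_HOST_TICKET = KLIST_NO_HOST_TICKET + """
#2>     Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
        Server: krbtgt/I.RDMEDIA.COM @ CLIENTS.RDMEDIA.COM
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent name_canonicalize
#3>     Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
        Server: host/neodymium.test.ams.i.rdmedia.com @ I.RDMEDIA.COM
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
"""

SERVER = re.compile(r"^\s*Server:\s*(\S+)\s*@\s*(\S+)")
FLAGS = re.compile(r"^\s*Ticket Flags\s+0x[0-9A-Fa-f]+\s*->\s*(.*)$")


def parse_klist(text):
    """Map each lower-cased server principal in the cache to its set of ticket flags."""
    tickets, current = {}, None
    for line in text.splitlines():
        if m := SERVER.match(line):          # one Server: line per cached ticket
            current = f"{m.group(1)}@{m.group(2)}".lower()
            tickets[current] = set()
        elif current and (m := FLAGS.match(line)):
            tickets[current] |= set(m.group(1).split())
    return tickets


def diagnose(klist_text, ipa_host, ipa_realm, ad_realm):
    """Apply the thread's checklist: AD TGT, cross-realm TGT, host/ ticket, ok_as_delegate."""
    tickets = parse_klist(klist_text)
    host_princ = f"host/{ipa_host}@{ipa_realm}".lower()
    r = {
        "ad_tgt": f"krbtgt/{ad_realm}@{ad_realm}".lower() in tickets,
        "cross_realm_tgt": f"krbtgt/{ipa_realm}@{ad_realm}".lower() in tickets,
        "host_ticket": host_princ in tickets,
        "host_ok_as_delegate": "ok_as_delegate" in tickets.get(host_princ, set()),
    }
    if not r["ad_tgt"]:
        r["next_step"] = "no AD TGT: the Windows session holds no Kerberos credentials"
    elif not (r["cross_realm_tgt"] or r["host_ticket"]):
        r["next_step"] = "client never asked for a ticket for the IPA host: connect by FQDN"
    elif not r["host_ticket"]:
        r["next_step"] = "cross-realm TGT present but no host/ ticket: check the host principal"
    else:
        r["next_step"] = "tickets present: check sshd and SSSD user mapping on the IPA host"
    return r
```

Run `klist` in cmd.exe or PowerShell right after the failed ssh attempt and feed its output to `diagnose()`; the third case in the thread (the domain controller showing `Cached Tickets: (0)`) lands in the "no AD TGT" branch.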
Post by Tiemen Ruiten
It's a CentOS 7.3 host, the version of sssd is 1.14.0, so there's no need
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
Current LogonId is 0:0x603b58
Cached Tickets: (0)
Note that this is the domain controller and I'm logged in using the
experimental Win32-OpenSSH server. Not sure if that makes a difference. I
am not currently in the office, so unfortunately can't turn on the only
joined laptop in this domain.
How can I ensure a proper ticket is generated?
Post by Sumit Bose
Post by Tiemen Ruiten
I think I just realised that my expectation may be wrong: GSSAPI login
with a FreeIPA user logged in on an AD host to a FreeIPA host works. So is
it correct to also expect passwordless login with an AD user to a FreeIPA
host?
The AD user case should work as well.
First please send the SSSD version you use on the IPA client,
alternatively you can check if
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists or not. This
would tell if SSSD can map the user name to the Kerberos principal or if
additional configuration is needed.
On the AD host please check after trying to connect with ssh if there is
a proper service ticket for the IPA client by calling 'klist' in cmd.exe
or PowerShell.
bye,
Sumit
Post by Tiemen Ruiten
Hi Tiemen,
To be clear, what I'm trying to do: log in from an AD account
(adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
expect to be logged in through GSSAPI, instead I get a password
prompt.
I'm assuming that you are coming from a Windows client that is domain
joined and logged into that Windows client with the same domain
credentials that you are using to connect to the IPA-joined host. Do you
also have your SSH client configured to attempt GSSAPI? It appears that
you do from the logs you provided but I'm just double-checking.
In my setup I've found that this feature does not work all of the time.
I've not yet been able to track it down and I'm assuming it has
something to do with connections to domain controllers timing out, but at
this point that is speculation.
So to answer your question, yes, that should work. Sorry I don't have
more information for you, I guess I'm basically "me too"ing your post.
Regards,
j
Is this supposed to work? Did I miss something?