Hello!
I am sending you this mail because I have a problem with an SSH connection with an IPA user (not a local user) on the client hosts.
Here are the versions I used:
- ipa-server: ipa-server-4.6.6-11.el7.x86_64
- ipa-client: ipa-client-4.4.0-12.el7.x86_64
My nodes are on RHEL7.
When I try to connect from myhost with myuser on the remote host myremotehost, I have the following error:
###
# ssh myuser@myremotehost
myuser@myremotehost's password:
Permission denied, please try again.
myuser@myremotehost's password:
###
In the /var/log/secure log, I can see the following lines which appear when I try my SSH connection.
###
Jun 9 19:27:15 myremotehost sshd[9778]: Connection from myip port 62250 on myremotehostip port 22
Jun 9 19:27:15 myremotehost sshd[9778]: reprocess config line 126: Deprecated option RSAAuthentication
Jun 9 19:27:15 myremotehost sshd[9778]: reprocess config line 129: Deprecated option RhostsRSAAuthentication
Jun 9 19:27:15 myremotehost sshd[9778]: Failed publickey for myuser from myip port 62250 ssh2: RSA SHA256:UP4xpD3GE//DpZYT44F+a+i1ryqsntlbFkQsPOHjVe8
Jun 9 19:27:23 myremotehost sshd[9778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=myuser
Jun 9 19:27:25 myremotehost sshd[9778]: Failed password for myuser from myip port 62250 ssh2
###
The kinit with this password is OK. A "su - myuser" is OK with this password.
I don't understand why SSH connections are not working. /etc/host.allow is configured to allow me to connect with sshd from myip and myhost to this host. In /etc/ssh/sshd_config, the AllowGroup line is good. myuser belongs to the right group in AllowGroup.
Here is the command used to join the realm on myremotehost:
###
ipa-client-install --domain=mydomain --realm=MYREALM --fixed-primary --server=IPASERVER1 --server=IPASERVER2 --principal=admin --password=ADMINPWD --mkhomedir --hostname=myremotehost --no-ntp --no-ssh --no-sshd
###
Does the problem come from --no-ssh or --no-sshd? How can I solve this problem without launching this command again?
Best regards.
Lune
I stopped the sshd server and started it again with the -d option to get more information.
Here is what appears as the error:
###
debug1: userauth-request for user myuser service ssh-connection method password [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: PAM: password authentication failed for myuser: Permission denied
Failed password for myuser from myip port 64146 ssh2
###
What could this permission denied be, please?
Best regards.
Lune
On Tue, Jun 09, 2020 at 09:57:19PM +0200, lune voo via FreeIPA-users wrote:
> I stopped the sshd server and started it again with the -d option to get more information.
> Here is what appears as the error:
> ###
> debug1: userauth-request for user myuser service ssh-connection method password [preauth]
> debug1: attempt 2 failures 1 [preauth]
> debug1: PAM: password authentication failed for myuser: Permission denied
> Failed password for myuser from myip port 64146 ssh2
> ###
> What could this permission denied be, please?
Hi,
please check the PAM related messages in /var/log/secure, this should tell you which PAM module caused the permission denied.
Additionally please check /etc/pam.d/sshd and /etc/pam.d/password-auth which should be included by /etc/pam.d/sshd. From the debug messages you've sent it looks like only pam_unix was tried but pam_sss should be available in the PAM configuration as well.
bye, Sumit
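
One way to carry out the check suggested in the reply above, as an added example that is not part of the original thread: it follows the include/substack lines from a service's PAM file and reports whether pam_sss.so is ever reached in the auth stack. The PAM_DIR variable, the function names and the sample files are assumptions constructed for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): walk a service's PAM auth stack through
# include/substack lines and report whether pam_sss.so is ever reached.
# PAM_DIR is an assumption of this sketch so it can run against a copy.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# pam_auth_modules SERVICE: print the auth modules in stack order, one per line.
pam_auth_modules() {
    [ -r "$PAM_DIR/$1" ] || { echo "cannot read $PAM_DIR/$1" >&2; return 1; }
    # Strip comments, collapse a bracketed control ([success=1 default=ignore])
    # into one token, keep "auth" lines (a leading "-" is permitted by PAM).
    sed -e 's/#.*//' -e 's/\[[^]]*]/[ctl]/' "$PAM_DIR/$1" |
    awk '$1 == "auth" || $1 == "-auth" { print $2, $3 }' |
    while read -r control target; do
        case "$control" in
            include|substack) pam_auth_modules "$target" ;;
            *) basename "$target" ;;
        esac
    done
}

# stack_has_module SERVICE MODULE: succeed if MODULE is in the auth stack.
stack_has_module() {
    pam_auth_modules "$1" | grep -qxF "$2"
}

# write_sample DIR [sss]: constructed RHEL 7 style files; without "sss" the
# password-auth stack stops at pam_unix.so, matching the symptoms in this thread.
write_sample() {
    mkdir -p "$1"
    printf '%s\n' '#%PAM-1.0' 'auth required pam_sepermit.so' \
        'auth substack password-auth' 'account required pam_nologin.so' \
        > "$1/sshd"
    {
        printf '%s\n' 'auth required pam_env.so' \
            'auth [default=1 success=ok] pam_localuser.so' \
            'auth sufficient pam_unix.so nullok try_first_pass'
        [ "${2:-}" = sss ] && echo 'auth sufficient pam_sss.so forward_pass'
        echo 'auth required pam_deny.so'
    } > "$1/password-auth"
}

# Demo on the constructed sample (set PAM_DIR=/etc/pam.d to check a real host).
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
( PAM_DIR="$demo_dir"; stack_has_module sshd pam_sss.so ) ||
    echo "sshd auth stack never reaches pam_sss.so"
rm -rf "$demo_dir"
```

On a real client, `pam_auth_modules sshd` run as root prints the modules sshd will actually consult, which can be compared with the module named in the pam_unix(sshd:auth) line in /var/log/secure.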
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...