Most of our FreeIPA client nodes are Ubuntu 14, 16 and some 18. We have a fair number where I am unable to use SSH authentication because the server refuses the key.
The same user/key works fine on other nodes.
I have checked to the best of my knowledge the files and compared them to a node that works and can't find any differences.
/etc/nsswitch.conf
/etc/sssd/sssd.conf
I don't understand the nuances of FreeIPA to know where else to look. Can anyone suggest what else I can look at to troubleshoot what is going on? Every user experiences this on different nodes.
Thanks!
Jeff Vincent via FreeIPA-users wrote:
> Most of our FreeIPA client nodes are Ubuntu 14, 16 and some 18. We have a fair number where I am unable to use SSH authentication because the server refuses the key.
> The same user/key works fine on other nodes.
> I have checked to the best of my knowledge the files and compared them to a node that works and can't find any differences.
> /etc/nsswitch.conf
> /etc/sssd/sssd.conf
> I don't understand the nuances of FreeIPA to know where else to look. Can anyone suggest what else I can look at to troubleshoot what is going on? Every user experiences this on different nodes.
Compare the sshd config files.
See if the authorized keys tool works:
/usr/bin/sss_ssh_authorizedkeys someuser
rob
That was it!!! The /etc/ssh/sshd_config file is missing a few things. My observation was in error that sometimes it worked for some users on a misconfigured node.
So the next question I have is why doesn't that file always get updated when ipa is configured? Is it supposed to be updated by ipa-client-install?
At least I know what to look for. I may just add this to my salt-stack deployments so every node has the correct sshd config file.
Thanks!!
On Thu, Jan 9, 2020 at 3:14 PM Rob Crittenden <rcritten@redhat.com> wrote:
> Jeff Vincent via FreeIPA-users wrote:
> > Most of our FreeIPA client nodes are Ubuntu 14, 16 and some 18. We have a fair number where I am unable to use SSH authentication because the server refuses the key.
> > The same user/key works fine on other nodes.
> > I have checked to the best of my knowledge the files and compared them to a node that works and can't find any differences.
> > /etc/nsswitch.conf
> > /etc/sssd/sssd.conf
> > I don't understand the nuances of FreeIPA to know where else to look. Can anyone suggest what else I can look at to troubleshoot what is going on? Every user experiences this on different nodes.
> Compare the sshd config files.
> See if the authorized keys tool works:
> /usr/bin/sss_ssh_authorizedkeys someuser
> rob
Jeff wrote:
> That was it!!! The /etc/ssh/sshd_config file is missing a few things. My observation was in error that sometimes it worked for some users on a misconfigured node.
> So the next question I have is why doesn't that file always get updated when ipa is configured? Is it supposed to be updated by ipa-client-install?
> At least I know what to look for. I may just add this to my salt-stack deployments so every node has the correct sshd config file.
You can check /var/log/ipaclient-install.log to see if it touched the file (or skipped it).
rob
> Thanks!!
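Added example, not part of the thread or of FreeIPA's own tooling: a shell check for the sshd_config gap found above, written so it can be run across nodes from configuration management. It assumes the missing lines are sshd's AuthorizedKeysCommand and AuthorizedKeysCommandUser directives (the thread does not list them); the function names and the sample configs are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): check that an sshd_config tells sshd
# to fetch public keys from SSSD. Assumes the file uses no Include directives.

# Print the effective global value of keyword $1 in config file $2.
# sshd keeps the first occurrence of a keyword, matches keywords
# case-insensitively, accepts "Key value" or "Key=value", and treats
# everything after the first Match line as conditional.
sshd_global_value() {
    awk -v want="$1" '
    BEGIN { want = tolower(want) }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        key = line; sub(/[ \t=].*$/, "", key)
        val = substr(line, length(key) + 1)
        sub(/^[ \t=]+/, "", val); sub(/[ \t]+$/, "", val)
        key = tolower(key)
        if (key == "match") exit
        if (key == want) { print val; exit }
    }' "$2"
}

# Return 0 if config file $1 wires sshd to sss_ssh_authorizedkeys,
# otherwise print one line per finding and return 1.
audit_sshd_for_sssd_keys() {
    cfg=$1; rc=0
    cmd=$(sshd_global_value AuthorizedKeysCommand "$cfg")
    usr=$(sshd_global_value AuthorizedKeysCommandUser "$cfg")
    case $cmd in
        /usr/bin/sss_ssh_authorizedkeys) ;;
        '') echo "$cfg: AuthorizedKeysCommand not set globally"; rc=1 ;;
        *)  echo "$cfg: AuthorizedKeysCommand is '$cmd'"; rc=1 ;;
    esac
    [ -n "$usr" ] || { echo "$cfg: AuthorizedKeysCommandUser not set"; rc=1; }
    return $rc
}

# Constructed sample configs, written to directory $1 for a dry run.
write_samples() {
    printf '%s\n' '# constructed: working node' 'UsePAM yes' \
        'authorizedkeyscommand=/usr/bin/sss_ssh_authorizedkeys' \
        'AuthorizedKeysCommandUser nobody' > "$1/good.conf"
    printf '%s\n' '# constructed: node that refuses the key' 'UsePAM yes' \
        '#AuthorizedKeysCommand none' 'Match User deploy' \
        '    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys' \
        > "$1/bad.conf"
}
```

On a node, source the file and run `audit_sshd_for_sssd_keys /etc/ssh/sshd_config`; a non-zero return marks a node whose sshd never asks SSSD for keys, even when `/usr/bin/sss_ssh_authorizedkeys someuser` itself returns them.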