[Date Prev][Date Next] [Chronological] [Thread] [Top]
LDAP Passwordless SSH Problem

To: openldap-technical@openldap.org
Subject: LDAP Passwordless SSH Problem
From: Kamran Khan <kamran@pssclabs.com>
Date: Wed, 5 Mar 2014 13:29:48 -0800 (PST)
In-reply-to: <2045445362.215308.1394053874662.JavaMail.root@pssclabs.com>
Thread-index: Awv7cInRtxJ+nmof9G82q4CNXiOyYg==
Thread-topic: LDAP Passwordless SSH Problem
Hi all, 

I have a cluster, running RHEL6.5, which I have installed and configured LDAP w/ TLS support. The systems are all authenticating using LDAP properly, and I have added a test user to make sure this works. I can 'su' into the new user, and SSH across all systems. However, it requires a password upon every SSH. 

Please see verbose SSH below: 
=================================================== 
[root@usdtwclus01 ~]# su - jramey 

[jramey@usdtwclus01 ~]$ ssh -vvvvv n001 
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010 
debug1: Reading configuration data /etc/ssh/ssh_config 
debug1: Applying options for * 
debug2: ssh_connect: needpriv 0 
debug1: Connecting to n001 [172.16.36.1] port 22. 
debug1: Connection established. 
debug3: Not a RSA1 key file /home/jramey/.ssh/id_rsa. 
debug2: key_type_from_name: unknown key type '-----BEGIN' 
debug3: key_read: missing keytype 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug3: key_read: missing whitespace 
debug2: key_type_from_name: unknown key type '-----END' 
debug3: key_read: missing keytype 
debug1: identity file /home/jramey/.ssh/id_rsa type 1 
debug1: identity file /home/jramey/.ssh/id_rsa-cert type -1 
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 
debug1: match: OpenSSH_5.3 pat OpenSSH* 
debug1: Enabling compatibility mode for protocol 2.0 
debug1: Local version string SSH-2.0-OpenSSH_5.3 
debug2: fd 5 setting O_NONBLOCK 
debug1: SSH2_MSG_KEXINIT sent 
debug3: Wrote 960 bytes for a total of 981 
debug1: SSH2_MSG_KEXINIT received 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss 
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se 
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se 
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib 
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss 
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se 
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se 
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
debug2: kex_parse_kexinit: none,zlib@openssh.com 
debug2: kex_parse_kexinit: none,zlib@openssh.com 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5 
debug1: kex: server->client aes128-ctr hmac-md5 none 
debug2: mac_setup: found hmac-md5 
debug1: kex: client->server aes128-ctr hmac-md5 none 
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent 
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP 
debug3: Wrote 24 bytes for a total of 1005 
debug2: dh_gen_key: priv key bits set: 120/256 
debug2: bits set: 522/1024 
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent 
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY 
debug3: Wrote 144 bytes for a total of 1149 
debug3: check_host_in_hostfile: host n001 filename /home/jramey/.ssh/known_hosts 
debug3: check_host_in_hostfile: host n001 filename /home/jramey/.ssh/known_hosts 
debug3: check_host_in_hostfile: match line 1 
debug3: check_host_in_hostfile: host 172.16.36.1 filename /home/jramey/.ssh/known_hosts 
debug3: check_host_in_hostfile: host 172.16.36.1 filename /home/jramey/.ssh/known_hosts 
debug3: check_host_in_hostfile: match line 1 
debug1: Host 'n001' is known and matches the RSA host key. 
debug1: Found key in /home/jramey/.ssh/known_hosts:1 
debug2: bits set: 504/1024 
debug1: ssh_rsa_verify: signature correct 
debug2: kex_derive_keys 
debug2: set_newkeys: mode 1 
debug1: SSH2_MSG_NEWKEYS sent 
debug1: expecting SSH2_MSG_NEWKEYS 
debug3: Wrote 16 bytes for a total of 1165 
debug2: set_newkeys: mode 0 
debug1: SSH2_MSG_NEWKEYS received 
debug1: SSH2_MSG_SERVICE_REQUEST sent 
debug3: Wrote 48 bytes for a total of 1213 
debug2: service_accept: ssh-userauth 
debug1: SSH2_MSG_SERVICE_ACCEPT received 
debug2: key: /home/jramey/.ssh/id_rsa (0x7f0a9fb7a6a0) 
debug3: Wrote 64 bytes for a total of 1277 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password 
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password 
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password 
debug3: authmethod_lookup gssapi-keyex 
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password 
debug3: authmethod_is_enabled gssapi-keyex 
debug1: Next authentication method: gssapi-keyex 
debug1: No valid Key exchange context 
debug2: we did not send a packet, disable method 
debug3: authmethod_lookup gssapi-with-mic 
debug3: remaining preferred: publickey,keyboard-interactive,password 
debug3: authmethod_is_enabled gssapi-with-mic 
debug1: Next authentication method: gssapi-with-mic 
debug3: Trying to reverse map address 172.16.36.1. 
debug1: Unspecified GSS failure. Minor code may provide more information 
Credentials cache file '/tmp/krb5cc_15000' not found 

debug1: Unspecified GSS failure. Minor code may provide more information 
Credentials cache file '/tmp/krb5cc_15000' not found 

debug1: Unspecified GSS failure. Minor code may provide more information 


debug1: Unspecified GSS failure. Minor code may provide more information 
Credentials cache file '/tmp/krb5cc_15000' not found 

debug2: we did not send a packet, disable method 
debug3: authmethod_lookup publickey 
debug3: remaining preferred: keyboard-interactive,password 
debug3: authmethod_is_enabled publickey 
debug1: Next authentication method: publickey 
debug1: Offering public key: /home/jramey/.ssh/id_rsa 
debug3: send_pubkey_test 
debug2: we sent a publickey packet, wait for reply 
debug3: Wrote 368 bytes for a total of 1645 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password 
debug2: we did not send a packet, disable method 
debug3: authmethod_lookup password 
debug3: remaining preferred: ,password 
debug3: authmethod_is_enabled password 
debug1: Next authentication method: password 
jramey@n001's password: 

===================================================

Any ideas on how to accomplish passwordless SSH with LDAP users? 

Please let me know. 

Thanks. 

-- 
Kamran Khan 
PSSC Labs 
HPC Software Technical Engineer
Follow-Ups:
- Re: LDAP Passwordless SSH Problem
  - From: Michael <mlstarling31@hotmail.com>
- Re: LDAP Passwordless SSH Problem
  - From: Dan White <dwhite@olp.net>
Prev by Date: Slapd TLS issue
Next by Date: Re: LDAP Passwordless SSH Problem
Index(es):
- Chronological
- Thread