
Re: LDAP Passwordless SSH Problem



On 03/05/14 13:29 -0800, Kamran Khan wrote:
I have a cluster, running RHEL6.5, which I have installed and configured
LDAP w/ TLS support. The systems are all authenticating using LDAP
properly, and I have added a test user to make sure this works. I can 'su'
into the new user, and SSH across all systems. However, it requires a
password upon every SSH.

Please see verbose SSH below:
===================================================
[root@usdtwclus01 ~]# su - jramey

Do:

ssh-add -L

here, and make sure that key is located within your authorized_keys
file (on n001). Use ssh-copy-id if not. Run a second instance of sshd on
the server, in debug mode, to catch permissions problems, or something less
obvious, with:

/usr/sbin/sshd -d -p 2200

[jramey@usdtwclus01 ~]$ ssh -vvvvv n001
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config

debug1: identity file /home/jramey/.ssh/id_rsa type 1
debug1: identity file /home/jramey/.ssh/id_rsa-cert type -1

debug1: Host 'n001' is known and matches the RSA host key.
debug1: Found key in /home/jramey/.ssh/known_hosts:1
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/jramey/.ssh/id_rsa (0x7f0a9fb7a6a0)

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 172.16.36.1.
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_15000' not found

debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_15000' not found

debug1: Unspecified GSS failure. Minor code may provide more information


debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_15000' not found

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/jramey/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1645
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
jramey@n001's password:


On 03/06/14 10:20 -0800, Kamran Khan wrote:
I'm not sure which means you are referring to, but I do have a user named
'user' which I created locally, and 'user' can passwordless ssh across the
cluster just fine.

Granted, this problem appears to only be happening to your 'ldap' users,
but there is nothing that you have presented that indicates you have a
problem with your ldap setup. sshd will not, by default, retrieve
keys from an ldap server. If that is your aim, consult the OpenSSH
documentation.

--
Dan White
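
An added example, not part of the original message: a shell check, run on the server, for the two causes the reply names, namely the offered key missing from authorized_keys and file modes that sshd's StrictModes rejects. The function name check_pubkey_setup, its output labels and the /tmp/offered.pub path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original message). Checks that the offered key
# is listed on the server and that the home directory, ~/.ssh and
# authorized_keys carry no group/other write bit, which sshd's StrictModes
# refuses. Ownership is not checked here.
#
# usage: check_pubkey_setup HOME_DIR PUBKEY_FILE
#   PUBKEY_FILE holds one "type blob comment" line, e.g. from `ssh-add -L`.
# Prints one finding per line; returns 0 when nothing was found, else 1.
check_pubkey_setup() {
    home=$1
    pub=$2
    ak="$home/.ssh/authorized_keys"
    rc=0

    for p in "$home" "$home/.ssh" "$ak"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            rc=1
            continue
        fi
        # Characters 6 and 9 of the ls mode string are group and other write.
        case $(ls -ld "$p" | cut -c6,9) in
            *w*) echo "WRITABLE $p"; rc=1 ;;
        esac
    done

    # The base64 blob is field 2 of a public key line.
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pub" 2>/dev/null) || blob=
    if [ -z "$blob" ]; then
        echo "NO_KEY $pub"
        rc=1
    elif [ -f "$ak" ] && ! grep -qF -- "$blob" "$ak"; then
        echo "KEY_NOT_LISTED $ak"
        rc=1
    fi
    return $rc
}

# Run directly as: sh check.sh /home/jramey /tmp/offered.pub  (placeholder path)
if [ "$#" -eq 2 ]; then
    check_pubkey_setup "$1" "$2"
fi
```

A clean result here does not rule out everything; the `sshd -d` instance suggested in the reply still shows the server's own reason for refusing the key.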