[Date Prev][Date Next] [Chronological] [Thread] [Top]
Re: LDAP Passwordless SSH Problem

To: Kamran Khan <kamran@pssclabs.com>
Subject: Re: LDAP Passwordless SSH Problem
From: Michael <mlstarling31@hotmail.com>
Date: Wed, 5 Mar 2014 17:30:50 -0500
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <1914542794.215376.1394054988054.JavaMail.root@pssclabs.com>
References: <1914542794.215376.1394054988054.JavaMail.root@pssclabs.com>
You would accomplish it by the same means you would if you weren't using LDAP. LDAP does provide a means to centrally manage keys if you choose however.

Mike 



> On Mar 5, 2014, at 5:00 PM, "Kamran Khan" <kamran@pssclabs.com> wrote:
> 
> Hi all, 
> 
> I have a cluster, running RHEL6.5, which I have installed and configured LDAP w/ TLS support. The systems are all authenticating using LDAP properly, and I have added a test user to make sure this works. I can 'su' into the new user, and SSH across all systems. However, it requires a password upon every SSH. 
> 
> Please see verbose SSH below: 
> =================================================== 
> [root@usdtwclus01 ~]# su - jramey 
> 
> [jramey@usdtwclus01 ~]$ ssh -vvvvv n001 
> OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010 
> debug1: Reading configuration data /etc/ssh/ssh_config 
> debug1: Applying options for * 
> debug2: ssh_connect: needpriv 0 
> debug1: Connecting to n001 [172.16.36.1] port 22. 
> debug1: Connection established. 
> debug3: Not a RSA1 key file /home/jramey/.ssh/id_rsa. 
> debug2: key_type_from_name: unknown key type '-----BEGIN' 
> debug3: key_read: missing keytype 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug3: key_read: missing whitespace 
> debug2: key_type_from_name: unknown key type '-----END' 
> debug3: key_read: missing keytype 
> debug1: identity file /home/jramey/.ssh/id_rsa type 1 
> debug1: identity file /home/jramey/.ssh/id_rsa-cert type -1 
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 
> debug1: match: OpenSSH_5.3 pat OpenSSH* 
> debug1: Enabling compatibility mode for protocol 2.0 
> debug1: Local version string SSH-2.0-OpenSSH_5.3 
> debug2: fd 5 setting O_NONBLOCK 
> debug1: SSH2_MSG_KEXINIT sent 
> debug3: Wrote 960 bytes for a total of 981 
> debug1: SSH2_MSG_KEXINIT received 
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 
> debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss 
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se 
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se 
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib 
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib 
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: first_kex_follows 0 
> debug2: kex_parse_kexinit: reserved 0 
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss 
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se 
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se 
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 
> debug2: kex_parse_kexinit: none,zlib@openssh.com 
> debug2: kex_parse_kexinit: none,zlib@openssh.com 
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: first_kex_follows 0 
> debug2: kex_parse_kexinit: reserved 0 
> debug2: mac_setup: found hmac-md5 
> debug1: kex: server->client aes128-ctr hmac-md5 none 
> debug2: mac_setup: found hmac-md5 
> debug1: kex: client->server aes128-ctr hmac-md5 none 
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent 
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug3: Wrote 24 bytes for a total of 1005 
> debug2: dh_gen_key: priv key bits set: 120/256 
> debug2: bits set: 522/1024 
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent 
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY 
> debug3: Wrote 144 bytes for a total of 1149 
> debug3: check_host_in_hostfile: host n001 filename /home/jramey/.ssh/known_hosts 
> debug3: check_host_in_hostfile: host n001 filename /home/jramey/.ssh/known_hosts 
> debug3: check_host_in_hostfile: match line 1 
> debug3: check_host_in_hostfile: host 172.16.36.1 filename /home/jramey/.ssh/known_hosts 
> debug3: check_host_in_hostfile: host 172.16.36.1 filename /home/jramey/.ssh/known_hosts 
> debug3: check_host_in_hostfile: match line 1 
> debug1: Host 'n001' is known and matches the RSA host key. 
> debug1: Found key in /home/jramey/.ssh/known_hosts:1 
> debug2: bits set: 504/1024 
> debug1: ssh_rsa_verify: signature correct 
> debug2: kex_derive_keys 
> debug2: set_newkeys: mode 1 
> debug1: SSH2_MSG_NEWKEYS sent 
> debug1: expecting SSH2_MSG_NEWKEYS 
> debug3: Wrote 16 bytes for a total of 1165 
> debug2: set_newkeys: mode 0 
> debug1: SSH2_MSG_NEWKEYS received 
> debug1: SSH2_MSG_SERVICE_REQUEST sent 
> debug3: Wrote 48 bytes for a total of 1213 
> debug2: service_accept: ssh-userauth 
> debug1: SSH2_MSG_SERVICE_ACCEPT received 
> debug2: key: /home/jramey/.ssh/id_rsa (0x7f0a9fb7a6a0) 
> debug3: Wrote 64 bytes for a total of 1277 
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password 
> debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password 
> debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password 
> debug3: authmethod_lookup gssapi-keyex 
> debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password 
> debug3: authmethod_is_enabled gssapi-keyex 
> debug1: Next authentication method: gssapi-keyex 
> debug1: No valid Key exchange context 
> debug2: we did not send a packet, disable method 
> debug3: authmethod_lookup gssapi-with-mic 
> debug3: remaining preferred: publickey,keyboard-interactive,password 
> debug3: authmethod_is_enabled gssapi-with-mic 
> debug1: Next authentication method: gssapi-with-mic 
> debug3: Trying to reverse map address 172.16.36.1. 
> debug1: Unspecified GSS failure. Minor code may provide more information 
> Credentials cache file '/tmp/krb5cc_15000' not found 
> 
> debug1: Unspecified GSS failure. Minor code may provide more information 
> Credentials cache file '/tmp/krb5cc_15000' not found 
> 
> debug1: Unspecified GSS failure. Minor code may provide more information 
> 
> 
> debug1: Unspecified GSS failure. Minor code may provide more information 
> Credentials cache file '/tmp/krb5cc_15000' not found 
> 
> debug2: we did not send a packet, disable method 
> debug3: authmethod_lookup publickey 
> debug3: remaining preferred: keyboard-interactive,password 
> debug3: authmethod_is_enabled publickey 
> debug1: Next authentication method: publickey 
> debug1: Offering public key: /home/jramey/.ssh/id_rsa 
> debug3: send_pubkey_test 
> debug2: we sent a publickey packet, wait for reply 
> debug3: Wrote 368 bytes for a total of 1645 
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password 
> debug2: we did not send a packet, disable method 
> debug3: authmethod_lookup password 
> debug3: remaining preferred: ,password 
> debug3: authmethod_is_enabled password 
> debug1: Next authentication method: password 
> jramey@n001's password: 
> 
> ===================================================
> 
> Any ideas on how to accomplish passwordless SSH with LDAP users? 
> 
> Please let me know. 
> 
> Thanks. 
> 
> -- 
> Kamran Khan 
> PSSC Labs 
> HPC Software Technical Engineer 
>
Follow-Ups:
- Re: LDAP Passwordless SSH Problem
  - From: Kamran Khan <kamran@pssclabs.com>
References:
- LDAP Passwordless SSH Problem
  - From: Kamran Khan <kamran@pssclabs.com>
Prev by Date: LDAP Passwordless SSH Problem
Next by Date: Re: ppolicy not verifying password length (not active !!)
Index(es):
- Chronological
- Thread