[Freeipa-devel] sshd, gssapi postinstall cleanup

John Dennis jdennis at redhat.com
Wed Jan 2 21:21:00 UTC 2008


I lost my ability to ssh into one of the boxes I had IPA installed on. 
I'm not currently testing IPA on that box anymore so I disabled many of 
the IPA services and reset my /etc/krb5.conf file back to its original 
content (pointing to our corporate KDC). When I tried to ssh in, the 
connection would appear to hang, so I ran ssh in verbose mode and 
discovered it was hanging while attempting GSSAPI authentication. I'm 
perplexed as to why and I'm wondering if something in the IPA 
installation might have done something (I believe each IPA rpm had been 
installed, but only the server install script had been run). Here are 
the relevant facts:

* kerberos works fine, only our corporate KDC is configured.

* disabling gssapi auth in /etc/ssh/sshd.conf makes the problem go away 
(but gssapi auth is enabled by default, so disabling this is non-standard).

* local logons work

* /etc/nsswitch.conf has only "files" for passwd,shadow,group

* pam ssh points to pam system-auth

* pam system-auth is normal

* /etc/gssapi_mech.conf seems normal (?)

* the local IPA KDC is shut down and there is no reference to it in krb5.conf

So, any ideas as to why sshd on that box would hang as it attempted 
gssapi auth and how might a previous IPA install be responsible for that?
-- 
John Dennis <jdennis at redhat.com>



