[Freeipa-users] Help with sshd configuration - ChallengeResponseAuthentication
Simo Sorce
ssorce at redhat.com
Thu Oct 9 09:22:18 UTC 2008
Can you use ssh -vv and paste what you get there when trying to login ?
(feel free to sanitize output if there is data that you do not want to
share broadly).
Simo.
On Wed, 2008-10-08 at 11:40 -0500, puck at i29.net wrote:
> Sorry. I meant GSSAPI login.
>
> Jem
>
>
> Simo Sorce wrote:
> > On Wed, 2008-10-08 at 11:07 -0500, puck at i29.net wrote:
> >
> > > I've run into a problem when setting up IPA for ssh logins. I've found
> > > that I need to set ChallengeResponseAuthentication to "yes" in my
> > > sshd_config to allow users to change their expired passwords on login,
> > > otherwise the login process just hangs and eventually times out.
> > > However, when I set it to "yes" password-less logins between my servers
> > > no longer work. Once I'm logged in, if I run a "kinit (username)" then
> > > the password-less login works again so I assume that when
> > > ChallengeResponseAuthentication is on, sshd just doesn't set that
> > > correctly. Can anyone recommend an sshd configuration that would allow
> > > both the password-less logins and allow users to change their passwords
> > > at login when they are expired?
> > >
> >
> > By "password-less" login you mean a gssapi login or an ssh-key aided
> > login ?
> >
> > Simo.
> >
> >
> >
> >
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
More information about the Freeipa-users
mailing list