[Freeipa-users] Freeipa -ssh keys

naresh reddy nareshbtech at yahoo.com
Fri Apr 26 11:29:16 UTC 2013


Hi Alexander

Thank you very much, it worked.
It's fantastic and I really appreciate your help.

But this scenario is to use the Kerberos ticket each time to log in.

What we are trying to establish is:
users will have private and public ssh keys;
public ssh keys will be updated to the FreeIPA server, and

then users will connect to the remote servers via the private ssh keys; remote servers need to authenticate via the keys received from the FreeIPA server.


But the present working condition doesn't satisfy this, as the user needs to get the Kerberos ticket every life time.


remote server getting the keys from free ipa
[root@ldap1-eng-switchlab-net ipa]# /usr/bin/sss_ssh_authorizedkeys np
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxOZ37IUe5gvlhO1i+bMhj8vhwlKZN6OKeMW6AM37aJhd7jxhz1R+Cod18YTB+gHkrfwe75kkEKfVyvTjpp9j5DRPeTyGMyWt4VbbyYq1Po4BZT7wOtUjwFq320QD5QnNKU6nbQKsB61xCMQy1Peu0nV/33dQTWHzlGi4uV0MN/KBvaWHmTwN6ZJ34uyEQ8kQ+fStd9XNFREw0iYglk42mNd/SA35njqNlsUbtBAR9ZokruAwAVVZqrfQw== np at ldap.eng.switchlab.net
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxDS69+CH89z5ftzZZCmohY89y2AsJXfA0piHxg2XE+n np at ubuntu
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFyO8uxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMLGVqIwR8Ps5m6sYsB/hx3gm2fIoKq6fm0g976L26oAmclDi12CpVFYbI/osIjsq6mIpr9de5Qus/n9kIoxTZLHTRuoCEj7xc4PSPG78oE7JoWKLMvBDiwyhXNa+O9X1RgYhfYmS2m+1nGJYC9DG4xo7K60nO6WogBg3T+EwuDjYrVIfB5Rfe4D8iWKqOTNlJ+MzK4Dk8W8hqSJvuQFq5155DsbeqDy00EY1dMaGYVUq81lHEM91oz np at ldap0.eng.switchlab.net
[root@ldap1-eng-switchlab-net ipa]#

debug log of present ssh session

debug2: key: /home/np/.ssh/id_rsa (0x7f495ef25d60)
debug2: key: /home/np/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).


Nareshchandra Paturi

14, St. Augustine’s Court, 
Mornington Road,
london.
E11 3BQ.
Mob:07466666001,07856918100
Ph:02082579579


________________________________
 From: Alexander Bokovoy <abokovoy at redhat.com>
To: naresh reddy <nareshbtech at yahoo.com> 
Cc: Jan Cholasta <jcholast at redhat.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com> 
Sent: Friday, April 26, 2013 11:44 AM
Subject: Re: [Freeipa-users] Freeipa -ssh keys
 

On Fri, 26 Apr 2013, naresh reddy wrote:
>Hi Alex 
>
>I had tried tshoot and so I have changed GSSAPIAuthentication to no 
>because I was getting
>debug1: Unspecified GSS failure.  Minor code may provide more information
>Ticket expired
^^^ Ticket expired means your ticket on the machine from which you are
trying to connect to ssh server.

You need to maintain actual credentials:
[client]$ kinit np@eng.switchlab.net
Password: <...>
[client]$ ssh -K -l np@eng.switchlab.net ldap1.eng.switchlab.net

You can read basics about Kerberos here:
http://www.kerberos.org/software/tutorial.html

-- 
/ Alexander Bokovoy
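
Added example (not part of the original thread, and not code from the FreeIPA or OpenSSH projects): a small parser for OpenSSH client debug output like the log quoted above. It reconstructs which methods the server offered, the client's preference order, which methods were actually attempted and which one succeeded, so it is visible when publickey was never reached because a GSSAPI method succeeded first. The sample log is constructed from the lines in the message; the function and variable names are hypothetical.

```python
import re

# Constructed sample: client-side ssh debug lines in the shape of the log quoted above.
SAMPLE_LOG = """\
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentication succeeded (gssapi-with-mic).
"""

PATTERNS = {
    "offered": re.compile(r"Authentications that can continue: (\S+)"),
    "preferred": re.compile(r"debug3: preferred (\S+)"),
    "next": re.compile(r"Next authentication method: (\S+)"),
    "success": re.compile(r"Authentication succeeded \(([^)]+)\)"),
}


def summarize_auth(log_text):
    """Reconstruct the authentication negotiation from client debug output."""
    result = {"offered": [], "preferred": [], "attempted": [], "succeeded": None}
    for line in log_text.splitlines():
        if m := PATTERNS["offered"].search(line):
            # Keep the most recent list the server sent.
            result["offered"] = m.group(1).split(",")
        elif m := PATTERNS["preferred"].search(line):
            result["preferred"] = m.group(1).split(",")
        elif m := PATTERNS["next"].search(line):
            if m.group(1) not in result["attempted"]:
                result["attempted"].append(m.group(1))
        elif m := PATTERNS["success"].search(line):
            result["succeeded"] = m.group(1)
    # Methods the server offered that the client never tried in this session.
    result["never_tried"] = [
        method for method in result["offered"] if method not in result["attempted"]
    ]
    return result


if __name__ == "__main__":
    for key, value in summarize_auth(SAMPLE_LOG).items():
        print(f"{key:12} {value}")
```

For the quoted session this reports gssapi-with-mic as the successful method and publickey under never_tried. The OpenSSH client option -o PreferredAuthentications=publickey restricts a test login to the key-based method.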