BLU Discuss list archive
[Discuss] ssh with rsa keys and ldap
- Subject: [Discuss] ssh with rsa keys and ldap
- From: gaf.linux at gmail.com (Jerry Feldman)
- Date: Wed, 26 Oct 2016 15:07:01 -0400
- In-reply-to: <CAEvgogFkLCHEcBCv76FkcwdQxYWOvLNQ2vXLO2N2e6KHLe1T=w@mail.gmail.com>
- References: <CAEvgogHQWR89Auju9pusPDFFhd6_ijTutn8n=52mJD7TamEhRQ@mail.gmail.com> <CALQ72QFQ_7jb0LsG_iq2ExfZiCiJ7JKdWQts25LTh=Lig3CA9Q@mail.gmail.com> <CAEvgogFkLCHEcBCv76FkcwdQxYWOvLNQ2vXLO2N2e6KHLe1T=w@mail.gmail.com>
Found the culprit!!! Journalctl is your friend.

Oct 26 14:56:18 target.usersys.redhat.com python[31245]: SELinux is preventing /usr/sbin/sshd from open access on the file /home/auser/.ssh/authorized_keys.
If you believe that sshd should be allowed open access on the authorized_keys file by default.
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol

I temporarily disabled selinux to test this.

On Wed, Oct 26, 2016 at 1:40 PM, Jerry Feldman <gaf.linux at gmail.com> wrote:
> It's weird. I can ssh to the workstation as a non-ldap user
> ssh -l <nonldap>
> and it authenticates properly. But if I ssh to another host at work where
> I have the keys set up, it always goes to password.
>
>
> On Wed, Oct 26, 2016 at 12:14 PM, Guy Gold <guy1gold at gmail.com> wrote:
>
>> Jerry,
>>
>> Interesting.
>> Would you say it's safe to assume the culprit is the client rather than
>> the ssh server (target)?
>>
>> It's as if "something" (ldap?) is throwing the auth process to believe
>> "you" does not exist, even when the files are there.
>>
>> On 26 October 2016 at 08:42, Jerry Feldman <gaf.linux at gmail.com> wrote:
>>
>> > Unfortunately nothing very interesting.
>> > /var/log/secure on target:
>> > Oct 26 08:30:45 jfeldmanws sudo: xxxx : TTY=pts/0 ; PWD=/home/xxxx ; USER=root ; COMMAND=/bin/tail -f /var/log/secure
>> > Oct 26 08:31:15 jtarget sshd[16073]: Accepted password for yyyy from 10.18.41.22 port 57384 ssh2
>> > Oct 26 08:31:15 target sshd[16073]: pam_unix(sshd:session): session opened for user yyyy by (uid=0)
>> >
>> > This only showed the password login.
>> > ssh -vvv:
>> > debug3: authmethod_lookup publickey
>> > debug3: remaining preferred: keyboard-interactive,password
>> > debug3: authmethod_is_enabled publickey
>> > debug1: Next authentication method: publickey
>> > debug1: Offering RSA public key: /home/sshuser/.ssh/id_rsa
>> > debug3: send_pubkey_test
>> > debug3: send packet: type 50
>> > debug2: we sent a publickey packet, wait for reply
>> > debug3: receive packet: type 51
>> > debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
>> > debug1: Trying private key: /home/sshuser/.ssh/id_dsa
>> > debug3: no such identity: /home/sshuser/.ssh/id_dsa: No such file or directory
>> > debug1: Trying private key: /home/sshuser/.ssh/id_ecdsa
>> > debug3: no such identity: /home/sshuser/.ssh/id_ecdsa: No such file or directory
>> > debug1: Trying private key: /home/sshuser/.ssh/id_ed25519
>> > debug3: no such identity: /home/sshuser/.ssh/id_ed25519: No such file or directory
>> > debug2: we did not send a packet, disable method
>> > debug3: authmethod_lookup password
>> > debug3: remaining preferred: ,password
>> > debug3: authmethod_is_enabled password
>> > debug1: Next authentication method: password
>> > sshuser at target.usersys.redhat.com's password:
>> > debug3: send packet: type 50
>> > debug2: we sent a password packet, wait for reply
>> > debug3: receive packet: type 52
>> > debug1: Authentication succeeded (password).
>> > ----
>> > here is the same except using a non-ldap user:
>> > debug2: we did not send a packet, disable method
>> > debug3: authmethod_lookup publickey
>> > debug3: remaining preferred: keyboard-interactive,password
>> > debug3: authmethod_is_enabled publickey
>> > debug1: Next authentication method: publickey
>> > debug1: Offering RSA public key: /home/sshuser/.ssh/id_rsa
>> > debug3: send_pubkey_test
>> > debug3: send packet: type 50
>> > debug2: we sent a publickey packet, wait for reply
>> > debug3: receive packet: type 60
>> > debug1: Server accepts key: pkalg ssh-rsa blen 279
>> > debug2: input_userauth_pk_ok: fp SHA256:4SkkYr1TZa/ke4ALxYQMlpKshIAsoCAfr7XukU7/MF8
>> > debug3: sign_and_send_pubkey: RSA SHA256:4SkkYr1TZa/ke4ALxYQMlpKshIAsoCAfr7XukU7/MF8
>> > debug3: send packet: type 50
>> > debug3: receive packet: type 52
>> > debug1: Authentication succeeded (publickey).
>> > Authenticated to target.usersys.redhat.com ([10.19.40.121]:22).
>> >
>> >
>> > On 10/25/2016 07:47 PM, Guy Gold wrote:
>> >
>> > Any interesting details when using:
>> >
>> > "ssh -vvv" on the client
>> >
>> > while tailing /var/log/auth.log (or /var/log/secure) on the ssh target?
>> >
>> > On 25 October 2016 at 14:13, Jerry Feldman <gaf.linux at gmail.com> wrote:
>> >
>> > I have a situation using rsa keys from an ldap user id.
>> > I have checked the permissions of my home directories, ~/.ssh, as well as ~/.ssh/authorized_keys.
>> > For instance, I am logged into my laptop and ssh into the workstation at my desk, and it always prompts me for my password.
>> >
>> > On the same systems, I can ssh into an alternate user (ssh -l alt-user) using the same rsa keys.
>> >
>> > Also note that I can ssh into the BLU servers as my ldap user, but the BLU servers use a local user name. So, there is some system setting on the target machine (not SELINUX) that I am missing.
--
Jerry Feldman <gaf.linux at gmail.com>
Boston Linux and Unix
PGP key id: B7F14F2F
Key fingerprint: D937 A424 4836 E052 2E1B 8DC6 24D7 000F B7F1 4F2F
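The denial Jerry found is the classic sign of a mislabelled home directory (an LDAP user's ~/.ssh created or copied without the label sshd is allowed to read), which restorecon repairs without a custom policy module. The script below is an added example, not from the thread: it reads audit.log AVC lines, flags sshd denials on authorized_keys whose file type is not ssh_home_t, and prints the relabel command; it assumes the targeted policy default of ssh_home_t for ~/.ssh and uses constructed sample log lines.

```shell
#!/bin/sh
# Added example, not from the thread. Triage SELinux AVC denials of the kind
# journalctl reported above: sshd denied access to ~/.ssh/authorized_keys.
# Reads audit.log lines on stdin; prints each mislabelled authorized_keys
# path once, then a "fix:" line per directory; exits 1 if anything is found.
# Assumption: the targeted policy's default type for ~/.ssh is ssh_home_t,
# so a user_home_t (or other) label on the key file means the directory was
# created or copied without the right label, and restorecon repairs it.

triage_sshd_avc() {
    awk '
        /avc: +denied/ && /comm="sshd"/ && /authorized_keys/ {
            path = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                # path="/home/auser/.ssh/authorized_keys" -> drop key and quotes
                if ($i ~ /^path=/) { path = substr($i, 6); gsub(/"/, "", path) }
                # tcontext=unconfined_u:object_r:user_home_t:s0 -> third field is the type
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            }
            if (ttype != "ssh_home_t" && !seen[path]++) {
                printf "%s labelled %s, expected ssh_home_t\n", path, ttype
                dir = path; sub("/[^/]*$", "", dir)
                if (!fix[dir]++) order[++n] = dir
                bad++
            }
        }
        END {
            for (i = 1; i <= n; i++) printf "fix: restorecon -Rv %s\n", order[i]
            if (bad > 0) exit 1
        }
    '
}

# Constructed sample audit.log lines (shaped like RHEL 7 entries): two AVC
# denials for sshd on the same file, plus an unrelated denial to be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1477507069.120:4321): avc:  denied  { open } for  pid=31245 comm="sshd" path="/home/auser/.ssh/authorized_keys" dev="dm-2" ino=1048594 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1477507069.121:4322): avc:  denied  { read } for  pid=31245 comm="sshd" path="/home/auser/.ssh/authorized_keys" dev="dm-2" ino=1048594 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1477507069.500:4323): avc:  denied  { read } for  pid=2201 comm="httpd" path="/srv/www/index.html" dev="dm-2" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_AUDIT" | triage_sshd_avc ||
    echo "sshd is blocked by a file label, not a missing policy rule: relabel before reaching for audit2allow."
```

On a live host, feed it `grep AVC /var/log/audit/audit.log` instead of the sample; if the home directories live outside /home, register the alternate root with `semanage fcontext -a -e /home <altroot>` before running the printed restorecon.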