On 03/05/14 13:29 -0800, Kamran Khan wrote:
I have a cluster, running RHEL6.5, on which I have installed and configured LDAP w/ TLS support. The systems are all authenticating using LDAP properly, and I have added a test user to make sure this works. I can 'su' into the new user, and SSH across all systems. However, it requires a password upon every SSH.
Please see verbose SSH below:
[root@usdtwclus01 ~]# su - jramey
Do:
ssh-add -L
here, and make sure that key is located within your authorized_keys file (on n001). Use ssh-copy-id if not. Run a second instance of sshd on the server, in debug mode, to catch permissions problems, or something less obvious, with:
/usr/sbin/sshd -d -p 2200
[jramey@usdtwclus01 ~]$ ssh -vvvvv n001
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: identity file /home/jramey/.ssh/id_rsa type 1
debug1: identity file /home/jramey/.ssh/id_rsa-cert type -1
debug1: Host 'n001' is known and matches the RSA host key.
debug1: Found key in /home/jramey/.ssh/known_hosts:1
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/jramey/.ssh/id_rsa (0x7f0a9fb7a6a0)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 172.16.36.1.
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_15000' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_15000' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_15000' not found
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/jramey/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1645
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
jramey@n001's password:
On 03/06/14 10:20 -0800, Kamran Khan wrote:
I'm not sure which means you are referring to, but I do have a user named 'user' which I created locally, and 'user' can passwordless ssh across the cluster just fine.
Granted, this problem appears to only be happening to your 'ldap' users, but there is nothing that you have presented that indicates you have a problem with your ldap setup. sshd will not, by default, retrieve keys from an ldap server. If that is your aim, consult the OpenSSH documentation.
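
The two checks suggested in the reply (is the offered key listed in authorized_keys on the server, and are there permission problems of the kind `sshd -d` reports), as an added example that is not part of the original thread. The function name `check_pubkey_auth` and its output labels are hypothetical, and the script assumes sshd's default StrictModes behaviour, the usual `ls -l` column layout, and that the public half of the key sits beside it as `id_rsa.pub`.

```shell
#!/bin/sh
# Added example, not from the thread.
# check_pubkey_auth HOME_DIR PUBKEY_FILE NUMERIC_UID
# Prints one line per problem; returns 0 when nothing is wrong, 1 otherwise.
check_pubkey_auth() {
    home=$1; pub=$2; uid=$3; rc=0
    ak="$home/.ssh/authorized_keys"

    # With StrictModes (the sshd default) the key file is ignored when the
    # home directory, ~/.ssh or authorized_keys is writable by group or
    # others, or is owned by someone other than the user or root.
    for p in "$home" "$home/.ssh" "$ak"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; rc=1; continue
        fi
        # ls -ld mode string: column 6 is group-write, column 9 other-write
        case $(ls -ld "$p" | cut -c6,9) in
            *w*) echo "WRITABLE $p"; rc=1 ;;
        esac
        owner=$(ls -ldn "$p" | awk '{print $3}')
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "OWNER $p uid=$owner"; rc=1
        fi
    done

    # Compare key type and base64 blob only: an authorized_keys line may
    # carry leading options and a different trailing comment.
    key=$(awk 'NF >= 2 {print $1 " " $2; exit}' "$pub" 2>/dev/null) || key=
    if [ -z "$key" ]; then
        echo "NO_KEY $pub"; rc=1
    elif [ -f "$ak" ] && ! awk -v k="$key" '
            { for (i = 1; i < NF; i++) if (($i " " $(i+1)) == k) found = 1 }
            END { exit !found }' "$ak"; then
        echo "KEY_NOT_LISTED $ak"; rc=1
    fi
    return $rc
}

# Usage on the server, as root (paths assumed from the debug output above):
#   sh check.sh /home/jramey /home/jramey/.ssh/id_rsa.pub "$(id -u jramey)"
if [ "$#" -eq 3 ]; then check_pubkey_auth "$@"; fi
```

A clean result here does not rule out everything the `sshd -d -p 2200` run can show, such as SELinux denials or a non-default AuthorizedKeysFile setting.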