Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

Hi
I'm just trying to authenticate to the remote machine with an SSH user from AD authentication, but it returns the error
Permission denied (publickey,gssapi-keyex,gssapi-with-mic). It's not asking for a password.
When I try to debug the same with the below command, it shows the below output.
We have already set up PasswordAuthentication yes in /etc/ssh/sshd_config.

ssh -v -i id_rsa.pub -f -N -D 0.0.0.0:1080 user1@xxx.xxx.xx.xx

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user1/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa
debug1: Trying private key: /home/user1/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Hey there!

I suspect that your MaxAuthTries is set to 3, because it tries your 3 present priv/pubkeys and then fails (ref)

You can mitigate that either by increasing that (not so good an option), or by extending your ssh client config so it will always use basic auth for this connection (i.e. by setting PreferredAuthentications) (ref)

I hope this helps!

Hi Lumarel,

thanks for the reply.
I am not sure what needs to be done on my side.
Also I can see the below error in systemctl status sssd; can you please suggest?

Nov 27 10:00:31 server-1 sssd[4033234]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server no>
Nov 27 10:00:31 server-1 sssd[4033234]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server no>
Nov 27 10:00:31 server-1 sssd[4033238]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server no>
Nov 27 10:00:31 server-1 sssd[4033238]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server no>
Nov 27 10:00:31 server-1 sssd[4033244]: ; TSIG error with server: tsig verify failure

Okay, did you verify that your configuration in SSSD works?
If not, depending on your configuration, can you do an id <username> or id <domain>\<username>? This should resolve the id and groups of the provided user. If that works, your IdP config should be fine enough to work for login.
Reading some documentation, these errors could be due to a dyndns misconfiguration on the IdP side (ref), so not relevant for the functionality.

As said above, best would be to set up your in the config file or directly provide the option.
Btw, why are you providing an ssh pub key to ssh in the identity property, even though you want to do password auth?
So for a minimum configuration (hence no ssh client config file) it would be ssh -o PreferredAuthentications=password user1@xxx.xxx.xx.xx

If I try
ssh -v -o PreferredAuthentications=password user1@xxx.xxx.xx.xx
I get the below output

OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to xxxxxx [xx.xxx.xxx.xx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: match: OpenSSH_8.7 pat OpenSSH* compat 0x04000000
debug1: Authenticating to xxxxxx:22 as 'user1'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:BMD+N+geLlHsprIkFrl2DRJyMcGaacT+GM8nLABJtOs
debug1: Host 'xxxxxx' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:951
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

If I try the same for user2, who is a local user of the remote machine, then it's working fine. But when I try to connect with an AD-joined user, it's returning the error. Below is the log for reference when a local user of the remote server attempts to ssh.

ssh -v -o PreferredAuthentications=password user2@xxx.xxx.xx.xx

debug1: Found key in /root/.ssh/known_hosts:951
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password

You’re attempting a ssh login as the root user.

Which is a bad idea.

But if you insist, you need to change

PermitRootLogin no

to

PermitRootLogin yes

I'm able to log in with local Linux users, but getting an error when I try to log in with AD-joined users.

systemctl status sssd is showing the below error; can this be the cause for this?

Nov 28 21:49:23 serv1 sssd_nss[2425987]: Starting up
Nov 28 21:49:23 serv1 sssd_pam[2425988]: Starting up
Nov 28 21:49:23 serv1 sssd_pac[2425989]: Starting up
Nov 28 21:49:23 serv1 systemd[1]: Started System Security Services Daemon.
Nov 28 21:49:42 serv1 sssd[2429434]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server no>
Nov 28 21:49:42 serv1 sssd[2429434]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server no>
Nov 28 21:49:42 serv1 sssd[2429488]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server no>
Nov 28 21:49:42 serv1 sssd[2429488]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server no>
Nov 28 21:49:42 serv1 sssd[2429531]: ; TSIG error with server: tsig verify failure
Nov 28 21:49:42 serv1 sssd[2429531]: update failed: SERVFAIL

The issue won’t be within sshd, the issue is going to be within sssd. Based on the logs you’ve provided, this can come down to a few things:

  • There are missing DNS records (especially reverse DNS for the DC or the host you’ve joined)
  • dynamic DNS is not allowed
  • Your system’s FQDN / server name does NOT match what’s actually in AD

You can try the following:

  • rm -rf /var/lib/sss/db/* ; systemctl restart sssd - This clears the cache and starts at a clean slate. Do this and try again.
  • Set dyndns_updates = false under the [domain/... section in /etc/sssd/sssd.conf and run systemctl restart sssd
  • If any of the above does not work: realm leave DOMAIN and then realm join DOMAIN and try again.

Beyond this, I would highly recommend troubleshooting/debugging sssd. I would read this guide: Troubleshooting Basics - sssd.io - This guide will get you through basic troubleshooting to try to drill down if any of the above does not work for you.

thanks for the reply

Note on that, since you seem to have el9 (based on “remote software version OpenSSH_8.0”).

The el9 version of sshd starts /etc/ssh/sshd_config with:

Include /etc/ssh/sshd_config.d/*.conf

If your PasswordAuthentication yes is after the include and
if any of the /etc/ssh/sshd_config.d/*.conf sets PasswordAuthentication,
then that overrides your setting because sshd uses the first occurrence of each option.
The preferred way to modify the sshd config in el9 is thus to add a *.conf file into
/etc/ssh/sshd_config.d/ that is lexicographically first (by its name).

Do you have any other method to access the system than ssh?
That is, can the AD accounts use password at all?
I.e. you probably want to test/debug (the sssd) with more than just ssh.
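As an added illustration (not part of Jlehtone's post, nor Rocky or OpenSSH code), the POSIX sh script below reproduces sshd's first-occurrence rule with Include expansion, so you can see which file actually decides PasswordAuthentication; the sample tree and the drop-in name 50-vendor.conf are constructed for the demo.

```shell
#!/bin/sh
# Resolve an sshd_config option the way sshd does: the FIRST occurrence wins,
# with Include files read in place (glob matches in name order, as glob(3) sorts them).
# Assumptions: Include paths are absolute, keywords are case-insensitive, and
# anything below a "Match" line is conditional and therefore skipped.
# Usage: sshd_effective <sshd_config> <Option>  ->  "<value> (<file>:<line>)", or status 1
sshd_effective() {
    _cfg=$1; _opt=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    _in_match=0; _n=0
    while IFS= read -r _raw || [ -n "$_raw" ]; do
        _n=$((_n + 1))
        _line=${_raw#"${_raw%%[![:space:]]*}"}      # drop leading whitespace
        case $_line in ''|\#*) continue ;; esac     # blank line or comment
        _key=${_line%%[[:space:]=]*}                # keyword ends at blank or '='
        _val=${_line#"$_key"}
        _val=${_val#"${_val%%[![:space:]=]*}"}       # drop the separator
        _key=$(printf '%s' "$_key" | tr '[:upper:]' '[:lower:]')
        [ "$_key" = match ] && _in_match=1
        [ "$_in_match" -eq 1 ] && continue
        if [ "$_key" = include ]; then
            for _f in $_val; do                     # unquoted on purpose: sorted glob expansion
                [ -f "$_f" ] || continue
                # the subshell keeps the recursive call from clobbering this loop's state
                _hit=$(sshd_effective "$_f" "$_opt") && { printf '%s\n' "$_hit"; return 0; }
            done
        elif [ "$_key" = "$_opt" ]; then
            printf '%s (%s:%s)\n' "$_val" "$_cfg" "$_n"
            return 0
        fi
    done < "$_cfg"
    return 1
}

# Constructed sample tree mimicking the el9 layout: Include first, the admin's
# "PasswordAuthentication yes" later, and a drop-in that silently overrides it.
make_sample_tree() {
    _d=$(mktemp -d) && mkdir "$_d/sshd_config.d"
    printf '%s\n' "# constructed main file" "Include $_d/sshd_config.d/*.conf" "Port 22" \
        "PermitRootLogin no" "PasswordAuthentication yes" \
        "Match User backup" "    PasswordAuthentication no" > "$_d/sshd_config"
    printf '%s\n' "# constructed vendor drop-in" "PasswordAuthentication no" \
        > "$_d/sshd_config.d/50-vendor.conf"
    printf '%s\n' "$_d"
}

d=$(make_sample_tree)
sshd_effective "$d/sshd_config" PasswordAuthentication   # prints: no (<tmpdir>/sshd_config.d/50-vendor.conf:2)
rm -rf "$d"
```

On the real host, `sshd -T | grep -i passwordauthentication` prints the value sshd itself ends up with, which is the quickest confirmation after editing a drop-in.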

thanks for the reply

Hi Jlehtone,

this works for me, thanks.

I now have a new issue here related to the same Rocky Linux 9; please check if you can suggest.
One of our users is trying to connect to sftp and is not able to connect.
When I check /var/log/secure I can see the below error in the log.

localhost sshd: Unable to negotiate with xxx.xx.xxx.xx port xxxx: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]

localhost sshd[1875696]: Unable to negotiate with xx.xx.xxx.xx port xxxx: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

el9 does not support SHA1 in its default security policy: Chapter 3. Using system-wide cryptographic policies Red Hat Enterprise Linux 9 | Red Hat Customer Portal

It is still possible to enable the support: Chapter 3. Using system-wide cryptographic policies Red Hat Enterprise Linux 9 | Red Hat Customer Portal
but one should rather work on updating the other, ancient, party.

Thanks for the reply.

If Rocky Linux is on OpenSSH 8.*
and the end user is using OpenSSH 7.*,
what is the best way we can solve this issue?

Thanks for the reply and the valuable information in the provided URL.
I have just gone through the site OpenSSH: Legacy Options.
As per the site I can imagine the below 3 solutions; can you please suggest?

solution 1:
ssh -oHostKeyAlgorithms=+ssh-dss user@legacyhost
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost

or
solution 2:
the end user should upgrade to the latest OpenSSH version 8 or later; if an OpenSSH upgrade is not possible, can we ask the end user to use any latest WinSCP software, which normally doesn't face any issue while connecting to Rocky 9 ssh/sftp?

or solution 3:
we on our side need to update the crypto-policies
update-crypto-policies --show (it shows DEFAULT)
update-crypto-policies --set LEGACY or update-crypto-policies --set DEFAULT:SHA1
reboot
OR

If the end user is using OpenSSH_7.2, what should we suggest to them?
If the user has the openssh-7.2 version, what can we ask the client to do on his side?
In the above mentioned solutions, do solution 1 and solution 3 both need to be applied together, or can they work independently?
