Ssh login not prompting for password change with FreeIPA on Rocky 9.4

Hi,

I just freshly installed Rocky 9.4 and installed FreeIPA server on it. I added a user, enabled the user, changed the password, and set the policy using FreeIPA. However, when I try to log in with that password, it doesn’t prompt for a new password. It just says permission denied:

my_user@Desktop:~$ ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no pacific.caps.int
my_user@pacific.caps.int's password:
Permission denied, please try again.

Logging in with a key-pair works fine. Before the new install, I had Rocky 9.1 and I didn’t have an issue with password change. I haven’t made any changes to any of the configuration for sssd, sshd, FreeIPA, or Kerberos. All of the configurations are default settings. FreeIPA version is 4.11.0-15.el9_4. SSSD version is 2.9.4-6.el9_4.1.

In the krb5_child.log, I see:

(2024-08-15 17:24:20): [krb5_child[90722]] [sss_krb5_prompter] (0x4000): [RID#15183] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1].
(2024-08-15 17:24:20): [krb5_child[90722]] [sss_krb5_prompter] (0x4000): [RID#15183] Prompt [0][Password for my_user@CAPS.INT].
(2024-08-15 17:24:20): [krb5_child[90722]] [sss_krb5_prompter] (0x0200): [RID#15183] Prompter interface isn't used for prompting by SSSD.Returning the expected error [-1765328254/Cannot read password].

sssd.conf:

[domain/caps.int]

id_provider = ipa
ipa_server_mode = True
ipa_server = pacific.caps.int
ipa_domain = caps.int
ipa_hostname = pacific.caps.int
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ifp, ssh, sudo

domains = caps.int
[nss]
homedir_substring = /home
memcache_timeout = 600

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
allowed_uids = ipaapi, root

[session_recording]

sshd_config:

Include /etc/ssh/sshd_config.d/*.conf
AuthorizedKeysFile      .ssh/authorized_keys
Subsystem       sftp    /usr/libexec/openssh/sftp-server

sshd_config.d/04-ipa.conf:

PubkeyAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

sshd_config.d/50-redhat.conf:

Include /etc/crypto-policies/back-ends/opensshserver.config
SyslogFacility AUTHPRIV
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
PrintMotd no

I tried commenting out the “ChallengeResponseAuthentication no” in the 50-redhat.conf file and restarting sshd. However, that made no difference. I’ve been looking through the sssd, sssd-ipa, and sshd_config pages and haven’t found any configuration options that might affect the ability to set the password. Any help will be appreciated.
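One thing worth checking on the sshd side is which of the two ChallengeResponseAuthentication lines sshd actually honours. sshd_config(5) states that, unless noted otherwise, the first obtained value for each keyword is used, and Include files are read in lexical order at the point of the Include directive, so the "yes" in 04-ipa.conf is obtained before the "no" in 50-redhat.conf and the latter never takes effect; on OpenSSH 8.7 and later the keyword is also an alias for KbdInteractiveAuthentication. The definitive check on the host is "sshd -T | grep -i -E 'challengeresponse|kbdinteractive'". The script below is an added example (not from the original post, and not part of OpenSSH or FreeIPA) that emulates the first-value-wins rule over a constructed copy of the three files quoted above, so the effect of an edit to one drop-in file can be seen before touching the live configuration. It builds its sample tree under a temporary directory, writes Include with an absolute path because real sshd resolves relative Include paths against /etc/ssh, and ignores Match blocks, which sshd -T handles and this reading aid does not.

```shell
#!/bin/sh
# Added example: emulate sshd's "first obtained value wins" lookup across
# Include files. Not OpenSSH code; the authoritative answer is `sshd -T`.
# Limitations: Match blocks and "Keyword=value" syntax are not handled.

# Normalise a keyword to lowercase and fold the OpenSSH 8.7+ alias
# ChallengeResponseAuthentication onto KbdInteractiveAuthentication.
canon() {
    k=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ "$k" = challengeresponseauthentication ] && k=kbdinteractiveauthentication
    printf '%s' "$k"
}

# first_value KEYWORD CONFIGFILE
# Prints the first value sshd would obtain for KEYWORD, descending into
# Include globs in lexical order at the point they appear. Exit 1 if unset.
first_value() {
    kw=$(canon "$1")
    cfg=$2
    [ -r "$cfg" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop comments
        set -- $line              # split into keyword and arguments
        [ $# -ge 2 ] || continue
        key=$(canon "$1")
        if [ "$key" = include ]; then
            shift
            for pattern; do
                for inc in $pattern; do   # unquoted: glob expands in sorted order
                    # recursion runs in a subshell, so kw/cfg are not clobbered
                    if v=$(first_value "$kw" "$inc"); then
                        printf '%s\n' "$v"
                        return 0
                    fi
                done
            done
        elif [ "$key" = "$kw" ]; then
            printf '%s\n' "$2"
            return 0
        fi
    done < "$cfg"
    return 1
}

# Constructed sample mirroring the layout quoted in the post (paths are in a
# temp directory, not /etc/ssh). Prints the directory it created.
build_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sshd_config.d"
    cat > "$dir/sshd_config" <<EOF
Include $dir/sshd_config.d/*.conf
AuthorizedKeysFile .ssh/authorized_keys
EOF
    cat > "$dir/sshd_config.d/04-ipa.conf" <<'EOF'
PubkeyAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
EOF
    cat > "$dir/sshd_config.d/50-redhat.conf" <<'EOF'
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM yes
X11Forwarding yes
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: show the effective value with and without the 04-ipa line.
if [ "${0##*/}" != "sh" ] && [ -z "$SSHD_EMU_NO_MAIN" ]; then
    d=$(build_sample)
    printf 'effective KbdInteractiveAuthentication: %s\n' \
        "$(first_value ChallengeResponseAuthentication "$d/sshd_config")"
    grep -v -i ChallengeResponseAuthentication "$d/sshd_config.d/04-ipa.conf" \
        > "$d/tmp" && mv "$d/tmp" "$d/sshd_config.d/04-ipa.conf"
    printf 'after removing it from 04-ipa.conf: %s\n' \
        "$(first_value ChallengeResponseAuthentication "$d/sshd_config")"
    rm -rf "$d"
fi
```

The first line of output is "yes", which is why commenting out the line in 50-redhat.conf changes nothing: that file is never the first source of the value. Only after the keyword is removed from 04-ipa.conf does the 50-redhat.conf setting become effective, and the emulation then prints "no". On the real host, confirm with sshd -T rather than trusting the emulation.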
