Description of problem:
Ran ipa-client-install as part of the server install; GSSAPIAuthentication, Kerberos and UsePAM were not enabled in /etc/ssh/sshd_config.

Version-Release number of selected component (if applicable):
2.0.0.rc3

How reproducible:
Run the install script.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
https://fedorahosted.org/freeipa/ticket/1634

Would you mind adding more details to the ticket that I opened? Here are some questions:
1) Why do you think IPA should touch the SSH configuration on the machine?
2) Should it be a client option?
3) Should there be a server install option to configure SSH that would be passed to the client?
4) It seems that SSH can be configured in different ways; what is the preferred configuration? Can you provide a sample config file?

Thank you,
Dmitri
1) I think ipa-client-install should enable the required settings in sshd_config because ssh is the most common way of accessing Linux machines (servers in particular). As a user I expect to be able to log in to the server with IPA credentials after the setup. It's also a part of the server install instructions to restart the ssh service so it can retrieve its Kerberos principal, which doesn't make much sense if Kerberos is not enabled in sshd (6.3, point 4 in the management guide). Also, given that ipa-client-install touches the nsswitch/pam/sssd/kerberos config files, ssh feels like the missing piece.

2) Not sure if you mean client vs. server option or option vs. mandatory. It should definitely be done by the client; I would say a --no-sshd option similar to the --no-sssd option would be natural.

3) Personally I don't think so, as this is really a client issue.

4) I don't have a sample config file, but there are 3 required settings (please confirm this, as I'm new to Kerberos and IPA):

4.1) Enable Kerberos; this is required to be able to log in with IPA credentials (I set them all to yes, which I think is a reasonable configuration; we may have some service accounts in the local password file):
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

4.2) Enable GSSAPI; this allows ssh to other machines without retyping the password:
GSSAPIAuthentication yes

4.3) Enable UsePAM; this is required to make HBAC rules work. Otherwise all users in the IPA realm will have access to the server:
UsePAM yes
Correction: Kerberos would not be required if UsePAM is enabled and sssd is being configured, as PAM is set up to use sssd. I think GSSAPI would still be required to enable passwordless ssh using tickets.
This issue has been fixed upstream. ipa-client-install in the next version of IPA (2.2) will set GSSAPIAuthentication and UsePAM to "yes". KerberosAuthentication will be set to "no" so that the authentication request is passed to the PAM stack (and SSSD).
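An added audit helper (not part of FreeIPA or this bug's comments) that reads an sshd_config the way sshd does (first uncommented occurrence of a keyword wins, keywords case-insensitive, settings after a Match block ignored) and reports which of the three values described above differ from what ipa-client-install 2.2 is said to set. The two sample config files it checks are constructed inline; the "key=value" spelling of sshd options is not handled.

```shell
#!/bin/sh
# sshd_effective_value FILE KEYWORD
# Prints the global effective value of KEYWORD: the first uncommented
# occurrence before any Match block; keyword comparison is case-insensitive.
sshd_effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }  # conditional section, stop
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_ipa_sshd_config FILE
# Compares against the values named in the comment above; an unset keyword
# falls back to "no", the OpenSSH default for all three options.
# Returns 0 when all match, 1 otherwise, printing each mismatch.
check_ipa_sshd_config() {
    file="$1"; rc=0
    for pair in GSSAPIAuthentication=yes UsePAM=yes KerberosAuthentication=no; do
        key="${pair%=*}"; want="${pair#*=}"
        got="$(sshd_effective_value "$file" "$key")"
        got="${got:-no}"
        if [ "$got" != "$want" ]; then
            printf '%s: %s is "%s", expected "%s"\n' "$file" "$key" "$got" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the state after the 2.2 fix (KerberosAuthentication left at default).
sample_good=$(mktemp)
cat > "$sample_good" <<'EOF'
Port 22
gssapiauthentication yes
UsePAM yes
EOF

# Constructed sample: the state reported in this bug (GSSAPI commented out, PAM off).
sample_bad=$(mktemp)
cat > "$sample_bad" <<'EOF'
Port 22
#GSSAPIAuthentication yes
UsePAM no
EOF

check_ipa_sshd_config "$sample_good" && echo "$sample_good: OK"
check_ipa_sshd_config "$sample_bad" || echo "$sample_bad: needs fixing"
```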
freeipa-2.2.0-1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/freeipa-2.2.0-1.fc17
Package freeipa-2.2.0-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-2.2.0-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7278/freeipa-2.2.0-1.fc17
then log in and leave karma (feedback).
freeipa-2.2.0-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.