LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

May 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS May 2006

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Authentication problems
From:	John Hanks <[log in to unmask]>
Reply To:	[log in to unmask]
Date:	Mon, 22 May 2006 15:21:03 -0600
Content-Type:	text/plain
Parts/Attachments:	text/plain (62 lines)

Our setup (which has worked great until a few weeks ago) is:

  * Windows Active Directory for LDAP and Kerberos 
  * Clusters using Scientific Linux 4.2 
  * Workstations using Fedora Core 4/5 

In the last couple of weeks we've seen some strange behavior. Some
accounts (generally the older user accounts) are continuing to work
fine. But newer accounts are no longer able to connect to any of the SL
4.2 clusters. At first I thought it was a kerberos issue, but I've been
unable to find anything to point at a kerberos/LDAP problem. As far as I
can tell, there is no significant difference between newer and older
accounts within the LDAP directory. 

sshd hangs when attempting to exchange the public key. I've started sshd
in debug mode with:

[root@edna pam.d]# /usr/sbin/sshd -p 48000 -ddd

then connected from a workstation using a "bad" account with this
command:

griznog@danaus ~ $ ssh -vvv -p 48000 markm@edna

The sshd session logs these lines as the last bit of output before
hanging:

debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 331
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7

the ssh session connecting has this to say:

debug1: Authentications that can continue:
publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/griznog/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply

To muddy the water some more, trying to 'su - baduser' behaves
similarly, the su command hangs but it waits until something times out
then succeeds. The problem doesn't exist on our FC5 workstations, either
with su or ssh.

If someone has any clues as to what might cause this or can provide some
pointers to use while troubleshooting, I'd be grateful.

Thanks,

jbh

John Hanks
Utah State University

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV