On Wed, Apr 3, 2013 at 10:16 PM, Natxo Asenjo <natxo.asenjo@xxxxxxxxx>wrote:
Following up a bit late on this, I found out the issue with the failing
freenx sessions centos 6.4.
We have a growing freeipa infrastructure (http://freeipa.org), using the
identity management solution delivered by RHEL. ,A colleague installed a
host and before joining it to the domain, installed freenx. It worked. So
that made me think that the problem was not with freenx but with freeipa.
Indeed, a joined host to a freeipa domain gets a few options on its ssh
client and server config files:
# diff ssh_config ssh_config.ipa
48a49,52
> GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
> PubkeyAuthentication yes
> ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
# diff sshd_config sshd_config.ipa
81d80
< GSSAPIAuthentication yes
97d95
< UsePAM yes
139a138,143
> KerberosAuthentication no
> PubkeyAuthentication yes
> UsePAM yes
> GSSAPIAuthentication yes
> AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
If we revert the ssh_config and sshd_config files and join the hosts,
freenx works again.
We lose the known_hosts integration but we already were doing that witch
cfengine. For other environments this could be an issue.
I will contact the freeipa guys about this issue, but provided freenx is
not a part of RHEL, I do not think they will see this as their problem.
We'll see.
--
groet,
natxo
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
