Issue Password-less SSH:  Sun OpenDS 2.0 as Naming Service

Similar Messages

• Prompting for passwords even i configured ssh password less authentication

  There are two servers :
  1. Site
  2. Testing
  from site server i want to connect testing server with ssh password less authentication.
  i generated public and private keys with ssh-keygen -t rsa on site server.
  cat id_rsa >> authorized_keys
  cat id_rsa.pub >> authorized_keys
  i appended id_rsa.pub ( public key site server ) to authorized_keys ( testing server ) with below command .
  ssh [email protected] "cat >> ~/.ssh/authorized_keys" < ~/.ssh/id_rsa.pub
  am i missing some point in performing procedure for ssh password less authentication ?
  because it prompts for passwords agaian and again
  Edited by: user13376823 on Oct 9, 2012 9:30 AM

  user13376823 wrote:
  There are two servers :
  1. Site
  2. Testing
  from site server i want to connect testing server with ssh password less authentication.
  i generated public and private keys with ssh-keygen -t rsa on site server.
  cat id_rsa >> authorized_keys
  cat id_rsa.pub >> authorized_keysI don't think you should be doing this. I can't see the point of adding the private key and adding the public key means the "Site" can ssh to itself without needing a password!
  >
  i appended id_rsa.pub ( public key site server ) to authorized_keys ( testing server ) with below command .
  ssh [email protected] "cat >> ~/.ssh/authorized_keys" < ~/.ssh/id_rsa.pub
  I would expect you to add the RSA public key to the "authorized_keys2" file and not the "authorized_keys" file.
  >
  >
  am i missing some point in performing procedure for ssh password less authentication ?
  because it prompts for passwords agaian and again
  Edited by: user13376823 on Oct 9, 2012 9:30 AM

• Ssh connectivity(password less)  for oracle unix account in 11gR2 RAC

  DB : 11.2.0.2
  OS : Unix
  While installiation of RAC, password less connectivity setup is required between two nodes to copying files and to run commands. This is mandatory before installation.
  But after installation, is it require to have password less connectivity ( SSH) between two nodes ? By locking "oracle" unix account breaks ssh connectivity between two nodes. Even though it's not breaking cluster, but do we really need ssh connectivity once RAC db is up and running ?

  it is also used when you apply patches but not for everyday 'normal' operation
  http://download.oracle.com/docs/cd/B19306_01/install.102/b14203/prelinux.htm#BABJBAEB
  Oracle Universal Installer uses the ssh and scp commands during installation to run remote commands on and copy files to the other cluster nodes. You must configure SSH so that these commands do not prompt for a password.
  Source:-SSH for 10g RAC

• Irregular failure to authenticate OpenDirectory users via password-based ssh

  TL;DR - my Yosemite Open Directory server irregularly fails to properly authenticate users (via password-based ssh). 
  I recently moved an Open Directory server from an Xserve running 10.6 to a new Mini running 10.10.  I archived the OD config on the Xserve and then took it offline.  Then I brought the Mini online using the same hostname/IP address, created a new OD master using the archived configuration.  Everything seemed to work well, however sometimes the server will not authenticate users via password when logging in with ssh/sftp/scp.  This is also true of a few OS X machines that bind to the OD server (i.e. they usually authenticate users properly, but sometimes fail for no discernable reason). 
  The failures are only for password authentication using ssh.  Other mechanisms do not exhibit the auth failures.  For instance, AFP and SMB user auth never fails (with proper credentials).  Nor do users to a FileMaker Server machine that authenticate via the OD server have problems.  Public key based ssh authentication never fails.  Local accounts (non-OD, aka "Local Network Accounts") also do not fail using password-based authentication.
  The failures are irregular.  The only pattern that I can find at all is that sometimes when the failures start happening, they keep happening continuously until...at some point they work properly again.  That is, they may fail from 11:15 am to 2:01 pm, and if so, then all of them fail in that time range.  Sometimes that time range lasts seconds, sometimes it lasts hours.
  The time range failure pattern is host specific.  For instance, if password authentication is failing on the main OD server, authentication may be fine on the other bound machines.  If authentication is failing on one of the bound machines, then it may be fine on all others and fine on the OD server itself.
  The failure pattern does not seem to correlate to any other events or activity on the server (even remotely).  CPU utilization never gets above about 15%.  Memory utilization is similarly very low.  Network traffic is occasionally high, but it does not seem in any way related to the auth failures.  There are not other log messages that occur before or after the failures with any consistency.
  I've been monitoring the auth failures by attempting to login to the OD server and two other bound hosts once per minute so that I can tell when the auth is failing (before getting calls from the users). 
  The adaptive firewall is not running on the OD server.  Nor is any other firewall.
  Below are a comparison of the system.log entries for a failed and successful auth (I've stripped out those lines that are identical in both instances).  The log entries have been sanatized as described.
  Rebooting the OD server does not affect the bound clients' authentication.  Rebooting the OD server is problematic, and I cannot do it often.  When I do, sometimes failures start soon after reboot, and sometimes that don't come back for many hours - again, no discernable pattern.
  If anyone has any ideas what I can do to discover the source of this problem and come up with a solution, I'd very much appreciate it.  Note that I'm aware that I can export all users and group and reconstruct a new, clean OD master, but without the ability to save the passwords, this becomes a large logisitcal problem, and I'm saving it as a last resort (particularly since if it doesn't solve my problem, I will have inconvenienced many users and be right back in the same place).
  Thanks for reading.
  First failure:
      Feb 11 00:00:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:65373 for host/[email protected] [canonicalize, forwardable]
      Feb 11 00:00:20 odserver.myorg.gov opendirectoryd[67268]: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm ODSERVER.MYORG.GOV, tried 2 KDCs (negative cache))
      Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: error: PAM: authentication error for myusername from clienthost.myorg.gov via 10.50.50.50
      Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: Connection closed by 10.50.50.99 [preauth]
  Now successful auth:
      Feb 11 01:03:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:63978 for host/[email protected] [canonicalize, forwardable]
      Feb 11 01:03:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:62346 for ldap/[email protected] [canonicalize, forwardable]
      Feb 11 01:03:20 odserver.myorg.gov sshd[73786]: Accepted keyboard-interactive/pam for myusername from 10.50.50.99 port 53361 ssh2
      Feb 11 01:03:20 odserver.myorg.gov NetAuthSysAgent[73789]: GetStatus: connecting to self not allowed
     Feb 11 01:03:20 odserver.myorg.gov NetAuthSysAgent[73789]: ERROR: AFP_GetServerInfo - connect failed 62
  I've sanitized the entries as follows, replacing...
  My username by myusername
  The ssh source host IP address by 10.50.50.99
  The ssh source hostname by clienthost.myorg.gov
  The server hostname by odserver.myorg.gov
  The server hostname (in caps) by ODSERVER.MYORG.GOV
  The server IP address by 10.50.50.50

  Hello James,
  I have not had a chance to look for the Router configuration document, however, for one of my certificate exams I did configure Authentication Proxy on an IOS router. The config for that lab was:
  aaa new-model
  aaa authentication login default group tacacs+ local
  aaa authorization auth-proxy default group tacacs+ local
  aaa session-id common
  ip auth-proxy name AUTHPROXY http inactivity-time 60
  interface FastEthernet0/0
  ip address 192.168.250.19 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface FastEthernet0/1
  ip address 192.168.200.120 255.255.255.0
  ip access-group 110 in
  ip nat inside
  ip virtual-reassembly
  ip auth-proxy AUTHPROXY
  duplex auto
  speed auto
  ip route 0.0.0.0 0.0.0.0 192.168.250.1
  ip http server
  ip http authentication aaa
  no ip http secure-server
  ip nat inside source list nat interface FastEthernet0/0 overload
  ip access-list extended nat
  permit ip 192.168.200.0 0.0.0.255 any
  access-list 110 permit ip any any
  tacacs-server host 192.168.250.20
  tacacs-server key cisco123
  end
  Please check if the commands are supported on your router as well.
  If this ws helpful please rate.
  Regards.

• Encoding issue with " " Less than sign

  Hello Experts,
     I am working on Receiver Webservice scenario where I am facing issue with "<" less than sign. SAP XI system automatically replace it with "&#60;" sign. I can see the changed value in Audit log of communication channel.
  Web service is not able to accept the data and I can see error message in audit log
  SOAP: response message contains an error XIAdapter/PARSING/ADAPTER.SOAPEXCEPTION - soap fault: Server was unable to read request. ---> There is an error in XML document (1, 573). ---> The specified node cannot be inserted as the valid child of this node, because the specified node is the wrong type._
  When I check the payload in audit log I can see the XML structure properly but as I open it in Notepad I can see character code "&#60;" instead of  u201Cless than <u201D symbol.
  Audit log XML file is as given below
  <?xml version="1.0" encoding="utf-8" ?>
  - <ns1:TurnaroundDetail xmlns:ns1="http://isotrak.com/webservices">
    <ns1:sessionid>3f2f2592-39d5-456e-8cf2-5d7ee81402c8</ns1:sessionid>
    <ns1:data><Request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><TurnaroundDetail><PlannedJobDepartureDatesFrom="2011-03-01T12:01:23.00" To="2011-03-01T12:07:10.00"/><DepotReference DepotReference="EASTLEIGH"/><DepotReference DepotReference="CHANDLERS"/></TurnaroundDetail></Request></ns1:data>
    </ns1:TurnaroundDetail>
  When I open it in notepad I can see converted value
  <?xml version='1.0' encoding='utf-8'?>
  <TurnaroundDetail xmlns='http://isotrak.com/webservices'><sessionid>dcc4adcd-ce8f-403d-a1cf-01fcc5aab066</sessionid><data>&#60;Request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">&#60;TurnaroundDetail>&#60;PlannedJobDepartureDatesFrom="2011-03-02T08:28:29.00" To="2011-03-02T08:38:09.00"/>&#60;DepotReference DepotReference="EASTLEIGH"/>&#60;DepotReference DepotReference="CHANDLERS"/>&#60;/TurnaroundDetail>&#60;/Request></data></TurnaroundDetail>
  I hope this is not caused due to AnonymizerBean configured in receiver SOAP comm channel.
  anonymizer.acceptNamespaces   http://isotrak.com/webservices ''
  anonymizer.encoding  ISO-8859-1 (also tried utf-8)
  anonymizer.quote  ''
  Could you please suggest if I can get rid of "&#60;" character and get < less than sign? Or it is obvious behaviour by SAP XI system w.r.t Encoding and Receiver end needs to decode this character?
  Note: As per Web service requirement whole XML data to be processed by webservice is populated in single Data field. As here we are populating whole XML data file in one field named data
  Thanks in advance.
  Vinit.

  Simply typing "Test <test> test" into a frame and exporting that yields
  <ParaStyle:Body>Test \<test\> test
  and reading it back into ID gives the expected result.

• Please help me to change the password policy in Sun Directory Server 6.0

  Hi,
  Please help me to change the password policy in Sun Directory Server 6.0

  What are you trying to accomplish? Have you at least read the manual?
  http://docs.oracle.com/cd/E19693-01/819-0995/fhkrj/index.html
  As reported in earlier threads on this forum, DSEE 6.0 IS NOT a release you should use in your production environment, specially if you're starting new projects; consider moving at least to the latest 6.x release which is 6.3.1.1.1
  thanks,
  Marco

• I Would like to Enter My Password Less Often

  I would like to enter my password less often.  I am running the Hello Kitty OS  (a.k.a. iOS 7).
  Previously, I was able to set iPhone so it only required a password every 15 min.  Now, after 5 min. I must reenter the password.
  Thanks

  If you are connected to a corporate IT mail server (Exchange) Your IT staff may be controlling the security options of the device. Speak with Them.
  I.T. department is anti-Apple.  I'm on my own.
  look at, Settings>TouchID&Passcode>Require Immediately
  THANKS, that may have done it.

• Pass password to ssh

  Hi,
  it's possible to pass password into ssh-add? If it is, how? I want to unlock key automatically after reboot.

  Thanks of answers ^_^
  graysky wrote:Which greeter are you using (lxdm, lightdm, gdm, etc)?  Check the wiki for this topic.
  I am using autologin via systemd with XServer autostart
  https://wiki.archlinux.org/index.php/Au … al_console
  https://wiki.archlinux.org/index.php/Start_X_at_Login
  jasonwryan wrote:That sort of undermines the whole point of having a passphrase in the first place.
  No, it doesn't. I don't wan't to input password every time I restarted my laptop, but I don't want to keep my key unprotected for cases
  when someone copies it.
  jasonwryan wrote:This sounds like an XY Problem. What are you trying to achieve?
  Possibly it is. I am trying to achieve:
  After autologin my ssh key is in keychain (https://wiki.archlinux.org/index.php/SSH_Keys#Keychain), gnome-keyring and others seems
  just to heavy and I can use it without writing my password. Writing my password for the key once is accetable, however need to manually
  write ssh-add is not.
  So if key will be added automatically on "ssh host" and I must input password first time I connect somewhere, I am fine with it..
  I hope I made clear what I need.

• [Unknowingly Solved] Bash, passing password to ssh-add

  Hey guys,
  I'm working on a script to add my ssh key to my ssh-agent using pam_exec.so. pam_exec passes the password to my script over STDIN, which is fine. But I can't for the life of me figure out how to pass the password to ssh-add.
  I've already seen this question, but would really perfer not to have to install extra/expects just for this on script.
  Any ideas?
  Last edited by EvanPurkhiser (2013-08-14 05:40:34)

  Wow.. Ok. So I feel dumb. I was way over thinking this one.
  Since pam_exec passes the password to the script over STDIN (WITH a trailing null character) I actually just have to add the ssh-add command somewhere in the script and it will read from STDIN.
  I was actually stuck on this for awhile and had already tried
  echo "myPassword" | add-pass
  which obviously didn't work. And even now, trying something like this
  printf "MyPassword\x00" | ssh-add
  still doesn't work.
  I'm actually a little perplexed as to WHY this worked.
  Here's the full script
  #!/bin/sh
  # Takes a password from STDIN, starts the ssh-agent as a systemd user service,
  # and decrypts the ssh key using the provided password, adding it to the agent.
  # Handle inital checks as root
  if [ $(id -u) = 0 ]
  then
  # Don't execute if the user-session isn't running
  systemctl -q is-active user-session@${PAM_USER} || exit 0
  # Re-execute this script as the user to add their key (while piping STDIN)
  cat | exec su ${PAM_USER} -c $(realpath ${BASH_SOURCE[0]})
  # Handle adding the key as the user
  else
  # We need to specify the XDG_RUNTIME_DIR because pam_systemd won't have run
  export XDG_RUNTIME_DIR=/run/user/$(id -u)
  # Get the SSH_AUTH_SOCK variable from the user session
  export $(systemctl --user show-environment | grep SSH_AUTH_SOCK)
  # Ensure the ssh-agent service is started
  systemctl --user start ssh-agent
  ssh-add
  fi
  ... Marking as unknowingly solved
  Last edited by EvanPurkhiser (2013-08-14 05:40:58)

• Sun One Web Server 6.0 Service Pack 5

  I installed Windows 2000 SP3, Coldfusion MX Updater 1, and Sun One Web Server 6.0 Service Pack 5. In 2 separate instances I had the Sun One Web Server Stop serving all html pages immediately after I set automatic access log rotation in the web server administrator. I had the access log rotate every 1440 minutes at 12:00 AM. Although the web server instance appeared to be started, no html pages could be served. In addition, I was not able to undo the changes through the web server administrator. I finally tried to edit the magnus.conf file to remove the new log settings. However, nothing could bring back the web server into a working state. Web Server restarts and entire server reboots did not resolve this issue. I was wondering if anybody else has seen this issue and if so, how did you resolve it? I was forced to completely uninstall the web server and reinstall it. This makes me hesitant to put Sun One Web Server 6.0 SP5 into production. Any other thoughts or experiences with SP5 in a Windows/ColdfusionMX environment? Thanks for any help?

  Since removing the log settings from magnus.conf failed to fix the problem, the log settings are probably not the source of the problem.
  Did anything else - e.g. ColdFusion configuration changes - occur at about the same time you changed the log settings?

• How to fix this error "this iPad is not able to complete the activation process. Please press Home and start over. If the issue persists, please visit your nearest Apple Store or Authorized service provider for more information or replacement"?

  How to fix this error "this iPad is not able to complete the activation process. Please press Home and start over. If the issue persists, please visit your nearest Apple Store or Authorized service provider for more information or replacement"? When I plugged in my iPad this popped up!

  Hi csreddy, 
  If you are receiving a message to contact an Apple Retail Store or Authorized Service Provider for help updating from iOS 3, click on the link below to initiate that support:
  Update the iOS software on your iPhone, iPad, and iPod touch - Apple Support
  http://support.apple.com/en-us/HT204204
  Update your device using iTunes
  If you can’t update wirelessly, or if you want to update with iTunes, follow these steps:
  Install the latest version of iTunes on your computer.
  Plug in your device to your computer.
  In iTunes, select your device.
  In the Summary pane, click Check for Update. 
  Click Download and Update.
  If you don't have enough free space to update using iTunes, you'll need to delete content manually from your device.
  Find out what to do if you get other error messages while updating your device.
  Last Modified: Jan 12, 2015
  Apple - Find Locations
  https://locate.apple.com
  Contact Apple for support and service - Apple Support
  http://support.apple.com/en-us/HT201232
  Regards,
  - Judy

• Changing Domain Administrator Password : How can I find out what all servers / services are currently using this?

  Good morning all,
  I took over as IT director for the school district in my town about 2 years ago, and we've had some techs come and go, all of which have had the domain administrator password (not my call, but my fault for not changing it by now).  I am about to change
  it, but before doing so I want to know how I can make sure what all this will break so I can quickly change the cached/saved password on whatever supporting services use this user/pass.
  Can anyone help here?
  Thank you!

  Hello,
  In my point of view if I were in this situation I would Change the domain administrator password. By
  Resetting the domain administrators all the services which use domain administrator as their logon user, will lose their functionality. I had this experience and I did change the domain administrator password with no problem. However do not
  forget to have a account lockout tool or script for locating the place where the account was locked out.
  But to keep it short most of the time. lockout problems are arise from mapped drives, credential manager and saved RDP sessions and etc.
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Help on Sun Certified Developer for Java Web Services (CX-310-220) exam

  Hi,
  I am planing for Sun Certified Developer for Java Web Services (CX-310-220) certification. Can anyone provide me the links for resouces? can anyone provide me books/publications/author best preparation material to score good marks in exam? can anyone provide me the download resources available over internet?
  thanks in advance..!!!
  regards
  gaveesha

  yes, that's the only decent book covering most of the exam curiculum (but NOT all of it, check the exam specs versus the book content to know what you are missing).
  I'm working on the same material, and boy is it a lot...
  Dry, boring stuff most of it.

• Sun Certified Developer for Java Web Services (CX-310-220)

  Hello All,
  I'm planning to study for Sun Certified Developer for Java Web Services (CX-310-220). I really appreciate any help in suggesting the books and the material requiered for the above certification.
  Thanks,
  Greeshma...

  yes, that's the only decent book covering most of the exam curiculum (but NOT all of it, check the exam specs versus the book content to know what you are missing).
  I'm working on the same material, and boy is it a lot...
  Dry, boring stuff most of it.

• Issue while starting Named service

  HI All,
  I an in process of upgrading cluster from 1.2.0.5 to 11gr2.My OS is Redhat linux 5.3 For the same i am trying to configure DNS and scan .As i dont' have much idea  about network so
  I followed the link for configuring DNS Oracle 11gR2 2-node RAC on VMWare Workstation 8 – Part VII | The Gruff DBA  . As per link i installed below rpms
  [root@nod1 log]# rpm -qa bind*
  bind-libs-9.3.4-10.P1.el5
  bind-utils-9.3.4-10.P1.el5
  bind-chroot-9.3.4-10.P1.el5
  bind-9.3.4-10.P1.el5
  [root@nod1 log]#
  root@nod1 log]# rpm -qa cach*
  caching-nameserver-9.3.4-10.P1.el5
  [root@nod2 named]# more /etc/named.conf---> Named.conf file from nod2
  options {
          directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
          forwarders { 192.168.1.1; };
  include "/etc/rndc.key";
  zone "mydomain" IN {
  type master;
  file "mydomain.zone";
  allow-update { none; };
  [root@nod1 named]# pwd
  /var/named
  [root@nod1 named]# more mydomain.zone
  $TTL  86400
  @ IN SOA      mydomain. mydomain.(
  42          ; serial (d. adams)
  3H          ; refresh
  15M         ; retry
  1W          ; expiry
  1D )        ; minimum
  nod1.                        IN NS   192.168.56.2
  localhost                     IN A   127.0.0.1
  nod2.mydomain                 IN A   192.168.56.5
  nod1.mydomain                 IN A    192.168.56.2
  nod2-vip.mydoamin.            IN A    192.168.56.7
  nod1-vip.mydoamin..           IN A    192.168.56.4
  underworld-scan.mydomain.     IN A    192.168.56.20
  underworld-scan.mydomain.     IN A    192.168.56.21
  [root@nod2 named]# more /etc/resolv.conf
  nameserver  192.168.56.5    # nod2 DNS server
  nameserver 192.168.56.2     # nod1 DNS server
  nameserver 192.168.1.1    # Primary DNS in the domain
  search mydomain # Local Domain
  But i am hitting issue when i am starting named service:
  [root@nod1 log]# service named start
  Starting named:
  Error in named configuration:
  zone mydomain/IN: loading master file mydomain.zone: file not found
  _default/mydomain/IN: file not found
                                                             [FAILED]
  [root@nod1 log]# Can anyone please help me out .. as its really hitting me badly . Thanks in advance

  Hi
  To configure the SCAN , this SCAN IP should be resolve through DNS or /etc/hosts file .Please follow the below link to configure the DNS.
  If you face any problem , then please let me know .
  shivenracdba: configure DNS for Installtion of Oracle Grid Infrastructure RAC cluster
  warm regards
  Shivendra Narain Nirala