Problem: UMC Diagnostic Module Complains about SSH Errors

Problem

The diagnostic module in Univention Management Console (UMC) reports a warning about SSH connections similar to:

Solution

Step 1

If not already done, try to fix the issue by following the steps from this

Step 2

Check whether the attribute “univentionPWExpiryInterval” is set on the machine account and, if so, remove the attribute:

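root@ucs:~# # Remove univentionPWExpiryInterval from every DC object that carries it.
root@ucs:~# # Process substitution keeps the loop from running once on empty search output.
root@ucs:~# while read -r dn; do
ldapmodify -D "$( ucr get ldap/hostdn )" -y /etc/machine.secret <<%EOR
$dn
changetype: modify
delete: univentionPWExpiryInterval
%EOR
done < <( univention-ldapsearch -LLLo ldif-wrap=no "(&(objectClass=univentionDomainController)(univentionPWExpiryInterval=*))" dn | grep "^dn: " )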

Step 3

When trying to connect to one of the other DCs in your environment, the connection fails with a message like:

univention-ssh /etc/machine.secret $(hostname)$\@<REMOTE DC>
Received disconnect from x.x.x.x port 22:2: Too many authentication failures
Authentication failed.

This can happen when PasswordAuthentication is disabled on the remote system, so the password is never requested.

First check on the remote system whether the UCR variable sshd/passwordauthentication is set to true. If it is not, or if the PasswordAuthentication parameter in /etc/ssh/sshd_config is set to no, change it as follows:

root@ucs:~# ucr set sshd/passwordauthentication=yes
Setting sshd/passwordauthentication
File: /etc/ssh/sshd_config
root@ucs:~# service ssh reload
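
An added example (not part of the original article or of Univention's tooling): a small shell check for the Step 3 condition that reads the global PasswordAuthentication setting from an sshd_config-style file. The function names and the sample file are assumptions constructed for illustration; Include files and Match blocks are not evaluated.

```bash
# Added example: report the global PasswordAuthentication value of an
# sshd_config-style file. sshd keeps the first value it reads for a keyword,
# matches keywords case-insensitively, and defaults this option to "yes".
# Limitation: Include files and Match blocks are not evaluated.
effective_password_auth() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }                 # drop indentation (re-splits fields)
        /^#/ || $1 == "" { next }              # skip comments and blank lines
        tolower($1) == "match" { exit }        # conditional section starts: stop
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }        # option absent: sshd default
    ' "$1"
}

# Exit status 0 if password logins are allowed, 1 if the file disables them.
password_auth_enabled() {
    [ "$(effective_password_auth "$1")" = "yes" ]
}

# Constructed sample input (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
  passwordauthentication no
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF

if password_auth_enabled "$sample"; then
    echo "PasswordAuthentication: yes"
else
    echo "PasswordAuthentication: $(effective_password_auth "$sample") - password login will be refused"
fi
rm -f "$sample"
```

On a live system, `sshd -T` prints the configuration that sshd actually applies, including included files.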

Step 4

Restart your Kerberos services on the target host (Samba/Heimdal).
