Hi list.
I have a CentOS 8.4 machine (fully updated), where
sss_ssh_authorizedkeys is successfully able to pull public keys from IPA
user certificates. Recently I have installed a new Fedora 34 machine and
this functionality is not working - running "sss_ssh_authorizedkeys
username" only reports public keys explicitly added to the account,
omitting keys from X.509 certificates.
Both machines are joined to the same IPA domain.
I've checked the sssd configuration, and the ssh_use_certificate_keys option
seems to be default, as the man page states. To be extra sure, I have
also manually added it to sssd.conf:

[ssh]
ssh_use_certificate_keys = true

The CentOS machine has the following package versions:
python3-sss-murmur-2.4.0-9.el8_4.2.x86_64
sssd-proxy-2.4.0-9.el8_4.2.x86_64
libsss_sudo-2.4.0-9.el8_4.2.x86_64
libsss_autofs-2.4.0-9.el8_4.2.x86_64
sssd-nfs-idmap-2.4.0-9.el8_4.2.x86_64
sssd-2.4.0-9.el8_4.2.x86_64
libsss_idmap-2.4.0-9.el8_4.2.x86_64
sssd-ldap-2.4.0-9.el8_4.2.x86_64
sssd-kcm-2.4.0-9.el8_4.2.x86_64
sssd-dbus-2.4.0-9.el8_4.2.x86_64
python3-cssselect-0.9.2-10.el8.noarch
sssd-ipa-2.4.0-9.el8_4.2.x86_64
sssd-ad-2.4.0-9.el8_4.2.x86_64
python3-sssdconfig-2.4.0-9.el8_4.2.noarch
sssd-krb5-2.4.0-9.el8_4.2.x86_64
sssd-tools-2.4.0-9.el8_4.2.x86_64
sssd-client-2.4.0-9.el8_4.2.x86_64
sssd-krb5-common-2.4.0-9.el8_4.2.x86_64
sssd-common-2.4.0-9.el8_4.2.x86_64
sssd-common-pac-2.4.0-9.el8_4.2.x86_64
libsss_certmap-2.4.0-9.el8_4.2.x86_64
libsss_nss_idmap-2.4.0-9.el8_4.2.x86_64
libsss_simpleifp-2.4.0-9.el8_4.2.x86_64
python3-sss-2.4.0-9.el8_4.2.x86_64

The Fedora machine has the following package versions:
libsss_idmap-2.5.2-2.fc34.aarch64
libsss_autofs-2.5.2-2.fc34.aarch64
libsss_sudo-2.5.2-2.fc34.aarch64
libsss_certmap-2.5.2-2.fc34.aarch64
sssd-nfs-idmap-2.5.2-2.fc34.aarch64
libsss_nss_idmap-2.5.2-2.fc34.aarch64
sssd-client-2.5.2-2.fc34.aarch64
sssd-common-2.5.2-2.fc34.aarch64
sssd-common-pac-2.5.2-2.fc34.aarch64
sssd-dbus-2.5.2-2.fc34.aarch64
sssd-krb5-common-2.5.2-2.fc34.aarch64
python3-sssdconfig-2.5.2-2.fc34.noarch
python3-sss-2.5.2-2.fc34.aarch64
sssd-tools-2.5.2-2.fc34.aarch64
python3-sss-murmur-2.5.2-2.fc34.aarch64
sssd-ipa-2.5.2-2.fc34.aarch64
sssd-kcm-2.5.2-2.fc34.aarch64
Any hints on how to make sss_ssh_authorizedkeys pull keys from IPA user
certificates on Fedora, or how to further debug this?
Best regards,
Radoslaw