On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via FreeIPA-users wrote:
Hi list.
I have a CentOS 8.4 machine (fully updated), where sss_ssh_authorizedkeys is
successfully able to pull public keys from IPA user certificates. Recently I
have installed a new Fedora 34 machine and this functionality is not working
- running "sss_ssh_authorizedkeys username" only reports public keys
explicitly added to the account, omitting keys from X.509 certificates.
Both machines are joined to the same IPA domain.
I've checked sssd configuration, and ssh_use_certificate_keys option seems
to be default, as the man page states. To be extra sure, I have also
manually added it to sssd.conf:
[ssh]
ssh_use_certificate_keys = true
CentOS machine has the following package versions:
python3-sss-murmur-2.4.0-9.el8_4.2.x86_64
sssd-proxy-2.4.0-9.el8_4.2.x86_64
libsss_sudo-2.4.0-9.el8_4.2.x86_64
libsss_autofs-2.4.0-9.el8_4.2.x86_64
sssd-nfs-idmap-2.4.0-9.el8_4.2.x86_64
sssd-2.4.0-9.el8_4.2.x86_64
libsss_idmap-2.4.0-9.el8_4.2.x86_64
sssd-ldap-2.4.0-9.el8_4.2.x86_64
sssd-kcm-2.4.0-9.el8_4.2.x86_64
sssd-dbus-2.4.0-9.el8_4.2.x86_64
python3-cssselect-0.9.2-10.el8.noarch
sssd-ipa-2.4.0-9.el8_4.2.x86_64
sssd-ad-2.4.0-9.el8_4.2.x86_64
python3-sssdconfig-2.4.0-9.el8_4.2.noarch
sssd-krb5-2.4.0-9.el8_4.2.x86_64
sssd-tools-2.4.0-9.el8_4.2.x86_64
sssd-client-2.4.0-9.el8_4.2.x86_64
sssd-krb5-common-2.4.0-9.el8_4.2.x86_64
sssd-common-2.4.0-9.el8_4.2.x86_64
sssd-common-pac-2.4.0-9.el8_4.2.x86_64
libsss_certmap-2.4.0-9.el8_4.2.x86_64
libsss_nss_idmap-2.4.0-9.el8_4.2.x86_64
libsss_simpleifp-2.4.0-9.el8_4.2.x86_64
python3-sss-2.4.0-9.el8_4.2.x86_64
Fedora machine has the following package versions:
libsss_idmap-2.5.2-2.fc34.aarch64
libsss_autofs-2.5.2-2.fc34.aarch64
libsss_sudo-2.5.2-2.fc34.aarch64
libsss_certmap-2.5.2-2.fc34.aarch64
sssd-nfs-idmap-2.5.2-2.fc34.aarch64
libsss_nss_idmap-2.5.2-2.fc34.aarch64
sssd-client-2.5.2-2.fc34.aarch64
sssd-common-2.5.2-2.fc34.aarch64
sssd-common-pac-2.5.2-2.fc34.aarch64
sssd-dbus-2.5.2-2.fc34.aarch64
sssd-krb5-common-2.5.2-2.fc34.aarch64
python3-sssdconfig-2.5.2-2.fc34.noarch
python3-sss-2.5.2-2.fc34.aarch64
sssd-tools-2.5.2-2.fc34.aarch64
python3-sss-murmur-2.5.2-2.fc34.aarch64
sssd-ipa-2.5.2-2.fc34.aarch64
sssd-kcm-2.5.2-2.fc34.aarch64
Any hints on how to make sss_ssh_authorizedkeys pull keys from IPA user
certificates on Fedora, or how to further debug this?
Hi,
the keys are only derived from the certificate if the certificate can be
validated. Have you copied all needed CA certificates to the new machine
and made SSSD aware of it?
Adding 'debug_level = 9' to the [ssh] section of sssd.conf and
restarting SSSD should add log messages to sssd_ssh.log which might help
to understand why the keys are not extracted.
HTH
bye,
Sumit
Best regards,
Radoslaw
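
The precondition described in the reply can be checked by hand. This is an added example, not part of the original thread and not SSSD's own code: it validates a user certificate against the CA store SSSD uses for SSH key derivation and, if that succeeds, prints the key that should then be returned. The function names are hypothetical, the certificate is assumed to be saved as a PEM file, and the default path assumes the documented default of the [ssh] ca_db option.

```shell
#!/bin/sh
# Added example, not SSSD code. Function names are hypothetical.
# Assumption: SSSD uses the documented default of the [ssh] "ca_db" option.
CA_DB="${CA_DB:-/etc/sssd/pki/sssd_auth_ca_db.pem}"

# cert_chains_to CA_BUNDLE CERT_PEM
# 0 = certificate validates against the bundle, 1 = it does not,
# 2 = a file is missing or unreadable (for example, the CA was never copied).
cert_chains_to() {
    [ -r "$1" ] || { echo "CA bundle not readable: $1" >&2; return 2; }
    [ -r "$2" ] || { echo "certificate not readable: $2" >&2; return 2; }
    # -no-CApath keeps the system trust directory out of the decision, so
    # only the CAs in the given bundle count.
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
}

# cert_to_ssh_pubkey CERT_PEM
# Prints the OpenSSH public key contained in the certificate.
cert_to_ssh_pubkey() {
    tmp=$(mktemp) || return 2
    openssl x509 -in "$1" -noout -pubkey >"$tmp" &&
        ssh-keygen -i -m PKCS8 -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh check.sh user-cert.pem   (runs only when an argument is given)
if [ "$#" -ge 1 ]; then
    if cert_chains_to "$CA_DB" "$1"; then
        echo "certificate validates against $CA_DB; expected key:"
        cert_to_ssh_pubkey "$1"
    else
        echo "certificate does not validate against $CA_DB" >&2
        exit 1
    fi
fi
```

Running it on both machines with the same certificate shows whether the new host's CA store is the difference; an exit status of 2 from cert_chains_to means the bundle itself is absent.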