On Tue, Aug 27, 2019 at 06:32:12PM +0000, Patterson, David via FreeIPA-users wrote:
> RHEL 7.7
> sssd 1.16.4
Hi,
the issue I was thinking about should be fixed in this version.
Do I understand correctly that you have stored a public ssh key in the IPA
user object and this was used to do key-based authentication on the IPA
clients. After creating a user certificate, which is stored in the IPA
user object as well, key-based ssh authentication on the clients does
not work anymore for the user?
To debug this please add 'debug_level = 9' to the [ssh] and [domain/...]
section of sssd.conf and restart SSSD. Now please call
sss_ssh_authorizedkeys username
where you should replace username with the name of the user which has
ssh keys and certificates stored in its LDAP object. This command is
used by sshd as well to get the ssh keys. Please send the log files
from /var/log/sssd which should explain what prevented SSSD from
returning the ssh keys.
bye,
Sumit
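The debugging procedure described above, turned into a script as an added example (not part of Sumit's message and not SSSD's own tooling). It assumes the RHEL 7 defaults of /etc/sssd/sssd.conf and /var/log/sssd, that it runs as root on the IPA client, and takes the user name on the command line; set_debug_level edits the [ssh] and every [domain/...] section generically rather than for one fixed domain name:

```shell
#!/bin/sh
# Added example (not from the thread): raise the SSSD debug level in the [ssh]
# and [domain/...] sections of sssd.conf, then run the same lookup sshd performs.
# /etc/sssd/sssd.conf, /var/log/sssd and the archive path are assumptions.

# set_debug_level FILE LEVEL
# Set "debug_level = LEVEL" in the [ssh] section and in every [domain/...]
# section of FILE. An existing debug_level in those sections is replaced;
# a section without one gets the line added before the next header.
# Other sections ([sssd], [nss], [pam], ...) are left untouched.
set_debug_level() {
    file="$1"; level="$2"
    tmp="$(mktemp)" || return 1
    awk -v lvl="$level" '
        # Leaving a target section: add debug_level if the section had none.
        function end_section() {
            if (target && !seen) print "debug_level = " lvl
            target = 0; seen = 0
        }
        /^[ \t]*\[/ {
            end_section()
            target = ($0 ~ /^[ \t]*\[(ssh\]|domain\/)/)
            print; next
        }
        target && /^[ \t]*debug_level[ \t]*=/ {
            print "debug_level = " lvl; seen = 1; next
        }
        { print }
        END { end_section() }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place rather than mv: keeps the 0600 root:root mode that
    # SSSD requires on its configuration file.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# collect_ssh_debug USER
# Back up sssd.conf, turn on debugging, restart SSSD, reproduce the key lookup
# sshd performs and bundle the logs for the list. Must run as root on the client.
collect_ssh_debug() {
    user="$1"
    conf=/etc/sssd/sssd.conf
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    set_debug_level "$conf" 9
    systemctl restart sssd
    # sshd reaches this binary through AuthorizedKeysCommand; show that wiring too.
    grep -i '^AuthorizedKeysCommand' /etc/ssh/sshd_config
    echo "--- sss_ssh_authorizedkeys $user ---"
    sss_ssh_authorizedkeys "$user"
    echo "exit status: $?"
    tar czf /tmp/sssd-debug-logs.tar.gz /var/log/sssd
    echo "logs: /tmp/sssd-debug-logs.tar.gz"
}

# Usage: sh sssd_ssh_debug.sh collect USERNAME
case "${1-}" in
    collect) collect_ssh_debug "$2" ;;
esac
```

Once the logs are collected, restore the backup copy of sssd.conf and restart SSSD again, since level 9 logging is verbose and will fill /var/log/sssd quickly on a busy client.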
>
> David Patterson
> Sandia National Laboratories
> Ground System Platforms, Infrastructures & Integration
> Phone:(505) 284-3322
> Pager: (505) 951-8112
>
> -----Original Message-----
> From: Sumit Bose via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
> Sent: Tuesday, August 27, 2019 11:05 AM
> To: freeipa-users(a)lists.fedorahosted.org
> Cc: Sumit Bose <sbose(a)redhat.com>
> Subject: [EXTERNAL] [Freeipa-users] Re: Keys vs certificates
>
> On Tue, Aug 27, 2019 at 02:43:22PM +0000, Patterson, David via FreeIPA-users wrote:
> > Hello,
> >
> > I followed the instructions from this page (https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-cus...) to create User Certificates.
> > While testing I noticed that when I create a User Cert for an account, the ssh keys stopped working for that same account.
> >
> > I was hoping to have both SSH keys and User Certificates.
> >
> > Is this a bug, a feature or is there some setting that I'm missing?
>
> Hi,
>
> which version of SSSD are you using? There was a bug in an older version of SSSD which might have the effect you are describing.
>
> bye,
> Sumit
>
> >
> > Thanks!
> >
> > David Patterson
>
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org