8:15 a.m.
Hi all,
I have set up ipa server, established trust with an ad controller and enrolled a couple of
clients to it.
I have a problem understanding how to properly set up ssh pubkey authentication when it
comes to caching.
The issue is that when I upload the key to the server (via the web ui, for an AD user) and
later delete this key (also via the web UI) I still can log in on a client machine for a
couple of days using my private ssh key part. The command sss_ssh_authorizedkeys ad_user
shows the correct key on both server and a client. Even after I delete manually cache
files on the client, then sss_ssh_authorizedkeys displays the correct key.
In a trial and error process of debugging it I added entry_cache_user_timeout = 60 to
every section of sssd.conf on a client but it did not change much the situation described
above.
I assume that this is due to the caching settings on the server side (I guess user entries
are still present in the sssd cache yet they are not visible in the web ui).
Can someone please point me to the sssd cache settings that would cause ssh keys to stop
from working within a reasonable time after they were deleted?
Below I paste sanitized sssd config for the server:
[domain/ipa.domain/ad.domain]
debug_level = 10
# Enable short names without full domain
use_fully_qualified_names = False
ad_server = ad-1.ad.domain,ad-2.ad.domain
#cache_first = True
[domain/ipa.domain]
ad_server = ad-1.ad.domain,ad-2.ad.domain
debug_level = 10
id_provider = ipa
ipa_server_mode = True
ipa_server = ipa-server.ipa.domain
ipa_domain = ipa.domain
ipa_hostname = ipa-server.ipa.domain
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
enumerate = False
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0
#cache_first = True
[sssd]
debug_level = 10
domain_resolution_order = ad.domain, ipa.domain
services = nss, pam, ifp, ssh, sudo
domains = ipa.domain
[nss]
debug_level = 10
filter_users = root,fedora
homedir_substring = /home
memcache_timeout = 600
entry_negative_timeout = 3600
override_shell = /bin/bash
override_homedir = /home/%u
homedir_substring = /home
[pam]
debug_level = 10
[sudo]
debug_level = 10
[autofs]
debug_level = 10
[ssh]
debug_level = 10
[pac]
debug_level = 10
[ifp]
debug_level = 10
[secrets]
debug_level = 10
[session_recording]
debug_level = 10
and the client:
[domain/ipa.domain/ad.domain]
entry_cache_user_timeout = 60
debug_level = 10
# Enable short names without full domain
use_fully_qualified_names = False
subdomain_homedir = /home/%u
selinux_provider = none
ad_enable_gc = false
ad_server = ad-1.ad.domain,ad-2.ad.domain
[domain/ipa.domain]
entry_cache_user_timeout = 60
debug_level = 9
ad_enable_gc = false
subdomain_homedir = /home/%u
# Optimization
selinux_provider = none
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
cache_first = True
ldap_purge_cache_timeout = 0
ldap_sudo_smart_refresh_interval = 60
ldap_sudo_full_refresh_interval = 21600
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ipa-client.ipa.domain
chpass_provider = ipa
ipa_server = _srv_, ipa-server.ipa.domain
dns_discovery_domain = ipa.domain
[sssd]
entry_cache_user_timeout = 60
domain_resolution_order = ad.domain,ipa.domain
services = nss, sudo, pam, ssh
domains = ipa.domain
entry_cache_user_timeout = 60
[nss]
entry_cache_user_timeout = 60
override_shell = /bin/bash
override_homedir = /home/%u
filter_users = root,fedora
homedir_substring = /home
[pam]
entry_cache_user_timeout = 60
debug_level = 9
[sudo]
entry_cache_user_timeout = 60
debug_level = 9
[autofs]
[ssh]
entry_cache_user_timeout = 60
debug_level = 9
[pac]
debug_level = 9
[ifp]
debug_level = 9
8:18 a.m.
And my package versions are:
ssd: client - 1.16.0-4.el6, server - 1.16.1-8.fc27
ipa: client - 3.0.0-51.el6.centos, server - 4.6.3-2.fc27
8:24 a.m.
On Wed, Jun 20, 2018 at 01:15:24PM -0000, Bart via FreeIPA-users wrote:
Hi all,
I have set up ipa server, established trust with an ad controller and enrolled a couple
of clients to it.
I have a problem understanding how to properly set up ssh pubkey authentication when it
comes to caching.
The issue is that when I upload the key to the server (via the web ui, for an AD user)
and later delete this key (also via the web UI) I still can log in on a client machine for
a couple of days using my private ssh key part. The command sss_ssh_authorizedkeys ad_user
shows the correct key on both server and a client. Even after I delete manually cache
files on the client, then sss_ssh_authorizedkeys displays the correct key.
Which version of SSSD are you using? The issue sounds like
https://pagure.io/SSSD/sssd/issue/3602.
bye,
Sumit
>
> In a trial and error process of debugging it I added entry_cache_user_timeout = 60 to
every section of sssd.conf on a client but it did not change much the situation described
above.
>
> I assume that this is due to the caching settings on the server side (I guess user
entries are still present in the sssd cache yet they are not visible in the web ui).
> Can someone please point me to the sssd cache settings that would cause ssh keys to
stop from working within a reasonable time after they were deleted?
> Below I paste sanitized sssd config for the server:
>
> [domain/ipa.domain/ad.domain]
> debug_level = 10
> # Enable short names without full domain
> use_fully_qualified_names = False
> ad_server = ad-1.ad.domain,ad-2.ad.domain
> #cache_first = True
>
> [domain/ipa.domain]
> ad_server = ad-1.ad.domain,ad-2.ad.domain
> debug_level = 10
> id_provider = ipa
> ipa_server_mode = True
> ipa_server = ipa-server.ipa.domain
> ipa_domain = ipa.domain
> ipa_hostname = ipa-server.ipa.domain
> auth_provider = ipa
> chpass_provider = ipa
> access_provider = ipa
> cache_credentials = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_store_password_if_offline = True
>
> enumerate = False
> subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
> ignore_group_members = True
> ldap_purge_cache_timeout = 0
> #cache_first = True
>
> [sssd]
> debug_level = 10
> domain_resolution_order = ad.domain, ipa.domain
> services = nss, pam, ifp, ssh, sudo
> domains = ipa.domain
>
> [nss]
> debug_level = 10
> filter_users = root,fedora
>
> homedir_substring = /home
> memcache_timeout = 600
> entry_negative_timeout = 3600
> override_shell = /bin/bash
> override_homedir = /home/%u
> homedir_substring = /home
>
>
>
> [pam]
> debug_level = 10
>
> [sudo]
> debug_level = 10
>
> [autofs]
> debug_level = 10
>
> [ssh]
> debug_level = 10
>
> [pac]
> debug_level = 10
>
> [ifp]
> debug_level = 10
>
> [secrets]
> debug_level = 10
>
> [session_recording]
> debug_level = 10
>
> and the client:
>
> [domain/ipa.domain/ad.domain]
> entry_cache_user_timeout = 60
> debug_level = 10
> # Enable short names without full domain
> use_fully_qualified_names = False
> subdomain_homedir = /home/%u
> selinux_provider = none
> ad_enable_gc = false
> ad_server = ad-1.ad.domain,ad-2.ad.domain
>
>
> [domain/ipa.domain]
> entry_cache_user_timeout = 60
> debug_level = 9
> ad_enable_gc = false
> subdomain_homedir = /home/%u
> # Optimization
> selinux_provider = none
> subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
> ignore_group_members = True
> cache_first = True
> ldap_purge_cache_timeout = 0
> ldap_sudo_smart_refresh_interval = 60
> ldap_sudo_full_refresh_interval = 21600
>
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.domain
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = ipa-client.ipa.domain
> chpass_provider = ipa
> ipa_server = _srv_, ipa-server.ipa.domain
> dns_discovery_domain = ipa.domain
> [sssd]
> entry_cache_user_timeout = 60
> domain_resolution_order = ad.domain,ipa.domain
> services = nss, sudo, pam, ssh
>
> domains = ipa.domain
> entry_cache_user_timeout = 60
> [nss]
> entry_cache_user_timeout = 60
> override_shell = /bin/bash
> override_homedir = /home/%u
> filter_users = root,fedora
> homedir_substring = /home
>
> [pam]
> entry_cache_user_timeout = 60
> debug_level = 9
>
> [sudo]
> entry_cache_user_timeout = 60
> debug_level = 9
>
> [autofs]
>
> [ssh]
> entry_cache_user_timeout = 60
> debug_level = 9
>
> [pac]
> debug_level = 9
>
>
> [ifp]
> debug_level = 9
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
9:29 a.m.
Hi Sumit,
That was it. I switched to the https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-16/
repo, installed sssd in 1.16.1-7.el6 version and voila, problem solved :).
Thank you a lot for your help and prompt response!
Best
Bart
7:13 a.m.
Or it is not solved yet :).
After the update my sssd versions are:
server: 1.16.1-8
client: 1.16.1-7
Public keys get updated on the client host but ONLY after I log in to the server. Even
though I set entry_cache_timeout = 120 literally everywhere (on client and server), client
still allows to log in with ssh key after it was deleted using FreeIPA web ui.
9:11 a.m.
On Thu, Jun 21, 2018 at 12:13:03PM -0000, Bart via FreeIPA-users wrote:
Or it is not solved yet :).
After the update my sssd versions are:
server: 1.16.1-8
client: 1.16.1-7
Public keys get updated on the client host but ONLY after I log in to the server. Even
though I set entry_cache_timeout = 120 literally everywhere (on client and server), client
still allows to log in with ssh key after it was deleted using FreeIPA web ui.
Did you lower memcache_timeout as well? This should not be related but
worth a try.
Can you send me the SSSD logs from the IPA client and server which cover
the call of sss_ssh_authorizedkeys at the time you would expect that the
cached entries are expired and fresh data should be read from the
server?
bye,
Sumit
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
2132
days inactive
2134
days old
freeipa-users@lists.fedorahosted.org
5 comments
2 participants
participants (2)
-
Bart -
Sumit Bose