Hi,
we are integrating a number of Solaris 11 servers into our FreeIPA deployment. The
solution requires SSH key based authentication for user access to the Solaris 11 servers.
We have password authentication working correctly with FreeIPA using a proxy user (Solaris
client) binding to a service account (FreeIPA server). Key based authentication keeps
failing with the following message in the SSH server debug output:
mm_answer_keyallowed: publickey authentication test: RSA key is not allowed
The Solaris SSH setup has the following parameter setting:
AuthorizedKeysCommand /usr/lib/ssh/ssh-pubkey-ldap
..
The /usr/lib/ssh/ssh-pubkey-ldap command accepts the username attempting to login and
basically runs a "ldapsearch list <<username>>" command that returns
all the LDAP attributes for the user. From what I can tell, the Solaris LDAP client is
looking for the sshPublicKey OpenLDAP user attribute to obtain the user's SSH public key.
FreeIPA returns the ipaSshPubKey attribute for the user and we get a failed login message
as per the above.
Has anyone had any success in using FreeIPA with Solaris and SSH public keys? I am not
sure if we are looking in the correct place for the errors but from what we can see this
is the most likely cause of the problem.
One thing we have tried is to map the LDAP attributes on Solaris when setting up the LDAP
client. This does not seem to have made any difference however.
Thanks in advance.
Mark
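As an added illustration (not code from Mark's post, Solaris, or FreeIPA), here is a hypothetical AuthorizedKeysCommand helper that reads the LDIF an ldapsearch for the user would return and emits the ipaSshPubKey values, the attribute FreeIPA actually stores keys in, as authorized_keys lines; the LDIF entry, the key material and the script name are constructed assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical replacement for ssh-pubkey-ldap: parse the LDIF of one user entry
and print the ipaSshPubKey values in authorized_keys format for sshd."""
import base64
import re

# LDAP attribute names are case-insensitive; accept FreeIPA's name and the OpenLDAP one.
KEY_ATTRS = ("ipasshpubkey", "sshpublickey")
# Only pass through lines that look like a well-formed OpenSSH public key.
KEY_RE = re.compile(r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+")

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def extract_pubkeys(ldif_text):
    """Return the SSH public keys in an LDIF entry, decoding '::' (base64) values."""
    keys = []
    for line in unfold_ldif(ldif_text):
        if ":" not in line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if attr.strip().lower() not in KEY_ATTRS:
            continue
        if value.startswith(":"):  # 'attr:: <base64>' form used for non-ASCII/long values
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value = value.strip()
        if KEY_RE.match(value):  # drop anything that is not a key line
            keys.append(value)
    return keys

# Constructed sample resembling ldapsearch output for a FreeIPA user (not real keys).
SAMPLE_LDIF = """dn: uid=mark,cn=users,cn=accounts,dc=example,dc=com
uid: mark
ipaSshPubKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATAEXAMPLEKEYDATAEXAMPLE= mark@ws
ipaSshPubKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC
 EXAMPLEFOLDEDKEYDATA== mark@laptop
ipaSshPubKey:: c3NoLXJzYSBBQUFBQjNOemFDMXljMkU9IGI2NHVzZXI=
ipaSshPubKey: this is not a key and must be ignored
"""

if __name__ == "__main__":
    # sshd reads the printed lines exactly as it would read ~/.ssh/authorized_keys.
    print("\n".join(extract_pubkeys(SAMPLE_LDIF)))
```

In a real deployment the script would run ldapsearch for the login name sshd passes as its argument and feed that output to extract_pubkeys; sshd also requires the AuthorizedKeysCommand file to be root-owned and not writable by group or others.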
Hi Mark,
I haven't used Solaris, but it's possible that its default configuration (or
some additional configuration) prevents the use of RSA. Based on the error, "RSA key
is not allowed", it seems likely that RSA keys are not allowed at all or there is a
minimum key length (3072, 4096) and you are testing with a 2048-bit key.
Have you tried generating a different type of ssh key, e.g. ed25519, and testing that, or
checked your sshd_config for the PubkeyAcceptedKeyTypes option?
Not sure if that's helpful, but I wish you luck.
Best,
Owen