Radoslaw Kujawa via FreeIPA-users wrote:
> Hi.
>
> On 9/23/21 15:06, Sumit Bose via FreeIPA-users wrote:
>> Am Thu, Sep 23, 2021 at 12:33:25PM +0200 schrieb Radoslaw Kujawa via
>> FreeIPA-users:
>>
>> the keys are only derived from the certificate if the certificate can be
>> validated. Have you copied all needed CA certificates to the new machine
>> and made SSSD aware of it?
>>
>
> Indeed, it was a problem with validation. I've originally created a
> symlink from /etc/sssd/pki/sssd_auth_ca_db.pem to /etc/ipa/ca.crt .
> However, this resulted in SELinux denial:
>
> ----
> time->Thu Sep 23 15:35:28 2021
> type=AVC msg=audit(1632411328.296:280110): avc: denied { read } for
> pid=1555510 comm="p11_child" name="sssd_auth_ca_db.pem" dev="nvme0n1p2"
> ino=421 scontext=system_u:system_r:sssd_t:s0
> tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0
>
> After copying the certificate, instead of symlinking it,
> sss_ssh_authorizedkeys works correctly and reports public keys from
> certificates too.
>
> While here, I have a suggestion. Could ipa-client-install also add the
> CA certificate to sssd's PKI directory?
Feel free to open an RFE at https://pagure.io/freeipa/new_issue
rob
>
> Currently to make this useful functionality work, manual intervention is
> necessary after running ipa-client-install (just having the cert in
> /etc/ipa/ca.crt is not enough for p11_child to perform validation).
>
> Best regards,
> Radoslaw
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
>
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
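An added check for the situation described in this thread (example code, not from the list, SSSD or FreeIPA; the two paths are the ones named above, everything else is assumed). It refuses a symlinked sssd_auth_ca_db.pem, which is what p11_child was denied on, and also catches a copy that no longer matches /etc/ipa/ca.crt:

```shell
#!/bin/sh
# Added example. p11_child (sssd_t) was denied reading a lnk_file labelled
# sssd_conf_t, so the CA database must be a regular file, and it must still
# match the IPA CA or certificate validation (and thus key derivation) fails.
# Both paths are parameters so the check can be run against a test tree.
check_sssd_ca_db() {
    ca_db="${1:-/etc/sssd/pki/sssd_auth_ca_db.pem}"
    ipa_ca="${2:-/etc/ipa/ca.crt}"

    # Symlink test first: a dangling symlink would also fail the -e test.
    if [ -L "$ca_db" ]; then
        echo "SYMLINK: $ca_db is a symlink; replace it with a copy of $ipa_ca" >&2
        return 2
    fi
    if [ ! -e "$ca_db" ]; then
        echo "MISSING: $ca_db not found; copy $ipa_ca there" >&2
        return 1
    fi
    if [ ! -f "$ca_db" ]; then
        echo "NOTFILE: $ca_db is not a regular file" >&2
        return 3
    fi
    # A copy that has drifted from the IPA CA breaks validation just as silently.
    if ! cmp -s "$ca_db" "$ipa_ca"; then
        echo "STALE: $ca_db differs from $ipa_ca; re-copy it" >&2
        return 4
    fi
    echo "OK: $ca_db is a regular file matching $ipa_ca"
    return 0
}

# The remediation from the thread: replace the symlink (or stale copy) with a
# real copy. restorecon is only run when present so this also works off-SELinux.
fix_sssd_ca_db() {
    ca_db="${1:-/etc/sssd/pki/sssd_auth_ca_db.pem}"
    ipa_ca="${2:-/etc/ipa/ca.crt}"
    [ -f "$ipa_ca" ] || { echo "no IPA CA at $ipa_ca" >&2; return 1; }
    rm -f "$ca_db" || return 1
    cp "$ipa_ca" "$ca_db" && chmod 0644 "$ca_db" || return 1
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$ca_db" || true
    fi
    check_sssd_ca_db "$ca_db" "$ipa_ca"
}

# On a client, after ipa-client-install:  check_sssd_ca_db || fix_sssd_ca_db
```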