Guy Matz wrote:
Hello! Trying to configure a Centos 6.3 server to authenticate ssh using
keys stored in IPA . . .  it's not working and I was hoping someone
might be able to give a place to start debugging.

My user is in IPA (as is a public key):
[root@iparepl01 log]# ipa user-find gmatz
--------------
1 user matched
--------------
   User login: gmatz
   First name: Guy
   Last name: Matz
   Home directory: /home/gmatz
   Login shell: /bin/bash
   UID: 1756600036
   GID: 1756600036
   Account disabled: False
   SSH public key fingerprint:
B7:97:56:71:31:D8:35:67:6A:4B:5F:C2:D8:00:E6:39 (ssh-rsa)
   Password: True
   Kerberos keys available: True

  . . .  which matches the key used on the client machine:
gmatz@halliburton:~$ uname -a
Linux halliburton 3.5.0-27-generic #46-Ubuntu SMP Mon Mar 25 19:58:17
UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
gmatz@halliburton:~$ ssh-keygen -l
Enter file in which the key is (/home/gmatz/.ssh/id_rsa):
2048 b7:97:56:71:31:d8:35:67:6a:4b:5f:c2:d8:00:e6:39 gmatz@halliburton
(RSA)

When I run sshd in debug mode, I don't see any indication that the ssh
server is trying to connect to IPA, but strace gives some indication
that sssd libs are being loaded.

I don't know if this is any help, but here's what audit.log says when
publickey auth fails:
type=CRYPTO_KEY_USER msg=audit(1366304690.290:26013): user pid=1592
uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server
fp=2b:54:31:7d:2f:18:d9:ed:5b:1e:7d:37:34:fa:a7:3b direction=? spid=1592
suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=?
res=success'
type=CRYPTO_KEY_USER msg=audit(1366304690.292:26014): user pid=1592
uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server
fp=70:bc:4f:b5:1c:e4:93:0d:4f:c9:96:08:dc:85:22:ea direction=? spid=1592
suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=?
res=success'
type=CRYPTO_SESSION msg=audit(1366304690.300:26015): user pid=1591 uid=0
auid=4294967295 ses=4294967295 msg='op=start direction=from-client
cipher=aes128-ctr ksize=128 spid=1592 suid=74 rport=45662
laddr=172.16.6.203 lport=22  exe="/usr/sbin/sshd" hostname=?
addr=192.168.2.67 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1366304690.300:26016): user pid=1591 uid=0
auid=4294967295 ses=4294967295 msg='op=start direction=from-server
cipher=aes128-ctr ksize=128 spid=1592 suid=74 rport=45662
laddr=172.16.6.203 lport=22  exe="/usr/sbin/sshd" hostname=?
addr=192.168.2.67 terminal=? res=success'
type=USER_AUTH msg=audit(1366304690.474:26017): user pid=1591 uid=0
auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz"
exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1366304690.485:26018): user pid=1591 uid=0
auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz"
exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'

Any help is greatly appreciated!

SSH was a tech preview in 6.3, YMMV.

Look on the client in /etc/ssh/ssh_config to see if it is configured, something like:

GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

Double-check that PubkeyAuthentication is yes too.

The server should have something like this in sshd_config:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

rob
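One way to check the two files Rob points at, as an added example that is not part of the thread or of FreeIPA/sssd. The audit lines above show sshd received the key offer and rejected it (`op=pubkey ... res=failed`), which is what you would see when sshd never asks sssd for the user's keys. The script below reads an sshd_config or ssh_config the way OpenSSH does (keywords are case-insensitive, the first occurrence of a keyword wins, comments and blank lines are ignored) and reports whether the sssd-backed lookups are wired in. The sample configs are constructed inline; the helper names `sshd_opt`, `check_sssd_pubkey` and `check_sssd_knownhosts` are my own, and the script ignores `Host`/`Match` blocks, which is enough for settings placed at the top of the file as in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): verify the sshd_config / ssh_config
# settings needed for sssd-backed SSH key and known_hosts lookups.

# Print the effective value of an OpenSSH keyword in the given config file.
# Mirrors sshd's rules: case-insensitive keyword, first occurrence wins.
# Assumption: "Keyword value" syntax; "Keyword=value" is not handled here.
sshd_opt() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blanks
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")  # drop keyword
            sub(/[[:space:]]+$/, "")                           # trailing space
            print; exit
        }
    ' "$2"
}

# Server side: return 0 when sshd will consult sss_ssh_authorizedkeys for
# public keys, 1 otherwise (printing what is missing).
check_sssd_pubkey() {
    f="$1"; rc=0
    pk=$(sshd_opt PubkeyAuthentication "$f")
    # PubkeyAuthentication defaults to yes when absent, so only an explicit
    # "no" is a problem.
    if [ -n "$pk" ] && [ "$pk" != "yes" ]; then
        echo "PubkeyAuthentication is '$pk', expected yes"; rc=1
    fi
    cmd=$(sshd_opt AuthorizedKeysCommand "$f")
    case "$cmd" in
        */sss_ssh_authorizedkeys*) ;;
        "") echo "AuthorizedKeysCommand is not set"; rc=1 ;;
        *)  echo "AuthorizedKeysCommand is '$cmd', not sss_ssh_authorizedkeys"; rc=1 ;;
    esac
    return $rc
}

# Client side: return 0 when ssh_config routes host-key lookups through sssd.
check_sssd_knownhosts() {
    f="$1"; rc=0
    case "$(sshd_opt ProxyCommand "$f")" in
        */sss_ssh_knownhostsproxy*) ;;
        *) echo "ProxyCommand does not use sss_ssh_knownhostsproxy"; rc=1 ;;
    esac
    case "$(sshd_opt GlobalKnownHostsFile "$f")" in
        */var/lib/sss/pubconf/known_hosts*) ;;
        *) echo "GlobalKnownHostsFile is not /var/lib/sss/pubconf/known_hosts"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (not real system config).
tmp=$(mktemp -d)
GOOD_SSHD="$tmp/sshd_config.good"
BAD_SSHD="$tmp/sshd_config.bad"
GOOD_SSH="$tmp/ssh_config.good"
cat > "$GOOD_SSHD" <<'EOF'
# constructed: what the reply expects on the server
Protocol 2
pubkeyauthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
EOF
cat > "$BAD_SSHD" <<'EOF'
# constructed: the key lookup never reaches sssd
PubkeyAuthentication no
PubkeyAuthentication yes
#AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
EOF
cat > "$GOOD_SSH" <<'EOF'
# constructed: client side from the reply
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
EOF

check_sssd_pubkey "$GOOD_SSHD" && echo "server ok: $GOOD_SSHD"
check_sssd_pubkey "$BAD_SSHD"  || echo "server misconfigured: $BAD_SSHD"
check_sssd_knownhosts "$GOOD_SSH" && echo "client ok: $GOOD_SSH"
```

On the real server, point `check_sssd_pubkey` at `/etc/ssh/sshd_config`; if it passes and pubkey auth still fails, run the same lookup sshd would, `sss_ssh_authorizedkeys gmatz`, to see whether sssd returns the key at all. Note that the `BAD_SSHD` sample fails on `PubkeyAuthentication` because the first occurrence (`no`) is the one sshd honours, which is easy to miss when an earlier line was added by a tool.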
