On (02/06/15 15:25), nat...@nathanpeters.com wrote: >I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the client is >CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30). > >I have created a user in FreeIPA and he has access to a server through >HBAC rules. This user has created a public / private keypair and uploaded >the public key from his personal machine to the IPA server so it shows up >in his user record. The record was saved and he successfully logged into >the IPA client using the keys. > >According to the docs here (Yes, I know it's a little old but I could not >find any newer info that conflicted with this) : >https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/openssh-sssd.html > Aa you already notice it isquite old documetation.
>2.Stores the user key in a custom file, .ssh/sss_authorized_keys, in the >standard authorized keys format. > There's bug in documentation. >However, when he logs in, there is no sss_authorized_keys file created and >as far as I can tell, the key is never cached in his account. > The better test would be to authenticate with ssh keys online, so they can be fetched from FreeIPA then block connection to FreeIPA (simmulate offline state) and re-test one more time. >How do I get the keys to actually save on login like the manual says? Keys are already cached in different file /var/lib/sss/pubconf/known_hosts. @see rhel7 documentation  rhel7 documentation should contain valid and recent information. If you found any issues plese report them. LS  https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/System-Level_Authentication_Guide/index.html#openssh-sssd-hosts -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project