Comments inline

> On (02/06/15 15:25), nat...@nathanpeters.com wrote:
>>I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the client
>> is
>>CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30).
>>
>>I have created a user in FreeIPA and he has access to a server through
>>HBAC rules.  This user has created a public / private keypair and
>> uploaded
>>the public key from his personal machine to the IPA server so it shows up
>>in his user record.  The record was saved and he successfully logged into
>>the IPA client using the keys.
>>
>>According to the docs here (Yes, I know it's a little old but I could not
>>find any newer info that conflicted with this) :
>>https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/openssh-sssd.html
>>
> Aa you already notice it isquite old documetation.
>
>>2.Stores the user key in a custom file, .ssh/sss_authorized_keys, in the
>>standard authorized keys format.
>>
> There's bug in documentation.
>
>>However, when he logs in, there is no sss_authorized_keys file created
>> and
>>as far as I can tell, the key is never cached in his account.
>>
> The better test would be to authenticate with ssh keys online,
> so they can be fetched from FreeIPA
> then block connection to FreeIPA (simmulate offline state)
> and re-test one more time.

Ok, so I looked at the newer documentation you linked below (RH7 version)
and it makes the exact same statement "Stores the user key in a custom
file, .ssh/sss_authorized_keys, in the standard authorized keys format. "

Are you saying the newer documentation is also bugged?

Unfortunately, that type of test will not be conclusive for the people I
am trying to convince.  They want me to actually show them the file on
disk where that thing is cached to prove that if the machine was rebooted,
and the ipa connection is lost, that key was not only in memory somewhere
but actually saved to storage.

>
>>How do I get the keys to actually save on login like the manual says?
> Keys are already cached in different file
> /var/lib/sss/pubconf/known_hosts.
> @see rhel7 documentation [1]

The known_hosts file does not sound like the right place,  It has a
completely different function of caching host keys for when I make an
outgoing connection from the server for the purpose of verifying someone
is not spoofing a host, not for caching individual user keys for
passwordless login for when I'm trying to make an ingoing connection to
the server.

In addition, you can see from my search below that there is no
sss_authorized_keys file anywhere on the server and that the known_hosts
file you referenced has no data in it because it is zero size.

[root@ipaclient sss]# find / -name sss_authorized_keys
[root@ipaclient sss]# cd pubconf
[root@ipaclient pubconf]# ls -al
total 16
drwxr-xr-x 3 root root 4096 Jun  3 16:42 .
drwxr-xr-x 6 root root 4096 May 27 22:49 ..
-rw-r--r-- 1 root root   11 Jun  3 16:42 kdcinfo.MYDOMAIN.NET
-rw-r--r-- 1 root root    0 Jun  2 16:05 known_hosts
drwxr-xr-x 2 root root 4096 May 28 01:13 krb5.include.d
[root@ipaclient pubconf]#

So... I am still looking for the actual location on disk that this is
apparently being cached and cannot find it.


>
> rhel7 documentation[1] should contain valid and recent information.
> If you found any issues plese report them.
>
> LS
>
> [1]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/System-Level_Authentication_Guide/index.html#openssh-sssd-hosts
>



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to