On Wed, 2015-06-03 at 09:57 -0700, nat...@nathanpeters.com wrote:
> Comments inline
> > On (02/06/15 15:25), nat...@nathanpeters.com wrote:
> >>I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the client is
> >>CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30).
> >>
> >>I have created a user in FreeIPA and he has access to a server through
> >>HBAC rules.  This user has created a public / private keypair and uploaded
> >>the public key from his personal machine to the IPA server so it shows up
> >>in his user record.  The record was saved and he successfully logged into
> >>the IPA client using the keys.
> >>
> >>According to the docs here (Yes, I know it's a little old but I could not
> >>find any newer info that conflicted with this) :
> >>https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/openssh-sssd.html
> >>
> > As you already noticed, it is quite old documentation.
> >
> >>2.Stores the user key in a custom file, .ssh/sss_authorized_keys, in the
> >>standard authorized keys format.
> >>
> > There's a bug in the documentation.
> >
> >>However, when he logs in, there is no sss_authorized_keys file created and
> >>as far as I can tell, the key is never cached in his account.
> >>
> > The better test would be to authenticate with ssh keys online,
> > so they can be fetched from FreeIPA
> > then block connection to FreeIPA (simulate offline state)
> > and re-test one more time.
> Ok, so I looked at the newer documentation you linked below (RH7 version)
> and it makes the exact same statement "Stores the user key in a custom
> file, .ssh/sss_authorized_keys, in the standard authorized keys format. "
> Are you saying the newer documentation is also bugged?
> Unfortunately, that type of test will not be conclusive for the people I
> am trying to convince.  They want me to actually show them the file on
> disk where that thing is cached to prove that if the machine was rebooted,
> and the ipa connection is lost, that key was not only in memory somewhere
> but actually saved to storage.
> >
> >>How do I get the keys to actually save on login like the manual says?
> > Keys are already cached in different file
> > /var/lib/sss/pubconf/known_hosts.
> > @see rhel7 documentation [1]
> The known_hosts file does not sound like the right place. It has a
> completely different function of caching host keys for when I make an
> outgoing connection from the server for the purpose of verifying someone
> is not spoofing a host, not for caching individual user keys for
> passwordless login for when I'm trying to make an ingoing connection to
> the server.
> In addition, you can see from my search below that there is no
> sss_authorized_keys file anywhere on the server and that the known_hosts
> file you referenced has no data in it because it is zero size.
> [root@ipaclient sss]# find / -name sss_authorized_keys
> [root@ipaclient sss]# cd pubconf
> [root@ipaclient pubconf]# ls -al
> total 16
> drwxr-xr-x 3 root root 4096 Jun  3 16:42 .
> drwxr-xr-x 6 root root 4096 May 27 22:49 ..
> -rw-r--r-- 1 root root   11 Jun  3 16:42 kdcinfo.MYDOMAIN.NET
> -rw-r--r-- 1 root root    0 Jun  2 16:05 known_hosts
> drwxr-xr-x 2 root root 4096 May 28 01:13 krb5.include.d
> [root@ipaclient pubconf]#
> So... I am still looking for the actual location on disk that this is
> apparently being cached and cannot find it.

You won't find a "file" because user's public keys are not stored in a
They are stored in the ldb cache with all other user information, and
then extracted from the cache (or queried from the server if online and
the cache is expired) on request.

You can use the ldbsearch tool against the sssd ldb cache file and look
for entries with the sshPublicKey attribute.


Simo Sorce * Red Hat, Inc * New York
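A way to carry out the check Simo describes above, as an added example that is not part of the thread or of the sssd project: run ldbsearch against the sssd cache, pull out every sshPublicKey value, and count what is cached for a given user. The script assumes (these are not stated on the page) that the cache is at /var/lib/sss/db/cache_<domain>.ldb, that the ldb-tools package supplies ldbsearch, and that key values are stored as plain text. A constructed LDIF sample is embedded so the parser can be exercised on a machine without a cache; the key data in it is made up.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (not stated on the page):
# the sssd cache lives at /var/lib/sss/db/cache_<domain>.ldb, ldbsearch
# (ldb-tools) is installed, and sshPublicKey values are stored as plain text.

# Parse ldbsearch LDIF output on stdin and print one "user<TAB>key" line per
# sshPublicKey value. Handles LDIF line folding (continuation lines begin with
# a space) and ldbsearch's "# ..." comment lines; records are blank-separated.
extract_ssh_keys() {
    awk '
        function flush() {
            if (buf ~ /^name: /)              user = substr(buf, 7)
            else if (buf ~ /^sshPublicKey: /) keys[++n] = substr(buf, 15)
            buf = ""
        }
        function endrec(   i) {
            if (buf != "") flush()
            for (i = 1; i <= n; i++) print user "\t" keys[i]
            n = 0; user = ""; split("", keys)
        }
        /^#/  { next }
        /^ /  { buf = buf substr($0, 2); next }
        /^$/  { endrec(); next }
              { if (buf != "") flush(); buf = $0 }
        END   { endrec() }
    '
}

# Query the on-disk cache for the given sssd domain and list cached keys.
# Run as root on the IPA client, e.g.: dump_cached_ssh_keys mydomain.net
dump_cached_ssh_keys() {
    ldbsearch -H "/var/lib/sss/db/cache_$1.ldb" '(sshPublicKey=*)' name sshPublicKey \
        | extract_ssh_keys
}

# Count keys cached for one user: 0 means the key was never fetched from the
# server, so an offline login with that key cannot succeed.
# Usage: count_cached_keys_for mydomain.net jdoe
count_cached_keys_for() {
    dump_cached_ssh_keys "$1" | awk -F'\t' -v u="$2" '$1 == u { c++ } END { print c + 0 }'
}

# Constructed sample of what ldbsearch prints, used so the parser can be
# exercised without a real cache. The key material is made up, not a real key.
SAMPLE_LDIF='# record 1
dn: name=jdoe,cn=users,cn=example.test,cn=sysdb
name: jdoe
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKey
 NotReal jdoe@laptop

# record 2
dn: name=nokey,cn=users,cn=example.test,cn=sysdb
name: nokey

# returned 2 records
'

# Parser output on the constructed sample (no cache or ldbsearch needed).
sample_keys() {
    printf '%s' "$SAMPLE_LDIF" | extract_ssh_keys
}

sample_keys
```

On a live client, `count_cached_keys_for mydomain.net jdoe` after a successful online key login should print 1 (or however many keys the user record carries); if it prints 0, the key was not cached and the offline re-test from the thread will fail. The folded key in the sample is joined back into a single line, which is the case a naive `grep sshPublicKey` misses.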

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
