On Thu, 20 Aug 2015, Yogesh Sharma wrote:
> Hi,
>
> I was reading this slide
> https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
>
> to troubleshoot an issue which we are facing while getting IPA to allow users to use
> public key authentication, and had a few questions:
>
> 1. Where does IPA store the user public keys? I can fetch them
> using sss_ssh_authorizedkeys, but it would be good if we can know from where
> it fetches the keys. Is it in the LDAP DB?
They are stored in the user entry in LDAP.

Use 'ipa user-show <user> --raw --all' to see it.


> 2. When I registered new users with pubkey authentication, some of them are
> working fine and some got prompted for a password (this also happens when we
> update their public key). This usually happens when either SSH is not able
> to pick the private key (id_rsa) or if there is some permission issue with
> .ssh or the authorized_keys file. I am trying to find out in the IPA environment
> why this is happening for certain users only, though it is picking the
> right private key on the client side. SSSD logs and secure logs do not have
> much to say except authentication failed.
Private keys are used by the SSH client, so you can enable debugging output
when using the SSH client to see if it has issues with file system access.
This has nothing to do with FreeIPA at all.

> 4. As per the above slide, OpenSSH Integration with SSSD slide 2 says to
> add a known_hosts file with SSSD. However, neither IPA client nor IPA server
> has this:
>
>     Configure ssh in /etc/ssh/ssh_config
>     Get known_hosts from SSSD
>     GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
>     ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
This part is automatically configured if you choose to configure SSSD
and SSSD has support for knownhostsproxy.

See ipa-client/ipa-install/ipa-client-install:configure_ssh_config() (or
directly in /sbin/ipa-client-install).


--
/ Alexander Bokovoy
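Added shell example for the two checks the thread above points at; it is not from the thread, from FreeIPA or from SSSD. It compares the key a client offers (id_rsa.pub) against what `sss_ssh_authorizedkeys <user>` returns on the server, which is the quickest way to explain a "works for some users, password prompt for others" symptom, and it checks that /etc/ssh/ssh_config carries the two SSSD known_hosts directives from the slide. The `AuthorizedKeysCommand` check is the sshd_config side of the same integration (that directive is what invokes sss_ssh_authorizedkeys). All keys and config text in the block are constructed sample data, and the function names are mine.

```shell
#!/bin/sh
# Added troubleshooting helpers (not FreeIPA or SSSD code). Keys, config text
# and function names below are constructed for the example.

# Reduce a public-key line to "type base64" so that a differing comment field
# (user@host) does not break the comparison. Lines with a leading options
# field (command="...") are not handled; keys stored in IPA normally have none.
key_id() {
  printf '%s\n' "$1" | awk '{ print $1, $2 }'
}

# Exit 0 if the client's public key ($1, the contents of id_rsa.pub) is among
# the keys in $2 (the output of `sss_ssh_authorizedkeys <user>` on the server).
key_in_list() {
  want=$(key_id "$1")
  printf '%s\n' "$2" | awk 'NF >= 2 { print $1, $2 }' | grep -Fqx -- "$want"
}

# Exit 0 if an ssh_config text ($1) has both SSSD known_hosts directives
# from the slide; 1 if either is missing.
sss_knownhosts_configured() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*GlobalKnownHostsFile[[:space:]]+/var/lib/sss/pubconf/known_hosts' &&
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ProxyCommand[[:space:]]+/usr/bin/sss_ssh_knownhostsproxy'
}

# Exit 0 if an sshd_config text ($1) makes sshd ask SSSD for authorized keys.
sss_authorizedkeys_configured() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+/usr/bin/sss_ssh_authorizedkeys'
}

# --- constructed sample data (not real keys) -------------------------------
CLIENT_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0nstructedKeyOne== yogesh@laptop'
OTHER_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0nstructedKeyTwo== yogesh@desktop'
IPA_KEYS='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0nstructedKeyOne== uploaded-via-ipa
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0nstructedEd25519Key yogesh@tablet'

GOOD_CFG='# written by ipa-client-install
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h'
BAD_CFG='GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts'

GOOD_SSHD='AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody'

# --- demo run ---------------------------------------------------------------
if key_in_list "$CLIENT_KEY" "$IPA_KEYS"; then
  echo "client key is in IPA: pubkey auth should work"
else
  echo "client key not in IPA: expect a password prompt"
fi
if key_in_list "$OTHER_KEY" "$IPA_KEYS"; then
  echo "other key matched (unexpected)"
else
  echo "other key absent from IPA, as expected"
fi
if sss_knownhosts_configured "$GOOD_CFG"; then echo "ssh_config: SSSD known_hosts configured"; fi
if sss_knownhosts_configured "$BAD_CFG"; then :; else echo "ssh_config: ProxyCommand missing"; fi
if sss_authorizedkeys_configured "$GOOD_SSHD"; then echo "sshd_config: keys come from SSSD"; fi
```

On a real host, replace the sample strings with `cat ~/.ssh/id_rsa.pub` on the client, `sss_ssh_authorizedkeys "$USER"` on the server, and the contents of /etc/ssh/ssh_config and /etc/ssh/sshd_config. A key that is present in `ipa user-show --raw --all` but absent from sss_ssh_authorizedkeys output points at SSSD's cache rather than at the client.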

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
