Thanks, Alex, for your inputs.
On my point 2, it happens for freeipa (ldap) users only. If I create a
local user, it works perfectly.
Will dig more into this.
On 20-Aug-2015 7:05 pm, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
> On Thu, 20 Aug 2015, Yogesh Sharma wrote:
>> I was reading this slide "
>> to troubleshoot an issue which we are facing while IPA to allow user
>> public key authentication, and had a few questions:
>> 1. Where does IPA store the user public keys? I can fetch them
>> using sss_ssh_authorizedkeys, but it would be good if we could know from where
>> it fetches the keys. Is it in the LDAP DB?
> They are stored in the user entry in LDAP.
> Use 'ipa user-show <user> --raw --all' to see it.
>> 2. When I registered new users with PubKey Authentication, some of them are
>> working fine and some got prompted for a password (this also happens when we
>> update their public key). This usually happens when either SSH is not able
>> to pick the private key (id_rsa) or if there is some permission issue with
>> the .ssh or authorized_keys file. I am trying to find out in the IPA environment
>> why this is happening for certain users only, though it is picking the
>> right private_key and client side. SSSD logs and secure logs do not have
>> much to say except authentication failed.
> Private keys are used by the SSH client, so you can enable debugging output
> when using SSH client to see if it has issues with file system access.
> This has nothing to do with FreeIPA at all.
>> 4. As per the above slide, OpenSSH Integration with SSSD Slide 2 says that
>> add known_hosts file with SSSD. However, neither IPA Client nor IPA Server
>> has this
>> Configure ssh in /etc/ssh/ssh_config
>> Get known_hosts from SSSD
>> ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
> This part is automatically configured if you choose to configure SSSD
> and SSSD has support for knownhostsproxy.
> See ipa-client/ipa-install/ipa-client-install:configure_ssh_config() (or
> directly in /sbin/ipa-client-install).
> / Alexander Bokovoy