Thanks Alex for your Inputs.

On my point 2, it happens for freeipa (ldap) users only. If I create a
local user, it works perfectly.

Will dig more into this.

-Yogesh Sharma

(Sent from my HTC)
On 20-Aug-2015 7:05 pm, "Alexander Bokovoy" <> wrote:

> On Thu, 20 Aug 2015, Yogesh Sharma wrote:
>> Hi,
>> I was reading this slide "
>> "
>> to troubleshoot an issue which we are facing while  IPA to allow user
>> using
>> public Key authentication and had few questions:
>> 1. Where does IPA stores the User Public Keys, I can fetch them
>> using sss_ssh_authorizedkeys but would be good if I we can know from where
>> it fetches the keys. Is it in LDAP DB.
> They are stored in the user entry in LDAP.
> Use 'ipa user-show <user> --raw --all' to see it.
> 2. When I registered new users with PubKey Authentication, some of them are
>> working fine and some got prompted for Password (this also happen when we
>> update their public key). This usually happens when either SSH is not able
>> to pick the private key (id_rsa) or if there is some permission issue with
>> .ssh or authorized_keys file. I am trying to find this in IPA environment
>> as why this is happening for certain users only though it is picking the
>> right private_key and client side. SSSD logs and secure logs does not have
>> much to say except authentication failed.
> private keys are used by SSH client, so you can enable debugging output
> when using SSH client to see if it has issues with file system access.
> This has nothing to do with FreeIPA at all.
> 4. As per the above slide, OpenSSH Integration with SSSD Slide 2 says, that
>> add know_hosts file with SSSD, However, Neither IPA Client nor IPA Server
>> has this
>> Configure ssh in /etc/ssh/ssh_config
>> Get known_hosts  from SSSD
>> GlobalKnownHostsFile
>> /var/lib/sss/pubconf/known_hosts
>> ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
> This part is automatically configured if you choose to configure SSSD
> and SSSD has support for knownhostsproxy.
> See ipa-client/ipa-install/ipa-client-install:configure_ssh_config() (or
> directly in /sbin/ipa-client-install).
> --
> / Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to