Thanks Alex for your inputs. On my point 2, it happens for freeipa (ldap) users only. If I create a local user, it works perfectly.
Will dig more into this.

-Yogesh Sharma (Sent from my HTC)

On 20-Aug-2015 7:05 pm, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

> On Thu, 20 Aug 2015, Yogesh Sharma wrote:
>
>> Hi,
>>
>> I was reading this slide
>> "https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf"
>> to troubleshoot an issue which we are facing while IPA to allow user using
>> public Key authentication and had a few questions:
>>
>> 1. Where does IPA store the User Public Keys? I can fetch them
>> using sss_ssh_authorizedkeys but it would be good if we can know from where
>> it fetches the keys. Is it in LDAP DB?
>>
> They are stored in the user entry in LDAP.
>
> Use 'ipa user-show <user> --raw --all' to see it.
>
>> 2. When I registered new users with PubKey Authentication, some of them are
>> working fine and some got prompted for Password (this also happens when we
>> update their public key). This usually happens when either SSH is not able
>> to pick the private key (id_rsa) or if there is some permission issue with
>> .ssh or authorized_keys file. I am trying to find this in IPA environment
>> as why this is happening for certain users only though it is picking the
>> right private_key and client side. SSSD logs and secure logs do not have
>> much to say except authentication failed.
>>
> private keys are used by SSH client, so you can enable debugging output
> when using SSH client to see if it has issues with file system access.
> This has nothing to do with FreeIPA at all.
>
>> 4. As per the above slide, OpenSSH Integration with SSSD Slide 2 says that
>> add known_hosts file with SSSD. However, neither IPA Client nor IPA Server
>> has this
>>
>> Configure ssh in /etc/ssh/ssh_config
>> Get known_hosts from SSSD
>> GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
>> ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
>>
> This part is automatically configured if you choose to configure SSSD
> and SSSD has support for knownhostsproxy.
>
> See ipa-client/ipa-install/ipa-client-install:configure_ssh_config() (or
> directly in /sbin/ipa-client-install).
>
> --
> / Alexander Bokovoy
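An added example, not part of the thread and not FreeIPA code: one way to check that the key a user offers is the one stored in their LDAP entry is to compare fingerprints of the keys in the 'ipa user-show <user> --raw --all' output with the fingerprint of the user's local .pub line. It assumes the keys appear under the attribute name ipasshpubkey in OpenSSH public key format; the sample output, user name and key blobs are constructed.

```python
import base64
import hashlib
import re
import struct

def make_blob(seed):
    """Constructed ssh-ed25519 public key blob (test data, not a real key)."""
    ktype = b"ssh-ed25519"
    key = bytes((seed + i) % 256 for i in range(32))
    return struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", 32) + key

def make_line(seed, comment):
    """Constructed OpenSSH public key line: '<type> <base64 blob> <comment>'."""
    return "ssh-ed25519 %s %s" % (base64.b64encode(make_blob(seed)).decode(), comment)

# Constructed sample shaped like `ipa user-show <user> --raw --all` output.
SAMPLE_RAW = "\n".join([
    "  uid: jdoe",
    "  ipasshpubkey: " + make_line(1, "jdoe@laptop"),
    "  ipasshpubkey: " + make_line(2, "jdoe@desktop"),
    "  loginshell: /bin/bash",
])

def fingerprint(pubkey_line):
    """Return the SHA256 fingerprint of a public key line, in the
    'SHA256:<unpadded base64>' form that OpenSSH prints."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed key type; it must match field 1.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def ipa_fingerprints(raw_output):
    """Fingerprints of every ipasshpubkey value in the raw user entry."""
    keys = re.findall(r"^\s*ipasshpubkey:\s*(.+)$", raw_output, re.I | re.M)
    return [fingerprint(k) for k in keys]

def key_registered(raw_output, local_pub_line):
    """True if the local public key is one of the keys stored for the user."""
    return fingerprint(local_pub_line) in ipa_fingerprints(raw_output)

if __name__ == "__main__":
    print(ipa_fingerprints(SAMPLE_RAW))
    print(key_registered(SAMPLE_RAW, make_line(1, "any comment")))
```

The comment field is ignored, so a key uploaded with a different comment still matches; a key that was replaced on the client but not in the user entry does not.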