On Wed, Sep 16, 2015 at 11:28:49AM -0700, Gustavo Mateus wrote:
> Hi,
>
> I have an IPA server running on redhat and I'm trying to find the best way to
> get my amazon linux instances to use it for authentication, ssh key
> management and sudo rules.
>
> I'm now trying to use SSSD to achieve those goals. Authentication is
> working but I'm having problems to get the user public ssh keys using
> /usr/bin/sss_ssh_authorizedkeys.
>
>
> This is my sssd.conf:
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = default
> re_expression = (?P<name>.+)
>
> [domain/default]
> debug_level = 8
> cache_credentials = True
> id_provider = ldap
> auth_provider = ldap
> ldap_uri = ldap://ipa.my.domain.com
> ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
> ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
> ldap_user_ssh_public_key = ipaSshPubKey
>
>
> The original configuration was done using ipa-advise ipa-advise
> config-redhat-sssd-before-1-9.

Is there any particular reason to keep doing this versus joining the client
to the domain and using id_provider=ipa ?

> I just changed the services parameter to
> include "ssh, sudo" and "ldap_user_ssh_public_key"

I don't think sudo would work unless you authenticate the LDAP connection.

>
> When I run it on the client I get no response or error. Even running it in
> debug mode:
>
> /usr/bin/sss_ssh_authorizedkeys admin --debug 10

I would check if:
 - debug_level in the [ssh] section reveals anything. Is the ssh responder
   being contacted, are there any errors?
 - check with ldbsearch (ldb-tools package) if the ssh key attribute is
   really fetched from IPA LDAP and is stored along the user entry

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
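The reply boils down to three checks on the posted sssd.conf: the [ssh] responder has no debug_level of its own, the sudo responder is pointed at LDAP without a bind identity, and the whole thing could be avoided by enrolling the client and using id_provider=ipa. The following script is an added example, not code from the thread or from the SSSD project: it parses an sssd.conf with the standard-library configparser and reports those findings, and additionally flags identity lookups over a plain ldap:// URI without ldap_id_use_start_tls (a real SSSD option, but a point the thread itself does not raise). ORIGINAL_CONF is a constructed copy of the poster's file; IPA_PROVIDER_CONF is a constructed enrolled-client configuration whose ipa_server and ipa_domain values are placeholders. The finding codes and messages are this example's own.

```python
"""Lint an sssd.conf for the ssh-key and sudo pitfalls discussed in the thread.

Added example; not part of the original post or of SSSD itself.
"""
import configparser

# Constructed copy of the poster's sssd.conf (the shape that returned no keys).
ORIGINAL_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
debug_level = 8
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ipa.my.domain.com
ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
ldap_user_ssh_public_key = ipaSshPubKey
"""

# Constructed enrolled-client configuration along the lines of the reply
# (id_provider=ipa); ipa_server / ipa_domain are placeholders.
IPA_PROVIDER_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = my.domain.com

[domain/my.domain.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = ipa.my.domain.com
ipa_domain = my.domain.com
cache_credentials = True

[ssh]
debug_level = 8
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; disable interpolation so regexes survive intact."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _csv(cp: configparser.ConfigParser, section: str, option: str) -> list:
    """Split a comma-separated option such as 'services' or 'domains'."""
    return [x.strip() for x in cp.get(section, option, fallback="").split(",") if x.strip()]


def lint_sssd_conf(text: str) -> list:
    """Return a list of (code, message) findings; an empty list means no issues found."""
    cp = parse_sssd_conf(text)
    findings = []
    services = set(_csv(cp, "sssd", "services"))

    # Responder logging lives in the [ssh] section, not in the domain section.
    if "ssh" in services and not cp.has_option("ssh", "debug_level"):
        findings.append(("ssh-no-debug",
                         "services lists ssh but [ssh] has no debug_level; the responder "
                         "log will not explain why sss_ssh_authorizedkeys returns nothing"))

    for dom in _csv(cp, "sssd", "domains"):
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            findings.append(("missing-domain", f"[sssd] lists domain '{dom}' but [{sec}] is absent"))
            continue
        if cp.get(sec, "id_provider", fallback="") != "ldap":
            continue  # the ipa provider configures ssh key and sudo lookups itself
        if "ssh" in services and not cp.has_option(sec, "ldap_user_ssh_public_key"):
            findings.append(("ssh-no-attr",
                             f"[{sec}] uses the ldap provider but sets no ldap_user_ssh_public_key"))
        if "sudo" in services and not cp.has_option(sec, "ldap_default_bind_dn"):
            findings.append(("sudo-anon-bind",
                             f"[{sec}] serves sudo rules over an anonymous LDAP bind; "
                             "set ldap_default_bind_dn and its authtok, or use the ipa provider"))
        uri = cp.get(sec, "ldap_uri", fallback="")
        if uri.startswith("ldap://") and not cp.getboolean(sec, "ldap_id_use_start_tls", fallback=False):
            findings.append(("id-cleartext",
                             f"[{sec}] performs identity lookups over {uri} without "
                             "ldap_id_use_start_tls; the cacert alone does not protect them"))
    return findings


if __name__ == "__main__":
    for name, conf in (("poster's config", ORIGINAL_CONF), ("ipa provider", IPA_PROVIDER_CONF)):
        print(f"== {name}")
        for code, msg in lint_sssd_conf(conf) or [("ok", "no findings")]:
            print(f"  [{code}] {msg}")
```

Run against the poster's file it reports the missing [ssh] debug_level, the anonymous bind behind the sudo responder, and the cleartext identity lookups; the enrolled-client variant produces no findings, which is the practical content of the "why not id_provider=ipa" question.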