On Mon, 20 Mar 2017, Artem Golubev wrote:
> Good day!
>
> We use freeipa server 4.3.1, we usually grant access via ssh keys to linux
> clients.
> We currently face the following issue with access on certificate: when we
> add a certificate to a user's account, the user is not able to log in via ssh.
> How can we solve this problem? We would like to have a possibility to
> access linux clients via ssh keys and access to other resources using
> certificates.

You need to provide logs, obviously. Start with level 3 debug logs in
sshd, and debug_level=9 in sssd. Also show the user's entry (as in 'ipa
user-show --raw --all username').

When you access SSH with ssh keys, SSSD is involved in the account and
session phases of PAM authentication. This means either the user does not
exist to sshd (it would then not exist at the system level at all) or
something prevents the session phase from succeeding. In the session phase
SSSD does verify HBAC rules, for example.

See https://fedorahosted.org/sssd/wiki/Troubleshooting for
troubleshooting instructions.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
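
The logging changes requested in the reply above, as an added shell example that is not part of the original message. The function names, the service unit names in the usage comments, and the choice to set `debug_level` in every sssd.conf section are assumptions of this example.

```shell
#!/bin/sh
# Added example: raise sshd and SSSD logging before reproducing a failed login.
# Both functions take the file path as an argument, so try them on a copy first.

# set_sssd_debug FILE LEVEL
# Put "debug_level = LEVEL" right after every [section] header and drop any
# older debug_level line, so [sssd], [pam], [ssh] and [domain/...] all log.
set_sssd_debug() {
    file=$1 level=$2
    tmp=$(mktemp) || return 1
    awk -v lvl="$level" '
        /^[ \t]*debug_level[ \t]*=/ { next }                  # old setting
        { print }
        /^[ \t]*\[.*\][ \t]*$/ { print "debug_level = " lvl }  # section header
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# set_sshd_loglevel FILE LEVEL
# Keep exactly one LogLevel directive and put it on the first line: sshd uses
# the first value it reads, and a line appended after a "Match" block would
# belong to that block instead of the global configuration.
set_sshd_loglevel() {
    file=$1 level=$2
    tmp=$(mktemp) || return 1
    awk -v lvl="$level" '
        BEGIN { print "LogLevel " lvl }
        tolower($1) != "loglevel" { print }   # keywords are case-insensitive
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on the IPA client, as root (unit names assumed; "ssh" on some distros):
#   set_sssd_debug /etc/sssd/sssd.conf 9 && systemctl restart sssd
#   set_sshd_loglevel /etc/ssh/sshd_config DEBUG3 && sshd -t \
#       && systemctl restart sshd
#   ipa user-show --raw --all username
# Reproduce the login, then collect /var/log/sssd/ and the sshd log.
```

Set both values back once the logs are collected; at these levels the logs grow quickly and record far more detail about each login than normal operation needs.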
