[Freeipa-users] Re: sss_ssh_authorizedkeys vs user certificates

2021-09-23 Thread Sumit Bose via FreeIPA-users
On Thu, Sep 23, 2021 at 02:12:20PM -0400, Rob Crittenden via
FreeIPA-users wrote:
> Radoslaw Kujawa via FreeIPA-users wrote:
> > Hi.
> > 
> > On 9/23/21 15:06, Sumit Bose via FreeIPA-users wrote:
> >> On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via
> >> FreeIPA-users wrote:
> >>
> >> the keys are only derived from the certificate if the certificate can be
> >> validated. Have you copied all needed CA certificates to the new machine
> >> and made SSSD aware of it?
> >>
> > 
> > Indeed, it was a problem with validation. I've originally created a
> > symlink from /etc/sssd/pki/sssd_auth_ca_db.pem to /etc/ipa/ca.crt .
> > However, this resulted in SELinux denial:
> > 
> > 
> > time->Thu Sep 23 15:35:28 2021
> > type=AVC msg=audit(1632411328.296:280110): avc:  denied  { read } for
> > pid=110 comm="p11_child" name="sssd_auth_ca_db.pem" dev="nvme0n1p2"
> > ino=421 scontext=system_u:system_r:sssd_t:s0
> > tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0

Hi,

it looks like SELinux does not like that a link is used here. Have you
tried if adding

pam_cert_db_path = /etc/ipa/ca.crt

to the [pam] section of sssd.conf (or as snippet in /etc/sssd/conf.d/)
works?

About using /etc/ipa/ca.crt. This file only contains the IPA CA
certificate, so it can only verify certificates issued by IPA. It might
be better to use /var/lib/ipa-client/pki/ca-bundle.pem which contains
all the CA certificates trusted by the IPA servers, see man
ipa-cacert-manage for details.


> > 
> > After copying the certificate, instead of symlinking it,
> > sss_ssh_authorizedkeys works correctly and reports public keys from
> > certificates too.
> > 
> > While here, I have a suggestion. Could ipa-client-install also add the
> > CA certificate to sssd's PKI directory?
> 
> Feel free to open an RFE at https://pagure.io/freeipa/new_issue

Currently the 'ipa-advise config-client-for-smart-card-auth' script adds
CA certificates to /etc/sssd/pki/sssd_auth_ca_db.pem.

HTH

bye,
Sumit

> 
> rob
> 
> > 
> > Currently to make this useful functionality work, manual intervention is
> > necessary after running ipa-client-install (just having the cert in
> > /etc/ipa/ca.crt is not enough for p11_child to perform validation).
> > 
> > Best regards,
> > Radoslaw
> > ___
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > 
> > Do not reply to spam on the list, report it:
> > https://pagure.io/fedora-infrastructure
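A small diagnostic in the spirit of Sumit's advice, added here as an example and not part of the thread, of SSSD or of FreeIPA. It checks that /etc/sssd/pki/sssd_auth_ca_db.pem is a regular file rather than a symlink (the AVC quoted above is a denied read on a lnk_file), counts the CA certificates in that file and in /var/lib/ipa-client/pki/ca-bundle.pem, flags p11_child symlink denials in audit output, and can write a conf.d drop-in that sets pam_cert_db_path. The drop-in file name 10-cert-db.conf and the ausearch invocation are this example's own choices; the default paths are the ones named in the thread.

```shell
#!/bin/sh
# Diagnostic for the "sss_ssh_authorizedkeys ignores certificate keys" case
# from the thread. Added example, not SSSD or FreeIPA code. The two default
# paths are the ones named in the thread; the snippet name and the ausearch
# invocation are assumptions of this example.
set -eu

SSSD_CA_DB="${SSSD_CA_DB:-/etc/sssd/pki/sssd_auth_ca_db.pem}"
IPA_BUNDLE="${IPA_BUNDLE:-/var/lib/ipa-client/pki/ca-bundle.pem}"

# The AVC in the thread is a denied read on tclass=lnk_file: p11_child runs
# as sssd_t and may not follow a symlink out of /etc/sssd/pki. The CA db
# must therefore be a regular file. Returns 0 when it is.
ca_db_is_regular_file() {
    path="$1"
    if [ -L "$path" ]; then
        echo "FAIL: $path is a symlink; copy the CA bundle instead of linking it" >&2
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "FAIL: $path does not exist" >&2
        return 1
    fi
    return 0
}

# Number of PEM certificates in a bundle (0 for a missing file). A count of
# 1 from /etc/ipa/ca.crt means only IPA-issued certificates can validate.
count_pem_certs() {
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Reads audit records on stdin; succeeds if any AVC shows p11_child denied
# on a symlink, which is the failure signature from the thread.
avc_flags_symlink_denial() {
    grep 'type=AVC' | grep 'denied' | grep 'comm="p11_child"' \
        | grep -q 'tclass=lnk_file'
}

# Writes the [pam] drop-in Sumit suggested, pointing SSSD at a CA bundle
# without touching /etc/sssd/pki. SSSD only reads conf.d files ending in
# .conf and rejects configuration readable by others, hence mode 0600.
write_pam_cert_db_snippet() {
    dir="$1"
    bundle="$2"
    snippet="$dir/10-cert-db.conf"   # file name is this example's choice
    mkdir -p "$dir"
    printf '[pam]\npam_cert_db_path = %s\n' "$bundle" > "$snippet"
    chmod 0600 "$snippet"
    echo "$snippet"
}

# Runs every check against the live system; returns 1 if any fails.
run_checks() {
    status=0
    ca_db_is_regular_file "$SSSD_CA_DB" || status=1
    echo "CA certificates in $SSSD_CA_DB: $(count_pem_certs "$SSSD_CA_DB")"
    if [ -r "$IPA_BUNDLE" ]; then
        echo "CA certificates in $IPA_BUNDLE: $(count_pem_certs "$IPA_BUNDLE")"
    fi
    if command -v ausearch >/dev/null 2>&1; then
        # -m avc -c p11_child: AVC records whose comm field is p11_child
        if ausearch -m avc -c p11_child 2>/dev/null | avc_flags_symlink_denial; then
            echo "FAIL: audit log shows p11_child denied on a symlinked CA db" >&2
            status=1
        fi
    fi
    return "$status"
}

# Only touch the live system when asked explicitly.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it with `--run` as root on the client to check the live paths; the functions take their paths as arguments, so they can also be exercised against files in a scratch directory before touching /etc/sssd.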


[Freeipa-users] Re: sss_ssh_authorizedkeys vs user certificates

2021-09-23 Thread Rob Crittenden via FreeIPA-users
Radoslaw Kujawa via FreeIPA-users wrote:
> Hi.
> 
> On 9/23/21 15:06, Sumit Bose via FreeIPA-users wrote:
>> On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via
>> FreeIPA-users wrote:
>>
>> the keys are only derived from the certificate if the certificate can be
>> validated. Have you copied all needed CA certificates to the new machine
>> and made SSSD aware of it?
>>
> 
> Indeed, it was a problem with validation. I've originally created a
> symlink from /etc/sssd/pki/sssd_auth_ca_db.pem to /etc/ipa/ca.crt .
> However, this resulted in SELinux denial:
> 
> 
> time->Thu Sep 23 15:35:28 2021
> type=AVC msg=audit(1632411328.296:280110): avc:  denied  { read } for
> pid=110 comm="p11_child" name="sssd_auth_ca_db.pem" dev="nvme0n1p2"
> ino=421 scontext=system_u:system_r:sssd_t:s0
> tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0
> 
> After copying the certificate, instead of symlinking it,
> sss_ssh_authorizedkeys works correctly and reports public keys from
> certificates too.
> 
> While here, I have a suggestion. Could ipa-client-install also add the
> CA certificate to sssd's PKI directory?

Feel free to open an RFE at https://pagure.io/freeipa/new_issue

rob

> 
> Currently to make this useful functionality work, manual intervention is
> necessary after running ipa-client-install (just having the cert in
> /etc/ipa/ca.crt is not enough for p11_child to perform validation).
> 
> Best regards,
> Radoslaw


[Freeipa-users] Re: sss_ssh_authorizedkeys vs user certificates

2021-09-23 Thread Radoslaw Kujawa via FreeIPA-users

Hi.

On 9/23/21 15:06, Sumit Bose via FreeIPA-users wrote:

> On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via
> FreeIPA-users wrote:
>
> the keys are only derived from the certificate if the certificate can be
> validated. Have you copied all needed CA certificates to the new machine
> and made SSSD aware of it?



Indeed, it was a problem with validation. I've originally created a 
symlink from /etc/sssd/pki/sssd_auth_ca_db.pem to /etc/ipa/ca.crt . 
However, this resulted in SELinux denial:



time->Thu Sep 23 15:35:28 2021
type=AVC msg=audit(1632411328.296:280110): avc:  denied  { read } for 
pid=110 comm="p11_child" name="sssd_auth_ca_db.pem" dev="nvme0n1p2" 
ino=421 scontext=system_u:system_r:sssd_t:s0 
tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0


After copying the certificate, instead of symlinking it, 
sss_ssh_authorizedkeys works correctly and reports public keys from 
certificates too.


While here, I have a suggestion. Could ipa-client-install also add the 
CA certificate to sssd's PKI directory?


Currently to make this useful functionality work, manual intervention is 
necessary after running ipa-client-install (just having the cert in 
/etc/ipa/ca.crt is not enough for p11_child to perform validation).


Best regards,
Radoslaw


[Freeipa-users] Re: sss_ssh_authorizedkeys vs user certificates

2021-09-23 Thread Sumit Bose via FreeIPA-users
On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via
FreeIPA-users wrote:
> Hi list.
> 
> I have a CentOS 8.4 machine (fully updated), where sss_ssh_authorizedkeys is
> successfully able to pull public keys from IPA user certificates. Recently I
> have installed a new Fedora 34 machine and this functionality is not working
> - running "sss_ssh_authorizedkeys username" only reports public keys
> explicitly added to the account, omitting keys from X.509 certificates.
> 
> Both machines are joined to the same IPA domain.
> 
> I've checked sssd configuration, and ssh_use_certificate_keys option seems
> to be default, as the man page states. To be extra sure, I have also
> manually added it sssd.conf:
> 
> [ssh]
> ssh_use_certificate_keys = true
> 
> CentOS machine has the following package versions:
> python3-sss-murmur-2.4.0-9.el8_4.2.x86_64
> sssd-proxy-2.4.0-9.el8_4.2.x86_64
> libsss_sudo-2.4.0-9.el8_4.2.x86_64
> libsss_autofs-2.4.0-9.el8_4.2.x86_64
> sssd-nfs-idmap-2.4.0-9.el8_4.2.x86_64
> sssd-2.4.0-9.el8_4.2.x86_64
> libsss_idmap-2.4.0-9.el8_4.2.x86_64
> sssd-ldap-2.4.0-9.el8_4.2.x86_64
> sssd-kcm-2.4.0-9.el8_4.2.x86_64
> sssd-dbus-2.4.0-9.el8_4.2.x86_64
> python3-cssselect-0.9.2-10.el8.noarch
> sssd-ipa-2.4.0-9.el8_4.2.x86_64
> sssd-ad-2.4.0-9.el8_4.2.x86_64
> python3-sssdconfig-2.4.0-9.el8_4.2.noarch
> sssd-krb5-2.4.0-9.el8_4.2.x86_64
> sssd-tools-2.4.0-9.el8_4.2.x86_64
> sssd-client-2.4.0-9.el8_4.2.x86_64
> sssd-krb5-common-2.4.0-9.el8_4.2.x86_64
> sssd-common-2.4.0-9.el8_4.2.x86_64
> sssd-common-pac-2.4.0-9.el8_4.2.x86_64
> libsss_certmap-2.4.0-9.el8_4.2.x86_64
> libsss_nss_idmap-2.4.0-9.el8_4.2.x86_64
> libsss_simpleifp-2.4.0-9.el8_4.2.x86_64
> python3-sss-2.4.0-9.el8_4.2.x86_64
> 
> Fedora machine has the following package versions:
> libsss_idmap-2.5.2-2.fc34.aarch64
> libsss_autofs-2.5.2-2.fc34.aarch64
> libsss_sudo-2.5.2-2.fc34.aarch64
> libsss_certmap-2.5.2-2.fc34.aarch64
> sssd-nfs-idmap-2.5.2-2.fc34.aarch64
> libsss_nss_idmap-2.5.2-2.fc34.aarch64
> sssd-client-2.5.2-2.fc34.aarch64
> sssd-common-2.5.2-2.fc34.aarch64
> sssd-common-pac-2.5.2-2.fc34.aarch64
> sssd-dbus-2.5.2-2.fc34.aarch64
> sssd-krb5-common-2.5.2-2.fc34.aarch64
> python3-sssdconfig-2.5.2-2.fc34.noarch
> python3-sss-2.5.2-2.fc34.aarch64
> sssd-tools-2.5.2-2.fc34.aarch64
> python3-sss-murmur-2.5.2-2.fc34.aarch64
> sssd-ipa-2.5.2-2.fc34.aarch64
> sssd-kcm-2.5.2-2.fc34.aarch64
> 
> Any hints on how to make sss_ssh_authorizedkeys pull keys from IPA user
> certificates on Fedora, or how to further debug this?

Hi,

the keys are only derived from the certificate if the certificate can be
validated. Have you copied all needed CA certificates to the new machine
and made SSSD aware of it?

Adding 'debug_level = 9' to the [ssh] section of sssd.conf and
restarting SSSD should add log messages to sssd_ssh.log which might help
to understand why the keys are not extracted.

HTH

bye,
Sumit

> 
> Best regards,
> Radoslaw