[Freeipa-users] Re: sss_ssh_authorizedkeys vs user certificates
On Thu, Sep 23, 2021 at 02:12:20PM -0400, Rob Crittenden via FreeIPA-users wrote:
> Radoslaw Kujawa via FreeIPA-users wrote:
> > Hi.
> >
> > On 9/23/21 15:06, Sumit Bose via FreeIPA-users wrote:
> >> On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via
> >> FreeIPA-users wrote:
> >>
> >> the keys are only derived from the certificate if the certificate can be
> >> validated. Have you copied all needed CA certificates to the new machine
> >> and made SSSD aware of it?
> >>
> >
> > Indeed, it was a problem with validation. I've originally created a
> > symlink from /etc/sssd/pki/sssd_auth_ca_db.pem to /etc/ipa/ca.crt.
> > However, this resulted in an SELinux denial:
> >
> > time->Thu Sep 23 15:35:28 2021
> > type=AVC msg=audit(1632411328.296:280110): avc: denied { read } for
> > pid=110 comm="p11_child" name="sssd_auth_ca_db.pem" dev="nvme0n1p2"
> > ino=421 scontext=system_u:system_r:sssd_t:s0
> > tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0

Hi,

it looks like SELinux does not like that a link is used here. Have you
tried if adding

    pam_cert_db_path = /etc/ipa/ca.crt

to the [pam] section of sssd.conf (or as a snippet in /etc/sssd/conf.d/)
works?

About using /etc/ipa/ca.crt: this file only contains the IPA CA
certificate, so it can only verify certificates issued by IPA. It might be
better to use /var/lib/ipa-client/pki/ca-bundle.pem, which contains all
the CA certificates trusted by the IPA servers; see man ipa-cacert-manage
for details.

> >
> > After copying the certificate, instead of symlinking it,
> > sss_ssh_authorizedkeys works correctly and reports public keys from
> > certificates too.
> >
> > While here, I have a suggestion. Could ipa-client-install also add the
> > CA certificate to sssd's PKI directory?
>
> Feel free to open an RFE at https://pagure.io/freeipa/new_issue

Currently the 'ipa-advise config-client-for-smart-card-auth' script adds
CA certificates to /etc/sssd/pki/sssd_auth_ca_db.pem.

HTH

bye,
Sumit

>
> rob
>
> >
> > Currently to make this useful functionality work, manual intervention is
> > necessary after running ipa-client-install (just having the cert in
> > /etc/ipa/ca.crt is not enough for p11_child to perform validation).
> >
> > Best regards,
> > Radoslaw

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
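The following shell script is an added example; it is not from the thread and not part of SSSD or FreeIPA. It turns the two findings in the messages above into checks a client administrator can run: it recognises the audit record pattern that Radoslaw posted (p11_child, running as sssd_t, denied read on a lnk_file), inspects /etc/sssd/pki/sssd_auth_ca_db.pem for the symlink case, installs the CA bundle Sumit recommends as a regular file, and writes the pam_cert_db_path alternative as a conf.d snippet. The function names, the exit-code scheme and the snippet file name 50-pam_cert_db_path.conf are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from SSSD/FreeIPA): checks around
# /etc/sssd/pki/sssd_auth_ca_db.pem, the file p11_child validates user
# certificates against before sss_ssh_authorizedkeys derives keys from them.
# Function names, exit codes and the snippet file name are this example's own.

# Return 0 when an audit record matches the denial from the thread:
# p11_child denied "read" on a lnk_file. Prints the two fields it looked at.
avc_is_p11_symlink_denial() {
    line=$1
    comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf 'comm=%s tclass=%s\n' "$comm" "$tclass"
    [ "$comm" = "p11_child" ] && [ "$tclass" = "lnk_file" ]
}

# Inspect the CA database. Exit codes (assumed scheme):
#   0 regular file with at least one PEM certificate
#   1 missing   2 symlink (hits the lnk_file denial)   3 no certificate inside
check_ca_db() {
    db=${1:-/etc/sssd/pki/sssd_auth_ca_db.pem}
    # -L must be tested before -e, because -e follows the link.
    if [ -L "$db" ]; then
        echo "WARN: $db is a symlink; sssd_t is denied lnk_file read, copy the file instead"
        return 2
    fi
    if [ ! -e "$db" ]; then
        echo "MISSING: $db"
        return 1
    fi
    n=$(grep -c 'BEGIN CERTIFICATE' "$db" || true)
    if [ "$n" -gt 0 ]; then
        echo "OK: $db holds $n certificate(s)"
        return 0
    fi
    echo "EMPTY: $db holds no PEM certificate"
    return 3
}

# Install the CA bundle as a regular file (the fix that worked in the thread),
# defaulting to the bundle of all CAs trusted by the IPA servers, and relabel
# it so it carries the file context SELinux policy expects in /etc/sssd/pki.
install_ca_db() {
    src=${1:-/var/lib/ipa-client/pki/ca-bundle.pem}
    db=${2:-/etc/sssd/pki/sssd_auth_ca_db.pem}
    [ -f "$src" ] || { echo "source bundle $src not found"; return 1; }
    install -m 0644 "$src" "$db" || return 1
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$db" 2>/dev/null || true
    fi
    check_ca_db "$db"
}

# Alternative from the thread: point pam_cert_db_path at a file directly via a
# conf.d snippet. SSSD wants its config files root-owned and mode 0600.
write_pam_cert_db_snippet() {
    cert_db=$1
    confd=${2:-/etc/sssd/conf.d}
    mkdir -p "$confd" || return 1
    out="$confd/50-pam_cert_db_path.conf"   # file name is an assumption
    ( umask 077; printf '[pam]\npam_cert_db_path = %s\n' "$cert_db" > "$out" ) || return 1
    echo "$out"
}

# Usage: sh check_ca_db.sh [path]; with no argument nothing runs, so the
# functions can also be sourced from another script.
if [ $# -gt 0 ]; then
    check_ca_db "$1"
fi
```

After installing a bundle or writing a snippet, SSSD has to be restarted for p11_child to pick up the new file, and `sss_ssh_authorizedkeys username` should then list the keys from the user's certificates alongside the explicitly stored ones.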
[Freeipa-users] Re: sss_ssh_authorizedkeys vs user certificates
Radoslaw Kujawa via FreeIPA-users wrote:
> Hi.
>
> On 9/23/21 15:06, Sumit Bose via FreeIPA-users wrote:
>> On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via
>> FreeIPA-users wrote:
>>
>> the keys are only derived from the certificate if the certificate can be
>> validated. Have you copied all needed CA certificates to the new machine
>> and made SSSD aware of it?
>>
>
> Indeed, it was a problem with validation. I've originally created a
> symlink from /etc/sssd/pki/sssd_auth_ca_db.pem to /etc/ipa/ca.crt.
> However, this resulted in an SELinux denial:
>
> time->Thu Sep 23 15:35:28 2021
> type=AVC msg=audit(1632411328.296:280110): avc: denied { read } for
> pid=110 comm="p11_child" name="sssd_auth_ca_db.pem" dev="nvme0n1p2"
> ino=421 scontext=system_u:system_r:sssd_t:s0
> tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0
>
> After copying the certificate, instead of symlinking it,
> sss_ssh_authorizedkeys works correctly and reports public keys from
> certificates too.
>
> While here, I have a suggestion. Could ipa-client-install also add the
> CA certificate to sssd's PKI directory?

Feel free to open an RFE at https://pagure.io/freeipa/new_issue

rob

>
> Currently to make this useful functionality work, manual intervention is
> necessary after running ipa-client-install (just having the cert in
> /etc/ipa/ca.crt is not enough for p11_child to perform validation).
>
> Best regards,
> Radoslaw
[Freeipa-users] Re: sss_ssh_authorizedkeys vs user certificates
Hi.

On 9/23/21 15:06, Sumit Bose via FreeIPA-users wrote:
> On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via FreeIPA-users wrote:
>
> the keys are only derived from the certificate if the certificate can be
> validated. Have you copied all needed CA certificates to the new machine
> and made SSSD aware of it?

Indeed, it was a problem with validation. I've originally created a
symlink from /etc/sssd/pki/sssd_auth_ca_db.pem to /etc/ipa/ca.crt.
However, this resulted in an SELinux denial:

time->Thu Sep 23 15:35:28 2021
type=AVC msg=audit(1632411328.296:280110): avc: denied { read } for
pid=110 comm="p11_child" name="sssd_auth_ca_db.pem" dev="nvme0n1p2"
ino=421 scontext=system_u:system_r:sssd_t:s0
tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0

After copying the certificate, instead of symlinking it,
sss_ssh_authorizedkeys works correctly and reports public keys from
certificates too.

While here, I have a suggestion. Could ipa-client-install also add the
CA certificate to sssd's PKI directory?

Currently to make this useful functionality work, manual intervention is
necessary after running ipa-client-install (just having the cert in
/etc/ipa/ca.crt is not enough for p11_child to perform validation).

Best regards,
Radoslaw
[Freeipa-users] Re: sss_ssh_authorizedkeys vs user certificates
On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via FreeIPA-users wrote:
> Hi list.
>
> I have a CentOS 8.4 machine (fully updated), where sss_ssh_authorizedkeys is
> successfully able to pull public keys from IPA user certificates. Recently I
> have installed a new Fedora 34 machine and this functionality is not working
> - running "sss_ssh_authorizedkeys username" only reports public keys
> explicitly added to the account, omitting keys from X.509 certificates.
>
> Both machines are joined to the same IPA domain.
>
> I've checked sssd configuration, and ssh_use_certificate_keys option seems
> to be default, as the man page states. To be extra sure, I have also
> manually added it to sssd.conf:
>
> [ssh]
> ssh_use_certificate_keys = true
>
> CentOS machine has the following package versions:
> python3-sss-murmur-2.4.0-9.el8_4.2.x86_64
> sssd-proxy-2.4.0-9.el8_4.2.x86_64
> libsss_sudo-2.4.0-9.el8_4.2.x86_64
> libsss_autofs-2.4.0-9.el8_4.2.x86_64
> sssd-nfs-idmap-2.4.0-9.el8_4.2.x86_64
> sssd-2.4.0-9.el8_4.2.x86_64
> libsss_idmap-2.4.0-9.el8_4.2.x86_64
> sssd-ldap-2.4.0-9.el8_4.2.x86_64
> sssd-kcm-2.4.0-9.el8_4.2.x86_64
> sssd-dbus-2.4.0-9.el8_4.2.x86_64
> python3-cssselect-0.9.2-10.el8.noarch
> sssd-ipa-2.4.0-9.el8_4.2.x86_64
> sssd-ad-2.4.0-9.el8_4.2.x86_64
> python3-sssdconfig-2.4.0-9.el8_4.2.noarch
> sssd-krb5-2.4.0-9.el8_4.2.x86_64
> sssd-tools-2.4.0-9.el8_4.2.x86_64
> sssd-client-2.4.0-9.el8_4.2.x86_64
> sssd-krb5-common-2.4.0-9.el8_4.2.x86_64
> sssd-common-2.4.0-9.el8_4.2.x86_64
> sssd-common-pac-2.4.0-9.el8_4.2.x86_64
> libsss_certmap-2.4.0-9.el8_4.2.x86_64
> libsss_nss_idmap-2.4.0-9.el8_4.2.x86_64
> libsss_simpleifp-2.4.0-9.el8_4.2.x86_64
> python3-sss-2.4.0-9.el8_4.2.x86_64
>
> Fedora machine has the following package versions:
> libsss_idmap-2.5.2-2.fc34.aarch64
> libsss_autofs-2.5.2-2.fc34.aarch64
> libsss_sudo-2.5.2-2.fc34.aarch64
> libsss_certmap-2.5.2-2.fc34.aarch64
> sssd-nfs-idmap-2.5.2-2.fc34.aarch64
> libsss_nss_idmap-2.5.2-2.fc34.aarch64
> sssd-client-2.5.2-2.fc34.aarch64
> sssd-common-2.5.2-2.fc34.aarch64
> sssd-common-pac-2.5.2-2.fc34.aarch64
> sssd-dbus-2.5.2-2.fc34.aarch64
> sssd-krb5-common-2.5.2-2.fc34.aarch64
> python3-sssdconfig-2.5.2-2.fc34.noarch
> python3-sss-2.5.2-2.fc34.aarch64
> sssd-tools-2.5.2-2.fc34.aarch64
> python3-sss-murmur-2.5.2-2.fc34.aarch64
> sssd-ipa-2.5.2-2.fc34.aarch64
> sssd-kcm-2.5.2-2.fc34.aarch64
>
> Any hints on how to make sss_ssh_authorizedkeys pull keys from IPA user
> certificates on Fedora, or how to further debug this?

Hi,

the keys are only derived from the certificate if the certificate can be
validated. Have you copied all needed CA certificates to the new machine
and made SSSD aware of it?

Adding 'debug_level = 9' to the [ssh] section of sssd.conf and restarting
SSSD should add log messages to sssd_ssh.log which might help to understand
why the keys are not extracted.

HTH

bye,
Sumit

>
> Best regards,
> Radoslaw