On Fri, Mar 06, 2020 at 12:44:35PM -0000, Hristina Marosevic wrote:
> Hello,
>
> I added: "certificate_verification = no_ocsp, no_verification" in [sssd] part
> of the sssd configuration and I didn't add the CA certs because the
> certificate validation is disabled, but I am getting the same error
> "certificate is not valid" in the sssd_ssh.log
> SSSD version that I am using is (yum package version):
> 1.16.4-21.0.1.el7_7.1
> Somewhere on the internet, I saw this in the [pam] part of the sssd
> configuration: "pam_cert_auth = True" - should I add this line in my config
> file?

Hi,

no, [pam] is not needed for your use case, access via ssh.

> and I found the following command for the p11_child log (by you):
> /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre --nssdb=/etc/pki/nssdb

This command looks for certificates from a Smartcard connected to the local
system. However p11_child is used to validate the certificates for the ssh
key generation as well. You should add debug_level = 9 to the [ssh] section
of sssd.conf and then check sssd_ssh.log and p11_child.log after calling
sss_ssh_authorized_keys.

HTH

bye,
Sumit

>
> The output on my machine was:
> $ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre --nssdb=/etc/pki/nssdb
> (Fri Mar 6 13:33:30:652007 2020) [[sssd[p11_child[8855]]]] [main] (0x0400): p11_child started.
> (Fri Mar 6 13:33:30:652310 2020) [[sssd[p11_child[8855]]]] [main] (0x2000): Running in [pre-auth] mode.
> (Fri Mar 6 13:33:30:652517 2020) [[sssd[p11_child[8855]]]] [main] (0x2000): Running with effective IDs: [0][0].
> (Fri Mar 6 13:33:30:652758 2020) [[sssd[p11_child[8855]]]] [main] (0x2000): Running with real IDs [0][0].
> (Fri Mar 6 13:33:30:710650 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): Default Module List:
> (Fri Mar 6 13:33:30:710904 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): common name: [NSS Internal PKCS #11 Module].
> (Fri Mar 6 13:33:30:711013 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): dll name: [(null)].
> (Fri Mar 6 13:33:30:711116 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): Dead Module List:
> (Fri Mar 6 13:33:30:711218 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): DB Module List:
> (Fri Mar 6 13:33:30:711320 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): common name: [NSS Internal Module].
> (Fri Mar 6 13:33:30:711434 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): dll name: [(null)].
> (Fri Mar 6 13:33:30:711564 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): common name: [Policy File].
> (Fri Mar 6 13:33:30:711768 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): dll name: [(null)].
> (Fri Mar 6 13:33:30:711890 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> (Fri Mar 6 13:33:30:712016 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [9].
> (Fri Mar 6 13:33:30:712335 2020) [[sssd[p11_child[8855]]]] [do_card] (0x0040): No removable slots found.
> (Fri Mar 6 13:33:30:712448 2020) [[sssd[p11_child[8855]]]] [main] (0x0040): do_work failed.
> (Fri Mar 6 13:33:30:712595 2020) [[sssd[p11_child[8855]]]] [main] (0x0020): p11_child failed!
>
>
> BR,
> Hristina

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
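The procedure Sumit describes (raise debug_level in the [ssh] section, rerun sss_ssh_authorized_keys, then read sssd_ssh.log and p11_child.log) as an added example; this is not code from the thread and not SSSD's own tooling. It is a POSIX sh script that sets debug_level = 9 in the [ssh] section of an sssd.conf copy, idempotently, and filters a p11_child log down to the lines logged at SSSD's failure levels (0x0010 fatal, 0x0020 critical, 0x0040 operation, 0x0080 minor), so the cause stands out from the 0x0400..0x4000 trace noise. The sssd.conf and the log excerpt are constructed here (the log lines mirror the poster's output, the config mirrors the poster's certificate_verification setting, which sssd.conf(5) documents as testing-only since no_verification disables chain checking entirely); the script works on temporary files and does not restart sssd or call sss_ssh_authorized_keys, which the real procedure still needs.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD itself.
# Raises SSH-responder debugging in an sssd.conf copy and pulls the failure
# lines out of a p11_child log. All paths and sample data below are
# constructed for this demo; nothing here restarts sssd or talks to it.
set -eu

# add_ssh_debug CONF: ensure the [ssh] section of CONF carries
# "debug_level = 9". Idempotent: an existing debug_level in [ssh] is
# replaced, and a missing [ssh] section is appended at the end.
add_ssh_debug() {
    awk '
        /^\[/ {
            if (in_ssh && !seen) print "debug_level = 9"   # leaving [ssh] without one
            in_ssh = ($0 == "[ssh]")
            if (in_ssh) have_ssh = 1
        }
        in_ssh && /^[ \t]*debug_level[ \t]*=/ { print "debug_level = 9"; seen = 1; next }
        { print }
        END {
            if (in_ssh && !seen) print "debug_level = 9"   # [ssh] was the last section
            if (!have_ssh) { print ""; print "[ssh]"; print "debug_level = 9" }
        }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# conf_get CONF SECTION KEY: print KEY's value from [SECTION] (first hit only).
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# p11_failures LOG: print "function: message" for every line logged at a
# failure level (0x0010, 0x0020, 0x0040, 0x0080); trace lines are dropped.
p11_failures() {
    sed -n 's/^(.*) \[\[sssd\[.*]]] \[\([^]]*\)] (0x00[1248]0): *\(.*\)$/\1: \2/p' "$1"
}

# --- constructed sample input (mirrors the poster's settings and log) ---
workdir=$(mktemp -d)
SAMPLE_CONF=$workdir/sssd.conf
SAMPLE_LOG=$workdir/p11_child.log

cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
services = nss, pam, ssh
domains = example.test
# no_verification disables chain checking; sssd.conf(5) marks it testing-only
certificate_verification = no_ocsp, no_verification

[ssh]
EOF

cat > "$SAMPLE_LOG" <<'EOF'
(Fri Mar 6 13:33:30:652007 2020) [[sssd[p11_child[8855]]]] [main] (0x0400): p11_child started.
(Fri Mar 6 13:33:30:712335 2020) [[sssd[p11_child[8855]]]] [do_card] (0x0040): No removable slots found.
(Fri Mar 6 13:33:30:712448 2020) [[sssd[p11_child[8855]]]] [main] (0x0040): do_work failed.
(Fri Mar 6 13:33:30:712595 2020) [[sssd[p11_child[8855]]]] [main] (0x0020): p11_child failed!
EOF

add_ssh_debug "$SAMPLE_CONF"
echo "[sssd] certificate_verification: $(conf_get "$SAMPLE_CONF" sssd certificate_verification)"
echo "[ssh] debug_level: $(conf_get "$SAMPLE_CONF" ssh debug_level)"
echo "p11_child failures:"
p11_failures "$SAMPLE_LOG"
# On a real host: restart sssd, run "sss_ssh_authorized_keys <user>", then
# read /var/log/sssd/sssd_ssh.log and /var/log/sssd/p11_child.log.
```

Running add_ssh_debug twice leaves a single debug_level line, so it is safe to re-run while iterating; p11_failures prints the three failure lines from the sample and drops the trace line. Remember to turn debug_level back down, and certificate_verification back on, once the key lookup works.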
