Public bug reported:
After deploying a replacement machine where all setup has been
previously automatically orchestrated and is known to work, the
following error is encountered and login is impossible:
root@bastion01:~# /usr/bin/sss_ssh_authorizedkeys minfrin
Error looking up public keys
The error message "Error looking up public keys" is completely hopeless.
What is the error?
Going off on a bug hunt, we look in /var/log/auth.log, where we find
this:
Mar 16 21:40:24 bastion01 sshd[1492]: Invalid user minfrin from x.x.x.x port 39038
Mar 16 21:40:24 bastion01 sshd[1492]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
Mar 16 21:40:24 bastion01 sshd[1492]: Connection closed by invalid user minfrin x.x.x.x port 39038 [preauth]
Mar 16 21:40:25 bastion01 sshd[1494]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
The key is an ssh-rsa key, so the message "key type ssh-dss not in
PubkeyAcceptedKeyTypes" makes no sense whatsoever, and looks like a bug
in itself.
Next step, jack up the debug level:
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Inappropriate authentication(48), Anonymous access is not allowed.
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Inappropriate authentication(48), Anonymous access is not allowed.
This makes no sense - this host binds to LDAP with a client certificate,
where on earth is "Anonymous access is not allowed" coming from?
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sdap_op_destructor] (0x2000): Operation 1 finished
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [5]: Input/output error
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sdap_get_server_opts_from_rootdse] (0x0200): No known USN scheme is supported by this server!
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sdap_get_server_opts_from_rootdse] (0x0200): Will use modification timestamp as usn!
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1584395707
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: EXTERNAL, user: (null)
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-6)[Unknown authentication method]
Unknown authentication method without telling us which authentication
method.
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-4): no mechanism available: ]
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158226]: Authentication Failed
The error handling is a complete mess.
At the lowest level, we have what looks like a vaguely specified SASL
error. This then triggers a completely inaccurate error about anonymous
access on a client that is not configured to connect anonymously. Then
we have an error message about ssh-dss keys when ssh-dss keys are not in
use. Then we finally have the useless message "Error looking up public
keys".
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: sssd-common 1.16.1-1ubuntu1.5
ProcVersionSignature: Ubuntu 4.15.0-1063.67-aws 4.15.18
Uname: Linux 4.15.0-1063-aws x86_64
ApportVersion: 2.20.9-0ubuntu7.11
Architecture: amd64
Date: Mon Mar 16 21:43:16 2020
Ec2AMI: ami-04cc79dd5df3bffca
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: eu-west-2a
Ec2InstanceType: t2.micro
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: sssd
UpgradeStatus: No upgrade log present (probably fresh install)
** Affects: sssd (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug bionic ec2-images
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1867688
Title:
Vague error message: sss_ssh_authorizedkeys: Error looking up public
keys
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
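An added example, not part of the bug report and not sssd code: a small Python triage script that reads the sssd domain-log lines quoted in the report (re-joined onto one line each, embedded as constructed sample input), ranks failures by SSSD debug level (0x0010 fatal, 0x0020 critical, 0x0040 serious, 0x0080 minor), and reports the most severe failure together with the SASL mechanism that function was attempting and its extended failure text. The "Anonymous access is not allowed" line is thereby reported as the first symptom, not the cause; the function and field names below are the example's own.

```python
import re
from collections import namedtuple

# Constructed sample input: the sssd_LDAP.log lines quoted in the bug report,
# re-joined onto one line each (mail wrapping removed).
SAMPLE_LOG = """\
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Inappropriate authentication(48), Anonymous access is not allowed.
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Inappropriate authentication(48), Anonymous access is not allowed.
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [5]: Input/output error
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: EXTERNAL, user: (null)
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-6)[Unknown authentication method]
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-4): no mechanism available: ]
(Mon Mar 16 21:40:07 2020) [sssd[be[LDAP]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158226]: Authentication Failed
"""
# One sssd log line: "(timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>.*?)\]\] \[(?P<func>[^\]]+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
MECH_RE = re.compile(r"Executing sasl bind mech: (\S+),")
EXT_RE = re.compile(r"Extended failure message: \[(.*)\]")
FAILURE_MAX = 0x0080  # SSSD levels: 0x0010 fatal, 0x0020 critical, 0x0040 serious, 0x0080 minor
Entry = namedtuple("Entry", "ts func level msg")

def parse(text):
    """Parse log text into Entry tuples, skipping lines that do not match the format."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Entry(m["ts"], m["func"], int(m["level"], 16), m["msg"]))
    return out

def triage(text):
    """Return the most severe failure (earliest wins ties) plus the SASL mechanism
    being attempted and the extended failure text logged by the same function."""
    entries = parse(text)
    failures = [(i, e) for i, e in enumerate(entries) if e.level <= FAILURE_MAX]
    if not failures:
        return None
    idx, cause = min(failures, key=lambda ie: ie[1].level)  # min keeps the first of equals
    before = (e for e in reversed(entries[:idx]) if e.func == cause.func)
    after = (e for e in entries[idx + 1:] if e.func == cause.func)
    mech = next((m.group(1) for e in before if (m := MECH_RE.search(e.msg))), None)
    detail = next((m.group(1).strip() for e in after if (m := EXT_RE.search(e.msg))), None)
    return {"first_failure": failures[0][1].msg, "function": cause.func, "level": cause.level,
            "root_cause": cause.msg, "mechanism": mech, "detail": detail}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:14}: {value}")
```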