[Freeipa-users] Freeipa -ssh keys

Alexander Bokovoy abokovoy at redhat.com
Fri Apr 26 11:58:52 UTC 2013


On Fri, 26 Apr 2013, naresh reddy wrote:
>Hi Alexander
>
>Thank you very much it worked.
>It's fantastic and I really appreciate your help.
> 
>But this scenario is to use the Kerberos ticket each time to log in.
>
>What we are trying to establish is:
>users will have private and public SSH keys,
>public SSH keys will be updated to the FreeIPA server, and
>
>then users will connect to the remote servers via the private SSH
>keys; remote servers need to authenticate via the keys received from
>the FreeIPA server.
>
>
>But the present working condition doesn't satisfy this, as the user needs to
>get the Kerberos ticket every lifetime.
I think you mix two different approaches.

In your debug log below:
>debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
This means public key can be used to authenticate, along with GSSAPI and
plain password.

However, your issue is in the fact that you did not set up sshd to use
sss_ssh_authorizedkeys properly -- you missed the fact that both
    AuthorizedKeysCommand and AuthorizedKeysCommandUser
should be configured and AuthorizedKeysCommand should only get the path
to the sss_ssh_authorizedkeys utility.

Add

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

And it should work, works for me on Fedora 19.

There is one issue: 'AuthorizedKeysCommandUser' is a new option in
recent OpenSSH (6.2) and did not exist before. We have a patch to support
it already, but it is not merged yet. In OpenSSH before 6.2 there was no
support for AuthorizedKeysCommand, and there was a Fedora/RHEL patch to add it. As
the patch evolved, first the user under which the command is run was
separated into the AuthorizedKeysCommandRunAs option, and later upstream changed it
to AuthorizedKeysCommandUser.

Thus, we have three different types of OpenSSH versions and a bit of
configuration mess.

-- 
/ Alexander Bokovoy
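As an added example (not code from this thread, nor from FreeIPA or SSSD), a small bash audit that reads an sshd_config and checks the two directives Alexander names, recognising the three OpenSSH variants he lists: AuthorizedKeysCommandUser (6.2+), the older Fedora/RHEL AuthorizedKeysCommandRunAs, and a config with neither. The helper names are mine and the script assumes a plain file with no Match blocks.

```bash
#!/usr/bin/env bash
# Constructed example: audit sshd_config for the SSSD authorized-keys setup.
# Assumes a flat sshd_config (Match blocks are not interpreted).

# First active value of a directive; sshd honours the first occurrence.
sshd_opt() {
    awk -v key="$1" 'tolower($1)==tolower(key) {print $2; exit}' "$2"
}

# Field count of the first active line, to detect arguments after the path.
sshd_opt_nf() {
    awk -v key="$1" 'tolower($1)==tolower(key) {print NF; exit}' "$2"
}

# Returns 0 if sshd would consult sss_ssh_authorizedkeys, 1 otherwise.
check_sss_authorizedkeys() {
    local cfg="$1"
    local cmd nf user runas
    cmd=$(sshd_opt AuthorizedKeysCommand "$cfg")
    nf=$(sshd_opt_nf AuthorizedKeysCommand "$cfg")
    user=$(sshd_opt AuthorizedKeysCommandUser "$cfg")
    runas=$(sshd_opt AuthorizedKeysCommandRunAs "$cfg")

    if [ -z "$cmd" ]; then
        echo "MISSING: AuthorizedKeysCommand not set; sshd never asks SSSD for keys"
        return 1
    fi
    case "$cmd" in
        */sss_ssh_authorizedkeys) ;;
        *) echo "WRONG: AuthorizedKeysCommand is '$cmd', not sss_ssh_authorizedkeys"; return 1 ;;
    esac
    if [ "${nf:-0}" -gt 2 ]; then
        echo "WRONG: AuthorizedKeysCommand must be only the path, found extra arguments"
        return 1
    fi
    if [ -n "$user" ]; then
        echo "OK: OpenSSH 6.2+ style, command runs as '$user'"
    elif [ -n "$runas" ]; then
        echo "OK: Fedora/RHEL patched style (RunAs '$runas'); use AuthorizedKeysCommandUser on 6.2+"
    else
        echo "MISSING: no AuthorizedKeysCommandUser (or RunAs); sshd skips the command"
        return 1
    fi
}

# Usage: ./check.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    check_sss_authorizedkeys "$1"
fi
```

Run it against /etc/ssh/sshd_config on the server that rejects the key; `sshd -T` output can be fed in the same way if the config uses Match blocks.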