[Freeipa-users] Question on FreeIPA OpenSSH PubKey Authentication

Yogesh Sharma yks0000 at gmail.com
Thu Aug 20 13:19:10 UTC 2015


Hi,

I was reading this slide "
https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf"

to troubleshoot an issue which we are facing while IPA to allow user using
public key authentication, and had a few questions:

1. Where does IPA store the user public keys? I can fetch them
using sss_ssh_authorizedkeys, but it would be good if we could know where
it fetches the keys from. Is it in the LDAP DB?

2. When I registered new users with PubKey authentication, some of them are
working fine and some got prompted for a password (this also happens when we
update their public key). This usually happens when either SSH is not able
to pick the private key (id_rsa) or there is some permission issue with
.ssh or the authorized_keys file. I am trying to find out why, in the IPA
environment, this is happening for certain users only though it is picking the
right private_key and client side. SSSD logs and secure logs do not have
much to say except authentication failed.

3. I have checked the sshd config and there does not seem to be an issue.

KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

4. As per the above slide, "OpenSSH Integration with SSSD", slide 2 says to
add the known_hosts file with SSSD. However, neither the IPA client nor the IPA
server has this:

Configure ssh in /etc/ssh/ssh_config
Get known_hosts from SSSD
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h




A suggestion can really help us move forward.






*Best Regards,*

*__________________________________________*

*Yogesh Sharma*
*Email: yks0000 at gmail.com <yks0000 at gmail.com> | Web: www.initd.in
<http://www.initd.in/> *

*RHCE, VCE-CIA, RACKSPACE CLOUD U Certified*

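An added example, not part of the original post, for the symptom in question 2: it checks that each key line served for a user is well formed and compares its fingerprint with the client's public key. The function names and sample keys are constructed for illustration; in practice the inputs would be the contents of the client's .pub file and the output of sss_ssh_authorizedkeys for that user.

```python
import base64
import hashlib
import struct

def _blob(key_type, body):
    """Build an SSH wire-format public key blob (used only for sample data)."""
    t = key_type.encode()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(body)) + body

def check_line(line):
    """Validate one '<type> <base64> [comment]' line; return (fingerprint, problem)."""
    fields = line.split()  # assumes no options prefix before the key type
    if len(fields) < 2:
        return None, "expected '<type> <base64> [comment]'"
    declared, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None, "base64 blob is damaged (wrapped or truncated on upload?)"
    if len(blob) < 4:
        return None, "blob too short"
    # The blob starts with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != declared:
        return None, f"declared type {declared!r} != embedded type {embedded!r}"
    # OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256(blob).
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("="), None

def diagnose(client_pub, served_output):
    """Compare the client's public key with the keys served for the user."""
    want, problem = check_line(client_pub)
    if problem:
        return "client key unusable: " + problem
    problems = []
    for line in filter(None, map(str.strip, served_output.splitlines())):
        got, problem = check_line(line)
        if got == want:
            return "match " + want
        if problem:
            problems.append(problem)
    return "no match; " + ("; ".join(problems) or "served keys differ from client key")

# Constructed sample data: well-formed blobs, not real keys.
GOOD = "ssh-ed25519 " + base64.b64encode(_blob("ssh-ed25519", bytes(range(32)))).decode()
OTHER = "ssh-ed25519 " + base64.b64encode(_blob("ssh-ed25519", bytes(32))).decode()
```

A "no match" result for an affected user points at the stored key rather than at sshd or file permissions.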