[Freeipa-users] Question on FreeIPA OpenSSH PubKey Authentication

Alexander Bokovoy abokovoy at redhat.com
Thu Aug 20 13:35:22 UTC 2015


On Thu, 20 Aug 2015, Yogesh Sharma wrote:
>Hi,
>
>I was reading this slide
>"https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf"
>
>to troubleshoot an issue which we are facing while getting IPA to allow users
>to use public key authentication, and had a few questions:
>
>1. Where does IPA store the user public keys? I can fetch them
>using sss_ssh_authorizedkeys, but it would be good if we could know from where
>it fetches the keys. Is it in the LDAP DB?
They are stored in the user entry in LDAP.

Use 'ipa user-show <user> --raw --all' to see it.


>2. When I registered new users with PubKey Authentication, some of them are
>working fine and some got prompted for a password (this also happens when we
>update their public key). This usually happens when either SSH is not able
>to pick the private key (id_rsa) or if there is some permission issue with
>the .ssh or authorized_keys file. I am trying to find out in the IPA environment
>why this is happening for certain users only, though it is picking the
>right private key on the client side. SSSD logs and secure logs do not have
>much to say except "authentication failed".
Private keys are used by the SSH client, so you can enable debugging output
when using the SSH client to see if it has issues with file system access.
This has nothing to do with FreeIPA at all.

>4. As per the above slide, OpenSSH Integration with SSSD Slide 2 says to
>add a known_hosts file with SSSD. However, neither the IPA client nor the IPA
>server has this:
>
>Configure ssh in /etc/ssh/ssh_config
>Get known_hosts from SSSD
>GlobalKnownHostsFile
>/var/lib/sss/pubconf/known_hosts
>ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
This part is automatically configured if you choose to configure SSSD
and SSSD has support for knownhostsproxy.

See ipa-client/ipa-install/ipa-client-install:configure_ssh_config() (or
directly in /sbin/ipa-client-install).


-- 
/ Alexander Bokovoy
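An added example, not part of the message above or of FreeIPA's own tooling: offline shell helpers for the three things discussed in the thread. They pull the ipasshpubkey values out of `ipa user-show <user> --raw --all` output (so the keys stored in the LDAP user entry can be listed and compared against what `sss_ssh_authorizedkeys <user>` hands to sshd), and they check an ssh_config file for the two SSSD known_hosts directives quoted from the slide. The user-show output, key material and config fragments below are constructed sample data; on a live host you would feed the real command output into the same functions.

```shell
#!/bin/sh
# Added example (not from the original message). All sample data is constructed.

# Constructed sample of what 'ipa user-show <user> --raw --all' prints for a
# user with two stored keys (the key blobs are placeholders, not real keys).
SAMPLE_USER_SHOW='  dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test
  uid: jdoe
  ipasshpubkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedKey1 jdoe@laptop
  ipasshpubkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKey2 jdoe@desktop
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test'

# Print the public keys stored in the user's LDAP entry, one per line.
# This is the data SSSD serves through sss_ssh_authorizedkeys.
extract_ipasshpubkey() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ipasshpubkey: //p'
}

# Number of stored keys. A user who gets a password prompt and has zero keys
# here has an enrollment problem, not an SSH client problem.
count_ipasshpubkey() {
    extract_ipasshpubkey "$1" | awk 'END { print NR }'
}

# Print keys present in the LDAP entry but absent from what SSSD currently
# hands out. Arg 1: key list from extract_ipasshpubkey; arg 2: the output of
# 'sss_ssh_authorizedkeys <user>'. A non-empty result points at SSSD (for
# example a stale cache after a key update) rather than at the client.
keys_missing_from_sssd() {
    ldap_tmp=$(mktemp)
    sssd_tmp=$(mktemp)
    printf '%s\n' "$1" | grep -v '^$' > "$ldap_tmp" || true
    # Drop blank lines so an empty pattern never matches everything.
    printf '%s\n' "$2" | grep -v '^$' > "$sssd_tmp" || true
    grep -vxF -f "$sssd_tmp" "$ldap_tmp" || true
    rm -f "$ldap_tmp" "$sssd_tmp"
}

# Check that an ssh_config file carries both SSSD known_hosts directives from
# the slide (the ones ipa-client-install's configure_ssh_config writes).
# Returns 0 when both are present, 1 otherwise.
check_sssd_knownhosts_config() {
    cfg="$1"
    grep -Eq '^[[:space:]]*GlobalKnownHostsFile[[:space:]]+/var/lib/sss/pubconf/known_hosts' "$cfg" || return 1
    grep -Eq '^[[:space:]]*ProxyCommand[[:space:]]+/usr/bin/sss_ssh_knownhostsproxy -p %p %h' "$cfg" || return 1
    return 0
}

# Stand-alone demo on the constructed data.
demo() {
    keys=$(extract_ipasshpubkey "$SAMPLE_USER_SHOW")
    echo "keys stored in LDAP: $(count_ipasshpubkey "$SAMPLE_USER_SHOW")"
    # Constructed: SSSD still serves only the first key after a key update.
    sssd_out='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedKey1 jdoe@laptop'
    echo "keys SSSD does not serve yet:"
    keys_missing_from_sssd "$keys" "$sssd_out"
    cfg=$(mktemp)
    printf '%s\n' 'Host *' \
        '  GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts' \
        '  ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h' > "$cfg"
    if check_sssd_knownhosts_config "$cfg"; then
        echo "ssh_config: SSSD known_hosts directives present"
    else
        echo "ssh_config: SSSD known_hosts directives missing"
    fi
    rm -f "$cfg"
}

[ "${SSSD_DEMO_SKIP:-}" = "1" ] || demo
```

On a real client the same checks become `ipa user-show "$u" --raw --all | ...` for the LDAP side and `sss_ssh_authorizedkeys "$u"` for the SSSD side; if the two agree and the user is still prompted for a password, the remaining suspects are on the client, as the reply says (run `ssh -vvv` to see which identity files it tries and whether it can read them).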
