[Freeipa-users] sssd not caching public keys in sss_authorized_keys file

Lukas Slebodnik lslebodn at redhat.com
Wed Jun 3 06:14:30 UTC 2015


On (02/06/15 15:25), nathan at nathanpeters.com wrote:
>I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the client is
>CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30).
>
>I have created a user in FreeIPA and he has access to a server through
>HBAC rules.  This user has created a public / private keypair and uploaded
>the public key from his personal machine to the IPA server so it shows up
>in his user record.  The record was saved and he successfully logged into
>the IPA client using the keys.
>
>According to the docs here (Yes, I know it's a little old but I could not
>find any newer info that conflicted with this) :
>https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/openssh-sssd.html
>
As you already noticed, it is quite old documentation.

>2.Stores the user key in a custom file, .ssh/sss_authorized_keys, in the
>standard authorized keys format.
>
There's a bug in the documentation.

>However, when he logs in, there is no sss_authorized_keys file created and
>as far as I can tell, the key is never cached in his account.
>
The better test would be to authenticate with ssh keys online,
so they can be fetched from FreeIPA,
then block the connection to FreeIPA (simulate offline state)
and re-test one more time.

>How do I get the keys to actually save on login like the manual says?
Keys are already cached in a different file, /var/lib/sss/pubconf/known_hosts.
See the RHEL 7 documentation [1].

The RHEL 7 documentation [1] should contain valid and recent information.
If you find any issues, please report them.

LS

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/System-Level_Authentication_Guide/index.html#openssh-sssd-hosts



