[Freeipa-users] sssd not caching public keys in sss_authorized_keys file

nathan at nathanpeters.com
Wed Jun 3 16:57:29 UTC 2015


Comments inline

> On (02/06/15 15:25), nathan at nathanpeters.com wrote:
>>I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the client is
>>CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30).
>>
>>I have created a user in FreeIPA and he has access to a server through
>>HBAC rules.  This user has created a public / private keypair and uploaded
>>the public key from his personal machine to the IPA server so it shows up
>>in his user record.  The record was saved and he successfully logged into
>>the IPA client using the keys.
>>
>>According to the docs here (Yes, I know it's a little old but I could not
>>find any newer info that conflicted with this) :
>>https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/openssh-sssd.html
>>
> As you already noticed, it is quite old documentation.
>
>>2.Stores the user key in a custom file, .ssh/sss_authorized_keys, in the
>>standard authorized keys format.
>>
> There's a bug in the documentation.
>
>>However, when he logs in, there is no sss_authorized_keys file created and
>>as far as I can tell, the key is never cached in his account.
>>
> The better test would be to authenticate with ssh keys online,
> so they can be fetched from FreeIPA,
> then block the connection to FreeIPA (simulate offline state)
> and re-test one more time.

Ok, so I looked at the newer documentation you linked below (RH7 version)
and it makes the exact same statement "Stores the user key in a custom
file, .ssh/sss_authorized_keys, in the standard authorized keys format. "

Are you saying the newer documentation is also bugged?

Unfortunately, that type of test will not be conclusive for the people I
am trying to convince.  They want me to actually show them the file on
disk where that thing is cached to prove that if the machine was rebooted,
and the ipa connection is lost, that key was not only in memory somewhere
but actually saved to storage.

>
>>How do I get the keys to actually save on login like the manual says?
> Keys are already cached in different file
> /var/lib/sss/pubconf/known_hosts.
> @see rhel7 documentation [1]

The known_hosts file does not sound like the right place.  It has a
completely different function of caching host keys for when I make an
outgoing connection from the server for the purpose of verifying someone
is not spoofing a host, not for caching individual user keys for
passwordless login for when I'm trying to make an ingoing connection to
the server.

In addition, you can see from my search below that there is no
sss_authorized_keys file anywhere on the server and that the known_hosts
file you referenced has no data in it because it is zero size.

[root at ipaclient sss]# find / -name sss_authorized_keys
[root at ipaclient sss]# cd pubconf
[root at ipaclient pubconf]# ls -al
total 16
drwxr-xr-x 3 root root 4096 Jun  3 16:42 .
drwxr-xr-x 6 root root 4096 May 27 22:49 ..
-rw-r--r-- 1 root root   11 Jun  3 16:42 kdcinfo.MYDOMAIN.NET
-rw-r--r-- 1 root root    0 Jun  2 16:05 known_hosts
drwxr-xr-x 2 root root 4096 May 28 01:13 krb5.include.d
[root at ipaclient pubconf]#

So... I am still looking for the actual location on disk that this is
apparently being cached and cannot find it.


>
> rhel7 documentation[1] should contain valid and recent information.
> If you found any issues please report them.
>
> LS
>
> [1]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/System-Level_Authentication_Guide/index.html#openssh-sssd-hosts
>