[Freeipa-users] sssd not caching public keys in sss_authorized_keys file

nathan at nathanpeters.com nathan at nathanpeters.com
Wed Jun 3 18:48:43 UTC 2015


> On Wed, 2015-06-03 at 09:57 -0700, nathan at nathanpeters.com wrote:
>> Comments inline
>>
>> > On (02/06/15 15:25), nathan at nathanpeters.com wrote:
>> >>I am running FreeIPA 4.1.3 on CentOS 7 for the server, and the client is
>> >>CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30).
>> >>
>> >>I have created a user in FreeIPA and he has access to a server through
>> >>HBAC rules.  This user has created a public / private keypair and uploaded
>> >>the public key from his personal machine to the IPA server so it shows up
>> >>in his user record.  The record was saved and he successfully logged into
>> >>the IPA client using the keys.
>> >>
>> >>According to the docs here (Yes, I know it's a little old but I could not
>> >>find any newer info that conflicted with this):
>> >>https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/openssh-sssd.html
>> >>
>> > As you already noticed, it is quite old documentation.
>> >
>> >>2. Stores the user key in a custom file, .ssh/sss_authorized_keys, in the
>> >>standard authorized keys format.
>> >>
>> > There's a bug in the documentation.
>> >
>> >>However, when he logs in, there is no sss_authorized_keys file created and
>> >>as far as I can tell, the key is never cached in his account.
>> >>
>> > The better test would be to authenticate with ssh keys online,
>> > so they can be fetched from FreeIPA,
>> > then block the connection to FreeIPA (simulate the offline state)
>> > and re-test one more time.
>>
>> Ok, so I looked at the newer documentation you linked below (RH7 version)
>> and it makes the exact same statement: "Stores the user key in a custom
>> file, .ssh/sss_authorized_keys, in the standard authorized keys format."
>>
>> Are you saying the newer documentation is also bugged?
>>
>> Unfortunately, that type of test will not be conclusive for the people I
>> am trying to convince.  They want me to actually show them the file on
>> disk where that thing is cached to prove that if the machine was rebooted,
>> and the ipa connection is lost, that key was not only in memory somewhere
>> but actually saved to storage.
>>
>> >
>> >>How do I get the keys to actually save on login like the manual says?
>> > Keys are already cached in a different file
>> > /var/lib/sss/pubconf/known_hosts.
>> > @see rhel7 documentation [1]
>>
>> The known_hosts file does not sound like the right place.  It has a
>> completely different function of caching host keys for when I make an
>> outgoing connection from the server for the purpose of verifying someone
>> is not spoofing a host, not for caching individual user keys for
>> passwordless login for when I'm trying to make an ingoing connection to
>> the server.
>>
>> In addition, you can see from my search below that there is no
>> sss_authorized_keys file anywhere on the server and that the known_hosts
>> file you referenced has no data in it because it is zero size.
>>
>> [root at ipaclient sss]# find / -name sss_authorized_keys
>> [root at ipaclient sss]# cd pubconf
>> [root at ipaclient pubconf]# ls -al
>> total 16
>> drwxr-xr-x 3 root root 4096 Jun  3 16:42 .
>> drwxr-xr-x 6 root root 4096 May 27 22:49 ..
>> -rw-r--r-- 1 root root   11 Jun  3 16:42 kdcinfo.MYDOMAIN.NET
>> -rw-r--r-- 1 root root    0 Jun  2 16:05 known_hosts
>> drwxr-xr-x 2 root root 4096 May 28 01:13 krb5.include.d
>> [root at ipaclient pubconf]#
>>
>> So... I am still looking for the actual location on disk that this is
>> apparently being cached and cannot find it.
>
> You won't find a "file" because users' public keys are not stored in a
> file.
> They are stored in the ldb cache with all other user information, and
> then extracted from the cache (or queried from the server if online and
> the cache is expired) on request.
>
> You can use the ldbsearch tool against the sssd ldb cache file and look
> for entries with the sshPublicKey attribute.
>
> HTH,
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

Oh, this is great information.  Thank you.

It appears that the documentation should state that the user keys are
cached not in .ssh/sss_authorized_keys but actually in
/var/lib/sss/db/cache_yourdomain.ldb, as I was able to search and
successfully find the user key by running 'ldbsearch -H
cache_mydomain.net.ldb sshPublicKey'.
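As an added check (not code from this thread, nor from sssd or FreeIPA), here is a script that parses the LDIF that ldbsearch prints for the cache file named above and confirms that a given user's key is really on disk, including values that ldb folds across lines or emits base64-encoded (`attr:: value`). The ldbsearch filter and attribute arguments, the sysdb attribute names `name` and `sshPublicKey`, and the two sample records are assumptions or constructed; on newer sssd releases the cached name may be fully qualified (user@domain).

```python
import base64
import subprocess
def parse_ldif(text):
    """Parse ldbsearch LDIF output into a list of {attr: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded line: LDIF wraps long values with a leading space
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip() or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(": ")
        if not sep:
            continue
        if attr.endswith(":"):  # "attr:: value" means the value is base64-encoded
            attr, value = attr[:-1], base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    return entries

def cached_ssh_keys(entries, username):
    """sshPublicKey values cached for the entry whose sysdb 'name' equals username."""
    return [k for e in entries if username in e.get("name", [])
            for k in e.get("sshPublicKey", [])]

def key_is_cached(entries, username, authorized_key_line):
    """True if the key type and blob (comment ignored) match one of the cached keys."""
    wanted = authorized_key_line.split()[:2]
    return any(k.split()[:2] == wanted for k in cached_ssh_keys(entries, username))

def query_cache(domain):
    """Run ldbsearch as root against the on-disk cache; filter/attrs are assumed usage."""
    path = f"/var/lib/sss/db/cache_{domain}.ldb"
    proc = subprocess.run(["ldbsearch", "-H", path, "(sshPublicKey=*)", "name", "sshPublicKey"],
                          check=True, capture_output=True, text=True)
    return parse_ldif(proc.stdout)
# Constructed sample shaped like ldbsearch output: one folded value, one base64 value.
ALICE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKeyBytesForTest alice@laptop"
SAMPLE_LDIF = (
    "# record 1\ndn: name=nathan,cn=users,cn=mydomain.net,cn=sysdb\nname: nathan\n"
    "sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7\n constructedkey nathan@laptop\n\n"
    "# record 2\ndn: name=alice,cn=users,cn=mydomain.net,cn=sysdb\nname: alice\n"
    "sshPublicKey:: " + base64.b64encode(ALICE_KEY.encode()).decode() + "\n\n# returned 2 records\n"
)
```

Run `key_is_cached(query_cache("mydomain.net"), "nathan", open(...).read())` with the user's public key file after blocking the IPA connection to show the key is served from the on-disk cache.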
