[Freeipa-users] sssd not caching public keys in sss_authorized_keys file

Lukas Slebodnik lslebodn at redhat.com
Thu Jun 4 07:24:20 UTC 2015


On (03/06/15 11:48), nathan at nathanpeters.com wrote:
>> On Wed, 2015-06-03 at 09:57 -0700, nathan at nathanpeters.com wrote:
>>> Comments inline
>>>
>>> > On (02/06/15 15:25), nathan at nathanpeters.com wrote:
>>> >>I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the
>>> client
>>> >> is
>>> >>CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30).
>>> >>
>>> >>I have created a user in FreeIPA and he has access to a server through
>>> >>HBAC rules.  This user has created a public / private keypair and
>>> >> uploaded
>>> >>the public key from his personal machine to the IPA server so it shows
>>> up
>>> >>in his user record.  The record was saved and he successfully logged
>>> into
>>> >>the IPA client using the keys.
>>> >>
>>> >>According to the docs here (Yes, I know it's a little old but I could
>>> not
>>> >>find any newer info that conflicted with this) :
>>> >>https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/openssh-sssd.html
>>> >>
>>> > As you already noticed, it is quite old documentation.
>>> >
>>> >>2.Stores the user key in a custom file, .ssh/sss_authorized_keys, in
>>> the
>>> >>standard authorized keys format.
>>> >>
>>> > There's a bug in the documentation.
>>> >
>>> >>However, when he logs in, there is no sss_authorized_keys file created
>>> >> and
>>> >>as far as I can tell, the key is never cached in his account.
>>> >>
>>> > The better test would be to authenticate with ssh keys online,
>>> > so they can be fetched from FreeIPA
>>> > then block connection to FreeIPA (simulate offline state)
>>> > and re-test one more time.
>>>
>>> Ok, so I looked at the newer documentation you linked below (RH7
>>> version)
>>> and it makes the exact same statement "Stores the user key in a custom
>>> file, .ssh/sss_authorized_keys, in the standard authorized keys format.
>>> "
>>>
>>> Are you saying the newer documentation is also bugged?
>>>
>>> Unfortunately, that type of test will not be conclusive for the people I
>>> am trying to convince.  They want me to actually show them the file on
>>> disk where that thing is cached to prove that if the machine was
>>> rebooted,
>>> and the ipa connection is lost, that key was not only in memory
>>> somewhere
>>> but actually saved to storage.
>>>
>>> >
>>> >>How do I get the keys to actually save on login like the manual says?
>>> > Keys are already cached in a different file
>>> > /var/lib/sss/pubconf/known_hosts.
>>> > @see rhel7 documentation [1]
>>>
>>> The known_hosts file does not sound like the right place. It has a
>>> completely different function of caching host keys for when I make an
>>> outgoing connection from the server for the purpose of verifying someone
>>> is not spoofing a host, not for caching individual user keys for
>>> passwordless login for when I'm trying to make an ingoing connection to
>>> the server.
>>>
>>> In addition, you can see from my search below that there is no
>>> sss_authorized_keys file anywhere on the server and that the known_hosts
>>> file you referenced has no data in it because it is zero size.
>>>
>>> [root at ipaclient sss]# find / -name sss_authorized_keys
>>> [root at ipaclient sss]# cd pubconf
>>> [root at ipaclient pubconf]# ls -al
>>> total 16
>>> drwxr-xr-x 3 root root 4096 Jun  3 16:42 .
>>> drwxr-xr-x 6 root root 4096 May 27 22:49 ..
>>> -rw-r--r-- 1 root root   11 Jun  3 16:42 kdcinfo.MYDOMAIN.NET
>>> -rw-r--r-- 1 root root    0 Jun  2 16:05 known_hosts
>>> drwxr-xr-x 2 root root 4096 May 28 01:13 krb5.include.d
>>> [root at ipaclient pubconf]#
>>>
>>> So... I am still looking for the actual location on disk that this is
>>> apparently being cached and cannot find it.
>>
>> You won't find a "file" because user's public keys are not stored in a
>> file.
>> They are stored in the ldb cache with all other user information, and
>> then extracted from the cache (or queried from the server if online and
>> the cache is expired) on request.
>>
>> You can use the ldbsearch tool against the sssd ldb cache file and look
>> for entries with the sshPublicKey attribute.
>>
>> HTH,
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>
>Oh this is great information.  Thank you.
>
>It appears that the documentation should state that the user keys are
>cached not in .ssh/sss_authorized_keys
I didn't notice it in the documentation. We fixed the info about known_hosts.
Thank you for the report.

>but actually in
>/var/lib/sss/db/cache_yourdomain.ldb as I was able to search and
>successfully find the user key by running 'ldbsearch -H
>cache_mydomain.net.ldb  sshPublicKey'
A simpler way to check the cached public SSH key is to use the same utility as
sssd/sshd:

# go offline and run next command.
sh$ sss_ssh_authorizedkeys usersssd

LS
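Added example (not code from this thread, from SSSD or from FreeIPA): the test Lukas describes above, and the answer to Simo's point that the keys live in the ldb cache rather than in a file, written as a small POSIX sh script. It asks sssd for a user's keys exactly the way sshd does (through sss_ssh_authorizedkeys) and checks that a specific key is among them, so the same call can be made once online and once with the IPA server blocked. The user name alice, the key type and the key blobs are constructed for the example; the only real tool it assumes is sss_ssh_authorizedkeys on the client.

```shell
#!/bin/sh
# Added example, not from the thread or from SSSD. Verify that a FreeIPA user's
# SSH public key is served by sssd, first online and then with the IPA server
# unreachable. Names and key material below are constructed.

# key_present KEYS TYPE BLOB
# Return 0 if a line of KEYS (authorized_keys format, as printed by
# sss_ssh_authorizedkeys) carries exactly key TYPE and base64 BLOB, else 1.
# Comments and blank lines are skipped; the trailing comment field of a key is
# not compared, so a key that was merely renamed still matches.
key_present() {
    printf '%s\n' "$1" | awk -v t="$2" -v b="$3" '
        NF == 0 || /^[[:space:]]*#/ { next }   # skip blank lines and comments
        $1 == t && $2 == b          { found = 1 }
        END                         { exit found ? 0 : 1 }'
}

# count_keys KEYS -> number of key lines sshd would actually consider
count_keys() {
    printf '%s\n' "$1" | awk 'NF && !/^[[:space:]]*#/ { n++ } END { print n + 0 }'
}

# cached_key_check USER TYPE BLOB
# Query sssd for USER's keys and report whether the expected key is present.
# Run it while online, then again with the connection to the IPA server blocked:
# if the second run still says OK, the key came out of sssd's cache under
# /var/lib/sss/db, not from the server.
cached_key_check() {
    keys=$(sss_ssh_authorizedkeys "$1" 2>/dev/null) || {
        echo "sss_ssh_authorizedkeys failed for $1 (not installed, or sssd not running?)" >&2
        return 2
    }
    if key_present "$keys" "$2" "$3"; then
        echo "OK: $2 key for $1 returned by sssd ($(count_keys "$keys") key(s) total)"
    else
        echo "MISSING: $2 key for $1 not returned by sssd" >&2
        return 1
    fi
}

# --- stand-alone demonstration on constructed sss_ssh_authorizedkeys output ---
# Both blobs are made-up strings, not real public keys.
SAMPLE_ED25519_BLOB='AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotRealMaterial'
SAMPLE_RSA_BLOB='AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedSampleRsaKeyNotReal'
SAMPLE_KEYS="# keys for alice, as sss_ssh_authorizedkeys would print them
ssh-ed25519 $SAMPLE_ED25519_BLOB alice@laptop
ssh-rsa $SAMPLE_RSA_BLOB alice@desktop"

if key_present "$SAMPLE_KEYS" ssh-ed25519 "$SAMPLE_ED25519_BLOB"; then
    echo "sample: ed25519 key found ($(count_keys "$SAMPLE_KEYS") keys total)"
fi
# On a real client: cached_key_check alice ssh-ed25519 "$SAMPLE_ED25519_BLOB"
```

For the colleagues who want to see the on-disk copy, the persisted record is the `sshPublicKey` attribute in `/var/lib/sss/db/cache_yourdomain.ldb`, which is what Nathan's `ldbsearch -H cache_mydomain.net.ldb sshPublicKey` query reads; the script above only shows that sshd's own lookup path still answers while the server is unreachable, which is the behaviour that matters on a reboot.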
