[Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

Martin Štefany martin at stefany.eu
Mon Jul 18 09:46:10 UTC 2016
On 7/18/2016 9:50 AM, Sumit Bose wrote:
> On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
>> On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
>>> On (16/07/16 10:19), Martin Štefany wrote:
>>>>
>>>> Hello Sumit,
>>>>
>>>> seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD
>>>> logs, but same problem: 'Error looking up public keys'.
>>>>
>>>> selinux-policy-3.13.1-191.fc24.3.noarch
>>>> selinux-policy-targeted-3.13.1-191.fc24.3.noarch
>>>> sssd-1.13.4-3.fc24.x86_64
>>>>
>>> Fedora 23 and Fedora 24 have the same version of sssd
>>> and almost the same version of openssh.
>>> I have no idea what could break it if there are not any AVCs.
>>>
>>>>
>>>> Using debug_level 0x0250 ::
>>>>
>>> For troubleshooting, it would be better to see all
>>> debug messages. (debug_level = 0xfff0)
>>
>> Hello Lukas,
>>
>> thanks for replying on this, here are debug_level = 0xfff0 messages
>>
>
> ...
>
>> (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020):
>> CERT_VerifyCertificateNow failed [-8179].
>> (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
>> cert_to_ssh_key failed.
>
> -8179 translates to "Peer's certificate issuer is not recognized."
> (http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html).
> This means the CA certificate which signed the certificate on the
> Smartcard is missing in /etc/pki/nssdb which is used by default by SSSD.
>
> Recent versions of IPA put IPA CA certificates only in /etc/ipa/nssdb,
> this might be the reason why you see this with F24.
>
> To fix this please either add the needed CA certificates to
> /etc/pki/nssdb with certutil or add 'ca_db = /etc/ipa/nssdb' to the
> [ssh] section of sssd.conf if /etc/ipa/nssdb already has all needed CA
> certificates to validate the Smartcard certificate.

Thank you!
Fixed for now by putting 'ca_db = /etc/ipa/nssdb' into the [ssh] section 
of sssd.conf, but the CA certificate is actually the one from the IPA CA, as 
this SSH key is generated from my userCertificate. Works like a charm.

Kind regards,
Martin

>
> I'm working on a fix for SSSD to handle this change
> automatically, but unfortunately it is not ready yet.
>
> HTH
>
> bye,
> Sumit
>
>>
>>>>
>>>> $ /usr/bin/sss_ssh_authorizedkeys martin
>>>> Error looking up public keys
>>>>
>>> And try to run strace with sss_ssh_authorizedkeys
>>>
>>> LS
>>
>> Martin

-- 
Martin
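An added diagnostic script (not part of the thread, and not SSSD's or IPA's own tooling) that checks the two things Sumit's explanation turns on: which NSS database sssd_ssh actually consults (ca_db in the [ssh] section, else the default /etc/pki/nssdb) and whether that database holds a trusted CA at all. The log-line format is the one Martin pasted; certutil's `-L` listing layout is assumed from current NSS.

```shell
#!/bin/sh
# Added example: find the NSS DB sssd_ssh validates certificates against
# and report whether it contains a CA that could satisfy
# CERT_VerifyCertificateNow (error -8179 = issuer not recognized).

# Print ca_db from the [ssh] section of the given sssd.conf, or SSSD's
# default /etc/pki/nssdb when the option is not set there.
effective_ca_db() {
    awk '
        /^[[:space:]]*\[/ { in_ssh = ($0 ~ /^[[:space:]]*\[ssh\][[:space:]]*$/); next }
        in_ssh && /^[[:space:]]*ca_db[[:space:]]*=/ {
            sub(/^[[:space:]]*ca_db[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, ""); print; found = 1; exit
        }
        END { if (!found) print "/etc/pki/nssdb" }
    ' "$1"
}

# Print the distinct NSS error codes from cert_to_ssh_key failures in a
# sssd_ssh.log (one per line), so a -8179 is easy to spot.
cert_errors_in_log() {
    grep -o 'CERT_VerifyCertificateNow failed \[-[0-9]*]' "$1" |
        sed 's/.*\[\(-[0-9]*\)].*/\1/' | sort -u
}

# Exit 0 if the NSS DB at $1 holds at least one certificate carrying the
# CA trust flag for SSL ("C" in the first trust column); 2 if certutil
# is not installed; 1 otherwise.
nssdb_has_trusted_ca() {
    command -v certutil >/dev/null 2>&1 || return 2
    certutil -L -d "sql:$1" 2>/dev/null |
        awk 'NR > 2 && $NF ~ /^C/ { found = 1 } END { exit !found }'
}

# Report which DB sssd_ssh uses and whether a trusted CA is present.
diagnose() {
    db=$(effective_ca_db "$1")
    echo "sssd_ssh validates certificates against: $db"
    nssdb_has_trusted_ca "$db"
    case $? in
        0) echo "OK: $db contains a trusted CA certificate" ;;
        2) echo "certutil not installed; cannot inspect $db" ;;
        *) echo "no trusted CA in $db: import the IPA CA with certutil -A,"
           echo "or set ca_db = /etc/ipa/nssdb in the [ssh] section of sssd.conf" ;;
    esac
}
```

Run as `diagnose /etc/sssd/sssd.conf` on the affected client; `cert_errors_in_log /var/log/sssd/sssd_ssh.log` needs the log written with debug_level high enough for the 0x0020 line to appear.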
