[Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

Rob Crittenden rcritten at redhat.com
Mon Jul 18 13:54:37 UTC 2016


Sumit Bose wrote:
> On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
>> On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
>>> On (16/07/16 10:19), Martin Štefany wrote:
>>>>
>>>> Hello Sumit,
>>>>
>>>> seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD
>>>> logs, but same problem: 'Error looking up public keys'.
>>>>
>>>> selinux-policy-3.13.1-191.fc24.3.noarch
>>>> selinux-policy-targeted-3.13.1-191.fc24.3.noarch
>>>> sssd-1.13.4-3.fc24.x86_64
>>>>
>>> Fedora 23 and Fedora 24 have the same version of sssd
>>> and almost the same version of openssh.
>>> I have no idea what could break it if there are not any AVCs.
>>>
>>>>
>>>> Using debug_level 0x0250 ::
>>>>
>>> For troubleshooting, it would be better to see all
>>> debug messages. (debug_level = 0xfff0)
>>
>> Hello Lukas,
>>
>> thanks for replying on this, here are debug_level = 0xfff0 messages
>>
>
> ...
>
>> (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020):
>> CERT_VerifyCertificateNow failed [-8179].
>> (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
>> cert_to_ssh_key failed.
>
> -8179 translates to "Peer's certificate issuer is not recognized."
> (http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html).
> This means the CA certificate which signed the certificate on the
> Smartcard is missing in /etc/pki/nssdb which is used by default by SSSD.
>
> Recent versions of IPA put IPA CA certificates only in /etc/ipa/nssdb,
> this might be the reason why you see this with F24.
>
> To fix this please either add the needed CA certificates to
> /etc/pki/nssdb with certutil or add 'ca_db = /etc/ipa/nssdb' to the
> [ssh] section of sssd.conf if /etc/ipa/nssdb already has all needed CA
> certificates to validate the Smartcard certificate.
>
> I'm working on a fix for SSSD to handle this change
> automatically, but unfortunately it is not ready yet.

The client installer should be adding the IPA CA to the system 
certificate store which should be picked up automagically by OpenSSL and 
NSS applications. I think I'd start there to see if that happened.

rob
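Added example, not from the thread or from SSSD/FreeIPA: a small check for Sumit's diagnosis, parsing a `certutil -L` listing of the NSS database the ssh responder uses to confirm the signing CA is present with CA trust, and printing the `certutil -A` command otherwise. The paths /etc/pki/nssdb and /etc/ipa/ca.crt and the nickname "IPA CA" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether the CA that signed the
# smartcard certificate is present with CA trust in the NSS database SSSD's ssh
# responder uses (default /etc/pki/nssdb). Paths and the nickname are assumptions.
NSSDB="${NSSDB:-/etc/pki/nssdb}"
CA_FILE="${CA_FILE:-/etc/ipa/ca.crt}"
CA_NICK="${CA_NICK:-IPA CA}"

# has_trusted_ca NICK: reads a `certutil -L` listing on stdin; returns 0 when NICK
# is present and the SSL part of its trust string contains "C" (trusted CA).
has_trusted_ca() {
    awk -v nick="$1" '
        NF >= 2 {
            trust = $NF                               # last field, e.g. CT,C,C
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)     # nickname may contain spaces
            if (name == nick) {
                split(trust, t, ",")
                if (index(t[1], "C") > 0) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# check_nssdb: run the check against the live database; on failure print the
# certutil -A invocation (alternative: ca_db = /etc/ipa/nssdb in sssd.conf [ssh]).
check_nssdb() {
    if certutil -L -d "sql:$NSSDB" | has_trusted_ca "$CA_NICK"; then
        echo "OK: '$CA_NICK' is a trusted CA in $NSSDB"
        return 0
    fi
    echo "'$CA_NICK' missing or untrusted in $NSSDB; add it with:" >&2
    echo "  certutil -A -d sql:$NSSDB -n '$CA_NICK' -t 'CT,C,C' -i $CA_FILE" >&2
    return 1
}

# Constructed sample of a certutil -L listing, used by the offline demo below.
SAMPLE_LISTING='Certificate Nickname                    Trust Attributes
                                        SSL,S/MIME,JAR/XPI

IPA CA                                  CT,C,C
user cert                               u,u,u'

demo() {
    printf '%s\n' "$SAMPLE_LISTING" | has_trusted_ca "IPA CA"
}

if [ "${1:-}" = "--live" ]; then check_nssdb; fi
```

Run with `--live` on the client to query the real database; without arguments it only defines the functions.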