[Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'
Sumit Bose
sbose at redhat.com
Mon Jul 18 14:32:33 UTC 2016
On Mon, Jul 18, 2016 at 09:54:37AM -0400, Rob Crittenden wrote:
> Sumit Bose wrote:
> > On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
> > > On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
> > > > On (16/07/16 10:19), Martin Štefany wrote:
> > > > >
> > > > > Hello Sumit,
> > > > >
> > > > > seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD
> > > > > logs, but same problem: 'Error looking up public keys'.
> > > > >
> > > > > selinux-policy-3.13.1-191.fc24.3.noarch
> > > > > selinux-policy-targeted-3.13.1-191.fc24.3.noarch
> > > > > sssd-1.13.4-3.fc24.x86_64
> > > > >
> > > > Fedora 23 and fedora 24 has the same version of sssd
> > > > and almost the same version of openssh.
> > > > I have no idea what coudl broke it it there are not any AVCs.
> > > >
> > > > >
> > > > > Using debug_level 0x0250 ::
> > > > >
> > > > For troubleshooting, it would be better to see all
> > > > debug messages. (debug_level = 0xfff0)
> > >
> > > Hello Lukas,
> > >
> > > thanks for replying on this, here are debug_level = 0xfff0 messages
> > >
> >
> > ...
> >
> > > (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020):
> > > CERT_VerifyCertificateNow failed [-8179].
> > > (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
> > > cert_to_ssh_key failed.
> >
> > -8179 translates to "Peer's certificate issuer is not recognized."
> > (http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html).
> > This means the CA certificate which signed the certificate on the
> > Smartcard is missing in /etc/pki/nssdb which is used by default by SSSD.
> >
> > Recent version of IPA put IPA CA certificates only in /etc/ipa/nssdb,
> > this might be the reason why you see this with F24.
> >
> > To fix this please either add the needed CA certificates to
> > /etc/pki/nssdb with certutil or add 'ca_db = /etc/ipa/nssdb' to the
> > [ssh] section of sssd.conf if /etc/ipa/nssdb already has all needed CA
> > certificates to validate the Smartcard certificate.
> >
> > I'm working on a fix for SSSD to handle handle this change
> > automatically, but unfortunately it is not ready yet.
>
> The client installer should be adding the IPA CA to the system certificate
> store which should be picked up automagically by OpenSSL and NSS
> applications. I think I'd start there to see if that happened.
The responsibility for this was delegated to p11-kit in
11592dde1b232a70f318e01f5271b38890090648. Not sure if it was expected
that p11-kit-proxy will be added to /etc/pki/nssdb by default?
bye,
Sumit
>
> rob
>
More information about the Freeipa-users
mailing list