[Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

Rob Crittenden rcritten at redhat.com
Mon Jul 18 15:42:19 UTC 2016


Sumit Bose wrote:
> On Mon, Jul 18, 2016 at 09:54:37AM -0400, Rob Crittenden wrote:
>> Sumit Bose wrote:
>>> On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
>>>> On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
>>>>> On (16/07/16 10:19), Martin Štefany wrote:
>>>>>>
>>>>>> Hello Sumit,
>>>>>>
>>>>>> seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD
>>>>>> logs, but same problem: 'Error looking up public keys'.
>>>>>>
>>>>>> selinux-policy-3.13.1-191.fc24.3.noarch
>>>>>> selinux-policy-targeted-3.13.1-191.fc24.3.noarch
>>>>>> sssd-1.13.4-3.fc24.x86_64
>>>>>>
>>>>> Fedora 23 and Fedora 24 have the same version of sssd
>>>>> and almost the same version of openssh.
>>>>> I have no idea what could break it if there are not any AVCs.
>>>>>
>>>>>>
>>>>>> Using debug_level 0x0250 ::
>>>>>>
>>>>> For troubleshooting, it would be better to see all
>>>>> debug messages. (debug_level = 0xfff0)
>>>>
>>>> Hello Lukas,
>>>>
>>>> thanks for replying on this, here are debug_level = 0xfff0 messages
>>>>
>>>
>>> ...
>>>
>>>> (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020):
>>>> CERT_VerifyCertificateNow failed [-8179].
>>>> (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
>>>> cert_to_ssh_key failed.
>>>
>>> -8179 translates to "Peer's certificate issuer is not recognized."
>>> (http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html).
>>> This means the CA certificate which signed the certificate on the
>>> Smartcard is missing in /etc/pki/nssdb which is used by default by SSSD.
>>>
>>> Recent versions of IPA put IPA CA certificates only in /etc/ipa/nssdb,
>>> which might be the reason why you see this with F24.
>>>
>>> To fix this please either add the needed CA certificates to
>>> /etc/pki/nssdb with certutil or add 'ca_db = /etc/ipa/nssdb' to the
>>> [ssh] section of sssd.conf if /etc/ipa/nssdb already has all needed CA
>>> certificates to validate the Smartcard certificate.
>>>
>>> I'm working on a fix for SSSD to handle this change
>>> automatically, but unfortunately it is not ready yet.
>>
>> The client installer should be adding the IPA CA to the system certificate
>> store which should be picked up automagically by OpenSSL and NSS
>> applications. I think I'd start there to see if that happened.
>
> The responsibility for this was delegated to p11-kit in
> 11592dde1b232a70f318e01f5271b38890090648. Not sure if it was expected
> that p11-kit-proxy will be added to /etc/pki/nssdb by default?

That I'm not sure. Kai might know.

rob
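An added example, not code from the thread or from SSSD/IPA: a POSIX shell helper that reads which NSS database sssd_ssh will consult (ca_db from the [ssh] section, otherwise SSSD's default /etc/pki/nssdb), checks with certutil whether a CA is listed there, and prints a copy of sssd.conf carrying Sumit's second workaround, `ca_db = /etc/ipa/nssdb`. The CA nickname "IPA CA" and the plain `certutil -L -d <db>` listing are assumptions; adjust them to what `certutil -L -d /etc/ipa/nssdb` shows on the host.

```shell
#!/bin/sh
# Added example for the 'Error looking up public keys' / CERT_VerifyCertificateNow -8179 case.
# Assumptions: sssd.conf path is passed in; the IPA CA nickname defaults to "IPA CA".

# Print the NSS DB sssd_ssh uses: ca_db from [ssh], else SSSD's default /etc/pki/nssdb.
ssh_ca_db() {
    conf="$1"
    db=$(awk '
        /^[ \t]*\[/ { in_ssh = ($0 ~ /^[ \t]*\[ssh\][ \t]*$/); next }
        in_ssh && /^[ \t]*ca_db[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$conf")
    printf '%s\n' "${db:-/etc/pki/nssdb}"
}

# Return 0 if a certificate whose nickname matches $2 (default "IPA CA", assumed) is in NSS DB $1.
# This is the check behind the -8179 error: the issuer must be in the DB sssd_ssh actually opens.
ca_in_nssdb() {
    db="$1"; nick="${2:-IPA CA}"
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 2; }
    certutil -L -d "$db" 2>/dev/null | grep -q -- "$nick"
}

# Sumit's option 2: point sssd_ssh at /etc/ipa/nssdb via [ssh]. Prints the new config
# to stdout (any existing ca_db in [ssh] is replaced); nothing is written in place.
with_ssh_ca_db() {
    conf="$1"; db="${2:-/etc/ipa/nssdb}"
    awk -v db="$db" '
        /^[ \t]*\[ssh\][ \t]*$/ { print; print "ca_db = " db; in_ssh = 1; seen = 1; next }
        in_ssh && /^[ \t]*ca_db[ \t]*=/ { next }
        /^[ \t]*\[/ { in_ssh = 0 }
        { print }
        END { if (!seen) { print ""; print "[ssh]"; print "ca_db = " db } }' "$conf"
}

# Usage (not executed here):
#   db=$(ssh_ca_db /etc/sssd/sssd.conf)
#   ca_in_nssdb "$db" && echo "IPA CA present in $db" || echo "IPA CA missing from $db"
#   with_ssh_ca_db /etc/sssd/sssd.conf > /tmp/sssd.conf.new   # review, then install
```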
