[Freeipa-users] FreeIPA - AD trust - SSH Public Keys

Sumit Bose sbose at redhat.com
Thu Nov 3 15:05:31 UTC 2016


On Thu, Nov 03, 2016 at 04:35:30PM +0200, Taras Drach wrote:
> Hello everyone!
> 
> I want to implement the following scheme:
> 
> 1. Use AD as place for user management
> 2. Store ssh public keys in AD
> 3. Use FreeIPA as sudo/hbac provider for AD groups for authentication and authorisation on the linux hosts
> 4. Use trusts roadmap (do not want to synchronise)
> 
> My configuration is:
> AD domain - test.loc - windows server 2012 r2
> IPA domain - ipa.test.loc - ipa-server 4.2.0 on centos 7 (ipa-server.x86_64        4.2.0-15.0.1.el7.centos.19  @updates)
> 
> At this moment everything is fine except SSH public keys.
> 
> I tried to use override and it works fine (I can login to linux host with AD user with public key), but I have to create view in ipa for each user from AD. It is not my goal and it also creates inconveniences.
> 
> I found that there are several ways to achieve desired configuration:
> 1. Extend AD schema with sshPublicKey attribute
> 2. Use altSecurityIdentities attribute from AD
> 
> At this moment I can obtain ssh public key from ipa for user by
> sss_ssh_authorizedkeys -d ipa.test.loc user or
> sss_ssh_authorizedkeys user, because ipa.test.loc is default domain
> 
> But I can’t receive key for AD user using this command
> sss_ssh_authorizedkeys -d test.loc
> 
> At this moment I try to obtain key via altSecurityIdentities, and I see this key in sssd debug log when I run sss_ssh_authorizedkeys, but I can not see public key on stdout
> Here is the part of the log
> -
...
> 
> 
> Here is my sssd.conf for ipa domain
> 
> [domain/ipa.test.loc]
> debug_level = 0xfff0
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.test.loc
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa42.ipa.test.loc
> chpass_provider = ipa
> ipa_server = ipa42.ipa.test.loc
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> create_homedir = True
> ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities

SSH public keys must be stored with the attribute name 'sshPublicKey' in SSSD's cache, please try

ldap_user_extra_attrs = sshPublicKey:altSecurityIdentities

> ldap_user_ssh_public_key = altSecurityIdentities
> ldap_id_mapping = False

HTH

bye,
Sumit
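The mapping rule from the reply, as an added example that is not SSSD's code nor anything posted in the thread: a small linter over an sssd.conf domain section that flags the original `altSecurityIdentities:altSecurityIdentities` mapping and accepts `sshPublicKey:altSecurityIdentities`. It assumes the documented `ldap_user_extra_attrs` entry form `cache_name:ldap_attribute` and the cache name `sshPublicKey` given above.

```python
"""Cross-check ldap_user_ssh_public_key against ldap_user_extra_attrs.

Added example, not SSSD code. Assumes each ldap_user_extra_attrs entry is
'cache_name:ldap_attribute' (or a bare name mapping to itself) and that
SSSD looks for SSH keys under the cache attribute 'sshPublicKey'."""
import configparser

SSH_CACHE_ATTR = "sshPublicKey"

def parse_extra_attrs(value):
    """Turn 'a:b, c' into {cache_name: ldap_name}; a bare name maps to itself."""
    mapping = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        cache_name, _, ldap_name = item.partition(":")
        mapping[cache_name.strip()] = (ldap_name or cache_name).strip()
    return mapping

def check_ssh_key_mapping(conf_text, domain):
    """Return a list of findings for [domain/<domain>]; an empty list means OK."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        return [f"no section [{section}]"]
    sec = cp[section]
    key_attr = sec.get("ldap_user_ssh_public_key")
    if key_attr is None:
        return []  # default key attribute in use, nothing to cross-check
    extra = parse_extra_attrs(sec.get("ldap_user_extra_attrs", ""))
    findings = []
    if extra.get(SSH_CACHE_ATTR) != key_attr:
        findings.append(
            f"ldap_user_ssh_public_key = {key_attr} but it is not cached as "
            f"{SSH_CACHE_ATTR}; use ldap_user_extra_attrs = {SSH_CACHE_ATTR}:{key_attr}")
    wrong = [c for c, l in extra.items() if l == key_attr and c != SSH_CACHE_ATTR]
    if wrong:
        findings.append(f"{key_attr} is cached under {wrong} instead of {SSH_CACHE_ATTR}")
    return findings

# Constructed samples: the mapping from the thread (BROKEN) and the suggested fix (FIXED).
BROKEN = """[domain/ipa.test.loc]
id_provider = ipa
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
"""
FIXED = BROKEN.replace("altSecurityIdentities:altSecurityIdentities",
                       "sshPublicKey:altSecurityIdentities")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_ssh_key_mapping(text, "ipa.test.loc") or ["OK"])
```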
