[Freeipa-users] FreeIPA - AD trust - SSH Public Keys
Sumit Bose
sbose at redhat.com
Thu Nov 3 15:05:31 UTC 2016
On Thu, Nov 03, 2016 at 04:35:30PM +0200, Taras Drach wrote:
> Hello everyone!
>
> I want to implement the following scheme:
>
> 1. Use AD as place for user management
> 2. Store ssh public keys in AD
> 3. Use FreeIPA as sudo/hbac provider for AD groups for authentication and authorisation on the linux hosts
> 4. Use trusts roadmap (do not want to synchronise)
>
> My configuration is:
> AD domain - test.loc - windows server 2012 r2
> IPA domain - ipa.test.loc - ipa-server 4.2.0 on centos 7 (ipa-server.x86_64 4.2.0-15.0.1.el7.centos.19 @updates)
>
> At this moment everything is fine except SSH public keys.
>
> I tried to use override and it works fine (I can login to linux host with AD user with public key), but I have to create view in ipa for each user from AD. It is not my goal and it also creates inconveniences.
>
> I found that there are several ways to achieve desired configuration:
> 1. Extend AD scheme with sshPublicKey attribute
> 2. Use altSecurityIdentities attribute from AD
>
> At this moment I can obtain ssh public key from ipa for user by
> sss_ssh_authorizedkeys -d ipa.test.loc user or
> sss_ssh_authorizedkeys user, because ipa.test.loc is default domain
>
> But I can’t receive key for AD user using this command
> sss_ssh_authorizedkeys -d test.loc
>
> At this moment I try to obtain key via altSecurityIdentities, and I see this key in sssd debug log when I run sss_ssh_authorizedkeys, but I cannot see the public key on stdout
> Here is the part of the log
> -
...
>
>
> Here is my sssd.conf for ipa domain
>
> [domain/ipa.test.loc]
> debug_level = 0xfff0
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.test.loc
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa42.ipa.test.loc
> chpass_provider = ipa
> ipa_server = ipa42.ipa.test.loc
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> create_homedir = True
> ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
SSH public keys must be stored with the attribute name 'sshPublicKey' in SSSD's cache, please try
ldap_user_extra_attrs = sshPublicKey:altSecurityIdentities
> ldap_user_ssh_public_key = altSecurityIdentities
> ldap_id_mapping = False
>
>
>
HTH
bye,
Sumit
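A small check for the mismatch Sumit points out, written as an added example (not code from the thread or from SSSD): it parses the domain sections of an sssd.conf and flags any `ldap_user_extra_attrs` entry that pulls in the attribute named by `ldap_user_ssh_public_key` under a cache-side name other than `sshPublicKey`. The sample configs are constructed from the snippet quoted above; the attribute name `sshPublicKey` as the cache name SSSD expects is taken from the reply.

```python
import configparser

# Constructed sample: the relevant lines of the [domain/ipa.test.loc] section
# from the thread, with the cache-side name SSSD does not treat as an SSH key.
BROKEN_CONF = """
[domain/ipa.test.loc]
id_provider = ipa
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
"""

# The same section with the mapping suggested in the reply.
FIXED_CONF = BROKEN_CONF.replace(
    "ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities",
    "ldap_user_extra_attrs = sshPublicKey:altSecurityIdentities")

SSH_KEY_CACHE_ATTR = "sshPublicKey"  # cache attribute name SSSD looks up for SSH keys


def parse_extra_attrs(value):
    """Turn 'cacheName:ldapAttr, other' into {cacheName: ldapAttr}.
    A bare entry maps to itself, mirroring the sssd.conf(5) syntax."""
    mapping = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        cache_name, _, ldap_attr = item.partition(":")
        mapping[cache_name.strip()] = (ldap_attr or cache_name).strip()
    return mapping


def check_ssh_key_mapping(conf_text):
    """Return (section, message) findings for domain sections where the SSH key
    attribute is fetched via ldap_user_extra_attrs but not stored as sshPublicKey."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        ldap_attr = cp.get(section, "ldap_user_ssh_public_key", fallback=None)
        if ldap_attr is None:
            continue
        extra = parse_extra_attrs(cp.get(section, "ldap_user_extra_attrs", fallback=""))
        mapped_as = [name for name, attr in extra.items() if attr == ldap_attr]
        if mapped_as and SSH_KEY_CACHE_ATTR not in mapped_as:
            findings.append((section, "use ldap_user_extra_attrs = "
                             f"{SSH_KEY_CACHE_ATTR}:{ldap_attr} (found {mapped_as})"))
    return findings
```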