[Freeipa-users] Not able to replicate user keys across master and client

Sumit Bose sbose at redhat.com
Fri Jan 13 13:29:25 UTC 2017


On Thu, Jan 12, 2017 at 10:59:04AM +0000, hirofumi.morikawa at accenture.com wrote:
> Hi Free IPA team
> 
> Let me further clarify the question that is asked by Niraj below.
> 
> Currently, we have 1 master FreeIPA server and 1 client server. We are evaluating your product for production deployment.
> Master and client connectivity is established, and when creating the user in the web console it is indeed creating the user in the client machine.
> 
> However, when we add a public key through the web console below, this key is not created (or transferred) to the client machine (checked by logging into the
> server), which blocks key-based access to this machine.
> 

Does the web console show the key's fingerprint after you added it as
shown in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/user-keys.html


> 
> 
> Could you please let us know if this key is supposed to be created to the client machine natively with FreeIPA
> when registering the key through the console above?  Are we missing any configuration to enable this
> key registration to client machine? Thank you for your response in advance

If you used ipa-join or realmd to join the IPA client to the IPA server
everything should be configured correctly.

In /etc/ssh/sshd_config you should find the line 'AuthorizedKeysCommand
/usr/bin/sss_ssh_authorizedkeys' which tells sshd to call
sss_ssh_authorizedkeys to get the key.

You can call 'sss_ssh_authorizedkeys' directly with the user name as
argument to see if the key is returned:

# sss_ssh_authorizedkeys testuser
ssh-rsa AAAAB3Nz.......

If nothing is returned you should check /var/log/sssd/sssd_ssh.log for
errors. You might need to increase debug_level in the [ssh] section
of sssd.conf first, see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details.

HTH

bye,
Sumit

> 
> Best regards
> 
> Hirofumi Morikawa
> Accenture
> Certified Technology Architect - Emerging Technologies group
> Email : hirofumi.morikawa at accenture.com
> Mobile phone : +33 (0)6 82 10 81 88
> 
> From: Singh, NirajKumar
> Sent: Tuesday, 10 January 2017 10:38
> To: freeipa-users at redhat.com
> Cc: Morikawa, Hirofumi; Shyam Gupta, Upendra
> Subject: Not able to replicate user keys across master and client
> 
> Hi Team,
> 
> We have created a PPK key for the user on the master FreeIPA server, which is there in the /home/user/.ssh/authorized_keys file.
> 
> But the keys are not reflected on the client machine.
> 
> Please suggest how the authorized_keys file can be added automatically on the client as soon as it gets created on the master server.
> 
> Thanks,
> Niraj
> 



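A small check script for the two things Sumit's reply points at (the AuthorizedKeysCommand hook in sshd_config and what sss_ssh_authorizedkeys returns for a user), written as an added example that is not from the thread; the sshd_config snippet and key lines are constructed, and the temp-file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: check the sshd -> SSSD hook described
# in the reply and validate what sss_ssh_authorizedkeys prints for a user.

# check_sshd_hook CONFIG: 0 if an uncommented AuthorizedKeysCommand points
# at sss_ssh_authorizedkeys and AuthorizedKeysCommandUser is set, else 1.
check_sshd_hook() {
    cfg="$1"; rc=0
    # sshd keywords are case-insensitive; skip commented-out lines
    cmd=$(grep -iE '^[[:space:]]*AuthorizedKeysCommand[[:space:]]' "$cfg" | head -n1 | awk '{print $2}')
    usr=$(grep -iE '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]' "$cfg" | head -n1 | awk '{print $2}')
    case "$cmd" in
        */sss_ssh_authorizedkeys) ;;
        "") echo "missing: AuthorizedKeysCommand"; rc=1 ;;
        *)  echo "AuthorizedKeysCommand is '$cmd', not sss_ssh_authorizedkeys"; rc=1 ;;
    esac
    [ -n "$usr" ] || { echo "missing: AuthorizedKeysCommandUser"; rc=1; }
    return $rc
}

# count_pubkeys FILE: number of lines that look like OpenSSH public keys,
# i.e. what a working 'sss_ssh_authorizedkeys USER' prints, one per key.
count_pubkeys() {
    grep -cE '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) AAAA[A-Za-z0-9+/=]+' "$1" || true
}

# lookup_user USER: run the command from the reply and report whether it
# returned any key; on an empty result name the SSSD log to check next.
lookup_user() {
    out=$(mktemp)
    sss_ssh_authorizedkeys "$1" >"$out" 2>/dev/null
    n=$(count_pubkeys "$out"); rm -f "$out"
    if [ "$n" -gt 0 ]; then echo "$n key(s) returned for $1"
    else echo "no keys for $1: check /var/log/sssd/sssd_ssh.log (raise debug_level in [ssh])"; fi
}

# Constructed sshd_config snippet with the hook commented out, to show a failing check.
demo_cfg=$(mktemp)
printf '# AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandUser nobody\n' >"$demo_cfg"
check_sshd_hook "$demo_cfg" || echo "-> fix /etc/ssh/sshd_config and restart sshd"
rm -f "$demo_cfg"
```

On a real client run `check_sshd_hook /etc/ssh/sshd_config` and `lookup_user testuser` as root; both checks passing means the key problem lies on the SSSD/IPA side rather than in sshd.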