[Freeipa-users] Certificate Access issue

Alexander Bokovoy abokovoy at redhat.com
Mon Mar 20 14:39:37 UTC 2017


On Mon, 20 Mar 2017, Artem Golubev wrote:
>Good day!
>
>We use freeipa server 4.3.1, we usually grant access via ssh keys to linux
>clients.
>We currently face the following issue with access on certificate: when we
>add a certificate to a user's account, the user is not able to log in via ssh.
>How can we solve this problem? We would like to have a possibility to
>access linux clients via ssh keys and access to other resources using
>certificates.

You need to provide logs, obviously. Start with level 3 debug logs in
sshd, and debug_level=9 in sssd. Also show the user's entry (as in 'ipa
user-show --raw --all username').

When you access SSH with ssh keys, SSSD is involved in the account and
session phases of PAM authentication. This means either the user does not
exist to sshd (it would then not exist at the system level at all) or
something prevents the session phase from succeeding. In the session phase
SSSD does verify HBAC rules, for example.

See https://fedorahosted.org/sssd/wiki/Troubleshooting for
troubleshooting instructions.

-- 
/ Alexander Bokovoy



