On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via FreeIPA-users wrote:
> Hi list.
>
> I have a CentOS 8.4 machine (fully updated), where sss_ssh_authorizedkeys is
> successfully able to pull public keys from IPA user certificates. Recently I
> have installed a new Fedora 34 machine and this functionality is not working
> - running "sss_ssh_authorizedkeys username" only reports public keys
> explicitly added to the account, omitting keys from X.509 certificates.
>
> Both machines are joined to the same IPA domain.
>
> I've checked sssd configuration, and ssh_use_certificate_keys option seems
> to be default, as the man page states. To be extra sure, I have also
> manually added it to sssd.conf:
>
> [ssh]
> ssh_use_certificate_keys = true
>
> CentOS machine has the following package versions:
> python3-sss-murmur-2.4.0-9.el8_4.2.x86_64
> sssd-proxy-2.4.0-9.el8_4.2.x86_64
> libsss_sudo-2.4.0-9.el8_4.2.x86_64
> libsss_autofs-2.4.0-9.el8_4.2.x86_64
> sssd-nfs-idmap-2.4.0-9.el8_4.2.x86_64
> sssd-2.4.0-9.el8_4.2.x86_64
> libsss_idmap-2.4.0-9.el8_4.2.x86_64
> sssd-ldap-2.4.0-9.el8_4.2.x86_64
> sssd-kcm-2.4.0-9.el8_4.2.x86_64
> sssd-dbus-2.4.0-9.el8_4.2.x86_64
> python3-cssselect-0.9.2-10.el8.noarch
> sssd-ipa-2.4.0-9.el8_4.2.x86_64
> sssd-ad-2.4.0-9.el8_4.2.x86_64
> python3-sssdconfig-2.4.0-9.el8_4.2.noarch
> sssd-krb5-2.4.0-9.el8_4.2.x86_64
> sssd-tools-2.4.0-9.el8_4.2.x86_64
> sssd-client-2.4.0-9.el8_4.2.x86_64
> sssd-krb5-common-2.4.0-9.el8_4.2.x86_64
> sssd-common-2.4.0-9.el8_4.2.x86_64
> sssd-common-pac-2.4.0-9.el8_4.2.x86_64
> libsss_certmap-2.4.0-9.el8_4.2.x86_64
> libsss_nss_idmap-2.4.0-9.el8_4.2.x86_64
> libsss_simpleifp-2.4.0-9.el8_4.2.x86_64
> python3-sss-2.4.0-9.el8_4.2.x86_64
>
> Fedora machine has the following package versions:
> libsss_idmap-2.5.2-2.fc34.aarch64
> libsss_autofs-2.5.2-2.fc34.aarch64
> libsss_sudo-2.5.2-2.fc34.aarch64
> libsss_certmap-2.5.2-2.fc34.aarch64
> sssd-nfs-idmap-2.5.2-2.fc34.aarch64
> libsss_nss_idmap-2.5.2-2.fc34.aarch64
> sssd-client-2.5.2-2.fc34.aarch64
> sssd-common-2.5.2-2.fc34.aarch64
> sssd-common-pac-2.5.2-2.fc34.aarch64
> sssd-dbus-2.5.2-2.fc34.aarch64
> sssd-krb5-common-2.5.2-2.fc34.aarch64
> python3-sssdconfig-2.5.2-2.fc34.noarch
> python3-sss-2.5.2-2.fc34.aarch64
> sssd-tools-2.5.2-2.fc34.aarch64
> python3-sss-murmur-2.5.2-2.fc34.aarch64
> sssd-ipa-2.5.2-2.fc34.aarch64
> sssd-kcm-2.5.2-2.fc34.aarch64
>
> Any hints on how to make sss_ssh_authorizedkeys pull keys from IPA user
> certificates on Fedora, or how to further debug this?

Hi,

the keys are only derived from the certificate if the certificate can be
validated. Have you copied all needed CA certificates to the new machine
and made SSSD aware of it?

Adding 'debug_level = 9' to the [ssh] section of sssd.conf and
restarting SSSD should add log messages to sssd_ssh.log which might help
to understand why the keys are not extracted.

HTH

bye,
Sumit

>
> Best regards,
> Radoslaw
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
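
The condition described in the reply above (a key is derived only from a certificate that validates) can be checked by hand with OpenSSL. The following shell functions are an added example, not part of the thread and not SSSD's own code; they assume OpenSSL 1.1.0 or later, the function names and file names are hypothetical, and `make_demo_pki` only builds constructed sample certificates so the check can be tried offline.

```shell
#!/bin/sh
# check_cert_key CERT_PEM CA_BUNDLE_PEM
# Prints the certificate's public key (PEM) and returns 0 only when CERT_PEM
# chains to a CA in CA_BUNDLE_PEM; otherwise reports why on stderr, returns 1.
check_cert_key() {
    cert=$1
    ca_bundle=$2
    # -no-CApath keeps OpenSSL from also consulting the system trust
    # directory, so only the bundle passed in decides the result.
    if ! err=$(openssl verify -no-CApath -CAfile "$ca_bundle" "$cert" 2>&1); then
        echo "certificate not validated, no key would be derived: $err" >&2
        return 1
    fi
    openssl x509 -in "$cert" -noout -pubkey
}

# make_demo_pki DIR
# Constructed sample data: a demo CA, an unrelated CA, and a user certificate
# issued by the demo CA. All names are made up for this example.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/user.pem" 2>/dev/null
}

# Usage: sh check_cert_key.sh user-cert.pem ca-bundle.pem
if [ "$#" -eq 2 ]; then
    check_cert_key "$1" "$2"
fi
```

The CA bundle to pass is the one SSSD on the affected host is configured to trust; the printed key can be converted with `ssh-keygen -i -m PKCS8 -f <file>` for comparison with the output of sss_ssh_authorizedkeys on the working machine.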
