> On Wed, 2015-06-03 at 09:57 -0700, [email protected] wrote:
>> Comments inline
>>
>> > On (02/06/15 15:25), [email protected] wrote:
>> >> I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the client
>> >> is CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30).
>> >>
>> >> I have created a user in FreeIPA and he has access to a server through
>> >> HBAC rules. This user has created a public / private keypair and uploaded
>> >> the public key from his personal machine to the IPA server so it shows up
>> >> in his user record. The record was saved and he successfully logged into
>> >> the IPA client using the keys.
>> >>
>> >> According to the docs here (Yes, I know it's a little old but I could not
>> >> find any newer info that conflicted with this):
>> >> https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/openssh-sssd.html
>> >>
>> > As you already noticed, it is quite old documentation.
>> >
>> >> 2. Stores the user key in a custom file, .ssh/sss_authorized_keys, in the
>> >> standard authorized keys format.
>> >>
>> > There's a bug in the documentation.
>> >
>> >> However, when he logs in, there is no sss_authorized_keys file created and
>> >> as far as I can tell, the key is never cached in his account.
>> >>
>> > The better test would be to authenticate with ssh keys online,
>> > so they can be fetched from FreeIPA,
>> > then block connection to FreeIPA (simulate offline state)
>> > and re-test one more time.
>>
>> Ok, so I looked at the newer documentation you linked below (RH7 version)
>> and it makes the exact same statement: "Stores the user key in a custom
>> file, .ssh/sss_authorized_keys, in the standard authorized keys format."
>>
>> Are you saying the newer documentation is also bugged?
>>
>> Unfortunately, that type of test will not be conclusive for the people I
>> am trying to convince. They want me to actually show them the file on
>> disk where that thing is cached to prove that if the machine was rebooted,
>> and the ipa connection is lost, that key was not only in memory somewhere
>> but actually saved to storage.
>>
>> >> How do I get the keys to actually save on login like the manual says?
>> > Keys are already cached in a different file,
>> > /var/lib/sss/pubconf/known_hosts.
>> > @see rhel7 documentation [1]
>>
>> The known_hosts file does not sound like the right place. It has a
>> completely different function of caching host keys for when I make an
>> outgoing connection from the server for the purpose of verifying someone
>> is not spoofing a host, not for caching individual user keys for
>> passwordless login for when I'm trying to make an ingoing connection to
>> the server.
>>
>> In addition, you can see from my search below that there is no
>> sss_authorized_keys file anywhere on the server and that the known_hosts
>> file you referenced has no data in it because it is zero size.
>>
>> [root@ipaclient sss]# find / -name sss_authorized_keys
>> [root@ipaclient sss]# cd pubconf
>> [root@ipaclient pubconf]# ls -al
>> total 16
>> drwxr-xr-x 3 root root 4096 Jun 3 16:42 .
>> drwxr-xr-x 6 root root 4096 May 27 22:49 ..
>> -rw-r--r-- 1 root root 11 Jun 3 16:42 kdcinfo.MYDOMAIN.NET
>> -rw-r--r-- 1 root root 0 Jun 2 16:05 known_hosts
>> drwxr-xr-x 2 root root 4096 May 28 01:13 krb5.include.d
>> [root@ipaclient pubconf]#
>>
>> So... I am still looking for the actual location on disk that this is
>> apparently being cached and cannot find it.
>
> You won't find a "file" because user's public keys are not stored in a
> file.
> They are stored in the ldb cache with all other user information, and
> then extracted from the cache (or queried from the server if online and
> the cache is expired) on request.
>
> You can use the ldbsearch tool against the sssd ldb cache file and look
> for entries with the sshPublicKey attribute.
>
> HTH,
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
Oh this is great information. Thank you.

It appears that the documentation should state that the user keys are cached not in .ssh/sss_authorized_keys but actually in /var/lib/sss/db/cache_yourdomain.ldb, as I was able to search and successfully find the user key by running 'ldbsearch -H cache_mydomain.net.ldb sshPublicKey'.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
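The ldbsearch check from the last message gives the on-disk evidence the thread was after, but its LDIF output is awkward to compare by eye: long values are folded across lines, and non-printable values come out as base64 (`attr:: ...`). The following script is an added example, not code from this thread, SSSD or FreeIPA. It parses the output of `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb sshPublicKey`, lists the cached sshPublicKey values per user, and answers whether a given uploaded key is what the cache actually holds. The sample LDIF inside it is constructed with placeholder key material; it assumes LDIF line folding with a leading space on continuation lines and a user dn of the form `name=<user>,cn=users,cn=<domain>,cn=sysdb`, both labelled as assumptions in the code.

```python
"""List the SSH public keys SSSD has cached on disk for each user.

Added example, not code from the mailing-list thread, SSSD or FreeIPA.
Feed it the LDIF printed by
  ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb sshPublicKey
Assumptions: long LDIF lines are folded with a leading space on
continuation lines; base64 values use 'attr:: ...'; user entries have a
dn shaped like name=<user>,cn=users,cn=<domain>,cn=sysdb.
"""
import base64
import sys
from typing import Dict, List


def unfold_ldif(text: str) -> List[str]:
    """Drop '#' comment lines and join continuation lines (leading space)
    back onto the logical line they belong to."""
    lines: List[str] = []
    after_comment = False
    for raw in text.splitlines():
        if raw.startswith(" "):
            if lines and not after_comment:
                lines[-1] += raw[1:]
            continue
        after_comment = raw.startswith("#")
        if not after_comment:
            lines.append(raw)
    return lines


def parse_ldif_records(text: str) -> List[Dict[str, List[str]]]:
    """Split unfolded LDIF into blank-line separated records; decode
    'attr:: base64' values; each attribute maps to a list of values."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold_ldif(text) + [""]:
        if line == "":
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return records


def cached_ssh_keys(text: str) -> Dict[str, List[str]]:
    """Map each user (first RDN of the dn, assumed name=<user>) to the
    sshPublicKey values cached for it; entries without keys are skipped."""
    keys_by_user: Dict[str, List[str]] = {}
    for rec in parse_ldif_records(text):
        keys = rec.get("sshPublicKey", [])
        if not keys:
            continue
        dn = rec.get("dn", [""])[0]
        user = dn.split(",", 1)[0].partition("=")[2]
        keys_by_user[user] = keys
    return keys_by_user


def key_is_cached(text: str, user: str, key: str) -> bool:
    """True if a key with the same type and blob (comment ignored) is cached."""
    wanted = tuple(key.split()[:2])
    return any(tuple(k.split()[:2]) == wanted
               for k in cached_ssh_keys(text).get(user, []))


# --- constructed sample shaped like ldbsearch output; keys are placeholders ---
def _fold(line: str, width: int = 78) -> str:
    """Fold one logical LDIF line; continuation lines get a leading space."""
    parts, pos = [line[:width]], width
    while pos < len(line):
        parts.append(" " + line[pos:pos + width - 1])
        pos += width - 1
    return "\n".join(parts)


KEY_RSA = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC" + "X" * 60 + " jdoe@laptop"
KEY_ED25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + "Y" * 43 + " jdoe@desktop"

SAMPLE_LDIF = "\n".join([
    "# record 1",
    "dn: name=jdoe@mydomain.net,cn=users,cn=mydomain.net,cn=sysdb",
    _fold("sshPublicKey: " + KEY_RSA),
    _fold("sshPublicKey:: " + base64.b64encode(KEY_ED25519.encode()).decode()),
    "",
    "# record 2",
    "dn: name=asmith@mydomain.net,cn=users,cn=mydomain.net,cn=sysdb",
    "",
    "# returned 2 records",
    "# 2 entries",
    "# 0 referrals",
])

if __name__ == "__main__":
    # Pipe real ldbsearch output in; with no input the constructed sample is used.
    ldif = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for user, keys in cached_ssh_keys(ldif).items():
        for k in keys:
            print(f"{user}: {k[:40]}...  ({len(keys)} key(s) cached)")
```

Run it as root with `ldbsearch -H /var/lib/sss/db/cache_mydomain.net.ldb sshPublicKey | python3 cached_keys.py`; comparing only the key type and blob (not the comment) matters because the comment a user attaches to an uploaded key may differ from the one in his local authorized_keys copy.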
