On (03/06/15 11:48), [email protected] wrote:
>> On Wed, 2015-06-03 at 09:57 -0700, [email protected] wrote:
>>> Comments inline
>>>
>>>> On (02/06/15 15:25), [email protected] wrote:
>>>>> I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the client
>>>>> is CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30).
>>>>>
>>>>> I have created a user in FreeIPA and he has access to a server through
>>>>> HBAC rules. This user has created a public / private keypair and uploaded
>>>>> the public key from his personal machine to the IPA server so it shows up
>>>>> in his user record. The record was saved and he successfully logged into
>>>>> the IPA client using the keys.
>>>>>
>>>>> According to the docs here (Yes, I know it's a little old but I could not
>>>>> find any newer info that conflicted with this):
>>>>> https://docs.fedoraproject.org/en-US/Fedora/18/html/System_Administrators_Guide/openssh-sssd.html
>>>>>
>>>> As you already noticed, it is quite old documentation.
>>>>
>>>>> 2. Stores the user key in a custom file, .ssh/sss_authorized_keys, in the
>>>>> standard authorized keys format.
>>>>>
>>>> There's a bug in the documentation.
>>>>
>>>>> However, when he logs in, there is no sss_authorized_keys file created and
>>>>> as far as I can tell, the key is never cached in his account.
>>>>>
>>>> The better test would be to authenticate with ssh keys online,
>>>> so they can be fetched from FreeIPA,
>>>> then block the connection to FreeIPA (simulate offline state)
>>>> and re-test one more time.
>>>
>>> Ok, so I looked at the newer documentation you linked below (RH7 version)
>>> and it makes the exact same statement: "Stores the user key in a custom
>>> file, .ssh/sss_authorized_keys, in the standard authorized keys format."
>>>
>>> Are you saying the newer documentation is also bugged?
>>>
>>> Unfortunately, that type of test will not be conclusive for the people I
>>> am trying to convince. They want me to actually show them the file on
>>> disk where that thing is cached to prove that if the machine was rebooted,
>>> and the ipa connection is lost, that key was not only in memory somewhere
>>> but actually saved to storage.
>>>
>>>>> How do I get the keys to actually save on login like the manual says?
>>>> Keys are already cached in a different file,
>>>> /var/lib/sss/pubconf/known_hosts.
>>>> @see rhel7 documentation [1]
>>>
>>> The known_hosts file does not sound like the right place. It has a
>>> completely different function of caching host keys for when I make an
>>> outgoing connection from the server for the purpose of verifying someone
>>> is not spoofing a host, not for caching individual user keys for
>>> passwordless login for when I'm trying to make an ingoing connection to
>>> the server.
>>>
>>> In addition, you can see from my search below that there is no
>>> sss_authorized_keys file anywhere on the server and that the known_hosts
>>> file you referenced has no data in it because it is zero size.
>>>
>>> [root@ipaclient sss]# find / -name sss_authorized_keys
>>> [root@ipaclient sss]# cd pubconf
>>> [root@ipaclient pubconf]# ls -al
>>> total 16
>>> drwxr-xr-x 3 root root 4096 Jun 3 16:42 .
>>> drwxr-xr-x 6 root root 4096 May 27 22:49 ..
>>> -rw-r--r-- 1 root root 11 Jun 3 16:42 kdcinfo.MYDOMAIN.NET
>>> -rw-r--r-- 1 root root 0 Jun 2 16:05 known_hosts
>>> drwxr-xr-x 2 root root 4096 May 28 01:13 krb5.include.d
>>> [root@ipaclient pubconf]#
>>>
>>> So... I am still looking for the actual location on disk that this is
>>> apparently being cached and cannot find it.
>>
>> You won't find a "file" because user's public keys are not stored in a
>> file. They are stored in the ldb cache with all other user information, and
>> then extracted from the cache (or queried from the server if online and
>> the cache is expired) on request.
>>
>> You can use the ldbsearch tool against the sssd ldb cache file and look
>> for entries with the sshPublicKey attribute.
>>
>> HTH,
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>
> Oh this is great information. Thank you.
>
> It appears that the documentation should state that the user keys are
> cached not in .ssh/sss_authorized_keys

I didn't notice it in the documentation. We fixed the info about known_hosts.
Thank you for the report.

> but actually in /var/lib/sss/db/cache_yourdomain.ldb as I was able to
> search and successfully find the user key by running
> 'ldbsearch -H cache_mydomain.net.ldb sshPublicKey'

A simpler way to check the cached public ssh key is to use the same utility as
sssd/sshd:

# go offline and run the next command.
sh$ sss_ssh_authorizedkeys user

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
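Simo's ldbsearch hint and LS's sss_ssh_authorizedkeys check, combined into one verification script as an added example that is not code from the thread: it dumps the sshPublicKey attribute from the ldb cache file, parses the LDIF, and compares the key blobs with what sshd is served, so the same run online and again with the IPA server blocked shows whether the key really lives on disk. Assumptions (not from the page): ldb-tools and sssd are installed, the cache path is a placeholder for your domain, cached user entries carry objectClass=user with name=<login> (newer sssd may qualify it as user@domain), and the sample LDIF at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: confirm that a user's SSH public
# key is persisted in sssd's on-disk ldb cache (Simo's ldbsearch hint) and
# matches what sshd is served (LS's sss_ssh_authorizedkeys check).
# Assumptions: ldb-tools and sssd installed, run as root, CACHE_LDB points at
# your domain's cache (placeholder path), entries are objectClass=user/name=<login>.
CACHE_LDB="${CACHE_LDB:-/var/lib/sss/db/cache_mydomain.net.ldb}"

# Print each sshPublicKey value from LDIF on stdin, one key per line.
# Unfolds LDIF continuation lines (leading space) and decodes "attr:: " base64 values.
ldif_ssh_keys() {
    awk '
        function emit() {
            if (buf ~ /^sshPublicKey:: /) { sub(/^sshPublicKey:: /, "", buf); print "b64 " buf }
            else if (buf ~ /^sshPublicKey: /) { sub(/^sshPublicKey: /, "", buf); print "raw " buf }
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }
        { emit(); buf = $0 }
        END { emit() }
    ' | while IFS=' ' read -r kind value; do
        case "$kind" in
            b64) printf '%s\n' "$value" | base64 -d; printf '\n' ;;
            raw) printf '%s\n' "$value" ;;
        esac
    done
}

# Reduce authorized_keys-style lines to their sorted key blobs (second field).
key_blobs() { awk 'NF >= 2 { print $2 }' | sort -u; }

# Succeed only when the served key list is non-empty and identical to the cached one.
keys_match() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Live check: run it online, then again with the IPA server unreachable (offline);
# the key is proven to come from the ldb file on disk only if both runs succeed.
verify_cached_keys() {
    served=$(sss_ssh_authorizedkeys "$1" | key_blobs)
    cached=$(ldbsearch -H "$CACHE_LDB" "(&(objectClass=user)(name=$1))" sshPublicKey \
        | ldif_ssh_keys | key_blobs)
    keys_match "$served" "$cached"
}

# Constructed LDIF resembling an ldbsearch dump: one folded plain value, one base64 value.
sample_ldif() {
    printf 'dn: name=alice,cn=users,cn=mydomain.net,cn=sysdb\n'
    printf 'sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB\n ConstructedRsaBlob alice@laptop\n'
    printf 'sshPublicKey:: %s\n' "$(printf '%s' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedEdBlob alice@laptop' | base64 | tr -d '\n')"
}
sample_ldif | ldif_ssh_keys   # stand-alone demo on the constructed sample (no sssd needed)
```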
