Hi,

I was reading this slide deck, https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf, to troubleshoot an issue we are facing with getting IPA to allow users to use public key authentication, and had a few questions:

1. Where does IPA store the user public keys? I can fetch them using sss_ssh_authorizedkeys, but it would be good if we could know where it fetches the keys from. Is it in the LDAP DB?

2. When I registered new users with public key authentication, some of them are working fine and some got prompted for a password (this also happens when we update their public key). This usually happens when either SSH is not able to pick up the private key (id_rsa) or there is some permission issue with .ssh or the authorized_keys file. I am trying to find out why, in the IPA environment, this is happening for certain users only, though it is picking the right private key on the client side. The SSSD logs and secure logs do not have much to say except "authentication failed".

3. I have checked the sshd config and there does not seem to be an issue:

    KerberosAuthentication no
    PubkeyAuthentication yes
    UsePAM yes
    GSSAPIAuthentication yes
    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

4. As per the above slide deck, slide 2 of "OpenSSH Integration with SSSD" says to add the known_hosts file with SSSD. However, neither the IPA client nor the IPA server has this:

    Configure ssh in /etc/ssh/ssh_config
    Get known_hosts from SSSD
    GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

A suggestion would really help us move forward.

Best Regards,
Yogesh Sharma
Email: [email protected] | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
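For the per-user failures in question 2, one check is whether the public key a client offers is among the keys that `sss_ssh_authorizedkeys` returns for that user on the server. The following is an added example, not part of the original message: it compares SHA256 fingerprints of authorized_keys-format lines, using the command path from the post; the function names and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import subprocess

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")

def fingerprint(line):
    """Return the OpenSSH-style SHA256 fingerprint of one authorized_keys/.pub line."""
    fields = line.split()
    # Options may precede the key; the key type is the first field with a known prefix.
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):
            blob = base64.b64decode(fields[i + 1], validate=True)
            # The blob begins with its own length-prefixed type string; it must agree.
            n = int.from_bytes(blob[:4], "big")
            if blob[4:4 + n].decode("ascii", "replace") != field:
                raise ValueError("key type does not match key blob")
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key found in line")

def served_keys(user):
    """Keys SSSD hands to sshd for this user (run on the SSH server)."""
    out = subprocess.run(["/usr/bin/sss_ssh_authorizedkeys", user],
                         capture_output=True, text=True, check=True).stdout
    return [l for l in out.splitlines() if l.strip()]

def key_is_served(local_pub_line, served_lines):
    """True if the client's public key is among the served keys (comments ignored)."""
    want = fingerprint(local_pub_line)
    return any(fingerprint(l) == want for l in served_lines)

def sample_line(seed, comment):
    # Constructed ed25519-shaped blob (not a real key), so the demo runs offline.
    parts = (b"ssh-ed25519", bytes([seed]) * 32)
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

if __name__ == "__main__":
    # Constructed stand-in for served_keys("someuser") output.
    served = [sample_line(1, "old@laptop"), sample_line(2, "new@laptop")]
    print(key_is_served(sample_line(2, "id_ed25519.pub"), served))  # key is served
    print(key_is_served(sample_line(3, "id_ed25519.pub"), served))  # key is not served
```

On a real host, pass the contents of the user's `.pub` file and `served_keys(user)`; a missing match after a key update means the server is not yet being given the new key.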
