On Tue, Aug 27, 2019 at 06:32:12PM +0000, Patterson, David via FreeIPA-users wrote:
RHEL 7.7 sssd 1.16.4
Hi,
the issue I was thinking about should be fixed in the version.
Do I understand correctly that you have stored a public ssh-key in the IPA user object and this was used to do key based authentication on the IPA clients. After creating a user certificate, which is stored in the IPA user object as well, key based ssh authentication on the clients does not work anymore for the user?
To debug this please add 'debug_level = 9' to the [ssh] and [domain/...] sections of sssd.conf and restart SSSD. Now please call
sss_ssh_authorizedkeys username
where you should replace username with the name of the user which has ssh keys and certificates stored in its LDAP object. This command is used by sshd as well to get the ssh keys. Please send the log files from /var/log/sssd which should explain what prevented SSSD from returning the ssh keys.
bye, Sumit
David Patterson Sandia National Laboratories Ground System Platforms, Infrastructures & Integration Phone:(505) 284-3322 Pager: (505) 951-8112
-----Original Message-----
From: Sumit Bose via FreeIPA-users freeipa-users@lists.fedorahosted.org
Sent: Tuesday, August 27, 2019 11:05 AM
To: freeipa-users@lists.fedorahosted.org
Cc: Sumit Bose sbose@redhat.com
Subject: [EXTERNAL] [Freeipa-users] Re: Keys vs certificates
On Tue, Aug 27, 2019 at 02:43:22PM +0000, Patterson, David via FreeIPA-users wrote:
Hello,
I followed the instructions from this page (https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom...) to create User Certificates. While testing I noticed that when I create a User Cert for an account, the ssh keys stopped working for that same account.
I was hoping to have both SSH keys and User Certificates.
Is this a bug, a feature or is there some setting that I'm missing?
Hi,
which version of SSSD are you using? There was a bug in an older version of SSSD which might have the effect you are describing.
bye, Sumit
Thanks!
David Patterson
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
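The debugging steps described in the thread above (debug_level = 9 in the [ssh] and [domain/...] sections, restart SSSD, run sss_ssh_authorizedkeys), as an added example that is not part of the original messages or of SSSD itself. The helper names `set_sssd_debug` and `sample_conf` and the domain `ipa.example.test` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: set debug_level in the [ssh] and [domain/...] sections only.

# set_sssd_debug FILE LEVEL
# Prints FILE to stdout with "debug_level = LEVEL" as the first key of the
# [ssh] section and of every [domain/...] section. Any debug_level already
# present in those sections is dropped; other sections are left untouched.
set_sssd_debug() {
    awk -v level="$2" '
        /^[ \t]*\[/ {
            # A section header: decide whether this section is a target.
            target = ($0 ~ /^[ \t]*\[(ssh|domain\/[^]]+)\][ \t]*$/)
            print
            if (target) print "debug_level = " level
            next
        }
        # Old value inside a target section: replaced by the line added above.
        target && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
    ' "$1"
}

# Constructed sample configuration (not taken from the thread).
sample_conf() {
    cat <<'EOF'
[sssd]
services = nss, pam, ssh
domains = ipa.example.test

[nss]
debug_level = 2

[domain/ipa.example.test]
id_provider = ipa
debug_level = 2

[ssh]
EOF
}

# Demo on the sample; on a real client, write the result to
# /etc/sssd/sssd.conf (mode 0600, owner root), then:
#   systemctl restart sssd
#   sss_ssh_authorizedkeys username
tmp=$(mktemp) && sample_conf > "$tmp" && set_sssd_debug "$tmp" 9 && rm -f "$tmp"
```

Level 9 logging is verbose, so remove or lower the setting and restart SSSD again once the log files under /var/log/sssd have been collected.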