Hi list.
I have a CentOS 8.4 machine (fully updated), where sss_ssh_authorizedkeys is successfully able to pull public keys from IPA user certificates. Recently I have installed a new Fedora 34 machine and this functionality is not working - running "sss_ssh_authorizedkeys username" only reports public keys explicitly added to the account, omitting keys from X.509 certificates.
Both machines are joined to the same IPA domain.
I've checked sssd configuration, and ssh_use_certificate_keys option seems to be default, as the man page states. To be extra sure, I have also manually added it to sssd.conf:
[ssh]
ssh_use_certificate_keys = true
CentOS machine has the following package versions: python3-sss-murmur-2.4.0-9.el8_4.2.x86_64 sssd-proxy-2.4.0-9.el8_4.2.x86_64 libsss_sudo-2.4.0-9.el8_4.2.x86_64 libsss_autofs-2.4.0-9.el8_4.2.x86_64 sssd-nfs-idmap-2.4.0-9.el8_4.2.x86_64 sssd-2.4.0-9.el8_4.2.x86_64 libsss_idmap-2.4.0-9.el8_4.2.x86_64 sssd-ldap-2.4.0-9.el8_4.2.x86_64 sssd-kcm-2.4.0-9.el8_4.2.x86_64 sssd-dbus-2.4.0-9.el8_4.2.x86_64 python3-cssselect-0.9.2-10.el8.noarch sssd-ipa-2.4.0-9.el8_4.2.x86_64 sssd-ad-2.4.0-9.el8_4.2.x86_64 python3-sssdconfig-2.4.0-9.el8_4.2.noarch sssd-krb5-2.4.0-9.el8_4.2.x86_64 sssd-tools-2.4.0-9.el8_4.2.x86_64 sssd-client-2.4.0-9.el8_4.2.x86_64 sssd-krb5-common-2.4.0-9.el8_4.2.x86_64 sssd-common-2.4.0-9.el8_4.2.x86_64 sssd-common-pac-2.4.0-9.el8_4.2.x86_64 libsss_certmap-2.4.0-9.el8_4.2.x86_64 libsss_nss_idmap-2.4.0-9.el8_4.2.x86_64 libsss_simpleifp-2.4.0-9.el8_4.2.x86_64 python3-sss-2.4.0-9.el8_4.2.x86_64
Fedora machine has the following package versions: libsss_idmap-2.5.2-2.fc34.aarch64 libsss_autofs-2.5.2-2.fc34.aarch64 libsss_sudo-2.5.2-2.fc34.aarch64 libsss_certmap-2.5.2-2.fc34.aarch64 sssd-nfs-idmap-2.5.2-2.fc34.aarch64 libsss_nss_idmap-2.5.2-2.fc34.aarch64 sssd-client-2.5.2-2.fc34.aarch64 sssd-common-2.5.2-2.fc34.aarch64 sssd-common-pac-2.5.2-2.fc34.aarch64 sssd-dbus-2.5.2-2.fc34.aarch64 sssd-krb5-common-2.5.2-2.fc34.aarch64 python3-sssdconfig-2.5.2-2.fc34.noarch python3-sss-2.5.2-2.fc34.aarch64 sssd-tools-2.5.2-2.fc34.aarch64 python3-sss-murmur-2.5.2-2.fc34.aarch64 sssd-ipa-2.5.2-2.fc34.aarch64 sssd-kcm-2.5.2-2.fc34.aarch64
Any hints on how to make sss_ssh_authorizedkeys pull keys from IPA user certificates on Fedora, or how to further debug this?
Best regards, Radoslaw
On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via FreeIPA-users wrote:
> Hi list.
> I have a CentOS 8.4 machine (fully updated), where sss_ssh_authorizedkeys is successfully able to pull public keys from IPA user certificates. Recently I have installed a new Fedora 34 machine and this functionality is not working - running "sss_ssh_authorizedkeys username" only reports public keys explicitly added to the account, omitting keys from X.509 certificates.
> Both machines are joined to the same IPA domain.
> I've checked sssd configuration, and ssh_use_certificate_keys option seems to be default, as the man page states. To be extra sure, I have also manually added it to sssd.conf:
> [ssh]
> ssh_use_certificate_keys = true
> CentOS machine has the following package versions: python3-sss-murmur-2.4.0-9.el8_4.2.x86_64 sssd-proxy-2.4.0-9.el8_4.2.x86_64 libsss_sudo-2.4.0-9.el8_4.2.x86_64 libsss_autofs-2.4.0-9.el8_4.2.x86_64 sssd-nfs-idmap-2.4.0-9.el8_4.2.x86_64 sssd-2.4.0-9.el8_4.2.x86_64 libsss_idmap-2.4.0-9.el8_4.2.x86_64 sssd-ldap-2.4.0-9.el8_4.2.x86_64 sssd-kcm-2.4.0-9.el8_4.2.x86_64 sssd-dbus-2.4.0-9.el8_4.2.x86_64 python3-cssselect-0.9.2-10.el8.noarch sssd-ipa-2.4.0-9.el8_4.2.x86_64 sssd-ad-2.4.0-9.el8_4.2.x86_64 python3-sssdconfig-2.4.0-9.el8_4.2.noarch sssd-krb5-2.4.0-9.el8_4.2.x86_64 sssd-tools-2.4.0-9.el8_4.2.x86_64 sssd-client-2.4.0-9.el8_4.2.x86_64 sssd-krb5-common-2.4.0-9.el8_4.2.x86_64 sssd-common-2.4.0-9.el8_4.2.x86_64 sssd-common-pac-2.4.0-9.el8_4.2.x86_64 libsss_certmap-2.4.0-9.el8_4.2.x86_64 libsss_nss_idmap-2.4.0-9.el8_4.2.x86_64 libsss_simpleifp-2.4.0-9.el8_4.2.x86_64 python3-sss-2.4.0-9.el8_4.2.x86_64
> Fedora machine has the following package versions: libsss_idmap-2.5.2-2.fc34.aarch64 libsss_autofs-2.5.2-2.fc34.aarch64 libsss_sudo-2.5.2-2.fc34.aarch64 libsss_certmap-2.5.2-2.fc34.aarch64 sssd-nfs-idmap-2.5.2-2.fc34.aarch64 libsss_nss_idmap-2.5.2-2.fc34.aarch64 sssd-client-2.5.2-2.fc34.aarch64 sssd-common-2.5.2-2.fc34.aarch64 sssd-common-pac-2.5.2-2.fc34.aarch64 sssd-dbus-2.5.2-2.fc34.aarch64 sssd-krb5-common-2.5.2-2.fc34.aarch64 python3-sssdconfig-2.5.2-2.fc34.noarch python3-sss-2.5.2-2.fc34.aarch64 sssd-tools-2.5.2-2.fc34.aarch64 python3-sss-murmur-2.5.2-2.fc34.aarch64 sssd-ipa-2.5.2-2.fc34.aarch64 sssd-kcm-2.5.2-2.fc34.aarch64
> Any hints on how to make sss_ssh_authorizedkeys pull keys from IPA user certificates on Fedora, or how to further debug this?
Hi,
The keys are only derived from the certificate if the certificate can be validated. Have you copied all needed CA certificates to the new machine and made SSSD aware of it?
Adding 'debug_level = 9' to the [ssh] section of sssd.conf and restarting SSSD should add log messages to sssd_ssh.log which might help to understand why the keys are not extracted.
HTH
bye, Sumit
> Best regards, Radoslaw
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Hi.
On 9/23/21 15:06, Sumit Bose via FreeIPA-users wrote:
> On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via FreeIPA-users wrote:
> The keys are only derived from the certificate if the certificate can be validated. Have you copied all needed CA certificates to the new machine and made SSSD aware of it?
Indeed, it was a problem with validation. I've originally created a symlink from /etc/sssd/pki/sssd_auth_ca_db.pem to /etc/ipa/ca.crt . However, this resulted in SELinux denial:
----
time->Thu Sep 23 15:35:28 2021
type=AVC msg=audit(1632411328.296:280110): avc: denied { read } for pid=1555510 comm="p11_child" name="sssd_auth_ca_db.pem" dev="nvme0n1p2" ino=421 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0
After copying the certificate, instead of symlinking it, sss_ssh_authorizedkeys works correctly and reports public keys from certificates too.
While here, I have a suggestion. Could ipa-client-install also add the CA certificate to sssd's PKI directory?
Currently to make this useful functionality work, manual intervention is necessary after running ipa-client-install (just having the cert in /etc/ipa/ca.crt is not enough for p11_child to perform validation).
Best regards, Radoslaw
Radoslaw Kujawa via FreeIPA-users wrote:
> Hi.
> On 9/23/21 15:06, Sumit Bose via FreeIPA-users wrote:
> > On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via FreeIPA-users wrote:
> > The keys are only derived from the certificate if the certificate can be validated. Have you copied all needed CA certificates to the new machine and made SSSD aware of it?
> Indeed, it was a problem with validation. I've originally created a symlink from /etc/sssd/pki/sssd_auth_ca_db.pem to /etc/ipa/ca.crt . However, this resulted in SELinux denial:
> time->Thu Sep 23 15:35:28 2021
> type=AVC msg=audit(1632411328.296:280110): avc: denied { read } for pid=1555510 comm="p11_child" name="sssd_auth_ca_db.pem" dev="nvme0n1p2" ino=421 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0
> After copying the certificate, instead of symlinking it, sss_ssh_authorizedkeys works correctly and reports public keys from certificates too.
> While here, I have a suggestion. Could ipa-client-install also add the CA certificate to sssd's PKI directory?
Feel free to open an RFE at https://pagure.io/freeipa/new_issue
rob
> Currently to make this useful functionality work, manual intervention is necessary after running ipa-client-install (just having the cert in /etc/ipa/ca.crt is not enough for p11_child to perform validation).
> Best regards, Radoslaw
On Thu, Sep 23, 2021 at 02:12:20PM -0400, Rob Crittenden via FreeIPA-users wrote:
> Radoslaw Kujawa via FreeIPA-users wrote:
> > Hi.
> > On 9/23/21 15:06, Sumit Bose via FreeIPA-users wrote:
> > > On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via FreeIPA-users wrote:
> > > The keys are only derived from the certificate if the certificate can be validated. Have you copied all needed CA certificates to the new machine and made SSSD aware of it?
> > Indeed, it was a problem with validation. I've originally created a symlink from /etc/sssd/pki/sssd_auth_ca_db.pem to /etc/ipa/ca.crt . However, this resulted in SELinux denial:
> > time->Thu Sep 23 15:35:28 2021
> > type=AVC msg=audit(1632411328.296:280110): avc: denied { read } for pid=1555510 comm="p11_child" name="sssd_auth_ca_db.pem" dev="nvme0n1p2" ino=421 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0
Hi,
it looks like SELinux does not like that a link is used here. Have you tried if adding
pam_cert_db_path = /etc/ipa/ca.crt
to the [pam] section of sssd.conf (or as snippet in /etc/sssd/conf.d/) works?
About using /etc/ipa/ca.crt. This file only contains the IPA CA certificate, so it can only verify certificates issued by IPA. It might be better to use /var/lib/ipa-client/pki/ca-bundle.pem which contains all the CA certificates trusted by the IPA servers, see man ipa-cacert-manage for details.
> > After copying the certificate, instead of symlinking it, sss_ssh_authorizedkeys works correctly and reports public keys from certificates too.
> > While here, I have a suggestion. Could ipa-client-install also add the CA certificate to sssd's PKI directory?
> Feel free to open an RFE at https://pagure.io/freeipa/new_issue
Currently the 'ipa-advise config-client-for-smart-card-auth' script adds CA certificates to /etc/sssd/pki/sssd_auth_ca_db.pem.
HTH
bye, Sumit
> rob
> > Currently to make this useful functionality work, manual intervention is necessary after running ipa-client-install (just having the cert in /etc/ipa/ca.crt is not enough for p11_child to perform validation).
> > Best regards, Radoslaw
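As an added example that is not part of this thread and not SSSD or FreeIPA code, the following POSIX shell script reproduces offline the two points the thread turns on: p11_child only derives an SSH key from a user certificate that validates against SSSD's CA database, and that database must be a regular file p11_child is allowed to read (the AVC above came from a symlink carrying the sssd_conf_t label). The script assumes openssl and ssh-keygen are installed; the CA, the user certificate and the certificate from a second, untrusted CA that it generates under a temporary directory are constructed test data, and the sssd paths in the comments are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD/FreeIPA.
# Everything under $WORK is constructed test data.

WORK="${WORK:-$(mktemp -d)}"

# Build a throwaway CA, a user certificate it signed, and a certificate for the
# same user signed by a CA that is NOT in the trusted bundle.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test IPA CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=testuser" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/user.crt" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Rogue CA" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/rogue.crt" -CAkey "$WORK/rogue.key" \
        -CAcreateserial -days 1 -out "$WORK/rogue-user.crt" 2>/dev/null || return 1
}

# Exit 0 only if the certificate chains to a CA in the bundle. This is the
# check p11_child must pass before sss_ssh_authorizedkeys gets a key; on a
# real client the bundle would be /var/lib/ipa-client/pki/ca-bundle.pem.
cert_validates() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the certificate's public key as an authorized_keys line, but only if
# the certificate validates; an untrusted certificate yields no key at all.
ssh_key_from_cert() {
    cert_validates "$1" "$2" || return 1
    openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem" || return 1
    ssh-keygen -i -m PKCS8 -f "$WORK/pub.pem"
}

# The CA database p11_child reads (/etc/sssd/pki/sssd_auth_ca_db.pem, or the
# file named by pam_cert_db_path) must be a regular, readable file: a symlink
# created under /etc/sssd is labelled sssd_conf_t and sssd_t is denied read on
# lnk_file, which is exactly the AVC in the thread. Copy the bundle instead.
ca_db_is_readable_file() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -r "$1" ]
}

# Stand-alone run: build the test PKI and show that only the trusted
# certificate yields an authorized_keys line.
make_test_pki
ssh_key_from_cert "$WORK/user.crt" "$WORK/ca.crt" \
    || echo "trusted cert: no key derived (is ssh-keygen installed?)"
ssh_key_from_cert "$WORK/rogue-user.crt" "$WORK/ca.crt" \
    || echo "rogue cert: rejected, no key derived"
```

Against a real client, replace the generated bundle with /var/lib/ipa-client/pki/ca-bundle.pem and the user certificate with the one stored in the IPA user entry; if cert_validates fails there, that is the same condition under which p11_child withholds the key, and sssd_ssh.log with debug_level = 9 in the [ssh] section shows the reason.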