Hi,
currently the code which generates ssh keys from the public keys in the user certificates fails if one certificate cannot be validated and terminates the whole request. It is of course valid that the user entry might contain certificates which SSSD cannot validate and since we just won't generate a ssh-key in this case SSSD should just skip those entries and return ssh-keys for every valid certificate.
You can test the patch even without a real certificate by e.g. adding a ssh-key to an IPA user object. Then 'sss_ssh_authorizedkeys username' should return this key. If you now add some random data to the userCertificate object of the same user, call 'sss_cache -E' and call 'sss_ssh_authorizedkeys username' again, you get nothing because the random data cannot be validated and hence the whole request is aborted. With the attached patch sss_ssh_authorizedkeys should return the ssh-key again.
bye, Sumit
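The behaviour change described above, as an added illustration that is not the attached patch or SSSD's own code: a fail-fast loop that aborts the whole lookup on the first bad userCertificate value, beside a per-entry loop that logs the failure and carries on with the remaining certificates and the user's plain ssh keys. The helper names (`ssh_keys_for_user`, `ssh_keys_for_user_fail_fast`, `cert_to_ssh_key`, `CertError`) are assumptions made here; the default converter uses the third-party `cryptography` package if it is installed, and the `convert` parameter lets a caller substitute another converter.

```python
import logging
from typing import Callable, Iterable, List

log = logging.getLogger("ssh_keys_from_certs")


class CertError(Exception):
    """Raised when a userCertificate value cannot be validated or converted."""


def cert_to_ssh_key(cert_der: bytes) -> str:
    """Default converter (hypothetical): DER X.509 certificate -> OpenSSH public key line.

    Uses the optional 'cryptography' package; any parse failure, and the
    absence of the parser itself, is reported as CertError so the caller
    can decide whether to abort or skip.
    """
    try:
        from cryptography import x509
        from cryptography.hazmat.primitives import serialization
    except ImportError as exc:  # no parser available: treat as "cannot validate"
        raise CertError(f"no X.509 parser available: {exc}") from exc
    try:
        cert = x509.load_der_x509_certificate(cert_der)
    except ValueError as exc:  # random data, truncated blob, wrong encoding
        raise CertError(f"not a valid DER certificate: {exc}") from exc
    pub = cert.public_key()
    return pub.public_bytes(
        serialization.Encoding.OpenSSH, serialization.PublicFormat.OpenSSH
    ).decode("ascii")


def ssh_keys_for_user_fail_fast(
    ssh_pub_keys: Iterable[str],
    certificates: Iterable[bytes],
    convert: Callable[[bytes], str] = cert_to_ssh_key,
) -> List[str]:
    """Old behaviour: one unusable certificate aborts the whole request."""
    keys = list(ssh_pub_keys)
    for cert in certificates:
        keys.append(convert(cert))  # CertError propagates, nothing is returned
    return keys


def ssh_keys_for_user(
    ssh_pub_keys: Iterable[str],
    certificates: Iterable[bytes],
    convert: Callable[[bytes], str] = cert_to_ssh_key,
) -> List[str]:
    """Fixed behaviour: skip certificates that cannot be validated, keep the rest.

    The plain ssh keys stored on the user entry are always returned; every
    certificate that converts cleanly contributes one more key; every other
    certificate is logged and ignored.
    """
    keys = list(ssh_pub_keys)
    for idx, cert in enumerate(certificates):
        try:
            keys.append(convert(cert))
        except CertError as exc:
            log.warning("skipping userCertificate[%d]: %s", idx, exc)
            continue
    return keys


if __name__ == "__main__":
    # Constructed sample entry: one stored ssh key plus one garbage certificate,
    # mirroring the manual test with random data in userCertificate.
    entry_keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyConstructedHere user@host"]
    entry_certs = [b"this is not a certificate"]
    print(ssh_keys_for_user(entry_keys, entry_certs))
```

Running the block directly prints the stored ssh key despite the junk certificate, where the fail-fast variant raises and returns nothing, which is the difference between the two sss_ssh_authorizedkeys runs described above.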