Hi,
currently the code which generates ssh keys from the public keys in the
user certificates fails if one certificate cannot be validated and
terminates the whole request. It is of course valid that the user entry
might contain certificates which SSSD cannot validate, and since we just
won't generate an ssh-key in this case, SSSD should just skip those
entries and return ssh-keys for every valid certificate.
You can test the patch even without a real certificate by e.g. adding an
ssh-key to an IPA user object. Then 'sss_ssh_authorizedkeys username'
should return this key. If you now add some random data to the
userCertificate attribute of the same user, call 'sss_cache -E' and call
'sss_ssh_authorizedkeys username' again, you get nothing, because the
random data cannot be validated and hence the whole request is aborted.
With the attached patch, sss_ssh_authorizedkeys should return the ssh-key
again.
bye,
Sumit
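The behaviour described in the message above, as an added stand-alone example; this is not SSSD's code and not the attached patch. It walks each userCertificate value with a minimal DER reader, pulls the RSA SubjectPublicKeyInfo out of it and formats it as an ssh-rsa line. A value that does not parse is skipped (the "after" behaviour) instead of aborting the whole request (the "before" behaviour, selectable with skip_invalid=False). The sample input is constructed here: the two certificate-shaped values carry a placeholder signature and are never validated against a CA, so "invalid" in this example only means "does not parse"; the helper names and the toy-sized moduli are likewise assumptions for the illustration.

```python
"""Added example, not SSSD's code: turn each userCertificate value of a user
into an ssh-rsa line, skipping values that do not parse as a certificate."""
import base64
import struct

# --- tiny DER encoder, used only to build the constructed sample input ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):  # minimal two's complement, leading 0x00 if the high bit is set
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _der_seq(*parts):
    return _tlv(0x30, b"".join(parts))

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
ALG_RSA_BODY = _tlv(0x06, OID_RSA_ENCRYPTION) + b"\x05\x00"  # rsaEncryption, NULL
ALG_RSA = _tlv(0x30, ALG_RSA_BODY)

def make_sample_cert(n, e):
    """Constructed, certificate-shaped DER with a placeholder signature.
    It is NOT a valid, signed certificate; it only exercises the parser."""
    spki = _der_seq(ALG_RSA, _tlv(0x03, b"\x00" + _der_seq(_der_int(n), _der_int(e))))
    tbs = _der_seq(
        _tlv(0xA0, _der_int(2)),                             # [0] version v3
        _der_int(1),                                         # serialNumber
        ALG_RSA,                                             # signature (placeholder)
        _der_seq(),                                          # issuer: empty Name
        _der_seq(_tlv(0x17, b"240101000000Z"), _tlv(0x17, b"340101000000Z")),
        _der_seq(),                                          # subject: empty Name
        spki,
    )
    return _der_seq(tbs, ALG_RSA, _tlv(0x03, b"\x00\x00"))   # placeholder signature

# --- tiny DER reader ---
class CertError(ValueError):
    """Raised for anything that is not a well-formed RSA certificate."""

def _read_tlv(buf, pos):
    if pos + 2 > len(buf):
        raise CertError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                        # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise CertError("bad length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise CertError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def _children(body, expect_tag=None):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    if expect_tag is not None and any(t != expect_tag for t, _ in out):
        raise CertError("unexpected tag")
    return out

def cert_to_ssh_rsa(der):
    """Extract the RSA SubjectPublicKeyInfo and format it as an ssh-rsa line."""
    tag, cert, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der) or not cert:
        raise CertError("not a single SEQUENCE")
    tbs_tag, tbs = _children(cert)[0]
    fields = _children(tbs)
    spki_idx = 6 if fields and fields[0][0] == 0xA0 else 5   # version is OPTIONAL
    if tbs_tag != 0x30 or len(fields) <= spki_idx:
        raise CertError("malformed tbsCertificate")
    spki_tag, spki = fields[spki_idx]
    parts = _children(spki)
    if (spki_tag != 0x30 or len(parts) != 2
            or parts[0] != (0x30, ALG_RSA_BODY) or parts[1][0] != 0x03):
        raise CertError("not an rsaEncryption SubjectPublicKeyInfo")
    bits = parts[1][1]
    if not bits or bits[0] != 0:                             # BIT STRING unused bits
        raise CertError("unexpected unused bits")
    rsa_tag, rsa = _read_tlv(bits, 1)[:2]
    n_e = _children(rsa, expect_tag=0x02)
    if rsa_tag != 0x30 or len(n_e) != 2:
        raise CertError("malformed RSAPublicKey")
    n, e = n_e[0][1], n_e[1][1]
    # ssh-rsa wire format: string "ssh-rsa", mpint e, mpint n. DER INTEGER
    # contents are already minimal big-endian two's complement, as mpint requires.
    blob = b"".join(struct.pack(">I", len(x)) + x for x in (b"ssh-rsa", e, n))
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")

def try_cert_to_ssh_rsa(der):
    """Return the key line, or None if the value is not a usable certificate."""
    try:
        return cert_to_ssh_rsa(der)
    except CertError:
        return None

def authorized_keys(cert_values, skip_invalid=True):
    """skip_invalid=False: one bad value aborts the whole request (old behaviour).
    skip_invalid=True: bad values are skipped, keys for the rest are returned."""
    keys = []
    for val in cert_values:
        key = try_cert_to_ssh_rsa(val) if skip_invalid else cert_to_ssh_rsa(val)
        if key is not None:
            keys.append(key)
    return keys

# constructed sample: two parsable certificates around one blob of random data
SAMPLE_CERTS = [
    make_sample_cert(0xD3FE78D1C5A2B9E7, 65537),   # toy-sized modulus, not for real use
    b"this is not a certificate",
    make_sample_cert(0xBADC0FFEE0DDF00D, 3),
]

if __name__ == "__main__":
    for line in authorized_keys(SAMPLE_CERTS):
        print(line)
```

Run as a script it prints two ssh-rsa lines; the middle value is dropped without affecting the others, which is the outcome the message expects from sss_ssh_authorizedkeys after the patch. Calling authorized_keys(SAMPLE_CERTS, skip_invalid=False) instead raises CertError on the random blob, reproducing the "you get nothing" case.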