On (27/08/15 08:21), Davor Vusir wrote:
>On 2015-08-26 21:36, Lukas Slebodnik wrote:
>>On (26/08/15 13:09), Davor Vusir wrote:
>>>On 2015-08-25 20:25, Lukas Slebodnik wrote:
>>>>Now you can test with command line utility sss_ssh_authorizedkeys
>>>>whether ssh responder is correctly configured.
>>>> ("ssh" should be listed in option services; in sssd section)
>>>>If the public key is returned then you need to check
>>>>sshd configuration files for proper integration.
>>>>
>>>>@see more details in man sss_ssh_authorizedkeys
>>>[root@client-1 ~]# sss_ssh_authorizedkeys myLoginID
>>>ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
>>>
>>>[myLoginID@client-1 ~]# sss_ssh_authorizedkeys myLoginID
>>>ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
>>>
>>>Seems to work. But as soon as I put "subdomains_provider = none" either sshd
>>>or sssd (I believe it's sssd) bypasses the ssh public key check. It
>>>recognizes that it should check for the password to unlock the private key,
>>>but doesn't care what I'm typing. It solely checks for the Kerberos password.
>>>
>>Does sss_ssh_authorizedkeys return the public key with "subdomains_provider = none"?
>>Please try with empty cache.
>>
>Is this the correct procedure?
yes.
>1.
>Logged in as "nonPublicKeyUser" su-ing to root in one terminal:
>[root@server-1 ~]# service sssd stop
>Redirecting to /bin/systemctl stop sssd.service
>[root@server-1 ~]# rm -f /var/log/sssd/sssd*
>[root@server-1 ~]# vi /etc/sssd/sssd.conf
>[root@server-1 ~]# service sssd stop && rm -Rf /var/lib/sss/db/* && rm -Rf /var/lib/sss/mc/* && service sssd start
>Redirecting to /bin/systemctl stop sssd.service
>Redirecting to /bin/systemctl start sssd.service
>[root@server-1 ~]#
>2.
>In another terminal from client-1:
>PublicKeyUser@server-1 ~
>$ ssh server-1.subdomain.example.org
>Enter passphrase for key '/home/PublicKeyUser/.ssh/id_rsa': <- No password given. Just pressed <return>.
>Password:
>Last login: Wed Aug 26 12:56:21 2015 from client-1.subdomain2.example.org
>[PublicKeyUser@server-1 ~]$ sss_ssh_authorizedkeys PublicKeyUser
>ssh-rsa AAAAB3NzaC1yc2EAAA...
>[PublicKeyUser@server-1 ~]$ exit
>3.
>Back to the first terminal:
>[root@server-1 ~]# service sssd stop && rm -Rf /var/lib/sss/db/* && rm -Rf /var/lib/sss/mc/* && service sssd start
>Redirecting to /bin/systemctl stop sssd.service
>Redirecting to /bin/systemctl start sssd.service
>[root@server-1 ~]# sss_ssh_authorizedkeys PublicKeyUser
>ssh-rsa AAAAB3NzaC1yc2E...
>[root@server-1 ~]#
You could immediately run as root "sss_ssh_authorizedkeys PublicKeyUser"
after restarting sssd with the new configuration.
But it looks like the public key is returned even with disabled subdomain provider.
>>>As soon as I comment out "subdomains_provider = none" user accounts with
>>>public key use this type of authentication only and user accounts with
>>>Kerberos password use Kerberos authentication only, which, of course, is the
>>>goal.
>>>
>>>I don't expect you to comment on the sshd_config but here are relevant parts
>>>of both sshd_config and sssd.conf. Both "ct-linuxuberadmins" and
>>>"ct-linuxservicesadmins" in sshd_config are AD-groups with corresponding
>>>sudoers-files.
>>>
>>>sssd.conf:
>>>[domain/ad.example.org]
>>> debug_level = 6
>>> id_provider = ad
>>> auth_provider = ad
>>> access_provider = ad
>>> chpass_provider = ad
>>>
>>> subdomains_provider = none
>>># subdomain_enumerate = none
>>> ignore_group_members = True
>>>
>>> enumerate = False
>>>
>>> ldap_page_size = 1000
>>> ldap_id_mapping = False
>>> ldap_purge_cache_timeout = 0
>>> ldap_user_ssh_public_key = altSecurityIdentities
>>> ldap_use_tokengroups = True
>>>
>>> dyndns_update = False
>>> dyndns_update_ptr = False
>>>
>>> cache_credentials = true
>>> krb5_store_password_if_offline = true
>>>
>>>sshd_config:
>>>PubkeyAuthentication yes
>>>PasswordAuthentication no
>>>PermitEmptyPasswords no
>>>ChallengeResponseAuthentication yes
>>>
>>>UsePAM yes
>>>
>>>Match Group ct-linuxuberadmins
>>> AuthorizedKeysCommand /bin/sss_ssh_authorizedkeys
>>> AuthorizedKeysCommandUser svcCTSSHDbind
>>>
>>>Match Group ct-linuxservicesadmins
>>> PubkeyAuthentication no
>>>
>>Maybe I'm wrong but you might miss some groups with disabled subdomain_provider.
>>Please try with empty cache
>>
>>So sshd will not get to the section with AuthorizedKeysCommand.
>After step 3 above:
>[root@server-1 ~]# getent group ct-linuxuberadmins
>ct-linuxuberadmins:*:10287220:
>[root@server-1 ~]# service sssd stop && rm -Rf /var/lib/sss/db/* && rm -Rf /var/lib/sss/mc/* && service sssd start
>Redirecting to /bin/systemctl stop sssd.service
>Redirecting to /bin/systemctl start sssd.service
>[root@server-1 ~]# getent group ct-linuxservicesadmins
>uuct-gg-linuxservicesadmins:*:10287637:
Users are not listed due to the enabled option ignore_group_members.
I would be more interested in the output of the command
"id PublicKeyUser" with enabled and disabled subdomain provider.
LS
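A way to see why the AuthorizedKeysCommand block is skipped when sssd does not report a group, as an added example that is not code from this thread, from sssd or from OpenSSH: it models sshd's Match Group handling in Python, with the sshd_config excerpt and group names taken from the mail above. The matching rules (global options first, Match blocks in file order, first matching block that sets an option wins, exact group names only) are a simplified model and an assumption.

```python
# Simplified model of sshd's Match handling (an assumption, not sshd's own
# code): global options apply first, Match blocks are scanned in file order,
# and the first matching block that sets an option wins. Wildcards ignored.

# Constructed from the sshd_config excerpt quoted in the thread.
SSHD_CONFIG = """
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Match Group ct-linuxuberadmins
    AuthorizedKeysCommand /bin/sss_ssh_authorizedkeys
    AuthorizedKeysCommandUser svcCTSSHDbind
Match Group ct-linuxservicesadmins
    PubkeyAuthentication no
"""

def parse_sshd_config(text):
    # Returns (global_options, [(group_list, block_options), ...]); keys lowercased.
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            crit, _, arg = value.partition(" ")
            assert crit.lower() == "group", "only 'Match Group' is modelled"
            current = {}
            blocks.append((arg.split(","), current))
        elif current is None:
            global_opts[key] = value
        else:
            current[key] = value
    return global_opts, blocks

def effective_options(text, user_groups):
    # Options sshd would apply to a user whose group memberships are user_groups.
    global_opts, blocks = parse_sshd_config(text)
    matched = {}
    for groups, opts in blocks:
        if any(g in user_groups for g in groups):
            for key, value in opts.items():
                matched.setdefault(key, value)  # first Match value wins
    return {**global_opts, **matched}

def uses_sssd_keys(text, user_groups):
    # True if sshd would run sss_ssh_authorizedkeys for this user at all.
    opts = effective_options(text, user_groups)
    return (opts.get("pubkeyauthentication", "yes") == "yes"
            and "sss_ssh_authorizedkeys" in opts.get("authorizedkeyscommand", ""))
```

If the group reported by `id` lacks ct-linuxuberadmins, the user keeps PubkeyAuthentication but never gets an AuthorizedKeysCommand, so the offered key is rejected and sshd falls through to the PAM challenge-response prompt, which is the password prompt seen in step 2.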