Bug 1185410

Summary: idoverrideuser-add option --sshpubkey does not work
Product: Red Hat Enterprise Linux 7
Reporter: Sumit Bose <sbose>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 7.1
CC: drieden, jcholast, mkosek, rcritten, sgoveas
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.1.0-17.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 10:19:31 UTC
Type: Bug

Description Sumit Bose 2015-01-23 16:43:42 UTC
Description of problem:
An SSH key cannot be added with idoverrideuser-add:

[root@sideswipe ~]# ipa idoverrideuser-add 'default trust view' aduser1 --uid 960600030 --sshpubkey 'ssh-rsa AAAAAAAAAAAXXXXXXXX root.test'
ipa: ERROR: attribute "ipaSshPubKey" not allowed

Nevertheless it is working as expected with idoverrideuser-mod.

Version-Release number of selected component (if applicable):
ipa-4.1.0-15.el7

Comment 1 Martin Kosek 2015-01-26 11:37:12 UTC
This is indeed a bug, I see

        if 'ipasshpubkey' in entry_attrs and 'ipasshuser' not in obj_classes:
            obj_classes.append('ipasshuser')

is only in idoverrideuser_mod command. I will create an upstream bug.
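
A toy model of the failure described in Comment 1, added here as an illustration and not FreeIPA's own code: the directory rejects `ipasshpubkey` unless the entry also carries the `ipasshuser` object class, so an add path that skips the quoted check fails while one that runs it succeeds. The schema table, `ldap_add`, `ensure_ssh_objectclass` and `override_add` are hypothetical names, and the schema is a simplified, constructed subset.

```python
# Toy model of LDAP schema checking; not FreeIPA code.
# Simplified, constructed schema: object class -> attributes it permits.
SCHEMA = {
    "ipaoverrideanchor": {"ipaanchoruuid", "description"},
    "ipauseroverride": {"uid", "uidnumber", "gidnumber", "homedirectory",
                        "loginshell", "gecos"},
    "ipasshuser": {"ipasshpubkey"},
}


class SchemaViolation(Exception):
    """Raised when an entry holds an attribute no object class permits."""


def ldap_add(entry):
    """Hypothetical stand-in for the server-side schema check on add."""
    allowed = set()
    for oc in entry["objectclass"]:
        allowed |= SCHEMA[oc.lower()]
    for attr in entry:
        if attr != "objectclass" and attr.lower() not in allowed:
            raise SchemaViolation('attribute "%s" not allowed' % attr)
    return entry


def ensure_ssh_objectclass(entry_attrs, obj_classes):
    # Same condition as the snippet quoted in Comment 1.
    if 'ipasshpubkey' in entry_attrs and 'ipasshuser' not in obj_classes:
        obj_classes.append('ipasshuser')


def override_add(anchor, ssh_key, fixed):
    """Build an override entry; fixed=False models the add path without the check."""
    entry_attrs = {"ipaanchoruuid": anchor, "ipasshpubkey": ssh_key}
    obj_classes = ["ipaoverrideanchor", "ipauseroverride"]
    if fixed:
        ensure_ssh_objectclass(entry_attrs, obj_classes)
    return ldap_add(dict(entry_attrs, objectclass=obj_classes))


if __name__ == "__main__":
    key = "ssh-rsa AAAA-constructed-sample aduser1@example.test"  # constructed
    try:
        override_add("aduser1", key, fixed=False)
    except SchemaViolation as err:
        print("without check:", err)
    print("with check:", override_add("aduser1", key, fixed=True)["objectclass"])
```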

Comment 2 Martin Kosek 2015-01-26 11:39:02 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4868

Comment 6 Steeve Goveas 2015-01-28 12:04:17 UTC
On Client

[root@ratchet ~]# su - aduser1
-sh-4.2$ bash

[aduser1@ratchet ~]$ ssh-keygen -t rsa -N '' -f /home/adtest.qe/aduser1/.ssh/id_rsa
Generating public/private rsa key pair.
Created directory '/home/adtest.qe/aduser1/.ssh'.
Your identification has been saved in /home/adtest.qe/aduser1/.ssh/id_rsa.
Your public key has been saved in /home/adtest.qe/aduser1/.ssh/id_rsa.pub.
The key fingerprint is:
97:23:4f:c4:66:19:32:57:68:3b:aa:d7:4b:99:92:2e aduser1@ratchet.ipabugs.test
The key's randomart image is:
+--[ RSA 2048]----+
|        o oo.    |
|         =oo     |
|         .*.     |
|         +o.     |
|        S.=.     |
|        .* +     |
|       .o.=      |
|      E..o.      |
|       o. ..     |
+-----------------+

[aduser1@ratchet ~]$ cat .ssh/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd3MllNN7FV73WSBcABttKoXiNSgpgg47em7QqwR8Mk9iIIiblfuShXxL35L2iCS9D/hr72bzT1yJD5B+gqmXPIwm+myzBSgAjqtQLVZ15xnyZnQQdUE3lTGhWoX3BuTXqK0m9YfAB9yPiAFYDXNWn+X0UGvAwQat91k0muB4PbinIbY76f5klH5T1gKX5Ih4Zr7YE7xjwnyplB//mduCmZeXSBML43yl+nrFMtS41iYlxwMrIUbZhB3KUw23QQdSSe8EOBTKS+KImUhQXn5crf+mcfhiPSfZZVpA+beAenFkbz1bw7Bkv7bJIDVuRRKmROLW2APYK7HqdlLiXeiYt aduser1@ratchet.ipabugs.test

On Server

[root@sideswipe ~]# ipa idoverrideuser-add 'default trust view' aduser1 --sshpubkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd3MllNN7FV73WSBcABttKoXiNSgpgg47em7QqwR8Mk9iIIiblfuShXxL35L2iCS9D/hr72bzT1yJD5B+gqmXPIwm+myzBSgAjqtQLVZ15xnyZnQQdUE3lTGhWoX3BuTXqK0m9YfAB9yPiAFYDXNWn+X0UGvAwQat91k0muB4PbinIbY76f5klH5T1gKX5Ih4Zr7YE7xjwnyplB//mduCmZeXSBML43yl+nrFMtS41iYlxwMrIUbZhB3KUw23QQdSSe8EOBTKS+KImUhQXn5crf+mcfhiPSfZZVpA+beAenFkbz1bw7Bkv7bJIDVuRRKmROLW2APYK7HqdlLiXeiYt aduser1@ratchet.ipabugs.test"
------------------------------------------
Added User ID override "aduser1"
------------------------------------------
  Anchor to override: aduser1
  SSH public key: ssh-rsa
                  AAAAB3NzaC1yc2EAAAADAQABAAABAQDd3MllNN7FV73WSBcABttKoXiNSgpgg47em7QqwR8Mk9iIIiblfuShXxL35L2iCS9D/hr72bzT1yJD5B+gqmXPIwm+myzBSgAjqtQLVZ15xnyZnQQdUE3lTGhWoX3BuTXqK0m9YfAB9yPiAFYDXNWn+X0UGvAwQat91k0muB4PbinIbY76f5klH5T1gKX5Ih4Zr7YE7xjwnyplB//mduCmZeXSBML43yl+nrFMtS41iYlxwMrIUbZhB3KUw23QQdSSe8EOBTKS+KImUhQXn5crf+mcfhiPSfZZVpA+beAenFkbz1bw7Bkv7bJIDVuRRKmROLW2APYK7HqdlLiXeiYt
                  aduser1@ratchet.ipabugs.test


[root@sideswipe ~]# grep sss_ssh_authorizedkeys /etc/ssh/sshd_config 
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

[root@sideswipe ~]# sss_ssh_authorizedkeys -d ipabugs.test aduser1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd3MllNN7FV73WSBcABttKoXiNSgpgg47em7QqwR8Mk9iIIiblfuShXxL35L2iCS9D/hr72bzT1yJD5B+gqmXPIwm+myzBSgAjqtQLVZ15xnyZnQQdUE3lTGhWoX3BuTXqK0m9YfAB9yPiAFYDXNWn+X0UGvAwQat91k0muB4PbinIbY76f5klH5T1gKX5Ih4Zr7YE7xjwnyplB//mduCmZeXSBML43yl+nrFMtS41iYlxwMrIUbZhB3KUw23QQdSSe8EOBTKS+KImUhQXn5crf+mcfhiPSfZZVpA+beAenFkbz1bw7Bkv7bJIDVuRRKmROLW2APYK7HqdlLiXeiYt aduser1@ratchet.ipabugs.test


On Client

[root@ratchet ~]# grep sss_ssh_authorizedkeys /etc/ssh/sshd_config 
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

[root@ratchet ~]# sss_ssh_authorizedkeys -d ipabugs.test aduser1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd3MllNN7FV73WSBcABttKoXiNSgpgg47em7QqwR8Mk9iIIiblfuShXxL35L2iCS9D/hr72bzT1yJD5B+gqmXPIwm+myzBSgAjqtQLVZ15xnyZnQQdUE3lTGhWoX3BuTXqK0m9YfAB9yPiAFYDXNWn+X0UGvAwQat91k0muB4PbinIbY76f5klH5T1gKX5Ih4Zr7YE7xjwnyplB//mduCmZeXSBML43yl+nrFMtS41iYlxwMrIUbZhB3KUw23QQdSSe8EOBTKS+KImUhQXn5crf+mcfhiPSfZZVpA+beAenFkbz1bw7Bkv7bJIDVuRRKmROLW2APYK7HqdlLiXeiYt aduser1@ratchet.ipabugs.test


[root@ratchet ~]# su - aduser1
Last login: Wed Jan 28 17:19:08 IST 2015 from ratchet.ipabugs.test on pts/1
-sh-4.2$ klist
klist: Credentials cache keyring 'persistent:1148401313:krb_ccache_Bndbp0R' not found

-sh-4.2$ ssh -l aduser1 sideswipe.ipabugs.test hostname
sideswipe.ipabugs.test

-sh-4.2$ ssh -l aduser1 `hostname` hostname
ratchet.ipabugs.test

Comment 7 Steeve Goveas 2015-01-28 12:05:06 UTC
Verified in version

[root@sideswipe ~]# rpm -q ipa-server sssd
ipa-server-4.1.0-17.el7.x86_64
sssd-1.12.2-52.el7.x86_64

Comment 9 errata-xmlrpc 2015-03-05 10:19:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html