Bug 1537272

Summary: SSH public key authentication keeps working after keys are removed from ID view
Product: Red Hat Enterprise Linux 7 Reporter: Jakub Hrozek <jhrozek>
Component: sssdAssignee: Fabiano FidĂȘncio <fidencio>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: fidencio, grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, ndehadra, pbrezina, sgoveas, sumenon, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.16.2-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:41:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jakub Hrozek 2018-01-22 19:46:52 UTC 
This bug is created as a clone of upstream ticket:
https://pagure.io/SSSD/sssd/issue/3602

I installed FreeIPA 4.5.0 on a CentOS 7.4 server and configured a trust between it and an AD domain server, using ID views in the the Default Trust View to override the users' loginShell and homeDirectory attributes sent to the ipa clients. Once configured, SSH authentication with a public key works even after the public key is removed.

Steps to Reproduce:
 - create a ID View on the Default Trust View and add a user override
 - add an SSH public key to the user override
 - login to a client, the password will not be requested
 - remove the public key from the user override
 - login to a client again, the password is not requested

Actual behavior:
After I remove a key, either from the web GUI or the CLI, the user can still login with the old key.

Expected behavior:
After removing a key the users shouldn't be able to login to the clients without using their password.
Comment 2 Jakub Hrozek 2018-01-23 08:31:16 UTC 
 * master:
   * 56f015e
   * d0d3631
Comment 5 Sudhir Menon 2018-08-20 07:04:15 UTC 
Performed the below steps to test the fix

1. Created Homed directory on ipa-client.
[root@client ipaad2016.test]# pwd
/home/ipaad2016.test
[root@client ipaad2016.test]# ls -l
total 0
drwxr-xr-x. 2 aduser20 aduser20 6 Aug 20 11:54 aduser20

2. ensure id command returns output on IPA server and tried to login to client using password and generated ssh keys

[root@master home]# id aduser20
uid=1577608160(aduser20) gid=1577608160(aduser20) groups=1577608160(aduser20),1577600513(domain users)
[root@master home]# ssh -l aduser20 client.apollo.test
Password: 
-sh-4.2$ pwd
/home/ipaad2016.test/aduser20
-sh-4.2$ ssh-keygen -t rsa
-sh-4.2$ pwd
/home/ipaad2016.test/aduser20/.ssh
-rw-------. 1 aduser20 aduser20 1679 Aug 20 11:56 id_rsa
-rw-r--r--. 1 aduser20 aduser20  424 Aug 20 11:56 id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvLIJH+jbyW1e4ce0AQGom3YebKAnK4jhEN8WTczzzrA3vex+oPJFT+wvg6VuqALcjwnUtESsARMBXIW9zLXZJt0PeHDLeswbCA6YelCD2PEw3EGl6/RlziAbah21U1XIDUC3oNyMQraOGEyxE5lXOH9Rym/frLm7Bk+DzeP+6s9kbVX8WwEA7R0zHW1IqHom/Ej9L9I+/NMJ8DTg88MlCJeBzD4Eu6Jg55G8sgFlZ0V7h/3o40I/+18DZVWZTPu2HYJbO5AJgN785up3gWIpZsnYR99SQ8fTA7YcKJzwHM+zN9LFUwdjrHXOM8613bbPSTbr4PcgOI/As73MCo+Qh aduser20@client.apollo.test

3. Created idoverride for aduser20 on IPA server with the above pubkey with only the blob.
[root@master home]# ipa idoverrideuser-add
ID View Name: Default Trust View
Anchor to override: aduser20
------------------------------------------------
Added User ID override "aduser20"
------------------------------------------------
  Anchor to override: aduser20

[root@master home]# ipa idoverrideuser-mod --sshpubkey='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvLIJH+jbyW1e4ce0AQGom3YebKAnK4jhEN8WTczzzrA3vex+oPJFT+wvg6VuqALcjwnUtESsARMBXIW9zLXZJt0PeHDLeswbCA6YelCD2PEw3EGl6/RlziAbah21U1XIDUC3oNyMQraOGEyxE5lXOH9Rym/frLm7Bk+DzeP+6s9kbVX8WwEA7R0zHW1IqHom/Ej9L9I+/NMJ8DTg88MlCJeBzD4Eu6Jg55G8sgFlZ0V7h/3o40I/+18DZVWZTPu2HYJbO5AJgN785up3gWIpZsnYR99SQ8fTA7YcKJzwHM+zN9LFUwdjrHXOM8613bbPSTbr4PcgOI/As73MCo+Qh'
ID View Name: Default Trust View
Anchor to override: aduser20
------------------------------------------------------
Modified an User ID override "aduser20"
------------------------------------------------------
  Anchor to override: aduser20
  SSH public key: ssh-rsa                  AAAAB3NzaC1yc2EAAAADAQABAAABAQCvLIJH+jbyW1e4ce0AQGom3YebKAnK4jhEN8WTczzzrA3vex+oPJFT+wvg6VuqALcjwnUtESsARMBXIW9zLXZJt0PeHDLeswbCA6YelCD2PEw3EGl6/RlziAbah21U1XIDUC3oNyMQraOGEyxE5lXOH9Rym/frLm7Bk+DzeP+6s9kbVX8WwEA7R0zHW1IqHom/Ej9L9I+/NMJ8DTg88MlCJeBzD4Eu6Jg55G8sgFlZ0V7h/3o40I/+18DZVWZTPu2HYJbO5AJgN785up3gWIpZsnYR99SQ8fTA7YcKJzwHM+zN9LFUwdjrHXOM8613bbPSTbr4PcgOI/As73MCo+Qh

4.  Tried logging to client from the IPA master after adding pubkey.

[root@master sssd]# sss_ssh_authorizedkeys aduser20
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvLIJH+jbyW1e4ce0AQGom3YebKAnK4jhEN8WTczzzrA3vex+oPJFT+wvg6VuqALcjwnUtESsARMBXIW9zLXZJt0PeHDLeswbCA6YelCD2PEw3EGl6/RlziAbah21U1XIDUC3oNyMQraOGEyxE5lXOH9Rym/frLm7Bk+DzeP+6s9kbVX8WwEA7R0zHW1IqHom/Ej9L9I+/NMJ8DTg88MlCJeBzD4Eu6Jg55G8sgFlZ0V7h/3o40I/+18DZVWZTPu2HYJbO5AJgN785up3gWIpZsnYR99SQ8fTA7YcKJzwHM+zN9LFUwdjrHXOM8613bbPSTbr4PcgOI/As73MCo+Qh

[root@master home]# ssh -l aduser20 client.apollo.test
Password: 
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
-sh-4.2$ 

Tried login second time, but password is again requested.
[root@master home]# ssh -l aduser20 client.apollo.test
Password: 

Observations:

1. As per bugzilla step, login to a client, the password will not be requested after adding pubkey override but password is 
requested for first time and also second time during login even after using sss_cache -E

2. Seeing AVC denials with selinux-policy-3.13.1-215.el7.noarch
time->Fri Aug 17 17:51:25 2018
type=PROCTITLE msg=audit(1534508485.600:3228): proctitle=737368643A206164757365723230406970616164323031362E74657374205B707269765D
type=PATH msg=audit(1534508485.600:3228): item=0 name="/home/ipaad2016.test/aduser20/.ssh/authorized_keys" inode=35295870 dev=fd:00 mode=0100600 ouid=1577608160 ogid=1577608160 rdev=00:00 obj=unconfined_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1534508485.600:3228):  cwd="/"
type=SYSCALL msg=audit(1534508485.600:3228): arch=c000003e syscall=2 success=no exit=-13 a0=55df48fe8100 a1=800 a2=1 a3=7f64f20da300 items=1 ppid=26099 pid=27038 auid=4294967295 uid=0 gid=0 euid=1577608160 suid=0 fsuid=1577608160 egid=1577608160 sgid=0 fsgid=1577608160 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1534508485.600:3228): avc:  denied  { read } for  pid=27038 comm="sshd" name="authorized_keys" dev="dm-0" ino=35295870 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file permissive=0
Comment 6 Fabiano FidĂȘncio 2018-08-20 07:08:17 UTC 
A little bit more info here:

This is what I can see on IPA side:
# :SID:S-1-5-21-813110839-3732285123-1597101681-8160, Default Trust View, views
 , accounts, apollo.test
dn: ipaanchoruuid=:SID:S-1-5-21-813110839-3732285123-1597101681-8160,cn=Defaul
 t Trust View,cn=views,cn=accounts,dc=apollo,dc=test
objectClass: ipaOverrideAnchor
objectClass: top
objectClass: ipaUserOverride
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
ipaOriginalUid: aduser20
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS04MTMxMTA4MzktMzczMjI4NTEyMy0xNTk3MTAxNjgxLT
 gxNjA=
ipaSshPubKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvLIJH+jbyW1e4ce0AQGom3Yeb
 KAnK4jhEN8WTczzzrA3vex+oPJFT+wvg6VuqALcjwnUtESsARMBXIW9zLXZJt0PeHDLeswbCA6Yel
 CD2PEw3EGl6/RlziAbah21U1XIDUC3oNyMQraOGEyxE5lXOH9Rym/frLm7Bk+DzeP+6s9kbVX8WwE
 A7R0zHW1IqHom/Ej9L9I+/NMJ8DTg88MlCJeBzD4Eu6Jg55G8sgFlZ0V7h/3o40I/+18DZVWZTPu2
 HYJbO5AJgN785up3gWIpZsnYR99SQ8fTA7YcKJzwHM+zN9LFUwdjrHXOM8613bbPSTbr4PcgOI/As
 73MCo+Qh

And this is what I can see on SSSD server side:
# record 46
dn: name=aduser20,cn=users,cn=ipaad2016.test,cn=sysdb
createTimestamp: 1534505730
fullName: aduser20
gecos: aduser20
gidNumber: 1577608160
name: aduser20
objectCategory: user
uidNumber: 1577608160
objectSIDString: S-1-5-21-813110839-3732285123-1597101681-8160
uniqueID: 5cc2e846-ead0-4cdc-ad09-1a2bf68f2570
origPrimaryGroupGidNumber: 1577600513
originalDN: CN=aduser20,CN=Users,DC=ipaad2016,DC=test
originalModifyTimestamp: 20180816122733.0Z
entryUSN: 369504
userPrincipalName: aduser20
adUserAccountControl: 66048
nameAlias: aduser20
isPosix: TRUE
originalADuidNumber: 1577608160
originalADgidNumber: 1577608160
originalADgecos: aduser20
originalADhomeDirectory: /home/ipaad2016.test/aduser20
originalADname: aduser20
initgrExpireTimestamp: 1534511134
ccacheFile: KEYRING:persistent:1577608160
cachedPasswordType: 1
failedLoginAttempts: 0
pacBlob:: BQAAAAAAAAABAAAA4AEAAFgAAAAAAAAACgAAABoAAAA4AgAAAAAAAAwAAABgAAAAWAIA
 AAAAAAAGAAAAEAAAALgCAAAAAAAABwAAABAAAADIAgAAAAAAAAEQCADMzMzM0AEAAAAAAAAAAAIAa
 crGiSI21AH/////////f/////////9/s3rU+1c11AGzetT7VzXUAf////////9/EAAQAAQAAgAQAB
 AACAACAAAAAAAMAAIAAAAAABAAAgAAAAAAFAACAAAAAAAYAAIAGgAAAOAfAAABAgAAAQAAABwAAgA
 gAAAAAAAAAAAAAAAAAAAAAAAAABwAHgAgAAIAEgAUACQAAgAoAAIAAAAAAAAAAAAQAgAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAsAAIAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAYQBkA
 HUAcwBlAHIAMgAwAAgAAAAAAAAACAAAAGEAZAB1AHMAZQByADIAMAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAQIAAAcAAAAPAAAAAAAAAA4AAABJAEQ
 ATQAtAFEARQAtAEkAUABBAC0AQwBJADEACgAAAAAAAAAJAAAASQBQAEEAQQBEADIAMAAxADYAAAAE
 AAAAAQQAAAAAAAUVAAAANxZ3MMMmdt5x1jFfAQAAADAAAgAHAAAAAQAAAAEBAAAAAAASAQAAAABTZ
 pAiNtQBEABhAGQAdQBzAGUAcgAyADAAAAAAAAAALgAQABwAQAAAAAAAAAAAAGEAZAB1AHMAZQByAD
 IAMABAAGkAcABhAGEAZAAyADAAMQA2AC4AdABlAHMAdAAAAEkAUABBAEEARAAyADAAMQA2AC4AVAB
 FAFMAVAAAAAAAEAAAAErKPeTCuA3GCt6EWRAAAAAFmOFwAfmEyMhG7JY=
pacBlobExpireTimestamp: 1534507845
cachedPassword: $6$C6vtl5GBtKKgxDmn$6cGWx0WkSAFIMBrrOO.bTbXGkkj.a.12oLGrdb7Z/R
 IP11908lL9uqlCghEt5ONRbdFqBqkTGCXXxLmwwexpL.
lastCachedPasswordChange: 1534508499
lastOnlineAuth: 1534508499
lastOnlineAuthWithCurrentToken: 1534508499
lastLogin: 1534508499
sshPublicKey: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDdkxJSkgramJ5
 VzFlNGNlMEFRR29tM1llYktBbks0amhFTjhXVGN6enpyQTN2ZXgrb1BKRlQrd3ZnNlZ1cUFMY2p3b
 lV0RVNzQVJNQlhJVzl6TFhaSnQwUGVIRExlc3diQ0E2WWVsQ0QyUEV3M0VHbDYvUmx6aUFiYWgyMV
 UxWElEVUMzb055TVFyYU9HRXl4RTVsWE9IOVJ5bS9mckxtN0JrK0R6ZVArNnM5a2JWWDhXd0VBN1I
 wekhXMUlxSG9tL0VqOUw5SSsvTk1KOERUZzg4TWxDSmVCekQ0RXU2Smc1NUc4c2dGbFowVjdoLzNv
 NDBJLysxOERaVldaVFB1MkhZSmJPNUFKZ043ODV1cDNnV0lwWnNuWVI5OVNROGZUQTdZY0tKendIT
 St6TjlMRlV3ZGpySFhPTTg2MTNiYlBTVGJyNFBjZ09JL0FzNzNNQ28rUWg=
originalADsshPublicKey: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDdk
 xJSkgramJ5VzFlNGNlMEFRR29tM1llYktBbks0amhFTjhXVGN6enpyQTN2ZXgrb1BKRlQrd3ZnNlZ
 1cUFMY2p3blV0RVNzQVJNQlhJVzl6TFhaSnQwUGVIRExlc3diQ0E2WWVsQ0QyUEV3M0VHbDYvUmx6
 aUFiYWgyMVUxWElEVUMzb055TVFyYU9HRXl4RTVsWE9IOVJ5bS9mckxtN0JrK0R6ZVArNnM5a2JWW
 DhXd0VBN1IwekhXMUlxSG9tL0VqOUw5SSsvTk1KOERUZzg4TWxDSmVCekQ0RXU2Smc1NUc4c2dGbF
 owVjdoLzNvNDBJLysxOERaVldaVFB1MkhZSmJPNUFKZ043ODV1cDNnV0lwWnNuWVI5OVNROGZUQTd
 ZY0tKendITSt6TjlMRlV3ZGpySFhPTTg2MTNiYlBTVGJyNFBjZ09JL0FzNzNNQ28rUWg=
lastUpdate: 1534748325
dataExpireTimestamp: 1534753725
homeDirectory: /home/ipaad2016.test/aduser20
distinguishedName: name=aduser20,cn=users,cn=ipaad2016.test,cn=
 sysdb

Basically, for some reason, SSSD's cache has not been updated.
Comment 7 Sudhir Menon 2018-08-20 10:18:15 UTC 
In comment #5, on the test system, was already logged in as root and was trying to ssh to client without the pubkey of the root user in the override, hence the password was prompted every now and then. Hence after adding the pubkey for root user in override the ssh worked without prompting for password.

Also when the pubkey for user was removed from the override the user was prompted for password when trying to login to client.

1. login from IPA master to client with the pubkey added in override.

[root@master ~]# sss_cache -E
[root@master ~]# sss_ssh_authorizedkeys aduser20
 
[root@client .ssh]# sss_cache -E
[root@client .ssh]# sss_ssh_authorizedkeys aduser20

[root@master ~]# sss_ssh_authorizedkeys aduser20
ssh-dss AAAAB3NzaC1kc3MAAACBAMtMUmN4m8MKmtyy27lCNgfCsWS8fWu+RQDN8lGm6twCfegoM+rVpQdrgVDXCZbZ+xMmWQqMccAewk6i7sG7M9UThxMWFVyJVu6aS4ej8Ze/uaY0ahRVHIZ38EQnklqRLP6HPorTBixOW1ds7mM05blFIBImq8+YhBcgGzyqV0tBAAAAFQDrls806RlSM5sfM4zD0tGkCFJOjwAAAIAEpqTB1od2g9JW1hpWrsae4ashJzIOzkmis8KFV7juDLOYpksRocSA8KEwpaibfy3Igz9rYbFZZk13sb9fOXESbgY5Li2pblxbXJMUemYEROmvAsCSV5/HPL6/Uwq4uZJ5tWJ4hyC7h/7pYY8QhTI931DPO30+i4atJL+Z9uZSyQAAAIEAiNWuonFYRMqsmSMXX4yj3gRMHDY8WPO54/BSmf912iuS2VxNSwTiexB4WtbFLWzM2MNhI8ewXTTT38hd5nGgoiTh9jmnOHGrXbyZ3QtoqmpgfIR1zVh4mi3oqr7Dp5GqHretfUqfrXrIf3hWMPgGF3xBBqK0B/q2knG1ax5/y7U=
 
[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------

[root@master ~]# ssh -o GSSAPIAuthentication=no -l aduser20 client.apollo.test
Last login: Mon Aug 20 15:35:04 2018 from vm-idm-028.   <---No password prompted
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
-sh-4.2$ hostname
client.apollo.test
-sh-4.2$ id
uid=1577608160(aduser20) gid=1577608160(aduser20) groups=1577608160(aduser20),1577600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

2. Once the pubkey was removed from override when we tried to login it prompted
for password.

[root@master ~]# sss_cache -E
[root@master ~]# sss_ssh_authorizedkeys aduser20
 
 
[root@client .ssh]# sss_cache -E
[root@client .ssh]# sss_ssh_authorizedkeys aduser20
 
[root@master ~]# ssh -o GSSAPIAuthentication=no -l aduser20 client.apollo.test
Password:

Verified on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)
[root@master ~]# rpm -q ipa-server sssd krb5-server pki-server selinux-policy
ipa-server-4.6.4-6.el7.x86_64
sssd-1.16.2-12.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
pki-server-10.5.9-5.el7.noarch
selinux-policy-3.13.1-215.el7.noarch
Comment 9 errata-xmlrpc 2018-10-30 10:41:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3158