Red Hat Bugzilla – Bug 1137013
Enable OpenSSH-LPK support by default
Last modified: 2015-03-05 05:33:36 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1560

OpenSSH formatted public keys are now supported in SSSD. This means that the OpenSSH-LPK <http://code.google.com/p/openssh-lpk/> schema is supported as well. It can be enabled by setting the ldap_user_ssh_public_key option to sshPublicKey.

In the LDAP provider, ldap_user_ssh_public_key has no default value. Make sshPublicKey the default value for it, so that OpenSSH-LPK support is enabled by default.
* master: 9cd7a75654c64ce9ba320e0fee60e194dca437c1
Verified in version sssd-1.12.2-47.el7

Add a user in openldap server with the following ldif:

dn: uid=sshuser1,dc=example,dc=com
objectClass: posixAccount
objectClass: account
objectClass: ldapPublicKey
uidNumber: 123344233
gidNumber: 124264233
homeDirectory: /home/sshuser1
userPassword: Secret123
uid: sshuser1
cn: sshuser1
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5dGycoymjvbZGLia4spL/e1acgwRmzDVnV5MBQR2c7JseQI/7Jsz95tKDqHsB3/KzDGFjXca6l7UAqdJ311IlOLa8eScRTCrDvvfFOmD/yj42zCI00zHv8OhyWNSnNADv41hDfif9osLd4O5zj/C9UVrpfzQaVh7pgFw6NLUxxaKLwjHRomzLt4pDgXaBsg/Gw9k1Ox+yr3PKdED9FPkcYVTrrsdMElkbhcP+yo4VxGJVz9aQQF2HAM9naHKrQ4ybGrS7hgPcGboznj4KXR8aAlwFsoPFK1G4NTdCcmARVT42dO3bCvsP3pJlhUTTxfnEuYKC8784j4gJmhpXDxbd root@client

Setup sssd with the following in domain section:

[domain/LDAP]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://<ldap server>
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/openldap/certs/servercert.pem

# cat /etc/ssh/sshd_config | tail -n2
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

# ssh sshuser1@localhost
Last login: Tue Jan 27 20:57:33 2015 from localhost
-sh-4.2$

# tailf /var/log/secure
Jan 27 21:00:41 dhcp207-237 sshd[30877]: Accepted publickey for sshuser1 from ::1 port 47612 ssh2: RSA 5f:a5:30:d8:6f:13:e1:8c:ef:d8:24:56:71:79:8a:98

# tailf /var/log/sssd/sssd_LDAP.log
(Tue Jan 27 21:00:41 2015) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding sshPublicKey [
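With sshPublicKey enabled by default, any key stored in the directory can authorize a login, so it helps to tie the fingerprint sshd writes to /var/log/secure back to a specific LDAP value. The following is an added example, not part of the bug report or of SSSD: it validates an OpenSSH-formatted sshPublicKey value and computes the colon-separated MD5 fingerprint format seen in the log above. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import re
import struct

def build_sample_value():
    """Constructed ssh-rsa value with a toy modulus (not a usable key)."""
    def ssh_string(data):
        return struct.pack(">I", len(data)) + data
    blob = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + b"\xc3" * 32))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " sample@client"

def parse_ssh_public_key(value):
    """Validate one sshPublicKey value; return (key_type, md5_fingerprint)."""
    parts = value.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key data is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed copy of the key type.
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len]
    if name_len > len(blob) - 4 or embedded != key_type.encode("ascii", "replace"):
        raise ValueError("declared type does not match key blob")
    digest = hashlib.md5(blob).hexdigest()
    return key_type, ":".join(digest[i:i + 2] for i in range(0, 32, 2))

# Matches the "Accepted publickey" line format shown in /var/log/secure above.
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (\S+) from \S+ port \d+ ssh2: \S+ ([0-9a-f:]{47})")

def login_matches_directory(log_line, user, ldap_values):
    """True if the logged fingerprint belongs to one of the user's LDAP keys."""
    match = ACCEPTED_RE.search(log_line)
    if not match or match.group(1) != user:
        return False
    return match.group(2) in {parse_ssh_public_key(v)[1] for v in ldap_values}

if __name__ == "__main__":
    print(parse_ssh_public_key(build_sample_value()))
```

The values passed as ldap_values can be the lines printed by sss_ssh_authorizedkeys for the user. Newer OpenSSH releases log SHA256 fingerprints instead, which this regex does not match.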
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0441.html