Red Hat Bugzilla – Bug 1185410
idoverrideuser-add option --sshpubkey does not work
Last modified: 2015-03-05 05:19:31 EST
Description of problem:
A ssh key cannot be added with idoverrideuser-add:

[root@sideswipe ~]# ipa idoverrideuser-add 'default trust view' aduser1@adtest.qe --uid 960600030 --sshpubkey 'ssh-rsa AAAAAAAAAAAXXXXXXXX root@sideswipe.ipasync.test'
ipa: ERROR: attribute "ipaSshPubKey" not allowed

Nevertheless it is working as expected with idoverrideuser-mod

Version-Release number of selected component (if applicable):
ipa-4.1.0-15.el7
This is indeed a bug, I see

    if 'ipasshpubkey' in entry_attrs and 'ipasshuser' not in obj_classes:
        obj_classes.append('ipasshuser')

is only in idoverrideuser_mod command. I will create an upstream bug.
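Why the missing check produces the "not allowed" error, as an added example that is not FreeIPA code or part of the original comments: the directory rejects any attribute that none of the entry's object classes permits. The schema table, `ldap_add`, `override_add` and its `fixed` switch are hypothetical, and the attribute lists are a simplified assumption.

```python
# Constructed, simplified model of LDAP schema checking; the attribute sets are assumed.
SCHEMA = {
    "top": set(),
    "ipaoverrideanchor": {"ipaanchoruuid", "description"},
    "ipauseroverride": {"uid", "uidnumber", "gidnumber", "homedirectory"},
    "ipasshuser": {"ipasshpubkey"},
}
BASE_CLASSES = ["top", "ipaoverrideanchor", "ipauseroverride"]


class SchemaViolation(Exception):
    pass


def ldap_add(entry):
    """Reject any attribute that none of the entry's object classes allows."""
    allowed = {"objectclass"}
    for oc in entry["objectclass"]:
        allowed |= SCHEMA[oc.lower()]
    for attr in entry:
        if attr.lower() not in allowed:
            raise SchemaViolation('attribute "%s" not allowed' % attr)
    return entry


def ensure_ssh_objectclass(entry_attrs, obj_classes):
    """The check quoted in the comment above, factored into a helper."""
    if 'ipasshpubkey' in entry_attrs and 'ipasshuser' not in obj_classes:
        obj_classes.append('ipasshuser')


def override_add(anchor, fixed, **attrs):
    """Hypothetical add path; `fixed` toggles the object class check."""
    entry = {"objectclass": list(BASE_CLASSES), "ipaanchoruuid": anchor}
    entry.update(attrs)
    if fixed:
        ensure_ssh_objectclass(entry, entry["objectclass"])
    return ldap_add(entry)


def demo():
    key = "ssh-rsa AAAAEXAMPLE constructed@example.test"  # constructed value
    try:
        override_add("aduser1@adtest.qe", fixed=False, ipasshpubkey=key)
        before = "added"
    except SchemaViolation as exc:
        before = str(exc)
    after = override_add("aduser1@adtest.qe", fixed=True, ipasshpubkey=key)
    return before, after["objectclass"]
```
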
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4868
Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/3b87302f5a280c044a8e6a8b4aa08a29e3b4b0d5
ipa-4-1: https://fedorahosted.org/freeipa/changeset/0dc7448b3634be443806db45ffead57107213ad6
On Client

[root@ratchet ~]# su - aduser1@adtest.qe
-sh-4.2$ bash
[aduser1@adtest.qe@ratchet ~]$ ssh-keygen -t rsa -N '' -f /home/adtest.qe/aduser1/.ssh/id_rsa
Generating public/private rsa key pair.
Created directory '/home/adtest.qe/aduser1/.ssh'.
Your identification has been saved in /home/adtest.qe/aduser1/.ssh/id_rsa.
Your public key has been saved in /home/adtest.qe/aduser1/.ssh/id_rsa.pub.
The key fingerprint is:
97:23:4f:c4:66:19:32:57:68:3b:aa:d7:4b:99:92:2e aduser1@adtest.qe@ratchet.ipabugs.test
The key's randomart image is:
+--[ RSA 2048]----+
| o oo. |
| =oo |
| .*. |
| +o. |
| S.=. |
| .* + |
| .o.= |
| E..o. |
| o. .. |
+-----------------+
[aduser1@adtest.qe@ratchet ~]$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd3MllNN7FV73WSBcABttKoXiNSgpgg47em7QqwR8Mk9iIIiblfuShXxL35L2iCS9D/hr72bzT1yJD5B+gqmXPIwm+myzBSgAjqtQLVZ15xnyZnQQdUE3lTGhWoX3BuTXqK0m9YfAB9yPiAFYDXNWn+X0UGvAwQat91k0muB4PbinIbY76f5klH5T1gKX5Ih4Zr7YE7xjwnyplB//mduCmZeXSBML43yl+nrFMtS41iYlxwMrIUbZhB3KUw23QQdSSe8EOBTKS+KImUhQXn5crf+mcfhiPSfZZVpA+beAenFkbz1bw7Bkv7bJIDVuRRKmROLW2APYK7HqdlLiXeiYt aduser1@adtest.qe@ratchet.ipabugs.test

On Server

[root@sideswipe ~]# ipa idoverrideuser-add 'default trust view' aduser1@adtest.qe --sshpubkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd3MllNN7FV73WSBcABttKoXiNSgpgg47em7QqwR8Mk9iIIiblfuShXxL35L2iCS9D/hr72bzT1yJD5B+gqmXPIwm+myzBSgAjqtQLVZ15xnyZnQQdUE3lTGhWoX3BuTXqK0m9YfAB9yPiAFYDXNWn+X0UGvAwQat91k0muB4PbinIbY76f5klH5T1gKX5Ih4Zr7YE7xjwnyplB//mduCmZeXSBML43yl+nrFMtS41iYlxwMrIUbZhB3KUw23QQdSSe8EOBTKS+KImUhQXn5crf+mcfhiPSfZZVpA+beAenFkbz1bw7Bkv7bJIDVuRRKmROLW2APYK7HqdlLiXeiYt aduser1@adtest.qe@ratchet.ipabugs.test"
------------------------------------------
Added User ID override "aduser1@adtest.qe"
------------------------------------------
  Anchor to override: aduser1@adtest.qe
  SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd3MllNN7FV73WSBcABttKoXiNSgpgg47em7QqwR8Mk9iIIiblfuShXxL35L2iCS9D/hr72bzT1yJD5B+gqmXPIwm+myzBSgAjqtQLVZ15xnyZnQQdUE3lTGhWoX3BuTXqK0m9YfAB9yPiAFYDXNWn+X0UGvAwQat91k0muB4PbinIbY76f5klH5T1gKX5Ih4Zr7YE7xjwnyplB//mduCmZeXSBML43yl+nrFMtS41iYlxwMrIUbZhB3KUw23QQdSSe8EOBTKS+KImUhQXn5crf+mcfhiPSfZZVpA+beAenFkbz1bw7Bkv7bJIDVuRRKmROLW2APYK7HqdlLiXeiYt aduser1@adtest.qe@ratchet.ipabugs.test
[root@sideswipe ~]# grep sss_ssh_authorizedkeys /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
[root@sideswipe ~]# sss_ssh_authorizedkeys -d ipabugs.test aduser1@adtest.qe
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd3MllNN7FV73WSBcABttKoXiNSgpgg47em7QqwR8Mk9iIIiblfuShXxL35L2iCS9D/hr72bzT1yJD5B+gqmXPIwm+myzBSgAjqtQLVZ15xnyZnQQdUE3lTGhWoX3BuTXqK0m9YfAB9yPiAFYDXNWn+X0UGvAwQat91k0muB4PbinIbY76f5klH5T1gKX5Ih4Zr7YE7xjwnyplB//mduCmZeXSBML43yl+nrFMtS41iYlxwMrIUbZhB3KUw23QQdSSe8EOBTKS+KImUhQXn5crf+mcfhiPSfZZVpA+beAenFkbz1bw7Bkv7bJIDVuRRKmROLW2APYK7HqdlLiXeiYt aduser1@adtest.qe@ratchet.ipabugs.test

On Client

[root@ratchet ~]# grep sss_ssh_authorizedkeys /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
[root@ratchet ~]# sss_ssh_authorizedkeys -d ipabugs.test aduser1@adtest.qe
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd3MllNN7FV73WSBcABttKoXiNSgpgg47em7QqwR8Mk9iIIiblfuShXxL35L2iCS9D/hr72bzT1yJD5B+gqmXPIwm+myzBSgAjqtQLVZ15xnyZnQQdUE3lTGhWoX3BuTXqK0m9YfAB9yPiAFYDXNWn+X0UGvAwQat91k0muB4PbinIbY76f5klH5T1gKX5Ih4Zr7YE7xjwnyplB//mduCmZeXSBML43yl+nrFMtS41iYlxwMrIUbZhB3KUw23QQdSSe8EOBTKS+KImUhQXn5crf+mcfhiPSfZZVpA+beAenFkbz1bw7Bkv7bJIDVuRRKmROLW2APYK7HqdlLiXeiYt aduser1@adtest.qe@ratchet.ipabugs.test
[root@ratchet ~]# su - aduser1@adtest.qe
Last login: Wed Jan 28 17:19:08 IST 2015 from ratchet.ipabugs.test on pts/1
-sh-4.2$ klist
klist: Credentials cache keyring 'persistent:1148401313:krb_ccache_Bndbp0R' not found
-sh-4.2$ ssh -l aduser1@adtest.qe sideswipe.ipabugs.test hostname
sideswipe.ipabugs.test
-sh-4.2$ ssh -l aduser1@adtest.qe `hostname` hostname
ratchet.ipabugs.test
Verified in version

[root@sideswipe ~]# rpm -q ipa-server sssd
ipa-server-4.1.0-17.el7.x86_64
sssd-1.12.2-52.el7.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html