Bug 1288659 - [RFE] auth_provider = pubkey
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: sssd (Show other bugs)
Version: 23
Hardware: x86_64 Linux
Priority: low  Severity: low
Assigned To: Jakub Hrozek
Fedora Extras Quality Assurance
Reported: 2015-12-04 17:07 EST by Striker Leggette
Modified: 2015-12-13 09:31 EST (History)
Doc Type: Bug Fix
Last Closed: 2015-12-10 10:56:28 EST
Type: Bug
Description Striker Leggette 2015-12-04 17:07:42 EST
Is it possible to add a feature where SSSD can be given a private key and then use it while reading an LDAP attribute for a public key to grant/deny access?

$ ldapsearch -LLL -x -h ldap.example.com -b dc=redhat,dc=com uid=striker sshpubkey

dn: uid=striker,ou=users,dc=example,dc=com
ipasshpubkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/5Js6lNAGIVas9GcJo4uPkNUh
 V+DhN3dQvSguMmXhQD1TQR14x63Ky8Ldo0Z3OOdI/s6seRu+EleX6e9UKIod7G6EavjyJywSBnLYT
 0xLSuQIGhHf/xoA1qMneeQ36DaePO0CuilWzXxqNMbj9BdcN/eq3/qybctN/N+WayQ707kUbUSza
 0NhFM6X8/TZgBKTkTcqjCjpz/MpvYGFmIJ//LUeYDssaeEkfFan1CzF1hLb62ZIarQ4AbEuCtIuaT
 IBHK2FZxoXeJxtd92Pgkk/iLF3uRSbxEOq5z+w7rCX083KIFjBheLF5DSMusyzBnEZueiewCQ1TY0
 vWlRSLn/ striker
Comment 1 Striker Leggette 2015-12-04 17:08:43 EST
Example ldapsearch command was mis-typed:

$ ldapsearch -LLL -x -h ldap.example.com -b dc=example,dc=com uid=striker sshpubkey
Comment 2 Sumit Bose 2015-12-07 03:43:06 EST
Can you describe the use-case in more detail? Please note that you should never give a private key to any service!

Why is sss_ssh_authorizedkeys not sufficient for your use-case?
Comment 3 Lukas Slebodnik 2015-12-07 03:49:19 EST
+1 for ssh integration with sssd.

I assume that only one user is associated with an ssh public key, and you can achieve the same with IPA HBAC rules or with the simple access provider.
The 2nd one is not so flexible, because it is stored in sssd.conf and not in LDAP.
Comment 4 Striker Leggette 2015-12-08 11:48:35 EST
Sumit, do we not already give private keys to SSHD?  This would essentially work in the same way as SSHD, but instead of having the public keys locally on the machine, they would be read from LDAP, which would require SSSD.
Comment 5 Sumit Bose 2015-12-08 12:31:01 EST
(In reply to Striker Leggette from comment #4)
> Sumit, do we not already give private keys to SSHD? 

No, the private key is used on the client to crypt something and this encrypted message is sent to SSHD on the target, which then decrypts it with the help of the public key.

> This would essentially
> work in the same way as SSHD, but instead of having the public keys locally
> on the machine, they would be read from LDAP, which would require SSSD.
Comment 6 Striker Leggette 2015-12-09 09:39:48 EST
(In reply to Sumit Bose from comment #5)
> no, the private key is used on the client to crypt something and this
> encrypted message is send to SSHD on the target, which then decrypts it with
> the help of the public key.

Do you believe it would be possible to gain the same functionality with SSSD, pulling a public key from an LDAP attribute instead of a local file on the system?
Comment 7 Sumit Bose 2015-12-09 10:07:34 EST
As mentioned in comment #1 this is already possible with sss_ssh_authorizedkeys. If the public keys are stored in LDAP in a different attribute than sshPublicKey you should add ldap_user_ssh_public_key=yourAttributeName to sssd.conf, see man sssd-ldap for details.
Comment 9 Striker Leggette 2015-12-09 10:23:31 EST
(In reply to Sumit Bose from comment #7)
> As mentioned in comment #1 this is already possible with
> sss_ssh_authorizedkeys. If the public keys are stored in LDAP in a different
> attribute than sshPublicKey you should add
> ldap_user_ssh_public_key=yourAttributeName to sssd.conf, see man sssd-ldap
> for details.

Ah.  I didn't realize that was what this was for.  Will open other BZs in case of bugs.  Thanks for the replies.
Comment 10 Jakub Hrozek 2015-12-10 10:56:28 EST
Closing according to the last comment. Please open a new bug if the SSH integration doesn't work for you.
Comment 11 Striker Leggette 2015-12-13 09:31:08 EST
Just wanted to say thanks for pointing me in the right direction. :)

sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = example.com

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com/
ldap_search_base = dc=example,dc=com
override_homedir = /home/%u
auth_provider = ldap
ldap_user_ssh_public_key = ipaSshPubKey

sshd_config:

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
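The sssd.conf and sshd_config above can be sanity-checked with the following shell script. It is an added example, not code from the bug report or from the sssd project; the file paths, the sssd domain name and the script name are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example, not part of the bug report: sanity-check the sssd.conf / sshd_config
# pair behind the sss_ssh_authorizedkeys integration. File paths and the sssd domain
# name are passed as arguments (assumed layout, not something sssd ships).

# 0 if sssd.conf runs the ssh responder, maps the LDAP key attribute in the given
# [domain/...] section and has no mistyped option names such as "filter users".
check_sssd_conf() {
    conf="$1"; domain="$2"; rc=0
    # sss_ssh_authorizedkeys talks to the ssh responder, so it must be in "services ="
    grep -Eq '^[[:space:]]*services[[:space:]]*=.*[ ,]ssh([ ,]|$)' "$conf" \
        || { echo "$conf: 'ssh' missing from services"; rc=1; }
    # ldap_user_ssh_public_key must be set inside [domain/$domain]
    awk -v sect="[domain/$domain]" '
        /^\[/ { s = $0; gsub(/[[:space:]]/, "", s); insect = (s == sect) }
        insect && /^[[:space:]]*ldap_user_ssh_public_key[[:space:]]*=/ { found = 1 }
        END { exit found ? 0 : 1 }' "$conf" \
        || { echo "$conf: ldap_user_ssh_public_key not set in [domain/$domain]"; rc=1; }
    # sssd only knows "filter_users"; an option name with a space is never applied
    awk -F= '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ || /^[[:space:]]*\[/ { next }
        { n = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", n)
          if (n ~ /[[:space:]]/) { print FILENAME ": option name \"" n "\" has a space"; bad = 1 } }
        END { exit bad ? 1 : 0 }' "$conf" || rc=1
    return $rc
}

# 0 if sshd_config delegates key lookup to sss_ssh_authorizedkeys in a usable way.
check_sshd_config() {
    conf="$1"; rc=0
    grep -Eq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' "$conf" \
        || { echo "$conf: PubkeyAuthentication is not yes"; rc=1; }
    grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+(/usr/bin/)?sss_ssh_authorizedkeys' "$conf" \
        || { echo "$conf: AuthorizedKeysCommand does not call sss_ssh_authorizedkeys"; rc=1; }
    # sshd_config(5): AuthorizedKeysCommandUser must be set whenever AuthorizedKeysCommand
    # is, or upstream sshd refuses to start; the sshd_config above omits it
    grep -Eq '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]+[^[:space:]]' "$conf" \
        || { echo "$conf: AuthorizedKeysCommandUser missing"; rc=1; }
    return $rc
}

# usage: sh check_sss_ssh.sh /etc/sssd/sssd.conf example.com /etc/ssh/sshd_config
if [ "$#" -eq 3 ]; then
    check_sssd_conf "$1" "$2" && check_sshd_config "$3" && echo "ok"
fi
```

Run against the two files from this bug, the script reports the missing AuthorizedKeysCommandUser line; add one (for example `AuthorizedKeysCommandUser nobody`) before restarting sshd.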
