Bug 1372042

Summary: ssh with Smartcards - skip invalid certificates
Product: Red Hat Enterprise Linux 7
Reporter: Eugene Keck <ekeck>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED CURRENTRELEASE
QA Contact: Steeve Goveas <sgoveas>
Severity: medium
Priority: medium
Version: 7.3
CC: ekeck, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, sbose
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2016-11-16 22:15:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Attachments:
- sssd_ssh.log with client certificate added in IDM (flags: none)
- sssd_ssh.log without client certificate added in IDM (flags: none)

Description Eugene Keck 2016-08-31 18:41:07 UTC
Description of problem:
When you add a sshpubkey and a certificate to a user, sss_ssh_authorizedkeys will pull both certs.

Version-Release number of selected component (if applicable):
sssd-common-1.13.0-40.el7_2.12

How reproducible:
Always

Steps to Reproduce:
1. ipa user-mod uone --sshpubkey='ssh-rsa ...'
2. ipa user-add-cert uone --certificate=$(openssl x509 -in /etc/ipa/ca.crt -outform DER | base64 -w 0)
3. /usr/bin/sss_ssh_authorizedkeys uone

Actual results:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnWge53Ommkv8NFA5QZFhRJNlO1sdujqs6NhQZpwKiNpsgVIVQRr3ucz9rlhV4fadFsaj0bmsJdQacE6oH82SmUYv+mIA4YI298fPzrujDNqAOf37js4ksM3R8UarEp2ETUPlN7fXfgaqX016yFExNBf9/XTqzFK5OcKYCYJfJIIykV4dE3xUAAAtTml5yObdQc0eLU2LqvM5gzHDSgj1rI9OXsVqh9a7dFCHNCPgp1Lo/DpAwNNMGSX4aW/JaWmowWuaQJgBViPIn+Io+k/3wlYV8Gn9Wo3EdVPcF7t7/4n4GGjClx8n8gKs1Q+KaE6/0yaDlTUTqhQUISinQ+Zwn
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQPR3tlNFy2zr44G+pYNuoSRCgYyLdAgwAxHBKr9Z+3KSP+hxS/EHxgiCs0frUdqbU8Moe+rdff48v7T/ZRhP1ZPfXc3tA8AC4xz/HI21J0ch3shokdsfWBIGIvWBqdN+v9Cl9xbfzVNjr1MrQa3jGQxL000MDcAD5bOVx27gC2KUHdEKZs6Qt6iRh2OsVlfeDUCaSUnMPTWD2w/ZsOKQx3w7FU0rV1UL2lNUmbBUzuLLvxy39QYUCBx5khohYSjEcQocUod5UeN/peMuQqUgk7Gi4f+l6Nk+4Fh6FaCw/vsw/Z2eAgyYyETok0cfSGtNnYt1XGioE68JFCZVMUj6j


Expected results:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnWge53Ommkv8NFA5QZFhRJNlO1sdujqs6NhQZpwKiNpsgVIVQRr3ucz9rlhV4fadFsaj0bmsJdQacE6oH82SmUYv+mIA4YI298fPzrujDNqAOf37js4ksM3R8UarEp2ETUPlN7fXfgaqX016yFExNBf9/XTqzFK5OcKYCYJfJIIykV4dE3xUAAAtTml5yObdQc0eLU2LqvM5gzHDSgj1rI9OXsVqh9a7dFCHNCPgp1Lo/DpAwNNMGSX4aW/JaWmowWuaQJgBViPIn+Io+k/3wlYV8Gn9Wo3EdVPcF7t7/4n4GGjClx8n8gKs1Q+KaE6/0yaDlTUTqhQUISinQ+Zwn

Additional info:

I add a ssh key to a user 

# ipa user-mod uone --sshpubkey='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnWge53Ommkv8NFA5QZFhRJNlO1sdujqs6NhQZpwKiNpsgVIVQRr3ucz9rlhV4fadFsaj0bmsJdQacE6oH82SmUYv+mIA4YI298fPzrujDNqAOf37js4ksM3R8UarEp2ETUPlN7fXfgaqX016yFExNBf9/XTqzFK5OcKYCYJfJIIykV4dE3xUAAAtTml5yObdQc0eLU2LqvM5gzHDSgj1rI9OXsVqh9a7dFCHNCPgp1Lo/DpAwNNMGSX4aW/JaWmowWuaQJgBViPIn+Io+k/3wlYV8Gn9Wo3EdVPcF7t7/4n4GGjClx8n8gKs1Q+KaE6/0yaDlTUTqhQUISinQ+Zwn'
--------------------
Modified user "uone"
--------------------
  User login: uone
  First name: User
  Last name: One
  Home directory: /home/uone
  Login shell: /bin/sh
  Email address: uone
  UID: 289000001
  GID: 289000001
  SSH public key: ssh-rsa
                  AAAAB3NzaC1yc2EAAAADAQABAAABAQDnWge53Ommkv8NFA5QZFhRJNlO1sdujqs6NhQZpwKiNpsgVIVQRr3ucz9rlhV4fadFsaj0bmsJdQacE6oH82SmUYv+mIA4YI298fPzrujDNqAOf37js4ksM3R8UarEp2ETUPlN7fXfgaqX016yFExNBf9/XTqzFK5OcKYCYJfJIIykV4dE3xUAAAtTml5yObdQc0eLU2LqvM5gzHDSgj1rI9OXsVqh9a7dFCHNCPgp1Lo/DpAwNNMGSX4aW/JaWmowWuaQJgBViPIn+Io+k/3wlYV8Gn9Wo3EdVPcF7t7/4n4GGjClx8n8gKs1Q+KaE6/0yaDlTUTqhQUISinQ+Zwn
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
  SSH public key fingerprint: 4A:23:2C:DA:C2:86:B7:C6:63:C3:9A:57:20:37:86:2B (ssh-rsa)

# /usr/bin/sss_ssh_authorizedkeys uone
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnWge53Ommkv8NFA5QZFhRJNlO1sdujqs6NhQZpwKiNpsgVIVQRr3ucz9rlhV4fadFsaj0bmsJdQacE6oH82SmUYv+mIA4YI298fPzrujDNqAOf37js4ksM3R8UarEp2ETUPlN7fXfgaqX016yFExNBf9/XTqzFK5OcKYCYJfJIIykV4dE3xUAAAtTml5yObdQc0eLU2LqvM5gzHDSgj1rI9OXsVqh9a7dFCHNCPgp1Lo/DpAwNNMGSX4aW/JaWmowWuaQJgBViPIn+Io+k/3wlYV8Gn9Wo3EdVPcF7t7/4n4GGjClx8n8gKs1Q+KaE6/0yaDlTUTqhQUISinQ+Zwn

I then added a pem file.

# ipa user-add-cert uone --certificate=$(openssl x509 -in /etc/ipa/ca.crt -outform DER | base64 -w 0)
---------------------------------
Added certificates to user "uone"
---------------------------------
  User login: uone
  Certificate: (base64 certificate value omitted)

# /usr/bin/sss_ssh_authorizedkeys uone
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnWge53Ommkv8NFA5QZFhRJNlO1sdujqs6NhQZpwKiNpsgVIVQRr3ucz9rlhV4fadFsaj0bmsJdQacE6oH82SmUYv+mIA4YI298fPzrujDNqAOf37js4ksM3R8UarEp2ETUPlN7fXfgaqX016yFExNBf9/XTqzFK5OcKYCYJfJIIykV4dE3xUAAAtTml5yObdQc0eLU2LqvM5gzHDSgj1rI9OXsVqh9a7dFCHNCPgp1Lo/DpAwNNMGSX4aW/JaWmowWuaQJgBViPIn+Io+k/3wlYV8Gn9Wo3EdVPcF7t7/4n4GGjClx8n8gKs1Q+KaE6/0yaDlTUTqhQUISinQ+Zwn
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQPR3tlNFy2zr44G+pYNuoSRCgYyLdAgwAxHBKr9Z+3KSP+hxS/EHxgiCs0frUdqbU8Moe+rdff48v7T/ZRhP1ZPfXc3tA8AC4xz/HI21J0ch3shokdsfWBIGIvWBqdN+v9Cl9xbfzVNjr1MrQa3jGQxL000MDcAD5bOVx27gC2KUHdEKZs6Qt6iRh2OsVlfeDUCaSUnMPTWD2w/ZsOKQx3w7FU0rV1UL2lNUmbBUzuLLvxy39QYUCBx5khohYSjEcQocUod5UeN/peMuQqUgk7Gi4f+l6Nk+4Fh6FaCw/vsw/Z2eAgyYyETok0cfSGtNnYt1XGioE68JFCZVMUj6j

From the access logs, it does look like sss_ssh_authorizedkeys is looking for usercertificate.

[31/Aug/2016:14:24:17 -0400] conn=64 op=5 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(uid=uone)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType usercertificate;binary"

Comment 1 Sumit Bose 2016-09-01 13:36:02 UTC
Hi Eugene,

the customer might run into https://fedorahosted.org/sssd/ticket/2977, which will be fixed in 7.3. Nevertheless, to be sure, it would be nice if you could ask the customer for the SSH responder logs (/var/log/sssd/sssd_ssh.log with debug_level=10) that cover the time the sss_ssh_authorizedkeys command showing the error was run.

bye,
Sumit

Comment 2 Eugene Keck 2016-09-01 20:40:36 UTC
Created attachment 1196949 [details]
sssd_ssh.log with client certificate added in IDM

Comment 3 Eugene Keck 2016-09-01 20:41:03 UTC
Created attachment 1196950 [details]
sssd_ssh.log without client certificate added in IDM

Comment 4 Eugene Keck 2016-09-01 20:42:44 UTC
I have attached two logs. One good and one bad. It does look like what's described in https://fedorahosted.org/sssd/ticket/2977 to me.


(Thu Sep  1 16:12:02 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020): CERT_VerifyCertificateNow failed [-8179].
(Thu Sep  1 16:12:02 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): cert_to_ssh_key failed.
(Thu Sep  1 16:12:02 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040): decode_and_add_base64_data failed.
(Thu Sep  1 16:12:02 2016) [sssd[ssh]] [ssh_cmd_done] (0x0020): Fatal error, killing connection!

Eugene

Comment 5 Sumit Bose 2016-09-02 10:14:10 UTC
Hi Eugene,

you are right, the certificate cannot be validated because the certificate of the issuer CA is not in /etc/pki/nssdb (-8179 means "Peer's certificate issuer is not recognized."). The fix for https://fedorahosted.org/sssd/ticket/2977 will just skip this certificate and return the other ssh keys as expected.

The fix is already in the RHEL-7.3 beta. Do you think this is ok for your customer? If he needs it for 7.2, I can provide a test build with the fix. But for a supported solution you have to start the z-stream process for this.

bye,
Sumit

Comment 6 Jakub Hrozek 2016-09-02 11:26:58 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2977
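The two behaviours discussed in this bug, the pre-fix reply that dies on the first unverifiable certificate (the "Fatal error, killing connection!" in Comment 4's log) and the post-fix reply that skips it and still returns the other keys (Comment 5), as an added example written for this page; it is not sssd's own code. It models the user record as a dict keyed by the two LDAP attributes the access log in the description shows sssd requesting, ipaSshPubKey and usercertificate;binary, and stands in for NSS CERT_VerifyCertificateNow with a trusted-issuer set (an assumption; the real call chain-validates against the NSS database in /etc/pki/nssdb). The RSA-to-OpenSSH encoding follows RFC 4253, which is why every key with e=65537, including those in the report, begins with AAAAB3NzaC1yc2EAAAADAQAB. The moduli and the issuer DN are constructed placeholders, not real keys.

```python
"""Added example for bug 1372042 / sssd ticket 2977, not sssd code: an
sss_ssh_authorizedkeys-style reply built from ipaSshPubKey and usercertificate."""
import base64
import struct

# NSS error code from the attached sssd_ssh.log: issuer not recognized.
SEC_ERROR_UNKNOWN_ISSUER = -8179

class CertVerifyError(Exception):
    def __init__(self, code, msg):
        super().__init__("CERT_VerifyCertificateNow failed [%d]: %s" % (code, msg))
        self.code = code

def _ssh_string(data):
    """RFC 4253 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value):
    """RFC 4253 'mpint': minimal big-endian bytes, with a leading 0x00 when
    the top bit is set so the number is not read as negative."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def rsa_to_openssh(n, e):
    """Encode an RSA public key as an authorized_keys 'ssh-rsa' line, the
    conversion cert_to_ssh_key applies to a certificate's public key.
    Every key with e=65537 therefore starts with AAAAB3NzaC1yc2EAAAADAQAB."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")

def openssh_to_rsa(line):
    """Inverse of rsa_to_openssh: parse an 'ssh-rsa <base64>' line to (n, e)."""
    keytype, b64 = line.split()[:2]
    blob, fields, pos = base64.b64decode(b64), [], 0
    while pos < len(blob):
        (length,) = struct.unpack_from(">I", blob, pos)
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if keytype != "ssh-rsa" or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not a well-formed ssh-rsa line")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")

def verify_cert(cert, trusted_issuers):
    """Stand-in for CERT_VerifyCertificateNow (assumption: the real call
    chain-validates against the NSS db in /etc/pki/nssdb)."""
    if cert["issuer"] not in trusted_issuers:
        raise CertVerifyError(SEC_ERROR_UNKNOWN_ISSUER,
                              "Peer's certificate issuer is not recognized")

def build_reply_strict(user, trusted_issuers):
    """Pre-fix behaviour: one unverifiable certificate aborts the whole
    reply, so sshd gets no keys at all (the 'Fatal error' in the log)."""
    keys = list(user.get("ipaSshPubKey", []))
    for cert in user.get("usercertificate;binary", []):
        verify_cert(cert, trusted_issuers)
        keys.append(rsa_to_openssh(cert["n"], cert["e"]))
    return keys

def build_reply_skipping(user, trusted_issuers, log=None):
    """Post-fix behaviour (ticket 2977): log and skip the bad certificate."""
    keys = list(user.get("ipaSshPubKey", []))
    for cert in user.get("usercertificate;binary", []):
        try:
            verify_cert(cert, trusted_issuers)
        except CertVerifyError as err:
            if log is not None:
                log.append("[cert_to_ssh_key] %s; skipping certificate" % err)
            continue
        keys.append(rsa_to_openssh(cert["n"], cert["e"]))
    return keys

# Constructed sample data, not taken from the report: the moduli are made-up
# numbers, not real keys, and the issuer DN is a placeholder.
USER_N = 0xDEADBEEF_CAFEBABE_0BADF00D_FEEDFACE_8BADF00D_DEFEC8ED
CA_N = 0xC0FFEE_DEADBEEF_0123456789ABCDEF_FEDCBA9876543210_0BADF00D
CA_ISSUER = "CN=Certificate Authority,O=EXAMPLE.COM"
SAMPLE_USER = {
    "ipaSshPubKey": [rsa_to_openssh(USER_N, 65537)],
    "usercertificate;binary": [{"issuer": CA_ISSUER, "n": CA_N, "e": 65537}],
}

def demo():
    """Both behaviours, first with an empty trust store (the customer's
    situation) and then with the issuing CA trusted."""
    results, log = {}, []
    try:
        results["strict_untrusted"] = build_reply_strict(SAMPLE_USER, set())
    except CertVerifyError as err:
        results["strict_untrusted"] = err.code
    results["skipping_untrusted"] = build_reply_skipping(SAMPLE_USER, set(), log)
    results["skipping_log"] = log
    results["strict_trusted"] = build_reply_strict(SAMPLE_USER, {CA_ISSUER})
    results["skipping_trusted"] = build_reply_skipping(SAMPLE_USER, {CA_ISSUER})
    return results

if __name__ == "__main__":
    print(demo())
```

With an empty trust store the strict path stops at error -8179 and hands sshd no keys, while the skipping path still returns the user's ipaSshPubKey; once the CA's issuer is trusted both paths return the same two lines, the second being the certificate's public key in ssh-rsa form.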