Description of problem:
When you add an sshpubkey and a certificate to a user, sss_ssh_authorizedkeys will pull both certs.

Version-Release number of selected component (if applicable):
sssd-common-1.13.0-40.el7_2.12

How reproducible:
Always

Steps to Reproduce:
1. ipa user-mod uone --sshpubkey='ssh-rsa ...'
2. ipa user-add-cert uone --certificate=$(openssl x509 -in /etc/ipa/ca.crt -outform DER | base64 -w 0)
3. /usr/bin/sss_ssh_authorizedkeys uone

Actual results:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnWge53Ommkv8NFA5QZFhRJNlO1sdujqs6NhQZpwKiNpsgVIVQRr3ucz9rlhV4fadFsaj0bmsJdQacE6oH82SmUYv+mIA4YI298fPzrujDNqAOf37js4ksM3R8UarEp2ETUPlN7fXfgaqX016yFExNBf9/XTqzFK5OcKYCYJfJIIykV4dE3xUAAAtTml5yObdQc0eLU2LqvM5gzHDSgj1rI9OXsVqh9a7dFCHNCPgp1Lo/DpAwNNMGSX4aW/JaWmowWuaQJgBViPIn+Io+k/3wlYV8Gn9Wo3EdVPcF7t7/4n4GGjClx8n8gKs1Q+KaE6/0yaDlTUTqhQUISinQ+Zwn
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQPR3tlNFy2zr44G+pYNuoSRCgYyLdAgwAxHBKr9Z+3KSP+hxS/EHxgiCs0frUdqbU8Moe+rdff48v7T/ZRhP1ZPfXc3tA8AC4xz/HI21J0ch3shokdsfWBIGIvWBqdN+v9Cl9xbfzVNjr1MrQa3jGQxL000MDcAD5bOVx27gC2KUHdEKZs6Qt6iRh2OsVlfeDUCaSUnMPTWD2w/ZsOKQx3w7FU0rV1UL2lNUmbBUzuLLvxy39QYUCBx5khohYSjEcQocUod5UeN/peMuQqUgk7Gi4f+l6Nk+4Fh6FaCw/vsw/Z2eAgyYyETok0cfSGtNnYt1XGioE68JFCZVMUj6j

Expected results:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnWge53Ommkv8NFA5QZFhRJNlO1sdujqs6NhQZpwKiNpsgVIVQRr3ucz9rlhV4fadFsaj0bmsJdQacE6oH82SmUYv+mIA4YI298fPzrujDNqAOf37js4ksM3R8UarEp2ETUPlN7fXfgaqX016yFExNBf9/XTqzFK5OcKYCYJfJIIykV4dE3xUAAAtTml5yObdQc0eLU2LqvM5gzHDSgj1rI9OXsVqh9a7dFCHNCPgp1Lo/DpAwNNMGSX4aW/JaWmowWuaQJgBViPIn+Io+k/3wlYV8Gn9Wo3EdVPcF7t7/4n4GGjClx8n8gKs1Q+KaE6/0yaDlTUTqhQUISinQ+Zwn

Additional info:
I added an ssh key to a user:

# ipa user-mod uone --sshpubkey='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnWge53Ommkv8NFA5QZFhRJNlO1sdujqs6NhQZpwKiNpsgVIVQRr3ucz9rlhV4fadFsaj0bmsJdQacE6oH82SmUYv+mIA4YI298fPzrujDNqAOf37js4ksM3R8UarEp2ETUPlN7fXfgaqX016yFExNBf9/XTqzFK5OcKYCYJfJIIykV4dE3xUAAAtTml5yObdQc0eLU2LqvM5gzHDSgj1rI9OXsVqh9a7dFCHNCPgp1Lo/DpAwNNMGSX4aW/JaWmowWuaQJgBViPIn+Io+k/3wlYV8Gn9Wo3EdVPcF7t7/4n4GGjClx8n8gKs1Q+KaE6/0yaDlTUTqhQUISinQ+Zwn'
--------------------
Modified user "uone"
--------------------
  User login: uone
  First name: User
  Last name: One
  Home directory: /home/uone
  Login shell: /bin/sh
  Email address: uone
  UID: 289000001
  GID: 289000001
  SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnWge53Ommkv8NFA5QZFhRJNlO1sdujqs6NhQZpwKiNpsgVIVQRr3ucz9rlhV4fadFsaj0bmsJdQacE6oH82SmUYv+mIA4YI298fPzrujDNqAOf37js4ksM3R8UarEp2ETUPlN7fXfgaqX016yFExNBf9/XTqzFK5OcKYCYJfJIIykV4dE3xUAAAtTml5yObdQc0eLU2LqvM5gzHDSgj1rI9OXsVqh9a7dFCHNCPgp1Lo/DpAwNNMGSX4aW/JaWmowWuaQJgBViPIn+Io+k/3wlYV8Gn9Wo3EdVPcF7t7/4n4GGjClx8n8gKs1Q+KaE6/0yaDlTUTqhQUISinQ+Zwn
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
  SSH public key fingerprint: 4A:23:2C:DA:C2:86:B7:C6:63:C3:9A:57:20:37:86:2B (ssh-rsa)

# /usr/bin/sss_ssh_authorizedkeys uone
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnWge53Ommkv8NFA5QZFhRJNlO1sdujqs6NhQZpwKiNpsgVIVQRr3ucz9rlhV4fadFsaj0bmsJdQacE6oH82SmUYv+mIA4YI298fPzrujDNqAOf37js4ksM3R8UarEp2ETUPlN7fXfgaqX016yFExNBf9/XTqzFK5OcKYCYJfJIIykV4dE3xUAAAtTml5yObdQc0eLU2LqvM5gzHDSgj1rI9OXsVqh9a7dFCHNCPgp1Lo/DpAwNNMGSX4aW/JaWmowWuaQJgBViPIn+Io+k/3wlYV8Gn9Wo3EdVPcF7t7/4n4GGjClx8n8gKs1Q+KaE6/0yaDlTUTqhQUISinQ+Zwn

I then added a pem file:

# ipa user-add-cert uone --certificate=$(openssl x509 -in /etc/ipa/ca.crt -outform DER | base64 -w 0)
---------------------------------
Added certificates to user "uone"
---------------------------------
  User login: uone
  Certificate: MIIDjDCCAnSgAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtFWEFNUExFLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDgzMTE1NTY0M1oXDTM2MDgzMTE1NTY0M1owNjEUMBIGA1UECgwLRVhBTVBMRS5DT00xHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANA9He2U0XLbOvjgb6lg26hJEKBjIt0CDADEcEqv1n7cpI/6HFL8QfGCIKzR+tR2ptTwyh76t19/jy/tP9lGE/Vk99dze0DwALjHP8cjbUnRyHeyGiR2x9YEgYi9YGp036/0KX3Ft/NU2OvUytBreMZDEvTTQwNwAPls5XHbuALYpQd0QpmzpC3qJGHY6xWV94NQJpJScw9NYPbD9mw4pDHfDsVTStXVQvaU1SZsFTO4su/HLf1BhQIHHmSGiFhKMRxChxSh3lR43+l4y5CpSCTsaLh/6Xo2T7gWHoVoLD++zD9nZ4CDJjIROiTRx9Ia02di3VcaKgTrwkUJlUxSPqMCAwEAAaOBpDCBoTAfBgNVHSMEGDAWgBTqAPZFPy0JA2QvDVdPA88+YT3cCzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQU6gD2RT8tCQNkLw1XTwPPPmE93AswPgYIKwYBBQUHAQEEMjAwMC4GCCsGAQUFBzABhiJodHRwOi8vaXBhNC5leGFtcGxlLmNvbTo4MC9jYS9vY3NwMA0GCSqGSIb3DQEBCwUAA4IBAQBZrn0vptlcntU0Ae14vXQZecBW3uk/dtYcju9PGgzBNTJPuZ815aaBlhe10tXel4WNpPceNSyG0J2wyJ8fUwt4KjKhe5RhctnPhEmFXWXA97U4EocsPhbU6u4VngMqmMhJwoSIyRCDskCxYMU6BfbnQOc/33wipvp05NRtE/LQa+774iqCD9UvrsFC95PgN7MeyN7wiQJghups4dowNZytKaIIDCi0wEs2EmK/Cq3Ozp1SKp97dzKfXPw/dD4Ys1Oibmc8Um134IRquTQ6EiIRG63kyFBNB9Osmik4otU4Ogx3AH7l/d7vG6Jj+O1K/n6xUsJv6Oh6UW+97edV3ov3

# /usr/bin/sss_ssh_authorizedkeys uone
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnWge53Ommkv8NFA5QZFhRJNlO1sdujqs6NhQZpwKiNpsgVIVQRr3ucz9rlhV4fadFsaj0bmsJdQacE6oH82SmUYv+mIA4YI298fPzrujDNqAOf37js4ksM3R8UarEp2ETUPlN7fXfgaqX016yFExNBf9/XTqzFK5OcKYCYJfJIIykV4dE3xUAAAtTml5yObdQc0eLU2LqvM5gzHDSgj1rI9OXsVqh9a7dFCHNCPgp1Lo/DpAwNNMGSX4aW/JaWmowWuaQJgBViPIn+Io+k/3wlYV8Gn9Wo3EdVPcF7t7/4n4GGjClx8n8gKs1Q+KaE6/0yaDlTUTqhQUISinQ+Zwn
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQPR3tlNFy2zr44G+pYNuoSRCgYyLdAgwAxHBKr9Z+3KSP+hxS/EHxgiCs0frUdqbU8Moe+rdff48v7T/ZRhP1ZPfXc3tA8AC4xz/HI21J0ch3shokdsfWBIGIvWBqdN+v9Cl9xbfzVNjr1MrQa3jGQxL000MDcAD5bOVx27gC2KUHdEKZs6Qt6iRh2OsVlfeDUCaSUnMPTWD2w/ZsOKQx3w7FU0rV1UL2lNUmbBUzuLLvxy39QYUCBx5khohYSjEcQocUod5UeN/peMuQqUgk7Gi4f+l6Nk+4Fh6FaCw/vsw/Z2eAgyYyETok0cfSGtNnYt1XGioE68JFCZVMUj6j

From the access logs it does look like sss_ssh_authorizedkeys is looking for usercertificate:

[31/Aug/2016:14:24:17 -0400] conn=64 op=5 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(uid=uone)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType usercertificate;binary"
Hi Eugene, the customer might run into https://fedorahosted.org/sssd/ticket/2977, which will be fixed in 7.3. Nevertheless, to be sure, it would be nice if you can ask the customer for the SSH responder logs /var/log/sssd/sssd_ssh.log with debug_level=10 which contain the time the sss_ssh_authorizedkeys commands showing the error were run.

bye, Sumit
Created attachment 1196949: sssd_ssh.log with client certificate added in IDM
Created attachment 1196950: sssd_ssh.log without client certificate added in IDM
I have attached two logs, one good and one bad. It does look like what's described in https://fedorahosted.org/sssd/ticket/2977 to me.

(Thu Sep 1 16:12:02 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020): CERT_VerifyCertificateNow failed [-8179].
(Thu Sep 1 16:12:02 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): cert_to_ssh_key failed.
(Thu Sep 1 16:12:02 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040): decode_and_add_base64_data failed.
(Thu Sep 1 16:12:02 2016) [sssd[ssh]] [ssh_cmd_done] (0x0020): Fatal error, killing connection!

Eugene
Hi Eugene, you are right, the certificate cannot be validated because the certificate of the issuer CA is not in /etc/pki/nssdb (-8179 means "Peer's certificate issuer is not recognized."). The fix for https://fedorahosted.org/sssd/ticket/2977 will just skip this certificate and return the other ssh keys as expected. The fix is already in the RHEL-7.3 beta. Do you think this is ok for your customer? If he needs it for 7.2, I can provide a test-build with the fix. But for a supported solution you have to start the z-stream process for this.

bye, Sumit
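To make the two behaviours discussed in this report concrete, the following is an added example; it is not code from sssd, FreeIPA or this bug report. It applies the same certificate-to-key conversion sss_ssh_authorizedkeys performs (extract the RSA public key from the usercertificate value and encode it as an OpenSSH `ssh-rsa` line) to the certificate and keys quoted in the report, and shows that the second `ssh-rsa` line in the actual results is exactly the CA certificate's own RSA key, so attaching /etc/ipa/ca.crt to a user entry makes the CA's key an authorized key for that user as soon as the certificate validates. The DER walker and the `ssh-rsa` wire encoding are the standard formats; the trust check (`fingerprint`, a SHA-256 allow-list) is a deliberate stand-in for NSS's CERT_VerifyCertificateNow against /etc/pki/nssdb, and `build_authorized_keys`, `UntrustedCertificateError` and the `skip_untrusted` switch are names chosen here to contrast the reported behaviour (one unverifiable certificate aborts the whole reply, which is why the "bad" log above ends in "Fatal error, killing connection!" and the user's real key is not returned either) with the behaviour of the fix for ticket 2977 (the certificate is skipped and the remaining keys are still returned).

```python
import base64
import hashlib
import struct

# Values copied from the bug report above (not constructed). The user's own key,
# set with `ipa user-mod uone --sshpubkey=...`:
USER_SSH_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnWge53Ommkv8NFA5QZFhRJNlO1sdujqs6NhQZpwKiNpsgVIVQRr3ucz9rlhV4fadFsaj0bmsJdQacE6oH82SmUYv+mIA4YI298fPzrujDNqAOf37js4ksM3R8UarEp2ETUPlN7fXfgaqX016yFExNBf9/XTqzFK5OcKYCYJfJIIykV4dE3xUAAAtTml5yObdQc0eLU2LqvM5gzHDSgj1rI9OXsVqh9a7dFCHNCPgp1Lo/DpAwNNMGSX4aW/JaWmowWuaQJgBViPIn+Io+k/3wlYV8Gn9Wo3EdVPcF7t7/4n4GGjClx8n8gKs1Q+KaE6/0yaDlTUTqhQUISinQ+Zwn"
# The second line sss_ssh_authorizedkeys printed once the certificate was added:
CERT_DERIVED_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQPR3tlNFy2zr44G+pYNuoSRCgYyLdAgwAxHBKr9Z+3KSP+hxS/EHxgiCs0frUdqbU8Moe+rdff48v7T/ZRhP1ZPfXc3tA8AC4xz/HI21J0ch3shokdsfWBIGIvWBqdN+v9Cl9xbfzVNjr1MrQa3jGQxL000MDcAD5bOVx27gC2KUHdEKZs6Qt6iRh2OsVlfeDUCaSUnMPTWD2w/ZsOKQx3w7FU0rV1UL2lNUmbBUzuLLvxy39QYUCBx5khohYSjEcQocUod5UeN/peMuQqUgk7Gi4f+l6Nk+4Fh6FaCw/vsw/Z2eAgyYyETok0cfSGtNnYt1XGioE68JFCZVMUj6j"
# The CA certificate attached with `ipa user-add-cert` (base64 DER, as ipa printed it):
USER_CERT_B64 = (
    "MIIDjDCCAnSgAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtFWEFNUExFLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDgzMTE1NTY0M1oXDTM2MDgzMTE1NTY0M1owNjEUMBIGA1UECgwLRVhBTVBMRS5DT00xHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
    "ANA9He2U0XLbOvjgb6lg26hJEKBjIt0CDADEcEqv1n7cpI/6HFL8QfGCIKzR+tR2ptTwyh76t19/jy/tP9lGE/Vk99dze0DwALjHP8cjbUnRyHeyGiR2x9YEgYi9YGp036/0KX3Ft/NU2OvUytBreMZDEvTTQwNwAPls5XHbuALYpQd0QpmzpC3qJGHY6xWV94NQJpJScw9NYPbD9mw4pDHfDsVTStXVQvaU1SZsFTO4su/HLf1BhQIHHmSGiFhKMRxChxSh3lR43+l4y5CpSCTsaLh/6Xo2T7gWHoVoLD++zD9nZ4CDJjIROiTRx9Ia02di3VcaKgTrwkUJlUxSPqMCAwEA"
    "AaOBpDCBoTAfBgNVHSMEGDAWgBTqAPZFPy0JA2QvDVdPA88+YT3cCzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQU6gD2RT8tCQNkLw1XTwPPPmE93AswPgYIKwYBBQUHAQEEMjAwMC4GCCsGAQUFBzABhiJodHRwOi8vaXBhNC5leGFtcGxlLmNvbTo4MC9jYS9vY3Nw"
    "MA0GCSqGSIb3DQEBCwUAA4IBAQBZrn0vptlcntU0Ae14vXQZecBW3uk/dtYcju9PGgzBNTJPuZ815aaBlhe10tXel4WNpPceNSyG0J2wyJ8fUwt4KjKhe5RhctnPhEmFXWXA97U4EocsPhbU6u4VngMqmMhJwoSIyRCDskCxYMU6BfbnQOc/33wipvp05NRtE/LQa+774iqCD9UvrsFC95PgN7MeyN7wiQJghups4dowNZytKaIIDCi0wEs2EmK/Cq3Ozp1SKp97dzKfXPw/dD4Ys1Oibmc8Um134IRquTQ6EiIRG63kyFBNB9Osmik4otU4Ogx3AH7l/d7vG6Jj+O1K/n6xUsJv6Oh6UW+97edV3ov3"
)
USER_CERT_DER = base64.b64decode(USER_CERT_B64)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


class UntrustedCertificateError(Exception):
    """Stand-in for cert_to_ssh_key failing with NSS error -8179 (issuer not recognized)."""


def der_read(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Return the TLVs contained in a constructed value spanning buf[start:end]."""
    out, pos = [], start
    while pos < end:
        out.append(der_read(buf, pos))
        pos = out[-1][2]
    return out


def rsa_public_key_from_cert(der):
    """Extract (n, e) from the subjectPublicKeyInfo of an X.509 certificate (RSA keys only)."""
    _, cert_s, _ = der_read(der, 0)                    # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = der_read(der, cert_s)            # tbsCertificate ::= SEQUENCE
    fields = der_children(der, tbs_s, tbs_e)
    if fields[0][0] == 0xA0:                           # optional EXPLICIT [0] version
        fields.pop(0)
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, spki_s, spki_e = fields[5]
    (_, alg_s, alg_e), (bits_tag, bits_s, _) = der_children(der, spki_s, spki_e)
    oid_tag, oid_s, oid_e = der_children(der, alg_s, alg_e)[0]
    if oid_tag != 0x06 or der[oid_s:oid_e] != RSA_ENCRYPTION_OID or bits_tag != 0x03:
        raise ValueError("not an rsaEncryption public key")
    # BIT STRING content: one "unused bits" byte, then RSAPublicKey ::= SEQUENCE { n, e }
    _, rsa_s, rsa_e = der_read(der, bits_s + 1)
    (_, n_s, n_e), (_, e_s, e_e) = der_children(der, rsa_s, rsa_e)
    return int.from_bytes(der[n_s:n_e], "big"), int.from_bytes(der[e_s:e_e], "big")


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # mpint is two's complement: pad so the number stays positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def cert_to_ssh_key(der):
    """The conversion sss_ssh_authorizedkeys applies: certificate -> 'ssh-rsa <blob>'."""
    n, e = rsa_public_key_from_cert(der)
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def build_authorized_keys(ssh_pub_keys, certificates, trusted_fingerprints, skip_untrusted):
    """Assemble the reply from ipaSshPubKey values plus usercertificate values.

    trusted_fingerprints is a simplified trust store (SHA-256 allow-list) standing in for
    NSS chain validation against /etc/pki/nssdb. skip_untrusted=False reproduces the reported
    behaviour (one unverifiable certificate aborts the whole reply, so the user's real key is
    lost too); skip_untrusted=True is the behaviour of the fix for ticket 2977 (drop it only).
    """
    lines = list(ssh_pub_keys)
    for der in certificates:
        if fingerprint(der) not in trusted_fingerprints:
            if not skip_untrusted:
                raise UntrustedCertificateError("cert_to_ssh_key failed [-8179]")
            continue
        lines.append(cert_to_ssh_key(der))
    return lines
```

With the CA certificate's fingerprint in the allow-list, `build_authorized_keys` returns both lines of the report's actual results; with an empty allow-list it either raises (the pre-fix path, matching the chain of failures in the log) or returns only the user's own key (the fixed path). The `fingerprint` allow-list should not be mistaken for real validation: it is only enough to drive the two code paths, and a production trust decision still has to come from the system trust store as the comments above describe.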
Upstream ticket: https://fedorahosted.org/sssd/ticket/2977