Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1434991

Summary: Issue processing ssh keys from certificates in ssh respoder
Product: Red Hat Enterprise Linux 7 Reporter: Jakub Hrozek <jhrozek>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: Scott Poore <spoore>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, sbose, sgoveas, spoore, tscherf
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.15.2-5.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:04:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jakub Hrozek 2017-03-22 20:45:09 UTC 
This bug is created as a clone of upstream ticket:
https://pagure.io/SSSD/sssd/issue/3332

The keys returned by get_valid_certs_keys() are already binary and not base64 encoded.

decode_and_add_base64_data() is called later with the third argument unconditionally set to 'false' which indicates that base64_decode should be called on the data which fails with the data returned by get_valid_certs_keys(). 

So either get_valid_certs_keys()  should return base64 encoded data which would be a bit redundant because base64_decode is called a few cycles later. Or ssh_get_output_keys() should return base64 encoded and binary key in two different variable and decode_and_add_base64_data() is called for each of them with the right setting of the third argument.
Comment 3 Jakub Hrozek 2017-03-29 13:04:33 UTC 
* master:
 * 1b5d6b1afc9c3dc696b7b45f2d73b2634f42800a
 * bd1fa0ec90be717c3b7796d74b6f243f40178d16
Comment 5 Sumit Bose 2017-03-29 14:16:54 UTC 
How to reproduce:
- add a certificate to an IPA user
- call sss_ssh_authorizedkeys for the IPA user

Expected result:
- sss_ssh_authorizedkeys returns a public ssh-key derived from the public key of the certificate

Result without the fix:
- sss_ssh_authorizedkeys return nothing
Comment 8 Scott Poore 2017-05-08 15:11:37 UTC 
Verified.

Version ::
sssd-1.15.2-17.el7.x86_64

Results ::

[root@dhcp129-184 ssh]# sss_ssh_authorizedkeys demosc1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtyajUGYAiy77oF+P9v28KY0FygpIJyeELEz+ODM0qekS7kbOZ164ZdcWyegyvySXvDJmNWpONNfcMJov8umEgGl0cUnvoJ+U2/QJFCrzNb9Dz2lQfQnJngPLi2phNiN/d0EXnEfjNFwaLbI+dh5q5oaHPIrnhEQw2lrVP+8zlqhCwXY8pUtejudjilQszBNImVnVhRHX3EaPIb7bFSoE6tsD/9DjUM8tI68my9QwJOhTJBx+XaJ9h3a5XSVzN/6v8aXqpXTBBFQfveXWWmRwQS+tO/5ZryoXhac3QMbRJKxO648o+YT7GRF0LDW3uzQKJeaG726b/188qODLdLbFB

This is covered also in the smart card tests for ssh.

[root@dhcp129-184 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all-certs
Object 0:
	URL: pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=0C0A548021220224;token=demosc1%20%28OpenSC%20Card%29;id=%01;object=Certificate;type=cert
	Type: X.509 Certificate
	Label: Certificate
	ID: 01

[root@dhcp129-184 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --outfile /tmp/demosc1_on_card.crt1 --export 'pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=0C0A548021220224;token=demosc1%20%28OpenSC%20Card%29;id=%01;object=Certificate;type=cert'


[root@dhcp129-184 ~]# ipa user-show demosc1 --out=/tmp/demosc1.crt1
-------------------------------------------------
Certificate(s) stored in file '/tmp/demosc1.crt1'
-------------------------------------------------
  User login: demosc1
  First name: demosc
  Last name: demosc1
  Home directory: /home/demosc1
  Login shell: /bin/sh
  Principal name: demosc1
  Principal alias: demosc1
  Email address: demosc1
  UID: 576400131
  GID: 576400131
  Certificate: MIIE...
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate
                            Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True


[root@dhcp129-184 ~]# vim /tmp/demosc1.crt1 
# just removed ^M's 

[root@dhcp129-184 ~]# diff /tmp/demosc1.crt1 /tmp/demosc1_on_card.crt1
24a25,26
> 
> 

So certs are the same.

[root@dhcp129-184 ~]# ssh -I /usr/lib64/opensc-pkcs11.so -l demosc1 $(hostname) whoami
Enter PIN for 'demosc1 (OpenSC Card)': 
demosc1
Comment 9 errata-xmlrpc 2017-08-01 09:04:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294