[Freeipa-users] authenticating ssh using ssh publickey

Guy Matz gmatz at collective.com
Thu Apr 18 17:07:05 UTC 2013


Hello! Trying to configure a CentOS 6.3 server to authenticate ssh using 
keys stored in IPA . . .  it's not working and I was hoping someone 
might be able to give me a place to start debugging.

My user is in IPA (it has a publickey):
[root at iparepl01 log]# ipa user-find gmatz
--------------
1 user matched
--------------
   User login: gmatz
   First name: Guy
   Last name: Matz
   Home directory: /home/gmatz
   Login shell: /bin/bash
   UID: 1756600036
   GID: 1756600036
   Account disabled: False
   SSH public key fingerprint: 
B7:97:56:71:31:D8:35:67:6A:4B:5F:C2:D8:00:E6:39 (ssh-rsa)
   Password: True
   Kerberos keys available: True

  . . .  which matches the key used on the client machine:
gmatz at halliburton:~$ uname -a
Linux halliburton 3.5.0-27-generic #46-Ubuntu SMP Mon Mar 25 19:58:17 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
gmatz at halliburton:~$ ssh-keygen -l
Enter file in which the key is (/home/gmatz/.ssh/id_rsa):
2048 b7:97:56:71:31:d8:35:67:6a:4b:5f:c2:d8:00:e6:39 gmatz at halliburton (RSA)

When I run sshd in debug mode, I don't see any indication that the ssh 
server is trying to connect to IPA, but strace gives some indication 
that sssd libs are being loaded.

I don't know if this is any help, but here's what audit.log says when 
publickey auth fails:
type=CRYPTO_KEY_USER msg=audit(1366304690.290:26013): user pid=1592 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=2b:54:31:7d:2f:18:d9:ed:5b:1e:7d:37:34:fa:a7:3b direction=? spid=1592 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1366304690.292:26014): user pid=1592 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=70:bc:4f:b5:1c:e4:93:0d:4f:c9:96:08:dc:85:22:ea direction=? spid=1592 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1366304690.300:26015): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 spid=1592 suid=74 rport=45662 laddr=172.16.6.203 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1366304690.300:26016): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 spid=1592 suid=74 rport=45662 laddr=172.16.6.203 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? res=success'
type=USER_AUTH msg=audit(1366304690.474:26017): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1366304690.485:26018): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'

Any help is greatly appreciated!

Thanks a lot,
Guy
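An added example (not part of the post above) for working through exactly this kind of failure: a small parser for the audit.log records quoted in the message, which tallies failed sshd public-key authentications per account and source address, plus a helper that compares the fingerprint shown by `ipa user-find` (upper-case) with the one from `ssh-keygen -l` (lower-case). The audit lines embedded below are constructed in the same format as those in the post.

```python
import re
from collections import Counter

# Constructed sample, in the same format as the audit.log records quoted in the post.
SAMPLE_AUDIT = """\
type=CRYPTO_SESSION msg=audit(1366304690.300:26015): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 spid=1592 suid=74 rport=45662 laddr=172.16.6.203 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? res=success'
type=USER_AUTH msg=audit(1366304690.474:26017): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1366304690.485:26018): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'
"""

# type=<TYPE> msg=audit(<epoch.millis>:<serial>): <outer fields> msg='<inner fields>'
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# key=value where value is "quoted", 'quoted' or a bare token
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """Flatten one audit record (outer and inner msg='...' fields) into a dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, val in KV_RE.findall(m.group(4)):
        if key == "msg":  # the inner blob carries its own key=value pairs
            for ik, iv in KV_RE.findall(val.strip("'")):
                rec[ik] = iv.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec


def failed_pubkey_auths(text):
    """Count USER_AUTH op=pubkey res=failed records by (account, client address)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "USER_AUTH" and rec.get("op") == "pubkey" \
                and rec.get("res") == "failed":
            counts[(rec.get("acct"), rec.get("addr"))] += 1
    return counts


def same_fingerprint(a, b):
    """Compare colon-separated hex fingerprints regardless of case."""
    norm = lambda s: s.replace(":", "").lower()
    return norm(a) == norm(b)


if __name__ == "__main__":
    for (acct, addr), n in failed_pubkey_auths(SAMPLE_AUDIT).items():
        print(f"{n} failed pubkey auth(s) for {acct} from {addr}")
```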
