[Freeipa-users] authenticating ssh using ssh publickey

Rob Crittenden rcritten at redhat.com
Thu Apr 18 17:49:53 UTC 2013


Guy Matz wrote:
> Hello! Trying to configure a Centos 6.3 server to authenticate ssh using
> keys stored in IPA . . .  it's not working and I was hoping someone
> might be able to give me a place to start debugging.
>
> My user is in IPA (it has a publickey):
> [root at iparepl01 log]# ipa user-find gmatz
> --------------
> 1 user matched
> --------------
>    User login: gmatz
>    First name: Guy
>    Last name: Matz
>    Home directory: /home/gmatz
>    Login shell: /bin/bash
>    UID: 1756600036
>    GID: 1756600036
>    Account disabled: False
>    SSH public key fingerprint:
> B7:97:56:71:31:D8:35:67:6A:4B:5F:C2:D8:00:E6:39 (ssh-rsa)
>    Password: True
>    Kerberos keys available: True
>
>   . . .  which matches the key used on the client machine:
> gmatz at halliburton:~$ uname -a
> Linux halliburton 3.5.0-27-generic #46-Ubuntu SMP Mon Mar 25 19:58:17
> UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
> gmatz at halliburton:~$ ssh-keygen -l
> Enter file in which the key is (/home/gmatz/.ssh/id_rsa):
> 2048 b7:97:56:71:31:d8:35:67:6a:4b:5f:c2:d8:00:e6:39 gmatz at halliburton
> (RSA)
>
> When I run sshd in debug mode, I don't see any indication that the ssh
> server is trying to connect to IPA, but strace gives some indication
> that sssd libs are being loaded.
>
> I don't know if this is any help, but here's what audit.log says when
> publickey auth fails:
> type=CRYPTO_KEY_USER msg=audit(1366304690.290:26013): user pid=1592
> uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server
> fp=2b:54:31:7d:2f:18:d9:ed:5b:1e:7d:37:34:fa:a7:3b direction=? spid=1592
> suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=?
> res=success'
> type=CRYPTO_KEY_USER msg=audit(1366304690.292:26014): user pid=1592
> uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server
> fp=70:bc:4f:b5:1c:e4:93:0d:4f:c9:96:08:dc:85:22:ea direction=? spid=1592
> suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=?
> res=success'
> type=CRYPTO_SESSION msg=audit(1366304690.300:26015): user pid=1591 uid=0
> auid=4294967295 ses=4294967295 msg='op=start direction=from-client
> cipher=aes128-ctr ksize=128 spid=1592 suid=74 rport=45662
> laddr=172.16.6.203 lport=22  exe="/usr/sbin/sshd" hostname=?
> addr=192.168.2.67 terminal=? res=success'
> type=CRYPTO_SESSION msg=audit(1366304690.300:26016): user pid=1591 uid=0
> auid=4294967295 ses=4294967295 msg='op=start direction=from-server
> cipher=aes128-ctr ksize=128 spid=1592 suid=74 rport=45662
> laddr=172.16.6.203 lport=22  exe="/usr/sbin/sshd" hostname=?
> addr=192.168.2.67 terminal=? res=success'
> type=USER_AUTH msg=audit(1366304690.474:26017): user pid=1591 uid=0
> auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz"
> exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'
> type=USER_AUTH msg=audit(1366304690.485:26018): user pid=1591 uid=0
> auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz"
> exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'
>
> any help is greatly appreciated!

SSH was a tech preview in 6.3, YMMV.

Look on the client in /etc/ssh/ssh_config to see if it is configured, 
something like:

GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

Double-check that PubkeyAuthentication is yes too.

The server should have something like this in sshd_config:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

rob
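As an added example that is not part of the thread, the script below turns the checks in the reply above into a small POSIX sh script: it reads the relevant directives out of an OpenSSH-style config file (GlobalKnownHostsFile, ProxyCommand and PubkeyAuthentication on the client, AuthorizedKeysCommand on the server) and compares the fingerprint IPA reports (upper-case) with the one ssh-keygen prints (lower-case), since a visual comparison of the two is easy to get wrong. The sample config files it writes into a temporary directory are constructed for the demonstration; the SAMPLES variable and the function names are this example's own, not anything from SSSD or FreeIPA.

```shell
#!/bin/sh
# Added example, not from the original thread: sanity checks for the client
# and server settings the reply describes, run against constructed samples.

# Print the value of directive $1 from OpenSSH-style config file $2
# (first uncommented match; directive names are case-insensitive).
directive_value() {
    awk -v d="$1" 'tolower($1) == tolower(d) {
        sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }' "$2"
}

# Client side: SSSD known_hosts file, the knownhosts proxy, and pubkey
# authentication not disabled. Prints each problem; returns the problem count.
check_client_config() {
    problems=0
    if [ -z "$(directive_value GlobalKnownHostsFile "$1")" ]; then
        echo "$1: GlobalKnownHostsFile not set (expected /var/lib/sss/pubconf/known_hosts)"
        problems=$((problems + 1))
    fi
    case "$(directive_value ProxyCommand "$1")" in
        *sss_ssh_knownhostsproxy*) ;;
        *) echo "$1: ProxyCommand does not use sss_ssh_knownhostsproxy"
           problems=$((problems + 1)) ;;
    esac
    if [ "$(directive_value PubkeyAuthentication "$1" | tr 'A-Z' 'a-z')" = "no" ]; then
        echo "$1: PubkeyAuthentication is no"
        problems=$((problems + 1))
    fi
    return $problems
}

# Server side: sshd must ask SSSD for the user's keys.
check_server_config() {
    case "$(directive_value AuthorizedKeysCommand "$1")" in
        *sss_ssh_authorizedkeys*) return 0 ;;
        *) echo "$1: AuthorizedKeysCommand not set to /usr/bin/sss_ssh_authorizedkeys"
           return 1 ;;
    esac
}

# IPA prints fingerprints upper-case, ssh-keygen lower-case: compare ignoring case.
fingerprints_match() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Constructed sample configs (written to a temp dir, not the real system files).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/ssh_config.ok" <<'EOF'
# client config with SSSD integration
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
PubkeyAuthentication yes
EOF
cat > "$SAMPLES/ssh_config.missing" <<'EOF'
#GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
PubkeyAuthentication no
EOF
cat > "$SAMPLES/sshd_config.ok" <<'EOF'
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
EOF
cat > "$SAMPLES/sshd_config.missing" <<'EOF'
#AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
EOF

# Demo run against the samples.
for f in "$SAMPLES/ssh_config.ok" "$SAMPLES/ssh_config.missing"; do
    check_client_config "$f" && echo "$f: client settings look fine"
done
for f in "$SAMPLES/sshd_config.ok" "$SAMPLES/sshd_config.missing"; do
    check_server_config "$f" && echo "$f: server setting looks fine"
done
fingerprints_match "B7:97:56:71:31:D8:35:67:6A:4B:5F:C2:D8:00:E6:39" \
                   "b7:97:56:71:31:d8:35:67:6a:4b:5f:c2:d8:00:e6:39" \
    && echo "fingerprints match"
```

Point the functions at the real /etc/ssh/ssh_config and /etc/ssh/sshd_config to check an actual host. A config that passes still only proves sshd will ask SSSD; whether SSSD returns the key is a separate question, and running /usr/bin/sss_ssh_authorizedkeys with the user name as its argument on the server shows directly what sshd would get back.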
