Discussion:
[Freeipa-users] authenticating ssh using ssh publickey
Guy Matz
2013-04-18 17:07:05 UTC
Hello! Trying to configure a Centos 6.3 server to authenticate ssh using
keys stored in IPA . . . it's not working and I was hoping someone
might be able to give a place to start debugging.

My user is in IPA (as is a publickey):
[***@iparepl01 log]# ipa user-find gmatz
--------------
1 user matched
--------------
User login: gmatz
First name: Guy
Last name: Matz
Home directory: /home/gmatz
Login shell: /bin/bash
UID: 1756600036
GID: 1756600036
Account disabled: False
SSH public key fingerprint:
B7:97:56:71:31:D8:35:67:6A:4B:5F:C2:D8:00:E6:39 (ssh-rsa)
Password: True
Kerberos keys available: True

. . . which matches the key used on the client machine:
***@halliburton:~$ uname -a
Linux halliburton 3.5.0-27-generic #46-Ubuntu SMP Mon Mar 25 19:58:17
UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
***@halliburton:~$ ssh-keygen -l
Enter file in which the key is (/home/gmatz/.ssh/id_rsa):
2048 b7:97:56:71:31:d8:35:67:6a:4b:5f:c2:d8:00:e6:39 ***@halliburton (RSA)

When I run sshd in debug mode, I don't see any indication that the ssh
server is trying to connect to IPA, but strace gives some indication
that sssd libs are being loaded.

I don't know if this is any help, but here's what audit.log says when
publickey auth fails:
type=CRYPTO_KEY_USER msg=audit(1366304690.290:26013): user pid=1592 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=2b:54:31:7d:2f:18:d9:ed:5b:1e:7d:37:34:fa:a7:3b direction=? spid=1592 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1366304690.292:26014): user pid=1592 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=70:bc:4f:b5:1c:e4:93:0d:4f:c9:96:08:dc:85:22:ea direction=? spid=1592 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1366304690.300:26015): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 spid=1592 suid=74 rport=45662 laddr=172.16.6.203 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1366304690.300:26016): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 spid=1592 suid=74 rport=45662 laddr=172.16.6.203 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? res=success'
type=USER_AUTH msg=audit(1366304690.474:26017): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1366304690.485:26018): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'

any help is greatly appreciated!

Thanks a lot,
Guy
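
As an added example (not part of Guy's post, and not FreeIPA or sssd code): a small POSIX shell/awk summary of the USER_AUTH op=pubkey records that audit.log produces, run here over a constructed sample made from the two failed records quoted above, one of the CRYPTO_SESSION records, and one invented res=success record for contrast. It pulls out account, client address and result so that a burst of failures can be attributed without reading raw records.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise sshd public-key
# authentication results from auditd's audit.log. AUDIT_SAMPLE is constructed
# from records quoted in the thread plus one invented res=success record;
# on a real host use: pubkey_auth_summary "$(cat /var/log/audit/audit.log)"

AUDIT_SAMPLE=$(cat <<'EOF'
type=USER_AUTH msg=audit(1366304690.474:26017): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1366304690.485:26018): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'
type=CRYPTO_SESSION msg=audit(1366304690.300:26015): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 spid=1592 suid=74 rport=45662 laddr=172.16.6.203 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? res=success'
type=USER_AUTH msg=audit(1366304750.101:26030): user pid=1601 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=success'
EOF
)

# One line per (account, client address, result) over USER_AUTH op=pubkey
# records, as "acct addr res count". Other record types (CRYPTO_SESSION,
# CRYPTO_KEY_USER, ...) describe session setup, not the auth decision, and
# are skipped. Each public key the client offers that sshd rejects normally
# gets its own res=failed record, so a count of 2 is not two login attempts.
pubkey_auth_summary() {   # $1: audit log text
    printf '%s\n' "$1" | awk '
        /^type=USER_AUTH / && /op=pubkey/ {
            acct = ""; addr = ""; res = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "acct") { acct = kv[2]; gsub(/"/, "", acct) }
                else if (kv[1] == "addr") addr = kv[2]
                else if (kv[1] == "res") { res = kv[2]; gsub(/[^a-z]/, "", res) }
            }
            count[acct " " addr " " res]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Total rejected public-key offers for one account.
pubkey_failures_for() {   # $1: audit log text, $2: account
    pubkey_auth_summary "$1" | awk -v acct="$2" \
        '$1 == acct && $3 == "failed" { n += $4 } END { print n + 0 }'
}

pubkey_auth_summary "$AUDIT_SAMPLE"
echo "rejected key offers for gmatz: $(pubkey_failures_for "$AUDIT_SAMPLE" gmatz)"
```

On the constructed sample this reports `gmatz 192.168.2.67 failed 2` and `gmatz 192.168.2.67 success 1`: the two records at 26017 and 26018 are two rejected key offers from the same client within 11 ms, which is the shape of "sshd never obtained an acceptable key for this user" rather than a brute-force pattern. The field splitting relies on auditd's key=value layout and the quoting shown in the post; a different audit format would need its own parser.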
Rob Crittenden
2013-04-18 17:49:53 UTC
Post by Guy Matz
> Hello! Trying to configure a Centos 6.3 server to authenticate ssh using
> keys stored in IPA . . . it's not working and I was hoping someone
> might be able to give a place to start debugging.
> [...]
SSH was a tech preview in 6.3, YMMV.

Look on the client in /etc/ssh/ssh_config to see if it is configured,
something like:

GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

Double-check that PubkeyAuthentication is yes too.

The server should have something like this in sshd_config:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

rob
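
To make Rob's checklist repeatable, here is an added example in POSIX shell (mine, not from the thread and not part of sssd or FreeIPA). It reads the effective value of a keyword from an OpenSSH config file, checks the server for `AuthorizedKeysCommand` and the account it runs as, checks the client for the `GlobalKnownHostsFile`/`ProxyCommand` pair, and compares a fingerprint as IPA prints it with one as `ssh-keygen -l` prints it. The config files are constructed samples written to a temp dir. The directive names `AuthorizedKeysCommandRunAs` (Red Hat's OpenSSH 5.3p1 in RHEL/CentOS 6) and `AuthorizedKeysCommandUser` (upstream OpenSSH 6.2 and later), and the `nobody` account, are my assumptions about those sshd versions; the thread itself only names `AuthorizedKeysCommand`.

```shell
#!/bin/sh
# Added example (not from the thread or the sssd project): check the sshd_config
# and ssh_config pieces Rob lists and compare fingerprints as IPA and ssh-keygen
# print them. The config files below are constructed samples in a temp dir;
# on a real host pass /etc/ssh/sshd_config and /etc/ssh/ssh_config instead.

# Effective value of a keyword in an OpenSSH config file: first occurrence wins
# (as in sshd), comment lines are skipped, keyword match is case-insensitive.
# Only plain "Keyword value" lines are handled; Match/Host blocks are not evaluated.
ssh_conf_get() {   # $1 file, $2 keyword
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Server side. Prints one line per problem; exit status is the problem count.
check_sshd_config() {   # $1 sshd_config
    problems=0
    cmd=$(ssh_conf_get "$1" AuthorizedKeysCommand)
    case "$cmd" in
        */sss_ssh_authorizedkeys) ;;
        *) echo "AuthorizedKeysCommand should be /usr/bin/sss_ssh_authorizedkeys (got: ${cmd:-unset})"
           problems=$((problems + 1)) ;;
    esac
    # Assumption about versions: RHEL/CentOS 6 ships OpenSSH 5.3p1 with Red Hat's
    # AuthorizedKeysCommandRunAs; upstream OpenSSH 6.2+ calls it
    # AuthorizedKeysCommandUser and refuses to start if it is missing.
    runas=$(ssh_conf_get "$1" AuthorizedKeysCommandRunAs)
    user=$(ssh_conf_get "$1" AuthorizedKeysCommandUser)
    if [ -z "$runas" ] && [ -z "$user" ]; then
        echo "set AuthorizedKeysCommandRunAs nobody (OpenSSH 5.3/RHEL 6) or AuthorizedKeysCommandUser nobody (OpenSSH 6.2+)"
        problems=$((problems + 1))
    fi
    pk=$(ssh_conf_get "$1" PubkeyAuthentication)   # sshd default is yes
    case "$(printf '%s' "${pk:-yes}" | tr 'A-Z' 'a-z')" in
        yes) ;;
        *) echo "PubkeyAuthentication is '$pk', must be yes"; problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Client side: host keys come from IPA through sss_ssh_knownhostsproxy.
check_ssh_client_config() {   # $1 ssh_config
    problems=0
    case "$(ssh_conf_get "$1" GlobalKnownHostsFile)" in
        */var/lib/sss/pubconf/known_hosts*) ;;
        *) echo "GlobalKnownHostsFile does not list /var/lib/sss/pubconf/known_hosts"; problems=$((problems + 1)) ;;
    esac
    case "$(ssh_conf_get "$1" ProxyCommand)" in
        */sss_ssh_knownhostsproxy*) ;;
        *) echo "ProxyCommand is not /usr/bin/sss_ssh_knownhostsproxy -p %p %h"; problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# IPA prints the MD5 fingerprint upper-case, ssh-keygen -l lower-case (newer
# ssh-keygen also prefixes "MD5:"); normalise both before comparing.
fingerprint_match() {   # $1 fingerprint, $2 fingerprint
    a=$(printf '%s' "$1" | sed 's/^[Mm][Dd]5://' | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$2" | sed 's/^[Mm][Dd]5://' | tr 'A-Z' 'a-z')
    [ "$a" = "$b" ]
}

# Constructed samples: a CentOS 6.3 sshd_config before the fix (nothing tells
# sshd to ask sssd, so only ~/.ssh/authorized_keys is consulted) and after it.
TMP=$(mktemp -d "${TMPDIR:-/tmp}/sssd-ssh-check.XXXXXX")
trap 'rm -rf "$TMP"' EXIT
cat >"$TMP/sshd_config.before" <<'EOF'
# sshd_config (constructed)
Protocol 2
PubkeyAuthentication yes
UsePAM yes
EOF
cat >"$TMP/sshd_config.after" <<'EOF'
Protocol 2
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandRunAs nobody
EOF
cat >"$TMP/ssh_config" <<'EOF'
Host *
    GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
EOF

for f in before after; do
    echo "== sshd_config.$f"
    check_sshd_config "$TMP/sshd_config.$f" && echo "ok"
done
echo "== ssh_config"
check_ssh_client_config "$TMP/ssh_config" && echo "ok"
fingerprint_match "B7:97:56:71:31:D8:35:67:6A:4B:5F:C2:D8:00:E6:39" \
    "b7:97:56:71:31:d8:35:67:6a:4b:5f:c2:d8:00:e6:39" && echo "IPA and client fingerprints match"
```

Against the "before" sample the server check reports two problems (no `AuthorizedKeysCommand`, no run-as account) and the "after" sample passes, which is the situation in the thread: a matching fingerprint in IPA is necessary but does nothing until sshd is told to ask sssd for keys. On a real host, also confirm the sssd ssh responder is enabled (`ssh` in the `services` line of sssd.conf) and run `/usr/bin/sss_ssh_authorizedkeys gmatz` by hand as the run-as account; if that prints nothing, sshd's `AuthorizedKeysCommand` will find nothing either, and sshd must be restarted after the config change.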
