Hi all,
I have set up an IPA server, established a trust with an AD controller and enrolled a couple of clients to it. I have a problem understanding how to properly set up SSH public key authentication when it comes to caching. The issue is that when I upload the key to the server (via the web UI, for an AD user) and later delete this key (also via the web UI), I can still log in on a client machine for a couple of days using my private SSH key. The command sss_ssh_authorizedkeys ad_user shows the correct key on both the server and a client. Even after I manually delete the cache files on the client, sss_ssh_authorizedkeys still displays the correct key.
In a trial-and-error process of debugging it I added entry_cache_user_timeout = 60 to every section of sssd.conf on a client, but it did not change the situation described above much.
I assume that this is due to the caching settings on the server side (I guess user entries are still present in the sssd cache yet they are not visible in the web UI). Can someone please point me to the sssd cache settings that would cause SSH keys to stop working within a reasonable time after they were deleted? Below I paste the sanitized sssd config for the server:
[domain/ipa.domain/ad.domain]
debug_level = 10
# Enable short names without full domain
use_fully_qualified_names = False
ad_server = ad-1.ad.domain,ad-2.ad.domain
#cache_first = True

[domain/ipa.domain]
ad_server = ad-1.ad.domain,ad-2.ad.domain
debug_level = 10
id_provider = ipa
ipa_server_mode = True
ipa_server = ipa-server.ipa.domain
ipa_domain = ipa.domain
ipa_hostname = ipa-server.ipa.domain
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
enumerate = False
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0
#cache_first = True

[sssd]
debug_level = 10
domain_resolution_order = ad.domain, ipa.domain
services = nss, pam, ifp, ssh, sudo
domains = ipa.domain

[nss]
debug_level = 10
filter_users = root,fedora
homedir_substring = /home
memcache_timeout = 600
entry_negative_timeout = 3600
override_shell = /bin/bash
override_homedir = /home/%u
homedir_substring = /home

[pam]
debug_level = 10

[sudo]
debug_level = 10

[autofs]
debug_level = 10

[ssh]
debug_level = 10

[pac]
debug_level = 10

[ifp]
debug_level = 10

[secrets]
debug_level = 10

[session_recording]
debug_level = 10
and the client:
[domain/ipa.domain/ad.domain]
entry_cache_user_timeout = 60
debug_level = 10
# Enable short names without full domain
use_fully_qualified_names = False
subdomain_homedir = /home/%u
selinux_provider = none
ad_enable_gc = false
ad_server = ad-1.ad.domain,ad-2.ad.domain

[domain/ipa.domain]
entry_cache_user_timeout = 60
debug_level = 9
ad_enable_gc = false
subdomain_homedir = /home/%u
# Optimization
selinux_provider = none
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
cache_first = True
ldap_purge_cache_timeout = 0
ldap_sudo_smart_refresh_interval = 60
ldap_sudo_full_refresh_interval = 21600
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ipa-client.ipa.domain
chpass_provider = ipa
ipa_server = _srv_, ipa-server.ipa.domain
dns_discovery_domain = ipa.domain

[sssd]
entry_cache_user_timeout = 60
domain_resolution_order = ad.domain,ipa.domain
services = nss, sudo, pam, ssh
domains = ipa.domain
entry_cache_user_timeout = 60

[nss]
entry_cache_user_timeout = 60
override_shell = /bin/bash
override_homedir = /home/%u
filter_users = root,fedora
homedir_substring = /home

[pam]
entry_cache_user_timeout = 60
debug_level = 9

[sudo]
entry_cache_user_timeout = 60
debug_level = 9

[autofs]

[ssh]
entry_cache_user_timeout = 60
debug_level = 9

[pac]
debug_level = 9

[ifp]
debug_level = 9
And my package versions are:
sssd: client - 1.16.0-4.el6, server - 1.16.1-8.fc27
ipa: client - 3.0.0-51.el6.centos, server - 4.6.3-2.fc27
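An added example, not part of the thread and not SSSD's own tooling: a small audit script that parses an sssd.conf and reports where the cache-lifetime options sit. Per sssd.conf(5), entry_cache_timeout, entry_cache_user_timeout, cache_credentials and ldap_purge_cache_timeout are domain-section options, so copies placed under [sssd], [nss], [pam] or [ssh] are ignored by SSSD, while memcache_timeout and entry_negative_timeout belong to [nss]. The script flags such misplaced copies and computes the effective user entry timeout for a domain (entry_cache_user_timeout, else entry_cache_timeout, else the documented default of 5400 seconds). The embedded config is a constructed, shortened version of the client config posted above; run it against /etc/sssd/sssd.conf by passing the path as the first argument.

```python
"""Audit cache-lifetime options in an sssd.conf (added example, not from the thread)."""
import configparser
import sys
from typing import List, Tuple

# Options that sssd.conf(5) documents under DOMAIN SECTIONS: SSSD only honours
# them inside a [domain/...] (or trusted sub-domain) section.
DOMAIN_CACHE_OPTIONS = {
    "entry_cache_timeout", "entry_cache_user_timeout", "entry_cache_group_timeout",
    "entry_cache_netgroup_timeout", "entry_cache_service_timeout",
    "entry_cache_sudo_timeout", "entry_cache_autofs_timeout",
    "entry_cache_ssh_host_timeout", "refresh_expired_interval",
    "cache_credentials", "ldap_purge_cache_timeout",
}
# Responder-side cache options that belong to the [nss] section.
NSS_CACHE_OPTIONS = {"memcache_timeout", "entry_negative_timeout"}
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400  # sssd.conf(5) default for entry_cache_timeout

# Constructed sample: a shortened form of the client config from the thread.
SAMPLE_CONF = """
[domain/ipa.domain]
debug_level = 9
id_provider = ipa
cache_credentials = True
entry_cache_user_timeout = 60
ldap_purge_cache_timeout = 0

[sssd]
services = nss, pam, ssh
domains = ipa.domain
entry_cache_user_timeout = 60

[nss]
entry_cache_user_timeout = 60
memcache_timeout = 600
override_homedir = /home/%u

[ssh]
entry_cache_user_timeout = 60
debug_level = 9
"""


def load_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text. strict=False tolerates repeated keys (the posted
    configs repeat some), interpolation=None keeps values like /home/%u intact."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(text)
    return parser


def audit_cache_settings(text: str) -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, str]]]:
    """Return (settings, misplaced).

    settings:  every cache-related option found, as (section, option, value)
    misplaced: (section, option) pairs that sit in a section where SSSD ignores them
    """
    conf = load_sssd_conf(text)
    settings: List[Tuple[str, str, str]] = []
    misplaced: List[Tuple[str, str]] = []
    for section in conf.sections():
        is_domain = section.startswith("domain/")
        for option, value in conf.items(section):
            if option in DOMAIN_CACHE_OPTIONS:
                settings.append((section, option, value))
                if not is_domain:
                    misplaced.append((section, option))
            elif option in NSS_CACHE_OPTIONS:
                settings.append((section, option, value))
                if section != "nss":
                    misplaced.append((section, option))
    return settings, misplaced


def effective_user_cache_timeout(text: str, domain_section: str) -> int:
    """Seconds a cached user entry stays valid in the given domain section:
    entry_cache_user_timeout overrides entry_cache_timeout, whose default is 5400."""
    conf = load_sssd_conf(text)
    if conf.has_option(domain_section, "entry_cache_user_timeout"):
        return conf.getint(domain_section, "entry_cache_user_timeout")
    return conf.getint(domain_section, "entry_cache_timeout", fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)


if __name__ == "__main__":
    conf_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    found, wrong = audit_cache_settings(conf_text)
    for section, option, value in found:
        print(f"[{section}] {option} = {value}")
    for section, option in wrong:
        print(f"WARNING: {option} in [{section}] has no effect there (domain/nss option)")
    for section in load_sssd_conf(conf_text).sections():
        if section.startswith("domain/"):
            print(f"[{section}] effective user entry timeout: "
                  f"{effective_user_cache_timeout(conf_text, section)} s")
```

The audit only tells you which timeouts SSSD will actually apply; whether a lookup then goes back to the server still depends on the provider, which is exactly what the rest of this thread is about.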
On Wed, Jun 20, 2018 at 01:15:24PM -0000, Bart via FreeIPA-users wrote:
Hi all,
I have set up an IPA server, established a trust with an AD controller and enrolled a couple of clients to it. I have a problem understanding how to properly set up SSH public key authentication when it comes to caching. The issue is that when I upload the key to the server (via the web UI, for an AD user) and later delete this key (also via the web UI), I can still log in on a client machine for a couple of days using my private SSH key. The command sss_ssh_authorizedkeys ad_user shows the correct key on both the server and a client. Even after I manually delete the cache files on the client, sss_ssh_authorizedkeys still displays the correct key.
Which version of SSSD are you using? The issue sounds like https://pagure.io/SSSD/sssd/issue/3602.
bye, Sumit
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
Hi Sumit,
That was it. I switched to the https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-16/ repo, installed sssd version 1.16.1-7.el6 and voila, problem solved :).
Thank you a lot for your help and prompt response!
Best, Bart
Or it is not solved yet :).
After the update my sssd versions are: server: 1.16.1-8 client: 1.16.1-7
Public keys get updated on the client host but ONLY after I log in to the server. Even though I set entry_cache_timeout = 120 literally everywhere (on client and server), the client still allows logging in with the SSH key after it was deleted using the FreeIPA web UI.
On Thu, Jun 21, 2018 at 12:13:03PM -0000, Bart via FreeIPA-users wrote:
Or it is not solved yet :).
After the update my sssd versions are: server: 1.16.1-8 client: 1.16.1-7
Public keys get updated on the client host but ONLY after I log in to the server. Even though I set entry_cache_timeout = 120 literally everywhere (on client and server), the client still allows logging in with the SSH key after it was deleted using the FreeIPA web UI.
Did you lower memcache_timeout as well? This should not be related, but it is worth a try.
Can you send me the SSSD logs from the IPA client and server which cover the call of sss_ssh_authorizedkeys at the time you would expect the cached entries to be expired and fresh data to be read from the server?
bye, Sumit