On (27/08/15 08:21), Davor Vusir wrote:
On 2015-08-26 21:36, Lukas Slebodnik wrote:
On (26/08/15 13:09), Davor Vusir wrote:
On 2015-08-25 20:25, Lukas Slebodnik wrote:
Now you can test with the command line utility sss_ssh_authorizedkeys whether the ssh responder is correctly configured. ("ssh" should be listed in the option services in the sssd section.) If the public key is returned then you need to check the sshd configuration files for proper integration.
@see more details in man sss_ssh_authorizedkeys
[root@client-1 ~]# sss_ssh_authorizedkeys myLoginID
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
[myLoginID@client-1 ~]# sss_ssh_authorizedkeys myLoginID
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
Seems to work. But as soon as I put in "subdomains_provider = none", either sshd or sssd (I believe it's sssd) bypasses the ssh public key check. It recognizes that it should check for the password to unlock the private key, but doesn't care what I'm typing. It solely checks for the Kerberos password.
Does sss_ssh_authorizedkeys return the public key with "subdomains_provider = none"? Please try with an empty cache.
Is this the correct procedure?
yes.
Logged in as "nonPublicKeyUser", su-ing to root in one terminal:
[root@server-1 ~]# service sssd stop
Redirecting to /bin/systemctl stop sssd.service
[root@server-1 ~]# rm -f /var/log/sssd/sssd*
[root@server-1 ~]# vi /etc/sssd/sssd.conf
[root@server-1 ~]# service sssd stop && rm -Rf /var/lib/sss/db/* && rm -Rf /var/lib/sss/mc/* && service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@server-1 ~]#

In another terminal from client-1:
PublicKeyUser@server-1 ~ $ ssh server-1.subdomain.example.org
Enter passphrase for key '/home/PublicKeyUser/.ssh/id_rsa':    <- No password given. Just pressed <return>.
Password:
Last login: Wed Aug 26 12:56:21 2015 from client-1.subdomain2.example.org
[PublicKeyUser@server-1 ~]$ sss_ssh_authorizedkeys PublicKeyUser
ssh-rsa AAAAB3NzaC1yc2EAAA...
[PublicKeyUser@server-1 ~]$ exit

Back to the first terminal:
[root@server-1 ~]# service sssd stop && rm -Rf /var/lib/sss/db/* && rm -Rf /var/lib/sss/mc/* && service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@server-1 ~]# sss_ssh_authorizedkeys PublicKeyUser
ssh-rsa AAAAB3NzaC1yc2E...
[root@server-1 ~]#
You could immediately run "sss_ssh_authorizedkeys PublicKeyUser" as root after restarting sssd with the new configuration.
But it looks like the public key is returned even with the subdomain provider disabled.
As soon as I comment out "subdomains_provider = none", user accounts with a public key use this type of authentication only and user accounts with a Kerberos password use Kerberos authentication only. Which, of course, is the goal.
I don't expect you to comment on the sshd_config, but here are the relevant parts of both sshd_config and sssd.conf. Both "ct-linuxuberadmins" and "ct-linuxservicesadmins" in sshd_config are AD groups with corresponding sudoers files.
sssd.conf:
[domain/ad.example.org]
debug_level = 6
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
subdomains_provider = none
# subdomain_enumerate = none
ignore_group_members = True
enumerate = False
ldap_page_size = 1000
ldap_id_mapping = False
ldap_purge_cache_timeout = 0
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True
dyndns_update = False
dyndns_update_ptr = False
cache_credentials = true
krb5_store_password_if_offline = true
sshd_config:
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes

Match Group ct-linuxuberadmins
    AuthorizedKeysCommand /bin/sss_ssh_authorizedkeys
    AuthorizedKeysCommandUser svcCTSSHDbind

Match Group ct-linuxservicesadmins
    PubkeyAuthentication no
Maybe I'm wrong, but you might miss some groups with the subdomain provider disabled. Please try with an empty cache.
So sshd will not get to the section with AuthorizedKeysCommand.
After step 3 above:
[root@server-1 ~]# getent group ct-linuxuberadmins
ct-linuxuberadmins:*:10287220:
[root@server-1 ~]# service sssd stop && rm -Rf /var/lib/sss/db/* && rm -Rf /var/lib/sss/mc/* && service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@server-1 ~]# getent group ct-linuxservicesadmins
uuct-gg-linuxservicesadmins:*:10287637:
Users are not listed due to the enabled option ignore_group_members.
I would be more interested in the output of the command "id PublicKeyUser" with the subdomain provider enabled and disabled.
LS
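As an added example, not code from this thread or from the SSSD or OpenSSH projects: a small POSIX sh helper that checks the two configuration points the discussion turns on, whether "ssh" is listed under services in the [sssd] section, and which AuthorizedKeysCommand sshd would end up applying to a member of a given group once Match blocks are taken into account (if the group lookup fails, the Match Group block never applies and sss_ssh_authorizedkeys is never consulted). It assumes the "key = value" layout of sssd.conf and that an sshd Match block overrides the global section; the group and service-account names are the thread's, and the /etc paths in the usage line are an assumption.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread, SSSD or OpenSSH). Checks whether
# the "ssh" responder is listed under services in [sssd], and which
# AuthorizedKeysCommand sshd would apply for a member of a group (Match overrides global).

# ini_get FILE SECTION KEY: print the value of "KEY = value" inside [SECTION]
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); insec = (s == sec); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit
            }
        }' "$1"
}

# sssd_ssh_responder_enabled FILE: exit 0 when "ssh" is among the [sssd] services
sssd_ssh_responder_enabled() {
    for svc in $(ini_get "$1" sssd services | tr ',' ' '); do
        [ "$svc" = ssh ] && return 0
    done
    return 1
}

# sshd_keys_command_for_group FILE GROUP: print the AuthorizedKeysCommand sshd
# would use for a member of GROUP; empty output means the key lookup command is
# never run for that user (the thread's symptom when the Match Group does not apply)
sshd_keys_command_for_group() {
    awk -v grp="$2" '
        tolower($1) == "match" {
            inmatch = 1; active = 0
            for (i = 2; i < NF; i += 2) if (tolower($i) == "group") {
                n = split($(i + 1), pats, ",")
                for (j = 1; j <= n; j++) if (pats[j] == grp) active = 1
            }
            next
        }
        tolower($1) == "authorizedkeyscommand" {
            if (!inmatch && global == "") global = $2
            else if (inmatch && active && matched == "") matched = $2
        }
        END { print (matched != "" ? matched : global) }' "$1"
}

# usage (paths assumed): sh check.sh /etc/sssd/sssd.conf /etc/ssh/sshd_config ct-linuxuberadmins
if [ $# -eq 3 ]; then
    sssd_ssh_responder_enabled "$1" && echo "ssh responder: enabled" || echo "ssh responder: NOT in services"
    echo "AuthorizedKeysCommand for group $3: '$(sshd_keys_command_for_group "$2" "$3")'"
fi
```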