Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1331080
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
IPA key authentication logs a false error message for the root user. Systems are configured with an IPA server for authentication, and authentication to the root user is via a public key stored in local authorized key and not in IPA. Now whenever we log in to the system as the root user it logs the error message below, but the same is not the case when we log in with an IPA user.

    error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1

I guess authentication to root is also trying to retrieve the key from the IPA server, which is resulting in the error. See the error below.

    [root@system log]# sss_ssh_authorizedkeys root
    Error looking up public keys
    [root@system log]#

Version-Release number of selected component (if applicable):
RHEL 7.2

How reproducible:
100%

Additional info:
In the SSH responder, we ignore root as we should:

    if (strcmp(cmd_ctx->name, "root") == 0) {
        ret = ENOENT;
        goto done;
    }

But in the SSH client tool, we fail if the function above returns ENOENT:

    /* look up public keys */
    ret = sss_ssh_get_ent(mem_ctx, SSS_SSH_GET_USER_PUBKEYS,
                          pc_user, pc_domain, NULL, &ent);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "sss_ssh_get_ent() failed (%d): %s\n", ret, strerror(ret));
        ERROR("Error looking up public keys\n");
        ret = EXIT_FAILURE;
        goto fini;
    }
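Added example, not part of the ticket and not SSSD source code: a self-contained model of the two snippets above, showing the reported exit status for root next to one possible handling in which ENOENT is treated as "no keys stored" instead of a failure. The names `responder_lookup`, `client_before` and `client_after`, the users `ipauser` and `brokenuser`, and the key string are assumptions made for this sketch; it is not the patch that was merged.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef EOK
#define EOK 0
#endif

/* Stand-in for the SSH responder (hypothetical; users and keys are constructed). */
static int responder_lookup(const char *name, const char **key)
{
    *key = NULL;
    if (strcmp(name, "root") == 0) return ENOENT;     /* root is ignored, as in the ticket */
    if (strcmp(name, "brokenuser") == 0) return EIO;  /* simulated real failure */
    if (strcmp(name, "ipauser") != 0) return ENOENT;  /* unknown user */
    *key = "ssh-ed25519 CONSTRUCTED-EXAMPLE-KEY ipauser";
    return EOK;
}

/* Behaviour reported in the ticket: every non-EOK result is an error. */
int client_before(const char *name)
{
    const char *key;
    int ret = responder_lookup(name, &key);
    if (ret != EOK) {
        fprintf(stderr, "Error looking up public keys\n");
        return EXIT_FAILURE;
    }
    puts(key);
    return EXIT_SUCCESS;
}

/* Sketch: ENOENT means "no keys stored", so print nothing and exit 0. */
int client_after(const char *name)
{
    const char *key;
    int ret = responder_lookup(name, &key);
    if (ret == ENOENT) return EXIT_SUCCESS;
    if (ret != EOK) {
        fprintf(stderr, "Error looking up public keys (%d): %s\n", ret, strerror(ret));
        return EXIT_FAILURE;
    }
    puts(key);
    return EXIT_SUCCESS;
}

int main(void) { return client_after("root"); }
```

With this handling a genuine lookup failure still exits non-zero, so sshd keeps logging the cases that need attention while the root lookup stays quiet.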
Fields changed
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => jhrozek
patch: 0 => 1
review: True => 0
selected: =>
status: new => assigned
testsupdated: => 0
Since this is a trivial patch which is already on the list for a couple of days, I think it's perfectly safe to put this ticket into 1.14 alpha.
milestone: NEEDS_TRIAGE => SSSD 1.14 alpha
Patch is available for some time, but shouldn't block the Beta release.
milestone: SSSD 1.14 alpha => SSSD 1.14.0
master:
resolution: => fixed
status: assigned => closed
This fix still hasn't been merged into rhel 7.2 (as of Nov/2016)
A workaround we found was to add the following to /etc/ssh/sshd_config:

    Match User *,!root
        AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
        AuthorizedKeysCommandUser nobody
Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.14.0
Could this be backported to sssd-1-13 too?
Sure
sssd-1-13:
Metadata Update from @lslebodn:
- Custom field design_review reset (from 0)
- Custom field mark reset (from 0)
- Custom field patch adjusted to on (was: 1)
- Custom field review reset (from 0)
- Custom field sensitive reset (from 0)
- Custom field testsupdated reset (from 0)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4044
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.