sss_ssh_authorizedkeys fails with: Error looking up public keys when client cert present in IPA

Bug #1775636 reported by 4tro
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| sssd (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Xenial | Won't Fix | Low | Unassigned | |

Bug Description

When trying to get the key for a user who also has a client cert present in IPA, the following error shows:
```
(Thu Jun 7 14:37:11:920526 2018) [/usr/bin/sss_ssh_authorizedkeys] [main] (0x0020): sss_ssh_get_ent() failed (14): Bad address
Error looking up public keys
```

What is supposed to happen:
return public key for user

Version Information:
Ubuntu 16.04.2 LTS

Updated sssd-common and related tools to latest: libipa-hbac0 libsss-idmap0 python-libipa-hbac python-sss sssd sssd-ad sssd-ad-common sssd-common sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy

so sssd is now at:
```
ii sssd-common 1.13.4-1ubuntu1.10 amd64 System Security Services Daemon -- common files
```

This doesn't happen on CentOS 7.5 (sssd-common-1.16.0-19.el7.x86_64) nor on Ubuntu 14.04 (sssd-common==1.11.8-0ubuntu0.7)

IPA server is on CentOS 7.5: ipa-server-4.5.4-10.el7.centos.x86_64

From what I've seen upstream, it might be related to the fairly new handling of x509 certificates with ssh certificates in them.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sssd (Ubuntu):
status: New → Confirmed
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hi,
Can you in addition try whether it is also fixed with the version that is in Ubuntu 18.04 or later?
That would be based on 1.16.1, like the one you referred to for CentOS.

If so, it is quite likely an upstream issue fixed in the meantime, and one has to check which diff between 1.13 -> 1.16 is the fix and whether it can be backported to the affected Ubuntu releases.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm also taking a look at reproducing this.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

How did you add the certificate to the user? Following https://www.freeipa.org/page/Howto/Client_Certificate_Authentication_with_LDAP perhaps? Is that howto still up-to-date for your deployment?

Revision history for this message
4tro (finke-lamein) wrote :

Yes, seems right.

I have set up a system with Ubuntu 18.04, and the problem doesn't show up there.

Revision history for this message
Andreas Hasenack (ahasenack) wrote : Re: [Bug 1775636] Re: sss_ssh_authorizedkeys fails with: Error looking up public keys when client cert present in IPA

I'm trying on trusty and just found out realmd there segfaults when joining

On Fri, Jun 8, 2018, 12:30 4tro <email address hidden> wrote:

> Yes, seems right.
>
> I have setup a system with ubuntu 18.04, and the problem doesn't show up
> there.

Revision history for this message
4tro (finke-lamein) wrote :

I've been using the ipa-client-install on 14.04 and had no issues (knock on wood)

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Yeah, ipa-client-install worked.

Ok, problem confirmed on xenial, and working on trusty:

```
root@xenial-freeipaclient:~# sss_ssh_authorizedkeys andreas
Error looking up public keys
root@xenial-freeipaclient:~#

root@trusty-freeipaclient:~# sss_ssh_authorizedkeys andreas
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsfoFAX+liChwOQ1qF/f8P0uARnf2O54D5wnRUpvw/VDAQMLIlsTYVnE2Olqk2Cf2eFp4oOz5CW3X/nfRe59xcXzQWtqzfGlaD0VXXyaRSwtwxlIS2XVIvpOm/D5ks3W7NkyglP1UqdK3iVyZa55o+LYv86VdGm9phDY+1ae1/zrFmuOjFuKwIz4NBaTzYLH5VUQD9MbEWLqm41I887HB530nCFhfW401HrdgkQkqgQ0mywN534gp8K9JDRIYq2jWaJMNkF3Evmdn2BVnHcYzmE61rt0G1lbWGF4JUe+CLBV8cxS5OdZ5xk64/xS+osjvl1W94GHbEgbvfNJnLPWPLQ== andreas@nsn
```

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

It looks like this could be https://pagure.io/SSSD/sssd/issue/2977

Can you try adding this line to the [domain/] section of xenial's /etc/sssd/sssd.conf:
```
ldap_user_certificate = noSuchAttribute
```

and then restart sssd:
```
sudo service sssd restart
```

It worked around the problem here. Next I'm going to try the commit linked to the bug above.
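
An added example (not from this bug report or from the SSSD project) of applying the workaround above without hand-editing: it adds `ldap_user_certificate = noSuchAttribute` to every `[domain/...]` section that lacks it and reports which sections changed, so a deployment script restarts sssd only when something actually changed. The sample sssd.conf is constructed; it is modelled on an ipa-client-install layout, not copied from any real host.

```python
"""Apply the sssd.conf workaround from the thread, idempotently.

Added example, not from the bug report or SSSD. Uses only the stdlib.
Note: ConfigParser.write() drops comments, so when rewriting a live
/etc/sssd/sssd.conf review the diff before installing the result.
"""
import configparser
import io

WORKAROUND_KEY = "ldap_user_certificate"
WORKAROUND_VALUE = "noSuchAttribute"  # value suggested in the thread


def apply_workaround(conf_text: str):
    """Return (new_conf_text, changed_sections) for an sssd.conf text.

    Only [domain/...] sections are touched, since that is where SSSD reads
    the LDAP user-certificate attribute name from. Sections that already
    carry the workaround are left alone, so running this twice is a no-op.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(conf_text)
    changed = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, WORKAROUND_KEY, fallback=None) == WORKAROUND_VALUE:
            continue
        cp.set(section, WORKAROUND_KEY, WORKAROUND_VALUE)
        changed.append(section)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue(), changed


# Constructed sample config (hypothetical domain example.test).
SAMPLE_CONF = """[domain/example.test]
id_provider = ipa
ipa_server = _srv_, ipa.example.test
ldap_user_ssh_public_key = ipaSshPubKey

[sssd]
services = nss, pam, ssh
domains = example.test

[ssh]
"""

if __name__ == "__main__":
    new_text, changed = apply_workaround(SAMPLE_CONF)
    print(new_text)
    print("changed sections:", changed)  # restart sssd only if non-empty
```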

Revision history for this message
4tro (finke-lamein) wrote :

Workaround confirmed, I'll be rolling that out while waiting for that to land in xenial.
If you need more info or help debugging, I'll be happy to help.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

That patch will require some backporting effort as it depends on other changes made earlier in that 1.13 branch.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Only xenial affected, adjusting bug tasks

Changed in sssd (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → Low
Changed in sssd (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Just confirming this is still in our queue.

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Xenial has entered ESM, so I'm marking this bug as Won't Fix for it.

Changed in sssd (Ubuntu Xenial):
status: Triaged → Won't Fix