Ticket #2657 (closed defect: wontfix)

Opened 2 years ago

Last modified 23 months ago

'Error looking up public keys' message shown while doing ssh to ipa-server from ipa-client system

Reported by: mkosek
Owned by: mkosek
Priority: major
Milestone: FreeIPA 3.0 Beta 1
Component: DNS
Version: 2.0
Affects Documentation: no
Patch posted for review: no
Red Hat Bugzilla: 813884

Description

https://bugzilla.redhat.com/show_bug.cgi?id=813884 (Red Hat Enterprise Linux 6)

Description of problem:
After joining the system successfully as ipa-client, the following message is shown when I do ssh to ipa-server after kinit:

Error looking up public keys
Last login: Wed Apr 18 21:43:55 2012 from 10.65.201.176
Could not chdir to home directory /home/admin: No such file or directory
-bash-4.1$

Version-Release number of selected component (if applicable):
[root@dhcp201-176 ~]# rpm -q ipa-client
ipa-client-2.2.0-9.el6.x86_64
[root@dhcp201-176 ~]#


How reproducible:
Always

Steps to Reproduce:
1. Install IPA Server
2. Join a system as ipa-client using ipa-client-install

  [root@dhcp201-176 ~]# ipa-client-install --domain=testrelm.com --realm=TESTRELM.COM -p admin -w Secret123 -U --server=ipa63server.testrelm.com
Discovery was successful!
Hostname: dhcp201-176.englab.pnq.redhat.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: ipa63server.testrelm.com
BaseDN: dc=testrelm,dc=com


Synchronizing time with KDC...

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
Warning: Could not update DNS SSHFP records.
SSSD enabled
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@dhcp201-176 ~]#

3. kinit as admin

   [root@dhcp201-176 ~]# kinit admin
Password for admin@TESTRELM.COM:
[root@dhcp201-176 ~]#

4. ssh to ipa-server system.

  [root@dhcp201-176 ~]# ssh admin@ipa63server.testrelm.com
Error looking up public keys
Last login: Wed Apr 18 21:43:55 2012 from 10.65.201.176
Could not chdir to home directory /home/admin: No such file or directory
-bash-4.1$

Actual results:
    The following message is shown:
    "Error looking up public keys"

Expected results:
    The message "Error looking up public keys" should not appear while doing ssh to ipa-server.

Change History

comment:1 Changed 2 years ago by mkosek

  • affects_cli set to 0
  • tests set to 0
  • Patch posted for review unset
  • candidate_to_defer set to 0
  • Affects Documentation unset
  • testsupdated set to 0

The issue here is that server SSHFP records are only filled when you install IPA via "ipa-server-install --setup-dns" because they are filled as a part of client installation.

When DNS support is installed separately (ipa-dns-install), SSHFP records for the server are not filled and clients connecting to the master will receive the "Error looking up public keys" error.

comment:2 Changed 2 years ago by jcholast

That is a wrong guess, actually. This has nothing to do with SSHFP records, as they are not used for host authentication (not by default and definitely not here).

This error message can be seen when SSSD is misconfigured or when the user or host is not known to SSSD. So, this is either a misconfiguration or an SSSD bug.

Can you please post the output of:

$ /usr/bin/sss_ssh_authorizedkeys --debug 10 admin

and:

$ ssh -o ProxyCommand='/usr/bin/sss_ssh_knownhostsproxy --debug 10 -p %p %h' admin@ipa63server.testrelm.com

?
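
A check for the misconfiguration case named in comment 2, as an added example that is not part of the ticket or of FreeIPA/SSSD. It assumes copies of sssd.conf, sshd_config and ssh_config in one directory and that the integration is wired through the `services` list in `[sssd]`, `AuthorizedKeysCommand` and `ProxyCommand`; the function names are hypothetical.

```shell
# Added example, not from the ticket; the one-directory file layout is assumed.
# True if the [sssd] section's "services" list includes the ssh responder.
has_ssh_responder() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", svc[i]); if (svc[i] == "ssh") found = 1 }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# True if file $1 has an uncommented keyword $2 line that names helper $3.
# OpenSSH keywords are case-insensitive and accept "Keyword=value".
names_helper() {
    awk -v kw="$2" -v helper="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/) }
        tolower(f[1]) == tolower(kw) && index(line, helper) { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Print one finding per failed check for the copies in directory $1;
# the return status is the number of failed checks.
check_sss_ssh() {
    dir=$1 bad=0
    has_ssh_responder "$dir/sssd.conf" ||
        { echo "sssd.conf: ssh missing from [sssd] services"; bad=$((bad + 1)); }
    names_helper "$dir/sshd_config" AuthorizedKeysCommand sss_ssh_authorizedkeys ||
        { echo "sshd_config: no sss_ssh_authorizedkeys command"; bad=$((bad + 1)); }
    names_helper "$dir/ssh_config" ProxyCommand sss_ssh_knownhostsproxy ||
        { echo "ssh_config: no sss_ssh_knownhostsproxy proxy"; bad=$((bad + 1)); }
    return "$bad"
}

# Constructed sample: sssd.conf lacks the ssh responder, so one finding.
demo() {
    d=$(mktemp -d)
    printf '[sssd]\nservices = nss, pam\n' > "$d/sssd.conf"
    printf 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n' > "$d/sshd_config"
    printf 'Host *\n  ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %%p %%h\n' > "$d/ssh_config"
    check_sss_ssh "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || true
```

If all three checks pass and the helper still prints the error, the configuration is not the cause and the `--debug 10` output requested in comment 2 is the next thing to collect.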

comment:3 Changed 2 years ago by dpal

  • Milestone changed from 0.0 NEEDS_TRIAGE to 3.0 Core Remaining Work 06 June Y12

comment:4 Changed 23 months ago by mkosek

  • Resolution set to wontfix
  • Status changed from new to closed

This is the output that jcholast requested:

# /usr/bin/sss_ssh_authorizedkeys --debug 10 admin
(Thu Jun  7 05:48:18:186913 2012) [/usr/bin/sss_ssh_authorizedkeys] [main] (0x0020): sss_ssh_get_ent() failed (14): Bad address
Error looking up public keys

# ssh -o ProxyCommand='/usr/bin/sss_ssh_knownhostsproxy --debug 10 -p %p %h' admin@vm-125.idm.lab.bos.redhat.com
(Thu Jun  7 05:49:28:107774 2012) [/usr/bin/sss_ssh_knownhostsproxy] [main] (0x0020): sss_ssh_get_ent() failed (14): Bad address
Error looking up public keys
The authenticity of host 'vm-125.idm.lab.bos.redhat.com (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is 6b:a2:26:6f:eb:66:ef:4d:93:b1:dd:ba:e7:6e:f6:b1.
Are you sure you want to continue connecting (yes/no)? ^C

We discussed this issue in person; this is a real bug in SSSD and will be fixed as a part of SSSD ticket #1356, i.e. nothing is to be done on the IPA side at this moment.
