Hi all,

I have set up ipa server, established trust with an ad controller and enrolled 
a couple of clients to it.
I have a problem understanding how to properly set up ssh pubkey authentication 
when it comes to caching.
The issue is that when I upload the key to the server (via the web ui, for an 
AD user) and later delete this key (also via the web UI) I still can log in on 
a client machine for a couple of days using my private ssh key part. The 
command sss_ssh_authorizedkeys ad_user shows the correct key on both server and 
a client. Even after I manually delete the cache files on the client, 
sss_ssh_authorizedkeys still displays the correct key.

While debugging this by trial and error, I added entry_cache_user_timeout = 
60 to every section of sssd.conf on a client, but it did not noticeably change 
the situation described above.

I assume that this is due to the caching settings on the server side (I guess 
user entries are still present in the sssd cache yet they are not visible in 
the web ui).
Can someone please point me to the sssd cache settings that would make ssh 
keys stop working within a reasonable time after they are deleted?
Below I paste sanitized sssd config for the server:

# Server-side settings for the trusted AD domain, configured as a subdomain of ipa.domain.
# NOTE(review): no entry_cache_* timeout is set in this section; confirm which
# timeout governs cached AD user entries on the server, since a stale entry here
# would presumably be what clients receive.
[domain/ipa.domain/ad.domain]
debug_level = 10
# Enable short names without full domain
use_fully_qualified_names = False
ad_server = ad-1.ad.domain,ad-2.ad.domain
# cache_first is commented out, so it is not set in this section.
#cache_first = True

# Primary IPA domain on the server (ipa_server_mode = True is set below).
# NOTE(review): no entry_cache_timeout / entry_cache_user_timeout is set here, so
# the default documented in sssd.conf(5) (5400 s) should apply; that alone would
# not explain a deleted key being honoured for days.
[domain/ipa.domain]
ad_server = ad-1.ad.domain,ad-2.ad.domain
debug_level = 10
id_provider = ipa
ipa_server_mode = True
ipa_server = ipa-server.ipa.domain
ipa_domain = ipa.domain
ipa_hostname = ipa-server.ipa.domain
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
# cache_credentials and krb5_store_password_if_offline concern password
# credentials kept for offline logins; they do not control SSH public keys.
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True

enumerate = False
# The options listed here are inherited by the AD subdomain.
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
# 0 disables the periodic cache cleanup task (sssd-ldap(5)); it is not an
# expiry time for cached entries.
ldap_purge_cache_timeout = 0
#cache_first = True

# Global section on the server: enabled responders and configured domains.
[sssd]
debug_level = 10
# Short (unqualified) names are looked up in ad.domain before ipa.domain.
domain_resolution_order = ad.domain, ipa.domain
# "ssh" enables the responder that sss_ssh_authorizedkeys queries.
services = nss, pam, ifp, ssh, sudo
domains = ipa.domain

# NSS responder settings on the server.
[nss]
debug_level = 10
filter_users = root,fedora

# NOTE(review): homedir_substring is set twice in this section (here and on the
# last line) with the same value; one occurrence is redundant.
homedir_substring = /home
# Lifetime in seconds of the NSS in-memory cache.
# NOTE(review): presumably not consulted by the ssh responder - confirm.
memcache_timeout = 600
# Negative lookups (entry not found) are cached for an hour; sssd.conf(5)
# documents a default of 15 s.
entry_negative_timeout = 3600
override_shell = /bin/bash
override_homedir = /home/%u
homedir_substring = /home



# The remaining server sections only raise logging verbosity.
# NOTE(review): with debugging enabled for [ssh], the ssh responder log
# (normally sssd_ssh.log under /var/log/sssd/) should show whether a key lookup
# was answered from cache or refreshed from the backend - useful for finding
# where a deleted key is still being served.
[pam]
debug_level = 10

[sudo]
debug_level = 10

[autofs]
debug_level = 10

[ssh]
debug_level = 10

[pac]
debug_level = 10

[ifp]
debug_level = 10

[secrets]
debug_level = 10

[session_recording]
debug_level = 10

and the client:

# Client-side overrides for the trusted AD subdomain.
[domain/ipa.domain/ad.domain]
# Domain-level option: cached user entries are treated as valid for 60 s before
# the backend is asked again.
# NOTE(review): the client refreshes from the IPA server, so a stale entry in
# the server's own cache would presumably still be returned - confirm.
entry_cache_user_timeout = 60
debug_level = 10
# Enable short names without full domain
use_fully_qualified_names = False
subdomain_homedir = /home/%u
selinux_provider = none
ad_enable_gc = false
ad_server = ad-1.ad.domain,ad-2.ad.domain


# Primary IPA domain as configured on the client.
[domain/ipa.domain]
# entry_cache_user_timeout is documented as a domain-section option, so this is
# a section where it takes effect.
entry_cache_user_timeout = 60
debug_level = 9
ad_enable_gc = false
subdomain_homedir = /home/%u
# Optimization
selinux_provider = none
# The options listed here are inherited by the AD subdomain.
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
# NOTE(review): sssd.conf(5) documents cache_first as a responder (service
# section) option - confirm it has any effect in a domain section.
cache_first = True
# 0 disables the periodic cache cleanup task (sssd-ldap(5)); it is not an
# expiry time for cached entries.
ldap_purge_cache_timeout = 0
ldap_sudo_smart_refresh_interval = 60
ldap_sudo_full_refresh_interval = 21600


# cache_credentials and krb5_store_password_if_offline concern password
# credentials kept for offline logins; they do not control SSH public keys.
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ipa-client.ipa.domain
chpass_provider = ipa
ipa_server = _srv_, ipa-server.ipa.domain
dns_discovery_domain = ipa.domain
# Global section on the client: enabled responders and configured domains.
# NOTE(review): entry_cache_user_timeout is documented in sssd.conf(5) as a
# domain-section option; it is set twice in this section and is presumably
# ignored here. `sssctl config-check` can be used to flag misplaced options.
[sssd]
entry_cache_user_timeout = 60
# Short (unqualified) names are looked up in ad.domain before ipa.domain.
domain_resolution_order = ad.domain,ipa.domain
# "ssh" enables the responder that sss_ssh_authorizedkeys queries.
services = nss, sudo, pam, ssh

domains = ipa.domain
entry_cache_user_timeout = 60
# NSS responder settings on the client.
[nss]
# NOTE(review): entry_cache_user_timeout is documented as a domain-section
# option; it is presumably ignored in a responder section - confirm.
entry_cache_user_timeout = 60
override_shell = /bin/bash
override_homedir = /home/%u
filter_users = root,fedora
homedir_substring = /home

# Remaining responder sections on the client.
# NOTE(review): entry_cache_user_timeout in [pam], [sudo] and [ssh] is presumably
# ignored, because sssd.conf(5) documents it as a domain-section option.
[pam]
entry_cache_user_timeout = 60
debug_level = 9

[sudo]
entry_cache_user_timeout = 60
debug_level = 9

[autofs]

# NOTE(review): if sss_ssh_authorizedkeys no longer returns the deleted key but
# key-based logins still succeed, check key sources outside SSSD that sshd also
# accepts, e.g. the user's ~/.ssh/authorized_keys. After revoking a key,
# `sss_cache -u <user>` invalidates the cached user entry on demand.
[ssh]
entry_cache_user_timeout = 60
debug_level = 9

[pac]
debug_level = 9


[ifp]
debug_level = 9