Hiya. Hitting a weird issue here where remote users from an LDAP server are unable to log in via an ssh public key.
I have no interest in using password authentication, and my ldap server actually cannot support this. All my local users auth with keys too.
The user exists, has an ssh key, can be su-ed, and everything seems fine.
truenas_admin@truenas[~]$ id thomasj
uid=1883986594(thomasj) gid=1883986594(thomasj) groups=1883986594(thomasj),2015288744(truenas_users),2017331255(cube_admins)
truenas_admin@truenas[~]$ getent passwd thomasj
thomasj:*:1883986594:1883986594:Thomas Aldrian:/mnt/nvmepool/shares/private/thomasj:/bin/bash
truenas_admin@truenas[~]$ sudo -u nobody sss_ssh_authorizedkeys thomasj
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhlG2kGZ+GpNonuiVkMmXU/jLvgQ4GLBkVSdPjwpVHf thomas@thomas-t15p2
truenas_admin@truenas[~]$ sudo su thomasj -c whoami
thomasj
I have updated SSH auxiliary parameters as follows:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
and for good measure my LDAP aux params (btw your UI hints and docs are still wrong and suggest this should be nslcd config, but I’m fairly certain TrueNAS has been using sssd for a solid while now):
override_homedir = /mnt/nvmepool/shares/private/%u
entry_cache_timeout = 120
ldap_group_object_class = object
ldap_group_search_base = dc=idm,dc=thomasaldrian,dc=net?subtree?(|(objectClass=posixAccount)(objectClass=posixGroup))
ignore_group_members = True
Nothing here should be an issue. The group search is like that because primary groups aren’t searchable in my ldap server (kanidm), but the presence of a posixAccount implies the existence of the primary group. There’s a home dir override (which works when you su) and that’s it.
(sidenote: why are groups so broken in TrueNAS? why is group members not being visible via group.query the expected behaviour???)
However, when I try to ssh in, I get Permission denied (publickey). I have tested the exact same key on local users and everything works fine, so this seems to be an LDAP/sssd issue?
Enabling debug logging for sshd, we get PAM errors?? No mention of even checking authorized keys, just straight up the user doesn’t appear to exist. Having looked through /etc/pam.d/ it would appear pam_sss.so should be being loaded, so I have no idea what’s going on.
/var/log/auth.log:
[...]
Feb 19 22:40:10 truenas audit[11215]: USER_LOGIN pid=11215 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=login acct="thomasj" exe="/usr/sbin/sshd" hostname=? addr=111.222.333.444 terminal=sshd res=failed'
Feb 19 22:40:10 truenas sshd[11215]: Connection closed by authenticating user thomasj 111.222.333.444 port 47716 [preauth]
Feb 19 22:40:10 truenas audit[11215]: USER_ERR pid=11215 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=111.222.333.444 addr=111.222.333.444 terminal=ssh res=failed'
IP address redacted obviously.
I also noticed in the web ui and from the api, the user appears to not have a GID, and SSH ‘Key not set’. I’m not sure if this is related, right now I’m simply putting that down as the api just being wrong.
If anyone has any suggestions please do tell, I feel like I’m going insane here.
Many thanks
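Editor's note with an added example (not part of the post above, and not TrueNAS or sssd code). Two things in the log are worth pinning down before touching sssd. "Connection closed by authenticating user thomasj ... [preauth]" is the wording sshd uses once it has resolved the account (an unresolvable name is logged as "invalid user"), so name resolution through sssd is working and the rejection happens inside the public-key step. The PAM:bad_ident record is, as I read libpam's pam_audit.c, written from pam_end when none of the audited PAM stacks ran; a rejected public key never reaches pam_authenticate or pam_acct_mgmt, so that line is a consequence of the key rejection rather than evidence that PAM could not identify the user. The helpers below reproduce the two checks sshd applies in the public-key step (key equality, which ignores the trailing comment; and the root-owned, not group/world-writable rule for the AuthorizedKeysCommand binary) and pull fields out of the audit records. The sample key and audit line are copied from the post; the offered key's comment, the unrelated key, and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added diagnostic helpers for the public-key path sshd walks before it answers
# "Permission denied (publickey)". Not from the original post or from TrueNAS;
# the key line and audit record below are copied from the post, everything
# else (the offered key's comment, the unrelated key) is constructed.

# 1. Key equality as sshd applies it: only "<type> <base64>" is compared, the
#    trailing comment is ignored, and a line may carry an options prefix
#    ("from=...,command=..."), so the key type is located by pattern rather
#    than by field position. Exit 0 when the offered key appears in the output.
key_matches() {  # $1 = key line the client offers, $2 = AuthorizedKeysCommand output
    printf '%s\n' "$1" "$2" | awk '
        function blob(    i) {               # "<type> <base64>" of the current line
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) return $i " " $(i + 1)
            return ""
        }
        NR == 1        { want = blob(); next } # first line is the offered key
        /^#/ || NF < 2 { next }                # comments and blank lines
        blob() == want { found = 1 }
        END { exit (want != "" && found) ? 0 : 1 }'
}

# 2. The ownership/mode rule sshd enforces on the AuthorizedKeysCommand binary:
#    root-owned and neither group- nor world-writable, otherwise sshd logs
#    "Unsafe AuthorizedKeysCommand ... bad ownership or modes" and never runs it.
perms_are_safe() {  # $1 = owner uid, $2 = octal mode as printed by stat -c %a
    [ "$1" -eq 0 ] || return 1
    printf '%s\n' "$2" | awk '{
        g = substr($0, length($0) - 1, 1); o = substr($0, length($0), 1)
        exit (int(g / 2) % 2 == 1 || int(o / 2) % 2 == 1) ? 1 : 0 }'
}
command_is_safe() {  # $1 = absolute path given to AuthorizedKeysCommand (GNU stat assumed)
    [ -f "$1" ] || return 1
    perms_are_safe "$(stat -c %u "$1")" "$(stat -c %a "$1")"
}

# 3. Pull one field out of a Linux audit record so USER_LOGIN / USER_ERR lines
#    can be triaged without reading them by eye. Handles quoted and bare values.
audit_field() {  # $1 = audit line, $2 = field name (op, acct, res, addr, ...)
    printf '%s\n' "$1" | sed -n "s/.*[ ']$2=\"\{0,1\}\([^\" ']*\)\"\{0,1\}.*/\1/p"
}

# Sample data: SSS_OUT is the sss_ssh_authorizedkeys output from the post;
# OFFERED is the same key as it would sit in a local id_ed25519.pub with a
# different comment (constructed); OTHER is a constructed unrelated key;
# AUDIT_ERR is the USER_ERR record from the post.
SSS_OUT='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhlG2kGZ+GpNonuiVkMmXU/jLvgQ4GLBkVSdPjwpVHf thomas@thomas-t15p2'
OFFERED='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhlG2kGZ+GpNonuiVkMmXU/jLvgQ4GLBkVSdPjwpVHf thomas@laptop'
OTHER='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA nobody@nowhere'
AUDIT_ERR="Feb 19 22:40:10 truenas audit[11215]: USER_ERR pid=11215 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:bad_ident grantors=? acct=\"?\" exe=\"/usr/sbin/sshd\" hostname=111.222.333.444 addr=111.222.333.444 terminal=ssh res=failed'"

# Walk the chain the way sshd does. On the real box replace SSS_OUT with
#   sudo -u nobody /usr/bin/sss_ssh_authorizedkeys thomasj
# and OFFERED with the contents of the client's public key file.
key_matches "$OFFERED" "$SSS_OUT" && echo "key: match (comment ignored)"
key_matches "$OTHER" "$SSS_OUT" || echo "key: no match for unrelated key"
if command_is_safe /usr/bin/sss_ssh_authorizedkeys; then
    echo "command: root-owned and not group/world-writable"
else
    echo "command: missing here, or ownership/modes sshd would reject"
fi
echo "audit: op=$(audit_field "$AUDIT_ERR" op) acct=$(audit_field "$AUDIT_ERR" acct) res=$(audit_field "$AUDIT_ERR" res)"
```

If the key comparison and the mode check both pass on the box, the remaining difference between the manual `sudo -u nobody` run and sshd's run is the environment sshd gives the command; `sshd -ddd -p 2222` on a spare port prints the AuthorizedKeysCommand invocation and its result line by line, which is the quickest way to see which of the two is failing.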
