
I have a small SFTP server setup using SSSD to authenticate users via LDAP using SSH keys. This works completely fine for basic usernames (i.e. "ausername"), but I've been requested to make a change so users log in with their email addresses instead; these could be from any domain.

On first login attempt as "test@example.com", SSSD fetches the email address user just fine and drops it in the local database along with the public key, originalDn and everything else. Now my issue is that the login then fails and the user can't log in. In the logs I get the error:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys test@example.com failed, status 1

If I try to run the command manually on the host I get:

Error looking up public keys

A "getent passwd test@example.com" returns what I'd expect to see.

I guess it's something to do with the local DN for the user being set to "test@example.com@ldap" and SSSD is failing to fetch the sshPublicKey from its own DB? But attempting to log in as "test@example.com@ldap" or to use the above commands to test manually also fails. I'm stumped as to how to get past this.

Here's my SSSD config:

[sssd]
config_file_version = 2
services = nss, pam, ssh, sudo
# Number of times services should attempt to reconnect in the event of a Data Provider crash
reconnection_retries = 3

domains = LDAP
full_name_format = %1$s

###########
### NSS ###
###########
[nss]
override_homedir = LDAP_HOMEDIR
homedir_substring = /

memcache_timeout = 600

###########
### PAM ###
###########
[pam]

###################
### LDAP DOMAIN ###
###################
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = allow
debug_level = 10
ldap_uri = LDAP_URI
ldap_search_base = LDAP_BASE_ROOT
ldap_user_ssh_public_key = sshPublicKey
cache_credentials = true

ldap_id_use_start_tls = true

Any help appreciated.

1 Answer

If anyone comes across this in the future: I managed to solve this about 10 minutes after posting, which was about 10 hours into trying to figure this one out. Under your domain config in sssd.conf add:

re_expression = (?P<name>.+)
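To see why that one line matters, here is an added toy model of SSSD's login-name parsing (example code, not part of the answer and not SSSD's own implementation). It applies the LDAP provider's documented default re_expression (quoted from memory of sssd.conf(5); verify against your version) and the answer's replacement to the same login strings, with the configured domain set taken from the posted sssd.conf.

```python
import re

# Default re_expression for the LDAP provider as documented in sssd.conf(5).
# Assumption: quoted from memory, check the man page shipped with your SSSD.
DEFAULT_RE = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
# The setting from the answer: the whole login string is the user name.
FIXED_RE = r"(?P<name>.+)"

# From `domains = LDAP` in the question's sssd.conf.
CONFIGURED_DOMAINS = {"LDAP"}


def split_login(login: str, expression: str):
    """Mimic SSSD's name parsing: return (name, domain) from the named groups.

    A missing or empty 'domain' group means "no domain given" (None).
    """
    m = re.match(expression, login)
    if m is None:
        return None, None
    groups = m.groupdict()
    return groups.get("name"), (groups.get("domain") or None)


def resolve(login: str, expression: str):
    """Return (domain, name) the lookup would run against, or None on failure.

    Toy model only: SSSD's real lookup logic has more cases (e.g. domain
    suffix defaults), but this is the part that bites an email-style login.
    """
    name, domain = split_login(login, expression)
    if name is None:
        return None
    if domain is None:
        # No explicit domain: search the configured domain(s).
        return ("LDAP", name)
    if domain not in CONFIGURED_DOMAINS:
        # "example.com" is parsed as a domain name that SSSD does not serve,
        # which is what makes sss_ssh_authorizedkeys fail on the default regex.
        return None
    return (domain, name)
```

With the default expression "test@example.com" is split into user "test" in the unknown domain "example.com", while `(?P<name>.+)` keeps the full address as the name and lets the LDAP domain answer. The trade-off is that with no `domain` group a login string can no longer select a domain explicitly, which only matters if you later add more than the one domain configured here.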