IdM allows you to ssh from a non-enrolled host into an IdM-enrolled host using Smart Card authentication instead of ssh authorized keys. The ssh command to log in as demosc1 on the host ipaclient.ipadomain.com would be:
localuser@localhost$ ssh -I /usr/lib64/opensc-pkcs11.so -l demosc1 ipaclient.ipadomain.com
Enter PIN for 'PIV_II (PIV Card Holder pin)':
The -I option specifies the PKCS#11 shared library to use, and -l the username on the remote host.
Configuration of the local host
First check that the local host is properly configured for Smart Cards: the opensc package must be installed, and the Smart Card daemon (pcscd) must be running.
localuser@localhost$ sudo dnf install opensc
localuser@localhost$ sudo systemctl start pcscd.service pcscd.socket
Configuration of the remote (IdM) host
When IdM is properly configured, ssh will prompt for the SmartCard PIN and authenticate the user. If there is an issue with the certificate, ssh will fall back to another authentication type (private keys or username/password).
In this case, enable debug logs for ssh authentication on the IdM host. Edit /etc/sssd/sssd.conf and add the following line to the [ssh] section:
[ssh]
debug_level = 9
then restart sssd using
root@ipaclient$ systemctl restart sssd
The logs will be located on the IdM host in /var/log/sssd/sssd_ssh.log.
The Smart Card CA is not trusted by SSSD
If you see the following in /var/log/sssd/sssd_ssh.log:
[sssd[ssh]] [cert_to_ssh_key] (0x0020): CERT_VerifyCertificateNow failed [-8179].
[sssd[ssh]] [get_valid_certs_keys] (0x0040): cert_to_ssh_key failed, ignoring.
then it means that the CA that signed the Smart Card certificate is not trusted. The trusted certificates are stored in /etc/pki/nssdb and can be listed with:
root@ipaclient$ certutil -L -d /etc/pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

SmartCardCA                                                  CT,C,C
If the CA certificate is missing, add it with:
root@ipaclient$ certutil -A -d /etc/pki/nssdb -n SmartCardCA -t CT,C,C -i ca.pem
The user is not an IdM user
If the ssh operation does not log any line in /var/log/sssd/sssd_ssh.log, it probably means that the supplied user name is not a user defined in IdM. You can check with:
root@ipaclient$ ipa user-find demosc1
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
Check that you provided the right user name, or define an IdM user and associate the SmartCard certificate with this user.
The certificate is not mapped to the IdM user
If you see the following in /var/log/sssd/sssd_ssh.log:
Found 1 entries in domain ipadomain.com
but the authentication still fails, check that the SmartCard certificate is associated with the provided username (refer to the mapping between a SmartCard certificate and an IdM user).
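The three log checks above can be scripted. The following POSIX shell script is an added example and is not part of the original post or of SSSD/IdM: it classifies an sssd_ssh.log file into the three cases described (empty log, untrusted CA, user found but mapping to verify) and checks a certutil -L listing for the CA nickname with a trusted-CA flag. The log lines, the certutil output and the nickname SmartCardCA are constructed samples copied from the post; on a real IdM host the log is /var/log/sssd/sssd_ssh.log and the listing comes from certutil -L -d /etc/pki/nssdb.

```shell
#!/bin/sh
# Added example, not from the original post: classify the sssd_ssh.log
# symptoms described above and check an NSS database listing for the CA.
# All inputs below are constructed samples.

# Classify an sssd_ssh.log file. Prints exactly one tag:
#   not-idm-user   - log is empty, sssd never saw the user (run ipa user-find)
#   ca-not-trusted - certificate verification failed (CA missing from nssdb)
#   user-found     - user resolved; check the certificate-to-user mapping
#   unknown        - none of the known patterns matched
diagnose_sssd_ssh_log() {
    log=$1
    if [ ! -s "$log" ]; then
        echo not-idm-user
    elif grep -q 'CERT_VerifyCertificateNow failed' "$log"; then
        echo ca-not-trusted
    elif grep -q 'Found [1-9][0-9]* entries in domain' "$log"; then
        echo user-found
    else
        echo unknown
    fi
}

# Map a tag to the remediation given in the post.
explain() {
    case $1 in
        not-idm-user)   echo 'Verify the user name, or create the IdM user and map the certificate to it.' ;;
        ca-not-trusted) echo 'Add the CA: certutil -A -d /etc/pki/nssdb -n SmartCardCA -t CT,C,C -i ca.pem' ;;
        user-found)     echo 'Check that the Smart Card certificate is mapped to this IdM user.' ;;
        *)              echo 'Raise debug_level in the [ssh] section of sssd.conf and retry.' ;;
    esac
}

# Read "certutil -L" output on stdin; return 0 when nickname $1 is listed
# with the C (trusted CA) flag in the SSL trust slot, 1 otherwise.
# Assumes the nickname contains no whitespace.
nss_has_trusted_ca() {
    awk -v nick="$1" '
        NF == 2 && $1 == nick { split($2, t, ","); if (t[1] ~ /C/) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Write constructed sample inputs into a temporary directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/untrusted_ca.log" <<'EOF'
[sssd[ssh]] [cert_to_ssh_key] (0x0020): CERT_VerifyCertificateNow failed [-8179].
[sssd[ssh]] [get_valid_certs_keys] (0x0040): cert_to_ssh_key failed, ignoring.
EOF
    printf 'Found 1 entries in domain ipadomain.com\n' > "$dir/mapped_user.log"
    : > "$dir/empty.log"
    cat > "$dir/certutil.txt" <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

SmartCardCA                                                  CT,C,C
OtherCert                                                    u,u,u
EOF
    echo "$dir"
}

# Stand-alone run over the constructed samples.
d=$(make_samples)
for f in untrusted_ca mapped_user empty; do
    tag=$(diagnose_sssd_ssh_log "$d/$f.log")
    printf '%s.log -> %s: %s\n' "$f" "$tag" "$(explain "$tag")"
done
if nss_has_trusted_ca SmartCardCA < "$d/certutil.txt"; then
    echo 'SmartCardCA is present with a trusted-CA flag'
fi
rm -rf "$d"
```

On a real host, replace the sample path with /var/log/sssd/sssd_ssh.log (after setting debug_level = 9 as described above) and pipe certutil -L -d /etc/pki/nssdb into nss_has_trusted_ca. The order of the checks matters: an empty log is tested first because the CA and mapping patterns only appear once SSSD has resolved the user.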