SSH-Bash Orchestrator Job History Warning Resolution

Previously, once the Bash orchestrator was configured correctly, it was unlikely to fail during a sync job. With the introduction of SSSD support, the orchestrator must perform additional validation as it applies the configured state passed down from the server. Specifically, it must validate that:

  • The home directory known by SSSD falls directly underneath the LogonHomeDirectories setting value.
  • The location of the authorized_keys directory as understood by SSHD is the home directory known by SSSD.
  • The given logon must be resolvable in SSSD.

If one or more of these checks fail, the logon is not created or its keys are not published. In that case, a message is returned on the Orchestrator Jobs page for the sync job with a Warning result (see Job History). These messages continue to be returned until all issues are resolved. The appropriate resolution depends on the issue itself. See Table 86: Bash Orchestrator Job History Warning Resolution for examples of possible solutions.

Table 86: Bash Orchestrator Job History Warning Resolution

Issue: The home directory known by SSSD doesn't fall directly underneath the LogonHomeDirectories setting value.
Resolution: Change the logon's home directory in the identity source that SSSD is pulling the identity from so that it sits exactly one directory level under the configured value for the LogonHomeDirectories setting.

Issue: The location of the authorized_keys directory as understood by SSHD is not the home directory known by SSSD.
Resolution: Modify the local SSHD configuration so that the authorized_keys file resolves to the user's home directory and the user's home directory is nested directly beneath the Bash orchestrator's LogonHomeDirectories setting value.

Issue: A given logon cannot be resolved in SSSD.
Resolution:
  • Ensure that the given logon name is valid in SSSD.

    Tip:  The Bash orchestrator treats SSSD logon names as case sensitive, even though the SSSD lookup itself succeeds regardless of case. Ensure that the logon name entered matches the logon name as presented by SSSD (see SSH-SSSD Case Sensitivity Flag).
  • If the logon is found not to be a valid logon on the server, delete the logon on the Keyfactor Command server and add the correct one.
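The following script is an added example, not Keyfactor's own code: it re-runs the three checks described above on a host so an administrator can find the failing one before (or after) the sync job reports a warning. It assumes SSSD answers `getent passwd` and that the effective AuthorizedKeysFile comes from `sshd -T`; both are passed in as arguments so the functks can be exercised with constructed data.

```shell
#!/bin/sh
# Added example (not Keyfactor's code): reproduce the Bash orchestrator's three
# SSSD validation checks. Assumptions: the SSSD-backed lookup is 'getent passwd'
# and the sshd setting is read from 'sshd -T'; both are passed as arguments.

# check_home_under_base HOME BASE -> 0 if HOME is exactly one level under BASE
check_home_under_base() {
    [ "$(dirname "${1%/}")" = "${2%/}" ]
}

# check_authorized_keys PATTERN HOME USER -> 0 if the AuthorizedKeysFile
# pattern resolves to a path inside HOME. Expands sshd's %h and %u tokens and
# treats a relative path as relative to HOME, as sshd does.
check_authorized_keys() {
    home=${2%/}; first=${1%% *}               # first file if several listed
    resolved=$(printf '%s' "$first" | sed "s|%h|$home|g; s|%u|$3|g")
    case $resolved in /*) ;; *) resolved="$home/$resolved" ;; esac
    case $resolved in "$home"/*) return 0 ;; *) return 1 ;; esac
}

# check_logon_resolvable USER PASSWD_DB -> 0 if USER appears in passwd-format
# output. The match is case sensitive, mirroring the orchestrator's behaviour
# even though SSSD itself would answer a differently-cased lookup.
check_logon_resolvable() {
    printf '%s\n' "$2" | grep -q -- "^$1:"
}

# validate_logon USER BASE PATTERN PASSWD_DB -> prints the first failing check
# (in the spirit of the job history warnings) and returns 1; 0 if all pass.
validate_logon() {
    user=$1; base=$2; pattern=$3; db=$4
    if ! check_logon_resolvable "$user" "$db"; then
        echo "logon '$user' cannot be resolved in SSSD"; return 1
    fi
    home=$(printf '%s\n' "$db" | grep -- "^$user:" | cut -d: -f6)
    if ! check_home_under_base "$home" "$base"; then
        echo "home $home is not directly under LogonHomeDirectories $base"; return 1
    fi
    if ! check_authorized_keys "$pattern" "$home" "$user"; then
        echo "AuthorizedKeysFile '$pattern' does not resolve under $home"; return 1
    fi
    return 0
}

# Live use on a host (constructed call; replace /home with your setting value):
# validate_logon alice /home \
#   "$(sshd -T | sed -n 's/^authorizedkeysfile //p')" "$(getent passwd)"
```

The live call needs root for `sshd -T`; the functions themselves run as any user against the constructed passwd data shown in the comments.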