SSH: Do not print an error message if sss_ssh_authorizedkeys is asked for a local user

If an IPA client uses the SSH integration and a local user logs in with
SSH, the sss_ssh_authorizedkeys looks up their keys in the SSH
responder, which doesn't find the user and returns ENOENT. The
sss_ssh_authorizedkeys reports a failure on any error, including ENOENT
which produced a confusing error message in the logs.

This patch adds a new error code that handles users that are not found
by SSSD but exist on the system and also special cases root with the
same error code. Therefore, logging in as a local user no longer prints
an error message.

Resolves:
https://fedorahosted.org/sssd/ticket/3003

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

1 files changed, 6 insertions, 1 deletions

diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
index 89eda2371..782a9f443 100644
--- a/src/sss_client/ssh/sss_ssh_authorizedkeys.c
+++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
@@ -86,7 +86,12 @@ int main(int argc, const char **argv)
     /* look up public keys */
     ret = sss_ssh_get_ent(mem_ctx, SSS_SSH_GET_USER_PUBKEYS,
                           pc_user, pc_domain, NULL, &ent);
-    if (ret != EOK) {
+    if (ret == ERR_NON_SSSD_USER) {
+        DEBUG(SSSDBG_MINOR_FAILURE,
+              "The user %s is valid, but not handled by sssd\n", pc_user);
+        ret = EXIT_SUCCESS;
+        goto fini;
+    } else if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE,
               "sss_ssh_get_ent() failed (%d): %s\n", ret, strerror(ret));
         ERROR("Error looking up public keys\n");