#2609 [bug] sssd always appends default_domain_suffix when checking for host keys
Closed: Fixed. Opened 9 years ago by nathanpeters.

FreeIPA includes the ability to have the sssd use a host key proxy to check for host keys on the server, rather than using the local known_hosts file, but it breaks if you use the default_domain_suffix.

If you have setup your sssd with the following settings:
default_domain_suffix = addomain.net
use_fully_qualified_names = true

This allows Active Directory users from a trusted Active Directory domain to log in to your FreeIPA clients by entering only 'adusername' at the login prompt instead of 'adusername@addomain.net'.

However, when you turn this setting on, it breaks host key checking. What happens is that the sssd is appending the default_domain_suffix all the time, whether it is needed or not.

Here are my sssd logs during a host key check when using ssh to connect from one FreeIPA host to another (same issue in FreeIPA 3.0.0 / sssd 1.11 and FreeIPA 4.1.2 / sssd 1.12):

(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipaclient1-sandbox-atdev-van.ipadomain.net@addomain.net]
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host

As you can see from the logs, even though I am sending it an FQDN (ipaclient1-sandbox-atdev-van.ipadomain.net), it is still appending @addomain.net to the address before checking for a host key for that host.

Ideally, you would not want it to ever append the name, even if an FQDN is not given. Here is why I think this should be the default behavior.

The default_domain_suffix is meant to be applied to usernames when logging in. It is not meant to be applied to hostnames, especially since the fqdn is quite irrelevant when doing a host key check since you will always be looking for that host in the FreeIPA directory anyway.
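To make the behaviour in the report concrete, here is a small model of the name-qualification step, added as an editorial example; it is not SSSD code and the names in it (lookup_kind, qualify_as_reported, qualify_lookup_name, maps_to) are hypothetical. qualify_as_reported reproduces what the log above shows (the suffix is appended to every name, so the directory lookup key for the host becomes "ipaclient1-sandbox-atdev-van.ipadomain.net@addomain.net" and nothing is found); qualify_lookup_name implements what the reporter asks for: default_domain_suffix is applied only to an unqualified user name and never to an SSH host name, whether or not the host name is dotted. The practical consequence of the reported behaviour is worth keeping in mind when reviewing such a setup: if the proxy never finds the centrally managed key, ssh falls back to its ordinary unknown-host handling, which is exactly the check the proxy was supposed to strengthen.

```c
/* Added example (not SSSD code): a minimal model of the name-qualification
 * step described in the report above.  qualify_as_reported() reproduces the
 * observed behaviour (default_domain_suffix appended to every name);
 * qualify_lookup_name() is the behaviour the reporter asks for.  All names
 * here (lookup_kind, qualify_*, maps_to) are hypothetical, chosen for the
 * example.  Sample names are taken from the report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum lookup_kind { LOOKUP_USER, LOOKUP_SSH_HOST };

/* Heap copy of s; caller frees.  Avoids strdup, which is POSIX, not ISO C. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out) memcpy(out, s, n);
    return out;
}

/* "name@suffix", heap allocated; caller frees. */
static char *append_suffix(const char *name, const char *suffix)
{
    size_t n = strlen(name), s = strlen(suffix);
    char *out = malloc(n + 1 + s + 1);
    if (!out) return NULL;
    memcpy(out, name, n);
    out[n] = '@';
    memcpy(out + n + 1, suffix, s + 1);
    return out;
}

/* Behaviour seen in the report: the suffix is appended regardless of what
 * is being looked up, so a host FQDN becomes "host.ipadomain.net@addomain.net"
 * and the directory search for the host key finds nothing. */
char *qualify_as_reported(const char *name, const char *default_domain_suffix,
                          enum lookup_kind kind)
{
    (void)kind;
    return append_suffix(name, default_domain_suffix);
}

/* Desired behaviour: default_domain_suffix is a login-name convenience.
 * Append it only to an unqualified user name; never touch SSH host names,
 * whether or not a dotted FQDN was supplied. */
char *qualify_lookup_name(const char *name, const char *default_domain_suffix,
                          enum lookup_kind kind)
{
    if (kind == LOOKUP_SSH_HOST)
        return dup_str(name);
    if (strchr(name, '@') != NULL ||
        default_domain_suffix == NULL || *default_domain_suffix == '\0')
        return dup_str(name);           /* already qualified, or no suffix */
    return append_suffix(name, default_domain_suffix);
}

/* Check helper: 1 if the corrected function maps name to expected. */
int maps_to(const char *name, const char *suffix, enum lookup_kind kind,
            const char *expected)
{
    char *got = qualify_lookup_name(name, suffix, kind);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

/* Same check against the reported behaviour, to show the difference. */
int reported_maps_to(const char *name, const char *suffix,
                     enum lookup_kind kind, const char *expected)
{
    char *got = qualify_as_reported(name, suffix, kind);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    const char *host = "ipaclient1-sandbox-atdev-van.ipadomain.net";
    const char *suffix = "addomain.net";
    char *a = qualify_as_reported(host, suffix, LOOKUP_SSH_HOST);
    char *b = qualify_lookup_name(host, suffix, LOOKUP_SSH_HOST);
    char *c = qualify_lookup_name("adusername", suffix, LOOKUP_USER);
    printf("reported lookup key : %s\n", a);
    printf("corrected lookup key: %s\n", b);
    printf("user login name     : %s\n", c);
    free(a); free(b); free(c);
    return 0;
}
```

The user-name branch keeps the existing convenience intact (a bare 'adusername' still becomes 'adusername@addomain.net', and an already qualified name is left alone); only the host branch changes, which is the whole scope of the fix the reporter argues for.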


Thank you for the bug report; I sent a patch to sssd-devel.

owner: somebody => jhrozek
patch: 0 => 1
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13 alpha

resolution: => fixed
status: assigned => closed

Metadata Update from @nathanpeters:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.13 alpha

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3650

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
