#4106 [RFE] Support for SSH Hostbased Authentication
Opened 4 months ago by viniciusferrao. Modified 10 days ago

Hello, I'm extensively using FreeIPA and SSSD with SSH support. One of the features missing from SSSD is proper support for Hostbased Authentication.

As discussed on the FreeIPA mailing list we've mapped the missing parts for this RFE: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/BJBRN4R7VL7ZL5D6GA2GLFYMX7XW72XW/

Basically to setup Hostbased Authentication, the SSH daemon and client expects some configurations and features.

On the server side:
1. /etc/ssh/sshd_config must set HostbasedAuthentication yes.
2. /etc/ssh/ssh_known_hosts must be populated with all the public hosts keys from the connecting clients.
3. /etc/ssh/shosts.equiv must contains all the hosts allowed to connect from. So in my case, since I'm using FreeIPA, I can just put a netgroup and everything is fine.

On the client side:
1. /etc/ssh/ssh_config must set HostbasedAuthentication yes and EnableSSHKeysign yes

So it's basically this, everything works as expected, but only one thing breaks, since it's not supported by SSSD. And it's on the server part: the /etc/ssh/ssh_known_hosts file.

When a client connects to the server, the server read this file, and only this file, to check the client public keys. Since the file does not exists it does not work. But we are aware that SSSD generates a dynamic known_hosts file on /var/lib/sss/pubconf/known_hosts, and if I simply create a symbolic link to this file to /etc/ssh/ssh_known_hosts everything works as expected. The server allows the client to join in using Hostbased Authentication.

This made the trick: ln -s /var/lib/sss/pubconf/known_hosts /etc/ssh/ssh_known_hosts

But we have only one problem open, which is the generation of the /var/lib/sss/pubconf/known_hosts file. This file is generated when a SSH client tries to connect to another server, and then the dynamic known_hosts file starts to get populated. When using Hostbased Authentication this file isn't populated yet, and since only the SSH client can request this file to be populated, the server does not known any key during the connection from a client.

To sum things up. The SSH daemon (sshd) should be able to require from SSSD the host keys from the client trying to connect to him. And them populating the list of hosts. Without this, Hostbased Authentication just fails.

That's the RFE: allow sshd fetch connecting client public keys from SSSD and feed the /var/lib/sss/pubconf/known_hosts. The symbolic link can be done manually without any problem as part of the basic configuration.

Would it help adding a systemd drop-in file to your sshd.service?
Something like

# /etc/systemd/system/sshd.service.d/hba.conf
ExecCondition=/bin/sh -c "test -f /var/lib/sss/pubconf/known_hosts || /usr/bin/sss_ssh_knownhostsproxy -k `hostname` 2>//dev/null"
ExecCondition=/bin/sh -c "test -h /etc/ssh/ssh_known_hosts || test -f /etc/ssh/ssh_known_hosts || ln -s /var/lib/sss/pubconf/known_hosts /etc/ssh/ssh_known_hosts"

Then systemctl daemon-reload and systemctl restart sshd. Of course, you need sshd configuration to be updated but this way you ensure there is a link and we request the file to be created from SSSD.

Login to comment on this ticket.