Hello, I'm extensively using FreeIPA and SSSD with SSH support. One of the features missing from SSSD is proper support for Hostbased Authentication.
As discussed on the FreeIPA mailing list we've mapped the missing parts for this RFE: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/BJBRN4R7VL7ZL5D6GA2GLFYMX7XW72XW/
Basically, to set up Hostbased Authentication the SSH daemon and client expect some configuration and features.

On the server side:
1. /etc/ssh/sshd_config must set HostbasedAuthentication yes.
2. /etc/ssh/ssh_known_hosts must be populated with the public host keys of all connecting clients.
3. /etc/ssh/shosts.equiv must contain all the hosts allowed to connect from. So in my case, since I'm using FreeIPA, I can just put a netgroup there and everything is fine.
On the client side:
1. /etc/ssh/ssh_config must set HostbasedAuthentication yes and EnableSSHKeysign yes.
So it's basically this; everything works as expected, but one thing breaks, since it's not supported by SSSD, and it's on the server side: the /etc/ssh/ssh_known_hosts file.

When a client connects to the server, the server reads this file, and only this file, to check the client's public keys. Since the file does not exist, it does not work. But we are aware that SSSD generates a dynamic known_hosts file at /var/lib/sss/pubconf/known_hosts, and if I simply create a symbolic link from /etc/ssh/ssh_known_hosts to this file, everything works as expected. The server allows the client to join using Hostbased Authentication.

This did the trick: ln -s /var/lib/sss/pubconf/known_hosts /etc/ssh/ssh_known_hosts
But we have one problem still open, which is the generation of the /var/lib/sss/pubconf/known_hosts file. This file is generated when an SSH client tries to connect to another server; only then does the dynamic known_hosts file start to get populated. When using Hostbased Authentication this file isn't populated yet, and since only the SSH client can request this file to be populated, the server does not know any key during the connection from a client.

To sum things up: the SSH daemon (sshd) should be able to request from SSSD the host keys of the client trying to connect to it, and then populate the list of hosts. Without this, Hostbased Authentication just fails.

That's the RFE: allow sshd to fetch connecting clients' public keys from SSSD and feed /var/lib/sss/pubconf/known_hosts. The symbolic link can be created manually without any problem as part of the basic configuration.
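The server- and client-side setup the post describes, written as idempotent shell functions. This is an added example, not code from the ticket or from the SSSD project. The ROOT prefix, the function names, and the netgroup name ipa_ssh_hosts used in the usage note are assumptions made for illustration; on a real host ROOT stays empty and the functions run as root.

```shell
#!/bin/sh
# Added example (not code from the ticket or from SSSD): the sshd/ssh
# configuration for Hostbased Authentication on an SSSD/FreeIPA host.
# ROOT is a hypothetical prefix so the functions can be exercised against
# a scratch directory; leave it empty on a real host.
ROOT="${ROOT:-}"

# set_option FILE KEY VALUE
# sshd and ssh take the first occurrence of an option, so an existing
# (possibly commented-out) KEY line is rewritten in place; otherwise the
# option is inserted before the first Match block (an appended line would
# otherwise become part of that block), or appended if there is none.
set_option() {
  file="$1" key="$2" value="$3"
  mkdir -p "$(dirname "$file")"
  [ -f "$file" ] || : > "$file"
  if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
    sed -i -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file"
  elif grep -q '^Match' "$file"; then
    awk -v line="$key $value" '/^Match/ && !done { print line; done = 1 } { print }' \
      "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# option_value FILE KEY: the effective value (first uncommented occurrence).
option_value() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# configure_server NETGROUP: the sshd side. "+@NETGROUP" in shosts.equiv
# admits every host in the FreeIPA netgroup; users on those hosts may log
# in as the same-named account here, so every member host is fully trusted.
configure_server() {
  netgroup="$1"
  set_option "$ROOT/etc/ssh/sshd_config" HostbasedAuthentication yes
  mkdir -p "$ROOT/etc/ssh"
  printf '+@%s\n' "$netgroup" > "$ROOT/etc/ssh/shosts.equiv"
  chmod 0644 "$ROOT/etc/ssh/shosts.equiv"
  # sshd checks client host keys only against /etc/ssh/ssh_known_hosts;
  # point it at the file SSSD maintains (the ticket's symlink workaround).
  link="$ROOT/etc/ssh/ssh_known_hosts"
  [ -h "$link" ] || [ -f "$link" ] || ln -s "$ROOT/var/lib/sss/pubconf/known_hosts" "$link"
}

# configure_client: the ssh side. EnableSSHKeysign lets the setuid
# ssh-keysign helper sign the hostbased challenge with the host key.
configure_client() {
  set_option "$ROOT/etc/ssh/ssh_config" HostbasedAuthentication yes
  set_option "$ROOT/etc/ssh/ssh_config" EnableSSHKeysign yes
}

# prime_known_hosts HOST...: SSSD only writes pubconf/known_hosts when an
# ssh client looks a host up, so ask it for each allowed client's key up
# front. Needs sss_ssh_knownhostsproxy and a reachable IPA server, so it
# is not exercised offline.
prime_known_hosts() {
  rc=0
  for h in "$@"; do
    sss_ssh_knownhostsproxy -k "$h" > /dev/null 2>&1 || { echo "no key for $h" >&2; rc=1; }
  done
  return $rc
}
```

On the server, `configure_server ipa_ssh_hosts`, then `prime_known_hosts` with each client's FQDN, then restart sshd; on each client, `configure_client`. Two caveats a practitioner should keep in mind: by default sshd reverse-resolves the connecting address and matches that name against shosts.equiv, so reverse DNS for every client must be correct, and because any user on a listed host can log in as the same-named account, root on any host in the netgroup can impersonate every one of that host's users, so the netgroup should contain only hosts you would trust that far.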
Would it help adding a systemd drop-in file to your sshd.service? Something like

# /etc/systemd/system/sshd.service.d/hba.conf
[Service]
ExecCondition=/bin/sh -c "test -f /var/lib/sss/pubconf/known_hosts || /usr/bin/sss_ssh_knownhostsproxy -k `hostname` 2>/dev/null"
ExecCondition=/bin/sh -c "test -h /etc/ssh/ssh_known_hosts || test -f /etc/ssh/ssh_known_hosts || ln -s /var/lib/sss/pubconf/known_hosts /etc/ssh/ssh_known_hosts"

Then systemctl daemon-reload and systemctl restart sshd. Of course, you need the sshd configuration to be updated, but this way you ensure there is a link and we request the file to be created from SSSD.
Metadata Update from @thalman: - Issue tagged with: Future milestone
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/5069

If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @pbrezina: - Issue close_status updated to: cloned-to-github - Issue status updated to: Closed (was: Open)