#4117 sss_ssh_knownhostsproxy can't search by host alias
Opened 3 months ago by yrro. Modified 3 months ago

I've got a host, foo.ipa.example.com and I've added a Kerberos Principal Alias host/foo.local for it.

Although ssh foo.local now lets me authenticate with Kerberos, I'm still prompted to confirm the SSH host key.

It would be nice if the SSH responder was able to look up hosts by any aliases they may have.


Hi,

the sss_ssh_knownhostsproxy utility should try to canonicalize the given name. How do the related DNS records for foo.ipa.example.com and foo.local look like?

bye,
Sumit

A little more detail: I had two laptops on a network that wasn't mine, and was trying to see if I could SSH from one to another using Kerberos for authentication.

So in this scenario the reverse zone isn't controlled by FreeIPA, so PTR records can't be relied upon. And on this particular network, the ISP (Sky) intercept all DNS traffic and drop nsupdate's traffic, so you can't even look up foo.ipa.example.com.

If this is simply not a supported scenario then fair enough. But that said, I don't see why it's necessary to lean on the DNS at all in this scenario: there's a host/foo.local principal available, and foo.local is resolvable via mDNS, so things should Just Work...

Next time I'm in this situation I can attach debug logs for the ssh responder if this is in fact expected to work...

Hi,

thanks for the explanation. I would say that this setup is currently not supported.

As said, currently it is expected that sss_ssh_knownhostsproxy can canonicalized the name with the help of DNS and then asks the ssh responder with the canonical name. As a result the ssh responder and the backend only search in places where the canonical name is stored and do not try try lookup aliases e.g. in the krbPrincipalName attribute where the alias name can be found in your case.

bye,
Sumit

Login to comment on this ticket.

Metadata