#2655 [RFE] Add an 'ipa-client-sshkey --refresh' command to allow a host principal to update its SSH public host key
Opened 7 years ago by sgallagh. Modified 2 years ago

It would be useful for hosts to be able to roll their host keys, as well as for reinstalled hosts to generate new keys (rather than trying to escrow the old ones).

To this end, I propose that the public host keys should be writable by the host principal and an XMLRPC routine should be written to be able to update and replace the public key in LDAP.

Hosts can do this now. Is it not working for you?

Is there a way to generate a new host SSH key pair and tell IPA client to update in the central location? I am not sure if it is possible. I have not haired that it is. We should call it out as a feature explicitly if it does.

# kinit host/client.example.com -kt /etc/krb5.keytab
# yum -y install ipa-admintools
# ipa host-mod --sshpubkey=<base64_blob_of_key> client.example.com

This will replace the existing key(s) with this one.

I do not think this would fly. This would turn the client into a management station. IMO it is too heavy. I was looking for something like ipa-join or certmonger to grow this capability without requiring the full administrative package.
Alternatively we can start fragmenting the ipa_admintools and extract host management tools into a separate package if possible. I mean have a subset of the interface that includes only commands that can be executed by the host using host credential.

Ok, I was not aware that the XMLRPC call was already available (presumably that's what's happening under the hood with ipa host-mod).

I agree with Dmitri however that this functionality should be part of the ipa-client package and not the ipa-admintools package (for the reason that this function at least should be available on all hosts, not just those hosts that will administer IPA).

I assume that since the XMLRPC already exists it should be fairly trivial to build a utility script to perform just that function.

That's fine, I was just pointing out that this is already possible.

So a new command like ipa-client-sshkey --refresh? This would re-read all local keys and upload them to IPA?

What do you mean by "all local keys". Shouldn't there only be a single host key?

It may have different kinds of keys, like a DSS and RSA key.

Can we close it then?

No, but I've changed the title to more accurately reflect what we're asking for now.

This can be done with:

$ ipa host-mod $HOSTNAME `awk '{ print "--sshpubkey", $2 }' /etc/ssh/ssh_host_*_key.pub`

Isn't that good enough?

Replying to [comment:11 jcholast]:

This can be done with:
$ ipa host-mod $HOSTNAME awk '{ print "--sshpubkey", $2 }' /etc/ssh/ssh_host_*_key.pub
Isn't that good enough?

See comment 5. The issue is that the 'ipa' command is only available if you have the 'freeipa-admintools' package installed. However, this functionality should be a part of all client installs, not just those that will be administering the system.

So this request is for a new tool that can be included in the 'freeipa-client' package.

I see, sorry for not reading all the comments.

I don't think a new tool is necessary for this, I would suggest doing something like {{{ipa-client-install --ssh-update}}}.

It might be nice to (also) do this as part of a generic client refresh operation, as requested in #1609.

Moving to next month iteration.

Since there is now another request for this functionality moving to triage bucket for re-review.

Moving to earlier release, we will re-assess in 4.1.

The FreeIPA 4.2 was already shaped (see [[milestone:FreeIPA 4.2]] milestone), this does not fit. Pushing out.

If anyone is willing to help and contribute to this one, please let us know!

I have extracted existing lines of code from install() and uninstall() functions in ipa-client-install to create functionality described above, added a command-line param group and option.

ipa-client-install works only under root, to work with the API you need user's principal, to update SSHFP records you need access to hosts keytab and host's principal, so current workflow is either:

$ sudo kinit admin
$ sudo ipa-client-install --ssh-update


$ sudo -s
# kinit admin
# ipa-client-install --ssh-update


$ ipa host-show vpns1 --raw --all | grep ipaSshPubKey
$ dig SSHFP vpns1.stefany.eu | grep -e "^vpns1.stefany.eu.*SSHFP"
vpns1.stefany.eu.       1200    IN      SSHFP   1 1 4DF7C131A3D38AC6450D4628571DB7237860B7C0
vpns1.stefany.eu.       1200    IN      SSHFP   1 2 A3EF01FC4F496FE670647E77520667B21628FB74DBBB005BA042C433 4F49E522
vpns1.stefany.eu.       1200    IN      SSHFP   3 1 FBB35AF6172ED04265193902C6F9A1228C205457
vpns1.stefany.eu.       1200    IN      SSHFP   3 2 F2DFB42664D9C6BA45ECFD0BDBF3455315A59D560984CBFDA84F6633 0CAFC1D1

# rm -fv /etc/ssh/ssh_host_*
removed ‘/etc/ssh/ssh_host_ecdsa_key’
removed ‘/etc/ssh/ssh_host_ecdsa_key.pub’
removed ‘/etc/ssh/ssh_host_ed25519_key’
removed ‘/etc/ssh/ssh_host_ed25519_key.pub’
removed ‘/etc/ssh/ssh_host_rsa_key’
removed ‘/etc/ssh/ssh_host_rsa_key.pub’
# systemctl start sshd-keygen.service
# ./ipa-client-install-sshupdate --ssh-update
trying https://idmc1.stefany.eu/ipa/session/json
Forwarding 'ping' to json server 'https://idmc1.stefany.eu/ipa/session/json'
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to json server 'https://idmc1.stefany.eu/ipa/session/json'

$ ipa host-show vpns1 --raw --all | grep ipaSshPubKey
$ dig SSHFP vpns1.stefany.eu | grep -e "^vpns1.stefany.eu.*SSHFP"
vpns1.stefany.eu.       1200    IN      SSHFP   1 1 19FA9CC0FAACF573FDEFA048DD7C3B7FFF1E579E
vpns1.stefany.eu.       1200    IN      SSHFP   1 2 603EBDE93EAF676644092F71D17101634D3FE0D57C9168624B748425 26030B9F
vpns1.stefany.eu.       1200    IN      SSHFP   3 1 340012DA94DD9A2F9F64CCF37902CA2228082278
vpns1.stefany.eu.       1200    IN      SSHFP   3 2 10B1D3732D49C19CE0B9E42F0D0994AB84F87E725450751A166B4B71 1E295F36

Approach changed from integrated 'ipa-client-install' functionality to separate command 'ipa-sshupdate', discussion and patch are being handled in freeipa-devel mailing list.

Metadata Update from @sgallagh:
- Issue assigned to jcholast
- Issue set to the milestone: Future Releases

2 years ago

Login to comment on this ticket.