#4381 SSHFP records are handled poorly in FreeIPA
Closed: wontfix 5 years ago Opened 9 years ago by firstyear.

I think that freeipa in general handles SSHFP records badly. SSSD doesn't update them, so if you reset a host SSH key, they don't update. Delete and rebuild a host, and the SSHFP records are still around from the old host. Finally, sss caches the host record, and you can't delete the host key from the known hosts cache (I implemented a fix for this on the sssd mailing list however, it's just not been looked at or merged, see https://fedorahosted.org/sssd/ticket/2358)

When a host is added, it should take over that name and replace the sshfp records, and really, sssd should be updating those records. sssd is the gateway to ipa and the act of updating / changing a host ssh key is not unreasonable. Perhaps even if the DNS record were to become a managed entry of the host, this would resolve the issue, rather than relying on sssd to carry out this task at all. With DNSSEC on the road map for freeipa that certainly could become the root of trust for clients.


We plan to look at this issue during FreeIPA 4.2 development. Possible identified changes:

  • Make --updatedns option in host-del command default to true
  • Update ipa-join to prune the old SSHFP keys before re-joining a host

Processing leftovers from 4.2 backlog - this ticket was found as suitable for consideration in next big feature release - 4.4.

Metadata Update from @firstyear:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Metadata Update from @mbasti:
- Assignee reset

6 years ago

I think we need to consider another case too.
When older IPA clients get updated (e.g. get a newer sshd) they can and do
create more/new pubkeys. For example I have systems that were
enrolled in IPA and got ECDSA keys in the meantime. That key gets added
to ~/.ssh/known_hosts - which we'd like to avoid...

First step might be a script that checks for new keys and adds them to
IPA. Something like https://github.com/mindfuckup/Scripts/blob/master/sshfpgen
with update into IPA.

Best option could be that sssd recognizes the keys and updates
them in IPA without admin intervention.
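A script of the kind this comment sketches, as an added example that is not from the ticket or from FreeIPA: it derives SSHFP records from a host's OpenSSH public keys (the same data ssh-keygen -r prints), compares them with the records currently published for the name, and emits the ipa dnsrecord-add/-del calls that reconcile the two. The sample key, the published record set, the zone and host names are constructed, and the --sshfp-rec CLI form is assumed.

```python
import base64
import glob
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256 (ssh-keygen -r emits both).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_records(pubkey_line):
    """SSHFP RDATA ('alg fptype hex') for one 'type base64 [comment]' public-key line."""
    keytype, blob = pubkey_line.split()[:2]
    alg = SSHFP_ALG.get(keytype)
    if alg is None:  # key type with no SSHFP algorithm number: nothing to publish
        return []
    raw = base64.b64decode(blob)  # the fingerprint is over the decoded key blob, not the text
    return [f"{alg} {fptype} {h(raw).hexdigest()}" for fptype, h in SSHFP_HASH.items()]

def host_sshfp(pubkey_lines):
    """Every SSHFP record this host should have published, as a set of RDATA strings."""
    return {rec for line in pubkey_lines for rec in sshfp_records(line)}

def reconcile(local, published):
    """(records missing from DNS, records in DNS that match no current local key)."""
    return sorted(local - published), sorted(published - local)

def ipa_commands(zone, hostname, to_add, to_remove):
    """ipa CLI calls that bring the host's SSHFP RRset in line (--sshfp-rec form assumed)."""
    return ([f'ipa dnsrecord-add {zone} {hostname} --sshfp-rec="{r}"' for r in to_add] +
            [f'ipa dnsrecord-del {zone} {hostname} --sshfp-rec="{r}"' for r in to_remove])

def _ssh_string(b):  # SSH wire-format string: 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b

# Constructed sample: an ed25519 key line whose 32 key bytes are all zero (not a real key).
SAMPLE_BLOB = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()
SAMPLE_LINE = f"ssh-ed25519 {SAMPLE_BLOB} root@host1.example.test"

if __name__ == "__main__":
    lines = []
    for path in glob.glob("/etc/ssh/ssh_host_*_key.pub"):
        with open(path) as f:
            lines.append(f.readline())
    lines = lines or [SAMPLE_LINE]  # fall back to the constructed sample off a real host
    # Constructed stand-in for what DNS currently holds: a leftover RSA SHA-1 record from an
    # earlier enrolment of the same name, i.e. the stale-record case this ticket describes.
    published = {"1 1 " + "0" * 40}
    add, remove = reconcile(host_sshfp(lines), published)
    print("\n".join(ipa_commands("example.test", "host1", add, remove)))
```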

In hindsight, I think SSHFP records are the wrong answer. They are too hard to sync, they cause too many issues, they aren't cleaned up.

In my view, LDAP SSH FP distribution is the only reasonable course of action for domain members. It's just too hard to fix otherwise, and too fragile with this feature enabled :(

Metadata Update from @firstyear:
- Issue close_status updated to: None

6 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request reconsideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
