#6042 host-find, host-show do not show ssh fingerprint by default
Closed: Invalid None Opened 7 years ago by mbasti.

It is expected that in output of host-find and host-show the fingerprint of all SSH keys should be shown.

Got:

    ipa host-show vm-058-188.abc.idm.lab.eng.brq.redhat.com
      Host name: vm-058-188.abc.idm.lab.eng.brq.redhat.com
      Principal name: host/vm-058-188.abc.idm.lab.eng.brq.redhat.com@DOM-012.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
      Password: False
      Member of host-groups: ipaservers
      Keytab: True
      Managed by: vm-058-188.abc.idm.lab.eng.brq.redhat.com

Expected:

    ipa host-show vm-058-188.abc.idm.lab.eng.brq.redhat.com
      Host name: vm-058-188.abc.idm.lab.eng.brq.redhat.com
      Principal name: host/vm-058-188.abc.idm.lab.eng.brq.redhat.com@DOM-012.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
      Password: False
      Member of host-groups: ipaservers
      Keytab: True
      Managed by: vm-058-188.abc.idm.lab.eng.brq.redhat.com
      SSH fingerprint: B5:AE:22:61:9A:2E:B3:11:15:35:8C:90:60:FE:78:49 (ssh-rsa), E0:A7:72:95:43:93:22:91:B2:E6:F9:7D:B1:22:9B:7F (ecdsa-sha2-nistp256), 3A:C5:EC:89:FE:C2:46:7B:D3:9D:92:9F:CC:BC:61:EA (ssh-ed25519)

Actually, the API call returns the fingerprints; they are just not shown on the client side.

    "result": {
        "result": {
            "dn": "fqdn=vm-058-188.abc.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom-012,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com", 
            "fqdn": [
                "vm-058-188.abc.idm.lab.eng.brq.redhat.com"
            ], 
            "has_keytab": true, 
            "has_password": false, 
            "krbprincipalname": [
                "host/vm-058-188.abc.idm.lab.eng.brq.redhat.com@DOM-012.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM"
            ], 
            "managedby_host": [
                "vm-058-188.abc.idm.lab.eng.brq.redhat.com"
            ], 
            "memberof_hostgroup": [
                "ipaservers"
            ], 
            "sshpubkeyfp": [
                "B5:AE:22:61:9A:2E:B3:11:15:35:8C:90:60:FE:78:49 (ssh-rsa)", 
                "E0:A7:72:95:43:93:22:91:B2:E6:F9:7D:B1:22:9B:7F (ecdsa-sha2-nistp256)", 
                "3A:C5:EC:89:FE:C2:46:7B:D3:9D:92:9F:CC:BC:61:EA (ssh-ed25519)"
            ]
        }, 
        "summary": null, 
        "value": "vm-058-188.abc.idm.lab.eng.brq.redhat.com"

Probably caused by the thin client feature.


Is this still an issue? I was not able to reproduce it on the current master (12.7.2016) with a freshly installed ipa server.

So when I was fiddling with the ipa host-show and host-find, I found out that fingerprints weren't displayed sometimes. The fingerprints would have been hidden for hosts that I failed to install as replicas and their records might have been corrupted.

However, when I installed a certain host even as a client, the fingerprint would appear again.

Attaching console outputs - host_find and host_show0 are before proper client installation, host_show1 after it.

The main question here is whether the fingerprint is displayed for hosts which have an sshpubkey record in LDAP (ideally check with DM rights). That is the only trusted source to determine if the sshkey is there or not. Host-find or host-show can lie as well.
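
One way to run the check suggested above, as an added example (not FreeIPA code and not part of the ticket): derive fingerprints from the public keys read out of LDAP and report any that are absent from the `sshpubkeyfp` list in the API result. It assumes the keys are stored as OpenSSH `type base64 [comment]` lines and that the fingerprint is the MD5 of the decoded key blob in the format shown in the output above; all function names are hypothetical and the sample key is constructed.

```python
import base64
import hashlib
import struct


def parse_pubkey(line):
    """Split an OpenSSH public key line into (key_type, raw_blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    # The blob starts with a length-prefixed copy of the key type;
    # a mismatch means the record is corrupted or mislabelled.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("declared key type does not match key blob")
    return key_type, blob


def fingerprint(line):
    """Format 'AA:BB:...:PP (type)' as in the ticket (MD5 is an assumption)."""
    key_type, blob = parse_pubkey(line)
    digest = hashlib.md5(blob).hexdigest().upper()
    pairs = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    return f"{pairs} ({key_type})"


def missing_from_output(ldap_keys, shown_fps):
    """Fingerprints of keys present in LDAP but absent from the API/CLI list."""
    shown = {fp.strip() for fp in shown_fps}
    return [fp for fp in map(fingerprint, ldap_keys) if fp not in shown]


def make_sample_key():
    """Constructed ed25519-shaped key (not a real host key) for offline runs."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    key = make_sample_key()
    print("LDAP-derived fingerprint:", fingerprint(key))
    print("missing from host-show:", missing_from_output([key], []))
```
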

I cannot reproduce this anymore, it was probably fixed.

Metadata Update from @mbasti:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.4.1

7 years ago
