As admin, I want to define multiple permitopen in an ssh-key so that the user can only create tunnels to those IP-addresses.
I want to create a user which can only be used to create ssh-tunnels to specific targets. I was able to restrict such a user to only be able to create an ssh-tunnel to one specific address via permitopen in the ssh-key. However, I am unable to define a second tunnel. According to the man-page of authorized_keys, "Multiple permitopen options may be applied separated by commas." This doesn't work. It seems that freeipa removes the second permitopen.
I was expecting freeipa to write multiple permitopen which sssd would use as an authorized_keys file
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
ipa-client-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
389-ds-base-1.4.2.4-8.module_el8.2.0+366+71e3276f.x86_64
pki-ca-10.8.3-2.module_el8.2.0+371+f5726439.noarch
krb5-server-1.17-18.el8.x86_64
Thanks in advance for your time and effort!
I'm guessing that the first key was cached. See sss_cache(8).
The error in step 7 is expected since you made no changes.
I don't think it is a caching issue. I've created a new test user and added a sshkey with both permitopen. However it only saves one permitopen :-(
I can reproduce the issue. ipapython.ssh.SSHPublicKey._parse_openssh_with_options() uses a temporary dictionary to hold options. The parser does not handle multi-valued options. The last occurrence of an option wins.
$ ipa user-mod sshtest1 --sshpubkey="command=\"\",no-agent-forwarding,no-pty,no-x11-forwarding,permitopen=\"192.168.178.3:9000\",permitopen=\"192.168.178.4:6666\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0J8xibGLByZZIpmotatS99R3EQZAZ1hl8tEb7oaGIEDYv/KrNSBKwYgs3u8OvuREJWnls5Grp3AlQx5liirefzRg5s/gY1N0rxI/1eKkUyI854HN+NucqUHts9UVwMtuBfakBhJu0mfY+/8KuOFWnDsUIKtUUDIIeETWFmSuBDZiPCbaX9VUcTfjtyQqejH6Nyq/0+imZrkWlhskdRxAL9YxWbmzTA9yEyj9fMS9lJ7mh6/SNg1rOys4sl4HCLPcnQxx/HijyNpV/+6CPwHT3eaFJY2LvRuUxcjx2xLoKuhuM+0fR/eizwPfcdN66rpS3yb1FtqIDasO80I2SfmiFweGUnk0ixKjwXJPWMoNFZJ9qiAJTe88M4/Im3HitOfjv2iLfp2xKMHwOev5IFgI+3SKf91Jz7fjAi6R3a1Z4bnHhJnI9G8mm8zy2Jvo9eLZNibQy+pmaw17NEKfMRsg0eRCQx483A7XrrO2MsTS179G305asYQNw6503ZE9xfnM="
------------------------
Modified user "sshtest1"
------------------------
  User login: sshtest1
  First name: SSH
  Last name: Test1
  Home directory: /home/sshtest1
  Login shell: /bin/sh
  Principal name: sshtest1@FAS.EXAMPLE
  Principal alias: sshtest1@FAS.EXAMPLE
  Email address: sshtest1@fas.example
  UID: 748400010
  GID: 748400010
  SSH public key: command="",no-agent-forwarding,no-pty,no-x11-forwarding,permitopen="192.168.178.4:6666" ssh-rsa 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
  SSH public key fingerprint: SHA256:2aeRnE+UU3BRADK98VgNuVx5LA6z91WYHvJGYfiZgww (ssh-rsa)
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
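The comment above pins the defect on a dictionary keyed by option name: a second permitopen overwrites the first. The following is an added example, not FreeIPA's ipapython code and not the fix in the linked PR. It is a stand-alone parser for the options prefix of an authorized_keys line (comma-separated options, double-quoted values with backslash-escaped quotes, per sshd(8)) that keeps every occurrence of the options sshd allows more than once (permitopen, permitlisten, environment), beside a last-wins dictionary that reproduces the loss of the first permitopen. Assumptions: key types are recognised by prefix only, the sample line and its key data are constructed placeholders, and the helper names are invented for this example.

```python
# Added example (not FreeIPA code): parse and re-emit the options prefix
# of an OpenSSH authorized_keys line without collapsing repeated options.

# Options sshd(8) accepts more than once on a single key line.
MULTI_VALUED = frozenset({"permitopen", "permitlisten", "environment"})

# Constructed sample: the reporter's option string with a placeholder key.
SAMPLE = (
    'command="",no-agent-forwarding,no-pty,no-x11-forwarding,'
    'permitopen="192.168.178.3:9000",permitopen="192.168.178.4:6666" '
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyDataNotARealKey tunnel-only"
)


def _is_key_type(token):
    # Simplified assumption: key types are identified by well-known prefixes.
    return token.startswith(("ssh-", "ecdsa-sha2-", "sk-"))


def _scan_options(line):
    """Scan the options prefix; return ([(name, value), ...], index of the key field).

    value is None for flag options (no-pty), otherwise the unquoted string.
    """
    opts, i, n = [], 0, len(line)
    while i < n:
        start = i
        while i < n and line[i] not in ",= \t":
            i += 1
        name = line[start:i].lower()  # sshd matches option names case-insensitively
        if not name:
            raise ValueError("empty option name at offset %d" % i)
        value = None
        if i < n and line[i] == "=":
            i += 1
            if i < n and line[i] == '"':
                i, buf = i + 1, []
                while True:
                    if i >= n:
                        raise ValueError("unterminated quoted value for %s" % name)
                    if line[i] == "\\" and i + 1 < n and line[i + 1] == '"':
                        buf.append('"')  # \" is the only escape sshd recognises
                        i += 2
                        continue
                    if line[i] == '"':
                        i += 1
                        break
                    buf.append(line[i])
                    i += 1
                value = "".join(buf)
            else:
                start = i
                while i < n and line[i] not in ", \t":
                    i += 1
                value = line[start:i]
        opts.append((name, value))  # every occurrence is kept, in order
        if i < n and line[i] == ",":
            i += 1
            continue
        if i < n and line[i] in " \t":
            while i < n and line[i] in " \t":
                i += 1
            return opts, i
        raise ValueError("malformed options prefix at offset %d" % i)
    raise ValueError("options prefix without a key")


def parse_authorized_keys_line(line):
    """Return (options, keytype, keydata, comment) for one authorized_keys line."""
    line = line.strip()
    options, rest = [], line
    if not _is_key_type(line.split(None, 1)[0]):
        options, idx = _scan_options(line)
        rest = line[idx:]
    fields = rest.split(None, 2)
    if len(fields) < 2 or not _is_key_type(fields[0]):
        raise ValueError("missing key type or key data")
    comment = fields[2] if len(fields) == 3 else ""
    return options, fields[0], fields[1], comment


def last_wins_dict(options):
    """The defective representation: a plain dict keyed by name drops repeats."""
    return dict(options)


def group_options(options):
    """Keep a list for multi-valued options; a single value for everything else."""
    grouped = {}
    for name, value in options:
        if name in MULTI_VALUED:
            grouped.setdefault(name, []).append(value)
        else:
            grouped[name] = value
    return grouped


def permitopen_targets(line):
    return [v for n, v in parse_authorized_keys_line(line)[0] if n == "permitopen"]


def format_authorized_keys_line(options, keytype, keydata, comment=""):
    """Re-emit a line; values are always quoted, embedded quotes escaped as \\"."""
    parts = [n if v is None else '%s="%s"' % (n, v.replace('"', '\\"')) for n, v in options]
    fields = ([",".join(parts)] if parts else []) + [keytype, keydata]
    return " ".join(fields + ([comment] if comment else []))


if __name__ == "__main__":
    opts = parse_authorized_keys_line(SAMPLE)[0]
    print("last-wins dict:", last_wins_dict(opts)["permitopen"])
    print("grouped       :", group_options(opts)["permitopen"])
```

Running the block prints one permitopen target from the dict view and both from the grouped view, which is the difference between the behaviour reported and the behaviour the authorized_keys man page describes. Storing options as an ordered list of (name, value) pairs also lets the line be re-emitted exactly as submitted, which matters when sssd later serves it to sshd as an authorized_keys line.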
Metadata Update from @antorres: - Issue assigned to antorres
https://github.com/freeipa/freeipa/pull/5587
master:
Metadata Update from @antorres: - Custom field affects_doc adjusted to on - Custom field knownissue adjusted to on - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-9: