FreeIPA is currently setting SSH's ProxyCommand to use sss_ssh_knownhostsproxy. This tool is being deprecated by SSSD in favor of a new tool named /usr/bin/sss_ssh_knownhosts, which can be used with SSH's KnownHostsCommand option (available starting in 8.5). More details in this SSSD ticket. The deprecated tool is kept for the moment, but will be removed at some time in the future.
Because of these changes in SSSD, ipa-client-install needs to be modified to configure the new tool in the /etc/ssh/ssh_config.d/04-ipa.conf file.
The file currently generated is:
# IPA-related configuration changes to ssh_config
#
PubkeyAuthentication yes
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
#VerifyHostKeyDNS yes
# assumes that if a user does not have shell (/sbin/nologin),
# this will return nonzero exit code and proxy command will be ignored
Match exec true
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
KnownHostsCommand /usr/bin/sss_ssh_knownhosts %H
I don't know if FreeIPA is expected to support several versions of SSSD. If that's the case, the new configuration can be produced if /usr/bin/sss_ssh_knownhosts is present, falling back to generating the old configuration if this tool is absent.
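One way to implement that fallback, as an added example that is not FreeIPA's own ipa-client-install code: detect whether the new SSSD tool is installed and render the matching 04-ipa.conf. The function names and the `root` parameter (used so the check can run against a staging directory) are assumptions, as is leaving GlobalKnownHostsFile out when KnownHostsCommand is used.

```python
import os

# Paths are the ones named in the ticket; the helper names are assumptions.
SSS_KNOWNHOSTS = "/usr/bin/sss_ssh_knownhosts"
SSS_KNOWNHOSTS_PROXY = "/usr/bin/sss_ssh_knownhostsproxy"
IPA_SSH_CONF = "/etc/ssh/ssh_config.d/04-ipa.conf"


def sss_ssh_knownhosts_available(root="/"):
    """True if the new SSSD tool is installed (and executable) under `root`."""
    return os.access(os.path.join(root, SSS_KNOWNHOSTS.lstrip("/")), os.X_OK)


def render_ipa_ssh_config(use_knownhosts_command):
    """Build the 04-ipa.conf body for the SSSD tooling present on the client."""
    lines = [
        "# IPA-related configuration changes to ssh_config",
        "#",
        "PubkeyAuthentication yes",
        "#VerifyHostKeyDNS yes",
    ]
    if use_knownhosts_command:
        # Newer SSSD: ssh asks sss_ssh_knownhosts for the host's keys directly
        # via KnownHostsCommand (OpenSSH 8.5+), so no ProxyCommand is needed.
        # Leaving out GlobalKnownHostsFile here is this example's assumption.
        lines.append(f"KnownHostsCommand {SSS_KNOWNHOSTS} %H")
    else:
        # Older SSSD: keep the deprecated proxy exactly as the current file does.
        lines += [
            "GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts",
            "# assumes that if a user does not have shell (/sbin/nologin),",
            "# this will return nonzero exit code and proxy command will be ignored",
            "Match exec true",
            f"    ProxyCommand {SSS_KNOWNHOSTS_PROXY} -p %p %h",
        ]
    return "\n".join(lines) + "\n"


def write_ipa_ssh_config(root="/", path=IPA_SSH_CONF):
    """Pick the variant for this client and write it; returns the text written."""
    body = render_ipa_ssh_config(sss_ssh_knownhosts_available(root))
    target = os.path.join(root, path.lstrip("/"))
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w") as fh:
        fh.write(body)
    os.chmod(target, 0o644)  # world-readable, root-writable like the rest of ssh_config.d
    return body


if __name__ == "__main__":
    print(render_ipa_ssh_config(sss_ssh_knownhosts_available()), end="")
```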
@allopez thanks for reporting the issue, but we already have a ticket to track this piece of work: #9536 (Client configuration of ssh: Replace sss_ssh_knownhostsproxy with sss_ssh_knownhosts). Closing as duplicate.
Metadata Update from @frenaud:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)