Hi Rob
On 15 Oct 2019, at 10:22, Rob Crittenden <rcritten@redhat.com> wrote:
Vinícius Ferrão via FreeIPA-users wrote:
Hello,
I'm trying to implement SSH Hostbased Authentication between IPA joined machines but I'm
having difficulties with:
* The /etc/ssh/ssh_known_hosts file.
In a FreeIPA environment the known_hosts are stored on IPA, and I'm aware of the
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy; but how can I create this file with the
entries from FreeIPA?
Why do you want to? That is the point of the proxy, so dynamic files
don't need to be maintained.
Because it appears to be a requirement. Unfortunately SSH does not look at
/var/lib/sss/pubconf/known_hosts:
debug1: userauth_hostbased: cuser admin chost hpclab01.cluster.iq.ufrj.br. pkalg ecdsa-sha2-nistp256 slen 100 [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x561842345040
debug2: hostbased_key_allowed: chost hpclab01.cluster.iq.ufrj.br. resolvedname hpclab01.cluster.iq.ufrj.br ipaddr 172.26.0.1
debug2: stripping trailing dot from chost hpclab01.cluster.iq.ufrj.br.
debug2: auth_rhosts2: clientuser admin hostname hpclab01.cluster.iq.ufrj.br ipaddr 172.26.0.1
debug1: temporarily_use_uid: 1683000000/1683000000 (e=0/0)
debug1: restore_uid: 0/0
debug1: fd 8 clearing O_NONBLOCK
debug2: hostbased_key_allowed: access allowed by auth_rhosts2
debug1: temporarily_use_uid: 1683000000/1683000000 (e=0/0)
debug1: restore_uid: 0/0
debug1: check_key_in_hostfiles: key for host hpclab01.cluster.iq.ufrj.br not found
debug1: temporarily_use_uid: 1683000000/1683000000 (e=0/0)
debug1: restore_uid: 0/0
debug1: check_key_in_hostfiles: key for host hpclab01.cluster.iq.ufrj.br not found
debug3: mm_answer_keyallowed: key 0x561842345040 is not allowed
Failed hostbased for admin from 172.26.0.1 port 55634 ssh2: ECDSA SHA256:wJ0OVmkiVnMjuoiRe5sdBVz5sMTTKIbYRWorTk+CnUQ, client user "admin", client host "hpclab01.cluster.iq.ufrj.br"
If you look at the sshd log there is this:
debug1: check_key_in_hostfiles: key for host hpclab01.cluster.iq.ufrj.br not found
But if I create the file manually it will work:
debug1: check_key_in_hostfiles: key for hpclab01.cluster.iq.ufrj.br found at /etc/ssh/ssh_known_hosts:1
Any ideas?
* Another issue is with the /etc/ssh/shosts.equiv file.
It supports plain hostnames or netgroups, which is a NIS thing. Does FreeIPA offer any
netgroup compatibility? I'm expecting to put something like @nodes in this file to keep
it simple. Any changes to IPA hosts would then be reflected automatically.
IPA hostgroups are automatically mirrored as netgroups.
Nice, this worked flawlessly!!!
rob
Thank you very much.
V.
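The first question in the thread (how to build /etc/ssh/ssh_known_hosts from the keys IPA holds) is left open, and the sshd log shows why it matters: hostbased auth only consults that static file. The helper below is an added example, not code from the list or from FreeIPA/sssd; it merges one host's public keys (as printed by sss_ssh_knownhostsproxy -k, or copied from the sssd cache file mentioned above) into the static file, replacing stale entries for that host and leaving every other entry intact. The function names and the sample entries are constructed for illustration.

```python
"""Added helper: merge one host's SSH public keys into a static ssh_known_hosts.
sshd's hostbased auth consults /etc/ssh/ssh_known_hosts only, so keys sssd knows
(as "keytype base64" from sss_ssh_knownhostsproxy -k, or full known_hosts lines)
have to be copied there; this merges them without clobbering other entries."""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_known_hosts(text):
    """Yield (marker, hostnames, keytype, key) per entry; comments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):          # @cert-authority / @revoked
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue                           # malformed line, ignore it
        yield marker, fields[0].split(","), fields[1], fields[2]


def normalize_key(line):
    """Return (keytype, key) from 'keytype key' or 'host keytype key'."""
    fields = line.split()
    if not fields[0].startswith(KEY_TYPE_PREFIXES):
        fields = fields[1:]                    # drop a leading hostname field
    return fields[0], fields[1]


def merge_host_keys(existing, host, key_lines, addrs=()):
    """Return new text with every entry for `host` replaced by `key_lines`; other
    hosts, marker lines and hashed (|1|...) entries are kept as they are."""
    host = host.lower()
    out = []
    for marker, names, keytype, key in parse_known_hosts(existing):
        if marker is None:
            names = [n for n in names if n.lower() != host and n not in addrs]
            if not names:
                continue                       # stale entry for this host
        prefix = f"{marker} " if marker else ""
        out.append(f"{prefix}{','.join(names)} {keytype} {key}")
    new_names = ",".join([host, *addrs])     # sshd matches the resolved hostname
    for line in key_lines:
        keytype, key = normalize_key(line)
        out.append(f"{new_names} {keytype} {key}")
    return "\n".join(out) + "\n"
```

Run it once per member of the IPA hostgroup and again whenever a host key is rotated; hashed (|1|...) entries cannot be matched by name and are left in place.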