FreeIPA (via sssd) adds the following to my /etc/ssh/ssh_config:

    GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
    PubkeyAuthentication yes
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

If I understand correctly, that means that `/etc/ssh/ssh_known_hosts` will not be referenced, correct?

If I add an entry to /var/lib/sss/pubconf/known_hosts manually, it is not persistent. After I add the host key for my GitHub Enterprise host, for example, I still get the message:

The authenticity of host 'github.example.com (<no hostip for proxy command>)' can't be established.

When I check /var/lib/sss/pubconf/known_hosts after the attempted connection, the file is empty -- zero bytes.

(I also noted in the man page for sssd.conf that the ssh_known_hosts_timeout has a default value of 180 seconds.)

Is there a way to add public keys for arbitrary external hosts? If not, what are others doing as a workaround?

Currently I am overriding the GlobalKnownHostsFile and ProxyCommand settings on a per-user or per-user, per-host basis, e.g.:

    GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
    ProxyCommand none

I'd rather avoid that if possible.


--
Chris Herdt
UIS Systems Administrator
cherdt@umn.edu