FreeIPA (via sssd) adds the following to my /etc/ssh/ssh_config:

    GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
    PubkeyAuthentication yes
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

If I understand correctly, that means that `/etc/ssh/ssh_known_hosts` will
not be referenced, correct?
If I add an entry to /var/lib/sss/pubconf/known_hosts manually, it is not
persistent. After I add the host key for my GitHub Enterprise host, for
example, I still get the message:

    The authenticity of host 'github.example.com (<no hostip for proxy command>)' can't be established.

When I check /var/lib/sss/pubconf/known_hosts after the attempted
connection, the file is empty -- zero bytes.
(I also noted in the man page for sssd.conf that the
ssh_known_hosts_timeout has a default value of 180 seconds.)
Is there a way to add public keys for arbitrary external hosts? If not,
what are others doing as a workaround?
Currently I am overriding the GlobalKnownHostsFile and ProxyCommand
settings on a per user or per user per host basis, e.g.:

    GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
    ProxyCommand none

I'd rather avoid that if possible.
--
Chris Herdt
UIS Systems Administrator
cherdt(a)umn.edu