On Thu, Oct 17, 2019 at 04:32:05AM +0000, Vinícius Ferrão wrote:
>
> On 16 Oct 2019, at 16:01, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Vinícius Ferrão wrote:
>
> On 15 Oct 2019, at 17:49, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Vinícius Ferrão wrote:
>
> Hi Rob
>
> On 15 Oct 2019, at 10:22, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Vinícius Ferrão via FreeIPA-users wrote:
>
> Hello,
>
> I’m trying to implement SSH Hostbased Authentication between IPA
> joined machines but I’m having difficulties regarding:
>
> * The /etc/ssh/ssh_known_hosts file.
>
> In a FreeIPA environment the known_hosts are stored on IPA, and I’m
> aware of the ProxyCommand /usr/bin/sss_ssh_knownhostsproxy; but how
> can I create this file with the entries from FreeIPA?
>
> Why do you want to? That is the point of the proxy, so dynamic files
> don't need to be maintained.
>
> Because it appears to be a requirement. Unfortunately SSH does not look
> at /var/lib/sss/pubconf/known_hosts:
>
> debug1: userauth_hostbased: cuser admin chost hpclab01.cluster.iq.ufrj.br. pkalg ecdsa-sha2-nistp256 slen 100 [preauth]
> debug3: mm_key_allowed entering [preauth]
> debug3: mm_request_send entering: type 22 [preauth]
> debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
> debug3: mm_request_receive_expect entering: type 23 [preauth]
> debug3: mm_request_receive entering [preauth]
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 22
> debug3: mm_answer_keyallowed entering
> debug3: mm_answer_keyallowed: key_from_blob: 0x561842345040
> debug2: hostbased_key_allowed: chost hpclab01.cluster.iq.ufrj.br. resolvedname hpclab01.cluster.iq.ufrj.br ipaddr 172.26.0.1
> debug2: stripping trailing dot from chost hpclab01.cluster.iq.ufrj.br.
> debug2: auth_rhosts2: clientuser admin hostname hpclab01.cluster.iq.ufrj.br ipaddr 172.26.0.1
> debug1: temporarily_use_uid: 1683000000/1683000000 (e=0/0)
> debug1: restore_uid: 0/0
> debug1: fd 8 clearing O_NONBLOCK
> debug2: hostbased_key_allowed: access allowed by auth_rhosts2
> debug1: temporarily_use_uid: 1683000000/1683000000 (e=0/0)
> debug1: restore_uid: 0/0
> debug1: check_key_in_hostfiles: key for host hpclab01.cluster.iq.ufrj.br not found
> debug1: temporarily_use_uid: 1683000000/1683000000 (e=0/0)
> debug1: restore_uid: 0/0
> debug1: check_key_in_hostfiles: key for host hpclab01.cluster.iq.ufrj.br not found
> debug3: mm_answer_keyallowed: key 0x561842345040 is not allowed
> Failed hostbased for admin from 172.26.0.1 port 55634 ssh2: ECDSA SHA256:wJ0OVmkiVnMjuoiRe5sdBVz5sMTTKIbYRWorTk+CnUQ, client user "admin", client host "hpclab01.cluster.iq.ufrj.br"
>
> It does for me:
>
> debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
> debug3: hostkeys_foreach: reading file "/var/lib/sss/pubconf/known_hosts"
> debug3: record_hostkey: found key type ED25519 in file /var/lib/sss/pubconf/known_hosts:2
> debug3: record_hostkey: found key type RSA in file /var/lib/sss/pubconf/known_hosts:4
> debug3: record_hostkey: found key type ECDSA in file /var/lib/sss/pubconf/known_hosts:6
>
> The client only pushes the SSHFP records on enrollment if IPA is serving
> DNS.
>
> Rob, I’m not sure if we are talking about the same thing. In fact this
> part works for me too:
>
> You're right, I missed the hostbased part. I don't know that anyone has
> tried this before. Perhaps someone from the sssd team would know since
> they manage the proxy.
>
> rob
>
> Hi again Rob, it’s ok. HBA is not a common thing.
>
> I dug further into this issue and got almost everything working as
> expected, except for the known_hosts issue. The netgroup worked through
> FreeIPA, which is what I was looking for. So the only missing piece is the
> keys.
>
> What is happening is that the server (the destination machine, running sshd)
> must know the public key of the client (the connecting machine). And by
> default it looks in /etc/ssh/ssh_known_hosts. I’m almost certain that this is
> by design for Hostbased Authentication.
>
> This is OK, since I can symlink from /var/lib/sss/pubconf/known_hosts to
> /etc/ssh/ssh_known_hosts and Hostbased Authentication works! But…
>
> Since the destination machine hasn’t issued any ssh connection to outside,
> it does not have a populated /var/lib/sss/pubconf/known_hosts file. It does
> not know about other machines, and when trying to connect with Hostbased it
> simply fails.
>
> The /var/lib/sss/pubconf/known_hosts file is generated when the ssh client
> tries to connect to a remote IPA-joined host. In /etc/ssh/ssh_config we have
> these lines:
>
> GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
> PubkeyAuthentication yes
> ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
>
> But that’s the problem. Only the client runs those commands. There’s nothing
> similar, or nothing that I know of, for /etc/ssh/sshd_config, which manages the
> server configuration.
>
> So that’s the problem basically.
>
> Do you have any idea whom I should contact about this? You said that’s
> probably for the sssd team, but even with this explanation is it still
> sssd? I’m not sure if this will be solved without an RFE or anything like
> that.
Hi,

yes, this most probably is an RFE for SSSD. Hostbased authentication was
not considered when the SSH-related features were added to SSSD.

Do I understand correctly that if you link /var/lib/sss/pubconf/known_hosts
and /etc/ssh/ssh_known_hosts on the server side and then call
sss_ssh_knownhostsproxy -k client.ipa.domain to refresh
/var/lib/sss/pubconf/known_hosts with the client keys you can connect from
the client to the server with hostbased authentication as expected?

> The /usr/bin/sss_ssh_knownhostsproxy executable can be called by sshd, the
> server daemon, during the client connection? If yes perhaps we can find a
> solution.

I'm not aware of an automatic solution. sshd can check authorized keys with
the help of AuthorizedKeysCommand but it looks like there is nothing for
hostbased authentication.

As a workaround you can create a cron job which calls
'sss_ssh_knownhostsproxy -k client.ipa.domain' for all expected clients on
a regular basis to refresh the keys.

HTH

bye,
Sumit

> Thank you very much Rob.
>
> V.
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
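The workaround Sumit outlines above (sshd reads the sssd-maintained file through the /etc/ssh/ssh_known_hosts symlink, and a cron job refreshes it with sss_ssh_knownhostsproxy -k for every expected client) as an added example script; it is not from the thread or from SSSD itself. The crontab path, the client names, the symlink check and the KNOWN_HOSTS/FETCH_CMD environment overrides are assumptions.

```shell
#!/bin/sh
# Cron-driven refresh of the sssd-managed known_hosts file so that sshd on
# this server can verify hostbased clients, following Sumit's suggestion:
# /etc/ssh/ssh_known_hosts is a symlink to /var/lib/sss/pubconf/known_hosts
# and "sss_ssh_knownhostsproxy -k CLIENT" is run for every expected client.
# Example crontab line (path is an assumption):
#   */30 * * * * root sh /usr/local/sbin/refresh-hostbased-known-hosts.sh \
#       node01.ipa.example node02.ipa.example
# KNOWN_HOSTS and FETCH_CMD can be overridden via the environment (for tests).
KNOWN_HOSTS="${KNOWN_HOSTS:-/var/lib/sss/pubconf/known_hosts}"
SSHD_KNOWN_HOSTS="${SSHD_KNOWN_HOSTS:-/etc/ssh/ssh_known_hosts}"
# "-k" prints CLIENT's host keys; the query makes sssd rewrite $KNOWN_HOSTS.
FETCH_CMD="${FETCH_CMD:-sss_ssh_knownhostsproxy -k}"

# Succeed if $KNOWN_HOSTS has an entry whose host list contains $1, either
# "host key..." or "alias,host,ip key..." (dots match as regex wildcards).
host_has_key() {
    grep -Eq "^($1|[^ ]*,$1)[, ]" "$KNOWN_HOSTS" 2>/dev/null
}

# Warn if sshd is not actually reading the file sssd maintains.
check_symlink() {
    if [ ! "$SSHD_KNOWN_HOSTS" -ef "$KNOWN_HOSTS" ]; then
        echo "warning: $SSHD_KNOWN_HOSTS does not point at $KNOWN_HOSTS" >&2
        return 1
    fi
}

# Refresh every client named on the command line and report the ones that
# still have no key afterwards. Returns 0 only if all clients are covered.
refresh_clients() {
    missing=0
    for host in "$@"; do
        # The printed keys are not needed; the side effect on the file is.
        if ! $FETCH_CMD "$host" >/dev/null 2>&1; then
            echo "warning: key lookup failed for $host" >&2
        fi
        if ! host_has_key "$host"; then
            echo "missing: no host key for $host in $KNOWN_HOSTS" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

if [ $# -gt 0 ]; then
    check_symlink
    refresh_clients "$@"
fi
```

A non-zero exit from the cron run means at least one expected client would still fail hostbased authentication, which is the condition worth alerting on.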