Dominik Vogt via FreeIPA-users wrote:
> I have a problem with ssh host keys being automatically
> generated(?).  Our installation process looks like this:
> 
>  1) Install IdM server and clients.
>  2) Generate ssh host keys for all machines in a special way
>     because of a requirement about available entropy that is not
>  3) Distribute the new keys to all machines but do not install
>     them.  (Any required known_hosts files are also generated
>     and distributed).
>  4) Reboot all machines at the same time.
>  5) During reboot, a script installs the new keys and deletes the
>     old ones (rsa and ecdsa format).
> 
> However, host key files in rsa and ecdsa format keep reappearing.
> I'm not exactly sure when this happens.  Does it have something to
> do with sssd?

I believe sshd generates keys on startup if they do not exist.

You probably want to include the --no-dns-sshfp option for
ipa-client-install to prevent any existing SSH keys from appearing in DNS.

ipa-client-install will add any keys to the host entry at the time of
enrollment.
> 
> --
> 
> So, we need to disable
> 
>  * automatic generation of ssh keys,
>  * restoring them from backups (in case some component does that).
> 
> Caching the keys in sssd would be in order if we can make sure
> that sssd does not cache the old keys at any time.  Running
> "sss_cache -H" does not seem to affect the cached known_hosts file
> in /var/lib though.
> 
> I understand that IdM can manage host keys, but we don't want to
> use that feature because of the underlying system requirements,
> and we'll never add new machines anyway.

I don't believe there is an easy way to prevent ssh keys from getting
into IPA. There is an ACI that grants a host write access to their own
ssh pub keys but there is no equivalent permission for it. You could,
for example, try tweaking the write to read and see if that helps. It'll
prevent keys from getting into IPA so that sssd can never find them.

My spidey sense isn't tingling with this suggestion but that doesn't
mean there isn't the possibility of a side-effect or future upgrade issues.

rob
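Since sshd (or the distribution's sshd-keygen unit) recreates any host key file it finds missing, the reboot script in step 5 can be followed by a check that the installed keys are exactly the distributed ones. The POSIX sh audit below is an added example and is not code from this thread or from FreeIPA; it assumes a directory holding the distributed `ssh_host_*_key.pub` files and compares it with `/etc/ssh` (or a copy), looking only at the `.pub` files.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Audits the host keys
# sshd actually has against the set distributed in step 3, so a key that sshd
# regenerated at startup is noticed rather than silently served to clients.
# Assumptions: EXPECTED_DIR holds the distributed ssh_host_*_key.pub files,
# SSH_DIR is /etc/ssh (or a copy of it); only .pub files are compared.

# First line of a public key file as "type base64", comment field dropped.
pubkey_body() {
    awk 'NR == 1 { print $1, $2 }' "$1"
}

# audit_host_keys EXPECTED_DIR SSH_DIR -> 0 if the installed key set equals the
# distributed one, 1 otherwise (each deviation is printed, one per line).
audit_host_keys() {
    expected_dir=$1 ssh_dir=$2 status=0
    for pub in "$ssh_dir"/ssh_host_*_key.pub; do
        [ -e "$pub" ] || continue
        name=$(basename "$pub")
        if [ ! -e "$expected_dir/$name" ]; then
            echo "UNEXPECTED $name: not in the distributed set, likely regenerated"
            status=1
        elif [ "$(pubkey_body "$pub")" != "$(pubkey_body "$expected_dir/$name")" ]; then
            echo "MISMATCH $name: installed key differs from the distributed key"
            status=1
        fi
    done
    for exp in "$expected_dir"/ssh_host_*_key.pub; do
        [ -e "$exp" ] || continue
        name=$(basename "$exp")
        [ -e "$ssh_dir/$name" ] || { echo "MISSING $name: distributed key not installed"; status=1; }
    done
    return "$status"
}

# Constructed demo: one distributed ed25519 key, plus an rsa key that only
# exists on the host. The key material is made up, not real keys.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/expected" "$tmp/ssh"
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMADEUPKEYMATERIAL root@host" \
        > "$tmp/expected/ssh_host_ed25519_key.pub"
    cp "$tmp/expected/ssh_host_ed25519_key.pub" "$tmp/ssh/"
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABMADEUP root@host" > "$tmp/ssh/ssh_host_rsa_key.pub"
    if audit_host_keys "$tmp/expected" "$tmp/ssh"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}
if demo; then echo "host keys match the distributed set"; else echo "deviations found"; fi
```

Run with the real paths (`audit_host_keys /path/to/distributed /etc/ssh`) from the same script that installs the keys, and treat a non-zero exit as a sign that something regenerated or restored a key after installation.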
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org