[Freeipa-users] Re: SSHFP records

2022-02-09 Thread Rob Crittenden via FreeIPA-users
Simon Matthews via FreeIPA-users wrote:
> My primary nameserver is on another machine. It is already configured with an 
> RNDC key to allow updates from DHCP. 
> 
> How would I tell IPA to use this RNDC key to update the primary? 
> 
> I assume that these updates come from the IPA server, not the client when 
> enrolling a client. 
> 
> Currently, the SSH keys are in the user's home directory, which will be 
> accessible on any machine that a user would log into, but it might be useful 
> to have an alternative to this. 

The updates come from the client directly; they own the keys, after all.
The IPA client only supports GSS-TSIG and unauthenticated updates. If
the GSS-TSIG fails during ipa-client-install then, with 4.9.6+, it will
fall back and try an unauthenticated nsupdate. Prior to that only GSS-TSIG
was supported.

This of course requires the DNS admin to configure their zones to allow
unauthenticated dynamic DNS updates which isn't a terrific idea.

See https://bugzilla.redhat.com/show_bug.cgi?id=1854557

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: SSHFP records

2022-02-09 Thread Simon Matthews via FreeIPA-users
My primary nameserver is on another machine. It is already configured with an 
RNDC key to allow updates from DHCP. 

How would I tell IPA to use this RNDC key to update the primary? 

I assume that these updates come from the IPA server, not the client when 
enrolling a client. 

Currently, the SSH keys are in the user's home directory, which will be 
accessible on any machine that a user would log into, but it might be useful to 
have an alternative to this. 


[Freeipa-users] Re: SSHFP records

2022-02-09 Thread Sam Morris via FreeIPA-users
Only a problem if you want to use SSHFP records to verify the host keys 
presented by the SSH server running on the client.

When SSHing to the client from another machine that has been enrolled, the host 
key will usually be verified by sss_ssh_knownhostsproxy which does not use 
SSHFP records.

You might use these records in conjunction with DNSSEC to allow non-enrolled 
clients to have a secure way to fetch a host's public keys for verification, 
but that setup is not the default & requires extra work.

More generally, it sounds like sssd is not going to be able to update the A 
records for your clients either.

-- 
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9


[Freeipa-users] Re: SSHFP Records on external DNS

2017-12-03 Thread Anvar Kuchkartaev via FreeIPA-users
From the client command line, ssh-keygen -r `hostname` will give you the SSHFP records.

Anvar Kuchkartaev 
an...@aegisnet.eu 
  Original Message  
From: Günther J. Niederwimmer via FreeIPA-users
Sent: Sunday, 3 December 2017 15:50
To: freeipa-users@lists.fedorahosted.org
Reply To: FreeIPA users list
Cc: Günther J. Niederwimmer
Subject: [Freeipa-users] SSHFP Records on external DNS

Hello,

I mean I have a Problem ;-).

I would like to include the SSHFP records on an external DNS server, but I can't find 
the correct entries created by ipa-client-install.

Is there a way to find the SSHFP records to include on the external DNS 
server?

Thanks for the Help!

CentOS 7.4
FreeIPA 4.5
-- 
with kind regards / best regards,

Günther J. Niederwimmer
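Worked example, added to this archive page as an illustration; it is not code from FreeIPA, SSSD, OpenSSH or any of the posters. It ties together the three points made in these threads: the SSHFP lines that Anvar's `ssh-keygen -r` command prints, the nsupdate batch that (as Rob describes) the enrolling client submits itself, GSS-TSIG signed via `nsupdate -g` or, on 4.9.6+, unauthenticated as a fallback, and the host-key check against SSHFP data that Sam mentions for non-enrolled clients. The host name, zone, name server and key material are constructed for the example; the ssh-ed25519 blobs are laid out the way OpenSSH lays them out but are not real key pairs. The fallback policy in verify_hostkey (ignore SHA-1 records when a SHA-256 record exists) is a choice made here, not a statement about OpenSSH's behaviour.

```python
"""SSHFP generation, nsupdate batch and host-key check for this thread.

Added example, not FreeIPA/SSSD code.  Key material, host names, zone and
name server are constructed for illustration only.
"""
import base64
import hashlib
import hmac
import struct

# RFC 4255 / 6594 / 7479 / 8709: OpenSSH key type -> SSHFP algorithm number.
SSHFP_ALGO = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4, "ssh-ed448": 6,
}
# SSHFP fingerprint type -> hash taken over the raw (base64-decoded) key blob.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Return (keytype, blob) from an OpenSSH 'keytype base64 [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    # The wire blob repeats the key type as its first length-prefixed string;
    # refuse lines whose text prefix disagrees with the blob.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type prefix does not match key blob")
    if keytype not in SSHFP_ALGO:
        raise ValueError("no SSHFP algorithm number for " + keytype)
    return keytype, blob


def sshfp_rdata(line, fptypes=(1, 2)):
    """[(algorithm, fptype, hexdigest), ...] for one key.  SHA-1 and SHA-256
    by default, which is also what `ssh-keygen -r host` prints."""
    keytype, blob = parse_pubkey_line(line)
    return [(SSHFP_ALGO[keytype], t, SSHFP_HASH[t](blob).hexdigest()) for t in fptypes]


def zone_lines(host, keylines):
    """Zone-file lines in the same layout as `ssh-keygen -r host`."""
    return ["%s IN SSHFP %d %d %s" % ((host,) + r)
            for line in keylines for r in sshfp_rdata(line)]


def nsupdate_script(server, zone, fqdn, keylines, ttl=1200):
    """nsupdate batch replacing every SSHFP record of fqdn.  An enrolled client
    pipes this to `nsupdate -g`, so the update is GSS-TSIG signed with its
    host principal; fed to plain `nsupdate` it is an unauthenticated update
    and only succeeds if the zone allows those."""
    out = ["server " + server, "zone " + zone,
           "update delete %s. IN SSHFP" % fqdn]
    out += ["update add %s. %d IN SSHFP %d %d %s" % ((fqdn, ttl) + r)
            for line in keylines for r in sshfp_rdata(line)]
    out.append("send")
    return "\n".join(out) + "\n"


def verify_hostkey(line, rdata_set):
    """True if the key a server presented matches the SSHFP RDATA set.
    Policy chosen for this example: when any SHA-256 record exists for the
    key's algorithm, SHA-1 records are ignored rather than accepted."""
    keytype, blob = parse_pubkey_line(line)
    algo = SSHFP_ALGO[keytype]
    cands = [(t, h) for a, t, h in rdata_set if a == algo and t in SSHFP_HASH]
    if any(t == 2 for t, _ in cands):
        cands = [(t, h) for t, h in cands if t == 2]
    return any(hmac.compare_digest(SSHFP_HASH[t](blob).hexdigest(), h.lower())
               for t, h in cands)


def _constructed_ed25519_line(pub32):
    """Well-formed ssh-ed25519 public key line from 32 arbitrary bytes.
    The blob layout (string keytype, string key) is real; the key is not."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


# Constructed sample: the host's current key and a different (rotated) key.
HOST_KEY = _constructed_ed25519_line(bytes(range(32)))
OTHER_KEY = _constructed_ed25519_line(bytes(range(32, 64)))

if __name__ == "__main__":
    for zl in zone_lines("client.example.test", [HOST_KEY]):
        print(zl)
    print(nsupdate_script("ns1.example.test", "example.test",
                          "client.example.test", [HOST_KEY]))
    records = sshfp_rdata(HOST_KEY)
    print("current key verifies:", verify_hostkey(HOST_KEY, records))
    print("rotated key verifies:", verify_hostkey(OTHER_KEY, records))
```

Running the script prints the two zone-file lines for the sample host, the nsupdate batch, and the two verification results (True for the current key, False for the rotated one). The authenticated path is the `nsupdate -g` one; the only way the same batch gets through unsigned is a zone with unauthenticated dynamic updates allowed, which is the setting Rob warns against. For a non-enrolled client to rely on such records with `VerifyHostKeyDNS yes` in ssh_config, the resolver must also validate DNSSEC, otherwise the SSHFP answer is no more trustworthy than the network it arrived over.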