[Freeipa-users] OpenSSH integration - known_hosts

Tue Nov 8 17:38:08 UTC 2011

Hello everyone,
there is a new effort in IPA and SSSD teams and that is SSH key integration in 
both parts of SSSD-IPA infrastructure. We've put together some basic plans and 
now we would like to know your opinion.

Note that this is just shortened version to make it easier to read. It doesn't 
contain every bit of information about the design. For full version see 
https://fedorahosted.org/freeipa/wiki/SSH-FreeIPA-Integration

Problems:
=========
* the known_hosts file becomes outdated as machines get new host keys (e.g. re-
installed systems in virtualized environment)
* the user accepts any host key of the remote host without validating its 
authenticity

Solution:
=========
Instead of checking stale known_hosts file, provide a dynamic mechanism to 
lookup and deliver the public ssh key of the remote host to the client and use 
it for validation of the remote host identity. The dynamic mechanism would 
imply that no action is needed from the user because the source of the 
retrieved key is trusted.

Limitations:
============
It is out of scope of this work to solve the problem in general. We propose a 
solution for following use case:

Client host is a managed host meaning that it has SSSD installed and it is 
joined an IPA domain. It also has OpenSSH patched to interact with SSSD to get 
the information about the remote host

Other UNIX machines or Windows machines as SSH clients are out of the scope of 
the current project. For the client hosts that can not be managed but can 
access IPA via the standard LDAP tools we will provide documentation on how to 
construct the content of the known_hosts file by querying LDAP server and 
saving the results.

The remote host can be a managed (joined IPA domain via SSSD) or an unmanaged 
host. IPA server needs to provide a way to create entries for any managed and 
unmanaged hosts and store public keys for those hosts in that entries.

What would change in IPA:
=========================
* external host would have entries with the possibility of storing their 
public keys
* new mechanism to work with keys through UI and CLI
* host key fingerprints would be stored in SSHFP DNS records for each host 
joined in IPA domain

What would change on the client:
================================
* SSSD would fetch and cache host public keys from IPA
* joining to IPA domain would upload host public key
* ssh client would communicate with SSSD, probably through ssh-agent, to check 
if the remote host is known

It is still a question whether the solution is sufficient enough to address the 
needs and pains of the real deployments or other technologies outside the 
proposed should be used later (or instead).

-- 
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20111108/03e4b051/attachment.sig>