[Freeipa-users] [Freeipa-devel] OpenSSH integration - known_hosts

Dmitri Pal dpal at redhat.com
Tue Nov 8 22:57:20 UTC 2011 

On 11/08/2011 02:56 PM, Dan Scott wrote:
> Hi,
>
> This is a great feature. It feels like I'm always re-installing VMs
> and having to remove old SSH keys and re-accept new ones.
>
> One feature I'd like is to have this working cross-realm. We have 2
> IPA realms here and it would be great if I could configure SSSD to
> check the local realm if I'm SSHing to a local PC and to check the
> other IPA server(s) if my SSH target is part of the other realm. Even
> better if it could do this without explicit configuration.
>
> Do you think it would be possible to do this securely?

When we start to support Cross Realm Kerberos Trusts for IPA to IPA I
think this would be doable but then I do not think the ssh host keys
will be used (needed). Simo, am I correct?

> Dan
>
> On Tue, Nov 8, 2011 at 12:38, Jan Zelenı <jzeleny at redhat.com> wrote:
>> Hello everyone,
>> there is a new effort in IPA and SSSD teams and that is SSH key integration in
>> both parts of SSSD-IPA infrastructure. We've put together some basic plans and
>> now we would like to know your opinion.
>>
>> Note that this is just shortened version to make it easier to read. It doesn't
>> contain every bit of information about the design. For full version see
>> https://fedorahosted.org/freeipa/wiki/SSH-FreeIPA-Integration
>>
>> Problems:
>> =========
>> * the known_hosts file becomes outdated as machines get new host keys (e.g. re-
>> installed systems in virtualized environment)
>> * the user accepts any host key of the remote host without validating its
>> authenticity
>>
>>
>> Solution:
>> =========
>> Instead of checking stale known_hosts file, provide a dynamic mechanism to
>> lookup and deliver the public ssh key of the remote host to the client and use
>> it for validation of the remote host identity. The dynamic mechanism would
>> imply that no action is needed from the user because the source of the
>> retrieved key is trusted.
>>
>>
>> Limitations:
>> ============
>> It is out of scope of this work to solve the problem in general. We propose a
>> solution for following use case:
>>
>> Client host is a managed host meaning that it has SSSD installed and it is
>> joined an IPA domain. It also has OpenSSH patched to interact with SSSD to get
>> the information about the remote host
>>
>> Other UNIX machines or Windows machines as SSH clients are out of the scope of
>> the current project. For the client hosts that can not be managed but can
>> access IPA via the standard LDAP tools we will provide documentation on how to
>> construct the content of the known_hosts file by querying LDAP server and
>> saving the results.
>>
>> The remote host can be a managed (joined IPA domain via SSSD) or an unmanaged
>> host. IPA server needs to provide a way to create entries for any managed and
>> unmanaged hosts and store public keys for those hosts in that entries.
>>
>> What would change in IPA:
>> =========================
>> * external host would have entries with the possibility of storing their
>> public keys
>> * new mechanism to work with keys through UI and CLI
>> * host key fingerprints would be stored in SSHFP DNS records for each host
>> joined in IPA domain
>>
>> What would change on the client:
>> ================================
>> * SSSD would fetch and cache host public keys from IPA
>> * joining to IPA domain would upload host public key
>> * ssh client would communicate with SSSD, probably through ssh-agent, to check
>> if the remote host is known
>>
>> It is still a question whether the solution is sufficient enough to address the
>> needs and pains of the real deployments or other technologies outside the
>> proposed should be used later (or instead).
>>
>> --
>> Thank you
>> Jan Zeleny
>>
>> Red Hat Software Engineer
>> Brno, Czech Republic
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

More information about the Freeipa-users mailing list