[Freeipa-users] Certificate and key problems in Linux

nathan at nathanpeters.com nathan at nathanpeters.com
Fri Mar 20 23:41:03 UTC 2015


> On 03/20/2015 04:51 PM, nathan at nathanpeters.com wrote:
>> I have FreeIPA installed on several types of Linux machines and they are
>> all experiencing strange issues with certificates and host keys.
>> Here is the setup:
>>
>> Server : FreeIPA 4.1.2 on CentOS 7
>> Client 1&2 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on CentOS 6.5
>> Client 3&4 : FreeIPA 4.1.2-1.el7 on CentOS 7
>>
>>
>> First, the FreeIPA clients running client 3.0.0 do not seem to be
>> properly getting their host keys from the server.  Whenever I ssh from
>> one client to another (or even to the IPA server itself) I am prompted
>> to answer yes or no to the host key.  The host keys are both listed in
>> the host record if I log in to the domain controller web interface (and
>> match what is on the server), and the DNS SSHFP records exist also.
>>
>> # sss_ssh_authorizedkeys --debug 10 admin
>> (Fri Mar 20 13:43:52:706986 2015) [sss_ssh_authorizedkeys] [main]
>> (0x0020): sss_ssh_get_ent() failed (2): No such file or directory
>> Error looking up public keys
>
> It seems that you might be missing the integration between sssd and ssh.
> Can you please check your configuration as described here:
> http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
>

Actually, this was the problem:

I had added the following line to the [sssd] section of sssd.conf:
[sssd]
default_domain_suffix = addomain.net

The reason I had added this is because our business asked if our Active
Directory trusted users can be allowed to log in without entering their
FQDN.  Setting default_domain_suffix allows them to just log in as
'aduser' instead of 'aduser@addomain.net'.

However, this apparently breaks host key checking.  Turning the sssd
debug level up to 9 revealed that it was appending the default_domain_suffix
value to all hostnames (fully qualified or not) before asking FreeIPA for
their host keys:

(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next]
(0x0400): Requesting SSH host public keys for
[ipaclient1-sandbox-atdev-van.ipadomain.net@addomain.net]
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400):
No such host

So, 2 more questions:
1. Is this a bug?

2. If it is not a bug or is expected behavior, is there a way to both
A) Have AD users able to log in as 'aduser' instead of 'aduser@addomain.net'
AND
B) Still get host key checking working properly?
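The failure mode described in the message above, as an added example that is not part of the original thread and not sssd's own code: a small model of the lookup the debug log shows, where the [sssd] default_domain_suffix value is appended to the host name before the host-key query, so an already fully qualified name no longer matches the host entry. The sssd.conf fragments and the host-key table are constructed for the demonstration; the only real piece is the sssd.conf syntax, which stock configparser reads as shown.

```python
"""Model of the host-key lookup behaviour reported in the thread.

Added example: not from the mailing list post and not sssd's implementation.
It reproduces the symptom the debug log shows (suffix appended to every
hostname) against a constructed host table, and checks an sssd.conf for
the setting that triggers it.
"""
import configparser

# Constructed sssd.conf fragments (not real files); values are illustrative.
SSSD_CONF_WITH_SUFFIX = """
[sssd]
services = nss, pam, ssh
domains = ipadomain.net
default_domain_suffix = addomain.net
"""

SSSD_CONF_WITHOUT_SUFFIX = """
[sssd]
services = nss, pam, ssh
domains = ipadomain.net
"""

# Constructed stand-in for the host entries FreeIPA holds, keyed by FQDN.
# The key strings are placeholders, not real public keys.
HOST_KEYS = {
    "ipaclient1-sandbox-atdev-van.ipadomain.net": "ssh-rsa AAAA...client1",
    "ipaserver.ipadomain.net": "ssh-ed25519 AAAA...server",
}


def default_domain_suffix(conf_text):
    """Return the [sssd] default_domain_suffix value, or None if it is unset."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("sssd", "default_domain_suffix", fallback=None)


def name_requested(hostname, suffix):
    """Name used for the host-key query.

    Models what the debug log shows: the suffix is appended even when the
    hostname is already fully qualified.
    """
    if suffix is None:
        return hostname
    return f"{hostname}@{suffix}"


def lookup_host_keys(hostname, conf_text, host_db=HOST_KEYS):
    """Simulated host-key lookup; None mirrors the 'No such host' result."""
    requested = name_requested(hostname, default_domain_suffix(conf_text))
    return host_db.get(requested)


def check_conf(conf_text):
    """Return a warning if default_domain_suffix is set, else None.

    A quick pre-check an admin can run before chasing ssh host-key prompts.
    """
    suffix = default_domain_suffix(conf_text)
    if suffix is None:
        return None
    return (f"[sssd] default_domain_suffix = {suffix}: host-key lookups "
            f"will request '<host>@{suffix}' and miss FQDN host entries")


if __name__ == "__main__":
    host = "ipaclient1-sandbox-atdev-van.ipadomain.net"
    for label, conf in (("with suffix", SSSD_CONF_WITH_SUFFIX),
                        ("without suffix", SSSD_CONF_WITHOUT_SUFFIX)):
        print(label, "->", lookup_host_keys(host, conf), "|", check_conf(conf))
```

Run stand-alone, the script shows the lookup succeeding only when the suffix is absent; point check_conf at the text of a real /etc/sssd/sssd.conf to see whether a host has the setting at all.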
