[Freeipa-users] Certificate and key problems in Linux

Dmitri Pal dpal at redhat.com
Fri Mar 20 23:43:21 UTC 2015


On 03/20/2015 07:41 PM, nathan at nathanpeters.com wrote:
>> On 03/20/2015 04:51 PM, nathan at nathanpeters.com wrote:
>>> I have FreeIPA installed on several types of Linux machines and they are
>>> all experiencing strange issues with certificates and host keys.
>>> Here is the setup:
>>>
>>> Server : FreeIPA 4.1.2 on Centos 7
>>> Client 1&2 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on CentOS
>>> 6.5
>>> Client 3&4 : FreeIPA 4.1.2-1.el7 on Centos 7
>>>
>>>
>>> First the FreeIPA clients running client 3.0.0 do not seem to be
>>> properly
>>> getting their host keys from the server.  Whenever I ssh from one client
>>> to another (or even to the IPA server itself) I am prompted to answer
>>> yes
>>> or no to the host key.  The host keys are both listed in the host record
>>> if I login to the domain controller web interface (and match what is on
>>> the server), and the DNS SSHFP records exist also.
>>>
>>> # sss_ssh_authorizedkeys --debug 10 admin
>>> (Fri Mar 20 13:43:52:706986 2015) [sss_ssh_authorizedkeys] [main]
>>> (0x0020): sss_ssh_get_ent() failed (2): No such file or directory
>>> Error looking up public keys
>> It seems that you might be missing the integration between sssd and ssh.
>> Can you please check your configuration as described here:
>> http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
>>
> Actually this was the problem :
>
> I had added the following line to the [sssd] section of sssd.conf :
> [sssd]
> default_domain_suffix = addomain.net
>
> The reason I had added this is because our business asked if our active
> directory trusted users can be allowed to login without entering their
> fqdn.  Setting the default_domain_suffix allows them to just login as
> 'aduser' instead of 'aduser at addomain.net'.
>
> However, this apparently breaks host key checking.  Turning debugging on
> the sssd up to 9 revealed that it was appending the default_domain_suffix
> line to all hostnames (fully qualified and not) before asking FreeIPA for
> their host keys:
>
> (Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next]
> (0x0400): Requesting SSH host public keys for
> [ipaclient1-sandbox-atdev-van.ipadomain.net at addomain.net]
> (Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400):
> No such host
>
> So 2 more questions:
> 1. Is this a bug?
>
> 2. If it is not a bug or is expected behavior, is there a way to both
> A) Have ad users able to login as 'aduser' instead of 'aduser at addomain.net'
> AND
> B) Still get host key checking working properly?
>
>
Probably a bug.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
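The thread pins the broken host-key lookups on `default_domain_suffix` in the `[sssd]` section: with that option set and the ssh responder running, sssd appends the suffix to every hostname before asking FreeIPA for its SSH keys, and the lookup then misses. The script below is an added example (not code from the thread, from sssd or from FreeIPA) that a defender can run before rolling that setting out: it flags the risky combination in an `sssd.conf` and, given sssd_ssh debug output, lists the host-key requests where the suffix was tacked onto a hostname. The `sssd.conf` text and the log lines are constructed to mirror what the poster describes; the real log prints `host@suffix`, while the list archive rendered `@` as ` at `, so both spellings are accepted.

```python
"""Spot the default_domain_suffix / SSH host-key lookup clash described in the thread.

Added example, not from the thread or the sssd project.  The config and the
log lines are constructed to match the behaviour the poster reported.
"""
import configparser
import re
from typing import List, Optional, Tuple

# Constructed sssd.conf fragment modelled on the setting the poster added.
SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
domains = ipadomain.net
default_domain_suffix = addomain.net

[ssh]

[domain/ipadomain.net]
id_provider = ipa
"""

# Constructed sssd_ssh debug lines in the shape quoted in the thread.
SSSD_SSH_LOG = [
    "(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): "
    "Requesting SSH host public keys for "
    "[ipaclient1-sandbox-atdev-van.ipadomain.net@addomain.net]",
    "(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): "
    "No such host",
]

# Matches the responder's host-key request and captures the name it asked for.
HOSTKEY_REQ = re.compile(
    r"\[ssh_host_pubkeys_search_next\].*"
    r"Requesting SSH host public keys for \[([^\]]+)\]"
)


def load_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text (INI style, no value interpolation)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def default_domain_suffix(cp: configparser.ConfigParser) -> Optional[str]:
    """Return the [sssd] default_domain_suffix value, or None if unset."""
    return cp.get("sssd", "default_domain_suffix", fallback=None)


def ssh_responder_enabled(cp: configparser.ConfigParser) -> bool:
    """True when 'ssh' is listed in [sssd] services."""
    services = cp.get("sssd", "services", fallback="")
    return "ssh" in [s.strip() for s in services.split(",")]


def config_findings(cp: configparser.ConfigParser) -> List[str]:
    """Flag the combination the thread identifies as breaking host-key checks."""
    findings = []
    suffix = default_domain_suffix(cp)
    if suffix and ssh_responder_enabled(cp):
        findings.append(
            f"default_domain_suffix={suffix} is set while the ssh responder is "
            "enabled; host-key lookups will carry the suffix and miss in FreeIPA"
        )
    return findings


def suffixed_host_lookups(log_lines: List[str], suffix: str) -> List[Tuple[str, str]]:
    """Return (name_requested, bare_hostname) for lookups where the suffix was appended."""
    hits = []
    for line in log_lines:
        m = HOSTKEY_REQ.search(line)
        if not m:
            continue
        requested = m.group(1)
        # Real logs use '@'; the mailing-list archive shows ' at '.
        for sep in ("@", " at "):
            marker = sep + suffix
            if requested.endswith(marker):
                hits.append((requested, requested[: -len(marker)]))
                break
    return hits


if __name__ == "__main__":
    conf = load_sssd_conf(SSSD_CONF)
    for finding in config_findings(conf):
        print("CONFIG:", finding)
    suffix = default_domain_suffix(conf) or ""
    for requested, bare in suffixed_host_lookups(SSSD_SSH_LOG, suffix):
        print(f"LOG: sssd asked for [{requested}] instead of [{bare}]")
```

Run it against a real `/etc/sssd/sssd.conf` and `/var/log/sssd/sssd_ssh.log` by reading those files into `SSSD_CONF` and `SSSD_SSH_LOG`; the hit list tells you exactly which name sssd sent to the IPA server, which is the evidence to attach when filing the bug Dmitri suspects.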



