On 11/08/2011 02:56 PM, Dan Scott wrote: > Hi, > > This is a great feature. It feels like I'm always re-installing VMs > and having to remove old SSH keys and re-accept new ones. > > One feature I'd like is to have this working cross-realm. We have 2 > IPA realms here and it would be great if I could configure SSSD to > check the local realm if I'm SSHing to a local PC and to check the > other IPA server(s) if my SSH target is part of the other realm. Even > better if it could do this without explicit configuration. > > Do you think it would be possible to do this securely?
When we start to support Cross Realm Kerberos Trusts for IPA to IPA I think this would be doable but then I do not think the ssh host keys will be used (needed). Simo, am I correct? > Dan > > On Tue, Nov 8, 2011 at 12:38, Jan Zelenı <jzel...@redhat.com> wrote: >> Hello everyone, >> there is a new effort in IPA and SSSD teams and that is SSH key integration >> in >> both parts of SSSD-IPA infrastructure. We've put together some basic plans >> and >> now we would like to know your opinion. >> >> Note that this is just shortened version to make it easier to read. It >> doesn't >> contain every bit of information about the design. For full version see >> https://fedorahosted.org/freeipa/wiki/SSH-FreeIPA-Integration >> >> Problems: >> ========= >> * the known_hosts file becomes outdated as machines get new host keys (e.g. >> re- >> installed systems in virtualized environment) >> * the user accepts any host key of the remote host without validating its >> authenticity >> >> >> Solution: >> ========= >> Instead of checking stale known_hosts file, provide a dynamic mechanism to >> lookup and deliver the public ssh key of the remote host to the client and >> use >> it for validation of the remote host identity. The dynamic mechanism would >> imply that no action is needed from the user because the source of the >> retrieved key is trusted. >> >> >> Limitations: >> ============ >> It is out of scope of this work to solve the problem in general. We propose a >> solution for following use case: >> >> Client host is a managed host meaning that it has SSSD installed and it is >> joined an IPA domain. It also has OpenSSH patched to interact with SSSD to >> get >> the information about the remote host >> >> Other UNIX machines or Windows machines as SSH clients are out of the scope >> of >> the current project. For the client hosts that can not be managed but can >> access IPA via the standard LDAP tools we will provide documentation on how >> to >> construct the content of the known_hosts file by querying LDAP server and >> saving the results. >> >> The remote host can be a managed (joined IPA domain via SSSD) or an unmanaged >> host. IPA server needs to provide a way to create entries for any managed and >> unmanaged hosts and store public keys for those hosts in that entries. >> >> What would change in IPA: >> ========================= >> * external host would have entries with the possibility of storing their >> public keys >> * new mechanism to work with keys through UI and CLI >> * host key fingerprints would be stored in SSHFP DNS records for each host >> joined in IPA domain >> >> What would change on the client: >> ================================ >> * SSSD would fetch and cache host public keys from IPA >> * joining to IPA domain would upload host public key >> * ssh client would communicate with SSSD, probably through ssh-agent, to >> check >> if the remote host is known >> >> It is still a question whether the solution is sufficient enough to address >> the >> needs and pains of the real deployments or other technologies outside the >> proposed should be used later (or instead). >> >> -- >> Thank you >> Jan Zeleny >> >> Red Hat Software Engineer >> Brno, Czech Republic >> >> _______________________________________________ >> Freeipa-users mailing list >> freeipa-us...@redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > _______________________________________________ > Freeipa-devel mailing list > Freeipafirstname.lastname@example.org > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-devel mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-devel