> On 03/20/2015 04:51 PM, nat...@nathanpeters.com wrote:
>> I have FreeIPA installed on several types of Linux machines and they are
>> all experiencing strange issues with certificates and host keys.
>> Here is the setup:
>> Server : FreeIPA 4.1.2 on Centos 7
>> Client 1&2 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on CentOS
>> 6.5
>> Client 3&4 : FreeIPA 4.1.2-1.el7 on Centos 7
>> First the FreeIPA clients running client 3.0.0 do not seem to be
>> properly
>> getting their host keys from the server.  Whenever I ssh from one client
>> to another (or even to the IPA server itself) I am prompted to answer
>> yes
>> or no to the host key.  The host keys are both listed in the host record
>> if I login to the domain controller web interface (and match what is on
>> the server), and the DNS SSHFP records exist also.
>> # sss_ssh_authorizedkeys --debug 10 admin
>> (Fri Mar 20 13:43:52:706986 2015) [sss_ssh_authorizedkeys] [main]
>> (0x0020): sss_ssh_get_ent() failed (2): No such file or directory
>> Error looking up public keys
> It seems that you might be missing the integration between sssd and ssh.
> Can you please check you configuration as described here:
> http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf

Actually this was the problem :

I had added the following line to the [sssd] section of sssd.conf :
default_domain_suffix = addomain.net

The reason I had added this is because our business asked if our active
directory trusted users can be allowed to login without entering their
fqdn.  Setting the default_domain_suffix allows them to just login as
'aduser' instead of 'adu...@addomain.net'.

However, this apparently breaks host key checking.  Turning debugging on
the sssd up to 9 revealed that it was appending the default_domain_suffix
line to all hostnames (fully qualified and not) before asking FreeIPA for
their host keys:

(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next]
(0x0400): Requesting SSH host public keys for
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400):
No such host

So 2 more questions:
1. Is this a bug?

2. If it is not a bug or is expected behavior, is there a way to both
A) Have ad users able to login as 'aduser' instead of 'adu...@addomain.net'
B) Still get host key checking working properly?

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to