Re: [Freeipa-users] [Freeipa-devel] OpenSSH integration - known_hosts
On Tue, 2011-11-08 at 17:57 -0500, Dmitri Pal wrote:
> On 11/08/2011 02:56 PM, Dan Scott wrote:
> > Hi,
> >
> > This is a great feature. It feels like I'm always re-installing VMs and
> > having to remove old SSH keys and re-accept new ones.
> >
> > One feature I'd like is to have this working cross-realm. We have 2 IPA
> > realms here and it would be great if I could configure SSSD to check the
> > local realm if I'm SSHing to a local PC and to check the other IPA
> > server(s) if my SSH target is part of the other realm. Even better if it
> > could do this without explicit configuration.
> >
> > Do you think it would be possible to do this securely?
>
> When we start to support Cross Realm Kerberos Trusts for IPA to IPA I
> think this would be doable but then I do not think the ssh host keys
> will be used (needed).
> Simo, am I correct?

We do not have the GSSAPI key exchange patches in OpenSSH. With those the
ssh host key is not necessary when using GSSAPI auth, even in the same
realm.

But when you want to use ssh host keys, across realm kerberos trust is not
going to help.

In order to validate keys from different realms I guess we could use
DNSSEC where the signatures of one realm are trusted by the other. Then by
storing ssh host keys as DNS fields a different domain could still trust
those keys.

This works only for enrolled hosts though, I guess. Or at least only for
hosts in DNS domains that are controlled by IPA.

For hosts in other DNS domains we cannot distribute keys through DNS. If
that is necessary then we would have to define some sort of protocol to
allow fetching of keys from one domain to the other. We could use a
mechanism similar to what we will need to implement for sid2name
resolution for windows domain trusts. Where the IPA server becomes a proxy
to request host keys from other domains.

Bottom line, we can come up with something but it is not scoped yet. And
needs some more thinking so that we put in place something that scales
well.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] [Freeipa-devel] OpenSSH integration - known_hosts
On 11/08/2011 06:35 PM, Simo Sorce wrote:
> On Tue, 2011-11-08 at 17:57 -0500, Dmitri Pal wrote:
> > On 11/08/2011 02:56 PM, Dan Scott wrote:
> > > Hi,
> > >
> > > This is a great feature. It feels like I'm always re-installing VMs
> > > and having to remove old SSH keys and re-accept new ones.
> > >
> > > One feature I'd like is to have this working cross-realm. We have 2
> > > IPA realms here and it would be great if I could configure SSSD to
> > > check the local realm if I'm SSHing to a local PC and to check the
> > > other IPA server(s) if my SSH target is part of the other realm. Even
> > > better if it could do this without explicit configuration.
> > >
> > > Do you think it would be possible to do this securely?
> >
> > When we start to support Cross Realm Kerberos Trusts for IPA to IPA I
> > think this would be doable but then I do not think the ssh host keys
> > will be used (needed).
> > Simo, am I correct?
>
> We do not have the GSSAPI key exchange patches in OpenSSH. With those the
> ssh host key is not necessary when using GSSAPI auth, even in the same
> realm.
>
> But when you want to use ssh host keys, across realm kerberos trust is
> not going to help.
>
> In order to validate keys from different realms I guess we could use
> DNSSEC where the signatures of one realm are trusted by the other. Then
> by storing ssh host keys as DNS fields a different domain could still
> trust those keys.
>
> This works only for enrolled hosts though, I guess. Or at least only for
> hosts in DNS domains that are controlled by IPA.
>
> For hosts in other DNS domains we cannot distribute keys through DNS. If
> that is necessary then we would have to define some sort of protocol to
> allow fetching of keys from one domain to the other. We could use a
> mechanism similar to what we will need to implement for sid2name
> resolution for windows domain trusts. Where the IPA server becomes a
> proxy to request host keys from other domains.
>
> Bottom line, we can come up with something but it is not scoped yet. And
> needs some more thinking so that we put in place something that scales
> well.
>
> Simo.

Ok: https://fedorahosted.org/freeipa/ticket/2081

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] [Freeipa-devel] OpenSSH integration - known_hosts
Hi,

On Tue, Nov 8, 2011 at 18:35, Simo Sorce s...@redhat.com wrote:
> On Tue, 2011-11-08 at 17:57 -0500, Dmitri Pal wrote:
> > On 11/08/2011 02:56 PM, Dan Scott wrote:
> > > Hi,
> > >
> > > This is a great feature. It feels like I'm always re-installing VMs
> > > and having to remove old SSH keys and re-accept new ones.
> > >
> > > One feature I'd like is to have this working cross-realm. We have 2
> > > IPA realms here and it would be great if I could configure SSSD to
> > > check the local realm if I'm SSHing to a local PC and to check the
> > > other IPA server(s) if my SSH target is part of the other realm. Even
> > > better if it could do this without explicit configuration.
> > >
> > > Do you think it would be possible to do this securely?
> >
> > When we start to support Cross Realm Kerberos Trusts for IPA to IPA I
> > think this would be doable but then I do not think the ssh host keys
> > will be used (needed).
> > Simo, am I correct?
>
> We do not have the GSSAPI key exchange patches in OpenSSH. With those the
> ssh host key is not necessary when using GSSAPI auth, even in the same
> realm.
>
> But when you want to use ssh host keys, across realm kerberos trust is
> not going to help.

I don't quite understand this. What trust is required, other than the
cross-realm authentication of kerberos tickets? Surely each realm would
manage its own host keys. All I'm looking for is an authenticated
cross-realm key lookup so that my client can pre-cache entries in the
known_hosts file. Wouldn't this just be an LDAP lookup?

Dan
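Two mechanisms come up in the thread: Simo's idea of publishing host keys as DNS records (the standard record type for this is SSHFP, a fingerprint of the host's public key that a client compares against the key the server presents, with DNSSEC providing the cross-domain trust), and Dan's idea of fetching keys from a directory and pre-caching them as known_hosts entries. The script below is an added example written for this page, not FreeIPA or SSSD code; it shows both sides of that workflow: computing and checking SSHFP-style fingerprints for a presented host key, and turning a list of directory records into known_hosts lines. The sample key is constructed locally (a hash standing in for a real Ed25519 public key, wrapped in the SSH wire format), the DNS answer line is constructed from it, and the function and variable names are this example's own.

```python
import base64
import hashlib
import struct
from typing import List, Tuple

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by the
# key-type string that appears in known_hosts and in the wire blob.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE_SHA256 = 2  # fingerprint type 2 = SHA-256 of the raw key blob


def wire_key_type(blob: bytes) -> str:
    """Read the leading length-prefixed key-type string of an SSH public-key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("truncated key-type field")
    return blob[4:4 + length].decode("ascii")


def sshfp_record(pubkey_b64: str) -> Tuple[int, int, str]:
    """Return (algorithm, fptype, hex fingerprint) as an SSHFP RR would carry them."""
    blob = base64.b64decode(pubkey_b64, validate=True)
    algo = SSHFP_ALGORITHMS[wire_key_type(blob)]  # KeyError for unknown key types
    return algo, SSHFP_FPTYPE_SHA256, hashlib.sha256(blob).hexdigest()


def parse_sshfp_rr(rr_text: str) -> Tuple[str, int, int, str]:
    """Parse a presentation-format line 'owner [ttl] [IN] SSHFP algo fptype hex'."""
    fields = rr_text.split()
    if "SSHFP" not in fields:
        raise ValueError("not an SSHFP record")
    idx = fields.index("SSHFP")
    owner = fields[0].rstrip(".")
    algo, fptype, hexfp = fields[idx + 1:idx + 4]
    return owner, int(algo), int(fptype), hexfp.lower()


def key_matches_sshfp(pubkey_b64: str, records: List[Tuple[int, int, str]]) -> bool:
    """True if the presented key matches at least one SHA-256 SSHFP record.
    Only fptype 2 is accepted here; algorithm number and digest must both agree."""
    algo, fptype, fp = sshfp_record(pubkey_b64)
    return any(a == algo and t == fptype and f.lower() == fp for a, t, f in records)


def known_hosts_lines(records: List[Tuple[str, str, str]]) -> List[str]:
    """Turn (hostname, key_type, base64_key) records, e.g. from a directory lookup,
    into known_hosts lines, rejecting entries whose label disagrees with the blob."""
    lines = []
    for hostname, key_type, pubkey_b64 in records:
        blob = base64.b64decode(pubkey_b64, validate=True)
        if wire_key_type(blob) != key_type:
            raise ValueError(f"{hostname}: key type label does not match key blob")
        lines.append(f"{hostname} {key_type} {pubkey_b64}")
    return lines


# --- constructed sample data (not a real host key) -------------------------
def constructed_ed25519_blob(seed: bytes) -> bytes:
    """Build an SSH wire-format blob for a fake Ed25519 key: 32 bytes of SHA-256
    output stand in for the real public key point (length-prefixed, RFC 4253)."""
    fake_point = hashlib.sha256(seed).digest()
    return (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", len(fake_point)) + fake_point)


SAMPLE_HOST = "vm1.example.test"
SAMPLE_KEY_B64 = base64.b64encode(constructed_ed25519_blob(b"constructed-sample")).decode()
_algo, _fptype, _fp = sshfp_record(SAMPLE_KEY_B64)
# A DNS answer as it would be printed by a resolver, constructed from the sample key.
SAMPLE_SSHFP_RR = f"{SAMPLE_HOST}. 3600 IN SSHFP {_algo} {_fptype} {_fp}"


if __name__ == "__main__":
    owner, algo, fptype, hexfp = parse_sshfp_rr(SAMPLE_SSHFP_RR)
    print("SSHFP owner:", owner, "match:", key_matches_sshfp(SAMPLE_KEY_B64, [(algo, fptype, hexfp)]))
    for line in known_hosts_lines([(SAMPLE_HOST, "ssh-ed25519", SAMPLE_KEY_B64)]):
        print(line)
```

Note that the fingerprint in an SSHFP record is taken over the raw decoded key blob, not over the base64 text, and that the owner name in the DNS answer must be the name the client actually connected to; OpenSSH applies the same rules when `VerifyHostKeyDNS` is enabled, and without DNSSEC validation on the resolver path the record is no more trustworthy than an unauthenticated known_hosts entry.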