On (30/09/19 11:25), Lawrence Kearney wrote:
> A question concerning the following SSSD directives:
>
> ldap_user_ssh_public_key =
> ldap_host_ssh_public_key =
>
> Both default to "sshPublicKey" values, but other than the obvious stated use cases (in the directive names and man file entries) I feel I'm missing something concerning the "ldap_host_ssh_public_key" directive.
>
> For example, using the default configuration, SSSD pulls down the public key(s) stored for a user in the "sshPublicKey" attribute using the "/usr/bin/sss_ssh_authorizedkeys" utility, to facilitate access to a predetermined set of hosts.
>
> What is the use case for the "ldap_host_ssh_public_key" directive? Is it somehow used to store the public key for a particular host (and why?) and does it have any relationship to the "/usr/bin/sss_ssh_knownhostsproxy" utility used to centralise (and distribute?) host keys?
Yes, this is used by the OpenSSH client, so you would not get the annoying question on the first connection, e.g.

    sh$ ssh [email protected]
    The authenticity of host 'example.host.com (10.16.200.69)' can't be established.
    ECDSA key fingerprint is SHA256:9RlZb/DPjYlOC4dMWB5EZfU4lZ8aprJwkU1aRMAeuL0.
    Are you sure you want to continue connecting (yes/no/[fingerprint])?

SSSD can already get that info in a trusted way (TLS/GSSAPI) from the LDAP server. But it is mostly useful for FreeIPA, which automatically adds such entries to LDAP.

BTW, sss_ssh_knownhostsproxy needs to be configured for the OpenSSH client (either /etc/$opensshdir/ssh_config or ~/.ssh/config, as ProxyCommand), and sss_ssh_authorizedkeys needs to be configured on the OpenSSH server (/etc/$opensshdir/sshd_config; AuthorizedKeysCommand).

LS
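The two configuration points named in the reply, written out as an added example; this is not text from the thread or from the SSSD project. It assumes a stock OpenSSH layout under /etc/ssh with drop-in directories, the SSSD helpers in /usr/bin, an unprivileged "nobody" account, and an illustrative domain example.com; the drop-in file names are assumptions. The security point is that the client side replaces trust-on-first-use for managed hosts with a host key fetched through SSSD's authenticated LDAP connection, while the server side makes sshd fetch the user's keys from the same directory instead of from a file the user controls.

```sshconfig
# --- Client side: /etc/ssh/ssh_config.d/50-sssd.conf (or ~/.ssh/config) ---
# Scope to the managed domain (assumed name) so unmanaged hosts are untouched.
Host *.example.com
    # sss_ssh_knownhostsproxy asks SSSD for the host entry's sshPublicKey
    # (the attribute named by ldap_host_ssh_public_key), writes it to the
    # SSSD known_hosts file, then relays the raw TCP connection to %h:%p.
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
    # ssh must be told to read the file the proxy populates; without this
    # line the lookup happens but ssh never consults it and prompts anyway.
    # (This directive replaces the default list; append /etc/ssh/ssh_known_hosts
    # if you still rely on a locally maintained file.)
    GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
    # Keep the default "ask": a host whose key is absent from LDAP still
    # prompts rather than being silently trusted.
    StrictHostKeyChecking ask

# --- Server side: /etc/ssh/sshd_config.d/50-sssd.conf ---
# sshd runs this helper as AuthorizedKeysCommandUser and treats its stdout as
# an authorized_keys file; the helper returns the user's sshPublicKey values
# (the attribute named by ldap_user_ssh_public_key) obtained through SSSD.
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
# Mandatory: sshd refuses to start with AuthorizedKeysCommand set but no user.
AuthorizedKeysCommandUser nobody
```

To confirm the client picks the settings up, run `ssh -G somehost.example.com` and look for the proxycommand and globalknownhostsfile lines in the dump; on the server, `sshd -T` shows the effective authorizedkeyscommand, and `sss_ssh_authorizedkeys USERNAME` run by hand should print the same keys sshd will see. After one successful login the host's entry should appear in /var/lib/sss/pubconf/known_hosts. Newer OpenSSH releases (8.5 and later) also offer a KnownHostsCommand option, and recent SSSD versions ship a matching sss_ssh_knownhosts helper; check the man pages of your SSSD version before settling on the ProxyCommand approach.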
