13.2.9. Configuring Services: OpenSSH and Cached Keys
known_hosts file or for the remote user in authorized_keys. Whenever that remote machine or user attempts to authenticate again, the local system checks the authorized_keys file first to see if that remote entity is recognized and trusted. If it is, then access is granted.
Each entry in the known_hosts file is a triplet of the machine name, its IP address, and its public key:
server.example.com,255.255.255.255 ssh-rsa AbcdEfg1234ZYX098776/AbcdEfg1234ZYX098776/AbcdEfg1234ZYX098776=
The known_hosts file can quickly become outdated for a number of different reasons: systems using DHCP cycle through IP addresses, new keys can be re-issued periodically, or virtual machines or services can be brought online and removed. Each of these changes the host name, IP address, and key triplet.
known_hosts file to maintain security. (Or system users get in the habit of accepting any machine and key presented, which negates the security benefits of key-based security.)
known_hosts file has not been updated uniformly.
Configuring OpenSSH to Use SSSD for Host Keys
~/.ssh/config) or a system-wide configuration file (/etc/ssh/ssh_config). The user file has precedence over the system settings, and the first obtained value for a parameter is used. The formatting and conventions for this file are covered in Chapter 14, OpenSSH.
sss_ssh_knownhostsproxy, which performs two operations:
- Asks SSSD to retrieve the public host key from the Identity Management server and store it in the
- Establishes a connection with the host machine, using either a socket (the default) or a proxy command.
sss_ssh_knownhostsproxy [-d sssd_domain] [-p ssh_port] HOST [PROXY_COMMAND]
Table 13.4. sss_ssh_knownhostsproxy Options

| Short Argument | Long Argument | Description |
|---|---|---|
| HOSTNAME | | Gives the host name of the host to check and connect to. In the OpenSSH configuration file, this can be a token, |
| PROXY_COMMAND | | Passes a proxy command to use to connect to the SSH client. This is similar to running |
| -d sssd_domain | --domain sssd_domain | Only searches for public keys in entries in the specified domain. If not given, SSSD searches for keys in all configured domains. |
| -p port | --port port | Uses this port to connect to the SSH client. By default, this is port 22. |
- Specify the command to use to connect to the SSH client (ProxyCommand). This is sss_ssh_knownhostsproxy, with the desired arguments and host name.
- Specify the location of the SSSD hosts file (
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
Configuring OpenSSH to Use SSSD for User Keys
sshd, directly from the output of the sss_ssh_authorizedkeys tool and are not stored in a file.
sshd to read a user's public keys from an external program, in this case the sss_ssh_authorizedkeys tool, use the AuthorizedKeysCommand directive in the
The sss_ssh_authorizedkeys tool can be used to acquire SSH public keys from the user entries in the Identity Management (IPA) domain and output them in OpenSSH authorized_keys format. The command has the following format:
sss_ssh_authorizedkeys [-d sssd_domain] USER
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandRunAs nobody

These and further options are documented in the sshd_config(5) man page. Note that the sshd service must be restarted for any changes to take effect.
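To verify that the host-key settings (ProxyCommand and GlobalKnownHostsFile in ssh_config) and the user-key settings (AuthorizedKeysCommand and AuthorizedKeysCommandRunAs in sshd_config) described above are actually in effect, here is an added example that is not code from Red Hat or the SSSD project: it parses the configuration files with OpenSSH's first-value-wins rule and flags missing or unsafe SSSD directives. The configuration fragments are constructed samples, and the check that the lookup command does not run as root is this example's own.

```python
"""Audit OpenSSH configs for the SSSD key-lookup directives on this page.
Added example (not Red Hat's or SSSD's code); sample configs are constructed."""
import re
from typing import Dict, List

SSSD_KNOWN_HOSTS = "/var/lib/sss/pubconf/known_hosts"

def parse_ssh_config(text: str) -> Dict[str, str]:
    """directive -> value, OpenSSH style: keywords are case-insensitive,
    '#' lines are comments, and the FIRST occurrence of a keyword wins."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[=\s]+", line, maxsplit=1)  # "Key value" / "Key=value"
        cfg.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return cfg

def check_host_keys(ssh_config: str) -> List[str]:
    """Client side (ssh_config): host keys must arrive via sss_ssh_knownhostsproxy."""
    cfg = parse_ssh_config(ssh_config)
    findings: List[str] = []
    proxy = cfg.get("proxycommand", "")
    if "sss_ssh_knownhostsproxy" not in proxy:
        findings.append("ProxyCommand does not invoke sss_ssh_knownhostsproxy")
    elif "%h" not in proxy:
        findings.append("ProxyCommand lacks the %h token; every session would proxy to one fixed host")
    if cfg.get("globalknownhostsfile") != SSSD_KNOWN_HOSTS:
        findings.append("GlobalKnownHostsFile is not " + SSSD_KNOWN_HOSTS)
    return findings

def check_user_keys(sshd_config: str) -> List[str]:
    """Server side (sshd_config): user keys via sss_ssh_authorizedkeys, run unprivileged."""
    cfg = parse_ssh_config(sshd_config)
    findings: List[str] = []
    if "sss_ssh_authorizedkeys" not in cfg.get("authorizedkeyscommand", ""):
        findings.append("AuthorizedKeysCommand does not invoke sss_ssh_authorizedkeys")
    run_as = cfg.get("authorizedkeyscommandrunas")  # upstream OpenSSH: AuthorizedKeysCommandUser
    if run_as in (None, "root"):
        findings.append("AuthorizedKeysCommandRunAs is unset or root; use an unprivileged account such as nobody")
    return findings

# Constructed samples: a correct client fragment, and a server fragment where the
# lookup runs as root (the later 'nobody' line is ignored because the first value wins).
GOOD_SSH_CONFIG = ("ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
                   "GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n")
BAD_SSHD_CONFIG = ("AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
                   "AuthorizedKeysCommandRunAs root\n"
                   "AuthorizedKeysCommandRunAs nobody\n")
```

Run check_host_keys over /etc/ssh/ssh_config (and, since it takes precedence, the user's ~/.ssh/config) and check_user_keys over /etc/ssh/sshd_config; an empty list means the SSSD directives are present as shown in this section.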