Chapter 48. Managing public SSH keys for users and hosts

SSH (Secure Shell) is a protocol which provides secure communications between two systems using a client-server architecture. SSH allows users to log in to server host systems remotely and also allows one host machine to access another machine.

48.1. About the SSH key format

IdM accepts the following two SSH key formats:

  • OpenSSH-style key
  • Raw RFC 4253-style key

Note that IdM automatically converts RFC 4253-style keys into OpenSSH-style keys before saving them into the IdM LDAP server.

The IdM server can identify the type of key, such as an RSA or DSA key, from the uploaded key blob. In a key file such as ~/.ssh/known_hosts, a key entry is identified by the hostname and IP address of the server, its type, and the key. For example: 

host.example.com,1.2.3.4 ssh-rsa AAA...ZZZ==

This is different from a user public key entry, which has the elements in the order type key== comment: 

"ssh-rsa ABCD1234...== ipaclient.example.com"

A key file, such as id_rsa.pub, consists of three parts: the key type, the key, and an additional comment or identifier. When uploading a key to IdM, you can upload all three key parts or only the key. If you only upload the key, IdM automatically identifies the key type, such as RSA or DSA, from the uploaded key.

If you use the host public key entry from the ~/.ssh/known_hosts file, you must reorder it to match the format of a user key, type key== comment: 

ssh-rsa AAA...ZZZ== host.example.com,1.2.3.4

IdM can determine the key type automatically from the content of the public key. The comment is optional, to make identifying individual keys easier. The only required element is the public key blob.

IdM uses public keys stored in the following OpenSSH-style files:

  • Host public keys are in the known_hosts file.
  • User public keys are in the authorized_keys file.

Additional resources

48.2. About IdM and OpenSSH

During an IdM server or client installation, as part of the install script:

  • An OpenSSH server and client is configured on the IdM client machine.
  • SSSD is configured to store and retrieve user and host SSH keys in cache. This allows IdM to serve as a universal and centralized repository of SSH keys.

If you enable the SSH service during the client installation, an RSA key is created when the SSH service is started for the first time.

Note

When you run the ipa-client-install install script to add the machine as an IdM client, the client is created with two SSH keys, RSA and DSA.

As part of the installation, you can configure the following:

  • Configure OpenSSH to automatically trust the IdM DNS records where the key fingerprints are stored using the --ssh-trust-dns option.
  • Disable OpenSSH and prevent the install script from configuring the OpenSSH server using the --no-sshd option.
  • Prevent the host from creating DNS SSHFP records with its own DNS entries using the --no-dns-sshfp option.

If you do not configure the server or client during installation, you can manually configure SSSD later. For information on how to manually configure SSSD, see Configuring SSSD to Provide a Cache for the OpenSSH Services. Note that caching SSH keys by SSSD requires administrative privileges on the local machines.

48.3. Generating SSH keys

You can generate an SSH key by using the OpenSSH ssh-keygen utility.

Procedure

  1. To generate an RSA SSH key, run the following command: 

    $ ssh-keygen -t rsa -C user@example.com
Generating public/private rsa key pair.

    Note if generating a host key, replace user@example.com with the required hostname, such as server.example.com,1.2.3.4.

  2. Specify the file where you are saving the key or press enter to accept the displayed default location. 

    Enter file in which to save the key (/home/user/.ssh/id_rsa):

    Note if generating a host key, save the key to a different location than the user’s ~/.ssh/ directory so you do not overwrite any existing keys. for example, /home/user/.ssh/host_keys.

  3. Specify a passphrase for your private key or press enter to leave the passphrase blank. 

    Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ONxjcMX7hJ5zly8F8ID9fpbqcuxQK+ylVLKDMsJPxGA user4@example.com
The key's randomart image is:
+---[RSA 3072]----+
|         ..o     |
|         .o +    |
|     E. .  o =   |
|    ..o=  o . +  |
|      +oS. = + o.|
|    . .o .* B =.+|
|     o + . X.+.= |
|      + o o.*+. .|
|       .   o=o . |
+----[SHA256]-----+

    To upload this SSH key, use the public key string stored in the displayed file.

48.4. Managing public SSH keys for hosts

OpenSSH uses public keys to authenticate hosts. One machine attempts to access another machine and presents its key pair. The first time the host authenticates, the administrator on the target machine has to approve the request manually. The machine then stores the host’s public key in a known_hosts file. Any time that the remote machine attempts to access the target machine again, the target machine checks its known_hosts file and then grants access automatically to approved hosts.

48.4.1. Uploading SSH keys for a host using the IdM Web UI

Identity Management allows you to upload a public SSH key to a host entry. OpenSSH uses public keys to authenticate hosts.

Prerequisites

  • Administrator privileges for managing the IdM Web UI or User Administrator role.

Procedure

  1. You can retrieve the key for your host from a ~/.ssh/known_hosts file. For example: 

    server.example.com,1.2.3.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApvjBvSFSkTU0WQW4eOweeo0DZZ08F9Ud21xlLy6FOhzwpXFGIyxvXZ52+siHBHbbqGL5+14N7UvElruyslIHx9LYUR/pPKSMXCGyboLy5aTNl5OQ5EHwrhVnFDIKXkvp45945R7SKYCUtRumm0Iw6wq0XD4o+ILeVbV3wmcB1bXs36ZvC/M6riefn9PcJmh6vNCvIsbMY6S+FhkWUTTiOXJjUDYRLlwM273FfWhzHK+SSQXeBp/zIn1gFvJhSZMRi9HZpDoqxLbBB9QIdIw6U4MIjNmKsSI/ASpkFm2GuQ7ZK9KuMItY2AoCuIRmRAdF8iYNHBTXNfFurGogXwRDjQ==

    You can also generate a host key. See Generating SSH keys.

  2. Copy the public key from the key file. The full key entry has the form host name,IP type key==. Only the key== is required, but you can store the entire entry. To use all elements in the entry, rearrange the entry so it has the order type key== [host name,IP]. 

    cat /home/user/.ssh/host_keys.pub
ssh-rsa AAAAB3NzaC1yc2E...tJG1PK2Mq++wQ== server.example.com,1.2.3.4
  3. Log into the IdM Web UI.
  4. Go to the Identity>Hosts tab.
  5. Click the name of the host to edit.
  6. In the Host Settings section, click the SSH public keys Add button.
  7. Paste the public key for the host into the SSH public key field.
  8. Click Set.
  9. Click Save at the top of the IdM Web UI window.

Verification

  • Under the Hosts Settings section, verify the key is listed under SSH public keys.

48.4.2. Uploading SSH keys for a host using the IdM CLI

Identity Management allows you to upload a public SSH key to a host entry. OpenSSH uses public keys to authenticate hosts. Host SSH keys are added to host entries in IdM, when the host is created using host-add or by modifying the entry later.

Note RSA and DSA host keys are created by the ipa-client-install command, unless the SSH service is explicitly disabled in the installation script.

Prerequisites

  • Administrator privileges for managing IdM or User Administrator role.

Procedure

  1. Run the host-mod command with the --sshpubkey option to upload the base64-encoded public key to the host entry.

    Because adding a host key changes the DNS Secure Shell fingerprint (SSHFP) record for the host, use the --updatedns option to update the host’s DNS entry. For example: 

    $ ipa host-mod --sshpubkey="ssh-rsa RjlzYQo==" --updatedns host1.example.com

    A real key also usually ends with an equal sign (=) but is longer.

  2. To upload more than one key, enter multiple --sshpubkey command-line parameters: 

    --sshpubkey="RjlzYQo==" --sshpubkey="ZEt0TAo=="
    Note

    A host can have multiple public keys.

  3. After uploading the host keys, configure SSSD to use Identity Management as one of its identity domains and set up OpenSSH to use the SSSD tools for managing host keys, covered in Configuring SSSD to Provide a Cache for the OpenSSH Services.

Verification

  • Run the ipa host-show command to verify that the SSH public key is associated with the specified host: 

    $ ipa host-show client.ipa.test
...
SSH public key fingerprint: SHA256:qGaqTZM60YPFTngFX0PtNPCKbIuudwf1D2LqmDeOcuA
                              client@IPA.TEST (ssh-rsa)
...

48.4.3. Deleting SSH keys for a host using the IdM Web UI

You can remove the host keys once they expire or are no longer valid. Follow the steps below to remove an individual host key by using the IdM Web UI.

Prerequisites

  • Administrator privileges for managing the IdM Web UI or Host Administrator role.

Procedure

  1. Log into the IdM Web UI.
  2. Go to the Identity>Hosts tab.
  3. Click the name of the host to edit.
  4. Under the Host Settings section, click Delete next to the SSH public key you want to remove.
  5. Click Save at the top of the page.

Verification

  • Under the Host Settings section, verify the key is no longer listed under SSH public keys.

48.4.4. Deleting SSH keys for a host using the IdM CLI

You can remove the host keys once they expire or are no longer valid. Follow the steps below to remove an individual host key by using the IdM CLI.

Prerequisites

  • Administrator privileges for managing the IdM CLI or Host Administrator role.

Procedure

  • To delete all SSH keys assigned to a host account, add the --sshpubkey option to the ipa host-mod command without specifying any key: 

    $ kinit admin
$ ipa host-mod --sshpubkey= --updatedns host1.example.com

    Note that it is good practice to use the --updatedns option to update the host’s DNS entry.

IdM determines the key type automatically from the key, if the type is not included in the uploaded key.

Verification

  • Run the ipa host-show command to verify that the SSH public key is no longer associated with the specified host: 

    ipa host-show client.ipa.test
  Host name: client.ipa.test
  Platform: x86_64
  Operating system: 4.18.0-240.el8.x86_64
  Principal name: host/client.ipa.test@IPA.TEST
  Principal alias: host/client.ipa.test@IPA.TEST
  Password: False
  Member of host-groups: ipaservers
  Roles: helpdesk
  Member of netgroups: test
  Member of Sudo rule: test2
  Member of HBAC rule: test
  Keytab: True
  Managed by: client.ipa.test, server.ipa.test
  Users allowed to retrieve keytab: user1, user2, user3

48.5. Managing public SSH keys for users

Identity Management allows you to upload a public SSH key to a user entry. The user who has access to the corresponding private SSH key can use SSH to log into an IdM machine without using Kerberos credentials. Note that users can still authenticate by providing their Kerberos credentials if they are logging in from a machine where their private SSH key file is not available.

48.5.1. Uploading SSH keys for a user using the IdM Web UI

Identity Management allows you to upload a public SSH key to a user entry. The user who has access to the corresponding private SSH key can use SSH to log into an IdM machine without using Kerberos credentials.

Prerequisites

  • Administrator privileges for managing the IdM Web UI or User Administrator role.

Procedure

  1. Log into the IdM Web UI.
  2. Go to the Identity>Users tab.
  3. Click the name of the user to edit.
  4. In the Account Settings section, click the SSH public keys Add button.
  5. Paste the Base 64-encoded public key string into the SSH public key field.
  6. Click Set.
  7. Click Save at the top of the IdM Web UI window.

Verification

  • Under the Accounts Settings section, verify the key is listed under SSH public keys.

48.5.2. Uploading SSH keys for a user using the IdM CLI

Identity Management allows you to upload a public SSH key to a user entry. The user who has access to the corresponding private SSH key can use SSH to log into an IdM machine without using Kerberos credentials.

Prerequisites

  • Administrator privileges for managing the IdM CLI or User Administrator role.

Procedure

  1. Run the ipa user-mod command with the --sshpubkey option to upload the base64-encoded public key to the user entry. 

    $ ipa user-mod user --sshpubkey="ssh-rsa AAAAB3Nza...SNc5dv== client.example.com"

    Note in this example you upload the key type, the key, and the hostname identifier to the user entry.

  2. To upload multiple keys, use --sshpubkey multiple times. For example, to upload two SSH keys: 

    --sshpubkey="AAAAB3Nza...SNc5dv==" --sshpubkey="RjlzYQo...ZEt0TAo="

  3. To use command redirection and point to a file that contains the key instead of pasting the key string manually, use the following command: 

    ipa user-mod user --sshpubkey="$(cat ~/.ssh/id_rsa.pub)" --sshpubkey="$(cat ~/.ssh/id_rsa2.pub)"

Verification

  • Run the ipa user-show command to verify that the SSH public key is associated with the specified user: 

    $ ipa user-show user
User login: user
  First name: user
  Last name: user
  Home directory: /home/user
  Login shell: /bin/sh
  Principal name: user@IPA.TEST
  Principal alias: user@IPA.TEST
  Email address: user@ipa.test
  UID: 1118800019
  GID: 1118800019
  SSH public key fingerprint: SHA256:qGaqTZM60YPFTngFX0PtNPCKbIuudwf1D2LqmDeOcuA
                              user@IPA.TEST (ssh-rsa)
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Subordinate ids: 3167b7cc-8497-4ff2-ab4b-6fcb3cb1b047
  Kerberos keys available: False

48.5.3. Deleting SSH keys for a user using the IdM Web UI

Follow this procedure to delete an SSH key from a user profile in the IdM Web UI.

Prerequisites

  • Administrator privileges for managing the IdM Web UI or User Administrator role.

Procedure

  1. Log into the IdM Web UI.
  2. Go to the Identity>Users tab.
  3. Click the name of the user to edit.
  4. Under the Account Settings section, under SSH public key, click Delete next to the key you want to remove.
  5. Click Save at the top of the page.

Verification

  • Under the Account Settings section, verify the key is no longer listed under SSH public keys.

48.5.4. Deleting SSH keys for a user using the IdM CLI

Follow this procedure to delete an SSH key from a user profile by using the IdM CLI.

Prerequisites

  • Administrator privileges for managing the IdM CLI or User Administrator role.

Procedure

  1. To delete all SSH keys assigned to a user account, add the --sshpubkey option to the ipa user-mod command without specifying any key: 

    $ ipa user-mod user --sshpubkey=
  2. To only delete a specific SSH key or keys, use the --sshpubkey option to specify the keys you want to keep, omitting the key you are deleting.

Verification

  • Run the ipa user-show command to verify that the SSH public key is no longer associated with the specified user: 

    $ ipa user-show user
User login: user
  First name: user
  Last name: user
  Home directory: /home/user
  Login shell: /bin/sh
  Principal name: user@IPA.TEST
  Principal alias: user@IPA.TEST
  Email address: user@ipa.test
  UID: 1118800019
  GID: 1118800019
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Subordinate ids: 3167b7cc-8497-4ff2-ab4b-6fcb3cb1b047
  Kerberos keys available: False