On (30/09/19 11:25), Lawrence Kearney wrote:
A question concerning the following SSSD directives:
ldap_user_ssh_public_key =
ldap_host_ssh_public_key =
Both default to "sshPublicKey" values, but other than the obvious stated use cases (in the directive names and man file entries) I feel I'm missing something concerning the "ldap_host_ssh_public_key" directive.
For example, using the default configuration, SSSD pulls down the public key(s) stored for a user in the "sshPublicKey" attribute using the "/usr/bin/sss_ssh_authorizedkeys" utility to facilitate access to a predetermined set of hosts.
What is the use case for the "ldap_host_ssh_public_key" directive? Is it somehow used to store the public key for a particular host (and why?), and does it have any relationship to the "/usr/bin/sss_ssh_knownhostsproxy" utility used to centralise (and distribute?) host keys?
Yes, this is used by the OpenSSH client, so you would not get the annoying question on the first connection.
e.g.
    sh$ ssh root@example.host.com
    The authenticity of host 'example.host.com (10.16.200.69)' can't be established.
    ECDSA key fingerprint is SHA256:9RlZb/DPjYlOC4dMWB5EZfU4lZ8aprJwkU1aRMAeuL0.
    Are you sure you want to continue connecting (yes/no/[fingerprint])?
SSSD can already get that info in a trusted way (TLS/GSSAPI) from the LDAP server. But it is mostly useful for FreeIPA, which automatically adds such entries to LDAP.
BTW sss_ssh_knownhostsproxy needs to be configured for the OpenSSH client (either /etc/$opensshdir/ssh_config or ~/.ssh/config, as ProxyCommand).
And sss_ssh_authorizedkeys needs to be configured on the OpenSSH server (/etc/$opensshdir/sshd_config, as AuthorizedKeysCommand).
LS
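The two configuration points named in the reply, as an added example that is not part of the thread and not SSSD's or OpenSSH's own code. It writes constructed sample sshd_config and ssh_config fragments with the directives the sss_ssh_authorizedkeys(1) and sss_ssh_knownhostsproxy(1) man pages document, then checks them with a small POSIX shell function; the hypothetical "bad" server config shows the common mistake of setting AuthorizedKeysCommand without AuthorizedKeysCommandUser, which sshd rejects. The temporary directory and file names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample configuration (not copied from the thread or from any
# real host): the lines the reply says sshd and the ssh client need in order
# to use the SSSD helpers.
TMPDIR_SSS=$(mktemp -d)
trap 'rm -rf "$TMPDIR_SSS"' EXIT

# Server side: sshd asks SSSD for the user's public keys (LDAP sshPublicKey
# via ldap_user_ssh_public_key) instead of reading ~/.ssh/authorized_keys only.
cat > "$TMPDIR_SSS/sshd_config" <<'EOF'
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF

# Hypothetical broken server config: AuthorizedKeysCommand without the
# mandatory AuthorizedKeysCommandUser. sshd refuses to start with this.
cat > "$TMPDIR_SSS/sshd_config.bad" <<'EOF'
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
EOF

# Client side: the proxy fetches the host key (LDAP entry selected by
# ldap_host_ssh_public_key) into SSSD's known_hosts before the TCP session is
# handed to ssh, so the "authenticity of host ... can't be established"
# prompt is replaced by a real check against a centrally managed key.
cat > "$TMPDIR_SSS/ssh_config" <<'EOF'
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
StrictHostKeyChecking yes
EOF

# has_directive FILE NAME VALUE_REGEX
# Succeeds when FILE has an uncommented NAME line whose value matches
# VALUE_REGEX (extended regex, case-insensitive like sshd's keyword parsing).
has_directive() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+$3" "$1" >/dev/null 2>&1
}

# Both directives must be present for sshd to accept the configuration.
check_sshd_config() {
    has_directive "$1" AuthorizedKeysCommand '/usr/bin/sss_ssh_authorizedkeys' &&
    has_directive "$1" AuthorizedKeysCommandUser '[^[:space:]]+'
}

# ProxyCommand alone is not enough: ssh also has to be told where SSSD
# writes the fetched host keys, otherwise the prompt still appears.
check_ssh_config() {
    has_directive "$1" ProxyCommand '/usr/bin/sss_ssh_knownhostsproxy' &&
    has_directive "$1" GlobalKnownHostsFile '/var/lib/sss/pubconf/known_hosts'
}

# Stand-alone run: report each sample file.
for f in sshd_config sshd_config.bad; do
    if check_sshd_config "$TMPDIR_SSS/$f"; then
        echo "$f: AuthorizedKeysCommand wiring complete"
    else
        echo "$f: incomplete (needs AuthorizedKeysCommand and AuthorizedKeysCommandUser)"
    fi
done
if check_ssh_config "$TMPDIR_SSS/ssh_config"; then
    echo "ssh_config: sss_ssh_knownhostsproxy wiring complete"
fi
```

On a live system the same checks can be run against the effective configuration with `sshd -T` and `ssh -G hostname`, which print the resolved values of these keywords after all includes and Match blocks are applied; the SSSD side additionally needs the `ssh` responder listed in `services` in sssd.conf, or both helpers return nothing.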