A question concerning the following SSSD directives:
ldap_user_ssh_public_key =
ldap_host_ssh_public_key =
Both default to "sshPublicKey" values, but other than the obvious stated use cases (in the directive names and man file entries) I feel I'm missing something concerning the "ldap_host_ssh_public_key" directive.
For example, using the default configuration, SSSD pulls down the public key(s) stored for a user in the "sshPublicKey" attribute using the "/usr/bin/sss_ssh_authorizedkeys" utility to facilitate access to a predetermined set of hosts.
What is the use case for the "ldap_host_ssh_public_key" directive? Is it somehow used to store the public key for a particular host (and why?), and does it have any relationship to the "/usr/bin/sss_ssh_knownhostsproxy" utility used to centralise (and distribute?) host keys?
Any info would be most useful and as always, thank you!
-- lawrence
On Mon, Sep 30, 2019 at 11:25:13AM -0400, Lawrence Kearney wrote:
> A question concerning the following SSSD directives:
> ldap_user_ssh_public_key =
> ldap_host_ssh_public_key =
> Both default to "sshPublicKey" values, but other than the obvious stated use cases (in the directive names and man file entries) I feel I'm missing something concerning the "ldap_host_ssh_public_key" directive.
> For example, using the default configuration, SSSD pulls down the public key(s) stored for a user in the "sshPublicKey" attribute using the "/usr/bin/sss_ssh_authorizedkeys" utility to facilitate access to a predetermined set of hosts.
> What is the use case for the "ldap_host_ssh_public_key" directive? Is it somehow used to store the public key for a particular host (and why?), and does it have any relationship to the "/usr/bin/sss_ssh_knownhostsproxy" utility used to centralise (and distribute?) host keys?
Yes, please see man sss_ssh_knownhostsproxy for details. Additionally there are slides describing this feature at https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf. Although the slides are for FreeIPA, the feature itself is not specific to FreeIPA but can be used with other LDAP servers as well.
HTH
bye, Sumit
> Any info would be most useful and as always, thank you!
> -- lawrence
> -- Lawrence Kearney
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Sumit, I did see the freeIPA slide deck. It had some good info but seemed a bit dated. I'll look into the referenced man file as well.
-- lawrence
On Mon, Sep 30, 2019, 11:38 AM Sumit Bose sbose@redhat.com wrote:
> On Mon, Sep 30, 2019 at 11:25:13AM -0400, Lawrence Kearney wrote:
>> A question concerning the following SSSD directives:
>> ldap_user_ssh_public_key =
>> ldap_host_ssh_public_key =
>> Both default to "sshPublicKey" values, but other than the obvious stated use cases (in the directive names and man file entries) I feel I'm missing something concerning the "ldap_host_ssh_public_key" directive.
>> For example, using the default configuration, SSSD pulls down the public key(s) stored for a user in the "sshPublicKey" attribute using the "/usr/bin/sss_ssh_authorizedkeys" utility to facilitate access to a predetermined set of hosts.
>> What is the use case for the "ldap_host_ssh_public_key" directive? Is it somehow used to store the public key for a particular host (and why?), and does it have any relationship to the "/usr/bin/sss_ssh_knownhostsproxy" utility used to centralise (and distribute?) host keys?
> Yes, please see man sss_ssh_knownhostsproxy for details. Additionally there are slides describing this feature at https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf . Although the slides are for FreeIPA, the feature itself is not specific to FreeIPA but can be used with other LDAP servers as well.
> HTH
> bye, Sumit
>> Any info would be most useful and as always, thank you!
>> -- lawrence
>> -- Lawrence Kearney
On (30/09/19 11:25), Lawrence Kearney wrote:
> A question concerning the following SSSD directives:
> ldap_user_ssh_public_key =
> ldap_host_ssh_public_key =
> Both default to "sshPublicKey" values, but other than the obvious stated use cases (in the directive names and man file entries) I feel I'm missing something concerning the "ldap_host_ssh_public_key" directive.
> For example, using the default configuration, SSSD pulls down the public key(s) stored for a user in the "sshPublicKey" attribute using the "/usr/bin/sss_ssh_authorizedkeys" utility to facilitate access to a predetermined set of hosts.
> What is the use case for the "ldap_host_ssh_public_key" directive? Is it somehow used to store the public key for a particular host (and why?), and does it have any relationship to the "/usr/bin/sss_ssh_knownhostsproxy" utility used to centralise (and distribute?) host keys?
Yes, this is used by the OpenSSH client, so you would not get the annoying question on the first connection,
e.g.
sh$ ssh root@example.host.com
The authenticity of host 'example.host.com (10.16.200.69)' can't be established.
ECDSA key fingerprint is SHA256:9RlZb/DPjYlOC4dMWB5EZfU4lZ8aprJwkU1aRMAeuL0.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
SSSD can already get that info in a trusted way (TLS/GSSAPI) from the LDAP server. But it is mostly useful for FreeIPA, which automatically adds such entries to LDAP.
BTW sss_ssh_knownhostsproxy needs to be configured for the OpenSSH client (either /etc/$opensshdir/ssh_config or ~/.ssh/config, as ProxyCommand).
And sss_ssh_authorizedkeys needs to be configured on the OpenSSH server (/etc/$opensshdir/sshd_config, AuthorizedKeysCommand).
LS
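Editor's note, added to this thread and not part of any message above or of SSSD itself. The wiring LS describes is, per the sss_ssh_knownhostsproxy and sss_ssh_authorizedkeys man pages: on the client, "ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h" together with "GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts" in ssh_config; on the server, "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys" with "AuthorizedKeysCommandUser nobody" in sshd_config; and "ssh" in the services list of sssd.conf. The security point worth spelling out is that the host keys SSSD writes into that known_hosts file are only as trustworthy as the LDAP channel they came from, so with a plain LDAP provider make sure ldap_tls_cacert is set and ldap_tls_reqcert = demand (or use GSSAPI), otherwise anyone who can tamper with the LDAP connection can hand your clients a host key of their choosing and defeat the very check the proxy is replacing. Two further caveats: hashing the hostnames (ssh_hash_known_hosts) only hides which hosts the file covers, it does not authenticate anything; and newer SSSD releases (2.10 and later) deprecate sss_ssh_knownhostsproxy in favour of sss_ssh_knownhosts driven by the OpenSSH KnownHostsCommand option, so check the man pages of the version you run.

The following example, written for this thread and not taken from SSSD, models what the proxy does with the values read from the attribute named by ldap_host_ssh_public_key: it turns per-host keys into known_hosts lines, in plain and in OpenSSH's hashed "|1|salt|hmac" form, and then looks a host up the way the ssh client does, by recomputing the HMAC-SHA1 over the candidate hostname with the stored salt. The hostnames and key blobs are constructed sample data, not real keys.

```python
"""Render and check an OpenSSH known_hosts file from per-host SSH public keys.

Added example for this thread, not code from SSSD.  It models what
sss_ssh_knownhostsproxy does with the values SSSD reads from the LDAP
attribute named by ldap_host_ssh_public_key: the keys become known_hosts
entries (hashed when ssh_hash_known_hosts is on), so the OpenSSH client
never has to ask "Are you sure you want to continue connecting?".
"""
import base64
import hashlib
import hmac
import os

# Constructed sample data: the sshPublicKey value(s) on two host objects.
# A host may carry several keys, one per key type.  The blobs are not real keys.
HOST_KEYS = {
    "example.host.com": [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleEd25519KeyDataOnlyForTesting00 root@example",
        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBExampleEcdsa root@example",
    ],
    "other.host.com": [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtherHostEd25519KeyDataOnlyForTest000 root@other",
    ],
}

HASH_MAGIC = "|1|"  # OpenSSH marker for a hashed hostname field


def hash_hostname(hostname, salt):
    """Return OpenSSH's hashed host field: |1|<b64 salt>|<b64 HMAC-SHA1(salt, hostname)>."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "{}{}|{}".format(
        HASH_MAGIC,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def hashed_entry_matches(hostpart, hostname):
    """Check a |1|salt|hash field against hostname by recomputing the HMAC with its salt."""
    try:
        salt_b64, _ = hostpart[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(hash_hostname(hostname, salt), hostpart)


def render_known_hosts(host_keys, hash_hosts=True, salt_fn=os.urandom):
    """Write one known_hosts line per (host, key).

    With hash_hosts=True every line gets its own fresh 20-byte salt, like
    'ssh-keygen -H', so the file does not reveal which hosts it covers.
    The key comment from LDAP is dropped; only key type and data are kept.
    """
    lines = []
    for hostname, keys in sorted(host_keys.items()):
        for key in keys:
            fields = key.split()
            if len(fields) < 2:
                raise ValueError("malformed public key for %s: %r" % (hostname, key))
            keytype, keydata = fields[0], fields[1]
            hostpart = hash_hostname(hostname, salt_fn(20)) if hash_hosts else hostname
            lines.append("%s %s %s" % (hostpart, keytype, keydata))
    return "\n".join(lines) + "\n"


def find_host_keys(known_hosts_text, hostname):
    """Return [(keytype, keydata)] recorded for hostname, as the ssh client looks them up."""
    found = []
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # blank, comment, or @cert-authority/@revoked marker (not modelled here)
        fields = line.split()
        if len(fields) < 3:
            continue
        hostpart, keytype, keydata = fields[0], fields[1], fields[2]
        if hostpart.startswith(HASH_MAGIC):
            matched = hashed_entry_matches(hostpart, hostname)
        else:
            matched = hostname in hostpart.split(",")  # a plain entry may list several names
        if matched:
            found.append((keytype, keydata))
    return found


def host_key_is_known(known_hosts_text, hostname, keytype, keydata):
    """True if the key a server presented is one of the keys recorded for hostname."""
    return (keytype, keydata) in find_host_keys(known_hosts_text, hostname)


if __name__ == "__main__":
    text = render_known_hosts(HOST_KEYS)
    print(text, end="")
    print(find_host_keys(text, "example.host.com"))
```

Running the module prints a hashed file and then the two keys recovered for example.host.com; pass hash_hosts=False to render_known_hosts to see the plain form that is easier to diff against what ssh-keyscan reports from the host itself, which is a useful cross-check that the keys in LDAP are really the keys the hosts are serving.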