[RFE] Support for SSH Hostbased Authentication #5069
Comments
This RFE should be open against

Meanwhile, besides the workaround proposed in a comment here, another workaround was proposed in a mail thread:

Hi @alexey-tikhonov, I can't understand why it should be open against

PS: It's not the same as Host Based Access Control (HBAC); that's another feature.

Hi @viniciusferrao,

If I understand correctly,

Let me put it the other way round: how do you imagine this RFE implementation? What does this ("allow sshd to fetch connecting client public keys from SSSD") mean for SSSD?

Dear Contributor/User,

Recognizing the importance of addressing enhancements, bugs, and issues for the SSSD project's quality and reliability, we also need to consider our long-term goals and resource constraints. After thoughtful consideration, regrettably, we are unable to address this request at this time. To avoid any misconception, we're closing it; however, we encourage continued collaboration and contributions from anyone interested. We apologize for any inconvenience and appreciate your understanding of our resource limitations. While you're welcome to open a new issue (or reopen this one), immediate attention may not be guaranteed due to competing priorities. Thank you once again for sharing your feedback. We look forward to ongoing collaboration to deliver the best possible solutions, supporting in any way we can.

Best regards,

See:

I'm not sure if this would help achieving hostbased authentication.

@viniciusferrao, on the client the proxy command will run the sssd proxy; in your command the missing part was `GlobalKnownHostsFile`.

You said at https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/VBGBIAZD7CNS7L3DL7JZKWS676DK6YOW/ that you forgot the `GlobalKnownHostsFile`.
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/4106

Hello, I'm extensively using FreeIPA and SSSD with SSH support. One of the features missing from SSSD is proper support for Hostbased Authentication.

As discussed on the FreeIPA mailing list, we've mapped the missing parts for this RFE: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/BJBRN4R7VL7ZL5D6GA2GLFYMX7XW72XW/

Basically, to set up Hostbased Authentication, the SSH daemon and client expect some configuration and features.

On the server side:

- `/etc/ssh/sshd_config` must set `HostbasedAuthentication yes`.
- `/etc/ssh/ssh_known_hosts` must be populated with all the public host keys of the connecting clients.
- `/etc/ssh/shosts.equiv` must contain all the hosts allowed to connect from. So in my case, since I'm using FreeIPA, I can just put a netgroup there and everything is fine.

On the client side:

- `/etc/ssh/ssh_config` must set `HostbasedAuthentication yes` and `EnableSSHKeysign yes`.

So it's basically this; everything works as expected, but only one thing breaks, since it's not supported by SSSD. And it's on the server part: the `/etc/ssh/ssh_known_hosts` file.

When a client connects to the server, the server reads this file, and only this file, to check the client public keys. Since the file does not exist, it does not work. But we are aware that SSSD generates a dynamic `known_hosts` file at `/var/lib/sss/pubconf/known_hosts`, and if I simply create a symbolic link from this file to `/etc/ssh/ssh_known_hosts`, everything works as expected. The server allows the client to join in using Hostbased Authentication.

This did the trick:

    ln -s /var/lib/sss/pubconf/known_hosts /etc/ssh/ssh_known_hosts

But we still have one problem open, which is the generation of the `/var/lib/sss/pubconf/known_hosts` file. This file is generated when an SSH client tries to connect to another server, and only then does the dynamic `known_hosts` file start to get populated. When using Hostbased Authentication this file isn't populated yet, and since only the SSH client can request this file to be populated, the server does not know any key during the connection from a client.

To sum things up: the SSH daemon (sshd) should be able to request from SSSD the host keys of the client trying to connect to it, and then populate the list of hosts. Without this, Hostbased Authentication just fails.

That's the RFE: allow `sshd` to fetch connecting client public keys from SSSD and feed `/var/lib/sss/pubconf/known_hosts`. The symbolic link can be done manually without any problem as part of the basic configuration.

Comments
Comment from abbra at 2020-02-17 14:37:10

Would it help adding a systemd drop-in file to your sshd.service?

Something like

Then `systemctl daemon-reload` and `systemctl restart sshd`. Of course, you need the sshd configuration to be updated, but this way you ensure there is a link and we request the file to be created by SSSD.

Comment from thalman at 2020-03-13 15:26:01
Metadata Update from @thalman:
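The issue body lists three server-side prerequisites for hostbased authentication (the `HostbasedAuthentication` setting, the client's key in `/etc/ssh/ssh_known_hosts`, and an entry in `/etc/ssh/shosts.equiv`), and abbra's comment suggests ensuring the symlink to SSSD's known_hosts from an sshd.service drop-in whose contents are not on the page. The following script is an added example, not code from the issue or from the SSSD project: it checks those three prerequisites for a given client host against files passed as parameters, and provides an idempotent version of the author's `ln -s` suitable for an `ExecStartPre=` line. The sample files in `demo`, the host names, the key material and the netgroup name are all constructed; netgroup membership and hashed or `@`-marker known_hosts lines are not evaluated.

```shell
#!/bin/sh
# Added example (not from the issue or the SSSD project): server-side
# preflight for SSH hostbased authentication. Paths are parameters so the
# checks run against constructed files; defaults are the real paths from
# the thread.

# check_hostbased_auth SSHD_CONFIG KNOWN_HOSTS SHOSTS_EQUIV CLIENT_HOST
# Returns 0 when every prerequisite holds for CLIENT_HOST, 1 otherwise.
check_hostbased_auth() {
    sshd_config=$1; known_hosts=$2; shosts_equiv=$3; client=$4
    rc=0

    # 1. sshd uses the first HostbasedAuthentication it sees; keywords are
    #    case-insensitive and '#' starts a comment. Match blocks are not
    #    interpreted here.
    if ! awk 'tolower($1) == "hostbasedauthentication" { found = 1; v = tolower($2); exit }
              END { exit (found && v == "yes") ? 0 : 1 }' "$sshd_config" 2>/dev/null; then
        echo "FAIL: HostbasedAuthentication is not 'yes' in $sshd_config"
        rc=1
    fi

    # 2. sshd looks the client up in the system known_hosts only, so the
    #    client's host key must already be there (the issue symlinks this
    #    file to SSSD's /var/lib/sss/pubconf/known_hosts). Hashed entries
    #    and '@' marker lines (e.g. @cert-authority) are skipped.
    if [ -r "$known_hosts" ] && awk -v h="$client" '
            $1 !~ /^[#@|]/ { n = split($1, a, ","); for (i = 1; i <= n; i++) if (a[i] == h) { found = 1; exit } }
            END { exit found ? 0 : 1 }' "$known_hosts"; then
        :
    else
        echo "FAIL: no host key for $client in $known_hosts" \
             "(SSSD only fills its known_hosts when a local ssh client connects out)"
        rc=1
    fi

    # 3. shosts.equiv must name the client, directly or via a netgroup;
    #    netgroup membership is resolved through NSS (SSSD) at runtime and
    #    cannot be verified offline here.
    if grep -qxF "$client" "$shosts_equiv" 2>/dev/null; then
        :
    elif grep -q '^+@' "$shosts_equiv" 2>/dev/null; then
        echo "NOTE: $shosts_equiv uses netgroup(s); membership of $client is resolved by NSS at runtime"
    else
        echo "FAIL: $client is not listed in $shosts_equiv"
        rc=1
    fi
    return $rc
}

# link_sssd_known_hosts [TARGET] [LINK]
# Idempotent form of the issue author's
#   ln -s /var/lib/sss/pubconf/known_hosts /etc/ssh/ssh_known_hosts
# usable as an ExecStartPre= in an sshd.service drop-in (assumed shape;
# the drop-in from abbra's comment is not on the page).
link_sssd_known_hosts() {
    target=${1:-/var/lib/sss/pubconf/known_hosts}
    link=${2:-/etc/ssh/ssh_known_hosts}
    if [ -L "$link" ] && [ "$(readlink "$link")" = "$target" ]; then
        return 0                      # already correct, nothing to do
    fi
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "refusing to replace regular file $link" >&2
        return 1                      # never clobber a real known_hosts
    fi
    rm -f "$link" && ln -s "$target" "$link"
}

# Demo on constructed files (not real system files).
demo() {
    d=$(mktemp -d)
    printf 'Port 22\nHostbasedAuthentication yes\n' > "$d/sshd_config"
    printf 'client1.example.test,10.0.0.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER\n' > "$d/known_hosts"
    printf '+@ipa-ssh-clients\n' > "$d/shosts.equiv"
    for host in client1.example.test client2.example.test; do
        if check_hostbased_auth "$d/sshd_config" "$d/known_hosts" "$d/shosts.equiv" "$host"; then
            echo "OK:   $host could use hostbased auth"
        else
            echo "FAIL: $host cannot (expected for client2: its key was never fetched)"
        fi
    done
    rm -rf "$d"
}
demo
```

On a real server the call is `check_hostbased_auth /etc/ssh/sshd_config /etc/ssh/ssh_known_hosts /etc/ssh/shosts.equiv client.example.test`; the second check is the one that fails in the situation the issue describes, because SSSD's known_hosts is only written by the client-side `sss_ssh_knownhostsproxy` (the `ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h` plus `GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts` pair documented in sss_ssh_knownhostsproxy(1), which is the `GlobalKnownHostsFile` the later comment says was missing).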