Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RFE] Support for SSH Hostbased Authentication #5069

Closed
sssd-bot opened this issue May 2, 2020 · 7 comments
Closed

[RFE] Support for SSH Hostbased Authentication #5069

sssd-bot opened this issue May 2, 2020 · 7 comments
Assignees
@alexey-tikhonov
Labels
Candidate to close Future milestone

Comments

@sssd-bot
Copy link

sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/4106

Hello, I'm extensively using FreeIPA and SSSD with SSH support. One of the features missing from SSSD is proper support for Hostbased Authentication.

As discussed on the FreeIPA mailing list we've mapped the missing parts for this RFE: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/BJBRN4R7VL7ZL5D6GA2GLFYMX7XW72XW/

Basically to setup Hostbased Authentication, the SSH daemon and client expects some configurations and features.

On the server side:

  1. /etc/ssh/sshd_config must set HostbasedAuthentication yes.
  2. /etc/ssh/ssh_known_hosts must be populated with all the public hosts keys from the connecting clients.
  3. /etc/ssh/shosts.equiv must contains all the hosts allowed to connect from. So in my case, since I'm using FreeIPA, I can just put a netgroup and everything is fine.

On the client side:

  1. /etc/ssh/ssh_config must set HostbasedAuthentication yes and EnableSSHKeysign yes

So it's basically this, everything works as expected, but only one thing breaks, since it's not supported by SSSD. And it's on the server part: the /etc/ssh/ssh_known_hosts file.

When a client connects to the server, the server read this file, and only this file, to check the client public keys. Since the file does not exists it does not work. But we are aware that SSSD generates a dynamic known_hosts file on /var/lib/sss/pubconf/known_hosts, and if I simply create a symbolic link to this file to /etc/ssh/ssh_known_hosts everything works as expected. The server allows the client to join in using Hostbased Authentication.

This made the trick: ln -s /var/lib/sss/pubconf/known_hosts /etc/ssh/ssh_known_hosts

But we have only one problem open, which is the generation of the /var/lib/sss/pubconf/known_hosts file. This file is generated when a SSH client tries to connect to another server, and then the dynamic known_hosts file starts to get populated. When using Hostbased Authentication this file isn't populated yet, and since only the SSH client can request this file to be populated, the server does not known any key during the connection from a client.

To sum things up. The SSH daemon (sshd) should be able to require from SSSD the host keys from the client trying to connect to him. And them populating the list of hosts. Without this, Hostbased Authentication just fails.

That's the RFE: allow sshd fetch connecting client public keys from SSSD and feed the /var/lib/sss/pubconf/known_hosts. The symbolic link can be done manually without any problem as part of the basic configuration.

Comments

Comment from abbra at 2020-02-17 14:37:10

Would it help adding a systemd drop-in file to your sshd.service?
Something like

# /etc/systemd/system/sshd.service.d/hba.conf
[Service]
ExecCondition=/bin/sh -c "test -f /var/lib/sss/pubconf/known_hosts || /usr/bin/sss_ssh_knownhostsproxy -k `hostname` 2>//dev/null"
ExecCondition=/bin/sh -c "test -h /etc/ssh/ssh_known_hosts || test -f /etc/ssh/ssh_known_hosts || ln -s /var/lib/sss/pubconf/known_hosts /etc/ssh/ssh_known_hosts"

Then systemctl daemon-reload and systemctl restart sshd. Of course, you need sshd configuration to be updated but this way you ensure there is a link and we request the file to be created from SSSD.

Comment from thalman at 2020-03-13 15:26:01

Metadata Update from @thalman:

  • Issue tagged with: Future milestone
@alexey-tikhonov
Copy link
Member

That's the RFE: allow sshd fetch connecting client public keys from SSSD

This RFE should be open against sshd in a first place.
It's just out of SSSD hands.

Meanwhile, besides workaround proposed in a comment here, another workaround was proposed in a mail thread:

As a workaround you can create a cron job which calls
'sss_ssh_knownhostsproxy -k client.ipa.domain' for all expected clients
on a regular basis to refresh the keys.

@alexey-tikhonov alexey-tikhonov closed this as not planned Won't fix, can't repro, duplicate, stale Jul 12, 2023
@viniciusferrao
Copy link

Hi @alexey-tikhonov I can't understand why it should be open against sshd first. sshd already supports Hostbased Authentication out of the box. What am I missing here? I may be ignorant on this matter but it always worked.

PS: It's not the same as Host Based Access Control (HBAC), that's another feature.

@alexey-tikhonov
Copy link
Member

Hi @viniciusferrao,

I can't understand why it should be open against sshd first

If I understand correctly, sshd doesn't have means to be configured to execute SSSD helper process to fetch keys.

Let me put it other way round: how do you imagine this RFE implementation? What does this - to "allow sshd fetch connecting client public keys from SSSD" - mean for SSSD?

@andreboscatto
Copy link
Contributor

Dear Contributor/User,

Recognizing the importance of addressing enhancements, bugs, and issues for the SSSD project's quality and reliability, we also need to consider our long-term goals and resource constraints.

After thoughtful consideration, regrettably, we are unable to address this request at this time. To avoid any misconception, we're closing it; however, we encourage continued collaboration and contributions from anyone interested.

We apologize for any inconvenience and appreciate your understanding of our resource limitations. While you're welcome to open a new issue (or reopen this one), immediate attention may not be guaranteed due to competing priorities.

Thank you once again for sharing your feedback. We look forward to ongoing collaboration to deliver the best possible solutions, supporting in any way we can.

Best regards,
André Boscatto

@andreboscatto andreboscatto closed this as not planned Won't fix, can't repro, duplicate, stale Nov 20, 2023
@bastien-roucaries
Copy link

See:
https://www.burnison.ca/notes/managing-ssh-known-hosts-with-sssd-and-ldap
Host *.example.com
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts

@viniciusferrao
Copy link

See: https://www.burnison.ca/notes/managing-ssh-known-hosts-with-sssd-and-ldap Host *.example.com ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts

I'm not sure if this would help achieving hostbased authentication.

@bastien-roucaries
Copy link

@viniciusferrao on client the proxy command will run the sssd proxy in your command the missing part was GlobalKnownHostsFile

Host *.example.com
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
    GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts

You said at https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/VBGBIAZD7CNS7L3DL7JZKWS676DK6YOW/, you forget the GlobalKnownHostsFile

Because it appears to be a requirement. Unfortunately SSH does not look
at /var/lib/sss/pubconf/known_hosts:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alexey-tikhonov alexey-tikhonov

Labels
Candidate to close Future milestone
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@viniciusferrao @bastien-roucaries @andreboscatto @alexey-tikhonov @sssd-bot