From Fedora Project Wiki

Revision as of 14:15, 12 September 2012 by Jcholast (talk | contribs) (Added Koji link to sssd)


SSH public key management and OpenSSH integration.


  • Make sure you have SSSD 1.9.0beta7 or later installed (Koji build).
  • Install FreeIPA server with DNS on one machine, and FreeIPA client on another machine (see Basic installation tests).

How to test

Verify installation

First authenticate as admin:

user@server$ kinit admin

Verify that the host entry of has the correct SSH public keys set:

user@server$ ipa host-show --all
Host name:
Principal name: host/
SSH public key fingerprint: 5A:CE:70:8F:A3:AF:57:C1:D1:C0:C6:28:FC:D4:42:07 (ssh-dss), 76:2B:1F:98:1C:02:EE:29:43:C1:18:FD:75:57:36:8F (ssh-rsa)
Password: False
Keytab: True
Managed by:

user@server$ ssh-keygen -l -f /etc/ssh/
1024 5a:ce:70:8f:a3:af:57:c1:d1:c0:c6:28:fc:d4:42:07 (DSA)

user@server$ ssh-keygen -l -f /etc/ssh/
2048 76:2b:1f:98:1c:02:ee:29:43:c1:18:fd:75:57:36:8f (RSA)

The same procedure can be used to verify host public keys of

Verify that DNS SSHFP records were updated correctly:

user@server$ dig +short SSHFP
2 1 D017B7B96C1CF0DC9A9CC317AED198EBE61C8369
1 1 EEA71C381935401361301366B2E4E2627CB470CD

user@server$ ssh-keygen -r -f /etc/ssh/
IN SSHFP 2 1 d017b7b96c1cf0dc9a9cc317aed198ebe61c8369

user@server$ ssh-keygen -r -f /etc/ssh/
IN SSHFP 1 1 eea71c381935401361301366b2e4e2627cb470cd

Again, the same procedure can be used to verify DNS SSHFP records of
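Added example, not from the wiki page and not code from the FreeIPA or SSSD projects: a Python script that recomputes, from an OpenSSH public key line, the two values the checks above compare by eye, the MD5 colon fingerprint that ssh-keygen -l and ipa host-show print, and the SHA-1 SSHFP rdata that dig +short and ssh-keygen -r print, and then compares them against captured output. It serves both the host-key fingerprint check and the DNS SSHFP check. The sample key, host-show line and dig output it embeds are constructed (a made-up modulus, not a real key and not the keys shown on this page); function names such as check_host_keys and sample_outputs are the example's own.

```python
#!/usr/bin/env python3
# Added example (not from the wiki page or the FreeIPA/SSSD projects):
# recompute an OpenSSH public key's MD5 colon fingerprint (ssh-keygen -l,
# ipa host-show) and its SHA-1 SSHFP rdata (dig +short, ssh-keygen -r)
# and check them against captured command output.
import base64
import hashlib
import re
import struct

# RFC 4255 SSHFP algorithm numbers for the key types on the page, and
# fingerprint type 1 (SHA-1), which is what the dig output above shows.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2}
SSHFP_FPTYPE_SHA1 = 1


def parse_pubkey_line(line):
    """Return (keytype, raw key blob) from an 'ssh-rsa AAAA... comment' line.
    The type string embedded in the blob must agree with the leading word."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length].decode("ascii", "replace") != keytype:
        raise ValueError("key type word does not match the key blob")
    return keytype, blob


def md5_fingerprint(blob):
    """Colon-separated MD5 digest, the format ssh-keygen -l printed at the time."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sshfp_rdata(keytype, blob):
    """'<algorithm> <fptype> <hex>', the layout `dig +short ... SSHFP` prints."""
    return "%d %d %s" % (SSHFP_ALGORITHM[keytype], SSHFP_FPTYPE_SHA1,
                         hashlib.sha1(blob).hexdigest())


def fingerprints_from_host_show(text):
    """Map key type -> lowercase fingerprint from `ipa host-show` output."""
    match = re.search(r"SSH public key fingerprint:\s*(.+)", text)
    if not match:
        return {}
    pairs = re.findall(r"((?:[0-9A-Fa-f]{2}:){15}[0-9A-Fa-f]{2}) \((ssh-[a-z]+)\)",
                       match.group(1))
    return {keytype: fp.lower() for fp, keytype in pairs}


def check_host_keys(pubkey_lines, host_show_text, dig_short_text):
    """Per key: (keytype, fingerprint matches ipa host-show?, SSHFP RR present?)."""
    ipa_fps = fingerprints_from_host_show(host_show_text)
    rrs = {" ".join(l.split()).lower() for l in dig_short_text.splitlines() if l.strip()}
    results = []
    for line in pubkey_lines:
        keytype, blob = parse_pubkey_line(line)
        results.append((keytype,
                        ipa_fps.get(keytype) == md5_fingerprint(blob),
                        sshfp_rdata(keytype, blob) in rrs))
    return results


# --- constructed sample input (not a real key, not a key from the page) ---
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x):
    # Big-endian two's complement: a leading zero byte when the high bit is set.
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


# A syntactically valid ssh-rsa blob around a made-up 2048-bit odd modulus.
_SAMPLE_N = int.from_bytes(hashlib.sha256(b"constructed sample modulus").digest() * 8, "big") | 1
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(_SAMPLE_N)
SAMPLE_PUBKEY_LINE = "ssh-rsa %s root@sample.example" % base64.b64encode(SAMPLE_BLOB).decode()


def sample_outputs(pubkey_line):
    """Constructed `ipa host-show` and `dig +short` output consistent with the key."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    host_show = "  SSH public key fingerprint: %s (%s)\n" % (md5_fingerprint(blob).upper(), keytype)
    dig = sshfp_rdata(keytype, blob).upper() + "\n"
    return host_show, dig


if __name__ == "__main__":
    host_show, dig = sample_outputs(SAMPLE_PUBKEY_LINE)
    print(check_host_keys([SAMPLE_PUBKEY_LINE], host_show, dig))      # [('ssh-rsa', True, True)]
    stale = "1 1 " + "0" * 40 + "\n"                                  # DNS still holds an old record
    print(check_host_keys([SAMPLE_PUBKEY_LINE], host_show, stale))    # [('ssh-rsa', True, False)]
```

In practice you would pass the real /etc/ssh/*.pub lines together with the captured ipa host-show and dig +short output. A False in the second column means the key stored in the IPA host entry differs from the key on disk; a False in the third means no SSHFP record in DNS matches that key, which is what the dig step above is meant to catch.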

Public key management

Generate an SSH keypair and create a new FreeIPA user with the public key set:

user@server$ ssh-keygen -t rsa

user@server$ ipa user-add user --uid=$UID --first=User --last=Test --sshpubkey=`cat .ssh/`

Verify that the user entry has the correct SSH public key set:

user@server$ ipa user-show user
User login: user
First name: User
Last name: Test
Home directory: /home/user
Login shell: /bin/sh
UID: 1000
GID: 1000
Account disabled: False
SSH public key fingerprint: 38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04 (ssh-rsa)
Password: False
Member of groups: ipausers
Kerberos keys available: False

user@server$ ssh-keygen -l -f .ssh/
2048 38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04 (RSA)

You can experiment further with the ipa user-add, ipa user-mod, ipa host-add and ipa host-mod commands; all of them allow setting SSH public keys with the --sshpubkey option. Note that --sshpubkey sets the complete list of keys, so you can't use it to add or delete individual public keys of a user or host; use --addattr ipasshpubkey=... or --delattr ipasshpubkey=... for that instead.

OpenSSH integration

Now that public keys are set for both hosts and the user, you can try using ssh to log in remotely from to and vice versa:

user@server$ ssh user@client
user@client$ ssh user@server

Both of these commands should work without any warnings or errors and should NOT prompt for host identity verification or a password.

Expected Results

All the test steps should end with the specified results.