From Fedora Project Wiki

Description

Verify FreeIPA's SSH public key management (host keys, user keys and the DNS SSHFP records derived from them) on machines that were joined to a FreeIPA domain with realmd.

Setup

  1. If you have not already done so, run through the test case to join the domain.

How to test

Note: all examples below run either on the server or on the client; the prompt shows which one:

user@server$
user@client$

Verify installation

First authenticate as admin:

user@server$ kinit admin

Verify that the host entry of server.ipa.example.org has the correct SSH public keys set:

user@server$ ipa host-show server.ipa.example.org --all
Host name: server.ipa.example.org
Principal name: host/server.ipa.example.org@IPA.EXAMPLE.ORG
SSH public key fingerprint: 5A:CE:70:8F:A3:AF:57:C1:D1:C0:C6:28:FC:D4:42:07 (ssh-dss), 76:2B:1F:98:1C:02:EE:29:43:C1:18:FD:75:57:36:8F (ssh-rsa)
Password: False
Keytab: True
Managed by: server.ipa.example.org

user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
1024 5a:ce:70:8f:a3:af:57:c1:d1:c0:c6:28:fc:d4:42:07 (DSA)

user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 76:2b:1f:98:1c:02:ee:29:43:c1:18:fd:75:57:36:8f (RSA)

The same procedure can be used to verify the host public keys of client.ipa.example.org. Note that current versions of ssh-keygen print SHA256 fingerprints by default; pass -E md5 (ssh-keygen -l -E md5 -f ...) to get the colon-separated MD5 form shown by ipa host-show, and compare the two case-insensitively.

Verify that the DNS SSHFP records for the client were updated correctly. dig prints the fingerprint in uppercase hex and ssh-keygen -r in lowercase; the algorithm number (1 = RSA, 2 = DSA), the fingerprint type (1 = SHA-1) and the digest itself must match:

user@client$ dig +short client.ipa.example.org SSHFP
2 1 D017B7B96C1CF0DC9A9CC317AED198EBE61C8369
1 1 EEA71C381935401361301366B2E4E2627CB470CD

user@client$ ssh-keygen -r client.ipa.example.org -f /etc/ssh/ssh_host_dsa_key.pub
client.ipa.example.org IN SSHFP 2 1 d017b7b96c1cf0dc9a9cc317aed198ebe61c8369

user@client$ ssh-keygen -r client.ipa.example.org -f /etc/ssh/ssh_host_rsa_key.pub
client.ipa.example.org IN SSHFP 1 1 eea71c381935401361301366b2e4e2627cb470cd

Public key management

Generate an SSH keypair and create a new FreeIPA user with the public key set. The key is passed as one line in OpenSSH public key format, so the contents of the .pub file are substituted into the argument:

user@server$ ssh-keygen -t rsa

user@server$ ipa user-add sshuser --first=SSH --last=User --sshpubkey="$(cat .ssh/id_rsa.pub)"

Verify that the user entry has the correct SSH public key set:

user@server$ ipa user-show sshuser
User login: sshuser
First name: SSH
Last name: User
Home directory: /home/sshuser
Login shell: /bin/sh
UID: 12345678
GID: 12345678
Account disabled: False
SSH public key fingerprint: 38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04 user@server.ipa.example.org (ssh-rsa)
Password: False
Member of groups: ipausers
Kerberos keys available: False

user@server$ ssh-keygen -l -f .ssh/id_rsa.pub
2048 38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04 user@server.ipa.example.org (RSA)

Generate another SSH keypair on client.ipa.example.org:

user@client$ ssh-keygen -t rsa

user@client$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.org

Add the public key to sshuser:

user@server$ ipa user-mod sshuser --addattr ipasshpubkey='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.org'

You can experiment further with the ipa user-add, ipa user-mod, ipa host-add and ipa host-mod commands; all of them accept SSH public keys in OpenSSH authorized_keys format (see man sshd) through the --sshpubkey option. Note that --sshpubkey replaces all public keys of the user or host with the new value(s). To add or delete a single public key without touching the others, use --addattr ipasshpubkey=... or --delattr ipasshpubkey=... instead.
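The fingerprints shown by ipa host-show / ipa user-show, the output of ssh-keygen -l and -r, and the SSHFP rdata returned by dig are all derived from the same thing: the base64-decoded key blob. The following script is an added example for this test case (not code from FreeIPA, SSSD or the Fedora wiki) that recomputes those values offline, so the "Verify installation" checks above can be done without trusting the tools' formatting, and a key line can be validated before it is stored with --sshpubkey or --addattr ipasshpubkey. It uses only the Python standard library; the embedded key is the one added to sshuser above, and the hostnames and function names are this example's own.

```python
"""Offline check of the SSH key values FreeIPA prints and publishes.

Added example, not code from FreeIPA, SSSD or the Fedora wiki. Recomputes what
ssh-keygen -l (fingerprints) and ssh-keygen -r (SSHFP records) derive from a
public key, using the key line alone.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}  # 1 = SHA-1, 2 = SHA-256

# The key the page adds to sshuser (copied from the page, not constructed).
SSHUSER_CLIENT_KEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQ"
    "Rih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sT"
    "PYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzne"
    "NZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxq"
    "pYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt"
    " user@client.ipa.example.org"
)


def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_pubkey(line):
    """Split '<type> <base64> [comment]' into (type, blob, comment).

    The type string encoded inside the blob is what sshd actually trusts, so
    a line whose declared type differs from the embedded one is rejected
    instead of being stored in ipasshpubkey.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner, _ = _read_string(blob, 0)
    if inner.decode("ascii", "replace") != ktype:
        raise ValueError(f"declared type {ktype!r} but blob encodes {inner!r}")
    if ktype not in SSHFP_ALGORITHM:
        raise ValueError(f"unsupported key type {ktype!r}")
    return ktype, blob, comment


def rsa_bits(blob):
    """Modulus size of an ssh-rsa blob (string 'ssh-rsa', mpint e, mpint n)."""
    _, off = _read_string(blob, 0)
    _, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


def fingerprint_md5(blob):
    """Colon-separated MD5 digest, the form printed by ipa *-show (uppercase)
    and ssh-keygen -l -E md5 (lowercase)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    """'SHA256:<base64 without padding>', the default of current ssh-keygen -l."""
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("=")


def sshfp_record(hostname, line, fptype=1):
    """The record ssh-keygen -r prints: the digest covers the decoded blob."""
    ktype, blob, _ = parse_pubkey(line)
    digest = SSHFP_FPTYPE[fptype](blob).hexdigest()
    return f"{hostname} IN SSHFP {SSHFP_ALGORITHM[ktype]} {fptype} {digest}"


def sshfp_matches(dig_rdata, record):
    """True when one 'alg fptype HEX' line from `dig +short` equals the
    generated record; only hex case differs between the two tools."""
    alg, fptype, fp = dig_rdata.split()
    ralg, rfptype, rfp = record.split()[-3:]
    return (alg, fptype, fp.lower()) == (ralg, rfptype, rfp.lower())


def ipa_fingerprint_matches(shown, line):
    """Compare an 'SSH public key fingerprint' value from ipa user-show or
    ipa host-show (e.g. '38:FA:5A:... comment (ssh-rsa)') with a key line."""
    _, blob, _ = parse_pubkey(line)
    return shown.split()[0].lower() == fingerprint_md5(blob)


if __name__ == "__main__":
    ktype, blob, comment = parse_pubkey(SSHUSER_CLIENT_KEY)
    print(f"{rsa_bits(blob)} {fingerprint_md5(blob)} {comment} ({ktype})")
    print(fingerprint_sha256(blob))
    print(sshfp_record("client.ipa.example.org", SSHUSER_CLIENT_KEY))
    print(sshfp_record("client.ipa.example.org", SSHUSER_CLIENT_KEY, fptype=2))
```

Run it against a host key file (python3 check.py after replacing SSHUSER_CLIENT_KEY with the contents of /etc/ssh/ssh_host_rsa_key.pub) and the two SSHFP lines should equal what ssh-keygen -r prints and, after lowercasing, what dig +short returns; if sshfp_matches is False for a record that dig does return, the IPA DNS zone still carries a fingerprint for a previous host key.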

Expected Results

Now that public keys for both hosts and the user are set, try logging in with ssh from server.ipa.example.org to client.ipa.example.org and vice versa. The user is given as sshuser@ipa.example.org because the realmd join configures SSSD to expect fully qualified user names:

user@server$ ssh sshuser@ipa.example.org@client.ipa.example.org
user@client$ ssh sshuser@ipa.example.org@server.ipa.example.org

Both commands should work without any warnings or errors and should NOT prompt for verification of the host identity or for a password: the host keys are fetched from FreeIPA through sss_ssh_knownhostsproxy (the ProxyCommand and GlobalKnownHostsFile lines that ipa-client-install adds to /etc/ssh/ssh_config), and the user's keys are fetched by sshd through sss_ssh_authorizedkeys.



Troubleshooting

Known issue (tracked in openssh and freeipa bug reports): ssh to the other host still asks for a password. If that happens, make sure /etc/ssh/sshd_config contains the following lines and restart sshd (systemctl restart sshd):

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

sshd only runs the command if it is owned by root and not writable by group or others. To check that SSSD itself returns the keys, run the helper directly on the target host; it should print the user's public key lines:

user@client$ /usr/bin/sss_ssh_authorizedkeys sshuser@ipa.example.org