From Fedora Project Wiki

Revision as of 06:48, 9 May 2013 by Stefw (talk | contribs) (Update requirements)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


Verify FreeIPA's SSH public key management using realmd to join the current machine to a FreeIPA domain.


  1. If you have not already done so, run through the test case to join the domain.

How to test

Note: All examples below are executed either on server or client. The right place should be indicated by prompt:


Verify installation

First authenticate as admin:

user@server$ kinit admin

Verify that the host entry of has the correct SSH public keys set:

user@server$ ipa host-show --all
Host name:
Principal name: host/
SSH public key fingerprint: 5A:CE:70:8F:A3:AF:57:C1:D1:C0:C6:28:FC:D4:42:07 (ssh-dss), 76:2B:1F:98:1C:02:EE:29:43:C1:18:FD:75:57:36:8F (ssh-rsa)
Password: False
Keytab: True
Managed by:

user@server$ ssh-keygen -l -f /etc/ssh/
1024 5a:ce:70:8f:a3:af:57:c1:d1:c0:c6:28:fc:d4:42:07 (DSA)

user@server$ ssh-keygen -l -f /etc/ssh/
2048 76:2b:1f:98:1c:02:ee:29:43:c1:18:fd:75:57:36:8f (RSA)

The same procedure can be used to verify host public keys of

Verify that DNS SSHFP records were updated correctly for client:

user@client$ dig +short SSHFP
2 1 D017B7B96C1CF0DC9A9CC317AED198EBE61C8369
1 1 EEA71C381935401361301366B2E4E2627CB470CD

user@client$ ssh-keygen -r -f /etc/ssh/ IN SSHFP 2 1 d017b7b96c1cf0dc9a9cc317aed198ebe61c8369

user@client$ ssh-keygen -r -f /etc/ssh/ IN SSHFP 1 1 eea71c381935401361301366b2e4e2627cb470cd

Public key management

Generate a SSH keypair and create new FreeIPA user with the public key set:

user@server$ ssh-keygen -t rsa

user@server$ ipa user-add sshuser --first=SSH --last=User --sshpubkey="cat .ssh/"

Verify that the user entry has the correct SSH public key set:

user@server$ ipa user-show sshuser
User login: sshuser
First name: SSH
Last name: User
Home directory: /home/sshuser
Login shell: /bin/sh
UID: 12345678
GID: 12345678
Account disabled: False
SSH public key fingerprint: 38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04 (ssh-rsa)
Password: False
Member of groups: ipausers
Kerberos keys available: False

user@server$ ssh-keygen -l -f .ssh/
2048 38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04 (RSA)

Generate another SSH keypair on

user@client$ ssh-keygen -t rsa

user@client$ cat .ssh/
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt

Add the public key to sshuser:

user@server$ ipa user-mod sshuser --addattr ipasshpubkey='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt'

You can experiment further with ipa user-add, ipa user-mod, ipa host-add, ipa host-mod commands, all of them allow setting SSH public keys (in OpenSSH authorized_keys format, see man sshd) using the --sshpubkey option. Note that --sshpubkey overwrites the public keys of user or host with the new value(s), if you want to add or delete public keys, you have to use --addattr ipasshpubkey=... or --delattr ipasshpubkey=... instead.

Expected Results

Now that public keys for both hosts and user are set, you can try using ssh to log in remotely from to and vice-versa:

user@server$ ssh
user@client$ ssh

Both these commands should work without any warnings or errors and should NOT prompt for verification of host identity or password.


Known Issue [openssh], [freeipa],[freeipa]: Ssh to other host still asks password. Please add to file /etc/ssh/sshd_config

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody