Description
Verify FreeIPA's SSH public key management on a machine that has been joined to a FreeIPA domain with realmd.
Setup
- If you have not already done so, run through the test case to join the domain.
How to test
Note: All examples below are executed either on the server or on the client. The right place is indicated by the prompt:

user@server$
user@client$
Verify installation
First authenticate as admin:
user@server$ kinit admin
Verify that the host entry of server.ipa.example.org has the correct SSH public keys set:

user@server$ ipa host-show server.ipa.example.org --all
  Host name: server.ipa.example.org
  Principal name: host/server.ipa.example.org@IPA.EXAMPLE.ORG
  SSH public key fingerprint: 5A:CE:70:8F:A3:AF:57:C1:D1:C0:C6:28:FC:D4:42:07 (ssh-dss), 76:2B:1F:98:1C:02:EE:29:43:C1:18:FD:75:57:36:8F (ssh-rsa)
  Password: False
  Keytab: True
  Managed by: server.ipa.example.org
user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
1024 5a:ce:70:8f:a3:af:57:c1:d1:c0:c6:28:fc:d4:42:07 (DSA)
user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 76:2b:1f:98:1c:02:ee:29:43:c1:18:fd:75:57:36:8f (RSA)

The fingerprints reported by ipa host-show must match the fingerprints of the host keys in /etc/ssh, as printed by ssh-keygen -l.
The same procedure can be used to verify the host public keys of client.ipa.example.org.
Verify that the DNS SSHFP records were updated correctly for the client:

user@client$ dig +short client.ipa.example.org SSHFP
2 1 D017B7B96C1CF0DC9A9CC317AED198EBE61C8369
1 1 EEA71C381935401361301366B2E4E2627CB470CD
user@client$ ssh-keygen -r client.ipa.example.org -f /etc/ssh/ssh_host_dsa_key.pub
client.ipa.example.org IN SSHFP 2 1 d017b7b96c1cf0dc9a9cc317aed198ebe61c8369
user@client$ ssh-keygen -r client.ipa.example.org -f /etc/ssh/ssh_host_rsa_key.pub
client.ipa.example.org IN SSHFP 1 1 eea71c381935401361301366b2e4e2627cb470cd

The records served by DNS must match those ssh-keygen -r derives from the local host keys (the hex fingerprint is case-insensitive).
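The comparison above is done by eye; the following added example (not part of the original test case) automates it: it parses both dig +short output and ssh-keygen -r output into (algorithm, fingerprint type, hex) triples, reports records missing from or stale in DNS, and can compute an SSHFP record from an OpenSSH public key line the same way ssh-keygen -r does. It goes slightly beyond the page by also handling fingerprint type 2 (SHA-256) and ECDSA/Ed25519 algorithm numbers; the sample DNS and ssh-keygen output is copied from the test case, and the Ed25519 key line is constructed, not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample input, copied from the test case's dig and ssh-keygen output for client.ipa.example.org.
DIG_OUTPUT = """2 1 D017B7B96C1CF0DC9A9CC317AED198EBE61C8369
1 1 EEA71C381935401361301366B2E4E2627CB470CD"""
KEYGEN_OUTPUT = """client.ipa.example.org IN SSHFP 2 1 d017b7b96c1cf0dc9a9cc317aed198ebe61c8369
client.ipa.example.org IN SSHFP 1 1 eea71c381935401361301366b2e4e2627cb470cd"""

# SSHFP algorithm numbers (RFC 4255 / RFC 6594) keyed by the OpenSSH key type string,
# and the fingerprint types: 1 = SHA-1 (what this test case shows), 2 = SHA-256.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_sshfp(text):
    """Return the set of (algorithm, fptype, lowercase hex) triples found in text.
    Accepts both `dig +short` output (bare RDATA) and `ssh-keygen -r` output (full RR);
    the hex case is normalised so the two sources can be compared directly."""
    records = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[-3].isdigit() and fields[-2].isdigit():
            records.add((int(fields[-3]), int(fields[-2]), fields[-1].lower()))
    return records


def sshfp_from_pubkey(pubkey_line, fptype=1):
    """Compute the SSHFP RDATA for one OpenSSH public key line the way `ssh-keygen -r`
    does: hash the raw (base64-decoded) key blob, not the text of the line."""
    keytype, b64 = pubkey_line.split()[:2]
    digest = FP_HASH[fptype](base64.b64decode(b64)).hexdigest()
    return (SSHFP_ALGORITHM[keytype], fptype, digest)


def compare_sshfp(dns_text, local_text):
    """Return (missing_from_dns, stale_in_dns): records the host derives locally that DNS
    lacks, and records DNS serves that no local key produces. Both empty means DNS is current."""
    dns, local = parse_sshfp(dns_text), parse_sshfp(local_text)
    return sorted(local - dns), sorted(dns - local)


def constructed_ed25519_pubkey():
    """A syntactically valid ssh-ed25519 public key line built from a fixed 32-byte value.
    Constructed for this example only; it is not a real key."""
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " user@client.ipa.example.org"
```

In practice, feed compare_sshfp() the output of dig +short <host> SSHFP and of ssh-keygen -r <host> -f for each key in /etc/ssh; a non-empty stale list after a host key rotation means the DNS records were not updated.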
Public key management
Generate an SSH keypair and create a new FreeIPA user with the public key set:

user@server$ ssh-keygen -t rsa
user@server$ ipa user-add sshuser --first=SSH --last=User --sshpubkey="$(cat .ssh/id_rsa.pub)"
Verify that the user entry has the correct SSH public key set:

user@server$ ipa user-show sshuser
  User login: sshuser
  First name: SSH
  Last name: User
  Home directory: /home/sshuser
  Login shell: /bin/sh
  UID: 12345678
  GID: 12345678
  Account disabled: False
  SSH public key fingerprint: 38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04 user@server.ipa.example.org (ssh-rsa)
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
user@server$ ssh-keygen -l -f .ssh/id_rsa.pub
2048 38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04 user@server.ipa.example.org (RSA)
Generate another SSH keypair on client.ipa.example.org:
user@client$ ssh-keygen -t rsa
user@client$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.org
Add the public key to sshuser:
user@server$ ipa user-mod sshuser --addattr ipasshpubkey='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.org'
You can experiment further with the ipa user-add, ipa user-mod, ipa host-add and ipa host-mod commands; all of them allow setting SSH public keys (in OpenSSH authorized_keys format, see man sshd) using the --sshpubkey option. Note that --sshpubkey overwrites the public keys of the user or host with the new value(s); if you want to add or delete individual public keys, you have to use --addattr ipasshpubkey=... or --delattr ipasshpubkey=... instead.
Expected Results
Now that public keys for both hosts and the user are set, you can try using ssh to log in remotely from server.ipa.example.org to client.ipa.example.org and vice versa:
user@server$ ssh sshuser@ipa.example.org@client.ipa.example.org
user@client$ ssh sshuser@ipa.example.org@server.ipa.example.org
Both commands should work without any warnings or errors and should NOT prompt for verification of the host identity (the host keys are validated through FreeIPA) or for a password (the public key is served from the user entry).
Troubleshooting
Known Issue [openssh], [freeipa], [freeipa]: ssh to the other host still asks for a password. Add the following to /etc/ssh/sshd_config:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody