Description
Verify FreeIPA's SSH public key management using realmd to join the current machine to a FreeIPA domain.
Setup
- Run through the test case to join the domain.
How to test
Note: All examples below are executed either on server or client. The right place should be indicated by prompt:
user@server$ user@client$
Verify installation
First authenticate as admin:
user@server$ kinit admin
Verify that the host entry of server.ipa.example.org
has the correct SSH public keys set:
user@server$ ipa host-show server.ipa.example.org --all Host name: server.ipa.example.org Principal name: host/server.ipa.example.org@IPA.EXAMPLE.ORG SSH public key fingerprint: 5A:CE:70:8F:A3:AF:57:C1:D1:C0:C6:28:FC:D4:42:07 (ssh-dss), 76:2B:1F:98:1C:02:EE:29:43:C1:18:FD:75:57:36:8F (ssh-rsa) Password: False Keytab: True Managed by: server.ipa.example.org user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub 1024 5a:ce:70:8f:a3:af:57:c1:d1:c0:c6:28:fc:d4:42:07 (DSA) user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub 2048 76:2b:1f:98:1c:02:ee:29:43:c1:18:fd:75:57:36:8f (RSA)
The same procedure can be used to verify host public keys of client.ipa.example.org
.
Verify that DNS SSHFP records were updated correctly for client:
user@client$ dig +short client.ipa.example.org SSHFP 2 1 D017B7B96C1CF0DC9A9CC317AED198EBE61C8369 1 1 EEA71C381935401361301366B2E4E2627CB470CD user@client$ ssh-keygen -r client.ipa.example.org -f /etc/ssh/ssh_host_dsa_key.pub client.ipa.example.org IN SSHFP 2 1 d017b7b96c1cf0dc9a9cc317aed198ebe61c8369 user@client$ ssh-keygen -r client.ipa.example.org -f /etc/ssh/ssh_host_rsa_key.pub client.ipa.example.org IN SSHFP 1 1 eea71c381935401361301366b2e4e2627cb470cd
Public key management
Generate a SSH keypair and create new FreeIPA user with the public key set:
user@server$ ssh-keygen -t rsa
user@server$ ipa user-add sshuser --first=SSH --last=User --sshpubkey="cat .ssh/id_rsa.pub
"
Verify that the user entry has the correct SSH public key set:
user@server$ ipa user-show sshuser User login: sshuser First name: SSH Last name: User Home directory: /home/sshuser Login shell: /bin/sh UID: 12345678 GID: 12345678 Account disabled: False SSH public key fingerprint: 38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04 user@server.ipa.example.org (ssh-rsa) Password: False Member of groups: ipausers Kerberos keys available: False user@server$ ssh-keygen -l -f .ssh/id_rsa.pub 2048 38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04 user@server.ipa.example.org (RSA)
Generate another SSH keypair on client.ipa.example.org
:
user@client$ ssh-keygen -t rsa
user@client$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.org
Add the public key to sshuser
:
user@server$ ipa user-mod sshuser --addattr ipasshpubkey='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.org'
You can experiment further with ipa user-add
, ipa user-mod
, ipa host-add
, ipa host-mod
commands, all of them allow setting SSH public keys (in OpenSSH authorized_keys format, see man sshd
) using the --sshpubkey
option. Note that --sshpubkey
overwrites the public keys of user or host with the new value(s), if you want to add or delete public keys, you have to use --addattr ipasshpubkey=...
or --delattr ipasshpubkey=...
instead.
Expected Results
Now that public keys for both hosts and user are set, you can try using ssh to log in remotely from server.ipa.example.org
to client.ipa.example.org
and vice-versa:
user@server$ ssh sshuser@client
user@client$ ssh sshuser@server
Both these commands should work without any warnings or errors and should NOT prompt for verification of host identity or password.
Troubleshooting
Known Issue: Ssh to other host still asks password. Please add to file /etc/ssh/sshd_config
AuthorizedKeysCommandUser nobody
The selinux profile for realmd isn't yet stable, so you may want turn off enforcement. Please do still file bugs for the SElinux AVC notifications you see.
Known Issue [Selinux]: You need to turn off selinux to complete the join. Please do:
$ sudo setenforce 0
Please file all realmd AVC's at this bug: https://bugzilla.redhat.com/show_bug.cgi?id=952830
$ sudo grep realmd /var/log/audit/audit.log