The public key of a remote machine is stored in the known_hosts file, and that of a remote user in authorized_keys. Whenever that remote machine or user attempts to authenticate again, the local system simply checks the known_hosts or authorized_keys file first to see whether that remote entity is recognized and trusted. If it is, access is granted.
Each entry in the known_hosts file is a triplet of the machine name, its IP address, and its public key:

```
server.example.com,255.255.255.255 ssh-rsa AbcdEfg1234ZYX098776/AbcdEfg1234ZYX098776/AbcdEfg1234ZYX098776=
```
The known_hosts file can quickly become outdated for a number of reasons: systems using DHCP cycle through IP addresses, new keys are re-issued periodically, or virtual machines and services are brought online and removed. Any of these changes the hostname, IP address, and key triplet.
Administrators have to keep the known_hosts file current to maintain security. (Otherwise system users get in the habit of simply accepting any machine and key presented, which negates the security benefits of key-based security.)
A problem of scale also arises when the known_hosts file has not been updated uniformly.
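The lookup described above, as an added example that is not part of the original documentation: a small Python checker that parses a constructed known_hosts file and classifies a presented host key as trusted, changed (the outdated-triplet case), revoked, or unknown. It goes beyond the plain hostname,IP triplet shown in the text by also matching the hashed host names OpenSSH writes when HashKnownHosts is enabled and by honoring @revoked markers; the sample entries, key material, and salt are constructed for the example and are not real keys.

```python
import base64
import fnmatch
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class KnownHost:
    hosts: str        # comma-separated host patterns, or a "|1|salt|hash" hashed name
    keytype: str      # e.g. ssh-rsa, ssh-ed25519
    key: str          # base64 key blob exactly as it appears in the file
    marker: str = ""  # "@revoked" or "@cert-authority" when present


def hashed_hostname(hostname, salt):
    """Encode a hostname the way OpenSSH's HashKnownHosts option does:
    |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def parse_known_hosts(text):
    """Parse known_hosts text into KnownHost entries; comments and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = ""
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue
        entries.append(KnownHost(fields[0], fields[1], fields[2], marker))
    return entries


def host_matches(entry, hostname):
    """True if the entry's host field covers hostname (plain patterns or hashed form)."""
    if entry.hosts.startswith("|1|"):
        _, _, salt_b64, digest_b64 = entry.hosts.split("|")
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(digest_b64))
    matched = False
    for pattern in entry.hosts.split(","):
        if fnmatch.fnmatchcase(hostname, pattern.lstrip("!")):
            if pattern.startswith("!"):
                return False  # a negated pattern overrides any positive match
            matched = True
    return matched


def check_host_key(entries, hostname, keytype, key):
    """Classify a presented host key: TRUSTED, CHANGED, REVOKED or UNKNOWN."""
    verdict = "UNKNOWN"
    for entry in entries:
        if entry.marker == "@cert-authority" or entry.keytype != keytype:
            continue
        if not host_matches(entry, hostname):
            continue
        if entry.key == key:
            if entry.marker == "@revoked":
                return "REVOKED"  # revocation wins over any other matching entry
            verdict = "TRUSTED"
        elif verdict == "UNKNOWN":
            verdict = "CHANGED"   # host known, but with a different key: the outdated-triplet case
    return verdict


# Constructed sample data: these are not real keys or a real salt.
KEY_A = base64.b64encode(b"constructed host key A, not a real key").decode()
KEY_B = base64.b64encode(b"constructed host key B, not a real key").decode()
SALT = b"constructed-salt-20b"  # 20 bytes, the size OpenSSH uses
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts, not taken from any system",
    "server.example.com,192.0.2.10 ssh-ed25519 %s srv1" % KEY_A,
    "%s ssh-ed25519 %s" % (hashed_hostname("build.example.com", SALT), KEY_B),
    "@revoked *.old.example.com ssh-ed25519 %s" % KEY_B,
])


if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for host, key in [("server.example.com", KEY_A), ("server.example.com", KEY_B),
                      ("build.example.com", KEY_B), ("db.old.example.com", KEY_B),
                      ("other.example.com", KEY_A)]:
        print(host, check_host_key(entries, host, "ssh-ed25519", key))
```

The CHANGED verdict is the one that matters operationally: it is what ssh reports as a changed host key, and the maintenance burden described above comes from deciding whether that change is a legitimate re-issue or an impersonation.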
NOTE
known_hosts
file.
OpenSSH is configured in either a user-specific configuration file (~/.ssh/config) or a system-wide configuration file (/etc/ssh/ssh_config). The user file takes precedence over the system settings, and the first obtained value for a parameter is used. The formatting and conventions for this file are covered in Chapter 8, OpenSSH.
To manage host keys, SSSD provides a tool, sss_ssh_knownhostsproxy, which performs three operations:

1. Retrieves the public host key for the requested host from the SSSD domain.
2. Stores the host key in a custom hosts file, .ssh/sss_known_hosts.
3. Establishes the connection to the host, either directly or through the supplied proxy command.

The tool has the format:

```
sss_ssh_knownhostsproxy [-d sssd_domain] [-p ssh_port] HOST [PROXY_COMMAND]
```
Table 7.9. sss_ssh_knownhostsproxy Options

Short Argument | Long Argument | Description
---|---|---
HOSTNAME | | Gives the hostname of the host to check and connect to. In the OpenSSH configuration file, this can be a token, %h.
PROXY_COMMAND | | Passes a proxy command to use to connect to the SSH client. This is similar to running ssh -o ProxyCommand=value. This option is used when running sss_ssh_knownhostsproxy from the command line or through another script, but is not necessary in the OpenSSH configuration file.
-d sssd_domain | --domain sssd_domain | Only searches for public keys in entries in the specified domain. If not given, SSSD searches for keys in all configured domains.
-p port | --port port | Uses this port to connect to the SSH client. By default, this is port 22.
To use this SSSD tool, add or edit two parameters in the ssh_config or ~/.ssh/config file:

- Specify the command used to connect to the SSH client (ProxyCommand). This is sss_ssh_knownhostsproxy, with the desired arguments and hostname.
- Specify the location of the SSSD hosts file, rather than the default known_hosts file (UserKnownHostsFile). The SSSD hosts file is .ssh/sss_known_hosts.

For example, this looks for public keys in the IPA1 SSSD domain and connects over whatever port and host are supplied:

```
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p -d IPA1 %h
UserKnownHostsFile .ssh/sss_known_hosts
```
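To make the precedence rule concrete (user file before system file, first obtained value wins), here is an added Python example, not code from the documentation or from SSSD, that resolves the effective ProxyCommand, UserKnownHostsFile, and Port for a host from constructed ~/.ssh/config and /etc/ssh/ssh_config contents and expands the %h and %p tokens used in the ProxyCommand line above. It handles Host blocks with glob patterns and ! negation; Match blocks and the other tokens are assumed out of scope, and the hostnames and file contents are constructed.

```python
import fnmatch

# Constructed sample configuration files (not real system files).
# Within a file, the FIRST matching value for a keyword is kept, so general
# "Host *" blocks belong at the end; the user file is consulted before the system file.
USER_CONFIG = """\
# ~/.ssh/config (constructed)
Host *.lab.example.com
    Port 2222

Host *
    UserKnownHostsFile ~/.ssh/sss_known_hosts
    Port 22022
"""

SYSTEM_CONFIG = """\
# /etc/ssh/ssh_config (constructed)
Host *
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p -d IPA1 %h
    UserKnownHostsFile ~/.ssh/known_hosts
    Port 22
"""

# A common mistake: the catch-all block comes first, so the specific Port below it
# is never used, because the first obtained value wins.
MISORDERED_CONFIG = """\
Host *
    Port 22

Host *.lab.example.com
    Port 2222
"""


def parse_ssh_config(text):
    """Yield (host_patterns, keyword, value) in file order. Keywords are case-insensitive,
    "Keyword value" and "Keyword=value" are both accepted, and a Host line opens a block
    whose glob patterns (with ! negation) apply to the lines that follow it."""
    patterns = ["*"]  # lines before any Host line apply everywhere
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line and " " not in line.split("=", 1)[0]:
            parts = line.split("=", 1)
        else:
            parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].strip().lower(), parts[1].strip()
        if keyword == "host":
            patterns = value.split()
            continue
        yield patterns, keyword, value


def host_block_matches(patterns, hostname):
    matched = False
    for pattern in patterns:
        if fnmatch.fnmatchcase(hostname, pattern.lstrip("!")):
            if pattern.startswith("!"):
                return False  # a negated pattern excludes the host from the block
            matched = True
    return matched


def effective_value(hostname, keyword, *config_texts):
    """Return the value OpenSSH would use: the first match, scanning the files in order."""
    keyword = keyword.lower()
    for text in config_texts:
        for patterns, kw, value in parse_ssh_config(text):
            if kw == keyword and host_block_matches(patterns, hostname):
                return value
    return None


def expand_tokens(value, hostname, port):
    """Expand the %h and %p tokens used in the ProxyCommand line; %% is a literal %."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "%" and i + 1 < len(value):
            out.append({"h": hostname, "p": str(port), "%": "%"}.get(value[i + 1], value[i:i + 2]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def resolve_proxy_command(hostname, *config_texts):
    """Compose the command ssh would run for hostname, or None if no ProxyCommand applies."""
    port = effective_value(hostname, "Port", *config_texts) or "22"
    command = effective_value(hostname, "ProxyCommand", *config_texts)
    return expand_tokens(command, hostname, port) if command else None


if __name__ == "__main__":
    for host in ("web.lab.example.com", "web.example.com"):
        print(host, effective_value(host, "UserKnownHostsFile", USER_CONFIG, SYSTEM_CONFIG))
        print(host, resolve_proxy_command(host, USER_CONFIG, SYSTEM_CONFIG))
    print("misordered:", effective_value("web.lab.example.com", "Port", MISORDERED_CONFIG))
```

The practical consequence for administrators is that a ProxyCommand or UserKnownHostsFile placed in /etc/ssh/ssh_config is only a default: any user who sets the same keyword in ~/.ssh/config wins, so the system-wide file cannot be relied on to force the SSSD host-key cache onto users.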
User keys are stored in the authorized_keys file for OpenSSH. As with hosts, SSSD can maintain and automatically update a separate cache of user public keys for OpenSSH to refer to. This is kept in the .ssh/sss_authorized_keys file.
As for host keys, OpenSSH is configured in either a user-specific configuration file (~/.ssh/config) or a system-wide configuration file (/etc/ssh/ssh_config); the user file takes precedence over the system settings, and the first obtained value for a parameter is used. The formatting and conventions for this file are covered in Chapter 8, OpenSSH.
To manage user keys, SSSD provides a tool, sss_ssh_authorizedkeys, which performs two operations:

1. Retrieves the user's public key from the user entry in the SSSD domain.
2. Stores the user key in a custom file, .ssh/sss_authorized_keys, in the standard authorized keys format.

The tool has the format:

```
sss_ssh_authorizedkeys [-d sssd_domain] USER
```
Table 7.10. sss_ssh_authorizedkeys Options

Short Argument | Long Argument | Description
---|---|---
USER | | Gives the username or account name for which to obtain the public key. In the OpenSSH configuration file, this can be represented by a token, %u.
-d sssd_domain | --domain sssd_domain | Only searches for public keys in entries in the specified domain. If not given, SSSD searches for keys in all configured domains.
Then configure the OpenSSH server to call this tool for user keys, using whichever of these two directives your OpenSSH version supports:

```
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u
```
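As an added example of the contract behind these directives (not code from SSSD or from the documentation): sshd runs the configured command with the login name as its argument and reads authorized_keys-format lines from its standard output. This Python stand-in does the same against a constructed in-memory directory, rejecting login names outside a conservative pattern and dropping any line whose base64 blob does not decode or whose wire-format key type differs from the declared type, so that only well-formed keys reach sshd. The DIRECTORY contents, the dummy key bytes, and the username pattern are assumptions made for the example.

```python
import base64
import re
import struct
import sys

# Accept only conservative login names; sshd passes the requested name as the argument.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
KEY_TYPES = {"ssh-ed25519", "ssh-rsa",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_blob(keytype, *fields):
    """Base64 of a wire-format public key: the key type string followed by its fields."""
    return base64.b64encode(b"".join(ssh_string(f) for f in (keytype.encode(), *fields))).decode()


# Constructed directory records standing in for the user entries SSSD would read from its
# domain. The key bytes are dummies, not real keys.
DIRECTORY = {
    "alice": [
        "ssh-ed25519 %s alice@laptop" % make_blob("ssh-ed25519", b"\x01" * 32),
        'from="192.0.2.0/24" ssh-ed25519 %s alice@ci' % make_blob("ssh-ed25519", b"\x02" * 32),
        "ssh-ed25519 %s mismatched" % make_blob("ssh-rsa", b"\x03" * 32),  # declared/actual type differ
        "ssh-ed25519 not-base64!! broken",                                  # undecodable blob
    ],
    "bob": [],
}


def split_unquoted(line):
    """Split on whitespace that is not inside double quotes (options such as
    command="..." may contain spaces)."""
    tokens, current, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            current.append(ch)
        elif ch.isspace() and not quoted:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def parse_authorized_line(line):
    """Return (options, keytype, blob, comment) for an authorized_keys line, or None."""
    tokens = split_unquoted(line.strip())
    for i, token in enumerate(tokens):
        if token in KEY_TYPES and i + 1 < len(tokens):
            return " ".join(tokens[:i]), token, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def declared_type_matches(keytype, blob_b64):
    """True if the blob decodes and its leading wire-format string equals the declared type."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
        (length,) = struct.unpack(">I", blob[:4])
        return blob[4:4 + length].decode() == keytype and len(blob) > 4 + length
    except (ValueError, struct.error):
        return False


def authorized_keys_for(username):
    """Emulate the AuthorizedKeysCommand contract: return the authorized_keys-format lines
    for a login name, yielding nothing for unknown users or malformed input."""
    if not USERNAME_RE.match(username):
        return []
    lines = []
    for raw in DIRECTORY.get(username, []):
        parsed = parse_authorized_line(raw)
        if parsed is None:
            continue
        options, keytype, blob, comment = parsed
        if not declared_type_matches(keytype, blob):
            continue
        lines.append(" ".join(part for part in (options, keytype, blob, comment) if part))
    return lines


if __name__ == "__main__":
    # sshd runs "<command> <username>" (the %u token) and reads the keys from stdout
    user = sys.argv[1] if len(sys.argv) > 1 else "alice"
    sys.stdout.write("".join(line + "\n" for line in authorized_keys_for(user)))
```

Two deployment caveats follow from this contract: upstream OpenSSH (6.2 and later) refuses to start with AuthorizedKeysCommand set unless AuthorizedKeysCommandUser names an unprivileged account to run it as, and because sshd treats every line the command prints as trusted, the command should emit nothing rather than an error message when the lookup fails.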