Bug 2014249

Summary: Consistency in defaults between OpenSSH and SSSD
Product: Red Hat Enterprise Linux 9 Reporter: Simo Sorce <ssorce>
Component: sssdAssignee: Alexey Tikhonov <atikhono>
Status: CLOSED ERRATA QA Contact: Dhairya Parmar <dparmar>
Severity: unspecified Docs Contact: lmcgarry
Priority: unspecified    
Version: 9.0CC: atikhono, grajaiya, jhrozek, lmcgarry, lslebodn, mzidek, pasik, pbrezina, sgoveas, tscherf
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.6.1-1.el9 Doc Type: Enhancement
Doc Text:
.SSSD default SSH hashing value is now consistent with the OpenSSH setting The default value of `ssh_hash_known_hosts` has been changed to false. It is now consistent with the OpenSSH setting, which does not hash host names by default. However, if you need to continue to hash host names, add `ssh_hash_known_hosts = True` to the `[ssh]` section of the `/etc/sssd/sssd.conf` configuration file.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-17 16:00:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Simo Sorce 2021-10-14 17:52:13 UTC 
Description of problem:
In SSSD the default value for ssh_hash_known_hosts is set to true

It should be changed to false for consistency with the OpenSSH setting that does not hashes host names by default.

Additionally, although currently allowed, the HMAC-SHA-1 algorithm will be eventually blocked in FIPS mode, causing errors in the default configuration in FIPS mode. Unfortunately there is no other encoding supported beyond plain text so the default should be off in order to be compatible with a FIPS world where HMAC-SHA-1 is disabled.
(note it is perfectly clear that is is not a cryptographic use, but in FIPS mode libraries are strict regalrdles).
Comment 1 Alexey Tikhonov 2021-10-27 17:11:21 UTC 
https://github.com/SSSD/sssd/issues/5848
Comment 2 Alexey Tikhonov 2021-10-27 18:09:20 UTC 
Upstream PR: https://github.com/SSSD/sssd/pull/5849
Comment 3 Alexey Tikhonov 2021-11-04 11:17:28 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/5849

* `master`
    * e8b43cc82339c6ff19b8e6bf19d7d7c39ea481f7 - SSH: changed default value of `ssh_hash_known_hosts` to false
Comment 5 Dhairya Parmar 2021-12-07 11:42:31 UTC 
Tested against sssd-2.5.2-5.el9.x86_64


#### ssh_hash_known_hosts is not used, default value is True ####

[root@client2 ~]# cat /etc/sssd/sssd.conf
[domain/example.com]

id_provider = ipa
ipa_server = _srv_, server1.example.com
ipa_domain = example.com
ipa_hostname = client2.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]

[root@client2 ~]# systemctl stop sssd.service
[root@client2 ~]# rm -f /var/lib/sss/pubconf/known_hosts
[root@client2 ~]# systemctl start sssd.service
[root@client2 ~]# ssh -l user2 server1.example.com echo 'login successful'
(user2.com) Password: 
login successful
Could not chdir to home directory /home/user2: No such file or directory
[root@client2 ~]# cat /var/lib/sss/pubconf/known_hosts
|1|o6LVtsnrVCrgwOoVJNCMYYiCJnM=|qrAKJYuu+/wjtCS7vIWNiPlqvLU= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFO0X+82mj+2UWZTqjxxYgV7Zoqk8qtIyTLpmVE/vWQv/h3t7CVqxKtN0/FoEHbGVd+1Ic2BZZBJL8IMCZZ7gM6iJ3ZPi8UMigcs/F+NELZ1XadhpA6GiOyqtLM4wX5Xi5SlMVJBaXC9Tx9OafLlJPARj9/g4Np5vEPPY28UK9pG5St5vjHdQO6pg4hnjlrl1GDN6NJV59srZUZLv27V+4NI93kP0Ghzla5iak49RbnaaGnZK/C5cNdnspWdSs8TZGXo4W86HBIQiHYQxvab7RFyEnheTdOP5LGe4oXTF8EJ74g+0FU2gJ84sztM++kUCYwX81kKt071cGCXzi9ZdtHuWX/1Q5AEZt8wX2egF4BrDzntqOn21HVv8iaHpWYm94vG0fo27gVY/Fr7GsouNTmETZSagxjSeYjPCzo1XU8TmUq3QZNPm2jxGDwd51BptlB9J1jqZRwdcqYgyDBVDE3iuPldyFm/rbPdTQud8V5gVzTFEKqnRjDUvJjgL7wIs= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|iftZcmnM84oh1v/pSyvcFCFg7Tw=|/o2kz7U8+VlCPIMDm0e4MB9Ms0Y= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFO0X+82mj+2UWZTqjxxYgV7Zoqk8qtIyTLpmVE/vWQv/h3t7CVqxKtN0/FoEHbGVd+1Ic2BZZBJL8IMCZZ7gM6iJ3ZPi8UMigcs/F+NELZ1XadhpA6GiOyqtLM4wX5Xi5SlMVJBaXC9Tx9OafLlJPARj9/g4Np5vEPPY28UK9pG5St5vjHdQO6pg4hnjlrl1GDN6NJV59srZUZLv27V+4NI93kP0Ghzla5iak49RbnaaGnZK/C5cNdnspWdSs8TZGXo4W86HBIQiHYQxvab7RFyEnheTdOP5LGe4oXTF8EJ74g+0FU2gJ84sztM++kUCYwX81kKt071cGCXzi9ZdtHuWX/1Q5AEZt8wX2egF4BrDzntqOn21HVv8iaHpWYm94vG0fo27gVY/Fr7GsouNTmETZSagxjSeYjPCzo1XU8TmUq3QZNPm2jxGDwd51BptlB9J1jqZRwdcqYgyDBVDE3iuPldyFm/rbPdTQud8V5gVzTFEKqnRjDUvJjgL7wIs= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|93Q6+jbskU6JAAqLTAUvaQbiiRU=|Az9Tz1QX22KkFwVBEqi2nDIsR7k= ssh-dss AAAAB3NzaC1kc3MAAACBAOnh1wa6Z9YVid4gU1AmXMQG51dGXyGnUe+EJFkQYak1dM92JRSp0NUo/ceSSuoDYND6Ndc3KHOwN5tiGJCbsg2bVZ+xwRXX2j2O1tzhuvDoJgNM1BVpBeblNYj271D8j5IGVLZMlrk+T54Dz2oEOC9Wg0WDyUprZDCfjktUuqejAAAAFQD0gB6nyhWDHI8HPm4uuLSSaUGhgwAAAIAIi/FfBTL6UB1WZp1PXy4AEiIJvzen75Sf7wJUJZsVPfTZFu0k0O83vkOtbuvW83Uk99Sp3b11DiXdJ9LOrXO1wnbhv+eTMbEAZdt7+iEJEdHkK4wfoHS1uQPJPJYAHCQXbXLBaJhq+cm3mwD6UeVHLE8K81i0bKdUOwR5TMIyqwAAAIEAmfF0ja7XCsj3LArTC2tWfanrwnxD+HejHuZHUPfkHSy0VI6iqerIZiEB9edGLeD6XRzjWZBqbdBpvRE9Sw+BEhucWVyTuP+/A+iJPFh2YmGCww7TVGvAfby8GvvjEK3KSWH4euYxG0F+iXFf2SxHGh7bcu2JdE5W1mDBpqzq+C8= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|ULjZjLwZkK8ZoxqNjqLsHf7XwQk=|WjA2sd6KORc3cfXt56kCFzPuZAE= ssh-dss AAAAB3NzaC1kc3MAAACBAOnh1wa6Z9YVid4gU1AmXMQG51dGXyGnUe+EJFkQYak1dM92JRSp0NUo/ceSSuoDYND6Ndc3KHOwN5tiGJCbsg2bVZ+xwRXX2j2O1tzhuvDoJgNM1BVpBeblNYj271D8j5IGVLZMlrk+T54Dz2oEOC9Wg0WDyUprZDCfjktUuqejAAAAFQD0gB6nyhWDHI8HPm4uuLSSaUGhgwAAAIAIi/FfBTL6UB1WZp1PXy4AEiIJvzen75Sf7wJUJZsVPfTZFu0k0O83vkOtbuvW83Uk99Sp3b11DiXdJ9LOrXO1wnbhv+eTMbEAZdt7+iEJEdHkK4wfoHS1uQPJPJYAHCQXbXLBaJhq+cm3mwD6UeVHLE8K81i0bKdUOwR5TMIyqwAAAIEAmfF0ja7XCsj3LArTC2tWfanrwnxD+HejHuZHUPfkHSy0VI6iqerIZiEB9edGLeD6XRzjWZBqbdBpvRE9Sw+BEhucWVyTuP+/A+iJPFh2YmGCww7TVGvAfby8GvvjEK3KSWH4euYxG0F+iXFf2SxHGh7bcu2JdE5W1mDBpqzq+C8= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|K3GGskR7bq55QirU3FsDKtbf190=|mMrZooibrbkVR5Glkwtsi4GvgSQ= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIKW8/uOJoqOxhPnhElgUc4PPGyS8dJ3ZNK6rXjM7GtM/zqwGWzIpveaJb/f6jI6ABDMlxBqzcZT/iqzbMg+gls= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|AlYvXke+R4w+ctMWL9iU63pKcOA=|bKNprYazk0cUJsmXY/khRpxYHAQ= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIKW8/uOJoqOxhPnhElgUc4PPGyS8dJ3ZNK6rXjM7GtM/zqwGWzIpveaJb/f6jI6ABDMlxBqzcZT/iqzbMg+gls= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|ieFUdmz92/SO2ui6Afg8IQ+OEac=|4wsCwI/pMqnVP4HQgYh18isexas= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnapgRQ0PlTrKSVQ96+VeUX5oogrfXXIJtT4Ljt6S6Q root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|lweZZ8+MmnOPXR9kmhd+jkiAEfA=|ghtVPG16vZ4vSr+P0+pNeAyY++s= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnapgRQ0PlTrKSVQ96+VeUX5oogrfXXIJtT4Ljt6S6Q root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26


#### ssh_hash_known_hosts = True ####

[root@client2 ~]# cat /etc/sssd/sssd.conf
[domain/example.com]

id_provider = ipa
ipa_server = _srv_, server1.example.com
ipa_domain = example.com
ipa_hostname = client2.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]
ssh_hash_known_hosts = True

[pac]

[ifp]

[secrets]

[session_recording]

[root@client2 ~]# systemctl stop sssd.service 
[root@client2 ~]# rm -f /var/lib/sss/pubconf/known_hosts
[root@client2 ~]# systemctl start sssd.service
[root@client2 ~]# ssh -l user2 server1.example.com echo 'login successful'
(user2.com) Password: 
login successful
Could not chdir to home directory /home/user2: No such file or directory
[root@client2 ~]# cat /var/lib/sss/pubconf/known_hosts
|1|msqJlaw8azwGTbgqTh4eAFCFbJI=|GJ5dnLRdKOYpbJaCOJvM82283hk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFO0X+82mj+2UWZTqjxxYgV7Zoqk8qtIyTLpmVE/vWQv/h3t7CVqxKtN0/FoEHbGVd+1Ic2BZZBJL8IMCZZ7gM6iJ3ZPi8UMigcs/F+NELZ1XadhpA6GiOyqtLM4wX5Xi5SlMVJBaXC9Tx9OafLlJPARj9/g4Np5vEPPY28UK9pG5St5vjHdQO6pg4hnjlrl1GDN6NJV59srZUZLv27V+4NI93kP0Ghzla5iak49RbnaaGnZK/C5cNdnspWdSs8TZGXo4W86HBIQiHYQxvab7RFyEnheTdOP5LGe4oXTF8EJ74g+0FU2gJ84sztM++kUCYwX81kKt071cGCXzi9ZdtHuWX/1Q5AEZt8wX2egF4BrDzntqOn21HVv8iaHpWYm94vG0fo27gVY/Fr7GsouNTmETZSagxjSeYjPCzo1XU8TmUq3QZNPm2jxGDwd51BptlB9J1jqZRwdcqYgyDBVDE3iuPldyFm/rbPdTQud8V5gVzTFEKqnRjDUvJjgL7wIs= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|BAWA93KNtJZfQHwsjrzDSnqJ+0o=|btXKPv6NonSQncZHk7QoUa1sYIU= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFO0X+82mj+2UWZTqjxxYgV7Zoqk8qtIyTLpmVE/vWQv/h3t7CVqxKtN0/FoEHbGVd+1Ic2BZZBJL8IMCZZ7gM6iJ3ZPi8UMigcs/F+NELZ1XadhpA6GiOyqtLM4wX5Xi5SlMVJBaXC9Tx9OafLlJPARj9/g4Np5vEPPY28UK9pG5St5vjHdQO6pg4hnjlrl1GDN6NJV59srZUZLv27V+4NI93kP0Ghzla5iak49RbnaaGnZK/C5cNdnspWdSs8TZGXo4W86HBIQiHYQxvab7RFyEnheTdOP5LGe4oXTF8EJ74g+0FU2gJ84sztM++kUCYwX81kKt071cGCXzi9ZdtHuWX/1Q5AEZt8wX2egF4BrDzntqOn21HVv8iaHpWYm94vG0fo27gVY/Fr7GsouNTmETZSagxjSeYjPCzo1XU8TmUq3QZNPm2jxGDwd51BptlB9J1jqZRwdcqYgyDBVDE3iuPldyFm/rbPdTQud8V5gVzTFEKqnRjDUvJjgL7wIs= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|q+VL+CE5I4FLMgDNGj5q9Umfp2Y=|wHTnih6h3UDckxva9S8WXEkkOTk= ssh-dss AAAAB3NzaC1kc3MAAACBAOnh1wa6Z9YVid4gU1AmXMQG51dGXyGnUe+EJFkQYak1dM92JRSp0NUo/ceSSuoDYND6Ndc3KHOwN5tiGJCbsg2bVZ+xwRXX2j2O1tzhuvDoJgNM1BVpBeblNYj271D8j5IGVLZMlrk+T54Dz2oEOC9Wg0WDyUprZDCfjktUuqejAAAAFQD0gB6nyhWDHI8HPm4uuLSSaUGhgwAAAIAIi/FfBTL6UB1WZp1PXy4AEiIJvzen75Sf7wJUJZsVPfTZFu0k0O83vkOtbuvW83Uk99Sp3b11DiXdJ9LOrXO1wnbhv+eTMbEAZdt7+iEJEdHkK4wfoHS1uQPJPJYAHCQXbXLBaJhq+cm3mwD6UeVHLE8K81i0bKdUOwR5TMIyqwAAAIEAmfF0ja7XCsj3LArTC2tWfanrwnxD+HejHuZHUPfkHSy0VI6iqerIZiEB9edGLeD6XRzjWZBqbdBpvRE9Sw+BEhucWVyTuP+/A+iJPFh2YmGCww7TVGvAfby8GvvjEK3KSWH4euYxG0F+iXFf2SxHGh7bcu2JdE5W1mDBpqzq+C8= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|tkLlFoaC93vwyduT1ZZ6t0G2kYc=|F32/RU6FD6d2MHNz6rWL8LJf+K0= ssh-dss AAAAB3NzaC1kc3MAAACBAOnh1wa6Z9YVid4gU1AmXMQG51dGXyGnUe+EJFkQYak1dM92JRSp0NUo/ceSSuoDYND6Ndc3KHOwN5tiGJCbsg2bVZ+xwRXX2j2O1tzhuvDoJgNM1BVpBeblNYj271D8j5IGVLZMlrk+T54Dz2oEOC9Wg0WDyUprZDCfjktUuqejAAAAFQD0gB6nyhWDHI8HPm4uuLSSaUGhgwAAAIAIi/FfBTL6UB1WZp1PXy4AEiIJvzen75Sf7wJUJZsVPfTZFu0k0O83vkOtbuvW83Uk99Sp3b11DiXdJ9LOrXO1wnbhv+eTMbEAZdt7+iEJEdHkK4wfoHS1uQPJPJYAHCQXbXLBaJhq+cm3mwD6UeVHLE8K81i0bKdUOwR5TMIyqwAAAIEAmfF0ja7XCsj3LArTC2tWfanrwnxD+HejHuZHUPfkHSy0VI6iqerIZiEB9edGLeD6XRzjWZBqbdBpvRE9Sw+BEhucWVyTuP+/A+iJPFh2YmGCww7TVGvAfby8GvvjEK3KSWH4euYxG0F+iXFf2SxHGh7bcu2JdE5W1mDBpqzq+C8= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|9y6GYO0PEatNIF32lUaURhU0BMU=|KorDeswhctfHM2i3ZmdlfRn34rE= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIKW8/uOJoqOxhPnhElgUc4PPGyS8dJ3ZNK6rXjM7GtM/zqwGWzIpveaJb/f6jI6ABDMlxBqzcZT/iqzbMg+gls= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|9IbgupWvdo9A6zfaZJxRrK3JREU=|nFfGAk+pZZnbmO1uNg0dHGvL0Jg= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIKW8/uOJoqOxhPnhElgUc4PPGyS8dJ3ZNK6rXjM7GtM/zqwGWzIpveaJb/f6jI6ABDMlxBqzcZT/iqzbMg+gls= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|Yu7hoxqkOlsaDViK/2Om7VwpFSA=|RgO19U04TTqzKp3jjgGNI/zMYfs= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnapgRQ0PlTrKSVQ96+VeUX5oogrfXXIJtT4Ljt6S6Q root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|OihqebHsVXWZMEy+QtS+zyuwUUA=|dfErc5lkHglhYTSNZwMv0YSFI1g= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnapgRQ0PlTrKSVQ96+VeUX5oogrfXXIJtT4Ljt6S6Q root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26


#### ssh_hash_known_hosts = False ####

[root@client2 ~]# cat /etc/sssd/sssd.conf 
[domain/example.com]

id_provider = ipa
ipa_server = _srv_, server1.example.com
ipa_domain = example.com
ipa_hostname = client2.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]
ssh_hash_known_hosts = False

[pac]

[ifp]

[secrets]

[session_recording]

[root@client2 ~]# systemctl stop sssd.service 
[root@client2 ~]# rm -f /var/lib/sss/pubconf/known_hosts
[root@client2 ~]# systemctl start sssd.service
[root@client2 ~]# ssh -l user2 server1.example.com echo 'login successful'
(user2.com) Password: 
login successful
Could not chdir to home directory /home/user2: No such file or directory
[root@client2 ~]# cat /var/lib/sss/pubconf/known_hosts 
server1.example.com,server1.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFO0X+82mj+2UWZTqjxxYgV7Zoqk8qtIyTLpmVE/vWQv/h3t7CVqxKtN0/FoEHbGVd+1Ic2BZZBJL8IMCZZ7gM6iJ3ZPi8UMigcs/F+NELZ1XadhpA6GiOyqtLM4wX5Xi5SlMVJBaXC9Tx9OafLlJPARj9/g4Np5vEPPY28UK9pG5St5vjHdQO6pg4hnjlrl1GDN6NJV59srZUZLv27V+4NI93kP0Ghzla5iak49RbnaaGnZK/C5cNdnspWdSs8TZGXo4W86HBIQiHYQxvab7RFyEnheTdOP5LGe4oXTF8EJ74g+0FU2gJ84sztM++kUCYwX81kKt071cGCXzi9ZdtHuWX/1Q5AEZt8wX2egF4BrDzntqOn21HVv8iaHpWYm94vG0fo27gVY/Fr7GsouNTmETZSagxjSeYjPCzo1XU8TmUq3QZNPm2jxGDwd51BptlB9J1jqZRwdcqYgyDBVDE3iuPldyFm/rbPdTQud8V5gVzTFEKqnRjDUvJjgL7wIs= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
server1.example.com,server1.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAOnh1wa6Z9YVid4gU1AmXMQG51dGXyGnUe+EJFkQYak1dM92JRSp0NUo/ceSSuoDYND6Ndc3KHOwN5tiGJCbsg2bVZ+xwRXX2j2O1tzhuvDoJgNM1BVpBeblNYj271D8j5IGVLZMlrk+T54Dz2oEOC9Wg0WDyUprZDCfjktUuqejAAAAFQD0gB6nyhWDHI8HPm4uuLSSaUGhgwAAAIAIi/FfBTL6UB1WZp1PXy4AEiIJvzen75Sf7wJUJZsVPfTZFu0k0O83vkOtbuvW83Uk99Sp3b11DiXdJ9LOrXO1wnbhv+eTMbEAZdt7+iEJEdHkK4wfoHS1uQPJPJYAHCQXbXLBaJhq+cm3mwD6UeVHLE8K81i0bKdUOwR5TMIyqwAAAIEAmfF0ja7XCsj3LArTC2tWfanrwnxD+HejHuZHUPfkHSy0VI6iqerIZiEB9edGLeD6XRzjWZBqbdBpvRE9Sw+BEhucWVyTuP+/A+iJPFh2YmGCww7TVGvAfby8GvvjEK3KSWH4euYxG0F+iXFf2SxHGh7bcu2JdE5W1mDBpqzq+C8= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
server1.example.com,server1.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIKW8/uOJoqOxhPnhElgUc4PPGyS8dJ3ZNK6rXjM7GtM/zqwGWzIpveaJb/f6jI6ABDMlxBqzcZT/iqzbMg+gls= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
server1.example.com,server1.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnapgRQ0PlTrKSVQ96+VeUX5oogrfXXIJtT4Ljt6S6Q root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26


Tested against sssd-2.6.1-1.el9.x86_64

#### ssh_hash_known_hosts is not used, default value is False ####

[root@client2 ~]# cat /etc/sssd/sssd.conf 
[domain/example.com]

id_provider = ipa
ipa_server = _srv_, server1.example.com
ipa_domain = example.com
ipa_hostname = client2.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]

[root@client2 ~]# systemctl stop sssd.service
[root@client2 ~]# rm -f /var/lib/sss/pubconf/known_hosts
[root@client2 ~]# systemctl start sssd.service
[root@client2 ~]# ssh -l user2 server1.example.com echo 'login successful'
(user2.com) Password: 
login successful
Could not chdir to home directory /home/user2: No such file or directory
[root@client2 ~]# cat /var/lib/sss/pubconf/known_hosts 
server1.example.com,server1.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFO0X+82mj+2UWZTqjxxYgV7Zoqk8qtIyTLpmVE/vWQv/h3t7CVqxKtN0/FoEHbGVd+1Ic2BZZBJL8IMCZZ7gM6iJ3ZPi8UMigcs/F+NELZ1XadhpA6GiOyqtLM4wX5Xi5SlMVJBaXC9Tx9OafLlJPARj9/g4Np5vEPPY28UK9pG5St5vjHdQO6pg4hnjlrl1GDN6NJV59srZUZLv27V+4NI93kP0Ghzla5iak49RbnaaGnZK/C5cNdnspWdSs8TZGXo4W86HBIQiHYQxvab7RFyEnheTdOP5LGe4oXTF8EJ74g+0FU2gJ84sztM++kUCYwX81kKt071cGCXzi9ZdtHuWX/1Q5AEZt8wX2egF4BrDzntqOn21HVv8iaHpWYm94vG0fo27gVY/Fr7GsouNTmETZSagxjSeYjPCzo1XU8TmUq3QZNPm2jxGDwd51BptlB9J1jqZRwdcqYgyDBVDE3iuPldyFm/rbPdTQud8V5gVzTFEKqnRjDUvJjgL7wIs= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
server1.example.com,server1.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAOnh1wa6Z9YVid4gU1AmXMQG51dGXyGnUe+EJFkQYak1dM92JRSp0NUo/ceSSuoDYND6Ndc3KHOwN5tiGJCbsg2bVZ+xwRXX2j2O1tzhuvDoJgNM1BVpBeblNYj271D8j5IGVLZMlrk+T54Dz2oEOC9Wg0WDyUprZDCfjktUuqejAAAAFQD0gB6nyhWDHI8HPm4uuLSSaUGhgwAAAIAIi/FfBTL6UB1WZp1PXy4AEiIJvzen75Sf7wJUJZsVPfTZFu0k0O83vkOtbuvW83Uk99Sp3b11DiXdJ9LOrXO1wnbhv+eTMbEAZdt7+iEJEdHkK4wfoHS1uQPJPJYAHCQXbXLBaJhq+cm3mwD6UeVHLE8K81i0bKdUOwR5TMIyqwAAAIEAmfF0ja7XCsj3LArTC2tWfanrwnxD+HejHuZHUPfkHSy0VI6iqerIZiEB9edGLeD6XRzjWZBqbdBpvRE9Sw+BEhucWVyTuP+/A+iJPFh2YmGCww7TVGvAfby8GvvjEK3KSWH4euYxG0F+iXFf2SxHGh7bcu2JdE5W1mDBpqzq+C8= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
server1.example.com,server1.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIKW8/uOJoqOxhPnhElgUc4PPGyS8dJ3ZNK6rXjM7GtM/zqwGWzIpveaJb/f6jI6ABDMlxBqzcZT/iqzbMg+gls= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
server1.example.com,server1.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnapgRQ0PlTrKSVQ96+VeUX5oogrfXXIJtT4Ljt6S6Q root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26


### ssh_hash_known_hosts = True ###

[root@client2 ~]# cat /etc/sssd/sssd.conf 
[domain/example.com]

id_provider = ipa
ipa_server = _srv_, server1.example.com
ipa_domain = example.com
ipa_hostname = client2.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]
ssh_hash_known_hosts = True

[pac]

[ifp]

[secrets]

[session_recording]

[root@client2 ~]# systemctl stop sssd.service
[root@client2 ~]# rm -f /var/lib/sss/pubconf/known_hosts
[root@client2 ~]# systemctl start sssd.service
[root@client2 ~]# ssh -l user2 server1.example.com echo 'login successful'
(user2.com) Password: 
login successful
Could not chdir to home directory /home/user2: No such file or directory
[root@client2 ~]# cat /var/lib/sss/pubconf/known_hosts
|1|U9oZkfgU8nuB8z6PnsLeERu1000=|qsFy4RW6NFX6lQhjJhshRF6TtGs= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFO0X+82mj+2UWZTqjxxYgV7Zoqk8qtIyTLpmVE/vWQv/h3t7CVqxKtN0/FoEHbGVd+1Ic2BZZBJL8IMCZZ7gM6iJ3ZPi8UMigcs/F+NELZ1XadhpA6GiOyqtLM4wX5Xi5SlMVJBaXC9Tx9OafLlJPARj9/g4Np5vEPPY28UK9pG5St5vjHdQO6pg4hnjlrl1GDN6NJV59srZUZLv27V+4NI93kP0Ghzla5iak49RbnaaGnZK/C5cNdnspWdSs8TZGXo4W86HBIQiHYQxvab7RFyEnheTdOP5LGe4oXTF8EJ74g+0FU2gJ84sztM++kUCYwX81kKt071cGCXzi9ZdtHuWX/1Q5AEZt8wX2egF4BrDzntqOn21HVv8iaHpWYm94vG0fo27gVY/Fr7GsouNTmETZSagxjSeYjPCzo1XU8TmUq3QZNPm2jxGDwd51BptlB9J1jqZRwdcqYgyDBVDE3iuPldyFm/rbPdTQud8V5gVzTFEKqnRjDUvJjgL7wIs= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|ZoxT1Y+AA9mgJq5s3GX3ZDAYA88=|MpafhHyiW9X1TTNitSUUQCc5zIA= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFO0X+82mj+2UWZTqjxxYgV7Zoqk8qtIyTLpmVE/vWQv/h3t7CVqxKtN0/FoEHbGVd+1Ic2BZZBJL8IMCZZ7gM6iJ3ZPi8UMigcs/F+NELZ1XadhpA6GiOyqtLM4wX5Xi5SlMVJBaXC9Tx9OafLlJPARj9/g4Np5vEPPY28UK9pG5St5vjHdQO6pg4hnjlrl1GDN6NJV59srZUZLv27V+4NI93kP0Ghzla5iak49RbnaaGnZK/C5cNdnspWdSs8TZGXo4W86HBIQiHYQxvab7RFyEnheTdOP5LGe4oXTF8EJ74g+0FU2gJ84sztM++kUCYwX81kKt071cGCXzi9ZdtHuWX/1Q5AEZt8wX2egF4BrDzntqOn21HVv8iaHpWYm94vG0fo27gVY/Fr7GsouNTmETZSagxjSeYjPCzo1XU8TmUq3QZNPm2jxGDwd51BptlB9J1jqZRwdcqYgyDBVDE3iuPldyFm/rbPdTQud8V5gVzTFEKqnRjDUvJjgL7wIs= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|scL0lU2ki9KAzhh5MR5lWE+7tNc=|ZUEbkKKCc1NfgZXtBqBeitdj3iU= ssh-dss AAAAB3NzaC1kc3MAAACBAOnh1wa6Z9YVid4gU1AmXMQG51dGXyGnUe+EJFkQYak1dM92JRSp0NUo/ceSSuoDYND6Ndc3KHOwN5tiGJCbsg2bVZ+xwRXX2j2O1tzhuvDoJgNM1BVpBeblNYj271D8j5IGVLZMlrk+T54Dz2oEOC9Wg0WDyUprZDCfjktUuqejAAAAFQD0gB6nyhWDHI8HPm4uuLSSaUGhgwAAAIAIi/FfBTL6UB1WZp1PXy4AEiIJvzen75Sf7wJUJZsVPfTZFu0k0O83vkOtbuvW83Uk99Sp3b11DiXdJ9LOrXO1wnbhv+eTMbEAZdt7+iEJEdHkK4wfoHS1uQPJPJYAHCQXbXLBaJhq+cm3mwD6UeVHLE8K81i0bKdUOwR5TMIyqwAAAIEAmfF0ja7XCsj3LArTC2tWfanrwnxD+HejHuZHUPfkHSy0VI6iqerIZiEB9edGLeD6XRzjWZBqbdBpvRE9Sw+BEhucWVyTuP+/A+iJPFh2YmGCww7TVGvAfby8GvvjEK3KSWH4euYxG0F+iXFf2SxHGh7bcu2JdE5W1mDBpqzq+C8= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|hbKoGZVZzp65DB36BBVfiKy0sWM=|F1oT8PgbXxvwcJthn//kcCgLCRw= ssh-dss AAAAB3NzaC1kc3MAAACBAOnh1wa6Z9YVid4gU1AmXMQG51dGXyGnUe+EJFkQYak1dM92JRSp0NUo/ceSSuoDYND6Ndc3KHOwN5tiGJCbsg2bVZ+xwRXX2j2O1tzhuvDoJgNM1BVpBeblNYj271D8j5IGVLZMlrk+T54Dz2oEOC9Wg0WDyUprZDCfjktUuqejAAAAFQD0gB6nyhWDHI8HPm4uuLSSaUGhgwAAAIAIi/FfBTL6UB1WZp1PXy4AEiIJvzen75Sf7wJUJZsVPfTZFu0k0O83vkOtbuvW83Uk99Sp3b11DiXdJ9LOrXO1wnbhv+eTMbEAZdt7+iEJEdHkK4wfoHS1uQPJPJYAHCQXbXLBaJhq+cm3mwD6UeVHLE8K81i0bKdUOwR5TMIyqwAAAIEAmfF0ja7XCsj3LArTC2tWfanrwnxD+HejHuZHUPfkHSy0VI6iqerIZiEB9edGLeD6XRzjWZBqbdBpvRE9Sw+BEhucWVyTuP+/A+iJPFh2YmGCww7TVGvAfby8GvvjEK3KSWH4euYxG0F+iXFf2SxHGh7bcu2JdE5W1mDBpqzq+C8= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|RNRSNoHZndcN8ORdI+4KbVpT2S8=|/rdw/zPg6/TeQv+jZn+TC9uIET4= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIKW8/uOJoqOxhPnhElgUc4PPGyS8dJ3ZNK6rXjM7GtM/zqwGWzIpveaJb/f6jI6ABDMlxBqzcZT/iqzbMg+gls= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|OrOwGpl9bMYhA6nCK/ho5rs7qIg=|xqSeYq089DnBEQLix3TL/GVXzIw= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIKW8/uOJoqOxhPnhElgUc4PPGyS8dJ3ZNK6rXjM7GtM/zqwGWzIpveaJb/f6jI6ABDMlxBqzcZT/iqzbMg+gls= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|ZHhQNgQclkLoH4n8ZtnG2CYw6Zk=|r+Rt4bh48fVGZYGWB9OwPkZxV08= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnapgRQ0PlTrKSVQ96+VeUX5oogrfXXIJtT4Ljt6S6Q root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
|1|bnR373vJj7gMOPhjjzlOlzT+lrY=|yPZNSGTv5vEElXXaw6uosWpsfDw= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnapgRQ0PlTrKSVQ96+VeUX5oogrfXXIJtT4Ljt6S6Q root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26


#### ssh_hash_known_hosts = False ####

[root@client2 ~]# cat /etc/sssd/sssd.conf
[domain/example.com]

id_provider = ipa
ipa_server = _srv_, server1.example.com
ipa_domain = example.com
ipa_hostname = client2.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]
ssh_hash_known_hosts = False

[pac]

[ifp]

[secrets]

[session_recording]

[root@client2 ~]# systemctl stop sssd.service
[root@client2 ~]# rm -f /var/lib/sss/pubconf/known_hosts
[root@client2 ~]# systemctl start sssd.service
[root@client2 ~]# ssh -l user2 server1.example.com echo 'login successful'
(user2.com) Password: 
login successful
Could not chdir to home directory /home/user2: No such file or directory
[root@client2 ~]# cat /var/lib/sss/pubconf/known_hosts 
server1.example.com,server1.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFO0X+82mj+2UWZTqjxxYgV7Zoqk8qtIyTLpmVE/vWQv/h3t7CVqxKtN0/FoEHbGVd+1Ic2BZZBJL8IMCZZ7gM6iJ3ZPi8UMigcs/F+NELZ1XadhpA6GiOyqtLM4wX5Xi5SlMVJBaXC9Tx9OafLlJPARj9/g4Np5vEPPY28UK9pG5St5vjHdQO6pg4hnjlrl1GDN6NJV59srZUZLv27V+4NI93kP0Ghzla5iak49RbnaaGnZK/C5cNdnspWdSs8TZGXo4W86HBIQiHYQxvab7RFyEnheTdOP5LGe4oXTF8EJ74g+0FU2gJ84sztM++kUCYwX81kKt071cGCXzi9ZdtHuWX/1Q5AEZt8wX2egF4BrDzntqOn21HVv8iaHpWYm94vG0fo27gVY/Fr7GsouNTmETZSagxjSeYjPCzo1XU8TmUq3QZNPm2jxGDwd51BptlB9J1jqZRwdcqYgyDBVDE3iuPldyFm/rbPdTQud8V5gVzTFEKqnRjDUvJjgL7wIs= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
server1.example.com,server1.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAOnh1wa6Z9YVid4gU1AmXMQG51dGXyGnUe+EJFkQYak1dM92JRSp0NUo/ceSSuoDYND6Ndc3KHOwN5tiGJCbsg2bVZ+xwRXX2j2O1tzhuvDoJgNM1BVpBeblNYj271D8j5IGVLZMlrk+T54Dz2oEOC9Wg0WDyUprZDCfjktUuqejAAAAFQD0gB6nyhWDHI8HPm4uuLSSaUGhgwAAAIAIi/FfBTL6UB1WZp1PXy4AEiIJvzen75Sf7wJUJZsVPfTZFu0k0O83vkOtbuvW83Uk99Sp3b11DiXdJ9LOrXO1wnbhv+eTMbEAZdt7+iEJEdHkK4wfoHS1uQPJPJYAHCQXbXLBaJhq+cm3mwD6UeVHLE8K81i0bKdUOwR5TMIyqwAAAIEAmfF0ja7XCsj3LArTC2tWfanrwnxD+HejHuZHUPfkHSy0VI6iqerIZiEB9edGLeD6XRzjWZBqbdBpvRE9Sw+BEhucWVyTuP+/A+iJPFh2YmGCww7TVGvAfby8GvvjEK3KSWH4euYxG0F+iXFf2SxHGh7bcu2JdE5W1mDBpqzq+C8= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
server1.example.com,server1.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIKW8/uOJoqOxhPnhElgUc4PPGyS8dJ3ZNK6rXjM7GtM/zqwGWzIpveaJb/f6jI6ABDMlxBqzcZT/iqzbMg+gls= root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
server1.example.com,server1.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnapgRQ0PlTrKSVQ96+VeUX5oogrfXXIJtT4Ljt6S6Q root@prereserve-1mt-rhel-9-0-0-20211129-2-2044-2021-12-07-06-26
Comment 13 errata-xmlrpc 2022-05-17 16:00:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: sssd), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:4015