Bug 2015070

Summary:	Consistency in defaults between OpenSSH and SSSD
Product:	Red Hat Enterprise Linux 8	Reporter:	Alexey Tikhonov <atikhono>
Component:	sssd	Assignee:	Alexey Tikhonov <atikhono>
Status:	CLOSED ERRATA	QA Contact:	Dhairya Parmar <dparmar>
Severity:	unspecified	Docs Contact:	lmcgarry
Priority:	unspecified
Version:	8.5	CC:	dlavu, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, tscherf
Target Milestone:	rc	Keywords:	Triaged
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:	sync-to-jira
Fixed In Version:	sssd-2.6.1-1.el8	Doc Type:	Enhancement
Doc Text:	.SSSD default SSH hashing value is now consistent with the OpenSSH setting The default value of `ssh_hash_known_hosts` has been changed to false. It is now consistent with the OpenSSH setting, which does not hash host names by default. However, if you need to continue to hash host names, add `ssh_hash_known_hosts = True` to the `[ssh]` section of the `/etc/sssd/sssd.conf` configuration file.	Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-05-10 15:26:44 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Alexey Tikhonov 2021-10-18 10:55:56 UTC

This bug was initially created as a copy of Bug #2014249

I am copying this bug because: to track change for RHEL8



Description of problem:
In SSSD the default value for ssh_hash_known_hosts is set to true

It should be changed to false for consistency with the OpenSSH setting that does not hashes host names by default.

Additionally, although currently allowed, the HMAC-SHA-1 algorithm will be eventually blocked in FIPS mode, causing errors in the default configuration in FIPS mode. Unfortunately there is no other encoding supported beyond plain text so the default should be off in order to be compatible with a FIPS world where HMAC-SHA-1 is disabled.
(note it is perfectly clear that is is not a cryptographic use, but in FIPS mode libraries are strict regalrdles).

Comment 1 Alexey Tikhonov 2021-10-27 17:13:25 UTC

https://github.com/SSSD/sssd/issues/5848

Comment 2 Alexey Tikhonov 2021-10-27 18:09:33 UTC

Upstream PR: https://github.com/SSSD/sssd/pull/5849

Comment 3 Alexey Tikhonov 2021-11-04 11:17:41 UTC

Pushed PR: https://github.com/SSSD/sssd/pull/5849

* `master`
    * e8b43cc82339c6ff19b8e6bf19d7d7c39ea481f7 - SSH: changed default value of `ssh_hash_known_hosts` to false

Comment 4 Dhairya Parmar 2021-12-03 11:45:57 UTC

Tested against sssd-2.4.0-9.el8_4.2.x86_64


#### ssh_hash_known_hosts is not used, default value is True ####

[root@localhost pubconf]# cat /etc/sssd/sssd.conf 
[domain/example.com]

id_provider = ipa
ipa_server = _srv_, server.example.com
ipa_domain = example.com
ipa_hostname = client.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]
[root@localhost pubconf]# systemctl stop sssd.service 
[root@localhost pubconf]# rm -f /var/lib/sss/pubconf/known_hosts
[root@localhost pubconf]# systemctl start sssd.service
[root@localhost pubconf]# ssh -l user1 server.example.com echo 'login successful'
Password: 
Could not chdir to home directory /home/user1: No such file or directory
login successful
[root@localhost pubconf]# cat /var/lib/sss/pubconf/known_hosts 
|1|avLOS3vrD82NCfLSVO7PDq97qEs=|TYmqqapY3I+UGxtP/IrBSwck9M0= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIplnECM2yS18pQMoMwc4t4ZVPt8Hamp0rWonAHD6+wf9zO2xzAUEufuyivlUhkrRfAfxDHE+qnM6Pm1PjvpZC0=
|1|wo4wGZAA/2gD1l9CKaX+8gdp7Dk=|U9QquCrWcOAhRk/WO5l4ZqJeX0c= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIplnECM2yS18pQMoMwc4t4ZVPt8Hamp0rWonAHD6+wf9zO2xzAUEufuyivlUhkrRfAfxDHE+qnM6Pm1PjvpZC0=
|1|2XSUnSkqveT5JA3hG3xTAcMKnCM=|kifh7N0W0HMy1OvD6Ht2vVaTR5c= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbcSMO8MXDcua6EZE00xaoZI9OJHgIdHKvPB8forZ2E
|1|M9G7mCDtq3KgzhuJdkKHWHAtS5Q=|QZ03laxOb0dCCfVtEm34uyuvsW4= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbcSMO8MXDcua6EZE00xaoZI9OJHgIdHKvPB8forZ2E
|1|vvK1+wtLRoyoje+DELTEiE+//wI=|a92ki2LRP12a26invIQX6pa+2aM= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGatmskdWO47NLbnGcovDWiKQQKtCnTAKuPhoOgeFyD+lzHGJ+mt2i/JjrVZnDYwtNYfPXsFiabijcIRFhgnTF2ZNnhDtRTbeM6mIkKGod6OmHwUGPrfg0BMJk7mKqazuHskIwTKATav/JKHj+aLBH77LhruWWkKgT4Qdlq1A6ysur2ePbHpS3Sjd9sPbkA+OR4VuG3W7sWWh+qpaqd7lQyBj8a0OckGdmP5srUv4YxtqDyPdVpk/89oQVR/7Jv5/r0pgjBTGJuIRiVv2h/YIZizsheoh8gTOJoaIiw8Sg/jsiHN0WP4TtkFFCFsO/Y7IDexREporUeIUl/vcboWebkfWss8594Edd1xShO3h090gjrGaGpTK3kirr2JdN/2O230lt4TsDbXhEX7w3FdtZffJFar5HXjhTsWvzc5jU5UfB6Gw8M/PmdXEAHK5q4BmKrnTXqfJBgW6aFWvkSLspwFqN8h3Ano2OrAyobPlLUvvAN9ixmW0k7NbVm35uSdk=
|1|GVuJhM99Iu64zOCKr83ehXKv1tI=|YyEvVnA8diYk0Y+k7EPVJ07Bs+k= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGatmskdWO47NLbnGcovDWiKQQKtCnTAKuPhoOgeFyD+lzHGJ+mt2i/JjrVZnDYwtNYfPXsFiabijcIRFhgnTF2ZNnhDtRTbeM6mIkKGod6OmHwUGPrfg0BMJk7mKqazuHskIwTKATav/JKHj+aLBH77LhruWWkKgT4Qdlq1A6ysur2ePbHpS3Sjd9sPbkA+OR4VuG3W7sWWh+qpaqd7lQyBj8a0OckGdmP5srUv4YxtqDyPdVpk/89oQVR/7Jv5/r0pgjBTGJuIRiVv2h/YIZizsheoh8gTOJoaIiw8Sg/jsiHN0WP4TtkFFCFsO/Y7IDexREporUeIUl/vcboWebkfWss8594Edd1xShO3h090gjrGaGpTK3kirr2JdN/2O230lt4TsDbXhEX7w3FdtZffJFar5HXjhTsWvzc5jU5UfB6Gw8M/PmdXEAHK5q4BmKrnTXqfJBgW6aFWvkSLspwFqN8h3Ano2OrAyobPlLUvvAN9ixmW0k7NbVm35uSdk=

#### ssh_hash_known_hosts = True ####

[root@localhost pubconf]# cat /etc/sssd/sssd.conf 
[domain/example.com]

id_provider = ipa
ipa_server = _srv_, server.example.com
ipa_domain = example.com
ipa_hostname = client.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]
ssh_hash_known_hosts = True

[pac]

[ifp]

[secrets]

[session_recording]
[root@localhost pubconf]# grep '\[ssh' -A1 /etc/sssd/sssd.conf
[ssh]
ssh_hash_known_hosts = True
[root@localhost pubconf]# systemctl stop sssd.service 
[root@localhost pubconf]# rm -f /var/lib/sss/pubconf/known_hosts
[root@localhost pubconf]# systemctl start sssd.service
[root@localhost pubconf]# ssh -l user1 server.example.com echo 'login successful'
Password: 
Could not chdir to home directory /home/user1: No such file or directory
login successful
[root@localhost pubconf]# cat /var/lib/sss/pubconf/known_hosts 
|1|6EBBD7AjQe1o3LNclVkhrKZoy9M=|nDqVAA8QEKnOEkmOXEmTwhShGJo= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIplnECM2yS18pQMoMwc4t4ZVPt8Hamp0rWonAHD6+wf9zO2xzAUEufuyivlUhkrRfAfxDHE+qnM6Pm1PjvpZC0=
|1|WZ+QryzlFSlaymdLosN27ieHMJo=|Wv1zYjwOQy+HgBKVox/FXncGkCA= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIplnECM2yS18pQMoMwc4t4ZVPt8Hamp0rWonAHD6+wf9zO2xzAUEufuyivlUhkrRfAfxDHE+qnM6Pm1PjvpZC0=
|1|GRecr5DuykAaNrdybkBtLXDiIjo=|twfC41XasD8sclFsVBaoPUx9qEs= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbcSMO8MXDcua6EZE00xaoZI9OJHgIdHKvPB8forZ2E
|1|GbpvylM0NqZPGVoHS8ZCm3s0KRE=|xw/syt+aKE0ZIQ5Q93nHrs2SRTM= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbcSMO8MXDcua6EZE00xaoZI9OJHgIdHKvPB8forZ2E
|1|p9GPmi0ezAFqqUbaEcUipjNoJsg=|cG4SLs4bNf2JDnc9foN/MfGrAUY= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGatmskdWO47NLbnGcovDWiKQQKtCnTAKuPhoOgeFyD+lzHGJ+mt2i/JjrVZnDYwtNYfPXsFiabijcIRFhgnTF2ZNnhDtRTbeM6mIkKGod6OmHwUGPrfg0BMJk7mKqazuHskIwTKATav/JKHj+aLBH77LhruWWkKgT4Qdlq1A6ysur2ePbHpS3Sjd9sPbkA+OR4VuG3W7sWWh+qpaqd7lQyBj8a0OckGdmP5srUv4YxtqDyPdVpk/89oQVR/7Jv5/r0pgjBTGJuIRiVv2h/YIZizsheoh8gTOJoaIiw8Sg/jsiHN0WP4TtkFFCFsO/Y7IDexREporUeIUl/vcboWebkfWss8594Edd1xShO3h090gjrGaGpTK3kirr2JdN/2O230lt4TsDbXhEX7w3FdtZffJFar5HXjhTsWvzc5jU5UfB6Gw8M/PmdXEAHK5q4BmKrnTXqfJBgW6aFWvkSLspwFqN8h3Ano2OrAyobPlLUvvAN9ixmW0k7NbVm35uSdk=
|1|56RQ9krc2Livj4eWae6bvdep0JU=|XiyKEa3XPi32WlIKQqbbJiA34N4= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGatmskdWO47NLbnGcovDWiKQQKtCnTAKuPhoOgeFyD+lzHGJ+mt2i/JjrVZnDYwtNYfPXsFiabijcIRFhgnTF2ZNnhDtRTbeM6mIkKGod6OmHwUGPrfg0BMJk7mKqazuHskIwTKATav/JKHj+aLBH77LhruWWkKgT4Qdlq1A6ysur2ePbHpS3Sjd9sPbkA+OR4VuG3W7sWWh+qpaqd7lQyBj8a0OckGdmP5srUv4YxtqDyPdVpk/89oQVR/7Jv5/r0pgjBTGJuIRiVv2h/YIZizsheoh8gTOJoaIiw8Sg/jsiHN0WP4TtkFFCFsO/Y7IDexREporUeIUl/vcboWebkfWss8594Edd1xShO3h090gjrGaGpTK3kirr2JdN/2O230lt4TsDbXhEX7w3FdtZffJFar5HXjhTsWvzc5jU5UfB6Gw8M/PmdXEAHK5q4BmKrnTXqfJBgW6aFWvkSLspwFqN8h3Ano2OrAyobPlLUvvAN9ixmW0k7NbVm35uSdk=


#### ssh_hash_known_hosts = False ####

[root@localhost pubconf]# cat /etc/sssd/sssd.conf 
[domain/example.com]

id_provider = ipa
ipa_server = _srv_, server.example.com
ipa_domain = example.com
ipa_hostname = client.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]
ssh_hash_known_hosts = False

[pac]

[ifp]

[secrets]

[session_recording]
[root@localhost pubconf]# grep '\[ssh' -A1 /etc/sssd/sssd.conf
[ssh]
ssh_hash_known_hosts = False
[root@localhost pubconf]# systemctl stop sssd.service 
[root@localhost pubconf]# rm -f /var/lib/sss/pubconf/known_hosts
[root@localhost pubconf]# systemctl start sssd.service
[root@localhost pubconf]# ssh -l user1 server.example.com echo 'login successful'
Password: 
Could not chdir to home directory /home/user1: No such file or directory
login successful
[root@localhost pubconf]# cat /var/lib/sss/pubconf/known_hosts 
server.example.com,server.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIplnECM2yS18pQMoMwc4t4ZVPt8Hamp0rWonAHD6+wf9zO2xzAUEufuyivlUhkrRfAfxDHE+qnM6Pm1PjvpZC0=
server.example.com,server.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbcSMO8MXDcua6EZE00xaoZI9OJHgIdHKvPB8forZ2E
server.example.com,server.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGatmskdWO47NLbnGcovDWiKQQKtCnTAKuPhoOgeFyD+lzHGJ+mt2i/JjrVZnDYwtNYfPXsFiabijcIRFhgnTF2ZNnhDtRTbeM6mIkKGod6OmHwUGPrfg0BMJk7mKqazuHskIwTKATav/JKHj+aLBH77LhruWWkKgT4Qdlq1A6ysur2ePbHpS3Sjd9sPbkA+OR4VuG3W7sWWh+qpaqd7lQyBj8a0OckGdmP5srUv4YxtqDyPdVpk/89oQVR/7Jv5/r0pgjBTGJuIRiVv2h/YIZizsheoh8gTOJoaIiw8Sg/jsiHN0WP4TtkFFCFsO/Y7IDexREporUeIUl/vcboWebkfWss8594Edd1xShO3h090gjrGaGpTK3kirr2JdN/2O230lt4TsDbXhEX7w3FdtZffJFar5HXjhTsWvzc5jU5UfB6Gw8M/PmdXEAHK5q4BmKrnTXqfJBgW6aFWvkSLspwFqN8h3Ano2OrAyobPlLUvvAN9ixmW0k7NbVm35uSdk=



Tested against sssd-2.6.1-1.el8.x86_64


#### ssh_hash_known_hosts is not used, default value is False ####

[root@localhost pubconf]# cat /etc/sssd/sssd.conf 
[domain/example.com]

id_provider = ipa
ipa_server = _srv_, server.example.com
ipa_domain = example.com
ipa_hostname = client.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]
[root@localhost pubconf]# systemctl stop sssd.service 
[root@localhost pubconf]# rm -f /var/lib/sss/pubconf/known_hosts
[root@localhost pubconf]# systemctl start sssd.service
[root@localhost pubconf]# ssh -l user1 server.example.com echo 'login successful'
Password: 
Could not chdir to home directory /home/user1: No such file or directory
login successful     
[root@localhost pubconf]# cat /var/lib/sss/pubconf/known_hosts 
server.example.com,server.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIplnECM2yS18pQMoMwc4t4ZVPt8Hamp0rWonAHD6+wf9zO2xzAUEufuyivlUhkrRfAfxDHE+qnM6Pm1PjvpZC0=
server.example.com,server.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbcSMO8MXDcua6EZE00xaoZI9OJHgIdHKvPB8forZ2E
server.example.com,server.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGatmskdWO47NLbnGcovDWiKQQKtCnTAKuPhoOgeFyD+lzHGJ+mt2i/JjrVZnDYwtNYfPXsFiabijcIRFhgnTF2ZNnhDtRTbeM6mIkKGod6OmHwUGPrfg0BMJk7mKqazuHskIwTKATav/JKHj+aLBH77LhruWWkKgT4Qdlq1A6ysur2ePbHpS3Sjd9sPbkA+OR4VuG3W7sWWh+qpaqd7lQyBj8a0OckGdmP5srUv4YxtqDyPdVpk/89oQVR/7Jv5/r0pgjBTGJuIRiVv2h/YIZizsheoh8gTOJoaIiw8Sg/jsiHN0WP4TtkFFCFsO/Y7IDexREporUeIUl/vcboWebkfWss8594Edd1xShO3h090gjrGaGpTK3kirr2JdN/2O230lt4TsDbXhEX7w3FdtZffJFar5HXjhTsWvzc5jU5UfB6Gw8M/PmdXEAHK5q4BmKrnTXqfJBgW6aFWvkSLspwFqN8h3Ano2OrAyobPlLUvvAN9ixmW0k7NbVm35uSdk=

### ssh_hash_known_hosts = True ###

[root@localhost pubconf]# cat /etc/sssd/sssd.conf 
[domain/example.com]

id_provider = ipa
ipa_server = _srv_, server.example.com
ipa_domain = example.com
ipa_hostname = client.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]
ssh_hash_known_hosts = True

[pac]

[ifp]

[secrets]

[session_recording]
[root@localhost pubconf]# grep '\[ssh' -A1 /etc/sssd/sssd.conf
[ssh]
ssh_hash_known_hosts = True
[root@localhost pubconf]# systemctl stop sssd.service 
[root@localhost pubconf]# rm -f /var/lib/sss/pubconf/known_hosts
[root@localhost pubconf]# systemctl start sssd.service
[root@localhost pubconf]# ssh -l user1 server.example.com echo 'login successful'
Password: 
Could not chdir to home directory /home/user1: No such file or directory
login successful
[root@localhost pubconf]# cat /var/lib/sss/pubconf/known_hosts 
|1|B6Ucb3ix4rI1IG0pDLdeFQlTIbA=|A673GCvAYu8RqGQM2nd1LW9XgMg= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIplnECM2yS18pQMoMwc4t4ZVPt8Hamp0rWonAHD6+wf9zO2xzAUEufuyivlUhkrRfAfxDHE+qnM6Pm1PjvpZC0=
|1|QFut6zSDJrkc8MAWyz3ddhxfLHA=|Q1LWk5H4yRnv0BgV3AKH+Ztsa/A= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIplnECM2yS18pQMoMwc4t4ZVPt8Hamp0rWonAHD6+wf9zO2xzAUEufuyivlUhkrRfAfxDHE+qnM6Pm1PjvpZC0=
|1|W7mMiNVK06LtPp8d4+T6slEgNuI=|9ASTvwWh6w9bnKFdISixi2ELn58= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbcSMO8MXDcua6EZE00xaoZI9OJHgIdHKvPB8forZ2E
|1|JpzbpSk0L5Aj7mfTF4zrgAaExak=|sNEDgydl0ELgI/IoyDrtOKHRV3k= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbcSMO8MXDcua6EZE00xaoZI9OJHgIdHKvPB8forZ2E
|1|pJSmYmBqObc3GAXq2/KVpGUdEiQ=|osJYD0aO56395TD3u49HBCBdx/c= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGatmskdWO47NLbnGcovDWiKQQKtCnTAKuPhoOgeFyD+lzHGJ+mt2i/JjrVZnDYwtNYfPXsFiabijcIRFhgnTF2ZNnhDtRTbeM6mIkKGod6OmHwUGPrfg0BMJk7mKqazuHskIwTKATav/JKHj+aLBH77LhruWWkKgT4Qdlq1A6ysur2ePbHpS3Sjd9sPbkA+OR4VuG3W7sWWh+qpaqd7lQyBj8a0OckGdmP5srUv4YxtqDyPdVpk/89oQVR/7Jv5/r0pgjBTGJuIRiVv2h/YIZizsheoh8gTOJoaIiw8Sg/jsiHN0WP4TtkFFCFsO/Y7IDexREporUeIUl/vcboWebkfWss8594Edd1xShO3h090gjrGaGpTK3kirr2JdN/2O230lt4TsDbXhEX7w3FdtZffJFar5HXjhTsWvzc5jU5UfB6Gw8M/PmdXEAHK5q4BmKrnTXqfJBgW6aFWvkSLspwFqN8h3Ano2OrAyobPlLUvvAN9ixmW0k7NbVm35uSdk=
|1|CGb3Sa611HpSn6JkYJF7lEv15b8=|Bc6lJMSAa5SE/Q9IkQ0KZfCH0hM= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGatmskdWO47NLbnGcovDWiKQQKtCnTAKuPhoOgeFyD+lzHGJ+mt2i/JjrVZnDYwtNYfPXsFiabijcIRFhgnTF2ZNnhDtRTbeM6mIkKGod6OmHwUGPrfg0BMJk7mKqazuHskIwTKATav/JKHj+aLBH77LhruWWkKgT4Qdlq1A6ysur2ePbHpS3Sjd9sPbkA+OR4VuG3W7sWWh+qpaqd7lQyBj8a0OckGdmP5srUv4YxtqDyPdVpk/89oQVR/7Jv5/r0pgjBTGJuIRiVv2h/YIZizsheoh8gTOJoaIiw8Sg/jsiHN0WP4TtkFFCFsO/Y7IDexREporUeIUl/vcboWebkfWss8594Edd1xShO3h090gjrGaGpTK3kirr2JdN/2O230lt4TsDbXhEX7w3FdtZffJFar5HXjhTsWvzc5jU5UfB6Gw8M/PmdXEAHK5q4BmKrnTXqfJBgW6aFWvkSLspwFqN8h3Ano2OrAyobPlLUvvAN9ixmW0k7NbVm35uSdk=


#### ssh_hash_known_hosts = False ####

[root@localhost pubconf]# cat /etc/sssd/sssd.conf 
[domain/example.com]

id_provider = ipa
ipa_server = _srv_, server.example.com
ipa_domain = example.com
ipa_hostname = client.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]
ssh_hash_known_hosts = False

[pac]

[ifp]

[secrets]

[session_recording]
[root@localhost pubconf]# grep '\[ssh' -A1 /etc/sssd/sssd.conf
[ssh]
ssh_hash_known_hosts = False
[root@localhost pubconf]# systemctl stop sssd.service 
[root@localhost pubconf]# rm -f /var/lib/sss/pubconf/known_hosts
[root@localhost pubconf]# systemctl start sssd.service
[root@localhost pubconf]# ssh -l user1 server.example.com echo 'login successful'
Password: 
Could not chdir to home directory /home/user1: No such file or directory
login successful
[root@localhost pubconf]# cat /var/lib/sss/pubconf/known_hosts 
server.example.com,server.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIplnECM2yS18pQMoMwc4t4ZVPt8Hamp0rWonAHD6+wf9zO2xzAUEufuyivlUhkrRfAfxDHE+qnM6Pm1PjvpZC0=
server.example.com,server.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbcSMO8MXDcua6EZE00xaoZI9OJHgIdHKvPB8forZ2E
server.example.com,server.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGatmskdWO47NLbnGcovDWiKQQKtCnTAKuPhoOgeFyD+lzHGJ+mt2i/JjrVZnDYwtNYfPXsFiabijcIRFhgnTF2ZNnhDtRTbeM6mIkKGod6OmHwUGPrfg0BMJk7mKqazuHskIwTKATav/JKHj+aLBH77LhruWWkKgT4Qdlq1A6ysur2ePbHpS3Sjd9sPbkA+OR4VuG3W7sWWh+qpaqd7lQyBj8a0OckGdmP5srUv4YxtqDyPdVpk/89oQVR/7Jv5/r0pgjBTGJuIRiVv2h/YIZizsheoh8gTOJoaIiw8Sg/jsiHN0WP4TtkFFCFsO/Y7IDexREporUeIUl/vcboWebkfWss8594Edd1xShO3h090gjrGaGpTK3kirr2JdN/2O230lt4TsDbXhEX7w3FdtZffJFar5HXjhTsWvzc5jU5UfB6Gw8M/PmdXEAHK5q4BmKrnTXqfJBgW6aFWvkSLspwFqN8h3Ano2OrAyobPlLUvvAN9ixmW0k7NbVm35uSdk=



Manual verification comment

Comment 7 Dhairya Parmar 2021-12-06 12:20:26 UTC

the tested package is available in nightly compose

Comment 14 errata-xmlrpc 2022-05-10 15:26:44 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2070