Bug 2323496

Summary: sss_ssh_knownhosts throws error when trying to establish ssh session to an ip address
Product: [Fedora] Fedora
Reporter: rob.verduijn
Component: sssd
Assignee: Alejandro López <allopez>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 41
CC: abokovoy, atikhono, lslebodn, mzidek, pbrezina, r3pek, sbose, ssorce, sssd-maintainers
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Fixed In Version: sssd-2.10.0-2.fc41
Last Closed: 2024-11-13 03:12:34 UTC

Description rob.verduijn 2024-11-03 13:05:50 UTC
Tested on a fedora41 client member of an ipa domain.

When trying to establish an ssh connection to an ip address the sss_ssh_knownhosts binary throws an error.

```
KnownHostsCommand-ORDER /usr/bin/sss_ssh_knownhosts 172.16.1.123 failed, status 1
KnownHostsCommand failed
```

If I manually edit the /etc/hosts to contain an fqdn entry for this ip
ie 172.16.1.123 myhost.somedomain.com myhost

The ssh-connection succeeds

Using the ssh command to connect to any pc in the ipa domain works fine.

Reproducible: Always

Steps to Reproduce:
1. set up ipa domain
2. set up fedora41 ipa domain client
3. set up fedora system that is not an ipa domain client (and does not have a FQDN)
4. use the fedora41 ipa domain client to ssh to the ip of the non ipa-domain client
5. /usr/bin/sss_ssh_knownhosts will throw an error
6. on the ipa domain client add fqdn entry to the /etc/hosts for the non ipa-domain client
7. from the fedora41 client ssh into the /etc/hosts defined fqdn of the non ipa-domain client
8. ssh login will succeed

Actual Results:
failed to login with error:

```
KnownHostsCommand-ORDER /usr/bin/sss_ssh_knownhosts 172.16.1.123 failed, status 1
KnownHostsCommand failed
```

Expected Results:
normal ssh login to the system with the ip address

Comment 1 Sumit Bose 2024-11-03 16:14:02 UTC
Hi,

thank you for your report, this is a known issue, please see SSSD upstream ticket https://github.com/SSSD/sssd/issues/7664 and the fix at https://github.com/SSSD/sssd/pull/7670.

bye,
Sumit

Comment 2 rob.verduijn 2024-11-03 17:51:34 UTC
Cool,

Hope that merge request gets approved soon.

Rob

Comment 3 Alexey Tikhonov 2024-11-07 10:08:09 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/7670

* `master`
    * 76682050022cba204ec5450f274a6e10a3726943 - SSH: sss_ssh_knownhosts must ignore DNS errors
* `sssd-2-10`
    * fe72979318b171e2ab4fd95890c806401afb5296 - SSH: sss_ssh_knownhosts must ignore DNS errors

Comment 4 Carlos Mogas da Silva 2024-11-10 13:20:08 UTC
Can we get some kind of "urgency" on this? It's kinda breaking not being able to ssh into hosts by IP...

Comment 6 Fedora Update System 2024-11-11 10:50:09 UTC
FEDORA-2024-bfd5344277 (sssd-2.10.0-2.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-bfd5344277

Comment 7 Fedora Update System 2024-11-12 02:06:27 UTC
FEDORA-2024-bfd5344277 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-bfd5344277`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-bfd5344277

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2024-11-13 03:12:34 UTC
FEDORA-2024-bfd5344277 (sssd-2.10.0-2.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.
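
Added example, not part of the bug report and not SSSD or OpenSSH code: a POSIX shell triage sketch that recognises the `KnownHostsCommand` failure quoted in the description, checks whether the target is an IP literal, and compares an sssd version-release string against the Fixed In Version. The function names, the sample stderr and the `2.10.0-1.fc41` input are constructed for illustration.

```shell
# Added triage sketch, not SSSD or OpenSSH code. Sample data below is constructed.
FIXED_VR="2.10.0-2.fc41"   # "Fixed In Version" on this bug, without the "sssd-" prefix

# Succeeds if $1 is an IPv4 literal or (coarse check) an IPv6 literal.
is_ip_literal() {
    printf '%s\n' "$1" | awk -F. '
        /^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$/ { ok = 1 }
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            ok = 1
            for (i = 1; i <= 4; i++) if ($i > 255) ok = 0
        }
        END { exit !ok }'
}

# stdin: ssh client stderr. Prints "<target> <status>" for each failed
# KnownHostsCommand run of sss_ssh_knownhosts (target = last argument).
khc_failures() {
    sed -n 's|^KnownHostsCommand-[A-Z]* .*sss_ssh_knownhosts.* \([^ ]*\) failed, status \([0-9][0-9]*\)$|\1 \2|p'
}

# Succeeds if version-release $1 >= $2; numeric components only (approximates RPM ordering).
vr_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# stdin: ssh stderr; $1: installed version-release, e.g. from
#   rpm -qf --qf '%{VERSION}-%{RELEASE}\n' /usr/bin/sss_ssh_knownhosts
triage() {
    khc_failures | while read -r target status; do
        if is_ip_literal "$target" && ! vr_at_least "$1" "$FIXED_VR"; then
            echo "$target: matches bug 2323496 (sssd $1 < $FIXED_VR); update sssd"
        else
            echo "$target: status $status, not the pre-fix IP-address case reported here"
        fi
    done
}

# Constructed sample: the stderr lines quoted in the report and a made-up pre-fix version.
SAMPLE_STDERR='KnownHostsCommand-ORDER /usr/bin/sss_ssh_knownhosts 172.16.1.123 failed, status 1
KnownHostsCommand failed'
printf '%s\n' "$SAMPLE_STDERR" | triage "2.10.0-1.fc41"
```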