Bug 746036

Summary: [RFE] Host SSH keys
Product: Red Hat Enterprise Linux 7
Reporter: Sigbjorn Lie <sigbjorn>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED WONTFIX
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.0
CC: dpal, jgalipea, mkosek
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-19 11:46:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 756082

Description Sigbjorn Lie 2011-10-13 17:47:49 UTC
Description of problem:
RFE: Following my IRC discussion with JrAquino_: allowing IPA to have a host object containing the host SSH key object would be very useful when reinstalling a machine (such as a workstation).

Version-Release number of selected component (if applicable):
IPA 2.1.1


Comment 1 Rob Crittenden 2011-10-13 17:51:42 UTC
How would this key be used? We can add it as a lump of data relatively easily, but what do you want us to do with it?

Comment 3 Sigbjorn Lie 2011-10-13 17:57:05 UTC
Put it back on the host when it's re-installed...

See my conversation with sgallagh on #freeipa.

Comment 4 Dmitri Pal 2011-10-13 18:00:23 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1978

Comment 5 Stephen Gallagher 2011-10-13 18:12:03 UTC
I think the goal here is that if a host was reinstalled, we want ipa-client-install to be able to restore the host key saved in FreeIPA. (Or in the case of bulk enrollment, push it down on the initial install).

The same key will later be useful to have once we're supporting central host-keys for trust.

Comment 6 Rob Crittenden 2011-10-13 18:13:32 UTC
Oh, you want to store SSH *private* keys in IPA!

We had some discussion about storing the public host keys, not sure that the private keys came up. We'd need to be pretty careful with them.

Comment 7 Stephen Gallagher 2011-10-13 18:14:10 UTC
For the record, here is the original conversation:

(01:25:51 PM) sgallagh: SSH key management is tricky (because the openssh community isn't very helpful)
(01:25:58 PM) Silikon: sgallagh: ok. will there be a ssh host key management at some point?
(01:26:12 PM) sgallagh: We'd like to
(01:26:24 PM) sgallagh: But I'm going to say probably not in 3.0
(01:26:33 PM) Silikon: sgallagh: hehe. :) isn't host key management easier to accomplish than user key management?
(01:27:15 PM) sgallagh: Ah, sorry. Missed the host/user comment.
(01:27:30 PM) sgallagh: Either way requires a certain amount of buy-in from the openssh developers
(01:27:42 PM) sgallagh: And they have a very strong "If I didn't think of it, it must be a bad idea" mentality
(01:27:52 PM) Silikon: that sucks...
(01:27:55 PM) sgallagh: Yes
(01:28:07 PM) sgallagh: But we're looking into it
(01:28:24 PM) sgallagh: But I wouldn't want you to oversell what we're going to have ready for 3.0 :)
(01:28:54 PM) Silikon: but... (you have probably thought about this already, but here goes :) ) what if you store the ssh key with the host object, and deploy the ssh-host keys upon deployment of the ipa-client?
(01:29:17 PM) Silikon: sgallagh: ok, I will keep that in mind. :)
(01:30:17 PM) sgallagh: Silikon: The host keys are usually generated on the clients
(01:30:36 PM) sgallagh: The point of a host key storage would be so that users could ask FreeIPA for a list of trusted hosts
(01:30:37 PM) Silikon: sgallagh: I know, it drives me crazy!
(01:30:44 PM) sgallagh: This wouldn't help that
(01:31:02 PM) sgallagh: Clients connecting to those hosts would still have to click through the key verification the first time
(01:31:13 PM) sgallagh: Which we've cleverly trained people to blindly accept at this point :-(
(01:31:52 PM) Silikon: ah, ok. I was looking for a central store where the hosts' ssh keys were stored, so when I re-install a workstation the existing ssh key was re-used, not a new ssh-host-key generated.
(01:31:54 PM) Silikon: exactly!!
(01:32:09 PM) Silikon: I click (almost) blindly to yes as well
(01:32:22 PM) Silikon: it defies the entire purpose of the question
(01:32:36 PM) Silikon: I notice Ubuntu has even gone as far as auto-accepting a new hosts key!
(01:32:57 PM) sgallagh: Silikon: That's... horrific.
(01:33:17 PM) sgallagh: Yet another reason why anyone security-conscious shouldn't touch Ubuntu with a ten foot pole
(01:33:19 PM) Silikon: sgallagh: I know...I feel ashamed!!! :(
(01:33:37 PM) sgallagh: Silikon: That's an interesting idea though (about being able to re-provision with the same key)
(01:33:41 PM) Silikon: sgallagh: hehehheheheheheheh! :)
(01:33:46 PM) sgallagh: Silikon: Would you mind opening an RFE?
(01:34:53 PM) Silikon: sgallagh: sure, I'll get on to it
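The discussion in Comments 5 to 7 turns on two client-side checks: a reinstalled host that generates a fresh key instead of restoring the stored one makes every client see a "changed" host key, and a host with no central record leaves users clicking through the first-connection prompt. The following Python script is an added illustration of those checks, not code from this bug or from FreeIPA: it parses an OpenSSH public-key line, computes the SHA256 fingerprint the way `ssh-keygen -lf` prints it, emits a known_hosts entry from a central record of public keys, and classifies a presented key as matching, changed, or unknown. The sample keys, hostnames, and the `CENTRAL_STORE` dictionary standing in for an IPA host record are constructed for the example; the raw 32-byte values are arbitrary and are not real host keys.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire string: uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def make_public_key_line(key_type: str, raw_key: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line ("<type> <base64 blob> <comment>").
    Used here only to construct sample data; on a real host the line comes
    from /etc/ssh/ssh_host_*_key.pub."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_public_key_line(line: str) -> tuple:
    """Return (key type, decoded blob), checking that the type string
    embedded in the blob agrees with the leading type field."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length].decode()
    if embedded != key_type:
        raise ValueError(f"type field {key_type!r} != blob type {embedded!r}")
    return key_type, blob


def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints:
    'SHA256:' + base64(sha256(blob)) with the '=' padding stripped."""
    _, blob = parse_public_key_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_entry(hostname: str, line: str) -> str:
    """Build a known_hosts line from a stored public key (type and blob
    only; the trailing comment is not part of a known_hosts entry)."""
    key_type, blob = parse_public_key_line(line)
    return f"{hostname} {key_type} {base64.b64encode(blob).decode()}"


def check_presented_key(store: dict, hostname: str, presented: str) -> str:
    """Compare the key a host presents against the central record.
    'unknown': no record for the host (the first-connection prompt);
    'match':   same key as stored;
    'changed': different key, e.g. a reinstalled host that generated a
               fresh key instead of restoring the stored one."""
    if hostname not in store:
        return "unknown"
    if fingerprint(presented) == fingerprint(store[hostname]):
        return "match"
    return "changed"


# Constructed sample data (not real host keys): arbitrary 32-byte values
# wrapped as well-formed ssh-ed25519 public-key encodings.
ORIGINAL_KEY = make_public_key_line("ssh-ed25519", bytes(range(32)), "root@ws01")
REGENERATED_KEY = make_public_key_line("ssh-ed25519", bytes(range(32, 64)), "root@ws01")
# Hypothetical central record, standing in for a public key stored on an IPA host object.
CENTRAL_STORE = {"ws01.example.test": ORIGINAL_KEY}

if __name__ == "__main__":
    print(known_hosts_entry("ws01.example.test", ORIGINAL_KEY))
    print(fingerprint(ORIGINAL_KEY))
    for label, key in (("restored key", ORIGINAL_KEY), ("fresh key", REGENERATED_KEY)):
        print(label, "->", check_presented_key(CENTRAL_STORE, "ws01.example.test", key))
    print("no record ->", check_presented_key(CENTRAL_STORE, "ws02.example.test", ORIGINAL_KEY))
```

Only public keys are handled here: restoring the same host identity after a reinstall needs the private key, which is the part Comment 6 flags as needing care, while distributing public keys alone is enough to turn the "unknown" case into a pre-populated known_hosts entry.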

Comment 11 Martin Kosek 2016-02-19 11:46:27 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. The request was cloned to the upstream tracker a long time ago (see the link to the upstream ticket above), but it was unfortunately not given priority either in the upstream project or in Red Hat Enterprise Linux.

Given that this request is not planned for a close release, it is highly unlikely it will be fixed in this major version of Red Hat Enterprise Linux. We are therefore closing the request as WONTFIX.

To request that Red Hat reconsiders the decision, please reopen the Bugzilla with the help of Red Hat Customer Service and provide additional business and/or technical details about its importance to you. Please note that you can still track this request or even offer help in the referred upstream Trac ticket to expedite the solution.