Bug 782766

Summary: [RFE] Support centralized management of SSH host keys
Product: Red Hat Enterprise Linux 6 Reporter: Jan Cholasta <jcholast>
Component: opensshAssignee: Petr Lautrbach <plautrba>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3CC: dpal, jkodak, pvrabec, sgrubb, tmraz
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-18 12:34:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Cholasta 2012-01-18 12:05:14 UTC 
OpenSSH in RHEL supports centralized management of SSH user keys (https://bugzilla.redhat.com/show_bug.cgi?id=455350), but there is no support for centralized management of SSH host keys.

In FreeIPA and SSSD there is ongoing work to support management of SSH public keys for both users and hosts (https://fedorahosted.org/freeipa/ticket/754, https://fedorahosted.org/sssd/ticket/610). Without support in OpenSSH, centralized management of SSH host keys cannot be fully implemented.

There is a related feature request in upstream bugzilla: https://bugzilla.mindrot.org/show_bug.cgi?id=1777
Comment 2 Petr Lautrbach 2012-01-26 07:49:08 UTC 
I'd like to see this first in upstream, at least in Fedora.

On the other hand, Miroslav Trmac suggested that FreeIPA could start managing the /etc/ssh/ssh_known_hosts file (either refreshing it, say, once per hour, or, if possible, refreshing it whenever a host key is changed) and this is possible today without changes to ssh
Comment 3 Jan Cholasta 2012-01-26 08:33:31 UTC 
Updating known_hosts periodically is not very scalable approach. It could work well in a small domain, but in a large domain with thousands of users and computers the load on IPA servers would be enormous.

However, there is one approach that could work without patching OpenSSH: using a custom ProxyCommand to acquire host keys for the SSH server from IPA before connecting to it, update known_hosts file and then estabilish the connection.
Comment 4 Peter Vrabec 2012-01-26 12:09:52 UTC 
I'm not approving a solution that needs patching ssh and is not accepted in upstream. Setting devel NACK on Upstream.

Steve, could you please clarify if there is any violation with our certifications?


Is there any problem with the approach suggested by Jan? I mean the "custom ProxyCommand". What I like is that it does not touch ssh source code.
Comment 5 Dmitri Pal 2012-01-30 17:24:26 UTC 
We should explore two directions: one that does not touch SSH and can be delivered pretty quickly but might have some roughness and then have a proper functionality accepted upstream and brought into RHEL in a later major version.
Comment 9 RHEL Program Management 2012-05-03 05:18:16 UTC 
Since RHEL 6.3 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.