Bug 825316

Summary: sss_ssh_knownhostsproxy prevents connection to machine without reverse address
Product: [Fedora] Fedora Reporter: Martin Kosek <mkosek>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 17CC: igeorgex, jhrozek, sbose, sgallagh, ssorce
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-09-06 10:57:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Kosek 2012-05-25 16:06:49 UTC
Description of problem:
When I install IPA server with SSH support (and thus sss_ssh_knownhostsproxy is used as a ProxyCommand in ssh_config) , I cannot ssh to machine without a reverse address:

# host vm-050.idm.lab.bos.redhat.com
vm-050.idm.lab.bos.redhat.com has address 10.16.78.50
# host 10.16.78.50
Host 50.78.16.10.in-addr.arpa. not found: 3(NXDOMAIN)

# ssh -vv vm-050.idm.lab.bos.redhat.com
OpenSSH_5.9p1, OpenSSL 1.0.0j-fips 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 vm-050.idm.lab.bos.redhat.com
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: permanently_drop_suid: 0
Reverse lookup failed
ssh_exchange_identification: Connection closed by remote host


When the proxy command is commented, the connection to the same machine works.

This is too strict, we cannot require working reverse records for every machine we want to connect to.

Version-Release number of selected component (if applicable):
sssd-1.8.3-11.fc17.x86_64

How reproducible:


Steps to Reproduce:
1. Install IPA server on a machine
2. On that machine, try to connect to other machine without a reverse record
3.
  
Actual results:
Connection is rejected

Expected results:
Connection is accepted


Additional info:
I think this issue is present also in RHEL 6.3 Beta.

Comment 1 Stephen Gallagher 2012-05-25 16:07:47 UTC

*** This bug has been marked as a duplicate of bug 825313 ***

Comment 2 Martin Kosek 2012-05-25 16:14:06 UTC
(In reply to comment #1)
> 
> *** This bug has been marked as a duplicate of bug 825313 ***

You were too fast, bug 825313 was closed as it did not has the fields filled correctly. Reopening this bug.

Comment 3 Jakub Hrozek 2012-05-28 13:40:21 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1356

Comment 4 Jakub Hrozek 2012-09-06 10:57:59 UTC
This bug has been fixed in all supported Fedora releases -- either as part of upstream release (rawhide, f18) or as a separate patch (f16, f17).

Closing.