Bug 870060
Summary: | SSH host keys are not being removed from the cache | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Dmitri Pal <dpal> |
Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> |
Status: | CLOSED ERRATA | QA Contact: | Kaushik Banerjee <kbanerje> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 6.4 | CC: | grajaiya, jcholast, jgalipea, nsoman, pbrezina, spoore |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | sssd-1.9.2-6.el6 | Doc Type: | Bug Fix |
Doc Text: | No Documentation Needed | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2013-02-21 09:38:41 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Dmitri Pal
2012-10-25 13:43:45 UTC
*** Bug 825489 has been marked as a duplicate of this bug. ***

Forget my last change, this was the wrong bug...

Honza, can you put the steps the QE should follow while verifying the issue? You know the code best.

Let's assume we have an IPA server installed on server.example.com and IPA client on client.example.com. The client should have its host keys uploaded to IPA by ipa-client-install.

1. Verify that the client's host keys are indeed stored in IPA:

   user@server$ ipa host-show client.example.com
   ...
   SSH public key fingerprint: <fingerprints>
   ...

2. Ssh to the client to make SSSD update the cache with the host keys:

   user@server$ ssh client.example.com
   user@client$ exit

3. Verify that the host keys are in SSSD's cache:

   user@server$ sudo ldbsearch -H /var/lib/sss/db/cache_example.com.ldb -b name=client.example.com,cn=ssh_hosts,cn=custom,cn=example.com,cn=sysdb
   # record 1
   dn: name=client.example.com,cn=ssh_hosts,cn=custom,cn=example.com,cn=sysdb
   ...
   sshPublicKey: <data>
   ...

4. Remove the host keys from IPA:

   user@server$ ipa host-mod client.example.com --sshpubkey=

5. Ssh to the client to make SSSD update the cache again:

   (see 2.)

6. Verify that the host keys are gone from SSSD's cache:

   (see 3. - there should be no sshPublicKey attribute this time)

Verified.
Version :: sssd-1.9.2-30.el6.x86_64

Manual Test Results ::

[root@rhel6-1 .ssh]# ipa host-show --all --raw $MYREPLICA1
dn: fqdn=rhel6-2.testrelm.com,cn=computers,cn=accounts,dc=testrelm,dc=com
fqdn: rhel6-2.testrelm.com
krbprincipalname: host/rhel6-2.testrelm.com
ipasshpubkey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1HJdcBvnKqW+ZeOyg/4saw3sTIs6qnF+oSOpGwabfz4DE858rd1U8ZXok0NAN+Sw3ZDT0F6acCuMui7PQnERzA908LQSewB7Q+OApa+LwgjtBbt8wgcrZ8REljweHLhlbPzHLTjFqGvsgn0Ye79mnDmd5ugL9kQJSRqrK1Ze9MZzqmR94IvYdoXIcBI5XB/+3akc7GfOiXhVNnmqZb8fNcZYOS4o+P07uCdF3JOiQAa8UHJ3AMKRcYlQ5K49bF5H/SqWbRmyURzoRfzuoMORgnKeqZyYKI1PEIIO8+g9x3lF+c5nEZSHcIZytrydzdYmFuCi+K6PX1SKtAdMmNvIrQ==
ipasshpubkey: ssh-dss AAAAB3NzaC1kc3MAAACBAJBwTLd2XqKnEXiby96fdRgUPxyrvqa3Ugfdwi+DPaS5TJPvMxUD0dzcLvh/PaPxQYuY0q5/vTp/xIc6/aPGoGUxHkqbrdE5IIyVbsZiIY8Fr+qbZPbHQ8BdoRBrYShft+KWX+6hg210jBKIzz/b2tob/4K8TbLVlcovI30xOcKFAAAAFQDcIuBBdXJ43OfBNNjlxsYE06DCqQAAAIBuA06Eyzciy8AbKLTYpsCwnjZUlYqvfTLl4db8Pg2HcnlJQPcPpRG/lalSD5m1o9uSGy06411bVvlRMhbsj7QRTQtCP4Ikm7Qs3lg3xKfsAyxouDtt0nyEizyciwV9yjp4eV8UJoWUtwD4UrbL0Vr66PoaQEEiIhevdWOCMHPb3wAAAIBl702vp1SlfvylZvAq11qahKo5TQ/N0QfzmM0MjUL0V2XbsD83FmlxA9OhyKjvFjJj0+sA0EwGuEe0CLJ3vt4BPgUyVh11eZ7VXVB0dcY9EBKE2B4aPbCzpvn0mvholgihuf+OwlSly0fjGIMGFlXS2XuOa0wNFRgRN+2Lin0PsA==
has_password: False
has_keytab: True
managedby: fqdn=rhel6-2.testrelm.com,cn=computers,cn=accounts,dc=testrelm,dc=com
sshpubkeyfp: 5F:A4:46:34:99:80:F7:8B:1B:76:F0:E7:D6:97:25:24 (ssh-rsa)
sshpubkeyfp: 0B:E5:D9:90:33:8B:2F:3D:96:30:AE:F0:11:2C:0B:3A (ssh-dss)
cn: rhel6-2.testrelm.com
ipauniqueid: 369ac9da-3f08-11e2-8894-525400640002
krbextradata: AAIHkL9Qcm9vdC9hZG1pbkBURVNUUkVMTS5DT00A
krblastpwdchange: 20121205181847Z
managing: fqdn=rhel6-2.testrelm.com,cn=computers,cn=accounts,dc=testrelm,dc=com
memberof: ipaUniqueID=0a46e0ec-41ad-11e2-b3fb-525400640001,cn=ng,cn=alt,dc=testrelm,dc=com
memberofindirect: ipauniqueid=3661ef20-418d-11e2-9258-525400640001,cn=ng,cn=alt,dc=testrelm,dc=com
objectclass: top
objectclass: ipaobject
objectclass: nshost
objectclass: ipahost
objectclass: ipaservice
objectclass: pkiuser
objectclass: krbprincipalaux
objectclass: krbprincipal
objectclass: krbticketpolicyaux
objectclass: ipasshhost
objectclass: ipaSshGroupOfPubKeys
serverhostname: rhel6-2

[root@rhel6-1 .ssh]# kdestroy
[root@rhel6-1 .ssh]# expect <<-EOF > $tmpout
> set timeout 3
> set force_conservative 0
> set send_slow {1 .1}
> spawn ssh admin@${MYREPLICA1} -q -o StrictHostKeyChecking=yes echo 'login successful'
> expect "*ssword:"
> send -s -- "${ADMINPW}\r"
> expect eof
> EOF
[root@rhel6-1 .ssh]# cat $tmpout
spawn ssh admin.com -q -o StrictHostKeyChecking=yes echo 'login successful'
admin.com's password:
Could not chdir to home directory /home/admin: No such file or directory
login successful
[root@rhel6-1 .ssh]# echo $ADMINPW|kinit admin
Password for admin:
[root@rhel6-1 .ssh]# ldbsearch -H /var/lib/sss/db/cache_$DOMAIN.ldb -b name=$MYREPLICA1,cn=ssh_hosts,cn=custom,cn=$DOMAIN,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=rhel6-2.testrelm.com,cn=ssh_hosts,cn=custom,cn=testrelm.com,cn=sysdb
name: rhel6-2.testrelm.com
objectClass: sshHost
nameAlias: 192.168.122.62
sshPublicKey: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBQkl3QUFBUUVBMUhKZGNCdm5LcVcr
 WmVPeWcvNHNhdzNzVElzNnFuRitvU09wR3dhYmZ6NERFODU4cmQxVThaWG9rME5BTitTdzNaRFQwR
 jZhY0N1TXVpN1BRbkVSekE5MDhMUVNld0I3UStPQXBhK0x3Z2p0QmJ0OHdnY3JaOFJFbGp3ZUhMaG
 xiUHpITFRqRnFHdnNnbjBZZTc5bW5EbWQ1dWdMOWtRSlNScXJLMVplOU1aenFtUjk0SXZZZG9YSWN
 CSTVYQi8rM2FrYzdHZk9pWGhWTm5tcVpiOGZOY1pZT1M0bytQMDd1Q2RGM0pPaVFBYThVSEozQU1L
 UmNZbFE1SzQ5YkY1SC9TcVdiUm15VVJ6b1JmenVvTU9SZ25LZXFaeVlLSTFQRUlJTzgrZzl4M2xGK
 2M1bkVaU0hjSVp5dHJ5ZHpkWW1GdUNpK0s2UFgxU0t0QWRNbU52SXJRPT0=
sshPublicKey: c3NoLWRzcyBBQUFBQjNOemFDMWtjM01BQUFDQkFKQndUTGQyWHFLbkVYaWJ5OTZm
 ZFJnVVB4eXJ2cWEzVWdmZHdpK0RQYVM1VEpQdk14VUQwZHpjTHZoL1BhUHhRWXVZMHE1L3ZUcC94S
 WM2L2FQR29HVXhIa3FicmRFNUlJeVZic1ppSVk4RnIrcWJaUGJIUThCZG9SQnJZU2hmdCtLV1grNm
 hnMjEwakJLSXp6L2IydG9iLzRLOFRiTFZsY292STMweE9jS0ZBQUFBRlFEY0l1QkJkWEo0M09mQk5
 Oamx4c1lFMDZEQ3FRQUFBSUJ1QTA2RXl6Y2l5OEFiS0xUWXBzQ3dualpVbFlxdmZUTGw0ZGI4UGcy
 SGNubEpRUGNQcFJHL2xhbFNENW0xbzl1U0d5MDY0MTFiVnZsUk1oYnNqN1FSVFF0Q1A0SWttN1FzM
 2xnM3hLZnNBeXhvdUR0dDBueUVpenljaXdWOXlqcDRlVjhVSm9XVXR3RDRVcmJMMFZyNjZQb2FRRU
 VpSWhldmRXT0NNSFBiM3dBQUFJQmw3MDJ2cDFTbGZ2eWxadkFxMTFxYWhLbzVUUS9OMFFmem1NME1
 qVUwwVjJYYnNEODNGbWx4QTlPaHlLanZGakpqMCtzQTBFd0d1RWUwQ0xKM3Z0NEJQZ1V5VmgxMWVa
 N1ZYVkIwZGNZOUVCS0UyQjRhUGJDenB2bjBtdmhvbGdpaHVmK093bFNseTBmakdJTUdGbFhTMlh1T
 2Ewd05GUmdSTisyTGluMFBzQT09
lastUpdate: 1355025335
sshKnownHostsExpire: 1355025515
distinguishedName: name=rhel6-2.testrelm.com,cn=ssh_hosts,cn=custom,cn=testrel
 m.com,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

[root@rhel6-1 .ssh]# ipa host-mod $MYREPLICA1 --sshpubkey=''
------------------------------------
Modified host "rhel6-2.testrelm.com"
------------------------------------
  Host name: rhel6-2.testrelm.com
  Principal name: host/rhel6-2.testrelm.com
  Password: False
  Member of netgroups: testng2
  Indirect Member of netgroup: testng1
  Keytab: True
  Managed by: rhel6-2.testrelm.com

[root@rhel6-1 .ssh]# kdestroy
[root@rhel6-1 .ssh]# expect <<-EOF > $tmpout
> set timeout 3
> set force_conservative 0
> set send_slow {1 .1}
> spawn ssh admin@${MYREPLICA1} -q -o StrictHostKeyChecking=yes echo 'login successful'
> expect "*ssword:"
> send -s -- "${ADMINPW}\r"
> expect eof
> EOF
[root@rhel6-1 .ssh]# cat $tmpout
spawn ssh admin.com -q -o StrictHostKeyChecking=yes echo 'login successful'
admin.com's password:
Could not chdir to home directory /home/admin: No such file or directory
login successful
[root@rhel6-1 .ssh]# echo $ADMINPW|kinit admin
Password for admin:
[root@rhel6-1 .ssh]# ldbsearch -H /var/lib/sss/db/cache_$DOMAIN.ldb -b name=$MYREPLICA1,cn=ssh_hosts,cn=custom,cn=$DOMAIN,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=rhel6-2.testrelm.com,cn=ssh_hosts,cn=custom,cn=testrelm.com,cn=sysdb
name: rhel6-2.testrelm.com
objectClass: sshHost
nameAlias: 192.168.122.62
lastUpdate: 1355025428
sshKnownHostsExpire: 1355025608
distinguishedName: name=rhel6-2.testrelm.com,cn=ssh_hosts,cn=custom,cn=testrel
 m.com,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

[root@rhel6-1 .ssh]#

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
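The six verification steps given in the comments above, scripted end to end as an added example (not part of the bug report or of SSSD itself). It assumes an IPA admin ticket and root on the server, and the names CLIENT, DOMAIN and the helper functions are assumptions; the key check counts sshPublicKey attributes in ldbsearch output and skips ldb's space-prefixed continuation lines.

```shell
#!/bin/sh
# Added example, not from the bug report: run verification steps 1-6 for
# bug 870060. Assumes kinit as an IPA admin and root on the IPA server;
# CLIENT and DOMAIN are assumed names for the client host and SSSD domain,
# and LDB_CACHE is the sysdb path used in step 3.
set -e

CLIENT="${CLIENT:-client.example.com}"
DOMAIN="${DOMAIN:-example.com}"
LDB_CACHE="/var/lib/sss/db/cache_${DOMAIN}.ldb"

# Count sshPublicKey attributes in ldbsearch output read from stdin.
# ldb wraps long base64 values onto continuation lines that start with a
# space, so only lines that begin with the attribute name are counted.
count_cached_keys() {
    grep -c '^sshPublicKey:' || true
}

# Steps 3 and 6: dump the client's entry from SSSD's ssh_hosts cache.
dump_cache_entry() {
    ldbsearch -H "$LDB_CACHE" \
        -b "name=${CLIENT},cn=ssh_hosts,cn=custom,cn=${DOMAIN},cn=sysdb"
}

# Steps 2 and 5: an SSH connection makes SSSD refresh the cached host keys.
refresh_cache() {
    ssh -o StrictHostKeyChecking=yes "$CLIENT" exit
}

verify_bug_870060() {
    # Step 1: the host keys must be stored in IPA for the test to mean anything.
    ipa host-show "$CLIENT" | grep -q 'SSH public key fingerprint' \
        || { echo "step 1 failed: no SSH keys stored in IPA for $CLIENT"; return 1; }
    refresh_cache
    before=$(dump_cache_entry | count_cached_keys)
    [ "$before" -gt 0 ] \
        || { echo "step 3 failed: no sshPublicKey cached for $CLIENT"; return 1; }
    # Step 4: remove the keys from IPA, then make SSSD refresh the cache again.
    ipa host-mod "$CLIENT" --sshpubkey=
    refresh_cache
    after=$(dump_cache_entry | count_cached_keys)
    [ "$after" -eq 0 ] \
        || { echo "step 6 failed: $after stale sshPublicKey value(s) still cached"; return 1; }
    echo "verified: cached keys went from $before to 0 after removal from IPA"
}

# The live procedure only runs when asked; the helpers can be exercised
# offline on saved ldbsearch output.
if [ "${1:-}" = "run" ]; then
    verify_bug_870060
fi
```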