Bug 1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys
Summary: [bug] sssd always appends default_domain_suffix when checking for host keys
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 1401816
TreeView+ depends on / blocked
 
Reported: 2015-03-26 14:02 UTC by Jakub Hrozek
Modified: 2020-05-02 17:59 UTC (History)
10 users (show)

Fixed In Version: sssd-1.13.0-0.1.alpha.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1401816 (view as bug list)
Environment:
Last Closed: 2015-11-19 11:37:19 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 3650 None None None 2020-05-02 17:59:26 UTC
Red Hat Product Errata RHSA-2015:2355 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2015-11-19 10:27:42 UTC

Description Jakub Hrozek 2015-03-26 14:02:15 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2609

FreeIPA includes the ability to have the sssd use a host key proxy to check for host keys on the server, rather than using the local known_hosts file, but it breaks if you use the default_domain_suffix

If you have setup your sssd with the following settings:
default_domain_suffix = addomain.net
use_fully_qualified_names = true

This allows active directory users from a trusted Active Directory domain to login to your FreeIPA clients by entering only 'adusername' at the login prompt instead of 'adusername@addomain.net'.

However, when you turn this setting on, it breaks host key checking.  What happens is that the sssd is appending the default_domain_suffix all the time, whether it is needed or not.

Here are my sssd logs during a host key check when using ssh to connect from one FreeIPA host to another (same issue in FreeIPA 3.0.0/sssd 1.11 and 4.1.2 / sssd 1.12)

(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipaclient1-sandbox-atdev-van.ipadomain.net@addomain.net]
(Fri Mar 20 23:19:55 2015) [sssd[ssh]] [sysdb_search_ssh_hosts] (0x0400): No such host

As you can see from the logs, even though I am sending it a fqdn (ipaclient1-sandbox-atdev-van.ipadomain.net it is still appending @addomain.net to the address before checking for a host key for that host.

Ideally, you would not want it to ever append the name, even if a fqdn is not given.  Here is why I think this should be the default behavior.

The default_domain_suffix is meant to be applied to usernames when logging in.  It is not meant to be applied to hostnames, especially since the fqdn is quite irrelevant when doing a host key check since you will always be looking for that host in the FreeIPA directory anyway.

Comment 1 Jakub Hrozek 2015-04-01 11:53:17 UTC
* master: eeecc48d22a28bb69da56f6ffd8824163fc9bf00

Comment 5 Sudhir Menon 2015-10-06 13:37:51 UTC
After cross checking the sssd_ssh.log file on the IPA-client box found that there is no such logging been done when the user tries to login from AD box using putty, even after setting the log level to 5/9. i.e debug_level = 5
and debug_level = 9 in sssd.conf file.

[debug level = 5, 0x0200: Function data
debug level =  9, 0x4000: Extremely low-level tracing information]

Comment 6 Jakub Hrozek 2015-10-06 15:44:29 UTC
(In reply to Sudhir Menon from comment #5)
> After cross checking the sssd_ssh.log file on the IPA-client box found that
> there is no such logging been done when the user tries to login from AD box
> using putty, even after setting the log level to 5/9. i.e debug_level = 5
> and debug_level = 9 in sssd.conf file.
> 
> [debug level = 5, 0x0200: Function data
> debug level =  9, 0x4000: Extremely low-level tracing information]

Can you check if the ssh responder is running?

Did you put the debug level into the [ssh] section?

Comment 7 Sudhir Menon 2015-10-07 07:28:56 UTC
1. ps -ef shows the below, not sure if this is the ssh responder you were referring to.

root     14904 14899  0 12:50 ?        00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files

2. Yes, the debug_level = 9 was put under the [ssh] section in sssd.conf on the ipaclient.

[ssh]
debug_level = 9

Comment 8 Jakub Hrozek 2015-10-07 07:51:14 UTC
Ah, I know what's wrong. You were logging in from Windows -- that doesn't trigger the ssh responder. You need to log in from one IPA-managed host to another. It's also in the opening comment:
~~~~~
Here are my sssd logs during a host key check when using ssh to connect from one FreeIPA host to another (same issue in FreeIPA 3.0.0/sssd 1.11 and 4.1.2 / sssd 1.12)
~~~~~

Comment 9 Sudhir Menon 2015-10-07 13:01:37 UTC
Verified: sssd-1.13.0-36.el7.x86_64 on RHEL7.2

1. set the below parameter in sssd.conf on IPAclient.

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = labs01.test
default_domain_suffix = test.in   <---
use_fully_qualified_names = true  <---

[ssh]
debug_level = 7


2. Logged in as an IPA user from IPAclient to IPAServer.

#ssh -l test ipa01.labs01.test

3. sssd_log file on the IPAclient from where we are trying to do ssh, logs the below.

(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [<ALL>]
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_ssh_cmd_get_host_pubkeys] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test][] from [<ALL>]
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f1361089e20:ipa01.labs01.test@labs01.test]
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_dp_get_ssh_host_msg] (0x0400): Creating SSH host request for [labs01.test][0][name=ipa01.labs01.test]
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f1361089e20:ipa01.labs01.test@labs01.test]
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Success)
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test@labs01.test]
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sysdb_update_ssh_known_host_expire] (0x0400): Updating known_hosts expire time of host ipa01.labs01.test
(Wed Oct  7 18:28:10 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f1361089e20:ipa01.labs01.test@labs01.test]

3. Also tried logging as trusted AD user from the IPAclient on the IPAserver as below and found that the default domain suffix is not searched.

[root@ipaclient02 ~]# ssh -l smenon@test.in ipa01.labs01.test
(Wed Oct  7 18:35:37 2015) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [<ALL>]
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_ssh_cmd_get_host_pubkeys] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test][] from [<ALL>]
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f1361089e20:ipa01.labs01.test@labs01.test]
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_dp_get_ssh_host_msg] (0x0400): Creating SSH host request for [labs01.test][0][name=ipa01.labs01.test]
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f1361089e20:ipa01.labs01.test@labs01.test]
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Success)
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [ssh_host_pubkeys_search_next] (0x0400): Requesting SSH host public keys for [ipa01.labs01.test@labs01.test]
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sysdb_update_ssh_known_host_expire] (0x0400): Updating known_hosts expire time of host ipa01.labs01.test
(Wed Oct  7 18:35:41 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f1361089e20:ipa01.labs01.test@labs01.test]

4. default_domain_suffix is not searched in the case which is test.in as mentioned in sssd.conf on IPAclient.

Comment 10 errata-xmlrpc 2015-11-19 11:37:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html


Note You need to log in before you can comment on or make changes to this bug.