ssh fails with:

******************************************************************************
Your system is configured to use the obsolete tool sss_ssh_knownhostsproxy.
Please read the sss_ssh_knownhosts(1) man page to learn about its replacement.
******************************************************************************

But man sss_ssh_knownhosts contains just:

SSS_SSH_KNOWNHOSTS(1)          SSSD Manual pages          SSS_SSH_KNOWNHOSTS(1)

NAME
       sss_ssh_knownhosts - get OpenSSH known hosts public keys

SYNOPSIS
       sss_ssh_knownhosts [options] HOST

DESCRIPTION
       sss_ssh_knownhosts acquires SSH public keys for host HOST and outputs
       them in OpenSSH known_hosts key format (see the "SSH_KNOWN_HOSTS FILE
       FORMAT" section of sshd(8) for more information).

       ssh(1) can be configured to use sss_ssh_knownhosts for public key host
       authentication using the "KnownHostsCommand" option:

           KnownHostsCommand /usr/bin/sss_ssh_knownhosts %H

       Please refer to the ssh_config(5) man page for more details about this
       option.

OPTIONS
       -d,--domain DOMAIN
              Search for host public keys in SSSD domain DOMAIN.

       -?,--help
              Display help message and exit.

EXIT STATUS
       In case of successful execution, even if no key was found, 0 is
       returned. 1 is returned in case of error.

SEE ALSO
       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5),
       sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-sudo(5),
       sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
       sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
       sss_ssh_authorizedkeys(1), sss_ssh_knownhosts(1), sssd-ifp(5),
       pam_sss(8). sss_rpcidmapd(5) sssd-systemtap(5)

AUTHORS
       The SSSD upstream - https://github.com/SSSD/sssd/

SSSD                               07/22/2024             SSS_SSH_KNOWNHOSTS(1)

and no information about a replacement or it being obsolete.

sssd-2.10.0~beta2-3.fc41.x86_64

Reproducible: Always
Okay, apparently I'm a complete idiot - as sss_ssh_knownhosts is the replacement for sss_ssh_knownhostsproxy - but maybe others will be confused like me.

Another question - does this:

    KnownHostsCommand /usr/bin/sss_ssh_knownhosts %H

replace both of these:

    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
    GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts /etc/ssh/ssh_known_hosts

or just the ProxyCommand line?
Also, is it really supposed to break ssh already?
(In reply to Orion Poplawski from comment #1)
> Another question - does this:
>
> KnownHostsCommand /usr/bin/sss_ssh_knownhosts %H
>
> replace both of these:
>
> ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
> GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts /etc/ssh/ssh_known_hosts
>
> or just the ProxyCommand line?

I believe both: https://github.com/freeipa/freeipa/commit/7d54a6daaf0ef91d608d67b3c70e2d566868be05

(In reply to Orion Poplawski from comment #2)
> Also, is it really supposed to break ssh already?

Starting with F41 the old helper isn't built: https://src.fedoraproject.org/rpms/sssd/blob/f41/f/sssd.spec#_45

But if you have IPA package(s) on this system then the config should be updated during upgrade: https://github.com/freeipa/freeipa/commit/b34525c76e9f8182950bbbdd6fa3ae62f5301064
After upgrading to F41, I have the following. Strange that GlobalKnownHostsFile is commented and re-added.

    # IPA-related configuration changes to ssh_config
    # added by ipa-client update
    GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts/
    # PubkeyAuthentication yes
    # disabled by ipa-client update
    # GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
    VerifyHostKeyDNS yes
    # assumes that if a user does not have shell (/sbin/nologin),
    # this will return nonzero exit code and proxy command will be ignored
    Match exec true
    # replaced by ipa-client update
    # replaced by ipa-client update
    KnownHostsCommand /usr/bin/sss_ssh_knownhosts %H
(In reply to Orion Poplawski from comment #0)
> and no information about a replacement or it being obsolete.
>
> sssd-2.10.0~beta2-3.fc41.x86_64

sss_ssh_knownhosts replaces sss_ssh_knownhostsproxy. The latter is obsolete:

- https://docs.fedoraproject.org/en-US/fedora/f40/release-notes/sysadmin/#_sss_ssh_knownhostsproxy_tool_will_be_replaced_in_future_releases
- https://docs.fedoraproject.org/en-US/fedora/f41/release-notes/sysadmin/#_removal_of_the_sss_ssh_knownhostsproxy_tool

I guess rawhide does not have these release notes. Also on SSSD's Release Notes:

- https://sssd.io/release-notes/sssd-2.10.0-beta1.html (in the New Features section)
- https://sssd.io/release-notes/sssd-2.10.0.html (in the New Features section)

(In reply to Orion Poplawski from comment #1)
> Another question - does this:
>
> KnownHostsCommand /usr/bin/sss_ssh_knownhosts %H
>
> replace both of these:
>
> ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
> GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts /etc/ssh/ssh_known_hosts

As you said, the new line replaces both old ones. But keep in mind that ipa-client-install also takes care of this, but please consider that these changes may not have made it to rawhide yet. (Above, Alexey gave the links to the corresponding commits: https://bugzilla.redhat.com/show_bug.cgi?id=2305856#c3 )

(In reply to Orion Poplawski from comment #2)
> Also, is it really supposed to break ssh already?

What do you mean? There are a few fixes already:

- https://issues.redhat.com/browse/RHEL-56701
- https://github.com/SSSD/sssd/issues/7664

(In reply to Anthony Messina from comment #4)
> After upgrading to F41, I have the following. Strange that
> GlobalKnownHostsFile is commented and re-added.

You can safely remove the re-added line. If this behavior can be reproduced, then you can open a bug against FreeIPA.
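As an added example (not part of this bug report, and not code from SSSD or FreeIPA), here is a small Python audit for the migration discussed in comments #1, #4 and #5: it parses ssh_config text, flags any `ProxyCommand` that still invokes the removed sss_ssh_knownhostsproxy helper and any `GlobalKnownHostsFile` that still points at the proxy's `/var/lib/sss/pubconf/known_hosts` cache, reports whether the `KnownHostsCommand /usr/bin/sss_ssh_knownhosts %H` replacement from the man page is present, and can emit a corrected copy with the obsolete lines commented out. The two sample configs are constructed, modelled on the snippets posted in comments #1 and #4; the parser is a deliberately minimal reading of ssh_config(5) syntax (keyword/value pairs, `#` comments, optional `=`), not a full implementation.

```python
"""Audit an OpenSSH client config for the obsolete sss_ssh_knownhostsproxy setup.

Added example, not part of the bug report nor of SSSD/FreeIPA. The parser is a
minimal reading of ssh_config(5): one "Keyword value" or "Keyword=value" per
line, '#' comments, no Include processing.
"""
import re
import sys
from typing import List, Tuple

OBSOLETE_HELPER = "sss_ssh_knownhostsproxy"
# Cache directory the old proxy populated; the new command needs no file here.
SSSD_PROXY_CACHE = "/var/lib/sss/pubconf/known_hosts"
# Replacement directive as given in sss_ssh_knownhosts(1).
REPLACEMENT = "KnownHostsCommand /usr/bin/sss_ssh_knownhosts %H"

# Constructed sample: the pre-F41 layout from comment #1.
OLD_STYLE_CONFIG = """\
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts /etc/ssh/ssh_known_hosts
"""

# Constructed sample: the post-upgrade layout from comment #4, where the
# GlobalKnownHostsFile line was commented out and then re-added.
UPGRADED_CONFIG = """\
# IPA-related configuration changes to ssh_config
# added by ipa-client update
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts/
# PubkeyAuthentication yes
# disabled by ipa-client update
# GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
VerifyHostKeyDNS yes
Match exec true
# replaced by ipa-client update
KnownHostsCommand /usr/bin/sss_ssh_knownhosts %H
"""

Directive = Tuple[int, str, str]   # (line number, lowercase keyword, argument)
Finding = Tuple[int, str]          # (line number, 0 = whole file; message)


def parse_ssh_config(text: str) -> List[Directive]:
    """Return the active directives; comments and blank lines are skipped."""
    directives: List[Directive] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword, then either whitespace or '=' as separator, then the argument.
        m = re.match(r"^([A-Za-z]+)\s*[=\s]\s*(.*)$", line)
        if m:
            directives.append((lineno, m.group(1).lower(), m.group(2).strip()))
    return directives


def audit(text: str) -> List[Finding]:
    """Flag leftovers of the proxy setup and a missing KnownHostsCommand."""
    findings: List[Finding] = []
    has_replacement = False
    for lineno, keyword, arg in parse_ssh_config(text):
        if keyword == "proxycommand" and OBSOLETE_HELPER in arg:
            findings.append((lineno, f"ProxyCommand still runs {OBSOLETE_HELPER}; "
                                     f"replace with: {REPLACEMENT}"))
        elif keyword == "globalknownhostsfile" and SSSD_PROXY_CACHE in arg:
            findings.append((lineno, "GlobalKnownHostsFile still references the "
                                     "proxy cache; remove it, KnownHostsCommand "
                                     "supplies the host keys"))
        elif keyword == "knownhostscommand" and OBSOLETE_HELPER not in arg \
                and "sss_ssh_knownhosts" in arg:
            has_replacement = True
    if not has_replacement:
        findings.append((0, f"no sss_ssh_knownhosts KnownHostsCommand; add: {REPLACEMENT}"))
    return findings


def rewrite(text: str) -> str:
    """Return a corrected config: flagged lines commented out, replacement ensured."""
    findings = audit(text)
    flagged = {lineno for lineno, _ in findings if lineno}
    out = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        out.append(f"# obsolete ({OBSOLETE_HELPER} removed): {raw}"
                   if lineno in flagged else raw)
    if any(lineno == 0 for lineno, _ in findings):
        out.append(REPLACEMENT)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python audit_ssh_config.py [/etc/ssh/ssh_config]; defaults to the samples.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else OLD_STYLE_CONFIG
    for lineno, msg in audit(text):
        print(f"line {lineno or '-'}: {msg}")
    print("--- corrected ---")
    print(rewrite(text), end="")
```

Running it against the old-style sample reports the `ProxyCommand` and `GlobalKnownHostsFile` lines plus the missing replacement; against the upgraded sample it reports only the re-added `GlobalKnownHostsFile` line, which matches the advice in comment #5 to remove that line. The rewrite comments lines out rather than deleting them so the change is reviewable in a diff.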
In addition, the man page for sss_ssh_knownhostsproxy(1) included in Fedora 40 carried the following warning:

LIFE-CYCLE
       This tool is deprecated and will be removed in the future. Consider
       using the more reliable sss_ssh_knownhosts instead.
(In reply to Alejandro López from comment #5)
> (In reply to Anthony Messina from comment #4)
> > After upgrading to F41, I have the following. Strange that
> > GlobalKnownHostsFile is commented and re-added.
>
> You can safely remove the re-added line. If this behavior can be reproduced,
> then you can open a bug against FreeIPA.

Thank you for your guidance. I have updated my files and removed the GlobalKnownHostsFile line(s) on all my upgraded machines. I have filed https://pagure.io/freeipa/issue/9688 upstream.
(In reply to Orion Poplawski from comment #2)
> Also, is it really supposed to break ssh already?

Can you explain what you mean by this? What is failing for you? In which situation?
Several different questions were asked in this ticket. All of them but one were answered. The one without an answer is really unclear. Since no more details were provided, I'm closing the ticket.