Bug 746036 - [RFE] Host SSH keys
Summary: [RFE] Host SSH keys
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: All
OS: All
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 756082
Reported: 2011-10-13 17:47 UTC by Sigbjorn Lie
Modified: 2016-02-19 11:46 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-02-19 11:46:27 UTC
Target Upstream Version:
Embargoed:



Description Sigbjorn Lie 2011-10-13 17:47:49 UTC
Description of problem:
RFE: Following my IRC discussion with JrAquino_: allowing IPA to have a host object containing the host SSH key object would be very useful when reinstalling a machine (such as a workstation).

Version-Release number of selected component (if applicable):
IPA 2.1.1

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Rob Crittenden 2011-10-13 17:51:42 UTC
How would this key be used? We can add it as a lump of data relatively easily, but what do you want us to do with it?

Comment 3 Sigbjorn Lie 2011-10-13 17:57:05 UTC
Put it back on the host when it's re-installed...

See my conversation with sgallagh on #freeipa.

Comment 4 Dmitri Pal 2011-10-13 18:00:23 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1978

Comment 5 Stephen Gallagher 2011-10-13 18:12:03 UTC
I think the goal here is that if a host was reinstalled, we want ipa-client-install to be able to restore the host key saved in FreeIPA. (Or in the case of bulk enrollment, push it down on the initial install).

The same key will later be useful to have once we're supporting central host-keys for trust.

Comment 6 Rob Crittenden 2011-10-13 18:13:32 UTC
Oh, you want to store SSH *private* keys in IPA!

We had some discussion about storing the public host keys, not sure that the private keys came up. We'd need to be pretty careful with them.

Comment 7 Stephen Gallagher 2011-10-13 18:14:10 UTC
For the record, here is the original conversation:

(01:25:51 PM) sgallagh: SSH key management is tricky (because the openssh community isn't very helpful)
(01:25:58 PM) Silikon: sgallagh: ok. will there be a ssh host key management at some point?
(01:26:12 PM) sgallagh: We'd like to
(01:26:24 PM) sgallagh: But I'm going to say probably not in 3.0
(01:26:33 PM) Silikon: sgallagh: hehe. :) isn't host key management easier to accomplish than user key management?
(01:27:15 PM) sgallagh: Ah, sorry. Missed the host/user comment.
(01:27:30 PM) sgallagh: Either way requires a certain amount of buy-in from the openssh developers
(01:27:42 PM) sgallagh: And they have a very strong "If I didn't think of it, it must be a bad idea" mentality
(01:27:52 PM) Silikon: that sucks...
(01:27:55 PM) sgallagh: Yes
(01:28:07 PM) sgallagh: But we're looking into it
(01:28:24 PM) sgallagh: But I wouldn't want you to oversell what we're going to have ready for 3.0 :)
(01:28:54 PM) Silikon: but... (you have probably thought about this already, but here goes :) ) what if you store the ssh key with the host object, and deploy the ssh host keys upon deployment of the ipa-client?
(01:29:17 PM) Silikon: sgallagh: ok, I will keep that in mind. :)
(01:30:17 PM) sgallagh: Silikon: The host keys are usually generated on the clients
(01:30:36 PM) sgallagh: The point of a host key storage would be so that users could ask FreeIPA for a list of trusted hosts
(01:30:37 PM) Silikon: sgallagh: I know, it drives me crazy!
(01:30:44 PM) sgallagh: This wouldn't help that
(01:31:02 PM) sgallagh: Clients connecting to those hosts would still have to click through the key verification the first time
(01:31:13 PM) sgallagh: Which we've cleverly trained people to blindly accept at this point :-(
(01:31:52 PM) Silikon: ah, ok. I was looking for a central store where the hosts' ssh keys were stored, so when I re-install a workstation the existing ssh key was re-used, not a new ssh host key generated.
(01:31:54 PM) Silikon: exactly!!
(01:32:09 PM) Silikon: I click (almost) blindly to yes as well
(01:32:22 PM) Silikon: it defies the entire purpose of the question
(01:32:36 PM) Silikon: I notice Ubuntu has even gone as far as auto-accepting a new hosts key!
(01:32:57 PM) sgallagh: Silikon: That's... horrific.
(01:33:17 PM) sgallagh: Yet another reason why anyone security-conscious shouldn't touch Ubuntu with a ten foot pole
(01:33:19 PM) Silikon: sgallagh: I know...I feel ashamed!!! :(
(01:33:37 PM) sgallagh: Silikon: That's an interesting idea though (about being able to re-provision with the same key)
(01:33:41 PM) Silikon: sgallagh: hehehheheheheheheh! :)
(01:33:46 PM) sgallagh: Silikon: Would you mind opening an RFE?
(01:34:53 PM) Silikon: sgallagh: sure, I'll get on to it
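
The conversation above turns on two things a central host-key store buys a defender: clients can check a presented host key against the store instead of blindly accepting it on first contact, and a host re-provisioned with its stored key (Comment 5) never trips a key-mismatch warning at all. The following is an added example, not code from this bug report or from FreeIPA or OpenSSH: it takes a constructed in-memory stand-in for such a store, renders it as an OpenSSH known_hosts file (optionally in the HashKnownHosts form OpenSSH uses, which is HMAC-SHA1 over the hostname with a 20-byte salt), and classifies a presented key as ok, unknown or mismatch so that the two failure cases can be made hard errors rather than a prompt. Hostnames and key blobs are placeholders.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample of what a central host-key store (the host object this
# RFE asks for) might hold: hostname -> key type -> base64 key blob.
# The blobs are placeholders, not real SSH keys.
CENTRAL_STORE = {
    "ws01.example.test": {"ssh-ed25519": "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEWS01KEY="},
    "srv01.example.test": {
        "ssh-ed25519": "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLESRV01KEY=",
        "ssh-rsa": "AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLESRV01RSA=",
    },
}


def hash_hostname(host: str, salt: bytes) -> str:
    """Return the '|1|<salt>|<hmac>' hostname field OpenSSH writes when
    HashKnownHosts is on: HMAC-SHA1 keyed with the salt over the hostname."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def hashed_entry_matches(field: str, host: str) -> bool:
    """True if a hashed known_hosts hostname field refers to `host`."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt = base64.b64decode(parts[2])
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(parts[3]))


def render_known_hosts(store, hash_names=True, salt=None):
    """Emit one known_hosts line per (host, key type) from the store.
    A fixed salt gives reproducible output; otherwise each line gets a fresh one."""
    lines = []
    for host in sorted(store):
        for keytype in sorted(store[host]):
            name = hash_hostname(host, salt or os.urandom(20)) if hash_names else host
            lines.append(f"{name} {keytype} {store[host][keytype]}")
    return "\n".join(lines) + "\n"


def lookup_known_hosts(text, host):
    """Collect the keys recorded for `host`, handling plain, comma-separated
    and hashed hostname fields. Returns key type -> base64 blob."""
    found = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        names, keytype, blob = parts[0], parts[1], parts[2]
        if names.startswith("|1|"):
            if hashed_entry_matches(names, host):
                found[keytype] = blob
        elif host in names.split(","):
            found[keytype] = blob
    return found


def verify_host_key(known_hosts_text, host, keytype, blob):
    """Classify a presented host key when the central store is authoritative:
    'ok'       - matches the recorded key
    'unknown'  - no record for this host/key type (do not fall back to a prompt)
    'mismatch' - a record exists and differs; this is what a reinstalled host
                 with a freshly generated key (or an interposed host) looks
                 like, and it should be a hard failure, not a click-through."""
    keys = lookup_known_hosts(known_hosts_text, host)
    if keytype not in keys:
        return "unknown"
    if hmac.compare_digest(keys[keytype], blob):
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    kh = render_known_hosts(CENTRAL_STORE)
    print(kh)
    print(verify_host_key(kh, "ws01.example.test", "ssh-ed25519",
                          CENTRAL_STORE["ws01.example.test"]["ssh-ed25519"]))
```

Restoring a host's stored key during reinstall, as Comment 5 proposes, is what keeps `verify_host_key` returning `ok` across a rebuild; without it every reprovisioned machine shows up as `mismatch`, which is exactly the warning users have been trained to click through.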

Comment 11 Martin Kosek 2016-02-19 11:46:27 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. The request was cloned to the upstream tracker a long time ago (see the link to the upstream ticket above), but it was unfortunately not given priority, neither in the upstream project nor in Red Hat Enterprise Linux.

Given that this request is not planned for a close release, it is highly unlikely it will be fixed in this major version of Red Hat Enterprise Linux. We are therefore closing the request as WONTFIX.

To request that Red Hat reconsiders the decision, please reopen the Bugzilla with the help of Red Hat Customer Service and provide additional business and/or technical details about its importance to you. Please note that you can still track this request or even offer help in the referred upstream Trac ticket to expedite the solution.

