Bug 870060 - SSH host keys are not being removed from the cache
Summary: SSH host keys are not being removed from the cache
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-10-25 13:43 UTC by Dmitri Pal
Modified: 2020-05-02 17:01 UTC (History)
CC: 6 users

Fixed In Version: sssd-1.9.2-6.el6
Doc Type: Bug Fix
Doc Text:
No Documentation Needed
Clone Of:
Environment:
Last Closed: 2013-02-21 09:38:41 UTC
Target Upstream Version:
Embargoed:


Links
GitHub SSSD sssd issue 2616 (last updated 2020-05-02 17:01:26 UTC)
Red Hat Product Errata RHSA-2013:0508 (priority normal, status SHIPPED_LIVE): Low: sssd security, bug fix and enhancement update (last updated 2013-02-20 21:30:10 UTC)

Description Dmitri Pal 2012-10-25 13:43:45 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1574

When host keys are removed from LDAP, they should be removed from the cache as well.

Comment 1 Mario Blättermann 2012-10-29 12:23:46 UTC
*** Bug 825489 has been marked as a duplicate of this bug. ***

Comment 2 Mario Blättermann 2012-10-29 12:29:58 UTC
Forget my last change, this was the wrong bug...

Comment 3 Jakub Hrozek 2012-11-06 10:24:27 UTC
Honza, can you put the steps the QE should follow while verifying the issue? You know the code best.

Comment 5 Jan Cholasta 2012-11-12 14:37:48 UTC
Let's assume we have an IPA server installed on server.example.com and IPA client on client.example.com. The client should have its host keys uploaded to IPA by ipa-client-install.

1. Verify that the client's host keys are indeed stored in IPA:

user@server$ ipa host-show client.example.com
...
SSH public key fingerprint: <fingerprints>
...

2. Ssh to the client to make SSSD update the cache with the host keys:

user@server$ ssh client.example.com

user@client$ exit

3. Verify that the host keys are in SSSD's cache:

user@server$ sudo ldbsearch -H /var/lib/sss/db/cache_example.com.ldb -b name=client.example.com,cn=ssh_hosts,cn=custom,cn=example.com,cn=sysdb
# record 1
dn: name=client.example.com,cn=ssh_hosts,cn=custom,cn=example.com,cn=sysdb
...
sshPublicKey: <data>
...

4. Remove the host keys from IPA:

user@server$ ipa host-mod client.example.com --sshpubkey=

5. Ssh to the client to make SSSD update the cache again:

(see 2.)

6. Verify that the host keys are gone from SSSD's cache:

(see 3. - there should be no sshPublicKey attribute this time)

Comment 6 Scott Poore 2012-12-14 01:17:22 UTC
Verified.

Version ::

sssd-1.9.2-30.el6.x86_64

Manual Test Results ::

[root@rhel6-1 .ssh]# ipa host-show --all --raw $MYREPLICA1
  dn: fqdn=rhel6-2.testrelm.com,cn=computers,cn=accounts,dc=testrelm,dc=com
  fqdn: rhel6-2.testrelm.com
  krbprincipalname: host/rhel6-2.testrelm.com
  ipasshpubkey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1HJdcBvnKqW+ZeOyg/4saw3sTIs6qnF+oSOpGwabfz4DE858rd1U8ZXok0NAN+Sw3ZDT0F6acCuMui7PQnERzA908LQSewB7Q+OApa+LwgjtBbt8wgcrZ8REljweHLhlbPzHLTjFqGvsgn0Ye79mnDmd5ugL9kQJSRqrK1Ze9MZzqmR94IvYdoXIcBI5XB/+3akc7GfOiXhVNnmqZb8fNcZYOS4o+P07uCdF3JOiQAa8UHJ3AMKRcYlQ5K49bF5H/SqWbRmyURzoRfzuoMORgnKeqZyYKI1PEIIO8+g9x3lF+c5nEZSHcIZytrydzdYmFuCi+K6PX1SKtAdMmNvIrQ==
  ipasshpubkey: ssh-dss ...
  has_password: False
  has_keytab: True
  managedby: fqdn=rhel6-2.testrelm.com,cn=computers,cn=accounts,dc=testrelm,dc=com
  sshpubkeyfp: 5F:A4:46:34:99:80:F7:8B:1B:76:F0:E7:D6:97:25:24 (ssh-rsa)
  sshpubkeyfp: 0B:E5:D9:90:33:8B:2F:3D:96:30:AE:F0:11:2C:0B:3A (ssh-dss)
  cn: rhel6-2.testrelm.com
  ipauniqueid: 369ac9da-3f08-11e2-8894-525400640002
  krbextradata: AAIHkL9Qcm9vdC9hZG1pbkBURVNUUkVMTS5DT00A
  krblastpwdchange: 20121205181847Z
  managing: fqdn=rhel6-2.testrelm.com,cn=computers,cn=accounts,dc=testrelm,dc=com
  memberof: ipaUniqueID=0a46e0ec-41ad-11e2-b3fb-525400640001,cn=ng,cn=alt,dc=testrelm,dc=com
  memberofindirect: ipauniqueid=3661ef20-418d-11e2-9258-525400640001,cn=ng,cn=alt,dc=testrelm,dc=com
  objectclass: top
  objectclass: ipaobject
  objectclass: nshost
  objectclass: ipahost
  objectclass: ipaservice
  objectclass: pkiuser
  objectclass: krbprincipalaux
  objectclass: krbprincipal
  objectclass: krbticketpolicyaux
  objectclass: ipasshhost
  objectclass: ipaSshGroupOfPubKeys
  serverhostname: rhel6-2

[root@rhel6-1 .ssh]# kdestroy

[root@rhel6-1 .ssh]# expect <<-EOF > $tmpout
> set timeout 3
> set force_conservative 0
> set send_slow {1 .1}
> spawn ssh admin@${MYREPLICA1} -q -o StrictHostKeyChecking=yes echo 'login successful'
> expect "*ssword:"
> send -s -- "${ADMINPW}\r"
> expect eof
> EOF

[root@rhel6-1 .ssh]# cat $tmpout
spawn ssh admin@rhel6-2.testrelm.com -q -o StrictHostKeyChecking=yes echo 'login successful'
admin@rhel6-2.testrelm.com's password: 
Could not chdir to home directory /home/admin: No such file or directory
login successful

[root@rhel6-1 .ssh]# echo $ADMINPW|kinit admin
Password for admin: 

[root@rhel6-1 .ssh]# ldbsearch -H /var/lib/sss/db/cache_$DOMAIN.ldb -b name=$MYREPLICA1,cn=ssh_hosts,cn=custom,cn=$DOMAIN,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=rhel6-2.testrelm.com,cn=ssh_hosts,cn=custom,cn=testrelm.com,cn=sysdb
name: rhel6-2.testrelm.com
objectClass: sshHost
nameAlias: 192.168.122.62
sshPublicKey: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBQkl3QUFBUUVBMUhKZGNCdm5LcVcr
 WmVPeWcvNHNhdzNzVElzNnFuRitvU09wR3dhYmZ6NERFODU4cmQxVThaWG9rME5BTitTdzNaRFQwR
 jZhY0N1TXVpN1BRbkVSekE5MDhMUVNld0I3UStPQXBhK0x3Z2p0QmJ0OHdnY3JaOFJFbGp3ZUhMaG
 xiUHpITFRqRnFHdnNnbjBZZTc5bW5EbWQ1dWdMOWtRSlNScXJLMVplOU1aenFtUjk0SXZZZG9YSWN
 CSTVYQi8rM2FrYzdHZk9pWGhWTm5tcVpiOGZOY1pZT1M0bytQMDd1Q2RGM0pPaVFBYThVSEozQU1L
 UmNZbFE1SzQ5YkY1SC9TcVdiUm15VVJ6b1JmenVvTU9SZ25LZXFaeVlLSTFQRUlJTzgrZzl4M2xGK
 2M1bkVaU0hjSVp5dHJ5ZHpkWW1GdUNpK0s2UFgxU0t0QWRNbU52SXJRPT0=
sshPublicKey: c3NoLWRzcyBBQUFBQjNOemFDMWtjM01BQUFDQkFKQndUTGQyWHFLbkVYaWJ5OTZm
 ZFJnVVB4eXJ2cWEzVWdmZHdpK0RQYVM1VEpQdk14VUQwZHpjTHZoL1BhUHhRWXVZMHE1L3ZUcC94S
 WM2L2FQR29HVXhIa3FicmRFNUlJeVZic1ppSVk4RnIrcWJaUGJIUThCZG9SQnJZU2hmdCtLV1grNm
 hnMjEwakJLSXp6L2IydG9iLzRLOFRiTFZsY292STMweE9jS0ZBQUFBRlFEY0l1QkJkWEo0M09mQk5
 Oamx4c1lFMDZEQ3FRQUFBSUJ1QTA2RXl6Y2l5OEFiS0xUWXBzQ3dualpVbFlxdmZUTGw0ZGI4UGcy
 SGNubEpRUGNQcFJHL2xhbFNENW0xbzl1U0d5MDY0MTFiVnZsUk1oYnNqN1FSVFF0Q1A0SWttN1FzM
 2xnM3hLZnNBeXhvdUR0dDBueUVpenljaXdWOXlqcDRlVjhVSm9XVXR3RDRVcmJMMFZyNjZQb2FRRU
 VpSWhldmRXT0NNSFBiM3dBQUFJQmw3MDJ2cDFTbGZ2eWxadkFxMTFxYWhLbzVUUS9OMFFmem1NME1
 qVUwwVjJYYnNEODNGbWx4QTlPaHlLanZGakpqMCtzQTBFd0d1RWUwQ0xKM3Z0NEJQZ1V5VmgxMWVa
 N1ZYVkIwZGNZOUVCS0UyQjRhUGJDenB2bjBtdmhvbGdpaHVmK093bFNseTBmakdJTUdGbFhTMlh1T
 2Ewd05GUmdSTisyTGluMFBzQT09
lastUpdate: 1355025335
sshKnownHostsExpire: 1355025515
distinguishedName: name=rhel6-2.testrelm.com,cn=ssh_hosts,cn=custom,cn=testrel
 m.com,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

[root@rhel6-1 .ssh]# ipa host-mod $MYREPLICA1 --sshpubkey=''
------------------------------------
Modified host "rhel6-2.testrelm.com"
------------------------------------
  Host name: rhel6-2.testrelm.com
  Principal name: host/rhel6-2.testrelm.com
  Password: False
  Member of netgroups: testng2
  Indirect Member of netgroup: testng1
  Keytab: True
  Managed by: rhel6-2.testrelm.com

[root@rhel6-1 .ssh]# kdestroy

[root@rhel6-1 .ssh]# expect <<-EOF > $tmpout
> set timeout 3
> set force_conservative 0
> set send_slow {1 .1}
> spawn ssh admin@${MYREPLICA1} -q -o StrictHostKeyChecking=yes echo 'login successful'
> expect "*ssword:"
> send -s -- "${ADMINPW}\r"
> expect eof
> EOF

[root@rhel6-1 .ssh]# cat $tmpout
spawn ssh admin@rhel6-2.testrelm.com -q -o StrictHostKeyChecking=yes echo 'login successful'
admin@rhel6-2.testrelm.com's password: 
Could not chdir to home directory /home/admin: No such file or directory
login successful

[root@rhel6-1 .ssh]# echo $ADMINPW|kinit admin
Password for admin: 

[root@rhel6-1 .ssh]# ldbsearch -H /var/lib/sss/db/cache_$DOMAIN.ldb -b name=$MYREPLICA1,cn=ssh_hosts,cn=custom,cn=$DOMAIN,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=rhel6-2.testrelm.com,cn=ssh_hosts,cn=custom,cn=testrelm.com,cn=sysdb
name: rhel6-2.testrelm.com
objectClass: sshHost
nameAlias: 192.168.122.62
lastUpdate: 1355025428
sshKnownHostsExpire: 1355025608
distinguishedName: name=rhel6-2.testrelm.com,cn=ssh_hosts,cn=custom,cn=testrel
 m.com,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

[root@rhel6-1 .ssh]#
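
The script below is an added example written for this page; it is not code from the bug report, from the test run in comment 6, or from SSSD. It automates the comparison that steps 3 and 6 of comment 5, and the two ldbsearch dumps in comment 6, do by eye: take the ldbsearch output for the host's sysdb record and the `ipa host-show --raw` output for the same host, decode the cached sshPublicKey values (sysdb stores them base64-encoded, and ldbsearch folds long values onto continuation lines that begin with a space), and report every cached key IPA no longer publishes. That is exactly what this bug left behind: a host key deliberately removed from IPA kept being served from SSSD's cache, so ssh clients relying on SSSD for known-hosts lookups went on trusting it. The host name, the two key strings and the four sample outputs are constructed for the example, not taken from a real deployment, and the script contacts nothing; it assumes GNU coreutils (`base64 -d`, `fold`).

```shell
#!/bin/sh
# Added example (not code from the bug report or from SSSD): cross-check the
# SSH host keys SSSD has cached for a host against the keys IPA currently
# publishes for it, and list cache entries that IPA no longer backs.  With the
# bug present, step 6 of the procedure in comment 5 leaves such entries behind.
# Every input below is constructed to mimic `ldbsearch` and
# `ipa host-show --raw` output; nothing here talks to a directory or a host.

# Constructed keys standing in for a host's RSA and DSS host keys.
KEY_RSA='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedRSAkey== rhel6-2'
KEY_DSS='ssh-dss AAAAB3NzaC1kc3MAAACBAconstructedDSSkey= rhel6-2'

# sysdb stores each key base64-encoded, and ldbsearch folds long values the
# LDIF way: continuation lines start with a single space.  Build one such
# attribute so the samples below look like real ldbsearch output.
ldif_attr() {
    b64=$(printf '%s' "$2" | base64 | tr -d '\n')
    printf '%s: %s' "$1" "$b64" | fold -w 76 | sed '2,$s/^/ /'
}

# Cache record before the keys were removed from IPA (constructed).
SAMPLE_LDB_BEFORE="dn: name=rhel6-2.testrelm.com,cn=ssh_hosts,cn=custom,cn=testrelm.com,cn=sysdb
name: rhel6-2.testrelm.com
objectClass: sshHost
nameAlias: 192.168.122.62
$(ldif_attr sshPublicKey "$KEY_RSA")
$(ldif_attr sshPublicKey "$KEY_DSS")
lastUpdate: 1355025335
sshKnownHostsExpire: 1355025515"

# Cache record after a refresh with the fix applied: no sshPublicKey left.
SAMPLE_LDB_AFTER="dn: name=rhel6-2.testrelm.com,cn=ssh_hosts,cn=custom,cn=testrelm.com,cn=sysdb
name: rhel6-2.testrelm.com
objectClass: sshHost
nameAlias: 192.168.122.62
lastUpdate: 1355025428
sshKnownHostsExpire: 1355025608"

# `ipa host-show --raw` output before and after `ipa host-mod --sshpubkey=`.
SAMPLE_IPA_WITH_KEYS="  fqdn: rhel6-2.testrelm.com
  ipasshpubkey: $KEY_RSA
  ipasshpubkey: $KEY_DSS
  has_keytab: True"
SAMPLE_IPA_NO_KEYS="  fqdn: rhel6-2.testrelm.com
  has_keytab: True"

# stdin: ldbsearch output.  Unfold continuation lines, pick every
# sshPublicKey value and base64-decode it; one public key per output line.
cached_keys() {
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' \
        | sed -n 's/^sshPublicKey: //p' \
        | while IFS= read -r b64; do
              printf '%s\n' "$b64" | base64 -d
              printf '\n'
          done
}

# stdin: `ipa host-show --raw` output.  One published key per output line.
ipa_keys() {
    sed -n 's/^ *ipasshpubkey: //p'
}

# $1: ldbsearch output, $2: ipa host-show output.
# Prints each cached key that IPA no longer publishes (a stale entry).
stale_keys() {
    {
        printf '%s\n' "$2" | ipa_keys | sed 's/^/I /'
        printf '%s\n' "$1" | cached_keys | sed 's/^/C /'
    } | awk '$1 == "I" { sub(/^I /, ""); published[$0] = 1; next }
             $1 == "C" { sub(/^C /, ""); if ($0 != "" && !published[$0]) print }'
}

# Same arguments; prints the number of stale keys, usable as a gate.
stale_count() {
    stale_keys "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run over the constructed samples: the first call mirrors
# step 6 with the bug present, the second mirrors it with the fix applied.
stale_count "$SAMPLE_LDB_BEFORE" "$SAMPLE_IPA_NO_KEYS"   # 2
stale_count "$SAMPLE_LDB_AFTER"  "$SAMPLE_IPA_NO_KEYS"   # 0
```

Against a real client, feed it the two commands from comment 5, for instance `stale_count "$(ldbsearch -H /var/lib/sss/db/cache_example.com.ldb -b name=client.example.com,cn=ssh_hosts,cn=custom,cn=example.com,cn=sysdb)" "$(ipa host-show --raw client.example.com)"`; a non-zero count after step 6 reproduces the bug, and zero is what the fixed sssd-1.9.2-6.el6 and later should give. Keys are compared as whole strings after decoding, so a key that IPA still lists with a different comment field will show up as stale; that is intentional, since the cache should mirror the directory exactly.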

Comment 7 errata-xmlrpc 2013-02-21 09:38:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

