Bug 870060 - SSH host keys are not being removed from the cache
SSH host keys are not being removed from the cache
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd (Show other bugs)
6.4
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Jakub Hrozek
Kaushik Banerjee
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-25 09:43 EDT by Dmitri Pal
Modified: 2015-02-04 17:50 EST (History)
6 users (show)

See Also:
Fixed In Version: sssd-1.9.2-6.el6
Doc Type: Bug Fix
Doc Text:
No Documentation Needed
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 04:38:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dmitri Pal 2012-10-25 09:43:45 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1574

When host keys are removed from LDAP, they should be removed from the cache as well.
Comment 1 Mario Blättermann 2012-10-29 08:23:46 EDT
*** Bug 825489 has been marked as a duplicate of this bug. ***
Comment 2 Mario Blättermann 2012-10-29 08:29:58 EDT
Forget my last change, this was the wrong bug...
Comment 3 Jakub Hrozek 2012-11-06 05:24:27 EST
Honza, can you put the steps the QE should follow while verifying the issue? You know the code best.
Comment 5 Jan Cholasta 2012-11-12 09:37:48 EST
Let's assume we have an IPA server installed on server.example.com and IPA client on client.example.com. The client should have its host keys uploaded to IPA by ipa-client-install.

1. Verify that the client's host keys are indeed stored in IPA:

user@server$ ipa host-show client.example.com
...
SSH public key fingerprint: <fingerprints>
...

2. Ssh to the client to make SSSD update the cache with the host keys:

user@server$ ssh client.example.com

user@client$ exit

3. Verify that the host keys are in SSSD's cache:

user@server$ sudo ldbsearch -H /var/lib/sss/db/cache_example.com.ldb -b name=client.example.com,cn=ssh_hosts,cn=custom,cn=example.com,cn=sysdb
# record 1
dn: name=client.example.com,cn=ssh_hosts,cn=custom,cn=example.com,cn=sysdb
...
sshPublicKey: <data>
...

4. Remove the host keys from IPA:

user@server$ ipa host-mod client.example.com --sshpubkey=

5. Ssh to the client to make SSSD update the cache again:

(see 2.)

6. Verify that the host keys are gone from SSSD's cache:

(see 3. - there should be no sshPublicKey attribute this time)
Comment 6 Scott Poore 2012-12-13 20:17:22 EST
Verified.

Version ::

sssd-1.9.2-30.el6.x86_64

Manual Test Results ::

[root@rhel6-1 .ssh]# ipa host-show --all --raw $MYREPLICA1
  dn: fqdn=rhel6-2.testrelm.com,cn=computers,cn=accounts,dc=testrelm,dc=com
  fqdn: rhel6-2.testrelm.com
  krbprincipalname: host/rhel6-2.testrelm.com@TESTRELM.COM
  ipasshpubkey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1HJdcBvnKqW+ZeOyg/4saw3sTIs6qnF+oSOpGwabfz4DE858rd1U8ZXok0NAN+Sw3ZDT0F6acCuMui7PQnERzA908LQSewB7Q+OApa+LwgjtBbt8wgcrZ8REljweHLhlbPzHLTjFqGvsgn0Ye79mnDmd5ugL9kQJSRqrK1Ze9MZzqmR94IvYdoXIcBI5XB/+3akc7GfOiXhVNnmqZb8fNcZYOS4o+P07uCdF3JOiQAa8UHJ3AMKRcYlQ5K49bF5H/SqWbRmyURzoRfzuoMORgnKeqZyYKI1PEIIO8+g9x3lF+c5nEZSHcIZytrydzdYmFuCi+K6PX1SKtAdMmNvIrQ==
  ipasshpubkey: ssh-dss AAAAB3NzaC1kc3MAAACBAJBwTLd2XqKnEXiby96fdRgUPxyrvqa3Ugfdwi+DPaS5TJPvMxUD0dzcLvh/PaPxQYuY0q5/vTp/xIc6/aPGoGUxHkqbrdE5IIyVbsZiIY8Fr+qbZPbHQ8BdoRBrYShft+KWX+6hg210jBKIzz/b2tob/4K8TbLVlcovI30xOcKFAAAAFQDcIuBBdXJ43OfBNNjlxsYE06DCqQAAAIBuA06Eyzciy8AbKLTYpsCwnjZUlYqvfTLl4db8Pg2HcnlJQPcPpRG/lalSD5m1o9uSGy06411bVvlRMhbsj7QRTQtCP4Ikm7Qs3lg3xKfsAyxouDtt0nyEizyciwV9yjp4eV8UJoWUtwD4UrbL0Vr66PoaQEEiIhevdWOCMHPb3wAAAIBl702vp1SlfvylZvAq11qahKo5TQ/N0QfzmM0MjUL0V2XbsD83FmlxA9OhyKjvFjJj0+sA0EwGuEe0CLJ3vt4BPgUyVh11eZ7VXVB0dcY9EBKE2B4aPbCzpvn0mvholgihuf+OwlSly0fjGIMGFlXS2XuOa0wNFRgRN+2Lin0PsA==
  has_password: False
  has_keytab: True
  managedby: fqdn=rhel6-2.testrelm.com,cn=computers,cn=accounts,dc=testrelm,dc=com
  sshpubkeyfp: 5F:A4:46:34:99:80:F7:8B:1B:76:F0:E7:D6:97:25:24 (ssh-rsa)
  sshpubkeyfp: 0B:E5:D9:90:33:8B:2F:3D:96:30:AE:F0:11:2C:0B:3A (ssh-dss)
  cn: rhel6-2.testrelm.com
  ipauniqueid: 369ac9da-3f08-11e2-8894-525400640002
  krbextradata: AAIHkL9Qcm9vdC9hZG1pbkBURVNUUkVMTS5DT00A
  krblastpwdchange: 20121205181847Z
  managing: fqdn=rhel6-2.testrelm.com,cn=computers,cn=accounts,dc=testrelm,dc=com
  memberof: ipaUniqueID=0a46e0ec-41ad-11e2-b3fb-525400640001,cn=ng,cn=alt,dc=testrelm,dc=com
  memberofindirect: ipauniqueid=3661ef20-418d-11e2-9258-525400640001,cn=ng,cn=alt,dc=testrelm,dc=com
  objectclass: top
  objectclass: ipaobject
  objectclass: nshost
  objectclass: ipahost
  objectclass: ipaservice
  objectclass: pkiuser
  objectclass: krbprincipalaux
  objectclass: krbprincipal
  objectclass: krbticketpolicyaux
  objectclass: ipasshhost
  objectclass: ipaSshGroupOfPubKeys
  serverhostname: rhel6-2

[root@rhel6-1 .ssh]# kdestroy

[root@rhel6-1 .ssh]# expect <<-EOF > $tmpout
> set timeout 3
> set force_conservative 0
> set send_slow {1 .1}
> spawn ssh admin@${MYREPLICA1} -q -o StrictHostKeyChecking=yes echo 'login successful'
> expect "*ssword:"
> send -s -- "${ADMINPW}\r"
> expect eof
> EOF

[root@rhel6-1 .ssh]# cat $tmpout
spawn ssh admin@rhel6-2.testrelm.com -q -o StrictHostKeyChecking=yes echo 'login successful'
admin@rhel6-2.testrelm.com's password: 
Could not chdir to home directory /home/admin: No such file or directory
login successful

[root@rhel6-1 .ssh]# echo $ADMINPW|kinit admin
Password for admin@TESTRELM.COM: 

[root@rhel6-1 .ssh]# ldbsearch -H /var/lib/sss/db/cache_$DOMAIN.ldb -b name=$MYREPLICA1,cn=ssh_hosts,cn=custom,cn=$DOMAIN,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=rhel6-2.testrelm.com,cn=ssh_hosts,cn=custom,cn=testrelm.com,cn=sysdb
name: rhel6-2.testrelm.com
objectClass: sshHost
nameAlias: 192.168.122.62
sshPublicKey: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBQkl3QUFBUUVBMUhKZGNCdm5LcVcr
 WmVPeWcvNHNhdzNzVElzNnFuRitvU09wR3dhYmZ6NERFODU4cmQxVThaWG9rME5BTitTdzNaRFQwR
 jZhY0N1TXVpN1BRbkVSekE5MDhMUVNld0I3UStPQXBhK0x3Z2p0QmJ0OHdnY3JaOFJFbGp3ZUhMaG
 xiUHpITFRqRnFHdnNnbjBZZTc5bW5EbWQ1dWdMOWtRSlNScXJLMVplOU1aenFtUjk0SXZZZG9YSWN
 CSTVYQi8rM2FrYzdHZk9pWGhWTm5tcVpiOGZOY1pZT1M0bytQMDd1Q2RGM0pPaVFBYThVSEozQU1L
 UmNZbFE1SzQ5YkY1SC9TcVdiUm15VVJ6b1JmenVvTU9SZ25LZXFaeVlLSTFQRUlJTzgrZzl4M2xGK
 2M1bkVaU0hjSVp5dHJ5ZHpkWW1GdUNpK0s2UFgxU0t0QWRNbU52SXJRPT0=
sshPublicKey: c3NoLWRzcyBBQUFBQjNOemFDMWtjM01BQUFDQkFKQndUTGQyWHFLbkVYaWJ5OTZm
 ZFJnVVB4eXJ2cWEzVWdmZHdpK0RQYVM1VEpQdk14VUQwZHpjTHZoL1BhUHhRWXVZMHE1L3ZUcC94S
 WM2L2FQR29HVXhIa3FicmRFNUlJeVZic1ppSVk4RnIrcWJaUGJIUThCZG9SQnJZU2hmdCtLV1grNm
 hnMjEwakJLSXp6L2IydG9iLzRLOFRiTFZsY292STMweE9jS0ZBQUFBRlFEY0l1QkJkWEo0M09mQk5
 Oamx4c1lFMDZEQ3FRQUFBSUJ1QTA2RXl6Y2l5OEFiS0xUWXBzQ3dualpVbFlxdmZUTGw0ZGI4UGcy
 SGNubEpRUGNQcFJHL2xhbFNENW0xbzl1U0d5MDY0MTFiVnZsUk1oYnNqN1FSVFF0Q1A0SWttN1FzM
 2xnM3hLZnNBeXhvdUR0dDBueUVpenljaXdWOXlqcDRlVjhVSm9XVXR3RDRVcmJMMFZyNjZQb2FRRU
 VpSWhldmRXT0NNSFBiM3dBQUFJQmw3MDJ2cDFTbGZ2eWxadkFxMTFxYWhLbzVUUS9OMFFmem1NME1
 qVUwwVjJYYnNEODNGbWx4QTlPaHlLanZGakpqMCtzQTBFd0d1RWUwQ0xKM3Z0NEJQZ1V5VmgxMWVa
 N1ZYVkIwZGNZOUVCS0UyQjRhUGJDenB2bjBtdmhvbGdpaHVmK093bFNseTBmakdJTUdGbFhTMlh1T
 2Ewd05GUmdSTisyTGluMFBzQT09
lastUpdate: 1355025335
sshKnownHostsExpire: 1355025515
distinguishedName: name=rhel6-2.testrelm.com,cn=ssh_hosts,cn=custom,cn=testrel
 m.com,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

[root@rhel6-1 .ssh]# ipa host-mod $MYREPLICA1 --sshpubkey=''
------------------------------------
Modified host "rhel6-2.testrelm.com"
------------------------------------
  Host name: rhel6-2.testrelm.com
  Principal name: host/rhel6-2.testrelm.com@TESTRELM.COM
  Password: False
  Member of netgroups: testng2
  Indirect Member of netgroup: testng1
  Keytab: True
  Managed by: rhel6-2.testrelm.com

[root@rhel6-1 .ssh]# kdestroy

[root@rhel6-1 .ssh]# expect <<-EOF > $tmpout
> set timeout 3
> set force_conservative 0
> set send_slow {1 .1}
> spawn ssh admin@${MYREPLICA1} -q -o StrictHostKeyChecking=yes echo 'login successful'
> expect "*ssword:"
> send -s -- "${ADMINPW}\r"
> expect eof
> EOF

[root@rhel6-1 .ssh]# cat $tmpout
spawn ssh admin@rhel6-2.testrelm.com -q -o StrictHostKeyChecking=yes echo 'login successful'
admin@rhel6-2.testrelm.com's password: 
Could not chdir to home directory /home/admin: No such file or directory
login successful

[root@rhel6-1 .ssh]# echo $ADMINPW|kinit admin
Password for admin@TESTRELM.COM: 

[root@rhel6-1 .ssh]# ldbsearch -H /var/lib/sss/db/cache_$DOMAIN.ldb -b name=$MYREPLICA1,cn=ssh_hosts,cn=custom,cn=$DOMAIN,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=rhel6-2.testrelm.com,cn=ssh_hosts,cn=custom,cn=testrelm.com,cn=sysdb
name: rhel6-2.testrelm.com
objectClass: sshHost
nameAlias: 192.168.122.62
lastUpdate: 1355025428
sshKnownHostsExpire: 1355025608
distinguishedName: name=rhel6-2.testrelm.com,cn=ssh_hosts,cn=custom,cn=testrel
 m.com,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

[root@rhel6-1 .ssh]#
Comment 7 errata-xmlrpc 2013-02-21 04:38:41 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

Note You need to log in before you can comment on or make changes to this bug.