969024 – SSH host keys are not removed from cache when host is deleted in IPA

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 969024 - SSH host keys are not removed from cache when host is deleted in IPA

Summary: SSH host keys are not removed from cache when host is deleted in IPA

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-05-30 13:52 UTC by Dmitri Pal
Modified:	2020-05-02 17:22 UTC (History)
CC List:	4 users (show)
Fixed In Version:	sssd-1.10.0-18.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 13:30:02 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 2991	0	None	None	None	2020-05-02 17:22:17 UTC

Description Dmitri Pal 2013-05-30 13:52:46 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1949

If a host is deleted in IPA, its host keys stay in SSSD's cache. This can lead to ssh refusing to connect to a host after reinstall, because its new host keys do not match those provided by SSSD.

Comment 1 Jakub Hrozek 2013-06-27 17:12:20 UTC

Pushed to master.

Comment 2 Jakub Hrozek 2013-10-04 13:24:09 UTC

Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 4 Namita Soman 2014-02-21 14:38:18 UTC

Verified using ipa-server-3.3.3-18.el7.x86_64

Steps taken:
1> Installed ipa master (mgmt8.testrelm.test)

2> installed ipa client
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Hostname: qe-blade-05.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: mgmt8.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Thu Feb 20 19:04:26 2014 UTC
    Valid Until: Mon Feb 20 19:04:26 2034 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://mgmt8.testrelm.test/ipa/xml
Forwarding 'ping' to server 'https://mgmt8.testrelm.test/ipa/xml'
Forwarding 'env' to server 'https://mgmt8.testrelm.test/ipa/xml'
Hostname (qe-blade-05.testrelm.test) not found in DNS
DNS server record set to: qe-blade-05.testrelm.test -> 10.16.76.36
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to server 'https://mgmt8.testrelm.test/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.


3> On master:
# ipa host-find
<..snip..>
 Host name: qe-blade-05.testrelm.test
  Certificate: MIIEHzCCAwegAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKEw1URVNUUkVMTS5URVNUMR4w
<..snip..>
  Principal name: host/qe-blade-05.testrelm.test
  Password: False
  Keytab: True
  Managed by: qe-blade-05.testrelm.test
  Subject: CN=qe-blade-05.testrelm.test,O=TESTRELM.TEST
  Serial Number: 11
  Serial Number (hex): 0xB
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Fri Feb 21 14:00:09 2014 UTC
  Not After: Mon Feb 22 14:00:09 2016 UTC
  Fingerprint (MD5): 47:f6:1b:2d:da:f8:45:ac:51:06:fc:3d:55:c0:75:03
  Fingerprint (SHA1): eb:39:5a:28:b1:96:5b:26:cc:6b:7b:81:cb:23:2d:14:ba:08:65:9a
  SSH public key fingerprint: 1B:9E:78:C5:0C:FC:F2:49:6C:DF:38:2A:01:3D:79:EA (ecdsa-
                              sha2-nistp256), 56:CA:A9:B0:17:4A:8A:BC:4D:AB:91:6D:2A:19:BA:7A
                              (ssh-rsa)

3> on master 
# ipa user-add one
# ipa passwd one
# kinit one
# ssh one@<client ip>
and ssh'd from master to client successfully

4> on client
ssh one.test
and ssh'd from client to master successfully

5> On Client
# ipa-client-install --uninstall
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The original nsswitch.conf configuration has been restored.
You may need to restart services or reboot the machine.
Do you want to reboot the machine? [no]: 

6> on master
# ipa host-del qe-blade-05.testrelm.test --updatedns
----------------------------------------
Deleted host "qe-blade-05.testrelm.test"
----------------------------------------

Repeated steps 2-4
was able to ssh successfully.

Comment 5 Namita Soman 2014-02-21 16:28:55 UTC

Got steps to verify from jcholast. verified using steps below:

1> Installed ipa master (mgmt8.testrelm.test)

2> installed ipa client (qe-blade-05.testrelm.test)

3> you should ssh only to qe-blade-05.testrelm.test, also make sure the host key comes from SSSD: ssh -o UserKnownHostsFile= -o StrictHostKeyChecking=yes qe-blade-05.testrelm.test. this should not prompt you about host key verification

# kinit one
Password for one: 


# ssh -o UserKnownHostsFile= -o StrictHostKeyChecking=yes qe-blade-05.testrelm.test -l one
Last login: Fri Feb 21 09:18:21 2014 from mgmt8.testrelm.test
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
                 This System is reserved by nsoman.

 To return this system early. You can run the command: return2beaker.sh
  Ensure you have your logs off the system before returning to Beaker

 To extend your reservation time. You can run the command:
  extendtesttime.sh
 This is an interactive script. You will be prompted for how many
  hours you would like to extend the reservation.

 You should verify the watchdog was updated succesfully after
  you extend your reservation.
  https://beaker.engineering.redhat.com/recipes/1236051

 For ssh, kvm, serial and power control operations please look here:
  https://beaker.engineering.redhat.com/view/qe-blade-05.idm.lab.bos.redhat.com

      Beaker Test information:
                         HOSTNAME=qe-blade-05.idm.lab.bos.redhat.com
                            JOBID=597146
                         RECIPEID=1236051
                    RESULT_SERVER=[::1]:7086
                           DISTRO=RHEL-7.0-20140217.n.0
                     ARCHITECTURE=x86_64

      Job Whiteboard: IPA :: RHEL 7.0 :: x86_64 :: client automount

      Recipe Whiteboard: CLIENT
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
Could not chdir to home directory /home/one: No such file or directory
-sh-4.2$ 
-sh-4.2$ logout
Connection to qe-blade-05.testrelm.test closed.


4> after you delete the host with "ipa host-del qe-blade-05.testrelm.test --updatedns" and ssh again, this time it *should* prompt you about host key verification
# ipa host-del qe-blade-05.testrelm.test --updatedns
----------------------------------------
Deleted host "qe-blade-05.testrelm.test"
----------------------------------------

# kinit one
Password for one: 

# ssh -o UserKnownHostsFile= -o StrictHostKeyChecking=yes qe-blade-05.testrelm.test -l one
No ECDSA host key is known for qe-blade-05.testrelm.test and you have requested strict checking.
Host key verification failed.

Comment 6 Ludek Smid 2014-06-13 13:30:02 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.