Bug 969024 - SSH host keys are not removed from cache when host is deleted in IPA
Summary: SSH host keys are not removed from cache when host is deleted in IPA
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-05-30 13:52 UTC by Dmitri Pal
Modified: 2014-06-18 04:02 UTC (History)
4 users (show)

Fixed In Version: sssd-1.10.0-18.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 13:30:02 UTC


Attachments (Terms of Use)

Description Dmitri Pal 2013-05-30 13:52:46 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1949

If a host is deleted in IPA, its host keys stay in SSSD's cache. This can lead to ssh refusing to connect to a host after reinstall, because its new host keys do not match those provided by SSSD.

Comment 1 Jakub Hrozek 2013-06-27 17:12:20 UTC
Pushed to master.

Comment 2 Jakub Hrozek 2013-10-04 13:24:09 UTC
Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 4 Namita Soman 2014-02-21 14:38:18 UTC
Verified using ipa-server-3.3.3-18.el7.x86_64

Steps taken:
1> Installed ipa master (mgmt8.testrelm.test)

2> installed ipa client
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Hostname: qe-blade-05.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: mgmt8.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin@TESTRELM.TEST: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Thu Feb 20 19:04:26 2014 UTC
    Valid Until: Mon Feb 20 19:04:26 2034 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://mgmt8.testrelm.test/ipa/xml
Forwarding 'ping' to server 'https://mgmt8.testrelm.test/ipa/xml'
Forwarding 'env' to server 'https://mgmt8.testrelm.test/ipa/xml'
Hostname (qe-blade-05.testrelm.test) not found in DNS
DNS server record set to: qe-blade-05.testrelm.test -> 10.16.76.36
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to server 'https://mgmt8.testrelm.test/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.


3> On master:
# ipa host-find
<..snip..>
 Host name: qe-blade-05.testrelm.test
  Certificate: MIIEHzCCAwegAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKEw1URVNUUkVMTS5URVNUMR4w
<..snip..>
  Principal name: host/qe-blade-05.testrelm.test@TESTRELM.TEST
  Password: False
  Keytab: True
  Managed by: qe-blade-05.testrelm.test
  Subject: CN=qe-blade-05.testrelm.test,O=TESTRELM.TEST
  Serial Number: 11
  Serial Number (hex): 0xB
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Fri Feb 21 14:00:09 2014 UTC
  Not After: Mon Feb 22 14:00:09 2016 UTC
  Fingerprint (MD5): 47:f6:1b:2d:da:f8:45:ac:51:06:fc:3d:55:c0:75:03
  Fingerprint (SHA1): eb:39:5a:28:b1:96:5b:26:cc:6b:7b:81:cb:23:2d:14:ba:08:65:9a
  SSH public key fingerprint: 1B:9E:78:C5:0C:FC:F2:49:6C:DF:38:2A:01:3D:79:EA (ecdsa-
                              sha2-nistp256), 56:CA:A9:B0:17:4A:8A:BC:4D:AB:91:6D:2A:19:BA:7A
                              (ssh-rsa)

3> on master 
# ipa user-add one
# ipa passwd one
# kinit one
# ssh one@<client ip>
and ssh'd from master to client successfully

4> on client
ssh one@mgmt8.testrelm.test
and ssh'd from client to master successfully

5> On Client
# ipa-client-install --uninstall
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The original nsswitch.conf configuration has been restored.
You may need to restart services or reboot the machine.
Do you want to reboot the machine? [no]: 

6> on master
# ipa host-del qe-blade-05.testrelm.test --updatedns
----------------------------------------
Deleted host "qe-blade-05.testrelm.test"
----------------------------------------

Repeated steps 2-4
was able to ssh successfully.

Comment 5 Namita Soman 2014-02-21 16:28:55 UTC
Got steps to verify from jcholast. verified using steps below:

1> Installed ipa master (mgmt8.testrelm.test)

2> installed ipa client (qe-blade-05.testrelm.test)

3> you should ssh only to qe-blade-05.testrelm.test, also make sure the host key comes from SSSD: ssh -o UserKnownHostsFile= -o StrictHostKeyChecking=yes qe-blade-05.testrelm.test. this should not prompt you about host key verification

# kinit one
Password for one@TESTRELM.TEST: 


# ssh -o UserKnownHostsFile= -o StrictHostKeyChecking=yes qe-blade-05.testrelm.test -l one
Last login: Fri Feb 21 09:18:21 2014 from mgmt8.testrelm.test
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
                 This System is reserved by nsoman@redhat.com.

 To return this system early. You can run the command: return2beaker.sh
  Ensure you have your logs off the system before returning to Beaker

 To extend your reservation time. You can run the command:
  extendtesttime.sh
 This is an interactive script. You will be prompted for how many
  hours you would like to extend the reservation.

 You should verify the watchdog was updated succesfully after
  you extend your reservation.
  https://beaker.engineering.redhat.com/recipes/1236051

 For ssh, kvm, serial and power control operations please look here:
  https://beaker.engineering.redhat.com/view/qe-blade-05.idm.lab.bos.redhat.com

      Beaker Test information:
                         HOSTNAME=qe-blade-05.idm.lab.bos.redhat.com
                            JOBID=597146
                         RECIPEID=1236051
                    RESULT_SERVER=[::1]:7086
                           DISTRO=RHEL-7.0-20140217.n.0
                     ARCHITECTURE=x86_64

      Job Whiteboard: IPA :: RHEL 7.0 :: x86_64 :: client automount

      Recipe Whiteboard: CLIENT
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
Could not chdir to home directory /home/one: No such file or directory
-sh-4.2$ 
-sh-4.2$ logout
Connection to qe-blade-05.testrelm.test closed.


4> after you delete the host with "ipa host-del qe-blade-05.testrelm.test --updatedns" and ssh again, this time it *should* prompt you about host key verification
# ipa host-del qe-blade-05.testrelm.test --updatedns
----------------------------------------
Deleted host "qe-blade-05.testrelm.test"
----------------------------------------

# kinit one
Password for one@TESTRELM.TEST: 

# ssh -o UserKnownHostsFile= -o StrictHostKeyChecking=yes qe-blade-05.testrelm.test -l one
No ECDSA host key is known for qe-blade-05.testrelm.test and you have requested strict checking.
Host key verification failed.

Comment 6 Ludek Smid 2014-06-13 13:30:02 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.


Note You need to log in before you can comment on or make changes to this bug.