FreeIPA and IdM

Ticket #2655 (new enhancement)

Opened 4 years ago

Last modified 5 months ago

[RFE] Add an ‘ipa-client-sshkey --refresh’ command to allow a host principal to update its SSH public host key

Reported by: sgallagh
Owned by: jcholast
Priority: major
Milestone: Future Releases
Component: Client
Version:
Keywords:
Cc: martin@…
Blocked By:
Blocking:
Affects Documentation: no
Patch posted for review: yes
Red Hat Bugzilla: 0
Patch review by:
External tracker:
Design link:
Test coverage:
Test by:
Test case:
Needs UI design:
Feature:
Source:
Expertise:
Release Notes:

Description

It would be useful for hosts to be able to roll their host keys, as well as for reinstalled hosts to generate new keys (rather than trying to escrow the old ones).

To this end, I propose that the public host keys should be writable by the host principal and an XMLRPC routine should be written to be able to update and replace the public key in LDAP.

Attachments

ipa-client-install-sshupdate.patch (5.2 KB) – added by mstefany 6 months ago.
initial patch for review
freeipa-mstefany-0001-Add-new-parameter-ssh-update.patch (7.1 KB) – added by mstefany 6 months ago.

Change History

comment:1 Changed 4 years ago by rcritten

Hosts can do this now. Is it not working for you?

comment:2 Changed 4 years ago by dpal

Is there a way to generate a new host SSH key pair and tell the IPA client to update it in the central location? I am not sure if it is possible. I have not heard that it is. We should call it out as a feature explicitly if it does.

comment:3 Changed 4 years ago by rcritten

# kinit host/client.example.com -kt /etc/krb5.keytab
# yum -y install ipa-admintools
# ipa host-mod --sshpubkey=<base64_blob_of_key> client.example.com

This will replace the existing key(s) with this one.

Last edited 4 years ago by rcritten

comment:4 Changed 4 years ago by dpal

I do not think this would fly. This would turn the client into a management station. IMO it is too heavy. I was looking for something like ipa-join or certmonger to grow this capability without requiring the full administrative package. Alternatively we can start fragmenting the ipa_admintools and extract host management tools into a separate package if possible. I mean have a subset of the interface that includes only commands that can be executed by the host using host credential.

comment:5 Changed 4 years ago by sgallagh

Ok, I was not aware that the XMLRPC call was already available (presumably that’s what’s happening under the hood with ipa host-mod).

I agree with Dmitri however that this functionality should be part of the ipa-client package and not the ipa-admintools package (for the reason that this function at least should be available on all hosts, not just those hosts that will administer IPA).

I assume that since the XMLRPC already exists it should be fairly trivial to build a utility script to perform just that function.

comment:6 Changed 4 years ago by rcritten

That’s fine, I was just pointing out that this is already possible.

So a new command like ipa-client-sshkey --refresh? This would re-read all local keys and upload them to IPA?

comment:7 Changed 4 years ago by sgallagh

What do you mean by “all local keys”. Shouldn’t there only be a single host key?

comment:8 Changed 4 years ago by rcritten

It may have different kinds of keys, like a DSS and RSA key.

comment:9 Changed 4 years ago by dpal

Can we close it then?

comment:10 Changed 4 years ago by sgallagh

  • Summary changed from [RFE] Add an XMLRPC call to allow a host principal to update its SSH public host key to [RFE] Add an ‘ipa-client-sshkey --refresh’ command to allow a host principal to update its SSH public host key

No, but I’ve changed the title to more accurately reflect what we’re asking for now.

comment:11 (follow-up: comment 12) Changed 4 years ago by jcholast

This can be done with:

$ ipa host-mod $HOSTNAME `awk '{ print "--sshpubkey", $2 }' /etc/ssh/ssh_host_*_key.pub`

Isn’t that good enough?

comment:12 (in reply to: comment 11) Changed 4 years ago by sgallagh

Replying to jcholast:

This can be done with:

$ ipa host-mod $HOSTNAME `awk '{ print "--sshpubkey", $2 }' /etc/ssh/ssh_host_*_key.pub`

Isn’t that good enough?

See comment 5. The issue is that the ‘ipa’ command is only available if you have the ‘freeipa-admintools’ package installed. However, this functionality should be a part of all client installs, not just those that will be administering the system.

So this request is for a new tool that can be included in the ‘freeipa-client’ package.

comment:13 Changed 4 years ago by jcholast

I see, sorry for not reading all the comments.

I don’t think a new tool is necessary for this, I would suggest doing something like ipa-client-install --ssh-update.

comment:14 Changed 4 years ago by jcholast

  • Owner changed from someone to jcholast

comment:15 Changed 4 years ago by dpal

  • Red Hat Bugzilla set to 0
  • Milestone changed from 0.0 NEEDS_TRIAGE to 3.0 Core Remaining Work 05 May Y12

comment:16 Changed 4 years ago by jcholast

It might be nice to (also) do this as part of a generic client refresh operation, as requested in #1609.

comment:17 Changed 4 years ago by mkosek

  • Milestone changed from 3.0 Core Remaining Work 05 May Y12 to 3.0 Core Remaining Work 06 June Y12

Moving to next month iteration.

comment:18 Changed 4 years ago by dpal

  • Milestone changed from 3.0 Core Remaining Work 06 June Y12 to 3.2 Backlog

comment:19 Changed 2 years ago by mkosek

  • Component changed from IPA to Client

Duplicate: #4320.

comment:20 Changed 2 years ago by dpal

  • Milestone changed from Ticket Backlog to 0.0 NEEDS_TRIAGE

Since there is now another request for this functionality, moving to the triage bucket for re-review.

comment:21 Changed 2 years ago by mkosek

  • Milestone changed from 0.0 NEEDS_TRIAGE to FreeIPA 4.1 Backlog

Moving to earlier release, we will re-assess in 4.1.

comment:22 Changed 23 months ago by dpal

  • mark set to 0

comment:23 Changed 18 months ago by mkosek

  • Milestone changed from FreeIPA 4.2 Backlog to Future Releases

FreeIPA 4.2 was already shaped (see the FreeIPA 4.2 milestone); this does not fit. Pushing out.

If anyone is willing to help and contribute to this one, please let us know!

Changed 6 months ago by mstefany

initial patch for review

comment:24 Changed 6 months ago by mstefany

  • Cc martin@… added
  • Patch posted for review set

I have extracted existing lines of code from the install() and uninstall() functions in ipa-client-install to create the functionality described above, and added a command-line parameter group and option.

ipa-client-install works only under root; to work with the API you need a user’s principal, and to update SSHFP records you need access to the host’s keytab and the host’s principal, so the current workflow is either:

$ sudo kinit admin
$ sudo ipa-client-install --ssh-update

or:

$ sudo -s
# kinit admin
# ipa-client-install --ssh-update

Example:

$ ipa host-show vpns1 --raw --all | grep ipaSshPubKey
  ipaSshPubKey: c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUROT1d2YUpKSkp0Yy9VeHhabVB0djNLNVlGNVdzMW00clAxU1hQT2RkcUI=
  ipaSshPubKey: ZWNkc2Etc2hhMi1uaXN0cDI1NiBBQUFBRTJWalpITmhMWE5vWVRJdGJtbHpkSEF5TlRZQUFBQUlibWx6ZEhBeU5UWUFBQUJCQlA4Y2VYSmRNb0I3VTFZNis2bG05R2tTbDJFS0VMQ3BUeXBYUS9zdi9HT1ZycVNRekQzNk83RC9NemUrYjNYOStZSWJCU2FJYXB3ck1sbU9LY2xzQ1M0PQ==
$ dig SSHFP vpns1.stefany.eu | grep -e "^vpns1.stefany.eu.*SSHFP"
vpns1.stefany.eu.       1200    IN      SSHFP   1 1 4DF7C131A3D38AC6450D4628571DB7237860B7C0
vpns1.stefany.eu.       1200    IN      SSHFP   1 2 A3EF01FC4F496FE670647E77520667B21628FB74DBBB005BA042C433 4F49E522
vpns1.stefany.eu.       1200    IN      SSHFP   3 1 FBB35AF6172ED04265193902C6F9A1228C205457
vpns1.stefany.eu.       1200    IN      SSHFP   3 2 F2DFB42664D9C6BA45ECFD0BDBF3455315A59D560984CBFDA84F6633 0CAFC1D1

# rm -fv /etc/ssh/ssh_host_*
removed ‘/etc/ssh/ssh_host_ecdsa_key’
removed ‘/etc/ssh/ssh_host_ecdsa_key.pub’
removed ‘/etc/ssh/ssh_host_ed25519_key’
removed ‘/etc/ssh/ssh_host_ed25519_key.pub’
removed ‘/etc/ssh/ssh_host_rsa_key’
removed ‘/etc/ssh/ssh_host_rsa_key.pub’
# systemctl start sshd-keygen.service
# ./ipa-client-install-sshupdate --ssh-update
trying https://idmc1.stefany.eu/ipa/session/json
Forwarding 'ping' to json server 'https://idmc1.stefany.eu/ipa/session/json'
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to json server 'https://idmc1.stefany.eu/ipa/session/json'

$ ipa host-show vpns1 --raw --all | grep ipaSshPubKey
  ipaSshPubKey: c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUkvTEthZWhuQ01mRG5MbjJtRythOEN3WjFaeHVRRSt3WXl1WGxBN1FFUWQ=
  ipaSshPubKey: ZWNkc2Etc2hhMi1uaXN0cDI1NiBBQUFBRTJWalpITmhMWE5vWVRJdGJtbHpkSEF5TlRZQUFBQUlibWx6ZEhBeU5UWUFBQUJCQkx6ZWtLQ0MzbGdnNW9jUDBjRlNzckN3NHp6YWM0cXFLeVZFVFBiS01NSE85MHlMV3IyV1ZNUHgrRk1iem9MdW5PbFJEeGc2dEswVzF4UzRSSW54Zno4PQ==
$ dig SSHFP vpns1.stefany.eu | grep -e "^vpns1.stefany.eu.*SSHFP"
vpns1.stefany.eu.       1200    IN      SSHFP   1 1 19FA9CC0FAACF573FDEFA048DD7C3B7FFF1E579E
vpns1.stefany.eu.       1200    IN      SSHFP   1 2 603EBDE93EAF676644092F71D17101634D3FE0D57C9168624B748425 26030B9F
vpns1.stefany.eu.       1200    IN      SSHFP   3 1 340012DA94DD9A2F9F64CCF37902CA2228082278
vpns1.stefany.eu.       1200    IN      SSHFP   3 2 10B1D3732D49C19CE0B9E42F0D0994AB84F87E725450751A166B4B71 1E295F36

Last edited 6 months ago by mstefany
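An added example, not FreeIPA’s code nor the patch attached to this ticket, that reproduces the data flow of the one-liner in comment 11 and of the --ssh-update run in comment 24: it parses ssh_host_*_key.pub lines, builds the --sshpubkey arguments for `ipa host-mod`, and derives the SSHFP rdata IPA should publish so the `dig` output can be diffed against the local keys. sample_key_line produces constructed, non-real key lines so the code runs offline; the function names are this example’s own.

```python
# Added example (not FreeIPA code): derive `ipa host-mod` args and expected SSHFP rdata from host keys.
import base64
import hashlib
# SSHFP algorithm number per OpenSSH key type (RFC 4255/6594/7479); fptype 1 = SHA-1, 2 = SHA-256.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FP_TYPES = ((1, hashlib.sha1), (2, hashlib.sha256))

def parse_pubkey(line):
    """Return (keytype, raw_blob) for one ssh_host_*_key.pub line, or None if malformed."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in SSHFP_ALGO:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    n = int.from_bytes(blob[:4], "big")  # blob begins with the length-prefixed key type
    return (parts[0], blob) if blob[4:4 + n] == parts[0].encode() else None

def host_mod_args(lines):
    """One --sshpubkey '<type> <base64>' per valid key, the OpenSSH text form IPA accepts."""
    return [tok for line in lines if parse_pubkey(line)
            for tok in ("--sshpubkey", " ".join(line.split()[:2]))]

def sshfp_records(lines):
    """Expected SSHFP rdata as (algorithm, fptype, HEX): hash over the raw blob of each valid key."""
    recs = set()
    for line in lines:
        parsed = parse_pubkey(line)
        if parsed:
            keytype, blob = parsed
            for fptype, digest in FP_TYPES:
                recs.add((SSHFP_ALGO[keytype], fptype, digest(blob).hexdigest().upper()))
    return recs

def dns_mismatch(expected, dig_output):
    """Diff expected records against `dig SSHFP` answer lines (dig splits long hex with spaces)."""
    seen = set()
    for row in dig_output.splitlines():
        f = row.split()
        if len(f) >= 7 and f[3] == "SSHFP":
            seen.add((int(f[4]), int(f[5]), "".join(f[6:]).upper()))
    return {"missing": expected - seen, "stale": seen - expected}

def sample_key_line(keytype):
    """CONSTRUCTED demo key line (valid syntax, not a real key) so the example runs offline."""
    blob = len(keytype).to_bytes(4, "big") + keytype.encode() + b"\x00\x00\x00\x20" + b"\x01" * 32
    return keytype + " " + base64.b64encode(blob).decode() + " root@host.example.test"
```

Run `sshfp_records` over the real files and `dns_mismatch` over the `dig SSHFP` answer to confirm that a key roll like the one shown above has reached both LDAP and DNS, and to spot stale records left behind.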

Changed 6 months ago by mstefany

comment:25 Changed 5 months ago by mstefany

Approach changed from integrated ‘ipa-client-install’ functionality to a separate command ‘ipa-sshupdate’; the discussion and patch are being handled on the freeipa-devel mailing list.