Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 46. Managing public SSH keys for users and hosts

Manage public SSH keys for users and hosts in Identity Management (IdM) to centralize SSH key distribution and simplify secure access across your domain. Storing SSH keys in IdM ensures consistent authentication without manually distributing key files.

46.1. About the SSH key format
Copy link

Identity Management (IdM) supports OpenSSH-style and raw RFC 4253-style SSH key formats, providing flexibility when uploading keys.

Note that IdM automatically converts RFC 4253-style keys into OpenSSH-style keys before saving them into the IdM LDAP server.

The IdM server can identify the type of key, such as an RSA or DSA key, from the uploaded key blob. In a key file such as ~/.ssh/known_hosts, a key entry is identified by the hostname and IP address of the server, its type, and the key. For example: 

host.example.com,1.2.3.4 ssh-rsa AAA...ZZZ==

This is different from a user public key entry, which has the elements in the order type key== comment: 

"ssh-rsa ABCD1234...== ipaclient.example.com"

A key file, such as id_rsa.pub, consists of three parts: the key type, the key, and an additional comment or identifier. When uploading a key to IdM, you can upload all three key parts or only the key. If you only upload the key, IdM automatically identifies the key type, such as RSA or DSA, from the uploaded key.

If you use the host public key entry from the ~/.ssh/known_hosts file, you must reorder it to match the format of a user key, type key== comment: 

ssh-rsa AAA...ZZZ== host.example.com,1.2.3.4

IdM can determine the key type automatically from the content of the public key. The comment is optional, to make identifying individual keys easier. The only required element is the public key blob.

IdM uses public keys stored in the following OpenSSH-style files:

  • Host public keys are in the known_hosts file.
  • User public keys are in the authorized_keys file.

46.2. About IdM and OpenSSH
Copy link

Identity Management (IdM) integrates with OpenSSH during server and client installation to centralize SSH key management through SSSD. This integration enables IdM to serve as a universal repository for user and host SSH keys.

During an IdM server or client installation, as part of the install script:

  • An OpenSSH server and client is configured on the IdM client machine.
  • SSSD is configured to store and retrieve user and host SSH keys in cache. This allows IdM to serve as a universal and centralized repository of SSH keys.

If you enable the SSH service during the client installation, an RSA key is created when the SSH service is started for the first time.

Note

When you run the ipa-client-install install script to add the machine as an IdM client, the client is created with two SSH keys, RSA and DSA.

As part of the installation, you can configure the following:

  • Configure OpenSSH to automatically trust the IdM DNS records where the key fingerprints are stored using the --ssh-trust-dns option.
  • Disable OpenSSH and prevent the install script from configuring the OpenSSH server using the --no-sshd option.
  • Prevent the host from creating DNS SSHFP records with its own DNS entries using the --no-dns-sshfp option.

If you do not configure the server or client during installation, you can manually configure SSSD later. For information on how to manually configure SSSD, see Configuring SSSD to Provide a Cache for the OpenSSH Services. Note that caching SSH keys by SSSD requires administrative privileges on the local machines.

46.3. Generating SSH keys
Copy link

Generate SSH key pairs using the ssh-keygen utility to enable secure, password-free authentication for users and hosts in Identity Management (IdM). SSH keys provide a more secure alternative to password-based authentication.

Procedure

  1. To generate an RSA SSH key, run the following command: 

    $ ssh-keygen -t rsa -C user@example.com
Generating public/private rsa key pair.

    Note if generating a host key, replace user@example.com with the required hostname, such as server.example.com,1.2.3.4.

  2. Specify the file where you are saving the key or press enter to accept the displayed default location. 

    Enter file in which to save the key (/home/user/.ssh/id_rsa):

    Note if generating a host key, save the key to a different location than the user’s ~/.ssh/ directory so you do not overwrite any existing keys. for example, /home/user/.ssh/host_keys.

  3. Specify a passphrase for your private key or press enter to leave the passphrase blank. 

    Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ONxjcMX7hJ5zly8F8ID9fpbqcuxQK+ylVLKDMsJPxGA user4@example.com
The key's randomart image is:
+---[RSA 3072]----+
|         ..o     |
|         .o +    |
|     E. .  o =   |
|    ..o=  o . +  |
|      +oS. = + o.|
|    . .o .* B =.+|
|     o + . X.+.= |
|      + o o.*+. .|
|       .   o=o . |
+----[SHA256]-----+

    To upload this SSH key, use the public key string stored in the displayed file.

46.4. Managing public SSH keys for users
Copy link

Upload public SSH keys to Identity Management (IdM) user entries to enable SSH-based authentication without Kerberos credentials.

Users with the corresponding private key can log into IdM machines directly using SSH. If the private SSH key file is not available on a particular machine, Kerberos credentials can still be used for authentication.

Upload a public SSH key to a user entry in Identity Management (IdM) by using the IdM Web UI to enable SSH login to IdM machines without requiring Kerberos credentials.

Prerequisites

  • Administrator privileges for managing the IdM Web UI or User Administrator role.

Procedure

  1. Log into the IdM Web UI.
  2. Go to the Identity>Users tab.
  3. Click the name of the user to edit.
  4. In the Account Settings section, click the SSH public keys Add button.
  5. Paste the Base 64-encoded public key string into the SSH public key field.
  6. Click Set.
  7. Click Save at the top of the IdM Web UI window.

Verification

  • Under the Accounts Settings section, verify the key is listed under SSH public keys.

Upload a public SSH key to a user entry in Identity Management (IdM) by using the CLI to enable SSH login to IdM machines without requiring Kerberos credentials.

Prerequisites

  • Administrator privileges for managing the IdM CLI or User Administrator role.

Procedure

  1. Run the ipa user-mod command with the --sshpubkey option to upload the base64-encoded public key to the user entry. 

    $ ipa user-mod user --sshpubkey="ssh-rsa AAAAB3Nza...SNc5dv== client.example.com"

    Note in this example you upload the key type, the key, and the hostname identifier to the user entry.

  2. To upload multiple keys, use --sshpubkey multiple times. For example, to upload two SSH keys: 

    --sshpubkey="AAAAB3Nza...SNc5dv==" --sshpubkey="RjlzYQo...ZEt0TAo="

  3. To use command redirection and point to a file that contains the key instead of pasting the key string manually, use the following command: 

    $ ipa user-mod user --sshpubkey="$(cat ~/.ssh/id_rsa.pub)" --sshpubkey="$(cat ~/.ssh/id_rsa2.pub)"

Verification

  • Run the ipa user-show command to verify that the SSH public key is associated with the specified user: 

    $ ipa user-show user
User login: user
  First name: user
  Last name: user
  Home directory: /home/user
  Login shell: /bin/sh
  Principal name: user@IPA.TEST
  Principal alias: user@IPA.TEST
  Email address: user@ipa.test
  UID: 1118800019
  GID: 1118800019
  SSH public key fingerprint: SHA256:qGaqTZM60YPFTngFX0PtNPCKbIuudwf1D2LqmDeOcuA
                              user@IPA.TEST (ssh-rsa)
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Subordinate ids: 3167b7cc-8497-4ff2-ab4b-6fcb3cb1b047
  Kerberos keys available: False

You can delete SSH public keys from user profiles using the Identity Management (IdM) WebUI. Deleting invalid keys improves security by preventing unauthorized user authentication.

Prerequisites

  • Administrator privileges for managing the IdM Web UI or User Administrator role.

Procedure

  1. Log into the IdM Web UI.
  2. Go to the Identity>Users tab.
  3. Click the name of the user to edit.
  4. Under the Account Settings section, under SSH public key, click Delete next to the key you want to remove.
  5. Click Save at the top of the page.

Verification

  • Under the Account Settings section, verify the key is no longer listed under SSH public keys.

You can delete SSH public keys from user profiles using the Identity Management (IdM) CLI. Deleting invalid keys improves security by preventing unauthorized user authentication.

Prerequisites

  • Administrator privileges for managing the IdM CLI or User Administrator role.

Procedure

  1. To delete all SSH keys assigned to a user account, add the --sshpubkey option to the ipa user-mod command without specifying any key: 

    $ ipa user-mod user --sshpubkey=
  2. To only delete a specific SSH key or keys, use the --sshpubkey option to specify the keys you want to keep, omitting the key you are deleting.

Verification

  • Run the ipa user-show command to verify that the SSH public key is no longer associated with the specified user: 

    $ ipa user-show user
User login: user
  First name: user
  Last name: user
  Home directory: /home/user
  Login shell: /bin/sh
  Principal name: user@IPA.TEST
  Principal alias: user@IPA.TEST
  Email address: user@ipa.test
  UID: 1118800019
  GID: 1118800019
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Subordinate ids: 3167b7cc-8497-4ff2-ab4b-6fcb3cb1b047
  Kerberos keys available: False

46.5. Managing public SSH keys for hosts
Copy link

Manage public SSH keys for hosts in Identity Management (IdM) to centralize host authentication and simplify SSH access across your domain. Storing host SSH keys in IdM eliminates the need to distribute known_hosts files manually.

Traditionally, when a host first authenticates to another machine using OpenSSH, an administrator must manually approve the request. The target machine then stores the host’s public key in its known_hosts file and grants automatic access on subsequent connections. By storing host SSH keys centrally in IdM, you avoid managing these files on each machine individually.

Upload a public SSH key to a host entry in Identity Management (IdM) by using the IdM Web UI so that OpenSSH can authenticate the host without Kerberos credentials.

Prerequisites

  • Administrator privileges for managing the IdM Web UI or User Administrator role.

Procedure

  1. You can retrieve the key for your host from a ~/.ssh/known_hosts file. For example: 

    server.example.com,1.2.3.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApvjBvSFSkTU0WQW4eOweeo0DZZ08F9Ud21xlLy6FOhzwpXFGIyxvXZ52+siHBHbbqGL5+14N7UvElruyslIHx9LYUR/pPKSMXCGyboLy5aTNl5OQ5EHwrhVnFDIKXkvp45945R7SKYCUtRumm0Iw6wq0XD4o+ILeVbV3wmcB1bXs36ZvC/M6riefn9PcJmh6vNCvIsbMY6S+FhkWUTTiOXJjUDYRLlwM273FfWhzHK+SSQXeBp/zIn1gFvJhSZMRi9HZpDoqxLbBB9QIdIw6U4MIjNmKsSI/ASpkFm2GuQ7ZK9KuMItY2AoCuIRmRAdF8iYNHBTXNfFurGogXwRDjQ==

    You can also generate a host key. See Generating SSH keys.

  2. Copy the public key from the key file. The full key entry has the form host name,IP type key==. Only the key== is required, but you can store the entire entry. To use all elements in the entry, rearrange the entry so it has the order type key== [host name,IP]. 

    # cat /home/user/.ssh/host_keys.pub
ssh-rsa AAAAB3NzaC1yc2E...tJG1PK2Mq++wQ== server.example.com,1.2.3.4
  3. Log into the IdM Web UI.
  4. Go to the Identity>Hosts tab.
  5. Click the name of the host to edit.
  6. In the Host Settings section, click the SSH public keys Add button.
  7. Paste the public key for the host into the SSH public key field.
  8. Click Set.
  9. Click Save at the top of the IdM Web UI window.

Verification

  • Under the Hosts Settings section, verify the key is listed under SSH public keys.

Upload a public SSH key to a host entry in Identity Management (IdM) by using the CLI so that OpenSSH can authenticate the host without Kerberos credentials.

Host SSH keys are added to host entries in IdM when the host is created using ipa host-add, or by modifying the entry later using ipa host-mod. RSA and DSA host keys are also created automatically by the ipa-client-install command, unless the SSH service is explicitly disabled in the installation script.

Prerequisites

  • Administrator privileges for managing IdM or User Administrator role.

Procedure

  1. Run the host-mod command with the --sshpubkey option to upload the base64-encoded public key to the host entry.

    Because adding a host key changes the DNS Secure Shell fingerprint (SSHFP) record for the host, use the --updatedns option to update the host’s DNS entry. For example: 

    $ ipa host-mod --sshpubkey="ssh-rsa RjlzYQo==" --updatedns host1.example.com

    A real key also usually ends with an equal sign (=) but is longer.

  2. To upload more than one key, enter multiple --sshpubkey command-line parameters: 

    --sshpubkey="RjlzYQo==" --sshpubkey="ZEt0TAo=="

    Note that a host can have multiple public keys.

  3. After uploading the host keys, configure SSSD to use Identity Management as one of its identity domains and set up OpenSSH to use the SSSD tools for managing host keys, covered in Configuring SSSD to Provide a Cache for the OpenSSH Services.

Verification

  • Run the ipa host-show command to verify that the SSH public key is associated with the specified host: 

    $ ipa host-show client.ipa.test
...
SSH public key fingerprint: SHA256:qGaqTZM60YPFTngFX0PtNPCKbIuudwf1D2LqmDeOcuA
                              client@IPA.TEST (ssh-rsa)
...

You can delete SSH public keys from host entries using the Identity Management (IdM) WebUI. Deleting invalid keys improves security by preventing unauthorized host authentication.

Prerequisites

  • Administrator privileges for managing the IdM Web UI or Host Administrator role.

Procedure

  1. Log into the IdM Web UI.
  2. Go to the Identity>Hosts tab.
  3. Click the name of the host to edit.
  4. Under the Host Settings section, click Delete next to the SSH public key you want to remove.
  5. Click Save at the top of the page.

Verification

  • Under the Host Settings section, verify the key is no longer listed under SSH public keys.

You can delete SSH public keys from host entries using the Identity Management (IdM) CLI. Deleting invalid keys improves security by preventing unauthorized host authentication.

Prerequisites

  • Administrator privileges for managing the IdM CLI or Host Administrator role.

Procedure

  • To delete all SSH keys assigned to a host account, add the --sshpubkey option to the ipa host-mod command without specifying any key: 

    $ kinit admin
$ ipa host-mod --sshpubkey= --updatedns host1.example.com

    Note that it is good practice to use the --updatedns option to update the host’s DNS entry.

    IdM determines the key type automatically from the key, if the type is not included in the uploaded key.

Verification

  • Run the ipa host-show command to verify that the SSH public key is no longer associated with the specified host: 

    $ ipa host-show client.ipa.test
  Host name: client.ipa.test
  Platform: x86_64
  Operating system: 4.18.0-240.el8.x86_64
  Principal name: host/client.ipa.test@IPA.TEST
  Principal alias: host/client.ipa.test@IPA.TEST
  Password: False
  Member of host-groups: ipaservers
  Roles: helpdesk
  Member of netgroups: test
  Member of Sudo rule: test2
  Member of HBAC rule: test
  Keytab: True
  Managed by: client.ipa.test, server.ipa.test
  Users allowed to retrieve keytab: user1, user2, user3
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top