22.6. Configuring SSSD to Provide a Cache for the OpenSSH Services
The System Security Services Daemon (SSSD) provides interfaces towards several system services, including OpenSSH.
This section describes how you can configure SSSD to cache SSH keys for machines and users.
22.6.1. How SSSD Works with OpenSSH
OpenSSH is an SSH protocol implementation. OpenSSH creates secure, encrypted connections between two systems based on public-private key pairs that identify the authenticating entity. For details, see OpenSSH in the System Administrator's Guide.
SSSD can serve as a credentials cache for SSH public keys for machines and users. In this setup:
- OpenSSH is configured to reference SSSD to check for cached keys.
- SSSD uses an Identity Management (IdM) domain, and IdM stores the public keys and host information.
Note
Only Linux machines in the IdM domain can use SSSD as a key cache for OpenSSH. Other machines, including Windows machines, cannot.
How SSSD Manages Host Keys
To manage host keys, SSSD performs the following:
- Retrieves the public host key from the host system.
- Stores the host key in the
/var/lib/sss/pubconf/known_hostsfile. - Establishes a connection with the host machine.
See Section 22.6.2, “Configuring OpenSSH to Use SSSD for Host Keys” for details on the required configuration steps.
How SSSD Manages User Keys
To manage user keys, SSSD performs the following:
- Retrieves the user's public key from the user entries in the IdM domain.
- Stores the user key in the
.ssh/sss_authorized_keysfile in the standard authorized keys format.
See Section 22.6.3, “Configuring OpenSSH to Use SSSD for User Keys” for details on the required configuration steps.
22.6.2. Configuring OpenSSH to Use SSSD for Host Keys
You can change the configuration on a per-user basis or for the whole system.
- Open the required configuration file.
- To change user-specific configuration, open the
~/.ssh/configfile. - To change system-wide configuration, open the
/etc/ssh/sshd_configfile.
- Use the
ProxyCommandoption to specify what command will be used to connect to the SSH client (thesss_ssh_knownhostsproxyutility with the required arguments and host name).For details onsss_ssh_knownhostsproxy, see the sss_ssh_knownhostsproxy(1) man page. - Use the
GlobalKnownHostsFileoption to specify the location of the SSSD hosts file:/var/lib/sss/pubconf/known_hosts. This file will be used instead of the default OpenSSHknown_hostsfile.
The following example configures SSH to look for public keys in the SSSD domain and connect over the supplied port and host:
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
For details on configuring SSH and on the configuration files, see the ssh_config(5) man page.
22.6.3. Configuring OpenSSH to Use SSSD for User Keys
You can change the configuration for the whole system.
- Open the
/etc/ssh/sshd_configfile. - Use the
AuthorizedKeysCommandoption to specify the command that will be executed to retrieve user keys. - Use the
AuthorizedKeysCommandUseroption to specify the user under whose account the command will be run.
The following example configures SSH to run the
sss_ssh_authorizedkeys utility under the account of user.
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys AuthorizedKeysCommandUser user
For details on the
sss_ssh_authorizedkeys, see the sss_ssh_authorizedkeys(1) man page.
For details on configuring SSH and on the configuration files, see the ssh_config(5) man page.
