48.5. Managing public SSH keys for hosts


OpenSSH uses public keys to authenticate hosts. One machine attempts to access another machine and presents its host key. The first time the host authenticates, the administrator on the target machine has to approve the request manually. The target machine then stores the remote host's public key in a known_hosts file. Any time that the remote machine attempts to access the target machine again, the target machine checks its known_hosts file and then grants access automatically to approved hosts.

48.5.1. Uploading SSH keys for a host using the IdM Web UI

Identity Management allows you to upload a public SSH key to a host entry. OpenSSH uses public keys to authenticate hosts.

Prerequisites

  • Administrator privileges for managing the IdM Web UI or User Administrator role.

Procedure

  1. You can retrieve the key for your host from a ~/.ssh/known_hosts file. For example:

    server.example.com,1.2.3.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApvjBvSFSkTU0WQW4eOweeo0DZZ08F9Ud21xlLy6FOhzwpXFGIyxvXZ52+siHBHbbqGL5+14N7UvElruyslIHx9LYUR/pPKSMXCGyboLy5aTNl5OQ5EHwrhVnFDIKXkvp45945R7SKYCUtRumm0Iw6wq0XD4o+ILeVbV3wmcB1bXs36ZvC/M6riefn9PcJmh6vNCvIsbMY6S+FhkWUTTiOXJjUDYRLlwM273FfWhzHK+SSQXeBp/zIn1gFvJhSZMRi9HZpDoqxLbBB9QIdIw6U4MIjNmKsSI/ASpkFm2GuQ7ZK9KuMItY2AoCuIRmRAdF8iYNHBTXNfFurGogXwRDjQ==

    You can also generate a host key. See Generating SSH keys.

  2. Copy the public key from the key file. The full key entry has the form host name,IP type key==. Only the key== is required, but you can store the entire entry. To use all elements in the entry, rearrange the entry so it has the order type key== [host name,IP].

    # cat /home/user/.ssh/host_keys.pub
    ssh-rsa AAAAB3NzaC1yc2E...tJG1PK2Mq++wQ== server.example.com,1.2.3.4
  3. Log into the IdM Web UI.
  4. Go to the Identity>Hosts tab.
  5. Click the name of the host to edit.
  6. In the Host Settings section, click the SSH public keys Add button.
  7. Paste the public key for the host into the SSH public key field.
  8. Click Set.
  9. Click Save at the top of the IdM Web UI window.

Verification

  • Under the Hosts Settings section, verify the key is listed under SSH public keys.

48.5.2. Uploading SSH keys for a host using the IdM CLI

Identity Management allows you to upload a public SSH key to a host entry. OpenSSH uses public keys to authenticate hosts. Host SSH keys are added to host entries in IdM, when the host is created using host-add or by modifying the entry later.

Note: RSA and DSA host keys are created by the ipa-client-install command, unless the SSH service is explicitly disabled in the installation script.

Prerequisites

  • Administrator privileges for managing IdM or User Administrator role.

Procedure

  1. Run the host-mod command with the --sshpubkey option to upload the base64-encoded public key to the host entry.

    Because adding a host key changes the DNS Secure Shell fingerprint (SSHFP) record for the host, use the --updatedns option to update the host’s DNS entry. For example:

    $ ipa host-mod --sshpubkey="ssh-rsa RjlzYQo==" --updatedns host1.example.com

    A real key also usually ends with an equal sign (=) but is longer.

  2. To upload more than one key, enter multiple --sshpubkey command-line parameters:

    --sshpubkey="RjlzYQo==" --sshpubkey="ZEt0TAo=="

    Note that a host can have multiple public keys.

  3. After uploading the host keys, configure SSSD to use Identity Management as one of its identity domains and set up OpenSSH to use the SSSD tools for managing host keys, covered in Configuring SSSD to Provide a Cache for the OpenSSH Services.
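The reordering of a known_hosts entry described in step 2 of Section 48.5.1 and the host-mod upload in steps 1 and 2 above, as an added shell example (not code from the Red Hat documentation or the IdM project). The function names known_hosts_to_sshpubkey, sshpubkey_is_valid and upload_host_keys, the IPA variable used to swap the ipa binary for echo in a dry run, and the short key values are all assumptions constructed for this example; the key material is a toy value, not a real host key.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: reorder a known_hosts
# entry into the "type key== [host name,IP]" form IdM accepts, sanity-check the
# key, and hand the keys to ipa host-mod with --updatedns.
# Assumptions: the ipa CLI is on PATH and a Kerberos ticket (kinit) exists;
# set IPA=echo to print the command instead of running it.
# The key material below is a constructed toy value, not a real host key.

# known_hosts line -> "type key== host,IP".  Lines already in "type key==" order
# pass through; hashed entries (|1|salt|hash) keep only the type and key, since
# the host name cannot be recovered from the hash.
known_hosts_to_sshpubkey() {
    set -- $1
    case $1 in
        ssh-*|ecdsa-*|sk-*) printf '%s %s%s\n' "$1" "$2" "${3:+ $3}" ;;
        '|1|'*)             printf '%s %s\n' "$2" "$3" ;;
        *)                  printf '%s %s %s\n' "$2" "$3" "$1" ;;
    esac
}

# Reject a key whose base64 payload does not decode to the OpenSSH wire format
# for its declared type: the decoded blob starts with the type string itself
# (e.g. "ssh-rsa"), so a mismatched or truncated key is caught before upload.
sshpubkey_is_valid() {
    set -- $1
    [ -n "$2" ] || return 1
    prefix=$(printf '%s' "$2" | base64 -d 2>/dev/null | head -c 64 | tr -cd '[:print:]')
    case $prefix in
        "$1"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Upload one or more keys to a host entry.  Each key becomes its own --sshpubkey
# argument; --updatedns regenerates the host's SSHFP DNS records so they match
# the new key set.
upload_host_keys() {
    host=$1; shift
    nkeys=$#
    for key in "$@"; do
        sshpubkey_is_valid "$key" || { printf 'malformed key: %s\n' "$key" >&2; return 1; }
        set -- "$@" "--sshpubkey=$key"
    done
    shift "$nkeys"                       # drop the raw keys, keep the --sshpubkey args
    "${IPA:-ipa}" host-mod "$@" --updatedns "$host"
}

# Constructed known_hosts line (toy RSA blob: exponent 65537, modulus 5).
KNOWN_HOSTS_LINE='server.example.com,1.2.3.4 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQU='
KEY1=$(known_hosts_to_sshpubkey "$KNOWN_HOSTS_LINE")

# Dry run by default: prints "host-mod --sshpubkey=... --updatedns host1.example.com".
# Run with IPA=ipa in the environment to modify the entry for real.
( IPA=${IPA:-echo}; upload_host_keys host1.example.com "$KEY1" )
```

The validity check is deliberately shallow: it confirms the base64 decodes and that the blob's leading type string matches the declared type, which is enough to catch a key pasted with the wrong type or with its tail cut off. Since IdM itself derives the key type from the blob when it is omitted, a mismatch between the declared and embedded type is exactly the kind of entry worth rejecting before it lands in the directory and in SSHFP records.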

Verification

  • Run the ipa host-show command to verify that the SSH public key is associated with the specified host:

    $ ipa host-show client.ipa.test
    ...
    SSH public key fingerprint: SHA256:qGaqTZM60YPFTngFX0PtNPCKbIuudwf1D2LqmDeOcuA
                                  client@IPA.TEST (ssh-rsa)
    ...

48.5.3. Deleting SSH keys for a host using the IdM Web UI

You can remove the host keys once they expire or are no longer valid. Follow the steps below to remove an individual host key by using the IdM Web UI.

Prerequisites

  • Administrator privileges for managing the IdM Web UI or Host Administrator role.

Procedure

  1. Log into the IdM Web UI.
  2. Go to the Identity>Hosts tab.
  3. Click the name of the host to edit.
  4. Under the Host Settings section, click Delete next to the SSH public key you want to remove.
  5. Click Save at the top of the page.

Verification

  • Under the Host Settings section, verify the key is no longer listed under SSH public keys.

48.5.4. Deleting SSH keys for a host using the IdM CLI

You can remove the host keys once they expire or are no longer valid. Follow the steps below to remove an individual host key by using the IdM CLI.

Prerequisites

  • Administrator privileges for managing the IdM CLI or Host Administrator role.

Procedure

  • To delete all SSH keys assigned to a host account, add the --sshpubkey option to the ipa host-mod command without specifying any key:

    $ kinit admin
    $ ipa host-mod --sshpubkey= --updatedns host1.example.com

    Note that it is good practice to use the --updatedns option to update the host’s DNS entry.

    IdM determines the key type automatically from the key, if the type is not included in the uploaded key.

Verification

  • Run the ipa host-show command to verify that the SSH public key is no longer associated with the specified host:

    $ ipa host-show client.ipa.test
      Host name: client.ipa.test
      Platform: x86_64
      Operating system: 4.18.0-240.el8.x86_64
      Principal name: host/client.ipa.test@IPA.TEST
      Principal alias: host/client.ipa.test@IPA.TEST
      Password: False
      Member of host-groups: ipaservers
      Roles: helpdesk
      Member of netgroups: test
      Member of Sudo rule: test2
      Member of HBAC rule: test
      Keytab: True
      Managed by: client.ipa.test, server.ipa.test
      Users allowed to retrieve keytab: user1, user2, user3
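The verification steps of Sections 48.5.2 and 48.5.4 both inspect ipa host-show output by eye. As an added shell example (not code from the Red Hat documentation or the IdM project), the following parses that output so the presence or absence of a key can be checked from a script. The function names host_show_fingerprints and check_host_keys, the IPA variable, and the two sample outputs, which are constructed from the lines shown in this section, are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: extract SSH key
# fingerprints from `ipa host-show` output so the upload and deletion steps can
# be verified from a script.  check_host_keys assumes the ipa CLI is on PATH
# and a Kerberos ticket exists; IPA can be overridden for testing.

# Reads host-show output on stdin, prints one "fingerprint comment (type)" line
# per key, and returns 1 when the entry carries no SSH public key.
host_show_fingerprints() {
    awk '
        pending != "" {
            # ipa wraps the key comment and type onto the line after the
            # fingerprint; join it unless this line starts a new field
            if ($0 !~ /^ *[A-Za-z][A-Za-z ]*: /) { sub(/^ */, ""); pending = pending " " $0 }
            print pending; n++; pending = ""
        }
        /^ *SSH public key fingerprint: / {
            sub(/^ *SSH public key fingerprint: */, ""); pending = $0
        }
        END { if (pending != "") { print pending; n++ }; exit (n == 0) }
    '
}

# Compare the live entry against the expected state: "present" after an
# upload, "absent" after a deletion.  Returns 0 when the state matches.
check_host_keys() {
    host=$1 expect=$2
    if "${IPA:-ipa}" host-show "$host" | host_show_fingerprints; then
        [ "$expect" = present ]
    else
        [ "$expect" = absent ]
    fi
}

# Constructed samples built from the verification output shown in this section.
WITH_KEY='  Host name: client.ipa.test
  SSH public key fingerprint: SHA256:qGaqTZM60YPFTngFX0PtNPCKbIuudwf1D2LqmDeOcuA
                                client@IPA.TEST (ssh-rsa)
  Keytab: True'
WITHOUT_KEY='  Host name: client.ipa.test
  Principal name: host/client.ipa.test@IPA.TEST
  Keytab: True'

printf '%s\n' "$WITH_KEY" | host_show_fingerprints
printf '%s\n' "$WITHOUT_KEY" | host_show_fingerprints || echo "no SSH public key on entry"
```

To confirm that the fingerprint IdM reports belongs to the key you intended to upload, compare it with the SHA256 fingerprint that ssh-keygen -lf prints for the public key file on the host; a mismatch means a different key was stored than the one the host presents.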
© 2026 Red Hat