Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

FreeIPA on Devuan and sss ssh knownhosts proxy

After this month's updates to my operating systems, I have found something frustrating regarding sssd/freeipa.

Firstly, I had to update my package to depend on dnsutils | bind9-dnsutils, a change that somebody else also submitted to the upstream Debian package shortly afterwards. Seriously, I beat them by 1 hour!

Secondly, after updating, I would get a bogus error when using the ssh client.

$ ssh server3

******************************************************************************
Your system is configured to use the obsolete tool sss_ssh_knownhostsproxy.
Please read the sss_ssh_knownhosts(1) man page to learn about its replacement.
******************************************************************************

Connection closed by UNKNOWN port 65535

Apparently the file /etc/ssh/ssh_config.d/04-ipa.conf, which is not directly owned by the freeipa-client package (it is generated when the client is configured, i.e. when the host is joined to a domain), still contains a now-deprecated directive: a ProxyCommand that runs sss_ssh_knownhostsproxy. The banner above is printed by sss_ssh_knownhostsproxy itself, which now exits instead of relaying the connection, hence the "Connection closed" line. I had to dig around to find information about this. It goes back to FreeIPA 4.12.0, where the FreeIPA team replaced the sss_ssh_knownhostsproxy ProxyCommand with a KnownHostsCommand that runs sss_ssh_knownhosts (bug #9536); either way the purpose is the same: ssh obtains the server's host keys from IPA and verifies them, instead of relying on ~/.ssh/known_hosts alone. They solved their upgrade processes, presumably for the Fedora/Enterprise Linux world, but whatever fixes they did apparently do not run client-side on a Devuan/Debian freeipa client. Note that KnownHostsCommand requires OpenSSH 8.5 or later.

So I had to poke around to learn exactly what my 04-ipa.conf should look like. I found it:

# IPA-related configuration changes to ssh_config
# Last-modified: 2025-02-02-1 22:25 bgstack15
# References:
#    https://github.com/freeipa/freeipa/pull/7345/files
#    https://www.freeipa.org/release-notes/4-12-0.html
PubkeyAuthentication yes
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
#VerifyHostKeyDNS yes

Match exec true
   KnownHostsCommand /usr/bin/sss_ssh_knownhosts %H

# Deprecated as of v4.12.0
# assumes that if a user does not have shell (/sbin/nologin),
# this will return nonzero exit code and proxy command will be ignored
#Match exec true
#   ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

I wonder if this is something worth reporting to the Debian package. I'm not entirely certain how the "upgrade logic" is applied; I was only researching the end effect in the config file. I just want my ssh client to work! A brief examination of my EL8 equivalent shows it is still on freeipa 4.9, and my EL9 equivalent is on 4.12.2, but there is no /usr/bin/sss_ssh_knownhosts binary there and the old sss_ssh_knownhostsproxy works correctly.

So I will just distribute this /etc/ssh/ssh_config.d/04-ipa.conf to all my Devuan systems and call it a day.

#!/bin/sh
# Startdate: 2025-02-03-2 08:38
# Purpose: install the freeipa >= 4.12.0 /etc/ssh/ssh_config.d/04-ipa.conf file
# The new config runs /usr/bin/sss_ssh_knownhosts as KnownHostsCommand; per ssh_config(5)
# a failing KnownHostsCommand terminates the connection, so refuse to install it where the binary is absent.
test -x /usr/bin/sss_ssh_knownhosts || { echo "sss_ssh_knownhosts not found; not installing 04-ipa.conf" >&2; exit 1; }
sudo install -m 0644 -o root -g root /mnt/public/Support/Platforms/devuan/04-ipa.conf /etc/ssh/ssh_config.d/04-ipa.conf
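To check and fix the same thing across a fleet without hand-editing each host, here is an added example (my own code, not from the original post or from the FreeIPA project): a POSIX sh script that detects an active sss_ssh_knownhostsproxy ProxyCommand in a client config fragment, comments that Match/ProxyCommand pair out, appends the KnownHostsCommand block from the config above, and reports whether the helper binary the new directive depends on actually exists (the EL9 situation described above, where the binary is absent). The function names and state labels are invented for this example; the default paths are the ones used in this post.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenSSH client config
# fragment (such as /etc/ssh/ssh_config.d/04-ipa.conf) for the pre-4.12
# sss_ssh_knownhostsproxy ProxyCommand and migrate it to KnownHostsCommand.
# Function names and state labels are invented for this example.

# Succeed if FILE has an active (uncommented) ProxyCommand that calls
# sss_ssh_knownhostsproxy: the setting that now makes ssh print the
# obsolete-tool banner and close the connection.
has_deprecated_proxy() {
    grep -Eq '^[[:space:]]*ProxyCommand[[:space:]].*sss_ssh_knownhostsproxy' "$1"
}

# Succeed if FILE has an active KnownHostsCommand that runs BIN.
has_knownhosts_command() {
    grep -Eq "^[[:space:]]*KnownHostsCommand[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# Rewrite FILE: comment out the deprecated Match/ProxyCommand pair, keeping the
# original lines as comments so the change is auditable, then append the
# KnownHostsCommand block unless it is already present. Ownership and mode of
# FILE are preserved because the content is written back through cat.
migrate_ipa_ssh_config() {
    file="$1"; bin="${2:-/usr/bin/sss_ssh_knownhosts}"
    tmp="$(mktemp)" || return 1
    awk '
        # Hold a Match line until we see which directive it governs.
        /^[ \t]*Match[ \t]/ { if (held != "") print held; held = $0; next }
        /^[ \t]*ProxyCommand[ \t].*sss_ssh_knownhostsproxy/ {
            if (held != "") { print "# Deprecated as of FreeIPA 4.12.0: " held; held = "" }
            print "# Deprecated as of FreeIPA 4.12.0: " $0
            next
        }
        { if (held != "") { print held; held = "" } print }
        END { if (held != "") print held }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! has_knownhosts_command "$tmp" "$bin"; then
        printf '\nMatch exec true\n   KnownHostsCommand %s %%H\n' "$bin" >> "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Print one word describing FILE's state with respect to BIN:
#   deprecated    the old ProxyCommand is still active
#   ok            KnownHostsCommand is configured and BIN is executable
#   missing-bin   KnownHostsCommand is configured but BIN does not exist, so
#                 ssh would terminate every connection (see ssh_config(5))
#   unconfigured  neither directive is present
ipa_ssh_state() {
    file="$1"; bin="${2:-/usr/bin/sss_ssh_knownhosts}"
    if has_deprecated_proxy "$file"; then
        echo deprecated
    elif has_knownhosts_command "$file" "$bin"; then
        if [ -x "$bin" ]; then echo ok; else echo missing-bin; fi
    else
        echo unconfigured
    fi
}

# Usage: ./ipa-ssh-check.sh FILE [BIN]   (prints the state; makes no changes)
if [ "$#" -gt 0 ]; then
    ipa_ssh_state "$@"
fi
```

Run ipa_ssh_state against /etc/ssh/ssh_config.d/04-ipa.conf before and after distributing the file; a host reporting missing-bin is one where the new config would break every ssh connection, so it should keep the old ProxyCommand until sss_ssh_knownhosts is available. To see what the client actually resolved for a given host, `ssh -G server3 | grep -iE 'knownhostscommand|proxycommand'` prints the effective directives without connecting.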

References

All links in-line.
