Product SiteDocumentation Site

6.8. Managing Public SSH Keys for Hosts

OpenSSH uses public-private key pairs to authenticate hosts. One machine attempts to access another machine and presents its key pair. The first time the host authenticates, the administrator on the target machine has to approve the request manually. The machine then stores the host's public key in a known_hosts file. Any time that the remote machine attempts to access the target machine again, the target machine simply checks its known_hosts file and then grants access automatically to approved hosts.
There are a few problems with this system:
On Fedora, the System Security Services Daemon (SSSD) can be configured to cache and retrieve host SSH keys so that applications and services only have to look in one location for host keys. Because SSSD can use FreeIPA as one of its identity information providers, FreeIPA provides a universal and centralized repository of keys. Administrators do not need to worry about distributing, updating, or verifying host SSH keys.

6.8.1. About FreeIPA Clients and OpenSSH

The ipa-client-install script, by default, configures an OpenSSH server and client on the FreeIPA client machine. It also configures SSSD to perform host and user key caching. Essentially, simply configuring the client does all of the configuration necessary for the host to use SSSD, OpenSSH, and FreeIPA for key caching and retrieval.


Even if the machine is added as an FreeIPA client using ipa-client-install, the client is not created with any SSH keys. These keys need to be created separately and added to the host account, as described in Section 6.8.2, “Adding Host Keys”.
There is an additional client configuration option, --ssh-trust-dns, which can be run with ipa-client-install and automatically configures OpenSSH to trust the FreeIPA DNS records, where the host keys are stored.
Alternatively, it is also possible to disable OpenSSH at the time the client is installed, using the --no-sshd option. This prevents the install script from configuring the OpenSSH server.
Another option, --no-dns-sshfp, prevents the host from creating DNS SSHFP records with its own DNS entries. This can be used with or without the --no-sshd option.

6.8.2. Adding Host Keys

Host SSH keys are added to host entries in FreeIPA, either when the host is created using host-add or by modifying the entry later.
In a key file, such as a user's file, a key entry is identified by its type and then the key itself. For example, for an RSA key:
ssh-rsa ABCD1234==
Only the second part, the base 64-encoded key itself, is uploaded to the user entry.


Host keys are not created by the ipa-client-install command.
  1. Run the host-mod command with the --sshpubkey option to upload the 64 bit-encoded public key to the host entry.
    Adding a host key also changes the DNS SSHFP entry for the host, so also use the --updatedns option to update the host's DNS entry.
    For example:
    [jsmith@server ~]$ ipa host-mod --sshpubkey="12345abcde=" --updatedns
    With a real key, the key is longer and usually ends with an equals sign (=).
    To upload multiple keys, pass a comma-separated list of keys with a single --sshpubkey option:


    A host can have multiple public keys.
  2. After uploading the user keys, configure SSSD to use FreeIPA as one of its identity domains and set up OpenSSH to use the SSSD tooling for managing user keys. This is covered in the Fedora Deployment Guide.

6.8.3. Removing Host Keys

Host keys can be removed once they expire or are no longer valid.
Use the --sshpubkey= with a blank value; this removes all public keys for the host. Also, use the --updatedns option to update the host's DNS entry.
For example:
[jsmith@server ~]$ ipa host-mod --sshpubkey= --updatedns