Ticket #1356 (closed defect: fixed)

Opened 2 years ago

Last modified 23 months ago

sss_ssh_knownhostsproxy prevents connection to machine without reverse address

Reported by: jhrozek Owned by: jcholast
Priority: major Milestone: SSSD 1.8.5 (LTM)
Component: SSSD Version:
Keywords: Cc:
Blocked By: Blocking:
Tests Updated: no Coverity Bug:
Patch Submitted: yes Red Hat Bugzilla: 825316
Design link:
Feature Milestone:
Design review: Fedora test page:
Chosen: Candidate to push out:
Release Notes:

Description

https://bugzilla.redhat.com/show_bug.cgi?id=825316 (Fedora)

Description of problem:
When I install IPA server with SSH support (and thus sss_ssh_knownhostsproxy is
used as a ProxyCommand in ssh_config), I cannot ssh to a machine without a
reverse address:

# host vm-050.idm.lab.bos.redhat.com
vm-050.idm.lab.bos.redhat.com has address 10.16.78.50
# host 10.16.78.50
Host 50.78.16.10.in-addr.arpa. not found: 3(NXDOMAIN)

# ssh -vv vm-050.idm.lab.bos.redhat.com
OpenSSH_5.9p1, OpenSSL 1.0.0j-fips 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 vm-050.idm.lab.bos.redhat.com
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: permanently_drop_suid: 0
Reverse lookup failed
ssh_exchange_identification: Connection closed by remote host


When the proxy command is commented out, the connection to the same machine works.

This is too strict; we cannot require working reverse records for every machine
we want to connect to.

Version-Release number of selected component (if applicable):
sssd-1.8.3-11.fc17.x86_64

How reproducible:


Steps to Reproduce:
1. Install IPA server on a machine
2. On that machine, try to connect to another machine without a reverse record
3.

Actual results:
Connection is rejected

Expected results:
Connection is accepted


Additional info:
I think this issue is present also in RHEL 6.3 Beta.

Change History

comment:1 Changed 2 years ago by jcholast

  • Tests Updated unset
  • upgrade set to 0
  • Status changed from new to assigned
  • tests set to 0
  • Owner changed from somebody to jcholast

comment:2 Changed 2 years ago by jcholast

  • Patch Submitted set

comment:3 Changed 23 months ago by dpal

  • Milestone changed from NEEDS_TRIAGE to SSSD 1.8.5 (LTM)

comment:4 Changed 23 months ago by jcholast

  • Resolution set to fixed
  • Status changed from assigned to closed