Ticket #1356 (closed defect: fixed)
sss_ssh_knownhostsproxy prevents connection to machine without reverse address
|Reported by:||jhrozek||Owned by:||jcholast|
|Priority:||major||Milestone:||SSSD 1.8.5 (LTM)|
|Tests Updated:||no||Coverity Bug:|
|Patch Submitted:||yes||Red Hat Bugzilla:||825316|
|Design review:||Fedora test page:|
|Chosen:||Candidate to push out:|
Description of problem: When I install IPA server with SSH support (and thus sss_ssh_knownhostsproxy is used as a ProxyCommand in ssh_config) , I cannot ssh to machine without a reverse address: # host vm-050.idm.lab.bos.redhat.com vm-050.idm.lab.bos.redhat.com has address 10.16.78.50 # host 10.16.78.50 Host 188.8.131.52.in-addr.arpa. not found: 3(NXDOMAIN) # ssh -vv vm-050.idm.lab.bos.redhat.com OpenSSH_5.9p1, OpenSSL 1.0.0j-fips 10 May 2012 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 54: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 vm-050.idm.lab.bos.redhat.com debug1: permanently_set_uid: 0/0 debug1: identity file /root/.ssh/id_rsa type -1 debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: permanently_drop_suid: 0 Reverse lookup failed ssh_exchange_identification: Connection closed by remote host When the proxy command is commented, the connection to the same machine works. This is too strict, we cannot require working reverse records for every machine we want to connect to. Version-Release number of selected component (if applicable): sssd-1.8.3-11.fc17.x86_64 How reproducible: Steps to Reproduce: 1. Install IPA server on a machine 2. On that machine, try to connect to other machine without a reverse record 3. Actual results: Connection is rejected Expected results: Connection is accepted Additional info: I think this issue is present also in RHEL 6.3 Beta.
- upgrade set to 0
- tests set to 0
- Owner changed from somebody to jcholast
- Tests Updated unset
- Status changed from new to assigned
Note: See TracTickets for help on using tickets.