Managing SSH Known Hosts With SSSD And LDAP

For various reasons, I manage on-premises, non-cloud infrastructure. For centralized authentication, I use PAM and OpenLDAP along with SSSD for purposes of caching for availability and load reduction. I rely on the openssh-lpk.openldap.schema LDAP schema for passwordless authentication with OpenSSH, and, recently, I discovered that the same schema can be used to centralize SSH known hosts. This post isn't intended to be a how-to, but documents some of my findings that don't seem to be too well documented anywhere else.

Up until my discovery, I had been managing SSH known hosts with an Ansible playbook. In particular, each host public key was added into a managed GlobalKnownHostsFile that each client was configured to use. The SSH hosts keys were manually added into a playbook that was then applied to all the infrastructure. Or, well, maybe applied to all of the infrastructure. This approach worked well enough, but it was inconvenient because not all machines had 24/7 uptime.

If you're unfamiliar with the openssh-lpk.openldap.schema, it allows you to add an arbitrary number of sshPublicKey attributes to an LDAP entry. For example, a posixAccount object may list all public SSH keys that the user may authenticate with:

dn: uid=jsmith,ou=People,dc=example,dc=com
cn: John Smith
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: ldapPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDIqh1s3idPZ8h7aSOu9Xx4/tBlSkP1Xy...

When the SSH server is configured to use the AuthorizedKeysCommand command with sss_ssh_authorizedkeys binary, SSHD will connect to the SSSD server and look-up the connecting user's public keys using the configured ldap_search_base and/or ldap_user_search_base SSSD configurations. If the authorized key is listed, authentication succeeds.

I recently discovered that this sshPublicKey mechanism can further be used to manage SSH know hosts!

To accomplish this, SSSD ships with a binary, sss_ssh_knownhostsproxy, that can be used as an SSH ProxyCommand to automatically look-up and cache SSH host keys within LDAP. When paired with an ldap_host_search_base, the sss_ssh_knownhostproxy binary will have the SSSD server perform an LDAP search to get the sshPublicKey attributes of an object representing the SSH server. If the host key offered by the SSH server is listed in its list of sshPublicKey attributes, the key is accepted without any user intervention and the connection succeeds.

The default configuration that SSSD uses didn't entirely match my current LDAP database (I'm probably using it wrong!), but with some configuration, it can be made to work. Given a host entry like this

dn: cn=somehost,ou=Hosts,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: hostObject
objectClass: ldapPublicKey
cn: somehost
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4y3W1prXnx8tc6Amq+tN0fEjIPW6f+qM...

A matching SSSD configuration is capable of performing the SSH host key lookup

ldap_host_search_base = ou=Hosts,dc=example,dc=com
ldap_host_object_class = hostObject
ldap_host_fqdn = host

With SSH clients configured with a ProxyCommand of sss_ssh_knownhostproxy, the task of key management is completely eliminated:

Host *
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
    GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts

I struggled a fair bit to connect all the dots, but now that it's working, I hope this posting can be useful for somebody else.