Debugging SSH “no hostip for proxy command” Warning: Host Key Verification Issues and SSSD Integration

When attempting to SSH into host.example.com with a correct entry in ~/.ssh/config, you might encounter:

The authenticity of host 'host.example.com (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is 62:db:31:0b:ce:e3:7b:a1:c7:0f:46:d1:7d:e5:48:10.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.

Several important factors are present in this scenario:

  • SSH config is properly set up with IdentityFile
  • Host exists in /etc/ssh/ssh_known_hosts with matching fingerprint
  • No entry in the user's ~/.ssh/known_hosts
  • System uses SSSD for host key management (/var/lib/sss/pubconf/known_hosts)

The warning occurs because the SSH client checks host keys in this order:

  1. ~/.ssh/known_hosts
  2. /etc/ssh/ssh_known_hosts
  3. /var/lib/sss/pubconf/known_hosts (when SSSD is configured)
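As an added illustration of the lookup order above (example code written for this page, not taken from it or from OpenSSH), the following Python walks a list of known_hosts files in the given order and reports which one carries an entry for a host, handling hashed (HashKnownHosts), wildcard and negated host fields. The file paths, salt and key strings inside demo() are constructed placeholders.

```python
import base64, fnmatch, hashlib, hmac, os, tempfile

def hashed_host(hostname, salt):
    """Build a HashKnownHosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, hostname):
    """True if a known_hosts host field covers hostname: hashed, plain, wildcard or negated."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hashed_host(hostname, salt), field)
    matched = False
    for alt in field.split(","):
        if alt.startswith("!"):
            if fnmatch.fnmatchcase(hostname, alt[1:]):
                return False  # an explicit negation wins over any positive match
        elif fnmatch.fnmatchcase(hostname, alt):
            matched = True
    return matched

def find_known_host(hostname, files):
    """Walk known_hosts files in lookup order; return (path, line_no, key_type) of the first hit."""
    for path in files:
        if not os.path.isfile(path):
            continue  # a missing file is simply skipped, as the client does
        with open(path) as fh:
            for num, line in enumerate(fh, 1):
                fields = line.split()
                if not fields or fields[0].startswith("#"):
                    continue
                if fields[0].startswith("@"):  # drop a @cert-authority / @revoked marker
                    fields = fields[1:]
                if len(fields) >= 3 and host_matches(fields[0], hostname):
                    return path, num, fields[1]
    return None

def demo():
    """Constructed files (not real keys): empty user file, hashed SSSD entry, wildcard global entry."""
    d = tempfile.mkdtemp()
    user, sss, glob = (os.path.join(d, n) for n in ("known_hosts", "sss_known_hosts", "ssh_known_hosts"))
    open(user, "w").close()
    with open(sss, "w") as fh:
        fh.write(hashed_host("host.example.com", b"\x01" * 20) + " ssh-rsa AAAAB3NzaC1yc2EXAMPLE\n")
    with open(glob, "w") as fh:
        fh.write("# global file\n*.example.com,!bastion.example.com ssh-ed25519 AAAAC3NzaEXAMPLE\n")
    order = [user, sss, glob]
    return find_known_host("host.example.com", order), find_known_host("bastion.example.com", order)
```

demo() shows the hashed SSSD entry winning for host.example.com and the negated global pattern rejecting bastion.example.com; point find_known_host at the real paths from ssh -G to check a live client.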

The <no hostip for proxy command> placeholder indicates that SSH has no host IP available while the proxy command is running, which is typical of ProxyCommand/ProxyJump (jump host) setups and other layered SSH configurations.

For systems using FreeIPA/SSSD:

# Register the host in FreeIPA; the SSH public key stored on the host entry
# (via --sshpubkey on host-add/host-mod) is what SSSD serves through its known_hosts
ipa host-add host.example.com
ipa service-add host/host.example.com

Alternative manual solution:

# Manual fallback: write the target host's public key (the contents of
# /etc/ssh/ssh_host_rsa_key.pub taken from host.example.com itself) in
# known_hosts format, i.e. prefixed with the hostname; a bare .pub file has no
# host field. SSSD regenerates this file, so treat this as a temporary workaround.
echo "host.example.com $(cut -d' ' -f1,2 /etc/ssh/ssh_host_rsa_key.pub)" | sudo tee -a /var/lib/sss/pubconf/known_hosts
sudo chmod 644 /var/lib/sss/pubconf/known_hosts
sudo restorecon /var/lib/sss/pubconf/known_hosts

After implementing the solution, verify with:

ssh -vvv host.example.com

Check the debug output for lines similar to:

debug1: checking /var/lib/sss/pubconf/known_hosts
debug1: Host 'host.example.com' is known and matches the RSA host key.

For complex environments using ProxyCommand, ensure proper host resolution:

# Exclude the bastion itself, otherwise it would be proxied through itself
Host *.example.com !bastion.example.com
  User deployuser
  IdentityFile ~/.ssh/deployuser_key
  ProxyCommand ssh -W %h:%p bastion.example.com
  # Look up and record the key under the target's own name (ssh_config has no trailing comments)
  HostKeyAlias %h

The HostKeyAlias directive makes the client look up and save the host key under the given name rather than under whatever the proxy connection presents, which keeps host key verification meaningful when using jump hosts or proxies.


When executing ssh host.example.com, seeing <no hostip for proxy command> in the authenticity warning means SSH could not determine the host's IP during the initial connection phase. This typically occurs when:

1. ProxyCommand is misconfigured in ssh_config
2. System-wide known_hosts lookup fails
3. SSSD (System Security Services Daemon) is managing host keys

Despite having the host in /etc/ssh/ssh_known_hosts with matching fingerprints, SSH consults /var/lib/sss/pubconf/known_hosts first, because ipa-client-install points GlobalKnownHostsFile at the SSSD-managed file, giving this order:

# Typical lookup order:
1. ~/.ssh/known_hosts
2. /var/lib/sss/pubconf/known_hosts (when SSSD is active)
3. /etc/ssh/ssh_known_hosts

Run with verbose debugging to see the actual lookup path:

ssh -vvv host.example.com 2>&1 | grep -i known_hosts
# Example output:
# debug1: checking /var/lib/sss/pubconf/known_hosts
# debug1: checking /etc/ssh/ssh_known_hosts

When FreeIPA manages host keys through SSSD, add entries via:

# Store the key on the FreeIPA host entry; SSSD serves it from /var/lib/sss/pubconf/known_hosts.
# ssh-keyscan trusts whatever answers on the wire, so prefer a key copied out-of-band
# from /etc/ssh/ssh_host_rsa_key.pub on the host itself when you can.
ipa host-mod host.example.com --sshpubkey="$(ssh-keyscan -t rsa host.example.com 2>/dev/null | awk '{print $2,$3}')"

Override the default lookup behavior in ~/.ssh/config:

Host host.example.com
  User deployuser
  HostName host.example.com
  IdentityFile ~/.ssh/deployuser_key
  UserKnownHostsFile ~/.ssh/known_hosts
  GlobalKnownHostsFile /etc/ssh/ssh_known_hosts

If using jump hosts or complex proxy configurations, you can connect directly and drop the host-IP cross-check (note that CheckHostIP no removes one consistency check on the recorded key):

Host *.example.com
  ProxyCommand none
  CheckHostIP no

For advanced debugging, capture the full connection flow through an explicit proxy command (this reproduces the <no hostip for proxy command> placeholder on purpose):

ssh -vvv -o "ProxyCommand=nc %h %p" host.example.com