sssd disable known_hosts hashing

If you use Fedora GNU/Linux and want bash autocompletion for the hosts in your FreeIPA domain when using the OpenSSH client, you have to disable known_hosts hashing in the global known_hosts file.

To find the global known_hosts file, check /etc/ssh/ssh_config:

# grep -i knownhosts /etc/ssh/ssh_config
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts

The file displayed here is the default on Fedora: /var/lib/sss/pubconf/known_hosts.

Now, to disable the hashing inside that file, you have to configure sssd.

# cat /etc/sssd/conf.d/50_ssh_hash_known_hosts.conf 
ssh_hash_known_hosts = false

I don’t know in which version the conf.d directory for sssd.conf was introduced (other than that it requires sssd to be compiled with libini >= 1.3.0), but mine had it as of Fedora 27 and sssd-1.16.0. With this entry in the config, restart sssd and, if needed, delete the previous /var/lib/sss/pubconf/known_hosts file; sssd regenerates it as it needs it.
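Hashing exists so that a copied known_hosts file does not reveal which hosts you talk to; turning it off trades that for completion, since the completion code can only read host names from unhashed lines (hashed lines start with "|1|"). sssd.conf(5) lists ssh_hash_known_hosts under the [ssh] section. The following is an added example, not code from the post, for checking which kind of entries a known_hosts file currently holds; the sample file it embeds is constructed, with placeholder keys and no real hosts.

```shell
#!/bin/sh
# Added example, not from the post: classify the entries of a known_hosts file
# so you can see whether hashing is still in effect. Bash completion for ssh can
# only offer host names from plain (unhashed) lines; hashed lines start with "|1|".

# Constructed sample file: no real hosts, keys truncated to placeholders.
SAMPLE_KNOWN_HOSTS='# comment line
|1|c29tZXNhbHQ=|c29tZWhhc2g= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1
ipa1.example.test,10.0.0.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2
[git.example.test]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER3
@cert-authority *.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER4'

# known_hosts_report: reads a known_hosts file on stdin and prints
#   hashed N   (lines whose host field is hashed, unusable for completion)
#   plain N    (lines with readable host names)
#   host NAME  (one line per distinct readable name or address, sorted)
known_hosts_report() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                          # blank and comment lines
        $1 == "@cert-authority" || $1 == "@revoked" { next }   # marker lines, not plain hosts
        substr($1, 1, 3) == "|1|" { hashed++; next }           # hashed entry
        {
            plain++
            n = split($1, names, ",")                          # "host,alias,ip" -> several names
            for (i = 1; i <= n; i++) hosts[names[i]] = 1
        }
        END {
            print "hashed", hashed + 0
            print "plain", plain + 0
            for (h in hosts) print "host", h | "sort"
        }'
}

# usage: known_hosts_report < /var/lib/sss/pubconf/known_hosts
```

Run it against /var/lib/sss/pubconf/known_hosts before and after the sssd restart: the "hashed" count should drop to zero once the file has been regenerated.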




Smarter way to use df on GNU/Linux

To hide all the cruft, you can exclude filesystem types. I learned df on AIX UNIX, so I never bothered to read the man page for GNU df.

df -PBM -xtmpfs -xdevtmpfs



Shell functions for testing other functions

When I am updating or adding to my scripts package, I like to find out the fastest way to execute a task.

This involves using the time command and a few wrapper functions.

Here’s an example. I was updating my lsd (list directories) function, and I wanted to see how fast it is compared to a variant I was considering.

func() { pushd "${1}" 1>/dev/null 2>&1 ; find $( find . -maxdepth 1 -type d -printf '%p\n' | sed -r -e 's/^\.\/?//;' | sed -r -e '/^\s*$/d' ) -maxdepth 0 -exec ls -ldF --color=always {} + ; popd 1>/dev/null 2>&1 ;  } ;

func_wrapper() { __x=0 ; while test ${__x} -lt ${1} ; do __x=$(( __x + 1 )) ; func "${2}" "${3}" ; done ; }

So now you can run the wrapper and tell it how many times to loop:

time func_wrapper 1000 . 1>/dev/null

real    0m6.081s
user    0m2.103s
sys     0m5.157s
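The wrapper above hard-codes the function it times. The following is an added example, not code from the post, of a generic version that takes the function name as an argument and stops at the first failure, so a broken variant cannot produce a fast but meaningless timing; the two directory-counting functions it compares are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post: a generic version of func_wrapper that takes
# the function name as an argument instead of hard-coding it, and stops early
# if the function under test fails.

# repeat_call COUNT FUNC [ARG...] : call FUNC with ARG... COUNT times
repeat_call() {
    _n="$1"; shift
    _fn="$1"; shift
    _i=0
    while [ "${_i}" -lt "${_n}" ]; do
        _i=$(( _i + 1 ))
        "${_fn}" "$@" || return 1      # propagate the first failure
    done
    return 0
}

# Two variants to compare (constructed for this example): count the
# subdirectories of a directory. Note they are not identical: the glob
# variant skips dot-directories, the find variant does not.
count_dirs_find() {
    find "${1:-.}" -mindepth 1 -maxdepth 1 -type d | wc -l
}
count_dirs_glob() {
    set -- "${1:-.}"/*/
    if [ -d "$1" ]; then echo $#; else echo 0; fi
}

# usage:
#   time repeat_call 1000 count_dirs_find . >/dev/null
#   time repeat_call 1000 count_dirs_glob . >/dev/null
```

Check that two variants give the same answer on the same input before comparing their timings; a faster function that counts different things is not a faster function.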

My best practice for html links

  • Don’t use target="_blank", because that forces only one behavior: opening in a new tab. I should expect the user to open a link in a new tab if he wants to.
  • Don’t omit the referrer (which is what rel="noreferrer" does). I want other sites to know who is linking to them, in the hopes of getting cross-traffic.
  • Do include rel="noopener" to protect users (reference 1).
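rel="noopener" matters because a page opened from a link otherwise receives a window.opener handle back to the page that linked it; current browsers apply noopener implicitly for target="_blank", but an explicit rel costs nothing. The following is an added example, not code from the post, that audits the <a> tags of a page against the three rules above; the sample markup it embeds is constructed.

```shell
#!/bin/sh
# Added example, not from the post: audit the <a> tags in a page against the
# three link rules (no target=_blank, no noreferrer, always noopener).

# Constructed sample markup, not a real site.
SAMPLE_HTML='<p><a href="https://example.test/a" target="_blank" rel="noopener">new tab</a>
<a href="https://example.test/b" rel="noopener noreferrer">no referrer</a>
<a href="https://example.test/c">bare link</a></p>'

# link_audit: reads HTML on stdin and prints one line per <a> tag:
# the href followed by "OK" or by the rules it breaks.
link_audit() {
    tr '\n' ' ' | grep -o -i '<a [^>]*>' | while IFS= read -r _tag; do
        _href=$(printf '%s' "${_tag}" | sed -n -E 's/.*href="([^"]*)".*/\1/p')
        _rel=$(printf '%s' "${_tag}" | sed -n -E 's/.*rel="([^"]*)".*/\1/p')
        _problems=""
        case "${_tag}" in
            *'target="_blank"'*) _problems="${_problems} target=_blank" ;;
        esac
        case " ${_rel} " in
            *" noreferrer "*) _problems="${_problems} noreferrer" ;;
        esac
        case " ${_rel} " in
            *" noopener "*) ;;
            *) _problems="${_problems} missing-noopener" ;;
        esac
        printf '%s%s\n' "${_href}" "${_problems:- OK}"
    done
}

# usage: curl -s https://example.test/ | link_audit
```

This is a plain text scan, not an HTML parser: it is good enough for hand-written pages, but attributes written with single quotes or without quotes will not be picked up.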




List current xvnc sessions in xrdp so you can reconnect to your old one


{ echo "user pid Xdisplay port"; { ps -ef | awk '/Xvnc :[[:digit:]]+/ {print $1,$2,$9}' | while read tu tpid tvnc; do sudo netstat -tlpn | awk -v "tpid=${tpid}" '$0 ~ tpid {print $4;}' | sed -r -e 's/^.*://;' -e "s/^/${tu} ${tpid} ${tvnc} /;" ; done ; } | sort -k3 ; } | column -c4 -t

The story

I connected to a gnome session on a terminal server, and disconnected. I wanted to reconnect to my current session, but apparently I got a new X session. After some research, I learned you can configure xrdp to prompt for the port number so you can get back to the previous session. However, then you have to know what to type in. After doing a manual ps and netstat, I found some useful numbers. What I needed to enter was the tcp port number, so 5919.

The explanation

You can have an entry in the /etc/xrdp/xrdp.ini file like the following block.


When you connect over RDP, select the “Reconnect” module and type in a port number, which you can find from the output of the one-liner.

{ echo "user pid Xdisplay port"; { ps -ef | awk '/Xvnc :[[:digit:]]+/ {print $1,$2,$9}' | while read tu tpid tvnc; do sudo netstat -tlpn | awk -v "tpid=${tpid}" '$0 ~ tpid {print $4;}' | sed -r -e 's/^.*://;' -e "s/^/${tu} ${tpid} ${tvnc} /;" ; done ; } | sort -k3 ; } | column -c4 -t
user       pid    Xdisplay  port
mjohnso    11448  :17       5917
mjohnso    12939  :18       5918
bgstack15  1219   :19       5919
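The one-liner matches the pid anywhere in the netstat line ($0 ~ tpid), so a pid such as 1219 would also match a listener on port 51219 or a pid 31219. The following is an added example, not code from the post, that derives the expected VNC port from the display number (5900 + display) and confirms a listener owned by exactly that pid; the ps and netstat output it embeds is constructed in the shape of ps -ef and netstat -tlpn.

```shell
#!/bin/sh
# Added example, not from the post: list Xvnc sessions with the port to type
# into xrdp's Reconnect module. The port is derived from the display number
# and confirmed against a listener owned by exactly that pid.

# Constructed sample output shaped like `ps -ef` and `netstat -tlpn`; no real hosts.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
mjohnso   11448     1  0 08:01 ?        00:00:05 /usr/bin/Xvnc :17 -auth /home/mjohnso/.Xauthority -geometry 1280x1024
bgstack15  1219     1  0 09:14 ?        00:00:02 /usr/bin/Xvnc :19 -auth /home/bgstack15/.Xauthority -geometry 1280x1024
ghost      4444     1  0 09:20 ?        00:00:00 /usr/bin/Xvnc :20 -auth /home/ghost/.Xauthority
root       2000     1  0 07:00 ?        00:00:00 /usr/sbin/sshd -D'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2000/sshd
tcp        0      0 127.0.0.1:5917          0.0.0.0:*               LISTEN      11448/Xvnc
tcp        0      0 127.0.0.1:6017          0.0.0.0:*               LISTEN      11448/Xvnc
tcp        0      0 127.0.0.1:5919          0.0.0.0:*               LISTEN      1219/Xvnc
tcp        0      0 127.0.0.1:51219         0.0.0.0:*               LISTEN      3333/other'

# xvnc_sessions PS_OUTPUT NETSTAT_OUTPUT : prints "user pid display port" for
# each Xvnc whose expected VNC port really is listening under that pid.
xvnc_sessions() {
    _ps="$1"; _net="$2"
    printf '%s\n' "${_ps}" |
        awk '/Xvnc :[0-9]+/ { for (i = 8; i <= NF; i++) if ($i ~ /^:[0-9]+$/) { print $1, $2, $i; break } }' |
        while read -r _user _pid _disp; do
            _port=$(( 5900 + ${_disp#:} ))          # VNC port = 5900 + display number
            # field 4 must end in ":PORT" and field 7 must start with "PID/"
            if printf '%s\n' "${_net}" |
                awk -v pid="${_pid}" -v port="${_port}" \
                    '$4 ~ (":" port "$") && $7 ~ ("^" pid "/") { found = 1 } END { exit !found }'
            then
                printf '%s %s %s %s\n' "${_user}" "${_pid}" "${_disp}" "${_port}"
            fi
        done | sort -k3
}

# usage: xvnc_sessions "$(ps -ef)" "$(sudo netstat -tlpn)" | column -t
```

The Xvnc for user ghost in the sample has no listener on 5920, so it is dropped, and the unrelated listener on 51219 never matches pid 1219. If you use ss -tlnp instead of netstat, the pid sits in a different column ("users:((...,pid=1219,...))"), so the second awk pattern has to change accordingly.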




Getting Firefox and Java to work with jnlp files

If you are having trouble opening a jnlp file (e.g., for IPMI console access) you can try some of these steps.

  • Tell Firefox to allow pop-up windows for this site.
  • Tell Firefox how to handle the filetype .jnlp:
      • Tell it to open it with /usr/bin/javaws.
  • Tell Java to allow the site to run applications:
      • If you get “Application Blocked by Java Security” you can fix that by editing an exceptions list.
      • Modify file ~/.java/deployment/security/exception.sites
      • Each line in this file should be a protocol and domain name or IP address for the exception, e.g.:
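Since exception.sites is an allowlist, an entry that is malformed or broader than intended quietly weakens it. The following is an added example, not code from the post, that appends an entry only when it has the scheme://host[:port] shape and is not already present; the file path can be overridden through the (assumed, not a Java setting) JAVA_EXCEPTION_SITES variable, and the IPMI address in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not from the post: append a site to Java's exception list
# only if it is well-formed and not already present.

# java_allow_site URL : URL must be http(s)://host[:port] with no path.
# JAVA_EXCEPTION_SITES is an assumed override for the file path (not a Java
# setting); it defaults to the per-user file Java actually reads.
java_allow_site() {
    _site="$1"
    _file="${JAVA_EXCEPTION_SITES:-${HOME}/.java/deployment/security/exception.sites}"
    case "${_site}" in
        http://*|https://*) ;;
        *) echo "refusing '${_site}': must start with http:// or https://" >&2; return 1 ;;
    esac
    _hostport="${_site#*://}"
    case "${_hostport}" in
        ""|*/*|*" "*) echo "refusing '${_site}': host only, no path" >&2; return 1 ;;
    esac
    mkdir -p "$(dirname "${_file}")" || return 1
    touch "${_file}" || return 1
    if grep -q -x -F "${_site}" "${_file}"; then
        return 0                       # already listed, nothing to do
    fi
    printf '%s\n' "${_site}" >> "${_file}"
}

# usage: java_allow_site https://192.0.2.10    (constructed IPMI address)
```

Keep entries as specific as the console needs: an entry for the exact host and port allows that one controller, while widening it further than necessary extends the trust to everything served from that origin.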





I needed to query certain information about a user on a Linux system. Specifically this output:

user: bgstack15
getent: YES
getent_type: sss
can_ssh: YES
can_sss: YES

I wanted to know if a user is defined (getent), and if so, in which database (local or in Active Directory). Also, is the user in the AllowUsers list of the sshd_config, or a member of a group in the AllowGroups list. And then the same question for the sssd config file.
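The following is an added example, not the post's script, covering the sshd part of that check: given a user name and the groups the user belongs to, it reads an sshd_config and decides whether AllowUsers and AllowGroups admit the user. The sshd_config it embeds is constructed. It evaluates only those two directives, ignoring Match blocks and the Deny* directives, and treats patterns as shell globs (so "svc-*" works; "user@host" forms only match when passed literally).

```shell
#!/bin/sh
# Added example, not the post's script: decide whether sshd's AllowUsers /
# AllowGroups directives admit a user. Reads an sshd_config on stdin.
# Limitations (assumed acceptable here): Match blocks and Deny* directives are
# not evaluated; patterns are matched as shell globs.

# Constructed sample config, not from any real host.
SAMPLE_SSHD_CONFIG='Port 22
# AllowUsers root
AllowUsers bgstack15 svc-*
AllowGroups wheel sshusers'

# _matches_any WORD "PATTERN PATTERN..." : succeed if WORD matches one pattern
_matches_any() {
    _word="$1"; _list="$2"
    (
        set -f                        # no pathname expansion while splitting patterns
        for _pat in ${_list}; do
            case "${_word}" in
                ${_pat}) exit 0 ;;
            esac
        done
        exit 1
    )
}

# sshd_allows USER [GROUP...] : prints YES or NO; exit status agrees
sshd_allows() {
    _user="$1"; shift
    _au=""; _ag=""; _have_au=0; _have_ag=0
    while read -r _key _rest; do
        case "$(printf '%s' "${_key}" | tr '[:upper:]' '[:lower:]')" in
            allowusers)  _have_au=1; _au="${_au} ${_rest}" ;;
            allowgroups) _have_ag=1; _ag="${_ag} ${_rest}" ;;
        esac
    done
    # if AllowUsers is present, the user must match one of its patterns...
    if [ "${_have_au}" -eq 1 ]; then
        _matches_any "${_user}" "${_au}" || { echo NO; return 1; }
    fi
    # ...and if AllowGroups is present, at least one of the groups must match
    if [ "${_have_ag}" -eq 1 ]; then
        _ok=0
        for _g in "$@"; do
            if _matches_any "${_g}" "${_ag}"; then _ok=1; break; fi
        done
        [ "${_ok}" -eq 1 ] || { echo NO; return 1; }
    fi
    echo YES
    return 0
}

# usage: sshd_allows "$u" $(id -Gn "$u") < /etc/ssh/sshd_config
```

Both directives are cumulative in sshd: when both are set, the user has to pass both lists, which is why the function only prints YES after the second check.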

The script

Hash certificate directory for ldap trust

When you work with OpenLDAP clients on GNU/Linux, you might have to interact with Active Directory, and you want to secure that connection with SSL.

When you want to tell ldap to trust the SSL certificates, it might take you a while to get it to actually trust them. You have to fetch the root CA certificate and do one of several things with it:

  • Save to a file, and update /etc/openldap/ldap.conf variable TLS_CACERT
  • Save to the nssdb using certutil
  • Save to a file in a directory with the right name (from openssl x509 -hash -noout -in FILENAME) and set variable TLS_CACERTDIR

Or you could set “TLS_REQCERT allow” in the conf, but you decided that you actually want the trust to work, for once.

I’ve written a script that takes all the files in /etc/pki/ca-trust/source/anchors/ and makes symlinks to them, with the right filenames, in the /etc/openldap/cacerts/ directory. Then you can just set “TLS_CACERTDIR /etc/openldap/cacerts” and be done.
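The following is an added example, not the author's script, of that symlinking: for every certificate in the source directory it computes the subject hash with openssl x509 -hash -noout, then links the file as HASH.0, HASH.1, ... in the target directory, skipping a certificate that is already linked and using the next suffix when two different certificates share a hash. The directories in the usage comment are the ones the post names; the test below generates a throwaway self-signed certificate with openssl so nothing from a real trust store is needed.

```shell
#!/bin/sh
# Added example, not the author's script: populate a TLS_CACERTDIR-style
# directory with HASH.N symlinks to the PEM files of a source directory.

# hash_cert_dir SRC_DIR DST_DIR
hash_cert_dir() {
    _src="$1"; _dst="$2"
    mkdir -p "${_dst}" || return 1
    for _cert in "${_src}"/*.pem "${_src}"/*.crt; do
        [ -f "${_cert}" ] || continue                      # unmatched glob
        _hash=$(openssl x509 -hash -noout -in "${_cert}" 2>/dev/null) || {
            echo "skip ${_cert}: not a PEM certificate" >&2
            continue
        }
        _n=0
        # find the first free HASH.N, but do nothing if this exact certificate
        # is already linked under that hash
        while [ -e "${_dst}/${_hash}.${_n}" ] || [ -L "${_dst}/${_hash}.${_n}" ]; do
            if cmp -s "${_cert}" "${_dst}/${_hash}.${_n}"; then
                continue 2                                 # already present
            fi
            _n=$(( _n + 1 ))
        done
        _abs="$(cd "$(dirname "${_cert}")" && pwd)/$(basename "${_cert}")"
        ln -s "${_abs}" "${_dst}/${_hash}.${_n}" || return 1
    done
}

# usage: hash_cert_dir /etc/pki/ca-trust/source/anchors /etc/openldap/cacerts
```

Re-run it after adding an anchor; existing links are left alone, and a certificate that was removed from the source directory leaves a dangling link behind that you should clean up by hand.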