<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css" style="display:none;"></style> </head> <body dir="ltr"> <div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;"> <p>Hi Rob,</p> <p><br> </p> <p>Thank you very much for your message. Unfortunately/fortunately after rebooting or restarting the ssh server this morning it is all working as I would expect. <span>I'm not sure what I was missing yesterday but suspect a combination of sssd caching may have been confusing me as I'm sure I'd already tried this several times.</span></p> <br> Thanks again, <div>Neal.<br> <div style="color: rgb(0, 0, 0);"> <div> <hr tabindex="-1" style="display:inline-block; width:98%"> <div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Rob Crittenden <rcritten@redhat.com><br> <b>Sent:</b> 05 July 2016 18:01<br> <b>To:</b> Neal Harrington | i-Neda Ltd; freeipa-users@redhat.com<br> <b>Subject:</b> Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query</font> <div> </div> </div> </div> <font size="2"><span style="font-size:10pt;"> <div class="PlainText">Neal Harrington | i-Neda Ltd wrote:<br> > Hi,<br> ><br> ><br> > I have successfully installed FreeIPA server version 4.2.0 on CentOS<br> > 7.2, including replication between servers. I have a few<br> > dozen Ubuntu 14.04 servers joined into IPA for authentication with<br> > various user groups controlling access, sudo permissions etc and overall<br> > I'm very happy.<br> ><br> ><br> > I have however managed to trip myself up by installing the<br> > Ubuntu clients with the --ssh-trust-dns option and now my users ssh keys<br> > are not trusted and ssh login falls back to password based on the Ubuntu<br> > clients.<br> ><br> ><br> > If I uninstall a client, reboot and then reinstall without the<br> > --ssh-trust-dns option then the users ssh key I imported into the web<br> > interface is used and login is automatic over ssh.<br> ><br> ><br> > I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and<br> > can't see anything to control this. Most of my online searches cover<br> > other aspects of ssh host keys in DNS. If I've missed anything obvious<br> > then please point me in the right direction.<br> ><br> ><br> > I have a reasonable number of servers to make this change on and ideally<br> > I'd like to push out the change to a config file and maybe restart a<br> > service. Is this behaviour easy to configure or would it be easier to go<br> > through the uninstall/reboot/reinstall loop? Luckily these are all<br> > testing servers so not a show stopper but I'd prefer to learn what is<br> > actually controlling this.<br> <br> As far as I can tell this option sets this in sshd.conf:<br> <br> VerifyHostKeyDNS = yes<br> HostKeyAlgorithms = ssh-rsa,ssh-dss<br> <br> I assume your DNS doesn't contain the SSHFP entries?<br> <br> rob<br> <br> <br> </div> </span></font></div> </div> </div> </body> </html>