[Freeipa-users] Odd problem with SSSD and SSH keys

Rob Crittenden rcritten at redhat.com
Mon Jan 13 19:36:05 UTC 2014


Bret Wortman wrote:
> I've got a strange situation where some of my workstations are reporting
> difficulty when sshing to remote systems, but there's no pattern I can
> discern. One user's machine can't get to system A, but I can, though I
> can't ssh to his workstation directly.
>
> Here's the kind of thing I see when doing ssh -vvv:
>
> debug1: Server host key: RSA 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
> debug3: load_hostkeys: loading entries for host "rs512" from file
> "/root/.ssh/known_hosts"
> debug3: load_hostkeys: loaded 0 keys
> debug3: load_hostkeys: loading entries for host "rs512" from file
> "/var/lib/sss/pubconf/known_hosts"
> debug3: load_hostkeys: found key type RSA in file
> /var/lib/sss/pubconf/known_hosts:2
> debug3: load_hostkeys: loaded 1 keys
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @   WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
> Please contact your system administrator.
> Add correct host key in /root/.ssh/known_hosts to get rid of this message.
> Offending RSA key in /var/lib/sss/pubconf/known_hosts:2
> RSA host key for zw131 has changed and you have requested strict checking.
> Host key verification failed.
> #
>
> We haven't changed the host key; the public key files are dated October
> 23 of last year. Our configuration files for SSSD and SSH are managed by
> Puppet, so they are consistent from system to system. That said, I did
> compare a system that could remote to rs512 to one that could not and
> found no differences. Here are the files:
>
> /etc/sssd/sssd.conf:
> [domain/spx.net]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = foo.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = zw129.foo.net
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
> ldap_tls_cacert = /etc/ipa/ca.crt
> [domain/.spx.net]
> cache_credentials = True
> krb5_store_password_if_offline = True
> krb5_realm = FOO.NET
> ipa_domain = .foo.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
> dns_discovery_domain = .spx.net
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
>
> domains = .spx.net, spx.net
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> Is there anything else relevant that I should be looking at?

You might compare the value of the key in IPA to what is in 
/var/lib/sss/pubconf/known_hosts

rob
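The comparison Rob suggests is mechanical enough to script. The block below is an added example, not code from the thread or from the FreeIPA/SSSD projects: it parses the known_hosts file that SSSD writes under /var/lib/sss/pubconf (assumed to use the standard OpenSSH `hostnames keytype base64-blob` line format), parses the `ipasshpubkey` attribute lines from `ipa host-show <host> --raw`, and reports whether the cached key for a given host matches any key IPA holds for it. Fingerprints are printed in the colon-separated MD5 style that the `ssh -vvv` output above uses, computed directly from the decoded key blob. The sample known_hosts lines and the `ipa host-show` output are constructed placeholders, not real RSA keys.

```python
import base64
import hashlib

# Constructed stand-in for `cat /var/lib/sss/pubconf/known_hosts` on a
# workstation. The base64 blobs are placeholders, not real RSA key blobs.
SSSD_KNOWN_HOSTS = """\
zw129 ssh-rsa QUFBQXNhbXBsZS1rZXktb25l
rs512 ssh-rsa QUFBQXNhbXBsZS1rZXktdHdv
"""

# Constructed stand-in for `ipa host-show rs512 --raw`; the ipasshpubkey
# attribute is where IPA stores the host's SSH public keys.
IPA_HOST_SHOW_RAW = """\
  dn: fqdn=rs512.foo.net,cn=computers,cn=accounts,dc=foo,dc=net
  fqdn: rs512.foo.net
  ipasshpubkey: ssh-rsa QUFBQXNhbXBsZS1rZXktdGhyZWU= root@rs512
"""


def fingerprint_md5(b64blob):
    """Colon-separated MD5 fingerprint of a base64-encoded key blob,
    the same form shown by older ssh/ssh-keygen output."""
    raw = base64.b64decode(b64blob)
    return ":".join("%02x" % b for b in hashlib.md5(raw).digest())


def parse_known_hosts(text):
    """Map each hostname/alias on a known_hosts line to (keytype, blob, lineno)."""
    keys = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):  # marker such as @cert-authority or @revoked
            parts = parts[1:]
        if len(parts) < 3:
            continue
        hosts, keytype, blob = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            keys[host] = (keytype, blob, lineno)
    return keys


def parse_ipa_sshpubkeys(text):
    """Collect (keytype, blob) pairs from ipasshpubkey: lines of --raw output."""
    result = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ipasshpubkey:"):
            parts = line.split(":", 1)[1].split()
            if len(parts) >= 2:
                result.append((parts[0], parts[1]))
    return result


def compare_host_key(host, known_hosts_text, ipa_raw_text):
    """Compare the SSSD-cached key for `host` against the keys IPA holds."""
    cached = parse_known_hosts(known_hosts_text).get(host)
    ipa_keys = parse_ipa_sshpubkeys(ipa_raw_text)
    ipa_fps = [fingerprint_md5(blob) for _, blob in ipa_keys]
    if cached is None:
        return {"status": "not-cached", "ipa_fps": ipa_fps}
    keytype, blob, lineno = cached
    match = any(kt == keytype and kb == blob for kt, kb in ipa_keys)
    return {
        "status": "match" if match else "mismatch",
        "cached_line": lineno,
        "cached_fp": fingerprint_md5(blob),
        "ipa_fps": ipa_fps,
    }


if __name__ == "__main__":
    report = compare_host_key("rs512", SSSD_KNOWN_HOSTS, IPA_HOST_SHOW_RAW)
    print("status:", report["status"])
    if "cached_fp" in report:
        print("cached (known_hosts line %d): %s" % (report["cached_line"], report["cached_fp"]))
    for fp in report["ipa_fps"]:
        print("IPA:", fp)
```

On a real workstation, feed `compare_host_key` the contents of /var/lib/sss/pubconf/known_hosts and the output of `ipa host-show <host> --raw` instead of the constructed samples. A "mismatch" with the cached fingerprint equal to the one ssh rejected means SSSD's proxy file holds a key IPA no longer has for that host; "match" points elsewhere, for example at a stale entry in the user's own ~/.ssh/known_hosts.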