[Freeipa-users] Odd problem with SSSD and SSH keys

Bret Wortman bret.wortman at damascusgrp.com
Mon Jan 13 19:44:29 UTC 2014


They're definitely different. I deleted the one in the file, then tried 
again. It put the bad key back in the file. I blew the whole file away 
and the same thing happened. Where is this key coming from if not from IPA?


On 01/13/2014 02:36 PM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> I've got a strange situation where some of my workstations are reporting
>> difficulty when sshing to remote systems, but there's no pattern I can
>> discern. One user's machine can't get to system A, but I can, though I
>> can't ssh to his workstation directly.
>>
>> Here's the kind of thing I see when doing ssh -vvv:
>>
>> debug1: Server host key: RSA 
>> 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
>> debug3: load_hostkeys: loading entries for host "rs512" from file
>> "/root/.ssh/known_hosts"
>> debug3: load_hostkeys: loaded 0 keys
>> debug3: load_hostkeys: loading entries for host "rs512" from file
>> "/var/lib/sss/pubconf/known_hosts"
>> debug3: load_hostkeys: found key type RSA in file
>> /var/lib/sss/pubconf/known_hosts:2
>> debug3: load_hostkeys: loaded 1 keys
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> @   WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>> Someone could be eavesdropping on you right now (man-in-the-middle
>> attack)!
>> It is also possible that a host key has just been changed.
>> The fingerprint for the RSA key sent by the remote host is
>> 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
>> Please contact your system administrator.
>> Add correct host key in /root/.ssh/known_hosts to get rid of this 
>> message.
>> Offending RSA key in /var/lib/sss/pubconf/known_hosts:2
>> RSA host key for zw131 has changed and you have requested strict 
>> checking.
>> Host key verification failed.
>> #
>>
>> We haven't changed the host key; the public key files are dated October
>> 23 of last year. Our configuration files for SSSD and SSH are managed by
>> Puppet, so they are consistent from system to system. That said, I did
>> compare a system that could remote to rs512 to one that could not and
>> found no differences. Here are the files:
>>
>> /etc/sssd/sssd.conf:
>> [domain/spx.net]
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = foo.net
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = zw129.foo.net
>> chpass_provider = ipa
>> ipa_dyndns_update = True
>> ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> [domain/.spx.net]
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> krb5_realm = FOO.NET
>> ipa_domain = .foo.net
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> chpass_provider = ipa
>> ipa_dyndns_update = True
>> ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
>> dns_discovery_domain = .spx.net
>> [sssd]
>> services = nss, pam, ssh
>> config_file_version = 2
>>
>> domains = .spx.net, spx.net
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> Is there anything else relevant that I should be looking at?
>
> You might compare the value of the key in IPA to what is in 
> /var/lib/sss/pubconf/known_hosts
>
> rob
>

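Added example, not code from the list thread nor from FreeIPA or SSSD. Rob's suggestion amounts to lining up three copies of the host's RSA key: the one the server actually presented (the "Server host key: RSA <fingerprint>" line in ssh -vvv), the entry in /var/lib/sss/pubconf/known_hosts (which sss_ssh_knownhostsproxy rewrites from SSSD's cache on each connection, which is why deleting the file or the line does not help), and the key stored on the host entry in IPA (the "SSH public key fingerprint" that ipa host-show prints, or the raw ipaSshPubKey attribute). The script below computes the old colon-separated MD5 fingerprint from a known_hosts entry, so the three can be compared in the format ssh printed in the quoted output, and says which copy disagrees. The host names, the two RSA keys and the known_hosts contents are constructed inline (toy moduli in valid ssh-rsa wire format, not real key pairs) so it runs offline; the verdict strings are this example's own wording.

```python
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude with a leading 0x00 if the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def make_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob, i.e. what the base64 field of a known_hosts line decodes to."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 of the blob: the format in the quoted ssh output ('2a:1e:1c:...')."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """The OpenSSH 6.8+ default format, in case a newer client is used for the comparison."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (hostnames, keytype, blob) per entry; skips comments, @marker lines and hashed names."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):        # @cert-authority / @revoked markers
            parts = parts[1:]
        if len(parts) < 3 or parts[0].startswith("|1|"):
            continue                        # hashed host names cannot be matched by name
        yield parts[0].split(","), parts[1], base64.b64decode(parts[2])


def diagnose(presented_fp: str, known_hosts_text: str, ipa_fp: str, host: str) -> dict:
    """Compare the fingerprint the server presented with the cache entries and the IPA copy."""
    cached = [md5_fingerprint(blob)
              for hosts, keytype, blob in parse_known_hosts(known_hosts_text)
              if host in hosts and keytype == "ssh-rsa"]
    return {
        "cached_fingerprints": cached,
        "server_matches_cache": presented_fp in cached,
        "server_matches_ipa": presented_fp == ipa_fp,
        "cache_matches_ipa": ipa_fp in cached,
    }


def explain(result: dict) -> str:
    """Turn the three comparisons into the next thing to look at (wording is this example's own)."""
    if result["server_matches_cache"]:
        return "no mismatch: the cached entry already matches the server"
    if result["server_matches_ipa"]:
        return "SSSD cache is stale: IPA has the key the server presents, the proxy wrote an older one"
    if result["cache_matches_ipa"]:
        return "IPA holds an old key: cache and IPA agree, server differs (rotated key, or a real MITM)"
    return "no two copies agree: check the host entry in IPA and the server's /etc/ssh/ssh_host_rsa_key.pub"


# Constructed toy keys: valid ssh-rsa wire format, but not real key pairs.
OLD_KEY = make_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
NEW_KEY = make_rsa_blob(65537, 0xDEADBEEF0123456789ABCDEF)

# Constructed stand-in for /var/lib/sss/pubconf/known_hosts; host names are assumed.
SSSD_KNOWN_HOSTS = "\n".join([
    "rs512,rs512.foo.net ssh-rsa " + base64.b64encode(OLD_KEY).decode(),
    "zw131,zw131.foo.net ssh-rsa " + base64.b64encode(NEW_KEY).decode(),
])


def demo() -> dict:
    """Scenario modelled on the thread: the server presents NEW_KEY, the cache still holds OLD_KEY."""
    presented = md5_fingerprint(NEW_KEY)   # from the 'Server host key: RSA ...' debug line
    ipa_copy = md5_fingerprint(NEW_KEY)    # what ipa host-show reports for the host entry
    result = diagnose(presented, SSSD_KNOWN_HOSTS, ipa_copy, "rs512")
    result["verdict"] = explain(result)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the fingerprints for the cache come from `ssh-keygen -lf /var/lib/sss/pubconf/known_hosts` (add `-E md5` on newer OpenSSH to get the colon form), and the IPA copy from `ipa host-show <fqdn>`; which fingerprint format that command prints depends on the IPA version, so if they differ, compare the base64 key material itself rather than the digests. If the comparison lands on the "cache is stale" branch, the file is not the thing to fix, since the proxy regenerates it; the cached host entry in SSSD is (sss_cache is the standard tool for invalidating it).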
