[Freeipa-users] Odd problem with SSSD and SSH keys

Dmitri Pal dpal at redhat.com
Mon Jan 13 19:52:07 UTC 2014 

On 01/13/2014 02:44 PM, Bret Wortman wrote:
> They're definitely different. I deleted the one in the file, then
> tried again. It put the bad key back in the file. I blew the whole
> file away and the same thing happened. Where is this key coming from
> if not from IPA?

Puppet?

>
>
> On 01/13/2014 02:36 PM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> I've got a strange situation where some of my workstations are
>>> reporting
>>> difficulty when sshing to remote systems, but there's no pattern I can
>>> discern. One user's machine can't get to system A, but I can, though I
>>> can't ssh to his workstation directly.
>>>
>>> Here's the kind of thing I see when doing ssh -vvv:
>>>
>>> debug1: Server host key: RSA
>>> 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
>>> debug3: load_hostkeys: loading entries for host "rs512" from file
>>> "/root/.ssh/known_hosts"
>>> debug3: load_hostkeys: loaded 0 keys
>>> debug3: load_hostkeys: loading entries for host "rs512" from file
>>> "/var/lib/sss/pubconf/known_hosts"
>>> debug3: load_hostkeys: found key type RSA in file
>>> /var/lib/sss/pubconf/known_hosts:2
>>> debug3: load_hostkeys: loaded 1 keys
>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> @   WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>> Someone coudl be eavesdropping on you right now (man-in-the-middle
>>> attack)!
>>> It is also possible that a host key has just been changed.
>>> The fingerprint for the RSA key sent by the remote host is
>>> 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
>>> Please contact your system administrator.
>>> Add correct host key in /root/.ssh/known_hosts to get rid of this
>>> message.
>>> Offending RSA key in /var/lib/sss/pubconf/known_hosts:2
>>> RSA host key for zw131 has changed and you have requested strict
>>> checking.
>>> Host key verification failed.
>>> #
>>>
>>> We haven't changed the host key; the public key files are dated October
>>> 23 of last year. Our configuration files for SSSD and SSH are
>>> managed by
>>> Puppet, so they are consistent from system to system. That said, I did
>>> compare a system that could remote to rs512 to one that could not and
>>> found no differences. Here are the files:
>>>
>>> /etc/sssd/sssd.conf:
>>> [domain/spx.net]
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = foo.net
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> ipa_hostname = zw129.foo.net
>>> chpass_provider = ipa
>>> ipa_dyndns_update = True
>>> ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> [domain/.spx.net]
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> krb5_realm = FOO.NET
>>> ipa_domain = .foo.net
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> chpass_provider = ipa
>>> ipa_dyndns_update = True
>>> ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
>>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
>>> dns_discovery_domain = .spx.net
>>> [sssd]
>>> services = nss, pam, ssh
>>> config_file_version = 2
>>>
>>> domains = .spx.net, spx.net
>>> [nss]
>>>
>>> [pam]
>>>
>>> [sudo]
>>>
>>> [autofs]
>>>
>>> [ssh]
>>>
>>> Is there anything else relevant that I should be looking at?
>>
>> You might compare the value of the key in IPA to what is in
>> /var/lib/sss/pubconf/known_hosts
>>
>> rob
>>
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140113/e27d35a3/attachment.htm>

More information about the Freeipa-users mailing list