[Freeipa-users] Odd problem with SSSD and SSH keys

Bret Wortman bret.wortman at damascusgrp.com
Tue Jan 14 11:34:01 UTC 2014


The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the 
host in question. It should not have had any connectivity issues; it's 
co-located with several of our IPA masters.

I'd be happy to run sss_ssh_knownhostsproxy manually but haven't been 
able to locate the proxy command to use via Google yet. Any guidance?


On 01/14/2014 05:43 AM, Jan Cholasta wrote:
> On 13.1.2014 22:18, Jakub Hrozek wrote:
>> On Mon, Jan 13, 2014 at 02:44:29PM -0500, Bret Wortman wrote:
>>> They're definitely different. I deleted the one in the file, then
>>> tried again. It put the bad key back in the file. I blew the whole
>>> file away and the same thing happened. Where is this key coming from
>>> if not from IPA?
>>
>> Can you try running sss_ssh_knownhostsproxy manually to see what key
>> it returns?
>>
>> The keys are propagated to the file from the sssd database. If the client
>> was offline, the client could use stale records. Can you verify the client
>> has no connectivity issues?
>>
>> Honza (CC-ed) might have some more hints.
>>
>
> Compare the public key in /etc/ssh/ssh_host_rsa_key.pub on the host 
> with the public key for that host in IPA. If they do not match, the 
> host key was changed after IPA client was installed and the host 
> record in IPA must be manually updated with the new key.
>
> Honza
>
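
The comparison suggested above (the key in /etc/ssh/ssh_host_rsa_key.pub against the key IPA holds for the host, or against the entry that keeps reappearing in the known_hosts file) can be done on the decoded key blobs rather than by eye. This is an added example, not part of the original thread; the hostname and key material are constructed, not real keys.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_pubkey(line):
    """Return (key_type, blob) from a .pub line or a known_hosts line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1], validate=True)
            # The blob begins with a length-prefixed copy of the key type;
            # a mismatch means the line was truncated or hand-edited.
            expected = struct.pack(">I", len(field)) + field.encode()
            if not blob.startswith(expected):
                raise ValueError("key type does not match key blob")
            return field, blob
    raise ValueError("no public key found in line")

def fingerprint(line):
    """SHA256 fingerprint in the form printed by ssh-keygen -lf."""
    _, blob = parse_pubkey(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def same_host_key(line_a, line_b):
    """True when both lines carry the same key type and key blob."""
    return parse_pubkey(line_a) == parse_pubkey(line_b)

def constructed_rsa_line(modulus, prefix=""):
    """Build a syntactically valid ssh-rsa line from constructed bytes."""
    parts = [b"ssh-rsa", b"\x01\x00\x01", b"\x00" + modulus]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return (prefix + "ssh-rsa " + base64.b64encode(blob).decode()).strip()

# Constructed sample data standing in for the three places a key can live.
HOST_PUB = constructed_rsa_line(b"\xc1" * 32) + " root@host"   # .pub on the host
IPA_VALUE = constructed_rsa_line(b"\xc1" * 32)                 # value stored in IPA
STALE_ENTRY = constructed_rsa_line(b"\xd2" * 32, "host.example.com ")

if __name__ == "__main__":
    for name, line in [("host", HOST_PUB), ("ipa", IPA_VALUE),
                       ("known_hosts", STALE_ENTRY)]:
        print(name, fingerprint(line))
    print("host == ipa:", same_host_key(HOST_PUB, IPA_VALUE))
    print("host == known_hosts:", same_host_key(HOST_PUB, STALE_ENTRY))
```
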

