[Freeipa-users] Odd problem with SSSD and SSH keys

Bret Wortman bret.wortman at damascusgrp.com
Tue Jan 14 11:46:51 UTC 2014


I was assuming that the key was being re-inserted by the ssh 
authentication request, but to eliminate puppet, I just tried this sequence:

# puppet agent --disable
# rm -f /var/lib/sss/pubconf/known_hosts
# ls -l /var/lib/sss/pubconf/known_hosts
# ssh zw131
:
: (errors about the key being incorrect)
:
# cat /var/lib/sss/pubconf/known_hosts
:

It now contained the bad key again.
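Rob's suggestion further down the thread (compare the key recorded in IPA with what sits in /var/lib/sss/pubconf/known_hosts) and the sequence above both come down to one question: does the key SSSD writes into its known_hosts proxy file fingerprint to the value the ssh client reports? The script below is an added example, not code from the list or from SSSD/FreeIPA: it parses an OpenSSH-format known_hosts file (plain and hashed hostnames, `@`-marker lines), computes the MD5 colon fingerprint that the `ssh -vvv` output in this thread uses as well as the newer SHA256 form, and reports for every entry naming a host whether it matches the fingerprint the client printed. The keys and the known_hosts text are constructed in the script (the "RSA" blobs are only valid wire encodings of made-up integers, not real keys), and the host names reuse the ones from the thread purely as labels.

```python
import base64
import hashlib
import hmac
import struct

# --- Constructed dummy keys (NOT real keys; only their ssh-rsa wire encoding matters) ---

def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian, with a leading 0x00 byte when the high bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_dummy_rsa_key(n: int, e: int = 65537) -> str:
    """Base64 blob in the ssh-rsa public key format, built from constructed integers."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(blob).decode()

# --- Fingerprints: old MD5 colon form (as in the ssh -vvv output) and SHA256 form ---

def md5_fingerprint(b64key: str) -> str:
    raw = base64.b64decode(b64key)
    return ":".join(f"{b:02x}" for b in hashlib.md5(raw).digest())

def sha256_fingerprint(b64key: str) -> str:
    raw = base64.b64decode(b64key)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

# --- known_hosts parsing, including OpenSSH hashed hostnames (|1|salt|hmac) ---

def host_matches(field: str, host: str) -> bool:
    """True if the first known_hosts column names `host` (plain list or hashed form)."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|", 3)
        expected = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac))
    return host in field.split(",")

def hash_hostname(host: str, salt: bytes) -> str:
    """Produce the |1|salt|hmac form OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def parse_known_hosts(text: str) -> list:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = None
        if parts[0].startswith("@"):          # @cert-authority / @revoked markers
            marker, parts = parts[0], parts[1:]
        if len(parts) < 3:
            continue                          # malformed line; skip rather than guess
        entries.append({"line": lineno, "marker": marker,
                        "hosts": parts[0], "type": parts[1], "key": parts[2]})
    return entries

def check_host(text: str, host: str, reported_md5: str) -> list:
    """For each entry naming `host`, say whether its stored key matches the
    fingerprint the ssh client printed. Returns (line number, status, stored fp)."""
    results = []
    for e in parse_known_hosts(text):
        if not host_matches(e["hosts"], host):
            continue
        stored = md5_fingerprint(e["key"])
        status = "match" if stored == reported_md5 else "MISMATCH"
        results.append((e["line"], status, stored))
    return results

# --- Constructed sample data (hypothetical values, not from the thread) ---
GOOD_N = 0xC0FFEE0000000000000000000000000001   # "current" key on the host
STALE_N = 0xBADC0DE0000000000000000000000001    # "stale" key in the proxy file

KNOWN_HOSTS = "\n".join([
    "# constructed sample; not a file generated by SSSD or the list author",
    "rs512,rs512.foo.net ssh-rsa " + make_dummy_rsa_key(GOOD_N),
    "zw131,zw131.foo.net ssh-rsa " + make_dummy_rsa_key(STALE_N),
    hash_hostname("zw129", b"\x01" * 20) + " ssh-rsa " + make_dummy_rsa_key(GOOD_N),
])

if __name__ == "__main__":
    # Fingerprint the ssh client reported for zw131 (here: the key the host currently serves)
    live = md5_fingerprint(make_dummy_rsa_key(GOOD_N))
    for line, status, stored in check_host(KNOWN_HOSTS, "zw131", live):
        print(f"known_hosts:{line} {status} stored={stored} reported={live}")
```

Run against the real file, a MISMATCH on the line number the ssh warning names ("Offending RSA key in /var/lib/sss/pubconf/known_hosts:2") confirms the proxy file is the source of the stale key; the same fingerprint function applied to the key stored in the IPA host entry then shows whether the stale value originated in IPA or was introduced on the client side.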


On 01/13/2014 02:52 PM, Dmitri Pal wrote:
> On 01/13/2014 02:44 PM, Bret Wortman wrote:
>> They're definitely different. I deleted the one in the file, then 
>> tried again. It put the bad key back in the file. I blew the whole 
>> file away and the same thing happened. Where is this key coming from 
>> if not from IPA?
>
> Puppet?
>
>>
>>
>> On 01/13/2014 02:36 PM, Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> I've got a strange situation where some of my workstations are 
>>>> reporting
>>>> difficulty when sshing to remote systems, but there's no pattern I can
>>>> discern. One user's machine can't get to system A, but I can, though I
>>>> can't ssh to his workstation directly.
>>>>
>>>> Here's the kind of thing I see when doing ssh -vvv:
>>>>
>>>> debug1: Server host key: RSA 
>>>> 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
>>>> debug3: load_hostkeys: loading entries for host "rs512" from file
>>>> "/root/.ssh/known_hosts"
>>>> debug3: load_hostkeys: loaded 0 keys
>>>> debug3: load_hostkeys: loading entries for host "rs512" from file
>>>> "/var/lib/sss/pubconf/known_hosts"
>>>> debug3: load_hostkeys: found key type RSA in file
>>>> /var/lib/sss/pubconf/known_hosts:2
>>>> debug3: load_hostkeys: loaded 1 keys
>>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>>> @   WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>>> Someone could be eavesdropping on you right now (man-in-the-middle 
>>>> attack)!
>>>> It is also possible that a host key has just been changed.
>>>> The fingerprint for the RSA key sent by the remote host is
>>>> 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
>>>> Please contact your system administrator.
>>>> Add correct host key in /root/.ssh/known_hosts to get rid of this 
>>>> message.
>>>> Offending RSA key in /var/lib/sss/pubconf/known_hosts:2
>>>> RSA host key for zw131 has changed and you have requested strict 
>>>> checking.
>>>> Host key verification failed.
>>>> #
>>>>
>>>> We haven't changed the host key; the public key files are dated 
>>>> October
>>>> 23 of last year. Our configuration files for SSSD and SSH are 
>>>> managed by
>>>> Puppet, so they are consistent from system to system. That said, I did
>>>> compare a system that could remote to rs512 to one that could not and
>>>> found no differences. Here are the files:
>>>>
>>>> /etc/sssd/sssd.conf:
>>>> [domain/spx.net]
>>>> cache_credentials = True
>>>> krb5_store_password_if_offline = True
>>>> ipa_domain = foo.net
>>>> id_provider = ipa
>>>> auth_provider = ipa
>>>> access_provider = ipa
>>>> ipa_hostname = zw129.foo.net
>>>> chpass_provider = ipa
>>>> ipa_dyndns_update = True
>>>> ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
>>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>>> [domain/.spx.net]
>>>> cache_credentials = True
>>>> krb5_store_password_if_offline = True
>>>> krb5_realm = FOO.NET
>>>> ipa_domain = .foo.net
>>>> id_provider = ipa
>>>> auth_provider = ipa
>>>> access_provider = ipa
>>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>>> chpass_provider = ipa
>>>> ipa_dyndns_update = True
>>>> ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
>>>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
>>>> dns_discovery_domain = .spx.net
>>>> [sssd]
>>>> services = nss, pam, ssh
>>>> config_file_version = 2
>>>>
>>>> domains = .spx.net, spx.net
>>>> [nss]
>>>>
>>>> [pam]
>>>>
>>>> [sudo]
>>>>
>>>> [autofs]
>>>>
>>>> [ssh]
>>>>
>>>> Is there anything else relevant that I should be looking at?
>>>
>>> You might compare the value of the key in IPA to what is in 
>>> /var/lib/sss/pubconf/known_hosts
>>>
>>> rob
>>>
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
>
