[Freeipa-users] Odd problem with SSSD and SSH keys

Jan Cholasta jcholast at redhat.com
Wed Jan 15 08:33:39 UTC 2014



On 14.1.2014 12:34, Bret Wortman wrote:
> The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the
> host in question. It should not have had any connectivity issues; it's
> co-located with several of our IPA masters.

Can you also check if the MD5 fingerprint reported by ssh (e.g. 
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post) 
matches the MD5 fingerprint for the host in IPA?

>
> I'd be happy to run sss_ssh_knownhostsproxy manually but haven't been
> able to locate the proxy command to use via Google yet. Any guidance?

I don't think you need to do that, it will just update 
/var/lib/sss/pubconf/known_hosts again.

>
>
> On 01/14/2014 05:43 AM, Jan Cholasta wrote:
>> On 13.1.2014 22:18, Jakub Hrozek wrote:
>>> On Mon, Jan 13, 2014 at 02:44:29PM -0500, Bret Wortman wrote:
>>>> They're definitely different. I deleted the one in the file, then
>>>> tried again. It put the bad key back in the file. I blew the whole
>>>> file away and the same thing happened. Where is this key coming from
>>>> if not from IPA?
>>>
>>> Can you try running sss_ssh_knownhostsproxy manually to see what key
>>> does it return?
>>>
>>> The keys are propagated to the file from the sssd database. If the
>>> client was offline, the client could use stale records. Can you
>>> verify the client has no connectivity issues?
>>>
>>> Honza (CC-ed) might have some more hints.
>>>
>>
>> Compare the public key in /etc/ssh/ssh_host_rsa_key.pub on the host
>> with the public key for that host in IPA. If they do not match, the
>> host key was changed after IPA client was installed and the host
>> record in IPA must be manually updated with the new key.
>>
>> Honza
>>


-- 
Jan Cholasta
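The check Jan describes above (compare the MD5 fingerprint of the local RSA host key with the one IPA holds for the host, and update the host entry if they differ), written out as an added example; it is not part of the original thread and not FreeIPA's or SSSD's own tooling. Assumptions: `ipa host-show` prints the key as `SSH public key fingerprint: <md5> (ssh-rsa)` (the sample output embedded below is constructed, not captured from a server), the `ipa` CLI and a valid Kerberos ticket are available for the live check, and the MD5 helper is exercised on a constructed base64 string rather than a real key blob.

```shell
#!/bin/sh
# Added example: compare the local SSH host key with the host entry in IPA.
# Not from the mailing-list thread or the FreeIPA project.

# Hex digest of stdin; md5sum normally, openssl where coreutils is absent.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        openssl dgst -md5 | sed 's/.*= //'
    fi
}

# Format a 32-character hex digest the way ssh and IPA print it (aa:bb:...).
fmt_md5() {
    printf '%s' "$1" | sed 's/../&:/g; s/:$//' | tr 'A-F' 'a-f'
}

# MD5 fingerprint of an OpenSSH public key line ("ssh-rsa AAAA... comment").
# The fingerprint is the MD5 of the base64-decoded key blob, which is what
# ssh-keygen -lf reports (with -E md5 on OpenSSH 6.8 and later).
pubkey_md5() {
    blob=$(printf '%s' "$1" | awk '{print $2}')
    fmt_md5 "$(printf '%s' "$blob" | base64 -d | md5_hex)"
}

# Extract the ssh-rsa fingerprint from `ipa host-show` text.
# Assumed line format: "SSH public key fingerprint: <47-char md5> (ssh-rsa)".
ipa_rsa_md5() {
    printf '%s\n' "$1" \
        | sed -n '/SSH public key fingerprint/ s/.*\([0-9a-fA-F:]\{47\}\) (ssh-rsa).*/\1/p' \
        | head -n 1 | tr 'A-F' 'a-f'
}

# Normalise both sides (strip an "MD5:" prefix, lower-case) and compare.
# Returns 0 on match, 1 on mismatch or when either side is empty.
fp_matches() {
    a=$(printf '%s' "$1" | sed 's/^MD5://' | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | sed 's/^MD5://' | tr 'A-F' 'a-f')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample of `ipa host-show` output (not captured from a real
# server); the fingerprint is the one quoted in the thread.
SAMPLE_HOST_SHOW='  Host name: host.example.com
  Principal name: host/host.example.com@EXAMPLE.COM
  SSH public key fingerprint: 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab (ssh-rsa)
  Password: False
  Keytab: True'

# Live check against IPA (needs the ipa CLI and a Kerberos ticket). On a
# mismatch it prints the host-mod command that replaces the stored key.
check_host() {
    fqdn=$1
    local_fp=$(pubkey_md5 "$(cat /etc/ssh/ssh_host_rsa_key.pub)")
    ipa_fp=$(ipa_rsa_md5 "$(ipa host-show "$fqdn")")
    if fp_matches "$local_fp" "$ipa_fp"; then
        echo "OK: host key for $fqdn matches IPA ($local_fp)"
    else
        echo "MISMATCH for $fqdn: local $local_fp, IPA ${ipa_fp:-<none>}"
        echo "Fix with: ipa host-mod $fqdn --sshpubkey=\"\$(cat /etc/ssh/ssh_host_rsa_key.pub)\""
        return 1
    fi
}

# Run the live check only when a host name is given, so the helpers above can
# be sourced and exercised offline.
if [ $# -eq 1 ]; then
    check_host "$1"
fi
```

Run it as `sh check_hostkey.sh host.example.com` on the affected client after `kinit`. If it reports a mismatch and you apply the `ipa host-mod` line, remember that `sss_ssh_knownhostsproxy` regenerates `/var/lib/sss/pubconf/known_hosts` from SSSD's cache, so a client that cached the old record while offline should also have that cache invalidated (for example with `sss_cache -E`) before the next ssh attempt.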
