[Freeipa-users] Odd problem with SSSD and SSH keys

Bret Wortman bret.wortman at damascusgrp.com
Wed Jan 15 12:56:49 UTC 2014


The fingerprint does match.

On 01/15/2014 03:33 AM, Jan Cholasta wrote:
>
>
> On 14.1.2014 12:34, Bret Wortman wrote:
>> The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the
>> host in question. It should not have had any connectivity issues; it's
>> co-located with several of our IPA masters.
>
> Can you also check if the MD5 fingerprint reported by ssh (e.g. 
> 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post) 
> matches the MD5 fingerprint for the host in IPA?
>
>>
>> I'd be happy to run sss_ssh_knownhostsproxy manually but haven't been
>> able to locate the proxy command to use via Google yet. Any guidance?
>
> I don't think you need to do that, it will just update 
> /var/lib/sss/pubconf/known_hosts again.
>
>>
>>
>> On 01/14/2014 05:43 AM, Jan Cholasta wrote:
>>> On 13.1.2014 22:18, Jakub Hrozek wrote:
>>>> On Mon, Jan 13, 2014 at 02:44:29PM -0500, Bret Wortman wrote:
>>>>> They're definitely different. I deleted the one in the file, then
>>>>> tried again. It put the bad key back in the file. I blew the whole
>>>>> file away and the same thing happened. Where is this key coming from
>>>>> if not from IPA?
>>>>
>>>> Can you try running sss_ssh_knownhostsproxy manually to see what key
>>>> it returns?
>>>>
>>>> The keys are propagated to the file from the sssd database. If the
>>>> client was offline, the client could use stale records. Can you verify
>>>> the client has no connectivity issues?
>>>>
>>>> Honza (CC-ed) might have some more hints.
>>>>
>>>
>>> Compare the public key in /etc/ssh/ssh_host_rsa_key.pub on the host
>>> with the public key for that host in IPA. If they do not match, the
>>> host key was changed after IPA client was installed and the host
>>> record in IPA must be manually updated with the new key.
>>>
>>> Honza
>>>
>
>
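
The check discussed in this thread, as an added example that is not part of the original messages: it computes the colon-separated MD5 fingerprint of the key in a `.pub` line and of the key in a cached `known_hosts` line (the format of /var/lib/sss/pubconf/known_hosts) and reports whether they are the same key. The host name and key material are constructed for illustration, not real keys.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public key blobs (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def sample_rsa_blob(modulus: bytes) -> str:
    """Constructed test data, not a real key: base64 of an ssh-rsa blob."""
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return base64.b64encode(blob).decode()

def extract_blob(line: str) -> bytes:
    """Return the decoded key blob from a .pub line or a known_hosts line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1], validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != field.encode():
                raise ValueError("declared key type does not match the blob")
            return blob
    raise ValueError("no public key found in line")

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format quoted in the thread."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def compare(host_pub_line: str, cached_line: str) -> dict:
    """Fingerprint both lines and report whether they carry the same key."""
    host, cached = extract_blob(host_pub_line), extract_blob(cached_line)
    return {"host": md5_fingerprint(host), "cached": md5_fingerprint(cached),
            "match": host == cached}

# Constructed sample lines (hypothetical host name and key material).
KEY_NOW = sample_rsa_blob(b"\x00" + b"\xc3" * 128)
KEY_OLD = sample_rsa_blob(b"\x00" + b"\xa5" * 128)
HOST_PUB = f"ssh-rsa {KEY_NOW} root@client1.example.com"
CACHE_OK = f"client1.example.com ssh-rsa {KEY_NOW}"
CACHE_STALE = f"client1.example.com ssh-rsa {KEY_OLD}"

if __name__ == "__main__":
    for label, line in (("fresh cache", CACHE_OK), ("stale cache", CACHE_STALE)):
        print(label, compare(HOST_PUB, line))
```

A mismatch between the host's own key and the cached line points at a stale record on the client or in the directory rather than at the host itself.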

