[Freeipa-users] Reply: Re: Multiple Domains and SSH

Jan Cholasta jcholast at redhat.com
Thu Nov 20 12:06:44 UTC 2014


Hi,

On 19.11.2014 at 09:45 Christoph Kaminski wrote:
> this is an example of a host here and the ways how can I reach it via ssh:
> (they are all in dns forward and reverse resolving)

(note I redacted the hostnames and IP addresses in the output below)

>
> host host.mgmt
> host.mgmt has address 192.168.1.1
> host 192.168.1.1
> 1.1.168.192.in-addr.arpa domain name pointer host.mgmt.
> host host.mydom.int
> host.mydom.int has address 192.168.2.1
> host 192.168.2.1
> 1.2.168.192.in-addr.arpa domain name pointer host.mydom.int.
> host host.mydom.net
> host.mydom.net has address 192.168.3.1
> host 192.168.3.1
> 1.3.168.192.in-addr.arpa domain name pointer host.mydom.net.

So it's a host with multiple IP addresses? You have 2 options then:

  1. Add a host entry with the SSH public key to IPA for each of the 
hostnames then, as Dmitri suggested.

  2. Manually add the additional hostnames to the fqdn attribute of the 
host entry using ldapmodify.

>
> Kind regards
> Christoph Kaminski
>
> From: Jan Cholasta <jcholast at redhat.com>
> To: Jakub Hrozek <jhrozek at redhat.com>, dpal at redhat.com
> Cc: freeipa-users at redhat.com
> Date: 19.11.2014 07:53
> Subject: Re: [Freeipa-users] Multiple Domains and SSH
> Sent by: freeipa-users-bounces at redhat.com
> ------------------------------------------------------------------------
>
> Hi,
>
> On 18.11.2014 at 23:53 Jakub Hrozek wrote:
>  >
>  >> On 18 Nov 2014, at 23:12, Dmitri Pal <dpal at redhat.com> wrote:
>  >>
>  >> On 11/18/2014 01:07 AM, Christoph Kaminski wrote:
>  >>> Hi
>  >>>
>  >>> I can reach each host here via ssh on multiple domains:
>  >>>
>  >>> host.mydom.int
>  >>> host.mydom.net
>  >>> host.mgmt
>  >>>
>  >>> sss_ssh_knownhostsproxy works only on the domain which I used
> to register with IPA (mgmt); on the other domains I always get "The
> authenticity of host 'host.mydom.int (<no hostip for proxy command>)'
> can't be established."... why?
>
> Because it does not know that the hostnames refer to the same host.
>
> Do you have a reverse DNS record set up for the host? Does it point to
> the same hostname that you used to register the host in IPA?
>
>  >>>
>  >>
>  >>
>  >> And other hosts in those domains are not registered?
>  >> Maybe you should try to add a host entry and SSH digest to IPA even
> if they are not enrolled?
>
> This would work too.
>
>  >>
>  >
>  > Maybe Honza would have some tips for debugging...
>
> See pages 13-16 of
> <http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf>.
>
> Honza
>
> --
> Jan Cholasta
>

Honza

-- 
Jan Cholasta
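Option 2 above, worked through as an added example (these are not Jan's commands): the script first checks the forward/reverse DNS consistency Jan asks about, using `host` output captured inline and modelled on the redacted output in the thread, then emits the LDIF that `ldapmodify` would apply to add the extra `fqdn` values. The base DN `dc=example,dc=com` and the sample names are assumptions; `cn=computers,cn=accounts` is the standard FreeIPA host container.

```shell
#!/bin/sh
# Constructed sample: output of `host` for each name and its address, as in
# the thread, plus one deliberately inconsistent name (host.old) whose PTR
# points to a different hostname, to show the check rejecting it.
HOST_OUTPUT='host.mgmt has address 192.168.1.1
1.1.168.192.in-addr.arpa domain name pointer host.mgmt.
host.mydom.int has address 192.168.2.1
1.2.168.192.in-addr.arpa domain name pointer host.mydom.int.
host.mydom.net has address 192.168.3.1
1.3.168.192.in-addr.arpa domain name pointer host.mydom.net.
host.old has address 192.168.4.1
1.4.168.192.in-addr.arpa domain name pointer other.old.'

# Read `host` output on stdin and print, sorted, every name whose A record
# has a PTR record that resolves back to that same name. Names that fail the
# round trip are the ones sss_ssh_knownhostsproxy cannot tie to the IPA host.
consistent_names() {
  awk '
    / has address / { fwd[$1] = $4 }
    / domain name pointer / {
        split($1, o, ".")                   # 1.1.168.192.in-addr.arpa
        ip = o[4] "." o[3] "." o[2] "." o[1]  # -> 192.168.1.1
        name = $5; sub(/\.$/, "", name)     # drop the trailing dot
        ptr[ip] = name
    }
    END { for (n in fwd) if (ptr[fwd[n]] == n) print n }
  ' | sort
}

# Emit the LDIF for option 2: add additional fqdn values to the host entry
# that was registered under $2. Arguments: base DN, registered fqdn, then
# the extra hostnames.
fqdn_ldif() {
  base="$1"; primary="$2"; shift 2
  printf 'dn: fqdn=%s,cn=computers,cn=accounts,%s\n' "$primary" "$base"
  printf 'changetype: modify\nadd: fqdn\n'
  for n in "$@"; do printf 'fqdn: %s\n' "$n"; done
}

# Usage: verify the names, then build the LDIF for the ones that passed.
printf '%s\n' "$HOST_OUTPUT" | consistent_names
fqdn_ldif "dc=example,dc=com" host.mgmt host.mydom.int host.mydom.net
```

Apply the generated file with `ldapmodify -x -D 'cn=Directory Manager' -W -f host.ldif`, then confirm with `ipa host-show host.mgmt` that the extra names appear before testing `ssh` against each of them.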