[Freeipa-users] ssh known hosts gets recreated on client

Lukas Slebodnik lslebodn at redhat.com
Wed Jun 10 13:37:44 UTC 2015


On (10/06/15 11:33), Bob Hinton wrote:
>Hello,
>
>If I uninstall the ipa client with "ipa-client-install --uninstall" then
>reinstall it to the same ipa master then most functions work fine.
>However, if I attempt to ssh from the client to the master then I get.
>
>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>It is also possible that the RSA host key has just been changed.
>The fingerprint for the RSA key sent by the remote host is
>86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
>Please contact your system administrator.
>Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this
>message.
>Offending key in /var/lib/sss/pubconf/known_hosts:1
>RSA host key for ipa004.jackland.co.uk has changed and you have
>requested strict checking.
>Host key verification failed.
>
>I've tried stopping the sssd service on the client, removing
>/var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting
>sssd, but /var/lib/sss/pubconf just gets recreated with the old contents
>and I get the same error (it seems odd that it's reporting that the host
>key of the master has changed when it's the client that has been
>reinstalled). How do I clear-out the client's knowledge of the old host
>keys?
>
>In this case I'm using ipa-client v3.0.0 on RHEL6.6
>
You removed /var/lib/sss/pubconf/known_hosts
and also the sssd cache, but you still have the problem after restarting sssd.

So the only explanation is that the wrong host public key is stored in FreeIPA.
Could you try to check the host public key with ldapsearch in FreeIPA?
I think you would need to do it as an admin.

LS
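
Added example, not part of the original message: one way to compare stored host keys against the MD5 fingerprint printed in the ssh warning, to see which copy (the sssd known_hosts file or the key retrieved from the directory) is stale. It assumes the stored keys are available as OpenSSH text (`type base64`, optionally preceded by a host name); the function names are hypothetical and the sample keys are constructed, not real.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def key_blob(line):
    """Extract (type, raw blob) from 'type base64 [comment]' or a known_hosts line."""
    fields = line.split()
    for name, b64 in zip(fields, fields[1:]):
        if name in KEY_TYPES:
            blob = base64.b64decode(b64, validate=True)
            # The blob starts with a length-prefixed copy of the key type.
            if len(blob) < 4:
                raise ValueError("key blob too short")
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != name.encode("ascii"):
                raise ValueError("key type does not match blob")
            return name, blob
    raise ValueError("no public key found in line")

def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint, the form shown in the ssh warning."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def stale_entries(stored, presented_fp):
    """Return (label, fingerprint) for stored keys that differ from the presented one."""
    wanted = presented_fp.strip().rstrip(".").lower()
    out = []
    for label, line in stored.items():
        fp = md5_fingerprint(key_blob(line)[1])
        if fp != wanted:
            out.append((label, fp))
    return out

def constructed_rsa_line(host, filler):
    """Build a fake, well-formed ssh-rsa entry for the demo (not a real key)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + bytes([filler]) * 256)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}".strip()

if __name__ == "__main__":
    presented = "86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1"  # from the warning
    stored = {"sssd known_hosts:1": constructed_rsa_line("ipa004.jackland.co.uk", 0xAA),
              "directory entry": constructed_rsa_line("", 0xAA)}  # constructed samples
    for label, fp in stale_entries(stored, presented):
        print(f"{label}: stored {fp} != presented {presented}")
```

An entry that is reported here holds a different key from the one the server presented, so it is the copy to correct.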



