[Freeipa-users] ssh known hosts gets recreated on client

Bob Hinton bob at jackland.demon.co.uk
Wed Jun 10 16:09:06 UTC 2015


On 10/06/2015 14:37, Lukas Slebodnik wrote:
> On (10/06/15 11:33), Bob Hinton wrote:
>> Hello,
>>
>> If I uninstall the ipa client with "ipa-client-install --uninstall" then
>> reinstall it to the same ipa master then most functions work fine.
>> However, if I attempt to ssh from the client to the master then I get.
>>
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>> It is also possible that the RSA host key has just been changed.
>> The fingerprint for the RSA key sent by the remote host is
>> 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
>> Please contact your system administrator.
>> Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this
>> message.
>> Offending key in /var/lib/sss/pubconf/known_hosts:1
>> RSA host key for ipa004.jackland.co.uk has changed and you have
>> requested strict checking.
>> Host key verification failed.
>>
>> I've tried stopping the sssd service on the client, removing
>> /var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting
>> sssd, but /var/lib/sss/pubconf just gets recreated with the old contents
>> and I get the same error (it seems odd that it's reporting that the host
>> key of the master has changed when it's the client that has been
>> reinstalled). How do I clear out the client's knowledge of the old host
>> keys?
>>
>> In this case I'm using ipa-client v3.0.0 on RHEL6.6
>>
> You removed /var/lib/sss/pubconf/known_hosts
> and also sssd cache, but you still have problem after restarting sssd.
>
> So the only explanation is that the wrong host public key is stored in FreeIPA.
> Could you try to check the host public key with ldapsearch in FreeIPA?
> I think you would need to do it as an admin.
>
> LS
> .
>
The two RSA keys look like they're the same (see below), though the
fingerprints are evidently different. I copied and pasted the two keys
into files and ran diff over these to prove that they match.

I can actually fix the problem by copying the ipa master host keys to a
file, removing them with

ipa host-mod ipa004.jackland.co.uk --sshpubkey=''

then I can ssh from the client to the master without the error. I can
finally restore the keys from the file using the ipa host-mod command
again and all is well. So this looks like a long-winded way of clearing
some sort of cache of the key fingerprint on the client. It would just
be nice to know if there's a more direct way of doing this. Also, I know
this works for one client, but it would be a pain to have to go through
this procedure for lots of them.

Thanks

Bob

-sh-4.2$ ipa host-show ipa004.jackland.co.uk --all
  dn: fqdn=ipa004.jackland.co.uk,cn=computers,cn=accounts,dc=jackland,dc=co,dc=uk
  Host name: ipa004.jackland.co.uk
  Principal name: host/ipa004.jackland.co.uk at JACKLAND.CO.UK
  SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl,
                  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILt/SPXhj9izWvjQv5ChWozlOgqRzmSFMZkVj4amRGh/,
                  ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM4R+8D6KCGntBbpGhwDzgH7YJt0xw1Ze21NH+rlsfnoLFStuM7T46/T1L2b2II8hwCmu6dt7F+NSd4YXUpk0/M=
  Requires pre-authentication: True
  Trusted for delegation: False
  Password: False
  Keytab: True
  Managed by: ipa004.jackland.co.uk
  Managing: ipa004.jackland.co.uk
  SSH public key fingerprint: DA:92:FD:52:AE:C2:65:00:9A:F6:0B:AA:20:51:8E:04 (ssh-rsa),
                              53:79:39:CE:D8:13:23:D2:3C:2C:8E:E4:56:7E:41:76 (ssh-ed25519),
                              56:28:C4:62:3F:64:18:5D:EC:B9:E0:1F:8B:48:EA:0B (ecdsa-sha2-nistp256)
  cn: ipa004.jackland.co.uk
  ipauniqueid: 0ffd1566-fd61-11e4-b868-000c29f1a817
  krblastpwdchange: 20150518132324Z
  objectclass: ipaSshGroupOfPubKeys, ipaobject, krbprincipal, nshost, top, ipaservice, pkiuser, ipahost,
               krbticketpolicyaux, krbprincipalaux, ipasshhost
  serverhostname: ipa004
-sh-4.2$

-sh-4.1$ ssh ipa004.jackland.co.uk
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
Please contact your system administrator.
Add correct host key in /home/adminuser/.ssh/known_hosts to get rid of
this message.
Offending key in /var/lib/sss/pubconf/known_hosts:1
RSA host key for ipa004.jackland.co.uk has changed and you have
requested strict checking.
Host key verification failed.

-sh-4.1$ head -1 /var/lib/sss/pubconf/known_hosts
|1|SsQw9iAjhWz7sgcE9OwLuSC6hsM=|DgSaVQaJDU2dW6U4vN/quyySzvk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl
-sh-4.1$

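The thread turns on three values that can be checked offline: the key FreeIPA stores for the host, the key sssd cached in /var/lib/sss/pubconf/known_hosts, and the MD5 fingerprint the client's ssh reported. The script below is an added example (not part of the thread or of FreeIPA/sssd) that decodes the stored and cached key blobs, computes the colon-separated MD5 fingerprint that OpenSSH 5.x on RHEL 6 prints, and verifies whether the hashed `|1|salt|hmac` host field really belongs to ipa004.jackland.co.uk; the key string and known_hosts line are copied from the output above, the fingerprint from the warning.

```python
import base64
import hashlib
import hmac
import struct

# Values copied from the thread's output: the ssh-rsa key as "ipa host-show" lists it,
# the first line of /var/lib/sss/pubconf/known_hosts, and the fingerprint ssh reported.
IPA_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl"
KNOWN_HOSTS_LINE = "|1|SsQw9iAjhWz7sgcE9OwLuSC6hsM=|DgSaVQaJDU2dW6U4vN/quyySzvk= " + IPA_KEY
REPORTED_FP = "86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1"
HOST = "ipa004.jackland.co.uk"


def parse_pubkey(key_string):
    """Decode 'type base64blob [comment]'; return (declared type, type inside blob, raw blob)."""
    declared, blob_b64 = key_string.split()[:2]
    blob = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", blob[:4])          # every SSH blob starts with its type string
    return declared, blob[4:4 + n].decode("ascii"), blob


def md5_fingerprint(blob):
    """Colon-separated MD5 of the raw blob, the format OpenSSH 5.x/6.x prints."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def make_hashed_entry(hostname, salt):
    """Build an OpenSSH hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hashed_entry_matches(host_field, hostname):
    """True if a known_hosts host field (hashed or plain) was produced for hostname."""
    if not host_field.startswith("|1|"):
        return host_field == hostname
    _, _, salt_b64, mac_b64 = host_field.split("|", 3)
    expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


def check_line(known_hosts_line, hostname, ipa_key, reported_fp):
    """Reconcile the sssd-cached key, the FreeIPA-stored key and the fingerprint ssh showed."""
    host_field, key_type, blob_b64 = known_hosts_line.split()[:3]
    cached = parse_pubkey(key_type + " " + blob_b64)
    stored = parse_pubkey(ipa_key)
    return {
        "entry_is_for_host": hashed_entry_matches(host_field, hostname),
        "cached_fp": md5_fingerprint(cached[2]),
        "stored_fp": md5_fingerprint(stored[2]),
        "cached_equals_stored": cached[2] == stored[2],
        "reported_matches_stored": md5_fingerprint(stored[2]) == reported_fp.lower(),
    }


if __name__ == "__main__":
    for k, v in check_line(KNOWN_HOSTS_LINE, HOST, IPA_KEY, REPORTED_FP).items():
        print("%-24s %s" % (k, v))
```

If `reported_matches_stored` is False while `cached_equals_stored` is True, the server really presented a different key from the one FreeIPA holds, which is the case to investigate on the master rather than by clearing client caches.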