[Freeipa-users] ssh known hosts gets recreated on client

Bob Hinton bob at jackland.demon.co.uk
Wed Jun 10 18:57:36 UTC 2015


OK. I think the original problem wasn't what I thought it was.

The keys in /etc/ssh/*.pub on the ipamaster didn't match the ones stored
in IPA. I'm not sure how this happened, however the master is a test VM
that's been used to test ipa-backup and ipa-restore (it's a V4.1.0
master even though the client is V3.0)

Anyway, I repaired this by setting the keys in IPA to the ones in the
files by doing the following on the ipa master :-

echo "ipa host-mod ipa004.jackland.co.uk --sshpubkey='" > keyfix.sh
sudo cat /etc/ssh/ssh_host_rsa_key.pub >> keyfix.sh
echo -n ',' >> keyfix.sh
sudo cat /etc/ssh/ssh_host_ecdsa_key.pub >> keyfix.sh
echo -n ',' >> keyfix.sh
sudo cat /etc/ssh/ssh_host_ed25519_key.pub >> keyfix.sh
echo "'" >> keyfix.sh
vi keyfix.sh       (keep pressing J to join everything into one long line)
sh keyfix.sh

On 10/06/2015 17:09, Bob Hinton wrote:
> On 10/06/2015 14:37, Lukas Slebodnik wrote:
>> On (10/06/15 11:33), Bob Hinton wrote:
>>> Hello,
>>>
>>> If I uninstall the ipa client with "ipa-client-install --uninstall" then
>>> reinstall it to the same ipa master then most functions work fine.
>>> However, if I attempt to ssh from the client to the master then I get.
>>>
>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>>> It is also possible that the RSA host key has just been changed.
>>> The fingerprint for the RSA key sent by the remote host is
>>> 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
>>> Please contact your system administrator.
>>> Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this
>>> message.
>>> Offending key in /var/lib/sss/pubconf/known_hosts:1
>>> RSA host key for ipa004.jackland.co.uk has changed and you have
>>> requested strict checking.
>>> Host key verification failed.
>>>
>>> I've tried stopping the sssd service on the client, removing
>>> /var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting
>>> sssd, but /var/lib/sss/pubconf just gets recreated with the old contents
>>> and I get the same error (it seems odd that it's reporting that the host
>>> key of the master has changed when it's the client that has been
>>> reinstalled). How do I clear-out the client's knowledge of the old host
>>> keys?
>>>
>>> In this case I'm using ipa-client v3.0.0 on RHEL6.6
>>>
>> You removed /var/lib/sss/pubconf/known_hosts
>> and also sssd cache, but you still have problem after restarting sssd.
>>
>> So the only explanation is that a wrong host public key is stored in FreeIPA.
>> Could you try to check the host public key with ldapsearch in FreeIPA?
>> I think you would need to do it as an admin.
>>
>> LS
>> .
>>
> The two rsa keys look like they're the same (see below) though the
> finger-prints are evidently different. I copied and pasted the two keys
> into files and ran diff over these to prove that they match.
>
> I can actually fix the problem by copying the ipa master host keys to a
> file, removing them with
>
> ipa host-mod ipa004.jackland.co.uk --sshpubkey=''
>
> then I can ssh from the client to the master without the error. I can
> finally restore the keys from the file using the ipa host-mod command
> again and all is well. So this looks like a long-winded way of clearing
> some sort of cache of the key finger-print on the client. It would just
> be nice to know if there's a more direct way of doing this. Also I know
> this works for one client, but it would be a pain to have to go through
> this procedure for lots of them.
>
> Thanks
>
> Bob
>
> -sh-4.2$ ipa host-show ipa004.jackland.co.uk --all
>   dn: fqdn=ipa004.jackland.co.uk,cn=computers,cn=accounts,dc=jackland,dc=co,dc=uk
>   Host name: ipa004.jackland.co.uk
>   Principal name: host/ipa004.jackland.co.uk@JACKLAND.CO.UK
>   SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl,
>                   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILt/SPXhj9izWvjQv5ChWozlOgqRzmSFMZkVj4amRGh/,
>                   ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM4R+8D6KCGntBbpGhwDzgH7YJt0xw1Ze21NH+rlsfnoLFStuM7T46/T1L2b2II8hwCmu6dt7F+NSd4YXUpk0/M=
>   Requires pre-authentication: True
>   Trusted for delegation: False
>   Password: False
>   Keytab: True
>   Managed by: ipa004.jackland.co.uk
>   Managing: ipa004.jackland.co.uk
>   SSH public key fingerprint: DA:92:FD:52:AE:C2:65:00:9A:F6:0B:AA:20:51:8E:04 (ssh-rsa),
>                               53:79:39:CE:D8:13:23:D2:3C:2C:8E:E4:56:7E:41:76 (ssh-ed25519),
>                               56:28:C4:62:3F:64:18:5D:EC:B9:E0:1F:8B:48:EA:0B (ecdsa-sha2-nistp256)
>   cn: ipa004.jackland.co.uk
>   ipauniqueid: 0ffd1566-fd61-11e4-b868-000c29f1a817
>   krblastpwdchange: 20150518132324Z
>   objectclass: ipaSshGroupOfPubKeys, ipaobject, krbprincipal, nshost, top, ipaservice, pkiuser, ipahost, krbticketpolicyaux, krbprincipalaux, ipasshhost
>   serverhostname: ipa004
> -sh-4.2$
>
> -sh-4.1$ ssh ipa004.jackland.co.uk
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
> Please contact your system administrator.
> Add correct host key in /home/adminuser/.ssh/known_hosts to get rid of
> this message.
> Offending key in /var/lib/sss/pubconf/known_hosts:1
> RSA host key for ipa004.jackland.co.uk has changed and you have
> requested strict checking.
> Host key verification failed.
>
> -sh-4.1$ head -1 /var/lib/sss/pubconf/known_hosts
> |1|SsQw9iAjhWz7sgcE9OwLuSC6hsM=|DgSaVQaJDU2dW6U4vN/quyySzvk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl
> -sh-4.1$
>
>
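The repair Bob describes (concatenate the /etc/ssh/ssh_host_*_key.pub files into one comma-separated --sshpubkey value, then hand it to ipa host-mod) and the check he did by hand (diff the keys on disk against the ones IPA holds) can both be scripted. The following is an added example, not code from the thread or from FreeIPA: it builds the single-line value without the manual "join lines in vi" step, compares it set-wise against a comma-separated key list pulled from IPA, and only prints the ipa host-mod command for review rather than running it. The key blobs in make_demo_keys are constructed placeholders, and the comma-separated "stored" value is assumed to be in the same one-line form the --sshpubkey option takes.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the value that
# `ipa host-mod <fqdn> --sshpubkey=...` expects from a host's
# /etc/ssh/ssh_host_*_key.pub files and compare it with what IPA stores.
# Key material in make_demo_keys is constructed, not a real host key.

# Print one public-key file as "<type> <base64>", dropping the comment
# field so comparisons do not depend on the "root@host" trailer.
key_fields() {
    awk 'NF >= 2 { print $1 " " $2 }' "$1"
}

# Comma-join every host public key in a directory (default /etc/ssh) into
# the one-line form taken by --sshpubkey (glob order: ecdsa, ed25519, rsa).
build_sshpubkey_value() {
    dir=${1:-/etc/ssh}
    for f in "$dir"/ssh_host_*_key.pub; do
        [ -r "$f" ] || continue
        key_fields "$f"
    done | paste -s -d ',' -
}

# Compare the keys on disk with the comma-separated list IPA currently
# holds for the host. Order and comments are ignored; exit status 0 means
# the two sets agree, non-zero is the mismatch seen in the thread.
keys_match() {
    stored=$1
    dir=${2:-/etc/ssh}
    on_disk=$(build_sshpubkey_value "$dir" | tr ',' '\n' | sort)
    in_ipa=$(printf '%s\n' "$stored" | tr ',' '\n' |
             awk 'NF >= 2 { print $1 " " $2 }' | sort)
    [ "$on_disk" = "$in_ipa" ]
}

# Emit the repair command for an admin to review; nothing is run against IPA.
print_fix_command() {
    fqdn=$1
    dir=${2:-/etc/ssh}
    printf "ipa host-mod %s --sshpubkey='%s'\n" "$fqdn" "$(build_sshpubkey_value "$dir")"
}

# Populate a directory with constructed key files so the script runs offline.
make_demo_keys() {
    dir=$1
    mkdir -p "$dir"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDdemo-rsa-blob root@ipa004\n' \
        > "$dir/ssh_host_rsa_key.pub"
    printf 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYdemo-ecdsa-blob root@ipa004\n' \
        > "$dir/ssh_host_ecdsa_key.pub"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIdemo-ed25519-blob root@ipa004\n' \
        > "$dir/ssh_host_ed25519_key.pub"
}

# Stand-alone run: the constructed "stored" list carries a stale RSA key,
# so the check fails and the proposed repair command is printed.
demo=$(mktemp -d)
make_demo_keys "$demo"
stale='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDold-rsa-blob,ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYdemo-ecdsa-blob,ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIdemo-ed25519-blob'
if keys_match "$stale" "$demo"; then
    echo "IPA and $demo agree"
else
    echo "IPA holds different keys than $demo; proposed repair:"
    print_fix_command ipa004.jackland.co.uk "$demo"
fi
rm -rf "$demo"
```

Run it on the master with the real directory by passing /etc/ssh (or nothing) as the directory argument and the host's current IPA key list as the stored value; the comparison ignores key order and the comment field, so a trailing "root@host" in one copy and not the other does not register as a mismatch.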
