[Freeipa-users] re-enrolling clients with --force-join getting /var/lib/sss/pubconf/known_hosts conflicts
Brian J. Murrell
brian at interlinx.bc.ca
Wed Nov 4 20:37:54 UTC 2015
I am trying to re-enroll clients after re-installing their O/S (EL6)
using:
# ipa-client-install --force-join ...
Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I am
finding that after doing that for a given host, trying to ssh to it
from another enrolled IPA client I am getting:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
15:db:4d:e2:8b:c2:b8:3d:da:93:90:06:f2:f1:d6:21.
Please contact your system administrator.
Add correct host key in /dev/null to get rid of this message.
Offending DSA key in /var/lib/sss/pubconf/known_hosts:4
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Removing offending keys from /var/lib/sss/pubconf/known_hosts doesn't
fix things as the offending key just gets put right back.
Clearly something is going wrong with the re-enrollment and the SSH key
of the new instance vs. the SSH key of the old instance.
Am I doing something wrong or not doing something else I should be?
Cheers,
b.
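As an added example (not from the original message, nor from the FreeIPA or SSSD projects), a small Python check that compares what SSSD publishes for a host in /var/lib/sss/pubconf/known_hosts against the key the host itself serves from /etc/ssh/ssh_host_*_key.pub, so a stale key left over from the previous enrollment shows up before the ssh warning above does. It assumes SSSD writes plain OpenSSH known_hosts lines with unhashed host names, prints MD5 fingerprints in the colon form the warning uses, and all key material and file contents are constructed.

```python
import base64
import hashlib

# Constructed sample data (not real keys): the blob SSSD still publishes for the
# host after re-enrollment versus the key the freshly installed host actually uses.
STALE_DSS_BLOB = base64.b64encode(b"constructed DSA key blob of the OLD instance").decode()
CURRENT_RSA_BLOB = base64.b64encode(b"constructed RSA key blob of the NEW instance").decode()

# Shape of /var/lib/sss/pubconf/known_hosts as written by sssd_ssh (assumed:
# plain OpenSSH known_hosts lines, unhashed host names).
SSSD_KNOWN_HOSTS = f"""# generated by sssd (constructed sample)
other.example.com ssh-rsa {CURRENT_RSA_BLOB}
host1.example.com ssh-dss {STALE_DSS_BLOB}
"""

# Contents of the host's own /etc/ssh/ssh_host_rsa_key.pub (constructed).
LOCAL_HOST_KEYS = [f"ssh-rsa {CURRENT_RSA_BLOB} root@host1.example.com"]

def md5_fingerprint(blob_b64: str) -> str:
    """Colon-separated MD5 fingerprint, the form the OpenSSH warning prints."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).digest()
    return ":".join(f"{b:02x}" for b in digest)

def parse_known_hosts(text: str):
    """Yield (hostnames, keytype, blob) per key line; skip comments and markers."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        yield fields[0].split(","), fields[1], fields[2]

def find_stale_entries(known_hosts_text: str, hostname: str, local_pubkeys):
    """Entries for `hostname` whose key is not among the host's current keys."""
    current = {line.split()[1] for line in local_pubkeys if len(line.split()) > 1}
    stale = []
    for hosts, keytype, blob in parse_known_hosts(known_hosts_text):
        if hostname in hosts and blob not in current:
            stale.append({"type": keytype, "md5": md5_fingerprint(blob)})
    return stale

if __name__ == "__main__":
    for entry in find_stale_entries(SSSD_KNOWN_HOSTS, "host1.example.com", LOCAL_HOST_KEYS):
        print(f"stale {entry['type']} key published for host1: {entry['md5']}")
```

Run it on the enrolling client with the real file contents; any entry it reports is a key IPA is still handing out for that host that the host no longer has.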