[Freeipa-users] re-enrolling clients with --force-join getting /var/lib/sss/pubconf/known_hosts conflicts

Brian J. Murrell brian at interlinx.bc.ca
Thu Nov 5 21:14:10 UTC 2015


On Wed, 2015-11-04 at 15:37 -0500, Brian J. Murrell wrote:
> I am trying to re-enroll clients after re-installing their O/S (EL6)
> using:
> 
> # ipa-client-install --force-join ...
> 
> Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I
> am
> finding that after doing that for a given host, trying to ssh to it
> from another enrolled IPA client I am getting:
> 
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle
> attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 15:db:4d:e2:8b:c2:b8:3d:da:93:90:06:f2:f1:d6:21.
> Please contact your system administrator.
> Add correct host key in /dev/null to get rid of this message.
> Offending DSA key in /var/lib/sss/pubconf/known_hosts:4
> Keyboard-interactive authentication is disabled to avoid man-in-the
> -middle attacks.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

So the problem here was not really anything to do with the above, but
rather that ipa-client-install is flaky and can fail; running it again a
few seconds later, it succeeds.  Since I am provisioning multiple
systems at a time in a script, it was not clearly obvious to me that it
was failing.

And so when ipa-client-install flakes out, of course what is left is
the previous instance of the node in FreeIPA complete with the previous
instance's SSH keys.

b.
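The failure mode described in this message is a provisioning script that ignores the exit status of ipa-client-install, so a flaky run leaves the old host entry (and its old SSH keys) in FreeIPA and every later ssh connection trips SSSD's known_hosts check. Below is an added example, not code from the original post or from the FreeIPA project, of how a provisioning script can make that failure visible: a retry wrapper that aborts loudly when enrollment never succeeds, followed by a post-enrollment comparison of the host's local SSH public keys against the keys recorded in IPA. It assumes ipa-client-install accepts `--unattended` and `--hostname`, that `ipa host-show --raw` prints the keys as `ipasshpubkey:` lines, and that the host keytab is available for `kinit -k`; the key files used by the comparison function are constructed inputs in the test, not real output.

```shell
#!/bin/bash
# Added example (not from the original post or the FreeIPA project).
# Assumes: ipa-client-install supports --unattended/--force-join/--hostname,
# `ipa host-show --raw` emits "ipasshpubkey: <type> <base64>" lines, and
# /etc/krb5.keytab lets the host kinit after enrollment.
set -u

# Run a command up to $1 times, sleeping $2 seconds between attempts.
# Returns 0 on the first success, otherwise the status of the last attempt.
retry() {
    local attempts=$1 delay=$2
    shift 2
    local n=1 rc=0
    while :; do
        "$@" && return 0
        rc=$?
        if [ "$n" -ge "$attempts" ]; then
            echo "FAILED after $n attempt(s) (rc=$rc): $*" >&2
            return "$rc"
        fi
        echo "attempt $n failed (rc=$rc), retrying in ${delay}s" >&2
        n=$((n + 1))
        sleep "$delay"
    done
}

# Report local SSH host public keys that IPA does not know about.
# $1: file of local keys, one "<type> <base64> [comment]" per line
# $2: file of keys recorded in IPA, same format (comment optional)
# Prints each missing key and returns 1 if any is missing, 0 otherwise.
ssh_keys_missing_in_ipa() {
    local local_keys=$1 ipa_keys=$2 missing=0 type key
    while read -r type key _; do
        [ -n "${type:-}" ] || continue
        if ! grep -q -F -- "$key" "$ipa_keys"; then
            echo "missing in IPA: $type $key"
            missing=1
        fi
    done < "$local_keys"
    return "$missing"
}

# Enroll this host, failing the provisioning run if enrollment never succeeds,
# then confirm IPA holds the keys that sshd on this reinstalled host presents.
enroll_host() {
    local fqdn=$1
    shift
    retry 3 10 ipa-client-install --unattended --force-join --hostname "$fqdn" "$@" || exit 1
    kinit -k || exit 1
    local ipa_keys local_keys
    ipa_keys=$(mktemp) local_keys=$(mktemp)
    ipa host-show --raw "$fqdn" | sed -n 's/^ *ipasshpubkey: //p' > "$ipa_keys"
    cat /etc/ssh/ssh_host_*_key.pub > "$local_keys"
    if ! ssh_keys_missing_in_ipa "$local_keys" "$ipa_keys"; then
        echo "IPA still holds stale SSH keys for $fqdn; sshd clients will see a host key change" >&2
        exit 1
    fi
    rm -f "$ipa_keys" "$local_keys"
}

# Usage: ./enroll.sh host.example.test [extra ipa-client-install options]
if [ "$#" -gt 0 ]; then
    enroll_host "$@"
fi
```

The point of the wrapper is that a transient failure is retried, but a persistent one stops the script instead of leaving a half-enrolled host behind; the key comparison then catches exactly the symptom in the quoted ssh warning before any other client connects.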