[Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

Neal Harrington | i-Neda Ltd nharrington at i-neda.com
Tue Jul 5 16:12:55 UTC 2016


Hi,


I have successfully installed FreeIPA server version 4.2.0 on CentOS 7.2, including replication between servers. I have a few dozen Ubuntu 14.04 servers joined into IPA for authentication with various user groups controlling access, sudo permissions, etc., and overall I'm very happy.


I have, however, managed to trip myself up by installing the Ubuntu clients with the --ssh-trust-dns option, and now my users' ssh keys are not trusted and ssh login falls back to password-based on the Ubuntu clients.


If I uninstall a client, reboot and then reinstall without the --ssh-trust-dns option, then the user's ssh key I imported into the web interface is used and login is automatic over ssh.


I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and can't see anything to control this. Most of my online searches cover other aspects of ssh host keys in DNS. If I've missed anything obvious then please point me in the right direction.


I have a reasonable number of servers to make this change on and ideally I'd like to push out the change to a config file and maybe restart a service. Is this behaviour easy to configure or would it be easier to go through the uninstall/reboot/reinstall loop? Luckily these are all testing servers so not a show stopper but I'd prefer to learn what is actually controlling this.


Thanks,

Neal.