[Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

Rob Crittenden rcritten at redhat.com
Tue Jul 5 17:01:49 UTC 2016


Neal Harrington | i-Neda Ltd wrote:
> Hi,
>
>
> I have successfully installed FreeIPA server version 4.2.0 on CentOS
> 7.2, including replication between servers. I have a few
> dozen Ubuntu 14.04 servers joined into IPA for authentication with
> various user groups controlling access, sudo permissions etc and overall
> I'm very happy.
>
>
> I have however managed to trip myself up by installing the
> Ubuntu clients with the --ssh-trust-dns option and now my users' ssh keys
> are not trusted and ssh login falls back to password-based on the Ubuntu
> clients.
>
>
> If I uninstall a client, reboot and then reinstall without the
> --ssh-trust-dns option then the user's ssh key I imported into the web
> interface is used and login is automatic over ssh.
>
>
> I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and
> can't see anything to control this. Most of my online searches cover
> other aspects of ssh host keys in DNS. If I've missed anything obvious
> then please point me in the right direction.
>
>
> I have a reasonable number of servers to make this change on and ideally
> I'd like to push out the change to a config file and maybe restart a
> service. Is this behaviour easy to configure or would it be easier to go
> through the uninstall/reboot/reinstall loop? Luckily these are all
> testing servers so not a show stopper but I'd prefer to learn what is
> actually controlling this.

As far as I can tell this option sets this in sshd.conf:

VerifyHostKeyDNS = yes
HostKeyAlgorithms = ssh-rsa,ssh-dss

I assume your DNS doesn't contain the SSHFP entries?

rob
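Rob's answer turns on whether DNS carries SSHFP records for the hosts, since VerifyHostKeyDNS only helps when the record the client looks up matches the host key the server presents. The following is an added example, not code from the original thread or from FreeIPA, that shows what an SSHFP record contains (RFC 4255, RFC 6594 and RFC 7479: an algorithm number, a fingerprint type and a hash of the raw public-key blob) and checks a host key against a list of DNS answers. In practice the records come from `ssh-keygen -r <hostname>` on the host and the answers from `dig SSHFP <hostname>`; the public-key line, the host name host.example.test and the DNS answers below are constructed for the example and are not real keys or zone data.

```python
"""Generate and check SSHFP records for an OpenSSH public key (RFC 4255, 6594, 7479).

Added example for the thread above; the sample key and DNS answers are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import struct

# Key-type name -> SSHFP algorithm number (RFC 4255 sec 3.1.1, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# Fingerprint type name -> (SSHFP fptype number, hash constructor).
SSHFP_FPTYPE = {
    "sha1": (1, hashlib.sha1),
    "sha256": (2, hashlib.sha256),
}


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes (RFC 4251 sec 5)."""
    return struct.pack(">I", len(data)) + data


def sample_ed25519_pubkey_line() -> str:
    """CONSTRUCTED sample: an authorized_keys-style line whose 32-byte key is a fixed
    byte pattern, not a real key. Only the encoding matters for the SSHFP computation."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " host.example.test"


def sshfp_records(pubkey_line: str, fptypes=("sha1", "sha256")) -> list[str]:
    """Return SSHFP RDATA strings ("<alg> <fptype> <hex>") for a public-key line.

    These are the same records `ssh-keygen -r <host>` prints: the fingerprint is the
    hash of the base64-decoded key blob, not of the textual key line.
    """
    fields = pubkey_line.split()
    keytype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64)
    # Sanity check: the blob's first wire string must name the same key type as the prefix.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != keytype.encode("ascii"):
        raise ValueError("key type prefix does not match key blob")
    alg = SSHFP_ALGORITHM[keytype]
    return [f"{alg} {num} {ctor(blob).hexdigest()}" for num, ctor in
            (SSHFP_FPTYPE[fpt] for fpt in fptypes)]


def verify_against_dns(pubkey_line: str, dns_answers: list[str]) -> bool:
    """Model the check VerifyHostKeyDNS relies on: at least one SSHFP answer from DNS
    matches the host key the server presented.

    dns_answers are RDATA strings as `dig SSHFP <host>` would show them. The hex is
    compared case-insensitively, and either fingerprint type may match. An empty
    answer set (no SSHFP records published) fails, which is the situation Rob asks about.
    """
    wanted = {tuple(r.lower().split()) for r in sshfp_records(pubkey_line)}
    for ans in dns_answers:
        parts = tuple(ans.strip().lower().split())
        if len(parts) == 3 and parts in wanted:
            return True
    return False


if __name__ == "__main__":
    line = sample_ed25519_pubkey_line()
    for rec in sshfp_records(line):
        print("host.example.test. IN SSHFP", rec)   # zone-file form of the records
    print("matches DNS:", verify_against_dns(line, sshfp_records(line)[1:]))
```

The records a client trusts must hash the exact blob the server presents; publishing records for one key type (for example only ssh-rsa) while the server negotiates another (for example ssh-ed25519) leaves the client without a matching record, which is one reason to pin HostKeyAlgorithms alongside VerifyHostKeyDNS as the installer does.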
