[Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

Neal Harrington | i-Neda Ltd nharrington at i-neda.com
Wed Jul 6 11:55:05 UTC 2016


Hi Rob,


Thank you very much for your message. Unfortunately/fortunately after rebooting or restarting the ssh server this morning it is all working as I would expect. I'm not sure what I was missing yesterday but suspect a combination of sssd caching may have been confusing me as I'm sure I'd already tried this several times.

Thanks again,
Neal.
________________________________
From: Rob Crittenden <rcritten at redhat.com>
Sent: 05 July 2016 18:01
To: Neal Harrington | i-Neda Ltd; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

Neal Harrington | i-Neda Ltd wrote:
> Hi,
>
>
> I have successfully installed FreeIPA server version 4.2.0 on CentOS
> 7.2, including replication between servers. I have a few
> dozen Ubuntu 14.04 servers joined into IPA for authentication with
> various user groups controlling access, sudo permissions etc and overall
> I'm very happy.
>
>
> I have however managed to trip myself up by installing the
> Ubuntu clients with the --ssh-trust-dns option and now my users' ssh keys
> are not trusted and ssh login falls back to password based on the Ubuntu
> clients.
>
>
> If I uninstall a client, reboot and then reinstall without the
> --ssh-trust-dns option then the user's ssh key I imported into the web
> interface is used and login is automatic over ssh.
>
>
> I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and
> can't see anything to control this. Most of my online searches cover
> other aspects of ssh host keys in DNS. If I've missed anything obvious
> then please point me in the right direction.
>
>
> I have a reasonable number of servers to make this change on and ideally
> I'd like to push out the change to a config file and maybe restart a
> service. Is this behaviour easy to configure or would it be easier to go
> through the uninstall/reboot/reinstall loop? Luckily these are all
> testing servers so not a show stopper but I'd prefer to learn what is
> actually controlling this.

As far as I can tell this option sets this in sshd.conf:

VerifyHostKeyDNS = yes
HostKeyAlgorithms = ssh-rsa,ssh-dss

I assume your DNS doesn't contain the SSHFP entries?

rob

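Rob's reply points at SSHFP records in DNS. As an added example that is not part of this thread and not FreeIPA or OpenSSH code, the script below computes the SSHFP RDATA an OpenSSH public key line should have in DNS (the same values `ssh-keygen -r <host>` prints) and compares them against what `dig +short SSHFP <host>` returns, so a client with VerifyHostKeyDNS enabled can be checked against what is actually published. The sample key is a constructed all-zero Ed25519 key, not a real host key; the hostname is a placeholder.

```python
"""Compute SSHFP RDATA for an OpenSSH public key line and compare it with
DNS. Added example, not FreeIPA/OpenSSH code. Numbers follow RFC 4255
(SHA-1; RSA, DSA), RFC 6594 (SHA-256; ECDSA) and RFC 7479 (Ed25519)."""
import base64
import hashlib

# SSHFP algorithm number keyed by the OpenSSH key type in the .pub line.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
             "ssh-ed25519": 4}
# SSHFP fingerprint type: 1 = SHA-1, 2 = SHA-256 (usually both are published).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_rdata(pubkey_line):
    """Return [(alg, fptype, hex_fingerprint), ...] for one ssh_host_*_key.pub
    line. The fingerprint is a digest of the raw (base64-decoded) key blob."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] not in SSHFP_ALG:
        raise ValueError("unsupported or malformed public key line")
    blob = base64.b64decode(fields[1])
    alg = SSHFP_ALG[fields[0]]
    return [(alg, t, h(blob).hexdigest()) for t, h in SSHFP_HASH.items()]

def zone_lines(hostname, pubkey_line):
    """Zone-file lines for the key, equivalent to what `ssh-keygen -r` prints."""
    return ["%s IN SSHFP %d %d %s" % (hostname, a, t, fp)
            for a, t, fp in sshfp_rdata(pubkey_line)]

def check_dns(pubkey_line, published):
    """published: 'alg fptype hex' strings as printed by `dig +short SSHFP host`
    (dig prints the hex in upper case). Returns (missing, unexpected)."""
    expected = {"%d %d %s" % r for r in sshfp_rdata(pubkey_line)}
    got = set()
    for rr in published:
        parts = rr.split()
        if len(parts) >= 3:
            got.add("%s %s %s" % (parts[0], parts[1], "".join(parts[2:]).lower()))
    return sorted(expected - got), sorted(got - expected)

def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b

# Constructed sample: an all-zero 32-byte Ed25519 public key, NOT a real host key.
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode() + " sample"

if __name__ == "__main__":
    print("\n".join(zone_lines("host.example.test.", SAMPLE_KEY)))
```

Feed `check_dns` the contents of `/etc/ssh/ssh_host_*_key.pub` on the client and the output of `dig +short SSHFP <host>`: a non-empty `missing` list means the records VerifyHostKeyDNS would need are not published for that key.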
