[Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

Rob Crittenden rcritten at redhat.com
Wed Jul 6 13:02:30 UTC 2016


Neal Harrington | i-Neda Ltd wrote:
> Hi Rob,
>
>
> Thank you very much for your message. Unfortunately/fortunately after
> rebooting or restarting the ssh server this morning it is all working as
> I would expect. I'm not sure what I was missing yesterday but suspect a
> combination of sssd caching may have been confusing me as I'm sure
> I'd already tried this several times.

Very strange indeed. The sssd cache is persistent so rebooting shouldn't
have affected it at all.

rob

>
>
> Thanks again,
> Neal.
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <rcritten at redhat.com>
> *Sent:* 05 July 2016 18:01
> *To:* Neal Harrington | i-Neda Ltd; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and
> user ssh key query
> Neal Harrington | i-Neda Ltd wrote:
>> Hi,
>>
>>
>> I have successfully installed FreeIPA server version 4.2.0 on CentOS
>> 7.2, including replication between servers. I have a few
>> dozen Ubuntu 14.04 servers joined into IPA for authentication with
>> various user groups controlling access, sudo permissions etc and overall
>> I'm very happy.
>>
>>
>> I have however managed to trip myself up by installing the
>> Ubuntu clients with the --ssh-trust-dns option and now my users' ssh keys
>> are not trusted and ssh login falls back to password-based on the Ubuntu
>> clients.
>>
>>
>> If I uninstall a client, reboot and then reinstall without the
>> --ssh-trust-dns option then the user's ssh key I imported into the web
>> interface is used and login is automatic over ssh.
>>
>>
>> I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and
>> can't see anything to control this. Most of my online searches cover
>> other aspects of ssh host keys in DNS. If I've missed anything obvious
>> then please point me in the right direction.
>>
>>
>> I have a reasonable number of servers to make this change on and ideally
>> I'd like to push out the change to a config file and maybe restart a
>> service. Is this behaviour easy to configure or would it be easier to go
>> through the uninstall/reboot/reinstall loop? Luckily these are all
>> testing servers so not a show stopper but I'd prefer to learn what is
>> actually controlling this.
>
> As far as I can tell this option sets this in sshd.conf:
>
> VerifyHostKeyDNS = yes
> HostKeyAlgorithms = ssh-rsa,ssh-dss
>
> I assume your DNS doesn't contain the SSHFP entries?
>
> rob
>
>
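Rob's earlier reply ties --ssh-trust-dns to SSHFP records in DNS. As an added example (not code from the thread or from FreeIPA), this Python computes the SSHFP rdata a client with VerifyHostKeyDNS enabled would expect for a host public key and checks a DNS answer against it; the host key line and hostname are constructed placeholders.

```python
import base64
import hashlib
import struct

# Constructed sample host key: OpenSSH public key line wrapping an ed25519
# blob whose 32 key bytes are arbitrary (not a real key). Hostname is a placeholder.
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_PUBKEY_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
                      + " root@client1.example.test")
SAMPLE_HOST = "client1.example.test"

# SSHFP algorithm numbers: 1 RSA, 2 DSA (RFC 4255), 3 ECDSA (RFC 6594), 4 Ed25519 (RFC 7479)
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 SHA-1 (RFC 4255), 2 SHA-256 (RFC 6594)
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def sshfp_rdata(pubkey_line, fptype="sha256"):
    """Return (algorithm, fptype, hex_fingerprint) for an OpenSSH public key line.

    The fingerprint is the digest of the raw wire-format key blob, which is
    what ssh-keygen -r emits and what the client compares against DNS."""
    keytype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key type prefix does not match the key blob")
    return SSHFP_ALGORITHM[keytype], SSHFP_FPTYPE[fptype], hashlib.new(fptype, blob).hexdigest()


def sshfp_record(hostname, pubkey_line, fptype="sha256"):
    """Zone-file line that would need to exist for VerifyHostKeyDNS to succeed."""
    alg, fpt, fp = sshfp_rdata(pubkey_line, fptype)
    return f"{hostname}. IN SSHFP {alg} {fpt} {fp}"


def dns_matches_key(sshfp_answers, pubkey_line):
    """True if any DNS SSHFP rdata ('alg fptype hex') matches the host key."""
    expected = {sshfp_rdata(pubkey_line, t) for t in ("sha1", "sha256")}
    for rdata in sshfp_answers:
        alg, fpt, fp = rdata.split()
        if (int(alg), int(fpt), fp.lower()) in expected:
            return True
    return False


if __name__ == "__main__":
    print(sshfp_record(SAMPLE_HOST, SAMPLE_PUBKEY_LINE))
```

Compare the printed record with the SSHFP answer for the host; a missing or stale record is what leaves a client with --ssh-trust-dns unable to verify the host key via DNS.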
