<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="GENERATOR" content="GtkHTML/4.6.5"> </head> <body> Thanks! I changed that last line in my ssh_config, reloaded sshd, and was able to log in! -Kenny On Wed, 2013-07-17 at 16:46 +0200, Jan Cholasta wrote: <blockquote type="CITE"> <pre> On 17.7.2013 16:22, Armstrong, Kenneth Lawrence wrote: > Ok, hopefully my last SSH key question. > > I've been following the instructions here: > <a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/host-keys.html#installing-host-keys">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/host-keys.html#installing-host-keys</a> > > and here: > > <a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/openssh-sssd.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/openssh-sssd.html</a> > > I have my host's public key set, it shows up in the web UI, and I have > these lines added to the end of the /etc/ssh/ssh_config file on the > client machine (that is also a member of the IdM domain): > > ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p -d > LINUXTEST.LIBERTY.EDU %h > UserKnownHostsFile2 .ssh/sss_known_hosts > > I have reloaded the SSH service on the client. I go to connect from my > client to my linuxtest server (which happens to be my IdM server), and I > get this: > > [karmstrong@linuxclient <<a href="mailto:karmstrong@linuxclient">mailto:karmstrong@linuxclient</a>> ~]$ ssh > <a href="mailto:karmstrong@linuxtest.liberty.edu">karmstrong@linuxtest.liberty.edu</a> <<a href="mailto:karmstrong@linuxtest.liberty.edu">mailto:karmstrong@linuxtest.liberty.edu</a>> > The authenticity of host 'linuxtest.liberty.edu (<no hostip for proxy > command>)' can't be established. > RSA key fingerprint is ad:22:28:8d:91:81:3c:07:47:9d:5a:0d:09:33:18:e1. > Are you sure you want to continue connecting (yes/no)? no > Host key verification failed. > > The public key fingerprint matches what is set on the host's page in the > IdM interface. > > I do not have a known_hosts in the karmstrong .ssh directory. > > I have also tried adding the FQDN, and FQDN,ip address into the SSH key > on the IdM server through the Web UI, but I still get the bit about not > finding an IP for the proxy command to use when it tries to authenticate > the host. > > I have also verified that there is a PTR record in DNS for the host > itself, so I believe that it is not a name resolution error. > > Am I missing something? No. The documentation is wrong for some reason. This is what you should have in ssh_config: ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts Honza </pre> </blockquote> <table cellspacing="0" cellpadding="0" width="100%"> <tbody> <tr> <td>-- Kenny Armstrong System Administrator IS Operations <a href="http://www.liberty.edu/media/1616/40themail/wordmark-for-email.jpg"><img src="cid:1374072793.31709.11.camel@localhost.localdomain" align="bottom" alt="http://www.liberty.edu/media/1616/40themail/wordmark-for-email.jpg" border="0"></a> Training Champions for Christ since 1971 </td> </tr> </tbody> </table> </body> </html>