<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 01/13/2014 02:44 PM, Bret Wortman wrote:
<blockquote cite="mid:52D4421D.6040109@damascusgrp.com" type="cite">They're
definitely different. I deleted the one in the file, then tried
again. It put the bad key back in the file. I blew the whole file
away and the same thing happened. Where is this key coming from if
not from IPA?
<br>
</blockquote>
<br>
Puppet?<br>
<br>
<blockquote cite="mid:52D4421D.6040109@damascusgrp.com" type="cite">
<br>
<br>
On 01/13/2014 02:36 PM, Rob Crittenden wrote:
<br>
<blockquote type="cite">Bret Wortman wrote:
<br>
<blockquote type="cite">I've got a strange situation where some
of my workstations are reporting
<br>
difficulty when sshing to remote systems, but there's no
pattern I can
<br>
discern. One user's machine can't get to system A, but I can,
though I
<br>
can't ssh to his workstation directly.
<br>
<br>
Here's the kind of thing I see when doing ssh -vvv:
<br>
<br>
debug1: Server host key: RSA
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
<br>
debug3: load_hostkeys: loading entries for host "rs512" from
file
<br>
"/root/.ssh/known_hosts"
<br>
debug3: load_hostkeys: loaded 0 keys
<br>
debug3: load_hostkeys: loading entries for host "rs512" from
file
<br>
"/var/lib/sss/pubconf/known_hosts"
<br>
debug3: load_hostkeys: found key type RSA in file
<br>
/var/lib/sss/pubconf/known_hosts:2
<br>
debug3: load_hostkeys: loaded 1 keys
<br>
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
<br>
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
<br>
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
<br>
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
<br>
Someone coudl be eavesdropping on you right now
(man-in-the-middle attack)!
<br>
It is also possible that a host key has just been changed.
<br>
The fingerprint for the RSA key sent by the remote host is
<br>
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
<br>
Please contact your system administrator.
<br>
Add correct host key in /root/.ssh/known_hosts to get rid of
this message.
<br>
Offending RSA key in /var/lib/sss/pubconf/known_hosts:2
<br>
RSA host key for zw131 has changed and you have requested
strict checking.
<br>
Host key verification failed.
<br>
#
<br>
<br>
We haven't changed the host key; the public key files are
dated October
<br>
23 of last year. Our configuration files for SSSD and SSH are
managed by
<br>
Puppet, so they are consistent from system to system. That
said, I did
<br>
compare a system that could remote to rs512 to one that could
not and
<br>
found no differences. Here are the files:
<br>
<br>
/etc/sssd/sssd.conf:
<br>
[domain/spx.net]
<br>
cache_credentials = True
<br>
krb5_store_password_if_offline = True
<br>
ipa_domain = foo.net
<br>
id_provider = ipa
<br>
auth_provider = ipa
<br>
access_provider = ipa
<br>
ipa_hostname = zw129.foo.net
<br>
chpass_provider = ipa
<br>
ipa_dyndns_update = True
<br>
ipa_server = 192.168.208.46, _srv_, 192.168.10.111,
192.168.8.49
<br>
ldap_tls_cacert = /etc/ipa/ca.crt
<br>
[domain/.spx.net]
<br>
cache_credentials = True
<br>
krb5_store_password_if_offline = True
<br>
krb5_realm = FOO.NET
<br>
ipa_domain = .foo.net
<br>
id_provider = ipa
<br>
auth_provider = ipa
<br>
access_provider = ipa
<br>
ldap_tls_cacert = /etc/ipa/ca.crt
<br>
chpass_provider = ipa
<br>
ipa_dyndns_update = True
<br>
ipa_server = 192.168.208.46, _srv_, 192.168.10.111,
192.168.8.49
<br>
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
<br>
dns_discovery_domain = .spx.net
<br>
[sssd]
<br>
services = nss, pam, ssh
<br>
config_file_version = 2
<br>
<br>
domains = .spx.net, spx.net
<br>
[nss]
<br>
<br>
[pam]
<br>
<br>
[sudo]
<br>
<br>
[autofs]
<br>
<br>
[ssh]
<br>
<br>
Is there anything else relevant that I should be looking at?
<br>
</blockquote>
<br>
You might compare the value of the key in IPA to what is in
/var/lib/sss/pubconf/known_hosts
<br>
<br>
rob
<br>
<br>
</blockquote>
<br>
<br>
<br>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
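<p>Rob's suggestion above (compare the key IPA holds with the one in /var/lib/sss/pubconf/known_hosts), worked as an added example that is not part of this thread: it parses the SSSD known_hosts proxy file, computes the colon-separated MD5 fingerprints that ssh printed, and compares the entry cached for a host with the fingerprint the remote host sent and the one IPA stores. The host lines and keys in <code>SAMPLE</code> are constructed placeholders, and <code>diagnose</code> and the other function names are this example's own.</p>

```python
import base64
import hashlib
import struct

def rsa_key_blob(e: int, n: int) -> str:
    """Base64 'ssh-rsa' blob (RFC 4253 layout). Only used to build the
    constructed sample lines below; these are not real host keys."""
    def s(b: bytes) -> bytes:           # SSH string: 4-byte length + bytes
        return struct.pack(">I", len(b)) + b
    def mpint(v: int) -> bytes:         # positive mpint, 0x00 pad if high bit set
        return v.to_bytes((v.bit_length() + 8) // 8, "big")
    raw = s(b"ssh-rsa") + s(mpint(e)) + s(mpint(n))
    return base64.b64encode(raw).decode("ascii")

def fingerprint_md5(blob_b64: str) -> str:
    """Colon-separated MD5 fingerprint, the form ssh printed in the thread."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_known_hosts(text: str) -> list:
    """One dict per key line: line number, host aliases, type, blob, fingerprint."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue                     # blank, comment or malformed line
        hosts, ktype, blob = fields[0].split(","), fields[1], fields[2]
        entries.append({"line": lineno, "hosts": hosts, "type": ktype,
                        "blob": blob, "fingerprint": fingerprint_md5(blob)})
    return entries

def entry_for_host(text: str, host: str):
    # The entry SSSD cached for `host` (any alias on the line), or None.
    return next((e for e in parse_known_hosts(text) if host in e["hosts"]), None)

def diagnose(text: str, host: str, remote_fp: str, ipa_fp: str) -> str:
    """Compare the cached key with the fingerprint the remote sent (ssh -vvv)
    and the one IPA stores for the host (ipa host-show <host> --all)."""
    entry = entry_for_host(text, host)
    if entry is None:
        return "no cached key"
    cached, remote, ipa = entry["fingerprint"], remote_fp.lower(), ipa_fp.lower()
    if cached == remote == ipa:
        return "consistent"
    if cached != ipa:
        return "cached key differs from IPA"    # the symptom in this thread
    return "remote host key differs from IPA"   # cache is right; host key changed

# Constructed sample of /var/lib/sss/pubconf/known_hosts; keys are placeholders.
SAMPLE = ("rs512,rs512.foo.net ssh-rsa " + rsa_key_blob(65537, 0xC0FFEE00D5) + "\n"
          + "zw131,zw131.foo.net ssh-rsa " + rsa_key_blob(65537, 0xBADC0DE1234))
```

Run it against the real proxy file and the fingerprint from the ssh warning, and against the fingerprint shown by <code>ipa host-show</code>, to see which of the two cases the host falls into.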
</body>
</html>