<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I was assuming that the key was being re-inserted by the ssh
authentication request, but to eliminate puppet, I just tried this
sequence:<br>
<br>
<font face="Courier New, Courier, monospace"># puppet agent
--disable<br>
# rm -f /var/lib/sss/pubconf/known_hosts<br>
# ls -l /var/lib/sss/pubconf/known_hosts<br>
# ssh zw131<br>
:<br>
: </font>(errors about the key being incorrect<font face="Courier
New, Courier, monospace">)<br>
:<br>
# cat /var/lib/sss/pubconf/known_hosts<br>
:<br>
<br>
</font>it now contained the bad key again.<br>
<br>
<br>
<div class="moz-cite-prefix">On 01/13/2014 02:52 PM, Dmitri Pal
wrote:<br>
</div>
<blockquote cite="mid:52D443E7.3000300@redhat.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
On 01/13/2014 02:44 PM, Bret Wortman wrote:
<blockquote cite="mid:52D4421D.6040109@damascusgrp.com"
type="cite">They're definitely different. I deleted the one in
the file, then tried again. It put the bad key back in the file.
I blew the whole file away and the same thing happened. Where is
this key coming from if not from IPA? <br>
</blockquote>
<br>
Puppet?<br>
<br>
<blockquote cite="mid:52D4421D.6040109@damascusgrp.com"
type="cite"> <br>
<br>
On 01/13/2014 02:36 PM, Rob Crittenden wrote: <br>
<blockquote type="cite">Bret Wortman wrote: <br>
<blockquote type="cite">I've got a strange situation where
some of my workstations are reporting <br>
difficulty when sshing to remote systems, but there's no
pattern I can <br>
discern. One user's machine can't get to system A, but I
can, though I <br>
can't ssh to his workstation directly. <br>
<br>
Here's the kind of thing I see when doing ssh -vvv: <br>
<br>
debug1: Server host key: RSA
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab <br>
debug3: load_hostkeys: loading entries for host "rs512" from
file <br>
"/root/.ssh/known_hosts" <br>
debug3: load_hostkeys: loaded 0 keys <br>
debug3: load_hostkeys: loading entries for host "rs512" from
file <br>
"/var/lib/sss/pubconf/known_hosts" <br>
debug3: load_hostkeys: found key type RSA in file <br>
/var/lib/sss/pubconf/known_hosts:2 <br>
debug3: load_hostkeys: loaded 1 keys <br>
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ <br>
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ <br>
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ <br>
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! <br>
Someone coudl be eavesdropping on you right now
(man-in-the-middle attack)! <br>
It is also possible that a host key has just been changed. <br>
The fingerprint for the RSA key sent by the remote host is <br>
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab <br>
Please contact your system administrator. <br>
Add correct host key in /root/.ssh/known_hosts to get rid of
this message. <br>
Offending RSA key in /var/lib/sss/pubconf/known_hosts:2 <br>
RSA host key for zw131 has changed and you have requested
strict checking. <br>
Host key verification failed. <br>
# <br>
<br>
We haven't changed the host key; the public key files are
dated October <br>
23 of last year. Our configuration files for SSSD and SSH
are managed by <br>
Puppet, so they are consistent from system to system. That
said, I did <br>
compare a system that could remote to rs512 to one that
could not and <br>
found no differences. Here are the files: <br>
<br>
/etc/sssd/sssd.conf: <br>
[domain/spx.net] <br>
cache_credentials = True <br>
krb5_store_password_if_offline = True <br>
ipa_domain = foo.net <br>
id_provider = ipa <br>
auth_provider = ipa <br>
access_provider = ipa <br>
ipa_hostname = zw129.foo.net <br>
chpass_provider = ipa <br>
ipa_dyndns_update = True <br>
ipa_server = 192.168.208.46, _srv_, 192.168.10.111,
192.168.8.49 <br>
ldap_tls_cacert = /etc/ipa/ca.crt <br>
[domain/.spx.net] <br>
cache_credentials = True <br>
krb5_store_password_if_offline = True <br>
krb5_realm = FOO.NET <br>
ipa_domain = .foo.net <br>
id_provider = ipa <br>
auth_provider = ipa <br>
access_provider = ipa <br>
ldap_tls_cacert = /etc/ipa/ca.crt <br>
chpass_provider = ipa <br>
ipa_dyndns_update = True <br>
ipa_server = 192.168.208.46, _srv_, 192.168.10.111,
192.168.8.49 <br>
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net <br>
dns_discovery_domain = .spx.net <br>
[sssd] <br>
services = nss, pam, ssh <br>
config_file_version = 2 <br>
<br>
domains = .spx.net, spx.net <br>
[nss] <br>
<br>
[pam] <br>
<br>
[sudo] <br>
<br>
[autofs] <br>
<br>
[ssh] <br>
<br>
Is there anything else relevant that I should be looking at?
<br>
</blockquote>
<br>
You might compare the value of the key in IPA to what is in
/var/lib/sss/pubconf/known_hosts <br>
<br>
rob <br>
<br>
</blockquote>
<br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</body>
</html>