Russ Long via FreeIPA-users wrote:
> In my homelab, where I only have a single IPA server, I have had to rebuild / 
> replace it due to issues outside of IPA.  I was unable to restore the VM from 
> a snapshot, however I was able to rebuild and use a backup created by 
> ipa-backup to perform a restore.  Everything appeared to work fine, and IPA 
> clients are working, as well as LDAP and other services.  The only issue I'm 
> encountering is that when I try to ssh to the IPA server from one of the 
> clients, SSH hangs here:
> 
> $ ssh -vvvvv master
> OpenSSH_8.1p1, OpenSSL 1.1.1d FIPS  10 Sep 2019
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug3: /etc/ssh/ssh_config line 51: Including file 
> /etc/ssh/ssh_config.d/05-redhat.conf depth 0
> debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
> debug2: checking match for 'final all' host master originally master
> debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched 'final'
> debug2: match not found
> debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file 
> /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
> debug1: Reading configuration data 
> /etc/crypto-policies/back-ends/openssh.config
> debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
> debug3: kex names ok: 
> [curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
> debug1: configuration requests final Match pass
> debug1: re-parsing configuration
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug3: /etc/ssh/ssh_config line 51: Including file 
> /etc/ssh/ssh_config.d/05-redhat.conf depth 0
> debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
> debug2: checking match for 'final all' host master originally master
> debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: matched 'final'
> debug2: match found
> debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file 
> /etc/crypto-policies/back-ends/openssh.config depth 1
> debug1: Reading configuration data 
> /etc/crypto-policies/back-ends/openssh.config
> debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
> debug3: kex names ok: 
> [curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
> debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 
> master
> debug1: identity file /home/rlong/.ssh/id_rsa type -1
> debug1: identity file /home/rlong/.ssh/id_rsa-cert type -1
> debug1: identity file /home/rlong/.ssh/id_dsa type -1
> debug1: identity file /home/rlong/.ssh/id_dsa-cert type -1
> debug1: identity file /home/rlong/.ssh/id_ecdsa type -1
> debug1: identity file /home/rlong/.ssh/id_ecdsa-cert type -1
> debug1: identity file /home/rlong/.ssh/id_ed25519 type -1
> debug1: identity file /home/rlong/.ssh/id_ed25519-cert type -1
> debug1: identity file /home/rlong/.ssh/id_xmss type -1
> debug1: identity file /home/rlong/.ssh/id_xmss-cert type -1
> debug1: Local version string SSH-2.0-OpenSSH_8.1
> 
> 
> I'm assuming it has something to do with the knownhostsproxy setup, but I 
> can't find any information on how to confirm that or what to do to resolve 
> it.  I am able to ssh to the IPA server from any system that is not enrolled 
> as an IPA client.
> 
> Any ideas?

Maybe see if it can get the keys from the master:

sss_ssh_knownhostsproxy -k master

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Reply via email to