Russ Long via FreeIPA-users wrote:
> In my homelab, where I only have a single IPA server, I have had to rebuild /
> replace it due to issues outside of IPA. I was unable to restore the VM from
> a snapshot, however I was able to rebuild and use a backup created by
> ipa-backup to perform a restore. Everything appeared to work fine, and IPA
> clients are working, as well as LDAP and other services. The only issue I'm
> encountering is that when I try to ssh to the IPA server from one of the
> clients, SSH hangs here:
>
> $ ssh -vvvvv master
> OpenSSH_8.1p1, OpenSSL 1.1.1d FIPS 10 Sep 2019
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
> debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
> debug2: checking match for 'final all' host master originally master
> debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched 'final'
> debug2: match not found
> debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
> debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
> debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
> debug3: kex names ok: [curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
> debug1: configuration requests final Match pass
> debug1: re-parsing configuration
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
> debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
> debug2: checking match for 'final all' host master originally master
> debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: matched 'final'
> debug2: match found
> debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
> debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
> debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
> debug3: kex names ok: [curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
> debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 master
> debug1: identity file /home/rlong/.ssh/id_rsa type -1
> debug1: identity file /home/rlong/.ssh/id_rsa-cert type -1
> debug1: identity file /home/rlong/.ssh/id_dsa type -1
> debug1: identity file /home/rlong/.ssh/id_dsa-cert type -1
> debug1: identity file /home/rlong/.ssh/id_ecdsa type -1
> debug1: identity file /home/rlong/.ssh/id_ecdsa-cert type -1
> debug1: identity file /home/rlong/.ssh/id_ed25519 type -1
> debug1: identity file /home/rlong/.ssh/id_ed25519-cert type -1
> debug1: identity file /home/rlong/.ssh/id_xmss type -1
> debug1: identity file /home/rlong/.ssh/id_xmss-cert type -1
> debug1: Local version string SSH-2.0-OpenSSH_8.1
>
> I'm assuming it has something to do with the knownhostsproxy setup, but I
> can't find any information on how to confirm that or what to do to resolve
> it. I am able to ssh to the IPA server from any system that is not enrolled
> as an IPA client.
>
> Any ideas?

Maybe see if it can get the keys from the master:

sss_ssh_knownhostsproxy -k master

rob
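
An added example, not part of the thread or of FreeIPA/SSSD: a small triage helper that reads `ssh -v` output like the log quoted above and reports how far the session got. The function name `triage` and the stage labels are made up for this illustration; the first sample is excerpted from the quoted log, the second is constructed.

```python
import re

# OpenSSH client debug lines that mark progress toward the version exchange.
PROXY = re.compile(r"debug1: Executing proxy command: exec (\S+)")
LOCAL = re.compile(r"debug1: Local version string (\S+)")
REMOTE = re.compile(r"debug1: Remote protocol version \S+ remote software version (.+)")


def triage(log_text):
    """Return (stage, detail) for an `ssh -v` log; stage names are illustrative."""
    seen = {}
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted logs
        for name, rx in (("proxy", PROXY), ("local", LOCAL), ("remote", REMOTE)):
            m = rx.search(line)
            if m:
                seen[name] = m.group(1)
    if "remote" in seen:
        # The server banner arrived, so the transport (proxy included) works.
        return ("banner-received", seen["remote"])
    if "local" not in seen:
        return ("before-version-exchange", "")
    if "proxy" in seen:
        # Client sent its banner through the ProxyCommand and got nothing back:
        # the helper named here is the first thing to test on its own.
        return ("stalled-in-proxycommand", seen["proxy"])
    return ("no-server-banner", seen["local"])


# Excerpt of the log quoted in the post (mail quoting left in place).
POSTED = """\
> debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 master
> debug1: identity file /home/rlong/.ssh/id_rsa type -1
> debug1: Local version string SSH-2.0-OpenSSH_8.1
"""

# Constructed contrast case: the same session with a server banner received.
HEALTHY = POSTED + "debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0\n"

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("healthy (constructed)", HEALTHY)):
        print(label, "->", triage(text))
```

A "stalled-in-proxycommand" result points at the helper itself, which is what running `sss_ssh_knownhostsproxy -k master` by hand, as suggested in the reply, checks.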