On Wed, Sep 15, 2021 at 10:57:55AM -0400, Rob Crittenden via FreeIPA-users 
wrote:
> Dominik Vogt via FreeIPA-users wrote:
> > However, host key files in rsa and ecdsa format keep reappearing.
> > I'm not exactly sure when this happens.  Does it have something to
> > do with sssd?
>
> I believe sshd generates keys on startup if they do not exist.

For the record, I've fixed the problem with

  $ systemctl mask sshd-keygen@rsa.service
  $ systemctl mask sshd-keygen@ecdsa.service
  $ systemctl mask sshd-keygen@ed25519.service

> You probably want to include the --no-dns-sshfp option for
> ipa-client-install to prevent any existing SSH keys from appearing in DNS.

Yes.

> > Caching the keys in sssd would be in order if we can make sure
> > that sssd does not cache the old keys at any time.  Running
> > "sss_cache -H" does not seem to affect the cached known_hosts file
> > in /var/lib though.

We now remove /var/lib/sss/.../known_hosts at startup.

Our ssh connection problems because of old keys in the sss cache
are gone, and no keys are being generated when sshd starts up.

Thanks for the help!

Dominik ^_^  ^_^

--

Dominik Vogt
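The three steps settled on in this thread (mask the per-type sshd-keygen units so unwanted host keys are not regenerated, get rid of the unwanted key files, and drop sssd's cached known_hosts so stale keys cannot come back) as one small shell helper. This is an added example, not code from the thread, from FreeIPA or from sssd. It assumes the Fedora/RHEL `sshd-keygen@<type>.service` template units named above, a host-key directory laid out like /etc/ssh (`ssh_host_<type>_key` plus `.pub`), and that sssd's cached known_hosts lives at /var/lib/sss/pubconf/known_hosts (the thread abbreviates that path; the location here is an assumption and can be overridden through `SSS_KNOWN_HOSTS`). It defaults to a dry run that only prints the commands; set `DRY=0` to execute them.

```shell
#!/bin/sh
# Added example, not from the thread: keep exactly the wanted host-key types,
# stop systemd from regenerating the others, and clear sssd's known_hosts cache.
set -e

# Key types this host should keep (space-separated). Everything else is unwanted.
WANTED_TYPES="${WANTED_TYPES:-ed25519}"
# The key types the sshd-keygen@.service template can generate.
ALL_TYPES="rsa ecdsa ed25519"
# sssd's cached known_hosts. Assumed location (the thread only shows /var/lib/sss/.../known_hosts).
SSS_KNOWN_HOSTS="${SSS_KNOWN_HOSTS:-/var/lib/sss/pubconf/known_hosts}"
# DRY=1 prints each command instead of running it; DRY=0 really runs it.
DRY="${DRY:-1}"

run() {
  if [ "$DRY" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# in_list NEEDLE "word word word": succeed if NEEDLE is one of the words.
in_list() {
  for w in $2; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# present_types DIR: print the host-key types found in DIR, one per line.
present_types() {
  for t in $ALL_TYPES; do
    [ -f "$1/ssh_host_${t}_key" ] && echo "$t"
  done
  return 0
}

# unwanted_types DIR: print the types found in DIR that are not in WANTED_TYPES.
unwanted_types() {
  for t in $(present_types "$1"); do
    in_list "$t" "$WANTED_TYPES" || echo "$t"
  done
  return 0
}

# Mask the keygen unit for every type we do not want, so sshd's start-up
# cannot recreate the key (this is the fix from the thread).
mask_unwanted_keygen() {
  for t in $ALL_TYPES; do
    in_list "$t" "$WANTED_TYPES" || run systemctl mask "sshd-keygen@${t}.service"
  done
  return 0
}

# remove_unwanted_keys DIR: delete the private and public key of each unwanted type.
remove_unwanted_keys() {
  for t in $(unwanted_types "$1"); do
    run rm -f "$1/ssh_host_${t}_key" "$1/ssh_host_${t}_key.pub"
  done
  return 0
}

# Drop sssd's known_hosts cache so clients stop trusting keys that no longer exist.
clear_sss_known_hosts() {
  [ -e "$SSS_KNOWN_HOSTS" ] && run rm -f "$SSS_KNOWN_HOSTS"
  return 0
}

# Usage: sh fix-host-keys.sh apply [KEYDIR]   (KEYDIR defaults to /etc/ssh)
if [ "${1:-}" = "apply" ]; then
  keydir="${2:-/etc/ssh}"
  echo "host keys present in $keydir: $(present_types "$keydir" | tr '\n' ' ')"
  mask_unwanted_keygen
  remove_unwanted_keys "$keydir"
  clear_sss_known_hosts
fi
```

Two caveats worth keeping in mind. Masking the keygen units is deliberate and total: if the one key type you do want is ever lost, sshd will not regenerate it either, so keep that key in your backups or configuration management. And this script only cleans the local side; the `--no-dns-sshfp` option for ipa-client-install mentioned above is still what keeps keys out of the zone's SSHFP records, and the thread reports that `sss_cache -H` does not touch the cached known_hosts file, which is why the file is removed directly here.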
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure