On Tue, Apr 12, 2022 at 7:05 PM lejeczek via FreeIPA-users <[email protected]> wrote:
> On 12/04/2022 11:21, Florence Blanc-Renaud wrote:
> > Hi,
> >
> > if you already have ssh public keys in /etc/ssh/ssh_host_*.pub, you can do
> > # ipa host-mod --updatedns --sshpubkey "*ssh-rsa AAAAB3NzaC...*" client.ipa.test
> > (where the bold text is the content of your .pub file).
> >
> > Then in order to check what was done:
> > # ipa dnsrecord-show ipa.test client
> >   Record name: client
> >   A record: 10.0.147.130
> >   SSHFP record: 1 1 2D9747370DF5CEDDE66AC4DC354076326F466A0A, 1 2 0B1FB068265381BE51CEA14D315C3A2647E98BC9672B0640045C9D5131BA404C
> >
> > You can check that they correspond using
> > # ssh-keygen -r client.ipa.test -f /etc/ssh/ssh_host_rsa_key.pub
> > client.ipa.test IN SSHFP 1 1 2d9747370df5cedde66ac4dc354076326f466a0a
> > client.ipa.test IN SSHFP 1 2 0b1fb068265381be51cea14d315c3a2647e98bc9672b0640045c9d5131ba404c
> >
> > The fingerprints are also visible using
> > # ipa host-show client.ipa.test
> > ...
> >   SSH public key fingerprint: SHA256:Cx...
> >
> > and can be checked using
> > # ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
> > 3072 SHA256:Cx...
> >
> > Does it help?
> > flo
> >
> > On Mon, Apr 11, 2022 at 9:20 PM lejeczek via FreeIPA-users <[email protected]> wrote:
> > >
> > > Hi guys.
> > >
> > > What is the correct way to update/modify server's sshfp records?
> > >
> > > I assumed those are in: /etc/ssh/ssh_host_*.pub and I should use 'host-mod --updatedns ..'
> > > but then such records do not look like what IPA had/created.
> > >
> > > many thanks, L
> >
> I've probably phrased poorly what I wanted to say.
> I did that, as I said I did: 'host-mod --updatedns ..' and...
> just after this I did: 'ipa host-show'
> which showed also "ssh public key (FP separately as usual) records" which puzzled me a bit as, those were not there for/from "regular" client/replica install (including this host prior to manual update), but...!
> now those "ssh public key" records 'ipa host-show' does not show anymore... now I begin to worry, or.. it's how IPA "behaves"?
>
Ok, so I didn't understand your point. If you run ipa host-mod --updatedns --sshpubkey "ssh-rsa ..." then the value of the ssh pub key is overwritten and now contains a single value. If there were previously other SSH pub keys they are simply deleted by this command. The right method would be to add multiple --sshpubkey arguments, for the key to be added + the previous ones, or to use --addattr="ipaSshPubKey=..."

Was this your question?

> ps. Flo, do the right thing, follow etiquette/lang rules.
> I'd like to think it's not just conversation between us two.
> How do you like to read your book? aha! exactly.
>
Honestly I have no idea how to interpret this comment, so I'd rather not interpret it myself and risk misunderstanding. Did I write something that broke etiquette? It was clearly not my intent. I'm open to constructive feedback as I try to help as much as I can on this mailing list.

flo

> many thanks, L.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
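An added example, not code from the thread or from the FreeIPA project: a small Python checker that derives the SSHFP RDATA from an OpenSSH .pub line the way `ssh-keygen -r` does (hash over the base64-decoded key blob) and compares it, case-insensitively, with the "SSHFP record:" value that `ipa dnsrecord-show` prints, since IPA shows upper-case hex while ssh-keygen shows lower-case. The sample key is constructed and the function names are my own.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_records(pub_line):
    """(algorithm, fptype, hex digest) tuples for one OpenSSH .pub line.
    The digest is over the base64-decoded key blob, exactly what
    `ssh-keygen -r` hashes, so the result is comparable with DNS."""
    keytype, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with a length-prefixed copy of the key type; check it.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type prefix does not match key blob")
    algo = SSHFP_ALGORITHMS[keytype]
    return [(algo, t, h(blob).hexdigest()) for t, h in SSHFP_FPTYPES.items()]

def parse_ipa_sshfp(field):
    """Parse the 'SSHFP record:' value shown by `ipa dnsrecord-show`, e.g.
    '1 1 2D97..., 1 2 0B1F...'. Hex is lower-cased because IPA prints
    upper case while ssh-keygen prints lower case."""
    records = set()
    for rr in field.split(","):
        algo, fptype, digest = rr.split()
        records.add((int(algo), int(fptype), digest.lower()))
    return records

def dns_matches_key(ipa_field, pub_line):
    """True only if every SSHFP record derived from the key is in DNS."""
    expected = {(a, t, d.lower()) for a, t, d in sshfp_records(pub_line)}
    return expected <= parse_ipa_sshfp(ipa_field)

def constructed_ed25519_pub_line():
    """Constructed sample (not a real host key): a 32-byte ed25519 public
    key of all 0x42 wrapped in SSH wire format (uint32 length + bytes)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + b"\x42" * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@host"

if __name__ == "__main__":
    line = constructed_ed25519_pub_line()
    for algo, fptype, digest in sshfp_records(line):
        print(f"client.ipa.test IN SSHFP {algo} {fptype} {digest}")
```

Running it against a real `/etc/ssh/ssh_host_*.pub` file and the IPA output lets you confirm that a `host-mod --sshpubkey` did not silently drop records for the other host keys.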
