This may need to be passed upstream to the SSH maintainers or OpenSSH folks.
(CentOS 6.4, ipa-client 3.0.0-26, openssh-5.3p1-84.1)

IPA (sssd), when installed, modifies the /etc/ssh/ssh_config file by adding
(at least) a line:

GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts

The default behavior of SSH when that isn't present is to check both
/etc/ssh/ssh_known_hosts2 & /etc/ssh/ssh_known_hosts for keys. This is
documented in the ssh_config man page.

However, when the line is present with the sssd change, the OS only checks for 
/etc/ssh/ssh_known_hosts2, plus the file in /var/lib/sss.

It still checks for both $HOME/.ssh/known_hosts & $HOME/.ssh/known_hosts
either way. (That's controlled by a different option.)

Should IPA / SSSD be adding back in the default value, until such time as it's 
fixed in the upstream?

Matthew Barr
Technical Architect
AIM: matthewbarr1
c:  (646) 727-0535

Freeipa-users mailing list
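
A check for the situation described in the message above, as an added example that is not part of the original post and is not IPA, SSSD or OpenSSH code: it parses an ssh_config and lists the default global known_hosts files that stop being consulted once GlobalKnownHostsFile is set. The fallback to /etc/ssh/ssh_known_hosts2 models the behaviour the post reports for openssh-5.3p1 and is an assumption for any other version; the function names and the sample config are constructed.

```python
import os
import re
import shlex

DEFAULTS = ["/etc/ssh/ssh_known_hosts", "/etc/ssh/ssh_known_hosts2"]
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")  # "Keyword value" or "Keyword=value"

# Constructed sample: the line quoted in the post, in an otherwise empty config.
SAMPLE = "# constructed sample\nGlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n"

def global_directive(config_text):
    """First GlobalKnownHostsFile value that applies to every host, else None."""
    applies_to_all = True                      # lines before any Host block
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                              # blank line, comment, bare keyword
            continue
        keyword = m.group(1).lower()           # keywords are case-insensitive
        if keyword in ("host", "match"):
            applies_to_all = keyword == "host" and m.group(2).split() == ["*"]
        elif keyword == "globalknownhostsfile" and applies_to_all:
            return shlex.split(m.group(2))     # first value obtained wins
    return None

def consulted_files(config_text):
    """Global files consulted, per the behaviour reported in the post
    (assumption: directive value plus /etc/ssh/ssh_known_hosts2)."""
    custom = global_directive(config_text)
    if custom is None:
        return list(DEFAULTS)
    return custom + [f for f in DEFAULTS[1:] if f not in custom]

def skipped_defaults(config_text):
    """Default global files that are no longer consulted."""
    used = consulted_files(config_text)
    return [f for f in DEFAULTS if f not in used]

if __name__ == "__main__":
    path = "/etc/ssh/ssh_config"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for f in skipped_defaults(text):
        populated = os.path.isfile(f) and os.path.getsize(f) > 0
        print("%s: not consulted%s" % (f, " (file is non-empty)" if populated else ""))
```

A non-empty file in the output means host keys an administrator placed there are silently ignored on that client.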
