On 19.6.2013 21:36, Matthew Barr wrote:
> This may need to be passed upstream to the SSH maintainers or openssh
> folks, but:
> (CentOS 6.4, ipa-client 3.0.0-26, openssh-5.3p1-84.1)
>
> IPA (sssd) when installed is to modify the /etc/ssh/ssh_config file, by
> adding (at least) a line:
>
> GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
>
> Default behavior of SSH when that isn't present is to check both
> /etc/ssh/ssh_known_hosts2 & /etc/ssh/ssh_known_hosts for keys. This is
> documented in the ssh_config man page.
>
> However, when the line is present with the sssd change, the OS only
> checks for /etc/ssh/ssh_known_hosts2, plus the file in /var/lib/sss.

I don't think it checks /etc/ssh/ssh_known_hosts2, since the GlobalKnownHostsFile2 option was deprecated in OpenSSH 5.9, unless of course you have an older version of OpenSSH installed.

> It still checks for both $HOME/.ssh/known_hosts &
> $HOME/.ssh/known_hosts, either way. (that's controlled by a different
>
> Should IPA / SSSD be adding back in the default value, until such time
> as it's fixed in the upstream?

I'm not sure I understand, what do you think should be fixed?


Jan Cholasta
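
Added example, not part of the original thread and not FreeIPA or OpenSSH code: a small audit check that reports which of the default system known_hosts files a given ssh_config no longer consults once GlobalKnownHostsFile is set. It assumes the OpenSSH 5.9+ behavior in which GlobalKnownHostsFile holds the whole list and replaces the defaults; the function names and both sample configs are constructed for illustration.

```python
import re
import shlex

# Default files named in the thread (from the ssh_config man page).
DEFAULT_FILES = ["/etc/ssh/ssh_known_hosts", "/etc/ssh/ssh_known_hosts2"]
LINE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")

# Constructed sample: only the line the thread says ipa-client adds.
SSSD_CONFIG = """\
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
Host *
    GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
"""
# Constructed sample: SSSD file plus the defaults listed explicitly (assumes 5.9+).
MERGED_CONFIG = """\
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
"""

def effective_global_known_hosts(config_text):
    """Return the GlobalKnownHostsFile list that applies to every host."""
    applies_to_all = True  # lines before the first Host/Match apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        keyword, args = m.group(1).lower(), shlex.split(m.group(2))
        if keyword == "host":
            applies_to_all = args == ["*"]
        elif keyword == "match":
            applies_to_all = False  # simplification: Match blocks are not evaluated
        elif keyword == "globalknownhostsfile" and applies_to_all and args:
            return args  # ssh keeps the first value obtained for an option
    return list(DEFAULT_FILES)

def dropped_defaults(config_text):
    """Default system known_hosts files that this config stops consulting."""
    effective = effective_global_known_hosts(config_text)
    return [path for path in DEFAULT_FILES if path not in effective]

if __name__ == "__main__":
    print("sssd-only config drops:", dropped_defaults(SSSD_CONFIG))
    print("merged config drops:", dropped_defaults(MERGED_CONFIG))
```

On a host with OpenSSH 6.8 or later, `ssh -G <host>` prints the value the client actually resolved and can be compared against this result.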

Freeipa-users mailing list
