On 19.6.2013 21:36, Matthew Barr wrote:
> This may need to be passed upstream to the SSH maintainers or openssh
> folks, but:
> (Centos 6.4, ipa-client 3.0.0-26, openssh-5.3p1-84.1 )
>
> IPA (sssd) when installed is to modify the /etc/ssh/ssh_config file, by
> adding (at least) a line :
> GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
>
> Default behavior of SSH when that isn't present is to check both
> /etc/ssh/ssh_known_hosts2 & /etc/ssh/ssh_known_hosts for keys. This is
> documented in the ssh_config man page.
>
> However, when the line is present with the sssd change, the OS only
> checks for /etc/ssh/ssh_known_hosts2, plus the file in /var/lib/sss.

I don't think it checks /etc/ssh/ssh_known_hosts2, since the
GlobalKnownHostsFile2 option was deprecated in OpenSSH 5.9, unless of
course you have an older version of OpenSSH installed.

> It still checks for both $HOME/.ssh/known_hosts &
> $HOME/.ssh/known_hosts, either way. (that's controlled by a different
> option.)
>
> Should IPA / SSSD be adding back in the default value, until such time
> as it's fixed in the upstream?

I'm not sure I understand, what do you think should be fixed?

Honza
--
Jan Cholasta
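
The following check is an added example, not part of the thread and not code from FreeIPA or SSSD. It reports whether a client configuration's GlobalKnownHostsFile line still names /etc/ssh/ssh_known_hosts, the case discussed above. It assumes only the first GlobalKnownHostsFile line matters and ignores Host/Match scoping and Include; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: which system-wide known_hosts files does an ssh_config name?
# Assumption: the first GlobalKnownHostsFile line is the effective one;
# Host/Match scoping, Include and quoted paths are not handled.

DEFAULT_FILE=/etc/ssh/ssh_known_hosts

# Print the files listed by the first GlobalKnownHostsFile directive, one per line.
global_known_hosts() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)             # drop leading indentation
            n = split(line, f, /[ \t=]+/)        # keyword and values, "=" allowed
            if (tolower(f[1]) == "globalknownhostsfile") {
                for (i = 2; i <= n; i++) if (f[i] != "") print f[i]
                exit                             # first obtained value is used
            }
        }' "$1"
}

# Exit 0 when the directive is set and leaves out the default system file.
overrides_default() {
    files=$(global_known_hosts "$1")
    [ -n "$files" ] || return 1                  # directive absent: defaults apply
    ! printf '%s\n' "$files" | grep -qxF "$DEFAULT_FILE"
}

# Constructed sample configs (not taken from a real host).
tmp=$(mktemp -d)
printf 'GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n' > "$tmp/ipa"
printf 'GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts %s\n' \
    "$DEFAULT_FILE" > "$tmp/both"

for c in ipa both; do
    if overrides_default "$tmp/$c"; then
        echo "$c: $DEFAULT_FILE is not consulted"
    else
        echo "$c: $DEFAULT_FILE is still listed"
    fi
done
rm -rf "$tmp"
```

The second sample uses the form in which current ssh_config(5) accepts several whitespace-separated files on one GlobalKnownHostsFile line.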