I've got a strange situation where some of my workstations are reporting difficulty when sshing to remote systems, but there's no pattern I can discern. One user's machine can't get to system A, but I can, though I can't ssh to his workstation directly.

Here's the kind of thing I see when doing ssh -vvv:

debug1: Server host key: RSA 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
debug3: load_hostkeys: loading entries for host "rs512" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "rs512" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@   WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone coudl be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /var/lib/sss/pubconf/known_hosts:2
RSA host key for zw131 has changed and you have requested strict checking.
Host key verification failed.
#


We haven't changed the host key; the public key files are dated October 23 of last year. Our configuration files for SSSD and SSH are managed by Puppet, so they are consistent from system to system. That said, I did compare a system that could remote to rs512 to one that could not and found no differences. Here are the files:

/etc/sssd/sssd.conf:
[domain/spx.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = zw129.foo.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/.spx.net]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = FOO.NET
ipa_domain = .foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
dns_discovery_domain = .spx.net
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = .spx.net, spx.net
[nss]

[pam]

[sudo]

[autofs]

[ssh]

Is there anything else relevant that I should be looking at?


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to