They're definitely different. I deleted the one in the file, then tried again. It put the bad key back in the file. I blew the whole file away and the same thing happened. Where is this key coming from if not from IPA?


On 01/13/2014 02:36 PM, Rob Crittenden wrote:
Bret Wortman wrote:
I've got a strange situation where some of my workstations are reporting
difficulty when sshing to remote systems, but there's no pattern I can
discern. One user's machine can't get to system A, but I can, though I
can't ssh to his workstation directly.

Here's the kind of thing I see when doing ssh -vvv:

debug1: Server host key: RSA 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
debug3: load_hostkeys: loading entries for host "rs512" from file
"/root/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "rs512" from file
"/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type RSA in file
/var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@   WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone coudl be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /var/lib/sss/pubconf/known_hosts:2
RSA host key for zw131 has changed and you have requested strict checking.
Host key verification failed.
#

We haven't changed the host key; the public key files are dated October
23 of last year. Our configuration files for SSSD and SSH are managed by
Puppet, so they are consistent from system to system. That said, I did
compare a system that could remote to rs512 to one that could not and
found no differences. Here are the files:

/etc/sssd/sssd.conf:
[domain/spx.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = zw129.foo.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/.spx.net]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = FOO.NET
ipa_domain = .foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
dns_discovery_domain = .spx.net
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = .spx.net, spx.net
[nss]

[pam]

[sudo]

[autofs]

[ssh]

Is there anything else relevant that I should be looking at?

You might compare the value of the key in IPA to what is in /var/lib/sss/pubconf/known_hosts

rob



Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to