On 14.1.2014 12:34, Bret Wortman wrote:
The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the
host in question. It should not have had any connectivity issues; it's
co-located with several of our IPA masters.

Can you also check if the MD5 fingerprint reported by ssh (e.g. 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post) matches the MD5 fingerprint for the host in IPA?

I'd be happy to run sss_ssh_knownhostsproxy manually but haven't been
able to locate the proxy command to use via Google yet. Any guidance?

I don't think you need to do that, it will just update /var/lib/sss/pubconf/known_hosts again.

On 01/14/2014 05:43 AM, Jan Cholasta wrote:
On 13.1.2014 22:18, Jakub Hrozek wrote:
On Mon, Jan 13, 2014 at 02:44:29PM -0500, Bret Wortman wrote:
They're definitely different. I deleted the one in the file, then
tried again. It put the bad key back in the file. I blew the whole
file away and the same thing happened. Where is this key coming from
if not from IPA?

Can you try running sss_ssh_knownhostsproxy manually to see what key
does it return?

The keys are propagated to the file from the sssd database. If the
was offline, the client could use stale records. Can you verify the
has no connectivity issues?

Honza (CC-ed) might have some more hints.

Compare the public key in /etc/ssh/ssh_host_rsa_key.pub on the host
with the public key for that host in IPA. If they do not match, the
host key was changed after IPA client was installed and the host
record in IPA must be manually updated with the new key.


Jan Cholasta

Freeipa-users mailing list

Reply via email to