Hi,

On 19.11.2014 at 09:45, Christoph Kaminski wrote:
> this is an example of a host here and the ways I can reach it via ssh:
> (they are all in dns forward and reverse resolving)
>
> (note I redacted the hostnames and IP addresses in the output below)
>
>
> host host.mgmt
> host.mgmt has address 192.168.1.1
> host 192.168.1.1
> 1.1.168.192.in-addr.arpa domain name pointer host.mgmt.
> host host.mydom.int
> host.mydom.int has address 192.168.2.1
> host 192.168.2.1
> 1.2.168.192.in-addr.arpa domain name pointer host.mydom.int.
> host host.mydom.net
> host.mydom.net has address 192.168.3.1
> host 192.168.3.1
> 1.3.168.192.in-addr.arpa domain name pointer host.mydom.net.

So it's a host with multiple IP addresses? You have 2 options then:

1. Add a host entry with the SSH public key to IPA for each of the hostnames then, as Dmitri suggested.

2. Manually add the additional hostnames to the fqdn attribute of the host entry using ldapmodify.


> Best regards,
> Christoph Kaminski




From: Jan Cholasta <jchol...@redhat.com>
To: Jakub Hrozek <jhro...@redhat.com>, d...@redhat.com
Cc: freeipa-users@redhat.com
Date: 19.11.2014 07:53
Subject: Re: [Freeipa-users] Multiple Domains and SSH
Sent by: freeipa-users-boun...@redhat.com
------------------------------------------------------------------------



Hi,

On 18.11.2014 at 23:53, Jakub Hrozek wrote:
 >
 >> On 18 Nov 2014, at 23:12, Dmitri Pal <d...@redhat.com> wrote:
 >>
 >> On 11/18/2014 01:07 AM, Christoph Kaminski wrote:
 >>> Hi
 >>>
 >>> I can reach each host here via ssh on multiple domains:
 >>>
 >>> host.mydom.int
 >>> host.mydom.net
 >>> host.mgmt
 >>>
 >>> sss_ssh_knownhostproxy does work only on the domain which I have
 >>> used to register to ipa (mgmt), on the other domains I always get "The
 >>> authenticity of host 'host.mydom.int (<no hostip for proxy command>)'
 >>> can't be established."... why?

Because it does not know that the hostnames refer to the same host.

Do you have a reverse DNS record set up for the host? Does it point to
the same hostname that you used to register the host in IPA?

 >>>
 >>
 >>
 >> And other hosts in those domains are not registered?
 >> Maybe you should try to add a host entry and SSH digest to IPA even
 >> if they are not enrolled?

This would work too.

 >>
 >
 > Maybe Honza would have some tips for debugging...

See pages 13-16 of
<http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf>.

Honza

--
Jan Cholasta

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




Honza

--
Jan Cholasta
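
Option 2 from the reply above, as an added example that is not part of the original thread: a shell function that builds the LDIF to feed to ldapmodify. The base DN dc=example,dc=test is a placeholder, the cn=computers,cn=accounts container is assumed from a default FreeIPA layout, and host.mgmt is taken as the name the host was enrolled under.

```shell
#!/bin/sh
# Added example: build the LDIF for option 2 (extra fqdn values on one host entry).
# BASE_DN is an assumed placeholder; replace it with your own suffix.
BASE_DN="dc=example,dc=test"

# Accept only plain DNS names so a crafted value cannot inject extra LDIF lines.
valid_fqdn() {
    case "$1" in
        ""|.*|*.|-*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# fqdn_ldif ENROLLED_FQDN EXTRA_FQDN...
# Prints one LDIF change record that adds each extra name to the fqdn
# attribute of the host entry enrolled as ENROLLED_FQDN.
fqdn_ldif() {
    enrolled=$1; shift
    valid_fqdn "$enrolled" || { echo "bad hostname: $enrolled" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "no extra hostnames given" >&2; return 1; }
    # Validate everything first so a bad name never yields a partial record.
    for name in "$@"; do
        valid_fqdn "$name" || { echo "bad hostname: $name" >&2; return 1; }
    done
    printf 'dn: fqdn=%s,cn=computers,cn=accounts,%s\n' "$enrolled" "$BASE_DN"
    printf 'changetype: modify\nadd: fqdn\n'
    for name in "$@"; do
        printf 'fqdn: %s\n' "$name"
    done
    printf '%s\n' '-'
}

# Names as they appear (redacted) in the thread; this only prints the LDIF.
fqdn_ldif host.mgmt host.mydom.int host.mydom.net

# To apply it with admin Kerberos credentials (not run here):
#   fqdn_ldif host.mgmt host.mydom.int host.mydom.net | ldapmodify -Y GSSAPI
# Then retry: ssh host.mydom.int
```

Review the printed record before piping it to ldapmodify, since it changes the naming attribute of the host entry.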
