I am trying to re-enroll clients after re-installing their O/S (EL6)
using:

# ipa-client-install --force-join ...

Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I am
finding that after doing that for a given host, trying to ssh to it
from another enrolled IPA client I am getting:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
15:db:4d:e2:8b:c2:b8:3d:da:93:90:06:f2:f1:d6:21.
Please contact your system administrator.
Add correct host key in /dev/null to get rid of this message.
Offending DSA key in /var/lib/sss/pubconf/known_hosts:4
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Removing offending keys from /var/lib/sss/pubconf/known_hosts doesn't
fix things as the offending key just gets put right back.

Clearly something is going wrong with the re-enrollment and the SSH key
of the new instance vs. the SSH key of the old instance.

Am I doing something wrong or not doing something else I should be?

Cheers,
b.
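
A diagnostic for the mismatch reported above, as an added example that is not part of the original message: it parses known_hosts-format text (such as the contents of /var/lib/sss/pubconf/known_hosts), computes the colon-separated MD5 fingerprint in the form the warning prints, and reports per key type whether each stored entry for a host matches the fingerprint the server offered. The function names, host name and key blobs are hypothetical, constructed placeholders.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format shown in the warning."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_known_hosts(text: str):
    """Yield (line_no, hosts, key_type, fingerprint) for each valid entry."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 3:
            continue
        try:
            blob = base64.b64decode(fields[2], validate=True)
            (n,) = struct.unpack(">I", blob[:4])
        except (ValueError, struct.error):
            continue                        # not a decodable key blob
        # The type named inside the blob is authoritative, not the text field.
        key_type = blob[4:4 + n].decode("ascii", "replace")
        yield line_no, fields[0].split(","), key_type, md5_fingerprint(blob)


def compare(text: str, host: str, offered_fp: str):
    """Return [(line_no, key_type, matches_offered)] for entries naming host."""
    return [(no, kt, fp == offered_fp.lower())
            for no, hosts, kt, fp in parse_known_hosts(text) if host in hosts]


# Constructed sample: placeholder blobs, not real keys or the poster's data.
OLD_DSA = ssh_string(b"ssh-dss") + ssh_string(b"old-install-dsa")
NEW_RSA = ssh_string(b"ssh-rsa") + ssh_string(b"new-install-rsa")
SAMPLE = "\n".join([
    "# constructed known_hosts content",
    "client.example.com ssh-dss " + base64.b64encode(OLD_DSA).decode(),
    "client.example.com ssh-rsa " + base64.b64encode(NEW_RSA).decode(),
])
```

Calling `compare()` with the file's text, the host name and the fingerprint from the warning lists each stored entry for that host by line number and key type, so a stale entry of one type is visible next to a current entry of another.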
