I am trying to re-enroll clients after re-installing their O/S (EL6) using:

# ipa-client-install --force-join ...

Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I am finding that after doing that for a given host, trying to ssh to it from another enrolled IPA client I am getting:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
15:db:4d:e2:8b:c2:b8:3d:da:93:90:06:f2:f1:d6:21.
Please contact your system administrator.
Add correct host key in /dev/null to get rid of this message.
Offending DSA key in /var/lib/sss/pubconf/known_hosts:4
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Removing offending keys from /var/lib/sss/pubconf/known_hosts doesn't fix things as the offending key just gets put right back.

Clearly something is going wrong with the re-enrollment and the SSH key of the new instance vs. the SSH key of the old instance.

Am I doing something wrong or not doing something else I should be?

Cheers,
b.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
