On Wed, 2015-11-04 at 15:37 -0500, Brian J. Murrell wrote:
> I am trying to re-enroll clients after re-installing their O/S (EL6)
> using:
>
> # ipa-client-install --force-join ...
>
> Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I am
> finding that after doing that for a given host, trying to ssh to it
> from another enrolled IPA client I am getting:
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 15:db:4d:e2:8b:c2:b8:3d:da:93:90:06:f2:f1:d6:21.
> Please contact your system administrator.
> Add correct host key in /dev/null to get rid of this message.
> Offending DSA key in /var/lib/sss/pubconf/known_hosts:4
> Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
So the problem here was not really anything to do with the above but rather that ipa-client-install is flaky and can fail; when running it a few seconds later, it succeeds. Since I am provisioning multiple systems at a time in a script, it was not clearly obvious to me that it was failing. And so when ipa-client-install flakes out, of course what is left is the previous instance of the node in FreeIPA, complete with the previous instance's SSH keys.

b.
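The failure mode Brian describes, as an added shell example that is not part of this thread or of FreeIPA itself: a provisioning wrapper that retries `ipa-client-install --force-join`, refuses to continue silently when it still fails, and then checks that the host's current SSH host keys are the ones IPA has on record, so a stale host entry carrying the old keys (the cause of the sssd known_hosts mismatch quoted above) is caught at provisioning time rather than at the next ssh. Assumptions: the function names and the ENROLL_RETRY_DELAY knob are mine, `ipa host-show` needs a valid Kerberos ticket on the client, and the `ipasshpubkey:` line format is that of `ipa host-show FQDN --all --raw`.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# Assumes: ipa-client-install is run with --force-join as on the page plus
# caller-supplied flags; 'ipa host-show' works afterwards with a valid
# Kerberos ticket. ENROLL_RETRY_DELAY is a hypothetical knob (seconds).
ENROLL_RETRY_DELAY=${ENROLL_RETRY_DELAY:-5}

# enroll_with_retry ATTEMPTS CMD [ARGS...]
# Re-runs CMD until it exits 0 or ATTEMPTS are exhausted, and returns the
# last exit status instead of swallowing it, so a provisioning loop stops
# at the failing host rather than moving on with a stale entry in IPA.
enroll_with_retry() {
  attempts=$1; shift
  n=0
  while [ "$n" -lt "$attempts" ]; do
    n=$((n + 1))
    "$@" && return 0
    rc=$?
    echo "attempt $n/$attempts failed (exit $rc): $*" >&2
    [ "$n" -lt "$attempts" ] && sleep "$ENROLL_RETRY_DELAY"
  done
  return "$rc"
}

# key_registered LOCAL_PUB_FILE IPA_HOST_SHOW_OUTPUT
# Succeeds when the base64 key blob from an OpenSSH public key file appears
# on an 'ipasshpubkey:' line of saved 'ipa host-show FQDN --all --raw' output.
key_registered() {
  blob=$(awk 'NF >= 2 { print $2; exit }' "$1")
  [ -n "$blob" ] || return 1
  grep '^ipasshpubkey:' "$2" | grep -qF -- " $blob"
}

# provision_host FQDN [ipa-client-install flags...]
# Re-enrols this host, then verifies that IPA now holds this host's current
# SSH host keys; a silently failed enrolment fails loudly right here.
provision_host() {
  host=$1; shift
  enroll_with_retry 3 ipa-client-install --force-join "$@" || return 1
  out=$(mktemp) || return 1
  ipa host-show "$host" --all --raw > "$out" || { rm -f "$out"; return 1; }
  for pub in /etc/ssh/ssh_host_*_key.pub; do
    if ! key_registered "$pub" "$out"; then
      echo "$host: $pub is not the key IPA has on record" >&2
      rm -f "$out"; return 1
    fi
  done
  rm -f "$out"
}
```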
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
