I have successfully installed FreeIPA server version 4.2.0 on CentOS 7.2, 
including replication between servers. I have a few dozen Ubuntu 14.04 servers 
joined into IPA for authentication with various user groups controlling access, 
sudo permissions, etc., and overall I'm very happy.

I have, however, managed to trip myself up by installing the Ubuntu clients with 
the --ssh-trust-dns option, and now my users' ssh keys are not trusted and ssh 
login falls back to password-based on the Ubuntu clients.

If I uninstall a client, reboot and then reinstall without the --ssh-trust-dns 
option, then the user's ssh key I imported into the web interface is used and 
login is automatic over ssh.

I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and can't 
see anything to control this. Most of my online searches cover other aspects of 
ssh host keys in DNS. If I've missed anything obvious then please point me in 
the right direction.

I have a reasonable number of servers to make this change on and ideally I'd 
like to push out the change to a config file and maybe restart a service. Is 
this behaviour easy to configure or would it be easier to go through the 
uninstall/reboot/reinstall loop? Luckily these are all testing servers so not a 
show stopper but I'd prefer to learn what is actually controlling this.

