Neal Harrington | i-Neda Ltd wrote:

I have successfully installed FreeIPA server version 4.2.0 on CentOS
7.2, including replication between servers. I have a few
dozen Ubuntu 14.04 servers joined into IPA for authentication with
various user groups controlling access, sudo permissions etc and overall
I'm very happy.

I have, however, managed to trip myself up by installing the
Ubuntu clients with the --ssh-trust-dns option, and now my users' ssh keys
are not trusted and ssh login falls back to password based on the Ubuntu

If I uninstall a client, reboot, and then reinstall without the
--ssh-trust-dns option, then the user's ssh key I imported into the web
interface is used and login is automatic over ssh.

I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and
can't see anything to control this. Most of my online searches cover
other aspects of ssh host keys in DNS. If I've missed anything obvious
then please point me in the right direction.

I have a reasonable number of servers to make this change on and ideally
I'd like to push out the change to a config file and maybe restart a
service. Is this behaviour easy to configure or would it be easier to go
through the uninstall/reboot/reinstall loop? Luckily these are all
testing servers so not a show stopper but I'd prefer to learn what is
actually controlling this.

As far as I can tell this option sets this in sshd.conf:

VerifyHostKeyDNS = yes
HostKeyAlgorithms = ssh-rsa,ssh-dss

I assume your DNS doesn't contain the SSHFP entries?


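The two keywords named in the reply, VerifyHostKeyDNS and HostKeyAlgorithms, are ssh client keywords (documented in ssh_config(5)), so on a client the file to look at is /etc/ssh/ssh_config, and because ssh reads that file on every connection there is no daemon to restart after editing it. The script below is an added example, not code from this thread or from the FreeIPA project: it detects the two settings in a config file and comments them out so the client falls back to the OpenSSH defaults, which is the config-push alternative to the uninstall/reboot/reinstall loop. The sample config it operates on is constructed inline so the script runs offline; the path /etc/ssh/ssh_config and the hostname and key path used by the optional SSHFP helpers at the end are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread or FreeIPA): inspect and revert
# the ssh_config keywords written by ipa-client-install --ssh-trust-dns.
# VerifyHostKeyDNS and HostKeyAlgorithms are ssh *client* keywords, so on a
# real client you would run this against /etc/ssh/ssh_config (assumption:
# that is where your clients carry them). Here we use a constructed copy.
set -eu

# Constructed sample resembling a client's ssh_config after --ssh-trust-dns
# (the last two lines are the ones the option adds).
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# This is the ssh client system-wide configuration file.
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
PubkeyAuthentication yes
VerifyHostKeyDNS yes
HostKeyAlgorithms ssh-rsa,ssh-dss
EOF

# dns_trust_enabled FILE: succeed if an uncommented VerifyHostKeyDNS line
# sets it to yes (whitespace or '=' separator both accepted).
dns_trust_enabled() {
    grep -Eiq '^[[:space:]]*VerifyHostKeyDNS[[:space:]=]+yes' "$1"
}

# hostkey_algos FILE: print the first uncommented HostKeyAlgorithms value,
# or nothing if the keyword is not set.
hostkey_algos() {
    sed -nE 's/^[[:space:]]*HostKeyAlgorithms[[:space:]=]+([^[:space:]#]+).*/\1/p' "$1" | head -n 1
}

# disable_dns_trust FILE: comment out both keywords in place, leaving
# FILE.bak behind, so the client reverts to the OpenSSH defaults
# (VerifyHostKeyDNS no, the stock HostKeyAlgorithms list).
disable_dns_trust() {
    sed -E -i.bak 's/^[[:space:]]*(VerifyHostKeyDNS|HostKeyAlgorithms)([[:space:]=].*)$/# \1\2  # disabled: set by --ssh-trust-dns/' "$1"
}

# The alternative is to keep the option and publish SSHFP records instead.
# These helpers wrap the real commands but are not run offline:
#   sshfp_records HOST PUBKEY   -> SSHFP RRs to load into the zone
#   sshfp_published HOST        -> what resolvers currently return
sshfp_records() {
    ssh-keygen -r "$1" -f "$2"          # e.g. ssh-keygen -r host.example.com -f /etc/ssh/ssh_host_rsa_key.pub
}
sshfp_published() {
    dig +short SSHFP "$1"               # empty output means no SSHFP entries
}

# Demonstration on the constructed file.
if dns_trust_enabled "$SAMPLE_CONFIG"; then
    echo "DNS host-key trust is on; HostKeyAlgorithms=$(hostkey_algos "$SAMPLE_CONFIG")"
    disable_dns_trust "$SAMPLE_CONFIG"
fi
if dns_trust_enabled "$SAMPLE_CONFIG"; then
    echo "still enabled"
else
    echo "reverted to OpenSSH defaults (backup in $SAMPLE_CONFIG.bak)"
fi
rm -f "$SAMPLE_CONFIG" "$SAMPLE_CONFIG.bak"
```

To apply it fleetwide, run `disable_dns_trust /etc/ssh/ssh_config` on each client through whatever you already use to push files (the .bak copy lets you diff what changed); no reboot or service restart is involved because only the ssh client reads the file. If you would rather keep host-key verification through DNS, generate records with `sshfp_records` from each server's public host key, publish them in the IPA-managed zone, and confirm with `sshfp_published` that clients actually see them before re-enabling the option.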
Manage your subscription for the Freeipa-users mailing list: