Hi Rob,

Thank you very much for your message. Unfortunately/fortunately after rebooting 
or restarting the ssh server this morning it is all working as I would expect. 
I'm not sure what I was missing yesterday but suspect a combination of sssd 
caching may have been confusing me as I'm sure I'd already tried this several 

Thanks again,

From: Rob Crittenden <rcrit...@redhat.com>
Sent: 05 July 2016 18:01
To: Neal Harrington | i-Neda Ltd; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

Neal Harrington | i-Neda Ltd wrote:
> Hi,
> I have successfully installed FreeIPA server version 4.2.0 on CentOS
> 7.2, including replication between servers. I have a few
> dozen Ubuntu 14.04 servers joined into IPA for authentication with
> various user groups controlling access, sudo permissions etc and overall
> I'm very happy.
> I have however managed to trip myself up by installing the
> Ubuntu clients with the --ssh-trust-dns option and now my users' ssh keys
> are not trusted and ssh login falls back to password based on the Ubuntu
> clients.
> If I uninstall a client, reboot and then reinstall without the
> --ssh-trust-dns option then the user's ssh key I imported into the web
> interface is used and login is automatic over ssh.
> I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and
> can't see anything to control this. Most of my online searches cover
> other aspects of ssh host keys in DNS. If I've missed anything obvious
> then please point me in the right direction.
> I have a reasonable number of servers to make this change on and ideally
> I'd like to push out the change to a config file and maybe restart a
> service. Is this behaviour easy to configure or would it be easier to go
> through the uninstall/reboot/reinstall loop? Luckily these are all
> testing servers so not a show stopper but I'd prefer to learn what is
> actually controlling this.

As far as I can tell this option sets this in sshd.conf:

VerifyHostKeyDNS = yes
HostKeyAlgorithms = ssh-rsa,ssh-dss

I assume your DNS doesn't contain the SSHFP entries?
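The question above turns on whether the SSHFP records that VerifyHostKeyDNS looks up actually exist and match the host key. The script below is an added example, not code from this thread or from FreeIPA: it computes the SSHFP RDATA (algorithm number, fingerprint type, hex digest) for an OpenSSH public-key line the way `ssh-keygen -r` does, parses `dig +short SSHFP`-style answers, and reports whether the host key is published. The ed25519 key bytes and the DNS answers are constructed inline so it runs offline; on a real host the key would come from /etc/ssh/ssh_host_*_key.pub and the answers from dig.

```python
"""
Check an SSH host public key against SSHFP records of the kind
VerifyHostKeyDNS consults. Added example; not part of the original
thread or of FreeIPA. Key bytes and DNS answers are constructed here.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line, fptype=2):
    """Return (algorithm, fptype, hex_fingerprint) for one OpenSSH
    public-key line; this is the triple `ssh-keygen -r` prints.
    The fingerprint is the hash of the raw wire-format key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    digest = SSHFP_FPTYPE[fptype](blob).hexdigest()
    return (SSHFP_ALGORITHM[keytype], fptype, digest)


def parse_sshfp_answers(text):
    """Parse '<alg> <fptype> <hex>' lines as printed by `dig +short SSHFP`.
    dig may split the hex across whitespace, so all trailing fields are joined."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        alg, fptype = int(parts[0]), int(parts[1])
        records.append((alg, fptype, "".join(parts[2:]).lower()))
    return records


def host_key_published(pubkey_line, dns_text):
    """True if any SSHFP record in dns_text matches the key, under either
    fingerprint type; a missing or stale record yields False."""
    published = set(parse_sshfp_answers(dns_text))
    return any(sshfp_rdata(pubkey_line, ft) in published for ft in SSHFP_FPTYPE)


def constructed_ed25519_pubkey_line():
    """Build a syntactically valid ssh-ed25519 public-key line from
    constructed (not real) key bytes, for offline demonstration only."""
    raw = bytes(range(32))  # constructed placeholder, not a real key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey_line()
    alg, ft, fp = sshfp_rdata(key)
    # constructed DNS answers: one matching (hex split as dig does), one stale
    good_dns = f"{alg} {ft} {fp[:32]} {fp[32:]}\n"
    stale_dns = "4 2 " + "00" * 32 + "\n"
    print("SSHFP rdata:", alg, ft, fp)
    print("matching record published:", host_key_published(key, good_dns))
    print("stale record only:", host_key_published(key, stale_dns))
```

On a real client, `ssh-keygen -r <host> -f /etc/ssh/ssh_host_ed25519_key.pub` on the server and `dig +short SSHFP <host>` on the client give the two inputs this script compares. VerifyHostKeyDNS and HostKeyAlgorithms are client options described in ssh_config(5) and govern how the client checks the server's host key; per that man page the client only treats SSHFP answers as trusted when the DNS response is DNSSEC-validated, so a missing or unsigned record leaves host-key verification falling back to known_hosts.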

