Hi Rob,
Thank you very much for your message. Unfortunately/fortunately, after rebooting or restarting the ssh server this morning it is all working as I would expect. I'm not sure what I was missing yesterday but suspect a combination of sssd caching may have been confusing me, as I'm sure I'd already tried this several times.

Thanks again,
Neal.

________________________________
From: Rob Crittenden <[email protected]>
Sent: 05 July 2016 18:01
To: Neal Harrington | i-Neda Ltd; [email protected]
Subject: Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

Neal Harrington | i-Neda Ltd wrote:
> Hi,
>
> I have successfully installed FreeIPA server version 4.2.0 on CentOS
> 7.2, including replication between servers. I have a few
> dozen Ubuntu 14.04 servers joined into IPA for authentication with
> various user groups controlling access, sudo permissions etc and overall
> I'm very happy.
>
> I have however managed to trip myself up by installing the
> Ubuntu clients with the --ssh-trust-dns option and now my users' ssh keys
> are not trusted and ssh login falls back to password based on the Ubuntu
> clients.
>
> If I uninstall a client, reboot and then reinstall without the
> --ssh-trust-dns option then the user's ssh key I imported into the web
> interface is used and login is automatic over ssh.
>
> I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and
> can't see anything to control this. Most of my online searches cover
> other aspects of ssh host keys in DNS. If I've missed anything obvious
> then please point me in the right direction.
>
> I have a reasonable number of servers to make this change on and ideally
> I'd like to push out the change to a config file and maybe restart a
> service. Is this behaviour easy to configure or would it be easier to go
> through the uninstall/reboot/reinstall loop? Luckily these are all
> testing servers so not a show stopper but I'd prefer to learn what is
> actually controlling this.

As far as I can tell this option sets this in sshd.conf:

VerifyHostKeyDNS = yes
HostKeyAlgorithms = ssh-rsa,ssh-dss

I assume your DNS doesn't contain the SSHFP entries?

rob
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
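Rob's closing question is whether the DNS zone actually carries SSHFP records for the hosts. VerifyHostKeyDNS is a client-side ssh_config option, and it only helps when the SSHFP records published in DNS match the fingerprints the host itself generates. The script below is an added example, not code from the thread or from the FreeIPA project: it compares the records `ssh-keygen -r` would produce on a host with what `dig +short SSHFP` returns for it and lists any host key that DNS does not publish. Both inputs are constructed sample strings here (hostname `client1.example.test` and the hex fingerprints are made up) so the check runs offline; on a real client you would feed in the two commands named in the comments.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify that the SSHFP
# records in DNS cover every host key the machine actually has.
#
# On a real host the two inputs come from:
#   ssh-keygen -r "$(hostname -f)"       -> LOCAL_SSHFP (host IN SSHFP alg type hex)
#   dig +short SSHFP "$(hostname -f)"    -> DNS_SSHFP   (alg type HEX)
# Here both are constructed sample data so the script is self-contained.

# Constructed: what 'ssh-keygen -r client1.example.test' might print
# (RSA SHA-1, RSA SHA-256, ed25519 SHA-256).
LOCAL_SSHFP='client1.example.test IN SSHFP 1 1 0123456789abcdef0123456789abcdef01234567
client1.example.test IN SSHFP 1 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
client1.example.test IN SSHFP 4 2 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210'

# Constructed: what DNS publishes. dig prints the hex in upper case; only the
# two RSA records are present, the ed25519 record was never added.
DNS_SSHFP='1 1 0123456789ABCDEF0123456789ABCDEF01234567
1 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'

# normalize_local: "host IN SSHFP alg type hex" -> "alg type hex" (lower case)
normalize_local() {
    printf '%s\n' "$1" | awk 'NF >= 6 { print $4, $5, tolower($6) }'
}

# normalize_dns: "alg type HEX [HEX...]" -> "alg type hex"; the hex field is
# re-joined in case the resolver output wrapped it into several chunks.
normalize_dns() {
    printf '%s\n' "$1" | awk 'NF >= 3 {
        h = ""; for (i = 3; i <= NF; i++) h = h $i
        print $1, $2, tolower(h)
    }'
}

# sshfp_missing LOCAL DNS: prints each local record that DNS does not publish.
sshfp_missing() {
    dns_n=$(normalize_dns "$2")
    normalize_local "$1" | while IFS= read -r rec; do
        printf '%s\n' "$dns_n" | grep -Fxq -- "$rec" || printf '%s\n' "$rec"
    done
}

# sshfp_check LOCAL DNS: succeeds (exit 0) only when every local key is in DNS.
sshfp_check() {
    [ -z "$(sshfp_missing "$1" "$2")" ]
}

# Report for the constructed data.
if sshfp_check "$LOCAL_SSHFP" "$DNS_SSHFP"; then
    echo "all host keys are published as SSHFP records"
else
    echo "host keys with no matching SSHFP record in DNS:"
    sshfp_missing "$LOCAL_SSHFP" "$DNS_SSHFP"
fi
```

A host whose SSHFP set is incomplete will still pass the DNS check for the algorithms that are published, so the useful output is the list of missing records: those are the zone entries to add (the `ssh-keygen -r` lines can be pasted into the zone as-is) before relying on VerifyHostKeyDNS.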
