Neal Harrington | i-Neda Ltd wrote:
Hi Rob,


Thank you very much for your message. Unfortunately/fortunately after
rebooting or restarting the ssh server this morning it is all working as
I would expect. I'm not sure what I was missing yesterday but suspect a
combination of sssd caching may have been confusing me as I'm sure
I'd already tried this several times.

Very strange indeed. The sssd cache is persistent so rebooting shouldn't have affected it at all.

rob



Thanks again,
Neal.
------------------------------------------------------------------------
*From:* Rob Crittenden <rcrit...@redhat.com>
*Sent:* 05 July 2016 18:01
*To:* Neal Harrington | i-Neda Ltd; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and
user ssh key query
Neal Harrington | i-Neda Ltd wrote:
Hi,


I have successfully installed FreeIPA server version 4.2.0 on CentOS
7.2, including replication between servers. I have a few
dozen Ubuntu 14.04 servers joined into IPA for authentication with
various user groups controlling access, sudo permissions etc and overall
I'm very happy.


I have however managed to trip myself up by installing the
Ubuntu clients with the --ssh-trust-dns option and now my users' ssh keys
are not trusted and ssh login falls back to password based on the Ubuntu
clients.


If I uninstall a client, reboot and then reinstall without the
--ssh-trust-dns option then the user's ssh key I imported into the web
interface is used and login is automatic over ssh.


I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and
can't see anything to control this. Most of my online searches cover
other aspects of ssh host keys in DNS. If I've missed anything obvious
then please point me in the right direction.


I have a reasonable number of servers to make this change on and ideally
I'd like to push out the change to a config file and maybe restart a
service. Is this behaviour easy to configure or would it be easier to go
through the uninstall/reboot/reinstall loop? Luckily these are all
testing servers so not a show stopper but I'd prefer to learn what is
actually controlling this.

As far as I can tell this option sets this in sshd.conf:

VerifyHostKeyDNS = yes
HostKeyAlgorithms = ssh-rsa,ssh-dss

I assume your DNS doesn't contain the SSHFP entries?

rob
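Rob's reply above says that --ssh-trust-dns turns on VerifyHostKeyDNS in the client config, which only does anything if DNS actually carries SSHFP records for the host. The Python below is an added illustration, not code from this thread or from FreeIPA: it reads the VerifyHostKeyDNS setting out of ssh_config-style text and checks an OpenSSH host public key against SSHFP records in the form `dig +short SSHFP <host>` prints them. The host key it uses is a constructed dummy blob, not a real key.

```python
import base64
import hashlib

# SSHFP codes (RFC 4255, RFC 6594, RFC 7479): key algorithm and fingerprint type.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}

def verify_host_key_dns_setting(ssh_config_text):
    """Return the VerifyHostKeyDNS value from ssh_config text ('yes', 'ask',
    'no') or None if unset. ssh_config accepts 'Key value' and 'Key = value'."""
    for raw in ssh_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "verifyhostkeydns":
            return parts[1].strip().lower()
    return None

def sshfp_records(pubkey_line):
    """The (algorithm, fptype, hex fingerprint) tuples `ssh-keygen -r` would
    publish for one OpenSSH public key line: hashes of the decoded key blob."""
    keytype, b64blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64blob)
    return [(SSHFP_ALGORITHM[keytype], SSHFP_FPTYPE[name],
             hashlib.new(name, blob).hexdigest()) for name in ("sha1", "sha256")]

def parse_sshfp_rdata(rdata):
    """Parse 'alg fptype hexfp' as printed by `dig +short SSHFP <host>`; dig may
    split a long fingerprint across whitespace, so the hex fields are joined."""
    fields = rdata.split()
    return (int(fields[0]), int(fields[1]), "".join(fields[2:]).lower())

def host_key_matches_dns(pubkey_line, dns_rdatas):
    """True if some SSHFP record in DNS matches the host key. With
    VerifyHostKeyDNS yes the client trusts the key only on such a match;
    with no record it falls back to the usual known_hosts check."""
    expected = set(sshfp_records(pubkey_line))
    return any(parse_sshfp_rdata(r) in expected for r in dns_rdatas)

# Constructed sample: an ed25519 key blob with a dummy 32-byte public key
# (NOT a real host key), encoded as OpenSSH does: string(keytype) + string(key).
_BLOB = b"".join(len(s).to_bytes(4, "big") + s
                 for s in (b"ssh-ed25519", bytes(range(32))))
SAMPLE_HOST_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " sample"

if __name__ == "__main__":
    print(verify_host_key_dns_setting("VerifyHostKeyDNS = yes\nHostKeyAlgorithms = ssh-rsa,ssh-dss"))
    for alg, fptype, fp in sshfp_records(SAMPLE_HOST_KEY):
        print(f"host.example.test. IN SSHFP {alg} {fptype} {fp}")
```

Running it with a real key file (e.g. the contents of /etc/ssh/ssh_host_ed25519_key.pub) and the output of dig shows whether the records the client would consult are present and correct.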



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
