[Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Bob Hinton
Hello,

If I uninstall the ipa client with ipa-client-install --uninstall then
reinstall it to the same ipa master then most functions work fine.
However, if I attempt to ssh from the client to the master then I get:

@@@
@WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
Please contact your system administrator.
Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this
message.
Offending key in /var/lib/sss/pubconf/known_hosts:1
RSA host key for ipa004.jackland.co.uk has changed and you have
requested strict checking.
Host key verification failed.

I've tried stopping the sssd service on the client, removing
/var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting
sssd, but /var/lib/sss/pubconf just gets recreated with the old contents
and I get the same error (it seems odd that it's reporting that the host
key of the master has changed when it's the client that has been
reinstalled). How do I clear out the client's knowledge of the old host
keys?

In this case I'm using ipa-client v3.0.0 on RHEL6.6

Thanks

Bob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Bob Hinton
The /home/USER/.ssh/known_hosts file doesn't exist. It's
/var/lib/sss/pubconf/known_hosts that's the problem.

If the offending line is deleted from this file or this file is deleted
completely then it's automatically replaced and the same error occurs.

On 10/06/2015 13:55, Cory Carlton wrote:



Re: [Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Cory Carlton
I feel this is a user ssh file issue, not an sssd one, when sshing.
The client is seeing it's a different key exchange with the same IP it once
knew about; the known_hosts file on the client machine (and user) in the
.ssh folder needs to be updated or wiped clean.

If you edit /home/USER/.ssh/known_hosts on the client machine, delete the IP
line.

On Wed, Jun 10, 2015 at 5:33 AM, Bob Hinton b...@jackland.demon.co.uk
wrote:

Re: [Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Lukas Slebodnik
On (10/06/15 11:33), Bob Hinton wrote:

You removed /var/lib/sss/pubconf/known_hosts
and also the sssd cache, but you still have the problem after restarting sssd.

So the only explanation is that the wrong host public key is stored in FreeIPA.
Could you try to check the host public key with ldapsearch in FreeIPA?
I think you would need to do it as an admin.

LS



Re: [Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Bob Hinton
On 10/06/2015 14:37, Lukas Slebodnik wrote:

The two rsa keys look like they're the same (see below) though the
fingerprints are evidently different. I copied and pasted the two keys
into files and ran diff over these to prove that they match.

I can actually fix the problem by copying the ipa master host keys to a
file, removing them with

ipa host-mod ipa004.jackland.co.uk --sshpubkey=''

then I can ssh from the client to the master without the error. I can
finally restore the keys from the file using the ipa host-mod command
again and all is well. So this looks like a long-winded way of clearing
some sort of cache of the key fingerprint on the client. It would just
be nice to know if there's a more direct way of doing this. Also I know
this works for one client, but it would be a pain to have to go through
this procedure for lots of them.

Thanks

Bob

-sh-4.2$ ipa host-show ipa004.jackland.co.uk --all
  dn: fqdn=ipa004.jackland.co.uk,cn=computers,cn=accounts,dc=jackland,dc=co,dc=uk
  Host name: ipa004.jackland.co.uk
  Principal name: host/ipa004.jackland.co...@jackland.co.uk
  SSH public key: ssh-rsa B3NzaC1yc2EDAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl,
    ssh-ed25519 C3NzaC1lZDI1NTE5ILt/SPXhj9izWvjQv5ChWozlOgqRzmSFMZkVj4amRGh/,
    ecdsa-sha2-nistp256 E2VjZHNhLXNoYTItbmlzdHAyNTYIbmlzdHAyNTYAAABBBM4R+8D6KCGntBbpGhwDzgH7YJt0xw1Ze21NH+rlsfnoLFStuM7T46/T1L2b2II8hwCmu6dt7F+NSd4YXUpk0/M=
  Requires pre-authentication: True
  Trusted for delegation: False
  Password: False
  Keytab: True
  Managed by: ipa004.jackland.co.uk
  Managing: ipa004.jackland.co.uk
  SSH public key fingerprint: DA:92:FD:52:AE:C2:65:00:9A:F6:0B:AA:20:51:8E:04 (ssh-rsa),
    53:79:39:CE:D8:13:23:D2:3C:2C:8E:E4:56:7E:41:76 (ssh-ed25519),
    56:28:C4:62:3F:64:18:5D:EC:B9:E0:1F:8B:48:EA:0B (ecdsa-sha2-nistp256)
  cn: ipa004.jackland.co.uk
  ipauniqueid: 0ffd1566-fd61-11e4-b868-000c29f1a817
  krblastpwdchange: 20150518132324Z
  objectclass: ipaSshGroupOfPubKeys, ipaobject, krbprincipal, nshost, top, ipaservice, pkiuser, ipahost, krbticketpolicyaux, krbprincipalaux, ipasshhost
  serverhostname: ipa004
-sh-4.2$

-sh-4.1$ ssh ipa004.jackland.co.uk
@@@
@WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
Please contact your system administrator.
Add correct 

Re: [Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Bob Hinton
OK. I think the original problem wasn't what I thought it was.

The keys in /etc/ssh/*.pub on the ipa master didn't match the ones stored
in IPA. I'm not sure how this happened, however the master is a test VM
that's been used to test ipa-backup and ipa-restore (it's a V4.1.0
master even though the client is V3.0).

Anyway, I repaired this by setting the keys in IPA to the ones in the
files by doing the following on the ipa master:

# start the command and open the quoted --sshpubkey value
echo "ipa host-mod ipa004.jackland.co.uk --sshpubkey='" > keyfix.sh
# append each host public key file, comma-separated
sudo cat /etc/ssh/ssh_host_rsa_key.pub >> keyfix.sh
echo -n ',' >> keyfix.sh
sudo cat /etc/ssh/ssh_host_ecdsa_key.pub >> keyfix.sh
echo -n ',' >> keyfix.sh
sudo cat /etc/ssh/ssh_host_ed25519_key.pub >> keyfix.sh
# close the quote
echo "'" >> keyfix.sh
vi keyfix.sh   # keep pressing J to join everything into one long line
sh keyfix.sh

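Lukas's suggestion to check the key FreeIPA stores against the key the master really serves, and Bob's final host-mod fix, as one added example (it is not code from the thread, FreeIPA or sssd): it reads concatenated /etc/ssh/*.pub contents and pasted `ipa host-show --all` output, compares the keys per type by the MD5 colon fingerprint both the ssh warning and ipa print, and builds the single-line `ipa host-mod --sshpubkey=` command that the echo/cat/vi-join steps produced. It runs offline on constructed sample data; the comma-separated --sshpubkey value format is the one shown in the thread.

```python
"""Check whether the host keys in /etc/ssh/*.pub match what FreeIPA stores for
the host. Hypothetical helper, not part of FreeIPA or sssd; offline, sample data."""
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ecdsa-sha2-nistp256", "ssh-ed25519")


def fingerprint(blob_b64):
    """MD5 of the decoded blob in the aa:bb:.. form the ssh warning and
    `ipa host-show` both print (the latter in upper case)."""
    hexd = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def parse_keys(text):
    """Map key type -> base64 blob. Accepts concatenated *.pub files ('type
    blob [comment]' per line) and whole, line-wrapped `ipa host-show --all` output."""
    tokens = text.replace(",", " ").split()
    return {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t in KEY_TYPES}


def compare(local_text, ipa_text):
    """Per key type: 'match', 'mismatch', 'missing-in-ipa' or 'missing-locally'.
    'mismatch' is what makes sssd write a stale /var/lib/sss/pubconf/known_hosts."""
    local, stored = parse_keys(local_text), parse_keys(ipa_text)
    report = {}
    for t in sorted(set(local) | set(stored)):
        if t not in stored:
            report[t] = "missing-in-ipa"
        elif t not in local:
            report[t] = "missing-locally"
        else:
            same = fingerprint(local[t]) == fingerprint(stored[t])
            report[t] = "match" if same else "mismatch"
    return report


def host_mod_command(fqdn, local_text):
    """One-line `ipa host-mod` that replaces the stored keys with the local
    ones, in the comma-separated form used in the thread."""
    keys = parse_keys(local_text)
    value = ",".join(f"{t} {keys[t]}" for t in KEY_TYPES if t in keys)
    return f"ipa host-mod {fqdn} --sshpubkey='{value}'"


# Constructed sample data; any bytes serve as a blob, since neither the
# comparison nor the fingerprint format depends on a real key encoding.
_b64 = lambda s: base64.b64encode(s).decode()
LOCAL_PUB = (f"ssh-rsa {_b64(b'rsa key now in /etc/ssh')} root@ipa004\n"
             f"ssh-ed25519 {_b64(b'ed25519 key in /etc/ssh')} root@ipa004\n")
IPA_SHOW = (f"  SSH public key: ssh-rsa\n {_b64(b'rsa key from ipa-restore')},\n"
            f"  ssh-ed25519\n {_b64(b'ed25519 key in /etc/ssh')}\n"
            "  SSH public key fingerprint:\n  AA:BB (ssh-rsa), CC:DD (ssh-ed25519)\n")
```

On a real host, feed `cat /etc/ssh/ssh_host_*_key.pub` and the output of `ipa host-show <fqdn> --all` to `compare`; any 'mismatch' or 'missing-in-ipa' line is the key to correct with the printed host-mod command.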