Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-16 Thread Bret Wortman
Here was the original sssd.conf. IPA created one, and I think in our 
early confusion over IPA, we created the other accidentally, and as we 
were trying to get puppet to enforce our system configs (we have a lot 
of developers who love to tinker with things they don't understand, 
which at this point includes me, I guess) we ended up postponing 
figuring out whether we could do away with the ".foo.net" one until today:


---
[domain/foo.com]
cach_credentials = True
krb5_store_password_if_offline = True
ipa_domain = foo.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = zw129.foo.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/.foo.com]

cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = FOO.COM
ipa_domain = .foo.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=com
dns_discovery_domain = .foo.com
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = .foo.com, foo.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

---


Bret

On 01/16/2014 12:47 PM, Jan Cholasta wrote:
I'm glad that fixed it, but I would still be interested in what went 
wrong. Could you tell me what was the difference between foo.com and 
.foo.com domain configuration? I'm also curious how such a 
configuration got into sssd.conf in the first place; 
ipa-client-install should have created only one domain.


On 16.1.2014 18:19, Bret Wortman wrote:

It did. I just needed the motivation to figure out which version was
correct. So I experimented on my own workstation this morning before
anyone else got in and rolled out a corrected version.

Thanks for your help, everyone!


On 01/16/2014 11:52 AM, Jan Cholasta wrote:

I think you can just comment out the whole [domain/] section in
sssd.conf and restart sssd. Does that solve the problem? If not, could
you please post your sssd.conf here?

On 16.1.2014 11:21, Bret Wortman wrote:

Yes, though there should be only one. We ended up somehow with
foo.com and .foo.com and I'm not sure how to reduce us properly to
just foo.com.


Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman

On Jan 16, 2014, at 4:42 AM, Jan Cholasta wrote:


OK, there is definitely something going on in the client then. Are
there multiple domains configured in sssd.conf?


On 15.1.2014 13:56, Bret Wortman wrote:
The fingerprint does match.


On 01/15/2014 03:33 AM, Jan Cholasta wrote:



On 14.1.2014 12:34, Bret Wortman wrote:
The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA
for the
host in question. It should not have had any connectivity issues;
it's
co-located with several of our IPA masters.


Can you also check if the MD5 fingerprint reported by ssh (e.g.
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original
post)
matches the MD5 fingerprint for the host in IPA?


--
Jan Cholasta

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
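For the two-section configuration above, an added lint (the editor's own example, not code from the thread, SSSD or FreeIPA) that parses an sssd.conf and flags [domain/...] sections naming the same domain with and without a leading dot, `domains =` entries that have no section, and ipa_domain or dns_discovery_domain values that begin with a dot; the embedded config is constructed after the posted one, and the dotted-value check is the editor's heuristic.

```python
"""Lint an sssd.conf for the overlapping-domain mistake discussed in the
thread: [domain/foo.com] and [domain/.foo.com] both name foo.com."""
import configparser
from collections import defaultdict

# Constructed after the sssd.conf posted in the thread (trimmed, not verbatim).
SAMPLE_SSSD_CONF = """\
[domain/foo.com]
cache_credentials = True
ipa_domain = foo.com
id_provider = ipa
ipa_hostname = zw129.foo.com
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_tls_cacert = /etc/ipa/ca.crt

[domain/.foo.com]
cache_credentials = True
krb5_realm = FOO.COM
ipa_domain = .foo.com
id_provider = ipa
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
dns_discovery_domain = .foo.com

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = .foo.com, foo.com

[ssh]
"""

# Keys whose value is a DNS domain name and so should not begin with a dot
# (editor's heuristic, based on the odd ".foo.com" values in the thread).
DOTTED_VALUE_KEYS = ("ipa_domain", "dns_discovery_domain")


def parse_sssd_conf(text):
    """Parse sssd.conf text; strict=False tolerates repeated keys/sections."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def normalise_domain(name):
    """Canonical form of a domain name: leading dots stripped, lower-case."""
    return name.strip().lstrip(".").lower()


def domain_sections(cp):
    """Map section name -> bare domain name for every [domain/...] section."""
    prefix = "domain/"
    return {s: s[len(prefix):] for s in cp.sections() if s.startswith(prefix)}


def find_overlapping_domains(cp):
    """{normalised domain: [section, ...]} for domains defined more than once."""
    groups = defaultdict(list)
    for section, name in domain_sections(cp).items():
        groups[normalise_domain(name)].append(section)
    return {k: v for k, v in groups.items() if len(v) > 1}


def find_dangling_domains(cp):
    """Entries of [sssd] domains= that have no matching [domain/<name>] section."""
    raw = cp.get("sssd", "domains", fallback="")
    listed = [d.strip() for d in raw.split(",") if d.strip()]
    return [d for d in listed if not cp.has_section("domain/" + d)]


def find_dotted_values(cp):
    """(section, key, value) triples where a domain-valued key starts with '.'."""
    hits = []
    for section in domain_sections(cp):
        for key in DOTTED_VALUE_KEYS:
            value = cp.get(section, key, fallback="")
            if value.startswith("."):
                hits.append((section, key, value))
    return hits


def lint(text):
    """Human-readable findings for an sssd.conf; an empty list means clean."""
    cp = parse_sssd_conf(text)
    findings = []
    for domain, sections in sorted(find_overlapping_domains(cp).items()):
        findings.append("domain %s is defined by %d sections: %s"
                        % (domain, len(sections), ", ".join(sections)))
    for name in find_dangling_domains(cp):
        findings.append("[sssd] domains lists %s but there is no [domain/%s]"
                        % (name, name))
    for section, key, value in find_dotted_values(cp):
        findings.append("[%s] %s = %s begins with a dot" % (section, key, value))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_SSSD_CONF) or ["no findings"]:
        print(finding)
```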

Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-16 Thread Jan Cholasta
I'm glad that fixed it, but I would still be interested in what went 
wrong. Could you tell me what was the difference between foo.com and 
.foo.com domain configuration? I'm also curious how such a 
configuration got into sssd.conf in the first place; ipa-client-install 
should have created only one domain.


On 16.1.2014 18:19, Bret Wortman wrote:

It did. I just needed the motivation to figure out which version was
correct. So I experimented on my own workstation this morning before
anyone else got in and rolled out a corrected version.

Thanks for your help, everyone!


On 01/16/2014 11:52 AM, Jan Cholasta wrote:

I think you can just comment out the whole [domain/] section in
sssd.conf and restart sssd. Does that solve the problem? If not, could
you please post your sssd.conf here?

On 16.1.2014 11:21, Bret Wortman wrote:

Yes, though there should be only one. We ended up somehow with
foo.com and .foo.com and I'm not sure how to reduce us properly to
just foo.com.


Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman


On Jan 16, 2014, at 4:42 AM, Jan Cholasta  wrote:

OK, there is definitely something going on in the client then. Are
there multiple domains configured in sssd.conf?


On 15.1.2014 13:56, Bret Wortman wrote:
The fingerprint does match.


On 01/15/2014 03:33 AM, Jan Cholasta wrote:



On 14.1.2014 12:34, Bret Wortman wrote:
The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA
for the
host in question. It should not have had any connectivity issues;
it's
co-located with several of our IPA masters.


Can you also check if the MD5 fingerprint reported by ssh (e.g.
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original
post)
matches the MD5 fingerprint for the host in IPA?


--
Jan Cholasta

--
Jan Cholasta



Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-16 Thread Bret Wortman
It did. I just needed the motivation to figure out which version was 
correct. So I experimented on my own workstation this morning before 
anyone else got in and rolled out a corrected version.


Thanks for your help, everyone!


On 01/16/2014 11:52 AM, Jan Cholasta wrote:
I think you can just comment out the whole [domain/] section in 
sssd.conf and restart sssd. Does that solve the problem? If not, could 
you please post your sssd.conf here?


On 16.1.2014 11:21, Bret Wortman wrote:
Yes, though there should be only one. We ended up somehow with 
foo.com and .foo.com and I'm not sure how to reduce us properly to 
just foo.com.



Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman


On Jan 16, 2014, at 4:42 AM, Jan Cholasta  wrote:

OK, there is definitely something going on in the client then. Are 
there multiple domains configured in sssd.conf?



On 15.1.2014 13:56, Bret Wortman wrote:
The fingerprint does match.


On 01/15/2014 03:33 AM, Jan Cholasta wrote:



On 14.1.2014 12:34, Bret Wortman wrote:
The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA 
for the
host in question. It should not have had any connectivity issues; 
it's

co-located with several of our IPA masters.


Can you also check if the MD5 fingerprint reported by ssh (e.g.
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original 
post)

matches the MD5 fingerprint for the host in IPA?


--
Jan Cholasta


Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-16 Thread Jan Cholasta
I think you can just comment out the whole [domain/] section in 
sssd.conf and restart sssd. Does that solve the problem? If not, could 
you please post your sssd.conf here?


On 16.1.2014 11:21, Bret Wortman wrote:

Yes, though there should be only one. We ended up somehow with foo.com and 
.foo.com and I'm not sure how to reduce us properly to just foo.com.


Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman


On Jan 16, 2014, at 4:42 AM, Jan Cholasta  wrote:

OK, there is definitely something going on in the client then. Are there 
multiple domains configured in sssd.conf?


On 15.1.2014 13:56, Bret Wortman wrote:
The fingerprint does match.


On 01/15/2014 03:33 AM, Jan Cholasta wrote:



On 14.1.2014 12:34, Bret Wortman wrote:
The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the
host in question. It should not have had any connectivity issues; it's
co-located with several of our IPA masters.


Can you also check if the MD5 fingerprint reported by ssh (e.g.
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post)
matches the MD5 fingerprint for the host in IPA?


--
Jan Cholasta



--
Jan Cholasta



Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-16 Thread Bret Wortman
Yes, though there should be only one. We ended up somehow with foo.com and 
.foo.com and I'm not sure how to reduce us properly to just foo.com. 


Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman

> On Jan 16, 2014, at 4:42 AM, Jan Cholasta  wrote:
> 
> OK, there is definitely something going on in the client then. Are there 
> multiple domains configured in sssd.conf?
> 
>> On 15.1.2014 13:56, Bret Wortman wrote:
>> The fingerprint does match.
>> 
>>> On 01/15/2014 03:33 AM, Jan Cholasta wrote:
>>> 
>>> 
 On 14.1.2014 12:34, Bret Wortman wrote:
 The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the
 host in question. It should not have had any connectivity issues; it's
 co-located with several of our IPA masters.
>>> 
>>> Can you also check if the MD5 fingerprint reported by ssh (e.g.
>>> 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post)
>>> matches the MD5 fingerprint for the host in IPA?
> 
> -- 
> Jan Cholasta



Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-16 Thread Jan Cholasta
OK, there is definitely something going on in the client then. Are there 
multiple domains configured in sssd.conf?


On 15.1.2014 13:56, Bret Wortman wrote:

The fingerprint does match.

On 01/15/2014 03:33 AM, Jan Cholasta wrote:



On 14.1.2014 12:34, Bret Wortman wrote:

The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the
host in question. It should not have had any connectivity issues; it's
co-located with several of our IPA masters.


Can you also check if the MD5 fingerprint reported by ssh (e.g.
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post)
matches the MD5 fingerprint for the host in IPA?


--
Jan Cholasta



Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-15 Thread Bret Wortman
No, that was me conflating this problem on two different machines, rs512 
and zw131. Sorry about that.



Bret

On 01/15/2014 12:53 AM, Simo Sorce wrote:

On Tue, 2014-01-14 at 06:46 -0500, Bret Wortman wrote:

I was assuming that the key was being re-inserted by the ssh
authentication request, but to eliminate puppet, I just tried this sequence:

# puppet agent --disable
# rm -f /var/lib/sss/pubconf/known_hosts
# ls -l /var/lib/sss/pubconf/known_hosts
# ssh zw131
:
: (errors about the key being incorrect)
:
# cat /var/lib/sss/pubconf/known_hosts
:

it now contained the bad key again.

Just a shot in the dark.
Your log files say ' host "rs512" ', are you having reverse DNS issues ?

Simo.


Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-15 Thread Bret Wortman

The fingerprint does match.

On 01/15/2014 03:33 AM, Jan Cholasta wrote:



On 14.1.2014 12:34, Bret Wortman wrote:

The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the
host in question. It should not have had any connectivity issues; it's
co-located with several of our IPA masters.


Can you also check if the MD5 fingerprint reported by ssh (e.g. 
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post) 
matches the MD5 fingerprint for the host in IPA?




I'd be happy to run sss_ssh_knownhostsproxy manually but haven't been
able to locate the proxy command to use via Google yet. Any guidance?


I don't think you need to do that, it will just update 
/var/lib/sss/pubconf/known_hosts again.





On 01/14/2014 05:43 AM, Jan Cholasta wrote:

On 13.1.2014 22:18, Jakub Hrozek wrote:

On Mon, Jan 13, 2014 at 02:44:29PM -0500, Bret Wortman wrote:

They're definitely different. I deleted the one in the file, then
tried again. It put the bad key back in the file. I blew the whole
file away and the same thing happened. Where is this key coming from
if not from IPA?


Can you try running sss_ssh_knownhostsproxy manually to see what key
it returns?

The keys are propagated to the file from the sssd database. If the
client
was offline, the client could use stale records. Can you verify the
client
has no connectivity issues?

Honza (CC-ed) might have some more hints.



Compare the public key in /etc/ssh/ssh_host_rsa_key.pub on the host
with the public key for that host in IPA. If they do not match, the
host key was changed after IPA client was installed and the host
record in IPA must be manually updated with the new key.

Honza


Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-15 Thread Jan Cholasta



On 14.1.2014 12:34, Bret Wortman wrote:

The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the
host in question. It should not have had any connectivity issues; it's
co-located with several of our IPA masters.


Can you also check if the MD5 fingerprint reported by ssh (e.g. 
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post) 
matches the MD5 fingerprint for the host in IPA?




I'd be happy to run sss_ssh_knownhostsproxy manually but haven't been
able to locate the proxy command to use via Google yet. Any guidance?


I don't think you need to do that, it will just update 
/var/lib/sss/pubconf/known_hosts again.





On 01/14/2014 05:43 AM, Jan Cholasta wrote:

On 13.1.2014 22:18, Jakub Hrozek wrote:

On Mon, Jan 13, 2014 at 02:44:29PM -0500, Bret Wortman wrote:

They're definitely different. I deleted the one in the file, then
tried again. It put the bad key back in the file. I blew the whole
file away and the same thing happened. Where is this key coming from
if not from IPA?


Can you try running sss_ssh_knownhostsproxy manually to see what key
it returns?

The keys are propagated to the file from the sssd database. If the
client
was offline, the client could use stale records. Can you verify the
client
has no connectivity issues?

Honza (CC-ed) might have some more hints.



Compare the public key in /etc/ssh/ssh_host_rsa_key.pub on the host
with the public key for that host in IPA. If they do not match, the
host key was changed after IPA client was installed and the host
record in IPA must be manually updated with the new key.

Honza




--
Jan Cholasta

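To make the comparison Jan asks for repeatable, an added example (the editor's, not code from the thread, SSSD or FreeIPA) that computes OpenSSH MD5 fingerprints from a ssh_host_rsa_key.pub line and from a known_hosts line and checks both against the fingerprint in `ssh -vvv` output; the sample keys, host names and debug line are constructed, with tiny moduli that are not real keys.

```python
"""Compare the three host-key fingerprints the thread talks about: the host's
/etc/ssh/ssh_host_rsa_key.pub, the entry SSSD wrote to
/var/lib/sss/pubconf/known_hosts, and the MD5 fingerprint that `ssh -vvv`
prints as "debug1: Server host key: RSA aa:bb:...:ff" (OpenSSH's pre-SHA256
format, as in the thread)."""
import base64
import hashlib


def ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ssh_mpint(n):
    """RFC 4251 'mpint': minimal big-endian bytes, with a 0x00 sign byte
    when the top bit is set, wrapped as a string."""
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return ssh_string(raw)


def rsa_public_blob(e, n):
    """Wire encoding of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob):
    """OpenSSH MD5 fingerprint: 16 colon-separated hex bytes of the key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def blob_from_pubkey_line(line):
    """Decode 'ssh-rsa <base64> [comment]' (ssh_host_rsa_key.pub format)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    return base64.b64decode(parts[1])


def blob_from_known_hosts_line(line):
    """Parse 'host[,host...] ssh-rsa <base64>' -> (hosts, blob).
    SSSD's pubconf file uses plain host names; hashed '|1|' entries
    are not handled here."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("not a known_hosts line")
    return parts[0].split(","), blob_from_pubkey_line(" ".join(parts[1:]))


def fingerprint_from_ssh_debug(text):
    """Pull the fingerprint out of the 'debug1: Server host key: RSA ...' line."""
    for line in text.splitlines():
        if "Server host key:" in line:
            return line.split()[-1]
    raise ValueError("no 'Server host key' line in the debug output")


def diagnose(host_pub_line, known_hosts_line, ssh_debug):
    """Classify the mismatch the way the thread reasons about it."""
    host_fp = md5_fingerprint(blob_from_pubkey_line(host_pub_line))
    _, cached_blob = blob_from_known_hosts_line(known_hosts_line)
    cached_fp = md5_fingerprint(cached_blob)
    offered_fp = fingerprint_from_ssh_debug(ssh_debug)
    if offered_fp == cached_fp:
        return "ok: offered key matches the SSSD known_hosts entry"
    if offered_fp == host_fp:
        return "stale cache: offered key is the host's own key; the SSSD entry is outdated"
    return "unexpected key: offered key matches neither the host's key nor the SSSD entry"


def pubkey_line(blob, comment=""):
    """Render a blob as an OpenSSH public-key line."""
    text = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return text + " " + comment if comment else text


# Constructed sample data (tiny moduli, NOT real keys; only the fingerprint
# arithmetic is exercised). Host names follow the thread.
REAL_HOST_BLOB = rsa_public_blob(65537, 0xC0FFEE1234567891)
STALE_BLOB = rsa_public_blob(65537, 0xDEADBEEFCAFEF00D)
HOST_PUB_LINE = pubkey_line(REAL_HOST_BLOB, "root@zw131")
SSSD_KNOWN_HOSTS_LINE = "zw131,zw131.foo.com " + pubkey_line(STALE_BLOB)
SSH_DEBUG = "debug1: Server host key: RSA " + md5_fingerprint(REAL_HOST_BLOB)

if __name__ == "__main__":
    print(diagnose(HOST_PUB_LINE, SSSD_KNOWN_HOSTS_LINE, SSH_DEBUG))
```

The key IPA records for a host is the same OpenSSH public-key line, so blob_from_pubkey_line and md5_fingerprint give the IPA-side value to set against what ssh reports.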


Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-14 Thread Simo Sorce
On Tue, 2014-01-14 at 06:46 -0500, Bret Wortman wrote:
> I was assuming that the key was being re-inserted by the ssh 
> authentication request, but to eliminate puppet, I just tried this sequence:
> 
> # puppet agent --disable
> # rm -f /var/lib/sss/pubconf/known_hosts
> # ls -l /var/lib/sss/pubconf/known_hosts
> # ssh zw131
> :
> : (errors about the key being incorrect)
> :
> # cat /var/lib/sss/pubconf/known_hosts
> :
> 
> it now contained the bad key again.

Just a shot in the dark.
Your log files say ' host "rs512" ', are you having reverse DNS issues ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-14 Thread Bret Wortman
I was assuming that the key was being re-inserted by the ssh 
authentication request, but to eliminate puppet, I just tried this sequence:


# puppet agent --disable
# rm -f /var/lib/sss/pubconf/known_hosts
# ls -l /var/lib/sss/pubconf/known_hosts
# ssh zw131
:
: (errors about the key being incorrect)
:
# cat /var/lib/sss/pubconf/known_hosts
:

it now contained the bad key again.


On 01/13/2014 02:52 PM, Dmitri Pal wrote:

On 01/13/2014 02:44 PM, Bret Wortman wrote:
They're definitely different. I deleted the one in the file, then 
tried again. It put the bad key back in the file. I blew the whole 
file away and the same thing happened. Where is this key coming from 
if not from IPA?


Puppet?




On 01/13/2014 02:36 PM, Rob Crittenden wrote:

Bret Wortman wrote:
I've got a strange situation where some of my workstations are 
reporting

difficulty when sshing to remote systems, but there's no pattern I can
discern. One user's machine can't get to system A, but I can, though I
can't ssh to his workstation directly.

Here's the kind of thing I see when doing ssh -vvv:

debug1: Server host key: RSA 
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab

debug3: load_hostkeys: loading entries for host "rs512" from file
"/root/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "rs512" from file
"/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type RSA in file
/var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
@@
@   WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle 
attack)!

It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this 
message.

Offending RSA key in /var/lib/sss/pubconf/known_hosts:2
RSA host key for zw131 has changed and you have requested strict 
checking.

Host key verification failed.
#

We haven't changed the host key; the public key files are dated 
October
23 of last year. Our configuration files for SSSD and SSH are 
managed by

Puppet, so they are consistent from system to system. That said, I did
compare a system that could remote to rs512 to one that could not and
found no differences. Here are the files:

/etc/sssd/sssd.conf:
[domain/spx.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = zw129.foo.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/.spx.net]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = FOO.NET
ipa_domain = .foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
dns_discovery_domain = .spx.net
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = .spx.net, spx.net
[nss]

[pam]

[sudo]

[autofs]

[ssh]

Is there anything else relevant that I should be looking at?


You might compare the value of the key in IPA to what is in 
/var/lib/sss/pubconf/known_hosts


rob




--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.



Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-14 Thread Bret Wortman
The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the 
host in question. It should not have had any connectivity issues; it's 
co-located with several of our IPA masters.


I'd be happy to run sss_ssh_knownhostsproxy manually but haven't been 
able to locate the proxy command to use via Google yet. Any guidance?



On 01/14/2014 05:43 AM, Jan Cholasta wrote:

On 13.1.2014 22:18, Jakub Hrozek wrote:

On Mon, Jan 13, 2014 at 02:44:29PM -0500, Bret Wortman wrote:

They're definitely different. I deleted the one in the file, then
tried again. It put the bad key back in the file. I blew the whole
file away and the same thing happened. Where is this key coming from
if not from IPA?


Can you try running sss_ssh_knownhostsproxy manually to see what key
it returns?

The keys are propagated to the file from the sssd database. If the 
client
was offline, the client could use stale records. Can you verify the 
client

has no connectivity issues?

Honza (CC-ed) might have some more hints.



Compare the public key in /etc/ssh/ssh_host_rsa_key.pub on the host 
with the public key for that host in IPA. If they do not match, the 
host key was changed after IPA client was installed and the host 
record in IPA must be manually updated with the new key.


Honza


Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-14 Thread Jan Cholasta

On 13.1.2014 22:18, Jakub Hrozek wrote:

On Mon, Jan 13, 2014 at 02:44:29PM -0500, Bret Wortman wrote:

They're definitely different. I deleted the one in the file, then
tried again. It put the bad key back in the file. I blew the whole
file away and the same thing happened. Where is this key coming from
if not from IPA?


Can you try running sss_ssh_knownhostsproxy manually to see what key
it returns?

The keys are propagated to the file from the sssd database. If the client
was offline, the client could use stale records. Can you verify the client
has no connectivity issues?

Honza (CC-ed) might have some more hints.



Compare the public key in /etc/ssh/ssh_host_rsa_key.pub on the host with 
the public key for that host in IPA. If they do not match, the host key 
was changed after IPA client was installed and the host record in IPA 
must be manually updated with the new key.


Honza

--
Jan Cholasta



Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-13 Thread Jakub Hrozek
On Mon, Jan 13, 2014 at 02:44:29PM -0500, Bret Wortman wrote:
> They're definitely different. I deleted the one in the file, then
> tried again. It put the bad key back in the file. I blew the whole
> file away and the same thing happened. Where is this key coming from
> if not from IPA?

Can you try running sss_ssh_knownhostsproxy manually to see what key
it returns?

The keys are propagated to the file from the sssd database. If the client
was offline, the client could use stale records. Can you verify the client
has no connectivity issues?

Honza (CC-ed) might have some more hints.



Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-13 Thread Dmitri Pal
On 01/13/2014 02:44 PM, Bret Wortman wrote:
> They're definitely different. I deleted the one in the file, then
> tried again. It put the bad key back in the file. I blew the whole
> file away and the same thing happened. Where is this key coming from
> if not from IPA?

Puppet?

>
>
> On 01/13/2014 02:36 PM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> I've got a strange situation where some of my workstations are
>>> reporting
>>> difficulty when sshing to remote systems, but there's no pattern I can
>>> discern. One user's machine can't get to system A, but I can, though I
>>> can't ssh to his workstation directly.
>>>
>>> Here's the kind of thing I see when doing ssh -vvv:
>>>
>>> debug1: Server host key: RSA
>>> 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
>>> debug3: load_hostkeys: loading entries for host "rs512" from file
>>> "/root/.ssh/known_hosts"
>>> debug3: load_hostkeys: loaded 0 keys
>>> debug3: load_hostkeys: loading entries for host "rs512" from file
>>> "/var/lib/sss/pubconf/known_hosts"
>>> debug3: load_hostkeys: found key type RSA in file
>>> /var/lib/sss/pubconf/known_hosts:2
>>> debug3: load_hostkeys: loaded 1 keys
>>> @@
>>> @   WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
>>> @@
>>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>> Someone could be eavesdropping on you right now (man-in-the-middle
>>> attack)!
>>> It is also possible that a host key has just been changed.
>>> The fingerprint for the RSA key sent by the remote host is
>>> 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
>>> Please contact your system administrator.
>>> Add correct host key in /root/.ssh/known_hosts to get rid of this
>>> message.
>>> Offending RSA key in /var/lib/sss/pubconf/known_hosts:2
>>> RSA host key for zw131 has changed and you have requested strict
>>> checking.
>>> Host key verification failed.
>>> #
>>>
>>> We haven't changed the host key; the public key files are dated October
>>> 23 of last year. Our configuration files for SSSD and SSH are
>>> managed by
>>> Puppet, so they are consistent from system to system. That said, I did
>>> compare a system that could remote to rs512 to one that could not and
>>> found no differences. Here are the files:
>>>
>>> /etc/sssd/sssd.conf:
>>> [domain/spx.net]
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = foo.net
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> ipa_hostname = zw129.foo.net
>>> chpass_provider = ipa
>>> ipa_dyndns_update = True
>>> ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> [domain/.spx.net]
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> krb5_realm = FOO.NET
>>> ipa_domain = .foo.net
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> chpass_provider = ipa
>>> ipa_dyndns_update = True
>>> ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
>>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
>>> dns_discovery_domain = .spx.net
>>> [sssd]
>>> services = nss, pam, ssh
>>> config_file_version = 2
>>>
>>> domains = .spx.net, spx.net
>>> [nss]
>>>
>>> [pam]
>>>
>>> [sudo]
>>>
>>> [autofs]
>>>
>>> [ssh]
>>>
>>> Is there anything else relevant that I should be looking at?
>>
>> You might compare the value of the key in IPA to what is in
>> /var/lib/sss/pubconf/known_hosts
>>
>> rob
>>
>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-13 Thread Bret Wortman
They're definitely different. I deleted the one in the file, then tried 
again. It put the bad key back in the file. I blew the whole file away 
and the same thing happened. Where is this key coming from if not from IPA?



On 01/13/2014 02:36 PM, Rob Crittenden wrote:

Bret Wortman wrote:

I've got a strange situation where some of my workstations are reporting
difficulty when sshing to remote systems, but there's no pattern I can
discern. One user's machine can't get to system A, but I can, though I
can't ssh to his workstation directly.

Here's the kind of thing I see when doing ssh -vvv:

debug1: Server host key: RSA 
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab

debug3: load_hostkeys: loading entries for host "rs512" from file
"/root/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "rs512" from file
"/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type RSA in file
/var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
@@
@   WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle 
attack)!

It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this 
message.

Offending RSA key in /var/lib/sss/pubconf/known_hosts:2
RSA host key for zw131 has changed and you have requested strict 
checking.

Host key verification failed.
#

We haven't changed the host key; the public key files are dated October
23 of last year. Our configuration files for SSSD and SSH are managed by
Puppet, so they are consistent from system to system. That said, I did
compare a system that could remote to rs512 to one that could not and
found no differences. Here are the files:

/etc/sssd/sssd.conf:
[domain/spx.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = zw129.foo.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/.spx.net]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = FOO.NET
ipa_domain = .foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
dns_discovery_domain = .spx.net
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = .spx.net, spx.net
[nss]

[pam]

[sudo]

[autofs]

[ssh]

Is there anything else relevant that I should be looking at?


You might compare the value of the key in IPA to what is in 
/var/lib/sss/pubconf/known_hosts


rob


Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-13 Thread Rob Crittenden

Bret Wortman wrote:

I've got a strange situation where some of my workstations are reporting
difficulty when sshing to remote systems, but there's no pattern I can
discern. One user's machine can't get to system A, but I can, though I
can't ssh to his workstation directly.

Here's the kind of thing I see when doing ssh -vvv:

debug1: Server host key: RSA 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
debug3: load_hostkeys: loading entries for host "rs512" from file
"/root/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "rs512" from file
"/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type RSA in file
/var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
@@
@   WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /var/lib/sss/pubconf/known_hosts:2
RSA host key for zw131 has changed and you have requested strict checking.
Host key verification failed.
#

We haven't changed the host key; the public key files are dated October
23 of last year. Our configuration files for SSSD and SSH are managed by
Puppet, so they are consistent from system to system. That said, I did
compare a system that could remote to rs512 to one that could not and
found no differences. Here are the files:

/etc/sssd/sssd.conf:
[domain/spx.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = zw129.foo.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/.spx.net]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = FOO.NET
ipa_domain = .foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
dns_discovery_domain = .spx.net
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = .spx.net, spx.net
[nss]

[pam]

[sudo]

[autofs]

[ssh]

Is there anything else relevant that I should be looking at?


You might compare the value of the key in IPA to what is in 
/var/lib/sss/pubconf/known_hosts


rob
