Re: [Freeipa-users] one last SSH question

2013-07-17 Thread Armstrong, Kenneth Lawrence
Thanks!  I changed that last line in my ssh_config, reloaded sshd, and was able 
to log in!

-Kenny

On Wed, 2013-07-17 at 16:46 +0200, Jan Cholasta wrote:


On 17.7.2013 16:22, Armstrong, Kenneth Lawrence wrote:
> Ok, hopefully my last SSH key question.
>
> I've been following the instructions here:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/host-keys.html#installing-host-keys
>
> and here:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/openssh-sssd.html
>
> I have my host's public key set, it shows up in the web UI, and I have
> these lines added to the end of the /etc/ssh/ssh_config file on the
> client machine (that is also a member of the IdM domain):
>
> ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p -d LINUXTEST.LIBERTY.EDU %h
> UserKnownHostsFile2 .ssh/sss_known_hosts
>
> I have reloaded the SSH service on the client.  I go to connect from my
> client to my linuxtest server (which happens to be my IdM server), and I
> get this:
>
> [karmstrong@linuxclient  ~]$ ssh karmstr...@linuxtest.liberty.edu
> The authenticity of host 'linuxtest.liberty.edu (<no hostip for proxy command>)' can't be established.
> RSA key fingerprint is ad:22:28:8d:91:81:3c:07:47:9d:5a:0d:09:33:18:e1.
> Are you sure you want to continue connecting (yes/no)? no
> Host key verification failed.
>
> The public key fingerprint matches what is set on the host's page in the
> IdM interface.
>
> I do not have a known_hosts in the karmstrong .ssh directory.
>
> I have also tried adding the FQDN, and FQDN,ip address into the SSH key
> on the IdM server through the Web UI, but I still get the bit about not
> finding an IP for the proxy command to use when it tries to authenticate
> the host.
>
> I have also verified that there is a PTR record in DNS for the host
> itself, so I believe that it is not a name resolution error.
>
> Am I missing something?

No. The documentation is wrong for some reason. This is what you should
have in ssh_config:

ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts

Honza



--

Kenny Armstrong
System Administrator
IS Operations

Training Champions for Christ since 1971
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] one last SSH question

2013-07-17 Thread Jan Cholasta

On 17.7.2013 16:22, Armstrong, Kenneth Lawrence wrote:

> Ok, hopefully my last SSH key question.
>
> I've been following the instructions here:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/host-keys.html#installing-host-keys
>
> and here:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/openssh-sssd.html
>
> I have my host's public key set, it shows up in the web UI, and I have
> these lines added to the end of the /etc/ssh/ssh_config file on the
> client machine (that is also a member of the IdM domain):
>
> ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p -d LINUXTEST.LIBERTY.EDU %h
> UserKnownHostsFile2 .ssh/sss_known_hosts
>
> I have reloaded the SSH service on the client.  I go to connect from my
> client to my linuxtest server (which happens to be my IdM server), and I
> get this:
>
> [karmstrong@linuxclient  ~]$ ssh karmstr...@linuxtest.liberty.edu
> The authenticity of host 'linuxtest.liberty.edu (<no hostip for proxy command>)' can't be established.
> RSA key fingerprint is ad:22:28:8d:91:81:3c:07:47:9d:5a:0d:09:33:18:e1.
> Are you sure you want to continue connecting (yes/no)? no
> Host key verification failed.
>
> The public key fingerprint matches what is set on the host's page in the
> IdM interface.
>
> I do not have a known_hosts in the karmstrong .ssh directory.
>
> I have also tried adding the FQDN, and FQDN,ip address into the SSH key
> on the IdM server through the Web UI, but I still get the bit about not
> finding an IP for the proxy command to use when it tries to authenticate
> the host.
>
> I have also verified that there is a PTR record in DNS for the host
> itself, so I believe that it is not a name resolution error.
>
> Am I missing something?


No. The documentation is wrong for some reason. This is what you should 
have in ssh_config:


ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts

Honza

--
Jan Cholasta
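
As an added example (not part of either message, and not FreeIPA or SSSD code), a shell check that compares an ssh_config against the two directives given in the reply above. The function names and the sample files are constructed for illustration, and the check assumes whitespace-separated `Keyword value` lines.

```shell
#!/usr/bin/env bash
# Added example: audit an ssh_config for the SSSD known-hosts setup, taking
# the two directives from the reply in this thread as the expected form.
EXPECTED_KH=/var/lib/sss/pubconf/known_hosts

# Print one finding per line for the ssh_config at $1; no output means it
# matches the form given in the reply.
audit_sss_ssh_config() {
  awk -v kh="$EXPECTED_KH" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
    { key = tolower($1) }                        # keywords are case-insensitive
    key == "proxycommand" && $2 ~ /sss_ssh_knownhostsproxy$/ {
      proxy = 1
      for (i = 3; i <= NF; i++)
        if ($i == "-d")
          print "line " NR ": ProxyCommand passes -d " $(i+1) " (the reply omits -d)"
    }
    key ~ /^userknownhostsfile2?$/ && $2 ~ /sss_known_hosts$/ {
      print "line " NR ": " $1 " " $2 " found; the reply uses GlobalKnownHostsFile " kh
    }
    key == "globalknownhostsfile" {
      for (i = 2; i <= NF; i++) if ($i == kh) global = 1
    }
    END {
      if (!proxy)  print "no sss_ssh_knownhostsproxy ProxyCommand found"
      if (!global) print "GlobalKnownHostsFile does not include " kh
    }' "$1"
}

# Number of findings for the file at $1.
count_findings() { audit_sss_ssh_config "$1" | wc -l | tr -d ' '; }

# Constructed sample files: the lines from the question and from the reply.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' \
  'ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p -d LINUXTEST.LIBERTY.EDU %h' \
  'UserKnownHostsFile2 .ssh/sss_known_hosts' > "$tmp/before"
printf '%s\n' \
  'ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h' \
  'GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts' > "$tmp/after"

echo "before:"; audit_sss_ssh_config "$tmp/before"
echo "after: $(count_findings "$tmp/after") finding(s)"
```

On a client, point `audit_sss_ssh_config` at `/etc/ssh/ssh_config` instead of the sample files.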
