Re: [Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Bob Hinton
OK. I think the original problem wasn't what I thought it was.

The keys in /etc/ssh/*.pub on the ipamaster didn't match the ones stored
in IPA. I'm not sure how this happened, however the master is a test VM
that's been used to test ipa-backup and ipa-restore (it's a V4.1.0
master even though the client is V3.0)

Anyway, I repaired this by setting the keys in IPA to the ones in the
files by doing the following on the ipa master :-

# Build a one-line "ipa host-mod" command from the master's own host key files
echo "ipa host-mod ipa004.jackland.co.uk --sshpubkey='" > keyfix.sh
sudo cat /etc/ssh/ssh_host_rsa_key.pub >> keyfix.sh
echo -n ',' >> keyfix.sh
sudo cat /etc/ssh/ssh_host_ecdsa_key.pub >> keyfix.sh
echo -n ',' >> keyfix.sh
sudo cat /etc/ssh/ssh_host_ed25519_key.pub >> keyfix.sh
echo "'" >> keyfix.sh
# Join everything into one long line (the manual "keep pressing J in vi" step)
tr -d '\n' < keyfix.sh > keyfix.tmp && mv keyfix.tmp keyfix.sh
sh keyfix.sh

On 10/06/2015 17:09, Bob Hinton wrote:
> On 10/06/2015 14:37, Lukas Slebodnik wrote:
>> On (10/06/15 11:33), Bob Hinton wrote:
>>> Hello,
>>>
>>> If I uninstall the ipa client with "ipa-client-install --uninstall" then
>>> reinstall it to the same ipa master then most functions work fine.
>>> However, if I attempt to ssh from the client to the master then I get.
>>>
>>> @@@
>>> @WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
>>> @@@
>>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>>> It is also possible that the RSA host key has just been changed.
>>> The fingerprint for the RSA key sent by the remote host is
>>> 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
>>> Please contact your system administrator.
>>> Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this
>>> message.
>>> Offending key in /var/lib/sss/pubconf/known_hosts:1
>>> RSA host key for ipa004.jackland.co.uk has changed and you have
>>> requested strict checking.
>>> Host key verification failed.
>>>
>>> I've tried stopping the sssd service on the client, removing
>>> /var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting
>>> sssd, but /var/lib/sss/pubconf just gets recreated with the old contents
>>> and I get the same error (it seems odd that it's reporting that the host
>>> key of the master has changed when it's the client that has been
>>> reinstalled). How do I clear-out the client's knowledge of the old host
>>> keys?
>>>
>>> In this case I'm using ipa-client v3.0.0 on RHEL6.6
>>>
>> You removed /var/lib/sss/pubconf/known_hosts
>> and also the sssd cache, but you still have the problem after restarting sssd.
>>
>> So the only explanation is that a wrong host public key is stored in FreeIPA.
>> Could you try to check the host public key with ldapsearch in FreeIPA?
>> I think you would need to do it as an admin.
>>
>> LS
>> .
>>
> The two RSA keys look like they're the same (see below) though the
> fingerprints are evidently different. I copied and pasted the two keys
> into files and ran diff over these to prove that they match.
>
> I can actually fix the problem by copying the ipa master host keys to a
> file, removing them with
>
> ipa host-mod ipa004.jackland.co.uk --sshpubkey=''
>
> then I can ssh from the client to the master without the error. I can
> finally restore the keys from the file using the ipa host-mod command
> again and all is well. So this looks like a long-winded way of clearing
> some sort of cache of the key finger-print on the client. It would just
> be nice to know if there's a more direct way of doing this. Also I know
> this works for one client, but it would be a pain to have to go through
> this procedure for lots of them.
>
> Thanks
>
> Bob
>
> -sh-4.2$ ipa host-show ipa004.jackland.co.uk --all
>   dn:
> fqdn=ipa004.jackland.co.uk,cn=computers,cn=accounts,dc=jackland,dc=co,dc=uk
>   Host name: ipa004.jackland.co.uk
>   Principal name: host/ipa004.jackland.co...@jackland.co.uk
>   SSH public key: ssh-rsa B3NzaC1yc2EDAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl,
>   ssh-ed25519 C3NzaC1lZDI1NTE5ILt/SPXhj9izWvjQv5ChWozlOgqRzmSFMZkVj4amRGh/,
>   ecdsa-sha2-nistp256 E2VjZHNhLXNoYTItbmlzdHAyNTYIbmlzdHAyNTYAAABBBM4R+8D6KCGntBbpGhwDzgH7YJt0xw1Ze21NH+rlsfnoLFStuM7T46/T1L2b2II8hwCmu6dt7F+NSd4YXUpk0/M=
>   Requires pre-authentication: True
>   Trusted for delegation: False
>   Password: False
>   Keytab: True
>   Managed by: ipa004.jackland.co.uk
>   Managing: ipa004.jackland.co.uk
>   SSH public key fingerprint:
> DA:92:FD:52:AE:C2:65:00:9A:F6:0B:AA:20:51:8E:04 (ssh-rsa),
>
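As an added check, not taken from the thread or from FreeIPA's own tooling, this script does what Bob did by hand and what Lukas suggested: it parses the master's ssh_host_*_key.pub lines and the wrapped "SSH public key" attribute of `ipa host-show --all`, computes the legacy MD5 fingerprints that ssh prints in its warning, and lists the keys present on disk but not in IPA and vice versa. The key blobs and the host-show output are constructed stand-ins; on a real master you would feed it the .pub files and the command output.

```python
import base64
import hashlib
import re
def _blob(label):  # constructed stand-in for a key blob: base64, not a real key
    return base64.b64encode(label.encode()).decode()

# Constructed /etc/ssh/ssh_host_*_key.pub contents on the master.
SERVED_PUB_FILES = "\n".join(["ssh-rsa %s root@ipa004" % _blob("rsa, current"),
                              "ecdsa-sha2-nistp256 %s root@ipa004" % _blob("ecdsa"),
                              "ssh-ed25519 %s root@ipa004" % _blob("ed25519")])

# Constructed `ipa host-show --all` output in the wrapped layout the thread
# shows; the stored RSA key is stale, as after an ipa-restore test.
IPA_HOST_SHOW = """  SSH public key: ssh-rsa
 %s,
  ssh-ed25519
%s,
ecdsa-sha2-nistp256
 %s
  Requires pre-authentication: True
""" % (_blob("rsa, stale"), _blob("ed25519"), _blob("ecdsa"))

def parse_pub_keys(text):
    """OpenSSH 'type base64 [comment]' lines -> [(type, raw_blob)]."""
    keys = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 2 and parts[0].startswith(("ssh-", "ecdsa-")):
            keys.append((parts[0], base64.b64decode(parts[1])))
    return keys

def parse_ipa_host_show(output):
    """Gather the wrapped, comma-separated 'SSH public key' attribute."""
    chunk, collecting = [], False
    for line in output.splitlines():
        if collecting and re.match(r"^\s*[A-Za-z][\w -]*:(\s|$)", line):
            break  # reached the next "  Name: value" attribute
        if line.strip().startswith("SSH public key:"):
            collecting, line = True, line.split(":", 1)[1]
        if collecting:
            chunk.append(line)
    return parse_pub_keys("\n".join(" ".join(chunk).split(",")))

def md5_fingerprint(blob):
    """Legacy colon-separated MD5 fingerprint, the form in ssh's warning."""
    return ":".join(re.findall("..", hashlib.md5(blob).hexdigest()))

def compare_host_keys(served, stored):
    """(on_disk_only, in_ipa_only) as sorted (type, fingerprint) lists."""
    fps = lambda keys: {(t, md5_fingerprint(b)) for t, b in keys}
    return sorted(fps(served) - fps(stored)), sorted(fps(stored) - fps(served))
```

Any entry in either list means the known_hosts file sssd generates from IPA will not match what sshd on the master presents, which is exactly the warning in this thread.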

Re: [Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Bob Hinton
On 10/06/2015 14:37, Lukas Slebodnik wrote:
> On (10/06/15 11:33), Bob Hinton wrote:
>> Hello,
>>
>> If I uninstall the ipa client with "ipa-client-install --uninstall" then
>> reinstall it to the same ipa master then most functions work fine.
>> However, if I attempt to ssh from the client to the master then I get.
>>
>> @@@
>> @WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
>> @@@
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>> It is also possible that the RSA host key has just been changed.
>> The fingerprint for the RSA key sent by the remote host is
>> 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
>> Please contact your system administrator.
>> Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this
>> message.
>> Offending key in /var/lib/sss/pubconf/known_hosts:1
>> RSA host key for ipa004.jackland.co.uk has changed and you have
>> requested strict checking.
>> Host key verification failed.
>>
>> I've tried stopping the sssd service on the client, removing
>> /var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting
>> sssd, but /var/lib/sss/pubconf just gets recreated with the old contents
>> and I get the same error (it seems odd that it's reporting that the host
>> key of the master has changed when it's the client that has been
>> reinstalled). How do I clear-out the client's knowledge of the old host
>> keys?
>>
>> In this case I'm using ipa-client v3.0.0 on RHEL6.6
>>
> You removed /var/lib/sss/pubconf/known_hosts
> and also the sssd cache, but you still have the problem after restarting sssd.
>
> So the only explanation is that a wrong host public key is stored in FreeIPA.
> Could you try to check the host public key with ldapsearch in FreeIPA?
> I think you would need to do it as an admin.
>
> LS
> .
>
The two RSA keys look like they're the same (see below) though the
fingerprints are evidently different. I copied and pasted the two keys
into files and ran diff over these to prove that they match.

I can actually fix the problem by copying the ipa master host keys to a
file, removing them with

ipa host-mod ipa004.jackland.co.uk --sshpubkey=''

then I can ssh from the client to the master without the error. I can
finally restore the keys from the file using the ipa host-mod command
again and all is well. So this looks like a long-winded way of clearing
some sort of cache of the key finger-print on the client. It would just
be nice to know if there's a more direct way of doing this. Also I know
this works for one client, but it would be a pain to have to go through
this procedure for lots of them.

Thanks

Bob

-sh-4.2$ ipa host-show ipa004.jackland.co.uk --all
  dn:
fqdn=ipa004.jackland.co.uk,cn=computers,cn=accounts,dc=jackland,dc=co,dc=uk
  Host name: ipa004.jackland.co.uk
  Principal name: host/ipa004.jackland.co...@jackland.co.uk
  SSH public key: ssh-rsa B3NzaC1yc2EDAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl,
  ssh-ed25519 C3NzaC1lZDI1NTE5ILt/SPXhj9izWvjQv5ChWozlOgqRzmSFMZkVj4amRGh/,
  ecdsa-sha2-nistp256 E2VjZHNhLXNoYTItbmlzdHAyNTYIbmlzdHAyNTYAAABBBM4R+8D6KCGntBbpGhwDzgH7YJt0xw1Ze21NH+rlsfnoLFStuM7T46/T1L2b2II8hwCmu6dt7F+NSd4YXUpk0/M=
  Requires pre-authentication: True
  Trusted for delegation: False
  Password: False
  Keytab: True
  Managed by: ipa004.jackland.co.uk
  Managing: ipa004.jackland.co.uk
  SSH public key fingerprint: DA:92:FD:52:AE:C2:65:00:9A:F6:0B:AA:20:51:8E:04 (ssh-rsa),
  53:79:39:CE:D8:13:23:D2:3C:2C:8E:E4:56:7E:41:76 (ssh-ed25519),
  56:28:C4:62:3F:64:18:5D:EC:B9:E0:1F:8B:48:EA:0B (ecdsa-sha2-nistp256)
  cn: ipa004.jackland.co.uk
  ipauniqueid: 0ffd1566-fd61-11e4-b868-000c29f1a817
  krblastpwdchange: 20150518132324Z
  objectclass: ipaSshGroupOfPubKeys, ipaobject, krbprincipal, nshost,
top, ipaservice, pkiuser, ipahost,
   krbticketpolicyaux, krbprincipalaux, ipasshhost
  serverhostname: ipa004
-sh-4.2$

-sh-4.1$ ssh ipa004.jackland.co.uk
@@@
@WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
86:c1:d7:96:8d:a3:b6:54:69:7c:

Re: [Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Lukas Slebodnik
On (10/06/15 11:33), Bob Hinton wrote:
>Hello,
>
>If I uninstall the ipa client with "ipa-client-install --uninstall" then
>reinstall it to the same ipa master then most functions work fine.
>However, if I attempt to ssh from the client to the master then I get.
>
>@@@
>@WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
>@@@
>IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>It is also possible that the RSA host key has just been changed.
>The fingerprint for the RSA key sent by the remote host is
>86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
>Please contact your system administrator.
>Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this
>message.
>Offending key in /var/lib/sss/pubconf/known_hosts:1
>RSA host key for ipa004.jackland.co.uk has changed and you have
>requested strict checking.
>Host key verification failed.
>
>I've tried stopping the sssd service on the client, removing
>/var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting
>sssd, but /var/lib/sss/pubconf just gets recreated with the old contents
>and I get the same error (it seems odd that it's reporting that the host
>key of the master has changed when it's the client that has been
>reinstalled). How do I clear-out the client's knowledge of the old host
>keys?
>
>In this case I'm using ipa-client v3.0.0 on RHEL6.6
>
You removed /var/lib/sss/pubconf/known_hosts
and also the sssd cache, but you still have the problem after restarting sssd.

So the only explanation is that a wrong host public key is stored in FreeIPA.
Could you try to check the host public key with ldapsearch in FreeIPA?
I think you would need to do it as an admin.

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Bob Hinton
The /home/USER/.ssh/known_hosts file doesn't exist. It's
/var/lib/sss/pubconf/known_hosts that's the problem.

If the offending line is deleted from this file or this file is deleted
completely then it's automatically replaced and the same error occurs.

On 10/06/2015 13:55, Cory Carlton wrote:
> I feel this is a user ssh file issue, not an sssd one, when sshing.
> The client is seeing that it's a different key exchange with the same IP it
> once knew about; the known_hosts file on the client machine (and user)
> in the .ssh folder needs to be updated or wiped clean.
>
> If you edit on the client machine /home/USER/.ssh/known_hosts delete
> the IP line.
>
> On Wed, Jun 10, 2015 at 5:33 AM, Bob Hinton  > wrote:
>
> Hello,
>
> If I uninstall the ipa client with "ipa-client-install
> --uninstall" then
> reinstall it to the same ipa master then most functions work fine.
> However, if I attempt to ssh from the client to the master then I get.
>
> @@@
> @WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle
> attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
> Please contact your system administrator.
> Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this
> message.
> Offending key in /var/lib/sss/pubconf/known_hosts:1
> RSA host key for ipa004.jackland.co.uk
>  has changed and you have
> requested strict checking.
> Host key verification failed.
>
> I've tried stopping the sssd service on the client, removing
> /var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting
> sssd, but /var/lib/sss/pubconf just gets recreated with the old
> contents
> and I get the same error (it seems odd that it's reporting that
> the host
> key of the master has changed when it's the client that has been
> reinstalled). How do I clear-out the client's knowledge of the old
> host
> keys?
>
> In this case I'm using ipa-client v3.0.0 on RHEL6.6
>
> Thanks
>
> Bob
>

Re: [Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Cory Carlton
I feel this is a user ssh file issue, not an sssd one, when sshing.
The client is seeing that it's a different key exchange with the same IP it once
knew about; the known_hosts file on the client machine (and user) in the
.ssh folder needs to be updated or wiped clean.

If you edit on the client machine /home/USER/.ssh/known_hosts delete the IP
line.

On Wed, Jun 10, 2015 at 5:33 AM, Bob Hinton 
wrote:

> Hello,
>
> If I uninstall the ipa client with "ipa-client-install --uninstall" then
> reinstall it to the same ipa master then most functions work fine.
> However, if I attempt to ssh from the client to the master then I get.
>
> @@@
> @WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
> Please contact your system administrator.
> Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this
> message.
> Offending key in /var/lib/sss/pubconf/known_hosts:1
> RSA host key for ipa004.jackland.co.uk has changed and you have
> requested strict checking.
> Host key verification failed.
>
> I've tried stopping the sssd service on the client, removing
> /var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting
> sssd, but /var/lib/sss/pubconf just gets recreated with the old contents
> and I get the same error (it seems odd that it's reporting that the host
> key of the master has changed when it's the client that has been
> reinstalled). How do I clear-out the client's knowledge of the old host
> keys?
>
> In this case I'm using ipa-client v3.0.0 on RHEL6.6
>
> Thanks
>
> Bob
>