> Dominik Vogt via FreeIPA-users wrote:
> > However, host key files in rsa and ecdsa format keep reappearing.
> > I'm not exactly sure when this happens.  Does it have something to
> > do with sssd?
>
> I believe sshd generates keys on startup if they do not exist.

I'll check that.  There was some "AUTOGENERATE..." setting for ssh
in RHEL 5 and 6 in the system defaults, but I couldn't find
anything like that on the installed machines.

> You probably want to include the --no-dns-sshfp option for
> ipa-client-install to prevent any existing SSH keys from appearing in DNS.
>
> ipa-client-install will add any keys to the host entry at the time of
> enrollment.

> > I understand that IdM can manage host keys, but we don't want to
> > use that feature because of the underlying system requirements,
> > and we'll never add new machines anyway.
>
> I don't believe there is an easy way to prevent ssh keys from getting
> into IPA. There is an ACI that grants a host write access to their own
> ssh pub keys but there is no equivalent permission for it. You could,
> for example, try tweaking the write to read and see if that helps. It'll
> prevent keys from getting into IPA so that sssd can never find them.

It would be good enough to make sure these keys are not used and
don't interfere with the keys that were installed manually.

At the moment there's a real problem though because sssd keeps
caching keys in the wrong format in /var/lib/.../known_hosts, and
ssh then complains that this copy is out of date.

> My spidey sense isn't tingling with this suggestion but that doesn't
> mean there isn't the possibility of a side-effect or future upgrade issues.

Ciao

Dominik ^_^  ^_^

--

Dominik Vogt
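As an added example that is not part of this thread, a small POSIX sh check for the stale-cache condition described above: it compares the key blobs sssd cached for a host against the host's own ssh_host_*_key.pub files and reports any cached key type whose blob no longer matches a local key. The cache path /var/lib/sss/pubconf/known_hosts is an assumption (the message elides it as /var/lib/.../known_hosts), the sample keys are constructed, and hashed known_hosts entries are not handled.

```shell
#!/bin/sh
# Compare the host keys sssd cached for a host with the key files actually
# present on that host. A cached key type whose blob matches no local key is
# the "out of date" condition ssh complains about. Paths are assumptions.

# Print "TYPE BLOB" for every public key file in a directory.
local_keys() {
    # $1 = directory holding ssh_host_*_key.pub (normally /etc/ssh)
    for f in "$1"/ssh_host_*_key.pub; do
        [ -r "$f" ] || continue
        awk '{ print $1, $2 }' "$f"
    done
}

# Print "TYPE BLOB" for every known_hosts entry whose host field contains $2.
cached_keys() {
    # $1 = cached known_hosts (assumed /var/lib/sss/pubconf/known_hosts), $2 = host name
    awk -v h="$2" '$1 !~ /^[#@]/ && index($1, h) { print $2, $3 }' "$1"
}

# Return 0 when every cached key for the host matches a local key, 1 otherwise;
# stale entries are printed as "stale TYPE".
check_cached_keys() {
    kh=$1; dir=$2; host=$3
    local_list=$(local_keys "$dir")
    stale=$(cached_keys "$kh" "$host" | while read -r type blob; do
        printf '%s\n' "$local_list" | grep -qxF "$type $blob" || echo "stale $type"
    done)
    if [ -n "$stale" ]; then
        printf '%s\n' "$stale"
        return 1
    fi
    return 0
}

# Constructed sample data: two current local key files, and a cached known_hosts
# whose ed25519 entry is current but whose rsa entry still carries an old blob.
demo_setup() {
    d=$(mktemp -d)
    mkdir "$d/ssh"
    echo "ssh-ed25519 AAAAC3ED25519EXAMPLEKEYBLOB root@host1" > "$d/ssh/ssh_host_ed25519_key.pub"
    echo "ssh-rsa AAAAB3RSACURRENTBLOB root@host1" > "$d/ssh/ssh_host_rsa_key.pub"
    printf '%s\n' \
        "host1.example.test ssh-ed25519 AAAAC3ED25519EXAMPLEKEYBLOB" \
        "host1.example.test ssh-rsa AAAAB3RSAOLDBLOB" \
        "other.example.test ssh-rsa AAAAB3OTHERHOSTBLOB" > "$d/known_hosts"
    printf '%s\n' "$d"
}
```

On a real host, run it as `check_cached_keys /var/lib/sss/pubconf/known_hosts /etc/ssh "$(hostname -f)"`; a non-zero exit with a "stale ssh-rsa" line is the symptom described in the thread.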
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure