On 10/06/2015 14:37, Lukas Slebodnik wrote:
> On (10/06/15 11:33), Bob Hinton wrote:
>> Hello,
>>
>> If I uninstall the ipa client with "ipa-client-install --uninstall" then
>> reinstall it to the same ipa master then most functions work fine.
>> However, if I attempt to ssh from the client to the master then I get:
>>
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>> It is also possible that the RSA host key has just been changed.
>> The fingerprint for the RSA key sent by the remote host is
>> 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
>> Please contact your system administrator.
>> Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this
>> message.
>> Offending key in /var/lib/sss/pubconf/known_hosts:1
>> RSA host key for ipa004.jackland.co.uk has changed and you have
>> requested strict checking.
>> Host key verification failed.
>>
>> I've tried stopping the sssd service on the client, removing
>> /var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/*, then restarting
>> sssd, but /var/lib/sss/pubconf just gets recreated with the old contents
>> and I get the same error (it seems odd that it's reporting that the host
>> key of the master has changed when it's the client that has been
>> reinstalled). How do I clear out the client's knowledge of the old host
>> keys?
>>
>> In this case I'm using ipa-client v3.0.0 on RHEL6.6
>>
> You removed /var/lib/sss/pubconf/known_hosts
> and also the sssd cache, but you still have the problem after restarting sssd.
>
> So the only explanation is that the wrong host public key is stored in FreeIPA.
> Could you try to check the host public key with ldapsearch in FreeIPA?
> I think you would need to do it as an admin.
>
> LS

The two RSA keys look like they're the same (see below), though the
fingerprints are evidently different. I copied and pasted the two keys into
files and ran diff over these to prove that they match.

I can actually fix the problem by copying the ipa master host keys to a
file, removing them with ipa host-mod ipa004.jackland.co.uk --sshpubkey=''
and then I can ssh from the client to the master without the error. I can
finally restore the keys from the file using the ipa host-mod command again
and all is well. So this looks like a long-winded way of clearing some sort
of cache of the key fingerprint on the client. It would just be nice to know
if there's a more direct way of doing this. Also, I know this works for one
client, but it would be a pain to have to go through this procedure for lots
of them.

Thanks

Bob

-sh-4.2$ ipa host-show ipa004.jackland.co.uk --all
  dn: fqdn=ipa004.jackland.co.uk,cn=computers,cn=accounts,dc=jackland,dc=co,dc=uk
  Host name: ipa004.jackland.co.uk
  Principal name: host/ipa004.jackland.co...@jackland.co.uk
  SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl, ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILt/SPXhj9izWvjQv5ChWozlOgqRzmSFMZkVj4amRGh/, ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM4R+8D6KCGntBbpGhwDzgH7YJt0xw1Ze21NH+rlsfnoLFStuM7T46/T1L2b2II8hwCmu6dt7F+NSd4YXUpk0/M=
  Requires pre-authentication: True
  Trusted for delegation: False
  Password: False
  Keytab: True
  Managed by: ipa004.jackland.co.uk
  Managing: ipa004.jackland.co.uk
  SSH public key fingerprint: DA:92:FD:52:AE:C2:65:00:9A:F6:0B:AA:20:51:8E:04 (ssh-rsa), 53:79:39:CE:D8:13:23:D2:3C:2C:8E:E4:56:7E:41:76 (ssh-ed25519), 56:28:C4:62:3F:64:18:5D:EC:B9:E0:1F:8B:48:EA:0B (ecdsa-sha2-nistp256)
  cn: ipa004.jackland.co.uk
  ipauniqueid: 0ffd1566-fd61-11e4-b868-000c29f1a817
  krblastpwdchange: 20150518132324Z
  objectclass: ipaSshGroupOfPubKeys, ipaobject, krbprincipal, nshost, top, ipaservice, pkiuser, ipahost, krbticketpolicyaux, krbprincipalaux, ipasshhost
  serverhostname: ipa004
-sh-4.2$

-sh-4.1$ ssh ipa004.jackland.co.uk
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
Please contact your system administrator.
Add correct host key in /home/adminuser/.ssh/known_hosts to get rid of this message.
Offending key in /var/lib/sss/pubconf/known_hosts:1
RSA host key for ipa004.jackland.co.uk has changed and you have requested strict checking.
Host key verification failed.
-sh-4.1$ head -1 /var/lib/sss/pubconf/known_hosts
|1|SsQw9iAjhWz7sgcE9OwLuSC6hsM=|DgSaVQaJDU2dW6U4vN/quyySzvk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl
-sh-4.1$

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
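The workaround in the message above clears and restores the keys FreeIPA holds for the host; what a client actually trusts is the entry SSSD writes into /var/lib/sss/pubconf/known_hosts from those keys, and OpenSSH compares the key the server presents against the stored entry of the same key type. The following is an added example, not code from this thread or from FreeIPA or SSSD: it parses OpenSSH public-key and known_hosts lines (including hashed host fields), computes the colon-separated MD5 fingerprint that ipa host-show prints, and reports per key type whether a stored key matches a live ssh-keyscan line. The ed25519 line is the key shown in the ipa host-show output above; the two ssh-rsa blobs, the salt and the keyscan lines are constructed for the demonstration and are not real keys or real server output.

```python
"""Compare the host keys FreeIPA/SSSD store for a host with the key the
server actually presents.  Added example for this thread; not FreeIPA or
SSSD code."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey(line):
    """Parse 'keytype base64blob [comment]' into (keytype, blob).

    Rejects bad base64 and a blob whose embedded type string does not match
    the text prefix, which catches a mangled or mis-pasted entry early.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:              # binascii.Error is a ValueError
        raise ValueError("bad base64 in key blob") from exc
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("truncated blob")
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != keytype:
        raise ValueError("prefix %r but blob says %r" % (keytype, embedded))
    return keytype, blob


def md5_fingerprint(blob):
    """MD5 fingerprint in the AA:BB:... form that ipa host-show prints."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2)).upper()


def parse_known_hosts_line(line):
    """Parse 'hostfield keytype blob'; hostfield may be a plain name, a
    comma-separated list, or the hashed form '|1|salt|hmac'."""
    hostfield, rest = line.split(None, 1)
    keytype, blob = parse_pubkey(rest)
    return hostfield, keytype, blob


def hash_host(hostname, salt):
    """Build the hashed host field OpenSSH uses: HMAC-SHA1(salt, hostname)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(hostfield, hostname):
    """True if a known_hosts host field (plain, list or hashed) names hostname."""
    if not hostfield.startswith("|1|"):
        return hostname in hostfield.split(",")
    _, _, salt_b64, mac_b64 = hostfield.split("|")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(mac_b64)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def compare_keys(stored_lines, scanned_lines):
    """Per key type: (stored fingerprint, live fingerprint, match?).

    stored_lines:  public-key lines as held in FreeIPA / sss known_hosts.
    scanned_lines: 'host keytype blob' lines as printed by ssh-keyscan.
    A type present on only one side gets None for the missing fingerprint.
    """
    stored = dict(parse_pubkey(l) for l in stored_lines)
    live = {}
    for l in scanned_lines:
        if not l.strip() or l.startswith("#"):   # ssh-keyscan comment lines
            continue
        _, keytype, blob = parse_known_hosts_line(l)
        live[keytype] = blob
    report = {}
    for keytype in sorted(set(stored) | set(live)):
        s = md5_fingerprint(stored[keytype]) if keytype in stored else None
        v = md5_fingerprint(live[keytype]) if keytype in live else None
        report[keytype] = (s, v, s is not None and s == v)
    return report


# Constructed sample data.  IPA_ED25519 is the ed25519 key from the
# ipa host-show output in the thread; fake_rsa_line() builds a synthetic
# ssh-rsa blob (e=65537, made-up modulus) that is NOT a real key and is
# used only to show a stored/live mismatch.
IPA_ED25519 = ("ssh-ed25519 "
               "AAAAC3NzaC1lZDI1NTE5AAAAILt/SPXhj9izWvjQv5ChWozlOgqRzmSFMZkVj4amRGh/")


def fake_rsa_line(modulus_byte):
    blob = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(bytes([modulus_byte]) * 64))
    return "ssh-rsa " + base64.b64encode(blob).decode()


STORED = [IPA_ED25519, fake_rsa_line(0x11)]            # what FreeIPA hands to SSSD
SCANNED = ["ipa004.jackland.co.uk " + IPA_ED25519,     # what the server presents
           "ipa004.jackland.co.uk " + fake_rsa_line(0x22)]

if __name__ == "__main__":
    for keytype, (s, v, ok) in compare_keys(STORED, SCANNED).items():
        print("%-20s stored=%s live=%s %s"
              % (keytype, s, v, "OK" if ok else "MISMATCH"))
```

To use it against real data, fill STORED with the ipasshpubkey values from ipa host-show --raw (or the lines from /var/lib/sss/pubconf/known_hosts) and SCANNED with the output of ssh-keyscan run against the master. A MISMATCH for the key type the client negotiates (ssh-rsa in the error above) means the stored key, not a stale client cache, is what ssh is rejecting, and clearing SSSD's cache alone will not change the outcome; host_matches() additionally lets you confirm that a hashed known_hosts entry really is the one for the host you are connecting to.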