OK. I think the original problem wasn't what I thought it was. The keys in /etc/ssh/*.pub on the ipamaster didn't match the ones stored in IPA. I'm not sure how this happened, however the master is a test VM that's been used to test ipa-backup and ipa-restore (it's a V4.1.0 master even though the client is V3.0).

Anyway, I repaired this by setting the keys in IPA to the ones in the files by doing the following on the ipa master:

echo "ipa host-mod ipa004.jackland.co.uk --sshpubkey='" > keyfix.sh
sudo cat /etc/ssh/ssh_host_rsa_key.pub >> keyfix.sh
echo -n ',' >> keyfix.sh
sudo cat /etc/ssh/ssh_host_ecdsa_key.pub >> keyfix.sh
echo -n ',' >> keyfix.sh
sudo cat /etc/ssh/ssh_host_ed25519_key.pub >> keyfix.sh
echo "'" >> keyfix.sh
vi keyfix.sh    (keep pressing J to join everything into one long line)
sh keyfix.sh

On 10/06/2015 17:09, Bob Hinton wrote:
> On 10/06/2015 14:37, Lukas Slebodnik wrote:
>> On (10/06/15 11:33), Bob Hinton wrote:
>>> Hello,
>>>
>>> If I uninstall the ipa client with "ipa-client-install --uninstall" then
>>> reinstall it to the same ipa master then most functions work fine.
>>> However, if I attempt to ssh from the client to the master then I get:
>>>
>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>>> It is also possible that the RSA host key has just been changed.
>>> The fingerprint for the RSA key sent by the remote host is
>>> 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
>>> Please contact your system administrator.
>>> Add correct host key in /home/gbob/.ssh/known_hosts to get rid of this
>>> message.
>>> Offending key in /var/lib/sss/pubconf/known_hosts:1
>>> RSA host key for ipa004.jackland.co.uk has changed and you have
>>> requested strict checking.
>>> Host key verification failed.
>>>
>>> I've tried stopping the sssd service on the client, removing
>>> /var/lib/sss/pubconf/known_hosts and /var/lib/sss/db/* then restarting
>>> sssd, but /var/lib/sss/pubconf just gets recreated with the old contents
>>> and I get the same error (it seems odd that it's reporting that the host
>>> key of the master has changed when it's the client that has been
>>> reinstalled). How do I clear out the client's knowledge of the old host
>>> keys?
>>>
>>> In this case I'm using ipa-client v3.0.0 on RHEL6.6
>>>
>> You removed /var/lib/sss/pubconf/known_hosts
>> and also sssd cache, but you still have problem after restarting sssd.
>>
>> So the only explanation is that wrong host public key is stored in FreeIPA.
>> Could you try to check host public key with ldapsearch in FreeIPA.
>> I think you would need to do it as an admin.
>>
>> LS
>>
> The two rsa keys look like they're the same (see below) though the
> fingerprints are evidently different. I copied and pasted the two keys
> into files and ran diff over these to prove that they match.
>
> I can actually fix the problem by copying the ipa master host keys to a
> file, removing them with
>
> ipa host-mod ipa004.jackland.co.uk --sshpubkey=''
>
> then I can ssh from the client to the master without the error. I can
> finally restore the keys from the file using the ipa host-mod command
> again and all is well. So this looks like a long-winded way of clearing
> some sort of cache of the key fingerprint on the client. It would just
> be nice to know if there's a more direct way of doing this. Also I know
> this works for one client, but it would be a pain to have to go through
> this procedure for lots of them.
>
> Thanks
>
> Bob
>
> -sh-4.2$ ipa host-show ipa004.jackland.co.uk --all
>   dn: fqdn=ipa004.jackland.co.uk,cn=computers,cn=accounts,dc=jackland,dc=co,dc=uk
>   Host name: ipa004.jackland.co.uk
>   Principal name: host/ipa004.jackland.co...@jackland.co.uk
>   SSH public key:
>     ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl,
>     ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILt/SPXhj9izWvjQv5ChWozlOgqRzmSFMZkVj4amRGh/,
>     ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM4R+8D6KCGntBbpGhwDzgH7YJt0xw1Ze21NH+rlsfnoLFStuM7T46/T1L2b2II8hwCmu6dt7F+NSd4YXUpk0/M=
>   Requires pre-authentication: True
>   Trusted for delegation: False
>   Password: False
>   Keytab: True
>   Managed by: ipa004.jackland.co.uk
>   Managing: ipa004.jackland.co.uk
>   SSH public key fingerprint:
>     DA:92:FD:52:AE:C2:65:00:9A:F6:0B:AA:20:51:8E:04 (ssh-rsa),
>     53:79:39:CE:D8:13:23:D2:3C:2C:8E:E4:56:7E:41:76 (ssh-ed25519),
>     56:28:C4:62:3F:64:18:5D:EC:B9:E0:1F:8B:48:EA:0B (ecdsa-sha2-nistp256)
>   cn: ipa004.jackland.co.uk
>   ipauniqueid: 0ffd1566-fd61-11e4-b868-000c29f1a817
>   krblastpwdchange: 20150518132324Z
>   objectclass: ipaSshGroupOfPubKeys, ipaobject, krbprincipal, nshost,
>                top, ipaservice, pkiuser, ipahost,
>                krbticketpolicyaux, krbprincipalaux, ipasshhost
>   serverhostname: ipa004
> -sh-4.2$
>
> -sh-4.1$ ssh ipa004.jackland.co.uk
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 86:c1:d7:96:8d:a3:b6:54:69:7c:cf:79:55:b3:14:c1.
> Please contact your system administrator.
> Add correct host key in /home/adminuser/.ssh/known_hosts to get rid of
> this message.
> Offending key in /var/lib/sss/pubconf/known_hosts:1
> RSA host key for ipa004.jackland.co.uk has changed and you have
> requested strict checking.
> Host key verification failed.
>
> -sh-4.1$ head -1 /var/lib/sss/pubconf/known_hosts
> |1|SsQw9iAjhWz7sgcE9OwLuSC6hsM=|DgSaVQaJDU2dW6U4vN/quyySzvk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClPcH8nnghnG3+knwkdg70I106jxO/zIeKggF71C4OHLCu0MJ/loEOcySZ2WH5YPWzRhX1LVN9FyDUKiOc3SNKnjpxjPsJXxk7r77X99jPmk+1QBgYGpn4yrYw/ebEAQLSjHGK86KfNvIbG2RSbNn6uQzC/mciXLEO+7lQ6Vq+DE3Du7+2iuyC2qKeNA9VVzc1NLm0phHT5nOKHpUZ3208GK1vn6r/5YiPmPy5zh8cGmedRft2Fc/J0rOlw5zvwW6kKYZldLvBK7xD2Pm3i2fs38nkH1JA3t83/FXXR/S/F7cY9aI1J/s/UuzawYmeBFXhrbexsUJicY7sS4LqtfBl
> -sh-4.1$
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
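The keyfix.sh recipe in the thread above works but needs a manual vi step to join the lines, and the diagnosis relied on pasting keys into files and diffing them by hand. The following is an added example, not code from the thread or from the FreeIPA project: a POSIX sh script that builds the `--sshpubkey` value directly from a directory of OpenSSH host key files, and checks whether the sssd-generated known_hosts on a client still carries the key material of a given master key file (the comparison Bob did with diff). It assumes the key files follow the /etc/ssh/ssh_host_*_key.pub naming and only prints the `ipa host-mod` command; running it on the master still requires an admin Kerberos ticket. The optional comment field of each .pub file is dropped so the stored value is just type and base64, the form `ipa host-show` displays.

```shell
#!/bin/sh
# Added example: rebuild the IPA sshpubkey value from local host key files
# and compare key material against an sssd known_hosts file. Assumptions:
# key files are named ssh_host_*_key.pub; the 'ipa' command is only printed.
set -eu

# Print "type base64" for one OpenSSH public key file, dropping the comment.
key_material() {
    awk 'NF >= 2 { print $1 " " $2; exit }' "$1"
}

# Join the key material of every ssh_host_*_key.pub in DIR with commas,
# which is the form 'ipa host-mod --sshpubkey' accepts for several keys.
build_sshpubkey_arg() {
    dir=$1
    out=""
    for f in "$dir"/ssh_host_*_key.pub; do
        [ -f "$f" ] || continue          # no match leaves the literal glob
        k=$(key_material "$f")
        if [ -z "$out" ]; then out=$k; else out="$out,$k"; fi
    done
    printf '%s\n' "$out"
}

# Return 0 if KNOWN_HOSTS has a line whose type and base64 match PUB_FILE,
# 1 otherwise. sssd writes hashed lines: "|1|salt|hash type base64".
known_hosts_matches_pub() {
    kh=$1
    pub=$2
    want=$(key_material "$pub")
    awk -v want="$want" \
        'NF >= 3 && ($2 " " $3) == want { found = 1 }
         END { exit found ? 0 : 1 }' "$kh"
}

# Emit the repair command to run on the IPA master (printed, not executed).
print_fix_command() {
    host=$1
    dir=${2:-/etc/ssh}
    printf "ipa host-mod %s --sshpubkey='%s'\n" "$host" "$(build_sshpubkey_arg "$dir")"
}

# Usage: sh fixkeys.sh ipa004.jackland.co.uk [/etc/ssh]
if [ $# -gt 0 ]; then
    print_fix_command "$@"
fi
```

On a client, `known_hosts_matches_pub /var/lib/sss/pubconf/known_hosts ssh_host_rsa_key.pub` (with the master's .pub copied over) tells you whether sssd's cache and the master's real key disagree before you change anything in IPA; a mismatch points at the stored host entry, as Lukas suggested, rather than at the client.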