[Freeipa-users] Re: ssh key issues

2022-07-21 Thread Gautham Vallabhan via FreeIPA-users
The issue is created by sssd.
Instead of re-installing freeipa, I did the below work-around:

Temporarily backup /var/lib/sss/pubconf /var/lib/sss/pubconf_bkp

ssh again to the remote machine. This will update the new hostkey.

Move back /var/lib/sss/pubconf_bkp to /var/lib/sss/pubconf

Now try again. The issue will not recur.

Note: Don't forget to move back /var/lib/sss/pubconf, else LDAP authentication 
will fail

Regards,
Gautham
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: ssh key issues

2020-09-16 Thread Andrew Meyer via FreeIPA-users
Found the offending server which had a completely different IP address.  
Deleted it anyways.  Problem fixed.  Thanks!


[Freeipa-users] Re: ssh key issues

2020-09-16 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer via FreeIPA-users wrote:
> How do I remove it once I find it?  I tried stopping sssd and deleting 
> everything in /var/lib/sss/db/* but it throws the same error when trying to 
> SSH to the new server.

If you wiped the local sssd cache files then it suggests the data is
coming from IPA or your DNS provider via SSHFP records.

rob


[Freeipa-users] Re: ssh key issues

2020-09-16 Thread Andrew Meyer via FreeIPA-users
How do I remove it once I find it?  I tried stopping sssd and deleting 
everything in /var/lib/sss/db/* but it throws the same error when trying to SSH 
to the new server.


[Freeipa-users] Re: ssh key issues

2020-09-15 Thread Sumit Bose via FreeIPA-users

On Tue, Sep 15, 2020 at 01:01:17PM -, Andrew Meyer via FreeIPA-users wrote:

> Where did you run this?  On a FreeIPA server?  Or the affected server?


Hi,

on the host where you see the issue, so I would say jump01 in your case.

bye,
Sumit



[Freeipa-users] Re: ssh key issues

2020-09-15 Thread Andrew Meyer via FreeIPA-users
I tried this.  I ran into this problem earlier this year but can't remember 
what I did to fix it.  


[Freeipa-users] Re: ssh key issues

2020-09-15 Thread Andrew Meyer via FreeIPA-users
Where did you run this?  On a FreeIPA server?  Or the affected server?


[Freeipa-users] Re: ssh key issues

2020-09-15 Thread Jonathan Aquilina via FreeIPA-users
I have had this issue on Mac OS X when sshing into a remote machine. Usually 
all you need to do is remove the known_hosts file and that will clear the 
problem.

Regards,
Jonathan


-Original Message-
From: Andrew Meyer via FreeIPA-users  
Sent: Monday, 14 September 2020 21:31
To: freeipa-users@lists.fedorahosted.org
Cc: Andrew Meyer 
Subject: [Freeipa-users] Re: ssh key issues

I just ran sss_cache -H and that didn't fix it.  Still getting this:

[andrew.meyer@jump01 ~]$ ssh ameyer@10.150.10.130 
@@@
@WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is 
SHA256:eKvyhTmq6m3zlrJY8b+wVEPhaN5V2VE9vGiGmdrh18E.
Please contact your system administrator.
Add correct host key in /home/andrew.meyer/.ssh/known_hosts to get rid of this 
message.
Offending ED25519 key in /var/lib/sss/pubconf/known_hosts:6
ECDSA host key for 10.150.10.130 has changed and you have requested strict 
checking.
Host key verification failed.


[Freeipa-users] Re: ssh key issues

2020-09-15 Thread Sumit Bose via FreeIPA-users

On Mon, Sep 14, 2020 at 07:31:25PM -, Andrew Meyer via FreeIPA-users wrote:

> I just ran sss_cache -H and that didn't fix it.  Still getting this:
>
> [andrew.meyer@jump01 ~]$ ssh ameyer@10.150.10.130
> @@@
> @WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the ECDSA key sent by the remote host is
> SHA256:eKvyhTmq6m3zlrJY8b+wVEPhaN5V2VE9vGiGmdrh18E.
> Please contact your system administrator.
> Add correct host key in /home/andrew.meyer/.ssh/known_hosts to get rid of this 
> message.
> Offending ED25519 key in /var/lib/sss/pubconf/known_hosts:6
> ECDSA host key for 10.150.10.130 has changed and you have requested strict 
> checking.
> Host key verification failed.



Hi,

you can inspect the cache file with the ldbsearch utility from the
ldb-tools package:

ldbsearch -H /var/lib/sss/db/cache_YOUR.DOMAIN.ldb

to see if the key is still somewhere stored in the cache.

Calling 'sss_cache' will only reset the lifetime of the cache entry
which would cause the backend to refresh the entry or delete it, if it
is not present on the server anymore. If the entry is not removed it
might be because SSSD is offline, i.e. it cannot connect to the server,
or that the entry still exists on the server or there is some issue
which prevents SSSD from removing the cached entry. To debug this you can
add 'debug_level = 9' to the [domain/...] section of sssd.conf, restart
SSSD, call 'sss_cache -H', try ssh again and then inspect
/var/log//sssd_YOUR.DOMAIN.log.

HTH

bye,
Sumit
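
Added example, not part of the thread or of SSSD/FreeIPA: before deleting anything, it can help to see which known_hosts file still carries an entry for the host whose fingerprint differs from the keys the server now offers. The Python sketch below computes the same SHA256 fingerprints ssh prints and reports stale lines by file and line number. The key blobs, the hostnames under example.test and the helper names are constructed for illustration; only plain (unhashed) entries are handled.

```python
import base64
import hashlib
import struct

def blob(key_type: str, raw: bytes) -> str:
    """Constructed sample key: length-prefixed type string + key bytes, base64."""
    parts = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), raw))
    return base64.b64encode(parts).decode()

def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint as ssh prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def entries_for(host: str, known_hosts_text: str):
    """Yield (line_no, key_type, fingerprint) for unhashed entries naming host."""
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):        # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        if host in fields[0].split(","):     # names and addresses are comma-separated
            yield n, fields[1], fingerprint(fields[2])

def stale_entries(host: str, presented_fps: set, files: dict):
    """Entries for host whose fingerprint matches no key the server now offers."""
    return [(path, n, ktype, fp)
            for path, text in files.items()
            for n, ktype, fp in entries_for(host, text)
            if fp not in presented_fps]

# Constructed sample data: OLD is the key still cached, NEW the key now offered.
OLD = blob("ssh-ed25519", b"\x01" * 32)
NEW = blob("ssh-ed25519", b"\x02" * 32)
FILES = {
    "/home/andrew.meyer/.ssh/known_hosts": f"10.150.10.130 ssh-ed25519 {NEW}\n",
    "/var/lib/sss/pubconf/known_hosts": (
        "# constructed sample\n"
        f"other.example.test ssh-ed25519 {NEW}\n"
        f"newhost.example.test,10.150.10.130 ssh-ed25519 {OLD}\n"),
}

if __name__ == "__main__":
    for hit in stale_entries("10.150.10.130", {fingerprint(NEW)}, FILES):
        print("stale: %s:%d %s %s" % hit)
```

The set of presented fingerprints should come from a source you trust, such as the server's console, not from the same network path that produced the warning.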




[Freeipa-users] Re: ssh key issues

2020-09-14 Thread Andrew Meyer via FreeIPA-users
I just ran sss_cache -H and that didn't fix it.  Still getting this:

[andrew.meyer@jump01 ~]$ ssh ameyer@10.150.10.130
@@@
@WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:eKvyhTmq6m3zlrJY8b+wVEPhaN5V2VE9vGiGmdrh18E.
Please contact your system administrator.
Add correct host key in /home/andrew.meyer/.ssh/known_hosts to get rid of this 
message.
Offending ED25519 key in /var/lib/sss/pubconf/known_hosts:6
ECDSA host key for 10.150.10.130 has changed and you have requested strict 
checking.
Host key verification failed.