On 12/04/2022 11:21, Florence Blanc-Renaud wrote:
Hi,
if you already have ssh public keys in
/etc/ssh/ssh_host_*.pub, you can do
# ipa host-mod --updatedns --sshpubkey "*ssh-rsa AAAAB3NzaC...*" client.ipa.test
(where the bold text is the content of your .pub file).
Then in order to check what was done:
# ipa dnsrecord-show ipa.test client
  Record name: client
  A record: 10.0.147.130
  SSHFP record: 1 1 2D9747370DF5CEDDE66AC4DC354076326F466A0A, 1 2 0B1FB068265381BE51CEA14D315C3A2647E98BC9672B0640045C9D5131BA404C
You can check that they correspond using
# ssh-keygen -r client.ipa.test -f /etc/ssh/ssh_host_rsa_key.pub
client.ipa.test IN SSHFP 1 1 2d9747370df5cedde66ac4dc354076326f466a0a
client.ipa.test IN SSHFP 1 2 0b1fb068265381be51cea14d315c3a2647e98bc9672b0640045c9d5131ba404c
The fingerprints are also visible using
# ipa host-show client.ipa.test
  ...
  SSH public key fingerprint: SHA256:Cx...
and can be checked using
# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
3072 SHA256:Cx...
Does it help?
flo
On Mon, Apr 11, 2022 at 9:20 PM lejeczek via FreeIPA-users <[email protected]> wrote:
Hi guys.
What is the correct way to update/modify server's
sshfp records?
I assumed those are in: /etc/ssh/ssh_host_*.pub
and I should use 'host-mod --updatedns ..'
but then such records do not look like what IPA
had/created.
many thanks, L
_______________________________________________
I've probably phrased poorly what I wanted to say.
I did that, as I said I did: 'host-mod --updatedns ..' and...
just after this I did: 'ipa host-show'
which also showed "ssh public key (FP separately as usual)
records", which puzzled me a bit, as those were not there
for/from a "regular" client/replica install (including this
host prior to the manual update), but...!
Now 'ipa host-show' does not show those "ssh public key" records
anymore... now I begin to worry, or... is it how IPA
"behaves"?
ps. Flo, do the right thing, follow etiquette/lang rules.
I'd like to think it's not just conversation between us two.
How do you like to read your book? aha! exactly.
many thanks, L.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
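The check Florence does by hand above (run 'ssh-keygen -r' on the host key file, then compare against the SSHFP value that 'ipa dnsrecord-show' prints) can be scripted so that a whole fleet can be audited for stale or missing SSHFP records. The example below is added to this thread and is not FreeIPA code or anything posted by either participant; it assumes the key files are in the usual OpenSSH one-line format, and the ed25519 key it uses as input is constructed in the script (32 arbitrary bytes, not a real host key) so that it runs offline. It also handles the detail visible in the thread's output: IPA prints the fingerprints in upper-case hex while ssh-keygen prints lower-case, so the comparison is case-insensitive.

```python
"""Compare the SSHFP records a DNS server publishes for a host with the
fingerprints derived from the host's /etc/ssh/ssh_host_*.pub files,
the same check as 'ssh-keygen -r' versus 'ipa dnsrecord-show'."""
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers from RFC 4255, 6594 and 7479
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """Return the (algorithm, fptype, lowercase hex) tuples that
    'ssh-keygen -r' would print for one line of a .pub file."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    keytype, blob_b64 = fields[0], fields[1]
    alg = SSHFP_ALGORITHMS.get(keytype)
    if alg is None:
        raise ValueError(f"no SSHFP algorithm number for {keytype}")
    blob = base64.b64decode(blob_b64, validate=True)
    # The blob's first length-prefixed string names the key type; refuse
    # files whose text label and wire-format contents disagree.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key type field does not match blob contents")
    # The SSHFP fingerprint is the hash of the raw (decoded) key blob.
    return [(alg, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_FPTYPES.items())]


def parse_ipa_sshfp(record_text):
    """Parse the 'SSHFP record:' value as 'ipa dnsrecord-show' prints it,
    e.g. '1 1 2D97..., 1 2 0B1F...', into a set of (alg, fptype, hex)."""
    records = set()
    for entry in record_text.split(","):
        alg, fptype, fp = entry.split()
        records.add((int(alg), int(fptype), fp.lower()))
    return records


def check_sshfp(pubkey_lines, record_text):
    """Return (missing, stale): fingerprints the key files imply but DNS
    lacks, and DNS records that match none of the key files."""
    expected = set()
    for line in pubkey_lines:
        expected.update(sshfp_records(line))
    published = parse_ipa_sshfp(record_text)
    return expected - published, published - expected


def constructed_ed25519_pub():
    """Constructed sample key (NOT a real host key): 32 fixed bytes wrapped
    in the OpenSSH wire format string(keytype) || string(key)."""
    key = bytes(range(32))
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@client.ipa.test"


if __name__ == "__main__":
    pub = constructed_ed25519_pub()
    recs = sshfp_records(pub)
    # What IPA would show if the host-mod worked: same records, upper-case
    in_sync = ", ".join(f"{a} {t} {fp.upper()}" for a, t, fp in recs)
    print("in sync:", check_sshfp([pub], in_sync))
    # A leftover record from an earlier RSA key: reported as stale,
    # and the ed25519 records as missing
    print("stale:", check_sshfp([pub], "1 1 " + "0" * 40))
```

In practice the record_text argument comes from the 'SSHFP record:' line of 'ipa dnsrecord-show' (or from a DNS query against the zone), and pubkey_lines from every /etc/ssh/ssh_host_*.pub on the host; a non-empty 'stale' set is the signal that a host was re-keyed without the DNS entry being updated.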