On 12/04/2022 18:39, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
On 12/04/2022 11:21, Florence Blanc-Renaud wrote:
Hi,
if you already have ssh public keys in /etc/ssh/ssh_host_*.pub, you can do
# ipa host-mod --updatedns --sshpubkey "*ssh-rsa AAAAB3NzaC...*" client.ipa.test
(where the bold text is the content of your .pub file).
Then in order to check what was done:
# ipa dnsrecord-show ipa.test client
Record name: client
A record: 10.0.147.130
SSHFP record: 1 1 2D9747370DF5CEDDE66AC4DC354076326F466A0A, 1 2 0B1FB068265381BE51CEA14D315C3A2647E98BC9672B0640045C9D5131BA404C
You can check that they correspond using
# ssh-keygen -r client.ipa.test -f /etc/ssh/ssh_host_rsa_key.pub
client.ipa.test IN SSHFP 1 1 2d9747370df5cedde66ac4dc354076326f466a0a
client.ipa.test IN SSHFP 1 2 0b1fb068265381be51cea14d315c3a2647e98bc9672b0640045c9d5131ba404c
The fingerprints are also visible using
# ipa host-show client.ipa.test
...
SSH public key fingerprint: SHA256:Cx...
and can be checked using
# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
3072 SHA256:Cx...
Does it help?
flo
On Mon, Apr 11, 2022 at 9:20 PM lejeczek via FreeIPA-users
<[email protected]> wrote:
Hi guys.
What is the correct way to update/modify server's
sshfp records?
I assumed those are in: /etc/ssh/ssh_host_*.pub
and I should use 'host-mod --updatedns ..'
but then such records do not look like what IPA
had/created.
many thanks, L
I've probably phrased poorly what I wanted to say.
I did that, as I said I did: 'host-mod --updatedns ..' and...
just after this I did: 'ipa host-show'
which showed also "ssh public key (FP separately as usually) records"
which puzzled me a bit as, those were not there for/from "regular"
client/replica install (including this host prior to manual update),
but...!
now those "ssh public key" records 'ipa host-show' does not show
anymore... now I begin to worry, or.. it's how IPA "behaves"?
I think it would help if you showed us what you are seeing, the exact
commands, and what the output looks like vs what you expect.
When I do:
-> $ ipa host-mod drunk.in.ccn --updatedns --sshpubkey="ssh-ed25519 .." --sshpubkey="ecdsa-sha2-nistp256 ...=" --sshpubkey="ssh-rsa ..."
------------------------------------
Modified host "drunk.in.ccn"
------------------------------------
Host name: drunk.in.ccn
Principal name: host/[email protected]
Principal alias: host/[email protected]
SSH public key: ssh-ed25519 ....AIKv2AOJxFqqpcpe/HR/3hh, ssh-rsa AAAAB3NzaC1....U=, ecdsa-sha2-nistp256 ..../TWR/ZoiqV3Ke4Fw3LrtT9b86uqlb8Uc8P8lJe2RV4wvRw=
SSH public key fingerprint: SHA256:....
IPA, above command prints - which '*-mod' when it does, I'd
think, usually shows that end result as '*-show' would get.
So there are both "SSH public key" & "SSH public key
fingerprint" but '-show' latter gets only the latter -
perhaps it's just how it should be?
many thanks, L
ps. Flo, do the right thing, follow etiquette/lang rules. I'd like to
think it's not just conversation between us two. How do you like to read
your book? aha! exactly.
Not sure what you mean. She replied to the list, not just to you.
rob
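The cross-check Florence describes above (ssh-keygen -r against ipa dnsrecord-show) can be scripted. The following is an added example, not code from this thread or from FreeIPA: it derives SSHFP algorithm/fingerprint-type pairs from an OpenSSH .pub line the same way ssh-keygen -r does, parses the "SSHFP record:" value that ipa dnsrecord-show prints, and reports records that are missing from DNS or stale in DNS. The sample ed25519 key and the DNS value are constructed inline, not real keys.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (legacy), 2 = SHA-256
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_records(pubkey_line):
    """Compute [(alg, fptype, hex_fp), ...] for one OpenSSH .pub line,
    hashing the decoded key blob exactly as ssh-keygen -r does."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHMS[keytype]
    return [(alg, t, h(blob).hexdigest()) for t, h in SSHFP_FPTYPES.items()]

def parse_ipa_sshfp(value):
    """Parse the comma-separated 'SSHFP record:' value from ipa dnsrecord-show.
    IPA prints hex in upper case and ssh-keygen in lower case, so normalise."""
    records = set()
    for rr in value.split(","):
        alg, fptype, fp = rr.split()
        records.add((int(alg), int(fptype), fp.lower()))
    return records

def check_host(pubkey_lines, ipa_sshfp_value):
    """Compare the host's .pub files against what IPA published in DNS."""
    expected = {r for line in pubkey_lines for r in sshfp_records(line)}
    published = parse_ipa_sshfp(ipa_sshfp_value)
    return {"missing": expected - published, "stale": published - expected}

def make_ed25519_pub_line(raw32):
    """Build a syntactically valid (constructed, not real) ssh-ed25519 .pub line."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@client"

if __name__ == "__main__":
    # Constructed sample: one host key, plus a DNS value that also carries a
    # stale SHA-1 RSA record from a key the host no longer has.
    line = make_ed25519_pub_line(bytes(range(32)))
    dns_value = ", ".join(f"{a} {t} {f.upper()}" for a, t, f in sshfp_records(line))
    dns_value += ", 1 1 " + "00" * 20
    print(check_host([line], dns_value))
```

On a real host, read each /etc/ssh/ssh_host_*.pub into pubkey_lines and paste the "SSHFP record:" value from ipa dnsrecord-show; an empty "missing" and "stale" means DNS matches the keys on disk.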