I've got a strange situation where some of my workstations are
reporting difficulty when sshing to remote systems, but there's no
pattern I can discern. One user's machine can't get to system A, but
I can, though I can't ssh to his workstation directly. Here's the kind of thing I see when doing ssh -vvv:

debug1: Server host key: RSA 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
debug3: load_hostkeys: loading entries for host "rs512" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "rs512" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /var/lib/sss/pubconf/known_hosts:2
RSA host key for zw131 has changed and you have requested strict checking.
Host key verification failed.

We haven't changed the host key; the public key files are dated October 23 of last year. Our configuration files for SSSD and SSH are managed by Puppet, so they are consistent from system to system. That said, I did compare a system that could remote to rs512 to one that could not and found no differences.
Here are the files:

/etc/sssd/sssd.conf:

[domain/spx.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = zw129.foo.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_tls_cacert = /etc/ipa/ca.crt

[domain/.spx.net]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = FOO.NET
ipa_domain = .foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
dns_discovery_domain = .spx.net

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = .spx.net, spx.net

[nss]
[pam]
[sudo]
[autofs]
[ssh]

Is there anything else relevant that I should be looking at?
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
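As an added diagnostic for the situation described in the post above (this is not code from the original message, from SSSD or from OpenSSH), the script below parses the known_hosts files ssh consulted (the user's ~/.ssh/known_hosts and SSSD's /var/lib/sss/pubconf/known_hosts), computes the MD5 colon fingerprint the warning prints, and reports which file and line disagrees with the key the server actually presented. The hostnames, addresses and RSA keys are constructed sample data; in practice the presented key would come from "ssh-keyscan -t rsa HOST" and the file contents from the real paths.

```python
import base64
import hashlib
import struct


def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH MD5 fingerprint, colon-separated as in the ssh warning."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_known_hosts(text: str):
    """Yield (line_no, hostnames, key_type, key_blob) for each plain entry.
    Hashed (|1|...) entries, @-marker lines and comments are skipped."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        yield line_no, fields[0].split(","), fields[1], base64.b64decode(fields[2])


def check_host_key(host: str, key_type: str, presented: bytes, files: dict):
    """Compare the key a server presented with every matching known_hosts entry.
    files maps path -> contents; returns (path, line, verdict, fingerprint)."""
    results = []
    for path, text in files.items():
        for line_no, hosts, ktype, blob in parse_known_hosts(text):
            if host in hosts and ktype == key_type:
                verdict = "match" if blob == presented else "CHANGED"
                results.append((path, line_no, verdict, md5_fingerprint(blob)))
    return results


def rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob (RFC 4253 wire format) for sample data."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")  # keeps sign bit clear
        return struct.pack(">I", len(raw)) + raw
    return struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)


# Constructed sample keys and files (hypothetical hosts, not real keys).
KEY_A = rsa_blob(65537, 0xC0FFEE0123456789ABCDEF)
KEY_B = rsa_blob(65537, 0xDEADBEEF9876543210FEDC)
SAMPLE_FILES = {
    "/var/lib/sss/pubconf/known_hosts": "rs512,192.0.2.10 ssh-rsa " + base64.b64encode(KEY_A).decode(),
    "/root/.ssh/known_hosts": "rs512 ssh-rsa " + base64.b64encode(KEY_B).decode(),
}

if __name__ == "__main__":
    for path, line_no, verdict, fp in check_host_key("rs512", "ssh-rsa", KEY_A, SAMPLE_FILES):
        print(f"{path}:{line_no} {verdict} {fp}")
```

Running it against the real files on a working and a failing workstation shows whether the SSSD-served entry or the user's own known_hosts is the one that disagrees with the server, which the ssh warning alone does not separate.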
