The fingerprint does match.

On 01/15/2014 03:33 AM, Jan Cholasta wrote:
> On 14.1.2014 12:34, Bret Wortman wrote:
>> The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the host in question. It should not have had any connectivity issues; it's co-located with several of our IPA masters.
>
> Can you also check if the MD5 fingerprint reported by ssh (e.g. 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post) matches the MD5 fingerprint for the host in IPA?
>
>> I'd be happy to run sss_ssh_knownhostsproxy manually but haven't been able to locate the proxy command to use via Google yet. Any guidance?
>
> I don't think you need to do that, it will just update /var/lib/sss/pubconf/known_hosts again.
>
>> On 01/14/2014 05:43 AM, Jan Cholasta wrote:
>>> On 13.1.2014 22:18, Jakub Hrozek wrote:
>>>> On Mon, Jan 13, 2014 at 02:44:29PM -0500, Bret Wortman wrote:
>>>>> They're definitely different. I deleted the one in the file, then tried again. It put the bad key back in the file. I blew the whole file away and the same thing happened. Where is this key coming from if not from IPA?
>>>>
>>>> Can you try running sss_ssh_knownhostsproxy manually to see what key it returns? The keys are propagated to the file from the sssd database. If the client was offline, the client could use stale records. Can you verify the client has no connectivity issues? Honza (CC-ed) might have some more hints.
>>>
>>> Compare the public key in /etc/ssh/ssh_host_rsa_key.pub on the host with the public key for that host in IPA. If they do not match, the host key was changed after IPA client was installed and the host record in IPA must be manually updated with the new key.
>>>
>>> Honza
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
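
The comparison discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA or SSSD code: it derives the colon-separated MD5 fingerprint from a host's public key line and checks it against every cached known_hosts entry for that host. The function names, the host name `host.example.test` and the key material are assumptions constructed for illustration; hashed known_hosts names are not handled.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field, as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

def blob_from(key_type: str, b64: str) -> bytes:
    """Decode the base64 key field and check it really is a key_type blob."""
    blob = base64.b64decode(b64, validate=True)
    if not blob.startswith(ssh_string(key_type.encode())):
        raise ValueError("key type label does not match key blob")
    return blob

def md5_fp(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format quoted in the thread."""
    digest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fp(blob: bytes) -> str:
    """SHA256 fingerprint in the unpadded-base64 form newer ssh prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def check_known_hosts(pub_line: str, known_hosts: str, host: str):
    """Return the host key's MD5 fingerprint and, for each cached entry that
    names host with the same key type, (fingerprint, matches_host_key)."""
    key_type, b64 = pub_line.split()[:2]
    want = md5_fp(blob_from(key_type, b64))
    results = []
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments and @marker lines; hashed names are not handled.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if host in fields[0].split(",") and fields[1] == key_type:
            got = md5_fp(blob_from(fields[1], fields[2]))
            results.append((got, got == want))
    return want, results

def constructed_rsa_line(seed: bytes) -> str:
    """Constructed sample data: an ssh-rsa shaped blob, not a usable key."""
    n = b"\x00" + hashlib.sha256(seed).digest() * 8
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

HOST_PUB = constructed_rsa_line(b"current") + " root@host.example.test"
KNOWN_HOSTS = ("host.example.test " + constructed_rsa_line(b"stale") + "\n"
               "host.example.test,192.0.2.10 " + constructed_rsa_line(b"current") + "\n")
```

An entry reported as `False` is a cached key that no longer matches the key the host presents, which is the stale-record case raised in the thread.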
