Bug 801719

Summary: "Error looking up public keys" while ssh to replica using IP address.
Product: Red Hat Enterprise Linux 6
Reporter: Martin Kosek <mkosek>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Priority: high
Version: 6.3
CC: dpal, grajaiya, jcholast, jgalipea, ksiddiqu, mkosek, nsoman, perobins, prc, spoore, xdong
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.8.0-17.el6
Doc Type: Bug Fix
Doc Text:
Cause: Reverse DNS lookup was not done to get the FQDN of a host specified by IP address. Consequence: SSH host public key lookup was incorrectly attempted with the textual IP address as FQDN. Fix: Do reverse DNS lookup to get the FQDN of the host before the SSH host public key lookup. Result: SSH host public key lookup is done correctly with FQDN of the host.
Clone Of: 801410
Last Closed: 2013-02-21 09:21:46 UTC
Bug Depends On: 801410
Bug Blocks: 817406
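
The fix described in the Doc Text, sketched as an added example (not sssd's code and not part of the original report): an IP literal is mapped to its FQDN by reverse DNS before the key lookup. The forward-confirmation step, the function names and the sample PTR/A/key data are assumptions of this sketch; only the host name and address come from Comment 18.

```python
import ipaddress
import socket

# Constructed sample data; the host name and address are the ones in Comment 18.
SAMPLE_PTR = {"10.16.96.100": "cloud-qe-15.testrelm.com.",
              "10.16.96.200": "cloud-qe-15.testrelm.com."}  # PTR with no matching A
SAMPLE_A = {"cloud-qe-15.testrelm.com": {"10.16.96.100"}}
SAMPLE_KEYS = {"cloud-qe-15.testrelm.com": ["ssh-rsa AAAA...constructed"]}

def system_reverse(ip):
    """PTR lookup through the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Set of addresses the name resolves to; empty on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def lookup_name(host, reverse=system_reverse, forward=system_forward):
    """Return the FQDN to use as the key-lookup name, or None."""
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        return host.rstrip(".").lower()      # already a host name
    fqdn = reverse(ip)
    if not fqdn:
        return None                          # no PTR record: nothing to look up
    fqdn = fqdn.rstrip(".").lower()
    # Added check, not described in the bug: the name must resolve back to the IP.
    return fqdn if ip in forward(fqdn) else None

def find_host_keys(host, keys, reverse=system_reverse, forward=system_forward):
    """Look up host keys by FQDN, whatever form the user typed the host in."""
    name = lookup_name(host, reverse, forward)
    return keys.get(name, []) if name else []

if __name__ == "__main__":
    rev, fwd = SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, set())
    print(SAMPLE_KEYS.get("10.16.96.100"))   # pre-fix behaviour: IP text used as the name
    print(find_host_keys("10.16.96.100", SAMPLE_KEYS, rev, fwd))
    print(find_host_keys("10.16.96.200", SAMPLE_KEYS, rev, fwd))
```

Returning no keys when the PTR name does not resolve back to the address leaves the client on its normal unknown-host prompt instead of trusting a name that only the reverse zone vouches for.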

Comment 2 Stephen Gallagher 2012-03-09 12:51:46 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1245

Comment 3 Martin Kosek 2012-03-09 14:31:41 UTC
Just a small clarification, this is a full output of ssh connection with hostname and host ip:


# ssh fbar.lab.bos.redhat.com
fbar.lab.bos.redhat.com's password: 
Last login: Fri Mar  9 09:19:11 2012 from vm-068.idm.lab.bos.redhat.com

# ssh fbar.78.138
Error looking up public keys
The authenticity of host '10.16.78.138 (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is f4:f6:c8:45:23:7a:44:65:20:01:51:79:27:34:ad:33.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.16.78.138' (RSA) to the list of known hosts.
fbar.78.138's password: 
Last login: Fri Mar  9 09:20:13 2012 from vm-068.idm.lab.bos.redhat.com

Comment 5 Jan Cholasta 2012-03-30 10:53:53 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause:
Reverse DNS lookup was not done to get the FQDN of a host specified by IP address.

Consequence:
SSH host public key lookup was incorrectly attempted with the textual IP address as FQDN.

Fix:
Do reverse DNS lookup to get the FQDN of the host before the SSH host public key lookup.

Result:
SSH host public key lookup is done correctly with FQDN of the host.

Comment 8 Dmitri Pal 2012-04-29 20:12:38 UTC
Deleted Technical Notes Contents.


Comment 10 Stephen Gallagher 2012-04-30 18:02:26 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    

Comment 11 Kaleem 2012-05-15 13:39:38 UTC
sssd-version:
============
[root@ipareplica ~]# rpm -q sssd
sssd-1.8.0-25.el6.x86_64
[root@ipareplica ~]#

Now I see the error message "Error looking up public keys" when I ssh to the replica, even with hostnames.

[root@ipa63server ~]# ipa dnsrecord-show testrelm.com ipa63server
  Record name: ipa63server
  A record: 10.65.201.141
  SSHFP record: 2 1 56589F9B48400243165B37E43634E0F2DA4F4A8F, 1 1 798DCDB5A89F18007EF0ECEDF21FBD32F907178A
[root@ipa63server ~]# 

[root@ipa63server ~]# ipa dnsrecord-show testrelm.com ipareplica
  Record name: ipareplica
  A record: 10.65.201.159
  SSHFP record: 2 1 B1678B617E211E15F4D5473649BE8E796223E7F8, 1 1 87B8DDAD108C76E60553E6E8148F26F1423FE37B
[root@ipa63server ~]# 

[root@ipa63server ~]# ssh tuser1.com
Error looking up public keys
tuser1.com's password:

Comment 13 Jenny Severance 2012-06-13 20:59:45 UTC
*** Bug 817406 has been marked as a duplicate of this bug. ***

Comment 14 Jenny Severance 2012-06-14 17:13:35 UTC
*** Bug 813884 has been marked as a duplicate of this bug. ***

Comment 17 Namita Soman 2012-11-28 19:52:28 UTC
xdong verifying

Comment 18 Xiyang Dong 2012-11-29 18:58:17 UTC
ipa version:

ipa-server-3.0.0-8.el6.x86_64

how to verify:
1. Install ipa-server with dns
2. Install ipa-server replica
3. [root@qe-blade-06 ~]# ipa dnsrecord-find testrelm.com cloud-qe-15
  Record name: @
  NS record: qe-blade-06.testrelm.com., cloud-qe-15.testrelm.com.

...

  Record name: cloud-qe-15
  A record: 10.16.96.100
  SSHFP record: 1 1 CE10E5106B57DE6BB932A9ADA87506BF802D39C4, 2 1
                327D54350858DA03F927009E97A394B81022EA49
-----------------------------
Number of entries returned 10


4. [root@qe-blade-06 ~]# ssh cloud-qe-15.testrelm.com

[root@cloud-qe-15 ~]# 

5. [root@qe-blade-06 ~]# ssh 10.16.96.100

[root@cloud-qe-15 ~]# 
  
No "Error looking up public keys" error showed up while sshing to the replica using the IP address.

Comment 19 Xiyang Dong 2012-11-29 18:59:56 UTC
verified

Comment 20 Peter Robinson 2013-01-10 11:40:34 UTC
I'm seeing the same "Error looking up public keys" issues when sshing from a rhel 6.3 host which has been configured with "ipa-client-install --mkhomedir --configure-ssh --configure-sshd" to a rhel 5 host which doesn't support the ssh configuration and hence when configuring a RHEL-5 ipa client it doesn't register the ssh keys in DNS as part of the ipa client configuration process.

Comment 21 errata-xmlrpc 2013-02-21 09:21:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html