1009024 – SSH key upload broken when client joins an older server

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1009024 - SSH key upload broken when client joins an older server

Summary: SSH key upload broken when client joins an older server

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kosek
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-09-17 14:05 UTC by Martin Kosek
Modified:	2014-06-18 00:11 UTC (History)
CC List:	3 users (show)
Fixed In Version:	ipa-3.3.2-1.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 10:32:27 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Martin Kosek 2013-09-17 14:05:09 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3931

As `ipa-client-install` is using API host-mod command to modify host and add SSH keys, it always fails to add the key if the client is of a newer version than the server (which will be a very common scenario given that server should be more stable than most of the clients):

{{{
# ipa-client-install -p admin -w Secret123 --mkhomedir --enable-dns-updates --force-join --force-ntpd
Discovery was successful!
Hostname: vm-052.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: vm-086.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Mon Sep 09 06:56:05 2013 UTC
    Valid Until: Fri Sep 09 06:56:05 2033 UTC

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
DNS server record set to: vm-052.example.com -> 10.16.78.52

Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
host_mod: 2.65 client incompatible with 2.49 server at u'https://vm-086.example.com/ipa/xml'

Failed to upload host SSH public keys.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
}}}

We should do just an LDAP modify operation instead.

Comment 1 Petr Viktorin (pviktori) 2013-10-04 13:37:55 UTC

Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/5824a0e14e73f8d13a93ccccf1b5213488ff9eaa
ipa-3-3: https://fedorahosted.org/freeipa/changeset/96ab7002ac2acfc129dd73f1fc9b023a6fbf3723

Comment 3 Xiyang Dong 2014-01-29 13:40:16 UTC

Verified on :
ipa-server-3.0.0-25.el6.x86_64
ipa-client-3.3.3-10.el7.x86_64

[root@70client ~]# ipa-client-install -p admin -w Secret123 --mkhomedir --enable-dns-updates --force-join --force-ntpd
Discovery was successful!
Hostname: 70client.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: 64master.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.COM
    Issuer:      CN=Certificate Authority,O=TESTRELM.COM
    Valid From:  Wed Jan 29 01:46:45 2014 UTC
    Valid Until: Sun Jan 29 01:46:45 2034 UTC

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
Hostname (70client.testrelm.com) not found in DNS
DNS server record set to: 70client.testrelm.com -> 10.16.185.22
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

Comment 4 Ludek Smid 2014-06-13 10:32:27 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.