Red Hat Bugzilla – Bug 1137012
[PATCH] sss_cache flush ssh host keys.
Last modified: 2015-03-05 05:33:34 EST
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2358 When you rebuild a host in a freeipa environment, the SSH key is regenerated and reuploaded to freeipa. However, this is cached in sssd on a workstation and is placed into known_hosts: It essentially means you are locked out of any host that you have rebuilt or rolled the ssh key on. This patch (Discussed on the mailing list) corrects this behaviour, and allows an ssh host key to be expired and not inserted into the known hosts.
* master: 3ac7c4fe618ede980a4df8d90341ef1fd0f1f62f
1. After enrolling the ipa-client to ipa-server for the first time: ssh admin@<client> $ copy /var/lib/sss/pubconf/known_hosts to /var/lib/sss/pubconf/known_hosts_old 2. Now uninstall the client "ipa-client-install --uninstall -U" 3. Generate new ssh keys on the client # ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key already exists. Overwrite (y/n)? y Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /etc/ssh/ssh_host_rsa_key. Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub. 4. Re-install ipa client 5. ssh to the client and check if /var/lib/sss/pubconf/known_hosts is updated. ssh admin@<client> $ # diff /var/lib/sss/pubconf/known_hosts_old /var/lib/sss/pubconf/known_hosts 1,3c1,3 ... ... <output removed so as not to display the keys> echo $? # 1
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0441.html