Red Hat Bugzilla – Bug 801719
"Error looking up public keys" while ssh to replica using IP address.
Last modified: 2015-02-04 17:49:35 EST
Upstream ticket: https://fedorahosted.org/sssd/ticket/1245
Just a small clarification, this is a full output of ssh connection with hostname and host ip:

# ssh fbar@vm-138.idm.lab.bos.redhat.com
fbar@vm-138.idm.lab.bos.redhat.com's password:
Last login: Fri Mar 9 09:19:11 2012 from vm-068.idm.lab.bos.redhat.com

# ssh fbar@10.16.78.138
Error looking up public keys
The authenticity of host '10.16.78.138 (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is f4:f6:c8:45:23:7a:44:65:20:01:51:79:27:34:ad:33.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.16.78.138' (RSA) to the list of known hosts.
fbar@10.16.78.138's password:
Last login: Fri Mar 9 09:20:13 2012 from vm-068.idm.lab.bos.redhat.com
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Reverse DNS lookup was not done to get the FQDN of a host specified by IP address.
Consequence: SSH host public key lookup was incorrectly attempted with the textual IP address as FQDN.
Fix: Do reverse DNS lookup to get the FQDN of the host before the SSH host public key lookup.
Result: SSH host public key lookup is done correctly with FQDN of the host.
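The fix described in the technical note, sketched in C as an added example (this is not SSSD's code): an IP literal is mapped to its FQDN by reverse lookup before any host key lookup, and a failed reverse lookup yields no name rather than the address text. The names key_lookup_name, rdns_fn, rdns_system and rdns_sample are hypothetical; rdns_sample is a constructed one-entry table built from the ipareplica A record shown in this report so the code runs offline.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Reverse-resolver hook so the logic can run offline (hypothetical name). */
typedef int (*rdns_fn)(const struct sockaddr *, socklen_t, char *, size_t);

/* System resolver: NI_NAMEREQD fails instead of echoing the address as text. */
int rdns_system(const struct sockaddr *sa, socklen_t len, char *out, size_t n)
{
    return getnameinfo(sa, len, out, (socklen_t)n, NULL, 0, NI_NAMEREQD);
}

/* Constructed stand-in for a PTR zone: one entry, taken from the A record
 * shown for ipareplica in the report. */
int rdns_sample(const struct sockaddr *sa, socklen_t len, char *out, size_t n)
{
    char ip[INET_ADDRSTRLEN] = "";
    (void)len;
    if (sa->sa_family == AF_INET)
        inet_ntop(AF_INET, &((const struct sockaddr_in *)sa)->sin_addr, ip, sizeof ip);
    if (strcmp(ip, "10.65.201.159") != 0)
        return EAI_NONAME;
    snprintf(out, n, "ipareplica.testrelm.com");
    return 0;
}

/* Name to use for the host-key lookup: 0 = host was already a name,
 * 1 = IP literal mapped to its FQDN, -1 = IP literal with no PTR name
 * (out is emptied so the address text is never used as an FQDN). */
int key_lookup_name(const char *host, rdns_fn rdns, char *out, size_t n)
{
    struct sockaddr_in v4 = { .sin_family = AF_INET };
    struct sockaddr_in6 v6 = { .sin6_family = AF_INET6 };

    if (inet_pton(AF_INET, host, &v4.sin_addr) == 1) {
        if (rdns((const struct sockaddr *)&v4, sizeof v4, out, n) == 0) return 1;
    } else if (inet_pton(AF_INET6, host, &v6.sin6_addr) == 1) {
        if (rdns((const struct sockaddr *)&v6, sizeof v6, out, n) == 0) return 1;
    } else {
        snprintf(out, n, "%s", host);   /* not an address: keep the name */
        return 0;
    }
    out[0] = '\0';
    return -1;
}
```

Passing rdns_system instead of rdns_sample performs the real PTR query through the system resolver.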
Deleted Technical Notes Contents.

Old Contents:
Cause: Reverse DNS lookup was not done to get the FQDN of a host specified by IP address.
Consequence: SSH host public key lookup was incorrectly attempted with the textual IP address as FQDN.
Fix: Do reverse DNS lookup to get the FQDN of the host before the SSH host public key lookup.
Result: SSH host public key lookup is done correctly with FQDN of the host.
sssd-version:
============
[root@ipareplica ~]# rpm -q sssd
sssd-1.8.0-25.el6.x86_64
[root@ipareplica ~]#

Now I see error message "Error looking up public keys" when I do ssh to replica even with hostnames

[root@ipa63server ~]# ipa dnsrecord-show testrelm.com ipa63server
  Record name: ipa63server
  A record: 10.65.201.141
  SSHFP record: 2 1 56589F9B48400243165B37E43634E0F2DA4F4A8F, 1 1 798DCDB5A89F18007EF0ECEDF21FBD32F907178A
[root@ipa63server ~]#
[root@ipa63server ~]# ipa dnsrecord-show testrelm.com ipareplica
  Record name: ipareplica
  A record: 10.65.201.159
  SSHFP record: 2 1 B1678B617E211E15F4D5473649BE8E796223E7F8, 1 1 87B8DDAD108C76E60553E6E8148F26F1423FE37B
[root@ipa63server ~]#
[root@ipa63server ~]# ssh tuser1@ipareplica.testrelm.com
Error looking up public keys
tuser1@ipareplica.testrelm.com's password:
*** Bug 817406 has been marked as a duplicate of this bug. ***
*** Bug 813884 has been marked as a duplicate of this bug. ***
xdong verifying
ipa version: ipa-server-3.0.0-8.el6.x86_64

how to verify:
1. Install ipa-server with dns
2. Install ipa-server replica
3. [root@qe-blade-06 ~]# ipa dnsrecord-find testrelm.com cloud-qe-15
  Record name: @
  NS record: qe-blade-06.testrelm.com., cloud-qe-15.testrelm.com.
  ...
  Record name: cloud-qe-15
  A record: 10.16.96.100
  SSHFP record: 1 1 CE10E5106B57DE6BB932A9ADA87506BF802D39C4, 2 1 327D54350858DA03F927009E97A394B81022EA49
-----------------------------
Number of entries returned 10
4. [root@qe-blade-06 ~]# ssh cloud-qe-15.testrelm.com
[root@cloud-qe-15 ~]#
5. [root@qe-blade-06 ~]# ssh 10.16.96.100
[root@cloud-qe-15 ~]#

no error "looking up public keys " showed up while ssh to replica using IP address
verified
I'm seeing the same "Error looking up public keys" issues when sshing from a rhel 6.3 host which has been configured with "ipa-client-install --mkhomedir --configure-ssh --configure-sshd" to a rhel 5 host which doesn't support the ssh configuration and hence when configuring a RHEL-5 ipa client it doesn't register the ssh keys in DNS as part of the ipa client configuration process.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0508.html