Bug 801719 - "Error looking up public keys" while ssh to replica using IP address.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.3
Priority: high
Severity: unspecified
Target Milestone: rc
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Duplicates: 813884 817406
Depends On: 801410
Blocks: 817406
Reported: 2012-03-09 04:21 EST by Martin Kosek
Modified: 2015-02-04 17:49 EST

Fixed In Version: sssd-1.8.0-17.el6
Doc Type: Bug Fix
Doc Text:
Cause: Reverse DNS lookup was not done to get the FQDN of a host specified by IP address. Consequence: SSH host public key lookup was incorrectly attempted with the textual IP address as FQDN. Fix: Do reverse DNS lookup to get the FQDN of the host before the SSH host public key lookup. Result: SSH host public key lookup is done correctly with FQDN of the host.
Clone Of: 801410
Last Closed: 2013-02-21 04:21:46 EST
Comment 2 Stephen Gallagher 2012-03-09 07:51:46 EST
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1245
Comment 3 Martin Kosek 2012-03-09 09:31:41 EST
Just a small clarification, this is a full output of ssh connection with hostname and host ip:


# ssh fbar@vm-138.idm.lab.bos.redhat.com
fbar@vm-138.idm.lab.bos.redhat.com's password: 
Last login: Fri Mar  9 09:19:11 2012 from vm-068.idm.lab.bos.redhat.com

# ssh fbar@10.16.78.138
Error looking up public keys
The authenticity of host '10.16.78.138 (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is f4:f6:c8:45:23:7a:44:65:20:01:51:79:27:34:ad:33.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.16.78.138' (RSA) to the list of known hosts.
fbar@10.16.78.138's password: 
Last login: Fri Mar  9 09:20:13 2012 from vm-068.idm.lab.bos.redhat.com
Comment 5 Jan Cholasta 2012-03-30 06:53:53 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause:
Reverse DNS lookup was not done to get the FQDN of a host specified by IP address.

Consequence:
SSH host public key lookup was incorrectly attempted with the textual IP address as FQDN.

Fix:
Do reverse DNS lookup to get the FQDN of the host before the SSH host public key lookup.

Result:
SSH host public key lookup is done correctly with FQDN of the host.
Comment 8 Dmitri Pal 2012-04-29 16:12:38 EDT
Deleted Technical Notes Contents.

Old Contents:
Cause:
Reverse DNS lookup was not done to get the FQDN of a host specified by IP address.

Consequence:
SSH host public key lookup was incorrectly attempted with the textual IP address as FQDN.

Fix:
Do reverse DNS lookup to get the FQDN of the host before the SSH host public key lookup.

Result:
SSH host public key lookup is done correctly with FQDN of the host.
Comment 10 Stephen Gallagher 2012-04-30 14:02:26 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause:
Reverse DNS lookup was not done to get the FQDN of a host specified by IP
address.

Consequence:
SSH host public key lookup was incorrectly attempted with the textual IP
address as FQDN.

Fix:
Do reverse DNS lookup to get the FQDN of the host before the SSH host public
key lookup.

Result:
SSH host public key lookup is done correctly with FQDN of the host.
Comment 11 Kaleem 2012-05-15 09:39:38 EDT
sssd-version:
============
[root@ipareplica ~]# rpm -q sssd
sssd-1.8.0-25.el6.x86_64
[root@ipareplica ~]#

Now I see error message "Error looking up public keys" when I do ssh to replica even with hostnames

[root@ipa63server ~]# ipa dnsrecord-show testrelm.com ipa63server
  Record name: ipa63server
  A record: 10.65.201.141
  SSHFP record: 2 1 56589F9B48400243165B37E43634E0F2DA4F4A8F, 1 1 798DCDB5A89F18007EF0ECEDF21FBD32F907178A
[root@ipa63server ~]# 

[root@ipa63server ~]# ipa dnsrecord-show testrelm.com ipareplica
  Record name: ipareplica
  A record: 10.65.201.159
  SSHFP record: 2 1 B1678B617E211E15F4D5473649BE8E796223E7F8, 1 1 87B8DDAD108C76E60553E6E8148F26F1423FE37B
[root@ipa63server ~]# 

[root@ipa63server ~]# ssh tuser1@ipareplica.testrelm.com
Error looking up public keys
tuser1@ipareplica.testrelm.com's password:
Comment 13 Jenny Galipeau 2012-06-13 16:59:45 EDT
*** Bug 817406 has been marked as a duplicate of this bug. ***
Comment 14 Jenny Galipeau 2012-06-14 13:13:35 EDT
*** Bug 813884 has been marked as a duplicate of this bug. ***
Comment 17 Namita Soman 2012-11-28 14:52:28 EST
xdong verifying
Comment 18 Xiyang Dong 2012-11-29 13:58:17 EST
ipa version:

ipa-server-3.0.0-8.el6.x86_64

how to verify:
1. Install ipa-server with dns
2. Install ipa-server replica
3. [root@qe-blade-06 ~]# ipa dnsrecord-find testrelm.com cloud-qe-15
  Record name: @
  NS record: qe-blade-06.testrelm.com., cloud-qe-15.testrelm.com.

...

  Record name: cloud-qe-15
  A record: 10.16.96.100
  SSHFP record: 1 1 CE10E5106B57DE6BB932A9ADA87506BF802D39C4, 2 1
                327D54350858DA03F927009E97A394B81022EA49
-----------------------------
Number of entries returned 10


4. [root@qe-blade-06 ~]# ssh cloud-qe-15.testrelm.com

[root@cloud-qe-15 ~]# 

5. [root@qe-blade-06 ~]# ssh 10.16.96.100

[root@cloud-qe-15 ~]# 
  
No error "looking up public keys" showed up while ssh to replica using IP address
Comment 19 Xiyang Dong 2012-11-29 13:59:56 EST
verified
Comment 20 Peter Robinson 2013-01-10 06:40:34 EST
I'm seeing the same "Error looking up public keys" issues when sshing from a rhel 6.3 host which has been configured with "ipa-client-install --mkhomedir --configure-ssh --configure-sshd" to a rhel 5 host which doesn't support the ssh configuration and hence when configuring a RHEL-5 ipa client it doesn't register the ssh keys in DNS as part of the ipa client configuration process.
Comment 21 errata-xmlrpc 2013-02-21 04:21:46 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
