On Wed, Apr 13, 2022 at 11:50 AM lejeczek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:


On 12/04/2022 18:39, Rob Crittenden wrote:
> lejeczek via FreeIPA-users wrote:
>>
>> On 12/04/2022 11:21, Florence Blanc-Renaud wrote:
>>> Hi,
>>>
>>> if you already have ssh public keys in /etc/ssh/ssh_host_*.pub, you
>>> can do
>>> # ipa host-mod --updatedns --sshpubkey "*ssh-rsa AAAAB3NzaC...*"
>>> client.ipa.test
>>> (where the bold text is the content of your .pub file).
>>>
>>> Then in order to check what was done:
>>> # ipa dnsrecord-show ipa.test client
>>> Record name: client
>>>    A record: 10.0.147.130
>>>    SSHFP record: 1 1 2D9747370DF5CEDDE66AC4DC354076326F466A0A, 1 2
>>> 0B1FB068265381BE51CEA14D315C3A2647E98BC9672B0640045C9D5131BA404C
>>>
>>> You can check that they correspond using
>>> # ssh-keygen -r client.ipa.test -f /etc/ssh/ssh_host_rsa_key.pub
>>> client.ipa.test IN SSHFP 1 1 2d9747370df5cedde66ac4dc354076326f466a0a
>>> client.ipa.test IN SSHFP 1 2
>>> 0b1fb068265381be51cea14d315c3a2647e98bc9672b0640045c9d5131ba404c
>>>
>>> The fingerprints are also visible using
>>> # ipa host-show client.ipa.test
>>> ...
>>> SSH public key fingerprint: SHA256:Cx...
>>>
>>> and can be checked using
>>> # ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
>>> 3072 SHA256:Cx...
>>>
>>> Does it help?
>>> flo
>>>
>>> On Mon, Apr 11, 2022 at 9:20 PM lejeczek via FreeIPA-users
>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>
>>>      Hi guys.
>>>
>>>      What is the correct way to update/modify server's
>>>      sshfp records?
>>>
>>>      I assumed those are in: /etc/ssh/ssh_host_*.pub
>>>      and I should use 'host-mod --updatedns ..'
>>>      but then such records do not look like what IPA
>>>      had/created.
>>>
>>>      many thanks, L
>>>
>> I've probably phrased poorly what I wanted to say.
>> I did that, as I said I did: 'host-mod --updatedns ..' and...
>> just after this I did: 'ipa host-show'
>> which showed also "ssh public key (FP separately as usually) records"
>> which puzzled me a bit as, those were not there for/from "regular"
>> client/replica install (including this host prior to manual update),
>> but...!
>> now those "ssh public key" records 'ipa host-show' does not show
>> anymore... now I begin to worry, or.. it's how IPA "behaves"?
> I think it would help if you showed us what you are seeing, the exact
> commands, and what the output looks like vs what you expect.
>
When I do:

-> $ ipa host-mod drunk.in.ccn --updatedns
--sshpubkey="ssh-ed25519 .."
--sshpubkey="ecdsa-sha2-nistp256 ...=" --sshpubkey="ssh-rsa
..."
------------------------------------
Modified host "drunk.in.ccn"
------------------------------------
   Host name: drunk.in.ccn
   Principal name: host/drunk.in.ccn@IN.CCN
   Principal alias: host/drunk.in.ccn@IN.CCN
   SSH public key: ssh-ed25519 ....AIKv2AOJxFqqpcpe/HR/3hh,
                   ssh-rsa
                   AAAAB3NzaC1....U=,
                   ecdsa-sha2-nistp256
..../TWR/ZoiqV3Ke4Fw3LrtT9b86uqlb8Uc8P8lJe2RV4wvRw=
   SSH public key fingerprint: SHA256:....

IPA, above command prints - which '*-mod' when it does, I'd
think, usually shows that end result as '*-show' would get.
So there are both "SSH public key" & "SSH public key
fingerprint" but '-show' latter gets only the latter -
perhaps it's just how it should be?

ipa *-show commands do not show all the attributes, only the ones that are marked as default attributes for an object. In order to see all the attributes, one can use ipa host-show --all <hostname>.
HTH,
flo
many thanks, L

>> ps. Flo, do the right thing, follow etiquette/lang rules. I'd like to
>> think it's not just conversation between us two. How do you like to read
>> your book? aha! exactly.
> Not sure what you mean. She replied to the list, not just to you.
>
> rob
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
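Florence's check above (compare `ipa dnsrecord-show` against `ssh-keygen -r`, and `ipa host-show`'s SHA256 fingerprint against `ssh-keygen -l`) can be scripted, which is useful when a host has several key types and old SSHFP records may have been left behind after a key rotation. The following is an added example, not part of the thread and not FreeIPA code: it rebuilds SSHFP records from OpenSSH `*.pub` lines (the digests are over the base64-decoded key blob, exactly as `ssh-keygen -r` computes them) and diffs them against an RRset read from DNS. The hostname `client.ipa.test` is reused from Florence's example; the key blobs are constructed dummies, and all function names are mine.

```python
"""Recompute SSHFP records from OpenSSH host public keys and diff them
against what DNS holds.

Added example for this thread; it is not FreeIPA code and the keys below
are constructed dummies (a 32-byte Ed25519 point and a 65-byte P-256 point
made of counter bytes), so their digests mean nothing outside this script.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256 (ssh-keygen -r emits both).
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Parse one line of an OpenSSH *.pub file into (keytype, raw blob).

    The blob's first field repeats the key type; a mismatch with the declared
    type means a mangled or mispasted key, so refuse it instead of hashing it."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    keytype = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != keytype:
        raise ValueError(f"declared type {keytype!r} but blob carries {embedded!r}")
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {keytype!r}")
    return keytype, blob


def sshfp_records(line: str):
    """Return [(algorithm, fptype, hexdigest), ...] for one public key line.
    Both digests are over the raw blob, which is what ssh-keygen -r prints."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_FPTYPE.items()]


def zone_lines(owner: str, line: str):
    """Render the records in the form `ssh-keygen -r <owner>` uses."""
    return [f"{owner} IN SSHFP {alg} {fpt} {hexd}" for alg, fpt, hexd in sshfp_records(line)]


def sha256_fingerprint(line: str) -> str:
    """The SHA256:... fingerprint shown by `ssh-keygen -l` and `ipa host-show`:
    unpadded base64 of SHA-256 over the same blob."""
    _, blob = parse_pubkey_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def verify_against_dns(pubkey_lines, dns_rrset):
    """Diff the records computed from the host's keys against the SSHFP RRset
    read from DNS, given as (algorithm, fptype, hexdigest) tuples.

    Returns (missing, stale): records DNS lacks for a current key, and records
    in DNS matching none of the current keys (typically left behind after a key
    rotation; a client using VerifyHostKeyDNS would still trust them).
    Hex is compared case-insensitively because `ipa dnsrecord-show` prints it
    upper-case while ssh-keygen prints it lower-case."""
    computed = {(a, t, d.lower()) for line in pubkey_lines for a, t, d in sshfp_records(line)}
    present = {(a, t, d.lower()) for a, t, d in dns_rrset}
    return sorted(computed - present), sorted(present - computed)


# --- constructed sample input (not real keys) --------------------------------
ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
ECDSA_BLOB = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
              + ssh_string(b"\x04" + bytes(range(64))))
SAMPLE_ED25519 = "ssh-ed25519 " + base64.b64encode(ED25519_BLOB).decode() + " root@client.ipa.test"
SAMPLE_ECDSA = "ecdsa-sha2-nistp256 " + base64.b64encode(ECDSA_BLOB).decode() + " root@client.ipa.test"

if __name__ == "__main__":
    for key in (SAMPLE_ED25519, SAMPLE_ECDSA):
        print("\n".join(zone_lines("client.ipa.test", key)))
        print(sha256_fingerprint(key))
    # Pretend DNS still carries one SSHFP record from a previous RSA host key.
    rrset = [r for key in (SAMPLE_ED25519, SAMPLE_ECDSA) for r in sshfp_records(key)]
    rrset.append((1, 1, "0" * 40))  # constructed stale record
    print(verify_against_dns([SAMPLE_ED25519, SAMPLE_ECDSA], rrset))
```

In practice you would feed `verify_against_dns` the lines of every `/etc/ssh/ssh_host_*.pub` on the host and the SSHFP tuples from `ipa dnsrecord-show` (or a plain DNS query); anything reported as stale should be removed from the zone, since it still vouches for a key the host no longer has.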