Thanks Rob. It was this which suggested to me that the re-enrolment itself would result in new host keys being generated:
> A new certificate, ssh keys are generated, ipaUniqueID stays the same.
from https://www.freeipa.org/page/V3/Forced_client_re-enrollment

However I've confirmed that actually it is simply cloud-init which is creating new keys on reimaging the instance; if you rewrite the host keys back to what they were before the reimage then re-enrol using ipa-client-install --keytab, the host's keys remain as they were.

Thanks for making me check my assumptions!

Steve

Please note I work Tuesday to Friday.
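The workflow described above (save the host keys from the image, put them back after the reimage, confirm they are unchanged, and only then run `ipa-client-install --keytab`) as an added POSIX shell example; it is not code from this thread or from the FreeIPA project. Function names, the scratch-directory walk-through and the placeholder key contents are constructed for illustration; on a real host the directory argument would be `/etc/ssh` and the final enrolment command is not executed by the script.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): snapshot SSH host-key
# digests before a reimage, restore the keys afterwards, and prove they are
# identical before re-enrolling the client with ipa-client-install --keytab.
set -eu

# Print "sha256 basename" for every host key (private and public) in $1,
# sorted so two directories can be compared textually.
hostkey_digest() {
    for f in "$1"/ssh_host_*_key "$1"/ssh_host_*_key.pub; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "$(basename "$f")"
    done | sort
}

# Copy the host keys from $1 into $2, preserving mode and timestamps.
backup_hostkeys() {
    mkdir -p "$2"
    cp -p "$1"/ssh_host_*_key "$1"/ssh_host_*_key.pub "$2"/
}

# Copy the saved keys from $1 back into $2; private keys must stay 0600 or
# sshd will refuse to load them.
restore_hostkeys() {
    cp -p "$1"/ssh_host_*_key "$1"/ssh_host_*_key.pub "$2"/
    chmod 600 "$2"/ssh_host_*_key
}

# Exit 0 when the key sets in $1 and $2 have identical digests, 1 otherwise.
hostkeys_unchanged() {
    [ "$(hostkey_digest "$1")" = "$(hostkey_digest "$2")" ]
}

# Walk-through of the scenario in a scratch directory. The key files are
# constructed placeholders, not real key material.
demo() {
    work=$(mktemp -d)
    mkdir "$work/etc_ssh" "$work/backup"
    printf 'PLACEHOLDER-ED25519-PRIVATE\n' > "$work/etc_ssh/ssh_host_ed25519_key"
    printf 'ssh-ed25519 PLACEHOLDER-PUB host\n' > "$work/etc_ssh/ssh_host_ed25519_key.pub"
    chmod 600 "$work/etc_ssh/ssh_host_ed25519_key"

    # Before the reimage: keep a copy and record the digests.
    backup_hostkeys "$work/etc_ssh" "$work/backup"
    before=$(hostkey_digest "$work/etc_ssh")

    # Simulate cloud-init generating fresh keys on the reimaged instance's
    # first boot; the digests no longer match the saved copy.
    printf 'REGENERATED-PRIVATE\n' > "$work/etc_ssh/ssh_host_ed25519_key"
    printf 'ssh-ed25519 REGENERATED-PUB host\n' > "$work/etc_ssh/ssh_host_ed25519_key.pub"
    if hostkeys_unchanged "$work/backup" "$work/etc_ssh"; then
        echo "expected regenerated keys to differ" >&2
        rm -rf "$work"
        return 1
    fi

    # Put the original keys back and re-check before enrolling.
    restore_hostkeys "$work/backup" "$work/etc_ssh"
    hostkeys_unchanged "$work/backup" "$work/etc_ssh" || { rm -rf "$work"; return 1; }
    [ "$(hostkey_digest "$work/etc_ssh")" = "$before" ] || { rm -rf "$work"; return 1; }

    # Only at this point would one run, on the real host:
    #   ipa-client-install --keytab /path/to/saved/host.keytab
    rm -rf "$work"
    echo "host keys unchanged across reimage; safe to re-enrol"
}

demo
```

On a real instance the calls are `backup_hostkeys /etc/ssh /some/persistent/path` before the reimage and `restore_hostkeys /some/persistent/path /etc/ssh` afterwards (followed by an sshd restart), with `hostkeys_unchanged` as the gate before re-enrolment. Since the thread traces the regeneration to cloud-init rather than to `ipa-client-install`, the complementary control is cloud-init's own `ssh_deletekeys` setting, which governs whether the image's host keys are removed on first boot; the digest comparison is a useful check whichever approach is taken.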


On Fri, 27 Jan 2023 at 16:35, Rob Crittenden <rcritten@redhat.com> wrote:
Steve Brasier via FreeIPA-users wrote:
> Hi. I'm looking at using `ipa-client-install --keytab` to re-enrol a VM after reimaging. However this changes the host's ssh keys, which is undesirable in this case.
>
> Is there a "smart" way of preventing that? Or is this comment from 10 years ago the correct way to reset it: https://pagure.io/freeipa/issue/2655#comment-320195

Can you be a bit more specific? Does the static image already have ssh
keys? If they are the same what's the issue re-updating an existing entry?

I don't believe ipa-client-install is generating ssh keys (at least not
on purpose) so I'd check to see if that is happening elsewhere, e.g.
ensure they are right, then install the client, verify.

rob