On Mon, Sep 14, 2020 at 07:31:25PM -0000, Andrew Meyer via FreeIPA-users wrote:
I just ran sss_cache -H and that didn't fix it. Still getting
this:
[andrew.meyer@jump01 ~]$ ssh ameyer@10.150.10.130
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:eKvyhTmq6m3zlrJY8b+wVEPhaN5V2VE9vGiGmdrh18E.
Please contact your system administrator.
Add correct host key in /home/andrew.meyer/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /var/lib/sss/pubconf/known_hosts:6
ECDSA host key for 10.150.10.130 has changed and you have requested strict checking.
Host key verification failed.

Hi,
you can inspect the cache file with the ldbsearch utility from the
ldb-tools package:
ldbsearch -H /var/lib/sss/db/cache_YOUR.DOMAIN.ldb
to see if the key is still somewhere stored in the cache.
Calling 'sss_cache' will only reset the lifetime of the cache entry
which would cause the backend to refresh the entry or delete it, if it
is not present on the server anymore. If the entry is not removed it
might be because SSSD is offline, i.e. it cannot connect to the server,
or that the entry still exists on the server or there is some issue
which prevents SSSD from removing the cached entry. To debug this you can
add 'debug_level = 9' to the [domain/...] section of sssd.conf, restart
SSSD, call 'sss_cache -H', try ssh again and then inspect
/var/log/sssd/sssd_YOUR.DOMAIN.log.
HTH
bye,
Sumit
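
Added example, not part of the original thread or of SSSD: a small Python check that computes the OpenSSH SHA256 fingerprint of every entry for a host in a known_hosts-format file (such as /var/lib/sss/pubconf/known_hosts from the warning above) and compares it with the fingerprint the host sent. The function names, host names and keys are constructed for illustration; only exact, plain-text host names are matched.

```python
import base64, hashlib, struct

def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def entries_for_host(known_hosts_text, host):
    """Yield (line_no, key_type, fingerprint) for plain entries that name host."""
    for no, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|1|")):
            continue  # comments, marker lines and hashed names are out of scope here
        if host in fields[0].split(","):
            yield no, fields[1], fingerprint(fields[2])

def compare(known_hosts_text, host, offered_fp):
    """Split the host's cached entries into those matching the offered key and stale ones."""
    found = list(entries_for_host(known_hosts_text, host))
    return {"match": [e for e in found if e[2] == offered_fp],
            "stale": [e for e in found if e[2] != offered_fp]}

def _sample_key(key_type, seed):
    """Constructed blob (not a real key): SSH string(key_type) + string(32 bytes)."""
    parts = [key_type.encode(), bytes([seed]) * 32]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(blob).decode()

# Constructed sample data: host names, address and keys are made up.
OLD_KEY = _sample_key("ssh-ed25519", 1)   # what the cache still holds
NEW_KEY = _sample_key("ssh-ed25519", 2)   # what the host presents now
SAMPLE = "\n".join([
    "# constructed sample",
    f"other.example.test ssh-ed25519 {_sample_key('ssh-ed25519', 3)}",
    f"host.example.test,192.0.2.10 ssh-ed25519 {OLD_KEY}",
])

if __name__ == "__main__":
    result = compare(SAMPLE, "192.0.2.10", fingerprint(NEW_KEY))
    for no, ktype, fp in result["stale"]:
        print(f"line {no}: cached {ktype} {fp} differs from the key the host sent")
    if not result["match"]:
        print("no cached key matches the offered fingerprint")
```

To use it on a real system, pass the contents of the known_hosts file and the fingerprint printed in the ssh warning; confirm that fingerprint against the host itself over a trusted channel before treating a mismatch as a stale cache entry.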