Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

Devuan generate new ssh keys for freeipa host

If a Devuan system is a freeipa client but you cannot ssh -o GSSAPIAuthentication=yes to it, even though all the regular troubleshooting steps check out and the logs show nothing useful, the host's SSH public keys stored in freeipa might be wrong.

Generate new ssh keys for freeipa host

All the steps can be taken on the host in question. As root, make sure you can kinit -k to obtain a Kerberos ticket from the host keytab. If this step doesn't work, you need to go fix that first, which is beyond the scope of this post.

kinit -k


# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/d2-03a.ipa.example.com@IPA.EXAMPLE.COM

Valid starting       Expires              Service principal
12/31/2019 07:25:47  01/01/2020 07:25:47  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.CO

Now, generate new ssh host keys. On Devuan, restarting the daemon is apparently not enough. On CentOS, if you delete the ssh host keys, restarting the daemon will simply generate new ones, which can cause some interesting effects for clients connecting to a host that did so. On Devuan, however, you have to run:

rm -rf /etc/ssh/ssh_host_*_key*
dpkg-reconfigure openssh-server
service ssh restart

Then, with the ticket obtained from kinit -k earlier, it's a piece of cake to modify this host in freeipa to use the new set of ssh public keys:

LC_ALL="" LC_CTYPE="C.UTF-8" ipa host-mod --sshpubkey="$( cat /etc/ssh/ssh_host_rsa_key.pub )" --sshpubkey="$( cat /etc/ssh/ssh_host_ecdsa_key.pub )" --sshpubkey="$( cat /etc/ssh/ssh_host_ed25519_key.pub )" $( hostname -s )


----------------------
Modified host "d2-03a"
----------------------
  Host name: d2-03a.ipa.example.com
  Principal name: host/d2-03a.ipa.example.com@IPA.EXAMPLE.COM
  Principal alias: host/d2-03a.ipa.example.com@IPA.EXAMPLE.COM
  SSH public key: ssh-rsa
                  AAAAB3NzaC1yc4EAAAADAQABAAABg[truncated]
                  root@d2-03a, ecdsa-sha2-nistp256
                  AAAAE@VjZHNhLXNoYTItbmlzdHAyNTYAAAAI[truncated]
                  root@d2-03a, ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBU/CbzrNnMivn5kAiHTU6WSadY/FWPG8qZ3sGleDbHr
                  root@d2-03a
  SSH public key fingerprint: SHA256:tMcJ2uFNmx6K+dF+Gm6WUBO4AvBmGVj9247mvg5LxU4 root@d2-03a (ssh-rsa),
                              SHA256:uJeRc0dkao/DmnQm2hyQUSfeC0HgIZppB2NVyA+BoTA root@d2-03a (ecdsa-sha2-nistp256),
                              SHA256:j+trvcJAQx5PeaJbUJ8xImBDgCJ2U/nW3h5D3m2kTj4 root@d2-03a (ssh-ed25519)
  Password: False
  Keytab: True
  Managed by: d2-03a.ipa.example.com
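The whole procedure above as one script, with a verification step the post does not show: after ipa host-mod it compares the SHA256 fingerprints that ipa host-show reports with those of the local key files, so a stale key in freeipa is caught immediately. This is an added example, not code from the original post; it assumes root on the enrolled host, a working kinit -k, and the ipa and ssh-keygen binaries installed.

```sh
# Added example, not from the original post: script the steps above on a
# Devuan FreeIPA client and verify the result. Assumes root on the enrolled
# host, a working `kinit -k`, and the ipa and ssh-keygen binaries installed.
set -eu
SSH_DIR="${SSH_DIR:-/etc/ssh}"
IPA_HOST="${IPA_HOST:-$(hostname -f)}"   # the post used hostname -s; either works

# Print one "--sshpubkey=<type> <base64> <comment>" line per host public key in $1.
sshpubkey_args() {
    for pub in "$1"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        printf -- '--sshpubkey=%s\n' "$(head -n 1 "$pub")"
    done
}

# Pull the SHA256 fingerprints out of `ipa host-show` text on stdin, sorted one per line.
ipa_fingerprints() {
    grep -o 'SHA256:[[:alnum:]+/]*' | sort
}

# Sorted SHA256 fingerprints of the local host keys, for comparison with IPA's view.
local_fingerprints() {
    for pub in "$1"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        ssh-keygen -lf "$pub" | awk '{print $2}'
    done | sort
}

update_ipa_host() {
    kinit -k                          # fail early if the host keytab is unusable
    rm -f "$SSH_DIR"/ssh_host_*_key "$SSH_DIR"/ssh_host_*_key.pub
    dpkg-reconfigure openssh-server   # a plain restart does not recreate keys on Devuan
    service ssh restart
    set --                            # one argument per key; never word-split a key line
    while IFS= read -r arg; do case $arg in ?*) set -- "$@" "$arg" ;; esac; done <<EOF
$(sshpubkey_args "$SSH_DIR")
EOF
    [ "$#" -gt 0 ] || { echo "no host keys found in $SSH_DIR" >&2; return 1; }
    LC_ALL="" LC_CTYPE="C.UTF-8" ipa host-mod "$@" "$IPA_HOST"
    if [ "$(local_fingerprints "$SSH_DIR")" = "$(ipa host-show "$IPA_HOST" | ipa_fingerprints)" ]; then
        echo "FreeIPA now holds this host's current SSH keys"
    else
        echo "fingerprint mismatch between $SSH_DIR and FreeIPA" >&2; return 1
    fi
}

case "${1:-}" in run) update_ipa_host ;; esac   # sh this-script.sh run
```

Run it with the single argument run; without arguments it only defines the functions so they can be sourced and called individually.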

My ipa command kept complaining about all these language problems. Maybe I failed to set them correctly in my preseed. Whatever.

References

Internet searches

freeipa new ssh host key

Weblinks

6.8. Managing Public SSH Keys for Hosts

How To: Ubuntu / Debian Linux Regenerate OpenSSH Host Keys - nixCraft

Man pages

ipa help host-mod
