On 13/04/2022 09:57, Florence Blanc-Renaud wrote:
> On Tue, Apr 12, 2022 at 7:05 PM lejeczek via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> > On 12/04/2022 11:21, Florence Blanc-Renaud wrote:
> > > Hi,
> > >
> > > if you already have ssh public keys in /etc/ssh/ssh_host_*.pub, you can do
> > > # ipa host-mod --updatedns --sshpubkey "*ssh-rsa AAAAB3NzaC...*" client.ipa.test
> > > (where the bold text is the content of your .pub file).
> > >
> > > Then in order to check what was done:
> > > # ipa dnsrecord-show ipa.test client
> > > Record name: client
> > > A record: 10.0.147.130
> > > SSHFP record: 1 1 2D9747370DF5CEDDE66AC4DC354076326F466A0A, 1 2 0B1FB068265381BE51CEA14D315C3A2647E98BC9672B0640045C9D5131BA404C
> > >
> > > You can check that they correspond using
> > > # ssh-keygen -r client.ipa.test -f /etc/ssh/ssh_host_rsa_key.pub
> > > client.ipa.test IN SSHFP 1 1 2d9747370df5cedde66ac4dc354076326f466a0a
> > > client.ipa.test IN SSHFP 1 2 0b1fb068265381be51cea14d315c3a2647e98bc9672b0640045c9d5131ba404c
> > >
> > > The fingerprints are also visible using
> > > # ipa host-show client.ipa.test
> > > ...
> > > SSH public key fingerprint: SHA256:Cx...
> > >
> > > and can be checked using
> > > # ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
> > > 3072 SHA256:Cx...
> > >
> > > Does it help?
> > > flo
> > >
> > > On Mon, Apr 11, 2022 at 9:20 PM lejeczek via FreeIPA-users
> > > <freeipa-users(a)lists.fedorahosted.org> wrote:
> > >
> > > > Hi guys.
> > > >
> > > > What is the correct way to update/modify server's sshfp records?
> > > >
> > > > I assumed those are in: /etc/ssh/ssh_host_*.pub
> > > > and I should use 'host-mod --updatedns ..'
> > > > but then such records do not look like what IPA had/created.
> > > >
> > > > many thanks, L
> > >
> > I've probably phrased poorly what I wanted to say.
> > I did that, as I said I did: 'host-mod --updatedns ..'
> > and...
> > just after this I did: 'ipa host-show'
> > which showed also "ssh public key (FP separately as usually) records",
> > which puzzled me a bit as those were not there for/from a "regular"
> > client/replica install (including this host prior to the manual update), but...!
> > now those "ssh public key" records 'ipa host-show' does not show anymore...
> > now I begin to worry, or.. it's how IPA "behaves"?
>
> Ok, so I didn't understand your point. If you run ipa host-mod --updatedns
> --sshpubkey "ssh-rsa ..." then the value of the ssh pub key is overwritten
> and now contains a single value. If there were previously other SSH pub keys
> they are simply deleted by this command. The right method would be to add
> multiple --sshpubkey arguments, for the key to be added + the previous ones,
> or to use --addattr="ipaSshPubKey=..."
> Was this your question?
>
> > ps. Flo, do the right thing, follow etiquette/lang rules.
> > I'd like to think it's not just a conversation between us two.
> > How do you like to read your book? aha! exactly.
>
> Honestly I have no idea how to interpret this comment, so I'd rather not
> interpret it myself and risk misunderstanding. Did I write something that
> broke etiquette? It was clearly not my intent. I'm open to constructive
> feedback as I try to help as much as I can on this mailing list.

I know some dev guys (but not exclusively) do not think nor use mailing
lists this way - I often struggle when searching (and I think one should
always search prior to sending a message) for info/answers and get a
thread where I need to go down, then jump up and down again, etc.
Simple etiquette, which you are now following - as opposed to the previous
message - so the rest/all? read it as you read a book in a Latin-derived
language, from the top down, always.
thanks, L.
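Flo's cross-check above compares three views of the same host key: the SSHFP records in DNS, the output of `ssh-keygen -r`, and the `SHA256:...` fingerprint from `ipa host-show` / `ssh-keygen -l`. The script below, an added example that is not part of the thread or of FreeIPA, derives all three from one `ssh_host_*.pub` line so a mismatch after a `host-mod` can be spotted without guessing; it assumes the OpenSSH public-key line format and the SSHFP algorithm/fingerprint numbers from RFC 4255, 6594 and 7479, and the sample key is a constructed toy value, not a real host key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers for OpenSSH key types (RFC 4255, 6594, 7479);
# fingerprint types: 1 = SHA-1, 2 = SHA-256 (both appear in the thread's records).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def decode_pubkey_line(line):
    """Split an ssh_host_*.pub line into (key type, raw key blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    # The blob starts with its own key-type string; it must match the text prefix.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode() != key_type:
        raise ValueError("key type prefix does not match blob contents")
    return key_type, blob

def sshfp_from_blob(blob, fp_type):
    """Hex digest of the raw key blob, i.e. the value stored in an SSHFP record."""
    return SSHFP_HASH[fp_type](blob).hexdigest()

def sshfp_records(hostname, line):
    """(hostname, algorithm, fp_type, fingerprint) tuples, as 'ssh-keygen -r' prints."""
    key_type, blob = decode_pubkey_line(line)
    alg = SSHFP_ALGORITHM[key_type]
    return [(hostname, alg, t, sshfp_from_blob(blob, t)) for t in (1, 2)]

def openssh_sha256_fingerprint(line):
    """The 'SHA256:...' form shown by 'ssh-keygen -l' and 'ipa host-show'."""
    _, blob = decode_pubkey_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def build_rsa_pubkey_line(e, n, comment="constructed-key"):
    """Build a syntactically valid ssh-rsa line from integers (constructed toy values)."""
    def mpint(x):  # SSH mpint: length-prefixed big-endian; a leading 0x00 keeps it positive
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

# Constructed sample, not a real host key: a tiny modulus only to exercise the format.
SAMPLE_LINE = build_rsa_pubkey_line(65537, 0xC0FFEE1234567891)
```

On a real host, feed the contents of `/etc/ssh/ssh_host_rsa_key.pub` to `sshfp_records` and `openssh_sha256_fingerprint` and compare against `ipa dnsrecord-show` and `ipa host-show`; the SSHFP hex values are case-insensitive, which is why DNS shows them upper-case and `ssh-keygen -r` lower-case.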