On Wed, Sep 15, 2021 at 10:57:55AM -0400, Rob Crittenden via FreeIPA-users wrote:
Dominik Vogt via FreeIPA-users wrote:
> > However, host key files in rsa and ecdsa format keep reappearing.
> > I'm not exactly sure when this happens. Does it have something to
> > do with sssd?
> I believe sshd generates keys on startup if they do not exist.
For the record, I've fixed the problem with
$ systemctl mask sshd-keygen@rsa.service
$ systemctl mask sshd-keygen@ecdsa.service
$ systemctl mask sshd-keygen@ed25519.service
> You probably want to include the --no-dns-sshfp option for
> ipa-client-install to prevent any existing SSH keys from appearing in DNS.
Yes.
> > Caching the keys in sssd would be in order if we can make sure
> > that sssd does not cache the old keys at any time. Running
> > "sss_cache -H" does not seem to affect the cached known_hosts file
> > in /var/lib though.
We now remove /var/lib/sss/.../known_hosts at startup.
Our ssh connection problems because of old keys in the sss cache
are gone, and no keys are being generated when sshd starts up.
Thanks for the help!
Dominik ^_^ ^_^
--
Dominik Vogt
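A small audit script for the fix described in this thread, added here as an example and not part of the original mail or of FreeIPA/sssd. It checks two things a defender would want to confirm after masking the sshd-keygen@ template units: that every listed sshd-keygen@ instance is actually in the "masked" state, and that no rsa/ecdsa host key files have reappeared in the key directory. The unit listing is passed in as text so the check runs offline; the sample listing and the temporary key directory used below are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): verify that sshd host key
# regeneration stays disabled after masking the sshd-keygen@ units.
# Assumption: the unit-file listing is supplied as text, e.g. captured
# from `systemctl list-unit-files 'sshd-keygen@*.service'`, so no
# systemctl call is made here.

# Constructed sample in the layout systemctl list-unit-files prints;
# ed25519 is deliberately left unmasked to show a failing check.
SAMPLE_UNITS='UNIT FILE                      STATE    VENDOR PRESET
sshd-keygen@rsa.service        masked   disabled
sshd-keygen@ecdsa.service      masked   disabled
sshd-keygen@ed25519.service    enabled  enabled

3 unit files listed.'

# unmasked_keygen_units LISTING
# Prints every sshd-keygen@ instance whose STATE is not "masked".
# Returns 0 when all listed instances are masked, 1 otherwise.
# Header and footer lines are ignored because $1 does not match the unit pattern.
unmasked_keygen_units() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^sshd-keygen@.*\.service$/ && $2 != "masked" { print $1; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# stray_host_keys DIR
# Prints rsa/ecdsa host key files present in DIR (the two types the thread
# wanted to stop reappearing). Returns 0 when none exist, 1 otherwise.
stray_host_keys() {
    found=0
    for k in "$1"/ssh_host_rsa_key "$1"/ssh_host_ecdsa_key; do
        if [ -e "$k" ]; then
            echo "$k"
            found=1
        fi
    done
    return $found
}

# Stand-alone usage: report against the constructed sample and the real key dir.
if [ "${0##*/}" != "sh" ] && [ -z "$AUDIT_LIB_ONLY" ]; then
    unmasked_keygen_units "$SAMPLE_UNITS" && echo "all sshd-keygen@ units masked"
    stray_host_keys /etc/ssh || echo "host keys above have reappeared"
fi
```

On a real host, feed the function the live listing, for instance `unmasked_keygen_units "$(systemctl list-unit-files 'sshd-keygen@*.service')"`, and point `stray_host_keys` at /etc/ssh; a non-zero exit from either means the keys can still come back at the next sshd start.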