Hi,

if you already have ssh public keys in /etc/ssh/ssh_host_*.pub, you can do

# ipa host-mod --updatedns --sshpubkey "ssh-rsa AAAAB3NzaC..." client.ipa.test

(where the bold text is the content of your .pub file).

Then in order to check what was done:

# ipa dnsrecord-show ipa.test client

Record name: client
A record: 10.0.147.130
SSHFP record: 1 1 2D9747370DF5CEDDE66AC4DC354076326F466A0A, 1 2 0B1FB068265381BE51CEA14D315C3A2647E98BC9672B0640045C9D5131BA404C

You can check that they correspond using

# ssh-keygen -r client.ipa.test -f /etc/ssh/ssh_host_rsa_key.pub

client.ipa.test IN SSHFP 1 1 2d9747370df5cedde66ac4dc354076326f466a0a
client.ipa.test IN SSHFP 1 2 0b1fb068265381be51cea14d315c3a2647e98bc9672b0640045c9d5131ba404c

The fingerprints are also visible using

# ipa host-show client.ipa.test

...

SSH public key fingerprint: SHA256:Cx...

and can be checked using

# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

3072 SHA256:Cx...

Does it help?

flo

On Mon, Apr 11, 2022 at 9:20 PM lejeczek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hi guys.

What is the correct way to update/modify server's sshfp records?

I assumed those are in: /etc/ssh/ssh_host_*.pub
and I should use 'host-mod --updatedns ..'
but then such records do not look like what IPA had/created.

many thanks, L
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure