Thanks Rob. It was this which suggested to me that the re-enrolment itself
would result in new host keys being generated:
"A new certificate, ssh keys are generated, ipaUniqueID stays the same."
from
https://www.freeipa.org/page/V3/Forced_client_re-enrollment
However, I've confirmed that actually it is simply cloud-init which is
creating new keys on reimaging the instance; if you rewrite the host keys
back to what they were before the reimage and then re-enrol using
ipa-client-install --keytab, the host's keys remain as they were.
Thanks for making me check my assumptions!
Steve
http://stackhpc.com/
Please note I work Tuesday to Friday.
On Fri, 27 Jan 2023 at 16:35, Rob Crittenden <rcritten(a)redhat.com> wrote:
Steve Brasier via FreeIPA-users wrote:
> Hi. I'm looking at using `ipa-client-install --keytab` to re-enrol a VM
> after reimaging. However this changes the host's ssh keys, which is
> undesirable in this case.
>
> Is there a "smart" way of preventing that? Or is this comment from 10
> years ago the correct way to reset it:
> https://pagure.io/freeipa/issue/2655#comment-320195
Can you be a bit more specific? Does the static image already have ssh
keys? If they are the same, what's the issue re-updating an existing entry?
I don't believe ipa-client-install is generating ssh keys (at least not
on purpose) so I'd check to see if that is happening elsewhere, e.g.
ensure they are right, then install the client, verify.
rob
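As an added illustration (not code from this thread or from FreeIPA), the check below compares the SHA256 fingerprints of the host public keys saved before a reimage with the ones present after re-enrolment, so a regeneration of the kind Steve traced to cloud-init shows up as "changed" or "missing" before users hit a host-key mismatch. The key lines are constructed for the example and are not real keys; the fingerprint form is the one `ssh-keygen -lf` prints.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(b)) + b

def make_pubkey_line(key_type: bytes, material: bytes, comment: str) -> str:
    """Constructed ssh_host_*_key.pub-style line: the blob mimics the wire
    layout (type string, then key material) but is not a real key."""
    blob = _ssh_string(key_type) + _ssh_string(material)
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} {comment}"

def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint: base64(sha256(blob)) with '=' padding
    stripped. Also checks that the declared type matches the type embedded
    in the blob, which catches hand-edited or truncated lines."""
    key_type, b64blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64blob, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode():
        raise ValueError(f"declared type {key_type!r} does not match blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def _by_type(pub_lines: str) -> dict:
    """Map key type -> fingerprint for every non-empty line."""
    return {line.split()[0]: fingerprint(line)
            for line in pub_lines.splitlines() if line.strip()}

def compare_host_keys(before: str, after: str) -> dict:
    """Classify each key type as unchanged/changed/missing/new by comparing
    the fingerprints saved before the reimage with those found afterwards.
    Anything other than 'unchanged' means the host's SSH identity moved."""
    b, a = _by_type(before), _by_type(after)
    result = {}
    for t in sorted(set(b) | set(a)):
        if t in b and t in a:
            result[t] = "unchanged" if b[t] == a[t] else "changed"
        else:
            result[t] = "missing" if t in b else "new"
    return result

# Constructed sample data: keys saved before the reimage, and what the
# reimaged instance presents (ed25519 regenerated, RSA key absent).
SAVED = "\n".join([
    make_pubkey_line(b"ssh-ed25519", b"\x01" * 32, "root@vm-before"),
    make_pubkey_line(b"ssh-rsa", b"\x02" * 64, "root@vm-before"),
])
REIMAGED = make_pubkey_line(b"ssh-ed25519", b"\x03" * 32, "root@vm-after")
```

Run `compare_host_keys(SAVED, REIMAGED)` after restoring the saved key files and re-enrolling; every entry should read "unchanged".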