On 12/04/2022 18:39, Rob Crittenden wrote:
> lejeczek via FreeIPA-users wrote:
>>
>> On 12/04/2022 11:21, Florence Blanc-Renaud wrote:
>>> Hi,
>>>
>>> if you already have ssh public keys in /etc/ssh/ssh_host_*.pub, you
>>> can do
>>> # ipa host-mod --updatedns --sshpubkey "*ssh-rsa AAAAB3NzaC...*" client.ipa.test
>>> (where the bold text is the content of your .pub file).
>>>
>>> Then in order to check what was done:
>>> # ipa dnsrecord-show ipa.test client
>>> Record name: client
>>> A record: 10.0.147.130
>>> SSHFP record: 1 1 2D9747370DF5CEDDE66AC4DC354076326F466A0A, 1 2 0B1FB068265381BE51CEA14D315C3A2647E98BC9672B0640045C9D5131BA404C
>>>
>>> You can check that they correspond using
>>> # ssh-keygen -r client.ipa.test -f /etc/ssh/ssh_host_rsa_key.pub
>>> client.ipa.test IN SSHFP 1 1 2d9747370df5cedde66ac4dc354076326f466a0a
>>> client.ipa.test IN SSHFP 1 2 0b1fb068265381be51cea14d315c3a2647e98bc9672b0640045c9d5131ba404c
>>>
>>> The fingerprints are also visible using
>>> # ipa host-show client.ipa.test
>>> ...
>>> SSH public key fingerprint: SHA256:Cx...
>>>
>>> and can be checked using
>>> # ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
>>> 3072 SHA256:Cx...
>>>
>>> Does it help?
>>> flo
>>>
>>> On Mon, Apr 11, 2022 at 9:20 PM lejeczek via FreeIPA-users
>>> <freeipa-users(a)lists.fedorahosted.org> wrote:
>>>
>>> Hi guys.
>>>
>>> What is the correct way to update/modify a server's
>>> SSHFP records?
>>>
>>> I assumed those are in: /etc/ssh/ssh_host_*.pub
>>> and I should use 'host-mod --updatedns ..'
>>> but then such records do not look like what IPA
>>> had/created.
>>>
>>> many thanks, L
>>> _______________________________________________
>>>
>> I've probably phrased poorly what I wanted to say.
>> I did that, as I said I did: 'host-mod --updatedns ..' and...
>> just after this I did: 'ipa host-show'
>> which also showed "ssh public key (FP separately, as usual) records",
>> which puzzled me a bit as those were not there for/from a "regular"
>> client/replica install (including this host prior to the manual update),
>> but...!
>> now 'ipa host-show' does not show those "ssh public key" records
>> anymore... now I begin to worry, or.. is it how IPA "behaves"?
> I think it would help if you showed us what you are seeing, the exact
> commands, and what the output looks like vs what you expect.
When I do:
-> $ ipa host-mod drunk.in.ccn --updatedns --sshpubkey="ssh-ed25519 .." --sshpubkey="ecdsa-sha2-nistp256 ...=" --sshpubkey="ssh-rsa ..."
------------------------------------
Modified host "drunk.in.ccn"
------------------------------------
Host name: drunk.in.ccn
Principal name: host/drunk.in.ccn(a)IN.CCN
Principal alias: host/drunk.in.ccn(a)IN.CCN
SSH public key: ssh-ed25519 ....AIKv2AOJxFqqpcpe/HR/3hh, ssh-rsa AAAAB3NzaC1....U=, ecdsa-sha2-nistp256 ..../TWR/ZoiqV3Ke4Fw3LrtT9b86uqlb8Uc8P8lJe2RV4wvRw=
SSH public key fingerprint: SHA256:....
IPA prints the above for that command - and '*-mod', when it does
print, I'd think usually shows the same end result that '*-show' would get.
So there are both "SSH public key" & "SSH public key fingerprint", but
'-show' later gets only the latter - perhaps it's just how it should be?
many thanks, L
>> ps. Flo, do the right thing, follow etiquette/lang rules. I'd like to
>> think it's not just a conversation between us two. How do you like to read
>> your book? aha! exactly.
> Not sure what you mean. She replied to the list, not just to you.
> rob
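As an added example (not code from the thread, from FreeIPA, or from OpenSSH): the cross-check Flo describes, comparing the `SSHFP record:` line printed by `ipa dnsrecord-show` with the `IN SSHFP` lines printed by `ssh-keygen -r`, done in pure Python. It also derives the SSHFP RDATA and the `SHA256:` fingerprint directly from an OpenSSH `.pub` line using only `hashlib`, so it can confirm that what IPA published is a hash of the key the host really serves, and it builds the `ipa host-mod ... --updatedns --sshpubkey=...` command line for several keys at once, as in Rob's run. It goes beyond the RSA-only case in the thread and covers all four key types that have SSHFP algorithm numbers (RSA, DSA, ECDSA, Ed25519). The `SSHFP record:` and `IN SSHFP` sample lines are quoted from Flo's reply; the ssh-ed25519 key is constructed in-line from a made-up 32-byte value and is not a real host key.

```python
"""Check FreeIPA-published SSHFP records against /etc/ssh/ssh_host_*.pub files.

Added example, not FreeIPA's or OpenSSH's code. SSHFP algorithm numbers follow
RFC 4255 (1 RSA, 2 DSA), RFC 6594 (3 ECDSA, fingerprint type 2 SHA-256) and
RFC 7479 (4 Ed25519); fingerprint type 1 is SHA-1 (RFC 4255).
"""
import base64
import glob
import hashlib
import struct

# OpenSSH key-type string -> SSHFP algorithm number.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint type -> hash; `ssh-keygen -r` emits both for every key.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

# Sample output quoted from the thread (client.ipa.test):
IPA_SSHFP_LINE = ("SSHFP record: 1 1 2D9747370DF5CEDDE66AC4DC354076326F466A0A, "
                  "1 2 0B1FB068265381BE51CEA14D315C3A2647E98BC9672B0640045C9D5131BA404C")
SSH_KEYGEN_R_OUTPUT = (
    "client.ipa.test IN SSHFP 1 1 2d9747370df5cedde66ac4dc354076326f466a0a\n"
    "client.ipa.test IN SSHFP 1 2 0b1fb068265381be51cea14d315c3a2647e98bc9672b0640045c9d5131ba404c\n")


def key_blob(pubkey_line):
    """Return (key_type, raw_blob) from an OpenSSH .pub line.

    The wire-format blob starts with the key-type string; checking that it
    matches the leading token catches a mangled or truncated .pub file before
    a fingerprint of garbage gets published in DNS.
    """
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("public key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii", "replace"):
        raise ValueError("key type %r does not match blob contents" % key_type)
    if key_type not in SSHFP_ALGORITHM:
        raise ValueError("no SSHFP algorithm number for %r" % key_type)
    return key_type, blob


def sshfp_records(pubkey_line):
    """SSHFP RDATA for one key as (algorithm, fp_type, lowercase hex) tuples,
    the same pairs `ssh-keygen -r` prints (SHA-1 and SHA-256 of the blob)."""
    key_type, blob = key_blob(pubkey_line)
    alg = SSHFP_ALGORITHM[key_type]
    return [(alg, fp, SSHFP_HASHES[fp](blob).hexdigest()) for fp in (1, 2)]


def sha256_fingerprint(pubkey_line):
    """The `SHA256:...` form shown by `ssh-keygen -l` and `ipa host-show`
    (unpadded base64 of the SHA-256 digest of the blob)."""
    _, blob = key_blob(pubkey_line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_ipa_sshfp(line):
    """Parse the 'SSHFP record: 1 1 HEX, 1 2 HEX' line from `ipa dnsrecord-show`.
    IPA prints uppercase hex, ssh-keygen lowercase, so normalise to lowercase."""
    _, _, rdata = line.partition(":")
    records = set()
    for rr in rdata.split(","):
        fields = rr.split()
        if len(fields) != 3:
            raise ValueError("malformed SSHFP RDATA: %r" % rr)
        records.add((int(fields[0]), int(fields[1]), fields[2].lower()))
    return records


def parse_ssh_keygen_r(text):
    """Parse `ssh-keygen -r HOST -f KEY.pub` output: 'HOST IN SSHFP alg type hex'."""
    records = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[1:3] == ["IN", "SSHFP"]:
            records.add((int(fields[3]), int(fields[4]), fields[5].lower()))
    return records


def compare(published, local):
    """Return (missing_from_dns, stale_in_dns); ([], []) means DNS matches the host."""
    return sorted(local - published), sorted(published - local)


def host_mod_command(host, pubkey_lines):
    """Argument vector for the `ipa host-mod` call that stores the keys and
    regenerates SSHFP records; the trailing comment field of each key is dropped."""
    args = ["ipa", "host-mod", host, "--updatedns"]
    for line in pubkey_lines:
        args.append("--sshpubkey=" + " ".join(line.split()[:2]))
    return args


def local_pubkeys(pattern="/etc/ssh/ssh_host_*.pub"):
    """Read the host's public keys (default path is the one the thread assumes)."""
    return [open(p).read().strip() for p in sorted(glob.glob(pattern))]


def constructed_ed25519_pubkey():
    """Syntactically valid ssh-ed25519 .pub line with a made-up 32-byte key
    (constructed test data, not a real host key)."""
    kt, fake_key = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(fake_key)) + fake_key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@client.ipa.test"


if __name__ == "__main__":
    print(compare(parse_ipa_sshfp(IPA_SSHFP_LINE), parse_ssh_keygen_r(SSH_KEYGEN_R_OUTPUT)))  # ([], [])
    pub = constructed_ed25519_pubkey()
    for rec in sshfp_records(pub):
        print("client.ipa.test IN SSHFP %d %d %s" % rec)
    print(sha256_fingerprint(pub))
    print(" ".join(host_mod_command("client.ipa.test", [pub])))
```

On a real client, feed `local_pubkeys()` to `host_mod_command()` and `sshfp_records()`, then compare the union of the computed tuples with `parse_ipa_sshfp()` applied to the `SSHFP record:` line of `ipa dnsrecord-show ZONE HOST`; a non-empty second list means a stale SSHFP record is still published for a key the host no longer uses, which is what a client trusting `VerifyHostKeyDNS` would reject.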