#3931 SSH key upload broken when client joins an older server
Closed: Fixed. Opened 10 years ago by mkosek.

As ipa-client-install uses the API host-mod command to modify the host and add SSH keys, it always fails to add the key if the client is of a newer version than the server (which will be a very common scenario, given that the server should be more stable than most of the clients):

# ipa-client-install -p admin -w Secret123 --mkhomedir --enable-dns-updates --force-join --force-ntpd
Discovery was successful!
Hostname: vm-052.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: vm-086.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Mon Sep 09 06:56:05 2013 UTC
    Valid Until: Fri Sep 09 06:56:05 2033 UTC

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
DNS server record set to: vm-052.example.com -> 10.16.78.52

Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
host_mod: 2.65 client incompatible with 2.49 server at u'https://vm-086.example.com/ipa/xml'

Failed to upload host SSH public keys.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

We should do just an LDAP modify operation instead.


Alternatively, we can use the JSON API directly, with a lower API version. This would mean (future versions of) the server can apply any host-mod logic (or even fail to upload the keys if we need to break compatibility).

master:

  • 5824a0e ipa-client-install: Verify RPC connection with a ping
  • e01a28b ipa-client-install: Use direct RPC instead of api.Command

ipa-3-3:

  • 96ab700 ipa-client-install: Verify RPC connection with a ping
  • 960c67a ipa-client-install: Use direct RPC instead of api.Command

The patches fix an additional bug where ipa-client-install would fail on servers without S4U2Proxy delegation (before IPA 2.2).
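As an added illustration of the version problem and of the direct-RPC approach discussed above (this is example code written for this page, not FreeIPA's own client or server code), the following Python models the API-version rule the FreeIPA server applies (matching major version, client minor version not newer than the server's), which is what produces the "2.65 client incompatible with 2.49 server" error, and builds the JSON-RPC ping and host_mod requests with an explicit, lower `version` option. The versions 2.49 and 2.65 and the hostname come from the ticket output; the pinned version 2.26, the sample keys and the toy server dispatcher are assumptions for illustration.

```python
"""Added example for this ticket (not FreeIPA code): model the API-version
check behind "2.65 client incompatible with 2.49 server" and show why sending
host_mod over direct JSON-RPC with an explicit, lower 'version' option lets a
newer client enrol against an older server."""
import json

# Constructed from the ticket's output: the server speaks API 2.49, the client 2.65.
SERVER_API_VERSION = "2.49"
CLIENT_API_VERSION = "2.65"
# Assumed for illustration: a low version the client pins for the SSH-key upload.
# The ticket does not state which version the patches actually pin.
PINNED_API_VERSION = "2.26"

# Constructed sample keys; the base64 is not a real key.
SAMPLE_PUBKEYS = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0exampleonly root@vm-052.example.com",
    "ssh-dss AAAAB3NzaC1kc3MAAACBAMexampleonly root@vm-052.example.com",
]


class VersionError(Exception):
    """Stand-in for the server's version rejection."""


def _major_minor(version):
    parts = version.split(".")
    if len(parts) < 2:
        raise VersionError("API version %r must be MAJOR.MINOR" % (version,))
    return int(parts[0]), int(parts[1])


def is_compatible(client_version, server_version):
    """Compatibility rule modelled on the FreeIPA server's check: major versions
    must match and the client's minor version may not be newer than the
    server's. A 2.65 client therefore fails against a 2.49 server, while any
    2.x client at or below 2.49 is accepted."""
    cmaj, cmin = _major_minor(client_version)
    smaj, smin = _major_minor(server_version)
    return cmaj == smaj and cmin <= smin


def ping_request(api_version, req_id=0):
    """JSON-RPC body for 'ping', used to verify the RPC connection (and the
    claimed version) before attempting any modification."""
    return {"method": "ping", "params": [[], {"version": api_version}], "id": req_id}


def host_mod_request(fqdn, pubkeys, api_version, req_id=1):
    """JSON-RPC body for host_mod. FreeIPA puts positional args in params[0]
    and keyword options in params[1]; the API version is just the 'version'
    option, so a caller using direct RPC chooses what it claims instead of
    inheriting the client library's own (newer) API_VERSION."""
    options = {"ipasshpubkey": list(pubkeys), "version": api_version}
    return {"method": "host_mod", "params": [[fqdn], options], "id": req_id}


def server_dispatch(request, server_version=SERVER_API_VERSION):
    """Minimal stand-in for the server: round-trip through JSON as the wire
    would, reject incompatible versions before any command logic runs, then
    answer 'ping' and 'host_mod'."""
    req = json.loads(json.dumps(request))
    args, options = req["params"]
    client_version = options.get("version")
    if client_version is None or not is_compatible(client_version, server_version):
        raise VersionError("%s client incompatible with %s server"
                           % (client_version, server_version))
    if req["method"] == "ping":
        return {"result": {"summary": "IPA server version %s" % server_version},
                "id": req["id"]}
    if req["method"] == "host_mod":
        return {"result": {"fqdn": args[0], "ipasshpubkey": options["ipasshpubkey"]},
                "id": req["id"]}
    raise ValueError("unknown method %r" % (req["method"],))


def upload_keys(fqdn, pubkeys, api_version, server_version=SERVER_API_VERSION):
    """Client side of the exchange: ping first, then host_mod, both with the
    same explicit version. Returns True if the server accepts the upload and
    False if it answers with the version error seen in the ticket."""
    try:
        server_dispatch(ping_request(api_version), server_version)
        server_dispatch(host_mod_request(fqdn, pubkeys, api_version), server_version)
        return True
    except VersionError:
        return False


if __name__ == "__main__":
    host = "vm-052.example.com"
    print("client API_VERSION %s:" % CLIENT_API_VERSION,
          upload_keys(host, SAMPLE_PUBKEYS, CLIENT_API_VERSION))   # False
    print("pinned version %s:" % PINNED_API_VERSION,
          upload_keys(host, SAMPLE_PUBKEYS, PINNED_API_VERSION))   # True
```

The point of pinning the version in the request rather than taking it from the client library is the one made in the comment above: the server still runs its full host-mod logic for the version the client claims, and can still refuse the upload later if compatibility for that version is deliberately broken, whereas a raw LDAP modify would bypass the server's command logic entirely.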

Metadata Update from @mkosek (7 years ago):
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 3.3.x - 2013/09 (bug fixing)
