It is expected that the output of host-find and host-show should show the fingerprints of all SSH keys.
Got:
ipa host-show vm-058-188.abc.idm.lab.eng.brq.redhat.com
  Host name: vm-058-188.abc.idm.lab.eng.brq.redhat.com
  Principal name: host/vm-058-188.abc.idm.lab.eng.brq.redhat.com@DOM-012.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Password: False
  Member of host-groups: ipaservers
  Keytab: True
  Managed by: vm-058-188.abc.idm.lab.eng.brq.redhat.com
Expected:
ipa host-show vm-058-188.abc.idm.lab.eng.brq.redhat.com
  Host name: vm-058-188.abc.idm.lab.eng.brq.redhat.com
  Principal name: host/vm-058-188.abc.idm.lab.eng.brq.redhat.com@DOM-012.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Password: False
  Member of host-groups: ipaservers
  Keytab: True
  Managed by: vm-058-188.abc.idm.lab.eng.brq.redhat.com
  SSH fingerprint: B5:AE:22:61:9A:2E:B3:11:15:35:8C:90:60:FE:78:49 (ssh-rsa), E0:A7:72:95:43:93:22:91:B2:E6:F9:7D:B1:22:9B:7F (ecdsa-sha2-nistp256), 3A:C5:EC:89:FE:C2:46:7B:D3:9D:92:9F:CC:BC:61:EA (ssh-ed25519)
Actually, the API call returns fingerprints; only on the client side are they not shown.
"result": {
    "result": {
        "dn": "fqdn=vm-058-188.abc.idm.lab.eng.brq.redhat.com,cn=computers,cn=accounts,dc=dom-012,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com",
        "fqdn": [
            "vm-058-188.abc.idm.lab.eng.brq.redhat.com"
        ],
        "has_keytab": true,
        "has_password": false,
        "krbprincipalname": [
            "host/vm-058-188.abc.idm.lab.eng.brq.redhat.com@DOM-012.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM"
        ],
        "managedby_host": [
            "vm-058-188.abc.idm.lab.eng.brq.redhat.com"
        ],
        "memberof_hostgroup": [
            "ipaservers"
        ],
        "sshpubkeyfp": [
            "B5:AE:22:61:9A:2E:B3:11:15:35:8C:90:60:FE:78:49 (ssh-rsa)",
            "E0:A7:72:95:43:93:22:91:B2:E6:F9:7D:B1:22:9B:7F (ecdsa-sha2-nistp256)",
            "3A:C5:EC:89:FE:C2:46:7B:D3:9D:92:9F:CC:BC:61:EA (ssh-ed25519)"
        ]
    },
    "summary": null,
    "value": "vm-058-188.abc.idm.lab.eng.brq.redhat.com"
Probably caused by the thin client feature.
Is this still an issue? I was not able to reproduce it on the current master (12.7.2016) with freshly installed ipa server.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1356142
attachment host_find.out
attachment host_show0.out
attachment host_show1.out
So when I was fiddling with the ipa host-show and host-find, I found out that fingerprints weren't displayed sometimes. The fingerprints would have been hidden for hosts that I failed to install as replicas and their records might have been corrupted.
However, when I installed the certain host even as a client, the fingerprint would appear back again.
Attaching console outputs - host_find and host_show0 are before proper client installation, host_show1 after it.
The main question here is whether the fingerprint is displayed for hosts which have an sshpubkey record in LDAP (ideally check with DM rights). That is the only trusted source to determine if the SSH key is there or not. Host-find or host-show can lie as well.
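An added example, not part of the ticket or of FreeIPA's code: one way to run the check described above, computing fingerprints in the format shown in this ticket (colon-separated MD5 hex plus key type) from the public keys stored on the host entry in LDAP and comparing them with the `sshpubkeyfp` values the API returns. The function names and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def fingerprint(pubkey_line: str) -> str:
    """Return 'XX:XX:... (key-type)' for an OpenSSH public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with its own key-type string; it must match the label.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != declared:
        raise ValueError("declared key type does not match key blob")
    digest = hashlib.md5(blob).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2)) + f" ({declared})"


def compare(ldap_keys, api_fingerprints):
    """Return (missing_from_api, unexpected_in_api) as sorted lists."""
    expected = {fingerprint(k) for k in ldap_keys}
    shown = set(api_fingerprints)
    return sorted(expected - shown), sorted(shown - expected)


# Constructed sample keys (not real host keys): type string + 32 filler bytes.
def sample_key(key_type: str, fill: int) -> str:
    blob = _ssh_string(key_type.encode()) + _ssh_string(bytes([fill]) * 32)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"


if __name__ == "__main__":
    keys = [sample_key("ssh-ed25519", 1), sample_key("ssh-rsa", 2)]
    shown = [fingerprint(keys[0])]          # API output lacking the second key
    missing, unexpected = compare(keys, shown)
    print("missing from API output:", missing)
    print("not backed by an LDAP key:", unexpected)
```

A non-empty first list means a key stored in LDAP has no fingerprint in the command output; a non-empty second list means the output shows a fingerprint with no matching stored key.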
I cannot reproduce this anymore, it was probably fixed.
Metadata Update from @mbasti: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.4.1