In my homelab, where I only have a single IPA server, I have had to rebuild / 
replace it due to issues outside of IPA.  I was unable to restore the VM from a 
snapshot; however, I was able to rebuild and use a backup created by ipa-backup 
to perform a restore.  Everything appeared to work fine, and IPA clients are 
working, as well as LDAP and other services.  The only issue I'm encountering 
is that when I try to ssh to the IPA server from one of the clients, SSH hangs 
here:

$ ssh -vvvvv master
OpenSSH_8.1p1, OpenSSL 1.1.1d FIPS  10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug2: checking match for 'final all' host master originally master
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug2: checking match for 'final all' host master originally master
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 master
debug1: identity file /home/rlong/.ssh/id_rsa type -1
debug1: identity file /home/rlong/.ssh/id_rsa-cert type -1
debug1: identity file /home/rlong/.ssh/id_dsa type -1
debug1: identity file /home/rlong/.ssh/id_dsa-cert type -1
debug1: identity file /home/rlong/.ssh/id_ecdsa type -1
debug1: identity file /home/rlong/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/rlong/.ssh/id_ed25519 type -1
debug1: identity file /home/rlong/.ssh/id_ed25519-cert type -1
debug1: identity file /home/rlong/.ssh/id_xmss type -1
debug1: identity file /home/rlong/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1


I'm assuming it has something to do with the knownhostsproxy setup, but I can't 
find any information on how to confirm that or what to do to resolve it.  I am 
able to ssh to the IPA server from any system that is not enrolled as an IPA 
client.

Any ideas?
_______________________________________________
FreeIPA-users mailing list -- [email protected]