If a Devuan system is a FreeIPA client but you cannot ssh -o GSSAPIAuthentication=yes to it, even though all the usual troubleshooting steps check out and the logs show nothing useful, the SSH host public keys stored for that host in FreeIPA may be stale, i.e. they no longer match the keys the host's sshd actually serves.
Generate new ssh keys for freeipa host
All the steps can be taken on the host in question.
As root, make sure you can kinit -k, which obtains a Kerberos ticket for the host principal (host/<fqdn>@REALM) from the host keytab, /etc/krb5.keytab. klist should then show that host principal as the default principal. If this step doesn't work, you need to go fix that first, which is beyond the scope of this post.
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/d2-03a.ipa.example.com@IPA.EXAMPLE.COM

Valid starting       Expires              Service principal
12/31/2019 07:25:47  01/01/2020 07:25:47  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.CO
Now, generate new SSH host keys. On CentOS, if you delete the host keys and restart sshd, the service unit quietly generates new ones on start, which can cause some interesting effects: every client that cached the old key gets a "host key has changed" warning, which is also exactly what a man-in-the-middle attempt looks like, so rotate keys deliberately and update the FreeIPA record as shown below. On Devuan, restarting the daemon is not good enough: sshd refuses to start without host keys ("no hostkeys available") rather than creating them, so you have to run:
rm -rf /etc/ssh/ssh_host_*_key*
dpkg-reconfigure openssh-server
service ssh restart
And then, with the host ticket from the kinit -k earlier (a FreeIPA host is allowed to modify its own entry, which is what "Managed by" in the output below means), it's a piece of cake to update this host in FreeIPA with the new set of SSH public keys. Note that the --sshpubkey values replace the stored key set, so pass all of the host's keys in one host-mod call:
LC_ALL="" LC_CTYPE="C.UTF-8" ipa host-mod \
    --sshpubkey="$( cat /etc/ssh/ssh_host_rsa_key.pub )" \
    --sshpubkey="$( cat /etc/ssh/ssh_host_ecdsa_key.pub )" \
    --sshpubkey="$( cat /etc/ssh/ssh_host_ed25519_key.pub )" \
    $( hostname -s )
----------------------
Modified host "d2-03a"
----------------------
  Host name: d2-03a.ipa.example.com
  Principal name: host/d2-03a.ipa.example.com@IPA.EXAMPLE.COM
  Principal alias: host/d2-03a.ipa.example.com@IPA.EXAMPLE.COM
  SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABg[truncated] root@d2-03a, ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAI[truncated] root@d2-03a, ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBU/CbzrNnMivn5kAiHTU6WSadY/FWPG8qZ3sGleDbHr root@d2-03a
  SSH public key fingerprint: SHA256:tMcJ2uFNmx6K+dF+Gm6WUBO4AvBmGVj9247mvg5LxU4 root@d2-03a (ssh-rsa), SHA256:uJeRc0dkao/DmnQm2hyQUSfeC0HgIZppB2NVyA+BoTA root@d2-03a (ecdsa-sha2-nistp256), SHA256:j+trvcJAQx5PeaJbUJ8xImBDgCJ2U/nW3h5D3m2kTj4 root@d2-03a (ssh-ed25519)
  Password: False
  Keytab: True
  Managed by: d2-03a.ipa.example.com
My ipa command kept complaining about all these language problems. Maybe I failed to set them correctly in my preseed. Whatever.
For the full list of options, see: ipa help host-mod
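Pulling the steps above together, here is an added example script (my code, not from the original post) that does the whole rotation with the checks the post leaves implicit: it refuses to continue without a ticket for a host/ principal, regenerates the keys the Devuan way, sends every valid ssh_host_*_key.pub to FreeIPA in a single host-mod call (the --sshpubkey values replace the stored set, so sending them one at a time would leave only the last key), and then checks that the fingerprints FreeIPA reports match the local files. The keytab path /etc/krb5.keytab, the SSH_DIR variable, the DEBIAN_FRONTEND=noninteractive setting, the --rotate flag and all function names are my assumptions; the kinit, klist, ipa, ssh-keygen and dpkg-reconfigure invocations are the standard ones.

```shell
#!/bin/sh
# Added example (not from the original post): rotate the SSH host keys of a
# Devuan FreeIPA client and publish the new public keys in FreeIPA.
# Assumptions (mine): the host keytab is /etc/krb5.keytab, host keys live in
# $SSH_DIR (default /etc/ssh), and the --rotate flag and function names are
# this script's own. Run as root:  sh rotate-ipa-hostkeys.sh --rotate

SSH_DIR="${SSH_DIR:-/etc/ssh}"

# 1. A ticket for the host/ principal, taken from the keytab, is what lets
#    this host modify its own FreeIPA entry. Stop here if that is broken.
require_host_ticket() {
    kinit -k || { echo "kinit -k failed: fix /etc/krb5.keytab first" >&2; return 1; }
    klist -s || { echo "no valid ticket in the cache after kinit -k" >&2; return 1; }
    klist | grep -q '^Default principal: host/' \
        || { echo "cached ticket is not for a host/ principal" >&2; return 1; }
}

# 2. Devuan/Debian: sshd exits with "no hostkeys available" instead of creating
#    missing keys, so regenerate them through the package's own hook.
regenerate_host_keys() {
    rm -f "$SSH_DIR"/ssh_host_*_key "$SSH_DIR"/ssh_host_*_key.pub
    DEBIAN_FRONTEND=noninteractive dpkg-reconfigure openssh-server
    service ssh restart
}

# Print "type base64" for every ssh_host_*_key.pub in $1, one per line.
# Only the key types current OpenSSH publishes are accepted, and an empty or
# truncated file is skipped, so a bad value never reaches FreeIPA.
collect_host_pubkeys() {
    dir="$1"
    for f in "$dir"/ssh_host_*_key.pub; do
        [ -r "$f" ] || continue
        set -- $(head -n 1 "$f")          # "type base64 comment" -> $1 $2 $3
        case "${1:-}" in
            ssh-rsa|ecdsa-sha2-nistp256|ssh-ed25519) ;;
            *) continue ;;
        esac
        [ -n "${2:-}" ] || continue
        printf '%s %s\n' "$1" "$2"        # comment dropped; FreeIPA does not need it
    done
}

count_host_pubkeys() {
    collect_host_pubkeys "$1" | grep -c ''
}

# 3. One host-mod call with every key: the --sshpubkey values replace the
#    stored set, so sending them one at a time would leave only the last one.
#    The LC_* settings are the locale workaround from the post.
push_host_pubkeys_to_ipa() {
    host="$1"; dir="$2"
    set --
    while read -r keyline; do
        [ -n "$keyline" ] || continue
        set -- "$@" "--sshpubkey=$keyline"
    done <<EOF
$(collect_host_pubkeys "$dir")
EOF
    [ $# -gt 0 ] || { echo "no usable host keys in $dir" >&2; return 1; }
    LC_ALL="" LC_CTYPE="C.UTF-8" ipa host-mod "$@" "$host"
}

# 4. Verify: the SHA256 fingerprint of every local key (ssh-keygen -lf prints
#    "bits SHA256:... comment (type)") must appear in the entry FreeIPA shows.
verify_host_pubkeys_in_ipa() {
    host="$1"; dir="$2"
    shown=$(LC_ALL="" LC_CTYPE="C.UTF-8" ipa host-show "$host")
    for f in "$dir"/ssh_host_*_key.pub; do
        [ -r "$f" ] || continue
        fp=$(ssh-keygen -lf "$f" | awk '{print $2}')
        case "$shown" in
            *"$fp"*) ;;
            *) echo "FreeIPA does not list $fp from $f" >&2; return 1 ;;
        esac
    done
}

rotate_host_keys_in_ipa() {
    require_host_ticket || return 1
    regenerate_host_keys || return 1
    push_host_pubkeys_to_ipa "$(hostname -s)" "$SSH_DIR" || return 1
    verify_host_pubkeys_in_ipa "$(hostname -s)" "$SSH_DIR"
}

if [ "${1:-}" = "--rotate" ]; then
    rotate_host_keys_in_ipa
fi
```

Without the --rotate flag the script only defines the functions, so you can source it and run collect_host_pubkeys /etc/ssh to see exactly what would be sent before touching anything. Remember that rotating host keys invalidates every client's cached entry for this host: FreeIPA clients whose ssh is configured by ipa-client-install to fetch host keys through SSSD pick up the new keys from the updated record, but hand-maintained known_hosts files still need updating.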