Devuan generate new ssh keys for freeipa host

If a Devuan system is a freeipa client, but you cannot ssh -o GSSAPIAuthentication=yes to it, even though all the regular troubleshooting steps work, and the logs don’t show you anything, the host ssh keys might be wrong in freeipa.

Generate new ssh keys for freeipa host

All the steps can be taken on the host in question.
As root, make sure you can kinit -k to get a kerberos key with the host keystore. If this step doesn’t work, you need to go fix that, which is beyond the scope of this post.

kinit -k
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/

Valid starting       Expires              Service principal
12/31/2019 07:25:47  01/01/2020 07:25:47  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.CO

Now, generate new ssh keys. Apparently on Devuan systems, restarting the daemon is not good enough. On CentOS, if you delete the ssh host keys, restarting the daemon will just generate new ones which can cause some interesting effects when connecting to a host that did so. However, on Devuan you have to run:

rm -rf /etc/ssh/ssh_host_*_key*
dpkg-reconfigure openssh-server
service ssh restart

And then, with the fresh keytab from the kinit -k earlier, it’s a piece of cake to modify this host in freeipa to use a new set of ssh public keys!

LC_ALL="" LC_CTYPE="C.UTF-8" ipa host-mod --sshpubkey="$( cat /etc/ssh/ )" --sshpubkey="$( cat /etc/ssh/ )" --sshpubkey="$( cat /etc/ssh/ )" $( hostname -s )
Modified host "d2-03a"
  Host name:
  Principal name: host/
  Principal alias: host/
  SSH public key: ssh-rsa
                  root@d2-03a, ecdsa-sha2-nistp256
                  root@d2-03a, ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBU/CbzrNnMivn5kAiHTU6WSadY/FWPG8qZ3sGleDbHr
  SSH public key fingerprint: SHA256:tMcJ2uFNmx6K+dF+Gm6WUBO4AvBmGVj9247mvg5LxU4 root@d2-03a (ssh-rsa),
                              SHA256:uJeRc0dkao/DmnQm2hyQUSfeC0HgIZppB2NVyA+BoTA root@d2-03a (ecdsa-sha2-nistp256),
                              SHA256:j+trvcJAQx5PeaJbUJ8xImBDgCJ2U/nW3h5D3m2kTj4 root@d2-03a (ssh-ed25519)
  Password: False
  Keytab: True
  Managed by:

My ipa command kept complaining about all these language problems. Maybe I failed to set them correctly in my preseed. Whatever.


Internet searches

freeipa new ssh host key


6.8. Managing Public SSH Keys for Hosts
How To: Ubuntu / Debian Linux Regenerate OpenSSH Host Keys – nixCraft

Man pages

ipa help host-mod

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.