Still getting “ssh failure: Offending RSA key in /var/lib/sss/pubconf/known_hosts” despite removing the specified key from “known_hosts”
As seen in the posted log, the offending key is not in its normal place, i.e. $HOME/.ssh/known_hosts, but it's rather located in /var/lib/sss/pubconf/known_hosts. This suggests that System Security Services Daemon aka sssd is fetching the offending key from another source.
This is why removing the key from the file has no effect, because it's being re-fetched from a server over and over again.
In this case, the server is a FreeIPA server. Therefore to fix the problem, the offending key sent by the IPA server has to be changed.
This can be done by manually changing the key on the server, or removing the host information from the server completely, and installing the client (via ipa-client-install) again.
My problem happened after re-installing the OS on the client. Therefore it is a sensible option for me to remove the host info from the server and install the IPA client again.
TL;DR: On the server you want to connect to, run:
ipa host-mod --sshpubkey="`cat /etc/ssh/ssh_host_ed25519_key.pub`" --sshpubkey="`cat /etc/ssh/ssh_host_ecdsa_key.pub`" --sshpubkey="`cat /etc/ssh/ssh_host_rsa_key.pub`" `hostname`
What's happening here is that the ssh client is retrieving the server host's public key from the IPA Server, but the IPA Server doesn't know that the host's public key has changed.
ssh gets the old key, and ssh becomes unhappy.
To update the keys in the IPA server, use ipa host-mod or the IPA WebGUI.
If you only need ed25519, it's fine to skip the other keys. E.g:
ipa host-mod --sshpubkey="`cat /etc/ssh/ssh_host_ed25519_key.pub`" `hostname`
Using the WebGUI requires more cut and paste to add keys, so depending on what you want to do, the command line may be the easier option.
If you want to view or modify ssh keys using the WebGUI:
- navigate to
Hosts->'your host'->Settings - scroll down to
SSH Keys - view or update using the
show/set,deleteandaddbuttons - scroll up and
save