Linux – Still getting “ssh failure: Offending RSA key in /var/lib/sss/pubconf/known_hosts” despite removing the specified key from “known_hosts”


I know similar questions have been asked many times, but there's a difference here:

Trying to ssh to the server I get:

$ ssh cl11lx
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /nethome/ajalali/.ssh/known_hosts to get rid of this message.
Offending RSA key in /var/lib/sss/pubconf/known_hosts:8
  remove with: ssh-keygen -f "/var/lib/sss/pubconf/known_hosts" -R cl11lx
ECDSA host key for cl11lx has changed and you have requested strict checking.
Host key verification failed.

The most relevant question I found is here, which is closed as a duplicate of this one which itself is closed as off-topic. But they're not the same anyway. Another related question is asked here.

In most cases, as we know, you can fix the problem by replacing the server key, for example by running:

ssh-keygen -R <host>

But neither this solution, nor removing the offending key from the file /var/lib/sss/pubconf/known_hosts did solve my problem.

As soon as I remove that whole file, or remove the offending key, the key is back.

Please note that all my systems are members of a freeipa server, which itself is an LDAP/Kerberos on the backend.

Best Answer

As seen in the posted log, the offending key is not in its normal place, i.e. $HOME/.ssh/known_hosts, but it's rather located in /var/lib/sss/pubconf/known_hosts. This suggests that System Security Services Daemon aka sssd is fetching the offending key from another source.

This is why removing the key from the file has no effect, because it's being re-fetched from a server over and over again.

In this case, the server is a FreeIPA server. Therefore to fix the problem, the offending key sent by the IPA server has to be changed.

This can be done by manually changing the key on the server, or removing the host information from the server completely, and installing the client (via ipa-client-install) again.

My problem happened after re-installing the OS on the client. Therefore it is a sensible option for me to remove the host info from the server and install the IPA client again.