I'm running into the following while working on a workaround for subiquity ignoring ssh_deletekeys in an autoinstall deployment:
The task is to update the three SSH host public keys on a FreeIPA server, as these are annoyingly regenerated on the first boot after the host is enrolled during installation, causing SSH connection issues. I'm looking for a proper solution for this, but in the meantime, a workaround would be great.
user@jose-haverly:~$ HostKeys=$(cat /etc/ssh/ssh_host_*_key.pub | awk 'PRE="--sshpubkey=" {print PRE "\""$0"\""}' | xargs -d$'\n')
user@jose-haverly:~$ ipa host-mod $HostKeys $(hostname -f)
ipa: ERROR: command 'host_mod' takes at most 1 argument
Okay, time to check if the command looks the way it should:
user@jose-haverly:~$ echo "ipa host-mod $HostKeys $(hostname -f)"
ipa host-mod --sshpubkey="ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLskZXmJFQzLmpDI5Y6aJcJ51y9NyzmzmdEjFmgEvJnss2YqLQ9L1Hv/UF5g/IDdefGGGC1kqdPcRJvzXdygWzQ= root@jose-haverly" --sshpubkey="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVwskz0q8MF234/bFKAESmfXVCGQzBZYEuIa3Kp5kVO root@jose-haverly" --sshpubkey="ssh-rsa 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 root@jose-haverly" jose-haverly.local
Yup, that looks fine. Checking to see what happens if I copy-paste this text output as a command:
user@jose-haverly:~$ ipa host-mod --sshpubkey="ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLskZXmJFQzLmpDI5Y6aJcJ51y9NyzmzmdEjFmgEvJnss2YqLQ9L1Hv/UF5g/IDdefGGGC1kqdPcRJvzXdygWzQ= root@jose-haverly" --sshpubkey="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVwskz0q8MF234/bFKAESmfXVCGQzBZYEuIa3Kp5kVO root@jose-haverly" --sshpubkey="ssh-rsa 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 root@jose-haverly" jose-haverly.local
ipa: ERROR: no modifications to be performed
And that works, so what am I missing here? Why does parsing a variable or directly $(via some cmd) cause ipa host-mod to fail?
As Gordon Davisson pointed out, this is probably a quoting issue.
Here's how you could use an array. My Bash foo isn't great so I can't guarantee it'll work, but you should get the gist:
# Build the arguments in an array
keys=()
while read -r key; do
keys+=(--sshpubkey="$key")
done < <(cat /etc/ssh/ssh_host_*_key.pub)
# Execute the command with the array
ipa host-mod "${keys[@]}" "$(hostname -f)"
When using "${HostKeys[@]}", Bash expands the array into separate arguments, preserving the distinction between each --sshpubkey flag. This should match the behavior expected by ipa host-mod.
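The word splitting behind the "takes at most 1 argument" error, as an added example that is not part of the original question or answer. It assumes a hypothetical stand-in `count_positionals` in place of `ipa host-mod`, constructed placeholder keys, and the placeholder hostname `host.example`; it uses the positional parameters (`"$@"`) where the answer uses a Bash array, so it also runs under plain `sh`.

```sh
#!/bin/sh
# Constructed placeholder keys (not real key material) in a temp directory.
make_sample_keys() {
    dir=$(mktemp -d)
    echo 'ssh-ed25519 AAAAC3ExampleEd25519 root@host.example' > "$dir/ssh_host_ed25519_key.pub"
    echo 'ssh-rsa AAAAB3ExampleRsa root@host.example' > "$dir/ssh_host_rsa_key.pub"
    echo "$dir"
}

# Hypothetical stand-in for `ipa host-mod` (simplified model, not the real CLI):
# prints how many arguments do not start with "--", i.e. the positionals.
count_positionals() {
    n=0
    for a in "$@"; do
        case $a in
            --*) ;;
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Question's form: one string with embedded quotes, expanded unquoted.
# The quote characters are data, so the shell splits at every space.
from_string() {
    s=""
    for f in "$1"/ssh_host_*_key.pub; do
        IFS= read -r key < "$f"
        s="$s --sshpubkey=\"$key\""
    done
    # shellcheck disable=SC2086  # unquoted on purpose to show the splitting
    count_positionals $s host.example
}

# Answer's form: one list element per key, expanded quoted.
from_list() {
    keydir=$1
    set --
    for f in "$keydir"/ssh_host_*_key.pub; do
        IFS= read -r key < "$f"
        set -- "$@" "--sshpubkey=$key"
    done
    count_positionals "$@" host.example
}

d=$(make_sample_keys)
echo "string form positionals: $(from_string "$d")"   # 5
echo "list form positionals:   $(from_list "$d")"     # 1
rm -rf "$d"
```

Pasting the echoed command works because the shell then parses the quotes as syntax; quotes that arrive through a variable expansion are never re-parsed.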