Dne 7.12.2011 17:28, Jan Cholasta napsal(a):
[PATCH] 65 Configure ssh and sshd during ipa-client-install.

For ssh, VerifyHostKeyDNS option is enabled.

For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM
options are enabled (this can be disabled using --no-sshd
ipa-client-install option).


Changed this not to implicitly trust DNS, as discussed at yesterday's meeting. You can make SSH trust DNS explicitly using the --ssh-trust-dns ipa-client-install option.

Honza

--
Jan Cholasta
>From 351d556a7cb0adb83e6726ae918b54b63d81f724 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 7 Dec 2011 03:49:09 -0500
Subject: [PATCH] Configure ssh and sshd during ipa-client-install.

For ssh, VerifyHostKeyDNS option is set to 'ask' (it can be set to
'yes' using --ssh-trust-dns ipa-client-install option).

For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM
options are enabled (this can be disabled using --no-sshd
ipa-client-install option).

ticket 1634
---
 ipa-client/ipa-install/ipa-client-install |  108 +++++++++++++++++++++++++++++
 ipa-client/man/ipa-client-install.1       |    6 ++
 ipapython/platform/base.py                |    2 +-
 3 files changed, 115 insertions(+), 1 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 29ceee0..0a040f4 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -84,6 +84,10 @@ def parse_options():
     basic_group.add_option("--ntp-server", dest="ntp_server", help="ntp server to use")
     basic_group.add_option("-N", "--no-ntp", action="store_false",
                       help="do not configure ntp", default=True, dest="conf_ntp")
+    basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
+                      help="configure OpenSSH client to trust DNS SSHFP records")
+    basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
+                      help="do not configure OpenSSH server")
     basic_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
                       help="do not automatically create DNS SSHFP records")
     basic_group.add_option("-f", "--force", dest="force", action="store_true",
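Review bot: The help text for --ssh-trust-dns on the added lines does not say what it changes; the commit message says it switches VerifyHostKeyDNS from 'ask' to 'yes', which is exactly what an administrator deciding whether to enable it needs to know, since SSHFP records are only as trustworthy as the resolver that returns them. Suggest `help="set VerifyHostKeyDNS to 'yes' in the OpenSSH client configuration (default is 'ask')"`, and the same wording for the man page entry in this patch. parse_options continues outside the hunk.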
@@ -287,8 +291,10 @@ def uninstall(options, env, quiet=False):
 
     emit_quiet(quiet, "Disabling client Kerberos and LDAP configurations")
     was_sssd_installed = False
+    was_sshd_configured = False
     if fstore.has_files():
         was_sssd_installed = fstore.has_file("/etc/sssd/sssd.conf")
+        was_sshd_configured = fstore.has_file("/etc/ssh/sshd_config")
     try:
         auth_config = ipaservices.authconfig()
         if statestore.has_state('authconfig'):
@@ -382,6 +388,9 @@ def uninstall(options, env, quiet=False):
            if restored:
                ipaservices.knownservices.ntpd.restart()
 
+    if was_sshd_configured and ipaservices.knownservices.sshd.is_running():
+        ipaservices.knownservices.sshd.restart()
+
     if was_sssd_installed and was_sssd_configured:
         # SSSD was installed before our installation, config now is restored, restart it
         emit_quiet(quiet, "The original configuration of SSSD included other domains than IPA-based one.")
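Review bot: The sshd restart on the added lines has no error handling, whereas the same restart in configure_ssh later in this patch is wrapped in try/except with log_service_error; here a failed restart raises out of uninstall before the SSSD handling that follows, and the remaining uninstall steps are skipped. Wrap it the same way so uninstall logs the failure and carries on; uninstall continues outside the hunk.

```python
    if was_sshd_configured and ipaservices.knownservices.sshd.is_running():
        try:
            ipaservices.knownservices.sshd.restart()
        except Exception, e:
            log_service_error(ipaservices.knownservices.sshd.service_name, 'restart', e)
```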
@@ -748,6 +757,103 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
 
     return 0
 
+def change_ssh_config(filename, changes, sections):
+    if len(changes) == 0:
+        return True
+
+    try:
+        f = open(filename, 'r')
+    except IOError, e:
+        root_logger.error("Failed to open '%s': %s" % (filename, str(e)))
+        return False
+
+    lines = []
+    in_section = False
+    for line in f:
+        if in_section:
+            lines.append(line)
+            continue
+        pline = line.strip()
+        if len(pline) == 0 or pline.startswith('#'):
+            lines.append(line)
+            continue
+        parts = pline.split()
+        option = parts[0].lower()
+        for key in sections:
+            if key.lower() == option:
+                in_section = True
+                break
+        if in_section:
+            break
+        for opt in changes:
+            if opt.lower() == option:
+                line = None
+                break
+        if line is not None:
+            lines.append(line)
+    for opt in changes:
+        lines.append('%s %s\n' % (opt, changes[opt]))
+    lines.append('\n')
+    if in_section:
+        lines.append(line)
+    for line in f:
+        lines.append(line)
+
+    f.close()
+
+    try:
+        f = open(filename, 'w')
+    except IOError, e:
+        root_logger.error("Failed to open '%s': %s" % (filename, str(e)))
+        return False
+
+    f.write(''.join(lines))
+
+    f.close()
+
+    return True
+
+def configure_ssh(fstore, options):
+    if file_exists('/etc/ssh/ssh_config'):
+        fstore.backup_file('/etc/ssh/ssh_config')
+
+        if options.trust_sshfp:
+            verify_sshfp = 'yes'
+        else:
+            verify_sshfp = 'ask'
+
+        changes = {
+            'VerifyHostKeyDNS': verify_sshfp,
+        }
+
+        change_ssh_config('/etc/ssh/ssh_config', changes, ['Host'])
+        print 'Configured /etc/ssh/ssh_config'
+
+    if not options.conf_sshd:
+        return
+
+    sshd = ipaservices.knownservices.sshd
+    if not sshd.is_installed():
+        root_logger.debug("%s daemon is not installed, skip configuration" % (sshd.service_name))
+        return
+
+    fstore.backup_file('/etc/ssh/sshd_config')
+
+    changes = {
+        'KerberosAuthentication': 'yes',
+        'GSSAPIAuthentication': 'yes',
+        'UsePAM': 'yes',
+    }
+
+    change_ssh_config('/etc/ssh/sshd_config', changes, ['Match'])
+    print 'Configured /etc/ssh/sshd_config'
+
+    if sshd.is_running():
+        try:
+            sshd.restart()
+        except Exception, e:
+            log_service_error(sshd.service_name, 'restart', e)
+
 def resolve_ipaddress(server):
     """ Connect to the server's LDAP port in order to determine what ip
         address this machine uses as "public" ip (relative to the server).
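Review bot: change_ssh_config rewrites the file in place — the second `open(filename, 'w')` truncates /etc/ssh/sshd_config before the single `f.write` that follows, so a failure in between (full disk, signal, crash) leaves an empty sshd_config and the subsequent restart would take remote access down; write to a temporary file in the same directory and rename it over the original instead, as in the excerpt below (it needs os, tempfile and stat in scope). configure_ssh also discards the False return of change_ssh_config and still prints `Configured /etc/ssh/sshd_config`, so the installer reports success after an error that was only logged; test the return value before printing. Note too that sshd_config accepts `Keyword=value` as well as whitespace-separated form, which `pline.split()` does not split, so an existing `UsePAM=no` would survive and, because sshd uses the first value it reads, win over the appended `UsePAM yes`; splitting on `=` as well as whitespace, or rejecting such lines explicitly, closes that gap.

```python
    # … unchanged: read loop building `lines` …
    f.close()

    try:
        st = os.stat(filename)
        fd, tmpname = tempfile.mkstemp(dir=os.path.dirname(filename))
        os.fchmod(fd, stat.S_IMODE(st.st_mode))
        os.write(fd, ''.join(lines))
        os.close(fd)
        os.rename(tmpname, filename)
    except (IOError, OSError), e:
        root_logger.error("Failed to write '%s': %s" % (filename, str(e)))
        return False

    return True
```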
@@ -1321,6 +1427,8 @@ def install(options, env, fstore, statestore):
         ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
         print "NTP enabled"
 
+    configure_ssh(fstore, options)
+
     print "Client configuration complete."
 
     return 0
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index cca3fa9..96b019b 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -63,6 +63,12 @@ Configure ntpd to use this NTP server.
 \fB\-N\fR, \fB\-\-no\-ntp\fR
 Do not configure or enable NTP.
 .TP
+\fB\-\-ssh\-trust\-dns\fR
+Configure OpenSSH client to trust DNS SSHFP records.
+.TP
+\fB\-\-no\-sshd\fR
+Do not configure OpenSSH server.
+.TP
 \fB\-\-no\-dns\-sshfp\fR
 Do not automatically create DNS SSHFP records.
 .TP
diff --git a/ipapython/platform/base.py b/ipapython/platform/base.py
index 99189a1..80420c7 100644
--- a/ipapython/platform/base.py
+++ b/ipapython/platform/base.py
@@ -22,7 +22,7 @@ from ipalib.plugable import MagicDict
 # set them as in Red Hat distributions. Actual implementation should make them available
 # through knownservices.<name> and take care of remapping internally, if needed
 wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc', 'messagebus',
-                     'nslcd', 'nscd', 'ntpd', 'portmap', 'rpcbind', 'kadmin']
+                     'nslcd', 'nscd', 'ntpd', 'portmap', 'rpcbind', 'kadmin', 'sshd']
 
 class AuthConfig(object):
     """
-- 
1.7.6.4

