Hi,

this patch configures the new SSH features of SSSD in ipa-client-install.

To test it, you need to have SSSD 1.8.0 installed.

Honza

--
Jan Cholasta
From fe3dcdf8101cd24aa67e9e5850f6cce71846fed6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 16 Feb 2012 04:21:56 -0500
Subject: [PATCH] Configure SSH features of SSSD in ipa-client-install.

This requires SSSD 1.8.0.
---
 freeipa.spec.in                           |    5 ++++-
 ipa-client/ipa-install/ipa-client-install |   23 ++++++++++++++++++++++-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 3609bdd..a3d74c1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -210,7 +210,7 @@ Requires:  libcurl
 Requires:  xmlrpc-c
 %endif
 %endif
-Requires: sssd >= 1.5.1
+Requires: sssd >= 1.8.0
 Requires: certmonger >= 0.26
 Requires: nss-tools
 Requires: bind-utils
@@ -674,6 +674,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Tue Feb 28 2012 Jan Cholasta <jchol...@redhat.com> - 2.99.0-20
+- Set min nvr of sssd to 1.8.0 for SSH support
+
 * Mon Feb 27 2012 Rob Crittenden <rcrit...@redhat.com> - 2.99.0-19
 - Add Requires to ipa-client on oddjob-mkhomedir
 
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index f5c1efe..bce2ef0 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -708,6 +708,8 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
         sssdconfig = SSSDConfig.SSSDConfig()
         sssdconfig.new_config()
 
+    sssdconfig.activate_service('ssh')
+
     try:
         domain = sssdconfig.new_domain(cli_domain)
     except SSSDConfig.DomainAlreadyExistsError:
@@ -797,7 +799,8 @@ def change_ssh_config(filename, changes, sections):
         if line is not None:
             lines.append(line)
     for opt in changes:
-        lines.append('%s %s\n' % (opt, changes[opt]))
+        if changes[opt] is not None:
+            lines.append('%s %s\n' % (opt, changes[opt]))
     lines.append('\n')
     if in_section:
         lines.append(line)
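Review bot: The new `is not None` filter gives `None` a meaning in the `changes` dict (skip the option entirely so the daemon's own built-in default applies, which is how the sshd hunk later leaves `AuthorizedKeysCommandRunAs` unset), but nothing in the hunk records that contract, so a future caller could reasonably expect `None` to write an empty value or to remove an existing line. A one-line comment above the loop would pin it down: `# None means "do not emit this option"; the daemon's compiled-in default is kept`. Whether a pre-existing line with that key survives in the output depends on the earlier loop that filters `line is not None`, which lies above the hunk, so that is worth confirming and stating in the same comment. `change_ssh_config`'s signature is only visible in the hunk header; its body starts and ends outside the hunk.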
@@ -828,6 +831,9 @@ def configure_ssh(fstore, ssh_dir, options):
         changes = {}
         if options.trust_sshfp:
             changes['VerifyHostKeyDNS'] = 'yes'
+        elif options.sssd:
+            changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
+            changes['GlobalKnownHostsFile2'] = '/var/lib/sss/pubconf/known_hosts'
 
         change_ssh_config(ssh_config, changes, ['Host'])
         print 'Configured', ssh_config
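Review bot: The `GlobalKnownHostsFile2` directive added here is, as far as I recall, accepted only as a deprecated no-op by OpenSSH 5.9 and later (the `*2` variants were folded into the multi-valued `GlobalKnownHostsFile`), so on such a client the SSSD-published host keys in `/var/lib/sss/pubconf/known_hosts` are never consulted and host-key verification silently falls back to the user's known_hosts and the interactive prompt — the opposite of what the change intends, with no warning. Consider writing `GlobalKnownHostsFile /etc/ssh/ssh_known_hosts /var/lib/sss/pubconf/known_hosts` where the installed ssh accepts multiple files, or probing the client the way the sshd hunk probes with `sshd -t`, and printing a warning when neither form is usable. Separately, if `change_ssh_config` places these lines before the first `Host` section (the `['Host']` argument suggests so), ssh's first-match rule means this `ProxyCommand` takes precedence over any `ProxyCommand` a site already configures in `Host` blocks for jump hosts — worth confirming and calling out in the installer output. The enclosing `configure_ssh` starts and ends outside the hunk.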
@@ -848,6 +854,21 @@ def configure_ssh(fstore, ssh_dir, options):
         'UsePAM': 'yes',
     }
 
+    if options.sssd:
+        (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null', '-o', 'AuthorizedKeysCommand='], raiseonerr=False)
+        if retcode == 0:
+            changes['AuthorizedKeysCommand'] = '/usr/bin/sss_ssh_authorizedkeys'
+            changes['AuthorizedKeysCommandRunAs'] = None
+        else:
+            (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null', '-o', 'PubKeyAgent='], raiseonerr=False)
+            if retcode == 0:
+                changes['PubKeyAgent'] = '/usr/bin/sss_ssh_authorizedkeys %u'
+                changes['PubkeyAgentRunAs'] = None
+            else:
+                print "Warning: Installed OpenSSH server does not support dynamically loading"
+                print "         authorized user keys. Public key authentication of IPA users"
+                print "         will not be available."
+
     change_ssh_config(sshd_config, changes, ['Match'])
     print 'Configured', sshd_config
 
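Review bot: Both probes treat any non-zero exit from `sshd -t -f /dev/null -o …` as "option not supported", but `sshd -t` also fails for unrelated reasons — most plausibly missing host keys at the default paths on a freshly provisioned host where sshd has never started — so on such a machine both probes fail and the installer prints the warning and leaves `AuthorizedKeysCommand` unconfigured even though sshd supports it. I would decide on the parser diagnostic in stderr rather than the exit status and fold the duplicated probe into a helper, as below; the exact "Bad configuration option" text should be confirmed against the sshd in the supported baseline. A smaller point: `sshd` is resolved through PATH, and if the binary is not found `ipautil.run` presumably raises rather than returning a non-zero code (depends on its implementation, which is not in the hunk), so an absolute `/usr/sbin/sshd` or a try/except around the probe would be more robust. `configure_ssh` continues outside the hunk.
```python
def _sshd_accepts_option(option):
    """Return True unless the installed sshd rejects `option` as unknown.

    Probing against an empty config isolates option parsing, but sshd -t
    can still exit non-zero for other reasons (e.g. no host keys yet), so
    the decision is made on stderr, not on the exit status.
    """
    (stdout, stderr, retcode) = ipautil.run(
        ['sshd', '-t', '-f', '/dev/null', '-o', option], raiseonerr=False)
    return 'Bad configuration option' not in stderr

# … unchanged: sshd_config changes dict …
    if options.sssd:
        if _sshd_accepts_option('AuthorizedKeysCommand='):
            changes['AuthorizedKeysCommand'] = '/usr/bin/sss_ssh_authorizedkeys'
            changes['AuthorizedKeysCommandRunAs'] = None
        elif _sshd_accepts_option('PubKeyAgent='):
            changes['PubKeyAgent'] = '/usr/bin/sss_ssh_authorizedkeys %u'
            changes['PubkeyAgentRunAs'] = None
        else:
            # … unchanged: warning that dynamic key lookup is unavailable …
```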
-- 
1.7.6.5
