Hi, this patch configures the new SSH features of SSSD in ipa-client-install.
To test it, you need to have SSSD 1.8.0 installed. Honza -- Jan Cholasta
>From fe3dcdf8101cd24aa67e9e5850f6cce71846fed6 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Thu, 16 Feb 2012 04:21:56 -0500 Subject: [PATCH] Configure SSH features of SSSD in ipa-client-install. This requires SSSD 1.8.0. --- freeipa.spec.in | 5 ++++- ipa-client/ipa-install/ipa-client-install | 23 ++++++++++++++++++++++- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 3609bdd..a3d74c1 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -210,7 +210,7 @@ Requires: libcurl Requires: xmlrpc-c %endif %endif -Requires: sssd >= 1.5.1 +Requires: sssd >= 1.8.0 Requires: certmonger >= 0.26 Requires: nss-tools Requires: bind-utils @@ -674,6 +674,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Tue Feb 28 2012 Jan Cholasta <jchol...@redhat.com> - 2.99.0-20 +- Set min nvr of sssd to 1.8.0 for SSH support + * Mon Feb 27 2012 Rob Crittenden <rcrit...@redhat.com> - 2.99.0-19 - Add Requires to ipa-client on oddjob-mkhomedir diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index f5c1efe..bce2ef0 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -708,6 +708,8 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options): sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.new_config() + sssdconfig.activate_service('ssh') + try: domain = sssdconfig.new_domain(cli_domain) except SSSDConfig.DomainAlreadyExistsError: @@ -797,7 +799,8 @@ def change_ssh_config(filename, changes, sections): if line is not None: lines.append(line) for opt in changes: - lines.append('%s %s\n' % (opt, changes[opt])) + if changes[opt] is not None: + lines.append('%s %s\n' % (opt, changes[opt])) lines.append('\n') if in_section: lines.append(line) 
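Review bot: The new `is not None` filter in change_ssh_config gives a `None` value in `changes` a meaning — write no line for that option — that nothing in the function states, and configure_ssh already relies on it (`changes['AuthorizedKeysCommandRunAs'] = None`). The part of the function that presumably strips existing lines for each key in `changes` lies before this hunk, so a reader of the loop cannot tell whether `None` means "leave the current setting alone" or "remove it and write nothing"; a one-line comment above the `if`, `# None: drop any existing setting for opt and do not write a replacement`, settles that, and change_ssh_config's docstring should list the convention next to `changes` and `sections` so the next caller does not write the string 'None' by mistake. change_ssh_config starts outside the hunk.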
@@ -828,6 +831,9 @@ def configure_ssh(fstore, ssh_dir, options): changes = {} if options.trust_sshfp: changes['VerifyHostKeyDNS'] = 'yes' + elif options.sssd: + changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h' + changes['GlobalKnownHostsFile2'] = '/var/lib/sss/pubconf/known_hosts' change_ssh_config(ssh_config, changes, ['Host']) print 'Configured', ssh_config @@ -848,6 +854,21 @@ def configure_ssh(fstore, ssh_dir, options): 'UsePAM': 'yes', } + if options.sssd: + (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null', '-o', 'AuthorizedKeysCommand='], raiseonerr=False) + if retcode == 0: + changes['AuthorizedKeysCommand'] = '/usr/bin/sss_ssh_authorizedkeys' + changes['AuthorizedKeysCommandRunAs'] = None + else: + (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null', '-o', 'PubKeyAgent='], raiseonerr=False) + if retcode == 0: + changes['PubKeyAgent'] = '/usr/bin/sss_ssh_authorizedkeys %u' + changes['PubkeyAgentRunAs'] = None + else: + print "Warning: Installed OpenSSH server does not support dynamically loading" + print " authorized user keys. Public key authentication of IPA users" + print " will not be available." + change_ssh_config(sshd_config, changes, ['Match']) print 'Configured', sshd_config -- 1.7.6.5
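Review bot: The `elif options.sssd` branch writes `ProxyCommand` and `GlobalKnownHostsFile2` into the global ssh_config without checking that the installed ssh accepts them, whereas the sshd side of this same patch probes with `sshd -t` before writing anything. An ssh client that does not know an option refuses every connection with "Bad configuration option", so this branch should be guarded the same way; a probe that I believe works is the exit status of `ipautil.run(['ssh', '-o', 'GlobalKnownHostsFile2=/dev/null', '-V'], raiseonerr=False)`, since an unknown `-o` option is fatal before `-V` prints the version, but that needs confirming against the target OpenSSH. If I recall correctly `GlobalKnownHostsFile2` is also deprecated as of OpenSSH 5.9 in favour of multiple arguments to `GlobalKnownHostsFile`, and a deprecated option is accepted but ignored, which would silently leave the SSSD-managed known_hosts unconsulted and push users back to TOFU prompts. configure_ssh starts outside the hunk.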
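Review bot: The probe `sshd -t -f /dev/null -o AuthorizedKeysCommand=` treats every non-zero exit as "option unsupported", but `sshd -t` fails for unrelated reasons as well — on a host whose host keys have not been generated yet (sshd never started) it exits non-zero complaining about missing hostkeys, and the installer would then print the unsupported warning and leave IPA public-key authentication unconfigured with the real cause discarded. Distinguish the cases by inspecting the captured `stderr`: treat the option as unsupported only when stderr mentions "Bad configuration option" (or "Unsupported option"), and on any other failure print it so the admin sees what actually broke, e.g. `print "Warning: sshd -t failed, cannot verify AuthorizedKeysCommand support: %s" % stderr.strip()`. The same applies to the `PubKeyAgent` probe in the `else` branch. The `changes` dictionary this code extends, and configure_ssh itself, start outside the hunk.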