On 2.3.2012 04:56, Rob Crittenden wrote:
Jan Cholasta wrote:
On 29.2.2012 15:00, Martin Kosek wrote:
On Wed, 2012-02-29 at 14:44 +0100, Jan Cholasta wrote:
On 29.2.2012 14:24, Martin Kosek wrote:
On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:
On 28.2.2012 23:42, Rob Crittenden wrote:
Jan Cholasta wrote:

this patch configures the new SSH features of SSSD in

To test it, you need to have SSSD 1.8.0 installed.


Is there a better name for 'GlobalKnownHostsFile2'?

What do you mean? The option name or the file name? Either way, I
think there is a better name.

When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and
it was an unknown option in all.

It's in openssh in RHEL 6.0.

Should you test for the existence of
and /usr/bin/sss_ssh_authorizedkeys before setting it in a config

It depends. Do we want to support clients with SSSD < 1.8.0?

How would you recommend testing this? Enroll a client and try to log
into the IPA server?

To test host authentication, you need an IPA host with SSH public
set (which is done automatically in ipa-client-install, so any IPA
should work) and try to ssh into that host from other (actually, it
be the same) IPA host. You should not see "The authenticity of host
can't be established" ssh message.

To test user authentication, you need an IPA user with SSH public
set. To do that, you need to set the public keys using ipa
user-mod. You
should then be able to authenticate using your private key on any
IPA host.



I get this exception when running ipa-client-install with your patch.

# ipa-client-install --enable-dns-updates
Discovery was successful!
Hostname: vm-138.idm.lab.bos.redhat.com
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-068.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for ad...@idm.lab.bos.redhat.com:

Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
Traceback (most recent call last):
File "/usr/sbin/ipa-client-install", line 1514, in <module>
File "/usr/sbin/ipa-client-install", line 1501, in main
rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 1326, in install
if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
File "/usr/sbin/ipa-client-install", line 711, in configure_sssd_conf
File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1516, in
raise NoServiceError

SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64


Does your /etc/sssd/sssd.conf and /usr/share/sssd/sssd.api.conf contain
[ssh] section?

sssd.api.conf did contain the ssh section:

# grep -C 3 ssh /usr/share/sssd/sssd.api.conf
# autofs service
autofs_negative_timeout = int, None, false

# ssh service

#Available provider types

sssd.conf did not.

In either case, we should not crash but handle the issue in some more
friendly way.


Patch updated with more defensive code.


Needs a BuildRequires of sssd 1.8 or you get some pylint errors:

ipa-client/ipa-install/ipa-client-install:712: [E1101,
configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service'
ipa-client/ipa-install/ipa-client-install:723: [E1101,
configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service'
ipa-client/ipa-install/ipa-client-install:734: [E1101,
configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service'


Host keys work fine.

I wasn't able to get user ssh keys working but my server is still on
F-15. I had a daily build of sssd (1.8.1) but it was missing
/usr/libexec/sssd/sssd_ssh!? Too tired to work out why right now.

F15 is not the problem; the SSSD package in ipa-devel is built without experimental features for some reason (in the patch I assumed that it always is; fixed that).

Two more things:

1. You will need explicit test cases for QE to test positive and
negative login cases (it would have sped me along too).

Should that be part of the patch?

2. You need to beef up the commit message to describe what this does
(e.g. configure for knownhost support). Commit message space is cheap;
be verbose.



Updated patch attached.


Jan Cholasta
From 07f17587a1fb4d5e3f35710a0be428ef7bb13ddd Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 16 Feb 2012 04:21:56 -0500
Subject: [PATCH] Configure SSH features of SSSD in ipa-client-install.

OpenSSH server (sshd) is configured to fetch user authorized keys from
SSSD and OpenSSH client (ssh) is configured to use and trigger updates
of the SSSD-managed known hosts file.

This requires SSSD 1.8.0.
 freeipa.spec.in                           |    7 ++++++-
 ipa-client/ipa-install/ipa-client-install |   29 ++++++++++++++++++++++++++++-
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 90c8e9f..b1c4fb6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -75,6 +75,7 @@ BuildRequires:  pyOpenSSL
 BuildRequires:  pylint
 BuildRequires:  libipa_hbac-python
 BuildRequires:  python-memcached
+BuildRequires:  sssd >= 1.8.0
 IPA is an integrated solution to provide centrally managed Identity (machine,
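Review bot: The new `BuildRequires:  sssd >= 1.8.0` exists only so that pylint can introspect `SSSDConfig.activate_service` during the build (the E1101 errors quoted earlier in the thread), not because building IPA needs the daemon; a one-line comment above it in the spec saying so would stop someone from "cleaning up" a build dependency on a runtime service package later.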
@@ -210,7 +211,7 @@ Requires:  libcurl
 Requires:  xmlrpc-c
-Requires: sssd >= 1.5.1
+Requires: sssd >= 1.8.0
 Requires: certmonger >= 0.26
 Requires: nss-tools
 Requires: bind-utils
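Review bot: Bumping `Requires: sssd >= 1.5.1` to `>= 1.8.0` enforces the version but cannot express "built with SSH support", which the thread shows is a real case (the ipa-devel SSSD build lacks it), so the `NoServiceError` and `file_exists` guards added later in ipa-client-install are still required; the commit message should state that relationship so the guards are not later removed as redundant with this Requires.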
@@ -675,6 +676,10 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
+* Thu Mar 1 2012 Jan Cholasta <jchol...@redhat.com> - 2.99.0-21
+- Set min nvr of sssd to 1.8.0 for SSH support
+- Add BuildRequires on sssd >= 1.8.0
 * Wed Feb 29 2012 Petr Vobornik <pvobo...@redhat.com> - 2.99.0-20
 - Add Web UI logout page
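Review bot: The changelog entry advances the package to 2.99.0-21, but no `Release:` change is visible anywhere in this diff; confirm the Release tag is bumped in the same patch so the changelog version matches the built package rather than leaving the two out of step.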
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index f5c1efe..cbf351c 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -719,6 +719,14 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
         domain = sssdconfig.new_domain(cli_domain)
+    try:
+        sssdconfig.activate_service('ssh')
+    except SSSDConfig.NoServiceError:
+        print "Unable to activate the SSH service in SSSD config."
+        print "Please make sure you have SSSD built with SSH support installed."
+        print "Configure SSH support manually in /etc/sssd/sssd.conf."
+        root_logger.debug("Unable to activate the SSH service in SSSD config.")
     domain.add_provider('ipa', 'id')
     if not options.on_master:
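Review bot: When `activate_service('ssh')` raises `NoServiceError` the function prints advice and carries on, but nothing records the failure, so `configure_ssh` further down will still point `AuthorizedKeysCommand` and `ProxyCommand` at the `sss_ssh_*` helpers as long as the binaries exist, even though the SSSD ssh responder they talk to is not configured; set a flag (or an attribute on `options`) here and have `configure_ssh` skip the SSSD-specific options when it is set. Separately, the `root_logger.debug(...)` repeats the first `print` verbatim and at a level that will not reach the install log on a normal run; `root_logger.warning` (or logging the three printed lines once) would be more useful to whoever later debugs a client with working key auth missing.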
@@ -797,7 +805,8 @@ def change_ssh_config(filename, changes, sections):
         if line is not None:
     for opt in changes:
-        lines.append('%s %s\n' % (opt, changes[opt]))
+        if changes[opt] is not None:
+            lines.append('%s %s\n' % (opt, changes[opt]))
     if in_section:
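Review bot: The `if changes[opt] is not None:` guard introduces a new meaning for a `None` value in `changes` ("do not add this option") that callers below rely on (`AuthorizedKeysCommandRunAs`, `PubkeyAgentRunAs`), but it is not documented, and the earlier rewrite loop (`if line is not None:`) may still treat a `None` value differently when the option already exists in the file; add a docstring to `change_ssh_config` stating whether `None` means "leave unset" or "remove any existing setting", and make the two code paths agree with it.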
@@ -828,6 +837,9 @@ def configure_ssh(fstore, ssh_dir, options):
         changes = {}
         if options.trust_sshfp:
             changes['VerifyHostKeyDNS'] = 'yes'
+        elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'):
+            changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
+            changes['GlobalKnownHostsFile2'] = '/var/lib/sss/pubconf/known_hosts'
         change_ssh_config(ssh_config, changes, ['Host'])
         print 'Configured', ssh_config
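Review bot: The `elif` makes SSSD known-hosts handling mutually exclusive with `--trust-sshfp`, which is fine, but two points deserve a comment in the code: why `GlobalKnownHostsFile2` rather than `GlobalKnownHostsFile` (setting the latter would replace the default `/etc/ssh/ssh_known_hosts` instead of adding a second file, which answers the naming question raised in the thread), and that a global `ProxyCommand` means every outgoing ssh connection from the client now depends on `/usr/bin/sss_ssh_knownhostsproxy` working, so a broken SSSD ssh responder turns into a total inability to ssh out rather than a fall back to the normal known_hosts flow.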
@@ -848,6 +860,21 @@ def configure_ssh(fstore, ssh_dir, options):
         'UsePAM': 'yes',
+    if options.sssd and file_exists('/usr/bin/sss_ssh_authorizedkeys'):
+        (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null', '-o', 'AuthorizedKeysCommand='], raiseonerr=False)
+        if retcode == 0:
+            changes['AuthorizedKeysCommand'] = '/usr/bin/sss_ssh_authorizedkeys'
+            changes['AuthorizedKeysCommandRunAs'] = None
+        else:
+            (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null', '-o', 'PubKeyAgent='], raiseonerr=False)
+            if retcode == 0:
+                changes['PubKeyAgent'] = '/usr/bin/sss_ssh_authorizedkeys %u'
+                changes['PubkeyAgentRunAs'] = None
+            else:
+                print "Warning: Installed OpenSSH server does not support dynamically loading"
+                print "         authorized user keys. Public key authentication of IPA users"
+                print "         will not be available."
     change_ssh_config(sshd_config, changes, ['Match'])
     print 'Configured', sshd_config
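Review bot: Probing sshd with `sshd -t -f /dev/null -o AuthorizedKeysCommand=` is a neat way to detect option support without depending on the version string, but the option names are spelled inconsistently within the same branch (`'PubKeyAgent'` on the probe and assignment, `'PubkeyAgentRunAs'` on the next line); sshd matches them case-insensitively so it works, but pick one spelling so the config and later greps are consistent. The `RunAs` options are deliberately set to `None` (i.e. not written), which leaves the account the key-lookup helper runs under to sshd's default; add a comment saying which user that is expected to be and why no dedicated unprivileged account is specified, since that choice decides what `sss_ssh_authorizedkeys` can read on the host. Also, `stdout` and `stderr` from both `ipautil.run` calls are captured but never used; logging them at debug level would help explain why neither probe succeeded when the final warning is printed.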

Freeipa-devel mailing list
