OpenSSH server included in Fedora 18 raises a validation error when
the tested AuthorizedKeysCommand/PubKeyAgent option is tested with
an empty value. It requires a command with an absolute path to be
passed. Due to this issue, sshd support is never configured on
Fedora 18.

Pass the real agent we will use later to the testing command to
avoid this error.

--

This patch should make it to the upcoming 3.1 release.

Note: this is not reproducible in RHEL-6 systems, so we are covered on this front.

From c8c4b51994097140e48d5b69bbc3ef6de683604b Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Mon, 10 Dec 2012 10:09:58 +0100
Subject: [PATCH] Fix sshd feature check

OpenSSH server included in Fedora 18 raises a validation error when
the tested AuthorizedKeysCommand/PubKeyAgent option is tested with
an empty value. It requires a command with an absolute path to be
passed. Due to this issue, sshd support is never configured on
Fedora 18.

Pass the real agent we will use later to the testing command to
avoid this error.
---
 ipa-client/ipa-install/ipa-client-install | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 975759169520e204ccd59bfa5141cf6ff53ba6fd..7f50b2a2f3b6f0a1a5e030e0459675ce7432300e 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1063,14 +1063,18 @@ def configure_sshd_config(fstore, options):
     }
 
     if options.sssd and file_exists('/usr/bin/sss_ssh_authorizedkeys'):
-        (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null', '-o', 'AuthorizedKeysCommand='], raiseonerr=False)
+        authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys'
+        (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
+            '-o', 'AuthorizedKeysCommand=%s' % authorized_keys_command], raiseonerr=False)
         if retcode == 0:
-            changes['AuthorizedKeysCommand'] = '/usr/bin/sss_ssh_authorizedkeys'
+            changes['AuthorizedKeysCommand'] = authorized_keys_command
             changes['AuthorizedKeysCommandRunAs'] = None
         else:
-            (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null', '-o', 'PubKeyAgent='], raiseonerr=False)
+            authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys %u'
+            (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
+                '-o', 'PubKeyAgent=%s' % authorized_keys_command], raiseonerr=False)
             if retcode == 0:
-                changes['PubKeyAgent'] = '/usr/bin/sss_ssh_authorizedkeys %u'
+                changes['PubKeyAgent'] = authorized_keys_command
                 changes['PubkeyAgentRunAs'] = None
             else:
                 root_logger.warning("Installed OpenSSH server does not " +
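Review bot: Both probes (the `AuthorizedKeysCommand=%s` and `PubKeyAgent=%s` calls to `ipautil.run`) branch on `retcode` alone and never use `stderr`, so an `sshd -t` failure for any other reason is indistinguishable from an unsupported option, as happened with the empty-value rejection described in the commit message. Consider logging `stderr` through `root_logger.debug` before falling through to the next branch, so that a silently skipped sshd configuration can be diagnosed from the install log. A smaller point: the path `/usr/bin/sss_ssh_authorizedkeys` is now written out three times (in the `file_exists` check and in both `authorized_keys_command` assignments); defining it once and building the `PubKeyAgent` value as that path plus ` %u` would keep the existence check and the probed command from drifting apart.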
-- 
1.7.11.7
