Hi,

this patch fixes <https://fedorahosted.org/freeipa/ticket/3571>.

OpenSSH 6.2 brings upstream support for AuthorizedKeysCommand, which is required for OpenSSH integration. Until now, we relied on downstream
patches and enabled parts of OpenSSH integration conditionally.

This patch includes a scriptlet which updates sshd_config on freeipa-client RPM update. Please note that the scriptlet will work only if IPA client was set up before openssh-server package was updated to 6.2p1. This is because unpatched ipa-client-install does not configure sshd_config when openssh-server 6.2p1 is already installed (see https://bugzilla.redhat.com/show_bug.cgi?id=953617). Specifically, it will not work for IPA installs done on recently updated Fedora 19.

Also, this does not fix SSH integration not working on Fedora 18, as that is caused by backward incompatibility in openssh-server-6.1p1-6 and later (see https://bugzilla.redhat.com/show_bug.cgi?id=953534).

Honza

--
Jan Cholasta
From ced80a4ec1fc0993472d9350289c817df554b18a Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 18 Apr 2013 18:06:54 +0200
Subject: [PATCH] Drop support for OpenSSH versions before 6.2.

Automatically update sshd_config on client RPM update.

https://fedorahosted.org/freeipa/ticket/3571
---
 freeipa.spec.in                           | 18 ++++++++++++++++++
 ipa-client/ipa-install/ipa-client-install | 20 ++------------------
 2 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 9448a4b..1320e6b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -244,6 +244,9 @@ Requires: libnfsidmap
 Requires: nfs-utils
 Requires(post): policycoreutils
 
+# openssh-server is optional, but it must be at least 6.2p1
+Conflicts: openssh-server < 6.2p1
+
 Obsoletes: ipa-client >= 1.0
 
 %description client
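Review bot: `Conflicts: openssh-server < 6.2p1` makes a freeipa-client update fail outright on any host whose openssh-server has not yet been updated, rather than degrading to the old conditional behaviour; that is the intended trade-off, but the comment above the tag should say so and point at the ticket, e.g. `# older versions lack AuthorizedKeysCommandUser, see ticket 3571`, so the next person hitting the dependency error knows why the package refuses to install instead of just requiring a version.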
@@ -563,6 +566,17 @@ if [ $1 -gt 1 ] ; then
             /sbin/restorecon /etc/krb5.conf
         fi
     fi
+
+    if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+        if egrep -q '^AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys$' /etc/ssh/sshd_config 2>/dev/null; then
+            if ! egrep -q '^AuthorizedKeysCommandUser[ \t]' /etc/ssh/sshd_config 2>/dev/null; then
+                sed -r 's|^AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys$|\0\nAuthorizedKeysCommandUser %u|' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
+                mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+                /sbin/restorecon /etc/ssh/sshd_config
+                chmod 600 /etc/ssh/sshd_config
+            fi
+        fi
+    fi
 fi
 
 %if ! %{ONLY_CLIENT}
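Review bot: in the new `if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]` the `$restore` expansion is unquoted and is not set anywhere in the visible context of this hunk; if it is empty on some path through %post, `test` sees `-a -ge 2` and errors out with "unary operator expected" instead of evaluating to false, so write `"$restore"` (or `${restore:-0}`) and check that it is always assigned before this point. Two further things in the same block: the literal `%u` in the `sed` replacement sits inside an RPM scriptlet where `%` starts macro expansion, so write it as `%%u` to be sure the config ends up with `AuthorizedKeysCommandUser %u` verbatim; and the scriptlet rewrites sshd_config but never reloads sshd, so the running daemon keeps the old configuration until the next restart, which is worth stating in the changelog or the ticket. Using `&` instead of `\0` in the `sed` replacement would also avoid relying on a GNU extension.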
@@ -794,6 +808,10 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Thu Apr 18 2013 Jan Cholasta <jchol...@redhat.com> - 3.1.99-7
+- Add Conflicts: openssh-server < 6.2p1
+- Update sshd_config when client is updated
+
 * Mon Apr 15 2013 Martin Kosek <mko...@redhat.com> - 3.1.99-6
 - Require samba 4.0.5, includes new passdb API
 - Require krb5 1.11.2-1, fixes missing PAC issue
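Review bot: the changelog entry bumps to 3.1.99-7, but the diff shows no change to the Release tag in the spec header; make sure the Release field was bumped in the same commit so the entry and the built package version agree.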
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 126611a..f519188 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1194,24 +1194,8 @@ def configure_sshd_config(fstore, options):
     }
 
     if options.sssd and file_exists('/usr/bin/sss_ssh_authorizedkeys'):
-        authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys'
-        (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
-            '-o', 'AuthorizedKeysCommand=%s' % authorized_keys_command], raiseonerr=False)
-        if retcode == 0:
-            changes['AuthorizedKeysCommand'] = authorized_keys_command
-            changes['AuthorizedKeysCommandRunAs'] = None
-        else:
-            authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys %u'
-            (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
-                '-o', 'PubKeyAgent=%s' % authorized_keys_command], raiseonerr=False)
-            if retcode == 0:
-                changes['PubKeyAgent'] = authorized_keys_command
-                changes['PubkeyAgentRunAs'] = None
-            else:
-                root_logger.warning("Installed OpenSSH server does not " +
-                    "support dynamically loading authorized user keys. " +
-                    "Public key authentication of IPA users will not be " +
-                    "available.")
+        changes['AuthorizedKeysCommand'] = '/usr/bin/sss_ssh_authorizedkeys'
+        changes['AuthorizedKeysCommandUser'] = '%u'
 
     change_ssh_config(sshd_config, changes, ['Match'])
     root_logger.info('Configured %s', sshd_config)
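Review bot: removing the `sshd -t -f /dev/null -o ...` probe drops the only check that the installed sshd actually accepts the options being written; on an RPM-based host the new `Conflicts` covers this, but `ipa-client-install` also runs on hosts where openssh-server did not come from this package set, and an sshd that rejects `AuthorizedKeysCommandUser` will refuse to start after the next restart with no warning from the installer. Consider keeping a single `sshd -t` validation of the generated configuration (or of the two `-o` options) before `change_ssh_config` is called, and logging a warning rather than writing the options when it fails, so the failure is visible at install time instead of at the next sshd restart.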
-- 
1.8.1.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
