On 19.4.2013 19:39, Rob Crittenden wrote:
Jan Cholasta wrote:
Also, this does not fix SSH integration not working on Fedora 18, as
that is caused by backward incompatibility in openssh-server-6.1p1-6 and
later (see https://bugzilla.redhat.com/show_bug.cgi?id=953534).


FYI this bug was fixed.


This seems to work ok. Do we want to do this upgrade as an rpm scriptlet
or is it better to handle this in ipa-upgradeconfig (it might be easier
to maintain there)?

As Martin pointed out, this needs to be done on the client and we don't have a client upgrade script yet, hence the scriptlet.


In any case, a condrestart of sssd is required to have it pick up the
new config.

Fixed.


Do you know if F-18 will get 6.2? Do we need to consider backporting
this to 3.1?

It won't; a backport is not needed.

Updated patch attached.

Honza

--
Jan Cholasta
From 1ef3baa5f3f5f36bbeacb637d9dfb612317803b9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 18 Apr 2013 18:06:54 +0200
Subject: [PATCH] Drop support for OpenSSH versions before 6.2.

Automatically update sshd_config on client RPM update.

https://fedorahosted.org/freeipa/ticket/3571
---
 freeipa.spec.in                           | 20 ++++++++++++++++++++
 ipa-client/ipa-install/ipa-client-install | 20 ++------------------
 2 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index af3fb37..9e20997 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -244,6 +244,9 @@ Requires: libnfsidmap
 Requires: nfs-utils
 Requires(post): policycoreutils
 
+# openssh-server is optional, but it must be at least 6.2p1
+Conflicts: openssh-server < 6.2p1
+
 Obsoletes: ipa-client >= 1.0
 
 %description client
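Review bot: `Conflicts: openssh-server < 6.2p1` is compared against the package's full EVR, so it is only correct while openssh-server carries no Epoch; if the distro package ever gains one, the comparison has to include it (e.g. `< 1:6.2p1`) or the conflict silently stops matching. The choice of `Conflicts` over `Requires` is right for the reason the comment gives (clients that do not run sshd should not pull it in), so it is worth stating in the changelog or the ticket that sshd on an ipa-client host must be upgraded together with the client package rather than being merely recommended.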
@@ -563,6 +566,19 @@ if [ $1 -gt 1 ] ; then
             /sbin/restorecon /etc/krb5.conf
         fi
     fi
+
+    if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+        if egrep -q '^AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys$' /etc/ssh/sshd_config 2>/dev/null; then
+            if ! egrep -q '^AuthorizedKeysCommandUser[ \t]' /etc/ssh/sshd_config 2>/dev/null; then
+                sed -r 's|^AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys$|\0\nAuthorizedKeysCommandUser %u|' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
+                mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+                /sbin/restorecon /etc/ssh/sshd_config
+                chmod 600 /etc/ssh/sshd_config
+
+                /bin/systemctl condrestart sshd.service 2>&1 || :
+            fi
+        fi
+    fi
 fi
 
 %if ! %{ONLY_CLIENT}
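Review bot: the `%u` in the `sed` replacement on the `AuthorizedKeysCommandUser` line sits inside an RPM spec file, where `%` introduces a macro, so it should be written `%%u`; as written, the scriptlet only emits `AuthorizedKeysCommandUser %u` if rpmbuild happens to leave the undefined macro untouched. Separately, the `mv` runs unconditionally after `sed ... >/etc/ssh/sshd_config.ipanew`, so a failed or interrupted `sed` (disk full, for instance) would replace /etc/ssh/sshd_config with a truncated file and leave sshd unable to start; chain the two (`sed ... >/etc/ssh/sshd_config.ipanew && mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config`) or check sed's exit status before the move, and remove the `.ipanew` file on failure.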
@@ -794,6 +810,10 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Thu Apr 18 2013 Jan Cholasta <jchol...@redhat.com> - 3.1.99-7
+- Add Conflicts: openssh-server < 6.2p1
+- Update sshd_config when client is updated
+
 * Mon Apr 15 2013 Martin Kosek <mko...@redhat.com> - 3.1.99-6
 - Require samba 4.0.5, includes new passdb API
 - Require krb5 1.11.2-1, fixes missing PAC issue
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 29adc93..bc1550d 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1194,24 +1194,8 @@ def configure_sshd_config(fstore, options):
     }
 
     if options.sssd and file_exists('/usr/bin/sss_ssh_authorizedkeys'):
-        authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys'
-        (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
-            '-o', 'AuthorizedKeysCommand=%s' % authorized_keys_command], raiseonerr=False)
-        if retcode == 0:
-            changes['AuthorizedKeysCommand'] = authorized_keys_command
-            changes['AuthorizedKeysCommandRunAs'] = None
-        else:
-            authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys %u'
-            (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
-                '-o', 'PubKeyAgent=%s' % authorized_keys_command], raiseonerr=False)
-            if retcode == 0:
-                changes['PubKeyAgent'] = authorized_keys_command
-                changes['PubkeyAgentRunAs'] = None
-            else:
-                root_logger.warning("Installed OpenSSH server does not " +
-                    "support dynamically loading authorized user keys. " +
-                    "Public key authentication of IPA users will not be " +
-                    "available.")
+        changes['AuthorizedKeysCommand'] = '/usr/bin/sss_ssh_authorizedkeys'
+        changes['AuthorizedKeysCommandUser'] = '%u'
 
     change_ssh_config(sshd_config, changes, ['Match'])
     root_logger.info('Configured %s', sshd_config)
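Review bot: dropping the `sshd -t` probe means `AuthorizedKeysCommandUser` is now written without verifying that the installed sshd accepts it; the new `Conflicts: openssh-server < 6.2p1` only protects hosts where the RPM dependency is enforced, so on a client with an older or non-packaged sshd an unknown keyword leaves sshd refusing to start. Keep a single probe, e.g. `sshd -t -f /dev/null -o AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys -o AuthorizedKeysCommandUser=%u`, together with the warning that is being deleted for the failure case. Removing the `PubKeyAgent`/`PubkeyAgentRunAs` fallback also leaves clients that were configured with those directives unmigrated: neither this function nor the spec scriptlet rewrites them, so an upgraded client that still carries them needs either a migration to `AuthorizedKeysCommand`/`AuthorizedKeysCommandUser` or a documented manual step.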
-- 
1.8.1.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
