On 29.4.2013 20:58, Rob Crittenden wrote:
Alexander pointed out that we can use the user nobody to run these
commands rather than running as the user who requested it, %u.


Added.


For the purposes of development, this is going to commit everyone to
moving to F-19 now. Is that acceptable or do we want to wrap this with a
conditional for some period?

I have changed the patch to add support for openssh 6.2 without dropping support for older openssh versions. We can drop support for older openssh versions in IPA 3.3. See attachment.

Honza

--
Jan Cholasta
From da804532f38a584970f60f04dd7b0b4a4974fbcc Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 18 Apr 2013 18:06:54 +0200
Subject: [PATCH] Add support for OpenSSH 6.2.

Run the sss_ssh_authorizedkeys command as nobody. Automatically update sshd_config
on openssh-server update.

https://fedorahosted.org/freeipa/ticket/3571
---
 freeipa.spec.in                           | 39 +++++++++++++++++++
 ipa-client/ipa-install/ipa-client-install | 63 ++++++++++++++++++++-----------
 2 files changed, 81 insertions(+), 21 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index af3fb37..f6891db 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -565,6 +565,42 @@ if [ $1 -gt 1 ] ; then
     fi
 fi
 
+%triggerin -n freeipa-client -- openssh-server
+# Has the client been configured?
+restore=0
+test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+    if egrep -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
+        sed -r '
+            /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
+        ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
+
+        if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
+            sed -ri '
+                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
+            ' /etc/ssh/sshd_config.ipanew
+        elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
+            sed -ri '
+                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
+            ' /etc/ssh/sshd_config.ipanew
+        elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
+            sed -ri '
+                s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
+                s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
+            ' /etc/ssh/sshd_config.ipanew
+        fi
+
+        mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+        /sbin/restorecon /etc/ssh/sshd_config
+        chmod 600 /etc/ssh/sshd_config
+
+        /bin/systemctl condrestart sshd.service 2>&1 || :
+    fi
+fi
+
 %if ! %{ONLY_CLIENT}
 %files server -f server-python.list
 %defattr(-,root,root,-)
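Review bot: When none of the three `sshd -t` probes succeeds, the scriptlet still moves sshd_config.ipanew over /etc/ssh/sshd_config after the inner `fi` and restarts sshd, so the host is left with the `AuthorizedKeysCommandUser`/`AuthorizedKeysCommandRunAs`/`PubKeyAgentRunAs` line already stripped by the first `sed` and no replacement written, and nothing is logged. Track whether one of the branches rewrote the file and only install and restart in that case, otherwise discard the temporary file. Independently, the `>` redirect creates sshd_config.ipanew with umask permissions until the later `chmod 600`; a `umask 077` at the start of the scriptlet closes that window. The scriptlet is complete within the hunk.
```shell
        updated=0
        if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
            # … unchanged: sed rewrite adding AuthorizedKeysCommandUser …
            updated=1
        elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
            # … unchanged: sed rewrite adding AuthorizedKeysCommandRunAs …
            updated=1
        elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
            # … unchanged: sed rewrite adding PubKeyAgentRunAs …
            updated=1
        fi

        if [ $updated -eq 1 ]; then
            mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
            /sbin/restorecon /etc/ssh/sshd_config
            chmod 600 /etc/ssh/sshd_config

            /bin/systemctl condrestart sshd.service 2>&1 || :
        else
            # No supported directive combination validated: keep the current config untouched.
            rm -f /etc/ssh/sshd_config.ipanew
        fi
```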
@@ -794,6 +830,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Tue Apr 30 2013 Jan Cholasta <jchol...@redhat.com> - 3.1.99-7
+- Add triggerin scriptlet to update sshd_config on openssh-server update
+
 * Mon Apr 15 2013 Martin Kosek <mko...@redhat.com> - 3.1.99-6
 - Require samba 4.0.5, includes new passdb API
 - Require krb5 1.11.2-1, fixes missing PAC issue
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index a60124b..70e532e 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -64,6 +64,10 @@ CLIENT_NOT_CONFIGURED = 2
 CLIENT_ALREADY_CONFIGURED = 3
 CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state
 
+SSH_AUTHORIZEDKEYSCOMMAND = '/usr/bin/sss_ssh_authorizedkeys'
+SSH_PROXYCOMMAND = '/usr/bin/sss_ssh_knownhostsproxy'
+SSH_KNOWNHOSTSFILE = '/var/lib/sss/pubconf/known_hosts'
+
 client_nss_nickname_format = 'IPA Machine Certificate - %s'
 
 def parse_options():
@@ -1170,9 +1174,9 @@ def configure_ssh_config(fstore, options):
     if options.trust_sshfp:
         changes['VerifyHostKeyDNS'] = 'yes'
         changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
-    elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'):
-        changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
-        changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts'
+    elif options.sssd and file_exists(SSH_PROXYCOMMAND):
+        changes['ProxyCommand'] = '%s -p %%p %%h' % SSH_PROXYCOMMAND
+        changes['GlobalKnownHostsFile'] = SSH_KNOWNHOSTSFILE
 
     change_ssh_config(ssh_config, changes, ['Host'])
     root_logger.info('Configured %s', ssh_config)
@@ -1195,25 +1199,42 @@ def configure_sshd_config(fstore, options):
         'UsePAM': 'yes',
     }
 
-    if options.sssd and file_exists('/usr/bin/sss_ssh_authorizedkeys'):
-        authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys'
-        (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
-            '-o', 'AuthorizedKeysCommand=%s' % authorized_keys_command], raiseonerr=False)
-        if retcode == 0:
-            changes['AuthorizedKeysCommand'] = authorized_keys_command
-            changes['AuthorizedKeysCommandRunAs'] = None
-        else:
-            authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys %u'
-            (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
-                '-o', 'PubKeyAgent=%s' % authorized_keys_command], raiseonerr=False)
+    if options.sssd and file_exists(SSH_AUTHORIZEDKEYSCOMMAND):
+        authorized_keys_changes = None
+
+        candidates = (
+            {
+                'AuthorizedKeysCommand': SSH_AUTHORIZEDKEYSCOMMAND,
+                'AuthorizedKeysCommandUser': 'nobody',
+            },
+            {
+                'AuthorizedKeysCommand': SSH_AUTHORIZEDKEYSCOMMAND,
+                'AuthorizedKeysCommandRunAs': 'nobody',
+            },
+            {
+                'PubKeyAgent': '%s %%u' % SSH_AUTHORIZEDKEYSCOMMAND,
+                'PubKeyAgentRunAs': 'nobody',
+            },
+        )
+
+        for candidate in candidates:
+            args = ['sshd', '-t', '-f', '/dev/null']
+            for item in candidate.iteritems():
+                args.append('-o')
+                args.append('%s=%s' % item)
+
+            (stdout, stderr, retcode) = ipautil.run(args, raiseonerr=False)
             if retcode == 0:
-                changes['PubKeyAgent'] = authorized_keys_command
-                changes['PubkeyAgentRunAs'] = None
-            else:
-                root_logger.warning("Installed OpenSSH server does not " +
-                    "support dynamically loading authorized user keys. " +
-                    "Public key authentication of IPA users will not be " +
-                    "available.")
+                authorized_keys_changes = candidate
+                break
+
+        if authorized_keys_changes is not None:
+            changes.update(authorized_keys_changes)
+        else:
+            root_logger.warning("Installed OpenSSH server does not "
+                "support dynamically loading authorized user keys. "
+                "Public key authentication of IPA users will not be "
+                "available.")
 
     change_ssh_config(sshd_config, changes, ['Match'])
     root_logger.info('Configured %s', sshd_config)
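Review bot: The candidate loop no longer neutralizes the directives of the candidates that were not selected, whereas the removed lines set `AuthorizedKeysCommandRunAs` and `PubkeyAgentRunAs` to `None` next to the chosen command (presumably telling change_ssh_config to drop that directive; confirm against its implementation). If an existing sshd_config still carries an `AuthorizedKeysCommandRunAs` or `PubKeyAgentRunAs` line from an older OpenSSH, the probe passes because it runs with `-f /dev/null`, but sshd rejects unknown keywords in the real file at startup. Setting every key of the non-selected candidates to `None` before `changes.update(authorized_keys_changes)` restores the previous behaviour. Also, `stdout` and `stderr` in `(stdout, stderr, retcode) = ipautil.run(args, raiseonerr=False)` are unused. configure_sshd_config starts before the hunk.
```python
        if authorized_keys_changes is not None:
            # Drop the directives of the other candidates so a config left
            # over from an older OpenSSH does not carry an unknown option.
            for candidate in candidates:
                for key in candidate:
                    if key not in authorized_keys_changes:
                        changes[key] = None
            changes.update(authorized_keys_changes)
        # … unchanged: warning branch …
```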
-- 
1.8.1.4
