Hi,

this patch modifies ipa-replica-conncheck when it performs the SSH connection to the master, so that the username is always fully qualified.


https://fedorahosted.org/freeipa/ticket/5812

--
Florence Blanc-Renaud
Identity Management Team, Red Hat

From ea7e2dbdce797f0640b752aff3064956b2bd1639 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <fren...@redhat.com>
Date: Wed, 1 Jun 2016 17:42:48 +0200
Subject: [PATCH] Always qualify requests for admin in ipa-replica-conncheck

ipa-replica-conncheck connects to the master using an SSH command:
ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
    -o GSSAPIAuthentication=yes <principal>@<master hostname> \
    echo OK

The issue is that the principal name is not fully qualified (for instance
'admin' is used, even if ipa-replica-conncheck was called with
--principal ad...@example.com).
When the FreeIPA server is running with a /etc/sssd/sssd.conf containing
    [sssd]
    default_domain_suffix = ad.domain.com
this leads to the SSH connection failure because admin is not defined in
the default domain.

The fix uses the fully qualified principal name, and calls ssh with
ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=<tmpfile> \
    -o GSSAPIAuthentication=yes -o User=<principal> \
    <master hostname> echo OK
to avoid syntax issues with admin@DOMAIN@master.

https://fedorahosted.org/freeipa/ticket/5812
---
 install/tools/ipa-replica-conncheck | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index d88291e55cdee7ea959d73f7535dd3db4ca2c31d..0008fb399022a180d38c36b14377f05068da420b 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -66,7 +66,8 @@ class SshExec(object):
             '-o StrictHostKeychecking=no',
             '-o UserKnownHostsFile=%s' % tmpf.name,
             '-o GSSAPIAuthentication=yes',
-            '%s@%s' % (self.user, self.addr), command
+            '-o User=%s' % self.user,
+            '%s' % self.addr, command
         ]
         if verbose:
             cmd.insert(1, '-v')
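Review bot: the `'%s' % self.addr` argument on the added line is a no-op string formatting, since `self.addr` is already a string; pass it directly as `self.addr, command`. Moving the login name into `-o User=%s` is otherwise the right call: a name that itself contains `@` (as in `admin@EXAMPLE.COM`) can no longer be misparsed when glued to the host as `user@host`, which is the syntax problem the commit message describes.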
@@ -515,7 +516,8 @@ def main():
             except Exception:
                 print_info("Retrying using SSH...")
 
-                user = principal.partition('@')[0]
+                # Ticket 5812 Always qualify requests for admin
+                user = principal
                 ssh = SshExec(user, options.master)
 
                 print_info("Check SSH connection to remote master")
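Review bot: `user = principal` only passes through whatever realm the caller already supplied, so this hunk does not "always qualify" the name as the comment claims; if ipa-replica-conncheck is run with `--principal admin` (no `@REALM`), the user sent over SSH is still unqualified and the failure described in the commit message (sssd with `default_domain_suffix` set) still occurs. To match the comment, append the realm when the principal has none, e.g. `user = principal if '@' in principal else '%s@%s' % (principal, realm)`, with `realm` taken from wherever the tool already determines it. The comment itself would also be more useful stating why the full principal is needed (sssd default_domain_suffix) rather than only the ticket title.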
-- 
2.5.5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code