Re: [Freeipa-devel] [PATCH] 79 SSH configuration fixes
On Tue, 2012-05-29 at 17:21 +0200, Jan Cholasta wrote:
> On 25.5.2012 18:09, Martin Kosek wrote:
> > On Wed, 2012-05-23 at 11:16 +0200, Jan Cholasta wrote:
> >> Hi,
> >>
> >> this fixes https://fedorahosted.org/freeipa/ticket/2769 as well as some
> >> other issues with SSH configuration in ipa-client-install.
> >>
> >> Honza
> >>
> >
> > This fixed the basic functionality, but I discovered another issue
> > (quite serious one).
> >
> > With /usr/bin/sss_ssh_knownhostsproxy as ssh ProxyCommand, I cannot
> > connect to a remote client which does not have a valid reverse record.
> > Without the proxy command, it works fine. I logged a Bugzilla for this
> > issue:
> > https://bugzilla.redhat.com/show_bug.cgi?id=825316
> >
> > Martin
> >
>
> I have sent a fix for this issue to sssd-devel.
>
> Honza
>

Ok, thanks. Since there is no change to be done on the IPA side when the
SSSD fix is released, we can push your change. So ACK, pushed to master,
ipa-2-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 79 SSH configuration fixes
On 25.5.2012 18:09, Martin Kosek wrote:
> On Wed, 2012-05-23 at 11:16 +0200, Jan Cholasta wrote:
>> Hi,
>>
>> this fixes https://fedorahosted.org/freeipa/ticket/2769 as well as some
>> other issues with SSH configuration in ipa-client-install.
>>
>> Honza
>>
>
> This fixed the basic functionality, but I discovered another issue
> (quite serious one).
>
> With /usr/bin/sss_ssh_knownhostsproxy as ssh ProxyCommand, I cannot
> connect to a remote client which does not have a valid reverse record.
> Without the proxy command, it works fine. I logged a Bugzilla for this
> issue:
> https://bugzilla.redhat.com/show_bug.cgi?id=825316
>
> Martin

I have sent a fix for this issue to sssd-devel.

Honza

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 79 SSH configuration fixes
On Wed, 2012-05-23 at 11:16 +0200, Jan Cholasta wrote:
> Hi,
>
> this fixes https://fedorahosted.org/freeipa/ticket/2769 as well as some
> other issues with SSH configuration in ipa-client-install.
>
> Honza
>

This fixed the basic functionality, but I discovered another issue
(quite serious one).

With /usr/bin/sss_ssh_knownhostsproxy as ssh ProxyCommand, I cannot
connect to a remote client which does not have a valid reverse record.
Without the proxy command, it works fine. I logged a Bugzilla for this
issue:
https://bugzilla.redhat.com/show_bug.cgi?id=825316

Martin
[Freeipa-devel] [PATCH] 79 SSH configuration fixes
Hi,

this fixes https://fedorahosted.org/freeipa/ticket/2769 as well as some
other issues with SSH configuration in ipa-client-install.

Honza

--
Jan Cholasta

From 6edf63e682ba2021ea6f0ffba76388c5ef232254 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Wed, 23 May 2012 05:00:55 -0400
Subject: [PATCH] SSH configuration fixes.

Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config,
as the latter has been deprecated in OpenSSH 5.9.

If DNS host key verification is enabled, restrict the set of allowed host
public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support
only these algorithms.

Make sure public key user authentication is enabled in both ssh and sshd.

ticket 2769

--- ipa-client/ipa-install/ipa-client-install |9 +++-- 1 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 67279b3..9f44da6 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -857,12 +857,16 @@ def configure_ssh(fstore, ssh_dir, options): if file_exists(ssh_config): fstore.backup_file(ssh_config) -changes = {} +changes = { +'PubkeyAuthentication': 'yes', +} + if options.trust_sshfp: changes['VerifyHostKeyDNS'] = 'yes' +changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss' elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'): changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h' -changes['GlobalKnownHostsFile2'] = '/var/lib/sss/pubconf/known_hosts' +changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts' change_ssh_config(ssh_config, changes, ['Host']) print 'Configured', ssh_config 
@@ -878,6 +882,7 @@ def configure_ssh(fstore, ssh_dir, options): fstore.backup_file(sshd_config) changes = { +'PubkeyAuthentication': 'yes', 'KerberosAuthentication': 'no', 'GSSAPIAuthentication': 'yes', 'UsePAM': 'yes', -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
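Review bot: in the first hunk (ssh_config, `elif options.sssd` branch), renaming the keyword to `GlobalKnownHostsFile` with a single path replaces OpenSSH's default list instead of adding to it, so `/etc/ssh/ssh_known_hosts` stops being consulted on every client this runs on; the old `GlobalKnownHostsFile2` line did not have that effect because it was a second file on top of the default. Since OpenSSH 5.9 the keyword takes a whitespace-separated list, so the rename should carry the default along, e.g. `changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts /etc/ssh/ssh_known_hosts'`. Two smaller points in the same hunk: `HostKeyAlgorithms ssh-rsa,ssh-dss` lands in the global section of ssh_config, so it refuses ECDSA host keys for every destination rather than only for hosts that publish SSHFP records, and keeping ssh-dss in the list admits 1024-bit DSA host keys; and because the two branches are `if`/`elif`, a client with both `options.trust_sshfp` and `options.sssd` set gets `VerifyHostKeyDNS` but never the SSSD known_hosts file or proxy, which looks unintended and is not mentioned in the commit message.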
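Review bot: in the second hunk (sshd_config), `'PubkeyAuthentication': 'yes'` silently overrides an administrator's explicit `PubkeyAuthentication no`; since the OpenSSH default is already yes, the line only ever changes behaviour in exactly that case. If the goal is only to make SSSD-served keys usable, either set it when the keyword is absent and leave an explicit `no` alone, or keep the unconditional write but say so in the ipa-client-install documentation; the commit message's "make sure public key user authentication is enabled" does not tell the reader that a local hardening choice will be undone.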
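Added example for this thread (my own code, not part of the patch, FreeIPA or SSSD): it shows the ssh_config rule that the patch's change_ssh_config(ssh_config, changes, ['Host']) call has to respect, namely that ssh(1) keeps the first value it reads for each keyword, so a global directive must be placed before any Host/Match section, and it checks for the known_hosts and host key algorithm pitfalls discussed above. The function names, the SAMPLE config and the audit messages are this example's own assumptions.

```python
"""Edit and audit OpenSSH ssh_config directives (Python 3).

Added example, not code from the FreeIPA patch or project. ssh(1) uses the
FIRST value it reads for each keyword, so a global directive must appear
before any Host/Match section or it is shadowed. Function names, SAMPLE and
the audit strings are this example's own assumptions.
"""
import re

SECTION_KEYWORDS = ("host", "match")   # lines that open a per-host section

# Constructed sample: deprecated keyword plus a Host block before 'Host *'.
SAMPLE = """# constructed sample ssh_config
GlobalKnownHostsFile2 /var/lib/sss/pubconf/known_hosts
Host bastion.example.test
    ProxyCommand none
Host *
    GSSAPIAuthentication yes
"""


def _directive(line):
    """(keyword, value) for a directive line, else (None, None).
    OpenSSH accepts 'Key value' or 'Key=value'; keywords are case-insensitive."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None, None
    m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)$", s)
    return (m.group(1), m.group(2).strip()) if m else (None, None)


def apply_changes(text, changes):
    """Return text with `changes` (keyword -> value) applied in the global
    preamble. A value of None removes the keyword; an existing global
    directive is rewritten in place, later global duplicates are dropped, and
    missing directives are inserted before the first section so that the
    first-value-wins rule makes them effective for every host."""
    wanted = {k.lower(): (k, v) for k, v in changes.items()}
    out, done, first_section = [], set(), None
    for line in text.splitlines():
        kw, _ = _directive(line)
        key = kw.lower() if kw else None
        if first_section is None and key in SECTION_KEYWORDS:
            first_section = len(out)
        if first_section is None and key in wanted:
            k, v = wanted[key]
            if key not in done and v is not None:
                out.append(f"{k} {v}")
            done.add(key)          # removals and duplicates are dropped
            continue
        out.append(line)
    missing = [f"{k} {v}" for key, (k, v) in wanted.items()
               if key not in done and v is not None]
    pos = len(out) if first_section is None else first_section
    out[pos:pos] = missing
    return "\n".join(out) + "\n"


def effective_value(text, keyword):
    """First value ssh(1) would take for `keyword` on a host matched only by
    the global preamble or a 'Host *' block (Match blocks are not evaluated)."""
    applies = True
    for line in text.splitlines():
        kw, val = _directive(line)
        if not kw:
            continue
        key = kw.lower()
        if key in SECTION_KEYWORDS:
            applies = key == "host" and val.split() == ["*"]
            continue
        if applies and key == keyword.lower():
            return val
    return None


def audit(text):
    """Warnings for the pitfalls raised in the thread."""
    warnings = []
    if effective_value(text, "GlobalKnownHostsFile2") is not None:
        warnings.append("GlobalKnownHostsFile2 is deprecated since OpenSSH 5.9")
    gkh = effective_value(text, "GlobalKnownHostsFile")
    if gkh is not None and "/etc/ssh/ssh_known_hosts" not in gkh.split():
        warnings.append("GlobalKnownHostsFile replaces the default list; "
                        "/etc/ssh/ssh_known_hosts is no longer consulted")
    algs = effective_value(text, "HostKeyAlgorithms")
    if algs and "ssh-dss" in algs.split(","):
        warnings.append("HostKeyAlgorithms allows ssh-dss (1024-bit DSA host keys)")
    return warnings


if __name__ == "__main__":
    fixed = apply_changes(SAMPLE, {
        "GlobalKnownHostsFile2": None,
        "GlobalKnownHostsFile":
            "/var/lib/sss/pubconf/known_hosts /etc/ssh/ssh_known_hosts",
        "PubkeyAuthentication": "yes",
    })
    print(fixed)
    print("before:", audit(SAMPLE))
    print("after: ", audit(fixed))
```

Running the module rewrites the sample so the new directives sit above the first Host line, drops the deprecated keyword, and reports one warning before the change and none after; applying the same change set twice yields identical output, which is the property an installer that is re-run wants.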