Re: [Freeipa-devel] [PATCH] 79 SSH configuration fixes

2012-05-29 Thread Martin Kosek
On Tue, 2012-05-29 at 17:21 +0200, Jan Cholasta wrote:
> On 25.5.2012 18:09, Martin Kosek wrote:
> > On Wed, 2012-05-23 at 11:16 +0200, Jan Cholasta wrote:
> >> Hi,
> >>
> >> this fixes https://fedorahosted.org/freeipa/ticket/2769 as well as some
> >> other issues with SSH configuration in ipa-client-install.
> >>
> >> Honza
> >>
> >
> > This fixed the basic functionality, but I discovered another issue
> > (quite a serious one).
> >
> > With /usr/bin/sss_ssh_knownhostsproxy as ssh ProxyCommand, I cannot
> > connect to a remote client which does not have a valid reverse record.
> > Without the proxy command, it works fine. I logged a Bugzilla for this
> > issue:
> > https://bugzilla.redhat.com/show_bug.cgi?id=825316
> >
> > Martin
> >
> 
> I have sent a fix for this issue to sssd-devel.
> 
> Honza
> 

Ok, thanks. Since there is no change to be done on the IPA side when the
SSSD fix is released, we can push your change.

So ACK, pushed to master, ipa-2-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 79 SSH configuration fixes

2012-05-29 Thread Jan Cholasta

On 25.5.2012 18:09, Martin Kosek wrote:

> On Wed, 2012-05-23 at 11:16 +0200, Jan Cholasta wrote:
> > Hi,
> >
> > this fixes https://fedorahosted.org/freeipa/ticket/2769 as well as some
> > other issues with SSH configuration in ipa-client-install.
> >
> > Honza
> >
>
> This fixed the basic functionality, but I discovered another issue
> (quite a serious one).
>
> With /usr/bin/sss_ssh_knownhostsproxy as ssh ProxyCommand, I cannot
> connect to a remote client which does not have a valid reverse record.
> Without the proxy command, it works fine. I logged a Bugzilla for this
> issue:
> https://bugzilla.redhat.com/show_bug.cgi?id=825316
>
> Martin
>

I have sent a fix for this issue to sssd-devel.

Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 79 SSH configuration fixes

2012-05-25 Thread Martin Kosek
On Wed, 2012-05-23 at 11:16 +0200, Jan Cholasta wrote:
> Hi,
> 
> this fixes https://fedorahosted.org/freeipa/ticket/2769 as well as some 
> other issues with SSH configuration in ipa-client-install.
> 
> Honza
> 

This fixed the basic functionality, but I discovered another issue
(quite a serious one).

With /usr/bin/sss_ssh_knownhostsproxy as ssh ProxyCommand, I cannot
connect to a remote client which does not have a valid reverse record.
Without the proxy command, it works fine. I logged a Bugzilla for this
issue:
https://bugzilla.redhat.com/show_bug.cgi?id=825316

Martin



[Freeipa-devel] [PATCH] 79 SSH configuration fixes

2012-05-23 Thread Jan Cholasta

Hi,

this fixes https://fedorahosted.org/freeipa/ticket/2769 as well as some 
other issues with SSH configuration in ipa-client-install.


Honza

--
Jan Cholasta
From 6edf63e682ba2021ea6f0ffba76388c5ef232254 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 23 May 2012 05:00:55 -0400
Subject: [PATCH] SSH configuration fixes.

Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the
latter has been deprecated in OpenSSH 5.9.

If DNS host key verification is enabled, restrict the set of allowed host
public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only
these algorithms.

Make sure public key user authentication is enabled in both ssh and sshd.

ticket 2769
---
 ipa-client/ipa-install/ipa-client-install |9 +++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 67279b3..9f44da6 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -857,12 +857,16 @@ def configure_ssh(fstore, ssh_dir, options):
 if file_exists(ssh_config):
 fstore.backup_file(ssh_config)
 
-changes = {}
+changes = {
+'PubkeyAuthentication': 'yes',
+}
+
 if options.trust_sshfp:
 changes['VerifyHostKeyDNS'] = 'yes'
+changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
 elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'):
 changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
-changes['GlobalKnownHostsFile2'] = '/var/lib/sss/pubconf/known_hosts'
+changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts'
 
 change_ssh_config(ssh_config, changes, ['Host'])
 print 'Configured', ssh_config
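Review bot: the `'HostKeyAlgorithms': 'ssh-rsa,ssh-dss'` entry added under `options.trust_sshfp` is written into ssh_config as an unconditional option (nothing in this hunk scopes it to a `Host` block), so it replaces the client's default host key algorithm list for every destination, not only for hosts that publish SSHFP records; a host outside the IPA domain that offers only another key type will become unreachable from this client. Consider stating that side effect in the commit message, and note that the list will need updating when DNS SSHFP support for further algorithms is relied on. The `GlobalKnownHostsFile2` to `GlobalKnownHostsFile` rename matches the deprecation described in the commit message and looks correct.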
@@ -878,6 +882,7 @@ def configure_ssh(fstore, ssh_dir, options):
 fstore.backup_file(sshd_config)
 
 changes = {
+'PubkeyAuthentication': 'yes',
 'KerberosAuthentication': 'no',
 'GSSAPIAuthentication': 'yes',
 'UsePAM': 'yes',
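Review bot: writing `'PubkeyAuthentication': 'yes'` into sshd_config silently overrides an explicit `PubkeyAuthentication no` that an administrator may have set on purpose, and the commit message only says public key authentication must be enabled without saying why the installer should undo a local hardening choice (OpenSSH's built-in default is already `yes`, so this line only has an effect when the admin turned it off). Consider either warning when an existing `no` is being flipped, or documenting that ipa-client-install re-enables key-based logins on the host, alongside the `'KerberosAuthentication': 'no'` and `'GSSAPIAuthentication': 'yes'` overrides that the same dict already applies.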
-- 
1.7.7.6
