Re: [Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

2012-03-02 Thread Jan Cholasta

On 2.3.2012 04:56, Rob Crittenden wrote:

Jan Cholasta wrote:

On 29.2.2012 15:00, Martin Kosek wrote:

On Wed, 2012-02-29 at 14:44 +0100, Jan Cholasta wrote:

On 29.2.2012 14:24, Martin Kosek wrote:

On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:

On 28.2.2012 23:42, Rob Crittenden wrote:

Jan Cholasta wrote:

Hi,

this patch configures the new SSH features of SSSD in
ipa-client-install.

To test it, you need to have SSSD 1.8.0 installed.

Honza




Is there a better name for 'GlobalKnownHostsFile2'?


What do you mean? The option name or the file name? Either way, I don't
think there is a better name.



When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was
an unknown option in all.


It's in openssh in RHEL 6.0.



Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy
and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file?


It depends. Do we want to support clients with SSSD 1.8.0?



How would you recommend testing this? Enroll a client and try to log
into the IPA server?


To test host authentication, you need an IPA host with SSH public keys
set (which is done automatically in ipa-client-install, so any IPA host
should work) and try to ssh into that host from other (actually, it can
be the same) IPA host. You should not see "The authenticity of host ...
can't be established" ssh message.

To test user authentication, you need an IPA user with SSH public keys
set. To do that, you need to set the public keys using ipa user-mod. You
should then be able to authenticate using your private key on any IPA host.



rob


Honza



I get this exception when running ipa-client-install with your patch.

# ipa-client-install --enable-dns-updates
Discovery was successful!
Hostname: vm-138.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-068.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com


Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for ad...@idm.lab.bos.redhat.com:

Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
Traceback (most recent call last):
File /usr/sbin/ipa-client-install, line 1514, in <module>
sys.exit(main())
File /usr/sbin/ipa-client-install, line 1501, in main
rval = install(options, env, fstore, statestore)
File /usr/sbin/ipa-client-install, line 1326, in install
if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
options):
File /usr/sbin/ipa-client-install, line 711, in configure_sssd_conf
sssdconfig.activate_service('ssh')
File /usr/lib/python2.7/site-packages/SSSDConfig.py, line 1516, in
activate_service
raise NoServiceError
SSSDConfig.NoServiceError


SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64

Martin



Does your /etc/sssd/sssd.conf and /usr/share/sssd/sssd.api.conf contain
[ssh] section?



sssd.api.conf did contain the ssh section:

# grep -C 3 ssh /usr/share/sssd/sssd.api.conf
# autofs service
autofs_negative_timeout = int, None, false

[ssh]
# ssh service

[provider]
#Available provider types


sssd.conf did not.


Either case, we should not crash but handle the issue in some more
friendly way.

Martin



Patch updated with more defensive code.

Honza



Needs a BuildRequires of sssd 1.8 or you get some pylint errors:

ipa-client/ipa-install/ipa-client-install:712: [E1101,
configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service'
member
ipa-client/ipa-install/ipa-client-install:723: [E1101,
configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service'
member
ipa-client/ipa-install/ipa-client-install:734: [E1101,
configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service'
member


Added.



Host keys work fine.

I wasn't able to get user ssh keys working but my server is still on
F-15. I had a daily build of sssd (1.8.1) but it was missing
/usr/libexec/sssd/sssd_ssh!? Too tired to work out why right now.


F15 is not the problem, the SSSD package in ipa-devel is built without 
experimental features for some reason (in the patch I assumed that it 
always is, fixed that).




Two more things:

1. You will need explicit test cases for QE to test positive and
negative login cases (it would have sped me along too).


Should that be part of the patch?



2. You need to beef up the commit message to describe what this does
(e.g. configure for knownhost support). commit message space is cheap,
be verbose.


Done.



rob


Updated patch attached.

Honza

--
Jan Cholasta
From 07f17587a1fb4d5e3f35710a0be428ef7bb13ddd Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Thu, 16 Feb 2012 04:21:56 -0500
Subject: [PATCH] Configure SSH features of SSSD in ipa-client-install.

OpenSSH server (sshd) is configured to fetch user authorized keys from
SSSD and OpenSSH client (ssh) is configured to use 

Re: [Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

2012-03-02 Thread Rob Crittenden

Jan Cholasta wrote:

On 2.3.2012 04:56, Rob Crittenden wrote:

Jan Cholasta wrote:

On 29.2.2012 15:00, Martin Kosek wrote:

On Wed, 2012-02-29 at 14:44 +0100, Jan Cholasta wrote:

On 29.2.2012 14:24, Martin Kosek wrote:

On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:

On 28.2.2012 23:42, Rob Crittenden wrote:

Jan Cholasta wrote:

Hi,

this patch configures the new SSH features of SSSD in
ipa-client-install.

To test it, you need to have SSSD 1.8.0 installed.

Honza




Is there a better name for 'GlobalKnownHostsFile2'?


What do you mean? The option name or the file name? Either way, I don't
think there is a better name.



When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was
an unknown option in all.


It's in openssh in RHEL 6.0.



Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy
and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file?


It depends. Do we want to support clients with SSSD 1.8.0?



How would you recommend testing this? Enroll a client and try to log
into the IPA server?


To test host authentication, you need an IPA host with SSH public keys
set (which is done automatically in ipa-client-install, so any IPA host
should work) and try to ssh into that host from other (actually, it can
be the same) IPA host. You should not see "The authenticity of host ...
can't be established" ssh message.

To test user authentication, you need an IPA user with SSH public keys
set. To do that, you need to set the public keys using ipa user-mod. You
should then be able to authenticate using your private key on any IPA host.



rob


Honza



I get this exception when running ipa-client-install with your patch.

# ipa-client-install --enable-dns-updates
Discovery was successful!
Hostname: vm-138.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-068.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com


Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for ad...@idm.lab.bos.redhat.com:

Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
Traceback (most recent call last):
File /usr/sbin/ipa-client-install, line 1514, in <module>
sys.exit(main())
File /usr/sbin/ipa-client-install, line 1501, in main
rval = install(options, env, fstore, statestore)
File /usr/sbin/ipa-client-install, line 1326, in install
if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
options):
File /usr/sbin/ipa-client-install, line 711, in configure_sssd_conf
sssdconfig.activate_service('ssh')
File /usr/lib/python2.7/site-packages/SSSDConfig.py, line 1516, in
activate_service
raise NoServiceError
SSSDConfig.NoServiceError


SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64

Martin



Does your /etc/sssd/sssd.conf and /usr/share/sssd/sssd.api.conf contain
[ssh] section?



sssd.api.conf did contain the ssh section:

# grep -C 3 ssh /usr/share/sssd/sssd.api.conf
# autofs service
autofs_negative_timeout = int, None, false

[ssh]
# ssh service

[provider]
#Available provider types


sssd.conf did not.


Either case, we should not crash but handle the issue in some more
friendly way.

Martin



Patch updated with more defensive code.

Honza



Needs a BuildRequires of sssd 1.8 or you get some pylint errors:

ipa-client/ipa-install/ipa-client-install:712: [E1101,
configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service'
member
ipa-client/ipa-install/ipa-client-install:723: [E1101,
configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service'
member
ipa-client/ipa-install/ipa-client-install:734: [E1101,
configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service'
member


Added.



Host keys work fine.

I wasn't able to get user ssh keys working but my server is still on
F-15. I had a daily build of sssd (1.8.1) but it was missing
/usr/libexec/sssd/sssd_ssh!? Too tired to work out why right now.


F15 is not the problem, the SSSD package in ipa-devel is built without
experimental features for some reason (in the patch I assumed that it
always is, fixed that).



Two more things:

1. You will need explicit test cases for QE to test positive and
negative login cases (it would have sped me along too).


Should that be part of the patch?


Needs to be somewhere, attached here would have been fine.



2. You need to beef up the commit message to describe what this does
(e.g. configure for knownhost support). commit message space is cheap,
be verbose.


Done.



rob


Updated patch attached.

Honza



ACK, pushed to master and ipa-2-2

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

2012-03-01 Thread Jan Cholasta

On 29.2.2012 15:00, Martin Kosek wrote:

On Wed, 2012-02-29 at 14:44 +0100, Jan Cholasta wrote:

On 29.2.2012 14:24, Martin Kosek wrote:

On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:

On 28.2.2012 23:42, Rob Crittenden wrote:

Jan Cholasta wrote:

Hi,

this patch configures the new SSH features of SSSD in ipa-client-install.

To test it, you need to have SSSD 1.8.0 installed.

Honza




Is there a better name for 'GlobalKnownHostsFile2'?


What do you mean? The option name or the file name? Either way, I don't
think there is a better name.



When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was
an unknown option in all.


It's in openssh in RHEL 6.0.



Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy
and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file?


It depends. Do we want to support clients with SSSD   1.8.0?



How would you recommend testing this? Enroll a client and try to log
into the IPA server?


To test host authentication, you need an IPA host with SSH public keys
set (which is done automatically in ipa-client-install, so any IPA host
should work) and try to ssh into that host from other (actually, it can
be the same) IPA host. You should not see "The authenticity of host ...
can't be established" ssh message.

To test user authentication, you need an IPA user with SSH public keys
set. To do that, you need to set the public keys using ipa user-mod. You
should then be able to authenticate using your private key on any IPA host.



rob


Honza



I get this exception when running ipa-client-install with your patch.

# ipa-client-install --enable-dns-updates
Discovery was successful!
Hostname: vm-138.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-068.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com


Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for ad...@idm.lab.bos.redhat.com:

Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
Traceback (most recent call last):
File /usr/sbin/ipa-client-install, line 1514, in <module>
  sys.exit(main())
File /usr/sbin/ipa-client-install, line 1501, in main
  rval = install(options, env, fstore, statestore)
File /usr/sbin/ipa-client-install, line 1326, in install
  if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
options):
File /usr/sbin/ipa-client-install, line 711, in configure_sssd_conf
  sssdconfig.activate_service('ssh')
File /usr/lib/python2.7/site-packages/SSSDConfig.py, line 1516, in
activate_service
  raise NoServiceError
SSSDConfig.NoServiceError


SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64

Martin



Does your /etc/sssd/sssd.conf and /usr/share/sssd/sssd.api.conf contain
[ssh] section?



sssd.api.conf did contain the ssh section:

# grep -C 3 ssh /usr/share/sssd/sssd.api.conf
# autofs service
autofs_negative_timeout = int, None, false

[ssh]
# ssh service

[provider]
#Available provider types


sssd.conf did not.


Either case, we should not crash but handle the issue in some more
friendly way.

Martin



Patch updated with more defensive code.

Honza

--
Jan Cholasta
From 70358db5818496b8ae77acb7b68d61fa9d237192 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Thu, 16 Feb 2012 04:21:56 -0500
Subject: [PATCH] Configure SSH features of SSSD in ipa-client-install.

This requires SSSD 1.8.0.
---
 freeipa.spec.in   |5 +++-
 ipa-client/ipa-install/ipa-client-install |   36 -
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 90c8e9f..0889765 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -210,7 +210,7 @@ Requires:  libcurl
 Requires:  xmlrpc-c
 %endif
 %endif
-Requires: sssd = 1.5.1
+Requires: sssd = 1.8.0
 Requires: certmonger = 0.26
 Requires: nss-tools
 Requires: bind-utils
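Review bot: Only the runtime `Requires: sssd` line is raised to 1.8.0 in this hunk; no `BuildRequires` is touched. ipa-client-install now calls `sssdconfig.activate_service('ssh')`, so a build host with an older SSSDConfig module will hit the pylint E1101 errors reported in this thread. Add a matching BuildRequires on sssd 1.8.0 alongside this change.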
@@ -675,6 +675,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Thu Mar 1 2012 Jan Cholasta jchol...@redhat.com - 2.99.0-21
+- Set min nvr of sssd to 1.8.0 for SSH support
+
 * Wed Feb 29 2012 Petr Vobornik pvobo...@redhat.com - 2.99.0-20
 - Add Web UI logout page
 
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index f5c1efe..f4d65b8 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -709,6 +709,20 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
 sssdconfig.new_config()
 
 try:
+sssdconfig.activate_service('ssh')
+except SSSDConfig.NoServiceError:
+if options.preserve_sssd:
+print Unable to activate the SSH 
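Review bot: In the new `except SSSDConfig.NoServiceError:` branch, the only handling visible here is a message printed under `if options.preserve_sssd:`; the rest of the hunk is cut off in this archive. Whichever way the other branch goes, a failed `activate_service('ssh')` should also stop the installer from pointing ssh and sshd at the SSSD helper commands, because the SSH service will not be running to answer them. Record the outcome in a flag here and check it before the ssh and sshd configuration is written.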

Re: [Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

2012-03-01 Thread Rob Crittenden

Jan Cholasta wrote:

On 29.2.2012 15:00, Martin Kosek wrote:

On Wed, 2012-02-29 at 14:44 +0100, Jan Cholasta wrote:

On 29.2.2012 14:24, Martin Kosek wrote:

On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:

On 28.2.2012 23:42, Rob Crittenden wrote:

Jan Cholasta wrote:

Hi,

this patch configures the new SSH features of SSSD in
ipa-client-install.

To test it, you need to have SSSD 1.8.0 installed.

Honza




Is there a better name for 'GlobalKnownHostsFile2'?


What do you mean? The option name or the file name? Either way, I don't
think there is a better name.



When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was
an unknown option in all.


It's in openssh in RHEL 6.0.



Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy
and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file?


It depends. Do we want to support clients with SSSD 1.8.0?



How would you recommend testing this? Enroll a client and try to log
into the IPA server?


To test host authentication, you need an IPA host with SSH public keys
set (which is done automatically in ipa-client-install, so any IPA host
should work) and try to ssh into that host from other (actually, it can
be the same) IPA host. You should not see "The authenticity of host ...
can't be established" ssh message.

To test user authentication, you need an IPA user with SSH public keys
set. To do that, you need to set the public keys using ipa user-mod. You
should then be able to authenticate using your private key on any IPA host.



rob


Honza



I get this exception when running ipa-client-install with your patch.

# ipa-client-install --enable-dns-updates
Discovery was successful!
Hostname: vm-138.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-068.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com


Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for ad...@idm.lab.bos.redhat.com:

Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
Traceback (most recent call last):
File /usr/sbin/ipa-client-install, line 1514, in <module>
sys.exit(main())
File /usr/sbin/ipa-client-install, line 1501, in main
rval = install(options, env, fstore, statestore)
File /usr/sbin/ipa-client-install, line 1326, in install
if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
options):
File /usr/sbin/ipa-client-install, line 711, in configure_sssd_conf
sssdconfig.activate_service('ssh')
File /usr/lib/python2.7/site-packages/SSSDConfig.py, line 1516, in
activate_service
raise NoServiceError
SSSDConfig.NoServiceError


SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64

Martin



Does your /etc/sssd/sssd.conf and /usr/share/sssd/sssd.api.conf contain
[ssh] section?



sssd.api.conf did contain the ssh section:

# grep -C 3 ssh /usr/share/sssd/sssd.api.conf
# autofs service
autofs_negative_timeout = int, None, false

[ssh]
# ssh service

[provider]
#Available provider types


sssd.conf did not.


Either case, we should not crash but handle the issue in some more
friendly way.

Martin



Patch updated with more defensive code.

Honza



Needs a BuildRequires of sssd 1.8 or you get some pylint errors:

ipa-client/ipa-install/ipa-client-install:712: [E1101, 
configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service' 
member
ipa-client/ipa-install/ipa-client-install:723: [E1101, 
configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service' 
member
ipa-client/ipa-install/ipa-client-install:734: [E1101, 
configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service' 
member


Host keys work fine.

I wasn't able to get user ssh keys working but my server is still on 
F-15. I had a daily build of sssd  (1.8.1) but it was missing 
/usr/libexec/sssd/sssd_ssh!? Too tired to work out why right now.


Two more things:

1. You will need explicit test cases for QE to test positive and 
negative login cases (it would have sped me along too).


2. You need to beef up the commit message to describe what this does 
(e.g. configure for knownhost support). commit message space is cheap, 
be verbose.


rob



Re: [Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

2012-02-29 Thread Jan Cholasta

On 28.2.2012 23:42, Rob Crittenden wrote:

Jan Cholasta wrote:

Hi,

this patch configures the new SSH features of SSSD in ipa-client-install.

To test it, you need to have SSSD 1.8.0 installed.

Honza




Is there a better name for 'GlobalKnownHostsFile2'?


What do you mean? The option name or the file name? Either way, I don't 
think there is a better name.




When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was
an unknown option in all.


It's in openssh in RHEL 6.0.



Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy
and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file?


It depends. Do we want to support clients with SSSD  1.8.0?



How would you recommend testing this? Enroll a client and try to log
into the IPA server?


To test host authentication, you need an IPA host with SSH public keys 
set (which is done automatically in ipa-client-install, so any IPA host 
should work) and try to ssh into that host from other (actually, it can 
be the same) IPA host. You should not see "The authenticity of host ...
can't be established" ssh message.


To test user authentication, you need an IPA user with SSH public keys 
set. To do that, you need to set the public keys using ipa user-mod. You 
should then be able to authenticate using your private key on any IPA host.




rob


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

2012-02-29 Thread Martin Kosek
On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:
 On 28.2.2012 23:42, Rob Crittenden wrote:
  Jan Cholasta wrote:
  Hi,
 
  this patch configures the new SSH features of SSSD in ipa-client-install.
 
  To test it, you need to have SSSD 1.8.0 installed.
 
  Honza
 
 
 
  Is there a better name for 'GlobalKnownHostsFile2'?
 
 What do you mean? The option name or the file name? Either way, I don't 
 think there is a better name.
 
 
  When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was
  an unknown option in all.
 
 It's in openssh in RHEL 6.0.
 
 
  Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy
  and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file?
 
 It depends. Do we want to support clients with SSSD  1.8.0?
 
 
  How would you recommend testing this? Enroll a client and try to log
  into the IPA server?
 
 To test host authentication, you need an IPA host with SSH public keys 
 set (which is done automatically in ipa-client-install, so any IPA host 
 should work) and try to ssh into that host from other (actually, it can 
 be the same) IPA host. You should not see "The authenticity of host ...
 can't be established" ssh message.
 
 To test user authentication, you need an IPA user with SSH public keys 
 set. To do that, you need to set the public keys using ipa user-mod. You 
 should then be able to authenticate using your private key on any IPA host.
 
 
  rob
 
 Honza
 

I get this exception when running ipa-client-install with your patch.

# ipa-client-install --enable-dns-updates
Discovery was successful!
Hostname: vm-138.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-068.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com


Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for ad...@idm.lab.bos.redhat.com: 

Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
Traceback (most recent call last):
  File /usr/sbin/ipa-client-install, line 1514, in <module>
sys.exit(main())
  File /usr/sbin/ipa-client-install, line 1501, in main
rval = install(options, env, fstore, statestore)
  File /usr/sbin/ipa-client-install, line 1326, in install
if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
options):
  File /usr/sbin/ipa-client-install, line 711, in configure_sssd_conf
sssdconfig.activate_service('ssh')
  File /usr/lib/python2.7/site-packages/SSSDConfig.py, line 1516, in
activate_service
raise NoServiceError
SSSDConfig.NoServiceError


SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64

Martin



Re: [Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

2012-02-29 Thread Jan Cholasta

On 29.2.2012 14:24, Martin Kosek wrote:

On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:

On 28.2.2012 23:42, Rob Crittenden wrote:

Jan Cholasta wrote:

Hi,

this patch configures the new SSH features of SSSD in ipa-client-install.

To test it, you need to have SSSD 1.8.0 installed.

Honza




Is there a better name for 'GlobalKnownHostsFile2'?


What do you mean? The option name or the file name? Either way, I don't
think there is a better name.



When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was
an unknown option in all.


It's in openssh in RHEL 6.0.



Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy
and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file?


It depends. Do we want to support clients with SSSD  1.8.0?



How would you recommend testing this? Enroll a client and try to log
into the IPA server?


To test host authentication, you need an IPA host with SSH public keys
set (which is done automatically in ipa-client-install, so any IPA host
should work) and try to ssh into that host from other (actually, it can
be the same) IPA host. You should not see "The authenticity of host ...
can't be established" ssh message.

To test user authentication, you need an IPA user with SSH public keys
set. To do that, you need to set the public keys using ipa user-mod. You
should then be able to authenticate using your private key on any IPA host.



rob


Honza



I get this exception when running ipa-client-install with your patch.

# ipa-client-install --enable-dns-updates
Discovery was successful!
Hostname: vm-138.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-068.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com


Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for ad...@idm.lab.bos.redhat.com:

Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
Traceback (most recent call last):
   File /usr/sbin/ipa-client-install, line 1514, in <module>
 sys.exit(main())
   File /usr/sbin/ipa-client-install, line 1501, in main
 rval = install(options, env, fstore, statestore)
   File /usr/sbin/ipa-client-install, line 1326, in install
 if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
options):
   File /usr/sbin/ipa-client-install, line 711, in configure_sssd_conf
 sssdconfig.activate_service('ssh')
   File /usr/lib/python2.7/site-packages/SSSDConfig.py, line 1516, in
activate_service
 raise NoServiceError
SSSDConfig.NoServiceError


SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64

Martin



Does your /etc/sssd/sssd.conf and /usr/share/sssd/sssd.api.conf contain 
[ssh] section?


--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

2012-02-29 Thread Martin Kosek
On Wed, 2012-02-29 at 14:44 +0100, Jan Cholasta wrote:
 On 29.2.2012 14:24, Martin Kosek wrote:
  On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:
  On 28.2.2012 23:42, Rob Crittenden wrote:
  Jan Cholasta wrote:
  Hi,
 
  this patch configures the new SSH features of SSSD in ipa-client-install.
 
  To test it, you need to have SSSD 1.8.0 installed.
 
  Honza
 
 
 
  Is there a better name for 'GlobalKnownHostsFile2'?
 
  What do you mean? The option name or the file name? Either way, I don't
  think there is a better name.
 
 
  When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was
  an unknown option in all.
 
  It's in openssh in RHEL 6.0.
 
 
  Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy
  and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file?
 
  It depends. Do we want to support clients with SSSD  1.8.0?
 
 
  How would you recommend testing this? Enroll a client and try to log
  into the IPA server?
 
  To test host authentication, you need an IPA host with SSH public keys
  set (which is done automatically in ipa-client-install, so any IPA host
  should work) and try to ssh into that host from other (actually, it can
  be the same) IPA host. You should not see "The authenticity of host ...
  can't be established" ssh message.
 
  To test user authentication, you need an IPA user with SSH public keys
  set. To do that, you need to set the public keys using ipa user-mod. You
  should then be able to authenticate using your private key on any IPA host.
 
 
  rob
 
  Honza
 
 
  I get this exception when running ipa-client-install with your patch.
 
  # ipa-client-install --enable-dns-updates
  Discovery was successful!
  Hostname: vm-138.idm.lab.bos.redhat.com
  Realm: IDM.LAB.BOS.REDHAT.COM
  DNS Domain: idm.lab.bos.redhat.com
  IPA Server: vm-068.idm.lab.bos.redhat.com
  BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
 
 
  Continue to configure the system with these values? [no]: y
  User authorized to enroll computers: admin
  Synchronizing time with KDC...
  Unable to sync time with IPA NTP server, assuming the time is in sync.
  Password for ad...@idm.lab.bos.redhat.com:
 
  Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
  Created /etc/ipa/default.conf
  Traceback (most recent call last):
 File /usr/sbin/ipa-client-install, line 1514, in <module>
   sys.exit(main())
 File /usr/sbin/ipa-client-install, line 1501, in main
   rval = install(options, env, fstore, statestore)
 File /usr/sbin/ipa-client-install, line 1326, in install
   if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
  options):
 File /usr/sbin/ipa-client-install, line 711, in configure_sssd_conf
   sssdconfig.activate_service('ssh')
 File /usr/lib/python2.7/site-packages/SSSDConfig.py, line 1516, in
  activate_service
   raise NoServiceError
  SSSDConfig.NoServiceError
 
 
  SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64
 
  Martin
 
 
 Does your /etc/sssd/sssd.conf and /usr/share/sssd/sssd.api.conf contain 
 [ssh] section?
 

sssd.api.conf did contain the ssh section:

# grep -C 3 ssh /usr/share/sssd/sssd.api.conf
# autofs service
autofs_negative_timeout = int, None, false

[ssh]
# ssh service

[provider]
#Available provider types


sssd.conf did not.


Either case, we should not crash but handle the issue in some more
friendly way.

Martin
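
Added example (not code from the patch or from FreeIPA): a pre-flight check an installer could run before touching ssh and sshd configuration. It covers the three conditions raised in this thread: the [ssh] section in sssd.api.conf, the missing /usr/libexec/sssd/sssd_ssh, and the two helper binaries. `preflight`, `SshPreflight` and `has_section` are hypothetical names; the paths are the ones quoted in the thread and the sample file is constructed from the grep output above.

```python
import configparser
import os
from dataclasses import dataclass, field

# Paths quoted in the thread.
RESPONDER = "/usr/libexec/sssd/sssd_ssh"
KNOWNHOSTS_HELPER = "/usr/bin/sss_ssh_knownhostsproxy"
AUTHKEYS_HELPER = "/usr/bin/sss_ssh_authorizedkeys"


@dataclass
class SshPreflight:
    """Hypothetical result type: which SSH integrations are safe to configure."""
    known_hosts: bool = False        # ssh client may use the known-hosts helper
    authorized_keys: bool = False    # sshd may use the authorized-keys helper
    warnings: list = field(default_factory=list)


def has_section(ini_text, name):
    """True if the INI text (sssd.conf or sssd.api.conf) defines [name]."""
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True)
    try:
        parser.read_string(ini_text)
    except configparser.Error:
        # Unparseable input is treated as "service not available", not a crash.
        return False
    return parser.has_section(name)


def preflight(api_conf_text, exists=os.path.exists):
    """Decide what to configure; never raises, reports problems as warnings."""
    result = SshPreflight()
    if not has_section(api_conf_text, "ssh"):
        result.warnings.append("installed SSSD schema has no [ssh] service")
        return result
    if not exists(RESPONDER):
        result.warnings.append(
            "%s is missing; SSH responder not installed" % RESPONDER)
        return result
    for attr, helper in (("known_hosts", KNOWNHOSTS_HELPER),
                         ("authorized_keys", AUTHKEYS_HELPER)):
        if exists(helper):
            setattr(result, attr, True)
        else:
            result.warnings.append(
                "%s is missing; leaving %s unconfigured" % (helper, attr))
    return result


# Constructed sample modelled on the grep output in the thread.
SAMPLE_API_CONF = """\
[autofs]
# autofs service
autofs_negative_timeout = int, None, false

[ssh]
# ssh service

[provider]
#Available provider types
"""

if __name__ == "__main__":
    full = {RESPONDER, KNOWNHOSTS_HELPER, AUTHKEYS_HELPER}
    cases = (("complete install", full),
             ("no sssd_ssh responder", full - {RESPONDER}),
             ("no authorized-keys helper", full - {AUTHKEYS_HELPER}))
    for label, present in cases:
        r = preflight(SAMPLE_API_CONF, exists=present.__contains__)
        print(label, r.known_hosts, r.authorized_keys, r.warnings)
```
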



Re: [Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

2012-02-28 Thread Rob Crittenden

Jan Cholasta wrote:

Hi,

this patch configures the new SSH features of SSSD in ipa-client-install.

To test it, you need to have SSSD 1.8.0 installed.

Honza




Is there a better name for 'GlobalKnownHostsFile2'?

When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was
an unknown option in all.


Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy 
and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file?


How would you recommend testing this? Enroll a client and try to log 
into the IPA server?


rob
