> I'm afraid there is no right thing to call ATM, as there is no support 
> for cache invalidation in SSH host code. I guess you'll have to 
> implement it yourself.
> 
> Off the top of my head, you need to properly set SYSDB_CACHE_EXPIRE in 
> sysdb_store_ssh_host, return only unexpired hosts in 
> sysdb_get_ssh_known_hosts, make sysdb_search_ssh_hosts public and create 
> sysdb_set_ssh_host_attr (sysdb_update_ssh_hosts does the same, so you 
> can modify and rename it instead of writing a completely new function).

Please find attached a patch that adds the functionality. Note that
ssh_hosts don't use the dataExpire attribute; they use a different
attribute, which is why I opted to call ssh_known_host_expire.

-- 
William <will...@firstyear.id.au>
>From f9ba86ca3c709aa7051d82568c235dbba38aebb0 Mon Sep 17 00:00:00 2001
From: William Brown <will...@firstyear.id.au>
Date: Wed, 30 Apr 2014 16:29:32 +0930
Subject: [PATCH] Allow sss_cache to expire sshKnownHosts

---
 src/db/sysdb_ssh.c    |  2 +-
 src/db/sysdb_ssh.h    |  8 ++++++++
 src/tools/sss_cache.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++-----
 3 files changed, 58 insertions(+), 6 deletions(-)

diff --git a/src/db/sysdb_ssh.c b/src/db/sysdb_ssh.c
index 7dd98cf..9c60441 100644
--- a/src/db/sysdb_ssh.c
+++ b/src/db/sysdb_ssh.c
@@ -229,7 +229,7 @@ sysdb_delete_ssh_host(struct sss_domain_info *domain,
     return sysdb_delete_custom(domain, name, SSH_HOSTS_SUBDIR);
 }
 
-static errno_t
+errno_t
 sysdb_search_ssh_hosts(TALLOC_CTX *mem_ctx,
                        struct sss_domain_info *domain,
                        const char *filter,
diff --git a/src/db/sysdb_ssh.h b/src/db/sysdb_ssh.h
index e8aca77..9209ae1 100644
--- a/src/db/sysdb_ssh.h
+++ b/src/db/sysdb_ssh.h
@@ -47,6 +47,14 @@ sysdb_delete_ssh_host(struct sss_domain_info *domain,
                       const char *name);
 
 errno_t
+sysdb_search_ssh_hosts(TALLOC_CTX *mem_ctx,
+                       struct sss_domain_info *domain,
+                       const char *filter,
+                       const char **attrs,
+                       struct ldb_message ***hosts,
+                       size_t *num_hosts);
+
+errno_t
 sysdb_get_ssh_host(TALLOC_CTX *mem_ctx,
                    struct sss_domain_info *domain,
                    const char *name,
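Review bot: The prototype for sysdb_search_ssh_hosts that this hunk makes public has no comment, unlike what a sysdb entry point exported to other components should carry. A short one above it would do, e.g. `/* Return the SSH host entries of domain matching the LDB filter, fetching attrs; the messages and their count are written to *hosts and *num_hosts. */`. Who owns the returned array (presumably allocated on mem_ctx) is worth stating once confirmed against the definition in sysdb_ssh.c, which is not visible in this patch.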
diff --git a/src/tools/sss_cache.c b/src/tools/sss_cache.c
index ffa4e35..f642fc5 100644
--- a/src/tools/sss_cache.c
+++ b/src/tools/sss_cache.c
@@ -30,6 +30,7 @@
 #include "db/sysdb.h"
 #include "db/sysdb_services.h"
 #include "db/sysdb_autofs.h"
+#include "db/sysdb_ssh.h"
 
 #define INVALIDATE_NONE 0
 #define INVALIDATE_USERS 1
@@ -37,14 +38,16 @@
 #define INVALIDATE_NETGROUPS 4
 #define INVALIDATE_SERVICES 8
 #define INVALIDATE_AUTOFSMAPS 16
+#define INVALIDATE_SSH_HOSTS 32
 
 #ifdef BUILD_AUTOFS
 #define INVALIDATE_EVERYTHING (INVALIDATE_USERS | INVALIDATE_GROUPS | \
                                INVALIDATE_NETGROUPS | INVALIDATE_SERVICES | \
-                               INVALIDATE_AUTOFSMAPS)
+                               INVALIDATE_AUTOFSMAPS | INVALIDATE_SSH_HOSTS )
 #else
 #define INVALIDATE_EVERYTHING (INVALIDATE_USERS | INVALIDATE_GROUPS | \
-                               INVALIDATE_NETGROUPS | INVALIDATE_SERVICES)
+                               INVALIDATE_NETGROUPS | INVALIDATE_SERVICES | \
+                                INVALIDATE_SSH_HOSTS )
 #endif
 
 enum sss_cache_entry {
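Review bot: Both new INVALIDATE_EVERYTHING expansions carry a stray space before the closing parenthesis, `INVALIDATE_AUTOFSMAPS | INVALIDATE_SSH_HOSTS)` in the BUILD_AUTOFS branch, and the continuation line in the #else branch is indented one column deeper than the line above it; aligning it under INVALIDATE_NETGROUPS keeps the two branches readable side by side. Unlike the autofs bit, INVALIDATE_SSH_HOSTS is added unconditionally; if this tree has a configure-time switch for the SSH responder comparable to BUILD_AUTOFS, the new bit and the sysdb_ssh.h include at the top of the file probably belong behind it.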
@@ -52,7 +55,8 @@ enum sss_cache_entry {
     TYPE_GROUP,
     TYPE_NETGROUP,
     TYPE_SERVICE,
-    TYPE_AUTOFSMAP
+    TYPE_AUTOFSMAP,
+    TYPE_SSH_HOST
 };
 
 static errno_t search_autofsmaps(TALLOC_CTX *mem_ctx,
@@ -69,18 +73,21 @@ struct cache_tool_ctx {
     char *netgroup_filter;
     char *service_filter;
     char *autofs_filter;
+    char *ssh_host_filter;
 
     char *user_name;
     char *group_name;
     char *netgroup_name;
     char *service_name;
     char *autofs_name;
+    char *ssh_host_name;
 
     bool update_user_filter;
     bool update_group_filter;
     bool update_netgroup_filter;
     bool update_service_filter;
     bool update_autofs_filter;
+    bool update_ssh_host_filter;
 };
 
 errno_t init_domains(struct cache_tool_ctx *ctx, const char *domain);
@@ -152,6 +159,9 @@ int main(int argc, const char *argv[])
         skipped &= !invalidate_entries(tctx, dinfo, TYPE_AUTOFSMAP,
                                        tctx->autofs_filter,
                                        tctx->autofs_name);
+        skipped &= !invalidate_entries(tctx, dinfo, TYPE_SSH_HOST,
+                                       tctx->ssh_host_filter,
+                                       tctx->ssh_host_name);
 
         ret = sysdb_transaction_commit(sysdb);
         if (ret != EOK) {
@@ -327,6 +337,14 @@ static errno_t update_all_filters(struct cache_tool_ctx *tctx,
     if (ret != EOK) {
         return ret;
     }
+    
+    /* Update ssh host filter */
+    ret = update_filter(tctx, dinfo, tctx->ssh_host_name,
+                        tctx->update_ssh_host_filter, "(%s=%s)", false,
+                        &tctx->ssh_host_filter);
+    if (ret != EOK) {
+        return ret;
+    }
 
     return EOK;
 }
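Review bot: The blank line added before the `/* Update ssh host filter */` comment carries trailing whitespace (`+    `), and the same appears in init_context on the blank line before the new INVALIDATE_SSH_HOSTS branch; both should be plain empty lines, as git diff --check would report. The new update_filter call itself mirrors the preceding ones, which is fine. update_all_filters starts outside this hunk.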
@@ -371,6 +389,11 @@ static bool invalidate_entries(TALLOC_CTX *ctx,
         type_string = "autofs map";
         ret = search_autofsmaps(ctx, dinfo, filter, attrs, &msg_count, &msgs);
         break;
+    case TYPE_SSH_HOST:
+        type_string = "ssh_host";
+        ret = sysdb_search_ssh_hosts(ctx, dinfo,
+                                    filter, attrs, &msgs, &msg_count);
+        break;
     }
 
     if (ret != EOK) {
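Review bot: `type_string = "ssh_host";` breaks the convention of the other cases, which use human-readable strings such as "autofs map"; if type_string reaches log or user output (its use is outside this hunk), `type_string = "ssh host";` reads better. The new sysdb_search_ssh_hosts call passes (&msgs, &msg_count), which matches the prototype added to sysdb_ssh.h but is the reverse of search_autofsmaps directly above; a brief comment noting the differing parameter order would keep someone from "fixing" it later.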
@@ -446,6 +469,10 @@ static errno_t invalidate_entry(TALLOC_CTX *ctx,
                     ret = sysdb_set_autofsmap_attr(domain, name,
                                                    sys_attrs, SYSDB_MOD_REP);
                     break;
+                case TYPE_SSH_HOST:
+                    ret = sysdb_update_ssh_known_host_expire(domain, name,
+                                                 1, 0);
+                    break;
                 default:
                     return EINVAL;
             }
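Review bot: The call `sysdb_update_ssh_known_host_expire(domain, name, 1, 0);` passes two unexplained literals where every other case hands over the prepared sys_attrs, so a reader needs the function's signature to see that the entry is being forced to expire. Assuming the trailing parameters are a current time and a timeout, as the name suggests, a comment such as `/* known hosts carry their own expiry attribute, not SYSDB_CACHE_EXPIRE: set it to epoch+1 so the entry counts as expired */` would record the intent, and the literals should be checked against the declaration, which this patch does not show. invalidate_entry's body continues outside the hunk, so whether sys_attrs is built and left unused for this type cannot be seen here.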
@@ -529,6 +556,7 @@ errno_t init_context(int argc, const char *argv[], struct cache_tool_ctx **tctx)
     char *group = NULL;
     char *netgroup = NULL;
     char *service = NULL;
+    char *ssh_host = NULL;
     char *map = NULL;
     char *domain = NULL;
     int debug = SSSDBG_DEFAULT;
@@ -563,6 +591,10 @@ errno_t init_context(int argc, const char *argv[], struct cache_tool_ctx **tctx)
         { "autofs-maps", 'A', POPT_ARG_NONE, NULL, 'a',
             _("Invalidate all autofs maps"), NULL },
 #endif /* BUILD_AUTOFS */
+        { "ssh_host", 'h', POPT_ARG_STRING, &ssh_host, 0,
+            _("Invalidate particular ssh host"), NULL },
+        { "ssh_hosts", 'H', POPT_ARG_NONE, NULL, 'h',
+            _("Invalidate all ssh hosts"), NULL },
         { "domain", 'd', POPT_ARG_STRING, &domain, 0,
             _("Only invalidate entries from a particular domain"), NULL },
         POPT_TABLEEND
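Review bot: The new long options are spelled `ssh_host` and `ssh_hosts` with underscores, while the rest of the table ("autofs-maps" directly above, "domain" below) uses hyphens; `{ "ssh-host", 'h', POPT_ARG_STRING, &ssh_host, 0,` and `{ "ssh-hosts", 'H', POPT_ARG_NONE, NULL, 'h',` keep the command line consistent. The pair is also added outside any build conditional, unlike the autofs options guarded by BUILD_AUTOFS just above; if SSH support is optional at configure time in this tree, the same guard likely applies. The help text `_("Invalidate particular ssh host")` would read better as `_("Invalidate a particular SSH host")`.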
@@ -594,6 +626,9 @@ errno_t init_context(int argc, const char *argv[], struct cache_tool_ctx **tctx)
             case 'a':
                 idb |= INVALIDATE_AUTOFSMAPS;
                 break;
+            case 'h':
+                idb |= INVALIDATE_SSH_HOSTS;
+                break;
             case 'e':
                 idb = INVALIDATE_EVERYTHING;
                 break;
@@ -608,7 +643,7 @@ errno_t init_context(int argc, const char *argv[], struct cache_tool_ctx **tctx)
     }
 
     if (idb == INVALIDATE_NONE && !user && !group &&
-        !netgroup && !service && !map) {
+        !netgroup && !service && !ssh_host && !map) {
         BAD_POPT_PARAMS(pc,
                 _("Please select at least one object to invalidate\n"),
                 ret, fini);
@@ -664,15 +699,24 @@ errno_t init_context(int argc, const char *argv[], struct cache_tool_ctx **tctx)
         ctx->autofs_name = talloc_strdup(ctx, map);
         ctx->update_autofs_filter = true;
     }
+    
+    if (idb & INVALIDATE_SSH_HOSTS) {
+        ctx->ssh_host_filter = talloc_asprintf(ctx, "(%s=*)", SYSDB_NAME);
+        ctx->update_ssh_host_filter = false;
+    } else if (ssh_host) {
+        ctx->ssh_host_name = talloc_strdup(ctx, ssh_host);
+        ctx->update_ssh_host_filter = true;
+    }
 
     if (((idb & INVALIDATE_USERS) && !ctx->user_filter) ||
         ((idb & INVALIDATE_GROUPS) && !ctx->group_filter) ||
         ((idb & INVALIDATE_NETGROUPS) && !ctx->netgroup_filter) ||
         ((idb & INVALIDATE_SERVICES) && !ctx->service_filter) ||
         ((idb & INVALIDATE_AUTOFSMAPS) && !ctx->autofs_filter) ||
+        ((idb & INVALIDATE_SSH_HOSTS) && !ctx->ssh_host_filter) ||
          (user && !ctx->user_name) || (group && !ctx->group_name) ||
          (netgroup && !ctx->netgroup_name) || (map && !ctx->autofs_name) ||
-         (service && !ctx->service_name)) {
+         (service && !ctx->service_name) || (map && !ctx->ssh_host_name)) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Construction of filters failed\n");
         ret = ENOMEM;
         goto fini;
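Review bot: The failure check on the last changed line tests the wrong variable: `(map && !ctx->ssh_host_name)` is true whenever an autofs map is requested without an ssh host, since ctx->ssh_host_name is then never set (presumably zeroed at allocation), so the tool would report "Construction of filters failed" and exit with ENOMEM for a valid invocation; it should be `(ssh_host && !ctx->ssh_host_name)`, mirroring the other name/filter pairs. As written, a failed talloc_strdup of ssh_host also goes undetected whenever map is NULL. init_context continues outside the hunk.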
-- 
1.9.0
