author | Jan Cholasta <jcholast@redhat.com> | 2011-12-07 03:49:09 -0500 |
committer | Rob Crittenden <rcritten@redhat.com> | 2012-02-13 22:21:47 -0500 |
commit | c00bf9e38afa4867f4ec397b260f2e467163096d (patch) | |
tree | 619ae4614ef70f9189e296d85daa02de3b14e493 | |
parent | c34f5fbc882b16baebc18d795511e8e1fc50668b (diff) | |
Configure ssh and sshd during ipa-client-install.
For ssh, the VerifyHostKeyDNS option is set to 'yes' if the --ssh-trust-dns
ipa-client-install option is used.
For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM
options are enabled (this can be disabled using --no-sshd
ipa-client-install option).
ticket 1634
-rwxr-xr-x | install/tools/ipa-replica-install | 8 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 8 | ||||
-rw-r--r-- | install/tools/man/ipa-replica-install.1 | 6 | ||||
-rw-r--r-- | install/tools/man/ipa-server-install.1 | 6 | ||||
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 108 | ||||
-rw-r--r-- | ipa-client/man/ipa-client-install.1 | 6 |
6 files changed, 142 insertions, 0 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index dda4db909..0b8ab2ae7 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -63,6 +63,10 @@ def parse_options():
 help="do not configure ntp", default=True)
 basic_group.add_option("--no-ui-redirect", dest="ui_redirect", action="store_false", default=True, help="Do not automatically redirect to the Web UI")
+ basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
+ help="configure OpenSSH client to trust DNS SSHFP records")
+ basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
+ help="do not configure OpenSSH server")
 basic_group.add_option("--skip-conncheck", dest="skip_conncheck", action="store_true", default=False, help="skip connection check to remote master")
 basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
@@ -460,6 +464,10 @@ def main():
 args = ["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name]
 if not options.create_sshfp:
 args.append("--no-dns-sshfp")
+ if options.trust_sshfp:
+ args.append("--ssh-trust-dns")
+ if not options.conf_sshd:
+ args.append("--no-sshd")
 ipautil.run(args)
 except Exception, e:
 print "Configuration of client side components failed!"
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 2d6f06722..f7de54403 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -141,6 +141,10 @@ def parse_options():
 help="Don't install allow_all HBAC rule")
 basic_group.add_option("--no-ui-redirect", dest="ui_redirect", action="store_false", default=True, help="Do not automatically redirect to the Web UI")
+ basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
+ help="configure OpenSSH client to trust DNS SSHFP records")
+ basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
+ help="do not configure OpenSSH server")
 basic_group.add_option("-d", "--debug", dest="debug", action="store_true", default=False, help="print debugging information")
 basic_group.add_option("-U", "--unattended", dest="unattended", action="store_true",
@@ -1042,6 +1046,10 @@ def main():
 args = ["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name]
 if not options.create_sshfp:
 args.append("--no-dns-sshfp")
+ if options.trust_sshfp:
+ args.append("--ssh-trust-dns")
+ if not options.conf_sshd:
+ args.append("--no-sshd")
 run(args)
 except Exception, e:
 sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index 87506477e..c41af20e0 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -47,6 +47,12 @@ Do not configure NTP
 \fB\-\-no\-ui\-redirect\fR
 Do not automatically redirect to the Web UI.
 .TP
+\fB\-\-ssh\-trust\-dns\fR
+Configure OpenSSH client to trust DNS SSHFP records.
+.TP
+\fB\-\-no\-sshd\fR
+Do not configure OpenSSH server.
+.TP
 \fB\-\-skip\-conncheck\fR
 Skip connection check to remote master
 .TP
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 23b51979d..9870022aa 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -63,6 +63,12 @@ Don't install allow_all HBAC rule. This rule lets any user from any host access
 \fB\-\-no\-ui\-redirect\fR
 Do not automatically redirect to the Web UI.
 .TP
+\fB\-\-ssh\-trust\-dns\fR
+Configure OpenSSH client to trust DNS SSHFP records.
+.TP
+\fB\-\-no\-sshd\fR
+Do not configure OpenSSH server.
+.TP
 \fB\-d\fR, \fB\-\-debug\fR
 Enable debug logging when more verbose output is needed
 .TP
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 2d147e375..f5c1efe06 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -84,6 +84,10 @@ def parse_options():
 basic_group.add_option("--ntp-server", dest="ntp_server", help="ntp server to use")
 basic_group.add_option("-N", "--no-ntp", action="store_false", help="do not configure ntp", default=True, dest="conf_ntp")
+ basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
+ help="configure OpenSSH client to trust DNS SSHFP records")
+ basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
+ help="do not configure OpenSSH server")
 basic_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false", help="do not automatically create DNS SSHFP records")
 basic_group.add_option("-f", "--force", dest="force", action="store_true",
@@ -290,8 +294,12 @@ def uninstall(options, env, quiet=False):
 emit_quiet(quiet, "Disabling client Kerberos and LDAP configurations")
 was_sssd_installed = False
+ was_sshd_configured = False
 if fstore.has_files():
 was_sssd_installed = fstore.has_file("/etc/sssd/sssd.conf")
+
+ sshd_config = os.path.join(ipaservices.knownservices.sshd.get_config_dir(), "sshd_config")
+ was_sshd_configured = fstore.has_file(sshd_config)
 try:
 auth_config = ipaservices.authconfig()
 if statestore.has_state('authconfig'):
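Review bot: The `--ssh-trust-dns` help text added in the parse_options hunk ("configure OpenSSH client to trust DNS SSHFP records") overstates what the VerifyHostKeyDNS=yes it maps to actually does: OpenSSH only implicitly trusts an SSHFP record that the resolver reports as DNSSEC-secure and treats an insecure match as `ask`, so on a host without a validating resolver the option does not give the described behaviour, while a resolver that passes the AD flag through unverified makes a spoofed record an implicitly trusted host key. The help (and the identical man-page entry) should state that dependency, e.g. `help="configure OpenSSH client to trust DNS SSHFP records (DNSSEC-validated records only; see VerifyHostKeyDNS in ssh_config(5))"`. The same wording is duplicated in ipa-server-install and ipa-replica-install, which forward the flag here, so all three should be adjusted together. parse_options continues outside the hunk.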
@@ -385,6 +393,9 @@ def uninstall(options, env, quiet=False):
 if restored:
 ipaservices.knownservices.ntpd.restart()
+ if was_sshd_configured and ipaservices.knownservices.sshd.is_running():
+ ipaservices.knownservices.sshd.restart()
+
 if was_sssd_installed and was_sssd_configured:
 # SSSD was installed before our installation, config now is restored, restart it
 emit_quiet(quiet, "The original configuration of SSSD included other domains than IPA-based one.")
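Review bot: The added `ipaservices.knownservices.sshd.restart()` is unguarded, whereas the restart that configure_ssh adds in this same patch is wrapped in `try`/`except` and reported through log_service_error; a restart failure here propagates out of uninstall and skips the SSSD restart that follows, leaving the host half-uninstalled. Since the original sshd_config has presumably already been put back by the time this runs (the restore itself is outside the hunk), a failed restart is worth logging rather than aborting on, matching the install side. uninstall starts and ends outside the hunk.

```python
    if was_sshd_configured and ipaservices.knownservices.sshd.is_running():
        # Mirror configure_ssh: report a failed restart, do not abort uninstall.
        try:
            ipaservices.knownservices.sshd.restart()
        except Exception, e:
            log_service_error(ipaservices.knownservices.sshd.service_name, 'restart', e)
```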
@@ -751,6 +762,101 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
 return 0
+def change_ssh_config(filename, changes, sections):
+ if len(changes) == 0:
+ return True
+
+ try:
+ f = open(filename, 'r')
+ except IOError, e:
+ root_logger.error("Failed to open '%s': %s" % (filename, str(e)))
+ return False
+
+ lines = []
+ in_section = False
+ for line in f:
+ if in_section:
+ lines.append(line)
+ continue
+ pline = line.strip()
+ if len(pline) == 0 or pline.startswith('#'):
+ lines.append(line)
+ continue
+ parts = pline.split()
+ option = parts[0].lower()
+ for key in sections:
+ if key.lower() == option:
+ in_section = True
+ break
+ if in_section:
+ break
+ for opt in changes:
+ if opt.lower() == option:
+ line = None
+ break
+ if line is not None:
+ lines.append(line)
+ for opt in changes:
+ lines.append('%s %s\n' % (opt, changes[opt]))
+ lines.append('\n')
+ if in_section:
+ lines.append(line)
+ for line in f:
+ lines.append(line)
+
+ f.close()
+
+ try:
+ f = open(filename, 'w')
+ except IOError, e:
+ root_logger.error("Failed to open '%s': %s" % (filename, str(e)))
+ return False
+
+ f.write(''.join(lines))
+
+ f.close()
+
+ return True
+
+def configure_ssh(fstore, ssh_dir, options):
+ ssh_config = os.path.join(ssh_dir, 'ssh_config')
+ sshd_config = os.path.join(ssh_dir, 'sshd_config')
+
+ if file_exists(ssh_config):
+ fstore.backup_file(ssh_config)
+
+ changes = {}
+ if options.trust_sshfp:
+ changes['VerifyHostKeyDNS'] = 'yes'
+
+ change_ssh_config(ssh_config, changes, ['Host'])
+ print 'Configured', ssh_config
+
+ if not options.conf_sshd:
+ return
+
+ sshd = ipaservices.knownservices.sshd
+ if not sshd.is_installed():
+ root_logger.debug("%s daemon is not installed, skip configuration" % (sshd.service_name))
+ return
+
+ fstore.backup_file(sshd_config)
+
+ changes = {
+ 'KerberosAuthentication': 'yes',
+ 'GSSAPIAuthentication': 'yes',
+ 'UsePAM': 'yes',
+ }
+
+ change_ssh_config(sshd_config, changes, ['Match'])
+ print 'Configured', sshd_config
+
+ if sshd.is_running():
+ try:
+ sshd.restart()
+ except Exception, e:
+ log_service_error(sshd.service_name, 'restart', e)
+
 def resolve_ipaddress(server):
 """
 Connect to the server's LDAP port in order to determine what ip address this machine uses as "public" ip (relative to the server).
@@ -1340,6 +1446,8 @@ def install(options, env, fstore, statestore):
 ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
 print "NTP enabled"
+ configure_ssh(fstore, ipaservices.knownservices.sshd.get_config_dir(), options)
+
 print "Client configuration complete."
 return 0
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index cca3fa9dc..96b019bd9 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -63,6 +63,12 @@ Configure ntpd to use this NTP server.
 \fB\-N\fR, \fB\-\-no\-ntp\fR
 Do not configure or enable NTP.
 .TP
+\fB\-\-ssh\-trust\-dns\fR
+Configure OpenSSH client to trust DNS SSHFP records.
+.TP
+\fB\-\-no\-sshd\fR
+Do not configure OpenSSH server.
+.TP
 \fB\-\-no\-dns\-sshfp\fR
 Do not automatically create DNS SSHFP records.
 .TP |
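Review bot: change_ssh_config rewrites sshd_config in place with `open(filename, 'w')`, so a write that fails or is interrupted part-way (disk full, signal, crash) leaves a truncated sshd_config behind, and the `sshd.restart()` at the end of configure_ssh then takes the daemon down and locks remote administrators out of the host; the unguarded `f.write` also propagates an IOError instead of returning False like the open failures do. Writing to a sibling temporary file, fsyncing it and renaming it over the original keeps the old configuration intact on any failure, and copying the original mode avoids loosening permissions on the replacement; the rewrite below does that for the write half of the function. configure_ssh additionally discards change_ssh_config's return value and prints 'Configured' (and restarts sshd) even when it returned False, e.g. when ssh_config does not exist, so the print and restart should be gated on it: `if not change_ssh_config(sshd_config, changes, ['Match']): return`. Validating the rewritten file with `sshd -t` before the restart would be a further safeguard against a lockout.

```python
    # … unchanged: option scan building `lines` …
    f.close()

    # Write to a sibling temporary file and rename it over the original so a
    # failure part-way through cannot leave a truncated sshd_config behind.
    tmpname = filename + '.ipanew'
    try:
        mode = os.stat(filename).st_mode & 07777
        f = open(tmpname, 'w')
        f.write(''.join(lines))
        f.flush()
        os.fsync(f.fileno())
        f.close()
        os.chmod(tmpname, mode)
        os.rename(tmpname, filename)
    except (IOError, OSError), e:
        root_logger.error("Failed to write '%s': %s" % (filename, str(e)))
        return False

    return True
```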