authorJan Cholasta <jcholast@redhat.com>2011-12-07 03:40:51 -0500
committerRob Crittenden <rcritten@redhat.com>2012-02-13 22:21:43 -0500
commitc34f5fbc882b16baebc18d795511e8e1fc50668b (patch)
tree05b15df263fceb0dff104e274338178d33f29dd7
parent9b6649a1ce7c15043c9d197363c3b9fdd4b12a1d (diff)
downloadfreeipa-c34f5fbc882b16baebc18d795511e8e1fc50668b.tar.gz
freeipa-c34f5fbc882b16baebc18d795511e8e1fc50668b.tar.xz
freeipa-c34f5fbc882b16baebc18d795511e8e1fc50668b.zip
Update host SSH public keys on the server during client install.
This is done by calling host-mod to update the keys on the IPA server and nsupdate to update the DNS SSHFP records. DNS update can be disabled using the --no-dns-sshfp ipa-client-install option. https://fedorahosted.org/freeipa/ticket/1634
-rwxr-xr-xinstall/tools/ipa-replica-install7
-rwxr-xr-xinstall/tools/ipa-server-install7
-rw-r--r--install/tools/man/ipa-replica-install.13
-rw-r--r--install/tools/man/ipa-server-install.13
-rwxr-xr-xipa-client/ipa-install/ipa-client-install64
-rw-r--r--ipa-client/man/ipa-client-install.13
-rw-r--r--ipaserver/install/bindinstance.py2
7 files changed, 86 insertions, 3 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 4af0358d8..dda4db909 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -89,6 +89,8 @@ def parse_options():
dns_group.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
default=False,
help="Do not use DNS for hostname lookup during installation")
+ dns_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
+ help="do not automatically create DNS SSHFP records")
parser.add_option_group(dns_group)
options, args = parser.parse_args()
@@ -455,7 +457,10 @@ def main():
# Call client install script
try:
- ipautil.run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name])
+ args = ["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name]
+ if not options.create_sshfp:
+ args.append("--no-dns-sshfp")
+ ipautil.run(args)
except Exception, e:
print "Configuration of client side components failed!"
print "ipa-client-install returned: " + str(e)
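Review bot: The new local `args` in main() is a generic name that reads like the script's own positional arguments, and the same rebinding is made in ipa-server-install's main() hunk (the `args = [...]` / `args.append(...)` / `run(args)` lines); a name tied to what it holds, e.g. `client_args = ["/usr/sbin/ipa-client-install", "--on-master", ...]` followed by `client_args.append("--no-dns-sshfp")` and `ipautil.run(client_args)`, avoids any clash with an `args` that main() may already unpack from parse_options(), which I cannot see here since main() starts and ends outside the hunk. In the option hunks of both files the new help text `"do not automatically create DNS SSHFP records"` is lowercase while the neighbouring `--no-host-dns` help starts with a capital; `"Do not automatically create DNS SSHFP records"` matches the group's existing style and the wording used in the man pages.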
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 949d0219b..2d6f06722 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -200,6 +200,8 @@ def parse_options():
dns_group.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
default=False,
help="Do not use DNS for hostname lookup during installation")
+ dns_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
+ help="do not automatically create DNS SSHFP records")
parser.add_option_group(dns_group)
uninstall_group = OptionGroup(parser, "uninstall options")
@@ -1037,7 +1039,10 @@ def main():
# Call client install script
try:
- run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name])
+ args = ["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name]
+ if not options.create_sshfp:
+ args.append("--no-dns-sshfp")
+ run(args)
except Exception, e:
sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index 074162f0c..87506477e 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -84,6 +84,9 @@ Do not create new reverse DNS zone. If a reverse DNS zone already exists for the
.TP
\fB\-\-no\-host\-dns\fR
Do not use DNS for hostname lookup during installation
+.TP
+\fB\-\-no\-dns\-sshfp\fR
+Do not automatically create DNS SSHFP records.
.SH "EXIT STATUS"
0 if the command was successful
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 6f1e59e75..23b51979d 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -147,6 +147,9 @@ Number of seconds between regular checks for new DNS zones. When set to 0 the na
.TP
\fB\-\-no\-host\-dns\fR
Do not use DNS for hostname lookup during installation
+.TP
+\fB\-\-no\-dns\-sshfp\fR
+Do not automatically create DNS SSHFP records.
.SS "UNINSTALL OPTIONS"
.TP
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 10769ba7c..2d147e375 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -28,6 +28,7 @@ try:
from ipapython.ipa_log_manager import *
import tempfile
import getpass
+ from base64 import b64decode
from ipaclient import ipadiscovery
import ipaclient.ipachangeconf
import ipaclient.ntpconf
@@ -83,6 +84,8 @@ def parse_options():
basic_group.add_option("--ntp-server", dest="ntp_server", help="ntp server to use")
basic_group.add_option("-N", "--no-ntp", action="store_false",
help="do not configure ntp", default=True, dest="conf_ntp")
+ basic_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
+ help="do not automatically create DNS SSHFP records")
basic_group.add_option("-f", "--force", dest="force", action="store_true",
default=False, help="force setting of LDAP/Kerberos conf")
basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
@@ -853,6 +856,65 @@ def client_dns(server, hostname, dns_updates=False):
if dns_updates or not dns_ok:
update_dns(server, hostname)
+def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
+ pubkeys = []
+ for basename in os.listdir(ssh_dir):
+ if not basename.endswith('.pub'):
+ continue
+ filename = os.path.join(ssh_dir, basename)
+
+ try:
+ f = open(filename, 'r')
+ except IOError, e:
+ root_logger.warning("Failed to open '%s': %s" % (filename, str(e)))
+ continue
+
+ for line in f:
+ line = line[:-1]
+ if line.startswith('#'):
+ continue
+ parts = line.split()
+ if len(parts) < 2:
+ continue
+ try:
+ pubkey = b64decode(parts[1])
+ except TypeError:
+ continue
+ try:
+ algo, data, fp = ipautil.decode_ssh_pubkey(pubkey)
+ except ValueError:
+ continue
+ if parts[0] != algo:
+ continue
+ root_logger.debug("Adding SSH public key from %s" % filename)
+ pubkeys.append(unicode(parts[1]))
+
+ f.close()
+
+ try:
+ result = api.Command['host_mod'](unicode(hostname), ipasshpubkey=pubkeys, updatedns=False)
+ except errors.EmptyModlist:
+ pass
+ except StandardError, e:
+ root_logger.warning("host_mod: %s" % str(e))
+ print >>sys.stderr, "Failed to upload host SSH public keys."
+ return
+
+ if create_sshfp:
+ zone = '.'.join(hostname.split('.')[1:])
+ ttl = 1200
+
+ update_txt = 'zone %s.\nupdate delete %s. IN SSHFP\nsend\n' % (zone, hostname)
+ for pubkey in pubkeys:
+ pubkey = b64decode(pubkey)
+ sshfp = ipautil.make_sshfp(pubkey)
+ if sshfp is not None:
+ update_txt += 'update add %s. %s IN SSHFP %s\n' % (hostname, ttl, sshfp)
+ update_txt += 'send\n'
+
+ if not do_nsupdate(update_txt):
+ print "Warning: Could not update DNS SSHFP records."
+
def install(options, env, fstore, statestore):
dnsok = False
@@ -1160,6 +1222,8 @@ def install(options, env, fstore, statestore):
client_dns(cli_server, hostname, options.dns_updates)
configure_certmonger(fstore, subject_base, cli_realm, hostname, options)
+ update_ssh_keys(cli_server, hostname, ipaservices.knownservices.sshd.get_config_dir(), options.create_sshfp)
+
try:
os.remove(CCACHE_FILE)
except:
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index 6f5e0fc45..cca3fa9dc 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -63,6 +63,9 @@ Configure ntpd to use this NTP server.
\fB\-N\fR, \fB\-\-no\-ntp\fR
Do not configure or enable NTP.
.TP
+\fB\-\-no\-dns\-sshfp\fR
+Do not automatically create DNS SSHFP records.
+.TP
\fB\-f\fR, \fB\-\-force\fR
Force the settings even if errors occur
.TP
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 6e6c94111..2fa12565f 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -185,7 +185,7 @@ def read_reverse_zone(default, ip_address):
def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None, ns_ip_address=None,
update_policy=None):
if update_policy is None:
- update_policy = "grant %(realm)s krb5-self * A; grant %(realm)s krb5-self * AAAA;" % dict(realm=api.env.realm)
+ update_policy = "grant %(realm)s krb5-self * A; grant %(realm)s krb5-self * AAAA; grant %(realm)s krb5-self * SSHFP;" % dict(realm=api.env.realm)
if zonemgr is None:
zonemgr = 'hostmaster.%s' % name
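Review bot: The added `SSHFP` grant only applies to zones created through add_zone from now on; zones created by earlier installs keep the A/AAAA-only policy, so the client-side SSHFP nsupdate introduced in this same commit would presumably be refused on them unless an upgrade step outside this diff rewrites the policy. That is worth stating on the line, e.g. `# krb5-self lets a host principal update only records at its own name; SSHFP is needed for the nsupdate done by ipa-client-install`. The three near-identical grants could also be built from the record types, `update_policy = " ".join("grant %s krb5-self * %s;" % (api.env.realm, rr) for rr in ("A", "AAAA", "SSHFP"))`, which yields the same string and makes the next addition a one-word change. add_zone's body continues past the hunk.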