From afad0775e16e52aa2d6637e809ad748ace838bea Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 16 Feb 2012 04:21:56 -0500 Subject: Configure SSH features of SSSD in ipa-client-install. OpenSSH server (sshd) is configured to fetch user authorized keys from SSSD and OpenSSH client (ssh) is configured to use and trigger updates of the SSSD-managed known hosts file. This requires SSSD 1.8.0.
---
 ipa-client/ipa-install/ipa-client-install | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) (limited to 'ipa-client/ipa-install')
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7d405a8d7..67c299966 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -719,6 +719,14 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
 sssdconfig.new_config()
 domain = sssdconfig.new_domain(cli_domain)
 
+ try:
+ sssdconfig.activate_service('ssh')
+ except SSSDConfig.NoServiceError:
+ print "Unable to activate the SSH service in SSSD config."
+ print "Please make sure you have SSSD built with SSH support installed."
+ print "Configure SSH support manually in /etc/sssd/sssd.conf."
+ root_logger.debug("Unable to activate the SSH service in SSSD config.")
+
 domain.add_provider('ipa', 'id')

 if not options.on_master:
@@ -797,7 +805,8 @@ def change_ssh_config(filename, changes, sections):
 if line is not None:
 lines.append(line)
 for opt in changes:
- lines.append('%s %s\n' % (opt, changes[opt]))
+ if changes[opt] is not None:
+ lines.append('%s %s\n' % (opt, changes[opt]))
 lines.append('\n')
 if in_section:
 lines.append(line)
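Review bot: When `sssdconfig.activate_service('ssh')` raises `SSSDConfig.NoServiceError` the failure is printed and logged, but nothing records it, and the ssh/sshd changes in the third and fourth hunks are still gated only on `options.sssd and file_exists(...)`, so on an SSSD build without SSH support OpenSSH is pointed at `/usr/bin/sss_ssh_knownhostsproxy` and `/usr/bin/sss_ssh_authorizedkeys` with no responder behind them; key logins for IPA users would then presumably fail with no hint in the installer output. Returning the outcome from configure_sssd_conf (e.g. `ssh_enabled = False` set in the except branch) and checking it in those two hunks keeps the three steps consistent. The failure is also only logged at debug level while the three print lines surface it on the console; an unattended install only has the log, so `root_logger.warning("Unable to activate the SSH service in SSSD config.")` fits better. configure_sssd_conf starts and ends outside the hunk.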
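Review bot: The new `if changes[opt] is not None:` introduces a convention — a `None` value in `changes` means "write no line for this option" — that nothing in change_ssh_config documents, while the callers added in the fourth hunk rely on it for `AuthorizedKeysCommandRunAs` and `PubkeyAgentRunAs`. A comment at the guard, `# None: leave the option unset, i.e. emit no line for it`, or a sentence in the function's docstring would save the next reader a trip to configure_ssh. Whether a `None` entry also drops an existing line for that option depends on how matched lines are handled earlier in the function, which is outside the hunk; if it does not, an operator's own `AuthorizedKeysCommandRunAs` line would survive next to the newly written `AuthorizedKeysCommand`. change_ssh_config starts and ends outside the hunk.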
@@ -828,6 +837,9 @@ def configure_ssh(fstore, ssh_dir, options):
 changes = {}
 if options.trust_sshfp:
 changes['VerifyHostKeyDNS'] = 'yes'
+ elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'):
+ changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
+ changes['GlobalKnownHostsFile2'] = '/var/lib/sss/pubconf/known_hosts'
 change_ssh_config(ssh_config, changes, ['Host'])
 print 'Configured', ssh_config
 
@@ -848,6 +860,21 @@ def configure_ssh(fstore, ssh_dir, options):
 'UsePAM': 'yes',
 }
 
+ if options.sssd and file_exists('/usr/bin/sss_ssh_authorizedkeys'):
+ (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null', '-o', 'AuthorizedKeysCommand='], raiseonerr=False)
+ if retcode == 0:
+ changes['AuthorizedKeysCommand'] = '/usr/bin/sss_ssh_authorizedkeys'
+ changes['AuthorizedKeysCommandRunAs'] = None
+ else:
+ (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null', '-o', 'PubKeyAgent='], raiseonerr=False)
+ if retcode == 0:
+ changes['PubKeyAgent'] = '/usr/bin/sss_ssh_authorizedkeys %u'
+ changes['PubkeyAgentRunAs'] = None
+ else:
+ print "Warning: Installed OpenSSH server does not support dynamically loading"
+ print " authorized user keys. Public key authentication of IPA users"
+ print " will not be available."
+
 change_ssh_config(sshd_config, changes, ['Match'])
 print 'Configured', sshd_config
 
-- cgit
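Review bot: `changes['GlobalKnownHostsFile2'] = '/var/lib/sss/pubconf/known_hosts'` replaces the daemon's default file for that option rather than adding to it, so host keys an administrator had pinned in the default `/etc/ssh/ssh_known_hosts2` stop being consulted for every user on the machine; where the installed OpenSSH accepts more than one file for the option, listing the default alongside the SSSD file preserves them, and a comment at the line should state that host-key verification is now sourced from SSSD. The `ProxyCommand` is written through `change_ssh_config(ssh_config, changes, ['Host'])` and, as far as the hunk shows, is not restricted to IPA-domain hosts — if `sss_ssh_knownhostsproxy` is meant to fall through for unknown hosts, a comment next to the line saying so would stop a reader from assuming every ssh invocation on the box is being rerouted. The literal `/usr/bin/sss_ssh_knownhostsproxy` appears in both the `file_exists` test and the value; binding it to a local name once keeps the two from drifting. configure_ssh continues outside the hunk.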
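Review bot: The two `ipautil.run(['sshd', '-t', '-f', '/dev/null', '-o', ...])` probes differ only in the option name, and the nested `if retcode == 0 ... else` makes a capability test read like error handling; a small helper turns it into an `if/elif/else` chain and gives the probe one place to document what `sshd -t` against an empty config proves. The probe resolves `sshd` through `PATH` while every other path in the hunk is absolute and the installer runs as root; using the daemon's installed path (`/usr/sbin/sshd` on the usual layouts) removes the dependency on the caller's environment. `raiseonerr=False` only covers a non-zero exit status — if no sshd binary is present at all, ipautil.run may raise instead, which the hunk does not handle (ipautil.run's behaviour is outside the hunk). configure_ssh continues outside the hunk.
```python
def sshd_supports_option(option):
    """Return True if the installed sshd accepts *option*.

    Probed with `sshd -t` against an empty config so only option
    recognition is tested, never the live sshd_config.
    """
    (stdout, stderr, retcode) = ipautil.run(
        ['sshd', '-t', '-f', '/dev/null', '-o', option + '='], raiseonerr=False)
    return retcode == 0

# … unchanged: configure_ssh up to the sshd `changes` dict …
    if options.sssd and file_exists('/usr/bin/sss_ssh_authorizedkeys'):
        if sshd_supports_option('AuthorizedKeysCommand'):
            changes['AuthorizedKeysCommand'] = '/usr/bin/sss_ssh_authorizedkeys'
            changes['AuthorizedKeysCommandRunAs'] = None
        elif sshd_supports_option('PubKeyAgent'):
            changes['PubKeyAgent'] = '/usr/bin/sss_ssh_authorizedkeys %u'
            changes['PubkeyAgentRunAs'] = None
        else:
            # … unchanged: the three "Warning:" print lines …
```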