From d62b2d9be5a1162f5fdb255aa4f361ce048722fa Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Wed, 23 May 2012 05:00:55 -0400
Subject: SSH configuration fixes.

Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the latter has been deprecated in OpenSSH 5.9.

If DNS host key verification is enabled, restrict the set of allowed host public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only these algorithms.

Make sure public key user authentication is enabled in both ssh and sshd.

ticket 2769
---
 ipa-client/ipa-install/ipa-client-install | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'ipa-client/ipa-install')

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index dce363a35..4fc4449da 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -856,12 +856,16 @@ def configure_ssh(fstore, ssh_dir, options):
     if file_exists(ssh_config):
         fstore.backup_file(ssh_config)
 
-    changes = {}
+    changes = {
+        'PubkeyAuthentication': 'yes',
+    }
+
     if options.trust_sshfp:
         changes['VerifyHostKeyDNS'] = 'yes'
+        changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
     elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'):
         changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
-        changes['GlobalKnownHostsFile2'] = '/var/lib/sss/pubconf/known_hosts'
+        changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts'
     change_ssh_config(ssh_config, changes, ['Host'])
     print 'Configured', ssh_config
@@ -877,6 +881,7 @@ def configure_ssh(fstore, ssh_dir, options):
         fstore.backup_file(sshd_config)
 
     changes = {
+        'PubkeyAuthentication': 'yes',
         'KerberosAuthentication': 'no',
         'GSSAPIAuthentication': 'yes',
         'UsePAM': 'yes',
-- 
cgit
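Review bot: The added `changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'` in the trust_sshfp branch pins the client to the two legacy, SHA-1-signed host key types for every connection, and nothing in the hunk records why, so the restriction will outlive its reason once OpenSSH can match SSHFP records for other key types (RFC 6594 already defines ECDSA SSHFP records, and ssh-dss is limited to 1024-bit keys). At minimum put the rationale next to the line, e.g. `# SSHFP matching in OpenSSH 5.9 only covers RSA/DSA host keys; revisit when newer key types are supported`, and consider hoisting the list into a named module constant so it can be widened in one place. The new GlobalKnownHostsFile entry also only adds a key: if an earlier install wrote GlobalKnownHostsFile2, it is not visibly removed here unless change_ssh_config (outside the hunk) handles stale keys, which is worth confirming for the upgrade path. configure_ssh continues past both edges of the hunk.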