From c34f5fbc882b16baebc18d795511e8e1fc50668b Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Wed, 7 Dec 2011 03:40:51 -0500
Subject: Update host SSH public keys on the server during client install. This is done by calling host-mod to update the keys on IPA server and nsupdate to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp ipa-client-install option.
https://fedorahosted.org/freeipa/ticket/1634
---
 ipa-client/ipa-install/ipa-client-install | 64 +++++++++++++++++++++++++++++++
 ipa-client/man/ipa-client-install.1 | 3 ++
 2 files changed, 67 insertions(+)
(limited to 'ipa-client')

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 10769ba7c..2d147e375 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -28,6 +28,7 @@ try:
     from ipapython.ipa_log_manager import *
     import tempfile
     import getpass
+    from base64 import b64decode
     from ipaclient import ipadiscovery
     import ipaclient.ipachangeconf
     import ipaclient.ntpconf
@@ -83,6 +84,8 @@ def parse_options():
     basic_group.add_option("--ntp-server", dest="ntp_server", help="ntp server to use")
     basic_group.add_option("-N", "--no-ntp", action="store_false",
       help="do not configure ntp", default=True, dest="conf_ntp")
+    basic_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
+        help="do not automatically create DNS SSHFP records")
     basic_group.add_option("-f", "--force", dest="force", action="store_true",
       default=False, help="force setting of LDAP/Kerberos conf")
     basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
@@ -853,6 +856,65 @@ def client_dns(server, hostname, dns_updates=False):
     if dns_updates or not dns_ok:
         update_dns(server, hostname)
 
+def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
+    pubkeys = []
+    for basename in os.listdir(ssh_dir):
+        if not basename.endswith('.pub'):
+            continue
+        filename = os.path.join(ssh_dir, basename)
+
+        try:
+            f = open(filename, 'r')
+        except IOError, e:
+            root_logger.warning("Failed to open '%s': %s" % (filename, str(e)))
+            continue
+
+        for line in f:
+            line = line[:-1]
+            if line.startswith('#'):
+                continue
+            parts = line.split()
+            if len(parts) < 2:
+                continue
+            try:
+                pubkey = b64decode(parts[1])
+            except TypeError:
+                continue
+            try:
+                algo, data, fp = ipautil.decode_ssh_pubkey(pubkey)
+            except ValueError:
+                continue
+            if parts[0] != algo:
+                continue
+            root_logger.debug("Adding SSH public key from %s" % filename)
+            pubkeys.append(unicode(parts[1]))
+
+        f.close()
+
+    try:
+        result = api.Command['host_mod'](unicode(hostname), ipasshpubkey=pubkeys, updatedns=False)
+    except errors.EmptyModlist:
+        pass
+    except StandardError, e:
+        root_logger.warning("host_mod: %s" % str(e))
+        print >>sys.stderr, "Failed to upload host SSH public keys."
+        return
+
+    if create_sshfp:
+        zone = '.'.join(hostname.split('.')[1:])
+        ttl = 1200
+
+        update_txt = 'zone %s.\nupdate delete %s. IN SSHFP\nsend\n' % (zone, hostname)
+        for pubkey in pubkeys:
+            pubkey = b64decode(pubkey)
+            sshfp = ipautil.make_sshfp(pubkey)
+            if sshfp is not None:
+                update_txt += 'update add %s. %s IN SSHFP %s\n' % (hostname, ttl, sshfp)
+        update_txt += 'send\n'
+
+        if not do_nsupdate(update_txt):
+            print "Warning: Could not update DNS SSHFP records."
+
 def install(options, env, fstore, statestore):
     dnsok = False
 
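Review bot: The SSHFP replacement in update_ssh_keys is done as two nsupdate transactions — the first template ends in `update delete %s. IN SSHFP\nsend\n` and the `update add` lines only go out with the second `send` — so there is a window with no SSHFP records for the host, and if the second update fails the old records are already gone while the warning only reports the failure. Dropping the first `send\n`, i.e. `update_txt = 'zone %s.\nupdate delete %s. IN SSHFP\n' % (zone, hostname)`, puts delete and adds in one update so the replacement is atomic. Relatedly, when no `*.pub` file is found `pubkeys` is empty, and host_mod is then presumably asked to clear the attribute while the nsupdate deletes every SSHFP record without adding any, which looks unintended on a host whose sshd has not yet generated its keys; an early `if not pubkeys: root_logger.warning(...); return` would avoid that. Two smaller points: `os.listdir(ssh_dir)` is unguarded, so a missing sshd config directory raises OSError and aborts the install from the call site in the later install() hunk, and `line = line[:-1]` should be `line = line.rstrip('\n')` so a final line without a trailing newline does not lose its last base64 character (the `result` of host_mod is also never used).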
@@ -1160,6 +1222,8 @@ def install(options, env, fstore, statestore):
     client_dns(cli_server, hostname, options.dns_updates)
     configure_certmonger(fstore, subject_base, cli_realm, hostname, options)
 
+    update_ssh_keys(cli_server, hostname, ipaservices.knownservices.sshd.get_config_dir(), options.create_sshfp)
+
     try:
         os.remove(CCACHE_FILE)
     except:
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index 6f5e0fc45..cca3fa9dc 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -63,6 +63,9 @@ Configure ntpd to use this NTP server.
 \fB\-N\fR, \fB\-\-no\-ntp\fR
 Do not configure or enable NTP.
 .TP
+\fB\-\-no\-dns\-sshfp\fR
+Do not automatically create DNS SSHFP records.
+.TP
 \fB\-f\fR, \fB\-\-force\fR
 Force the settings even if errors occur
 .TP
-- 
cgit