From f6fed3c54742bbfcc4d8bb6433c5965ca61fd989 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 12 Sep 2012 09:19:26 -0400 Subject: Add --no-ssh option to ipa-client-install to disable OpenSSH client configuration. If both --no-ssh and --no-sshd are specified, do not configure the SSH service in SSSD. ticket 3070 --- ipa-client/ipa-install/ipa-client-install | 78 ++++++++++++++++++------------- ipa-client/man/ipa-client-install.1 | 3 ++ 2 files changed, 49 insertions(+), 32 deletions(-) (limited to 'ipa-client') diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 52d3533d7..a9408eed7 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -89,6 +89,8 @@ def parse_options(): help="do not configure ntp", default=True, dest="conf_ntp") basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true", help="configure OpenSSH client to trust DNS SSHFP records") + basic_group.add_option("--no-ssh", dest="conf_ssh", default=True, action="store_false", + help="do not configure OpenSSH client") basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false", help="do not configure OpenSSH server") basic_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false", 
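Review bot: `--ssh-trust-dns` and the new `--no-ssh` can be passed together without complaint, and in that case the SSHFP trust setting is silently dropped. `trust_sshfp` is only read inside `configure_ssh_config`, which `install()` now skips when `conf_ssh` is false. An operator could believe DNS-based host key verification was enabled when nothing was written to ssh_config. Rejecting the combination after parsing would make this explicit, for example `if options.trust_sshfp and not options.conf_ssh: parser.error("--ssh-trust-dns cannot be used together with --no-ssh")`, assuming the option parser is bound to `parser`. The rest of `parse_options` lies outside the hunk, so an existing conflict check there cannot be ruled out.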
@@ -802,18 +804,23 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie sssdconfig.new_config() domain = sssdconfig.new_domain(cli_domain) - try: - sssdconfig.new_service('ssh') - except SSSDConfig.ServiceAlreadyExists: - pass - except SSSDConfig.ServiceNotRecognizedError: - root_logger.error("Unable to activate the SSH service in SSSD config.") - root_logger.info( - "Please make sure you have SSSD built with SSH support installed.") - root_logger.info( - "Configure SSH support manually in /etc/sssd/sssd.conf.") + ssh_dir = ipaservices.knownservices.sshd.get_config_dir() + ssh_config = os.path.join(ssh_dir, 'ssh_config') + sshd_config = os.path.join(ssh_dir, 'sshd_config') + + if (options.conf_ssh and file_exists(ssh_config)) or (options.conf_sshd and file_exists(sshd_config)): + try: + sssdconfig.new_service('ssh') + except SSSDConfig.ServiceAlreadyExists: + pass + except SSSDConfig.ServiceNotRecognizedError: + root_logger.error("Unable to activate the SSH service in SSSD config.") + root_logger.info( + "Please make sure you have SSSD built with SSH support installed.") + root_logger.info( + "Configure SSH support manually in /etc/sssd/sssd.conf.") - sssdconfig.activate_service('ssh') + sssdconfig.activate_service('ssh') domain.add_provider('ipa', 'id') 
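Review bot: After the `except SSSDConfig.ServiceNotRecognizedError` branch logs that SSSD lacks SSH support, control still reaches `sssdconfig.activate_service('ssh')`. The change re-indents that call (apparently under the new `if`, though the page has lost indentation) but otherwise leaves it as it was. If `new_service` did not register the service, activating it presumably fails or raises; SSSDConfig's behaviour is not visible here. Either way the installer continues as though the SSH responder were available. Recording the failure in a local flag and guarding the call, e.g. `if ssh_service_ok: sssdconfig.activate_service('ssh')`, would keep the `ServiceAlreadyExists` path working while skipping activation when support is missing. `configure_sssd_conf` starts and ends outside the hunk.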
@@ -921,34 +928,37 @@ def change_ssh_config(filename, changes, sections): return True -def configure_ssh(fstore, ssh_dir, options): +def configure_ssh_config(fstore, options): + ssh_dir = ipaservices.knownservices.sshd.get_config_dir() ssh_config = os.path.join(ssh_dir, 'ssh_config') - sshd_config = os.path.join(ssh_dir, 'sshd_config') - if file_exists(ssh_config): - fstore.backup_file(ssh_config) + if not file_exists(ssh_config): + root_logger.info("%s not found, skipping configuration" % ssh_config) + return - changes = { - 'PubkeyAuthentication': 'yes', - } + fstore.backup_file(ssh_config) - if options.trust_sshfp: - changes['VerifyHostKeyDNS'] = 'yes' - changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss' - elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'): - changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h' - changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts' + changes = { + 'PubkeyAuthentication': 'yes', + } - change_ssh_config(ssh_config, changes, ['Host']) - root_logger.info('Configured %s', ssh_config) + if options.trust_sshfp: + changes['VerifyHostKeyDNS'] = 'yes' + changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss' + elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'): + changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h' + changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts' - if not options.conf_sshd: - return + change_ssh_config(ssh_config, changes, ['Host']) + root_logger.info('Configured %s', ssh_config) +def configure_sshd_config(fstore, options): sshd = ipaservices.knownservices.sshd - if not sshd.is_installed(): - root_logger.info("%s daemon is not installed, skip configuration", - sshd.service_name) + ssh_dir = sshd.get_config_dir() + sshd_config = os.path.join(ssh_dir, 'sshd_config') + + if not file_exists(sshd_config): + root_logger.info("%s not found, skipping configuration" % sshd_config) return fstore.backup_file(sshd_config) 
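Review bot: The `HostKeyAlgorithms` line carried into `configure_ssh_config` still pins the client to `ssh-rsa,ssh-dss` whenever `--ssh-trust-dns` is given, and nothing on the new side explains why. DSA host keys and SHA-1 based `ssh-rsa` signatures are both disabled by default in current OpenSSH releases. The override therefore either breaks connections or restricts negotiation to the weakest host key types a server offers. If the restriction exists because only those key types could be published as SSHFP records (an assumption; the hunk does not say), record it in a comment such as `# limit to key types that have SSHFP records` and revisit the list. Otherwise drop the override and let `VerifyHostKeyDNS` do the check on its own. `configure_sshd_config` continues past the end of the hunk.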
@@ -1768,7 +1778,11 @@ def install(options, env, fstore, statestore): ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore) root_logger.info("NTP enabled") - configure_ssh(fstore, ipaservices.knownservices.sshd.get_config_dir(), options) + if options.conf_ssh: + configure_ssh_config(fstore, options) + + if options.conf_sshd: + configure_sshd_config(fstore, options) root_logger.info('Client configuration complete.') diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index c3ec6de52..ef77f4188 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -74,6 +74,9 @@ Do not configure or enable NTP. \fB\-\-ssh\-trust\-dns\fR Configure OpenSSH client to trust DNS SSHFP records. .TP +\fB\-\-no\-ssh\fR +Do not configure OpenSSH client. +.TP \fB\-\-no\-sshd\fR Do not configure OpenSSH server. .TP -- cgit