author | Jan Cholasta <jcholast@redhat.com> | 2012-02-16 04:21:56 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-03-01 18:44:58 -0500 |
commit | 154696b5eaa165ea5dd8f03cf39fb61abf74274c (patch) | |
tree | 4509160d6de216ba800ae2d1d713056fd01ae4e4 | |
parent | edf08b2b65e2d74fdded63e9c6a5ebe3dd38426e (diff) | |
Configure SSH features of SSSD in ipa-client-install.
OpenSSH server (sshd) is configured to fetch user authorized keys from
SSSD and OpenSSH client (ssh) is configured to use and trigger updates
of the SSSD-managed known hosts file.
This requires SSSD 1.8.0.
-rw-r--r-- | freeipa.spec.in | 7 | ||||
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 29 |
2 files changed, 34 insertions, 2 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5047db93..9421bd2a 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -74,6 +74,7 @@ BuildRequires: pyOpenSSL
BuildRequires: pylint
BuildRequires: libipa_hbac-python
BuildRequires: python-memcached
+BuildRequires: sssd >= 1.8.0
%description
IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -209,7 +210,7 @@ Requires: libcurl
Requires: xmlrpc-c
%endif
%endif
-Requires: sssd >= 1.5.1
+Requires: sssd >= 1.8.0
Requires: certmonger >= 0.26
Requires: nss-tools
Requires: bind-utils
@@ -669,6 +670,10 @@ fi
%changelog
+* Thu Mar 1 2012 Jan Cholasta <jcholast@redhat.com> - 2.2.0-15
+- Set min nvr of sssd to 1.8.0 for SSH support
+- Add BuildRequires on sssd >= 1.8.0
+
* Wed Feb 29 2012 Petr Vobornik <pvoborni@redhat.com> - 2.2.0-14
- Add Web UI form based login page
- Removed ipa_migration.css
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7d405a8d..67c29996 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -719,6 +719,14 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
sssdconfig.new_config()
domain = sssdconfig.new_domain(cli_domain)
+ try:
+ sssdconfig.activate_service('ssh')
+ except SSSDConfig.NoServiceError:
+ print "Unable to activate the SSH service in SSSD config."
+ print "Please make sure you have SSSD built with SSH support installed."
+ print "Configure SSH support manually in /etc/sssd/sssd.conf."
+ root_logger.debug("Unable to activate the SSH service in SSSD config.")
+
domain.add_provider('ipa', 'id')
if not options.on_master:
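Review bot: The except branch in configure_sssd_conf reports that the SSSD `ssh` service could not be activated but records nothing the rest of the installer can act on, while configure_ssh in this same commit gates the sshd and ssh wiring only on `options.sssd` and the presence of the helper binaries on disk; on such a host the client would still be pointed at a responder that is not enabled. Consider having the except branch record the outcome, e.g. a flag set to `False` there and consulted before the sss_ssh_* options are written, so the installer degrades consistently instead of relying on the user noticing the printed instructions. The same text is printed and then logged at debug level; if it is worth logging at all, warning level would match what the user is shown. configure_sssd_conf starts and ends outside the hunk.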
@@ -797,7 +805,8 @@ def change_ssh_config(filename, changes, sections):
if line is not None:
lines.append(line)
for opt in changes:
- lines.append('%s %s\n' % (opt, changes[opt]))
+ if changes[opt] is not None:
+ lines.append('%s %s\n' % (opt, changes[opt]))
lines.append('\n')
if in_section:
lines.append(line)
@@ -828,6 +837,9 @@ def configure_ssh(fstore, ssh_dir, options):
changes = {}
if options.trust_sshfp:
changes['VerifyHostKeyDNS'] = 'yes'
+ elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'):
+ changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
+ changes['GlobalKnownHostsFile2'] = '/var/lib/sss/pubconf/known_hosts'
change_ssh_config(ssh_config, changes, ['Host'])
print 'Configured', ssh_config
@@ -848,6 +860,21 @@ def configure_ssh(fstore, ssh_dir, options):
'UsePAM': 'yes',
}
+ if options.sssd and file_exists('/usr/bin/sss_ssh_authorizedkeys'):
+ (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null', '-o', 'AuthorizedKeysCommand='], raiseonerr=False)
+ if retcode == 0:
+ changes['AuthorizedKeysCommand'] = '/usr/bin/sss_ssh_authorizedkeys'
+ changes['AuthorizedKeysCommandRunAs'] = None
+ else:
+ (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null', '-o', 'PubKeyAgent='], raiseonerr=False)
+ if retcode == 0:
+ changes['PubKeyAgent'] = '/usr/bin/sss_ssh_authorizedkeys %u'
+ changes['PubkeyAgentRunAs'] = None
+ else:
+ print "Warning: Installed OpenSSH server does not support dynamically loading"
+ print " authorized user keys. Public key authentication of IPA users"
+ print " will not be available."
+
change_ssh_config(sshd_config, changes, ['Match'])
print 'Configured', sshd_config |
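Review bot: The new `if changes[opt] is not None` guard in change_ssh_config gives a None value a meaning — an option that must not be written — that is documented nowhere in the function, and the only callers that pass None are the RunAs entries added later in this commit. A comment at the loop would make the contract explicit, e.g. `# None means "do not write this option"; any existing line for it is handled by the section rewrite above.` — the second half is my inference from the surrounding code, so keep only what the rest of the function actually does. The loop also indexes `changes[opt]` twice; `for opt, value in changes.items():` with `if value is not None:` reads more naturally. change_ssh_config starts and ends outside the hunk.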
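Review bot: The client-side branch in configure_ssh writes `GlobalKnownHostsFile2` without any capability check, whereas the sshd branch later in this commit probes `sshd -t` before relying on a keyword; on an OpenSSH release where the `*KnownHostsFile2` keywords are no longer honoured (I believe newer versions fold this into a multi-valued `GlobalKnownHostsFile` — worth confirming against the supported versions) the SSSD known_hosts file would silently not be consulted while ProxyCommand still runs. A probe of the client (`ssh -G` is not available on old releases, so a documented version floor or a comment may be the practical option) or at least a comment naming the OpenSSH versions the keyword was verified on would keep the two halves of this function consistent. The `elif` also means that with `options.trust_sshfp` the SSSD known-hosts integration is skipped entirely; if that is intended, say so: `# SSHFP-in-DNS verification and the SSSD known_hosts proxy are alternatives; an explicit trust_sshfp request wins.` configure_ssh continues outside the hunk.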
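Review bot: The two capability probes in configure_ssh invoke `sshd` by bare name through PATH, while every other binary in the hunk is referenced by absolute path; because the installer runs as root and this result decides what is written into sshd_config, resolving the daemon explicitly (on Fedora/RHEL `/usr/sbin/sshd`) ties the probe to the same binary the configuration will apply to. The two-stage probe is undocumented; a comment such as `# Prefer AuthorizedKeysCommand; older Fedora/RHEL builds carry the PubKeyAgent patch instead, so fall back to it before giving up.` would help — the origin of PubKeyAgent is my inference, adjust if the history differs. Minor points: `changes['PubKeyAgent']` and `changes['PubkeyAgentRunAs']` use different capitalisation (sshd matches keywords case-insensitively, but the file reads as if they were unrelated options), and `stdout`/`stderr` are captured but unused, so `(_, _, retcode) = ipautil.run(...)` is clearer. The function continues outside the hunk.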