authorJan Cholasta <jcholast@redhat.com>2012-05-23 05:00:55 -0400
committerMartin Kosek <mkosek@redhat.com>2012-05-30 07:47:44 +0200
commit0b33b9fb3791545ab952b46c7443482a52fe6a6c (patch)
tree401a1af92a4a282916fe9a25324a9a9fb64d2a30
parentce11a7c0e22ee8f70e14c43419f20be70176fe8c (diff)
downloadfreeipa.git-0b33b9fb3791545ab952b46c7443482a52fe6a6c.tar.gz
freeipa.git-0b33b9fb3791545ab952b46c7443482a52fe6a6c.tar.xz
freeipa.git-0b33b9fb3791545ab952b46c7443482a52fe6a6c.zip
SSH configuration fixes.
Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the latter has been deprecated in OpenSSH 5.9. If DNS host key verification is enabled, restrict the set of allowed host public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only these algorithms. Make sure public key user authentication is enabled in both ssh and sshd. ticket 2769
-rwxr-xr-xipa-client/ipa-install/ipa-client-install9
1 files changed, 7 insertions, 2 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 67279b3e..9f44da6e 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -857,12 +857,16 @@ def configure_ssh(fstore, ssh_dir, options):
if file_exists(ssh_config):
fstore.backup_file(ssh_config)
- changes = {}
+ changes = {
+ 'PubkeyAuthentication': 'yes',
+ }
+
if options.trust_sshfp:
changes['VerifyHostKeyDNS'] = 'yes'
+ changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'):
changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
- changes['GlobalKnownHostsFile2'] = '/var/lib/sss/pubconf/known_hosts'
+ changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts'
change_ssh_config(ssh_config, changes, ['Host'])
print 'Configured', ssh_config
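Review bot: The new `changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'` line in the trust_sshfp branch is a system-wide restriction with no comment explaining it, and the reason is only in the commit message. Because it goes into the global ssh_config, every outgoing connection from the client is pinned to RSA/DSA host keys, so a server that offers only another key type (OpenSSH has supported ECDSA host keys since 5.7) would presumably be refused rather than verified; that trade-off should be visible at the call site. Suggest adding directly above the line: `# SSHFP DNS records (RFC 4255) only carry RSA and DSA fingerprints, so a host key of any other type could not be verified via VerifyHostKeyDNS; revisit when SSHFP gains new key types.` configure_ssh starts before this hunk and continues past it.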
@@ -878,6 +882,7 @@ def configure_ssh(fstore, ssh_dir, options):
fstore.backup_file(sshd_config)
changes = {
+ 'PubkeyAuthentication': 'yes',
'KerberosAuthentication': 'no',
'GSSAPIAuthentication': 'yes',
'UsePAM': 'yes',