author | Jan Cholasta <jcholast@redhat.com> | 2012-05-23 05:00:55 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-05-30 07:47:44 +0200 |
commit | 0b33b9fb3791545ab952b46c7443482a52fe6a6c (patch) | |
tree | 401a1af92a4a282916fe9a25324a9a9fb64d2a30 | |
parent | ce11a7c0e22ee8f70e14c43419f20be70176fe8c (diff) | |
SSH configuration fixes.
Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the
latter has been deprecated in OpenSSH 5.9.
If DNS host key verification is enabled, restrict the set of allowed host
public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only
these algorithms.
Make sure public key user authentication is enabled in both ssh and sshd.
ticket 2769
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 67279b3e..9f44da6e 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -857,12 +857,16 @@ def configure_ssh(fstore, ssh_dir, options):
 if file_exists(ssh_config):
 fstore.backup_file(ssh_config)
- changes = {}
+ changes = {
+ 'PubkeyAuthentication': 'yes',
+ }
+
 if options.trust_sshfp:
 changes['VerifyHostKeyDNS'] = 'yes'
+ changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
 elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'):
 changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
- changes['GlobalKnownHostsFile2'] = '/var/lib/sss/pubconf/known_hosts'
+ changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts'
 change_ssh_config(ssh_config, changes, ['Host'])
 print 'Configured', ssh_config
@@ -878,6 +882,7 @@ def configure_ssh(fstore, ssh_dir, options):
 fstore.backup_file(sshd_config)
 changes = {
+ 'PubkeyAuthentication': 'yes',
 'KerberosAuthentication': 'no',
 'GSSAPIAuthentication': 'yes',
 'UsePAM': 'yes', |
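Review bot: The `HostKeyAlgorithms` entry added under `options.trust_sshfp` in the first hunk is an unexplained literal, and it goes through the same `change_ssh_config(ssh_config, changes, ['Host'])` call as the other options, so it presumably applies to every destination the client connects to rather than only to IPA-enrolled hosts. That replaces OpenSSH's default algorithm list with `ssh-rsa,ssh-dss` for all connections: a server that offers only another key type can no longer be verified, and the setting will not follow the defaults as they change. I would record the reason and the exit condition next to the line, for example `# SSHFP (RFC 4255) defines only RSA and DSS; drop this once ECDSA SSHFP records (RFC 6594) are supported`. configure_ssh starts and ends outside this hunk, so whether the option can be scoped more narrowly is not visible here.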
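Review bot: The `'PubkeyAuthentication': 'yes'` entry added to the sshd `changes` dict in the second hunk replaces whatever the administrator had configured, so a host where public key logins were deliberately disabled gets them re-enabled by the installer, and the visible lines show no message saying so. The previous file is only recoverable through `fstore.backup_file(sshd_config)`. I would either report the override when the existing value differs, or at least document it above the dict with `# Forced to 'yes' by the installer; overrides a local 'no' (ticket 2769)`. The dict and the rest of configure_ssh continue past the end of this hunk, so how the changes are applied to sshd_config is not shown.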