authorJan Cholasta <jcholast@redhat.com>2013-04-18 18:06:54 +0200
committerRob Crittenden <rcritten@redhat.com>2013-04-30 11:05:39 -0400
commitddd8988f1cd2c5ecafb476a6efca15e906cb84df (patch)
tree3994509cc53d83effbfb54049895ef41b8fc1231
parent5d6a9d3befb5434dd7b2d1bbafd76050f22743a2 (diff)
Add support for OpenSSH 6.2.
Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config on openssh-server update. https://fedorahosted.org/freeipa/ticket/3571
-rw-r--r--freeipa.spec.in39
-rwxr-xr-xipa-client/ipa-install/ipa-client-install63
2 files changed, 81 insertions, 21 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index fc1c6abd6..a10d80e1a 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -570,6 +570,42 @@ if [ $1 -gt 1 ] ; then
fi
fi
+%triggerin -n freeipa-client -- openssh-server
+# Has the client been configured?
+restore=0
+test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+ if egrep -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
+ sed -r '
+ /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
+ ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
+
+ if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
+ sed -ri '
+ s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
+ sed -ri '
+ s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
+ sed -ri '
+ s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
+ s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ fi
+
+ mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+ /sbin/restorecon /etc/ssh/sshd_config
+ chmod 600 /etc/ssh/sshd_config
+
+ /bin/systemctl condrestart sshd.service 2>&1 || :
+ fi
+fi
+
%if ! %{ONLY_CLIENT}
%files server -f server-python.list
%defattr(-,root,root,-)
@@ -799,6 +835,9 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
+* Tue Apr 30 2013 Jan Cholasta <jcholast@redhat.com> - 3.1.99-8
+- Add triggerin scriptlet to update sshd_config on openssh-server update
+
* Thu Apr 25 2013 Rob Crittenden <rcritten@redhat.com> - 3.1.99-7
- Update nss and nss-tools dependency to fix certutil problem (#872761)
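Review bot: In the %triggerin scriptlet the first `sed` strips every existing `AuthorizedKeysCommandUser`/`AuthorizedKeysCommandRunAs`/`PubKeyAgentRunAs` line before any candidate has been validated, so if all three `sshd -t` probes fail the unconditional `mv` still replaces sshd_config with a file that names the command but no user, and the following `condrestart` may leave sshd unable to start. The `mv`, `restorecon`, `chmod` and restart should run only when one probe succeeded, and the `.ipanew` file should be removed otherwise. Separately, `sed ... >/etc/ssh/sshd_config.ipanew` creates the new file under the default umask and `chmod 600` only runs after the `mv`, so a `umask 077` at the top of the scriptlet would close that window; the `-a` inside `[ ]` is also the obsolescent form, `[ -f ... ] && [ "$restore" -ge 2 ]` is the portable one. The scriptlet is complete within the hunk.
```shell
umask 077
# … unchanged: restore-count check and egrep guard …
        updated=0
        if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
            # … unchanged: sed for AuthorizedKeysCommandUser …
            updated=1
        elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
            # … unchanged: sed for AuthorizedKeysCommandRunAs …
            updated=1
        elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
            # … unchanged: sed for PubKeyAgentRunAs …
            updated=1
        fi

        if [ "$updated" -eq 1 ]; then
            mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
            /sbin/restorecon /etc/ssh/sshd_config
            chmod 600 /etc/ssh/sshd_config
            /bin/systemctl condrestart sshd.service 2>&1 || :
        else
            rm -f /etc/ssh/sshd_config.ipanew
        fi
```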
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 8cd253eed..385e47257 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -64,6 +64,10 @@ CLIENT_NOT_CONFIGURED = 2
CLIENT_ALREADY_CONFIGURED = 3
CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state
+SSH_AUTHORIZEDKEYSCOMMAND = '/usr/bin/sss_ssh_authorizedkeys'
+SSH_PROXYCOMMAND = '/usr/bin/sss_ssh_knownhostsproxy'
+SSH_KNOWNHOSTSFILE = '/var/lib/sss/pubconf/known_hosts'
+
client_nss_nickname_format = 'IPA Machine Certificate - %s'
def parse_options():
@@ -1212,9 +1216,9 @@ def configure_ssh_config(fstore, options):
if options.trust_sshfp:
changes['VerifyHostKeyDNS'] = 'yes'
changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
- elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'):
- changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
- changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts'
+ elif options.sssd and file_exists(SSH_PROXYCOMMAND):
+ changes['ProxyCommand'] = '%s -p %%p %%h' % SSH_PROXYCOMMAND
+ changes['GlobalKnownHostsFile'] = SSH_KNOWNHOSTSFILE
change_ssh_config(ssh_config, changes, ['Host'])
root_logger.info('Configured %s', ssh_config)
@@ -1237,25 +1241,42 @@ def configure_sshd_config(fstore, options):
'UsePAM': 'yes',
}
- if options.sssd and file_exists('/usr/bin/sss_ssh_authorizedkeys'):
- authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys'
- (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
- '-o', 'AuthorizedKeysCommand=%s' % authorized_keys_command], raiseonerr=False)
- if retcode == 0:
- changes['AuthorizedKeysCommand'] = authorized_keys_command
- changes['AuthorizedKeysCommandRunAs'] = None
- else:
- authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys %u'
- (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
- '-o', 'PubKeyAgent=%s' % authorized_keys_command], raiseonerr=False)
+ if options.sssd and file_exists(SSH_AUTHORIZEDKEYSCOMMAND):
+ authorized_keys_changes = None
+
+ candidates = (
+ {
+ 'AuthorizedKeysCommand': SSH_AUTHORIZEDKEYSCOMMAND,
+ 'AuthorizedKeysCommandUser': 'nobody',
+ },
+ {
+ 'AuthorizedKeysCommand': SSH_AUTHORIZEDKEYSCOMMAND,
+ 'AuthorizedKeysCommandRunAs': 'nobody',
+ },
+ {
+ 'PubKeyAgent': '%s %%u' % SSH_AUTHORIZEDKEYSCOMMAND,
+ 'PubKeyAgentRunAs': 'nobody',
+ },
+ )
+
+ for candidate in candidates:
+ args = ['sshd', '-t', '-f', '/dev/null']
+ for item in candidate.iteritems():
+ args.append('-o')
+ args.append('%s=%s' % item)
+
+ (stdout, stderr, retcode) = ipautil.run(args, raiseonerr=False)
if retcode == 0:
- changes['PubKeyAgent'] = authorized_keys_command
- changes['PubkeyAgentRunAs'] = None
- else:
- root_logger.warning("Installed OpenSSH server does not " +
- "support dynamically loading authorized user keys. " +
- "Public key authentication of IPA users will not be " +
- "available.")
+ authorized_keys_changes = candidate
+ break
+
+ if authorized_keys_changes is not None:
+ changes.update(authorized_keys_changes)
+ else:
+ root_logger.warning("Installed OpenSSH server does not "
+ "support dynamically loading authorized user keys. "
+ "Public key authentication of IPA users will not be "
+ "available.")
change_ssh_config(sshd_config, changes, ['Match'])
root_logger.info('Configured %s', sshd_config)
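Review bot: The candidate loop in configure_sshd_config only adds the directives of the winning candidate to `changes`; the removed code also wrote `None` for the companion `RunAs` key, which looks like the mechanism for deleting a stale directive from an existing sshd_config. If `change_ssh_config` treats `None` as "remove this directive" (its definition is not in the hunk), a host that was configured under an older OpenSSH may keep a leftover `AuthorizedKeysCommandRunAs` or `PubKeyAgent` line that the newer server no longer accepts, and sshd would fail its config check after this run. Consider marking every key from the non-selected candidates for removal after the `changes.update(authorized_keys_changes)` line: `for other in candidates:` / `for key in other:` / `changes.setdefault(key, None)`. As a point of style, the inner `for item in candidate.iteritems(): args.append('-o'); args.append(...)` could be `args.extend(['-o', '%s=%s' % item])`, and since dict iteration order is unspecified here the `-o` options reach sshd in arbitrary order, which is harmless for `-t` but worth a one-line comment. configure_sshd_config begins and ends outside the hunk.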