[Freeipa-devel] [PATCHES] 59-65 SSH public key management

Rob Crittenden rcritten at redhat.com
Thu Dec 15 21:03:34 UTC 2011


Jan Cholasta wrote:
> Dne 7.12.2011 17:28, Jan Cholasta napsal(a):
>> [PATCH] 65 Configure ssh and sshd during ipa-client-install.
>>
>> For ssh, VerifyHostKeyDNS option is enabled.
>>
>> For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM
>> options are enabled (this can be disabled using --no-sshd
>> ipa-client-install option).
>>
>
> Changed this not to implicitly trust DNS, as discussed on yesterday's
> meeting. You can make SSH trust DNS explicitly using --ssh-trust-dns
> ipa-client-install option.
>
> Honza
>

Traceback if ipaserver package is not installed.

# ipa-client-install
[snip]
Created /etc/ipa/default.conf
ipa         : ERROR    cannot import plugins sub-package ipaserver.install.plugins.plugins: No module named ipaserver.install.plugins
Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 1474, in <module>
     sys.exit(main())
   File "/usr/sbin/ipa-client-install", line 1461, in main
     rval = install(options, env, fstore, statestore)
   File "/usr/sbin/ipa-client-install", line 1277, in install
     api.finalize()
   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 656, in finalize
     self.__do_if_not_done('load_plugins')
   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 452, in __do_if_not_done
     getattr(self, name)()
   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 599, in load_plugins
     self.import_plugins('ipaserver/install/plugins')
   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 625, in import_plugins
     raise e
ImportError: No module named ipaserver.install.plugins

You need to use a context other than 'installer'. I used 'cli_installer' 
to proceed.

Is this what I should expect when logging into an enrolled client:

$ slogin -v doberman.example.com
[ snip ]
debug1: matching host key fingerprint found in DNS
The authenticity of host 'doberman.example.com. (192.168.186.9)' can't be established.
RSA key fingerprint is 99:4a:4e:7f:4e:79:56:f6:00:4a:db:67:63:24:77:79.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

That part seems to be working; I guess I didn't expect to be asked.

When I tested without DNS it said something about key not found in DNS 
as I would expect.

I'm unable to add another pub key:
$ ipa user-mod --addattr ipasshpubkey=<BIGKEY>== tuser1
ipa: ERROR: invalid 'ipasshpubkey': must be binary data

$ ipa user-mod --sshpubkey=<BIGKEY>== tuser1
[SUCCESS]

I wonder if normalize_ssh_pubkeys should not be validate_ssh_pubkeys(). 
It isn't really converting them to some common format, just confirming 
that they are valid keys, right?

rob
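As an added example (not code from this thread or from FreeIPA), here is a Python check of the kind Rob's normalize-vs-validate question is about: it parses an OpenSSH public key line, confirms the base64 blob is well-formed and that the type embedded in the blob matches the prefix, and derives the SSHFP RDATA that a VerifyHostKeyDNS lookup compares against. The RSA key-building helper and the sample values are constructed for this demonstration.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255 / 6594 / 7479); fingerprint type 1 = SHA-1, 2 = SHA-256.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}

def rsa_pubkey_line(e, n, comment=""):
    """Constructed test data: build an OpenSSH 'ssh-rsa <base64> [comment]' line from e and n."""
    def mpint(v):  # SSH mpint: big-endian, with a leading 0x00 byte if the high bit is set
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(b)) + b
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return ("ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)).strip()

def _read_string(blob, off):
    """Read one length-prefixed SSH string; reject truncated data instead of accepting it."""
    if len(blob) - off < 4:
        raise ValueError("truncated length field at offset %d" % off)
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if len(blob) - off < length:
        raise ValueError("string at offset %d runs past the end of the blob" % off)
    return blob[off:off + length], off + length

def validate_ssh_pubkey(line):
    """Return (keytype, blob, comment) for a valid '<type> <base64> [comment]' line, else raise."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (ValueError, TypeError):
        raise ValueError("key data is not valid base64")
    wire_type, off = _read_string(blob, 0)
    if wire_type != keytype.encode("ascii", "replace"):
        raise ValueError("type prefix %r does not match blob type %r" % (keytype, wire_type))
    while off < len(blob):  # every remaining field (e, n / p, q, g, y / ...) must be a well-formed string
        _, off = _read_string(blob, off)
    return keytype, blob, comment

def sshfp_rdata(line, fptype=1):
    """SSHFP RDATA ('algorithm fptype hex-fingerprint') computed over the raw key blob."""
    keytype, blob, _ = validate_ssh_pubkey(line)
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError("no SSHFP algorithm number for %r" % keytype)
    digest = {1: hashlib.sha1, 2: hashlib.sha256}[fptype](blob).hexdigest()
    return "%d %d %s" % (SSHFP_ALGORITHM[keytype], fptype, digest)
```

The fingerprint in the SSHFP record is over the binary blob, not the base64 text, which is why the check decodes and walks the blob before hashing it.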



