[Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

Jan Cholasta jcholast at redhat.com
Wed Feb 29 13:44:38 UTC 2012


On 29.2.2012 14:24, Martin Kosek wrote:
> On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:
>> On 28.2.2012 23:42, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> this patch configures the new SSH features of SSSD in ipa-client-install.
>>>>
>>>> To test it, you need to have SSSD 1.8.0 installed.
>>>>
>>>> Honza
>>>>
>>>
>>>
>>> Is there a better name for 'GlobalKnownHostsFile2'?
>>
>> What do you mean? The option name or the file name? Either way, I don't
>> think there is a better name.
>>
>>>
>>> When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was
>>> an unknown option in all.
>>
>> It's in openssh in RHEL 6.0.
>>
>>>
>>> Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy
>>> and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file?
>>
>> It depends. Do we want to support clients with SSSD < 1.8.0?
>>
>>>
>>> How would you recommend testing this? Enroll a client and try to log
>>> into the IPA server?
>>
>> To test host authentication, you need an IPA host with SSH public keys
>> set (which is done automatically in ipa-client-install, so any IPA host
>> should work) and try to ssh into that host from other (actually, it can
>> be the same) IPA host. You should not see "The authenticity of host ...
>> can't be established" ssh message.
>>
>> To test user authentication, you need an IPA user with SSH public keys
>> set. To do that, you need to set the public keys using ipa user-mod. You
>> should then be able to authenticate using your private key on any IPA host.
>>
>>>
>>> rob
>>
>> Honza
>>
>
> I get this exception when running ipa-client-install with your patch.
>
> # ipa-client-install --enable-dns-updates
> Discovery was successful!
> Hostname: vm-138.idm.lab.bos.redhat.com
> Realm: IDM.LAB.BOS.REDHAT.COM
> DNS Domain: idm.lab.bos.redhat.com
> IPA Server: vm-068.idm.lab.bos.redhat.com
> BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>
>
> Continue to configure the system with these values? [no]: y
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Password for admin at IDM.LAB.BOS.REDHAT.COM:
>
> Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
> Created /etc/ipa/default.conf
> Traceback (most recent call last):
>    File "/usr/sbin/ipa-client-install", line 1514, in <module>
>      sys.exit(main())
>    File "/usr/sbin/ipa-client-install", line 1501, in main
>      rval = install(options, env, fstore, statestore)
>    File "/usr/sbin/ipa-client-install", line 1326, in install
>      if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
> options):
>    File "/usr/sbin/ipa-client-install", line 711, in configure_sssd_conf
>      sssdconfig.activate_service('ssh')
>    File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1516, in
> activate_service
>      raise NoServiceError
> SSSDConfig.NoServiceError
>
>
> SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64
>
> Martin
>

Do your /etc/sssd/sssd.conf and /usr/share/sssd/sssd.api.conf contain an
[ssh] section?

-- 
Jan Cholasta
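The traceback above comes from SSSDConfig.activate_service('ssh') raising NoServiceError when the SSSD installed on the client does not know about the ssh service, and Rob's earlier question asks whether the installer should check for the helper binaries before writing them into a config file. The following is an added example, written for this thread and not part of the patch or of FreeIPA: it parses a sssd.api.conf-style schema to see whether an [ssh] section is present, and checks for the helper binaries named in the thread before deciding which SSH integration steps are safe to perform. The sample schema text is constructed (its option lines only approximate the real file's format), and the file paths are taken from the thread.

```python
# Added example for the Freeipa-devel thread; not code from the patch or from
# FreeIPA. It shows the two checks a client installer could run before calling
# SSSDConfig.activate_service('ssh') and before writing sss_ssh_* helpers into
# ssh_config / sshd_config, so that an SSSD < 1.8.0 without SSH support does not
# end in the NoServiceError traceback from the thread.
import configparser
import os

# Paths named in the thread.
SSSD_CONF = "/etc/sssd/sssd.conf"
SSSD_API_CONF = "/usr/share/sssd/sssd.api.conf"
KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"

# Constructed sample schemas: one from an SSSD that knows the ssh service
# (has an [ssh] section) and one from an older SSSD that does not. The option
# lines are approximations, not copied from a real sssd.api.conf.
SAMPLE_API_CONF_NEW = """
[service]
debug_level = int, None, false

[nss]
enum_cache_timeout = int, None, false

[ssh]
ssh_hash_known_hosts = bool, None, false
"""

SAMPLE_API_CONF_OLD = """
[service]
debug_level = int, None, false

[nss]
enum_cache_timeout = int, None, false
"""


def parse_sssd_ini(text):
    """Parse sssd.conf-style INI text.

    SSSD option names are case-sensitive and the files use '=' as the only
    key/value delimiter, so the default configparser behaviour is adjusted.
    """
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def sssd_knows_service(api_conf_text, service):
    """True if the SSSD API schema lists `service` as a section, e.g. [ssh].

    This is the condition under which SSSDConfig.activate_service(service)
    can succeed instead of raising NoServiceError.
    """
    return parse_sssd_ini(api_conf_text).has_section(service)


def ssh_plan(api_conf_text, exists=os.path.isfile):
    """Decide which SSH integration steps are safe on this host.

    `exists` is injectable so the decision can be tested without the real
    binaries being installed. Each step is enabled only when SSSD supports
    the ssh service AND the helper that the ssh/sshd configuration would
    reference is actually present.
    """
    knows_ssh = sssd_knows_service(api_conf_text, "ssh")
    return {
        "activate_ssh_service": knows_ssh,
        "configure_known_hosts": knows_ssh and exists(KNOWNHOSTSPROXY),
        "configure_authorized_keys": knows_ssh and exists(AUTHORIZEDKEYS),
    }


def load_api_conf_text(path=SSSD_API_CONF):
    """Read the real schema if this host has one, else fall back to the sample."""
    if os.path.isfile(path):
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    return SAMPLE_API_CONF_NEW


if __name__ == "__main__":
    plan = ssh_plan(load_api_conf_text())
    for step, enabled in plan.items():
        print("%-26s %s" % (step, "yes" if enabled else "skip"))
```

Run stand-alone, the block reads the real /usr/share/sssd/sssd.api.conf when present and otherwise uses the constructed sample, then prints which steps it would perform. Checking the schema rather than the SSSD package version answers the "SSSD < 1.8.0" question in the thread directly: the installer simply skips SSH integration where the service is unknown, instead of crashing mid-enrollment after /etc/ipa/default.conf has already been written.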
