[Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

Martin Kosek mkosek at redhat.com
Wed Feb 29 14:00:25 UTC 2012


On Wed, 2012-02-29 at 14:44 +0100, Jan Cholasta wrote:
> On 29.2.2012 14:24, Martin Kosek wrote:
> > On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:
> >> On 28.2.2012 23:42, Rob Crittenden wrote:
> >>> Jan Cholasta wrote:
> >>>> Hi,
> >>>>
> >>>> this patch configures the new SSH features of SSSD in ipa-client-install.
> >>>>
> >>>> To test it, you need to have SSSD 1.8.0 installed.
> >>>>
> >>>> Honza
> >>>>
> >>>
> >>>
> >>> Is there a better name for 'GlobalKnownHostsFile2'?
> >>
> >> What do you mean? The option name or the file name? Either way, I don't
> >> think there is a better name.
> >>
> >>>
> >>> When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was
> >>> an unknown option in all.
> >>
> >> It's in openssh in RHEL 6.0.
> >>
> >>>
> >>> Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy
> >>> and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file?
> >>
> >> It depends. Do we want to support clients with SSSD < 1.8.0?
> >>
> >>>
> >>> How would you recommend testing this? Enroll a client and try to log
> >>> into the IPA server?
> >>
> >> To test host authentication, you need an IPA host with SSH public keys
> >> set (which is done automatically in ipa-client-install, so any IPA host
> >> should work) and try to ssh into that host from other (actually, it can
> >> be the same) IPA host. You should not see "The authenticity of host ...
> >> can't be established" ssh message.
> >>
> >> To test user authentication, you need an IPA user with SSH public keys
> >> set. To do that, you need to set the public keys using ipa user-mod. You
> >> should then be able to authenticate using your private key on any IPA host.
> >>
> >>>
> >>> rob
> >>
> >> Honza
> >>
> >
> > I get this exception when running ipa-client-install with your patch.
> >
> > # ipa-client-install --enable-dns-updates
> > Discovery was successful!
> > Hostname: vm-138.idm.lab.bos.redhat.com
> > Realm: IDM.LAB.BOS.REDHAT.COM
> > DNS Domain: idm.lab.bos.redhat.com
> > IPA Server: vm-068.idm.lab.bos.redhat.com
> > BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >
> >
> > Continue to configure the system with these values? [no]: y
> > User authorized to enroll computers: admin
> > Synchronizing time with KDC...
> > Unable to sync time with IPA NTP server, assuming the time is in sync.
> > Password for admin at IDM.LAB.BOS.REDHAT.COM:
> >
> > Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
> > Created /etc/ipa/default.conf
> > Traceback (most recent call last):
> >    File "/usr/sbin/ipa-client-install", line 1514, in <module>
> >      sys.exit(main())
> >    File "/usr/sbin/ipa-client-install", line 1501, in main
> >      rval = install(options, env, fstore, statestore)
> >    File "/usr/sbin/ipa-client-install", line 1326, in install
> >      if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
> >    File "/usr/sbin/ipa-client-install", line 711, in configure_sssd_conf
> >      sssdconfig.activate_service('ssh')
> >    File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1516, in activate_service
> >      raise NoServiceError
> > SSSDConfig.NoServiceError
> >
> >
> > SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64
> >
> > Martin
> >
> 
> Does your /etc/sssd/sssd.conf and /usr/share/sssd/sssd.api.conf contain 
> [ssh] section?
> 

sssd.api.conf did contain the ssh section:

# grep -C 3 ssh /usr/share/sssd/sssd.api.conf
# autofs service
autofs_negative_timeout = int, None, false

[ssh]
# ssh service

[provider]
#Available provider types


sssd.conf did not.


In either case, we should not crash but handle the issue in some more
friendly way.

Martin
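One way the installer could degrade gracefully instead of dying on NoServiceError, as an added example that is not part of the patch or of SSSD's own code: `FakeSSSDConfig` is a constructed stand-in for the real SSSDConfig object (`list_services()` and `new_service()` are assumed method names), where `known` stands for the services listed in sssd.api.conf and `conf` for the sections actually present in sssd.conf.

```python
import logging

log = logging.getLogger("ipa-client-install")


class NoServiceError(Exception):
    """Mirrors SSSDConfig.NoServiceError from the traceback above."""


class FakeSSSDConfig:
    """Constructed stand-in for SSSDConfig.SSSDConfig (not the real class).
    `known`: services sssd.api.conf knows; `conf`: sections in sssd.conf."""

    def __init__(self, known, conf):
        self._known = set(known)
        self._conf = dict(conf)
        self.active = []

    def list_services(self):            # assumed SSSDConfig method name
        return sorted(self._known)

    def new_service(self, name):        # assumed SSSDConfig method name
        if name not in self._known:
            raise NoServiceError(name)
        self._conf.setdefault(name, {})

    def activate_service(self, name):   # the call that crashed the install
        if name not in self._conf:
            raise NoServiceError(name)
        if name not in self.active:
            self.active.append(name)


def enable_ssh_service(sssdconfig, name="ssh"):
    """Enable SSSD's ssh responder if this SSSD build has one.

    Returns True when the service is active afterwards, False when the
    installed SSSD (< 1.8.0) does not know the service at all; never raises.
    """
    if name not in sssdconfig.list_services():
        log.warning("SSSD has no '%s' service, skipping SSH setup", name)
        return False
    try:
        sssdconfig.activate_service(name)
    except NoServiceError:
        # The case reported above: [ssh] exists in sssd.api.conf but not in
        # sssd.conf. Create the section first, then activate it.
        sssdconfig.new_service(name)
        sssdconfig.activate_service(name)
    return True
```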



