[Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

Jan Cholasta jcholast at redhat.com
Thu Mar 1 16:01:20 UTC 2012


On 29.2.2012 15:00, Martin Kosek wrote:
> On Wed, 2012-02-29 at 14:44 +0100, Jan Cholasta wrote:
>> On 29.2.2012 14:24, Martin Kosek wrote:
>>> On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:
>>>> On 28.2.2012 23:42, Rob Crittenden wrote:
>>>>> Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> this patch configures the new SSH features of SSSD in ipa-client-install.
>>>>>>
>>>>>> To test it, you need to have SSSD 1.8.0 installed.
>>>>>>
>>>>>> Honza
>>>>>>
>>>>>
>>>>>
>>>>> Is there a better name for 'GlobalKnownHostsFile2'?
>>>>
>>>> What do you mean? The option name or the file name? Either way, I don't
>>>> think there is a better name.
>>>>
>>>>>
>>>>> When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was
>>>>> an unknown option in all.
>>>>
>>>> It's in openssh in RHEL 6.0.
>>>>
>>>>>
>>>>> Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy
>>>>> and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file?
>>>>
>>>> It depends. Do we want to support clients with SSSD < 1.8.0?
>>>>
>>>>>
>>>>> How would you recommend testing this? Enroll a client and try to log
>>>>> into the IPA server?
>>>>
>>>> To test host authentication, you need an IPA host with SSH public keys
>>>> set (which is done automatically in ipa-client-install, so any IPA host
>>>> should work) and try to ssh into that host from other (actually, it can
>>>> be the same) IPA host. You should not see "The authenticity of host ...
>>>> can't be established" ssh message.
>>>>
>>>> To test user authentication, you need an IPA user with SSH public keys
>>>> set. To do that, you need to set the public keys using ipa user-mod. You
>>>> should then be able to authenticate using your private key on any IPA host.
>>>>
>>>>>
>>>>> rob
>>>>
>>>> Honza
>>>>
>>>
>>> I get this exception when running ipa-client-install with your patch.
>>>
>>> # ipa-client-install --enable-dns-updates
>>> Discovery was successful!
>>> Hostname: vm-138.idm.lab.bos.redhat.com
>>> Realm: IDM.LAB.BOS.REDHAT.COM
>>> DNS Domain: idm.lab.bos.redhat.com
>>> IPA Server: vm-068.idm.lab.bos.redhat.com
>>> BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>
>>>
>>> Continue to configure the system with these values? [no]: y
>>> User authorized to enroll computers: admin
>>> Synchronizing time with KDC...
>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>> Password for admin at IDM.LAB.BOS.REDHAT.COM:
>>>
>>> Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
>>> Created /etc/ipa/default.conf
>>> Traceback (most recent call last):
>>>     File "/usr/sbin/ipa-client-install", line 1514, in <module>
>>>       sys.exit(main())
>>>     File "/usr/sbin/ipa-client-install", line 1501, in main
>>>       rval = install(options, env, fstore, statestore)
>>>     File "/usr/sbin/ipa-client-install", line 1326, in install
>>>       if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
>>> options):
>>>     File "/usr/sbin/ipa-client-install", line 711, in configure_sssd_conf
>>>       sssdconfig.activate_service('ssh')
>>>     File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1516, in
>>> activate_service
>>>       raise NoServiceError
>>> SSSDConfig.NoServiceError
>>>
>>>
>>> SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64
>>>
>>> Martin
>>>
>>
>> Does your /etc/sssd/sssd.conf and /usr/share/sssd/sssd.api.conf contain
>> [ssh] section?
>>
>
> sssd.api.conf did contain the ssh section:
>
> # grep -C 3 ssh /usr/share/sssd/sssd.api.conf
> # autofs service
> autofs_negative_timeout = int, None, false
>
> [ssh]
> # ssh service
>
> [provider]
> #Available provider types
>
>
> sssd.conf did not.
>
>
> Either case, we should not crash but handle the issue in some more
> friendly way.
>
> Martin
>

Patch updated with more defensive code.

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-69.1-ssh-install-config-sssd.patch
Type: text/x-patch
Size: 4802 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120301/32b41c2c/attachment.bin>
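As an added illustration of the "more defensive code" Jan mentions (this is example code, not the attached patch): the traceback above shows `sssdconfig.activate_service('ssh')` raising `NoServiceError` when sssd.conf has no [ssh] section even though sssd.api.conf knows the service. The snippet below creates the missing section first and degrades gracefully when the installed SSSD has no ssh service at all. The real installer uses the SSSDConfig module shipped with SSSD; to run offline, a constructed stand-in models only the schema-vs-config distinction. The names `activate_service` and `NoServiceError` come from the traceback; `new_service`, `list_services`, `list_active_services` and `ServiceNotRecognizedError` are assumed to match the real module.

```python
# Added example (not the patch from the thread): enable the SSSD "ssh"
# service without crashing ipa-client-install when the [ssh] section is
# absent from sssd.conf or unknown to the installed SSSD.
import logging

log = logging.getLogger("ipa-client-install")


class NoServiceError(Exception):
    """Service section is missing from sssd.conf (seen in the traceback)."""


class ServiceNotRecognizedError(Exception):
    """Installed SSSD has no schema for the service (assumed name)."""


class FakeSSSDConfig:
    """Constructed stand-in for SSSDConfig.SSSDConfig, not the real class.

    schema_services: services listed in sssd.api.conf (what SSSD supports)
    config_services: sections present in sssd.conf (what is configured)
    """

    def __init__(self, schema_services, config_services, active=()):
        self._schema = set(schema_services)
        self._services = set(config_services)
        self._active = set(active)

    def list_services(self):
        return sorted(self._services)

    def list_active_services(self):
        return sorted(self._active)

    def new_service(self, name):
        if name not in self._schema:
            raise ServiceNotRecognizedError(name)
        self._services.add(name)

    def activate_service(self, name):
        if name not in self._services:
            raise NoServiceError(name)
        self._active.add(name)


def enable_sssd_ssh(sssdconfig):
    """Return True if the ssh service is now active, False if this SSSD cannot
    provide it; never lets NoServiceError escape and abort the enrollment."""
    if "ssh" not in sssdconfig.list_services():
        try:
            sssdconfig.new_service("ssh")  # add the missing [ssh] section
        except ServiceNotRecognizedError:
            log.error("Unable to activate the SSH service in SSSD config; "
                      "SSSD 1.8.0 or later with SSH support is required.")
            return False
    sssdconfig.activate_service("ssh")
    return "ssh" in sssdconfig.list_active_services()
```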

