[Freeipa-devel] [PATCHES] 59-65 SSH public key management

Jan Cholasta jcholast at redhat.com
Mon Jan 2 08:25:01 UTC 2012


On 15.12.2011 22:03, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 7.12.2011 17:28, Jan Cholasta wrote:
>>> [PATCH] 65 Configure ssh and sshd during ipa-client-install.
>>>
>>> For ssh, VerifyHostKeyDNS option is enabled.
>>>
>>> For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM
>>> options are enabled (this can be disabled using --no-sshd
>>> ipa-client-install option).
>>>
>>
>> Changed this not to implicitly trust DNS, as discussed on yesterday's
>> meeting. You can make SSH trust DNS explicitly using --ssh-trust-dns
>> ipa-client-install option.
>>
>> Honza
>>
>
> Traceback if ipaserver package is not installed.
>
> # ipa-client-install
> [snip]
> Created /etc/ipa/default.conf
> ipa : ERROR cannot import plugins sub-package
> ipaserver.install.plugins.plugins: No module named
> ipaserver.install.plugins
> Traceback (most recent call last):
> File "/usr/sbin/ipa-client-install", line 1474, in <module>
> sys.exit(main())
> File "/usr/sbin/ipa-client-install", line 1461, in main
> rval = install(options, env, fstore, statestore)
> File "/usr/sbin/ipa-client-install", line 1277, in install
> api.finalize()
> File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 656, in
> finalize
> self.__do_if_not_done('load_plugins')
> File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 452, in
> __do_if_not_done
> getattr(self, name)()
> File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 599, in
> load_plugins
> self.import_plugins('ipaserver/install/plugins')
> File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 625, in
> import_plugins
> raise e
> ImportError: No module named ipaserver.install.plugins
>
> You need to use a context other than 'installer'. I used 'cli_installer'
> to proceed.

OK.

>
> Is this what I should expect when logging into an enrolled client:
>
> $ slogin -v doberman.example.com
> [ snip ]
> debug1: matching host key fingerprint found in DNS
> The authenticity of host 'doberman.example.com. (192.168.186.9)' can't
> be established.
> RSA key fingerprint is 99:4a:4e:7f:4e:79:56:f6:00:4a:db:67:63:24:77:79.
> Matching host key fingerprint found in DNS.
> Are you sure you want to continue connecting (yes/no)?
>
> That part seems to be working, I guess I didn't expect to be asked.
>
> When I tested without DNS it said something about key not found in DNS
> as I would expect.

That's because I have set VerifyHostKeyDNS to "ask" by default. It can 
easily be changed to "no", if that's what we want.

>
> I'm unable to add another pub key:
> $ ipa user-mod --addattr ipasshpubkey=<BIGKEY>== tuser1
> ipa: ERROR: invalid 'ipasshpubkey': must be binary data
>
> $ ipa user-mod --sshpubkey=<BIGKEY>== tuser1
> [SUCCESS]

Will fix.

>
> I wonder if normalize_ssh_pubkeys should not be validate_ssh_pubkeys().
> It isn't really converting them to some common format, just confirming
> that they are valid keys, right?

Well, it does the base64-decoding of the key blob. But I agree, 
"normalize" is probably not the right name for this kind of operation.

>
> rob

Honza

-- 
Jan Cholasta
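The thread above touches two pieces of the mechanics: what "validating" an ipasshpubkey value actually involves (base64-decoding the blob and checking it really is a key of the declared type, which is why "normalize" is a misleading name), and what the client compares when VerifyHostKeyDNS reports a "matching host key fingerprint found in DNS" (an SSHFP record holding a hash of that same decoded blob). The following is an added example written for this page, not FreeIPA's normalize_ssh_pubkeys or any other project code; the function names are hypothetical, the SSHFP algorithm and hash-type numbers follow RFC 4255/6594/7479, and the sample key is constructed from arbitrary numbers in the code itself rather than being a real key pair.

```python
"""Parse and validate OpenSSH public-key lines (RFC 4253 wire format).

Added example for this thread; not FreeIPA code. The sample RSA key below is
built from constructed values and is not a usable key.
"""
import base64
import binascii
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255: 1 = RSA; RFC 7479: 4 = Ed25519).
# The SSHFP fingerprint is computed over the base64-decoded key blob.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-ed25519": 4}


def _ssh_string(data):
    """Encode bytes as an SSH 'string': 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """Encode a non-negative integer as a minimal SSH 'mpint' (sign bit kept clear)."""
    if n == 0:
        return _ssh_string(b"")
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob, offset):
    """Read one SSH 'string' starting at offset; raise ValueError if truncated."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string payload")
    return blob[start:end], end


def validate_ssh_pubkey(line):
    """Validate one '<type> <base64 blob> [comment]' line.

    Returns a dict with the key type, decoded blob, comment and display
    fingerprints, or raises ValueError explaining why the line is rejected.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("key blob is not valid base64: %s" % exc)
    # The first field inside the blob repeats the key type; both must agree.
    embedded_type, offset = _read_string(blob, 0)
    if embedded_type.decode("ascii", "replace") != key_type:
        raise ValueError("blob type %r does not match declared type %r"
                         % (embedded_type, key_type))
    if key_type == "ssh-rsa":
        _, offset = _read_string(blob, offset)  # public exponent e
        _, offset = _read_string(blob, offset)  # modulus n
    elif key_type == "ssh-ed25519":
        point, offset = _read_string(blob, offset)
        if len(point) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
    else:
        raise ValueError("unsupported key type %r" % key_type)
    if offset != len(blob):
        raise ValueError("trailing bytes after key material")
    digest = hashlib.sha256(blob).digest()
    return {
        "type": key_type,
        "blob": blob,
        "comment": comment,
        # Colon-separated MD5 hex, the form older OpenSSH prints in the log above.
        "md5": ":".join("%02x" % b for b in hashlib.md5(blob).digest()),
        # Modern OpenSSH display form: SHA256:<unpadded base64>.
        "sha256": "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode(),
    }


def is_valid_ssh_pubkey(line):
    """Boolean wrapper of validate_ssh_pubkey for filters and tests."""
    try:
        validate_ssh_pubkey(line)
    except ValueError:
        return False
    return True


def sshfp_records(line, owner="host.example.com."):
    """Return the SSHFP RRs (SHA-1 type 1, SHA-256 type 2) a zone would carry."""
    key = validate_ssh_pubkey(line)
    alg = SSHFP_ALGORITHM[key["type"]]
    return [
        "%s IN SSHFP %d 1 %s" % (owner, alg, hashlib.sha1(key["blob"]).hexdigest()),
        "%s IN SSHFP %d 2 %s" % (owner, alg, hashlib.sha256(key["blob"]).hexdigest()),
    ]


def make_sample_rsa_line(e=65537, n=0xC0FFEE1234567890ABCDEF, comment="constructed@example"):
    """Build a syntactically valid ssh-rsa line from constructed (not real) values."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    sample = make_sample_rsa_line()
    info = validate_ssh_pubkey(sample)
    print(info["type"], info["md5"], info["sha256"], info["comment"])
    for rr in sshfp_records(sample):
        print(rr)
    for bad in ("ssh-rsa notbase64!!!", "ssh-ed25519 " + sample.split()[1]):
        print("rejected:", bad[:30], "->", is_valid_ssh_pubkey(bad))
```

The type check between the declared prefix and the string embedded in the blob is the part a plain base64 round-trip misses, and it is exactly the kind of check that makes the operation a validation rather than a normalization. The same decoded blob feeds both the fingerprint the client prints and the SSHFP digest it looks up in DNS, which is why the two must be computed over the binary form and not over the base64 text.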
