[Freeipa-devel] [PATCHES] 59-65 SSH public key management

Rob Crittenden rcritten at redhat.com
Tue Jan 24 22:11:25 UTC 2012


Jan Cholasta wrote:
> I have updated and rebased the patches:
>
>
> [PATCH] 59 Add LDAP schema for SSH public keys.
>
> No changes.
>
> [PATCH] 60 Add LDAP ACIs for SSH public key schema.
> Requires patch 59.
>
> No changes.
>
> [PATCH] 61 Add support for SSH public keys to user and host objects.
> Requires patch 59 and 66.
>
> Added new virtual attribute for SSH public key fingerprints to both user
> and host.
>
> The ipasshuser and ipasshhost objectclasses are now automatically added
> to user and host objects when necessary.
>
> The --addattr issue is fixed in patch 66.
>
> [PATCH] 62 Add API initialization to ipa-client-install.
>
> Changed API context to "cli_installer".
>
> [PATCH] 63 Move the nsupdate functionality to separate function in
> ipa-client-install.
>
> No changes.
>
> [PATCH] 64 Update host SSH public keys on the server during client install.
> Requires patch 59, 61, 62, 63, 66 and 67.
>
> The host SSH public keys are now loaded from a platform-specific
> location instead of /etc/ssh.
>
> [PATCH] 65 Configure ssh and sshd during ipa-client-install.
> Requires patch 67.
>
> The configuration files are now looked for in a platform-specific
> location instead of /etc/ssh.
>
>
> Also I have added 2 new patches to the patchset:
>
>
> [PATCH] 66 Base64-decode unicode values in Bytes parameters.
>
> Fix wrong handling of strings in --setattr/--addattr/--delattr.
>
> These changes make it possible to use Bytes in
> --setattr/--addattr/--delattr without errors.
>
> It might seem that this patch breaks the API, but it does not. Bytes
> parameters are currently used only for the certificate attribute of host and
> service objects, and these attributes are normalized using ipalib.x509
> functions, so both raw binary values and base64-encoded values are
> accepted. I have checked that the old client works with the new server without
> problems.
>
> [PATCH] 67 Add SSH service to platform-specific services.
>
> Add method for getting configuration directory path of a service, so
> that a different SSH configuration directory can be specified on
> different platforms.
>
>
> Honza
>

FYI, the schema change in 59.1 didn't apply cleanly in 2.2.

This patch set lacks a way to upgrade an existing install to support SSH 
keys.

Patch 61: you can drop the md5 and sha1 imports and import them from 
ipalib.compat instead.

Patch 65: should there be a way to set --ssh-trust-dns on master installs?

66 is ACK and I think can be pushed separately.

67: not to be too pedantic, but it would read better if the sshd service 
started on its own line.

I installed my system with DNS and added VerifyHostKeyDNS to my 
ssh_config on both my client and server but both sides still said the 
host key couldn't be found in DNS. Not sure if it is something I 
did/didn't do or not.

I like showing just the fingerprint by default, it is much nicer than 
the whole key.

This fails:

$ ipa user-mod --delattr ipasshpubkey=<bigkey_not_in_entry> tuser1

[Tue Jan 24 16:41:52 2012] [error] ipa: ERROR: non-public: UnicodeDecodeError: 'utf8' codec can't decode byte 0x91 in position 21: invalid start byte
[Tue Jan 24 16:41:52 2012] [error] Traceback (most recent call last):
[Tue Jan 24 16:41:52 2012] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 230, in wsgi_execute
[Tue Jan 24 16:41:52 2012] [error]     result = self.Command[name](*args, **options)
[Tue Jan 24 16:41:52 2012] [error]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 438, in __call__
[Tue Jan 24 16:41:52 2012] [error]     ret = self.run(*args, **options)
[Tue Jan 24 16:41:52 2012] [error]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 696, in run
[Tue Jan 24 16:41:52 2012] [error]     return self.execute(*args, **options)
[Tue Jan 24 16:41:52 2012] [error]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1106, in execute
[Tue Jan 24 16:41:52 2012] [error]     self.process_attr_options(entry_attrs, dn, keys, options)
[Tue Jan 24 16:41:52 2012] [error]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 784, in process_attr_options
[Tue Jan 24 16:41:52 2012] [error]     raise errors.AttrValueNotFound(attr=attr, value=delval)
[Tue Jan 24 16:41:52 2012] [error]   File "/usr/lib/python2.7/site-packages/ipalib/errors.py", line 268, in __init__
[Tue Jan 24 16:41:52 2012] [error]     self.strerror = ugettext(self.format) % kw
[Tue Jan 24 16:41:52 2012] [error]   File "/usr/lib/python2.7/site-packages/ipalib/text.py", line 248, in __mod__
[Tue Jan 24 16:41:52 2012] [error]     return self.__unicode__() % kw
[Tue Jan 24 16:41:52 2012] [error] UnicodeDecodeError: 'utf8' codec can't decode byte 0x91 in position 21: invalid start byte

This is very, very close.

rob
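
An added example, not code from FreeIPA or from either poster, illustrating two points of this thread: the Bytes normalization Jan describes for patch 66 (raw binary passes through, a text value is base64-decoded) and the failure in Rob's traceback, where raw key bytes containing 0x91 cannot be decoded as UTF-8 for an error message, so the message is built from the key's MD5 fingerprint instead, in the spirit of the virtual attribute from patch 61. The function names, the message wording and the sample key blob are all constructed here and are not FreeIPA's.

```python
import base64
import binascii
import hashlib
import struct

def ssh_string(data):
    """Length-prefixed string in OpenSSH wire format."""
    return struct.pack(">I", len(data)) + data

# Constructed sample: a structurally valid ssh-rsa blob with tiny fabricated e
# and n (not a real key). The 0x91 byte in n is deliberately not valid UTF-8.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\x91\x41\x2d")
SAMPLE_KEY_LINE = "ssh-rsa %s user@example.test" % base64.b64encode(SAMPLE_BLOB).decode("ascii")

def normalize_bytes_param(value):
    """Raw bytes pass through; a text value must be valid base64 (as patch 66 describes)."""
    if isinstance(value, bytes):
        return value
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("value is neither raw binary nor valid base64") from exc

def key_blob_from_line(line):
    """Parse 'ssh-rsa AAAA... comment'; the blob must begin with the stated type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = normalize_bytes_param(parts[1])
    if not blob.startswith(ssh_string(parts[0].encode("ascii"))):
        raise ValueError("key blob does not match the stated key type")
    return blob

def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint, the format OpenSSH printed at the time."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def decodes_as_utf8(blob):
    """False for raw key bytes such as the 0x91 one in the traceback above."""
    try:
        blob.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def attr_value_not_found_message(attr, value):
    """Error text built from the fingerprint, never from the raw key bytes."""
    fingerprint = md5_fingerprint(normalize_bytes_param(value))
    return "%s does not contain a key with fingerprint %s" % (attr, fingerprint)
```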
