[Freeipa-devel] [PATCHES] 59-65 SSH public key management

Jan Cholasta jcholast at redhat.com
Wed Jan 25 08:38:42 UTC 2012


On 24.1.2012 23:11, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> I have updated and rebased the patches:
>>
>>
>> [PATCH] 59 Add LDAP schema for SSH public keys.
>>
>> No changes.
>>
>> [PATCH] 60 Add LDAP ACIs for SSH public key schema.
>> Requires patch 59.
>>
>> No changes.
>>
>> [PATCH] 61 Add support for SSH public keys to user and host objects.
>> Requires patch 59 and 66.
>>
>> Added new virtual attribute for SSH public key fingerprints to both user
>> and host.
>>
>> The ipasshuser and ipasshhost objectclasses are now automatically added
>> to user and host objects when necessary.
>>
>> The --addattr issue is fixed in patch 66.
>>
>> [PATCH] 62 Add API initialization to ipa-client-install.
>>
>> Changed API context to "cli_installer".
>>
>> [PATCH] 63 Move the nsupdate functionality to separate function in
>> ipa-client-install.
>>
>> No changes.
>>
>> [PATCH] 64 Update host SSH public keys on the server during client
>> install.
>> Requires patch 59, 61, 62, 63, 66 and 67.
>>
>> The host SSH public keys are now loaded from a platform specific
>> location instead of /etc/ssh.
>>
>> [PATCH] 65 Configure ssh and sshd during ipa-client-install.
>> Requires patch 67.
>>
>> The configuration files are now looked for in a platform specific
>> location instead of /etc/ssh.
>>
>>
>> Also I have added 2 new patches to the patchset:
>>
>>
>> [PATCH] 66 Base64-decode unicode values in Bytes parameters.
>>
>> Fix wrong handling of strings in --setattr/--addattr/--delattr.
>>
>> These changes make it possible to use Bytes in
>> --setattr/--addattr/--delattr without errors.
>>
>> It might seem that this patch breaks the API, but it does not. Bytes
>> parameters are currently used only for certificate attribute of host and
>> service objects and these attributes are normalized using ipalib.x509
>> functions, so both raw binary values and base64-encoded values are
>> accepted. I have checked that old client works with new server without
>> problems.
>>
>> [PATCH] 67 Add SSH service to platform-specific services.
>>
>> Add method for getting configuration directory path of a service, so
>> that a different SSH configuration directory can be specified on
>> different platforms.
>>
>>
>> Honza
>>
>
> FYI, the schema change in 59.1 didn't apply cleanly in 2.2.

I did all the patches on top of master. Should I rebase them to ipa-2-2?

>
> This patch set lacks a way to upgrade an existing install to support SSH
> keys.

I will create a patch with the update files.

>
> Patch 61 you can drop the md5 and sha1 imports and import them from
> ipalib.compat instead.

Is this OK in ipapython?

>
> Patch 65 should there be a way to set --ssh-trust-dns on master installs?

Possibly. Should I add the ssh-related command-line options of 
ipa-client-install to ipa-server-install as well?

>
> 66 is ACK and I think can be pushed separately.
>
> 67 not to be too pedantic but it would read better if the sshd service
> started on its own line.

I'm not sure I follow.

>
> I installed my system with DNS and added VerifyHostKeyDNS to my
> ssh_config on both my client and server but both sides still said the
> host key couldn't be found in DNS. Not sure if it is something I
> did/didn't do or not.

Make sure that both use IPA DNS server and that the SSHFP records exist 
(they should be created automatically in ipa-client-install, or ipa 
host-mod with --updatedns).

>
> I like showing just the fingerprint by default, it is much nicer than
> the whole key.

I think so :-)

>
> This fails:
>
> $ ipa user-mod --delattr ipasshpubkey=<bigkey_not_in_entry> tuser1
>
> [Tue Jan 24 16:41:52 2012] [error] ipa: ERROR: non-public:
> UnicodeDecodeError: 'utf8' codec can't decode byte 0x91 in position 21:
> invalid start byte
> [Tue Jan 24 16:41:52 2012] [error] Traceback (most recent call last):
> [Tue Jan 24 16:41:52 2012] [error] File
> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 230, in
> wsgi_execute
> [Tue Jan 24 16:41:52 2012] [error] result = self.Command[name](*args,
> **options)
> [Tue Jan 24 16:41:52 2012] [error] File
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 438, in
> __call__
> [Tue Jan 24 16:41:52 2012] [error] ret = self.run(*args, **options)
> [Tue Jan 24 16:41:52 2012] [error] File
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 696, in run
> [Tue Jan 24 16:41:52 2012] [error] return self.execute(*args, **options)
> [Tue Jan 24 16:41:52 2012] [error] File
> "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line
> 1106, in execute
> [Tue Jan 24 16:41:52 2012] [error]
> self.process_attr_options(entry_attrs, dn, keys, options)
> [Tue Jan 24 16:41:52 2012] [error] File
> "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 784,
> in process_attr_options
> [Tue Jan 24 16:41:52 2012] [error] raise
> errors.AttrValueNotFound(attr=attr, value=delval)
> [Tue Jan 24 16:41:52 2012] [error] File
> "/usr/lib/python2.7/site-packages/ipalib/errors.py", line 268, in __init__
> [Tue Jan 24 16:41:52 2012] [error] self.strerror = ugettext(self.format)
> % kw
> [Tue Jan 24 16:41:52 2012] [error] File
> "/usr/lib/python2.7/site-packages/ipalib/text.py", line 248, in __mod__
> [Tue Jan 24 16:41:52 2012] [error] return self.__unicode__() % kw
> [Tue Jan 24 16:41:52 2012] [error] UnicodeDecodeError: 'utf8' codec
> can't decode byte 0x91 in position 21: invalid start byte

Good catch, will fix (as part of patch 66, so self-NACK on the current 
version).

>
> This is very, very close.
>
> rob

Honza

-- 
Jan Cholasta
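The VerifyHostKeyDNS discussion above turns on the SSHFP records that ipa-client-install (or ipa host-mod --updatedns) publishes for a host: ssh compares a fingerprint of the key blob the server presents against the SSHFP RRs it finds in DNS. The following is an added example, not code from this thread or from the FreeIPA patches, showing how such records are derived from an OpenSSH public key line (algorithm number, fingerprint type, hex digest of the raw blob, as ssh-keygen -r prints them) and how a presented key is checked against a record set. The hostname, the sample ed25519 key blob (fixed bytes, not a real key) and the function names are assumptions made for the example.

```python
"""Added example (not FreeIPA code): build SSHFP resource records from an
OpenSSH public key line and check a presented key against them, the way
ssh's VerifyHostKeyDNS does.  The sample key below is constructed."""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255 / 6594 / 7479) and fingerprint types.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPES = {1: "sha1", 2: "sha256"}


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes):
    """Decode the first wire-format string in blob; return (value, rest)."""
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("truncated key blob")
    return blob[4:4 + n], blob[4 + n:]


def parse_pubkey_line(line: str):
    """Parse 'type base64blob [comment]' and verify that the type string
    embedded in the blob agrees with the declared type (a mismatch means
    the line was edited or corrupted and must not be published)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    keytype, b64 = parts[0], parts[1]
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError("unsupported key type %r" % keytype)
    blob = base64.b64decode(b64, validate=True)
    embedded, _ = _read_ssh_string(blob)
    if embedded != keytype.encode():
        raise ValueError("blob type %r does not match %r" % (embedded, keytype))
    return keytype, blob


def fingerprint_hex(blob: bytes, fptype: int) -> str:
    """Hex digest of the raw key blob for the given SSHFP fingerprint type."""
    return hashlib.new(SSHFP_FPTYPES[fptype], blob).hexdigest()


def sshfp_records(hostname: str, line: str):
    """Return the SSHFP RRs for one key, in the form ssh-keygen -r prints."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS[keytype]
    return ["%s IN SSHFP %d %d %s" % (hostname, alg, fpt, fingerprint_hex(blob, fpt))
            for fpt in sorted(SSHFP_FPTYPES)]


def matches_sshfp(line: str, records):
    """True if the presented key matches one (alg, fptype, hex) tuple; the
    algorithm number must agree as well as the digest, as in ssh."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS[keytype]
    for r_alg, r_fpt, r_hex in records:
        if r_alg == alg and r_fpt in SSHFP_FPTYPES and \
                fingerprint_hex(blob, r_fpt) == r_hex.lower():
            return True
    return False


# Constructed sample: an ed25519 wire blob with a fixed 32-byte "public key"
# (all 0x42).  Valid structure, not a real key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x42" * 32)
SAMPLE_LINE = "ssh-ed25519 %s root@client.example.test" % (
    base64.b64encode(SAMPLE_BLOB).decode())

if __name__ == "__main__":
    for rr in sshfp_records("client.example.test.", SAMPLE_LINE):
        print(rr)
```

Running the block prints two records (fingerprint types 1 and 2) for the sample key; ssh with VerifyHostKeyDNS set only trusts such records when they come from the resolver it actually uses, which is why both client and server have to point at the IPA DNS server for the check to succeed.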
