[Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install
Martin Kosek
mkosek at redhat.com
Wed Feb 29 13:24:48 UTC 2012
On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:
> On 28.2.2012 23:42, Rob Crittenden wrote:
> > Jan Cholasta wrote:
> >> Hi,
> >>
> >> this patch configures the new SSH features of SSSD in ipa-client-install.
> >>
> >> To test it, you need to have SSSD 1.8.0 installed.
> >>
> >> Honza
> >>
> >
> >
> > Is there a better name for 'GlobalKnownHostsFile2'?
>
> What do you mean? The option name or the file name? Either way, I don't
> think there is a better name.
>
> >
> > When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was
> > an unknown option in all.
>
> It's in openssh in RHEL 6.0.
>
> >
> > Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy
> > and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file?
>
> It depends. Do we want to support clients with SSSD < 1.8.0?
>
> >
> > How would you recommend testing this? Enroll a client and try to log
> > into the IPA server?
>
> To test host authentication, you need an IPA host with SSH public keys
> set (which is done automatically in ipa-client-install, so any IPA host
> should work) and try to ssh into that host from other (actually, it can
> be the same) IPA host. You should not see "The authenticity of host ...
> can't be established" ssh message.
>
> To test user authentication, you need an IPA user with SSH public keys
> set. To do that, you need to set the public keys using ipa user-mod. You
> should then be able to authenticate using your private key on any IPA host.
>
> >
> > rob
>
> Honza
>
I get this exception when running ipa-client-install with your patch.
# ipa-client-install --enable-dns-updates
Discovery was successful!
Hostname: vm-138.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-068.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admin@IDM.LAB.BOS.REDHAT.COM:
Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1514, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1501, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1326, in install
    if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
  File "/usr/sbin/ipa-client-install", line 711, in configure_sssd_conf
    sssdconfig.activate_service('ssh')
  File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1516, in activate_service
    raise NoServiceError
SSSDConfig.NoServiceError
SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64
Martin
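The two points raised in the thread (checking that /usr/bin/sss_ssh_knownhostsproxy and /usr/bin/sss_ssh_authorizedkeys exist before writing them into ssh/sshd config, and the NoServiceError that SSSDConfig.activate_service('ssh') raises when the installed SSSD does not know the ssh service) can be put together as the following added example. It is not code from the patch or from FreeIPA; the FakeSSSDConfig and NoServiceError classes are stand-ins for the real SSSDConfig module so the logic runs without SSSD installed, and the exact argument form of the PubKeyAgent directive and the /var/lib/sss/pubconf/known_hosts path are assumptions, not values given in the thread.

```python
"""Added example: gate SSH/SSSD integration on the helper binaries actually
present, and tolerate an SSSD whose config schema lacks the 'ssh' service."""
import os

# Helper paths named in the thread (Fedora/RHEL locations of the SSSD helpers).
KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
# Assumption: file SSSD maintains for host-key lookups via the proxy.
SSS_KNOWN_HOSTS = "/var/lib/sss/pubconf/known_hosts"


def plan_ssh_config(exists=os.path.exists):
    """Return (ssh_config_lines, sshd_config_lines) for the helpers that exist.

    `exists` is injectable so the decision logic can be tested on a host
    without SSSD; the default checks the real filesystem."""
    ssh_lines = []
    sshd_lines = []
    if exists(KNOWNHOSTSPROXY):
        # Client side: host keys are fetched from IPA through the proxy, and
        # GlobalKnownHostsFile2 (option name from the thread) points at the
        # file the proxy keeps up to date.
        ssh_lines.append("ProxyCommand %s -p %%p %%h" % KNOWNHOSTSPROXY)
        ssh_lines.append("GlobalKnownHostsFile2 %s" % SSS_KNOWN_HOSTS)
    if exists(AUTHORIZEDKEYS):
        # Server side: PubKeyAgent (option name from the thread) asks SSSD for
        # the user's public keys; the "%u" argument form is an assumption.
        sshd_lines.append("PubKeyAgent %s %%u" % AUTHORIZEDKEYS)
    return ssh_lines, sshd_lines


class NoServiceError(Exception):
    """Stand-in for SSSDConfig.NoServiceError (the real class ships with SSSD)."""


class FakeSSSDConfig(object):
    """Stand-in for an SSSDConfig object: like the real, schema-driven one, it
    only knows a fixed set of services and rejects unknown ones."""

    def __init__(self, known_services):
        self.known = set(known_services)
        self.active = set()

    def activate_service(self, name):
        if name not in self.known:
            raise NoServiceError(name)
        self.active.add(name)


def enable_sssd_ssh(sssdconfig):
    """Activate the 'ssh' responder; return False instead of aborting enrolment
    when the installed SSSD does not know the service (the traceback above)."""
    try:
        sssdconfig.activate_service('ssh')
    except NoServiceError:
        return False
    return True


if __name__ == "__main__":
    # Constructed run: pretend both helpers exist, then an SSSD without 'ssh'.
    print(plan_ssh_config(lambda path: True))
    print(enable_sssd_ssh(FakeSSSDConfig(['nss', 'pam'])))
```

In the real installer the except clause would name SSSDConfig.NoServiceError; the point is that a missing service is a "skip SSH integration" condition, not a fatal one, and that no directive referencing a helper binary is written unless that binary is on the host.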