[Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

Martin Kosek mkosek at redhat.com
Wed Feb 29 13:24:48 UTC 2012


On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:
> On 28.2.2012 23:42, Rob Crittenden wrote:
> > Jan Cholasta wrote:
> >> Hi,
> >>
> >> this patch configures the new SSH features of SSSD in ipa-client-install.
> >>
> >> To test it, you need to have SSSD 1.8.0 installed.
> >>
> >> Honza
> >>
> >
> >
> > Is there a better name for 'GlobalKnownHostsFile2'?
> 
> What do you mean? The option name or the file name? Either way, I don't 
> think there is a better name.
> 
> >
> > When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and it was
> > an unknown option in all.
> 
> It's in openssh in RHEL 6.0.
> 
> >
> > Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy
> > and /usr/bin/sss_ssh_authorizedkeys before setting it in a config file?
> 
> It depends. Do we want to support clients with SSSD < 1.8.0?
> 
> >
> > How would you recommend testing this? Enroll a client and try to log
> > into the IPA server?
> 
> To test host authentication, you need an IPA host with SSH public keys 
> set (which is done automatically in ipa-client-install, so any IPA host 
> should work) and try to ssh into that host from other (actually, it can 
> be the same) IPA host. You should not see "The authenticity of host ... 
> can't be established" ssh message.
> 
> To test user authentication, you need an IPA user with SSH public keys 
> set. To do that, you need to set the public keys using ipa user-mod. You 
> should then be able to authenticate using your private key on any IPA host.
> 
> >
> > rob
> 
> Honza
> 

I get this exception when running ipa-client-install with your patch.

# ipa-client-install --enable-dns-updates
Discovery was successful!
Hostname: vm-138.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-068.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com


Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admin at IDM.LAB.BOS.REDHAT.COM: 

Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1514, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1501, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1326, in install
    if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
  File "/usr/sbin/ipa-client-install", line 711, in configure_sssd_conf
    sssdconfig.activate_service('ssh')
  File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1516, in activate_service
    raise NoServiceError
SSSDConfig.NoServiceError


SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64

Martin
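Rob's question above (whether to check for /usr/bin/sss_ssh_authorizedkeys before writing it into sshd_config, and which option name this openssh actually accepts, given that PubKeyAgent is unknown outside RHEL 6.0) can be answered at install time. The following is an added example, not code from the patch under review or from ipa-client-install; the candidate option set and the use of `sshd -t -f /dev/null -o Key=Value` to probe option support are assumptions, and the probe itself is injectable so the selection logic can be exercised without a running sshd.

```python
#!/usr/bin/env python3
"""Choose sshd directives for SSSD-backed authorized keys only when the
SSSD helper exists and only in a spelling this sshd understands.
Added example; not ipa-client-install's own code."""
import os
import subprocess

# Helper path as named in the thread; absence means SSSD < 1.8.0 (assumed).
SSS_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"

# Assumed candidate directive sets, most widely supported spelling first;
# PubKeyAgent is the RHEL 6.0 openssh spelling, so it is tried last.
CANDIDATES = (
    {"AuthorizedKeysCommand": SSS_AUTHORIZEDKEYS,
     "AuthorizedKeysCommandUser": "nobody"},
    {"PubKeyAgent": "%s %%u" % SSS_AUTHORIZEDKEYS,
     "PubKeyAgentRunAs": "nobody"},
)


def sshd_accepts(options, run=subprocess.run):
    """True if sshd parses a config consisting only of these options.
    -f /dev/null keeps the host's real sshd_config out of the probe; an
    unknown option makes sshd exit non-zero before any other checks."""
    args = ["sshd", "-t", "-f", "/dev/null"]
    for key, value in options.items():
        args += ["-o", "%s=%s" % (key, value)]
    try:
        return run(args, capture_output=True).returncode == 0
    except OSError:  # sshd not installed: nothing to configure
        return False


def pick_authorized_keys_options(helper_exists=os.path.isfile,
                                 accepts=sshd_accepts):
    """Return the first directive set this host supports, or None when the
    SSSD helper is missing or no spelling is accepted (write nothing)."""
    if not helper_exists(SSS_AUTHORIZEDKEYS):
        return None
    for candidate in CANDIDATES:
        if accepts(candidate):
            return candidate
    return None


def render(options):
    """Format a directive set as sshd_config lines."""
    return "".join("%s %s\n" % item for item in options.items())
```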
