[Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

Rob Crittenden rcritten at redhat.com
Fri Mar 2 03:56:20 UTC 2012


Jan Cholasta wrote:
> On 29.2.2012 15:00, Martin Kosek wrote:
>> On Wed, 2012-02-29 at 14:44 +0100, Jan Cholasta wrote:
>>> On 29.2.2012 14:24, Martin Kosek wrote:
>>>> On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:
>>>>> On 28.2.2012 23:42, Rob Crittenden wrote:
>>>>>> Jan Cholasta wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> this patch configures the new SSH features of SSSD in
>>>>>>> ipa-client-install.
>>>>>>>
>>>>>>> To test it, you need to have SSSD 1.8.0 installed.
>>>>>>>
>>>>>>> Honza
>>>>>>>
>>>>>>
>>>>>>
>>>>>> Is there a better name for 'GlobalKnownHostsFile2'?
>>>>>
>>>>> What do you mean? The option name or the file name? Either way, I
>>>>> don't
>>>>> think there is a better name.
>>>>>
>>>>>>
>>>>>> When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and
>>>>>> it was
>>>>>> an unknown option in all.
>>>>>
>>>>> It's in openssh in RHEL 6.0.
>>>>>
>>>>>>
>>>>>> Should you test for the existence of /usr/bin/sss_ssh_knownhostsproxy
>>>>>> and /usr/bin/sss_ssh_authorizedkeys before setting it in a config
>>>>>> file?
>>>>>
>>>>> It depends. Do we want to support clients with SSSD< 1.8.0?
>>>>>
>>>>>>
>>>>>> How would you recommend testing this? Enroll a client and try to log
>>>>>> into the IPA server?
>>>>>
>>>>> To test host authentication, you need an IPA host with SSH public keys
>>>>> set (which is done automatically in ipa-client-install, so any IPA
>>>>> host
>>>>> should work) and try to ssh into that host from other (actually, it
>>>>> can
>>>>> be the same) IPA host. You should not see "The authenticity of host
>>>>> ...
>>>>> can't be established" ssh message.
>>>>>
>>>>> To test user authentication, you need an IPA user with SSH public keys
>>>>> set. To do that, you need to set the public keys using ipa
>>>>> user-mod. You
>>>>> should then be able to authenticate using your private key on any
>>>>> IPA host.
>>>>>
>>>>>>
>>>>>> rob
>>>>>
>>>>> Honza
>>>>>
>>>>
>>>> I get this exception when running ipa-client-install with your patch.
>>>>
>>>> # ipa-client-install --enable-dns-updates
>>>> Discovery was successful!
>>>> Hostname: vm-138.idm.lab.bos.redhat.com
>>>> Realm: IDM.LAB.BOS.REDHAT.COM
>>>> DNS Domain: idm.lab.bos.redhat.com
>>>> IPA Server: vm-068.idm.lab.bos.redhat.com
>>>> BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>>
>>>>
>>>> Continue to configure the system with these values? [no]: y
>>>> User authorized to enroll computers: admin
>>>> Synchronizing time with KDC...
>>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>>> Password for admin at IDM.LAB.BOS.REDHAT.COM:
>>>>
>>>> Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
>>>> Created /etc/ipa/default.conf
>>>> Traceback (most recent call last):
>>>> File "/usr/sbin/ipa-client-install", line 1514, in <module>
>>>> sys.exit(main())
>>>> File "/usr/sbin/ipa-client-install", line 1501, in main
>>>> rval = install(options, env, fstore, statestore)
>>>> File "/usr/sbin/ipa-client-install", line 1326, in install
>>>> if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
>>>> options):
>>>> File "/usr/sbin/ipa-client-install", line 711, in configure_sssd_conf
>>>> sssdconfig.activate_service('ssh')
>>>> File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1516, in
>>>> activate_service
>>>> raise NoServiceError
>>>> SSSDConfig.NoServiceError
>>>>
>>>>
>>>> SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64
>>>>
>>>> Martin
>>>>
>>>
>>> Does your /etc/sssd/sssd.conf and /usr/share/sssd/sssd.api.conf contain
>>> [ssh] section?
>>>
>>
>> sssd.api.conf did contain the ssh section:
>>
>> # grep -C 3 ssh /usr/share/sssd/sssd.api.conf
>> # autofs service
>> autofs_negative_timeout = int, None, false
>>
>> [ssh]
>> # ssh service
>>
>> [provider]
>> #Available provider types
>>
>>
>> sssd.conf did not.
>>
>>
>> Either case, we should not crash but handle the issue in some more
>> friendly way.
>>
>> Martin
>>
>
> Patch updated with more defensive code.
>
> Honza
>

Needs a BuildRequires of sssd 1.8 or you get some pylint errors:

ipa-client/ipa-install/ipa-client-install:712: [E1101, 
configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service' 
member
ipa-client/ipa-install/ipa-client-install:723: [E1101, 
configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service' 
member
ipa-client/ipa-install/ipa-client-install:734: [E1101, 
configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service' 
member

Host keys work fine.

I wasn't able to get user ssh keys working but my server is still on 
F-15. I had a daily build of sssd (1.8.1) but it was missing 
/usr/libexec/sssd/sssd_ssh!? Too tired to work out why right now.

Two more things:

1. You will need explicit test cases for QE to test positive and 
negative login cases (it would have sped me along too).

2. You need to beef up the commit message to describe what this does 
(e.g. configure for knownhost support). commit message space is cheap, 
be verbose.

rob
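The two points raised in the thread, handling a missing [ssh] section without a traceback and checking that the SSSD helper binaries exist before writing them into ssh configuration, as an added example that is not ipa-client-install's, FreeIPA's or SSSD's code. It edits a constructed sssd.conf with configparser rather than the SSSDConfig API; the helper paths, the /var/lib/sss/pubconf/known_hosts location, the ProxyCommand arguments and the sshd option names are assumptions, not taken from the patch.

```python
"""Added example (not ipa-client-install or SSSDConfig code): enable SSSD's
ssh service in an sssd.conf and derive the ssh_config / sshd_config lines
that point at the SSSD helpers, with the two checks the thread asks for.
Assumptions: helper paths /usr/bin/sss_ssh_knownhostsproxy and
/usr/bin/sss_ssh_authorizedkeys, known_hosts at /var/lib/sss/pubconf/known_hosts,
and the option names used below."""
import configparser
import io
import os

# Constructed sssd.conf, roughly what a fresh enrolment leaves behind
# before the ssh service is switched on.
SAMPLE_SSSD_CONF = """[sssd]
services = nss, pam
config_file_version = 2
domains = example.test

[nss]

[pam]
"""


def enable_sssd_ssh_service(conf_text):
    """Return conf_text with an [ssh] section and 'ssh' listed in
    [sssd] services.  Creating the section before activating the
    service is what avoids the NoServiceError seen in the thread;
    a config without [sssd] is rejected with a clear error instead
    of a traceback.  Idempotent."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str          # keep option names as written
    cp.read_string(conf_text)
    if not cp.has_section("sssd"):
        raise ValueError("sssd.conf has no [sssd] section; refusing to edit it")
    if not cp.has_section("ssh"):
        cp.add_section("ssh")     # the section Martin's sssd.conf was missing
    raw = cp.get("sssd", "services", fallback="")
    services = [s.strip() for s in raw.split(",") if s.strip()]
    if "ssh" not in services:
        services.append("ssh")
    cp.set("sssd", "services", ", ".join(services))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def ssh_client_directives(proxy="/usr/bin/sss_ssh_knownhostsproxy",
                          known_hosts="/var/lib/sss/pubconf/known_hosts",
                          exists=os.path.exists):
    """ssh_config lines for SSSD host-key lookup, or [] when the helper
    binary is absent (an older SSSD): nothing is written that would make
    every ssh invocation fail on a missing ProxyCommand.  Paths and the
    proxy arguments are assumptions."""
    if not exists(proxy):
        return []
    return ["GlobalKnownHostsFile2 %s" % known_hosts,
            "ProxyCommand %s -p %%p %%h" % proxy]


def sshd_directives(helper="/usr/bin/sss_ssh_authorizedkeys",
                    option="AuthorizedKeysCommand",
                    exists=os.path.exists):
    """sshd_config lines for SSSD user-key lookup.  `option` is the
    directive the local sshd understands (AuthorizedKeysCommand in
    upstream OpenSSH; the thread notes the RHEL 6.0 openssh build has
    PubKeyAgent instead); [] when the helper is missing.  Upstream sshd
    refuses AuthorizedKeysCommand without AuthorizedKeysCommandUser, so
    that is emitted alongside it."""
    if not exists(helper):
        return []
    lines = ["%s %s" % (option, helper)]
    if option == "AuthorizedKeysCommand":
        lines.append("AuthorizedKeysCommandUser nobody")
    return lines


if __name__ == "__main__":
    print(enable_sssd_ssh_service(SAMPLE_SSSD_CONF))
    print("\n".join(ssh_client_directives()))
    print("\n".join(sshd_directives()))
```

The `exists` parameter is there so the decision can be exercised without touching the real filesystem; in a real installer it would simply default to os.path.exists, and the caller would skip the ssh_config/sshd_config edits entirely when the lists come back empty.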
