[Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

Jan Cholasta jcholast at redhat.com
Fri Mar 2 08:00:45 UTC 2012


On 2.3.2012 04:56, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 29.2.2012 15:00, Martin Kosek wrote:
>>> On Wed, 2012-02-29 at 14:44 +0100, Jan Cholasta wrote:
>>>> On 29.2.2012 14:24, Martin Kosek wrote:
>>>>> On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:
>>>>>> On 28.2.2012 23:42, Rob Crittenden wrote:
>>>>>>> Jan Cholasta wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> this patch configures the new SSH features of SSSD in
>>>>>>>> ipa-client-install.
>>>>>>>>
>>>>>>>> To test it, you need to have SSSD 1.8.0 installed.
>>>>>>>>
>>>>>>>> Honza
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Is there a better name for 'GlobalKnownHostsFile2'?
>>>>>>
>>>>>> What do you mean? The option name or the file name? Either way, I
>>>>>> don't
>>>>>> think there is a better name.
>>>>>>
>>>>>>>
>>>>>>> When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and
>>>>>>> it was
>>>>>>> an unknown option in all.
>>>>>>
>>>>>> It's in openssh in RHEL 6.0.
>>>>>>
>>>>>>>
>>>>>>> Should you test for the existence of
>>>>>>> /usr/bin/sss_ssh_knownhostsproxy
>>>>>>> and /usr/bin/sss_ssh_authorizedkeys before setting it in a config
>>>>>>> file?
>>>>>>
>>>>>> It depends. Do we want to support clients with SSSD < 1.8.0?
>>>>>>
>>>>>>>
>>>>>>> How would you recommend testing this? Enroll a client and try to log
>>>>>>> into the IPA server?
>>>>>>
>>>>>> To test host authentication, you need an IPA host with SSH public
>>>>>> keys
>>>>>> set (which is done automatically in ipa-client-install, so any IPA
>>>>>> host
>>>>>> should work) and try to ssh into that host from other (actually, it
>>>>>> can
>>>>>> be the same) IPA host. You should not see "The authenticity of host
>>>>>> ...
>>>>>> can't be established" ssh message.
>>>>>>
>>>>>> To test user authentication, you need an IPA user with SSH public
>>>>>> keys
>>>>>> set. To do that, you need to set the public keys using ipa
>>>>>> user-mod. You
>>>>>> should then be able to authenticate using your private key on any
>>>>>> IPA host.
>>>>>>
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> Honza
>>>>>>
>>>>>
>>>>> I get this exception when running ipa-client-install with your patch.
>>>>>
>>>>> # ipa-client-install --enable-dns-updates
>>>>> Discovery was successful!
>>>>> Hostname: vm-138.idm.lab.bos.redhat.com
>>>>> Realm: IDM.LAB.BOS.REDHAT.COM
>>>>> DNS Domain: idm.lab.bos.redhat.com
>>>>> IPA Server: vm-068.idm.lab.bos.redhat.com
>>>>> BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>>>
>>>>>
>>>>> Continue to configure the system with these values? [no]: y
>>>>> User authorized to enroll computers: admin
>>>>> Synchronizing time with KDC...
>>>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>>>> Password for admin at IDM.LAB.BOS.REDHAT.COM:
>>>>>
>>>>> Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
>>>>> Created /etc/ipa/default.conf
>>>>> Traceback (most recent call last):
>>>>> File "/usr/sbin/ipa-client-install", line 1514, in <module>
>>>>> sys.exit(main())
>>>>> File "/usr/sbin/ipa-client-install", line 1501, in main
>>>>> rval = install(options, env, fstore, statestore)
>>>>> File "/usr/sbin/ipa-client-install", line 1326, in install
>>>>> if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
>>>>> options):
>>>>> File "/usr/sbin/ipa-client-install", line 711, in configure_sssd_conf
>>>>> sssdconfig.activate_service('ssh')
>>>>> File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1516, in
>>>>> activate_service
>>>>> raise NoServiceError
>>>>> SSSDConfig.NoServiceError
>>>>>
>>>>>
>>>>> SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> Does your /etc/sssd/sssd.conf and /usr/share/sssd/sssd.api.conf contain
>>>> [ssh] section?
>>>>
>>>
>>> sssd.api.conf did contain the ssh section:
>>>
>>> # grep -C 3 ssh /usr/share/sssd/sssd.api.conf
>>> # autofs service
>>> autofs_negative_timeout = int, None, false
>>>
>>> [ssh]
>>> # ssh service
>>>
>>> [provider]
>>> #Available provider types
>>>
>>>
>>> sssd.conf did not.
>>>
>>>
>>> In either case, we should not crash but handle the issue in a more
>>> friendly way.
>>>
>>> Martin
>>>
>>
>> Patch updated with more defensive code.
>>
>> Honza
>>
>
> Needs a BuildRequires of sssd 1.8 or you get some pylint errors:
>
> ipa-client/ipa-install/ipa-client-install:712: [E1101,
> configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service'
> member
> ipa-client/ipa-install/ipa-client-install:723: [E1101,
> configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service'
> member
> ipa-client/ipa-install/ipa-client-install:734: [E1101,
> configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service'
> member

Added.

>
> Host keys work fine.
>
> I wasn't able to get user ssh keys working but my server is still on
> F-15. I had a daily build of sssd (1.8.1) but it was missing
> /usr/libexec/sssd/sssd_ssh!? Too tired to work out why right now.

F15 is not the problem, the SSSD package in ipa-devel is built without 
experimental features for some reason (in the patch I assumed that it 
always is, fixed that).

>
> Two more things:
>
> 1. You will need explicit test cases for QE to test positive and
> negative login cases (it would have sped me along too).

Should that be part of the patch?

>
> 2. You need to beef up the commit message to describe what this does
> (e.g. configure for knownhost support). commit message space is cheap,
> be verbose.

Done.

>
> rob

Updated patch attached.

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-69.2-ssh-install-config-sssd.patch
Type: text/x-patch
Size: 4503 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120302/5908cfa0/attachment.bin>
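The two defensive points raised in the thread (activating SSSD's ssh responder without crashing when sssd.conf has no [ssh] section or the SSSD build lacks the responder entirely, and only writing the sss_ssh_* helpers into the ssh configuration when they are actually installed) are shown below as an added example. This is not FreeIPA's code or the attached patch: the real installer uses the SSSDConfig API, which is modelled here on configparser so it runs without SSSD present; the sssd.conf and sssd.api.conf samples are constructed, and the known_hosts path and the ProxyCommand form are assumptions rather than values taken from the page.

```python
import configparser
import io
import os

# Constructed sample sssd.conf from a client set up before SSH support:
# no [ssh] section and no "ssh" in the service list.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = idm.lab.bos.redhat.com

[nss]

[pam]

[domain/idm.lab.bos.redhat.com]
id_provider = ipa
"""

# Constructed sssd.api.conf fragments: a build with the ssh responder
# (like the grep output in the thread) and a build without it.
API_CONF_WITH_SSH = """\
[autofs]
autofs_negative_timeout = int, None, false

[ssh]
# ssh service

[provider]
"""
API_CONF_WITHOUT_SSH = """\
[autofs]
autofs_negative_timeout = int, None, false

[provider]
"""


class NoServiceError(Exception):
    """Stands in for SSSDConfig.NoServiceError: the service has no section."""


def activate_service(conf, name):
    """Model of SSSDConfig.activate_service: list `name` in [sssd] services.

    Like the real API it refuses when the service has no section, which is
    what produced the traceback quoted in the thread.
    """
    if not conf.has_section(name):
        raise NoServiceError(name)
    services = [s.strip() for s in conf.get("sssd", "services").split(",")]
    services = [s for s in services if s]
    if name not in services:
        services.append(name)
    conf.set("sssd", "services", ", ".join(services))


def enable_ssh_service(sssd_conf_text, api_conf_text):
    """Return (new sssd.conf text, enabled) without crashing on either failure.

    [ssh] absent from sssd.api.conf: this SSSD build has no ssh responder
    (the "built without experimental features" case), so return the config
    untouched and False so the caller can skip the SSH setup.
    [ssh] absent from sssd.conf only: create the section, then activate it.
    """
    api = configparser.RawConfigParser(allow_no_value=True)
    api.read_string(api_conf_text)
    if not api.has_section("ssh"):
        return sssd_conf_text, False

    conf = configparser.RawConfigParser()
    conf.read_string(sssd_conf_text)
    try:
        activate_service(conf, "ssh")
    except NoServiceError:
        conf.add_section("ssh")
        activate_service(conf, "ssh")
    out = io.StringIO()
    conf.write(out)
    return out.getvalue(), True


def sssd_services(sssd_conf_text):
    """Service names listed under [sssd] services (used to verify the result)."""
    conf = configparser.RawConfigParser()
    conf.read_string(sssd_conf_text)
    return [s.strip() for s in conf.get("sssd", "services").split(",")]


SSS_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
SSS_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
SSS_KNOWN_HOSTS = "/var/lib/sss/pubconf/known_hosts"  # assumed path


def ssh_client_options(exists=os.path.isfile):
    """ssh_config options for host-key lookup, only if the proxy is installed.

    `exists` is injectable so the decision can be tested without the real
    filesystem. The ProxyCommand form is an assumption of this example.
    """
    if not exists(SSS_KNOWNHOSTSPROXY):
        return {}
    return {
        "ProxyCommand": "%s -p %%p %%h" % SSS_KNOWNHOSTSPROXY,
        "GlobalKnownHostsFile2": SSS_KNOWN_HOSTS,
    }


def sshd_options(exists=os.path.isfile):
    """sshd_config option for user-key lookup, only if the helper is installed."""
    if not exists(SSS_AUTHORIZEDKEYS):
        return {}
    return {"PubKeyAgent": SSS_AUTHORIZEDKEYS}


if __name__ == "__main__":
    text, enabled = enable_ssh_service(SAMPLE_SSSD_CONF, API_CONF_WITH_SSH)
    print("ssh responder enabled:", enabled)
    print(text)
    print(ssh_client_options(lambda path: True))
```

Running the module prints the rewritten sssd.conf with `services = nss, pam, ssh` and a new `[ssh]` section; feeding it `API_CONF_WITHOUT_SSH` instead returns the input unchanged with `enabled` set to False, which is the branch where the installer should log that SSSD was built without SSH support rather than raise.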

