[Freeipa-devel] [PATCH] 69 Configure SSH features of SSSD in ipa-client-install

Rob Crittenden rcritten at redhat.com
Fri Mar 2 16:54:10 UTC 2012


Jan Cholasta wrote:
> On 2.3.2012 04:56, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> On 29.2.2012 15:00, Martin Kosek wrote:
>>>> On Wed, 2012-02-29 at 14:44 +0100, Jan Cholasta wrote:
>>>>> On 29.2.2012 14:24, Martin Kosek wrote:
>>>>>> On Wed, 2012-02-29 at 10:52 +0100, Jan Cholasta wrote:
>>>>>>> On 28.2.2012 23:42, Rob Crittenden wrote:
>>>>>>>> Jan Cholasta wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> this patch configures the new SSH features of SSSD in
>>>>>>>>> ipa-client-install.
>>>>>>>>>
>>>>>>>>> To test it, you need to have SSSD 1.8.0 installed.
>>>>>>>>>
>>>>>>>>> Honza
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Is there a better name for 'GlobalKnownHostsFile2'?
>>>>>>>
>>>>>>> What do you mean? The option name or the file name? Either way, I
>>>>>>> don't
>>>>>>> think there is a better name.
>>>>>>>
>>>>>>>>
>>>>>>>> When is PubKeyAgent used? I tried in RHEL 6.2, F-11 and F15-17 and
>>>>>>>> it was
>>>>>>>> an unknown option in all.
>>>>>>>
>>>>>>> It's in openssh in RHEL 6.0.
>>>>>>>
>>>>>>>>
>>>>>>>> Should you test for the existence of
>>>>>>>> /usr/bin/sss_ssh_knownhostsproxy
>>>>>>>> and /usr/bin/sss_ssh_authorizedkeys before setting it in a config
>>>>>>>> file?
>>>>>>>
>>>>>>> It depends. Do we want to support clients with SSSD < 1.8.0?
>>>>>>>
>>>>>>>>
>>>>>>>> How would you recommend testing this? Enroll a client and try to
>>>>>>>> log
>>>>>>>> into the IPA server?
>>>>>>>
>>>>>>> To test host authentication, you need an IPA host with SSH public
>>>>>>> keys
>>>>>>> set (which is done automatically in ipa-client-install, so any IPA
>>>>>>> host
>>>>>>> should work) and try to ssh into that host from other (actually, it
>>>>>>> can
>>>>>>> be the same) IPA host. You should not see "The authenticity of host
>>>>>>> ...
>>>>>>> can't be established" ssh message.
>>>>>>>
>>>>>>> To test user authentication, you need an IPA user with SSH public
>>>>>>> keys
>>>>>>> set. To do that, you need to set the public keys using ipa
>>>>>>> user-mod. You
>>>>>>> should then be able to authenticate using your private key on any
>>>>>>> IPA host.
>>>>>>>
>>>>>>>>
>>>>>>>> rob
>>>>>>>
>>>>>>> Honza
>>>>>>>
>>>>>>
>>>>>> I get this exception when running ipa-client-install with your patch.
>>>>>>
>>>>>> # ipa-client-install --enable-dns-updates
>>>>>> Discovery was successful!
>>>>>> Hostname: vm-138.idm.lab.bos.redhat.com
>>>>>> Realm: IDM.LAB.BOS.REDHAT.COM
>>>>>> DNS Domain: idm.lab.bos.redhat.com
>>>>>> IPA Server: vm-068.idm.lab.bos.redhat.com
>>>>>> BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>>>>>
>>>>>>
>>>>>> Continue to configure the system with these values? [no]: y
>>>>>> User authorized to enroll computers: admin
>>>>>> Synchronizing time with KDC...
>>>>>> Unable to sync time with IPA NTP server, assuming the time is in
>>>>>> sync.
>>>>>> Password for admin at IDM.LAB.BOS.REDHAT.COM:
>>>>>>
>>>>>> Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
>>>>>> Created /etc/ipa/default.conf
>>>>>> Traceback (most recent call last):
>>>>>>   File "/usr/sbin/ipa-client-install", line 1514, in <module>
>>>>>>     sys.exit(main())
>>>>>>   File "/usr/sbin/ipa-client-install", line 1501, in main
>>>>>>     rval = install(options, env, fstore, statestore)
>>>>>>   File "/usr/sbin/ipa-client-install", line 1326, in install
>>>>>>     if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
>>>>>>   File "/usr/sbin/ipa-client-install", line 711, in configure_sssd_conf
>>>>>>     sssdconfig.activate_service('ssh')
>>>>>>   File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1516, in activate_service
>>>>>>     raise NoServiceError
>>>>>> SSSDConfig.NoServiceError
>>>>>>
>>>>>>
>>>>>> SSSD version: sssd-1.8.1-0.20120228T2018Zgit751b121.fc16.x86_64
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>
>>>>> Does your /etc/sssd/sssd.conf and /usr/share/sssd/sssd.api.conf
>>>>> contain
>>>>> [ssh] section?
>>>>>
>>>>
>>>> sssd.api.conf did contain the ssh section:
>>>>
>>>> # grep -C 3 ssh /usr/share/sssd/sssd.api.conf
>>>> # autofs service
>>>> autofs_negative_timeout = int, None, false
>>>>
>>>> [ssh]
>>>> # ssh service
>>>>
>>>> [provider]
>>>> #Available provider types
>>>>
>>>>
>>>> sssd.conf did not.
>>>>
>>>>
>>>> In either case, we should not crash but handle the issue in some more
>>>> friendly way.
>>>>
>>>> Martin
>>>>
>>>
>>> Patch updated with more defensive code.
>>>
>>> Honza
>>>
>>
>> Needs a BuildRequires of sssd 1.8 or you get some pylint errors:
>>
>> ipa-client/ipa-install/ipa-client-install:712: [E1101, configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service' member
>> ipa-client/ipa-install/ipa-client-install:723: [E1101, configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service' member
>> ipa-client/ipa-install/ipa-client-install:734: [E1101, configure_sssd_conf] Instance of 'SSSDConfig' has no 'activate_service' member
>
> Added.
>
>>
>> Host keys work fine.
>>
>> I wasn't able to get user ssh keys working but my server is still on
>> F-15. I had a daily build of sssd (1.8.1) but it was missing
>> /usr/libexec/sssd/sssd_ssh!? Too tired to work out why right now.
>
> F15 is not the problem, the SSSD package in ipa-devel is built without
> experimental features for some reason (in the patch I assumed that it
> always is, fixed that).
>
>>
>> Two more things:
>>
>> 1. You will need explicit test cases for QE to test positive and
>> negative login cases (it would have sped me along too).
>
> Should that be part of the patch?

Needs to be somewhere, attached here would have been fine.

>>
>> 2. You need to beef up the commit message to describe what this does
>> (e.g. configure for knownhost support). commit message space is cheap,
>> be verbose.
>
> Done.
>
>>
>> rob
>
> Updated patch attached.
>
> Honza
>

ACK, pushed to master and ipa-2-2
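
The thread raises two practical points: the installer must not crash when sssd.conf lacks the sections it expects (Martin's NoServiceError traceback), and it should only reference /usr/bin/sss_ssh_knownhostsproxy and /usr/bin/sss_ssh_authorizedkeys when those helpers are actually installed (Rob's question). The following is an added example, not code from the FreeIPA patch, from SSSD or from anyone in the thread. It uses the standard-library configparser instead of SSSDConfig, works on a constructed sssd.conf, and treats the known_hosts path, the ssh_config/sshd_config option names and the AuthorizedKeysCommandUser value as assumptions; which sshd option a given openssh build understands varies, as the thread itself shows, so it is a parameter.

```python
"""Defensive SSSD/OpenSSH configuration for the SSH features discussed in the thread.

Added example, not code from the FreeIPA patch or from SSSD. Paths, option names
and the AuthorizedKeysCommandUser value are assumptions, not taken from the thread.
"""
import configparser
import io
import os

# Helper binaries named in the thread (shipped by SSSD 1.8+).
KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
# Assumption: where SSSD publishes the known_hosts it builds from IPA host keys.
SSS_KNOWN_HOSTS = "/var/lib/sss/pubconf/known_hosts"

# Constructed sample sssd.conf, as left by an enrolment without the ssh responder.
SAMPLE_SSSD_CONF = """[sssd]
services = nss, pam
config_file_version = 2
domains = idm.example.test

[domain/idm.example.test]
id_provider = ipa
"""


def _parse(text):
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # sssd.conf keys are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def services_of(text):
    """Return the [sssd] services list, or [] if the section or key is missing."""
    cp = _parse(text)
    if not cp.has_section("sssd") or not cp.has_option("sssd", "services"):
        return []
    return [s.strip() for s in cp.get("sssd", "services").split(",") if s.strip()]


def enable_ssh_service(text):
    """Add the ssh responder to sssd.conf; returns (new_text, changed).

    Unlike SSSDConfig.activate_service() in the thread's traceback, a file
    without an [sssd] section is returned untouched with changed=False so the
    caller can warn and continue instead of aborting the enrolment.
    """
    cp = _parse(text)
    if not cp.has_section("sssd"):
        return text, False
    services = services_of(text)
    if "ssh" in services and cp.has_section("ssh"):
        return text, False  # already configured; idempotent
    if "ssh" not in services:
        services.append("ssh")
    cp.set("sssd", "services", ", ".join(services))
    if not cp.has_section("ssh"):
        cp.add_section("ssh")  # an empty section is enough; defaults apply
    out = io.StringIO()
    cp.write(out)
    return out.getvalue(), True


def ssh_client_options(exists=os.path.exists):
    """ssh_config lines for SSSD-backed host key verification.

    Returns [] when the proxy helper is absent, so a client with an older
    SSSD never gets a ProxyCommand pointing at a missing binary.
    """
    if not exists(KNOWNHOSTSPROXY):
        return []
    return [
        "GlobalKnownHostsFile2 " + SSS_KNOWN_HOSTS,
        "ProxyCommand " + KNOWNHOSTSPROXY + " -p %p %h",
    ]


def sshd_options(exists=os.path.exists, option_name="AuthorizedKeysCommand"):
    """sshd_config lines for SSSD-backed user key lookup.

    option_name is a parameter because the option a given openssh build accepts
    differs (the thread mentions PubKeyAgent for one build; AuthorizedKeysCommand
    is the upstream name). Assumption: the lookup command runs as 'nobody'.
    """
    if not exists(AUTHORIZEDKEYS):
        return []
    lines = [option_name + " " + AUTHORIZEDKEYS]
    if option_name == "AuthorizedKeysCommand":
        lines.append("AuthorizedKeysCommandUser nobody")
    return lines


if __name__ == "__main__":
    new_conf, changed = enable_ssh_service(SAMPLE_SSSD_CONF)
    print(new_conf)
    print("\n".join(ssh_client_options() + sshd_options()))
```

Run stand-alone it prints the rewritten sssd.conf and whichever OpenSSH lines apply on the local machine; a client without the SSSD helpers installed gets an sssd.conf change but no ssh_config or sshd_config lines, which is the "do not configure what is not there" behaviour Rob asked about.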
