Create IPA ssh client configuration and move ProxyCommand

The ProxyCommand is non-executable if the user does not have a valid shell (like /sbin/nologin) so skip it in that case. https://pagure.io/freeipa/issue/7676 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-11-10 13:57:09 -05:00 · 2020-11-10 13:57:09 -05:00 · 15b30e15a4
commit 15b30e15a4
parent cd9b4efa91
4 changed files with 49 additions and 1 deletions
--- a/client/share/Makefile.am
+++ b/client/share/Makefile.am
@ -4,6 +4,7 @@ appdir = $(IPA_DATA_DIR)/client
 dist_app_DATA =				\
 	freeipa.template		\
 	sshd_ipa.conf.template	\
+	ssh_ipa.conf.template	\
 	$(NULL)

 epnconfdir = $(IPA_SYSCONF_DIR)
--- a/client/share/ssh_ipa.conf.template
+++ b/client/share/ssh_ipa.conf.template
@ -0,0 +1,10 @@
+# IPA-related configuration changes to ssh_config
+#
+PubkeyAuthentication yes
+${ENABLEPROXY}GlobalKnownHostsFile $KNOWNHOSTS
+${VERIFYHOSTKEYDNS}VerifyHostKeyDNS yes
+
+# assumes that if a user does not have shell (/sbin/nologin),
+# this will return nonzero exit code and proxy command will be ignored
+${ENABLEPROXY}Match exec true   
+${ENABLEPROXY}	ProxyCommand $KNOWNHOSTSPROXY -p %p %h
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@ -1109,6 +1109,22 @@ def configure_ssh_config(fstore, options):

    fstore.backup_file(paths.SSH_CONFIG)

+    def ssh_version_supports_include():
+        with open(paths.SSH_CONFIG, 'r') as f:
+            for line in f:
+                if re.match(r"^Include\s", line):
+                    return True
+        return False
+
+    if ssh_version_supports_include():
+        create_ssh_ipa_config(options)
+    else:
+        modify_ssh_config(options)
+
+    logger.info('Configured %s', paths.SSH_CONFIG)
+
+
+def modify_ssh_config(options):
    changes = {'PubkeyAuthentication': 'yes'}

    if options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY):
@ -1119,7 +1135,25 @@ def configure_ssh_config(fstore, options):
        changes['VerifyHostKeyDNS'] = 'yes'

    change_ssh_config(paths.SSH_CONFIG, changes, ['Host', 'Match'])
-    logger.info('Configured %s', paths.SSH_CONFIG)
+
+
+def create_ssh_ipa_config(options):
+    """Add the IPA snippet for ssh"""
+    enableproxy = bool(
+        options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY)
+    )
+
+    ipautil.copy_template_file(
+        os.path.join(paths.SSH_IPA_CONFIG_TEMPLATE),
+        paths.SSH_IPA_CONFIG,
+        dict(
+            ENABLEPROXY='' if enableproxy else '#',
+            KNOWNHOSTSPROXY=paths.SSS_SSH_KNOWNHOSTSPROXY,
+            KNOWNHOSTS=paths.SSSD_PUBCONF_KNOWN_HOSTS,
+            VERIFYHOSTKEYDNS='' if options.trust_sshfp else '#'
+        )
+    )
+    os.chmod(paths.SSH_IPA_CONFIG, 0o644)


 def configure_sshd_config(fstore, options):
@ -3500,6 +3534,7 @@ def uninstall(options):

    if was_sshd_configured and services.knownservices.sshd.is_running():
        remove_file(paths.SSHD_IPA_CONFIG)
+        remove_file(paths.SSH_IPA_CONFIG)
        services.knownservices.sshd.restart()

    # Remove the Firefox configuration
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@ -135,6 +135,8 @@ class BasePathNamespace:
    LIMITS_CONF = "/etc/security/limits.conf"
    SSH_CONFIG_DIR = "/etc/ssh"
    SSH_CONFIG = "/etc/ssh/ssh_config"
+    SSH_IPA_CONFIG_TEMPLATE = "/usr/share/ipa/client/ssh_ipa.conf.template"
+    SSH_IPA_CONFIG = "/etc/ssh/ssh_config.d/04-ipa.conf"
    SSHD_CONFIG = "/etc/ssh/sshd_config"
    SSHD_IPA_CONFIG = "/etc/ssh/sshd_config.d/04-ipa.conf"
    SSHD_IPA_CONFIG_TEMPLATE = "/usr/share/ipa/client/sshd_ipa.conf.template"