Create IPA ssh client configuration and move ProxyCommand

The ProxyCommand is non-executable if the user does not have
a valid shell (like /sbin/nologin) so skip it in that case.

https://pagure.io/freeipa/issue/7676

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

client/share/Makefile.am

@@ -4,6 +4,7 @@ appdir = $(IPA_DATA_DIR)/client
 dist_app_DATA =				\
 	freeipa.template		\
 	sshd_ipa.conf.template	\
+	ssh_ipa.conf.template	\
 	$(NULL)
 
 epnconfdir = $(IPA_SYSCONF_DIR)

client/share/ssh_ipa.conf.template

@@ -0,0 +1,10 @@
+# IPA-related configuration changes to ssh_config
+#
+PubkeyAuthentication yes
+${ENABLEPROXY}GlobalKnownHostsFile $KNOWNHOSTS
+${VERIFYHOSTKEYDNS}VerifyHostKeyDNS yes
+
+# assumes that if a user does not have shell (/sbin/nologin),
+# this will return nonzero exit code and proxy command will be ignored
+${ENABLEPROXY}Match exec true   
+${ENABLEPROXY}	ProxyCommand $KNOWNHOSTSPROXY -p %p %h

ipaclient/install/client.py

@@ -1109,6 +1109,22 @@ def configure_ssh_config(fstore, options):
 
     fstore.backup_file(paths.SSH_CONFIG)
 
+    def ssh_version_supports_include():
+        with open(paths.SSH_CONFIG, 'r') as f:
+            for line in f:
+                if re.match(r"^Include\s", line):
+                    return True
+        return False
+
+    if ssh_version_supports_include():
+        create_ssh_ipa_config(options)
+    else:
+        modify_ssh_config(options)
+
+    logger.info('Configured %s', paths.SSH_CONFIG)
+
+
+def modify_ssh_config(options):
     changes = {'PubkeyAuthentication': 'yes'}
 
     if options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY):
@@ -1119,7 +1135,25 @@ def configure_ssh_config(fstore, options):
         changes['VerifyHostKeyDNS'] = 'yes'
 
     change_ssh_config(paths.SSH_CONFIG, changes, ['Host', 'Match'])
-    logger.info('Configured %s', paths.SSH_CONFIG)
+
+
+def create_ssh_ipa_config(options):
+    """Add the IPA snippet for ssh"""
+    enableproxy = bool(
+        options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY)
+    )
+
+    ipautil.copy_template_file(
+        os.path.join(paths.SSH_IPA_CONFIG_TEMPLATE),
+        paths.SSH_IPA_CONFIG,
+        dict(
+            ENABLEPROXY='' if enableproxy else '#',
+            KNOWNHOSTSPROXY=paths.SSS_SSH_KNOWNHOSTSPROXY,
+            KNOWNHOSTS=paths.SSSD_PUBCONF_KNOWN_HOSTS,
+            VERIFYHOSTKEYDNS='' if options.trust_sshfp else '#'
+        )
+    )
+    os.chmod(paths.SSH_IPA_CONFIG, 0o644)
 
 
 def configure_sshd_config(fstore, options):
@@ -3500,6 +3534,7 @@ def uninstall(options):
 
     if was_sshd_configured and services.knownservices.sshd.is_running():
         remove_file(paths.SSHD_IPA_CONFIG)
+        remove_file(paths.SSH_IPA_CONFIG)
         services.knownservices.sshd.restart()
 
     # Remove the Firefox configuration

ipaplatform/base/paths.py

@@ -135,6 +135,8 @@ class BasePathNamespace:
     LIMITS_CONF = "/etc/security/limits.conf"
     SSH_CONFIG_DIR = "/etc/ssh"
     SSH_CONFIG = "/etc/ssh/ssh_config"
+    SSH_IPA_CONFIG_TEMPLATE = "/usr/share/ipa/client/ssh_ipa.conf.template"
+    SSH_IPA_CONFIG = "/etc/ssh/ssh_config.d/04-ipa.conf"
     SSHD_CONFIG = "/etc/ssh/sshd_config"
     SSHD_IPA_CONFIG = "/etc/ssh/sshd_config.d/04-ipa.conf"
     SSHD_IPA_CONFIG_TEMPLATE = "/usr/share/ipa/client/sshd_ipa.conf.template"