ipa-client-install: add support for sss_ssh_knownhosts
sss_ssh_knownhostsproxy will be deprecated in favor of sss_ssh_knownhosts. With this update, if the file /usr/bin/sss_ssh_knownhosts is present, KnownHostsCommand will be used instead of ProxyCommand. Also, GlobalKnownHostsFile is disabled as it is no longer needed. Fixes: https://pagure.io/freeipa/issue/9536 Signed-off-by: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
parent
6af8577d58
commit
7d54a6daaf
@ -4,7 +4,13 @@ PubkeyAuthentication yes
|
||||
${ENABLEPROXY}GlobalKnownHostsFile $KNOWNHOSTS
|
||||
${VERIFYHOSTKEYDNS}VerifyHostKeyDNS yes
|
||||
|
||||
# use sss_ssh_knownhosts if available
|
||||
# assumes that if a user does not have shell (/sbin/nologin),
|
||||
# this will return nonzero exit code and proxy command will be ignored
|
||||
${ENABLEPROXY}Match exec true
|
||||
${ENABLEKNOWNHOSTS}Match exec true
|
||||
${ENABLEKNOWNHOSTS} KnownHostsCommand $KNOWNHOSTSCOMMAND %H
|
||||
|
||||
# assumes that if a user does not have shell (/sbin/nologin),
|
||||
# this will return nonzero exit code and proxy command will be ignored
|
||||
${ENABLEPROXY}Match exec true
|
||||
${ENABLEPROXY} ProxyCommand $KNOWNHOSTSPROXY -p %p %h
|
||||
|
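Review bot: The comment above the new `${ENABLEKNOWNHOSTS}Match exec true` block is copied from the proxy block and still ends with `proxy command will be ignored`, although the directive it gates is KnownHostsCommand; change it to `# this will return nonzero exit code and KnownHostsCommand will be ignored`. Separately, the description says GlobalKnownHostsFile is disabled, and the `${ENABLEPROXY}GlobalKnownHostsFile $KNOWNHOSTS` line appears to be dropped from the template while the `${ENABLEPROXY} ProxyCommand` fallback is kept; if so, on clients where only sss_ssh_knownhostsproxy exists, ssh no longer reads the pubconf known_hosts file the proxy populates, so the host keys it retrieves are not used for verification. modify_ssh_config in the next hunk still sets GlobalKnownHostsFile for the proxy case and create_ssh_ipa_config still passes KNOWNHOSTS to the template, so either keep the GlobalKnownHostsFile line under ${ENABLEPROXY} or drop the now-unused substitution. Removed and context lines are not distinguishable in this rendering, so the removal itself is inferred from the description.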
@ -1145,7 +1145,21 @@ def configure_ssh_config(fstore, options):
|
||||
def modify_ssh_config(options):
|
||||
changes = {'PubkeyAuthentication': 'yes'}
|
||||
|
||||
if options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY):
|
||||
# sss_ssh_knownhostsproxy is deprecated in favor of sss_ssh_knownhosts
|
||||
# use sss_ssh_knownhosts when possible
|
||||
enableknownhosts = bool(
|
||||
options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTS)
|
||||
)
|
||||
|
||||
enableproxy = bool(
|
||||
options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY)
|
||||
and not enableknownhosts
|
||||
)
|
||||
|
||||
if options.sssd and enableknownhosts:
|
||||
changes[
|
||||
'KnownHostsCommand'] = '%s %%H' % paths.SSS_SSH_KNOWNHOSTS
|
||||
if options.sssd and enableproxy:
|
||||
changes[
|
||||
'ProxyCommand'] = '%s -p %%p %%h' % paths.SSS_SSH_KNOWNHOSTSPROXY
|
||||
changes['GlobalKnownHostsFile'] = paths.SSSD_PUBCONF_KNOWN_HOSTS
|
||||
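Review bot: The `options.sssd and` guards on `if options.sssd and enableknownhosts:` and `if options.sssd and enableproxy:` are redundant, since both flags already fold `options.sssd` into their definition a few lines above. The same two-flag computation is duplicated verbatim in create_ssh_ipa_config in the next hunk, so a small helper returning both flags keeps the precedence rule (sss_ssh_knownhosts wins over the proxy) in one place and makes the comment about the deprecation live once. The sketch below shows that helper and the simplified start of modify_ssh_config; the rest of modify_ssh_config continues outside the hunk.
```python
def _sss_ssh_knownhosts_flags(options):
    """Return (enableknownhosts, enableproxy) for the sssd ssh integration.

    sss_ssh_knownhostsproxy is deprecated in favor of sss_ssh_knownhosts;
    the proxy is only selected when the newer helper is not installed.
    """
    if not options.sssd:
        return False, False
    enableknownhosts = os.path.isfile(paths.SSS_SSH_KNOWNHOSTS)
    enableproxy = (not enableknownhosts
                   and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY))
    return enableknownhosts, enableproxy


def modify_ssh_config(options):
    changes = {'PubkeyAuthentication': 'yes'}

    enableknownhosts, enableproxy = _sss_ssh_knownhosts_flags(options)
    if enableknownhosts:
        changes['KnownHostsCommand'] = '%s %%H' % paths.SSS_SSH_KNOWNHOSTS
    if enableproxy:
        changes['ProxyCommand'] = '%s -p %%p %%h' % paths.SSS_SSH_KNOWNHOSTSPROXY
        changes['GlobalKnownHostsFile'] = paths.SSSD_PUBCONF_KNOWN_HOSTS
    # … unchanged: rest of modify_ssh_config (outside this hunk) …
```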
@ -1157,14 +1171,23 @@ def modify_ssh_config(options):
|
||||
|
||||
def create_ssh_ipa_config(options):
|
||||
"""Add the IPA snippet for ssh"""
|
||||
# sss_ssh_knownhostsproxy is deprecated in favor of sss_ssh_knownhosts
|
||||
# use sss_ssh_knownhosts when possible
|
||||
enableknownhosts = bool(
|
||||
options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTS)
|
||||
)
|
||||
|
||||
enableproxy = bool(
|
||||
options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY)
|
||||
and not enableknownhosts
|
||||
)
|
||||
|
||||
ipautil.copy_template_file(
|
||||
os.path.join(paths.SSH_IPA_CONFIG_TEMPLATE),
|
||||
paths.SSH_IPA_CONFIG,
|
||||
dict(
|
||||
ENABLEKNOWNHOSTS='' if enableknownhosts else '#',
|
||||
KNOWNHOSTSCOMMAND=paths.SSS_SSH_KNOWNHOSTS,
|
||||
ENABLEPROXY='' if enableproxy else '#',
|
||||
KNOWNHOSTSPROXY=paths.SSS_SSH_KNOWNHOSTSPROXY,
|
||||
KNOWNHOSTS=paths.SSSD_PUBCONF_KNOWN_HOSTS,
|
||||
|
@ -229,6 +229,7 @@ class BasePathNamespace:
|
||||
SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
|
||||
SSLGET = "/usr/bin/sslget"
|
||||
SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
|
||||
SSS_SSH_KNOWNHOSTS = "/usr/bin/sss_ssh_knownhosts"
|
||||
SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
|
||||
BIN_TIMEOUT = "/usr/bin/timeout"
|
||||
UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
|
||||
|