From 7d54a6daaf0ef91d608d67b3c70e2d566868be05 Mon Sep 17 00:00:00 2001
From: Francisco Trivino
Date: Tue, 27 Feb 2024 17:28:23 +0100
Subject: [PATCH] ipa-client-install: add support for sss_ssh_knownhosts

sss_ssh_knownhostsproxy will be deprecated in favor of sss_ssh_knownhosts. With this update, if the file /usr/bin/sss_ssh_knownhosts is present, KnownHostsCommand will be used instead of ProxyCommand. Also, GlobalKnownHostsFile is disabled as it is no longer needed.

Fixes: https://pagure.io/freeipa/issue/9536
Signed-off-by: Francisco Trivino
Reviewed-By: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 client/share/ssh_ipa.conf.template | 8 +++++++-
 ipaclient/install/client.py | 25 ++++++++++++++++++++++++-
 ipaplatform/base/paths.py | 1 +
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/client/share/ssh_ipa.conf.template b/client/share/ssh_ipa.conf.template
index a4e238e35..568fc9362 100644
--- a/client/share/ssh_ipa.conf.template
+++ b/client/share/ssh_ipa.conf.template
@@ -4,7 +4,13 @@ PubkeyAuthentication yes
 ${ENABLEPROXY}GlobalKnownHostsFile $KNOWNHOSTS
 ${VERIFYHOSTKEYDNS}VerifyHostKeyDNS yes
 
+# use sss_ssh_knownhosts if available
 # assumes that if a user does not have shell (/sbin/nologin),
 # this will return nonzero exit code and proxy command will be ignored
-${ENABLEPROXY}Match exec true
+${ENABLEKNOWNHOSTS}Match exec true
+${ENABLEKNOWNHOSTS} KnownHostsCommand $KNOWNHOSTSCOMMAND %H
+
+# assumes that if a user does not have shell (/sbin/nologin),
+# this will return nonzero exit code and proxy command will be ignored
+${ENABLEPROXY}Match exec true
 ${ENABLEPROXY} ProxyCommand $KNOWNHOSTSPROXY -p %p %h
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 4ba82025a..29aff5f41 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
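Review bot: The unchanged comment line `# this will return nonzero exit code and proxy command will be ignored` now sits directly above the new `${ENABLEKNOWNHOSTS}Match exec true` block, so on the new side it describes the wrong directive; the copy that was added under the ProxyCommand block is the one that still fits. I would change the first occurrence to `# this will return nonzero exit code and KnownHostsCommand will be ignored`. Separately, as far as I recall ssh_config(5) terminates the connection when a KnownHostsCommand exits non-zero, so an sss_ssh_knownhosts failure (for example SSSD not running) becomes a hard failure on this path rather than falling back to the user's own known_hosts; if that is confirmed it is worth a sentence in the template comment or the client docs, since it is a stricter failure mode than the proxy path it replaces.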
@@ -1145,7 +1145,21 @@ def configure_ssh_config(fstore, options):
 
 def modify_ssh_config(options):
     changes = {'PubkeyAuthentication': 'yes'}
-    if options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY):
+    # sss_ssh_knownhostsproxy is deprecated in favor of sss_ssh_knownhosts
+    # use sss_ssh_knownhosts when possible
+    enableknownhosts = bool(
+        options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTS)
+    )
+
+    enableproxy = bool(
+        options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY)
+        and not enableknownhosts
+    )
+
+    if options.sssd and enableknownhosts:
+        changes[
+            'KnownHostsCommand'] = '%s %%H' % paths.SSS_SSH_KNOWNHOSTS
+    if options.sssd and enableproxy:
         changes[
             'ProxyCommand'] = '%s -p %%p %%h' % paths.SSS_SSH_KNOWNHOSTSPROXY
         changes['GlobalKnownHostsFile'] = paths.SSSD_PUBCONF_KNOWN_HOSTS
@@ -1157,14 +1171,23 @@ def modify_ssh_config(options):
 
 def create_ssh_ipa_config(options):
     """Add the IPA snippet for ssh"""
+    # sss_ssh_knownhostsproxy is deprecated in favor of sss_ssh_knownhosts
+    # use sss_ssh_knownhosts when possible
+    enableknownhosts = bool(
+        options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTS)
+    )
+
     enableproxy = bool(
         options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY)
+        and not enableknownhosts
     )
     ipautil.copy_template_file(
         os.path.join(paths.SSH_IPA_CONFIG_TEMPLATE),
         paths.SSH_IPA_CONFIG,
         dict(
+            ENABLEKNOWNHOSTS='' if enableknownhosts else '#',
+            KNOWNHOSTSCOMMAND=paths.SSS_SSH_KNOWNHOSTS,
             ENABLEPROXY='' if enableproxy else '#',
             KNOWNHOSTSPROXY=paths.SSS_SSH_KNOWNHOSTSPROXY,
             KNOWNHOSTS=paths.SSSD_PUBCONF_KNOWN_HOSTS,
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index e7092dd52..12244c3a2 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
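Review bot: In modify_ssh_config the two new branches re-test `options.sssd` although both `enableknownhosts` and `enableproxy` already fold it in, so `if options.sssd and enableknownhosts:` and `if options.sssd and enableproxy:` can simply be `if enableknownhosts:` and `if enableproxy:`. The same two-flag detection is duplicated verbatim in create_ssh_ipa_config (the next hunk); a small helper such as `_sss_ssh_knownhosts_mode(options)` returning `(enableknownhosts, enableproxy)` would keep the precedence rule (sss_ssh_knownhosts wins when both binaries exist, and only the proxy path sets GlobalKnownHostsFile) in one place. Note that the `Match exec true` nologin guard the template applies has no counterpart here, so on this path KnownHostsCommand is written unconditionally, as ProxyCommand already was; a comment saying so would help the next reader. modify_ssh_config continues past the end of the hunk.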
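Review bot: The docstring `"""Add the IPA snippet for ssh"""` no longer describes the choice create_ssh_ipa_config makes now that two mutually exclusive mechanisms are rendered into the template. I would extend it to state that sss_ssh_knownhosts (KnownHostsCommand) is preferred over sss_ssh_knownhostsproxy (ProxyCommand) when both binaries are installed, that either requires `options.sssd`, and that the GlobalKnownHostsFile line is enabled only on the proxy path. The copy_template_file call continues past the end of the hunk.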
@@ -229,6 +229,7 @@ class BasePathNamespace:
     SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
     SSLGET = "/usr/bin/sslget"
     SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
+    SSS_SSH_KNOWNHOSTS = "/usr/bin/sss_ssh_knownhosts"
     SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
     BIN_TIMEOUT = "/usr/bin/timeout"
     UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"