ipa-client-install: add support for sss_ssh_knownhosts

sss_ssh_knownhostsproxy will be deprecated in favor of sss_ssh_knownhosts.

With this update, if the file /usr/bin/sss_ssh_knownhosts is present,
KnownHostsCommand will be used instead of ProxyCommand. Also, GlobalKnownHostsFile
is disabled as it is no longer needed.

Fixes: https://pagure.io/freeipa/issue/9536
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Francisco Trivino 2024-02-27 17:28:23 +01:00 committed by Florence Blanc-Renaud
parent 6af8577d58
commit 7d54a6daaf
3 changed files with 32 additions and 2 deletions


@ -4,6 +4,12 @@ PubkeyAuthentication yes
${ENABLEPROXY}GlobalKnownHostsFile $KNOWNHOSTS ${ENABLEPROXY}GlobalKnownHostsFile $KNOWNHOSTS
${VERIFYHOSTKEYDNS}VerifyHostKeyDNS yes ${VERIFYHOSTKEYDNS}VerifyHostKeyDNS yes
# use sss_ssh_knownhosts if available
# assumes that if a user does not have shell (/sbin/nologin),
# this will return nonzero exit code and proxy command will be ignored
${ENABLEKNOWNHOSTS}Match exec true
${ENABLEKNOWNHOSTS} KnownHostsCommand $KNOWNHOSTSCOMMAND %H
# assumes that if a user does not have shell (/sbin/nologin), # assumes that if a user does not have shell (/sbin/nologin),
# this will return nonzero exit code and proxy command will be ignored # this will return nonzero exit code and proxy command will be ignored
${ENABLEPROXY}Match exec true ${ENABLEPROXY}Match exec true
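Review bot: The comment introduced above the new `Match exec true` block (lines 25–26) is a verbatim copy of the proxy block's comment and still says the "proxy command will be ignored", although this block now guards KnownHostsCommand; it should read `# this will return nonzero exit code and KnownHostsCommand will be ignored`. It would also help to state here that GlobalKnownHostsFile stays commented out when sss_ssh_knownhosts is in use, since that follows only from the `${ENABLEPROXY}` prefix on line 22 and the Python side clearing enableproxy whenever enableknownhosts is set, which is not visible from this file alone. The proxy Match block that starts on line 31 continues outside the hunk.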


@ -1145,7 +1145,21 @@ def configure_ssh_config(fstore, options):
def modify_ssh_config(options): def modify_ssh_config(options):
changes = {'PubkeyAuthentication': 'yes'} changes = {'PubkeyAuthentication': 'yes'}
if options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY): # sss_ssh_knownhostsproxy is deprecated in favor of sss_ssh_knownhosts
# use sss_ssh_knownhosts when possible
enableknownhosts = bool(
options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTS)
)
enableproxy = bool(
options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY)
and not enableknownhosts
)
if options.sssd and enableknownhosts:
changes[
'KnownHostsCommand'] = '%s %%H' % paths.SSS_SSH_KNOWNHOSTS
if options.sssd and enableproxy:
changes[ changes[
'ProxyCommand'] = '%s -p %%p %%h' % paths.SSS_SSH_KNOWNHOSTSPROXY 'ProxyCommand'] = '%s -p %%p %%h' % paths.SSS_SSH_KNOWNHOSTSPROXY
changes['GlobalKnownHostsFile'] = paths.SSSD_PUBCONF_KNOWN_HOSTS changes['GlobalKnownHostsFile'] = paths.SSSD_PUBCONF_KNOWN_HOSTS
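Review bot: The `options.sssd and` in `if options.sssd and enableknownhosts:` and `if options.sssd and enableproxy:` is redundant, since both flags already fold `options.sssd` into the `bool(...)` expressions a few lines above; `if enableknownhosts:` and `if enableproxy:` say the same thing. The same availability test is then duplicated verbatim in create_ssh_ipa_config (the second hunk of this file); a small helper returning `(enableknownhosts, enableproxy)` would keep the two paths from drifting apart, which matters because the template path wraps KnownHostsCommand in `Match exec true` while this path appears to write it unconditionally, mirroring how ProxyCommand was already handled. The body of modify_ssh_config continues outside the hunk.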
@ -1157,14 +1171,23 @@ def modify_ssh_config(options):
def create_ssh_ipa_config(options): def create_ssh_ipa_config(options):
"""Add the IPA snippet for ssh""" """Add the IPA snippet for ssh"""
# sss_ssh_knownhostsproxy is deprecated in favor of sss_ssh_knownhosts
# use sss_ssh_knownhosts when possible
enableknownhosts = bool(
options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTS)
)
enableproxy = bool( enableproxy = bool(
options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY) options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY)
and not enableknownhosts
) )
ipautil.copy_template_file( ipautil.copy_template_file(
os.path.join(paths.SSH_IPA_CONFIG_TEMPLATE), os.path.join(paths.SSH_IPA_CONFIG_TEMPLATE),
paths.SSH_IPA_CONFIG, paths.SSH_IPA_CONFIG,
dict( dict(
ENABLEKNOWNHOSTS='' if enableknownhosts else '#',
KNOWNHOSTSCOMMAND=paths.SSS_SSH_KNOWNHOSTS,
ENABLEPROXY='' if enableproxy else '#', ENABLEPROXY='' if enableproxy else '#',
KNOWNHOSTSPROXY=paths.SSS_SSH_KNOWNHOSTSPROXY, KNOWNHOSTSPROXY=paths.SSS_SSH_KNOWNHOSTSPROXY,
KNOWNHOSTS=paths.SSSD_PUBCONF_KNOWN_HOSTS, KNOWNHOSTS=paths.SSSD_PUBCONF_KNOWN_HOSTS,


@ -229,6 +229,7 @@ class BasePathNamespace:
SOFTHSM2_UTIL = "/usr/bin/softhsm2-util" SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
SSLGET = "/usr/bin/sslget" SSLGET = "/usr/bin/sslget"
SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys" SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
SSS_SSH_KNOWNHOSTS = "/usr/bin/sss_ssh_knownhosts"
SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy" SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
BIN_TIMEOUT = "/usr/bin/timeout" BIN_TIMEOUT = "/usr/bin/timeout"
UPDATE_CA_TRUST = "/usr/bin/update-ca-trust" UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"