ipa-client-install: use sshd drop-in configuration

sshd 8.2+ now supports the "Include" keyword in sshd_config and ships by default /etc/ssh/sshd_config with "Include /etc/ssh/sshd_config.d/*" As fedora 32 provides a config file in that directory (05-redhat.conf) with ChallengeResponseAuthentication no that is conflicting with IPA client config, ipa-client-install now needs to make its config changes in a drop-in file read before 05-redhat.conf (the files are read in lexicographic order and the first setting wins). There is no need to handle upgrades from sshd < 8.2: if openssh-server detects a customisation in /etc/ssh/sshd_config, it will not update the file but create /etc/ssh/sshd_config.rpmnew and ask the admin to manually handle the config upgrade. Fixes: https://pagure.io/freeipa/issue/8304 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-06-11 21:08:36 +02:00
parent 1e804bf19d
commit b317222d51
5 changed files with 55 additions and 5 deletions
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -101,6 +101,7 @@ dist_app_DATA =				\
 	ipaca_default.ini		\
 	ipaca_customize.ini		\
 	ipaca_softhsm2.ini		\
+	sshd_ipa.conf.template	\
 	$(NULL)

 kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
--- a/install/share/sshd_ipa.conf.template
+++ b/install/share/sshd_ipa.conf.template
@@ -0,0 +1,8 @@
+# IPA-related configuration changes to sshd_config
+
+PubkeyAuthentication yes
+KerberosAuthentication no
+GSSAPIAuthentication yes
+UsePAM yes
+ChallengeResponseAuthentication yes
+$SSSD_SSHD_OPTIONS
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -26,6 +26,7 @@ import shutil
 import socket
 import sys
 import tempfile
+import textwrap
 import time
 import traceback
 import warnings
@@ -1130,6 +1131,29 @@ def configure_sshd_config(fstore, options):

    fstore.backup_file(paths.SSHD_CONFIG)

+    # If openssh-server >= 8.2, the config needs to go in a new snippet
+    # in /etc/ssh/sshd_config.d/04-ipa.conf
+    # instead of /etc/ssh/sshd_config file
+    def sshd_version_supports_include():
+        with open(paths.SSHD_CONFIG, 'r') as f:
+            for line in f:
+                if re.match(r"^Include\s", line):
+                    return True
+        return False
+
+    if sshd_version_supports_include():
+        create_sshd_ipa_config(options)
+    else:
+        modify_sshd_config(options)
+
+    if sshd.is_running():
+        try:
+            sshd.restart()
+        except Exception as e:
+            log_service_error(sshd.service_name, 'restart', e)
+
+
+def modify_sshd_config(options):
    changes = {
        'PubkeyAuthentication': 'yes',
        'KerberosAuthentication': 'no',
@@ -1178,11 +1202,24 @@ def configure_sshd_config(fstore, options):
    change_ssh_config(paths.SSHD_CONFIG, changes, ['Match'])
    logger.info('Configured %s', paths.SSHD_CONFIG)

-    if sshd.is_running():
-        try:
-            sshd.restart()
-        except Exception as e:
-            log_service_error(sshd.service_name, 'restart', e)
+
+def create_sshd_ipa_config(options):
+    """Add the IPA snippet for sshd"""
+    sssd_sshd_options = ""
+    if options.sssd and os.path.isfile(paths.SSS_SSH_AUTHORIZEDKEYS):
+        sssd_sshd_options = textwrap.dedent("""\
+            AuthorizedKeysCommand {}
+            AuthorizedKeysCommandUser nobody
+        """).format(paths.SSS_SSH_AUTHORIZEDKEYS)
+
+    ipautil.copy_template_file(
+        os.path.join(paths.SSHD_IPA_CONFIG_TEMPLATE),
+        paths.SSHD_IPA_CONFIG,
+        dict(
+            SSSD_SSHD_OPTIONS=sssd_sshd_options,
+        )
+    )
+    logger.info('Configured %s', paths.SSHD_IPA_CONFIG)


 def configure_automount(options):
@@ -3448,6 +3485,7 @@ def uninstall(options):
    restore_time_sync(statestore, fstore)

    if was_sshd_configured and services.knownservices.sshd.is_running():
+        remove_file(paths.SSHD_IPA_CONFIG)
        services.knownservices.sshd.restart()

    # Remove the Firefox configuration
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -126,6 +126,8 @@ class BasePathNamespace:
    SSH_CONFIG_DIR = "/etc/ssh"
    SSH_CONFIG = "/etc/ssh/ssh_config"
    SSHD_CONFIG = "/etc/ssh/sshd_config"
+    SSHD_IPA_CONFIG = "/etc/ssh/sshd_config.d/04-ipa.conf"
+    SSHD_IPA_CONFIG_TEMPLATE = "/usr/share/ipa/sshd_ipa.conf.template"
    SSSD_CONF = "/etc/sssd/sssd.conf"
    SSSD_CONF_BKP = "/etc/sssd/sssd.conf.bkp"
    SSSD_CONF_DELETED = "/etc/sssd/sssd.conf.deleted"
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -155,6 +155,7 @@ class Backup(admintool.AdminTool):
        paths.HTTPD_KEY_FILE,
        paths.HTTPD_IPA_CONF,
        paths.SSHD_CONFIG,
+        paths.SSHD_IPA_CONFIG,
        paths.SSH_CONFIG,
        paths.KRB5_CONF,
        paths.KDC_CA_BUNDLE_PEM,