diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index e95796dfb..042403f68 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -101,6 +101,7 @@ dist_app_DATA = \
 ipaca_default.ini \
 ipaca_customize.ini \
 ipaca_softhsm2.ini \
+ sshd_ipa.conf.template \
 $(NULL)
 
 kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
diff --git a/install/share/sshd_ipa.conf.template b/install/share/sshd_ipa.conf.template
new file mode 100644
index 000000000..a7fbc3cbb
--- /dev/null
+++ b/install/share/sshd_ipa.conf.template
@@ -0,0 +1,8 @@
+# IPA-related configuration changes to sshd_config
+
+PubkeyAuthentication yes
+KerberosAuthentication no
+GSSAPIAuthentication yes
+UsePAM yes
+ChallengeResponseAuthentication yes
+$SSSD_SSHD_OPTIONS
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 5ad8ed730..1b8bc3432 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -26,6 +26,7 @@ import shutil
 import socket
 import sys
 import tempfile
+import textwrap
 import time
 import traceback
 import warnings
@@ -1130,6 +1131,29 @@ def configure_sshd_config(fstore, options):
 
 fstore.backup_file(paths.SSHD_CONFIG)
 
+ # If openssh-server >= 8.2, the config needs to go in a new snippet
+ # in /etc/ssh/sshd_config.d/04-ipa.conf
+ # instead of /etc/ssh/sshd_config file
+ def sshd_version_supports_include():
+ with open(paths.SSHD_CONFIG, 'r') as f:
+ for line in f:
+ if re.match(r"^Include\s", line):
+ return True
+ return False
+
+ if sshd_version_supports_include():
+ create_sshd_ipa_config(options)
+ else:
+ modify_sshd_config(options)
+
+ if sshd.is_running():
+ try:
+ sshd.restart()
+ except Exception as e:
+ log_service_error(sshd.service_name, 'restart', e)
+
+
+def modify_sshd_config(options):
 changes = {
 'PubkeyAuthentication': 'yes',
 'KerberosAuthentication': 'no',
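Review bot: The header comment should state that directives in this snippet take precedence over the same keywords appearing later in sshd_config, because sshd keeps the first value it obtains for each keyword and, on distributions whose stock sshd_config carries `Include /etc/ssh/sshd_config.d/*.conf` at the top, this file is read before the administrator's own settings; an admin who has set `PubkeyAuthentication no` or `UsePAM no` in sshd_config will be silently overridden. Suggest replacing the first line with `# IPA sshd settings; loaded via Include before sshd_config, so these values win (sshd uses the first value obtained per keyword)`. `ChallengeResponseAuthentication` is a deprecated alias of `KbdInteractiveAuthentication` in newer OpenSSH releases; it still parses, but a short comment noting that would spare the next reader a lookup.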
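Review bot: `sshd_version_supports_include()` only checks that some line of sshd_config starts with `Include`; it verifies neither that the included path covers the directory the snippet is written to nor that the Include precedes the keywords the snippet sets, so an sshd_config whose Include points elsewhere, or sits after a `PubkeyAuthentication`/`UsePAM` line (sshd keeps the first value obtained per keyword), gets a `04-ipa.conf` that is never honoured while the installer still logs success and the SSSD `AuthorizedKeysCommand` never takes effect. sshd keywords are also case-insensitive, so a lowercase `include` is currently missed. Suggest `if re.match(r"^\s*Include\s+" + re.escape(os.path.dirname(paths.SSHD_IPA_CONFIG)), line, re.IGNORECASE):`, keeping the existing fallback to `modify_sshd_config(options)` when it does not match. The comment `# If openssh-server >= 8.2, the config needs to go in a new snippet` describes a version test the code does not perform; `# sshd_config carries an Include of sshd_config.d/: write a snippet there instead of editing sshd_config in place` would match the actual check. `configure_sshd_config` begins outside the hunk.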
@@ -1178,11 +1202,24 @@ def configure_sshd_config(fstore, options):
 change_ssh_config(paths.SSHD_CONFIG, changes, ['Match'])
 logger.info('Configured %s', paths.SSHD_CONFIG)
 
- if sshd.is_running():
- try:
- sshd.restart()
- except Exception as e:
- log_service_error(sshd.service_name, 'restart', e)
+
+def create_sshd_ipa_config(options):
+ """Add the IPA snippet for sshd"""
+ sssd_sshd_options = ""
+ if options.sssd and os.path.isfile(paths.SSS_SSH_AUTHORIZEDKEYS):
+ sssd_sshd_options = textwrap.dedent("""\
+ AuthorizedKeysCommand {}
+ AuthorizedKeysCommandUser nobody
+ """).format(paths.SSS_SSH_AUTHORIZEDKEYS)
+
+ ipautil.copy_template_file(
+ os.path.join(paths.SSHD_IPA_CONFIG_TEMPLATE),
+ paths.SSHD_IPA_CONFIG,
+ dict(
+ SSSD_SSHD_OPTIONS=sssd_sshd_options,
+ )
+ )
+ logger.info('Configured %s', paths.SSHD_IPA_CONFIG)
 
 
 def configure_automount(options):
@@ -3448,6 +3485,7 @@ def uninstall(options):
 restore_time_sync(statestore, fstore)
 
 if was_sshd_configured and services.knownservices.sshd.is_running():
+ remove_file(paths.SSHD_IPA_CONFIG)
 services.knownservices.sshd.restart()
 
 # Remove the Firefox configuration
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index df9cd9849..ba4718f30 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -126,6 +126,8 @@ class BasePathNamespace:
 SSH_CONFIG_DIR = "/etc/ssh"
 SSH_CONFIG = "/etc/ssh/ssh_config"
 SSHD_CONFIG = "/etc/ssh/sshd_config"
+ SSHD_IPA_CONFIG = "/etc/ssh/sshd_config.d/04-ipa.conf"
+ SSHD_IPA_CONFIG_TEMPLATE = "/usr/share/ipa/sshd_ipa.conf.template"
 SSSD_CONF = "/etc/sssd/sssd.conf"
 SSSD_CONF_BKP = "/etc/sssd/sssd.conf.bkp"
 SSSD_CONF_DELETED = "/etc/sssd/sssd.conf.deleted"
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index ef80aa2c8..39347643d 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
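Review bot: `os.path.join(paths.SSHD_IPA_CONFIG_TEMPLATE)` with a single argument is a no-op and reads as if a second component were missing; pass `paths.SSHD_IPA_CONFIG_TEMPLATE` directly. Nothing in `create_sshd_ipa_config` ensures `/etc/ssh/sshd_config.d` exists before the snippet is written, and if `copy_template_file` opens the destination directly (not visible here) a missing directory will abort the client install at this step rather than fall back to editing sshd_config; a guard such as `os.makedirs(os.path.dirname(paths.SSHD_IPA_CONFIG), exist_ok=True)` (or an explicit check with a clear error) would make the failure mode deliberate. The docstring could also record that the `AuthorizedKeysCommand`/`AuthorizedKeysCommandUser` pair is emitted only when `options.sssd` is set and `paths.SSS_SSH_AUTHORIZEDKEYS` exists, and that the snippet is written only when sshd_config includes sshd_config.d, since that decision is made by the caller.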
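Review bot: `remove_file(paths.SSHD_IPA_CONFIG)` is nested under `if was_sshd_configured and services.knownservices.sshd.is_running():`, so when sshd happens to be stopped at uninstall time the snippet survives unenrollment and the host keeps `GSSAPIAuthentication yes` and, where it was configured, an `AuthorizedKeysCommand` pointing at SSSD for a domain it no longer belongs to. The removal should depend only on `was_sshd_configured`; restructure to `if was_sshd_configured:` / `    remove_file(paths.SSHD_IPA_CONFIG)` / `    if services.knownservices.sshd.is_running():` with the existing restart call nested beneath. `uninstall` starts and ends outside the hunk, so the surrounding restore logic could not be checked here.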
@@ -155,6 +155,7 @@ class Backup(admintool.AdminTool):
 paths.HTTPD_KEY_FILE,
 paths.HTTPD_IPA_CONF,
 paths.SSHD_CONFIG,
+ paths.SSHD_IPA_CONFIG,
 paths.SSH_CONFIG,
 paths.KRB5_CONF,
 paths.KDC_CA_BUNDLE_PEM,