Configure ssh and sshd during ipa-client-install.

For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns
ipa-client-install option is used.

For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM
options are enabled (this can be disabled using --no-sshd
ipa-client-install option).

ticket 1634

install/tools/ipa-replica-install

@@ -63,6 +63,10 @@ def parse_options():
                       help="do not configure ntp", default=True)
     basic_group.add_option("--no-ui-redirect", dest="ui_redirect", action="store_false",
                       default=True, help="Do not automatically redirect to the Web UI")
+    basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
+                      help="configure OpenSSH client to trust DNS SSHFP records")
+    basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
+                      help="do not configure OpenSSH server")
     basic_group.add_option("--skip-conncheck", dest="skip_conncheck", action="store_true",
                       default=False, help="skip connection check to remote master")
     basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
@@ -460,6 +464,10 @@ def main():
         args = ["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name]
         if not options.create_sshfp:
             args.append("--no-dns-sshfp")
+        if options.trust_sshfp:
+            args.append("--ssh-trust-dns")
+        if not options.conf_sshd:
+            args.append("--no-sshd")
         ipautil.run(args)
     except Exception, e:
         print "Configuration of client side components failed!"

install/tools/ipa-server-install

@@ -141,6 +141,10 @@ def parse_options():
                       help="Don't install allow_all HBAC rule")
     basic_group.add_option("--no-ui-redirect", dest="ui_redirect", action="store_false",
                       default=True, help="Do not automatically redirect to the Web UI")
+    basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
+                      help="configure OpenSSH client to trust DNS SSHFP records")
+    basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
+                      help="do not configure OpenSSH server")
     basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
                       default=False, help="print debugging information")
     basic_group.add_option("-U", "--unattended", dest="unattended", action="store_true",
@@ -1042,6 +1046,10 @@ def main():
         args = ["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name]
         if not options.create_sshfp:
             args.append("--no-dns-sshfp")
+        if options.trust_sshfp:
+            args.append("--ssh-trust-dns")
+        if not options.conf_sshd:
+            args.append("--no-sshd")
         run(args)
     except Exception, e:
         sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))

install/tools/man/ipa-replica-install.1

@@ -47,6 +47,12 @@ Do not configure NTP
 \fB\-\-no\-ui\-redirect\fR
 Do not automatically redirect to the Web UI.
 .TP
+\fB\-\-ssh\-trust\-dns\fR
+Configure OpenSSH client to trust DNS SSHFP records.
+.TP
+\fB\-\-no\-sshd\fR
+Do not configure OpenSSH server.
+.TP
 \fB\-\-skip\-conncheck\fR
 Skip connection check to remote master
 .TP

install/tools/man/ipa-server-install.1

@@ -63,6 +63,12 @@ Don't install allow_all HBAC rule. This rule lets any user from any host access
 \fB\-\-no\-ui\-redirect\fR
 Do not automatically redirect to the Web UI.
 .TP
+\fB\-\-ssh\-trust\-dns\fR
+Configure OpenSSH client to trust DNS SSHFP records.
+.TP
+\fB\-\-no\-sshd\fR
+Do not configure OpenSSH server.
+.TP
 \fB\-d\fR, \fB\-\-debug\fR
 Enable debug logging when more verbose output is needed
 .TP

ipa-client/ipa-install/ipa-client-install

@@ -84,6 +84,10 @@ def parse_options():
     basic_group.add_option("--ntp-server", dest="ntp_server", help="ntp server to use")
     basic_group.add_option("-N", "--no-ntp", action="store_false",
                       help="do not configure ntp", default=True, dest="conf_ntp")
+    basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
+                      help="configure OpenSSH client to trust DNS SSHFP records")
+    basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
+                      help="do not configure OpenSSH server")
     basic_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
                       help="do not automatically create DNS SSHFP records")
     basic_group.add_option("-f", "--force", dest="force", action="store_true",
@@ -290,8 +294,12 @@ def uninstall(options, env, quiet=False):
 
     emit_quiet(quiet, "Disabling client Kerberos and LDAP configurations")
     was_sssd_installed = False
+    was_sshd_configured = False
     if fstore.has_files():
         was_sssd_installed = fstore.has_file("/etc/sssd/sssd.conf")
+
+        sshd_config = os.path.join(ipaservices.knownservices.sshd.get_config_dir(), "sshd_config")
+        was_sshd_configured = fstore.has_file(sshd_config)
     try:
         auth_config = ipaservices.authconfig()
         if statestore.has_state('authconfig'):
@@ -385,6 +393,9 @@ def uninstall(options, env, quiet=False):
            if restored:
                ipaservices.knownservices.ntpd.restart()
 
+    if was_sshd_configured and ipaservices.knownservices.sshd.is_running():
+        ipaservices.knownservices.sshd.restart()
+
     if was_sssd_installed and was_sssd_configured:
         # SSSD was installed before our installation, config now is restored, restart it
         emit_quiet(quiet, "The original configuration of SSSD included other domains than IPA-based one.")
@@ -751,6 +762,101 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
 
     return 0
 
+def change_ssh_config(filename, changes, sections):
+    if len(changes) == 0:
+        return True
+
+    try:
+        f = open(filename, 'r')
+    except IOError, e:
+        root_logger.error("Failed to open '%s': %s" % (filename, str(e)))
+        return False
+
+    lines = []
+    in_section = False
+    for line in f:
+        if in_section:
+            lines.append(line)
+            continue
+        pline = line.strip()
+        if len(pline) == 0 or pline.startswith('#'):
+            lines.append(line)
+            continue
+        parts = pline.split()
+        option = parts[0].lower()
+        for key in sections:
+            if key.lower() == option:
+                in_section = True
+                break
+        if in_section:
+            break
+        for opt in changes:
+            if opt.lower() == option:
+                line = None
+                break
+        if line is not None:
+            lines.append(line)
+    for opt in changes:
+        lines.append('%s %s\n' % (opt, changes[opt]))
+    lines.append('\n')
+    if in_section:
+        lines.append(line)
+    for line in f:
+        lines.append(line)
+
+    f.close()
+
+    try:
+        f = open(filename, 'w')
+    except IOError, e:
+        root_logger.error("Failed to open '%s': %s" % (filename, str(e)))
+        return False
+
+    f.write(''.join(lines))
+
+    f.close()
+
+    return True
+
+def configure_ssh(fstore, ssh_dir, options):
+    ssh_config = os.path.join(ssh_dir, 'ssh_config')
+    sshd_config = os.path.join(ssh_dir, 'sshd_config')
+
+    if file_exists(ssh_config):
+        fstore.backup_file(ssh_config)
+
+        changes = {}
+        if options.trust_sshfp:
+            changes['VerifyHostKeyDNS'] = 'yes'
+
+        change_ssh_config(ssh_config, changes, ['Host'])
+        print 'Configured', ssh_config
+
+    if not options.conf_sshd:
+        return
+
+    sshd = ipaservices.knownservices.sshd
+    if not sshd.is_installed():
+        root_logger.debug("%s daemon is not installed, skip configuration" % (sshd.service_name))
+        return
+
+    fstore.backup_file(sshd_config)
+
+    changes = {
+        'KerberosAuthentication': 'yes',
+        'GSSAPIAuthentication': 'yes',
+        'UsePAM': 'yes',
+    }
+
+    change_ssh_config(sshd_config, changes, ['Match'])
+    print 'Configured', sshd_config
+
+    if sshd.is_running():
+        try:
+            sshd.restart()
+        except Exception, e:
+            log_service_error(sshd.service_name, 'restart', e)
+
 def resolve_ipaddress(server):
     """ Connect to the server's LDAP port in order to determine what ip
         address this machine uses as "public" ip (relative to the server).
@@ -1340,6 +1446,8 @@ def install(options, env, fstore, statestore):
         ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
         print "NTP enabled"
 
+    configure_ssh(fstore, ipaservices.knownservices.sshd.get_config_dir(), options)
+
     print "Client configuration complete."
 
     return 0

ipa-client/man/ipa-client-install.1

@@ -63,6 +63,12 @@ Configure ntpd to use this NTP server.
 \fB\-N\fR, \fB\-\-no\-ntp\fR
 Do not configure or enable NTP.
 .TP
+\fB\-\-ssh\-trust\-dns\fR
+Configure OpenSSH client to trust DNS SSHFP records.
+.TP
+\fB\-\-no\-sshd\fR
+Do not configure OpenSSH server.
+.TP
 \fB\-\-no\-dns\-sshfp\fR
 Do not automatically create DNS SSHFP records.
 .TP