IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Update host SSH public keys on the server during client install.

Browse Source 
This is done by calling host-mod to update the keys on IPA server and nsupdate
to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp
ipa-client-install option.

https://fedorahosted.org/freeipa/ticket/1634
This commit is contained in:
Jan Cholasta
2011-12-07 03:40:51 -05:00
committed by Rob Crittenden
parent 9b6649a1ce
commit c34f5fbc88
7 changed files with 86 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
ipa-client/ipa-install/ipa-client-install
View File

@@ -28,6 +28,7 @@ try:
from ipapython.ipa_log_manager import *
import tempfile
import getpass
from base64 import b64decode
from ipaclient import ipadiscovery
import ipaclient.ipachangeconf
import ipaclient.ntpconf
@@ -83,6 +84,8 @@ def parse_options():
basic_group.add_option("--ntp-server", dest="ntp_server", help="ntp server to use")
basic_group.add_option("-N", "--no-ntp", action="store_false",
help="do not configure ntp", default=True, dest="conf_ntp")
basic_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
help="do not automatically create DNS SSHFP records")
basic_group.add_option("-f", "--force", dest="force", action="store_true",
default=False, help="force setting of LDAP/Kerberos conf")
basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
@@ -853,6 +856,65 @@ def client_dns(server, hostname, dns_updates=False):
if dns_updates or not dns_ok:
update_dns(server, hostname)
def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
pubkeys = []
for basename in os.listdir(ssh_dir):
if not basename.endswith('.pub'):
continue
filename = os.path.join(ssh_dir, basename)
try:
f = open(filename, 'r')
except IOError, e:
root_logger.warning("Failed to open '%s': %s" % (filename, str(e)))
continue
for line in f:
line = line[:-1]
if line.startswith('#'):
continue
parts = line.split()
if len(parts) < 2:
continue
try:
pubkey = b64decode(parts[1])
except TypeError:
continue
try:
algo, data, fp = ipautil.decode_ssh_pubkey(pubkey)
except ValueError:
continue
if parts[0] != algo:
continue
root_logger.debug("Adding SSH public key from %s" % filename)
pubkeys.append(unicode(parts[1]))
f.close()
try:
result = api.Command['host_mod'](unicode(hostname), ipasshpubkey=pubkeys, updatedns=False)
except errors.EmptyModlist:
pass
except StandardError, e:
root_logger.warning("host_mod: %s" % str(e))
print >>sys.stderr, "Failed to upload host SSH public keys."
return
if create_sshfp:
zone = '.'.join(hostname.split('.')[1:])
ttl = 1200
update_txt = 'zone %s.\nupdate delete %s. IN SSHFP\nsend\n' % (zone, hostname)
for pubkey in pubkeys:
pubkey = b64decode(pubkey)
sshfp = ipautil.make_sshfp(pubkey)
if sshfp is not None:
update_txt += 'update add %s. %s IN SSHFP %s\n' % (hostname, ttl, sshfp)
update_txt += 'send\n'
if not do_nsupdate(update_txt):
print "Warning: Could not update DNS SSHFP records."
def install(options, env, fstore, statestore):
dnsok = False
@@ -1160,6 +1222,8 @@ def install(options, env, fstore, statestore):
client_dns(cli_server, hostname, options.dns_updates)
configure_certmonger(fstore, subject_base, cli_realm, hostname, options)
update_ssh_keys(cli_server, hostname, ipaservices.knownservices.sshd.get_config_dir(), options.create_sshfp)
try:
os.remove(CCACHE_FILE)
except:

3
ipa-client/man/ipa-client-install.1
View File

@@ -63,6 +63,9 @@ Configure ntpd to use this NTP server.
\fB\-N\fR, \fB\-\-no\-ntp\fR
Do not configure or enable NTP.
.TP
\fB\-\-no\-dns\-sshfp\fR
Do not automatically create DNS SSHFP records.
.TP
\fB\-f\fR, \fB\-\-force\fR
Force the settings even if errors occur
.TP