SSH configuration fixes.

Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the latter has been deprecated in OpenSSH 5.9. If DNS host key verification is enabled, restrict the set of allowed host public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only these algorithms. Make sure public key user authentication is enabled in both ssh and sshd. ticket 2769
2025-02-25 18:55:28 -06:00 · 2012-05-23 05:00:55 -04:00 · 2012-05-23 05:00:55 -04:00 · d62b2d9be5
commit d62b2d9be5
parent 43701d2735
1 changed files with 7 additions and 2 deletions
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@ -856,12 +856,16 @@ def configure_ssh(fstore, ssh_dir, options):
    if file_exists(ssh_config):
        fstore.backup_file(ssh_config)

-        changes = {}
+        changes = {
+            'PubkeyAuthentication': 'yes',
+        }
+
        if options.trust_sshfp:
            changes['VerifyHostKeyDNS'] = 'yes'
+            changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
        elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'):
            changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
-            changes['GlobalKnownHostsFile2'] = '/var/lib/sss/pubconf/known_hosts'
+            changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts'

        change_ssh_config(ssh_config, changes, ['Host'])
        print 'Configured', ssh_config
@ -877,6 +881,7 @@ def configure_ssh(fstore, ssh_dir, options):
    fstore.backup_file(sshd_config)

    changes = {
+        'PubkeyAuthentication': 'yes',
        'KerberosAuthentication': 'no',
        'GSSAPIAuthentication': 'yes',
        'UsePAM': 'yes',