From ddd8988f1cd2c5ecafb476a6efca15e906cb84df Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Thu, 18 Apr 2013 18:06:54 +0200
Subject: [PATCH] Add support for OpenSSH 6.2. Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config on openssh-server update. https://fedorahosted.org/freeipa/ticket/3571
---
 freeipa.spec.in | 39 ++++++++++++++
 ipa-client/ipa-install/ipa-client-install | 63 +++++++++++++++--------
 2 files changed, 81 insertions(+), 21 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index fc1c6abd6..a10d80e1a 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -570,6 +570,42 @@ if [ $1 -gt 1 ] ; then
 fi
 fi
 
+%triggerin -n freeipa-client -- openssh-server
+# Has the client been configured?
+restore=0
+test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+ if egrep -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
+ sed -r '
+ /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
+ ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
+
+ if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
+ sed -ri '
+ s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
+ sed -ri '
+ s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
+ sed -ri '
+ s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
+ s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ fi
+
+ mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+ /sbin/restorecon /etc/ssh/sshd_config
+ chmod 600 /etc/ssh/sshd_config
+
+ /bin/systemctl condrestart sshd.service 2>&1 || :
+ fi
+fi
+
 %if ! %{ONLY_CLIENT}
 %files server -f server-python.list
 %defattr(-,root,root,-)
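Review bot: The rewritten file is installed unconditionally: when none of the three `sshd -t` probes succeeds, the `mv` after the inner `fi` still replaces sshd_config with the copy from which the first `sed` stripped every `AuthorizedKeysCommandUser`/`AuthorizedKeysCommandRunAs`/`PubKeyAgentRunAs` line, and the final `.ipanew` is never syntax-checked, so a result the installed sshd rejects (the probes can also fail for reasons unrelated to option support, e.g. no host keys loaded yet on a fresh openssh-server install) is only noticed when `condrestart` fails and may leave sshd down. Guard the install with `sshd -t` on the real file and discard the temporary copy otherwise, as below. The temporary file is also created with the scriptlet's default umask and only tightened by `chmod 600` after the `mv`; writing it as `(umask 077; sed -r ... >/etc/ssh/sshd_config.ipanew)` avoids that window. `\0` in the second `sed` is a GNU extension for the whole match; `&` is the portable form.
```shell
  fi

  if /usr/sbin/sshd -t -f /etc/ssh/sshd_config.ipanew; then
    mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
    /sbin/restorecon /etc/ssh/sshd_config
    chmod 600 /etc/ssh/sshd_config

    /bin/systemctl condrestart sshd.service 2>&1 || :
  else
    # leave the existing sshd_config untouched
    rm -f /etc/ssh/sshd_config.ipanew
  fi
```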
@@ -799,6 +835,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Tue Apr 30 2013 Jan Cholasta - 3.1.99-8
+- Add triggerin scriptlet to update sshd_config on openssh-server update
+
 * Thu Apr 25 2013 Rob Crittenden - 3.1.99-7
 - Update nss and nss-tools dependency to fix certutil problem (#872761)
 
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 8cd253eed..385e47257 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -64,6 +64,10 @@ CLIENT_NOT_CONFIGURED = 2
 CLIENT_ALREADY_CONFIGURED = 3
 CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state
 
+SSH_AUTHORIZEDKEYSCOMMAND = '/usr/bin/sss_ssh_authorizedkeys'
+SSH_PROXYCOMMAND = '/usr/bin/sss_ssh_knownhostsproxy'
+SSH_KNOWNHOSTSFILE = '/var/lib/sss/pubconf/known_hosts'
+
 client_nss_nickname_format = 'IPA Machine Certificate - %s'
 
 def parse_options():
@@ -1212,9 +1216,9 @@ def configure_ssh_config(fstore, options):
 if options.trust_sshfp:
 changes['VerifyHostKeyDNS'] = 'yes'
 changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
- elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'):
- changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
- changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts'
+ elif options.sssd and file_exists(SSH_PROXYCOMMAND):
+ changes['ProxyCommand'] = '%s -p %%p %%h' % SSH_PROXYCOMMAND
+ changes['GlobalKnownHostsFile'] = SSH_KNOWNHOSTSFILE
 
 change_ssh_config(ssh_config, changes, ['Host'])
 root_logger.info('Configured %s', ssh_config)
@@ -1237,25 +1241,42 @@ def configure_sshd_config(fstore, options):
 'UsePAM': 'yes',
 }
 
- if options.sssd and file_exists('/usr/bin/sss_ssh_authorizedkeys'):
- authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys'
- (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
- '-o', 'AuthorizedKeysCommand=%s' % authorized_keys_command], raiseonerr=False)
- if retcode == 0:
- changes['AuthorizedKeysCommand'] = authorized_keys_command
- changes['AuthorizedKeysCommandRunAs'] = None
- else:
- authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys %u'
- (stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
- '-o', 'PubKeyAgent=%s' % authorized_keys_command], raiseonerr=False)
+ if options.sssd and file_exists(SSH_AUTHORIZEDKEYSCOMMAND):
+ authorized_keys_changes = None
+
+ candidates = (
+ {
+ 'AuthorizedKeysCommand': SSH_AUTHORIZEDKEYSCOMMAND,
+ 'AuthorizedKeysCommandUser': 'nobody',
+ },
+ {
+ 'AuthorizedKeysCommand': SSH_AUTHORIZEDKEYSCOMMAND,
+ 'AuthorizedKeysCommandRunAs': 'nobody',
+ },
+ {
+ 'PubKeyAgent': '%s %%u' % SSH_AUTHORIZEDKEYSCOMMAND,
+ 'PubKeyAgentRunAs': 'nobody',
+ },
+ )
+
+ for candidate in candidates:
+ args = ['sshd', '-t', '-f', '/dev/null']
+ for item in candidate.iteritems():
+ args.append('-o')
+ args.append('%s=%s' % item)
+
+ (stdout, stderr, retcode) = ipautil.run(args, raiseonerr=False)
 if retcode == 0:
- changes['PubKeyAgent'] = authorized_keys_command
- changes['PubkeyAgentRunAs'] = None
- else:
- root_logger.warning("Installed OpenSSH server does not " +
- "support dynamically loading authorized user keys. " +
- "Public key authentication of IPA users will not be " +
- "available.")
+ authorized_keys_changes = candidate
+ break
+
+ if authorized_keys_changes is not None:
+ changes.update(authorized_keys_changes)
+ else:
+ root_logger.warning("Installed OpenSSH server does not "
+ "support dynamically loading authorized user keys. "
+ "Public key authentication of IPA users will not be "
+ "available.")
 
 change_ssh_config(sshd_config, changes, ['Match'])
 root_logger.info('Configured %s', sshd_config)
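Review bot: The candidate dicts only add the winning directives, while the removed code also set the rival spelling to `None` (`changes['AuthorizedKeysCommandRunAs'] = None`, `changes['PubkeyAgentRunAs'] = None`); nothing in the new loop does that, so an `AuthorizedKeysCommandRunAs`, `PubKeyAgent` or `PubKeyAgentRunAs` line left by an earlier sshd stays next to the new `AuthorizedKeysCommandUser`, and an unknown keyword makes sshd reject its config. Assuming change_ssh_config still treats a `None` value as "remove the directive" (the removed lines relied on it — confirm), clear the other candidates' keys before applying the winner, as below; keeping the removals out of the candidate dicts leaves the `sshd -t` probe arguments untouched and mirrors the spec trigger in this patch, whose first `sed` deletes those lines. `stdout` and `stderr` from `ipautil.run` are unused here and could be `_`. configure_sshd_config begins before this hunk.
```python
        if authorized_keys_changes is not None:
            # Drop directives owned by the rejected variants so a stale
            # spelling from an older sshd cannot coexist with the new one
            # (relies on change_ssh_config treating None as "remove").
            for other in candidates:
                for name in other:
                    if name not in authorized_keys_changes:
                        changes[name] = None
            changes.update(authorized_keys_changes)
        # … unchanged: warning branch …
```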