mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
Add support for OpenSSH 6.2.
Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config on openssh-server update. https://fedorahosted.org/freeipa/ticket/3571
This commit is contained in:
parent
5d6a9d3bef
commit
ddd8988f1c
@ -570,6 +570,42 @@ if [ $1 -gt 1 ] ; then
|
||||
fi
|
||||
fi
|
||||
|
||||
%triggerin -n freeipa-client -- openssh-server
|
||||
# Has the client been configured?
|
||||
restore=0
|
||||
test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
|
||||
|
||||
if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
|
||||
if egrep -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
|
||||
sed -r '
|
||||
/^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
|
||||
' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
|
||||
|
||||
if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
|
||||
sed -ri '
|
||||
s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
|
||||
s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
|
||||
' /etc/ssh/sshd_config.ipanew
|
||||
elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
|
||||
sed -ri '
|
||||
s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
|
||||
s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
|
||||
' /etc/ssh/sshd_config.ipanew
|
||||
elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
|
||||
sed -ri '
|
||||
s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
|
||||
s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
|
||||
' /etc/ssh/sshd_config.ipanew
|
||||
fi
|
||||
|
||||
mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
|
||||
/sbin/restorecon /etc/ssh/sshd_config
|
||||
chmod 600 /etc/ssh/sshd_config
|
||||
|
||||
/bin/systemctl condrestart sshd.service 2>&1 || :
|
||||
fi
|
||||
fi
|
||||
|
||||
%if ! %{ONLY_CLIENT}
|
||||
%files server -f server-python.list
|
||||
%defattr(-,root,root,-)
|
||||
@ -799,6 +835,9 @@ fi
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
|
||||
|
||||
%changelog
|
||||
* Tue Apr 30 2013 Jan Cholasta <jcholast@redhat.com> - 3.1.99-8
|
||||
- Add triggerin scriptlet to update sshd_config on openssh-server update
|
||||
|
||||
* Thu Apr 25 2013 Rob Crittenden <rcritten@redhat.com> - 3.1.99-7
|
||||
- Update nss and nss-tools dependency to fix certutil problem (#872761)
|
||||
|
||||
|
@ -64,6 +64,10 @@ CLIENT_NOT_CONFIGURED = 2
|
||||
CLIENT_ALREADY_CONFIGURED = 3
|
||||
CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state
|
||||
|
||||
SSH_AUTHORIZEDKEYSCOMMAND = '/usr/bin/sss_ssh_authorizedkeys'
|
||||
SSH_PROXYCOMMAND = '/usr/bin/sss_ssh_knownhostsproxy'
|
||||
SSH_KNOWNHOSTSFILE = '/var/lib/sss/pubconf/known_hosts'
|
||||
|
||||
client_nss_nickname_format = 'IPA Machine Certificate - %s'
|
||||
|
||||
def parse_options():
|
||||
@ -1212,9 +1216,9 @@ def configure_ssh_config(fstore, options):
|
||||
if options.trust_sshfp:
|
||||
changes['VerifyHostKeyDNS'] = 'yes'
|
||||
changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
|
||||
elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'):
|
||||
changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
|
||||
changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts'
|
||||
elif options.sssd and file_exists(SSH_PROXYCOMMAND):
|
||||
changes['ProxyCommand'] = '%s -p %%p %%h' % SSH_PROXYCOMMAND
|
||||
changes['GlobalKnownHostsFile'] = SSH_KNOWNHOSTSFILE
|
||||
|
||||
change_ssh_config(ssh_config, changes, ['Host'])
|
||||
root_logger.info('Configured %s', ssh_config)
|
||||
@ -1237,25 +1241,42 @@ def configure_sshd_config(fstore, options):
|
||||
'UsePAM': 'yes',
|
||||
}
|
||||
|
||||
if options.sssd and file_exists('/usr/bin/sss_ssh_authorizedkeys'):
|
||||
authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys'
|
||||
(stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
|
||||
'-o', 'AuthorizedKeysCommand=%s' % authorized_keys_command], raiseonerr=False)
|
||||
if retcode == 0:
|
||||
changes['AuthorizedKeysCommand'] = authorized_keys_command
|
||||
changes['AuthorizedKeysCommandRunAs'] = None
|
||||
else:
|
||||
authorized_keys_command = '/usr/bin/sss_ssh_authorizedkeys %u'
|
||||
(stdout, stderr, retcode) = ipautil.run(['sshd', '-t', '-f', '/dev/null',
|
||||
'-o', 'PubKeyAgent=%s' % authorized_keys_command], raiseonerr=False)
|
||||
if options.sssd and file_exists(SSH_AUTHORIZEDKEYSCOMMAND):
|
||||
authorized_keys_changes = None
|
||||
|
||||
candidates = (
|
||||
{
|
||||
'AuthorizedKeysCommand': SSH_AUTHORIZEDKEYSCOMMAND,
|
||||
'AuthorizedKeysCommandUser': 'nobody',
|
||||
},
|
||||
{
|
||||
'AuthorizedKeysCommand': SSH_AUTHORIZEDKEYSCOMMAND,
|
||||
'AuthorizedKeysCommandRunAs': 'nobody',
|
||||
},
|
||||
{
|
||||
'PubKeyAgent': '%s %%u' % SSH_AUTHORIZEDKEYSCOMMAND,
|
||||
'PubKeyAgentRunAs': 'nobody',
|
||||
},
|
||||
)
|
||||
|
||||
for candidate in candidates:
|
||||
args = ['sshd', '-t', '-f', '/dev/null']
|
||||
for item in candidate.iteritems():
|
||||
args.append('-o')
|
||||
args.append('%s=%s' % item)
|
||||
|
||||
(stdout, stderr, retcode) = ipautil.run(args, raiseonerr=False)
|
||||
if retcode == 0:
|
||||
changes['PubKeyAgent'] = authorized_keys_command
|
||||
changes['PubkeyAgentRunAs'] = None
|
||||
else:
|
||||
root_logger.warning("Installed OpenSSH server does not " +
|
||||
"support dynamically loading authorized user keys. " +
|
||||
"Public key authentication of IPA users will not be " +
|
||||
"available.")
|
||||
authorized_keys_changes = candidate
|
||||
break
|
||||
|
||||
if authorized_keys_changes is not None:
|
||||
changes.update(authorized_keys_changes)
|
||||
else:
|
||||
root_logger.warning("Installed OpenSSH server does not "
|
||||
"support dynamically loading authorized user keys. "
|
||||
"Public key authentication of IPA users will not be "
|
||||
"available.")
|
||||
|
||||
change_ssh_config(sshd_config, changes, ['Match'])
|
||||
root_logger.info('Configured %s', sshd_config)
|
||||
|
Loading…
Reference in New Issue
Block a user