From a525b2ebf01ffff83d0a5925035f4be0fc5c700c Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Nov 24 2020 16:14:42 +0000 Subject: Create IPA ssh client configuration and move ProxyCommand The ProxyCommand is non-executable if the user does not have a valid shell (like /sbin/nologin) so skip it in that case. https://pagure.io/freeipa/issue/7676 Signed-off-by: Rob Crittenden Reviewed-By: Alexander Bokovoy
---
diff --git a/client/share/Makefile.am b/client/share/Makefile.am
index 961a5c8..bf631a2 100644
--- a/client/share/Makefile.am
+++ b/client/share/Makefile.am
@@ -4,6 +4,7 @@ appdir = $(IPA_DATA_DIR)/client
 dist_app_DATA = \
 freeipa.template \
 sshd_ipa.conf.template \
+ ssh_ipa.conf.template \
 $(NULL)
 
 epnconfdir = $(IPA_SYSCONF_DIR)
diff --git a/client/share/ssh_ipa.conf.template b/client/share/ssh_ipa.conf.template
new file mode 100644
index 0000000..a4e238e
--- /dev/null
+++ b/client/share/ssh_ipa.conf.template
@@ -0,0 +1,10 @@
+# IPA-related configuration changes to ssh_config
+#
+PubkeyAuthentication yes
+${ENABLEPROXY}GlobalKnownHostsFile $KNOWNHOSTS
+${VERIFYHOSTKEYDNS}VerifyHostKeyDNS yes
+
+# assumes that if a user does not have shell (/sbin/nologin),
+# this will return nonzero exit code and proxy command will be ignored
+${ENABLEPROXY}Match exec true
+${ENABLEPROXY} ProxyCommand $KNOWNHOSTSPROXY -p %p %h
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 175a56c..abb6bd3 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
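Review bot: The `${ENABLEPROXY}Match exec true` block that closes the snippet has no terminator, and in ssh_config a Match block extends until the next Host or Match keyword, including lines read from later-sorted files pulled in by the same Include; so whenever the exec test fails (a user without a usable shell), any global directives in a snippet sorted after 04-ipa.conf are skipped along with the ProxyCommand. I would record this in the template with a comment such as `# NOTE: this Match has no terminator; directives in snippets sorted after this file inherit the condition`, and if only the ProxyCommand is meant to be conditional, end the file with a `${ENABLEPROXY}Match all` line to close the block. Whether such later snippets exist on a target host depends on the distribution and is not visible here.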
@@ -1109,6 +1109,22 @@ def configure_ssh_config(fstore, options):
 
 fstore.backup_file(paths.SSH_CONFIG)
 
+ def ssh_version_supports_include():
+ with open(paths.SSH_CONFIG, 'r') as f:
+ for line in f:
+ if re.match(r"^Include\s", line):
+ return True
+ return False
+
+ if ssh_version_supports_include():
+ create_ssh_ipa_config(options)
+ else:
+ modify_ssh_config(options)
+
+ logger.info('Configured %s', paths.SSH_CONFIG)
+
+
+def modify_ssh_config(options):
 changes = {'PubkeyAuthentication': 'yes'}
 
 if options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY):
@@ -1119,7 +1135,25 @@ def configure_ssh_config(fstore, options):
 changes['VerifyHostKeyDNS'] = 'yes'
 
 change_ssh_config(paths.SSH_CONFIG, changes, ['Host', 'Match'])
- logger.info('Configured %s', paths.SSH_CONFIG)
+
+
+def create_ssh_ipa_config(options):
+ """Add the IPA snippet for ssh"""
+ enableproxy = bool(
+ options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY)
+ )
+
+ ipautil.copy_template_file(
+ os.path.join(paths.SSH_IPA_CONFIG_TEMPLATE),
+ paths.SSH_IPA_CONFIG,
+ dict(
+ ENABLEPROXY='' if enableproxy else '#',
+ KNOWNHOSTSPROXY=paths.SSS_SSH_KNOWNHOSTSPROXY,
+ KNOWNHOSTS=paths.SSSD_PUBCONF_KNOWN_HOSTS,
+ VERIFYHOSTKEYDNS='' if options.trust_sshfp else '#'
+ )
+ )
+ os.chmod(paths.SSH_IPA_CONFIG, 0o644)
 
 
 def configure_sshd_config(fstore, options):
@@ -3500,6 +3534,7 @@ def uninstall(options):
 
 if was_sshd_configured and services.knownservices.sshd.is_running():
 remove_file(paths.SSHD_IPA_CONFIG)
+ remove_file(paths.SSH_IPA_CONFIG)
 services.knownservices.sshd.restart()
 
 # Remove the Firefox configuration
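Review bot: `ssh_version_supports_include()` only establishes that some `Include` directive exists in ssh_config, not that it includes the directory the snippet is written to (the parent of `paths.SSH_IPA_CONFIG`, `/etc/ssh/ssh_config.d/`); with an Include pointing elsewhere the snippet is written but never read, while `Configured %s` is still logged. The match is also case-sensitive although ssh_config keywords are case-insensitive, and the helper's name suggests a version check rather than a file-content check. A tighter test would be `if re.match(r"^\s*Include\s+.*ssh_config\.d\b", line, re.IGNORECASE):` with the helper renamed to something like `ssh_config_includes_dropin()`. The enclosing `configure_ssh_config` starts before this hunk, and the new `modify_ssh_config` continues into the next one.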
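Review bot: `os.path.join(paths.SSH_IPA_CONFIG_TEMPLATE)` with a single argument is a no-op and should read `paths.SSH_IPA_CONFIG_TEMPLATE`. Separately, nothing in `create_ssh_ipa_config` creates the parent directory of `paths.SSH_IPA_CONFIG`, and the Include check in the caller proves only that a directive exists; unless `ipautil.copy_template_file` creates missing directories (not visible here), the write fails with FileNotFoundError on a host whose `ssh_config.d` directory is absent, so a guard such as `os.makedirs(os.path.dirname(paths.SSH_IPA_CONFIG), mode=0o755, exist_ok=True)` before the copy would make it robust. The docstring could also say why the drop-in is chosen over editing ssh_config, e.g. `"""Write the IPA ssh_config.d snippet; ProxyCommand is gated behind Match exec so users without a shell are unaffected."""`. The `0o644` mode is appropriate since the snippet carries no secrets and is read by unprivileged ssh clients.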
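Review bot: `remove_file(paths.SSH_IPA_CONFIG)` is nested under `if was_sshd_configured and services.knownservices.sshd.is_running():`, so the ssh client snippet is removed only when the sshd server was configured and happens to be running at uninstall time; otherwise the client snippet, with its GlobalKnownHostsFile and ProxyCommand pointing at sssd paths, is left behind. Removing the client snippet does not depend on sshd, so the call belongs outside that conditional, e.g. immediately before the `if`: `remove_file(paths.SSH_IPA_CONFIG)`, guarded by whatever tracks the client-side ssh configuration. The enclosing `uninstall()` body begins before this hunk, so such a client-side flag may already exist there.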
@@ -135,6 +135,8 @@ class BasePathNamespace:
 LIMITS_CONF = "/etc/security/limits.conf"
 SSH_CONFIG_DIR = "/etc/ssh"
 SSH_CONFIG = "/etc/ssh/ssh_config"
+ SSH_IPA_CONFIG_TEMPLATE = "/usr/share/ipa/client/ssh_ipa.conf.template"
+ SSH_IPA_CONFIG = "/etc/ssh/ssh_config.d/04-ipa.conf"
 SSHD_CONFIG = "/etc/ssh/sshd_config"
 SSHD_IPA_CONFIG = "/etc/ssh/sshd_config.d/04-ipa.conf"
 SSHD_IPA_CONFIG_TEMPLATE = "/usr/share/ipa/client/sshd_ipa.conf.template"