Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1282845
Description of problem:
ipa-client-install reconfigures sshd to use GSSAPI etc. The installer appends the entries at the bottom of the file. If the existing sshd_config contains a "Match" field, the configuration will result in a sshd_config which prevents sshd from starting.

Excerpt from man 5 sshd_config:
"Match Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file".

This means that global parameters cannot be added at the end of the config file when a Match block comes in place.

Version-Release number of selected component (if applicable): 4.1

How reproducible: Always

Steps to Reproduce:
1. Enter a Match field in sshd_config. I.e.

    Match Address 10.10.10.10
    PermitRootLogin without-password

2. run ipa-client-installer
3. Find the following error message in /var/log/messages

    sshd: /etc/ssh/sshd_config line 146: Directive 'UsePAM' is not allowed within a Match block

Actual results:

    Match Address 10.10.10.10
    KerberosAuthentication no
    PubkeyAuthentication yes
    UsePAM yes
    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
    GSSAPIAuthentication yes
    AuthorizedKeysCommandUser nobody
    PermitRootLogin without-password

Expected results:

    KerberosAuthentication no
    PubkeyAuthentication yes
    UsePAM yes
    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
    GSSAPIAuthentication yes
    AuthorizedKeysCommandUser nobody
    Match Address 10.10.10.10
    PermitRootLogin without-password

Additional info:
Workaround is to use ipa-client-install --no-sshd and distribute a sshd_config which fulfills IPA client requirements.
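The placement rule from the man page excerpt above, as an added example (not the FreeIPA fix and not code from this ticket): a Python sketch that puts global directives before the first Match line instead of appending them. The function name `set_global_options` and the sample config are constructed for illustration; the option values are the ones listed in the ticket.

```python
import re

# Start of a conditional block; sshd_config keywords are case-insensitive.
MATCH_RE = re.compile(r"^\s*match\s", re.IGNORECASE)

# Directives from the ticket's "Expected results".
IPA_OPTIONS = {
    "KerberosAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "UsePAM": "yes",
    "AuthorizedKeysCommand": "/usr/bin/sss_ssh_authorizedkeys",
    "GSSAPIAuthentication": "yes",
    "AuthorizedKeysCommandUser": "nobody",
}

# Constructed sample config containing a Match block, as in the reproducer.
SAMPLE = (
    "Port 22\n"
    "UsePAM no\n"
    "Match Address 10.10.10.10\n"
    "    PermitRootLogin without-password\n"
)


def set_global_options(config_text, options):
    """Return config_text with options set in the global section.

    New directives go immediately before the first Match line, or at the
    end of the file when there is no Match block. Match blocks are left
    untouched.
    """
    lines = config_text.splitlines()
    first_match = next(
        (i for i, line in enumerate(lines) if MATCH_RE.match(line)), len(lines)
    )
    wanted = {key.lower() for key in options}
    global_part = []
    for line in lines[:first_match]:
        keyword = re.split(r"[\s=]+", line.strip(), maxsplit=1)[0].lower()
        if keyword in wanted:
            # sshd keeps the first value it reads for a keyword, so an
            # older global setting has to be disabled, not just followed.
            line = "#" + line
        global_part.append(line)
    new_block = ["%s %s" % (key, value) for key, value in options.items()]
    return "\n".join(global_part + new_block + lines[first_match:]) + "\n"


if __name__ == "__main__":
    print(set_global_options(SAMPLE, IPA_OPTIONS), end="")
```

Checking the generated file with `sshd -t -f <file>` before it replaces the live sshd_config catches the "not allowed within a Match block" error before the daemon is restarted.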
master:
ipa-4-2:
Metadata Update from @pvoborni: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.2.4