Hi,

this patch fixes <https://fedorahosted.org/freeipa/ticket/3070>.

If both --no-ssh and --no-sshd are specified, do not configure the SSH service in SSSD.

Honza

--
Jan Cholasta
>From 2a80c57305b099129b192e7ccf52b7f8cc982c41 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 12 Sep 2012 09:19:26 -0400
Subject: [PATCH] Add --no-ssh option to ipa-client-install to disable OpenSSH
 client configuration.

If both --no-ssh and --no-sshd are specified, do not configure the SSH service
in SSSD.

ticket 3070
---
 install/tools/ipa-replica-install         |  4 ++
 install/tools/ipa-server-install          |  4 ++
 install/tools/man/ipa-replica-install.1   |  3 ++
 install/tools/man/ipa-server-install.1    |  3 ++
 ipa-client/ipa-install/ipa-client-install | 78 ++++++++++++++++++-------------
 ipa-client/man/ipa-client-install.1       |  3 ++
 6 files changed, 63 insertions(+), 32 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 41e1ef5..267a70d 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -68,6 +68,8 @@ def parse_options():
                       default=True, help="Do not automatically redirect to the Web UI")
     basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
                       help="configure OpenSSH client to trust DNS SSHFP records")
+    basic_group.add_option("--no-ssh", dest="conf_ssh", default=True, action="store_false",
+                      help="do not configure OpenSSH client")
     basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
                       help="do not configure OpenSSH server")
     basic_group.add_option("--skip-conncheck", dest="skip_conncheck", action="store_true",
@@ -500,6 +502,8 @@ def main():
             args.append("--no-dns-sshfp")
         if options.trust_sshfp:
             args.append("--ssh-trust-dns")
+        if not options.conf_ssh:
+            args.append("--no-ssh")
         if not options.conf_sshd:
             args.append("--no-sshd")
         ipautil.run(args)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index ba056fd..f07aead 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -145,6 +145,8 @@ def parse_options():
                       default=True, help="Do not automatically redirect to the Web UI")
     basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
                       help="configure OpenSSH client to trust DNS SSHFP records")
+    basic_group.add_option("--no-ssh", dest="conf_ssh", default=True, action="store_false",
+                      help="do not configure OpenSSH client")
     basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
                       help="do not configure OpenSSH server")
     basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
@@ -1071,6 +1073,8 @@ def main():
             args.append("--no-dns-sshfp")
         if options.trust_sshfp:
             args.append("--ssh-trust-dns")
+        if not options.conf_ssh:
+            args.append("--no-ssh")
         if not options.conf_sshd:
             args.append("--no-sshd")
         run(args)
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index 3f44597..084b454 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -56,6 +56,9 @@ Do not automatically redirect to the Web UI.
 \fB\-\-ssh\-trust\-dns\fR
 Configure OpenSSH client to trust DNS SSHFP records.
 .TP
+\fB\-\-no\-ssh\fR
+Do not configure OpenSSH client.
+.TP
 \fB\-\-no\-sshd\fR
 Do not configure OpenSSH server.
 .TP
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 61b7c66..75c6a78 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -66,6 +66,9 @@ Do not automatically redirect to the Web UI.
 \fB\-\-ssh\-trust\-dns\fR
 Configure OpenSSH client to trust DNS SSHFP records.
 .TP
+\fB\-\-no\-ssh\fR
+Do not configure OpenSSH client.
+.TP
 \fB\-\-no\-sshd\fR
 Do not configure OpenSSH server.
 .TP
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 83f5268..1bd9dcb 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -89,6 +89,8 @@ def parse_options():
                       help="do not configure ntp", default=True, dest="conf_ntp")
     basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
                       help="configure OpenSSH client to trust DNS SSHFP records")
+    basic_group.add_option("--no-ssh", dest="conf_ssh", default=True, action="store_false",
+                      help="do not configure OpenSSH client")
     basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
                       help="do not configure OpenSSH server")
     basic_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
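Review bot: `--no-ssh` can be combined with `--ssh-trust-dns` and the combination is accepted silently: trust_sshfp is only consumed by the OpenSSH client configuration, which --no-ssh skips, so an operator who asked for SSHFP verification ends up with no client configuration and no warning. After the options are parsed (parse_options continues outside this hunk) a guard such as `if options.trust_sshfp and not options.conf_ssh: parser.error("--ssh-trust-dns cannot be used with --no-ssh")` would make the conflict explicit; ipa-server-install and ipa-replica-install forward the same pair unchecked. The help text could also state what the option leaves alone, e.g. `help="do not configure OpenSSH client (the SSSD ssh service is still enabled when sshd is configured)"`.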
@@ -802,18 +804,23 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie
         sssdconfig.new_config()
         domain = sssdconfig.new_domain(cli_domain)
 
-    try:
-        sssdconfig.new_service('ssh')
-    except SSSDConfig.ServiceAlreadyExists:
-        pass
-    except SSSDConfig.ServiceNotRecognizedError:
-        root_logger.error("Unable to activate the SSH service in SSSD config.")
-        root_logger.info(
-            "Please make sure you have SSSD built with SSH support installed.")
-        root_logger.info(
-            "Configure SSH support manually in /etc/sssd/sssd.conf.")
+    ssh_dir = ipaservices.knownservices.sshd.get_config_dir()
+    ssh_config = os.path.join(ssh_dir, 'ssh_config')
+    sshd_config = os.path.join(ssh_dir, 'sshd_config')
+
+    if (options.conf_ssh and file_exists(ssh_config)) or (options.conf_sshd and file_exists(sshd_config)):
+        try:
+            sssdconfig.new_service('ssh')
+        except SSSDConfig.ServiceAlreadyExists:
+            pass
+        except SSSDConfig.ServiceNotRecognizedError:
+            root_logger.error("Unable to activate the SSH service in SSSD config.")
+            root_logger.info(
+                "Please make sure you have SSSD built with SSH support installed.")
+            root_logger.info(
+                "Configure SSH support manually in /etc/sssd/sssd.conf.")
 
-    sssdconfig.activate_service('ssh')
+        sssdconfig.activate_service('ssh')
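Review bot: The gate `if (options.conf_ssh and file_exists(ssh_config)) or (options.conf_sshd and file_exists(sshd_config)):` has to stay in lockstep with the skip conditions in configure_ssh_config and configure_sshd_config, and nothing in the hunk records why the SSSD ssh responder is tied to the presence of the OpenSSH config files; a comment such as `# Enable SSSD's ssh responder only when at least one OpenSSH config file will be pointed at it` would capture the intent. Inside the block the ServiceNotRecognizedError branch still falls through to `sssdconfig.activate_service('ssh')`, which presumably fails on a config that has no ssh service, so the "configure manually" advice is logged and then the install aborts anyway; returning after the log messages, or placing the activate call in a try/else, would make that advice meaningful. The condition is also well past 79 columns; naming the two clauses (`want_ssh = ...`, `want_sshd = ...`) would keep it readable. configure_sssd_conf starts and ends outside this hunk.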
 
     domain.add_provider('ipa', 'id')
 
@@ -921,34 +928,37 @@ def change_ssh_config(filename, changes, sections):
 
     return True
 
-def configure_ssh(fstore, ssh_dir, options):
+def configure_ssh_config(fstore, options):
+    ssh_dir = ipaservices.knownservices.sshd.get_config_dir()
     ssh_config = os.path.join(ssh_dir, 'ssh_config')
-    sshd_config = os.path.join(ssh_dir, 'sshd_config')
 
-    if file_exists(ssh_config):
-        fstore.backup_file(ssh_config)
+    if not file_exists(ssh_config):
+        root_logger.info("%s not found, skipping configuration" % ssh_config)
+        return
 
-        changes = {
-            'PubkeyAuthentication': 'yes',
-        }
+    fstore.backup_file(ssh_config)
 
-        if options.trust_sshfp:
-            changes['VerifyHostKeyDNS'] = 'yes'
-            changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
-        elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'):
-            changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
-            changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts'
+    changes = {
+        'PubkeyAuthentication': 'yes',
+    }
 
-        change_ssh_config(ssh_config, changes, ['Host'])
-        root_logger.info('Configured %s', ssh_config)
+    if options.trust_sshfp:
+        changes['VerifyHostKeyDNS'] = 'yes'
+        changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
+    elif options.sssd and file_exists('/usr/bin/sss_ssh_knownhostsproxy'):
+        changes['ProxyCommand'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
+        changes['GlobalKnownHostsFile'] = '/var/lib/sss/pubconf/known_hosts'
 
-    if not options.conf_sshd:
-        return
+    change_ssh_config(ssh_config, changes, ['Host'])
+    root_logger.info('Configured %s', ssh_config)
 
+def configure_sshd_config(fstore, options):
     sshd = ipaservices.knownservices.sshd
-    if not sshd.is_installed():
-        root_logger.info("%s daemon is not installed, skip configuration",
-            sshd.service_name)
+    ssh_dir = sshd.get_config_dir()
+    sshd_config = os.path.join(ssh_dir, 'sshd_config')
+
+    if not file_exists(sshd_config):
+        root_logger.info("%s not found, skipping configuration" % sshd_config)
         return
 
     fstore.backup_file(sshd_config)
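Review bot: `if not file_exists(sshd_config)` in configure_sshd_config replaces the previous `sshd.is_installed()` guard, so an sshd_config left behind after openssh-server is removed is now enough for the installer to back up and edit it; keeping both checks, `if not sshd.is_installed() or not file_exists(sshd_config):`, preserves the old protection. The two new skip messages format eagerly (`"%s not found, skipping configuration" % ssh_config`) while the adjacent `root_logger.info('Configured %s', ssh_config)` passes lazy arguments; `root_logger.info("%s not found, skipping configuration", ssh_config)` is the consistent form. The reindented `VerifyHostKeyDNS` branch would benefit from a comment on its trust assumption, e.g. `# SSHFP records only authenticate a host when the resolver validates DNSSEC`. configure_ssh_config is complete within the hunk; configure_sshd_config continues past its end.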
@@ -1767,7 +1777,11 @@ def install(options, env, fstore, statestore):
         ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
         root_logger.info("NTP enabled")
 
-    configure_ssh(fstore, ipaservices.knownservices.sshd.get_config_dir(), options)
+    if options.conf_ssh:
+        configure_ssh_config(fstore, options)
+
+    if options.conf_sshd:
+        configure_sshd_config(fstore, options)
 
     root_logger.info('Client configuration complete.')
 
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index c3ec6de..ef77f41 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -74,6 +74,9 @@ Do not configure or enable NTP.
 \fB\-\-ssh\-trust\-dns\fR
 Configure OpenSSH client to trust DNS SSHFP records.
 .TP
+\fB\-\-no\-ssh\fR
+Do not configure OpenSSH client.
+.TP
 \fB\-\-no\-sshd\fR
 Do not configure OpenSSH server.
 .TP
-- 
1.7.11.4
