Bug 730318

Summary: ipa-install-client does not enable Kerberos, GSSAPI or UsePAM in sshd
Product: Fedora
Component: ipa
Version: 15
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Keywords: FutureFeature
Doc Type: Enhancement
Fixed In Version: freeipa-2.2.0-1.fc17
Last Closed: 2012-05-08 04:13:22 UTC
Bug Blocks: 766072

Reporter: Asbjørn Bjørnstad <asbjxrn>
Assignee: Rob Crittenden <rcritten>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dpal, jgalipea, mkosek, rcritten, ssorce

Description Asbjørn Bjørnstad 2011-08-12 13:29:47 UTC
Description of problem:

Ran ipa-install-client as part of server install;
GSSAPIAuthentication, Kerberos and UsePAM were not enabled in /etc/ssh/sshd_config.

Version-Release number of selected component (if applicable):

2.0.0.rc3

How reproducible:

Run install script.

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Dmitri Pal 2011-08-12 22:22:17 UTC
https://fedorahosted.org/freeipa/ticket/1634

Would you mind adding more details to the ticket that I opened?
Here are some questions:

1) Why do you think IPA should touch the SSH configuration on the machine?
2) Should it be a client option?
3) Should there be a server install option to configure SSH that would be passed to the client?
4) It seems that SSH can be configured in different ways; what is the preferred configuration? Can you provide a sample config file?

Thank you
Dmitri

Comment 2 Asbjørn Bjørnstad 2011-08-13 05:07:26 UTC
1) I think ipa-client-install should enable the required settings in sshd_config because ssh is the most common way of accessing Linux machines (servers in particular). As a user I expect to be able to log in to the server with IPA credentials after the setup. It's also a part of the server install instructions to restart the ssh service so it can retrieve its Kerberos principal, which doesn't make much sense if Kerberos is not enabled in sshd (section 6.3, point 4 in the management guide). Also, given that ipa-client-install touches the nsswitch/pam/sssd/kerberos config files, ssh feels like the missing piece.

2) Not sure if you mean client vs. server option or option vs. mandatory. It should definitely be done by the client, I would say a --no-sshd option similar to the --no-sssd option would be natural.

3) Personally I don't think so, as this is really a client issue. 

4) I don't have a sample config file, but there are 3 required settings (please confirm this, as I'm new to Kerberos and IPA):

  4.1) Enable Kerberos; this is required to be able to log in with IPA credentials (I set them all to yes, which I think is a reasonable configuration. We may have some service accounts in the local password file):

KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

  4.2) Enable GSSAPI; this allows ssh to other machines without retyping the password:
GSSAPIAuthentication yes

  4.3) Enable UsePAM; this is required to make HBAC rules work. Otherwise all users in the IPA realm will have access to the server:
UsePAM yes

Comment 3 Asbjørn Bjørnstad 2011-08-14 06:36:08 UTC
Correction: the Kerberos settings would not be required if UsePAM is enabled and sssd is being configured, as PAM is set up to use sssd.

I think GSSAPI would still be required to enable passwordless ssh using tickets.

Comment 4 Martin Kosek 2012-05-03 11:05:55 UTC
This issue has been fixed upstream. ipa-client-install in the next version of IPA (2.2) will set GSSAPIAuthentication and UsePAM to "yes". KerberosAuthentication will be set to "no" so that the authentication request is passed to PAM stack (and SSSD).
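
The three directives from comment 2, with the values comment 4 says ipa-client-install 2.2 applies (GSSAPIAuthentication yes, UsePAM yes, KerberosAuthentication no), can be audited on an existing host with the script below. It is an added example and not FreeIPA code; the sample sshd_config is constructed. It respects two sshd parsing rules that a naive "append to the end of the file" fix gets wrong: sshd uses the first value it reads for a keyword, so an earlier conflicting line wins over an appended one, and anything after the first `Match` line belongs to that conditional block rather than to the global configuration.

```python
"""Audit and correct the sshd_config directives discussed in this bug.

Added example, not part of FreeIPA. The expected values follow comment 4;
the sample configuration at the bottom is constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# Values ipa-client-install 2.2 is described as setting (comment 4).
EXPECTED = {
    "GSSAPIAuthentication": "yes",
    "UsePAM": "yes",
    "KerberosAuthentication": "no",
}

# keyword, then '=' or whitespace, then the value (sshd_config accepts both)
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(\S.*?)\s*$")


def parse_global(text: str) -> Dict[str, Tuple[str, int]]:
    """Return {lowercased keyword: (value, line index)} for the global section.

    sshd keeps the *first* value it reads for a keyword, so later duplicates
    are ignored; parsing stops at the first 'Match' line because everything
    after it is conditional and does not change the global setting.
    """
    found: Dict[str, Tuple[str, int]] = {}
    for idx, line in enumerate(text.splitlines()):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        found.setdefault(key, (value, idx))
    return found


def audit(text: str) -> List[str]:
    """List expected directives that are absent or carry another value."""
    found = parse_global(text)
    problems = []
    for key, want in EXPECTED.items():
        got = found.get(key.lower())
        if got is None:
            problems.append(f"{key} missing (sshd default applies)")
        elif got[0].lower() != want:
            problems.append(f"{key} is {got[0]}, expected {want}")
    return problems


def fix(text: str) -> str:
    """Return the configuration with the expected values applied.

    An existing first occurrence is rewritten in place so the first-match
    rule yields the expected value; a missing directive is inserted before
    the first 'Match' line, never appended after it.
    """
    lines = text.splitlines()
    found = parse_global(text)
    to_add = []
    for key, want in EXPECTED.items():
        got = found.get(key.lower())
        if got is None:
            to_add.append(f"{key} {want}")
        elif got[0].lower() != want:
            lines[got[1]] = f"{key} {want}"
    if to_add:
        match_idx = len(lines)
        for i, line in enumerate(lines):
            m = _DIRECTIVE.match(line)
            if m and m.group(1).lower() == "match":
                match_idx = i
                break
        lines[match_idx:match_idx] = to_add
    return "\n".join(lines) + "\n"


# Constructed sample: Kerberos on, GSSAPI off, and a trailing Match block.
SAMPLE = """\
# constructed sample sshd_config (not a real host's file)
Protocol 2
#KerberosAuthentication no
KerberosAuthentication yes
GSSAPIAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for problem in audit(SAMPLE):
        print("audit:", problem)
    print(fix(SAMPLE))
```

Run against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the commented `#KerberosAuthentication no` line in the sample is deliberately ignored, since only the uncommented first occurrence counts for sshd.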

Comment 5 Fedora Update System 2012-05-03 19:01:16 UTC
freeipa-2.2.0-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/freeipa-2.2.0-1.fc17

Comment 6 Fedora Update System 2012-05-04 03:11:40 UTC
Package freeipa-2.2.0-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-2.2.0-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7278/freeipa-2.2.0-1.fc17
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2012-05-08 04:13:22 UTC
freeipa-2.2.0-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.