Bug 730318 - ipa-install-client does not enable Kerberos, GSSAPI or UsePAM in sshd
Summary: ipa-install-client does not enable Kerberos, GSSAPI or UsePAM in sshd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ipa
Version: 15
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 766072
Reported: 2011-08-12 13:29 UTC by Asbjørn Bjørnstad
Modified: 2012-05-08 04:13 UTC (History)

Fixed In Version: freeipa-2.2.0-1.fc17
Doc Type: Enhancement
Doc Text:
Clone Of:
Clones: 766072
Environment:
Last Closed: 2012-05-08 04:13:22 UTC
Type: ---
Embargoed:



Description Asbjørn Bjørnstad 2011-08-12 13:29:47 UTC
Description of problem:

Ran ipa-install-client as part of server install,
GSSAPIAuthentication, Kerberos and UsePAM were not enabled in /etc/ssh/sshd_config

Version-Release number of selected component (if applicable):

2.0.0.rc3

How reproducible:

Run install script.

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Dmitri Pal 2011-08-12 22:22:17 UTC
https://fedorahosted.org/freeipa/ticket/1634

Would you mind adding more details to the ticket that I opened?
Here are some questions:

1) Why do you think IPA should touch the SSH on the machine?
2) Should it be a client option?
3) Should there be a server install option to configure SSH that would be passed to the client?
4) It seems that SSH can be configured in different ways, what is the preferred configuration? Can you provide a sample config file?

Thank you
Dmitri

Comment 2 Asbjørn Bjørnstad 2011-08-13 05:07:26 UTC
1) I think ipa-client-install should enable the required settings in sshd_config because ssh is the most common way of accessing Linux machines. (Servers in particular.) As a user I expect to be able to log in to the server with IPA credentials after the setup. It's also a part of the server install instructions to restart the ssh service so it can retrieve its Kerberos principal, which doesn't make much sense if Kerberos is not enabled in sshd. (6.3 point 4 in the management guide) Also given that ipa-client-install touches nsswitch/pam/sssd/kerberos config files, ssh feels like the missing piece.

2) Not sure if you mean client vs. server option or option vs. mandatory. It should definitely be done by the client, I would say a --no-sshd option similar to the --no-sssd option would be natural.

3) Personally I don't think so, as this is really a client issue. 

4) I don't have a sample config file, but there are 3 required settings (Please confirm this, as I'm new to Kerberos and IPA):

  4.1)  Enable Kerberos, this is required to be able to log in with IPA credentials (I set them all to yes, which I think is a reasonable configuration. We may have some service accounts in the local password file):

KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

  4.2)  Enable GSSAPI, this to allow ssh to other machines without retyping the password.
GSSAPIAuthentication yes

  4.3) Enable UsePAM, this is required to make HBAC rules work. Otherwise all users in the IPA realm will have access to the server:
UsePAM yes

Comment 3 Asbjørn Bjørnstad 2011-08-14 06:36:08 UTC
Correction, the Kerberos would not be required if UsePAM is enabled and sssd is being configured as pam is set up to use sssd.

I think GSSAPI would still be required to enable passwordless ssh using tickets.

Comment 4 Martin Kosek 2012-05-03 11:05:55 UTC
This issue has been fixed upstream. ipa-client-install in the next version of IPA (2.2) will set GSSAPIAuthentication and UsePAM to "yes". KerberosAuthentication will be set to "no" so that the authentication request is passed to PAM stack (and SSSD).
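A check for the three settings Martin lists, added here as an example and not part of this bug's discussion or of FreeIPA's own code. It assumes sshd's documented rules that the first occurrence of a keyword wins and that a Match line ends the global section; the two sshd_config samples are constructed.

```python
import re

# Values ipa-client-install 2.2 writes to sshd_config (Comment 4).
EXPECTED = {"gssapiauthentication": "yes", "usepam": "yes", "kerberosauthentication": "no"}
# Upstream sshd_config(5) defaults when a keyword is absent (Fedora's packaged
# file ships its own UsePAM line, so an absent keyword is still worth flagging).
SSHD_DEFAULTS = {key: "no" for key in EXPECTED}

def parse_global_settings(text):
    """Effective global keywords: sshd keeps the first value it sees for a
    keyword, and a Match line ends the global section."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":  # everything below is Match-scoped, not global
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective

def audit_sshd_config(text):
    """Map each checked keyword to (effective value, expected value, ok)."""
    effective = parse_global_settings(text)
    report = {}
    for key, want in EXPECTED.items():
        have = effective.get(key, SSHD_DEFAULTS[key]).lower()
        report[key] = (have, want, have == want)
    return report

# Constructed sample: a host before the fix. The Match block's GSSAPI line
# must not be read as a global setting.
BEFORE = """\
Port 22
#GSSAPIAuthentication yes
UsePAM no
Match User backup
    GSSAPIAuthentication yes
"""
# Constructed sample: what the 2.2 client leaves behind, plus a stray duplicate
# that sshd ignores because the first occurrence wins.
AFTER = """\
GSSAPIAuthentication yes
UsePAM yes
KerberosAuthentication no
KerberosAuthentication yes
"""
```

Running `audit_sshd_config` over a real /etc/ssh/sshd_config gives the same per-keyword verdicts, which is a quick way to confirm the client did what Comment 4 says.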

Comment 5 Fedora Update System 2012-05-03 19:01:16 UTC
freeipa-2.2.0-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/freeipa-2.2.0-1.fc17

Comment 6 Fedora Update System 2012-05-04 03:11:40 UTC
Package freeipa-2.2.0-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-2.2.0-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7278/freeipa-2.2.0-1.fc17
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2012-05-08 04:13:22 UTC
freeipa-2.2.0-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
