Description of problem:
FreeIPA version in F19 shows the following error during ipa-client-install:

Installed OpenSSH server does not support dynamically loading authorized user keys. Public key authentication of IPA users will not be available.

This is due to changes in OpenSSH 6.2 as described here:
https://fedorahosted.org/freeipa/ticket/3571

Version-Release number of selected component (if applicable):
freeipa-client-3.2.0-0.2.beta1.fc19.x86_64
openssh-6.2p1-3.fc19.x86_64

How reproducible:
always

Steps to Reproduce:
1. Setup F19 FreeIPA server
2. ipa-client-install # on client
3.

Actual results:
client installs but shows error message above about not supporting ssh user keys.

Expected results:
no errors and ssh user keys supported.

Additional info:

[root@f19-3 ~]# ipa-client-install --domain=ipa.example.org --server=f19-1.ipa.example.org -p admin -w Secret123 -U
WARNING: ntpd time&date synchronization service will not be configured as conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Hostname: f19-3.ipa.example.org
Realm: IPA.EXAMPLE.ORG
DNS Domain: ipa.example.org
IPA Server: f19-1.ipa.example.org
BaseDN: dc=ipa,dc=example,dc=org

Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=IPA.EXAMPLE.ORG
    Issuer: CN=Certificate Authority,O=IPA.EXAMPLE.ORG
    Valid From: Thu Apr 18 15:38:54 2013 UTC
    Valid Until: Mon Apr 18 15:38:54 2033 UTC

Enrolled in IPA realm IPA.EXAMPLE.ORG
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.EXAMPLE.ORG
trying https://f19-1.ipa.example.org/ipa/xml
Forwarding 'env' to server u'https://f19-1.ipa.example.org/ipa/xml'
Hostname (f19-3.ipa.example.org) not found in DNS
DNS server record set to: f19-3.ipa.example.org -> 192.168.122.193
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://f19-1.ipa.example.org/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Installed OpenSSH server does not support dynamically loading authorized user keys. Public key authentication of IPA users will not be available.
Configured /etc/ssh/sshd_config
Client configuration complete.

[root@f19-3 ~]# rpm -qa|egrep "openss|freeipa"|sort
freeipa-admintools-3.2.0-0.2.beta1.fc19.x86_64
freeipa-client-3.2.0-0.2.beta1.fc19.x86_64
freeipa-python-3.2.0-0.2.beta1.fc19.x86_64
freeipa-server-3.2.0-0.2.beta1.fc19.x86_64
freeipa-server-selinux-3.2.0-0.2.beta1.fc19.x86_64
freeipa-server-trust-ad-3.2.0-0.2.beta1.fc19.x86_64
openssh-6.2p1-3.fc19.x86_64
openssh-clients-6.2p1-3.fc19.x86_64
openssh-server-6.2p1-3.fc19.x86_64
openssl-1.0.1e-4.fc19.x86_64
openssl-libs-1.0.1e-4.fc19.x86_64

/var/log/ipaclient-install.log :

2013-04-18T16:00:29Z INFO Configured /etc/ssh/ssh_config
2013-04-18T16:00:29Z DEBUG Backing up system configuration file '/etc/ssh/sshd_config'
2013-04-18T16:00:29Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2013-04-18T16:00:29Z DEBUG Starting external process
2013-04-18T16:00:29Z DEBUG args=sshd -t -f /dev/null -o AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys
2013-04-18T16:00:29Z DEBUG Process finished, return code=255
2013-04-18T16:00:29Z DEBUG stdout=
2013-04-18T16:00:29Z DEBUG stderr=AuthorizedKeysCommand set without AuthorizedKeysCommandUser
2013-04-18T16:00:29Z DEBUG Starting external process
2013-04-18T16:00:29Z DEBUG args=sshd -t -f /dev/null -o PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u
2013-04-18T16:00:29Z DEBUG Process finished, return code=1
2013-04-18T16:00:29Z DEBUG stdout=
2013-04-18T16:00:29Z DEBUG stderr=command-line: line 0: Bad configuration option: PubKeyAgent
2013-04-18T16:00:29Z WARNING Installed OpenSSH server does not support dynamically loading authorized user keys. Public key authentication of IPA users will not be available.
2013-04-18T16:00:29Z INFO Configured /etc/ssh/sshd_config
2013-04-18T16:00:29Z DEBUG Starting external process
2013-04-18T16:00:29Z DEBUG args=/bin/systemctl is-active sshd.service
2013-04-18T16:00:29Z DEBUG Process finished, return code=0
2013-04-18T16:00:29Z DEBUG stdout=active
2013-04-18T16:00:29Z DEBUG stderr=
2013-04-18T16:00:29Z DEBUG Starting external process
2013-04-18T16:00:29Z DEBUG args=/bin/systemctl restart sshd.service
2013-04-18T16:00:29Z DEBUG Process finished, return code=0
2013-04-18T16:00:29Z DEBUG stdout=
2013-04-18T16:00:29Z DEBUG stderr=
2013-04-18T16:00:29Z DEBUG Starting external process
2013-04-18T16:00:29Z DEBUG args=/bin/systemctl is-active sshd.service
2013-04-18T16:00:29Z DEBUG Process finished, return code=0
2013-04-18T16:00:29Z DEBUG stdout=active

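The log in the report shows why the installer concluded there was no support: its AuthorizedKeysCommand probe was rejected for lacking AuthorizedKeysCommandUser, and the PubKeyAgent fallback is not a recognised option. The following is an added example, not FreeIPA's own code, of a probe order that tries the paired options first; the "nobody" account and the openssh62_sim stand-in (which replays the return codes and stderr from the log) are assumptions of the example.

```python
import subprocess

HELPER = "/usr/bin/sss_ssh_authorizedkeys"  # helper path from the log above

# Probes the installer ran according to the log (both rejected by OpenSSH 6.2).
LOGGED_PROBES = [
    {"AuthorizedKeysCommand": HELPER},
    {"PubKeyAgent": HELPER + " %u"},
]
# Added probe: pair the command with a run-as user. "nobody" is an assumption
# made for this example; any unprivileged account fits.
FIXED_PROBES = [
    {"AuthorizedKeysCommand": HELPER, "AuthorizedKeysCommandUser": "nobody"},
] + LOGGED_PROBES


def run_sshd_test(options):
    """Syntax-check the options with `sshd -t` against an empty config file."""
    args = ["sshd", "-t", "-f", "/dev/null"]
    for key, value in options.items():
        args += ["-o", "%s=%s" % (key, value)]
    try:
        proc = subprocess.run(args, capture_output=True, text=True)
    except OSError as exc:  # sshd not installed or not executable
        return 127, str(exc)
    return proc.returncode, proc.stderr.strip()


def openssh62_sim(options):
    """Constructed stand-in for sshd 6.2, replaying results seen in the log."""
    if "PubKeyAgent" in options:
        return 1, "command-line: line 0: Bad configuration option: PubKeyAgent"
    if "AuthorizedKeysCommandUser" not in options:
        return 255, "AuthorizedKeysCommand set without AuthorizedKeysCommandUser"
    return 0, ""  # assumption: the paired form passes the syntax check


def pick_key_options(probes, runner=run_sshd_test):
    """Try probes in order; return (accepted options or None, [(rc, stderr)])."""
    results = []
    for options in probes:
        rc, stderr = runner(options)
        results.append((rc, stderr))
        if rc == 0:
            return options, results
    return None, results


if __name__ == "__main__":
    print(pick_key_options(LOGGED_PROBES, openssh62_sim))  # warning case
    print(pick_key_options(FIXED_PROBES, openssh62_sim))   # first probe accepted
```

On a real host, call pick_key_options(FIXED_PROBES) as root so that sshd -t can read the host keys; a None result with the stderr list shows which option the installed sshd refused.
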
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3571
Related Bugzilla fixing the broken behavior in Fedora 18: Bug 953534.
Fixed upstream.
master: ddd8988f1cd2c5ecafb476a6efca15e906cb84df
ipa-3-1: 47f701cde394e74442410307623ce25314319047
*** Bug 959493 has been marked as a duplicate of this bug. ***
freeipa-3.2.0-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/freeipa-3.2.0-1.fc19
[root@f19-3 repo]# ipa-client-install --domain=ipa.example.org --server=f19-1.ipa.example.org -p admin -w Secret123 -U
WARNING: ntpd time&date synchronization service will not be configured as conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Hostname: f19-3.ipa.example.org
Realm: IPA.EXAMPLE.ORG
DNS Domain: ipa.example.org
IPA Server: f19-1.ipa.example.org
BaseDN: dc=ipa,dc=example,dc=org

Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=IPA.EXAMPLE.ORG
    Issuer: CN=Certificate Authority,O=IPA.EXAMPLE.ORG
    Valid From: Sat May 11 00:02:23 2013 UTC
    Valid Until: Wed May 11 00:02:23 2033 UTC

Enrolled in IPA realm IPA.EXAMPLE.ORG
Created /etc/ipa/default.conf
Unable to parse existing SSSD config. As option --preserve-sssd was not specified, new config will override the old one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.EXAMPLE.ORG
trying https://f19-1.ipa.example.org/ipa/xml
Forwarding 'env' to server u'https://f19-1.ipa.example.org/ipa/xml'
Hostname (f19-3.ipa.example.org) not found in DNS
DNS server record set to: f19-3.ipa.example.org -> 192.168.122.193
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://f19-1.ipa.example.org/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

Also, I see in the log that it looks like it's successfully doing the host_mod to add the keys.
Package freeipa-3.2.0-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.2.0-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7911/freeipa-3.2.0-1.fc19
then log in and leave karma (feedback).
freeipa-3.2.0-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.