Bug 953617 - freeipa-client 3.2 install openssh does not support dynamically loading authorized user keys
freeipa-client 3.2 install openssh does not support dynamically loading autho...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: freeipa (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Rob Crittenden
Fedora Extras Quality Assurance
:
: 959493 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-04-18 12:34 EDT by Scott Poore
Modified: 2013-05-24 16:41 EDT (History)
5 users (show)

See Also:
Fixed In Version: freeipa-3.2.0-2.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-05-24 16:41:32 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Scott Poore 2013-04-18 12:34:18 EDT
Description of problem:

FreeIPA version in F19 shows the following error during ipa-client-install:

Installed OpenSSH server does not support dynamically loading authorized user keys. Public key authentication of IPA users will not be available.

This is due to changes in OpenSSH 6.2 as described here:

https://fedorahosted.org/freeipa/ticket/3571

Version-Release number of selected component (if applicable):
freeipa-client-3.2.0-0.2.beta1.fc19.x86_64
openssh-6.2p1-3.fc19.x86_64

How reproducible:
always

Steps to Reproduce:
1.  Setup F19 FreeIPA server
2.  ipa-client-install # on client
3.
  
Actual results:

client installs but shows error message above about not supporting ssh user keys.

Expected results:

no errors and ssh user keys supported.

Additional info:

    [root@f19-3 ~]# ipa-client-install --domain=ipa.example.org --server=f19-1.ipa.example.org -p admin -w Secret123 -U
    WARNING: ntpd time&date synchronization service will not be configured as
    conflicting service (chronyd) is enabled
    Use --force-ntpd option to disable it and force configuration of ntpd
     
    Hostname: f19-3.ipa.example.org
    Realm: IPA.EXAMPLE.ORG
    DNS Domain: ipa.example.org
    IPA Server: f19-1.ipa.example.org
    BaseDN: dc=ipa,dc=example,dc=org
     
    Synchronizing time with KDC...
    Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=IPA.EXAMPLE.ORG
    Issuer: CN=Certificate Authority,O=IPA.EXAMPLE.ORG
    Valid From: Thu Apr 18 15:38:54 2013 UTC
    Valid Until: Mon Apr 18 15:38:54 2033 UTC
     
    Enrolled in IPA realm IPA.EXAMPLE.ORG
    Created /etc/ipa/default.conf
    New SSSD config will be created
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm IPA.EXAMPLE.ORG
    trying https://f19-1.ipa.example.org/ipa/xml
    Forwarding 'env' to server u'https://f19-1.ipa.example.org/ipa/xml'
    Hostname (f19-3.ipa.example.org) not found in DNS
    DNS server record set to: f19-3.ipa.example.org -> 192.168.122.193
    Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
    Forwarding 'host_mod' to server u'https://f19-1.ipa.example.org/ipa/xml'
    SSSD enabled
    Configured /etc/openldap/ldap.conf
    Configured /etc/ssh/ssh_config
    Installed OpenSSH server does not support dynamically loading authorized user keys. Public key authentication of IPA users will not be available.
    Configured /etc/ssh/sshd_config
    Client configuration complete.
     
     
    [root@f19-3 ~]# rpm -qa|egrep "openss|freeipa"|sort
    freeipa-admintools-3.2.0-0.2.beta1.fc19.x86_64
    freeipa-client-3.2.0-0.2.beta1.fc19.x86_64
    freeipa-python-3.2.0-0.2.beta1.fc19.x86_64
    freeipa-server-3.2.0-0.2.beta1.fc19.x86_64
    freeipa-server-selinux-3.2.0-0.2.beta1.fc19.x86_64
    freeipa-server-trust-ad-3.2.0-0.2.beta1.fc19.x86_64
    openssh-6.2p1-3.fc19.x86_64
    openssh-clients-6.2p1-3.fc19.x86_64
    openssh-server-6.2p1-3.fc19.x86_64
    openssl-1.0.1e-4.fc19.x86_64
    openssl-libs-1.0.1e-4.fc19.x86_64
     
    /var/log/ipaclient-install.log :
     
    2013-04-18T16:00:29Z INFO Configured /etc/ssh/ssh_config
    2013-04-18T16:00:29Z DEBUG Backing up system configuration file '/etc/ssh/sshd_config'
    2013-04-18T16:00:29Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
    2013-04-18T16:00:29Z DEBUG Starting external process
    2013-04-18T16:00:29Z DEBUG args=sshd -t -f /dev/null -o AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys
    2013-04-18T16:00:29Z DEBUG Process finished, return code=255
    2013-04-18T16:00:29Z DEBUG stdout=
    2013-04-18T16:00:29Z DEBUG stderr=AuthorizedKeysCommand set without AuthorizedKeysCommandUser
     
    2013-04-18T16:00:29Z DEBUG Starting external process
    2013-04-18T16:00:29Z DEBUG args=sshd -t -f /dev/null -o PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u
    2013-04-18T16:00:29Z DEBUG Process finished, return code=1
    2013-04-18T16:00:29Z DEBUG stdout=
    2013-04-18T16:00:29Z DEBUG stderr=command-line: line 0: Bad configuration option: PubKeyAgent
     
    2013-04-18T16:00:29Z WARNING Installed OpenSSH server does not support dynamically loading authorized user keys. Public key authentication of IPA users will not be available.
    2013-04-18T16:00:29Z INFO Configured /etc/ssh/sshd_config
    2013-04-18T16:00:29Z DEBUG Starting external process
    2013-04-18T16:00:29Z DEBUG args=/bin/systemctl is-active sshd.service
    2013-04-18T16:00:29Z DEBUG Process finished, return code=0
    2013-04-18T16:00:29Z DEBUG stdout=active
     
    2013-04-18T16:00:29Z DEBUG stderr=
    2013-04-18T16:00:29Z DEBUG Starting external process
    2013-04-18T16:00:29Z DEBUG args=/bin/systemctl restart sshd.service
    2013-04-18T16:00:29Z DEBUG Process finished, return code=0
    2013-04-18T16:00:29Z DEBUG stdout=
    2013-04-18T16:00:29Z DEBUG stderr=
    2013-04-18T16:00:29Z DEBUG Starting external process
    2013-04-18T16:00:29Z DEBUG args=/bin/systemctl is-active sshd.service
    2013-04-18T16:00:29Z DEBUG Process finished, return code=0
    2013-04-18T16:00:29Z DEBUG stdout=active
Comment 1 Rob Crittenden 2013-04-18 13:28:23 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3571
Comment 2 Martin Kosek 2013-04-22 09:25:50 EDT
Related Bugzilla fixing the broken behavior in Fedora 18: Bug 953534.
Comment 3 Rob Crittenden 2013-04-30 11:11:25 EDT
Fixed upstream.

master: ddd8988f1cd2c5ecafb476a6efca15e906cb84df

ipa-3-1: 47f701cde394e74442410307623ce25314319047
Comment 4 Rob Crittenden 2013-05-03 14:30:55 EDT
*** Bug 959493 has been marked as a duplicate of this bug. ***
Comment 5 Fedora Update System 2013-05-10 13:30:05 EDT
freeipa-3.2.0-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/freeipa-3.2.0-1.fc19
Comment 6 Scott Poore 2013-05-10 20:44:36 EDT
[root@f19-3 repo]# ipa-client-install --domain=ipa.example.org --server=f19-1.ipa.example.org -p admin -w Secret123 -U
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Hostname: f19-3.ipa.example.org
Realm: IPA.EXAMPLE.ORG
DNS Domain: ipa.example.org
IPA Server: f19-1.ipa.example.org
BaseDN: dc=ipa,dc=example,dc=org

Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.EXAMPLE.ORG
    Issuer:      CN=Certificate Authority,O=IPA.EXAMPLE.ORG
    Valid From:  Sat May 11 00:02:23 2013 UTC
    Valid Until: Wed May 11 00:02:23 2033 UTC

Enrolled in IPA realm IPA.EXAMPLE.ORG
Created /etc/ipa/default.conf
Unable to parse existing SSSD config. As option --preserve-sssd was not specified, new config will override the old one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.EXAMPLE.ORG
trying https://f19-1.ipa.example.org/ipa/xml
Forwarding 'env' to server u'https://f19-1.ipa.example.org/ipa/xml'
Hostname (f19-3.ipa.example.org) not found in DNS
DNS server record set to: f19-3.ipa.example.org -> 192.168.122.193
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://f19-1.ipa.example.org/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

Also, I see in the log that it looks like it's successfully doing the host_mod to add the keys
Comment 7 Fedora Update System 2013-05-10 22:38:14 EDT
Package freeipa-3.2.0-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.2.0-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7911/freeipa-3.2.0-1.fc19
then log in and leave karma (feedback).
Comment 8 Fedora Update System 2013-05-24 16:41:32 EDT
freeipa-3.2.0-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.