Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/3571 This is because the optional AuthorizedKeysCommandRunAs option has been changed to mandatory AuthorizedKeysCommandUSer option. The AuthorizedKeysCommandUser option should be set for both new client installs and on client updates.
Steps to verify in bug 953617
Fixed upstream. master: ddd8988f1cd2c5ecafb476a6efca15e906cb84df ipa-3-1: 47f701cde394e74442410307623ce25314319047
Verified. IPA client version: =================== [root@rhel70-client ~]# rpm -q ipa-client openssh ipa-client-3.3.3-10.el7.x86_64 openssh-6.4p1-4.el7.x86_64 [root@rhel70-client ~]# (1)IPA client install [root@rhel70-client ~]# ipa-client-install -U --domain=testrelm.com --realm=TESTRELM.COM -p admin -w xxxxxxxx --server=rhel70-master.testrelm.com Hostname: rhel70-client.testrelm.com .. .. Configured /etc/krb5.conf for IPA realm TESTRELM.COM Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub ... Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Client configuration complete. [root@rhel70-client ~]# Snippet from /var/log/ipaclient-install.log: ============================================ 2014-01-13T07:35:16Z DEBUG Backing up system configuration file '/etc/ssh/sshd_config' 2014-01-13T07:35:16Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2014-01-13T07:35:16Z DEBUG Starting external process 2014-01-13T07:35:16Z DEBUG args=sshd -t -f /dev/null -o AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys -o AuthorizedKeysCommandUser=nobody 2014-01-13T07:35:16Z DEBUG Process finished, return code=0 2014-01-13T07:35:16Z DEBUG stdout= 2014-01-13T07:35:16Z DEBUG stderr= 2014-01-13T07:35:16Z INFO Configured /etc/ssh/sshd_config
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.