Red Hat Bugzilla – Bug 973766
The --ssh-trust-dns prevents GlobalKnownHostsFile and ProxyCommand from being configured
Last modified: 2014-06-17 20:09:59 EDT
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/3705 When running {{{ ipa-client-install --ssh-trust-dns }}} it effectively prevents the {{{ GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h }}} from being configured in {{{/etc/ssh/ssh_config}}}. The ipa-client-install man page could be amended to be clear about it, or the behaviour could be changed to always configure both (unless {{{--no-ssh}}} is used).
Will this be a man page change or a configuration update in /etc/ssh/ssh_config ? Please provide steps to verify
There will be a configuration change in /etc/ssh/ssh_config. When ipa-client-install is run with --ssh-trust-dns, then /etc/ssh/ssh_config will contain both standard GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h but also VerifyHostKeyDNS yes
Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/736dd0fcd6d35abbea28481dc544502c132f78f8 ipa-3-2: https://fedorahosted.org/freeipa/changeset/9e5ce4f501ed3706808c484e21ae0e322391b783
Verified. Version :: ipa-client-3.3.3-5.el7.x86_64 Test Results :: [root@ipaqa64vmc install-client-cli]# rlRun "ipa-client-install --domain=$DOMAIN --principal=$ADMINID --server=$MASTER --password=$ADMINPW --unattended --realm=$RELM --force-ntpd --ssh-trust-dns" Hostname: ipaqa64vmc.testrelm.com Realm: TESTRELM.COM DNS Domain: testrelm.com IPA Server: cloud-qe-19.testrelm.com BaseDN: dc=testrelm,dc=com Synchronizing time with KDC... Successfully retrieved CA cert Subject: CN=Certificate Authority,O=TESTRELM.COM Issuer: CN=Certificate Authority,O=TESTRELM.COM Valid From: Tue Dec 17 23:42:14 2013 UTC Valid Until: Sat Dec 17 23:42:14 2033 UTC Enrolled in IPA realm TESTRELM.COM Created /etc/ipa/default.conf New SSSD config will be created Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm TESTRELM.COM Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub SSSD enabled Configured /etc/openldap/ldap.conf NTP enabled Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Client configuration complete. :: [ PASS ] :: Running 'ipa-client-install --domain=testrelm.com --principal=admin --server=cloud-qe-19.testrelm.com --password=Secret123 --unattended --realm=TESTRELM.COM --force-ntpd --ssh-trust-dns' (Expected 0, got 0) [root@ipaqa64vmc install-client-cli]# ipa_bugcheck_bz973766 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: ipa_bugcheck_bz973766: The --ssh-trust-dns prevents GlobalKnownHostsFile and ProxyCommand from being configured :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 2013-12-18T20:46:58Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'testrelm.com', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': 'TESTRELM.COM', 'force_ntpd': True, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'ca_cert_file': None, 'principal': 'admin', 'keytab': None, 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': True, 'dns_updates': False, 'mkhomedir': False, 'conf_ssh': True, 'force_join': False, 'server': ['cloud-qe-19.testrelm.com'], 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False} :: [ PASS ] :: File '/etc/ssh/ssh_config' should contain 'GlobalKnownHostsFile.*sss/pubconf/known_hosts' :: [ PASS ] :: File '/etc/ssh/ssh_config' should contain 'ProxyCommand.*knownhostsproxy' :: [ PASS ] :: BZ 973766 not found
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.