J N via FreeIPA-users wrote:
When I have a look at either ipa-client-install or Ansible role
'ipaserver' I come across the options for OpenSSH:
ipaclient_no_ssh
ipaclient_no_sshd <--- What I'm interested in.
I want to install a IPA server and my question is:
What exactly is being configured, and should I use this option?
By default the client and server installers enable the ssh service in SSSD.
On the client if ssh is enabled it sets PubkeyAuthentication to yes,
enables the SSSD known hosts proxy and sets VerifyHostKeyDNS to yes (if
--no-dns-sshfp is not set).
When sshd configuration is enabled (default) it sets:
PubkeyAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
Depending on release of sshd it will also set AuthorizedKeysCommand or
PubKeyAgent.
rob