8:50 a.m.
When I have a look at either ipa-client-install or Ansible role 'ipaserver' I come
across the options for OpenSSH:
ipaclient_no_ssh
ipaclient_no_sshd <--- What I'm interested in.
I want to install a IPA server and my question is:
What exactly is being configured, and should I use this option?
9:26 a.m.
New subject: IPA installation and SSHD configuration - What is being configured?
J N via FreeIPA-users wrote:
When I have a look at either ipa-client-install or Ansible role
'ipaserver' I come across the options for OpenSSH:
ipaclient_no_ssh
ipaclient_no_sshd <--- What I'm interested in.
I want to install a IPA server and my question is:
What exactly is being configured, and should I use this option?
By default the client and server installers enable the ssh service in SSSD.
On the client if ssh is enabled it sets PubkeyAuthentication to yes,
enables the SSSD known hosts proxy and sets VerifyHostKeyDNS to yes (if
--no-dns-sshfp is not set).
When sshd configuration is enabled (default) it sets:
PubkeyAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
Depending on release of sshd it will also set AuthorizedKeysCommand or
PubKeyAgent.
rob
5:15 a.m.
New subject: IPA installation and SSHD configuration - What is being configured?
J N via FreeIPA-users wrote:
By default the client and server installers enable the ssh service in SSSD.
On the client if ssh is enabled it sets PubkeyAuthentication to yes,
enables the SSSD known hosts proxy and sets VerifyHostKeyDNS to yes (if
--no-dns-sshfp is not set).
When sshd configuration is enabled (default) it sets:
PubkeyAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
Depending on release of sshd it will also set AuthorizedKeysCommand or
PubKeyAgent.
rob
Thanks.
I'm not going to use FreeIPA as DNS, would you recommend me to set --no-dns-sshfp to
true?
BTW, is this mentioned in some documentation?
362
days inactive
363
days old
freeipa-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
J N -
Rob Crittenden