diff --git a/Makefile.am b/Makefile.am
index f2a6b836787..5cf131b07a9 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1627,12 +1627,15 @@ if BUILD_SSH
sssd_ssh_SOURCES = \
src/responder/ssh/sshsrv.c \
src/responder/ssh/ssh_cmd.c \
- src/responder/ssh/ssh_known_hosts.c \
src/responder/ssh/ssh_protocol.c \
src/responder/ssh/ssh_reply.c \
src/responder/ssh/ssh_cert_to_ssh_key.c \
$(SSSD_RESPONDER_OBJ) \
$(NULL)
+if BUILD_SSH_KNOWN_HOSTS_PROXY
+sssd_ssh_SOURCES += \
+ src/responder/ssh/ssh_known_hosts.c
+endif
sssd_ssh_LDADD = \
$(LIBADD_DL) \
$(SSSD_LIBS) \
@@ -2691,11 +2694,14 @@ ssh_srv_tests_SOURCES = \
$(TEST_MOCK_RESP_OBJ) \
src/tests/cmocka/test_ssh_srv.c \
src/responder/ssh/ssh_cmd.c \
- src/responder/ssh/ssh_known_hosts.c \
src/responder/ssh/ssh_protocol.c \
src/responder/ssh/ssh_reply.c \
src/responder/ssh/ssh_cert_to_ssh_key.c \
$(NULL)
+if BUILD_SSH_KNOWN_HOSTS_PROXY
+ssh_srv_tests_SOURCES += \
+ src/responder/ssh/ssh_known_hosts.c
+endif
ssh_srv_tests_CFLAGS = \
-U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
-I$(abs_builddir)/src \
diff --git a/configure.ac b/configure.ac
index 36302fbfb35..f3469744735 100644
--- a/configure.ac
+++ b/configure.ac
@@ -186,6 +186,7 @@ WITH_SUBID
WITH_SUBID_LIB_PATH
WITH_PASSKEY
WITH_SSH
+WITH_SSH_KNOWN_HOSTS_PROXY
WITH_IFP
WITH_LIBSIFP
WITH_SYSLOG
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 791473d342b..22817bd308f 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -43,6 +43,12 @@
%global build_passkey 0
%endif
+%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
+%global build_ssh_known_hosts_proxy 0
+%else
+%global build_ssh_known_hosts_proxy 1
+%endif
+
# we don't want to provide private python extension libs
%define __provides_exclude_from %{python3_sitearch}/.*\.so$
@@ -576,6 +582,10 @@ autoreconf -ivf
%if %{build_passkey}
--with-passkey \
%endif
+%if %{build_ssh_known_hosts_proxy}
+ --with-ssh-known-hosts-proxy \
+%endif
+
%{nil}
%make_build all docs runstatedir=%{_rundir}
@@ -811,7 +821,9 @@ install -D -p -m 0644 contrib/sssd.sysusers %{buildroot}%{_sysusersdir}/sssd.con
%{_datadir}/sssd/cfg_rules.ini
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
%{_mandir}/man1/sss_ssh_knownhosts.1*
+%if %{build_ssh_known_hosts_proxy}
%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
+%endif
%{_mandir}/man5/sssd.conf.5*
%{_mandir}/man5/sssd-simple.5*
%{_mandir}/man5/sssd-sudo.5*
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index e37dcd3fee3..0b3daf73b40 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -707,6 +707,22 @@ AC_DEFUN([WITH_SSH],
AM_CONDITIONAL([BUILD_SSH], [test x"$with_ssh" = xyes])
])
+AC_DEFUN([WITH_SSH_KNOWN_HOSTS_PROXY],
+ [ AC_ARG_WITH([ssh-known-hosts-proxy],
+ [AC_HELP_STRING([--with-ssh-known-hosts-proxy],
+ [Whether to build the sss_ssh_knownhostsproxy tool [no]]
+ )
+ ],
+ [with_ssh_know_hosts_proxy=$withval],
+ with_ssh_know_hosts_proxy=no
+ )
+
+ if test x"$with_ssh" = xyes -a x"$with_ssh_know_hosts_proxy" = xyes; then
+ AC_DEFINE(BUILD_SSH_KNOWN_HOSTS_PROXY, 1, [whether to build the sss_ssh_knownhostsproxy tool])
+ fi
+ AM_CONDITIONAL([BUILD_SSH_KNOWN_HOSTS_PROXY], [test x"$with_ssh" = xyes -a x"$with_ssh_know_hosts_proxy" = xyes])
+ ])
+
AC_DEFUN([WITH_IFP],
[ AC_ARG_WITH([infopipe],
[AC_HELP_STRING([--with-infopipe],
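Review bot: The shell variable is spelled `with_ssh_know_hosts_proxy` (missing the `n`) on the action-if-given line, the default, and both `test` expressions, whereas AC_ARG_WITH itself populates `with_ssh_known_hosts_proxy`; the macro only works because every use carries the same typo, so rename it to `with_ssh_known_hosts_proxy` throughout. Passing `--with-ssh-known-hosts-proxy` without `--with-ssh` is silently ignored, since both the AC_DEFINE and the AM_CONDITIONAL require `$with_ssh`; an `else` branch with `AC_MSG_WARN([--with-ssh-known-hosts-proxy has no effect without --with-ssh])` would surface a misconfigured build instead of quietly producing the stub. Because the macro reads `$with_ssh`, it also depends on being invoked after WITH_SSH in configure.ac (which the configure.ac hunk does), and that ordering requirement deserves a one-line comment above the AC_DEFUN.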
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 5bf257f592e..6e61aed68f0 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -17,6 +17,9 @@ AUTOFS_CONDS = ;with_autofs
endif
if BUILD_SSH
SSH_CONDS = ;with_ssh
+if BUILD_SSH_KNOWN_HOSTS_PROXY
+SSH_KNOWN_HOSTS_PROXY_CONDS = ;with_ssh_known_hosts_proxy
+endif
endif
if BUILD_PAC_RESPONDER
PAC_RESPONDER_CONDS = ;with_pac_responder
@@ -67,7 +70,7 @@ SSSD_NON_ROOT_USER_CONDS = ;without_non_root_user_support
endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(SSH_KNOWN_HOSTS_PROXY_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS)
#Special Rules:
@@ -95,8 +98,11 @@ man_MANS += sssd-ipa.5 sssd-ad.5
endif
if BUILD_SSH
-man_MANS += sss_ssh_authorizedkeys.1 sss_ssh_knownhostsproxy.1 \
+man_MANS += sss_ssh_authorizedkeys.1 \
sss_ssh_knownhosts.1
+if BUILD_SSH_KNOWN_HOSTS_PROXY
+man_MANS += sss_ssh_knownhostsproxy.1
+endif
endif
if BUILD_SUDO
diff --git a/src/responder/ssh/ssh_cmd.c b/src/responder/ssh/ssh_cmd.c
index 45ab57be59f..b9e630bb16c 100644
--- a/src/responder/ssh/ssh_cmd.c
+++ b/src/responder/ssh/ssh_cmd.c
@@ -54,6 +54,7 @@ ssh_check_non_sssd_user(const char *username)
}
+#ifdef BUILD_SSH_KNOWN_HOSTS_PROXY
static struct sss_domain_info *
ssh_get_result_domain(struct resp_ctx *rctx,
struct cache_req_result *result,
@@ -65,6 +66,7 @@ ssh_get_result_domain(struct resp_ctx *rctx,
return find_domain_by_name(rctx->domains, name, true);
}
+#endif
static void ssh_cmd_get_user_pubkeys_done(struct tevent_req *subreq);
@@ -358,24 +360,28 @@ static errno_t ssh_cmd_get_host_pubkeys(struct cli_ctx *cli_ctx)
static void ssh_cmd_get_host_pubkeys_done(struct tevent_req *subreq)
{
struct cache_req_result *result = NULL;
- struct sss_domain_info *domain;
struct ssh_cmd_ctx *cmd_ctx;
- struct ssh_ctx *ssh_ctx;
errno_t ret;
+#ifdef BUILD_SSH_KNOWN_HOSTS_PROXY
+ struct sss_domain_info *domain;
+ struct ssh_ctx *ssh_ctx;
+#endif
cmd_ctx = tevent_req_callback_data(subreq, struct ssh_cmd_ctx);
- ssh_ctx = talloc_get_type(cmd_ctx->cli_ctx->rctx->pvt_ctx, struct ssh_ctx);
ret = cache_req_ssh_host_id_by_name_recv(cmd_ctx, subreq, &result);
talloc_zfree(subreq);
+#ifdef BUILD_SSH_KNOWN_HOSTS_PROXY
if (ret == EOK || ret == ENOENT) {
+ ssh_ctx = talloc_get_type(cmd_ctx->cli_ctx->rctx->pvt_ctx, struct ssh_ctx);
domain = ssh_get_result_domain(ssh_ctx->rctx, result, cmd_ctx->domain);
ssh_update_known_hosts_file(ssh_ctx->rctx->domains, domain,
cmd_ctx->name, ssh_ctx->hash_known_hosts,
ssh_ctx->known_hosts_timeout);
}
+#endif
if (ret != EOK) {
ssh_protocol_done(cmd_ctx->cli_ctx, ret);
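Review bot: With BUILD_SSH_KNOWN_HOSTS_PROXY undefined, the `if (ret == EOK || ret == ENOENT)` block that refreshes the pubconf known_hosts file is compiled out, but nothing removes or invalidates an existing `PUBCONF_PATH/known_hosts` on upgraded systems, so an ssh_config that still points `GlobalKnownHostsFile` at it keeps trusting a key list the responder no longer maintains (rotated or withdrawn host keys are neither added nor dropped). If that is accepted, say so at the `#ifdef`, e.g. `/* Without the proxy the pubconf known_hosts file is no longer maintained; clients must use sss_ssh_knownhosts(1) instead. */`. The `#ifdef` only takes effect if config.h is included earlier in ssh_cmd.c, which the hunk does not show — presumably it is, given the explicit `#include "config.h"` this commit adds to sss_ssh_knownhostsproxy.c, but worth confirming since a missing include would silently compile the update out of every build. ssh_cmd_get_host_pubkeys_done continues past the end of the hunk.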
diff --git a/src/responder/ssh/ssh_private.h b/src/responder/ssh/ssh_private.h
index 0e4ed10f1f8..c46a479eaf6 100644
--- a/src/responder/ssh/ssh_private.h
+++ b/src/responder/ssh/ssh_private.h
@@ -24,8 +24,10 @@
#include "responder/common/responder.h"
#include "responder/common/cache_req/cache_req.h"
+#ifdef BUILD_SSH_KNOWN_HOSTS_PROXY
#define SSS_SSH_KNOWN_HOSTS_PATH PUBCONF_PATH"/known_hosts"
#define SSS_SSH_KNOWN_HOSTS_TEMP_TMPL PUBCONF_PATH"/.known_hosts.XXXXXX"
+#endif
struct ssh_ctx {
struct resp_ctx *rctx;
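Review bot: Guarding the two path `#define`s (and the `ssh_update_known_hosts_file` prototype in this file's second hunk) behind `BUILD_SSH_KNOWN_HOSTS_PROXY` is not needed for correctness — an unused macro or prototype compiles fine — and it means any other translation unit that refers to `SSS_SSH_KNOWN_HOSTS_PATH` now fails to build unless it also includes config.h before this header; whether such a user exists is not visible here. Leaving the declarations unconditional and guarding only the definitions keeps the header's interface identical across both configurations. If the guard stays, a comment naming the reason, e.g. `/* only compiled when the legacy sss_ssh_knownhostsproxy is built */`, would save the next reader a search.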
@@ -79,12 +81,14 @@ ssh_protocol_build_reply(struct sss_packet *packet,
struct ldb_message_element **elements,
uint32_t num_keys);
+#ifdef BUILD_SSH_KNOWN_HOSTS_PROXY
errno_t
ssh_update_known_hosts_file(struct sss_domain_info *domains,
struct sss_domain_info *domain,
const char *name,
bool hash_known_hosts,
int known_hosts_timeout);
+#endif
struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
index a8afb768b05..4d1ccbed9d8 100644
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
@@ -18,7 +18,27 @@
along with this program. If not, see .
*/
-#include
+#include
+
+#include "config.h"
+#include "util/util.h"
+
+#ifndef BUILD_SSH_KNOWN_HOSTS_PROXY
+
+int main(void)
+{
+ ERROR("\n"
+ "******************************************************************************\n"
+ "Your system is configured to use the obsolete tool sss_ssh_knownhostsproxy.\n"
+ "Please read the sss_ssh_knownhosts(1) man page to learn about its replacement.\n"
+ "******************************************************************************\n"
+ "\n");
+
+ return EXIT_FAILURE;
+}
+
+#else /* BUILD_SSH_KNOWN_HOSTS_PROXY */
+
#include
#include
#include
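Review bot: The stub `main(void)` carries no comment explaining why a binary is still installed when the feature is compiled out; `/* Keep the binary so an ssh_config that still lists this tool as ProxyCommand fails loudly with a pointer to its replacement instead of "command not found". */` above it would make the intent clear. Exiting with EXIT_FAILURE is the right direction: ssh aborts the connection rather than proceeding without the host-key lookup. The header names on the `#include` lines are not visible here, so I could not confirm that the header providing EXIT_FAILURE is included before the `#ifndef` rather than only in the `#else` branch, which the stub build never sees; likewise `ERROR()` from util/util.h is used with no other setup, so the stub should be checked with a plain run if that macro depends on any initialisation.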
@@ -30,7 +50,6 @@
#include
#include
-#include "util/util.h"
#include "util/crypto/sss_crypto.h"
#include "util/sss_ssh.h"
#include "sss_client/sss_cli.h"
@@ -345,3 +364,4 @@ int main(int argc, const char **argv)
return ret;
}
+#endif /* BUILD_SSH_KNOWN_HOSTS_PROXY */
diff --git a/src/tests/multihost/ad/test_adparameters_ported.py b/src/tests/multihost/ad/test_adparameters_ported.py
index c848cc9c5ba..0c3f3707470 100644
--- a/src/tests/multihost/ad/test_adparameters_ported.py
+++ b/src/tests/multihost/ad/test_adparameters_ported.py
@@ -3317,14 +3317,20 @@ def test_0041_ad_parameters_sss_ssh_knownhostsproxy(
'cp /etc/ssh/ssh_config /etc/ssh/ssh_config.working',
raiseonerr=False
)
- # Configure known hosts proxy
- multihost.client[0].run_command(
- r'echo -e "\tGlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts'
- r'" >> /etc/ssh/ssh_config; echo -e "\tPubkeyAuthentication yes"'
- r' >> /etc/ssh/ssh_config; echo -e "\tProxyCommand /usr/bin/'
- r'sss_ssh_knownhostsproxy -p %p %h" >> /etc/ssh/ssh_config',
- raiseonerr=False
- )
+ # Configure the known hosts tool
+ tool = multihost.client[0].run_command('test -x /usr/bin/sss_ssh_knownhosts',
+ raiseonerr=False)
+ if tool.returncode == 0:
+ cmd = r'echo -e "\tPubkeyAuthentication yes" >> /etc/ssh/ssh_config;' \
+ r'echo -e "\tKnownHostsCommand /usr/bin/sss_ssh_knownhosts %H"' \
+ r' >> /etc/ssh/ssh_config'
+ else:
+ cmd = r'echo -e "\tGlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts"' \
+ r' >> /etc/ssh/ssh_config; echo -e "\tPubkeyAuthentication yes"' \
+ r' >> /etc/ssh/ssh_config; echo -e "\tProxyCommand /usr/bin/' \
+ r'sss_ssh_knownhostsproxy -p %p %h" >> /etc/ssh/ssh_config'
+ multihost.client[0].run_command(cmd, raiseonerr=False)
+
# Clear cache and restart SSSD
client.clear_sssd_cache()
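Review bot: The branch on `tool.returncode == 0` picks the configuration by whether `/usr/bin/sss_ssh_knownhosts` exists, not by whether the proxy was built, so on a build that ships both tools the legacy ProxyCommand path is never exercised even though test_0041 is named after it; if proxy behaviour should still be covered where available, a second check for `/usr/bin/sss_ssh_knownhostsproxy` (or a parametrised test) is needed. Both `run_command` calls pass `raiseonerr=False`, so a failed `echo >> /etc/ssh/ssh_config` only shows up later as an unexplained ssh failure; asserting `returncode == 0` on the configuration command, or dropping `raiseonerr=False` there, would fail at the cause. The enclosing test function starts before this hunk.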