[Pkg-freeipa-devel] Bug#1111396: freeipa-client: /etc/ssh/ssh_config.d/04-ipa.conf create before 4.12 make ssh error
zen wen
zen.8841 at ccns.ncku.edu.tw
Sun Aug 17 16:44:11 BST 2025
Package: freeipa-client
Version: 4.12.4-1
Severity: normal
Tags: patch
Dear Maintainer,
After the system update, the command `sss_ssh_knownhostsproxy` is deprecated
by SSSD.
But the file /etc/ssh/ssh_config.d/04-ipa.conf created by
`ipa-client-install` before 4.12 contains these lines.
/etc/ssh/ssh_config.d/04-ipa.conf created before 4.12:
```
# IPA-related configuration changes to ssh_config
#
PubkeyAuthentication yes
# disabled by ipa-client update
# GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
#VerifyHostKeyDNS yes
# assumes that if a user does not have shell (/sbin/nologin),
# this will return nonzero exit code and proxy command will be ignored
Match exec true
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
```
Therefore, ssh returns an error:
```
******************************************************************************
Your system is configured to use the obsolete tool
sss_ssh_knownhostsproxy.
Please read the sss_ssh_knownhosts(1) man page to learn about its
replacement.
******************************************************************************
Connection closed by UNKNOWN port 65535
```
This file is not contained in freeipa-client; it is created by
`ipa-client-install`.
So it won't change after an update.
Fix:
The freeipa 4.12 release fixed issue 9536: Client configuration of
ssh: Replace sss_ssh_knownhostsproxy with sss_ssh_knownhosts
https://www.freeipa.org/release-notes/4-12-0.html
https://pagure.io/freeipa/issue/9536
The 4.12 release also includes a mechanism to apply the change when
upgrading from older versions and downgrading from newer versions.
But this mechanism is based on the spec file, an RPM package control
file.
It "only" works on RPM-based systems.
Commit a41e5e2a244f8fa2edfd7db1e821d8b0f3bbd997 is the change.
https://pagure.io/freeipa/c/a41e5e2a244f8fa2edfd7db1e821d8b0f3bbd997
But this change wasn't converted to the DEB control file,
debian/freeipa-client.postinst.
https://salsa.debian.org/freeipa-team/freeipa/-/tree/master/debian
No freeipa-client.postinst exists.
I think these lines should be added to
debian/freeipa-client.postinst to fix the problem during the package update.
```
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
    # Has the client been configured?
    restore=0
    test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
    if [ "$restore" -ge 2 ]; then
        SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
        if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
            # https://pagure.io/freeipa/issue/9536
            # replace sss_ssh_knownhostsproxy with sss_ssh_knownhosts
            if [ -f '/usr/bin/sss_ssh_knownhosts' ]; then
                # ssh_config with an Include directive: the IPA settings live in ssh_config.d/04-ipa.conf instead
                if grep -E -q 'Include' "$SSH_CLIENT_SYSTEM_CONF" 2>/dev/null ; then
                    SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config.d/04-ipa.conf"
                fi
                sed -E --in-place=.orig 's/^(GlobalKnownHostsFile \/var\/lib\/sss\/pubconf\/known_hosts)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
                sed -E --in-place=.orig 's/(ProxyCommand \/usr\/bin\/sss_ssh_knownhostsproxy -p \%p \%h)/# replaced by ipa-client update\n KnownHostsCommand \/usr\/bin\/sss_ssh_knownhosts \%H/' "$SSH_CLIENT_SYSTEM_CONF"
            fi
        fi
    fi
fi
```
/etc/ssh/ssh_config.d/04-ipa.conf after the fix:
```
# IPA-related configuration changes to ssh_config
#
PubkeyAuthentication yes
# disabled by ipa-client update
# GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
#VerifyHostKeyDNS yes
# assumes that if a user does not have shell (/sbin/nologin),
# this will return nonzero exit code and proxy command will be ignored
Match exec true
# replaced by ipa-client update
KnownHostsCommand /usr/bin/sss_ssh_knownhosts %H
```
-- System Information:
Debian Release: 13.0
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.14.8-2-pve (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages freeipa-client depends on:
ii bind9-dnsutils 1:9.20.11-4
ii bind9-utils 1:9.20.11-4
ii certmonger 0.79.20-2
ii curl 8.14.1-2
ii freeipa-common 4.12.4-1
ii krb5-user 1.21.3-5
ii libc6 2.41-12
ii libcom-err2 1.47.2-3+b3
ii libcurl4t64 8.14.1-2
ii libini-config5t64 0.6.2-3
ii libjansson4 2.14-2+b3
ii libk5crypto3 1.21.3-5
ii libkrb5-3 1.21.3-5
ii libldap2 2.6.10+dfsg-1
ii libnss-sss 2.10.1-2+b1
ii libnss3-tools 2:3.110-1
ii libpam-sss 2.10.1-2+b1
ii libpopt0 1.19+dfsg-2
ii libsasl2-modules-gssapi-mit 2.1.28+dfsg1-9
ii libssl3t64 3.5.1-1
ii libsss-sudo 2.10.1-2+b1
ii oddjob-mkhomedir 0.34.7-2.1
ii python3 3.13.5-1
ii python3-dnspython 2.7.0-1
ii python3-gssapi 1.9.0-1+b2
ii python3-ipaclient 4.12.4-1
ii python3-ldap 3.4.4-1+b5
ii python3-sss 2.10.1-2+b1
ii sssd 2.10.1-2+b1
Versions of packages freeipa-client recommends:
ii chrony 4.6.1-3
ii sssd-passkey 2.10.1-2+b1
Versions of packages freeipa-client suggests:
pn libnss-myhostname <none>
pn libpam-krb5 <none>
-- no debconf information
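As an added example (not part of the bug report and not the freeipa project's own code), the two substitutions from the proposed postinst wrapped in a small POSIX sh script together with an audit check that tells whether a file still carries the obsolete ProxyCommand, run against a constructed copy of the pre-4.12 file in a temporary directory. It assumes GNU sed (for `--in-place=SUFFIX` and `\n` in the replacement); the function names are mine.

```shell
#!/bin/sh
# Added example, not from the bug report or freeipa: migrate an ipa-client
# ssh_config fragment from the removed sss_ssh_knownhostsproxy ProxyCommand
# to KnownHostsCommand sss_ssh_knownhosts (freeipa issue 9536). Needs GNU sed.

# Exit 0 if FILE still has an active (uncommented) ProxyCommand that calls the
# obsolete helper, 1 otherwise. Use it to audit /etc/ssh/ssh_config and
# /etc/ssh/ssh_config.d/*.conf after an upgrade.
ipa_ssh_needs_migration() {
    grep -E -q '^[[:space:]]*ProxyCommand[[:space:]]+/usr/bin/sss_ssh_knownhostsproxy' "$1"
}

# Same two substitutions the freeipa 4.12 RPM post-install step applies,
# keeping FILE.orig as a backup. Call it only when the check above says so;
# otherwise a repeat run overwrites the .orig backup with migrated content.
ipa_ssh_migrate() {
    sed -E --in-place=.orig \
        -e 's/^(GlobalKnownHostsFile \/var\/lib\/sss\/pubconf\/known_hosts)$/# disabled by ipa-client update\n# \1/' \
        -e 's/^ProxyCommand \/usr\/bin\/sss_ssh_knownhostsproxy -p %p %h$/# replaced by ipa-client update\nKnownHostsCommand \/usr\/bin\/sss_ssh_knownhosts %H/' \
        "$1"
}

# Constructed copy of what ipa-client-install < 4.12 wrote, placed in a
# temporary directory so the example never touches the real /etc/ssh.
demo_dir=$(mktemp -d)
conf="$demo_dir/04-ipa.conf"
cat > "$conf" <<'EOF'
# IPA-related configuration changes to ssh_config
#
PubkeyAuthentication yes
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
#VerifyHostKeyDNS yes
# assumes that if a user does not have shell (/sbin/nologin),
# this will return nonzero exit code and proxy command will be ignored
Match exec true
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
EOF

if ipa_ssh_needs_migration "$conf"; then
    ipa_ssh_migrate "$conf"
fi
# Second pass is a no-op: the check now fails, so sed is not run again.
if ipa_ssh_needs_migration "$conf"; then
    ipa_ssh_migrate "$conf"
fi
cat "$conf"
```

Run it with `sh` on a system whose ssh_config has an `Include` directive; the same check against `/etc/ssh/ssh_config` itself covers hosts enrolled before Debian split the configuration into ssh_config.d.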