Author: jsuchome Date: Wed Apr 9 16:04:56 2008 New Revision: 46291 URL: http://svn.opensuse.org/viewcvs/yast?rev=46291&view=rev Log: - enable single sign-on for SSH (fate #303415) Modified: trunk/samba-client/src/Samba.ycp trunk/samba-client/src/dialogs.ycp trunk/samba-client/yast2-samba-client.spec.in Modified: trunk/samba-client/src/Samba.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/samba-client/src/Samba.ycp?rev=46... ============================================================================== --- trunk/samba-client/src/Samba.ycp (original) +++ trunk/samba-client/src/Samba.ycp Wed Apr 9 16:04:56 2008 @@ -98,6 +98,21 @@ // if changing hostname by DHCP should be disabled (#169260) global boolean disable_dhcp_hostname = false; +// support for SSH single-sign-on (fate #303415) +global boolean ssh_support = false; + +// initial status of single-sign-on suport in ssh_config +boolean ssh_was_enabled = false; + +// initial status of single-sign-on suport in sshd_config +boolean sshd_was_enabled = false; + +// if it ssh support was modified +boolean ssh_modified = false; + +// section in /etc/ssh/ssh_config file for storing single-sign-on settings +string ssh_section = "*"; + // packages to install for specific arhitectures (#224418) global map arch_packages = $[ "krb5" : $[ @@ -145,7 +160,7 @@ */ global boolean GetModified() { y2debug("modified=%1",modified); - return modified || mkhomedir_modified || shares_modified || SambaConfig::GetModified(); + return modified || mkhomedir_modified || shares_modified || SambaConfig::GetModified() || ssh_modified; }; /** 
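Review bot: The default `ssh_section = "*"` in the first Samba.ycp hunk means that, when ReadSSHSupport finds no section already holding both GSSAPI keys, WriteSSHSupport sets `GSSAPIDelegateCredentials yes` under the catch-all section, so the user's Kerberos credentials are forwarded to every SSH server the client connects to, not only to hosts in the joined domain. I would document that scope at the declaration, for example `// "*" applies to all destination hosts; credentials are delegated to every server unless narrowed`, and consider a narrower host pattern as the default. The comments above it also have typos: `suport` should be `support`, and `// if it ssh support was modified` reads better as `// if ssh support was modified`.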
@@ -286,6 +301,96 @@ } /** + * Read the current status of ssh single-sign-on support (fate #303415) + */ +global define boolean ReadSSHSupport () { + + boolean ssh = nil; + boolean sshd = false; + + if (FileUtils::Exists ("/etc/ssh/ssh_config") && + FileUtils::Exists ("/etc/ssh/sshd_config")) + { + string hostname = "*"; + map out = (map)SCR::Execute(.target.bash_output,"LANG=C /bin/hostname"); + if (out["stderr"]:nil == "") + hostname = deletechars(out["stdout"]:"", "\n"); + foreach (string sec, SCR::Dir (.etc.ssh.ssh_config.s), { + if (ssh != nil) return; + list cont = SCR::Dir (add(.etc.ssh.ssh_config.v, sec)); + y2debug ("section %1 contains: %2", sec, cont); + + if ((sec == "*" || sec == hostname) && + (contains (cont, "GSSAPIAuthentication") && + contains (cont, "GSSAPIDelegateCredentials"))) + { + ssh = + (SCR::Read (add (add (.etc.ssh.ssh_config.v, sec), + "GSSAPIAuthentication")) == "yes") && + (SCR::Read (add (add (.etc.ssh.ssh_config.v, sec), + "GSSAPIDelegateCredentials")) == "yes"); + ssh_section = sec; + } + }); + sshd = true; + foreach (string key, ["GSSAPIAuthentication","GSSAPICleanupCredentials", + "ChallengeResponseAuthentication", "UsePAM" ], { + sshd = sshd && contains ( + (list)SCR::Read (add (.etc.ssh.sshd_config, key)), "yes"); + }); + } + ssh_was_enabled = (ssh == true); + sshd_was_enabled = sshd; + ssh_support = ssh_was_enabled && sshd_was_enabled; + return ssh_support; +} + +/** + * Get the current status of ssh single-sign-on support + */ +global define boolean GetSSHSupport () { + return ssh_support; +} + +/** + * Set the new value for sh single-sign-on support + */ +global define boolean SetSSHSupport (boolean enable) { + ssh_support = enable; + ssh_modified = (enable != (ssh_was_enabled && sshd_was_enabled)); + return enable; +} + +/** + * Write the new value for sh single-sign-on support (fate #303415) + */ +global define boolean WriteSSHSupport (boolean enable) { + + string write = enable ? 
"yes": "no"; + + // do not write "no" everywhere, there might be some user setting... + if (enable || ssh_was_enabled) + { + SCR::Write (add (add (.etc.ssh.ssh_config.v, ssh_section), + "GSSAPIAuthentication"), write); + SCR::Write (add (add (.etc.ssh.ssh_config.v, ssh_section), + "GSSAPIDelegateCredentials"), write); + SCR::Write (.etc.ssh.ssh_config, nil); + y2milestone ("/etc/ssh/ssh_config modified"); + } + if (enable || sshd_was_enabled) + { + foreach (string key, ["GSSAPIAuthentication","GSSAPICleanupCredentials", + "ChallengeResponseAuthentication", "UsePAM" ], { + SCR::Write (add (.etc.ssh.sshd_config, key), [write]); + }); + SCR::Write (.etc.ssh.sshd_config, nil); + y2milestone ("/etc/ssh/sshd_config modified"); + } + return enable; +} + +/** * Start/Stop and FAM service according to current settings * @param write_only do not start/stop services * @return success @@ -439,6 +544,8 @@ ReadSharesSetting (); + ReadSSHSupport (); + Autologin::Read(); // read network settings @@ -539,7 +646,8 @@ SambaNetJoin::Join (SambaConfig::GlobalGetStr("workgroup",""), "member", password_data["user"]:password_data["username"]:"", - password_data["password"]:password_data["passwd"]:"" + password_data["password"]:password_data["passwd"]:"", + password_data["machine"]:nil ); } } @@ -608,6 +716,8 @@ WriteShares (); AdjustSharesServices (write_only); + WriteSSHSupport (ssh_support); + // finished Progress::NextStage(); modified = false; Modified: trunk/samba-client/src/dialogs.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/samba-client/src/dialogs.ycp?rev=... ============================================================================== --- trunk/samba-client/src/dialogs.ycp (original) +++ trunk/samba-client/src/dialogs.ycp Wed Apr 9 16:04:56 2008 
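Review bot: In WriteSSHSupport, disabling the option writes `no` to all four sshd_config keys, including `UsePAM` and `ChallengeResponseAuthentication`, which are not specific to GSSAPI. Turning single sign-on off therefore also takes sshd out of PAM account and session handling, and turning it on forces `ChallengeResponseAuthentication yes`, which re-enables keyboard-interactive logins on hosts an admin may have restricted to keys. I would limit the disable path to the GSSAPI keys, e.g. `foreach (string key, enable ? all_keys : ["GSSAPIAuthentication","GSSAPICleanupCredentials"], {` with `all_keys` holding the current four-element list, and state this next to the existing "do not write no everywhere" comment. The `SCR::Write` return values are also ignored, so the function logs "modified" and returns `enable` even if a write failed.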
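Review bot: The call `WriteSSHSupport (ssh_support);` added in the `@@ -608,6 +716,8 @@` hunk runs on every write, not only when `ssh_modified` is set. ReadSSHSupport leaves `ssh_support` false when only sshd_config had the four keys at `yes`, so finishing the module without touching the checkbox still satisfies `enable || sshd_was_enabled` and rewrites those keys, `UsePAM` included, to `no`. Guarding the call as `if (ssh_modified) WriteSSHSupport (ssh_support);` would leave untouched systems unchanged, provided no import path sets `ssh_support` directly, which this diff does not show. As far as the hunk shows, `ssh_modified` is also not reset alongside `modified = false;`. The enclosing function starts and ends outside the hunk.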
@@ -166,7 +166,7 @@ // winbind enabled on start boolean was_winbind = Samba::GetWinbind(); - term winbind_term = Stage::cont() ? `Empty () : `VBox( + term winbind_term = Stage::cont() ? `Empty () : `VBox ( `VSpacing (0.5), `Left(`CheckBox(`id(`winbind), `opt (`notify), // translators: checkbox label to enable winbind @@ -214,10 +214,12 @@ `VBox ( `HBox( `HSpacing (0.2), - `TextEntry(`id(`workgroup), (Stage::cont() ? + `InputField (`id(`workgroup), `opt (`hstretch), + (Stage::cont() ? _("&Domain") : // translators: text entry label - _("&Domain or Workgroup")), Samba::GetWorkgroupOrRealm()) + _("&Domain or Workgroup")), Samba::GetWorkgroupOrRealm() + ) ), status_term, winbind_term, @@ -230,6 +232,11 @@ `CheckBox(`id(`caching),_("Off&line Authentication"), Samba::GetWinbindCaching ()) ), + `Left ( + // checkbox label + `CheckBox (`id(`ssh),_("&Single Sign-On for SSH"), + Samba::GetSSHSupport ()) + ), `VSpacing (0.2) ) ) @@ -255,7 +262,7 @@ HELPS["MembershipDialog_NTP"]:""), Label::BackButton(), Stage::cont() ? Label::NextButton() : Label::FinishButton() ); - foreach (symbol t, [`mkhomedir, `caching], { + foreach (symbol t, [`mkhomedir, `caching, `ssh], { UI::ChangeWidget (`id(t), `Enabled, Samba::GetWinbind() || Stage::cont()); }); foreach (symbol t, [`group, `max_shares, `guest_ch], { @@ -282,6 +289,7 @@ else if (ret == `winbind) { UI::ChangeWidget (`id(`mkhomedir), `Enabled, use_winbind); UI::ChangeWidget (`id(`caching), `Enabled, use_winbind); + UI::ChangeWidget (`id(`ssh), `Enabled, use_winbind); } else if (ret == `share_ch) { foreach (symbol t, [`group, `max_shares, `guest_ch], { 
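Review bot: The `Single Sign-On for SSH` checkbox added in the `@@ -230,6 +232,11 @@` hunk gets a label but no help text in this diff, although toggling it changes `UsePAM`, `ChallengeResponseAuthentication` and the GSSAPI options in the system-wide sshd_config and ssh_config. If the dialog help (the `HELPS[...]` entries used further down, defined outside this diff) is not extended elsewhere, I would add a paragraph there naming the files and options that are modified. The `// checkbox label` comment could also follow the neighbouring `// translators: ...` convention.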
@@ -417,6 +425,8 @@ (boolean)UI::QueryWidget(`id(`mkhomedir), `Value)); Samba::SetWinbindCaching (use_winbind && (boolean)UI::QueryWidget(`id(`caching), `Value)); + Samba::SetSSHSupport (use_winbind && + (boolean)UI::QueryWidget (`id(`ssh), `Value)); boolean new_share = (boolean)UI::QueryWidget(`id(`share_ch),`Value); if (new_share && ! allow_share && SharesExist (Samba::shares_dir)) Modified: trunk/samba-client/yast2-samba-client.spec.in URL: http://svn.opensuse.org/viewcvs/yast/trunk/samba-client/yast2-samba-client.s... ============================================================================== --- trunk/samba-client/yast2-samba-client.spec.in (original) +++ trunk/samba-client/yast2-samba-client.spec.in Wed Apr 9 16:04:56 2008 @@ -2,10 +2,13 @@ @HEADER@ BuildRequires: yast2-pam yast2-devtools yast2-perl-bindings perl-XML-Writer yast2-testsuite update-desktop-files -Requires: yast2 yast2-kerberos-client +Requires: yast2-kerberos-client # new Pam.ycp API -Requires: yast2 yast2-pam >= 2.14.0 +Requires: yast2-pam >= 2.14.0 + +# .etc.ssh.sshd_config +Requires: yast2 >= 2.16.41 BuildArchitectures: noarch -- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org For additional commands, e-mail: yast-commit+help@opensuse.org