SSH: Support ssh's KnownHostsCommand

This option is supported by delivering the tool sss_ssh_knownhosts
which is a symbolic link to existing sss_ssh_authorized_key.
This last tool was modified to change its behavior based on its name.
It keeps its original behavior with the original name and diplays the
host keys when invoked with the new name. In this case, it will also
add the host name right before the key as required by the knownhosts
file format.

The new man page was added and sss_ssh_knownhostsproxy's man page
displays a message stating that it is deprecated and suggest using
the new tool.

Resolves: SSSD#5518

:relnote: sss_ssh_knownhostsproxy is deprecated. Consider using
sss_ssh_knownhosts instead.

:feature: The new tool sss_ssh_knownhosts can be used with ssh's
KnownHostsCommand configuration option to retrieve the host's keys
from a remote server (FreeIPA, LDAP, etc.). This new tool replaces
sss_ssh_knownhostsproxy.

Makefile.am

@@ -5518,6 +5518,10 @@ if BUILD_PYTHON3_BINDINGS
 		mv -f _py3hbac.so pyhbac.so ; \
 		mv -f _py3sss_murmur.so pysss_murmur.so ; \
 		mv -f _py3sss_nss_idmap.so pysss_nss_idmap.so
+endif
+if BUILD_SSH
+	cd $(DESTDIR)$(bindir) && \
+		$(LN_S) sss_ssh_authorizedkeys sss_ssh_knownhosts
 endif
 	for doc in $(SSSD_DOCS); do \
 		$(MKDIR_P) $$doc $(DESTDIR)/$(docdir); \

configure.ac

@@ -7,6 +7,8 @@ AC_INIT([sssd],
 AC_CONFIG_SRCDIR([BUILD.txt])
 AC_CONFIG_AUX_DIR([build])
 
+AC_PROG_LN_S
+
 m4_ifdef([AC_USE_SYSTEM_EXTENSIONS],
     [AC_USE_SYSTEM_EXTENSIONS],
     [AC_GNU_SOURCE])

contrib/sssd.spec.in

@@ -778,6 +778,7 @@ install -D -p -m 0644 contrib/sssd.sysusers %{buildroot}%{_sysusersdir}/sssd.con
 
 %{ldb_modulesdir}/memberof.so
 %{_bindir}/sss_ssh_authorizedkeys
+%{_bindir}/sss_ssh_knownhosts
 %{_bindir}/sss_ssh_knownhostsproxy
 %{_sbindir}/sss_cache
 %{_libexecdir}/%{servicename}/sss_signal
@@ -811,6 +812,7 @@ install -D -p -m 0644 contrib/sssd.sysusers %{buildroot}%{_sysusersdir}/sssd.con
 
 %{_datadir}/sssd/cfg_rules.ini
 %{_mandir}/man1/sss_ssh_authorizedkeys.1*
+%{_mandir}/man1/sss_ssh_knownhosts.1*
 %{_mandir}/man1/sss_ssh_knownhostsproxy.1*
 %{_mandir}/man5/sssd.conf.5*
 %{_mandir}/man5/sssd-simple.5*

src/man/Makefile.am

@@ -95,7 +95,8 @@ man_MANS += sssd-ipa.5 sssd-ad.5
 endif
 
 if BUILD_SSH
-man_MANS += sss_ssh_authorizedkeys.1 sss_ssh_knownhostsproxy.1
+man_MANS += sss_ssh_authorizedkeys.1 sss_ssh_knownhostsproxy.1 \
+            sss_ssh_knownhosts.1
 endif
 
 if BUILD_SUDO

src/man/include/seealso.xml

@@ -58,11 +58,11 @@
             <phrase condition="with_ssh">
                 <citerefentry>
                     <refentrytitle>sss_ssh_authorizedkeys</refentrytitle>
-                    <manvolnum>8</manvolnum>
+                    <manvolnum>1</manvolnum>
                 </citerefentry>,
                 <citerefentry>
-                    <refentrytitle>sss_ssh_knownhostsproxy</refentrytitle>
-                    <manvolnum>8</manvolnum>
+                    <refentrytitle>sss_ssh_knownhosts</refentrytitle>
+                    <manvolnum>1</manvolnum>
                 </citerefentry>,
             </phrase>
             <phrase condition="with_ifp">

src/man/sss_ssh_knownhosts.1.xml

@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+    <refmeta>
+        <refentrytitle>sss_ssh_knownhosts</refentrytitle>
+        <manvolnum>1</manvolnum>
+    </refmeta>
+
+    <refnamediv id='name'>
+        <refname>sss_ssh_knownhosts</refname>
+        <refpurpose>get OpenSSH known hosts</refpurpose>
+    </refnamediv>
+
+    <refsynopsisdiv id='synopsis'>
+        <cmdsynopsis>
+            <command>sss_ssh_knownhosts</command>
+            <arg choice='opt'>
+                <replaceable>options</replaceable>
+            </arg>
+            <arg choice='plain'><replaceable>HOST</replaceable></arg>
+        </cmdsynopsis>
+    </refsynopsisdiv>
+
+    <refsect1 id='description'>
+        <title>DESCRIPTION</title>
+        <para>
+            <command>sss_ssh_knownhosts</command> acquires SSH
+            public keys for host <replaceable>HOST</replaceable> and
+            outputs them in OpenSSH know-hosts key format (see the
+            <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section of
+            <citerefentry><refentrytitle>sshd</refentrytitle>
+            <manvolnum>8</manvolnum></citerefentry> for more
+            information).
+        </para>
+        <para>
+            <citerefentry><refentrytitle>ssh</refentrytitle>
+            <manvolnum>1</manvolnum></citerefentry> can be configured
+            to use <command>sss_ssh_knownhosts</command> for public
+            key host authentication using the <quote>KnownHostsCommand</quote>
+            option:
+            <programlisting>
+              KnownHostsCommand /usr/bin/sss_ssh_knownhosts %H
+            </programlisting>
+            Please refer to the <citerefentry>
+            <refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum>
+            </citerefentry> man page for more details about this option.
+        </para>
+    </refsect1>
+
+    <refsect1 id='options'>
+        <title>OPTIONS</title>
+        <variablelist remap='IP'>
+            <varlistentry>
+                <term>
+                    <option>-d</option>,<option>--domain</option>
+                    <replaceable>DOMAIN</replaceable>
+                </term>
+                <listitem>
+                    <para>
+                        Search for host public keys in SSSD domain
+                        <replaceable>DOMAIN</replaceable>.
+                    </para>
+                </listitem>
+            </varlistentry>
+            <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+        </variablelist>
+    </refsect1>
+
+    <refsect1 id='exit_status'>
+        <title>EXIT STATUS</title>
+        <para>
+            In case of successful execution, even if no key was found, 0 is
+            returned. 1 is returned in case of error.
+        </para>
+    </refsect1>
+
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
+
+</refentry>
+</reference>

src/man/sss_ssh_knownhostsproxy.1.xml

@@ -27,6 +27,14 @@
         </cmdsynopsis>
     </refsynopsisdiv>
 
+    <refsect1 id='lifecycle'>
+        <title>LIFE-CYCLE</title>
+        <para>
+            This tool is deprecated and will soon be removed. Consider
+            using <command>sss_ssh_knownhosts</command> instead.
+        </para>
+    </refsect1>
+
     <refsect1 id='description'>
         <title>DESCRIPTION</title>
         <para>