SSH: Remove sss_ssh_knownhostsproxy and keep the stub

The --with-ssh-known-host-proxy option is removed from ./configure.
The tool sss_ssh_knownhostproxy is removed along with all the code
specific to it and its man page.
The stub displaying an error message is kept, and is the only thing
that is now built.
The RPM's post-install script deletes any remaining
/var/lib/sss/pubconf/known_hosts file.

:relnote: The deprecated tool 'sss_ssh_knownhostsproxy' was finally
          removed, together with the './configure' option
          '--with-ssh-known-host-proxy' used to built it. It is now
          replaced by a stub which displays an error message.
          Instead of this tool, you must now use 'sss_ssh_knownhosts`.
          Please check the sss_ssh_knownhosts(1) man page for detailed
          information.

Reviewed-by: Iker Pedrosa <[email protected]>
Reviewed-by: Tomáš Halman <[email protected]>

Author: aplopez

Makefile.am

@@ -1571,10 +1571,7 @@ sssd_ssh_SOURCES = \
     src/responder/ssh/ssh_cert_to_ssh_key.c \
     $(SSSD_RESPONDER_OBJ) \
     $(NULL)
-if BUILD_SSH_KNOWN_HOSTS_PROXY
-sssd_ssh_SOURCES += \
-    src/responder/ssh/ssh_known_hosts.c
-endif
+
 sssd_ssh_LDADD = \
     $(LIBADD_DL) \
     $(SSSD_LIBS) \
@@ -2604,10 +2601,7 @@ ssh_srv_tests_SOURCES = \
     src/responder/ssh/ssh_reply.c \
     src/responder/ssh/ssh_cert_to_ssh_key.c \
     $(NULL)
-if BUILD_SSH_KNOWN_HOSTS_PROXY
-ssh_srv_tests_SOURCES += \
-    src/responder/ssh/ssh_known_hosts.c
-endif
+
 ssh_srv_tests_CFLAGS = \
     -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
     -I$(abs_builddir)/src \

configure.ac

@@ -186,7 +186,6 @@ WITH_SUBID
 WITH_SUBID_LIB_PATH
 WITH_PASSKEY
 WITH_SSH
-WITH_SSH_KNOWN_HOSTS_PROXY
 WITH_SYSLOG
 WITH_SAMBA
 WITH_NFS

contrib/sssd.spec.in

@@ -37,12 +37,6 @@
 
 %global build_passkey 1
 
-%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
-%global build_ssh_known_hosts_proxy 0
-%else
-%global build_ssh_known_hosts_proxy 1
-%endif
-
 # we don't want to provide private python extension libs
 %define __provides_exclude_from %{python3_sitearch}/.*\.so$
 
@@ -574,9 +568,6 @@ autoreconf -ivf
 %endif
 %if %{build_passkey}
     --with-passkey \
-%endif
-%if %{build_ssh_known_hosts_proxy}
-    --with-ssh-known-hosts-proxy \
 %endif
     %{nil}
 
@@ -818,9 +809,6 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
 %{_datadir}/sssd/cfg_rules.ini
 %{_mandir}/man1/sss_ssh_authorizedkeys.1*
 %{_mandir}/man1/sss_ssh_knownhosts.1*
-%if %{build_ssh_known_hosts_proxy}
-%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
-%endif
 %{_mandir}/man5/sssd.conf.5*
 %{_mandir}/man5/sssd-simple.5*
 %{_mandir}/man5/sssd-sudo.5*
@@ -1062,6 +1050,7 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi
 %__rm -f %{mcpath}/group
 %__rm -f %{mcpath}/initgroups
 %__rm -f %{mcpath}/sid
+%__rm -f %{pubconfpath}/known_hosts
 %__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true
 %__chmod -f -R g+r %{_sysconfdir}/sssd || true
 %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true

src/conf_macros.m4

@@ -709,22 +709,6 @@ AC_DEFUN([WITH_SSH],
     AM_CONDITIONAL([BUILD_SSH], [test x"$with_ssh" = xyes])
   ])
 
-AC_DEFUN([WITH_SSH_KNOWN_HOSTS_PROXY],
-  [ AC_ARG_WITH([ssh-known-hosts-proxy],
-                [AC_HELP_STRING([--with-ssh-known-hosts-proxy],
-                                [Whether to build the sss_ssh_knownhostsproxy tool [no]]
-                               )
-                ],
-                [with_ssh_know_hosts_proxy=$withval],
-                with_ssh_know_hosts_proxy=no
-               )
-
-    if test x"$with_ssh" = xyes -a x"$with_ssh_know_hosts_proxy" = xyes; then
-        AC_DEFINE(BUILD_SSH_KNOWN_HOSTS_PROXY, 1, [whether to build the sss_ssh_knownhostsproxy tool])
-    fi
-    AM_CONDITIONAL([BUILD_SSH_KNOWN_HOSTS_PROXY], [test x"$with_ssh" = xyes -a x"$with_ssh_know_hosts_proxy" = xyes])
-  ])
-
 AC_DEFUN([WITH_SAMBA],
   [ AC_ARG_WITH([samba],
                 [AC_HELP_STRING([--with-samba],

src/confdb/confdb.h

@@ -168,16 +168,6 @@
 
 /* SSH */
 #define CONFDB_SSH_CONF_ENTRY "config/ssh"
-#ifdef BUILD_SSH_KNOWN_HOSTS_PROXY
-/****************************************************************************
- * Don't forget to update src/config/cfg_rules.ini when these options are
- * definitively removed.
- ****************************************************************************/
-#define CONFDB_SSH_HASH_KNOWN_HOSTS "ssh_hash_known_hosts"
-#define CONFDB_DEFAULT_SSH_HASH_KNOWN_HOSTS false
-#define CONFDB_SSH_KNOWN_HOSTS_TIMEOUT "ssh_known_hosts_timeout"
-#define CONFDB_DEFAULT_SSH_KNOWN_HOSTS_TIMEOUT 180
-#endif
 #define CONFDB_SSH_CA_DB "ca_db"
 #define CONFDB_DEFAULT_SSH_CA_DB SYSCONFDIR"/sssd/pki/sssd_auth_ca_db.pem"
 #define CONFDB_SSH_USE_CERT_KEYS "ssh_use_certificate_keys"

src/config/cfg_rules.ini

@@ -202,8 +202,6 @@ option = responder_idle_timeout
 option = cache_first
 
 # ssh service
-option = ssh_hash_known_hosts
-option = ssh_known_hosts_timeout
 option = ca_db
 option = ssh_use_certificate_keys
 option = ssh_use_certificate_matching_rules

src/man/Makefile.am

@@ -17,9 +17,6 @@ AUTOFS_CONDS = ;with_autofs
 endif
 if BUILD_SSH
 SSH_CONDS = ;with_ssh
-if BUILD_SSH_KNOWN_HOSTS_PROXY
-SSH_KNOWN_HOSTS_PROXY_CONDS = ;with_ssh_known_hosts_proxy
-endif
 endif
 if BUILD_PAC_RESPONDER
 PAC_RESPONDER_CONDS = ;with_pac_responder
@@ -68,7 +65,7 @@ LIBNL_CONDS = ;have_libnl
 endif
 
 
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(SSH_KNOWN_HOSTS_PROXY_CONDS)$(PAC_RESPONDER_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS)$(LIBNL_CONDS)$(AD_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS)$(LIBNL_CONDS)$(AD_CONDS)
 
 
 #Special Rules:
@@ -98,9 +95,6 @@ endif
 if BUILD_SSH
 man_MANS += sss_ssh_authorizedkeys.1 \
             sss_ssh_knownhosts.1
-if BUILD_SSH_KNOWN_HOSTS_PROXY
-man_MANS += sss_ssh_knownhostsproxy.1
-endif
 endif
 
 if BUILD_SUDO

src/man/po/po4a.cfg

@@ -21,7 +21,6 @@
 [type:docbook] sss_rpcidmapd.5.xml $lang:$(builddir)/$lang/sss_rpcidmapd.5.xml
 [type:docbook] sss_ssh_authorizedkeys.1.xml $lang:$(builddir)/$lang/sss_ssh_authorizedkeys.1.xml
 [type:docbook] sss_ssh_knownhosts.1.xml $lang:$(builddir)/$lang/sss_ssh_knownhosts.1.xml
-[type:docbook] sss_ssh_knownhostsproxy.1.xml $lang:$(builddir)/$lang/sss_ssh_knownhostsproxy.1.xml
 [type:docbook] idmap_sss.8.xml $lang:$(builddir)/$lang/idmap_sss.8.xml
 [type:docbook] sssctl.8.xml $lang:$(builddir)/$lang/sssctl.8.xml
 [type:docbook] sssd-session-recording.5.xml $lang:$(builddir)/$lang/sssd-session-recording.5.xml

src/man/sss_ssh_knownhostsproxy.1.xml

@@ -2062,30 +2062,6 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
                 These options can be used to configure the SSH service.
             </para>
             <variablelist>
-                <varlistentry condition="with_ssh_known_hosts_proxy">
-                    <term>ssh_hash_known_hosts (bool)</term>
-                    <listitem>
-                        <para>
-                            Whether or not to hash host names and addresses in
-                            the managed known_hosts file.
-                        </para>
-                        <para>
-                            Default: false
-                        </para>
-                    </listitem>
-                </varlistentry>
-                <varlistentry condition="with_ssh_known_hosts_proxy">
-                    <term>ssh_known_hosts_timeout (integer)</term>
-                    <listitem>
-                        <para>
-                            How many seconds to keep a host in the managed
-                            known_hosts file after its host keys were requested.
-                        </para>
-                        <para>
-                            Default: 180
-                        </para>
-                    </listitem>
-                </varlistentry>
                 <varlistentry>
                     <term>ssh_use_certificate_keys (bool)</term>
                     <listitem>

src/man/sssd.conf.5.xml

@@ -54,20 +54,6 @@ ssh_check_non_sssd_user(const char *username)
 }
 
 
-#ifdef BUILD_SSH_KNOWN_HOSTS_PROXY
-static struct sss_domain_info *
-ssh_get_result_domain(struct resp_ctx *rctx,
-                      struct cache_req_result *result,
-                      const char *name)
-{
-    if (result != NULL) {
-        return result->domain;
-    }
-
-    return find_domain_by_name(rctx->domains, name, true);
-}
-#endif
-
 static void ssh_cmd_get_user_pubkeys_done(struct tevent_req *subreq);
 
 static errno_t ssh_cmd_get_user_pubkeys(struct cli_ctx *cli_ctx)
@@ -361,27 +347,12 @@ static void ssh_cmd_get_host_pubkeys_done(struct tevent_req *subreq)
     struct cache_req_result *result = NULL;
     struct ssh_cmd_ctx *cmd_ctx;
     errno_t ret;
-#ifdef BUILD_SSH_KNOWN_HOSTS_PROXY
-    struct sss_domain_info *domain;
-    struct ssh_ctx *ssh_ctx;
-#endif
 
     cmd_ctx = tevent_req_callback_data(subreq, struct ssh_cmd_ctx);
 
     ret = cache_req_ssh_host_id_by_name_recv(cmd_ctx, subreq, &result);
     talloc_zfree(subreq);
 
-#ifdef BUILD_SSH_KNOWN_HOSTS_PROXY
-    if (ret == EOK || ret == ENOENT) {
-        ssh_ctx = talloc_get_type(cmd_ctx->cli_ctx->rctx->pvt_ctx, struct ssh_ctx);
-        domain = ssh_get_result_domain(ssh_ctx->rctx, result, cmd_ctx->domain);
-
-        ssh_update_known_hosts_file(ssh_ctx->rctx->domains, domain,
-                                    cmd_ctx->name, ssh_ctx->hash_known_hosts,
-                                    ssh_ctx->known_hosts_timeout);
-    }
-#endif
-
     if (ret != EOK) {
         ssh_protocol_done(cmd_ctx->cli_ctx, ret);
         goto done;