1 files changed, 47 insertions, 0 deletions

diff --git a/install.freeipa b/install.freeipa
new file mode 100644
index 000000000000..4d2bd0e9788a
--- /dev/null
+++ b/install.freeipa
@@ -0,0 +1,47 @@
+post_upgrade() {
+  # Has the client been configured?
+  restore=0
+  test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+  if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
+    if ! grep -Eq '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null; then
+      echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
+      cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
+      mv /etc/krb5.conf.ipanew /etc/krb5.conf
+    fi
+  fi
+
+  # Has the client been configured?
+  restore=0
+  test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' \
+    && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' \
+                 | awk '{print $1}')
+
+  if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+    if grep -Eq '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
+      sed -r '
+          /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
+      ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
+
+      if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
+        sed -ri '
+            s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+            s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
+        ' /etc/ssh/sshd_config.ipanew
+      elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
+        sed -ri '
+            s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+            s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
+        ' /etc/ssh/sshd_config.ipanew
+      elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
+        sed -ri '
+            s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
+            s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
+        ' /etc/ssh/sshd_config.ipanew
+      fi
+
+      mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+      chmod 600 /etc/ssh/sshd_config
+    fi
+  fi
+}