Fix for kerberos user

redhat-qe-security · Jan 29, 2025 · 5321e73 · 5321e73
1 parent 6d96b9b
commit 5321e73
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 21 deletions.
diff --git a/SCAutolib/controller.py b/SCAutolib/controller.py
@@ -163,7 +163,7 @@ def setup_system(self, install_missing: bool, gdm: bool, graphical: bool):
             run("dnf -y copr enable jjelen/vsmartcard{0}".format(extra_args))
 
         # Add IPA packages if needed
-        if any([u["user_type"] != UserType.local
+        if any([u["user_type"] == UserType.ipa
                 for u in self.lib_conf["users"]]):
             packages += self._general_steps_for_ipa()
 
@@ -563,9 +563,9 @@ def _general_steps_for_ipa():
             logger.debug("idm:DL1 module is installed")
 
         if isDistro('fedora'):
-            return ["freeipa-client"]
+            return ["e2fsprogs", "freeipa-client"]
         else:
-            return ["ipa-client"]
+            return ["e2fsprogs", "ipa-client"]
 
     def get_user_dict(self, name):
         """

diff --git a/SCAutolib/models/CA.py b/SCAutolib/models/CA.py
@@ -9,7 +9,7 @@
 import os
 import python_freeipa
 from cryptography import x509
-from hashlib import md5
+from hashlib import sha256
 from pathlib import Path, PosixPath
 from python_freeipa import exceptions
 from python_freeipa.client_meta import ClientMeta
@@ -578,8 +578,6 @@ def _add_to_resolv(self):
                 f.write(cnt)
             logger.info(
                 "IPA server is added to /etc/resolv.conf as first nameserver")
-            run("chattr -i /etc/resolv.conf")
-            logger.info("File /etc/resolv.conf is blocked for editing")
 
         with open("/etc/resolv.conf", "r") as f:
             logger.debug(f"New resolv.conf\n{f.read()}")
@@ -608,18 +606,6 @@ def _get_sc_setup_script(self):
         from invoke import Responder
         from fabric.connection import Connection
 
-        class __PKeyChild(paramiko.PKey):
-            """This child class is need to fix SSH connection with MD5 algorithm
-            in FIPS mode
-
-            This is just workaround until PR in paramiko would be accepted
-            https://github.com/paramiko/paramiko/issues/396. After this PR is
-            merged, delete this class
-            """
-
-            def get_fingerprint_improved(self):
-                return md5(self.asbytes(), usedforsecurity=False).digest()
-
         kinitpass = Responder(
             pattern=f"Password for admin@{self._ipa_server_realm}: ",
             response=f"{self._ipa_server_admin_passwd}\n")
@@ -628,11 +614,11 @@ def get_fingerprint_improved(self):
         with Connection(self._ipa_server_ip, user="root",
                         connect_kwargs={
                             "password": self._ipa_server_root_passwd}) as c:
-            # Delete this block when PR in paramiko will be accepted
+            # TODO Delete this block when PR in paramiko will be accepted
             # https://github.com/paramiko/paramiko/issues/396
             #### noqa:E266
             paramiko.PKey.get_fingerprint = \
-                self.__PKeyChild.get_fingerprint_improved
+                lambda x: sha256(x.asbytes()).digest()
             c.client = paramiko.SSHClient()
             c.client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
             #### noqa:E266

diff --git a/setup.py b/setup.py
@@ -24,7 +24,7 @@
 
 setup(
     name="SCAutolib",
-    version="3.4.0",
+    version="3.4.1",
     description=description,
     long_description=long_description,
     long_description_content_type='text/markdown',