ipa / client: pass --no-sshd to client enroll

In RHEL9, ipa-enroll-client by default adds a /etc/ssh/sshd_config.d/04-ipa.conf file with some sshd configuration. Almost all of these things are things we already set in our sshd_config, but one of them causes sshd to enable password (and 2nd factor required) auth. We don't want this, we only want to allow ssh keys. So, pass --no-sshd to enrollment and that should prevent it from messing with our sshd config. I have also removed this file and reloaded sshd all around. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2023-09-20 10:52:17 -07:00 · 2023-09-20 10:52:17 -07:00 · df1445a64b
commit df1445a64b
parent 6f48779818
1 changed files with 1 additions and 0 deletions
--- a/roles/ipa/client/tasks/main.yml
+++ b/roles/ipa/client/tasks/main.yml
@ -27,6 +27,7 @@
         -U -N --force-join
         --mkhomedir
         --no-ssh
+         --no-sshd
    creates: /etc/ipa/default.conf
  notify: clean sss caches
  tags: