• No results found

SSSD and OpenSSH Integration

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "SSSD and OpenSSH Integration"

Copied!
17
0
0

Loading.... (view fulltext now)

Download now ( 17 Page )

Full text

(1)

FreeIPA Training Series

FreeIPA Training Series

SSSD and OpenSSH Integration

SSSD and OpenSSH Integration

Jan Cholasta

Jan Cholasta

01-04-2013 01-04-2013

(2)

Introduction to OpenSSH

OpenSSH is an implementation of the SSH

protocol

Provides both server (

sshd

) and client (

ssh

)

SSH allows secure access to resources on a

remote system

Most commonly access to remote shell

Both users and hosts are authenticated

Users are authenticated by the server (

sshd

)

Hosts are authenticated by the client (

ssh

)

(3)

User authentication in

sshd

SSH supports multiple mechanisms for authenticating

users

● Password authentication, public key authentication,

GSSAPI authentication, …

Public key authentication uses digital signatures to

verify the user's identity

● The user's private key is stored on the client

(~/.ssh/id_rsa)

● The user's public keys are stored on the server

(4)

Host authentication in

ssh

Only public key authentication is supported for

authenticating hosts

● The host's private key is stored on the server

(/etc/ssh/ssh_host_rsa_key)

● Host names and their respective public keys are stored

on the client (~/.ssh/known_hosts)

When

ssh

connects to an unknown host, its identity

must be manually verified by the user

● When verified, the host is automatically added to the

(5)

Motivation

OpenSSH can be already used with SSSD for user

authentication

Password authentication is handled by PAM

Kerberos authentication is handled by GSSAPI

However, OpenSSH does public key authentication

on its own

No centralized management of public keys

No host authentication without user interaction

Make public key authentication work with identity

information stored in FreeIPA

(6)

SSH public keys in FreeIPA

● SSH public keys in FreeIPA are stored in LDAP attribute

ipaSshPubKey

● User and host LDAP entries with object classes

ipaSshUser and ipaSshHost can contain the attribute

● It is possible to configure SSSD to use a different attribute

for SSH public keys

● Configuration option ldap_user_ssh_public_key ● Configuration option ipa_host_ssh_public_key

(7)

SSH public keys in FreeIPA example

Set user's public key using

ipa

command:

$ ipa user-mod user –sshpubkey='ssh-rsa AAAA…'

(see “SSH Public Keys in FreeIPA” slides for more

information)

A user's LDAP entry with a SSH public key:

dn: uid=user,cn=accounts,dc=example,dc=com objectClass: posixAccount

objectClass: ipaSshUser …

uid: user

ipaSshPubKey: ssh-rsa AAAAB3NzaC1yc2EA… …

(8)

Configure OpenSSH to work with SSSD

(1)

Configure

sshd

in

/etc/ssh/sshd_config

● Use PAM for password authentication

UsePAM yes

● Make sure we do not kinit ourselves and let SSSD do it

KerberosAuthentication no

● Get authorized_keys from SSSD

AuthorizedKeysCommand

/usr/bin/sss_ssh_authorizedkeys

(note that AuthorizedKeysCommand is available only in patched OpenSSH – available in RHEL and Fedora)

(9)

Configure OpenSSH to work with SSSD

(2)

Configure

ssh

in

/etc/ssh/ssh_config

Get

known_hosts

from SSSD

GlobalKnownHostsFile

/var/lib/sss/pubconf/known_hosts

ProxyCommand

/usr/bin/sss_ssh_knownhostsproxy -p %p

%h

(10)

Configure SSSD to work with OpenSSH

Configure SSSD in

/etc/sssd/sssd.conf

Append

ssh

to the

services

line in the

[sssd]

section

Create an empty

[ssh]

section if it does not exist

(11)

User public key authentication with SSSD

1. ​sshd receives a public key authentication request

2. ​sshd executes sss_ssh_authorizedkeys <user>

3. ​sss_ssh_authorizedkeys asks SSSD to get the user's

public keys from FreeIPA server

4. ​sss_ssh_authorizedkeys prints the public keys in authorized_keys format to its standard output

5. ​sshd reads and processes the output as if it was an actual

authorized_keys file

(note that this requires patched OpenSSH - available in RHEL and Fedora)

(12)

Host authentication with SSSD

1. User executes ssh <host>

2. ​ssh executes sss_ssh_knownhostsproxy -p 22 <host> to connect to the host

3. ​sss_ssh_knownhostsproxy asks SSSD to get the host's

public keys from FreeIPA server (LDAP, not DNS!) 4. SSSD adds the host's name and public keys to

/var/lib/sss/pubconf/known_hosts

5. ​sss_ssh_knownhostsproxy connects to the host and

pipes all communication through its standard I/O

6. ​ssh processes SSSD known_hosts the same way as any

(13)

Debugging the OpenSSH configuration

Check that the required options have correct

values in

sshd_config

and

ssh_config

Debug

sshd

# /usr/sbin/sshd -D -ddd -p <port>

(you must use the full path!)

Debug

ssh

(14)

Debugging the SSSD configuration (1)

Check that the

ssh

service is enabled in

sssd.conf

and the

sssd_ssh

process is running

Check SSSD debug logs

Set the

debug_level

option in

[ssh]

and

[domain/<domain>]

sections in

sssd.conf

Restart SSSD

Inspect

sssd_ssh.log

and

(15)

Debugging the SSSD configuration (2)

Run

sss_ssh_authorizedkeys

manually

$ sss_ssh_authorizedkeys --debug 10 <user>

You should get a list of public keys for the user and

no error messages

(16)

Debugging the SSSD configuration (3)

Run

sss_ssh_knownhostsproxy

manually

● (opt.) Set ssh_hash_known_hosts option to false

in the [ssh] section of sssd.conf and restart SSSD

$ sss_ssh_knownhostsproxy --debug 10 -p <port> <host>

● You should get a hello message from the server and no

error messages (exit with Ctrl+C)

● Check if /var/lib/sss/pubconf/known_hosts

was updated with the correct information for the host

(17)

Additional information

OpenSSH manual pages

sshd(8)

,

sshd_config(5)

,

ssh(1)

,

ssh_config(5)

SSSD manual pages

sssd.conf(5)

,

sssd-ldap(5)

,

sssd-ipa(5)

,

sss_ssh_authorizedkeys(1)

,

sss_ssh_knownhostsproxy(1)

References

Download now ( PDF - 17 Page - 103.63 KB )

Related documents

Social clubs and social capital: the effect of electronic gaming machines in disadvantaged regions on the creation or destruction of community resilience

Specifically, whether and in what ways Social Clubs as community actors may engender social capital creation opportunities through programs and activities supporting volunteering

Oesophageal stent insertion

Oesophageal stent insertion is a very safe procedure, but there are some risks and complications that can arise, as with any medical treatment.. It is possible that a little

Accelerating Regional Development Using the Human Development Index Approach (A Case Study of Southeast Sulawesi)

Based on the interpretation of the analysis results, the following conclusions are drawn: (a) components that can help accelerate development in Southeast Sulawesi are the

Configuring Secure Shell (SSH)

C a u t i o n To enable client public-key authentication to block SSH clients whose public keys are not in the client-public-key file copied into the switch, you must configure

Using sftp in Informatica PowerCenter

¾ You need to create a ssh keys on the informatica server using ssh –keygen command in Unix ¾ Share the public key with the team that maintains your SFTP server and ask them

Grammatical and pragmatic use of referential expressions in picture-based narratives of bilingual and monolingual children in Russian and German

The main aim of the study was to find out how Russian- German bilingual children and monolingual children of the respective languages deal with the choice of referential

Problem Drinking Part 1 - Screening and Assessment

14 Refer to Problem Drinking Part 3 - Office Based Management of Alcohol Withdrawal and Prescribing Medications for Alcohol Dependence.. Prescribing medications for

Adobe LiveCycle Data Services 3 Performance Brief

This test demonstrates the impact on Remoting throughput as we vary the number of concurrent clients with one and two LiveCycle Data Services server instances.. This test was test