mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 08:00:02 -06:00
Module added about ssh pubkey management
This commit is contained in:
parent
a097485eb1
commit
c14042dc32
130
workshop.rst
130
workshop.rst
@ -31,6 +31,7 @@ Curriculum overview
|
||||
- `Unit 7: Replica installation`_
|
||||
- `Unit 8: Sudo rule management`_
|
||||
- `Unit 9: SELinux User Maps`_
|
||||
- `Unit 10: SSH user and host key management`_
|
||||
|
||||
|
||||
Editing files on VMs
|
||||
@ -1518,3 +1519,132 @@ the program being run::
|
||||
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
|
||||
sh-4.3# systemctl restart httpd
|
||||
sh-4.3#
|
||||
|
||||
|
||||
Unit 10: SSH user and host key management
|
||||
=========================================
|
||||
|
||||
In this module you will explore how to use FreeIPA as a backend
|
||||
provider for SSH keys. Instead of distributing ``authorized_keys``
|
||||
and ``known_hosts`` files, SSH keys are uploaded to their
|
||||
corresponding user and host entries in FreeIPA.
|
||||
|
||||
Using FreeIPA as a backend store for SSH user keys
|
||||
--------------------------------------------------
|
||||
|
||||
OpenSSH can use *public-private key pairs* to authenticate users. A
|
||||
user wanting to access a host can get her *public key* added to an
|
||||
``authorized_keys`` file on the target host. When the user attempts
|
||||
to log in, she presents her public key and the host grants access if
|
||||
her key is in an ``authorized_keys`` file. There are system-wide
|
||||
and per-user ``authorized_keys`` files, but if the target systems do
|
||||
not mount a network-backed home directory (e.g. NFS), then the user
|
||||
must copy her public key to every system she intends to log in to.
|
||||
|
||||
On FreeIPA-enrolled systems, SSSD can be configured to cache and
|
||||
retrieve user SSH keys so that applications and services only have
|
||||
to look in one location for user public keys. FreeIPA provides the
|
||||
centralized repository of keys, which users can manage themselves.
|
||||
Administrators do not need to worry about distributing, updating or
|
||||
verifying user SSH keys.
|
||||
|
||||
Generate a user keypair on the client system::
|
||||
|
||||
[client]$ sudo -i -u alice
|
||||
[alice@client]$
|
||||
[alice@client]$ ssh-keygen -C alice@ipademo.local
|
||||
Generating public/private rsa key pair.
|
||||
Enter file in which to save the key (/home/alice/.ssh/id_rsa):
|
||||
Created directory '/home/alice/.ssh'.
|
||||
Enter passphrase (empty for no passphrase):
|
||||
Enter same passphrase again:
|
||||
Your identification has been saved in /home/alice/.ssh/id_rsa.
|
||||
Your public key has been saved in /home/alice/.ssh/id_rsa.pub.
|
||||
The key fingerprint is:
|
||||
SHA256:TbuWICAdqkdXwG3uQoXxh03DuJdRC6Vh3ntOcacdfHM alice@ipademo.local
|
||||
The key's randomart image is:
|
||||
+---[RSA 2048]----+
|
||||
| .+=.o*oo |
|
||||
| oo+=*o* . . |
|
||||
| + ++o.=o+ . .+E|
|
||||
| o o..o.oo o o +=|
|
||||
|. .. ...S + o . .|
|
||||
| . . .. . * |
|
||||
| . + . |
|
||||
| . |
|
||||
| |
|
||||
+----[SHA256]-----+
|
||||
|
||||
The public key is stored in ``/home/alice/.ssh/id_rsa.pub`` in an
|
||||
OpenSSH-specific format. ``alice`` can now upload it to her user
|
||||
entry in FreeIPA::
|
||||
|
||||
[alice@client]$ kinit alice
|
||||
Password for alice@IPADEMO.LOCAL:
|
||||
[alice@client]$ ipa user-mod alice \
|
||||
--sshpubkey="$(cat /home/alice/.ssh/id_rsa.pub)"
|
||||
---------------------
|
||||
Modified user "alice"
|
||||
---------------------
|
||||
User login: alice
|
||||
First name: Alice
|
||||
Last name: Able
|
||||
Home directory: /home/alice
|
||||
Login shell: /bin/sh
|
||||
Email address: alice@ipademo.local
|
||||
UID: 1278000001
|
||||
GID: 1278000001
|
||||
SSH public key: ssh-rsa
|
||||
AAAAB3NzaC1yc2EAAAADAQABAAABAQDH8pLi61DjkEPqNZnfOgGLLZfLdu9EqVL9UrZeXD3M/j3ig+xeDCCO80YjzuND0UZE4CHgA+uGrtoinQMYkt/FRkm/ie8wcinP/8BxSoOeYSHDNG+cG3iSNJrDiHoqPeQ/+nzBS5n6HWy18N5IMNoqC+f9f2VDuHWZCKqPHMLD29MAX6vOgawdHWFcAk416O+EgS43w3ub89+VPz3Egz4z9K+gjpoboFHk94n7n09B+qyzzImVMsz9vMFSr0rcaVRd9Tb0Q6HlUXkU7aH1Vjkl/DJdQalCpPYJXujkRYAZIs1ouU5IBuuq6k54fk1vBmwjv2tK2NkpvfWfhaxQVwdn
|
||||
alice@ipademo.local
|
||||
Account disabled: False
|
||||
Password: True
|
||||
Member of groups: ipausers, sysadmin
|
||||
Indirect Member of Sudo rule: sysadmin_sudo
|
||||
Indirect Member of HBAC rule: sysadmin_all
|
||||
Kerberos keys available: True
|
||||
SSH public key fingerprint: C4:62:89:7A:65:F9:82:12:EF:08:96:D1:C9:7D:51:A5 alice@ipademo.local
|
||||
(ssh-rsa)
|
||||
|
||||
During enrolment of the systems, SSSD has been configured to use
|
||||
FreeIPA as one of its identity domains and OpenSSH has been
|
||||
configured to use SSSD for managing user keys.
|
||||
|
||||
If you have disabled the ``allow_all`` HBAC rule, add a new rule
|
||||
that will **allow ``alice`` to access the ``sshd`` service on any
|
||||
host**.
|
||||
|
||||
Logging in to the server using SSH public key authentication should
|
||||
now work::
|
||||
|
||||
[alice@client]$ ssh -o GSSAPIAuthentication=no server.ipademo.local
|
||||
Last login: Tue Feb 2 15:10:13 2016
|
||||
[alice@server]$
|
||||
|
||||
To verify the SSH public key was used for authentication, you can
|
||||
check the ``sshd`` service journal on the server, which should have
|
||||
an entry like::
|
||||
|
||||
server.ipademo.local sshd[19729]: \
|
||||
Accepted publickey for alice from 192.168.33.20 port 37244 \
|
||||
ssh2: RSA SHA256:rgVSyPM/yn/b5bsZQIsAXWF+16zkP59VS9GS+k+bbOg
|
||||
|
||||
|
||||
Using FreeIPA as a backend store for SSH host keys
|
||||
--------------------------------------------------
|
||||
|
||||
OpenSSH uses public keys to authenticate hosts. When a client
|
||||
attempts to log in over SSH, the target host presents its public
|
||||
key. The first time the host authenticates, the user may have to
|
||||
examine the target host's public key and manually authenticate it.
|
||||
The client then stores the host's public key in a ``known_hosts``
|
||||
file. On subsequent attempts to log in, the client checks its
|
||||
``known_hosts`` files and automatically grants access to recognised
|
||||
hosts.
|
||||
|
||||
Based on the last exercise, try to figure out how to upload SSH host
|
||||
keys to the FreeIPA server.
|
||||
|
||||
**Note:** OpenSSH has already been configured to look up known hosts
|
||||
on the FreeIPA server, so no manual configuration is required for
|
||||
this section.
|
||||
|
Loading…
Reference in New Issue
Block a user