SSSD and OpenSSH Integration

Similar documents
Identity Management based on FreeIPA

SSSD Active Directory Improvements

Secure Shell. The Protocol

FreeIPA 3.3 Trust features

System Security Services Daemon

SSH! Keep it secret. Keep it safe

TS-800. Configuring SSH Client Software in UNIX and Windows Environments for Use with the SFTP Access Method in SAS 9.2, SAS 9.3, and SAS 9.

SSH, SCP, SFTP, Denyhosts. Süha TUNA Res. Assist.

Using SFTP on the z/os Platform

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA

Single Sign-On for Kerberized Linux and UNIX Applications

CAC AND KERBEROS FROM VISION TO REALITY

Pro OpenSSH. Michael Stahnke. Apress* =# # w^ l&l ## frsft. *,«.,*

This presentation explains how to integrate Microsoft Active Directory to enable LDAP authentication in the IBM InfoSphere Master Data Management

RHEL Clients to AD Integrating RHEL clients to Active Directory

Using OpenSSH in a Single Sign-On Corporate Environment with z/os, Windows and Linux

External and Federated Identities on the Web

SSSD DNS Improvements in AD Environment

OpenSSH: Secure Shell

FreeIPA v3: Trust Basic trust setup

Secure File Transfer Installation. Sender Recipient Attached FIles Pages Date. Development Internal/External None 11 6/23/08

SSSD. Client side identity management. LinuxAlt 2012 Jakub Hrozek 3. listopadu 2012

FreeIPA Client and Server

FreeIPA Cross Forest Trusts

AD Integration options for Linux Systems

Connectivity using ssh, rsync & vsftpd

FreeIPA - Open Source Identity Management in Linux

Integrating Linux systems with Active Directory

Interoperability Update: Red Hat Enterprise Linux 7 beta and Microsoft Windows

Managed File Transfer

Laboration 3 - Administration

Securing Windows Remote Desktop with CopSSH

Red Hat Identity Management

SSH The Secure Shell

Building Open Source Identity Management with FreeIPA. Martin Kosek

Using LDAP Authentication in a PowerCenter Domain

A Guide for Administrators

Univention Corporate Server. Extended domain services documentation

Advancements in Linux Authentication and Authorisation using SSSD

Enabling Active Directory Authentication with ESX Server 1

Configuring SSH and Telnet

SUSE Manager 1.2.x ADS Authentication

Securing Windows Remote Desktop with CopSSH

noway.toonux.com 09 January 2014

Secure Shell Demon setup under Windows XP / Windows Server 2003

LDAP and Active Directory Guide

Back Up Linux And Windows Systems With BackupPC

IBM WebSphere Application Server Version 7.0

Nessus Training Session 2 - Scanning and Reporting

File Transfer Examples. Running commands on other computers and transferring files between computers

Encrypted File Transfer - Customer Testing

Red Hat Enterprise Identity (IPA) Centralized Management of Identities & Authentication

Tivoli Directory Server v6.3 Part03 of 06 Backup and Recovery

Cloud Implementation using OpenNebula

Router CLI Overview. CradlePoint, Inc.

EMC VNX Version 8.1 Configuring and Using the Audit Tool on VNX for File P/N Rev 01 August, 2013

IPA Identity, Policy, Audit Karl Wirth, Red Hat Kevin Unthank, Red Hat

How to build an Identity Management System on Linux. Simo Sorce Principal Software Engineer Red Hat, Inc.

UNIX PINE Setup process to access Exchange Mail Account

Chapter 3 Authenticating Users

Managing Identity & Access in On-premise and Cloud Environments. Ellen Newlands Identity Management Product Manager Red Hat, Inc

1 Introduction. Ubuntu Linux Server & Client and Active Directory. Page 1 of 14

Linux Operating System Security

FreeIPA Client and Server

Identity Management: The authentic & authoritative guide for the modern enterprise

Secure access to the DESY network using SSH

IIS, FTP Server and Windows

Authentication in a Heterogeneous Environment

Introduction to Linux (Authentication Systems, User Accounts, LDAP and NIS) Süha TUNA Res. Assist.

SSSD AD Provider: Access Control

Install and Configure an Open Source Identity Server Lab

SCOPTEL WITH ACTIVE DIRECTORY USER DOCUMENTATION

Security with LDAP. Andrew Findlay. February Skills 1st Ltd

How to Tunnel Remote Desktop using SSH (Cygwin) for Windows XP (SP2)

QUANTIFY INSTALLATION GUIDE

Using Active Directory as your Solaris Authentication Source

F-SECURE MESSAGING SECURITY GATEWAY

Adobe Connect LMS Integration for Blackboard Learn 9

Migration of Windows Intranet domain to Linux Domain Moving Linux to a Wider World

Integrating Red Hat Enterprise Linux 6 with Microsoft Active Directory Presentation

Cloud Control Panel (CCP) Installation Guide

Linux Security Ideas and Tips

Kerberos + Android. A Tale of Opportunity. Slide 1 / 39. Copyright 2012 yassl

Preparing for the Installation

GL254 - RED HAT ENTERPRISE LINUX SYSTEMS ADMINISTRATION III

F-Secure Messaging Security Gateway. Deployment Guide

Using LiveAction with Cisco Secure ACS (TACACS+ Server)

Single Sign On. Configuration Checklist for Single Sign On CHAPTER

Configuring CSS Remote Access Methods

Quality Center LDAP Guide

How To Authenticate An Ssl Vpn With Libap On A Safeprocess On A Libp Server On A Fortigate On A Pc Or Ipad On A Ipad Or Ipa On A Macbook Or Ipod On A Network

External Identity and Authentication Providers For Apache HTTP Server

Using sftp in Informatica PowerCenter

Dante, Module LDAP. Inferno Nettverk A/S Oslo Research Park Gaustadalleen 21 NO-0349 Oslo Norway. Date: 2011/06/13 13:19:23

1 Reflection ZFE 5. 2 Security Considerations Troubleshooting the Installation 19. Contents 1

Configure Backup Server for Cisco Unified Communications Manager

Transcription:

FreeIPA Training Series SSSD and OpenSSH Integration Jan Cholasta 01-04-2013

Introduction to OpenSSH OpenSSH is an implementation of the SSH protocol Provides both server (sshd) and client (ssh) SSH allows secure access to resources on a remote system Most commonly access to remote shell Both users and hosts are authenticated Users are authenticated by the server (sshd) Hosts are authenticated by the client (ssh) 2 FreeIPA Training Series

User authentication in sshd SSH supports multiple mechanisms for authenticating users Password authentication, public key authentication, GSSAPI authentication, Public key authentication uses digital signatures to verify the user's identity The user's private key is stored on the client (~/.ssh/id_rsa) The user's public keys are stored on the server (~/.ssh/authorized_keys) 3 FreeIPA Training Series

Host authentication in ssh Only public key authentication is supported for authenticating hosts The host's private key is stored on the server (/etc/ssh/ssh_host_rsa_key) Host names and their respective public keys are stored on the client (~/.ssh/known_hosts) When ssh connects to an unknown host, its identity must be manually verified by the user When verified, the host is automatically added to the known_hosts file by ssh 4 FreeIPA Training Series

Motivation OpenSSH can be already used with SSSD for user authentication Password authentication is handled by PAM Kerberos authentication is handled by GSSAPI However, OpenSSH does public key authentication on its own No centralized management of public keys No host authentication without user interaction Make public key authentication work with identity information stored in FreeIPA 5 FreeIPA Training Series

SSH public keys in FreeIPA SSH public keys in FreeIPA are stored in LDAP attribute ipasshpubkey User and host LDAP entries with object classes ipasshuser and ipasshhost can contain the attribute It is possible to configure SSSD to use a different attribute for SSH public keys Configuration option ldap_user_ssh_public_key Configuration option ipa_host_ssh_public_key 6 FreeIPA Training Series

SSH public keys in FreeIPA example Set user's public key using ipa command: $ ipa user-mod user sshpubkey='ssh-rsa AAAA ' (see SSH Public Keys in FreeIPA slides for more information) A user's LDAP entry with a SSH public key: dn: uid=user,cn=accounts,dc=example,dc=com objectclass: posixaccount objectclass: ipasshuser uid: user ipasshpubkey: ssh-rsa AAAAB3NzaC1yc2EA 7 FreeIPA Training Series

Configure OpenSSH to work with SSSD (1) Configure sshd in /etc/ssh/sshd_config Use PAM for password authentication UsePAM yes Make sure we do not kinit ourselves and let SSSD do it KerberosAuthentication no Get authorized_keys from SSSD AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys (note that AuthorizedKeysCommand is available only in patched OpenSSH available in RHEL and Fedora) Restart sshd 8 FreeIPA Training Series

Configure OpenSSH to work with SSSD (2) Configure ssh in /etc/ssh/ssh_config Get known_hosts from SSSD GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h 9 FreeIPA Training Series

Configure SSSD to work with OpenSSH Configure SSSD in /etc/sssd/sssd.conf Append ssh to the services line in the [sssd] section Create an empty [ssh] section if it does not exist Restart SSSD 10 FreeIPA Training Series

User public key authentication with SSSD 1. sshd receives a public key authentication request 2. sshd executes sss_ssh_authorizedkeys <user> 3. sss_ssh_authorizedkeys asks SSSD to get the user's public keys from FreeIPA server 4. sss_ssh_authorizedkeys prints the public keys in authorized_keys format to its standard output 5. sshd reads and processes the output as if it was an actual authorized_keys file (note that this requires patched OpenSSH - available in RHEL and Fedora) 11 FreeIPA Training Series

Host authentication with SSSD 1. User executes ssh <host> 2. ssh executes sss_ssh_knownhostsproxy -p 22 <host> to connect to the host 3. sss_ssh_knownhostsproxy asks SSSD to get the host's public keys from FreeIPA server (LDAP, not DNS!) 4. SSSD adds the host's name and public keys to /var/lib/sss/pubconf/known_hosts 5. sss_ssh_knownhostsproxy connects to the host and pipes all communication through its standard I/O 6. ssh processes SSSD known_hosts the same way as any other known_hosts file 12 FreeIPA Training Series

Debugging the OpenSSH configuration Check that the required options have correct values in sshd_config and ssh_config Debug sshd # /usr/sbin/sshd -D -ddd -p <port> (you must use the full path!) Debug ssh # ssh -vvv -p <port> -l <login> <host> 13 FreeIPA Training Series

Debugging the SSSD configuration (1) Check that the ssh service is enabled in sssd.conf and the sssd_ssh process is running Check SSSD debug logs Set the debug_level option in[ssh] and [domain/<domain>] sections in sssd.conf Restart SSSD Inspect sssd_ssh.log and sssd_<domain>.log in /var/log/sssd 14 FreeIPA Training Series

Debugging the SSSD configuration (2) Run sss_ssh_authorizedkeys manually $ sss_ssh_authorizedkeys --debug 10 <user> You should get a list of public keys for the user and no error messages Check SSSD debug logs 15 FreeIPA Training Series

Debugging the SSSD configuration (3) Run sss_ssh_knownhostsproxy manually (opt.) Set ssh_hash_known_hosts option to false in the [ssh] section of sssd.conf and restart SSSD $ sss_ssh_knownhostsproxy --debug 10 -p <port> <host> You should get a hello message from the server and no error messages (exit with Ctrl+C) Check if /var/lib/sss/pubconf/known_hosts was updated with the correct information for the host Check SSSD debug logs 16 FreeIPA Training Series

Additional information OpenSSH manual pages sshd(8), sshd_config(5), ssh(1), ssh_config(5) SSSD manual pages sssd.conf(5), sssd-ldap(5), sssd-ipa(5), sss_ssh_authorizedkeys(1), sss_ssh_knownhostsproxy(1) SSH Public Keys in FreeIPA slides 17 FreeIPA Training Series

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information