SSSD and OpenSSH Integration

Slides:



Advertisements
Similar presentations
© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
Advertisements

SSH Operation and Techniques - © William Stearns 1 SSH Operation and Techniques The Swiss Army Knife of encryption tools…
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
APACHE SERVER By Innovationframes.com »
Ssh: secure shell. overview Purpose Protocol specifics Configuration Security considerations Other uses.
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
Hands-On Microsoft Windows Server 2008
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 10 Manage Remote Access.
Building a KDC. Kerberos Implementations RedHat 5 comes with MIT Kerberos 1.6 Ubuntu LTS comes with MIT Kerberos Admin through CLI, but from.
Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in.
Andreas Steffen, , 11-SSH.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen M. Liebi Institute for Internet Technologies and Applications.
Learningcomputer.com SQL Server 2008 Configuration Manager.
We will now practice the following concepts: - The use of known_hosts files - SSH connection with password authentication - RSA version 2 protocol key.
Single Sign-on with Kerberos 1 Chris Eberle Ryan Thomas RC Johnson Kim-Lan Tran CS-591 Fall 2008.
TWSd - Security Workshop Part I of III T302 Tuesday, 4/20/2010 TWS Distributed & Mainframe User Education April 18-21, 2010  Carefree Resort  Carefree,
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
CSCE 815 Network Security Lecture 26 SSH and SSH Implementation April 24, 2003.
1 Chapter Overview Performing Configuration Tasks Setting Up Additional Features Performing Maintenance Tasks.
Application Services COM211 Communications and Networks CDA College Theodoros Christophides
Secure Shell (SSH) Presented By Scott Duckworth April 19, 2007.
Networking in Linux. ♦ Introduction A computer network is defined as a number of systems that are connected to each other and exchange information across.
ORAFACT The Secure Shell. ORAFACT Secure Shell Replaces unencrypted utilities rlogin and telnet rsh rcp Automates X11 authentication Supports tunneling.
SSH Tricks Slide 1 SSH Tricks Matthew G. Marsh. SSH Tricks Slide 2 Overview  SSH –What is it –How does it work  Discussion of Network Topology –Tricks.
SSH Tricks for CSF Slide 1 NEbraskaCERT SSH Tricks Matthew G. Marsh 05/21/03.
1 Network Information System (NIS). 2 Module – Network Information System (NIS) ♦ Overview This module focuses on configuring and managing Network Information.
File Transfer Protocol (FTP) FTP host stores files Client logs into host Client program sends command to get a file FTP host downloads the file with error.
How to use WS_FTP A Step by Step Guide to File Transfer.
1 Terminology. 2 Requirements for Network Printing Print server Sufficient RAM to process documents Sufficient disk space on the print server.
Vmware 2V0-621D Vmware Exam Questions & Answers VMware Certified Professional 6 Presents
1 Example security systems n Kerberos n Secure shell.
Lightweight Directory Access Protocol Objectives –This chapter will first show you how to install and use LDAP Contents –The LDAP Database Structure –Scenario.
SSSD System Security Services Daemon. 2 Manages communication with centralized identity and authentication stores Provides robust, predictable caching.
SSSD System Security Services Daemon. 2 Manages communication with centralized identity and authentication stores Provides robust, predictable caching.
1 Free Electrons. Kernel, drivers and embedded Linux development, consulting, training and support. http//free-electrons.com SSH Thomas Petazzoni Free.
OpenSSH – Public Key Authentication ● Jonathan Schipp ● Dubois County Linux User Group ● Nov 7 th 2010 ● jonschipp (at) gmail.com.
Security with SSH Unix System Administration Workshop AfNOG 2007 Hervey Allen.
Security with SSH ISP Services Workshop SANOG 9 Hervey Allen.
SSH - Lab We will now practice the following concepts: - The use of known_hosts files - SSH connection with password authentication - RSA version 2.
SSH Security vs. Automation
Overview – SOE Openssh Dec 2013.
New Capabilities of the Web Enabled User Interfaces
Ssh: secure shell.
Chapter 7: Using Network Clients
Introduction to Operating Systems
Instructor Materials Chapter 5 Providing Network Services
Configuring ALSMS Remote Navigation
Gnucash Is a nice home accounting system to track financial information and here's a way to let more than one person to access it. In this presentation,
NTP, Syslog & Secure Shell
Chapter 9 Router Configuration (Ospf, Rip) Webmin, usermin Team viewer
cctld Workshop Georgetown, Guyana Hervey Allen
Module 4 Remote Login.
Chapter 2: System Structures
Radius, LDAP, Radius used in Authenticating Users
Chapter 5: Switch Configuration
Fundamental Concepts in Security and its Application Cloud Computing
SLM: Slice Login Manager
Chapter 5: Switch Configuration
DHCP, DNS, Client Connection, Assignment 1 1.3
Single Sign-on with Kerberos
Lab 7 - Topics Establishing SSH Connection Install SSH Configure SSH
Computer Security Distributed System Security
Configuring Internet-related services
Solutions for the Third Problem Set
Remote Computing Services Cloud connection Distributed system
Chapter 7 Network Applications
Preventing Privilege Escalation
Presentation transcript:

SSSD and OpenSSH Integration Jan Cholasta 01-04-2013

Introduction to OpenSSH OpenSSH is an implementation of the SSH protocol Provides both server (sshd) and client (ssh) SSH allows secure access to resources on a remote system Most commonly access to remote shell Both users and hosts are authenticated Users are authenticated by the server (sshd) Hosts are authenticated by the client (ssh)

User authentication in sshd SSH supports multiple mechanisms for authenticating users Password authentication, public key authentication, GSSAPI authentication, … Public key authentication uses digital signatures to verify the user's identity The user's private key is stored on the client (~/.ssh/id_rsa) The user's public keys are stored on the server (~/.ssh/authorized_keys)

Host authentication in ssh Only public key authentication is supported for authenticating hosts The host's private key is stored on the server (/etc/ssh/ssh_host_rsa_key) Host names and their respective public keys are stored on the client (~/.ssh/known_hosts) When ssh connects to an unknown host, its identity must be manually verified by the user When verified, the host is automatically added to the known_hosts file by ssh

Motivation OpenSSH can be already used with SSSD for user authentication Password authentication is handled by PAM Kerberos authentication is handled by GSSAPI However, OpenSSH does public key authentication on its own No centralized management of public keys No host authentication without user interaction Make public key authentication work with identity information stored in FreeIPA

SSH public keys in FreeIPA SSH public keys in FreeIPA are stored in LDAP attribute ipaSshPubKey User and host LDAP entries with object classes ipaSshUser and ipaSshHost can contain the attribute It is possible to configure SSSD to use a different attribute for SSH public keys Configuration option ldap_user_ssh_public_key Configuration option ipa_host_ssh_public_key

SSH public keys in FreeIPA example Set user's public key using ipa command: $ ipa user-mod user –sshpubkey='ssh-rsa AAAA…' (see “SSH Public Keys in FreeIPA” slides for more information) A user's LDAP entry with a SSH public key: dn: uid=user,cn=accounts,dc=example,dc=com objectClass: posixAccount objectClass: ipaSshUser … uid: user ipaSshPubKey: ssh-rsa AAAAB3NzaC1yc2EA…

Configure OpenSSH to work with SSSD (1) Configure sshd in /etc/ssh/sshd_config Use PAM for password authentication UsePAM yes Make sure we do not kinit ourselves and let SSSD do it KerberosAuthentication no Get authorized_keys from SSSD AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys (note that AuthorizedKeysCommand is available only in patched OpenSSH – available in RHEL and Fedora) Restart sshd

Configure OpenSSH to work with SSSD (2) Configure ssh in /etc/ssh/ssh_config Get known_hosts from SSSD GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

Configure SSSD to work with OpenSSH Configure SSSD in /etc/sssd/sssd.conf Append ssh to the services line in the [sssd] section Create an empty [ssh] section if it does not exist Restart SSSD

User public key authentication with SSSD ​sshd receives a public key authentication request ​sshd executes sss_ssh_authorizedkeys <user> ​sss_ssh_authorizedkeys asks SSSD to get the user's public keys from FreeIPA server ​sss_ssh_authorizedkeys prints the public keys in authorized_keys format to its standard output ​sshd reads and processes the output as if it was an actual authorized_keys file (note that this requires patched OpenSSH - available in RHEL and Fedora)

Host authentication with SSSD User executes ssh <host> ​ssh executes sss_ssh_knownhostsproxy -p 22 <host> to connect to the host ​sss_ssh_knownhostsproxy asks SSSD to get the host's public keys from FreeIPA server (LDAP, not DNS!) SSSD adds the host's name and public keys to /var/lib/sss/pubconf/known_hosts ​sss_ssh_knownhostsproxy connects to the host and pipes all communication through its standard I/O ​ssh processes SSSD known_hosts the same way as any other known_hosts file

Debugging the OpenSSH configuration Check that the required options have correct values in sshd_config and ssh_config Debug sshd # /usr/sbin/sshd -D -ddd -p <port> (you must use the full path!) Debug ssh # ssh -vvv -p <port> -l <login> <host>

Debugging the SSSD configuration (1) Check that the ssh service is enabled in sssd.conf and the sssd_ssh process is running Check SSSD debug logs Set the debug_level option in[ssh] and [domain/<domain>] sections in sssd.conf Restart SSSD Inspect sssd_ssh.log and sssd_<domain>.log in /var/log/sssd

Debugging the SSSD configuration (2) Run sss_ssh_authorizedkeys manually $ sss_ssh_authorizedkeys --debug 10 <user> You should get a list of public keys for the user and no error messages Check SSSD debug logs

Debugging the SSSD configuration (3) Run sss_ssh_knownhostsproxy manually (opt.) Set ssh_hash_known_hosts option to false in the [ssh] section of sssd.conf and restart SSSD $ sss_ssh_knownhostsproxy --debug 10 -p <port> <host> You should get a hello message from the server and no error messages (exit with Ctrl+C) Check if /var/lib/sss/pubconf/known_hosts was updated with the correct information for the host Check SSSD debug logs

Additional information OpenSSH manual pages sshd(8), sshd_config(5), ssh(1), ssh_config(5) SSSD manual pages sssd.conf(5), sssd-ldap(5), sssd-ipa(5), sss_ssh_authorizedkeys(1), sss_ssh_knownhostsproxy(1) “SSH Public Keys in FreeIPA” slides

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.