Presentation is loading. Please wait.

Presentation is loading. Please wait.

SSSD and OpenSSH Integration

Published byMargery Beasley Modified over 6 years ago

Similar presentations

Presentation on theme: "SSSD and OpenSSH Integration"— Presentation transcript:

1 SSSD and OpenSSH Integration
Jan Cholasta

2 Introduction to OpenSSH
OpenSSH is an implementation of the SSH protocol Provides both server (sshd) and client (ssh) SSH allows secure access to resources on a remote system Most commonly access to remote shell Both users and hosts are authenticated Users are authenticated by the server (sshd) Hosts are authenticated by the client (ssh)

3 User authentication in sshd
SSH supports multiple mechanisms for authenticating users Password authentication, public key authentication, GSSAPI authentication, … Public key authentication uses digital signatures to verify the user's identity The user's private key is stored on the client (~/.ssh/id_rsa) The user's public keys are stored on the server (~/.ssh/authorized_keys)

4 Host authentication in ssh
Only public key authentication is supported for authenticating hosts The host's private key is stored on the server (/etc/ssh/ssh_host_rsa_key) Host names and their respective public keys are stored on the client (~/.ssh/known_hosts) When ssh connects to an unknown host, its identity must be manually verified by the user When verified, the host is automatically added to the known_hosts file by ssh

5 Motivation OpenSSH can be already used with SSSD for user authentication Password authentication is handled by PAM Kerberos authentication is handled by GSSAPI However, OpenSSH does public key authentication on its own No centralized management of public keys No host authentication without user interaction Make public key authentication work with identity information stored in FreeIPA

6 SSH public keys in FreeIPA
SSH public keys in FreeIPA are stored in LDAP attribute ipaSshPubKey User and host LDAP entries with object classes ipaSshUser and ipaSshHost can contain the attribute It is possible to configure SSSD to use a different attribute for SSH public keys Configuration option ldap_user_ssh_public_key Configuration option ipa_host_ssh_public_key

7 SSH public keys in FreeIPA example
Set user's public key using ipa command: $ ipa user-mod user –sshpubkey='ssh-rsa AAAA…' (see “SSH Public Keys in FreeIPA” slides for more information) A user's LDAP entry with a SSH public key: dn: uid=user,cn=accounts,dc=example,dc=com objectClass: posixAccount objectClass: ipaSshUser uid: user ipaSshPubKey: ssh-rsa AAAAB3NzaC1yc2EA…

8 Configure OpenSSH to work with SSSD (1)
Configure sshd in /etc/ssh/sshd_config Use PAM for password authentication UsePAM yes Make sure we do not kinit ourselves and let SSSD do it KerberosAuthentication no Get authorized_keys from SSSD AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys (note that AuthorizedKeysCommand is available only in patched OpenSSH – available in RHEL and Fedora) Restart sshd

9 Configure OpenSSH to work with SSSD (2)
Configure ssh in /etc/ssh/ssh_config Get known_hosts from SSSD GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

10 Configure SSSD to work with OpenSSH
Configure SSSD in /etc/sssd/sssd.conf Append ssh to the services line in the [sssd] section Create an empty [ssh] section if it does not exist Restart SSSD

11 User public key authentication with SSSD
​sshd receives a public key authentication request ​sshd executes sss_ssh_authorizedkeys <user> ​sss_ssh_authorizedkeys asks SSSD to get the user's public keys from FreeIPA server ​sss_ssh_authorizedkeys prints the public keys in authorized_keys format to its standard output ​sshd reads and processes the output as if it was an actual authorized_keys file (note that this requires patched OpenSSH - available in RHEL and Fedora)

12 Host authentication with SSSD
User executes ssh <host> ​ssh executes sss_ssh_knownhostsproxy -p 22 <host> to connect to the host ​sss_ssh_knownhostsproxy asks SSSD to get the host's public keys from FreeIPA server (LDAP, not DNS!) SSSD adds the host's name and public keys to /var/lib/sss/pubconf/known_hosts ​sss_ssh_knownhostsproxy connects to the host and pipes all communication through its standard I/O ​ssh processes SSSD known_hosts the same way as any other known_hosts file

13 Debugging the OpenSSH configuration
Check that the required options have correct values in sshd_config and ssh_config Debug sshd # /usr/sbin/sshd -D -ddd -p <port> (you must use the full path!) Debug ssh # ssh -vvv -p <port> -l <login> <host>

14 Debugging the SSSD configuration (1)
Check that the ssh service is enabled in sssd.conf and the sssd_ssh process is running Check SSSD debug logs Set the debug_level option in[ssh] and [domain/<domain>] sections in sssd.conf Restart SSSD Inspect sssd_ssh.log and sssd_<domain>.log in /var/log/sssd

15 Debugging the SSSD configuration (2)
Run sss_ssh_authorizedkeys manually $ sss_ssh_authorizedkeys --debug 10 <user> You should get a list of public keys for the user and no error messages Check SSSD debug logs

16 Debugging the SSSD configuration (3)
Run sss_ssh_knownhostsproxy manually (opt.) Set ssh_hash_known_hosts option to false in the [ssh] section of sssd.conf and restart SSSD $ sss_ssh_knownhostsproxy --debug 10 -p <port> <host> You should get a hello message from the server and no error messages (exit with Ctrl+C) Check if /var/lib/sss/pubconf/known_hosts was updated with the correct information for the host Check SSSD debug logs

17 Additional information
OpenSSH manual pages sshd(8), sshd_config(5), ssh(1), ssh_config(5) SSSD manual pages sssd.conf(5), sssd-ldap(5), sssd-ipa(5), sss_ssh_authorizedkeys(1), sss_ssh_knownhostsproxy(1) “SSH Public Keys in FreeIPA” slides

Download ppt "SSSD and OpenSSH Integration"

Similar presentations

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
SSH Operation and Techniques - © 2001-2006 William Stearns 1 SSH Operation and Techniques The Swiss Army Knife of encryption tools…

SSH Operation and Techniques - © William Stearns 1 SSH Operation and Techniques The Swiss Army Knife of encryption tools…
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
Ssh: secure shell. overview Purpose Protocol specifics Configuration Security considerations Other uses.

Ssh: secure shell. overview Purpose Protocol specifics Configuration Security considerations Other uses.
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 10 Manage Remote Access.

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 10 Manage Remote Access.
Building a KDC. Kerberos Implementations RedHat 5 comes with MIT Kerberos 1.6 Ubuntu 10.04 LTS comes with MIT Kerberos 1.8.1 Admin through CLI, but from.

Building a KDC. Kerberos Implementations RedHat 5 comes with MIT Kerberos 1.6 Ubuntu LTS comes with MIT Kerberos Admin through CLI, but from.
Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in.

Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in.
Andreas Steffen, 15.11.2011, 11-SSH.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen M. Liebi Institute for Internet Technologies and Applications.

Andreas Steffen, , 11-SSH.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen M. Liebi Institute for Internet Technologies and Applications.
Learningcomputer.com SQL Server 2008 Configuration Manager.

Learningcomputer.com SQL Server 2008 Configuration Manager.
We will now practice the following concepts: - The use of known_hosts files - SSH connection with password authentication - RSA version 2 protocol key.

We will now practice the following concepts: - The use of known_hosts files - SSH connection with password authentication - RSA version 2 protocol key.
Single Sign-on with Kerberos 1 Chris Eberle Ryan Thomas RC Johnson Kim-Lan Tran CS-591 Fall 2008.

Single Sign-on with Kerberos 1 Chris Eberle Ryan Thomas RC Johnson Kim-Lan Tran CS-591 Fall 2008.
TWSd - Security Workshop Part I of III T302 Tuesday, 4/20/2010 TWS Distributed & Mainframe User Education April 18-21, 2010  Carefree Resort  Carefree,

TWSd - Security Workshop Part I of III T302 Tuesday, 4/20/2010 TWS Distributed & Mainframe User Education April 18-21, 2010  Carefree Resort  Carefree,
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.

1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
CSCE 815 Network Security Lecture 26 SSH and SSH Implementation April 24, 2003.

CSCE 815 Network Security Lecture 26 SSH and SSH Implementation April 24, 2003.
1 Chapter Overview Performing Configuration Tasks Setting Up Additional Features Performing Maintenance Tasks.

1 Chapter Overview Performing Configuration Tasks Setting Up Additional Features Performing Maintenance Tasks.
Application Services COM211 Communications and Networks CDA College Theodoros Christophides

Application Services COM211 Communications and Networks CDA College Theodoros Christophides
Secure Shell (SSH) Presented By Scott Duckworth April 19, 2007.

Secure Shell (SSH) Presented By Scott Duckworth April 19, 2007.

Similar presentations

Ads by Google