From Fedora Project Wiki

Revision as of 13:43, 19 June 2018 by Lruzicka (talk | contribs) (Create the new test case)

Test Case: Passwordless Single-Sign-On with FreeIPA

The FreeIPA server can serve as a domain controller that provides identity management. This test case checks whether clients enrolled in the same realm, once they hold a Kerberos ticket issued by the domain controller, can connect to each other over ssh without a password, using GSSAPI authentication.

Set up the testing environment

Installing the FreeIPA Server

First of all, a domain controller must be installed to provide identity management. In this test case, FreeIPA will take this role. Install FreeIPA on Fedora:

  1. Set the hostname. To avoid possible difficulties, or errors, only use letters and numbers in the hostname. The hostname must be a fully qualified hostname. That means it must have all three parts, such as ipa.example.com.

    # hostnamectl set-hostname ipa.example.com
  2. Install the freeipa-server package and the freeipa-server-dns package.

    # dnf install freeipa-server freeipa-server-dns
  3. Run the FreeIPA installation and configuration program.

    # ipa-server-install -U -a Secret123 -p Secret123 --setup-dns -n example.com -r EXAMPLE.COM --allow-zone-overlap --forwarder 10.37.170.1

    The command parameters stand for:

    • -a sets the password for the admin account

    • -p sets the password for the domain master

    • -n sets the domain

    • -r sets the realm, which must be set in capitals

    • --allow-zone-overlap lets the DNS zone be created even if the domain already exists (overlaps an existing zone)

    • --forwarder sets the DNS forwarder (must be a real DNS forwarder)

  4. Open firewall ports needed by FreeIPA.

    # firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps
  5. You have now successfully installed the server.

  6. Reboot the server.


Installing the FreeIPA client

The FreeIPA client is a machine that connects to the server and lets the server handle its identity and authentication requirements. To install the FreeIPA client:

  1. Install the freeipa-client package.

  2. Set up the client’s fully qualified hostname.

    # hostnamectl set-hostname client01.example.com
  3. Install and configure the FreeIPA client.

    # ipa-client-install -p admin -w Secret123 --domain example.com --realm EXAMPLE.COM --server ipa.example.com --hostname client01.example.com

    Note: In the installation command, you must use fully qualified hostnames; IP addresses are not accepted. To make sure the client machine can resolve the server machine, add the server's address to the /etc/hosts file.

  4. Reboot the client.
  5. Repeat these steps for other clients.

    Note: If you have more than one client, pay attention to naming them. The hostnames must be unique.

Testing the functionality

Create users on the FreeIPA server

In order to obtain a valid Kerberos ticket from the IPA server, you need to authenticate as a valid user in the Kerberos system. Kerberos users and system users are not the same thing, so a user who should authenticate with Kerberos must be added to IPA, even if they already have a system account on the server machine.

  1. Add a new Kerberos user.

    ipa user-add <username>
  2. Create a password for the user.

    ipa passwd <username>


Set up sshd to use the passwordless GSSAPI authentication method

On the server, edit the /etc/ssh/sshd_config file and make sure you have the following setting:

  1. Set the GSSAPIAuthentication variable to yes.

    GSSAPIAuthentication yes
  2. Restart the sshd service.

    systemctl restart sshd.service

Obtain a Kerberos ticket on the client machine

If you want Kerberos and the IPA server to provide identity management for you, you have to authenticate yourself to Kerberos first.

  1. Get a Kerberos ticket from the same REALM in which your client machine is enrolled:

    kinit <username>
  2. Check that you have a valid Kerberos ticket.

    klist

Connect to the server machine via ssh

To test the passwordless sign-on, try to log onto the server machine via ssh.

ssh <username>@<full-server-address>

You should be able to connect to the server machine without being asked for a password.

Connect to another client machine via ssh

To test the passwordless sign-on, try to log onto another client machine via ssh.

ssh <username>@<full-client-address>

You should be able to connect to another client machine without being asked for a password.
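A check script for the sshd, kinit and ssh steps above, added here as an example and not part of the wiki test case: it reads the effective GSSAPIAuthentication value the way sshd does (first occurrence wins, Match blocks excluded), confirms that the klist output holds a TGT for the realm, and runs the login with password and public-key authentication disabled, so that "not asked for a password" cannot be explained by a cached ssh key. The file name check-sso.sh, the default realm EXAMPLE.COM and the sample data are assumptions.

```shell
#!/bin/sh
# Added check script for this test case; it is not part of the wiki page.
# Paths, the realm default and the sample inputs below are assumptions.

# sshd applies the FIRST occurrence of a keyword, so an early
# "GSSAPIAuthentication no" silently wins over a later "yes". Prints the
# effective value, stopping at the first Match block (sshd defaults to no).
gssapi_effective() {
  awk 'tolower($1) == "match" { exit }
       tolower($1) == "gssapiauthentication" { print tolower($2); found = 1; exit }
       END { if (!found) print "no" }' "$1"
}

# Succeeds when klist output ($1) shows a default principal in realm $2 and
# a TGT (krbtgt/REALM@REALM) for it: the ticket GSSAPI will present to sshd.
ticket_in_realm() {
  grep -q "^Default principal: .*@$2\$" "$1" && grep -qF "krbtgt/$2@$2" "$1"
}

# Password and public-key authentication are disabled on purpose, so success
# can only come from GSSAPI; BatchMode makes ssh fail instead of prompting.
ssh_gssapi_only() {
  ssh -o BatchMode=yes -o PasswordAuthentication=no -o PubkeyAuthentication=no \
      -o PreferredAuthentications=gssapi-with-mic "$1@$2" true
}

# Self-check against constructed sample data; needs no IPA server.
demo() {
  cfg=$(mktemp); out=$(mktemp)
  printf '#GSSAPIAuthentication no\nGSSAPIAuthentication yes\nMatch User guest\n  GSSAPIAuthentication no\n' > "$cfg"
  printf 'Ticket cache: KCM:1000\nDefault principal: tester@EXAMPLE.COM\n\nValid starting  Expires  Service principal\n06/19/2018 13:43:00  06/20/2018 13:43:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n' > "$out"
  echo "effective GSSAPIAuthentication: $(gssapi_effective "$cfg")"   # yes
  ticket_in_realm "$out" EXAMPLE.COM && echo "TGT for EXAMPLE.COM present"
  rm -f "$cfg" "$out"
}

case "${1:-demo}" in
  sshd)   # run on the target machine (server or another client)
    echo "effective GSSAPIAuthentication: $(gssapi_effective /etc/ssh/sshd_config)" ;;
  login)  # run on the client after kinit: login <username> <full-target-address> [REALM]
    out=$(mktemp); klist > "$out" 2>&1 || true
    ticket_in_realm "$out" "${4:-EXAMPLE.COM}" || { echo "no usable TGT in realm ${4:-EXAMPLE.COM}" >&2; exit 1; }
    rm -f "$out"
    ssh_gssapi_only "$2" "$3" && echo "PASS: logged on $3 via GSSAPI without a password" ;;
  *) demo ;;
esac
```

Run `sh check-sso.sh sshd` on the target machine and `sh check-sso.sh login <username> <full-target-address>` on the client; with no arguments it only exercises the parsers on the constructed samples.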

Evaluating the test

The test will pass if you can:

  • create a Kerberos user,
  • obtain a valid Kerberos ticket,
  • log on to the target (server or client) machine without a password.