From Fedora Project Wiki

Latest revision as of 06:48, 9 May 2013

Description

Verify FreeIPA's SSH public key management using realmd to join the current machine to a FreeIPA domain.

Setup

  1. If you have not already done so, run through the test case to join the domain (QA:Testcase_FreeIPA_realmd_join).

How to test

Note: each example below is run on either the server or the client; the prompt shows which:

user@server$
user@client$

Verify installation

First authenticate as admin:

user@server$ kinit admin

Verify that the host entry of server.ipa.example.org has the correct SSH public keys set:

user@server$ ipa host-show server.ipa.example.org --all
Host name: server.ipa.example.org
Principal name: host/server.ipa.example.org@IPA.EXAMPLE.ORG
SSH public key fingerprint: 5A:CE:70:8F:A3:AF:57:C1:D1:C0:C6:28:FC:D4:42:07 (ssh-dss), 76:2B:1F:98:1C:02:EE:29:43:C1:18:FD:75:57:36:8F (ssh-rsa)
Password: False
Keytab: True
Managed by: server.ipa.example.org

user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
1024 5a:ce:70:8f:a3:af:57:c1:d1:c0:c6:28:fc:d4:42:07 (DSA)

user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 76:2b:1f:98:1c:02:ee:29:43:c1:18:fd:75:57:36:8f (RSA)

The same procedure can be used to verify the host public keys of client.ipa.example.org. On OpenSSH 6.8 and later, ssh-keygen -l prints SHA256 fingerprints by default; add -E md5 to get the colon-separated MD5 form shown above. Note also that ssh-dss host keys are disabled by default since OpenSSH 7.0, so newer installations will typically show RSA, ECDSA and Ed25519 host keys instead of the DSA key in this example.

Verify that the DNS SSHFP records for the client were updated correctly. In each record the first number is the key algorithm (1 RSA, 2 DSA) and the second the hash (1 SHA-1); dig prints the fingerprint in uppercase and ssh-keygen -r in lowercase, which is only a presentation difference. An SSH client treats SSHFP as proof of host identity only when VerifyHostKeyDNS is enabled and the answer is DNSSEC-validated; here the records are simply checked against the local host keys:

user@client$ dig +short client.ipa.example.org SSHFP
2 1 D017B7B96C1CF0DC9A9CC317AED198EBE61C8369
1 1 EEA71C381935401361301366B2E4E2627CB470CD

user@client$ ssh-keygen -r client.ipa.example.org -f /etc/ssh/ssh_host_dsa_key.pub
client.ipa.example.org IN SSHFP 2 1 d017b7b96c1cf0dc9a9cc317aed198ebe61c8369

user@client$ ssh-keygen -r client.ipa.example.org -f /etc/ssh/ssh_host_rsa_key.pub
client.ipa.example.org IN SSHFP 1 1 eea71c381935401361301366b2e4e2627cb470cd
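The following is an added example, not code from this test case, FreeIPA or OpenSSH. It does offline what the ssh-keygen -l, ssh-keygen -r and dig steps above do by hand: it parses an OpenSSH public key line, checks that the declared key type matches the type embedded in the base64 blob, computes the MD5 and SHA256 fingerprints that ssh-keygen -l prints, derives the SSHFP rdata for the RFC 4255/6594/7479 algorithm numbers, and compares it with dig +short output while ignoring the uppercase/lowercase difference. It also reports SSHFP records that no local key explains, since a stale record for a retired host key is what an attacker holding that old key would need. The sample input is the user public key shown further down this page, reused here purely as constructed test data, and the host name is the page's client.ipa.example.org; the fingerprint function applies equally to the user key check in the next section.

```python
import base64
import hashlib
import struct

# Constructed sample input: the user public key shown on this page, reused as test data.
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.org"

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types (1 SHA-1, 2 SHA-256).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey(line):
    """Parse an OpenSSH public key line into (type, raw blob, comment).

    The declared type is cross-checked against the type string that the wire
    format embeds as the first length-prefixed field of the blob."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    ktype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) > 2 else ""
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii")
    if embedded != ktype:
        raise ValueError("declared type %r does not match blob type %r" % (ktype, embedded))
    return ktype, blob, comment


def fingerprints(blob):
    """Return (MD5 colon-hex as older ssh-keygen -l and ipa *-show print it,
    SHA256 base64 as newer ssh-keygen -l prints it), both over the raw blob."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha


def sshfp_records(hostname, line, fp_types=(1, 2)):
    """Return [(hostname, algorithm, fptype, hex)] as ssh-keygen -r would print."""
    ktype, blob, _ = parse_pubkey(line)
    alg = SSHFP_ALG[ktype]
    return [(hostname, alg, t, SSHFP_HASH[t](blob).hexdigest()) for t in fp_types]


def parse_dig_sshfp(dig_output):
    """Parse `dig +short host SSHFP` lines into a set of (alg, fptype, lowercase hex)."""
    published = set()
    for raw in dig_output.splitlines():
        parts = raw.split()
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            published.add((int(parts[0]), int(parts[1]), parts[2].lower()))
    return published


def check_dns_sshfp(hostname, pubkey_lines, dig_output):
    """Compare DNS with the local host keys.

    Returns (unverified, stale): key types with no matching SSHFP record of any
    fingerprint type, and published records that no local key produces."""
    published = parse_dig_sshfp(dig_output)
    unverified, explained = [], set()
    for line in pubkey_lines:
        mine = {(alg, t, fp) for _, alg, t, fp in sshfp_records(hostname, line)}
        matched = mine & published
        if matched:
            explained |= matched
        else:
            unverified.append(line.split()[0])
    return unverified, sorted(published - explained)


if __name__ == "__main__":
    ktype, blob, comment = parse_pubkey(SAMPLE_PUBKEY)
    print(ktype, comment, *fingerprints(blob))
    for rec in sshfp_records("client.ipa.example.org", SAMPLE_PUBKEY):
        print("%s IN SSHFP %d %d %s" % rec)
```

To check a real host, feed it the contents of /etc/ssh/ssh_host_*_key.pub and the output of dig +short <host> SSHFP; an empty stale list and an empty unverified list is the expected result of the step above.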

Public key management

Generate an SSH keypair and create a new FreeIPA user with the public key set:

user@server$ ssh-keygen -t rsa

user@server$ ipa user-add sshuser --first=SSH --last=User --sshpubkey="$(cat .ssh/id_rsa.pub)"

Verify that the user entry has the correct SSH public key set:

user@server$ ipa user-show sshuser
User login: sshuser
First name: SSH
Last name: User
Home directory: /home/sshuser
Login shell: /bin/sh
UID: 12345678
GID: 12345678
Account disabled: False
SSH public key fingerprint: 38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04 user@server.ipa.example.org (ssh-rsa)
Password: False
Member of groups: ipausers
Kerberos keys available: False

user@server$ ssh-keygen -l -f .ssh/id_rsa.pub
2048 38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04 user@server.ipa.example.org (RSA)

Generate another SSH keypair on client.ipa.example.org:

user@client$ ssh-keygen -t rsa

user@client$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.org

Add the public key to sshuser:

user@server$ ipa user-mod sshuser --addattr ipasshpubkey='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.org'

You can experiment further with the ipa user-add, ipa user-mod, ipa host-add and ipa host-mod commands; all of them accept SSH public keys in OpenSSH authorized_keys format (see the AUTHORIZED_KEYS FILE FORMAT section of man sshd) through the --sshpubkey option. Note that --sshpubkey replaces all existing public keys of the user or host with the new value(s). To add or delete a single key without touching the others, use --addattr ipasshpubkey=... or --delattr ipasshpubkey=... instead.

Expected Results

Now that public keys for both hosts and user are set, you can try using ssh to log in remotely from server.ipa.example.org to client.ipa.example.org and vice-versa:

user@server$ ssh sshuser@ipa.example.org@client.ipa.example.org
user@client$ ssh sshuser@ipa.example.org@server.ipa.example.org

Both commands should work without warnings or errors and must NOT prompt for host identity verification or a password: the host key is supplied by SSSD's known-hosts proxy configured in /etc/ssh/ssh_config, and the user's key by sss_ssh_authorizedkeys on the target host (see Troubleshooting if a password prompt remains).



Troubleshooting

Known issue (openssh: https://bugzilla.redhat.com/show_bug.cgi?id=953534; freeipa: https://bugzilla.redhat.com/show_bug.cgi?id=953617 and https://fedorahosted.org/freeipa/ticket/3571): ssh to the other host still asks for a password. Add the following to /etc/ssh/sshd_config on the target host and restart sshd:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
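The following is an added check for the sshd_config fix above; it is not part of this test case, FreeIPA or SSSD, and the three config fragments are constructed for it. It applies two rules from sshd_config(5) that explain why the fix sometimes appears not to work: sshd uses the first obtained value of a keyword, so appending the two lines below an existing "AuthorizedKeysCommand none" changes nothing, and directives inside a Match block apply only to the matched connections. It also flags a missing AuthorizedKeysCommandUser, without which sshd refuses to start, and a command user of root.

```python
# Constructed sshd_config fragments (not copied from any real host).
CONFIG_FIXED = """\
# Added per the troubleshooting entry above
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
PasswordAuthentication yes
"""

CONFIG_SHADOWED = """\
AuthorizedKeysCommand none
PasswordAuthentication yes
# appended at the end of the file: never used, the first value wins
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
"""

CONFIG_MATCH_ONLY = """\
PasswordAuthentication yes
Match User backup
    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
    AuthorizedKeysCommandUser nobody
"""


def parse_sshd_config(text):
    """Return [(keyword, value, in_match_block)] for every non-comment directive.

    Keywords are case-insensitive and the 'Keyword=value' spelling is accepted.
    Everything after a Match line belongs to that Match block: sshd_config has
    no end-of-block keyword, only the next Match or the end of the file."""
    directives, in_match = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split(None, 1)
        if "=" in tokens[0]:
            kw, rest = tokens[0].split("=", 1)
            tokens = [kw, " ".join([rest] + tokens[1:]).strip()]
        kw = tokens[0].lower()
        val = tokens[1].strip() if len(tokens) > 1 else ""
        if kw == "match":
            in_match = True
        directives.append((kw, val, in_match))
    return directives


def check_sss_authorized_keys(text):
    """Explain why sshd would not consult sss_ssh_authorizedkeys; [] means the config is fine."""
    d = parse_sshd_config(text)
    global_cmds = [v for k, v, m in d if k == "authorizedkeyscommand" and not m]
    match_cmds = [v for k, v, m in d if k == "authorizedkeyscommand" and m]
    users = [v for k, v, m in d if k == "authorizedkeyscommanduser" and not m]
    effective = global_cmds[0] if global_cmds else None  # first obtained value wins
    if effective is None or effective.lower() == "none":
        if len(global_cmds) > 1:
            return ["AuthorizedKeysCommand %r is shadowed by the earlier 'none'; "
                    "sshd uses the first value" % global_cmds[1]]
        if match_cmds:
            return ["AuthorizedKeysCommand is set only inside a Match block, "
                    "so it does not apply to other connections"]
        return ["AuthorizedKeysCommand is missing; add "
                "'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys'"]
    findings = []
    if "sss_ssh_authorizedkeys" not in effective:
        findings.append("AuthorizedKeysCommand runs %r rather than sss_ssh_authorizedkeys" % effective)
    if not users:
        findings.append("AuthorizedKeysCommandUser is not set; sshd refuses to start without it")
    elif users[0] == "root":
        findings.append("AuthorizedKeysCommandUser is root; use an unprivileged account such as nobody")
    return findings


if __name__ == "__main__":
    for name, cfg in [("fixed", CONFIG_FIXED), ("shadowed", CONFIG_SHADOWED),
                      ("match-only", CONFIG_MATCH_ONLY)]:
        print(name, check_sss_authorized_keys(cfg) or "ok")
```

Run it against the real file with check_sss_authorized_keys(open("/etc/ssh/sshd_config").read()); an empty list means the two directives are in effect globally, and sshd -T on the host should then list them as well.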