From Fedora Project Wiki

m (Added Koji link to sssd)
m (note about OpenSSH format)
Line 77: Line 77:
 
  2048 <span style="color: blue">38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04</span> user@server.ipa.example.com (RSA)
 
  2048 <span style="color: blue">38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04</span> user@server.ipa.example.com (RSA)
  
You can experiment further with <code>ipa user-add</code>, <code>ipa user-mod</code>, <code>ipa host-add</code>, <code>ipa host-mod</code> commands, all of them allow setting SSH public keys using the <code>--sshpubkey</code> option. Note that you can't use <code>--sshpubkey</code> to add or delete public keys of a user or host, you have to use <code>--addattr ipasshpubkey=...</code> or <code>--delattr ipasshpubkey=...</code> instead.
+
You can experiment further with <code>ipa user-add</code>, <code>ipa user-mod</code>, <code>ipa host-add</code>, <code>ipa host-mod</code> commands, all of them allow setting SSH public keys (in OpenSSH authorized_keys format, see <code>man sshd</code>) using the <code>--sshpubkey</code> option. Note that you can't use <code>--sshpubkey</code> to add or delete public keys of a user or host, you have to use <code>--addattr ipasshpubkey=...</code> or <code>--delattr ipasshpubkey=...</code> instead.
  
 
=== OpenSSH integration ===
 
=== OpenSSH integration ===

Revision as of 07:08, 13 September 2012

Description

SSH public key management and OpenSSH integration.

Setup

  • Make sure you have SSSD 1.9.0beta7 or later installed (Koji build).
  • Install FreeIPA server with DNS on one machine, server.ipa.example.com, and FreeIPA client on another machine, client.ipa.example.com (see Basic installation tests).

How to test

Verify installation

First authenticate as admin:

user@server$ kinit admin

Verify that the host entry of server.ipa.example.com has the correct SSH public keys set:

user@server$ ipa host-show server.ipa.example.com --all
Host name: server.ipa.example.com
Principal name: host/server.ipa.example.com@IPA.EXAMPLE.COM
SSH public key fingerprint: 5A:CE:70:8F:A3:AF:57:C1:D1:C0:C6:28:FC:D4:42:07 (ssh-dss), 76:2B:1F:98:1C:02:EE:29:43:C1:18:FD:75:57:36:8F (ssh-rsa)
Password: False
Keytab: True
Managed by: server.ipa.example.com

user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
1024 5a:ce:70:8f:a3:af:57:c1:d1:c0:c6:28:fc:d4:42:07 (DSA)

user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 76:2b:1f:98:1c:02:ee:29:43:c1:18:fd:75:57:36:8f (RSA)

The same procedure can be used to verify host public keys of client.ipa.example.com.

Verify that DNS SSHFP records were updated correctly:

user@server$ dig +short server.ipa.example.com SSHFP
2 1 D017B7B96C1CF0DC9A9CC317AED198EBE61C8369
1 1 EEA71C381935401361301366B2E4E2627CB470CD

user@server$ ssh-keygen -r server.ipa.example.com -f /etc/ssh/ssh_host_dsa_key.pub
server.ipa.example.com IN SSHFP 2 1 d017b7b96c1cf0dc9a9cc317aed198ebe61c8369

user@server$ ssh-keygen -r server.ipa.example.com -f /etc/ssh/ssh_host_rsa_key.pub
server.ipa.example.com IN SSHFP 1 1 eea71c381935401361301366b2e4e2627cb470cd

Again, the same procedure can be used to verify DNS SSHFP records of client.ipa.example.com.

Public key management

Generate a SSH keypair and create new FreeIPA user with the public key set:

user@server$ ssh-keygen -t rsa

user@server$ ipa user-add user --uid=$UID --first=User --last=Test --sshpubkey=‘cat .ssh/id_rsa.pub‘

Verify that the user entry has the correct SSH public key set:

user@server$ ipa user-show user
User login: user
First name: User
Last name: Test
Home directory: /home/user
Login shell: /bin/sh
UID: 1000
GID: 1000
Account disabled: False
SSH public key fingerprint: 38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04 user@server.ipa.example.com (ssh-rsa)
Password: False
Member of groups: ipausers
Kerberos keys available: False

user@server$ ssh-keygen -l -f .ssh/id_rsa.pub
2048 38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04 user@server.ipa.example.com (RSA)

You can experiment further with ipa user-add, ipa user-mod, ipa host-add, ipa host-mod commands, all of them allow setting SSH public keys (in OpenSSH authorized_keys format, see man sshd) using the --sshpubkey option. Note that you can't use --sshpubkey to add or delete public keys of a user or host, you have to use --addattr ipasshpubkey=... or --delattr ipasshpubkey=... instead.

OpenSSH integration

Now that public keys for both hosts and user are set, you can try using ssh to log in remotely from server.ipa.example.com to client.ipa.example.com and vice-versa:

user@server$ ssh user@client
user@client$ ssh user@server

Both these commands should work without any warnings or errors and should NOT prompt for verification of host identity or password.

Expected Results

All the test steps should end with the specified results.