From Fedora Project Wiki

m (note about OpenSSH format)
No edit summary
 
(One intermediate revision by the same user not shown)
Line 56: Line 56:
  user@server$ ssh-keygen -t rsa
  user@server$ ssh-keygen -t rsa
   
   
  user@server$ ipa user-add user --uid=$UID --first=User --last=Test --sshpubkey=‘cat .ssh/id_rsa.pub‘
  user@server$ ipa user-add sshuser --first=SSH --last=User --sshpubkey=‘cat .ssh/id_rsa.pub‘


Verify that the user entry has the correct SSH public key set:
Verify that the user entry has the correct SSH public key set:


  user@server$ ipa user-show user
  user@server$ ipa user-show sshuser
  User login: user
  User login: sshuser
  First name: User
  First name: SSH
  Last name: Test
  Last name: User
  Home directory: /home/user
  Home directory: /home/sshuser
  Login shell: /bin/sh
  Login shell: /bin/sh
  UID: 1000
  UID: 12345678
  GID: 1000
  GID: 12345678
  Account disabled: False
  Account disabled: False
  SSH public key fingerprint: <span style="color: blue">38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04</span> user@server.ipa.example.com (ssh-rsa)
  SSH public key fingerprint: <span style="color: blue">38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04</span> user@server.ipa.example.com (ssh-rsa)
Line 77: Line 77:
  2048 <span style="color: blue">38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04</span> user@server.ipa.example.com (RSA)
  2048 <span style="color: blue">38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04</span> user@server.ipa.example.com (RSA)


You can experiment further with <code>ipa user-add</code>, <code>ipa user-mod</code>, <code>ipa host-add</code>, <code>ipa host-mod</code> commands, all of them allow setting SSH public keys (in OpenSSH authorized_keys format, see <code>man sshd</code>) using the <code>--sshpubkey</code> option. Note that you can't use <code>--sshpubkey</code> to add or delete public keys of a user or host, you have to use <code>--addattr ipasshpubkey=...</code> or <code>--delattr ipasshpubkey=...</code> instead.
Generate another SSH keypair on <code>client.ipa.example.com</code>:
 
user@client$ ssh-keygen -t rsa
user@client$ cat .ssh/id_rsa.pub
<span style="color: purple">ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.com</span>
 
Add the public key to <code>sshuser</code>:
 
user@server$ ipa user-mod sshuser --addattr ipasshpubkey='<span style="color: purple">ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.com</span>'
 
You can experiment further with <code>ipa user-add</code>, <code>ipa user-mod</code>, <code>ipa host-add</code>, <code>ipa host-mod</code> commands, all of them allow setting SSH public keys (in OpenSSH authorized_keys format, see <code>man sshd</code>) using the <code>--sshpubkey</code> option. Note that <code>--sshpubkey</code> overwrites the public keys of user or host with the new value(s), if you want to add or delete public keys, you have to use <code>--addattr ipasshpubkey=...</code> or <code>--delattr ipasshpubkey=...</code> instead.


=== OpenSSH integration ===
=== OpenSSH integration ===
Line 83: Line 94:
Now that public keys for both hosts and user are set, you can try using ssh to log in remotely from <code>server.ipa.example.com</code> to <code>client.ipa.example.com</code> and vice-versa:
Now that public keys for both hosts and user are set, you can try using ssh to log in remotely from <code>server.ipa.example.com</code> to <code>client.ipa.example.com</code> and vice-versa:


  user@server$ ssh user@client
  user@server$ ssh sshuser@client


  user@client$ ssh user@server
  user@client$ ssh sshuser@server


Both these commands should work without any warnings or errors and should '''NOT''' prompt for verification of host identity or password.
Both these commands should work without any warnings or errors and should '''NOT''' prompt for verification of host identity or password.

Latest revision as of 07:31, 13 September 2012

Description

SSH public key management and OpenSSH integration.

Setup

  • Make sure you have SSSD 1.9.0beta7 or later installed (Koji build).
  • Install FreeIPA server with DNS on one machine, server.ipa.example.com, and FreeIPA client on another machine, client.ipa.example.com (see Basic installation tests).

How to test

Verify installation

First authenticate as admin:

user@server$ kinit admin

Verify that the host entry of server.ipa.example.com has the correct SSH public keys set:

user@server$ ipa host-show server.ipa.example.com --all
Host name: server.ipa.example.com
Principal name: host/server.ipa.example.com@IPA.EXAMPLE.COM
SSH public key fingerprint: 5A:CE:70:8F:A3:AF:57:C1:D1:C0:C6:28:FC:D4:42:07 (ssh-dss), 76:2B:1F:98:1C:02:EE:29:43:C1:18:FD:75:57:36:8F (ssh-rsa)
Password: False
Keytab: True
Managed by: server.ipa.example.com

user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
1024 5a:ce:70:8f:a3:af:57:c1:d1:c0:c6:28:fc:d4:42:07 (DSA)

user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 76:2b:1f:98:1c:02:ee:29:43:c1:18:fd:75:57:36:8f (RSA)

The same procedure can be used to verify host public keys of client.ipa.example.com.

Verify that DNS SSHFP records were updated correctly:

user@server$ dig +short server.ipa.example.com SSHFP
2 1 D017B7B96C1CF0DC9A9CC317AED198EBE61C8369
1 1 EEA71C381935401361301366B2E4E2627CB470CD

user@server$ ssh-keygen -r server.ipa.example.com -f /etc/ssh/ssh_host_dsa_key.pub
server.ipa.example.com IN SSHFP 2 1 d017b7b96c1cf0dc9a9cc317aed198ebe61c8369

user@server$ ssh-keygen -r server.ipa.example.com -f /etc/ssh/ssh_host_rsa_key.pub
server.ipa.example.com IN SSHFP 1 1 eea71c381935401361301366b2e4e2627cb470cd

Again, the same procedure can be used to verify DNS SSHFP records of client.ipa.example.com.

Public key management

Generate a SSH keypair and create new FreeIPA user with the public key set:

user@server$ ssh-keygen -t rsa

user@server$ ipa user-add sshuser --first=SSH --last=User --sshpubkey=‘cat .ssh/id_rsa.pub‘

Verify that the user entry has the correct SSH public key set:

user@server$ ipa user-show sshuser
User login: sshuser
First name: SSH
Last name: User
Home directory: /home/sshuser
Login shell: /bin/sh
UID: 12345678
GID: 12345678
Account disabled: False
SSH public key fingerprint: 38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04 user@server.ipa.example.com (ssh-rsa)
Password: False
Member of groups: ipausers
Kerberos keys available: False

user@server$ ssh-keygen -l -f .ssh/id_rsa.pub
2048 38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04 user@server.ipa.example.com (RSA)

Generate another SSH keypair on client.ipa.example.com:

user@client$ ssh-keygen -t rsa

user@client$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.com

Add the public key to sshuser:

user@server$ ipa user-mod sshuser --addattr ipasshpubkey='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.com'

You can experiment further with ipa user-add, ipa user-mod, ipa host-add, ipa host-mod commands, all of them allow setting SSH public keys (in OpenSSH authorized_keys format, see man sshd) using the --sshpubkey option. Note that --sshpubkey overwrites the public keys of user or host with the new value(s), if you want to add or delete public keys, you have to use --addattr ipasshpubkey=... or --delattr ipasshpubkey=... instead.

OpenSSH integration

Now that public keys for both hosts and user are set, you can try using ssh to log in remotely from server.ipa.example.com to client.ipa.example.com and vice-versa:

user@server$ ssh sshuser@client
user@client$ ssh sshuser@server

Both these commands should work without any warnings or errors and should NOT prompt for verification of host identity or password.

Expected Results

All the test steps should end with the specified results.