No edit summary |
(Update requirements) |
||
(9 intermediate revisions by 4 users not shown) | |||
Line 2: | Line 2: | ||
|description=Verify FreeIPA's SSH public key management using realmd to join the current machine to a FreeIPA domain. | |description=Verify FreeIPA's SSH public key management using realmd to join the current machine to a FreeIPA domain. | ||
|setup= | |setup= | ||
# | # If you have not already done so, run through the [[QA:Testcase_FreeIPA_realmd_join|test case to join the domain]]. | ||
|actions= | |actions= | ||
Note: All examples below are executed either on server or client. The right place should be indicated by prompt: | |||
user@server$ | |||
user@client$ | |||
=== Verify installation === | === Verify installation === | ||
Line 11: | Line 16: | ||
user@server$ kinit admin | user@server$ kinit admin | ||
Verify that the host entry of <code>server.ipa.example. | Verify that the host entry of <code>server.ipa.example.org</code> has the correct SSH public keys set: | ||
user@server$ ipa host-show server.ipa.example. | user@server$ ipa host-show server.ipa.example.org --all | ||
Host name: server.ipa.example. | Host name: server.ipa.example.org | ||
Principal name: host/server.ipa.example. | Principal name: host/server.ipa.example.org@IPA.EXAMPLE.ORG | ||
SSH public key fingerprint: <span style="color: green">5A:CE:70:8F:A3:AF:57:C1:D1:C0:C6:28:FC:D4:42:07</span> (ssh-dss), <span style="color: red">76:2B:1F:98:1C:02:EE:29:43:C1:18:FD:75:57:36:8F</span> (ssh-rsa) | SSH public key fingerprint: <span style="color: green">5A:CE:70:8F:A3:AF:57:C1:D1:C0:C6:28:FC:D4:42:07</span> (ssh-dss), <span style="color: red">76:2B:1F:98:1C:02:EE:29:43:C1:18:FD:75:57:36:8F</span> (ssh-rsa) | ||
Password: False | Password: False | ||
Keytab: True | Keytab: True | ||
Managed by: server.ipa.example. | Managed by: server.ipa.example.org | ||
user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub | user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub | ||
Line 27: | Line 32: | ||
2048 <span style="color: red">76:2b:1f:98:1c:02:ee:29:43:c1:18:fd:75:57:36:8f</span> (RSA) | 2048 <span style="color: red">76:2b:1f:98:1c:02:ee:29:43:c1:18:fd:75:57:36:8f</span> (RSA) | ||
The same procedure can be used to verify host public keys of <code>client.ipa.example. | The same procedure can be used to verify host public keys of <code>client.ipa.example.org</code>. | ||
Verify that DNS SSHFP records were updated correctly: | Verify that DNS SSHFP records were updated correctly for client: | ||
user@ | user@client$ dig +short client.ipa.example.org SSHFP | ||
<span style="color: green">2 1 D017B7B96C1CF0DC9A9CC317AED198EBE61C8369</span> | <span style="color: green">2 1 D017B7B96C1CF0DC9A9CC317AED198EBE61C8369</span> | ||
<span style="color: red">1 1 EEA71C381935401361301366B2E4E2627CB470CD</span> | <span style="color: red">1 1 EEA71C381935401361301366B2E4E2627CB470CD</span> | ||
user@ | user@client$ ssh-keygen -r client.ipa.example.org -f /etc/ssh/ssh_host_dsa_key.pub | ||
client.ipa.example.org IN SSHFP <span style="color: green">2 1 d017b7b96c1cf0dc9a9cc317aed198ebe61c8369</span> | |||
user@ | user@client$ ssh-keygen -r client.ipa.example.org -f /etc/ssh/ssh_host_rsa_key.pub | ||
client.ipa.example.org IN SSHFP <span style="color: red">1 1 eea71c381935401361301366b2e4e2627cb470cd</span> | |||
=== Public key management === | === Public key management === | ||
Line 49: | Line 52: | ||
user@server$ ssh-keygen -t rsa | user@server$ ssh-keygen -t rsa | ||
user@server$ ipa user-add sshuser --first=SSH --last=User --sshpubkey= | user@server$ ipa user-add sshuser --first=SSH --last=User --sshpubkey="`cat .ssh/id_rsa.pub`" | ||
Verify that the user entry has the correct SSH public key set: | Verify that the user entry has the correct SSH public key set: | ||
Line 62: | Line 65: | ||
GID: 12345678 | GID: 12345678 | ||
Account disabled: False | Account disabled: False | ||
SSH public key fingerprint: <span style="color: blue">38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04</span> user@server.ipa.example. | SSH public key fingerprint: <span style="color: blue">38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04</span> user@server.ipa.example.org (ssh-rsa) | ||
Password: False | Password: False | ||
Member of groups: ipausers | Member of groups: ipausers | ||
Line 68: | Line 71: | ||
user@server$ ssh-keygen -l -f .ssh/id_rsa.pub | user@server$ ssh-keygen -l -f .ssh/id_rsa.pub | ||
2048 <span style="color: blue">38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04</span> user@server.ipa.example. | 2048 <span style="color: blue">38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04</span> user@server.ipa.example.org (RSA) | ||
Generate another SSH keypair on <code>client.ipa.example. | Generate another SSH keypair on <code>client.ipa.example.org</code>: | ||
user@client$ ssh-keygen -t rsa | user@client$ ssh-keygen -t rsa | ||
user@client$ cat .ssh/id_rsa.pub | user@client$ cat .ssh/id_rsa.pub | ||
<span style="color: purple">ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example. | <span style="color: purple">ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.org</span> | ||
Add the public key to <code>sshuser</code>: | Add the public key to <code>sshuser</code>: | ||
user@server$ ipa user-mod sshuser --addattr ipasshpubkey='<span style="color: purple">ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example. | user@server$ ipa user-mod sshuser --addattr ipasshpubkey='<span style="color: purple">ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.org</span>' | ||
You can experiment further with <code>ipa user-add</code>, <code>ipa user-mod</code>, <code>ipa host-add</code>, <code>ipa host-mod</code> commands, all of them allow setting SSH public keys (in OpenSSH authorized_keys format, see <code>man sshd</code>) using the <code>--sshpubkey</code> option. Note that <code>--sshpubkey</code> overwrites the public keys of user or host with the new value(s), if you want to add or delete public keys, you have to use <code>--addattr ipasshpubkey=...</code> or <code>--delattr ipasshpubkey=...</code> instead. | You can experiment further with <code>ipa user-add</code>, <code>ipa user-mod</code>, <code>ipa host-add</code>, <code>ipa host-mod</code> commands, all of them allow setting SSH public keys (in OpenSSH authorized_keys format, see <code>man sshd</code>) using the <code>--sshpubkey</code> option. Note that <code>--sshpubkey</code> overwrites the public keys of user or host with the new value(s), if you want to add or delete public keys, you have to use <code>--addattr ipasshpubkey=...</code> or <code>--delattr ipasshpubkey=...</code> instead. | ||
Line 86: | Line 89: | ||
|results= | |results= | ||
Now that public keys for both hosts and user are set, you can try using ssh to log in remotely from <code>server.ipa.example. | Now that public keys for both hosts and user are set, you can try using ssh to log in remotely from <code>server.ipa.example.org</code> to <code>client.ipa.example.org</code> and vice-versa: | ||
user@server$ ssh sshuser@client | user@server$ ssh sshuser@ipa.example.org@client.ipa.example.org | ||
user@client$ ssh sshuser@server | user@client$ ssh sshuser@ipa.example.org@server.ipa.example.org | ||
Both these commands should work without any warnings or errors and should '''NOT''' prompt for verification of host identity or password. | Both these commands should work without any warnings or errors and should '''NOT''' prompt for verification of host identity or password. | ||
Line 97: | Line 100: | ||
== Troubleshooting == | == Troubleshooting == | ||
'''Known Issue:''' Ssh to other host still asks password. Please add to file /etc/ssh/sshd_config | '''Known Issue [[https://bugzilla.redhat.com/show_bug.cgi?id=953534 openssh]], [[https://bugzilla.redhat.com/show_bug.cgi?id=953617 freeipa]],[[https://fedorahosted.org/freeipa/ticket/3571 freeipa]]:''' Ssh to other host still asks password. Please add to file /etc/ssh/sshd_config | ||
<pre> | <pre> | ||
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys | |||
AuthorizedKeysCommandUser nobody | AuthorizedKeysCommandUser nobody | ||
</pre> | </pre> | ||
[[Category:FreeIPA_Test_Cases]] [[Category:Realmd_Test_Cases]] | |||
[[Category: |
Latest revision as of 06:48, 9 May 2013
Description
Verify FreeIPA's SSH public key management using realmd to join the current machine to a FreeIPA domain.
Setup
- If you have not already done so, run through the test case to join the domain.
How to test
Note: All examples below are executed either on server or client. The right place should be indicated by prompt:
user@server$ user@client$
Verify installation
First authenticate as admin:
user@server$ kinit admin
Verify that the host entry of server.ipa.example.org
has the correct SSH public keys set:
user@server$ ipa host-show server.ipa.example.org --all Host name: server.ipa.example.org Principal name: host/server.ipa.example.org@IPA.EXAMPLE.ORG SSH public key fingerprint: 5A:CE:70:8F:A3:AF:57:C1:D1:C0:C6:28:FC:D4:42:07 (ssh-dss), 76:2B:1F:98:1C:02:EE:29:43:C1:18:FD:75:57:36:8F (ssh-rsa) Password: False Keytab: True Managed by: server.ipa.example.org user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub 1024 5a:ce:70:8f:a3:af:57:c1:d1:c0:c6:28:fc:d4:42:07 (DSA) user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub 2048 76:2b:1f:98:1c:02:ee:29:43:c1:18:fd:75:57:36:8f (RSA)
The same procedure can be used to verify host public keys of client.ipa.example.org
.
Verify that DNS SSHFP records were updated correctly for client:
user@client$ dig +short client.ipa.example.org SSHFP 2 1 D017B7B96C1CF0DC9A9CC317AED198EBE61C8369 1 1 EEA71C381935401361301366B2E4E2627CB470CD user@client$ ssh-keygen -r client.ipa.example.org -f /etc/ssh/ssh_host_dsa_key.pub client.ipa.example.org IN SSHFP 2 1 d017b7b96c1cf0dc9a9cc317aed198ebe61c8369 user@client$ ssh-keygen -r client.ipa.example.org -f /etc/ssh/ssh_host_rsa_key.pub client.ipa.example.org IN SSHFP 1 1 eea71c381935401361301366b2e4e2627cb470cd
Public key management
Generate a SSH keypair and create new FreeIPA user with the public key set:
user@server$ ssh-keygen -t rsa
user@server$ ipa user-add sshuser --first=SSH --last=User --sshpubkey="cat .ssh/id_rsa.pub
"
Verify that the user entry has the correct SSH public key set:
user@server$ ipa user-show sshuser User login: sshuser First name: SSH Last name: User Home directory: /home/sshuser Login shell: /bin/sh UID: 12345678 GID: 12345678 Account disabled: False SSH public key fingerprint: 38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04 user@server.ipa.example.org (ssh-rsa) Password: False Member of groups: ipausers Kerberos keys available: False user@server$ ssh-keygen -l -f .ssh/id_rsa.pub 2048 38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04 user@server.ipa.example.org (RSA)
Generate another SSH keypair on client.ipa.example.org
:
user@client$ ssh-keygen -t rsa
user@client$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.org
Add the public key to sshuser
:
user@server$ ipa user-mod sshuser --addattr ipasshpubkey='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.org'
You can experiment further with ipa user-add
, ipa user-mod
, ipa host-add
, ipa host-mod
commands, all of them allow setting SSH public keys (in OpenSSH authorized_keys format, see man sshd
) using the --sshpubkey
option. Note that --sshpubkey
overwrites the public keys of user or host with the new value(s), if you want to add or delete public keys, you have to use --addattr ipasshpubkey=...
or --delattr ipasshpubkey=...
instead.
Expected Results
Now that public keys for both hosts and user are set, you can try using ssh to log in remotely from server.ipa.example.org
to client.ipa.example.org
and vice-versa:
user@server$ ssh sshuser@ipa.example.org@client.ipa.example.org
user@client$ ssh sshuser@ipa.example.org@server.ipa.example.org
Both these commands should work without any warnings or errors and should NOT prompt for verification of host identity or password.
Troubleshooting
Known Issue [openssh], [freeipa],[freeipa]: Ssh to other host still asks password. Please add to file /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys AuthorizedKeysCommandUser nobody