Difference between revisions of "HOWTO: Attach a system to auth.sshchicago.org"
Latest revision as of 22:18, 27 February 2017
Enrolling a system in FreeIPA (auth.sshchicago.org)
CentOS 6, Fedora 20
These instructions are tested and known working on a clean system.
- Log in, assume root privileges.
sudo su -
- Make sure the system is up to date
yum -y update && reboot
- Make certain the clock is correct. (You can't use NTP tools on OpenVZ containers, because they use the HV's RTC. On a container, don't bother doing anything other than checking the date.)
cp /usr/share/zoneinfo/America/Chicago /etc/localtime
yum -y install ntp
chkconfig ntpd on && /sbin/service ntpd start
ntpdate -u 0.pool.ntp.org
23 Mar 10:44:55 ntpdate[23148]: adjust time server 66.175.209.17 offset 0.002981 sec
- Make certain the system has an FQDN.
hostname --fqdn
zenoss.sshchicago.org
- Install the freeipa-client packages
yum -y install ipa-client              # On CentOS
yum -y install ipa-client dbus-python  # On CentOS 7
yum -y install freeipa-client          # On Fedora
- Enroll. You'll get a couple of warnings that can be disregarded for now. Full output of a session follows:
# ipa-client-install --domain=sshchicago.org --server=auth.sshchicago.org --mkhomedir
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: zenoss.sshchicago.org
Realm: SSHCHICAGO.ORG
DNS Domain: sshchicago.org
IPA Server: auth.sshchicago.org
BaseDN: dc=sshchicago,dc=org

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: cswingler
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for cswingler@SSHCHICAGO.ORG:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=SSHCHICAGO.ORG
    Issuer:      CN=Certificate Authority,O=SSHCHICAGO.ORG
    Valid From:  Sun Mar 16 19:04:05 2014 UTC
    Valid Until: Thu Mar 16 19:04:05 2034 UTC

Enrolled in IPA realm SSHCHICAGO.ORG
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm SSHCHICAGO.ORG
trying https://auth.sshchicago.org/ipa/xml
Forwarding 'env' to server u'https://auth.sshchicago.org/ipa/xml'
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://auth.sshchicago.org/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
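Two of the steps above (a proper FQDN inside the IPA domain, and a correct clock) are the ones that silently break Kerberos logins later, so they are worth checking by script before ipa-client-install runs on either the CentOS/Fedora or the Debian path. The following is an added example, not part of the wiki page: the function names, the 300 s threshold (MIT Kerberos' default clockskew) and the constructed ntpdate line are assumptions of this example.

```shell
#!/bin/sh
# Pre-enrollment checks for ipa-client-install (added example, not from the wiki).
# Kerberos refuses tickets when client and KDC clocks differ by more than the
# KDC's clockskew (300 s by default in MIT Kerberos), and ipa-client-install
# builds the host principal from `hostname --fqdn`, so both are checked first.

IPA_DOMAIN="sshchicago.org"   # the page's IPA DNS domain
MAX_SKEW_SEC=300              # MIT Kerberos default clockskew (assumption)

# fqdn_ok HOST DOMAIN: accept only a dotted name inside DOMAIN, rejecting bare
# short names and localhost placeholders that would yield a useless principal.
fqdn_ok() {
    case "$1" in
        ""|localhost|localhost.*|*.localdomain) return 1 ;;
        *."$2") return 0 ;;
        *) return 1 ;;
    esac
}

# clock_skew_ok NTPDATE_LINE MAX_SEC: pull the "offset N sec" field out of an
# ntpdate result line and accept only |N| <= MAX_SEC.
clock_skew_ok() {
    printf '%s\n' "$1" | awk -v max="$2" '
        { for (i = 1; i < NF; i++) if ($i == "offset") off = $(i + 1) }
        END {
            if (off == "") exit 1          # no offset field: treat as failure
            if (off < 0) off = -off
            exit (off <= max) ? 0 : 1
        }'
}

# preflight HOST NTPDATE_LINE: run both checks and report; returns non-zero on
# any failure so it can gate the ipa-client-install call in a wrapper script.
preflight() {
    rc=0
    if fqdn_ok "$1" "$IPA_DOMAIN"; then echo "FQDN ok: $1"
    else echo "FQDN not usable for enrollment: '$1'"; rc=1; fi
    if clock_skew_ok "$2" "$MAX_SKEW_SEC"; then echo "clock ok"
    else echo "clock skew exceeds ${MAX_SKEW_SEC}s or offset unreadable"; rc=1; fi
    return $rc
}

# Constructed inputs shaped like the page's own session output. Pass --live to
# check the real hostname (an OpenVZ container still needs a pasted ntpdate
# line, since ntpdate cannot adjust the clock there).
SAMPLE_NTPDATE="23 Mar 10:44:55 ntpdate[23148]: adjust time server 66.175.209.17 offset 0.002981 sec"
HOST="zenoss.sshchicago.org"
if [ "${1:-}" = "--live" ]; then HOST=$(hostname --fqdn 2>/dev/null); fi
preflight "$HOST" "$SAMPLE_NTPDATE"
```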
Known Issues
For some reason, CentOS 6 systems with SELinux disabled running as OpenVZ containers on our Proxmox HV seem to require an SELinux directory to be created to work. If you're getting booted right away, try this:
mkdir -p /etc/selinux/targeted/logins/
service sssd restart
On Debian/Ubuntu
- Add the random untrusted repo containing freeipa-client (this particular one is for Debian)
# echo 'deb http://apt.numeezy.fr wheezy main
deb-src http://apt.numeezy.fr wheezy main' > /etc/apt/sources.list.d/randomfreeipadude.list
# wget -qO - http://apt.numeezy.fr/numeezy.asc | apt-key add -
OK
# apt-get update
# apt-get install freeipa-client
- Set up the NSS cert database with an empty password
# mkdir -p /etc/pki/nssdb
# certutil -N -d /etc/pki/nssdb
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: [BLANK]
Re-enter password: [BLANK]
- Enroll the computer
root@monkey:~# ipa-client-install --domain=sshchicago.org --server=auth.sshchicago.org --mkhomedir
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: monkey.sshchicago.org
Realm: SSHCHICAGO.ORG
DNS Domain: sshchicago.org
IPA Server: auth.sshchicago.org
BaseDN: dc=sshchicago,dc=org

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: mdonahue
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for mdonahue@SSHCHICAGO.ORG:
Enrolled in IPA realm SSHCHICAGO.ORG
Created /etc/ipa/default.conf
Domain sshchicago.org is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm SSHCHICAGO.ORG
trying https://auth.sshchicago.org/ipa/xml
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to server u'https://auth.sshchicago.org/ipa/xml'
Could not update DNS SSHFP records.
- Set up mkhomedir by hand because, despite the --mkhomedir flag on the command line above, it didn't actually happen.
# echo 'session required pam_mkhomedir.so skel=/etc/skel umask=0022' >> /etc/pam.d/common-session
- TODO: Figure out a way to make sudoers work, and ideally, let SSH's authorized keys lookup be handled by IPA.
Other distributions
Instructions should be similar to those above, but are as yet untested.
Windows
I need to get a Samba shim in place before we can get to this point.
About FreeIPA
What is it?
FreeIPA (http://www.freeipa.org) is a Unix Identity Management Platform. It's analogous to a Windows Domain Controller, but focused on - and has several features related to - managing Unix systems.
It includes the following pieces of software:
- An HTTP server for managing users (at https://auth.sshchicago.org)
- An LDAP server, powered by 389 Directory Server
- A Kerberos server, powered by MIT Kerberos server
- An SSL CA, powered by Dogtag
It also bundles a DNS server, a DHCP server (DHCPD), and an NTP server, which we have disabled and run on separate hosts.
Why?
This allows us to have a centralized authentication system that we can use for all of our Unix systems within the space. Any new systems we stand up - virtual machines, workstations out in the space, servers, and so on - can be attached to FreeIPA and members will be able to log in (and, in the future, have a floating home directory that is automatically mounted).
In addition, it can be used as a back-end for webapps (like our wiki) and RFID keytag authentication on doors and equipment.
This also allows any member project systems that the member may wish to share with the full membership an easy way to allow logins, without having to maintain their own member database.