HOWTO: Attach a system to auth.sshchicago.org

From sshcWiki
Revision as of 20:14, 3 June 2014 by Cswingler (talk | contribs) (Adding install NTP instructions)


Enrolling a system in FreeIPA (auth.sshchicago.org)

CentOS 6, Fedora 20

These instructions are tested and known working on a clean system.

  • Log in, assume root privileges.
 sudo su - 
  • Make certain the clock is correct.
 yum -y install ntp
 ntpdate -u 0.pool.ntp.org
 23 Mar 10:44:55 ntpdate[23148]: adjust time server 66.175.209.17 offset 0.002981 sec
  • Make certain the system has an FQDN.
hostname --fqdn
zenoss.sshchicago.org
  • Install the freeipa-client packages
 yum -y install ipa-client
  • Enroll. You'll get two warnings that can be disregarded for now: time sync with the IPA server fails because auth.sshchicago.org's NTP service is disabled (see About FreeIPA below; you already set the clock with ntpdate), and the SSHFP DNS update fails because IPA does not manage our DNS. Full output of a session follows:
 # ipa-client-install --domain=sshchicago.org --server=auth.sshchicago.org --mkhomedir
 Autodiscovery of servers for failover cannot work with this configuration.
 If you proceed with the installation, services will be configured to always access the discovered 
 server for all operations and will not fail over to other servers in case of failure.
 Proceed with fixed values and no DNS discovery? [no]: yes
 Hostname: zenoss.sshchicago.org
 Realm: SSHCHICAGO.ORG
 DNS Domain: sshchicago.org
 IPA Server: auth.sshchicago.org
 BaseDN: dc=sshchicago,dc=org
 
 Continue to configure the system with these values? [no]: yes
 User authorized to enroll computers: cswingler
 Synchronizing time with KDC...
 Unable to sync time with IPA NTP server, assuming the time is in sync. 
 Please check that 123 UDP port is opened.
 Password for cswingler@SSHCHICAGO.ORG: 
 Successfully retrieved CA cert
     Subject:     CN=Certificate Authority,O=SSHCHICAGO.ORG
     Issuer:      CN=Certificate Authority,O=SSHCHICAGO.ORG
     Valid From:  Sun Mar 16 19:04:05 2014 UTC
     Valid Until: Thu Mar 16 19:04:05 2034 UTC
 
 Enrolled in IPA realm SSHCHICAGO.ORG
 Created /etc/ipa/default.conf
 New SSSD config will be created
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm SSHCHICAGO.ORG
 trying https://auth.sshchicago.org/ipa/xml
 Forwarding 'env' to server u'https://auth.sshchicago.org/ipa/xml'
 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
 Forwarding 'host_mod' to server u'https://auth.sshchicago.org/ipa/xml'
 Could not update DNS SSHFP records.
 SSSD enabled
 Configured /etc/openldap/ldap.conf
 NTP enabled
 Configured /etc/ssh/ssh_config
 Configured /etc/ssh/sshd_config
 Client configuration complete.
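The steps above, collected into one script as an added example (this is not code from the wiki or from FreeIPA): it refuses to enroll when the hostname is not an FQDN under sshchicago.org or the clock is too far off for Kerberos, runs ipa-client-install, and then confirms that /etc/krb5.keytab actually received the host principal. The domain, server and realm names are taken from this page; the 300 second limit is MIT Kerberos' default clock skew tolerance and is an assumption about the realm's configuration. The helper functions are pure so they can be checked against sample ntpdate and klist lines (constructed here) without touching the IPA server.

```shell
#!/bin/sh
# Added example, not from the sshcWiki page or from FreeIPA: pre-flight checks
# before ipa-client-install, plus a post-enrollment keytab check.
# Assumptions: domain/server/realm as on the wiki; 300 s is MIT Kerberos'
# default clockskew and may differ in the realm's krb5.conf.

IPA_DOMAIN="sshchicago.org"
IPA_SERVER="auth.sshchicago.org"
IPA_REALM="SSHCHICAGO.ORG"
MAX_SKEW_SECONDS=300

# Succeeds only if the name is a fully qualified host inside the IPA domain.
# ipa-client-install derives the host principal from this name, so a bare
# or localhost-style name yields a useless enrollment. In case patterns,
# ".*" is a glob: a literal dot followed by anything.
check_fqdn() {
    case "$1" in
        ""|.*|localhost|*.localdomain) return 1 ;;
        *."$2")                        return 0 ;;
        *)                             return 1 ;;
    esac
}

# Prints the absolute clock offset in seconds from an ntpdate
# "adjust time server ... offset N sec" (or "step time server ...") line;
# fails if the line does not parse.
ntp_offset() {
    _off=$(printf '%s\n' "$1" | sed -n 's/.* offset \(-\{0,1\}[0-9][0-9.]*\) sec.*/\1/p')
    [ -n "$_off" ] || return 1
    printf '%s\n' "${_off#-}"
}

# Succeeds if the offset is within Kerberos' skew tolerance. A client further
# out than this cannot obtain tickets even though enrollment "completed".
offset_ok() {
    awk -v o="$1" -v max="$MAX_SKEW_SECONDS" 'BEGIN { if (o + 0 < max + 0) exit 0; exit 1 }'
}

# Succeeds if the text of `klist -kt` ($1) lists host/<fqdn>@<REALM> ($2, $3)
# as the last field of some line: the cheapest proof that enrollment produced
# a host key on this machine.
keytab_has_host_principal() {
    printf '%s\n' "$1" | awk -v p="host/$2@$3" '$NF == p { found = 1 } END { exit (found ? 0 : 1) }'
}

main() {
    fqdn=$(hostname --fqdn) || return 1
    check_fqdn "$fqdn" "$IPA_DOMAIN" || {
        echo "refusing to enroll: '$fqdn' is not an FQDN under $IPA_DOMAIN" >&2; return 1; }

    line=$(ntpdate -u 0.pool.ntp.org 2>&1 | tail -n 1)
    off=$(ntp_offset "$line") || {
        echo "could not parse ntpdate output: $line" >&2; return 1; }
    offset_ok "$off" || {
        echo "clock is ${off}s off, beyond the ${MAX_SKEW_SECONDS}s Kerberos tolerance" >&2; return 1; }

    ipa-client-install --domain="$IPA_DOMAIN" --server="$IPA_SERVER" --mkhomedir || return 1

    keytab_has_host_principal "$(klist -kt /etc/krb5.keytab)" "$fqdn" "$IPA_REALM" || {
        echo "enrollment finished but /etc/krb5.keytab has no host/$fqdn@$IPA_REALM entry" >&2; return 1; }
    echo "enrolled $fqdn in $IPA_REALM"
}

# Run the real enrollment only when asked; sourcing the file just defines the checks.
if [ "${1:-}" = "--enroll" ]; then
    main
fi
```

Run it as root with --enroll once ntp and ipa-client are installed. The keytab check matters because ipa-client-install can print "Client configuration complete." and still leave a host that cannot authenticate if its clock drifts past the skew limit later, so the same offset_ok check is worth repeating from cron on hosts without a working NTP daemon.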


On Debian/Ubuntu

  • Add the third-party repo that carries freeipa-client (this one is for Debian wheezy). Note that both the package lists and the signing key are fetched over plain HTTP, and apt-key add trusts that key for every package apt installs afterwards, not just freeipa-client; verify the key's fingerprint out of band before adding it, and remove it once a distribution package is available.
 # echo 'deb http://apt.numeezy.fr wheezy main
 deb-src http://apt.numeezy.fr wheezy main' > /etc/apt/sources.list.d/randomfreeipadude.list
 # wget -qO - http://apt.numeezy.fr/numeezy.asc | apt-key add -     
 OK
 # apt-get update
 # apt-get install freeipa-client
  • Set up the NSS cert database with an empty password
 # mkdir -p /etc/pki/nssdb
 # certutil -N -d /etc/pki/nssdb
 Enter a password which will be used to encrypt your keys.
 The password should be at least 8 characters long,
 and should contain at least one non-alphabetic character.
 Enter new password: [BLANK]
 Re-enter password: [BLANK]
  • Enroll the computer
 root@monkey:~# ipa-client-install --domain=sshchicago.org --server=auth.sshchicago.org --mkhomedir
 Autodiscovery of servers for failover cannot work with this configuration.
 If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
 Proceed with fixed values and no DNS discovery? [no]: yes
 Hostname: monkey.sshchicago.org
 Realm: SSHCHICAGO.ORG
 DNS Domain: sshchicago.org
 IPA Server: auth.sshchicago.org
 BaseDN: dc=sshchicago,dc=org
 Continue to configure the system with these values? [no]: yes
 User authorized to enroll computers: mdonahue
 Synchronizing time with KDC...
 Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
 Password for mdonahue@SSHCHICAGO.ORG: 
 Enrolled in IPA realm SSHCHICAGO.ORG
 Created /etc/ipa/default.conf
 Domain sshchicago.org is already configured in existing SSSD config, creating a new one.
 The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm SSHCHICAGO.ORG
 trying https://auth.sshchicago.org/ipa/xml
 Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
 Forwarding 'host_mod' to server u'https://auth.sshchicago.org/ipa/xml'
 Could not update DNS SSHFP records.
  • Set up mkhomedir by hand: the --mkhomedir flag passed above did not take effect on Debian. Appending the line puts it after pam-auth-update's managed block, so a later pam-auth-update run leaves it in place.
 # echo 'session     required      pam_mkhomedir.so skel=/etc/skel umask=0022' >> /etc/pam.d/common-session
  • TODO: Figure out a way to make sudoers work, and ideally, let ssh's authenticated keys stuff be handled by IPA

Other distributions

Instructions should be similar to the ones above, but are as of now untested.

Windows

I need to get a Samba shim in place before we can get to this point.


About FreeIPA

What is it?

FreeIPA (http://www.freeipa.org) is a Unix Identity Management Platform. It's analogous to a Windows Domain Controller, but focused on managing Unix systems, with several features specific to that.

It includes the following pieces of software:

  • An HTTP server for managing users (at https://auth.sshchicago.org)
  • An LDAP server, powered by 389 Directory Server
  • A Kerberos server, powered by MIT Kerberos server
  • An SSL CA, powered by Dogtag

It can also run a DNS server and an NTP server; we have both disabled, and DNS, DHCP and NTP run on separate hosts.

Why?

This allows us to have a centralized authentication system that we can use for all of our Unix systems within the space. Any new systems we stand up - virtual machines, workstations out in the space, servers, and so on - can be attached to FreeIPA and members will be able to log in (and, in the future, have a floating home directory that is automatically mounted).

In addition, it can be used as a back-end for webapps (like our wiki) and RFID keytag authentication on doors and equipment.

This also gives members an easy way to allow logins on project systems they wish to share with the full membership, without having to maintain their own member database.