Hi,
I'm running FreeIPA v4.8.7. I have a requirement that end user systems (not enrolled in FreeIPA) be allowed SSH access on FreeIPA enrolled servers through Kerberos authentication. As of now I'm using user keytabs on the end systems to get a ticket and then authenticate to SSH with GSSAPI.
However, I've run into a few issues:
1) I've read about authentication indicators in FreeIPA. How can I enforce a policy where the end user is required to enter their password+OTP when authenticating to the web UI, but OTP remains optional for SSH login? This policy assumes that I've both "Password and Two factor authentication (password + OTP)" set as the user authentication method.
2) Probably a long shot, but, is there any way that user keytabs can be generated and retrieved via an API call? I'd like to have some automation so that when a new user is created on the FreeIPA server or a user changes their password, the new resulting keytab can be downloaded on the end user systems via an API call to the JSON RPC endpoint.
Any help is appreciated. Thanks.
The authentication indicator stuff was enabled after a little more digging through the documentation. But I'd really appreciate it if anybody could help me with the keytab issue.
Alternatively, should I look towards PKINIT for getting TGTs that are later used for SSH, on non-IPA clients?
On Wed, 10 Feb 2021, Kevin Cassar via FreeIPA-users wrote:
> Hi,
> I'm running FreeIPA v4.8.7. I have a requirement that end user systems (not enrolled in FreeIPA) be allowed SSH access on FreeIPA enrolled servers through Kerberos authentication. As of now I'm using user keytabs on the end systems to get a ticket and then authenticate to SSH with GSSAPI.
> However, I've run into a few issues:
> - I've read about authentication indicators in FreeIPA. How can I enforce a policy where the end user is required to enter their password+OTP when authenticating to the web UI, but OTP remains optional for SSH login? This policy assumes that I've both "Password and Two factor authentication (password + OTP)" set as the user authentication method.
You cannot. Please read https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy...., it has a separate section that also explains why.
> - Probably a long shot, but, is there any way that user keytabs can be generated and retrieved via an API call? I'd like to have some automation so that when a new user is created on the FreeIPA server or a user changes their password, the new resulting keytab can be downloaded on the end user systems via an API call to the JSON RPC endpoint.
This is not implemented and not considered because we already have a tool that allows keytabs to be requested securely.
A key for a Kerberos principal can be retrieved with 'ipa-getkeytab -r' (see man page before ever trying) but you must have rights to do so. By default, access controls only allow cn=Directory Manager to retrieve such keytabs for any Kerberos principal. For specific principal types the retrieval is preconfigured:
- host keytab can be retrieved by a host's managedBy entry (typically, an administrator that created it);
- service keytab can be retrieved by a host that manages the service.
See 'ipa help host' and 'ipa help service' for keytab-related access granting commands. There is no such support for user objects, thus it is not possible to preconfigure other users to be able to retrieve keytabs of users. But 'cn=Directory Manager' can do that:
[root@master ~]# ipa-getkeytab -D 'cn=Directory Manager' -W -p admin -r -k ./test.keytab
Enter LDAP password:
Keytab successfully retrieved and stored in: ./test.keytab

[root@master ~]# klist -ket ./test.keytab
Keytab name: FILE:./test.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 12.02.2021 07.54.00 admin@IPA.TEST (aes256-cts-hmac-sha1-96)
   1 12.02.2021 07.54.00 admin@IPA.TEST (aes128-cts-hmac-sha1-96)

[root@master ~]# kinit -kt ./test.keytab admin
[root@master ~]# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin@IPA.TEST
SASL SSF: 256
SASL data security layer installed.
dn: uid=admin,cn=users,cn=accounts,dc=ipa,dc=test
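The session above shows the raw commands; what an operator automating this would add is a verification step between retrieval and hand-out, because a user keytab is that user's long-term key. The following POSIX shell script is an added example written for this thread (it is not part of the original reply or of the FreeIPA project). It wraps the same 'ipa-getkeytab -D "cn=Directory Manager" -r' call, keeps the file owner-only, parses the 'klist -ket' listing to confirm that every entry belongs to the expected principal, uses an AES enctype and shares one KVNO, and proves the key works with a throwaway credential cache. The '-r' flag is kept deliberately: per the ipa-getkeytab man page, without it the tool generates a new key for the principal, which invalidates every other keytab for it (and, for a user, the password). The listing embedded in the script is a constructed sample modelled on the output in the reply; REALM is an assumed environment variable defaulting to the thread's IPA.TEST.

```shell
#!/bin/sh
# Added example for the FreeIPA-users thread above; not project code.

# Constructed sample of 'klist -ket' output, modelled on the reply's listing.
SAMPLE_KLIST='Keytab name: FILE:./test.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 12.02.2021 07.54.00 admin@IPA.TEST (aes256-cts-hmac-sha1-96)
   1 12.02.2021 07.54.00 admin@IPA.TEST (aes128-cts-hmac-sha1-96)'

# Constructed negative sample: a legacy RC4 entry that the check must reject.
SAMPLE_WEAK='Keytab name: FILE:./weak.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 12.02.2021 07.54.00 admin@IPA.TEST (aes256-cts-hmac-sha1-96)
   1 12.02.2021 07.54.00 admin@IPA.TEST (arcfour-hmac)'

# Print the KVNO of the first key entry in a 'klist -ket' listing.
keytab_kvno() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1; exit }'
}

# keytab_check LISTING PRINCIPAL
# Every key entry must belong to PRINCIPAL, use an AES enctype and share one
# KVNO. Entry lines start with a numeric KVNO; the principal is the
# next-to-last field and the enctype the last, so the locale-dependent
# timestamp width does not matter. Returns 0 when the listing passes.
keytab_check() {
    result=$(printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ {
            n++
            etype = $NF; gsub(/[()]/, "", etype)
            princ = $(NF-1)
            if (princ != want) { print "unexpected principal " princ; bad = 1; exit }
            if (etype !~ /^aes/) { print "weak enctype " etype; bad = 1; exit }
            if (kvno == "") kvno = $1
            else if (kvno != $1) { print "mixed KVNOs " kvno " and " $1; bad = 1; exit }
        }
        END { if (!bad) { if (n == 0) print "no key entries"; else print "OK" } }')
    if [ "$result" = "OK" ]; then
        return 0
    fi
    echo "keytab check failed: $result" >&2
    return 1
}

# fetch_user_keytab USER OUTFILE
# Retrieve the user's existing key as Directory Manager (exactly the command
# from the reply), verify the file, and prove the key with a kinit into a
# temporary cache so no ticket is left behind. The file is removed on failure.
fetch_user_keytab() {
    user=$1; out=$2; realm=${REALM:-IPA.TEST}   # REALM is an assumed variable
    # Subshell so the restrictive umask does not leak into the caller's shell.
    ( umask 077; ipa-getkeytab -D 'cn=Directory Manager' -W -p "$user" -r -k "$out" ) || return 1
    if ! keytab_check "$(klist -ket "$out")" "$user@$realm"; then
        rm -f "$out"
        return 1
    fi
    cc=$(mktemp) || return 1
    KRB5CCNAME="FILE:$cc" kinit -kt "$out" "$user"
    rc=$?
    rm -f "$cc"
    return $rc
}

# Offline demonstration on the constructed sample (no KDC needed).
keytab_check "$SAMPLE_KLIST" admin@IPA.TEST && echo "sample listing passes checks"
```

Run it on a real server as 'fetch_user_keytab alice ./alice.keytab' after sourcing the file; the Directory Manager password is still prompted for by '-W', so the script adds no credential handling of its own. The check rejects mixed KVNOs because a listing with two different KVNOs means the file was written across a key change and one half of it will not authenticate.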
freeipa-users@lists.fedorahosted.org