On 2015-08-27 08:39, Lukas Slebodnik wrote:
On (27/08/15 08:21), Davor Vusir wrote:
> On 2015-08-26 21:36, Lukas Slebodnik wrote:
>> On (26/08/15 13:09), Davor Vusir wrote:
>>> On 2015-08-25 20:25, Lukas Slebodnik wrote:
>>>> Now you can test with command line utility sss_ssh_authorizedkeys
>>>> wheter ssh responder is correctly configured.
>>>> ("ssh" should be listed in option services; in sssd section)
>>>> If the public key is returned then you need to check
>>>> sshd configuration files for proper integration.
>>>>
>>>> @see more details in man sss_ssh_authorizedkeys
>>> [root@client-1 ~]# sss_ssh_authorizedkeys myLoginID
>>> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
>>>
>>> [myLoginID@client-1 ~]# sss_ssh_authorizedkeys myLoginID
>>> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
>>>
>>> Seems to work. But as soon as I put "subdomains_provider = none" either sshd
>>> or sssd (I believe it's sssd) bypasses the ssh public key check. It
>>> recognizes that it should check for the password to unlock the private key,
>>> but doesn't care what I'm typing. It solely checks for the kerberos password.
>>>
>> Does sss_ssh_authorizedkeys return the public key with "subdomains_provider = none"?
>> Please try with empty cache.
>>
> Is this the correct procedure?
yes.
> 1.
> Logged in as "nonPublicKeyUser" su-ing to root in one terminal:
> [root@server-1 ~]# service sssd stop
> Redirecting to /bin/systemctl stop sssd.service
> [root@server-1 ~]# rm -f /var/log/sssd/sssd*
> [root@server-1 ~]# vi /etc/sssd/sssd.conf
> [root@server-1 ~]# service sssd stop && rm -Rf /var/lib/sss/db/* && rm -Rf /var/lib/sss/mc/* && service sssd start
> Redirecting to /bin/systemctl stop sssd.service
> Redirecting to /bin/systemctl start sssd.service
> [root@server-1 ~]#
>
> 2.
> In another terminal from client-1:
> PublicKeyUser@server-1 ~
> $ ssh server-1.subdomain.example.org
> Enter passphrase for key '/home/PublicKeyUser/.ssh/id_rsa': <- No password given. Just pressed <return>.
> Password:
> Last login: Wed Aug 26 12:56:21 2015 from client-1.subdomain2.example.org
> [PublicKeyUser@server-1 ~]$ sss_ssh_authorizedkeys PublicKeyUser
> ssh-rsa AAAAB3NzaC1yc2EAAA...
> [PublicKeyUser@server-1 ~]$ exit
>
> 3.
> Back to the first terminal:
> [root@server-1 ~]# service sssd stop && rm -Rf /var/lib/sss/db/* && rm -Rf /var/lib/sss/mc/* && service sssd start
> Redirecting to /bin/systemctl stop sssd.service
> Redirecting to /bin/systemctl start sssd.service
> [root@server-1 ~]# sss_ssh_authorizedkeys PublicKeyUser
> ssh-rsa AAAAB3NzaC1yc2E...
> [root@server-1 ~]#
>
You could immediately run as root "sss_ssh_authorizedkeys PublicKeyUser"
after restarting sssd with the new configuration.
Same result as before.
But it looks like the public key is returned even with the subdomain provider disabled.
>>> As soon as I comment out "subdomains_provider = none", user accounts with
>>> public keys use this type of authentication only and user accounts with
>>> Kerberos passwords use Kerberos authentication only. Which, of course, is the
>>> goal.
>>>
>>> I don't expect you to comment on the sshd_config but here are the relevant parts
>>> of both sshd_config and sssd.conf. Both "ct-linuxuberadmins" and
>>> "ct-linuxservicesadmins" in sshd_config are AD groups with corresponding
>>> sudoers files.
>>>
>>> sssd.conf:
>>> [domain/ad.example.org]
>>> debug_level = 6
>>> id_provider = ad
>>> auth_provider = ad
>>> access_provider = ad
>>> chpass_provider = ad
>>>
>>> subdomains_provider = none
>>> # subdomain_enumerate = none
>>> ignore_group_members = True
>>>
>>> enumerate = False
>>>
>>> ldap_page_size = 1000
>>> ldap_id_mapping = False
>>> ldap_purge_cache_timeout = 0
>>> ldap_user_ssh_public_key = altSecurityIdentities
>>> ldap_use_tokengroups = True
>>>
>>> dyndns_update = False
>>> dyndns_update_ptr = False
>>>
>>> cache_credentials = true
>>> krb5_store_password_if_offline = true
>>>
>>> sshd_config:
>>> PubkeyAuthentication yes
>>> PasswordAuthentication no
>>> PermitEmptyPasswords no
>>> ChallengeResponseAuthentication yes
>>>
>>> UsePAM yes
>>>
>>> Match Group ct-linuxuberadmins
>>> AuthorizedKeysCommand /bin/sss_ssh_authorizedkeys
>>> AuthorizedKeysCommandUser svcCTSSHDbind
>>>
>>> Match Group ct-linuxservicesadmins
>>> PubkeyAuthentication no
>>>
>> Maybe I'm wrong but you might miss some groups with disabled subdomain_provider.
>> Please try with empty cache
>>
>> So sshd will not get to the section with AuthorizedKeysCommand.
> After step 3 above:
> [root@server-1 ~]# getent group ct-linuxuberadmins
> ct-linuxuberadmins:*:10287220:
> [root@server-1 ~]# service sssd stop && rm -Rf /var/lib/sss/db/* && rm -Rf /var/lib/sss/mc/* && service sssd start
> Redirecting to /bin/systemctl stop sssd.service
> Redirecting to /bin/systemctl start sssd.service
> [root@server-1 ~]# getent group ct-linuxservicesadmins
> uuct-gg-linuxservicesadmins:*:10287637:
Users are not listed due to the enabled option ignore_group_members.
I would be more interested in the output of the command
"id PublicKeyUser" with enabled and disabled subdomain provider.
"subdomains_provider = none":
[root@server-1 ~]# id PublicKeyUser
uid=10051785(PublicKeyUser) gid=10000513(domain users) groups=10000513(domain users)
[root@its-srv001-t ~]#
"#subdomains_provider = none":
uid=10051785(PublicKeyUser) gid=10000513(domain users)
groups=10000513(domain users),10257368(ct-lg-admins),... all other groups...
Regards
Davor
LS
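The thread's diagnosis is that with "subdomains_provider = none" the user resolves to "domain users" only, so the "Match Group ct-linuxuberadmins" block in sshd_config never applies, sshd never calls sss_ssh_authorizedkeys, and the login falls through to the PAM keyboard-interactive prompt ("Password:") that ChallengeResponseAuthentication plus UsePAM still allow. The script below is an added example, not code from the thread or from SSSD/OpenSSH: it is a simplified model of how sshd evaluates Match blocks (Group and User criteria only, first matching block wins per keyword, Match values override globals) run against the thread's sshd_config and the two group lists from the "id" output. PublicKeyUser's membership in ct-linuxuberadmins under the full provider is an assumption made for the example.

```python
import fnmatch
import shlex

# Constructed sshd_config fragment carrying the same settings as the thread's sshd_config.
SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes

Match Group ct-linuxuberadmins
    AuthorizedKeysCommand /bin/sss_ssh_authorizedkeys
    AuthorizedKeysCommandUser svcCTSSHDbind

Match Group ct-linuxservicesadmins
    PubkeyAuthentication no
"""

# Group lists as "id -nG PublicKeyUser" would print them. Membership in
# ct-linuxuberadmins under the full provider is assumed for this example.
GROUPS_FULL_PROVIDER = ["domain users", "ct-lg-admins", "ct-linuxuberadmins"]
GROUPS_NO_SUBDOMAINS = ["domain users"]


def parse_sshd_config(text):
    """Split sshd_config into global keywords and ordered Match blocks.

    Returns (global_opts, [(criteria, opts), ...]); keywords are lower-cased and
    each criteria dict maps a criterion name ("group", "user") to its patterns.
    """
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        keyword = parts[0].lower()
        if keyword == "match":
            pairs = iter(parts[1:])
            criteria = {name.lower(): pattern.split(",") for name, pattern in zip(pairs, pairs)}
            current = {}
            blocks.append((criteria, current))
            continue
        current[keyword] = " ".join(parts[1:])
    return global_opts, blocks


def block_matches(criteria, user, groups):
    """True if every criterion on a Match line is satisfied (User/Group only)."""
    for name, patterns in criteria.items():
        if name == "user":
            candidates = [user]
        elif name == "group":
            candidates = groups
        else:
            return False  # Address/Host/etc. are not modelled: treat as non-matching
        if not any(fnmatch.fnmatchcase(c, p) for c in candidates for p in patterns):
            return False
    return True


def effective_options(text, user, groups):
    """Effective keywords for one user: Match blocks override the globals, and the
    first matching block that sets a keyword wins (OpenSSH's first-value rule)."""
    global_opts, blocks = parse_sshd_config(text)
    effective = {}
    for criteria, opts in blocks:
        if block_matches(criteria, user, groups):
            for keyword, value in opts.items():
                effective.setdefault(keyword, value)
    for keyword, value in global_opts.items():
        effective.setdefault(keyword, value)
    return effective


def sssd_pubkey_consulted(opts):
    """True only if pubkey auth is on AND sss_ssh_authorizedkeys is wired in."""
    return (opts.get("pubkeyauthentication", "yes").lower() == "yes"
            and "sss_ssh_authorizedkeys" in opts.get("authorizedkeyscommand", ""))


def remaining_methods(opts):
    """Methods sshd still offers when the SSSD public key path is not in play."""
    methods = []
    if opts.get("passwordauthentication", "yes").lower() == "yes":
        methods.append("password")
    if (opts.get("challengeresponseauthentication", "yes").lower() == "yes"
            and opts.get("usepam", "no").lower() == "yes"):
        methods.append("keyboard-interactive")  # the PAM "Password:" prompt seen in the thread
    return methods


if __name__ == "__main__":
    for label, groups in (("full provider", GROUPS_FULL_PROVIDER),
                          ("subdomains_provider = none", GROUPS_NO_SUBDOMAINS)):
        opts = effective_options(SSHD_CONFIG, "PublicKeyUser", groups)
        print(f"{label}: SSSD keys consulted={sssd_pubkey_consulted(opts)}, "
              f"fallback methods={remaining_methods(opts)}")
```

Running it prints that the SSSD key lookup is consulted only when the group membership is present; with "domain users" alone the only method left is keyboard-interactive through PAM, which is exactly the password fallback the thread observed. The check generalises to any Match Group or Match User layout, so it can be pointed at a real sshd_config and the actual "id -nG" output before a group-provider change is rolled out.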