FreeIPA

FreeIPA is an open-source Identity, Policy and Audit (IPA) suite, sponsored by Red Hat, which provides services similar to Microsoft's Active Directory

Manual configuration as IPA client

Make sure your clocks are synchronized. Kerberos will not work otherwise. NTP is recommended.

Instead of using ipa-client-install script for automated client configuration and enrollment, the following sections describe a manual procedure for enrolling the client client.example.com to the FreeIPA server ipaserver.example.com in the example.com domain.

Configure SSSD and Kerberos

Follow the LDAP auth instructions to setup SSSD. Use a SSSD configuration similar to the following, substituting the requisite fields:

/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = ''EXAMPLE.COM''
#debug_level = 9

[domain/''EXAMPLE.COM'']
#debug_level = 9
cache_credentials = true
krb5_store_password_if_offline = true
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
#ipa_domain=''example.com''  # Optional if you set SRV records in DNS
#ipa_server=''ipaserver.example.com''  # Optional if you set SRV records in DNS
ipa_hostname=''client.example.com''

Configure pam in similar way to LDAP, replacing pam_ldap.so with pam_sss.so.

Create an file for your domain:

Enroll the client

On FreeIPA server, add the client to the IPA server (From Fedora documentation):

  1. Login and request and admin session
  2. Create a host entry if the host does not have a static IP, use
  3. Set the client to be managed by IPA
  4. Generate keytab for the client 
    # ipa-getkeytab -s ''ipaserver.example.com''  -p host/''client.example.com'' -k /tmp/client1.keytab

Install the keytab on the client:

$ scp user@ipaserver.example.com:/tmp/client1.keytab krb5.keytab
# mv krb5.keytab /etc/krb5.keytab

authorized_keys

You can configure SSHD to fetch users SSH public key from the LDAP directory by uncommenting those lines in /etc/ssh/sshd_config:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

Then restart .

You can add your ssh key to your FreeIPA user account through the web interface or use the argument to the or commands.

Test it:

$ sudo -u nobody sss_ssh_authorizedkeys <username>

You should see your ssh public key on standard output and no error message on standard error.

known_hosts

You can configure SSH to fetch hosts public key information from their directory entries in FreeIPA by adding those lines in :

GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

Kerberos/GSS API Authentication

You can enabled Kerberos / GSS API Authentication for the SSH Client to FreeIPA member hosts by uncommenting and changing the following lines in :

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

See also
gollark: Wrong.
gollark: But someone then has to evaluate the proof.
gollark: Actually looking at the companies being invested in probably adds fees.
gollark: I don't know how big an effect this actually is.
gollark: It might be the case that index funds drive up stock prices a bit which ??? more capital availability, sure.
This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.