URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/694/head:pr694 git checkout pr694
From a047c9c02bef7c9991553017917b3747cf2b3115 Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Fri, 31 Mar 2017 15:06:46 +0200 Subject: [PATCH 1/7] Allow for configuration of all three PKINIT variants when deploying KDC The PKINIT setup code now can configure PKINIT using IPA CA signed certificate, 3rd party certificate and local PKINIT with self-signed keypair. The local PKINIT is also selected as a fallback mechanism if the CSR is rejected by CA master or `--no-pkinit` is used. http://www.freeipa.org/page/V4/Kerberos_PKINIT https://pagure.io/freeipa/issue/6830 --- ipaserver/install/krbinstance.py | 145 +++++++++++++++++++++++++-------------- 1 file changed, 93 insertions(+), 52 deletions(-) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 6c105f7..8021578 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -38,6 +38,7 @@ from ipalib.install import certmonger from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN +from ipapython.dogtag import KDC_PROFILE from ipaserver.install import replication from ipaserver.install import ldapupdate @@ -354,61 +355,84 @@ def _wait_for_replica_kdc_entry(self): remote_ldap.gssapi_bind() replication.wait_for_entry(remote_ldap, kdc_dn, timeout=60) - def setup_pkinit(self): - if self.pkcs12_info: - certs.install_pem_from_p12(self.pkcs12_info[0], - self.pkcs12_info[1], - paths.KDC_CERT) - certs.install_key_from_p12(self.pkcs12_info[0], - self.pkcs12_info[1], - paths.KDC_KEY) - else: - subject = str(DN(('cn', self.fqdn), self.subject_base)) - krbtgt = "krbtgt/" + self.realm + "@" + self.realm - certpath = (paths.KDC_CERT, paths.KDC_KEY) + def _call_certmonger(self, certmonger_ca='IPA'): + subject = str(DN(('cn', self.fqdn), self.subject_base)) + krbtgt = "krbtgt/" + self.realm + "@" + self.realm + certpath = (paths.KDC_CERT, paths.KDC_KEY) - try: - prev_helper = None - if self.master_fqdn is None: - ca_args = [ - paths.CERTMONGER_DOGTAG_SUBMIT, - '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, - '--certfile', paths.RA_AGENT_PEM, - '--keyfile', paths.RA_AGENT_KEY, - '--cafile', paths.IPA_CA_CRT, - '--agent-submit' - ] - helper = " ".join(ca_args) - prev_helper = certmonger.modify_ca_helper('IPA', helper) - else: - self._wait_for_replica_kdc_entry() - - certmonger.request_and_wait_for_cert( - certpath, - subject, - krbtgt, - dns=self.fqdn, - storage='FILE', - profile='KDCs_PKINIT_Certs') - except dbus.DBusException as e: - # if the certificate is already tracked, ignore the error - name = e.get_dbus_name() - if name != 'org.fedorahosted.certmonger.duplicate': - root_logger.error("Failed to initiate the request: %s", e) - return - finally: - if prev_helper is not None: - certmonger.modify_ca_helper('IPA', prev_helper) - - # Finally copy the cacert in the krb directory so we don't - # have any selinux issues with the file context + try: + prev_helper = None + # on the first CA-ful master without '--no-pkinit', we issue the + # certificate by contacting Dogtag directly + use_dogtag_submit = all( + [self.master_fqdn is None, + self.pkcs12_info is None, + self.config_pkinit]) + + if use_dogtag_submit: + ca_args = [ + paths.CERTMONGER_DOGTAG_SUBMIT, + '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, + '--certfile', paths.RA_AGENT_PEM, + '--keyfile', paths.RA_AGENT_KEY, + '--cafile', paths.IPA_CA_CRT, + '--agent-submit' + ] + helper = " ".join(ca_args) + prev_helper = certmonger.modify_ca_helper(certmonger_ca, helper) + + certmonger.request_and_wait_for_cert( + certpath, + subject, + krbtgt, + ca=certmonger_ca, + dns=self.fqdn, + storage='FILE', + profile=KDC_PROFILE) + except dbus.DBusException as e: + # if the certificate is already tracked, ignore the error + name = e.get_dbus_name() + if name != 'org.fedorahosted.certmonger.duplicate': + root_logger.error("Failed to initiate the request: %s", e) + return + finally: + if prev_helper is not None: + certmonger.modify_ca_helper(certmonger_ca, prev_helper) + + def issue_selfsigned_pkinit_certs(self): + self._call_certmonger(certmonger_ca="SelfSign") + # for self-signed certificate, the certificate is its own CA, copy it + # as CA cert + shutil.copyfile(paths.KDC_CERT, paths.CACERT_PEM) + + def issue_ipa_ca_signed_pkinit_certs(self): + try: + self._call_certmonger() + # copy IPA CA bundle to the KDC's CA cert bundle + shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM) + except RuntimeError as e: + root_logger.error("PKINIT certificate request failed: %s", e) + root_logger.error("Failed to configure PKINIT") + self.stop_tracking_certs() + self.issue_selfsigned_pkinit_certs() + + def install_external_pkinit_certs(self): + certs.install_pem_from_p12(self.pkcs12_info[0], + self.pkcs12_info[1], + paths.KDC_CERT) + certs.install_key_from_p12(self.pkcs12_info[0], + self.pkcs12_info[1], + paths.KDC_KEY) + # copy IPA CA bundle to the KDC's CA cert bundle + # NOTE: this may not be the same set of CA certificates trusted by + # externally provided PKINIT cert. shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM) - try: - self.restart() - except Exception: - root_logger.critical("krb5kdc service failed to restart") - raise + def setup_pkinit(self): + if self.pkcs12_info: + self.install_external_pkinit_certs() + elif self.config_pkinit: + self.issue_ipa_ca_signed_pkinit_certs() def test_anonymous_pkinit(self): with ipautil.private_ccache() as anon_ccache: @@ -418,6 +442,15 @@ def test_anonymous_pkinit(self): raise RuntimeError("Failed to configure anonymous PKINIT") def enable_ssl(self): + """ + generate PKINIT certificate for KDC. If `--no-pkinit` was specified, + only configure local self-signed KDC certificate for use as a FAST + channel generator for WebUI. Do not advertise the installation steps in + this case. + """ + if self.master_fqdn is not None: + self._wait_for_replica_kdc_entry() + if self.config_pkinit: self.steps = [] self.step("installing X509 Certificate for PKINIT", @@ -425,6 +458,14 @@ def enable_ssl(self): self.step("testing anonymous PKINIT", self.test_anonymous_pkinit) self.start_creation() + else: + self.issue_selfsigned_pkinit_certs() + + try: + self.restart() + except Exception: + root_logger.critical("krb5kdc service failed to restart") + raise def get_anonymous_principal_name(self): return "%s@%s" % (ANON_USER, self.realm) From bc6a3a34e05b0917ba1f1c29fd6a4fc17bab222f Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Fri, 31 Mar 2017 14:44:29 +0200 Subject: [PATCH 2/7] API for retrieval of master's PKINIT status and publishing it in LDAP An API was provided to report whether PKINIT is enabled for clients or not. If yes, the pkinitEnabled value will be added to the ipaConfigString attribute of master's KDC entry. See http://www.freeipa.org/page/V4/Kerberos_PKINIT#Configuration for more details. https://pagure.io/freeipa/issue/6830 --- ipaserver/install/krbinstance.py | 41 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 8021578..4e0061c 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -48,6 +48,38 @@ from ipaplatform.tasks import tasks from ipaplatform.paths import paths +PKINIT_ENABLED = 'pkinitEnabled' + + +def get_pkinit_request_ca(): + """ + Return the certmonger CA name which is serving the PKINIT certificate + request. If the certificate is not tracked by Certmonger, return None + """ + pkinit_request_id = certmonger.get_request_id( + {'cert-file': paths.KDC_CERT}) + + if pkinit_request_id is None: + return + + return certmonger.get_request_value(pkinit_request_id, 'ca-name') + + +def is_pkinit_enabled(): + """ + check whether PKINIT is enabled on the master by checking for the presence + of KDC certificate and it's tracking CA + """ + + if os.path.exists(paths.KDC_CERT): + pkinit_request_ca = get_pkinit_request_ca() + + if pkinit_request_ca is None or pkinit_request_ca == "IPA": + return True + + return False + + class KpasswdInstance(service.SimpleServiceInstance): def __init__(self): service.SimpleServiceInstance.__init__(self, "kadmin") @@ -399,6 +431,13 @@ def _call_certmonger(self, certmonger_ca='IPA'): if prev_helper is not None: certmonger.modify_ca_helper(certmonger_ca, prev_helper) + def pkinit_enable(self): + """ + advertise enabled PKINIT feature in master's KDC entry in LDAP + """ + service.set_service_entry_config( + 'KDC', self.fqdn, [PKINIT_ENABLED], self.suffix) + def issue_selfsigned_pkinit_certs(self): self._call_certmonger(certmonger_ca="SelfSign") # for self-signed certificate, the certificate is its own CA, copy it @@ -410,6 +449,7 @@ def issue_ipa_ca_signed_pkinit_certs(self): self._call_certmonger() # copy IPA CA bundle to the KDC's CA cert bundle shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM) + self.pkinit_enable() except RuntimeError as e: root_logger.error("PKINIT certificate request failed: %s", e) root_logger.error("Failed to configure PKINIT") @@ -427,6 +467,7 @@ def install_external_pkinit_certs(self): # NOTE: this may not be the same set of CA certificates trusted by # externally provided PKINIT cert. shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM) + self.pkinit_enable() def setup_pkinit(self): if self.pkcs12_info: From 627b7a44b06171e21f1790e78f9241b150edd360 Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Fri, 31 Mar 2017 14:14:11 +0200 Subject: [PATCH 3/7] Use only anonymous PKINIT to fetch armor ccache Since the anonymous principal can only use PKINIT to fetch credential cache it makes no sense to try and use its kerberos key to establish FAST channel. We should also be able to use custom PKINIT anchor for the armoring. https://pagure.io/freeipa/issue/6830 --- ipalib/install/kinit.py | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py index 1e4d1a8..fb6caee 100644 --- a/ipalib/install/kinit.py +++ b/ipalib/install/kinit.py @@ -7,7 +7,6 @@ import gssapi -from ipalib.constants import ANON_USER from ipaplatform.paths import paths from ipapython.ipa_log_manager import root_logger from ipapython.ipautil import run @@ -97,29 +96,26 @@ def kinit_password(principal, password, ccache_name, config=None, raise RuntimeError(result.error_output) -def kinit_armor(ccache_name): +def kinit_armor(ccache_name, pkinit_anchor=None): """ - perform kinit to obtain anonymous ticket to be used as armor for FAST. + perform anonymous pkinit to obtain anonymous ticket to be used as armor + for FAST. + + :param ccache_name: location of the armor ccache + :param pkinit_anchor: if not None, the location of PKINIT anchor file to + use. Otherwise the value from Kerberos client library configuration is + used + + :raises: CalledProcessError if the anonymous PKINIT fails """ root_logger.debug("Initializing anonymous ccache") env = {'LC_ALL': 'C'} - # try with the keytab first and then again fallback to try with pkinit in - # case someone decided it is fun to remove Anonymous keys from the entry - # or in future pkinit enabled principal enforce the use of pkinit - try: - # Gssapi does not understand anonymous cred use kinit command instead - args = [paths.KINIT, '-k', '-t', paths.ANON_KEYTAB, - ANON_USER, '-c', ccache_name] - run(args, env=env, raiseonerr=True, capture_error=True) - return - except Exception as e: - root_logger.debug("Failed to init Anonymous keytab: %s", e, - exc_info=True) - - root_logger.debug("Fallback to slower Anonymous PKINIT") args = [paths.KINIT, '-n', '-c', ccache_name] + if pkinit_anchor is not None: + args.extend(['-X', 'X509_anchors=FILE:{}'.format(pkinit_anchor)]) + # this workaround enables us to capture stderr and put it # into the raised exception in case of unsuccessful authentication run(args, env=env, raiseonerr=True, capture_error=True) From 0c4955eee84b59b36fe0b26c83fd691a07730f11 Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Wed, 5 Apr 2017 17:29:26 +0200 Subject: [PATCH 4/7] Stop requesting anonymous keytab and purge all references of it anonymous kinit using keytab never worked so we may safely remove all code that requests/uses it. https://pagure.io/freeipa/issue/6830 --- ipaplatform/base/paths.py | 1 - ipaserver/install/httpinstance.py | 17 ----------------- ipaserver/install/ipa_backup.py | 1 - ipaserver/install/server/upgrade.py | 1 - 4 files changed, 20 deletions(-) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index dbdd71e..f80c9e9 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -50,7 +50,6 @@ class BasePathNamespace(object): HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf" OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab" HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab" - ANON_KEYTAB = "/var/lib/ipa/api/anon.keytab" HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf" IDMAPD_CONF = "/etc/idmapd.conf" ETC_IPA = "/etc/ipa" diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index aeb5c5e..0f83bd9 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -30,7 +30,6 @@ import six -from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger from ipaserver.install import service from ipaserver.install import certs @@ -43,7 +42,6 @@ from ipaserver.install import sysupgrade from ipalib import api from ipalib import errors -from ipalib.constants import ANON_USER from ipaplatform.constants import constants from ipaplatform.tasks import tasks from ipaplatform.paths import paths @@ -159,7 +157,6 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) - self.step("retrieving anonymous keytab", self.request_anon_keytab) self.step("configuring Gssproxy", self.configure_gssproxy) self.step("setting up ssl", self.__setup_ssl) if self.ca_is_configured: @@ -305,20 +302,6 @@ def configure_certmonger_renewal_guard(self): if certmonger_stopped: certmonger.stop() - def request_anon_keytab(self): - parent = os.path.dirname(paths.ANON_KEYTAB) - if not os.path.exists(parent): - os.makedirs(parent, 0o755) - - self.clean_previous_keytab(keytab=paths.ANON_KEYTAB) - self.run_getkeytab(self.api.env.ldap_uri, paths.ANON_KEYTAB, ANON_USER) - - pent = pwd.getpwnam(IPAAPI_USER) - os.chmod(parent, 0o700) - os.chown(parent, pent.pw_uid, pent.pw_gid) - - self.set_keytab_owner(keytab=paths.ANON_KEYTAB, owner=IPAAPI_USER) - def create_password_conf(self): """ This is the format of mod_nss pin files. diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index f71a40b..40f08d7 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -120,7 +120,6 @@ class Backup(admintool.AdminTool): ) files = ( - paths.ANON_KEYTAB, paths.NAMED_CONF, paths.NAMED_KEYTAB, paths.RESOLV_CONF, diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 927acb0..ea2918f 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1795,7 +1795,6 @@ def upgrade_configuration(): KDC_KEY=paths.KDC_KEY, CACERT_PEM=paths.CACERT_PEM) krb.add_anonymous_principal() - http.request_anon_keytab() setup_pkinit(krb) if not ds_running: From 5fcaa2725aa386cb877798c4175bfaf074cd62c4 Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Fri, 31 Mar 2017 15:15:50 +0200 Subject: [PATCH 5/7] Use local anchor when armoring password requests https://pagure.io/freeipa/issue/6830 --- ipaserver/rpcserver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 77ed7e1..1618724 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -944,7 +944,7 @@ def kinit(self, principal, password, ccache_name): self.debug('Obtaining armor in ccache %s', armor_path) try: - kinit_armor(armor_path) + kinit_armor(armor_path, pkinit_anchor=paths.CACERT_PEM) except RuntimeError as e: self.error("Failed to obtain armor cache") # We try to continue w/o armor, 2FA will be impacted From 5f6f8e61f1a6739ac31b46c22090c52bf310cf29 Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Thu, 6 Apr 2017 18:52:05 +0200 Subject: [PATCH 6/7] Upgrade: configure local/full PKINIT depending on the master status The upgrader has been modified to configure either local or full PKINIT depending on the CA status. Additionally, the new PKINIT configuration will be written to the master's KDC entry. https://pagure.io/freeipa/issue/6830 http://www.freeipa.org/page/V4/Kerberos_PKINIT --- ipaserver/install/server/upgrade.py | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index ea2918f..8da9181 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1485,14 +1485,17 @@ def add_default_caacl(ca): def setup_pkinit(krb): root_logger.info("[Setup PKINIT]") - if not api.Command.ca_is_enabled()['result']: - root_logger.info("CA is not enabled") - return + pkinit_is_enabled = krbinstance.is_pkinit_enabled() + ca_is_enabled = api.Command.ca_is_enabled()['result'] - if not os.path.exists(paths.KDC_CERT): - root_logger.info("Requesting PKINIT certificate") - krb.setup_pkinit() + if not pkinit_is_enabled: + if ca_is_enabled: + krb.issue_ipa_ca_signed_pkinit_certs() + else: + krb.issue_selfsigned_pkinit_certs() + # reconfigure KDC just in case in order to handle potentially broken + # 4.5.0 -> 4.5.1 upgrade path replacevars = dict() replacevars['pkinit_identity'] = 'FILE:{},{}'.format( paths.KDC_CERT,paths.KDC_KEY) From 6164b7c465d9c5d645b36e8eabf5d9cb32510481 Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Tue, 25 Apr 2017 19:12:51 +0200 Subject: [PATCH 7/7] Do not test anonymous PKINIT after install/upgrade Local FAST armoring will now work regardless of PKINIT status so there is no need to explicitly test for working PKINIT. If there is, there should be a test case for that. https://pagure.io/freeipa/issue/6830 --- ipaserver/install/krbinstance.py | 9 --------- ipaserver/install/server/upgrade.py | 1 - 2 files changed, 10 deletions(-) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 4e0061c..e87c201 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -475,13 +475,6 @@ def setup_pkinit(self): elif self.config_pkinit: self.issue_ipa_ca_signed_pkinit_certs() - def test_anonymous_pkinit(self): - with ipautil.private_ccache() as anon_ccache: - try: - ipautil.run([paths.KINIT, '-n', '-c', anon_ccache]) - except ipautil.CalledProcessError: - raise RuntimeError("Failed to configure anonymous PKINIT") - def enable_ssl(self): """ generate PKINIT certificate for KDC. If `--no-pkinit` was specified, @@ -496,8 +489,6 @@ def enable_ssl(self): self.steps = [] self.step("installing X509 Certificate for PKINIT", self.setup_pkinit) - self.step("testing anonymous PKINIT", self.test_anonymous_pkinit) - self.start_creation() else: self.issue_selfsigned_pkinit_certs() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 8da9181..0f27428 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1507,7 +1507,6 @@ def setup_pkinit(krb): if krb.is_running(): krb.stop() krb.start() - krb.test_anonymous_pkinit() def disable_httpd_system_trust(http):
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code