On Wed, 10 Feb 2021, Kevin Cassar via FreeIPA-users wrote:
> Hi,
>
> I'm running FreeIPA v4.8.7. I have a requirement that end user systems
> (not enrolled in FreeIPA) be allowed SSH access on FreeIPA enrolled
> servers through Kerberos authentication. As of now I'm using user
> keytabs on the end systems to get a ticket and then authenticate to SSH
> with GSSAPI.
>
> However, I've run into a few issues:
>
> 1) I've read about authentication indicators in FreeIPA, how can I
> enforce a policy where the end user is required to enter their
> password+OTP when authenticating to the web UI? But, OTP remains
> optional for SSH login. This policy assumes that I've both "Password
> and Two factor authentication (password + OTP)" set as user
> authentication method.

You cannot. Please read
https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.html,
it has a separate section that also explains why.

> 2) Probably a long shot, but, is there any way that user keytabs can be
> generated and retrieved via an API call? I'd like to have some
> automation so that when a new user is created on the FreeIPA server or
> a user changes their password, the new resulting keytab can be
> downloaded on the end user systems via an API call to the JSON RPC
> endpoint.

This is not implemented and not considered because we already have a
tool that allows one to securely request keytabs.

A key for a Kerberos principal can be retrieved with 'ipa-getkeytab -r'
(see man page before ever trying) but you must have rights to do so. By
default, access controls only allow cn=Directory Manager to retrieve
such keytabs for any Kerberos principal. For specific principal types
the retrieval is preconfigured:

 - host keytab can be retrieved by a host's managedBy entry (typically,
   an administrator that created it);

 - service keytab can be retrieved by a host that manages the service.

See 'ipa help host' and 'ipa help service' for keytab-related access
granting commands. There is no such support for user objects, thus it is
not possible to preconfigure other users to be able to retrieve keytabs
of users. But 'cn=Directory Manager' can do that:

[root@master ~]# ipa-getkeytab -D 'cn=Directory Manager' -W -p admin -r -k ./test.keytab
Enter LDAP password:
Keytab successfully retrieved and stored in: ./test.keytab

[root@master ~]# klist -ket ./test.keytab
Keytab name: FILE:./test.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 12.02.2021 07.54.00 ad...@ipa.test (aes256-cts-hmac-sha1-96)
   1 12.02.2021 07.54.00 ad...@ipa.test (aes128-cts-hmac-sha1-96)

[root@master ~]# kinit -kt ./test.keytab admin
[root@master ~]# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@ipa.test
SASL SSF: 256
SASL data security layer installed.
dn: uid=admin,cn=users,cn=accounts,dc=ipa,dc=test


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
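An added example, not code from the thread or from FreeIPA: a small Python check a defender could run over `klist -ket` output like the one above, auditing a retrieved user keytab for non-AES enctypes and for a KVNO that lags the KDC's current key version (which increments on every password change, the event Kevin's automation would have to notice). The sample output is constructed; the principal admin@ipa.test and the third, arcfour-hmac entry are assumptions for illustration.

```python
import re
from typing import List, Optional

# Constructed sample in the shape of `klist -ket` output from the thread.
# The principal 'admin@ipa.test' is assumed; the third entry (a legacy
# RC4 key at a higher KVNO) is added to exercise both checks.
SAMPLE_KLIST = """\
Keytab name: FILE:./test.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 12.02.2021 07.54.00 admin@ipa.test (aes256-cts-hmac-sha1-96)
   1 12.02.2021 07.54.00 admin@ipa.test (aes128-cts-hmac-sha1-96)
   2 13.02.2021 09.12.30 admin@ipa.test (arcfour-hmac)
"""

# One key entry per line: KVNO, a two-token timestamp, principal, "(enctype)".
LINE_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<stamp>\S+ \S+)\s+(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)\s*$"
)

# AES enctypes are the ones FreeIPA issues by default; RC4/DES are deprecated.
STRONG_ENCTYPES = {
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
    "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128",
}


def parse_klist(output: str) -> List[dict]:
    """Parse `klist -ket` output into one record per key entry."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:  # header, separator and 'Keytab name:' lines do not match
            entries.append({"kvno": int(m["kvno"]),
                            "principal": m["princ"],
                            "enctype": m["etype"]})
    return entries


def audit_keytab(entries: List[dict], expected_kvno: Optional[int] = None) -> List[str]:
    """Report weak enctypes and, if the KDC-side KVNO is known, keys that
    lag it (a password change bumps the KVNO, so such keys stop working)."""
    findings = []
    for e in entries:
        if e["enctype"] not in STRONG_ENCTYPES:
            findings.append(f"{e['principal']}: weak enctype {e['enctype']}")
        if expected_kvno is not None and e["kvno"] < expected_kvno:
            findings.append(f"{e['principal']}: stale key (kvno {e['kvno']} < {expected_kvno})")
    return findings
```

In practice the input would come from `subprocess.run(["klist", "-ket", path], capture_output=True, text=True).stdout`, and the expected KVNO from the KDC side after a password change.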
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org