Re: [Freeipa-users] Understanding role of the certificate in client - server communication.
Thank you for the answer. Sorry if I lack the knowledge, but why is SSL needed when using Kerberos? Kerberos is based on a trusted third party, so why is there a need for public key encryption?

On Mar 19, 2014 12:24 AM, Rob Crittenden rcrit...@redhat.com wrote:
> Genadi Postrilko wrote:
>> Hello all.
>>
>> I'm trying to understand the use of the certificates in the communication between an IPA client and server.
>>
>> The documentation describes the retrieval of the CA certificate during client setup:
>>
>>     Retrieve the CA certificate for the IdM CA
>>
>> and the retrieval of an SSL server certificate:
>>
>>     Enable certmonger, retrieve an SSL server certificate, and install the certificate in /etc/pki/nssdb
>>
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/setting-up-clients.html#what-happens-clients
>>
>> From my understanding the authentication in an IPA environment is Kerberos based, therefore the client and server share a secret that allows the user to authenticate himself to the server and vice versa.
>> Where does the need for a certificate come in? Are some of the IPA server services not kerberized?
>
> Kerberos over HTTP requires SSL, which is why the CA is retrieved and installed. We don't currently use the machine certificate. This was for future-proofing.
>
> rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Understanding role of the certificate in client - server communication.
On Wed, 19 Mar 2014, Genadi Postrilko wrote:
> Thank you for the answer. Sorry if I lack the knowledge, but why is SSL needed when using Kerberos? Kerberos is based on a trusted third party, so why is there a need for public key encryption?

Using Kerberos only, without asking for integrity and confidentiality services, and without channel bindings to the outer encryption, is prone to MITM even with valid TLS channels. Use of certificates allows performing mutual authentication at the SSL level and later performing channel bindings of the tunnelled Kerberos communication.

Note that Kerberos over HTTP is weak without transport level security. HTTP authentication per se is independent of the transport. For more details you can look at Joe Orton's talk at ApacheCon'2008: http://www.apachecon.com/eu2008/program/materials/kerb-sso-http.pdf

--
/ Alexander Bokovoy
[Freeipa-users] passwordless login into IPA clients possible from non IPA client?
Hi,

Subject says it all actually. I have a laptop with Fedora 20. I work as a contractor on different assignments. Some of them have an IPA domain set up. Their RHEL6 servers are all IPA clients. I would like to ssh into these servers passwordless using ssh-agent and such. Is this possible? If so, how would I set this up?

BTW, passwordless login already works when ssh-ing from an IPA client into another IPA client.

Fred
Re: [Freeipa-users] passwordless login into IPA clients possible from non IPA client?
Hi Fred,

You can add your public keys to the user's profile via the GUI or CLI. Take the contents of the .ssh/id_rsa.pub from your Fedora 20 laptop and insert it in the GUI.

User - ACCOUNT SETTINGS - SSH public keys - add

http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/user-keys.html

Thanks,

Andrew

On 19 March 2014 09:38, Fred van Zwieten fvzwie...@vxcompany.com wrote:
> Hi,
>
> Subject says it all actually. I have a laptop with Fedora 20. I work as a contractor on different assignments. Some of them have an IPA domain set up. Their RHEL6 servers are all IPA clients. I would like to ssh into these servers passwordless using ssh-agent and such. Is this possible? If so, how would I set this up?
>
> BTW, passwordless login already works when ssh-ing from an IPA client into another IPA client.
>
> Fred
Re: [Freeipa-users] Understanding role of the certificate in client - server communication.
On Wed, 2014-03-19 at 10:56 +0200, Alexander Bokovoy wrote:
> On Wed, 19 Mar 2014, Genadi Postrilko wrote:
>> Thank you for the answer. Sorry if I lack the knowledge, but why is SSL needed when using Kerberos? Kerberos is based on a trusted third party, so why is there a need for public key encryption?
>
> Using Kerberos only, without asking for integrity and confidentiality services, and without channel bindings to the outer encryption, is prone to MITM even with valid TLS channels. Use of certificates allows performing mutual authentication at the SSL level and later performing channel bindings of the tunnelled Kerberos communication.
>
> Note that Kerberos over HTTP is weak without transport level security. HTTP authentication per se is independent of the transport. For more details you can look at Joe Orton's talk at ApacheCon'2008: http://www.apachecon.com/eu2008/program/materials/kerb-sso-http.pdf

Note also that Negotiate does not actually use channel binding to the outer TLS channel in all implementations I know of :/

Simo.

--
Simo Sorce * Red Hat, Inc * New York
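Added example, not from the thread: a Python model of the point Alexander and Simo make above. Kerberos ticket crypto is replaced by an HMAC under a constructed session key; what it keeps faithful is the RFC 5929 tls-server-end-point binding value and the fact that the accepting server recomputes it from the certificate it presented on its own TLS channel. Certificate bytes, session key and service name are constructed placeholders.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for DER certificates (really the bytes the client saw in
# the TLS handshake); for the model they only need to differ from each other.
IPA_SERVER_CERT = b"constructed DER: CN=ipa.example.test, issued by the IPA CA"
INTERMEDIARY_CERT = b"constructed DER: another certificate the client happens to trust"
SESSION_KEY = b"constructed Kerberos session key shared by client and HTTP service"
SERVICE = "HTTP/ipa.example.test@EXAMPLE.TEST"


def tls_server_end_point(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """RFC 5929 tls-server-end-point: hash of the server's end-entity certificate
    with the certificate's signature hash; MD5 and SHA-1 are upgraded to SHA-256."""
    if sig_hash.lower() in ("md5", "sha1"):
        sig_hash = "sha256"
    return hashlib.new(sig_hash, cert_der).digest()


def gss_channel_binding(cert_der: bytes) -> bytes:
    # application_data as GSS-API hands it to the mechanism (RFC 5056, RFC 5929 4.1)
    return b"tls-server-end-point:" + tls_server_end_point(cert_der)


def client_token(cert_seen: Optional[bytes]) -> bytes:
    """Model of the AP-REQ authenticator checksum: HMAC under the session key over
    the service name and, when channel binding is in use, the binding value."""
    binding = gss_channel_binding(cert_seen) if cert_seen is not None else b""
    return hmac.new(SESSION_KEY, SERVICE.encode() + binding, "sha256").digest()


def server_accepts(token: bytes, own_cert: bytes, require_binding: bool) -> bool:
    # The server binds to the certificate *it* served, never to one the client names.
    expected = client_token(own_cert if require_binding else None)
    return hmac.compare_digest(expected, token)


def direct_connection(require_binding: bool) -> bool:
    """Client talks to the genuine IPA server: both ends derive the same binding."""
    token = client_token(IPA_SERVER_CERT if require_binding else None)
    return server_accepts(token, IPA_SERVER_CERT, require_binding)


def relayed_through_intermediary(require_binding: bool) -> bool:
    """A TLS-terminating box with its own trusted certificate forwards the token
    unchanged to the real server; returns whether the server accepts it."""
    token = client_token(INTERMEDIARY_CERT if require_binding else None)
    return server_accepts(token, IPA_SERVER_CERT, require_binding)
```

Without the binding the relayed token verifies, which is why, given Simo's note that Negotiate implementations do not bind, the client's verification of the server certificate against the IPA CA is what actually carries the protection.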
Re: [Freeipa-users] IPA DNS response issue
On 18.3.2014 15:26, David wrote:
> Hi all -
>
> We have an installation of FreeIPA (through CentOS 6.5) that's exhibiting some odd behavior with respect to serving DNS. Periodically (interval at random) named running on a replica will stop serving requests from the LDAP server but continue to respond to recursive requests. This type of failure causes us problems, as you could imagine. (It doesn't fail cleanly so it won't request from another server.) We've adjusted the number of connections each named makes to 389, but it doesn't seem to make a difference. We're not seeing anything in the logs so troubleshooting this is becoming a bit of a (high-visibility) puzzle to us. I do happen to have a core file that I grabbed last night before sending a SIGKILL to named and restarting. (A SIGTERM has no effect.)
>
> Hopefully there's an easy answer here that we can get rolled into the environment quickly. FreeIPA has treated us extraordinarily well so far!
>
> David
>
> About our configuration:
>
> OS: CentOS 6.5, x86_64
>
> Packages:
> bind-9.8.2-0.23.rc1.el6_5.1.x86_64
> bind-dyndb-ldap-2.3-5.el6.x86_64
> ipa-server-3.0.0-37.el6.x86_64
>
> Configuration:
> bind-dyndb-ldap is used in conjunction with IPA 3.0.0-37. The version of bind is 9.8.2-0.23.rc1.
>
> Our dynamic-db section of named.conf is as follows:
>
>     dynamic-db "ipa" {
>         library "ldap.so";
>         arg "uri ldapi://%2fvar%2frun%2fslapd-XXX-XXX.socket";
>         arg "connections 10";
>         arg "base cn=dns, dc=XXX,dc=XXX";
>         arg "fake_mname XXX.ipa.hosted.zone.";
>         arg "auth_method sasl";
>         arg "sasl_mech GSSAPI";
>         arg "sasl_user DNS/XXX.ipa.hosted.zone";
>         arg "zone_refresh 0";
>         arg "psearch yes";
>         arg "serial_autoincrement yes";
>         arg "verbose_checks yes";
>     };
>
> We do not have any text based or DLZ zones configured. We do not have any global forwarders configured. We do not have any settings in the global configuration object in LDAP.
>
>     $ ldapsearch -Y GSSAPI -b 'cn=dns,dc=XXX,dc=XXX' '(objectClass=idnsConfigObject)'
>     SASL/GSSAPI authentication started
>     ...
>     # dns, XXX.XXX
>     dn: cn=dns,dc=XXX,dc=XXX
>     objectClass: idnsConfigObject
>     objectClass: nsContainer
>     objectClass: top
>     cn: dns
>
>     # search result
>     search: 4
>     result: 0 Success
>
>     # numResponses: 2
>     # numEntries: 1

Note that David (I guess :-) added logs to the ticket https://fedorahosted.org/bind-dyndb-ldap/ticket/131 and I'm looking into it.

--
Petr^2 Spacek
Re: [Freeipa-users] IPA DNS response issue
On Wed, Mar 19, 2014 at 01:57:24PM +0100, Petr Spacek wrote:
> On 18.3.2014 15:26, David wrote:
>> We have an installation of FreeIPA (through CentOS 6.5) that's exhibiting some odd behavior with respect to serving DNS. Periodically (interval at random) named running on a replica will stop serving requests from the LDAP server but continue to respond to recursive requests. This type of failure causes us problems, as you could imagine. (It doesn't fail cleanly so it won't request from another server.) We've adjusted the number of connections each named makes to 389, but it doesn't seem to make a difference. We're not seeing anything in the logs so troubleshooting this is becoming a bit of a (high-visibility) puzzle to us. I do happen to have a core file that I grabbed last night before sending a SIGKILL to named and restarting. (A SIGTERM has no effect.)
>>
>> Hopefully there's an easy answer here that we can get rolled into the environment quickly. FreeIPA has treated us extraordinarily well so far!
>
> snip
>
> Note that David (I guess :-) added logs to the ticket https://fedorahosted.org/bind-dyndb-ldap/ticket/131 and I'm looking into it.

Actually, that's not me! I don't have anywhere near as much logging... At least I'm not alone...

Our failures also seem to happen around log rotation time. The Kerberos ticket expiring is interesting. I'll poke around on my installation and see what I see on this side.

If you need any other information, please let me know.

David
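Added example, not from the thread or from the bind-dyndb-ldap project: an external probe in Python for the failure mode David describes, where named stops answering for the LDAP-backed zone but still recurses, so clients never fail over and nothing in the logs says so. The replica address and record names are hypothetical, and it assumes a stalled backend shows up as a timeout or SERVFAIL.

```python
import socket
import struct
from typing import Optional

# Hypothetical names: one replica, a record inside the IPA-hosted zone, one outside.
REPLICA = "192.0.2.53"
ZONE_RECORD = "ipa-replica1.ipa.hosted.zone"
OUTSIDE_RECORD = "www.example.com"


def build_query(qname: str, txid: int, rd: bool, qtype: int = 1) -> bytes:
    """Minimal DNS query over UDP for an A record (qtype 1, class IN)."""
    flags = 0x0100 if rd else 0x0000  # RD bit only on the recursive probe
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_header(data: bytes) -> dict:
    """The response header fields the check cares about: id, AA bit, RCODE, ANCOUNT."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F, "ancount": an}


def probe(server: str, qname: str, rd: bool, txid: int = 0x1A2B, timeout: float = 2.0) -> Optional[dict]:
    """Send one query; None means no (matching) answer within the timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(qname, txid, rd), (server, 53))
        data, _ = s.recvfrom(512)
    except socket.timeout:
        return None
    finally:
        s.close()
    hdr = parse_header(data)
    return hdr if hdr["id"] == txid else None


def classify(auth: Optional[dict], rec: Optional[dict]) -> str:
    """Separate 'zone from LDAP not served, recursion fine' from a dead or healthy named.
    Assumption: a stalled LDAP backend shows as a timeout or SERVFAIL (rcode 2)."""
    auth_ok = auth is not None and auth["rcode"] == 0 and auth["aa"]
    rec_ok = rec is not None and rec["rcode"] == 0
    if auth_ok:
        return "ok"
    if rec_ok:
        return "ldap-backed zone failing while recursion works: check named's 389 connection"
    return "no usable answers: named down or unreachable"


if __name__ == "__main__":
    print(classify(probe(REPLICA, ZONE_RECORD, rd=False), probe(REPLICA, OUTSIDE_RECORD, rd=True)))
```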
Re: [Freeipa-users] passwordless login into IPA clients possible from non IPA client?
Andrew's suggestion works fine, but you can also set up a simple krb5.conf on the source hosts and then issue a kinit. It doesn't have to be a full IPA client for that to work.

You can also do this from a Windows box by using the MIT Kerberos for Windows package: http://web.mit.edu/Kerberos/dist/ (you can also do ssh keys from Windows with PuTTY.)

On Wed, Mar 19, 2014 at 7:20 AM, Andrew Holway andrew.hol...@gmail.com wrote:
> Hi Fred,
>
> You can add your public keys to the user's profile via the GUI or CLI. Take the contents of the .ssh/id_rsa.pub from your Fedora 20 laptop and insert it in the GUI.
>
> User - ACCOUNT SETTINGS - SSH public keys - add
>
> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/user-keys.html
>
> Thanks,
>
> Andrew
>
> On 19 March 2014 09:38, Fred van Zwieten fvzwie...@vxcompany.com wrote:
>> Hi,
>>
>> Subject says it all actually. I have a laptop with Fedora 20. I work as a contractor on different assignments. Some of them have an IPA domain set up. Their RHEL6 servers are all IPA clients. I would like to ssh into these servers passwordless using ssh-agent and such. Is this possible? If so, how would I set this up?
>>
>> BTW, passwordless login already works when ssh-ing from an IPA client into another IPA client.
>>
>> Fred

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
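Added example, not from the thread: a Python check of the OpenSSH public key line before it goes into the user entry, with the CLI equivalent of the GUI steps Andrew gives (ipa user-mod takes --sshpubkey). The key line is a constructed ed25519 sample, and the user name and key comment are hypothetical.

```python
import base64
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_strings(blob: bytes):
    """Yield the length-prefixed strings of an SSH wire-format blob (RFC 4251)."""
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("string runs past the end of the blob")
        yield blob[off:off + n]
        off += n


def parse_pubkey_line(line: str):
    """Return (keytype, base64, comment) or raise ValueError with the reason."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if keytype not in KEY_TYPES:
        raise ValueError(f"unsupported key type {keytype!r}")
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    fields = list(_ssh_strings(blob))
    if not fields or fields[0] != keytype.encode():
        raise ValueError("type prefix does not match the type inside the blob")
    if len(fields) < 2:
        raise ValueError("blob carries no key material")
    return keytype, b64, comment


def is_valid_pubkey_line(line: str) -> bool:
    try:
        parse_pubkey_line(line)
        return True
    except ValueError:
        return False


def ipa_user_mod_command(user: str, line: str) -> list:
    """argv for the CLI route; only a line that passed parsing is handed to ipa."""
    keytype, b64, comment = parse_pubkey_line(line)
    key = " ".join(p for p in (keytype, b64, comment) if p)
    return ["ipa", "user-mod", user, f"--sshpubkey={key}"]


def constructed_ed25519_line(comment: str = "fred@laptop") -> str:
    """Constructed sample: 32 arbitrary bytes stand in for a real public key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"
```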