Re: [Freeipa-devel] [Freeipa-users] OpenSSH integration - known_hosts

2011-11-09 Thread Simo Sorce
CCing freeipa-devel so that others can benefit from replies too.

On Wed, 2011-11-09 at 09:49 -0500, Dan Scott wrote:
> > Well in 2-way trusts you could do that. But in general you do not want
> > to have any client in realm1 to contact any server in realm2. They might
> > be geographically very far and use high latency/low bandwidth links.
> 
> I must be missing something here. Why does it need to be a 2-way
> trust?

Because otherwise you may not have access to the keys at all unless
anonymous binds are allowed (this is the default indeed).

>  My local IPA server doesn't have to trust the remote IPA server
> at all, does it (other than encryption/certificates to prevent a MITM
> - although the existing system doesn't help with that either, for the
> initial host key transfer)? Even then, wouldn't an unauthenticated
> LDAP lookup be OK for transferring the host keys?

No, this is the other aspect. With GSSAPI auth you have mutual
authentication. This means you can trust the remote server. If you just
let clients do anonymous binds and fetch data from a server w/o
authentication then it is easy for an attacker to MITM the LDAP
connection and give you public keys for a ssh server that will also MITM
you.

I know that in many environments people will consider this an unlikely
threat and not care about it, so maybe an RFC to allow SSSD to do this
with unauthenticated connections will be allowed.

> My client would be trying to contact a system in the other realm
> anyway, so I don't really see the latency/bandwidth problems.

It depends on the architecture of your specific setup. I was giving
generic reasons why.

>  Surely
> whatever I'm doing over SSH will require more bandwidth than the key
> transfer.

Maybe, maybe not: you may have a host in your local LAN that belongs to
a remote realm and only the KDC/LDAP server is remote to you.

>  Instead of my client contacting the remote SSH host
> directly. My local SSSD would contact the other realm's IPA server to
> get the key of the host I'm connecting to. Even then, this would be a
> 'one-time' key transfer although it would need to be re-checked
> occasionally.

Yes, hence we may allow it.

> > So, for a first implementation, we could do what you say, but I'd rather
> > think it through and see how to cache/transfer information making
> > clients go through their IPA server rather than trying to connect
> > directly to a remote one.
> 
> Sure, makes sense. Getting it working in one realm is the priority.

There is also another reason why going through a 'proxy' service is
useful. If you have different IPA versions (or even different DC
technology like IPA vs AD) on the 2 sides of the trust we would be able
to build a 'translation' service on the IPA server so that clients do
not need to learn how to speak to other Identity Domains directly.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [Freeipa-users] OpenSSH integration - known_hosts

2011-11-09 Thread Dan Scott
Hi,

On Tue, Nov 8, 2011 at 18:35, Simo Sorce wrote:
> On Tue, 2011-11-08 at 17:57 -0500, Dmitri Pal wrote:
>> On 11/08/2011 02:56 PM, Dan Scott wrote:
>> > Hi,
>> >
>> > This is a great feature. It feels like I'm always re-installing VMs
>> > and having to remove old SSH keys and re-accept new ones.
>> >
>> > One feature I'd like is to have this working cross-realm. We have 2
>> > IPA realms here and it would be great if I could configure SSSD to
>> > check the local realm if I'm SSHing to a local PC and to check the
>> > other IPA server(s) if my SSH target is part of the other realm. Even
>> > better if it could do this without explicit configuration.
>> >
>> > Do you think it would be possible to do this securely?
>>
>> When we start to support Cross Realm Kerberos Trusts for IPA to IPA I
>> think this would be doable but then I do not think the ssh host keys
>> will be used (needed). Simo, am I correct?
>
> We do not have the GSSAPI key exchange patches in OpenSSH. With those
> the ssh host key is not necessary when using GSSAPI auth, even in the
> same realm.
>
> But when you want to use ssh host keys, across realm kerberos trust is
> not going to help.

I don't quite understand this. What trust is required, other than the
cross-realm authentication of kerberos tickets? Surely each realm
would manage its own host keys. All I'm looking for is an
authenticated cross-realm key lookup so that my client can pre-cache
entries in the known_hosts file. Wouldn't this just be an LDAP lookup?

Dan



Re: [Freeipa-devel] [Freeipa-users] OpenSSH integration - known_hosts

2011-11-09 Thread Simo Sorce
On Tue, 2011-11-08 at 20:45 -0500, Dan Scott wrote:
> Hi,
> 
> On Tue, Nov 8, 2011 at 18:35, Simo Sorce wrote:
> > On Tue, 2011-11-08 at 17:57 -0500, Dmitri Pal wrote:
> >> On 11/08/2011 02:56 PM, Dan Scott wrote:
> >> > Hi,
> >> >
> >> > This is a great feature. It feels like I'm always re-installing VMs
> >> > and having to remove old SSH keys and re-accept new ones.
> >> >
> >> > One feature I'd like is to have this working cross-realm. We have 2
> >> > IPA realms here and it would be great if I could configure SSSD to
> >> > check the local realm if I'm SSHing to a local PC and to check the
> >> > other IPA server(s) if my SSH target is part of the other realm. Even
> >> > better if it could do this without explicit configuration.
> >> >
> >> > Do you think it would be possible to do this securely?
> >>
> >> When we start to support Cross Realm Kerberos Trusts for IPA to IPA I
> >> think this would be doable but then I do not think the ssh host keys
> >> will be used (needed). Simo, am I correct?
> >
> > We do not have the GSSAPI key exchange patches in OpenSSH. With those
> > the ssh host key is not necessary when using GSSAPI auth, even in the
> > same realm.
> >
> > But when you want to use ssh host keys, across realm kerberos trust is
> > not going to help.
> 
> I don't quite understand this. What trust is required, other than the
> cross-realm authentication of kerberos tickets? Surely each realm
> would manage its own host keys. All I'm looking for is an
> authenticated cross-realm key lookup so that my client can pre-cache
> entries in the known_hosts file. Wouldn't this just be an LDAP lookup?

Well in 2-way trusts you could do that. But in general you do not want
to have any client in realm1 to contact any server in realm2. They might
be geographically very far and use high latency/low bandwidth links.

So, for a first implementation, we could do what you say, but I'd rather
think it through and see how to cache/transfer information making
clients go through their IPA server rather than trying to connect
directly to a remote one.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [Freeipa-users] OpenSSH integration - known_hosts

2011-11-08 Thread Dmitri Pal
On 11/08/2011 06:35 PM, Simo Sorce wrote:
> On Tue, 2011-11-08 at 17:57 -0500, Dmitri Pal wrote:
>> On 11/08/2011 02:56 PM, Dan Scott wrote:
>>> Hi,
>>>
>>> This is a great feature. It feels like I'm always re-installing VMs
>>> and having to remove old SSH keys and re-accept new ones.
>>>
>>> One feature I'd like is to have this working cross-realm. We have 2
>>> IPA realms here and it would be great if I could configure SSSD to
>>> check the local realm if I'm SSHing to a local PC and to check the
>>> other IPA server(s) if my SSH target is part of the other realm. Even
>>> better if it could do this without explicit configuration.
>>>
>>> Do you think it would be possible to do this securely?
>> When we start to support Cross Realm Kerberos Trusts for IPA to IPA I
>> think this would be doable but then I do not think the ssh host keys
>> will be used (needed). Simo, am I correct?
> We do not have the GSSAPI key exchange patches in OpenSSH. With those
> the ssh host key is not necessary when using GSSAPI auth, even in the
> same realm.
>
> But when you want to use ssh host keys, across realm kerberos trust is
> not going to help.
>
> In order to validate keys from different realms I guess we could use
> DNSSEC where the signatures of one realm are trusted by the other.
> Then by storing ssh host keys as DNS fields a different domain could
> still trust those keys. This works only for enrolled hosts though, I
> guess. Or at least only for hosts in DNS domains that are controlled by
> IPA. For hosts in other DNS domains we cannot distribute keys through
> DNS.
> If that is necessary then we would have to define some sort of protocol
> to allow fetching of keys from one domain to the other.
> We could use a mechanism similar to what we will need to implement for
> sid2name resolution for windows domain trusts. Where the IPA server
> becomes a proxy to request host keys from other domains.
>
> Bottom line, we can come up with something but it is not scoped yet. And
> needs some more thinking so that we put in place something that scales
> well.
>
> Simo.
>
Ok: https://fedorahosted.org/freeipa/ticket/2081

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-devel] [Freeipa-users] OpenSSH integration - known_hosts

2011-11-08 Thread Simo Sorce
On Tue, 2011-11-08 at 17:57 -0500, Dmitri Pal wrote:
> On 11/08/2011 02:56 PM, Dan Scott wrote:
> > Hi,
> >
> > This is a great feature. It feels like I'm always re-installing VMs
> > and having to remove old SSH keys and re-accept new ones.
> >
> > One feature I'd like is to have this working cross-realm. We have 2
> > IPA realms here and it would be great if I could configure SSSD to
> > check the local realm if I'm SSHing to a local PC and to check the
> > other IPA server(s) if my SSH target is part of the other realm. Even
> > better if it could do this without explicit configuration.
> >
> > Do you think it would be possible to do this securely?
> 
> When we start to support Cross Realm Kerberos Trusts for IPA to IPA I
> think this would be doable but then I do not think the ssh host keys
> will be used (needed). Simo, am I correct?

We do not have the GSSAPI key exchange patches in OpenSSH. With those
the ssh host key is not necessary when using GSSAPI auth, even in the
same realm.

But when you want to use ssh host keys, across realm kerberos trust is
not going to help.

In order to validate keys from different realms I guess we could use
DNSSEC where the signatures of one realm are trusted by the other.
Then by storing ssh host keys as DNS fields a different domain could
still trust those keys. This works only for enrolled hosts though, I
guess. Or at least only for hosts in DNS domains that are controlled by
IPA. For hosts in other DNS domains we cannot distribute keys through
DNS.
If that is necessary then we would have to define some sort of protocol
to allow fetching of keys from one domain to the other.
We could use a mechanism similar to what we will need to implement for
sid2name resolution for windows domain trusts. Where the IPA server
becomes a proxy to request host keys from other domains.

Bottom line, we can come up with something but it is not scoped yet. And
needs some more thinking so that we put in place something that scales
well.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [Freeipa-users] OpenSSH integration - known_hosts

2011-11-08 Thread Dmitri Pal
On 11/08/2011 02:56 PM, Dan Scott wrote:
> Hi,
>
> This is a great feature. It feels like I'm always re-installing VMs
> and having to remove old SSH keys and re-accept new ones.
>
> One feature I'd like is to have this working cross-realm. We have 2
> IPA realms here and it would be great if I could configure SSSD to
> check the local realm if I'm SSHing to a local PC and to check the
> other IPA server(s) if my SSH target is part of the other realm. Even
> better if it could do this without explicit configuration.
>
> Do you think it would be possible to do this securely?

When we start to support Cross Realm Kerberos Trusts for IPA to IPA I
think this would be doable but then I do not think the ssh host keys
will be used (needed). Simo, am I correct?

> Dan
>
> On Tue, Nov 8, 2011 at 12:38, Jan Zelený wrote:
>> Hello everyone,
>> there is a new effort in IPA and SSSD teams and that is SSH key integration
>> in both parts of SSSD-IPA infrastructure. We've put together some basic
>> plans and now we would like to know your opinion.
>>
>> Note that this is just shortened version to make it easier to read. It
>> doesn't contain every bit of information about the design. For full
>> version see
>> https://fedorahosted.org/freeipa/wiki/SSH-FreeIPA-Integration
>>
>> Problems:
>> =========
>> * the known_hosts file becomes outdated as machines get new host keys
>> (e.g. re-installed systems in virtualized environment)
>> * the user accepts any host key of the remote host without validating its
>> authenticity
>>
>>
>> Solution:
>> =========
>> Instead of checking stale known_hosts file, provide a dynamic mechanism to
>> lookup and deliver the public ssh key of the remote host to the client and
>> use it for validation of the remote host identity. The dynamic mechanism
>> would imply that no action is needed from the user because the source of
>> the retrieved key is trusted.
>>
>>
>> Limitations:
>> ------------
>> It is out of scope of this work to solve the problem in general. We propose
>> a solution for following use case:
>>
>> Client host is a managed host meaning that it has SSSD installed and it is
>> joined an IPA domain. It also has OpenSSH patched to interact with SSSD to
>> get the information about the remote host
>>
>> Other UNIX machines or Windows machines as SSH clients are out of the scope
>> of the current project. For the client hosts that can not be managed but
>> can access IPA via the standard LDAP tools we will provide documentation on
>> how to construct the content of the known_hosts file by querying LDAP
>> server and saving the results.
>>
>> The remote host can be a managed (joined IPA domain via SSSD) or an
>> unmanaged host. IPA server needs to provide a way to create entries for any
>> managed and unmanaged hosts and store public keys for those hosts in that
>> entries.
>>
>> What would change in IPA:
>> =========================
>> * external host would have entries with the possibility of storing their
>> public keys
>> * new mechanism to work with keys through UI and CLI
>> * host key fingerprints would be stored in SSHFP DNS records for each host
>> joined in IPA domain
>>
>> What would change on the client:
>> --------------------------------
>> * SSSD would fetch and cache host public keys from IPA
>> * joining to IPA domain would upload host public key
>> * ssh client would communicate with SSSD, probably through ssh-agent, to
>> check if the remote host is known
>>
>> It is still a question whether the solution is sufficient enough to address
>> the needs and pains of the real deployments or other technologies outside
>> the proposed should be used later (or instead).
>>
>> --
>> Thank you
>> Jan Zeleny
>>
>> Red Hat Software Engineer
>> Brno, Czech Republic
>>
>> ___
>> Freeipa-users mailing list
>> freeipa-us...@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.






Re: [Freeipa-devel] [Freeipa-users] OpenSSH integration - known_hosts

2011-11-08 Thread Dan Scott
Hi,

This is a great feature. It feels like I'm always re-installing VMs
and having to remove old SSH keys and re-accept new ones.

One feature I'd like is to have this working cross-realm. We have 2
IPA realms here and it would be great if I could configure SSSD to
check the local realm if I'm SSHing to a local PC and to check the
other IPA server(s) if my SSH target is part of the other realm. Even
better if it could do this without explicit configuration.

Do you think it would be possible to do this securely?

Dan

On Tue, Nov 8, 2011 at 12:38, Jan Zelený wrote:
> Hello everyone,
> there is a new effort in IPA and SSSD teams and that is SSH key integration
> in both parts of SSSD-IPA infrastructure. We've put together some basic
> plans and now we would like to know your opinion.
>
> Note that this is just shortened version to make it easier to read. It
> doesn't contain every bit of information about the design. For full
> version see
> https://fedorahosted.org/freeipa/wiki/SSH-FreeIPA-Integration
>
> Problems:
> =========
> * the known_hosts file becomes outdated as machines get new host keys
> (e.g. re-installed systems in virtualized environment)
> * the user accepts any host key of the remote host without validating its
> authenticity
>
>
> Solution:
> =========
> Instead of checking stale known_hosts file, provide a dynamic mechanism to
> lookup and deliver the public ssh key of the remote host to the client and
> use it for validation of the remote host identity. The dynamic mechanism
> would imply that no action is needed from the user because the source of
> the retrieved key is trusted.
>
>
> Limitations:
> ------------
> It is out of scope of this work to solve the problem in general. We propose
> a solution for following use case:
>
> Client host is a managed host meaning that it has SSSD installed and it is
> joined an IPA domain. It also has OpenSSH patched to interact with SSSD to
> get the information about the remote host
>
> Other UNIX machines or Windows machines as SSH clients are out of the scope
> of the current project. For the client hosts that can not be managed but
> can access IPA via the standard LDAP tools we will provide documentation on
> how to construct the content of the known_hosts file by querying LDAP
> server and saving the results.
>
> The remote host can be a managed (joined IPA domain via SSSD) or an
> unmanaged host. IPA server needs to provide a way to create entries for any
> managed and unmanaged hosts and store public keys for those hosts in that
> entries.
>
> What would change in IPA:
> =========================
> * external host would have entries with the possibility of storing their
> public keys
> * new mechanism to work with keys through UI and CLI
> * host key fingerprints would be stored in SSHFP DNS records for each host
> joined in IPA domain
>
> What would change on the client:
> --------------------------------
> * SSSD would fetch and cache host public keys from IPA
> * joining to IPA domain would upload host public key
> * ssh client would communicate with SSSD, probably through ssh-agent, to
> check if the remote host is known
>
> It is still a question whether the solution is sufficient enough to address
> the needs and pains of the real deployments or other technologies outside
> the proposed should be used later (or instead).
>
> --
> Thank you
> Jan Zeleny
>
> Red Hat Software Engineer
> Brno, Czech Republic
>

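The design summary quoted in this thread promises documentation for building known_hosts from an LDAP query on clients that cannot run SSSD, and says host key fingerprints will be published as SSHFP DNS records; Simo's reply at the top of the thread adds the caveat that the LDAP side has to be mutually authenticated (GSSAPI), because with an anonymous bind an attacker who can MITM the directory connection can hand the client the key of an SSH server that will MITM it too. The Python below is an added example written for this page, not code from FreeIPA, SSSD or anyone on the thread. It parses the LDIF that an `ldapsearch -Y GSSAPI` run would write, emits known_hosts lines, and derives the matching SSHFP RDATA (RFC 4255 algorithm numbers, SHA-1/SHA-256 fingerprint types from RFC 6594, Ed25519 number from RFC 7479) so a client can cross-check a key it was given against DNS. The `fqdn` and `ipaSshPubKey` attribute names, the `cn=computers,cn=accounts` container and the host names are assumptions, and the two public keys are constructed test data, not real keys.

```python
"""Build known_hosts lines and SSHFP RDATA from FreeIPA host entries (added example).

Assumed query on a GSSAPI-authenticated client (attribute/container names are
assumptions, not taken from the thread):

  ldapsearch -LLL -Y GSSAPI -H ldap://ipa.example.com \
      -b cn=computers,cn=accounts,dc=example,dc=com \
      '(ipaSshPubKey=*)' fqdn ipaSshPubKey > hosts.ldif
"""
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SSHFP_SHA1, SSHFP_SHA256 = 1, 2


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per LDIF entry.

    Handles folded continuation lines (leading space) and 'attr:: <base64>'
    values, which ldapsearch emits for values it cannot print verbatim.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if line == "":
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        cur.setdefault(name, []).append(value)
    return entries


def parse_pubkey_line(line):
    """Split an OpenSSH public key line into (keytype, raw key blob)."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob begins with a length-prefixed copy of the key type; they must agree.
    n = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in text does not match key blob")
    return keytype, blob


def sshfp_rdata(pubkey_line, fptype=SSHFP_SHA256):
    """Return (algorithm, fptype, hex fingerprint); the hash covers the raw blob."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    if keytype not in SSHFP_ALGO:
        raise ValueError(f"no SSHFP algorithm number for {keytype}")
    if fptype == SSHFP_SHA256:
        digest = hashlib.sha256(blob).hexdigest()
    elif fptype == SSHFP_SHA1:
        digest = hashlib.sha1(blob).hexdigest()
    else:
        raise ValueError(f"unknown SSHFP fingerprint type {fptype}")
    return SSHFP_ALGO[keytype], fptype, digest


def matches_sshfp(pubkey_line, rdata):
    """True if the presented key matches an (algo, fptype, hex) SSHFP record."""
    algo, fptype, fp = rdata
    got_algo, _, got_fp = sshfp_rdata(pubkey_line, fptype)
    return got_algo == algo and hmac.compare_digest(got_fp, fp.lower())


def build_known_hosts(ldif_text):
    """Return (known_hosts lines, SSHFP zone lines) for every host entry with a key."""
    known_hosts, zone = [], []
    for entry in parse_ldif(ldif_text):
        if "fqdn" not in entry:
            continue
        fqdn = entry["fqdn"][0]
        for key in entry.get("ipaSshPubKey", []):
            keytype, b64 = key.split()[:2]   # drop any trailing comment
            known_hosts.append(f"{fqdn} {keytype} {b64}")
            algo, fptype, fp = sshfp_rdata(key)
            zone.append(f"{fqdn}. IN SSHFP {algo} {fptype} {fp}")
    return known_hosts, zone


# ---- constructed sample input (not real keys, not real hosts) ----
def _constructed_key(keytype, payload):
    """Build a syntactically valid OpenSSH public key line from fake key material."""
    blob = struct.pack(">I", len(keytype)) + keytype.encode() + payload
    return f"{keytype} {base64.b64encode(blob).decode()}"


def _ldif_fold(line, width=76):
    """Fold a long line the way ldapsearch does: continuation lines start with a space."""
    out = [line[:width]]
    for i in range(width, len(line), width - 1):
        out.append(" " + line[i:i + width - 1])
    return "\n".join(out)


ED25519_KEY = _constructed_key("ssh-ed25519", struct.pack(">I", 32) + bytes(range(32)))
RSA_KEY = _constructed_key("ssh-rsa", struct.pack(">I", 3) + b"\x01\x00\x01"
                           + struct.pack(">I", 8) + bytes(range(1, 9)))
SAMPLE_LDIF = "\n".join([
    "dn: fqdn=web01.example.com,cn=computers,cn=accounts,dc=example,dc=com",
    "fqdn: web01.example.com",
    _ldif_fold("ipaSshPubKey: " + ED25519_KEY),
    "",
    "dn: fqdn=db01.example.com,cn=computers,cn=accounts,dc=example,dc=com",
    "fqdn: db01.example.com",
    _ldif_fold("ipaSshPubKey:: " + base64.b64encode((RSA_KEY + " root@db01").encode()).decode()),
    "",
])

if __name__ == "__main__":
    kh, zone = build_known_hosts(SAMPLE_LDIF)
    print("\n".join(kh))
    print("\n".join(zone))
```

The known_hosts lines are only as trustworthy as the channel they came over: run the ldapsearch with `-Y GSSAPI` (never an anonymous bind) so the directory server is mutually authenticated, and treat the SSHFP output as something to publish in a DNSSEC-signed zone, since an unsigned SSHFP record gives the ssh client no more assurance than the unauthenticated LDAP lookup Simo warns about.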