[Freeipa-users] Replace Self-Signed Cert
Hello All,

I installed FreeIPA server on a CentOS host. I have 20+ Linux and Solaris clients hooked up to it. SSH and Sudo work on all clients. I would like to replace the self-signed cert that is used on ports 389 and 636. Is there a way to do this without re-installing the server and clients?

Thanks.

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Replace Self-Signed Cert
I was told by my admin team that self-signed certs pose a security risk.

On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden rcrit...@redhat.com wrote:

quest monger wrote:

Hello All, I installed FreeIPA server on a CentOS host. I have 20+ Linux and Solaris clients hooked up to it. SSH and Sudo work on all clients. I would like to replace the self-signed cert that is used on ports 389 and 636. Is there a way to do this without re-installing the server and clients?

Why do you want to do this?

rob
Re: [Freeipa-users] Replace Self-Signed Cert
I found some documentation for getting a certificate signed by an external CA (2.3.3.2. Using Different CA Configurations): http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html

But it looks like those instructions apply to a first-time fresh install, not to upgrading an existing install.

On Mon, Oct 13, 2014 at 3:24 PM, quest monger quest.mon...@gmail.com wrote:

I was told by my admin team that self-signed certs pose a security risk.

On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden rcrit...@redhat.com wrote:

quest monger wrote:

Hello All, I installed FreeIPA server on a CentOS host. I have 20+ Linux and Solaris clients hooked up to it. SSH and Sudo work on all clients. I would like to replace the self-signed cert that is used on ports 389 and 636. Is there a way to do this without re-installing the server and clients?

Why do you want to do this?

rob
Re: [Freeipa-users] Replace Self-Signed Cert
I did the default IPA install, didn't change any certs or anything. As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and one on port 636 (LDAPS). These certs don't have a trust chain, hence I called them self-signed.

We have a contract with a third party CA that issues TLS certs for us. I was asked to find a way to replace those 2 self-signed certs with certs from this third party CA. I was wondering if there was a way I could do that. I found this: http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

I am currently running 3.0.0.

On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal d...@redhat.com wrote:

On 10/13/2014 03:39 PM, quest monger wrote:

I found some documentation for getting a certificate signed by an external CA (2.3.3.2. Using Different CA Configurations): http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html

But it looks like those instructions apply to a first-time fresh install, not to upgrading an existing install.

On Mon, Oct 13, 2014 at 3:24 PM, quest monger quest.mon...@gmail.com wrote:

I was told by my admin team that self-signed certs pose a security risk.

On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden rcrit...@redhat.com wrote:

quest monger wrote:

Hello All, I installed FreeIPA server on a CentOS host. I have 20+ Linux and Solaris clients hooked up to it. SSH and Sudo work on all clients. I would like to replace the self-signed cert that is used on ports 389 and 636. Is there a way to do this without re-installing the server and clients?

Why do you want to do this?

rob

Do I get it right that you installed IPA using a self-signed certificate and now want to change it? What version of IPA do you have? Did you use a self-signed CA-less install or a self-signed CA? The tools to change the chaining are only being released in 4.1, so you might have to move to the latest when we release 4.1 for CentOS.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Replace Self-Signed Cert
Makes sense. I will still try out that cert add command in my test environment, just to see if it works. Looks like for now, the 4.1 upgrade is my best option.

On Mon, Oct 13, 2014 at 7:01 PM, Dmitri Pal d...@redhat.com wrote:

On 10/13/2014 06:45 PM, quest monger wrote:

I did the default IPA install, didn't change any certs or anything. As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and one on port 636 (LDAPS). These certs don't have a trust chain, hence I called them self-signed.

We have a contract with a third party CA that issues TLS certs for us. I was asked to find a way to replace those 2 self-signed certs with certs from this third party CA. I was wondering if there was a way I could do that. I found this: http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

I am currently running 3.0.0.

AFAIU the biggest issue will be with the clients. I suspect that they might be quite confused if you just drop in the certs from the 3rd party. If you noticed, the page has the following line: "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." I think it should say "by the external CA" to be clear. It is not the case in your situation. If it were the situation, the CA would already have been in the trust chain on the clients and the procedure would have worked, but I do not think it would work now. You would need to use the cert chaining tool that was built in 4.1 when 4.1 gets released on CentOS.

On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal d...@redhat.com wrote:

On 10/13/2014 03:39 PM, quest monger wrote:

I found some documentation for getting a certificate signed by an external CA (2.3.3.2. Using Different CA Configurations): http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html

But it looks like those instructions apply to a first-time fresh install, not to upgrading an existing install.

On Mon, Oct 13, 2014 at 3:24 PM, quest monger quest.mon...@gmail.com wrote:

I was told by my admin team that self-signed certs pose a security risk.

On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden rcrit...@redhat.com wrote:

quest monger wrote:

Hello All, I installed FreeIPA server on a CentOS host. I have 20+ Linux and Solaris clients hooked up to it. SSH and Sudo work on all clients. I would like to replace the self-signed cert that is used on ports 389 and 636. Is there a way to do this without re-installing the server and clients?

Why do you want to do this?

rob

Do I get it right that you installed IPA using a self-signed certificate and now want to change it? What version of IPA do you have? Did you use a self-signed CA-less install or a self-signed CA? The tools to change the chaining are only being released in 4.1, so you might have to move to the latest when we release 4.1 for CentOS.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] setup key-based ssh using freeipa
I already ran that command to configure the CentOS host as a client. I used 'ipa-client-install --mkhomedir --no-ntp'. Now my IPA users are able to SSH to that box using passwords set in IPA. Next I would like them to SSH using keys.

When I looked through the document for more info, I found this line: 'After uploading the user keys, configure SSSD to use FreeIPA as one of its identity domains and set up OpenSSH to use the SSSD tooling for managing user keys.' I was hoping someone could shed light on how to do that. Or if someone has configured their IPA clients to enable key-based SSH to clients, can they please share their experience?

Thanks.

On Thu, Apr 17, 2014 at 5:48 PM, Dmitri Pal d...@redhat.com wrote:

On 04/17/2014 02:42 PM, quest monger wrote:

I have set up a FreeIPA server, and added a CentOS client that my IPA users can now SSH to by using the FreeIPA account credentials. Now, I would like my users to be able to SSH to this CentOS client using keys. I read this: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/user-keys.html

I generated the key pair, and added the public key to the user account in the FreeIPA web console. Towards the end of that document, I found this: "After uploading the user keys, configure SSSD to use FreeIPA as one of its identity domains and set up OpenSSH to use the SSSD tooling for managing user keys." No instructions in the document on how to do this. Do I need to do anything on the CentOS client side to make this work?

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

yum install ipa-client, then run ipa-client-install with the arguments you need (see man pages or manual), which will configure your client. Depending on the version it will also be able to configure SSH integration. See man on ipa-client-install.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
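The thread leaves open what the client side of "set up OpenSSH to use the SSSD tooling" looks like. As an added example (not code from the thread or from FreeIPA), the audit below checks the two settings that wiring depends on: sshd must call sss_ssh_authorizedkeys through AuthorizedKeysCommand (with AuthorizedKeysCommandUser set, since sshd refuses to start without it) and sssd.conf must run the ssh responder. The sample configurations are constructed.

```python
"""Audit an IPA client for the SSSD-backed OpenSSH key lookup.

Added example, not code from the thread. Checks that sshd asks
sss_ssh_authorizedkeys for keys and that sssd runs its ssh responder.
Both sample configurations below are constructed.
"""
import re


def parse_sshd_config(text):
    """Map lowercased keyword -> first value seen in the global section.

    sshd honours the first occurrence of a keyword; Match blocks are
    ignored because the IPA key lookup has to apply to every user.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = re.split(r'[\s=]+', line, maxsplit=1)   # "Key value" or "Key=value"
        if parts[0].lower() == 'match':
            break
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def parse_sssd_services(text):
    """Return the responders listed as services= in the [sssd] section."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
        elif section == 'sssd' and '=' in line:
            key, value = (p.strip() for p in line.split('=', 1))
            if key == 'services':
                return {s.strip() for s in value.split(',') if s.strip()}
    return set()


def audit(sshd_text, sssd_text):
    """Return findings; an empty list means keys stored in IPA are consulted."""
    findings = []
    sshd = parse_sshd_config(sshd_text)
    command = sshd.get('authorizedkeyscommand', '')
    if 'sss_ssh_authorizedkeys' not in command:
        findings.append('sshd: AuthorizedKeysCommand does not call sss_ssh_authorizedkeys')
    elif not sshd.get('authorizedkeyscommanduser'):
        findings.append('sshd: AuthorizedKeysCommandUser unset, sshd will refuse to start')
    if sshd.get('pubkeyauthentication', 'yes').lower() != 'yes':
        findings.append('sshd: PubkeyAuthentication is disabled')
    if 'ssh' not in parse_sssd_services(sssd_text):
        findings.append('sssd: ssh responder missing from services= in [sssd]')
    return findings


# Constructed samples: a correctly wired client, one missing the command user,
# and a stock file that never consults IPA.
GOOD_SSHD = "PubkeyAuthentication yes\nAuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandUser nobody\n"
NOUSER_SSHD = "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
BAD_SSHD = "# stock file\nPubkeyAuthentication no\nPasswordAuthentication yes\n"
GOOD_SSSD = "[sssd]\nservices = nss, pam, ssh\ndomains = example.com\n"
BAD_SSSD = "[sssd]\nservices = nss, pam\ndomains = example.com\n"

if __name__ == '__main__':
    for name, sshd, sssd in (('good', GOOD_SSHD, GOOD_SSSD), ('bad', BAD_SSHD, BAD_SSSD)):
        print(name, audit(sshd, sssd) or ['ok'])
```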
[Freeipa-users] setup key-based ssh using freeipa
I have set up a FreeIPA server, and added a CentOS client that my IPA users can now SSH to by using the FreeIPA account credentials. Now, I would like my users to be able to SSH to this CentOS client using keys. I read this: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/user-keys.html

I generated the key pair, and added the public key to the user account in the FreeIPA web console. Towards the end of that document, I found this: "After uploading the user keys, configure SSSD to use FreeIPA as one of its identity domains and set up OpenSSH to use the SSSD tooling for managing user keys." No instructions in the document on how to do this. Do I need to do anything on the CentOS client side to make this work?
Re: [Freeipa-users] IPA client installation for Solaris 11.
Hi Johan,

Wow, that worked. Thank you for all the info. I have a few more questions:

Sudo - How do I get sudo working? I have not changed anything on the server side (default FreeIPA install config). Do I need to set up or add sudo policies to the user/group on the server side?

Home Dir - On my CentOS clients, I got it configured such that a home dir is created the first time a user has a successful login (used ipa-client-install --mkhomedir). Can we do the same for Solaris servers?

Again, thank you for this info. I can verify that these instructions worked on an Oracle Solaris 11.1 SPARC machine. Once I have everything nailed down, I will respond to this thread with all the steps.

Thanks.

On Thu, Apr 10, 2014 at 1:37 PM, Johan Petersson johan.peters...@sscspace.com wrote:

Proxy user is only necessary if you disable anonymous bind on the IPA LDAP.

Example configuration for making Solaris 11 work as an IPA client. If you want autofs of a shared NFS home directory too, let me know and I can provide it. I will add this and more to the IPA Wiki when I can find the time to go through it properly and polish away some rough edges. I hope it can provide some help.

Solaris 11.1 IPA client configuration.

First make sure that the Solaris 11 machine is using the proper DNS and NTP servers.

On the IPA server or client run:

    ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
    ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab

Move the keytab to the Solaris machine as /etc/krb5/krb5.keytab. Make sure it has the proper owner and permissions:

    chown root:sys /etc/krb5/krb5.keytab
    chmod 700 /etc/krb5/krb5.keytab

Edit /etc/nsswitch.ldap, replacing ldap with dns on the hosts and ipnodes lines:

    hosts: files dns
    ipnodes: files dns

Edit /etc/krb5/krb5.conf:

    [libdefaults]
    default_realm = EXAMPLE.COM
    verify_ap_req_nofail = false

    [realms]
    EXAMPLE.COM = {
        kdc = ipaserver.example.com
        admin_server = ipaserver.example.com
    }

    [domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

Run ldapclient with the default DUAProfile. The -a domainName=example.com is needed so that ldapclient does not stop and complain about a missing nisdomain name.

    ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com

In Solaris 11.1 the pam configuration has changed, but for simplicity I still use /etc/pam.conf:

    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth sufficient pam_krb5.so.1
    login auth required pam_unix_auth.so.1
    login auth required pam_dial_auth.so.1
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth sufficient pam_krb5.so.1
    other auth required pam_unix_auth.so.1
    other account requisite pam_roles.so.1
    other account required pam_unix_account.so.1
    other account required pam_krb5.so.1
    other password requisite pam_authtok_check.so.1 force_check
    other password sufficient pam_krb5.so.1
    other password required pam_authtok_store.so.1

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, April 10, 2014 19:04
To: d...@redhat.com; quest monger
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA client installation for Solaris 11.

Dmitri Pal wrote:

On 04/10/2014 12:18 PM, quest monger wrote:

Sorry about that. So I am looking at the Solaris 10 client documentation here: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

It says to do the following on the Solaris client:

    ldapclient manual ... -a proxyPassword={NS1}fbc123a92116812 ...

What's that proxyPassword for?

I suspect that it is a password that corresponds to the proxy user. The client component on Solaris (pure speculation on my side) seems to use a proxy user to connect to the LDAP server and do some operations for the host. It is similar to SSSD, but SSSD does not use passwords; it uses keytabs if it talks to IPA.

There are a number of different profile levels available, see http://docs.oracle.com/cd/E23824_01/html/821-1455/ldapsecure-66.html#ldapsecure-74

proxy is usually a shared account that the Solaris box uses to authenticate to the LDAP server. Solaris uses passwords, but to prevent them from being stored in configuration in the clear they are obfuscated with the NS1 method: http://stuff.iain.cx/2008/05/03/ns103eb2365be169abbe3a45088a10a/

I suspect
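The pam.conf stacking in Johan's instructions is the step most easily broken by a later edit, since a service with no entries for a type silently falls back to "other". As an added example (not code from the thread or from any of its authors), the parser below reads the classic Solaris pam.conf format, applies that fallback rule, and reports stacks where pam_krb5.so.1 is missing or carries a control flag under which its failure would be ignored. The sample files are constructed; the "good" one is a trimmed copy of the stacking shown above.

```python
"""Audit a Solaris /etc/pam.conf for the Kerberos stacking used above.

Added example, not part of any post in the thread. Parses the
"service type control module [options]" format, applies the Solaris rule
that a service without entries for a type falls back to 'other', and
flags stacks where pam_krb5.so.1 is absent or ignorable. Samples are
constructed.
"""
from collections import defaultdict

KRB5 = 'pam_krb5.so.1'


def parse_pam_conf(text):
    """Return {(service, type): [(control, module, options)]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError('malformed pam.conf line: %r' % raw)
        service, ptype, control, module = fields[:4]
        stacks[(service, ptype)].append((control, module, fields[4:]))
    return stacks


def stack_for(stacks, service, ptype):
    """Solaris semantics: the service's own stack, else the 'other' stack."""
    return stacks.get((service, ptype)) or stacks.get(('other', ptype), [])


def audit_pam_conf(text, services=('login', 'other')):
    """Return findings; empty means IPA users authenticate and get account checks."""
    findings = []
    stacks = parse_pam_conf(text)
    for svc in services:
        auth_modules = [m for _, m, _ in stack_for(stacks, svc, 'auth')]
        if KRB5 not in auth_modules:
            findings.append('%s auth: %s missing, IPA users cannot log in' % (svc, KRB5))
        acct_ctl = [c for c, m, _ in stack_for(stacks, svc, 'account') if m == KRB5]
        if not acct_ctl:
            findings.append('%s account: %s missing, Kerberos account checks skipped' % (svc, KRB5))
        elif acct_ctl[0] not in ('required', 'requisite'):
            findings.append('%s account: %s is %s, its failure is ignored' % (svc, KRB5, acct_ctl[0]))
    return findings


# Constructed: a trimmed copy of the stacking shown in the thread...
GOOD_PAM = """\
login auth requisite pam_authtok_get.so.1
login auth sufficient pam_krb5.so.1
login auth required pam_unix_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1
"""
# ...and a stock-like file where console login never consults Kerberos.
BAD_PAM = """\
login auth required pam_unix_auth.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
other account required pam_unix_account.so.1
"""
```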
Re: [Freeipa-users] IPA client installation for Solaris 11.
Thanks Rob, those bug reports help. One more question: in the official Solaris 10 documentation, I see this stuff:

    -a proxyPassword={NS1}fbc123a92116812
    userPassword:: e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ==

Is there a way to generate that password hash for a new password? I think that should be part of the documentation; I don't want all Solaris IPA users to be using the same password and corresponding hash.

Thanks.

On Wed, Apr 9, 2014 at 4:36 PM, Rob Crittenden rcrit...@redhat.com wrote:

quest monger wrote:

I have read through the official documentation here for Solaris 10: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

I have found a few web posts on how to make it work for Solaris 11. Have any of you tried adding a Solaris 11 host to an existing IPA server? If so, do you have any documentation/how-tos/instructions that I could use to do the same? Any help is appreciated. I am trying to do this so I can centralize SSH authentication for all my Solaris 11 and Linux hosts.

That is pretty much all we've got. There is a bug open with some documentation updates, https://bugzilla.redhat.com/show_bug.cgi?id=815533 and some more in https://bugzilla.redhat.com/show_bug.cgi?id=801883

We use sssd to help with centralized SSH auth so it probably won't work as smoothly on Solaris as it does on sssd-based Linux systems. See sss_ssh_authorizedkeys(1) and sss_ssh_knownhostsproxy(8). This document describes how it works in IPA: http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf

rob
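The userPassword value quoted above base64-decodes to a string beginning with {SSHA}, the salted SHA-1 scheme LDAP servers such as 389 DS accept: base64(SHA1(password + salt) + salt). The NS1 proxyPassword is a separate, Solaris-specific obfuscation and is not covered here. As an added example (not code from the thread or from FreeIPA), the functions below generate a fresh {SSHA} value for a proxy account, verify a password against one, and render or parse the double-colon LDIF form the documentation shows. Sample passwords and salts are constructed.

```python
"""Generate and verify an LDAP {SSHA} userPassword value.

Added example, not from the thread. Lets an admin set their own
proxy-account password instead of reusing the one printed in the docs.
Sample passwords and salts below are constructed.
"""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20


def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(digest || salt); salt is random unless given."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


def ssha_verify(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    if not stored.startswith('{SSHA}'):
        return False
    try:
        raw = base64.b64decode(stored[len('{SSHA}'):], validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    if len(raw) < SHA1_LEN:       # shorter than one SHA-1 digest: malformed
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword(stored):
    """Render as ldapsearch prints it: '::' marks a base64-encoded value."""
    return 'userPassword:: ' + base64.b64encode(stored.encode('ascii')).decode('ascii')


def ldif_decode(line):
    """Inverse of ldif_userpassword, for reading what the server returned."""
    attr, sep, value = line.partition(':: ')
    if not sep or attr != 'userPassword':
        raise ValueError('not a base64 userPassword LDIF line')
    return base64.b64decode(value).decode('ascii')


if __name__ == '__main__':
    stored = ssha_hash('constructed-proxy-password')
    print(ldif_userpassword(stored))
    print(ssha_verify('constructed-proxy-password', stored))
```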
Re: [Freeipa-users] IPA client installation for Solaris 11.
Sorry about that. So I am looking at the Solaris 10 client documentation here: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

It says to do the following on the Solaris client:

    ldapclient manual ... -a proxyPassword={NS1}fbc123a92116812 ...

What's that proxyPassword for?

Thanks.

On Thu, Apr 10, 2014 at 12:09 PM, Dmitri Pal d...@redhat.com wrote:

On 04/10/2014 11:41 AM, quest monger wrote:

Thanks Rob, those bug reports help. One more question: in the official Solaris 10 documentation, I see this stuff:

    -a proxyPassword={NS1}fbc123a92116812
    userPassword:: e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ==

Is there a way to generate that password hash for a new password? I think that should be part of the documentation; I don't want all Solaris IPA users to be using the same password and corresponding hash.

Can you rephrase the question? It is unclear what hash you are asking about. If you are using IPA you do not need local password hashes.

Thanks.

On Wed, Apr 9, 2014 at 4:36 PM, Rob Crittenden rcrit...@redhat.com wrote:

quest monger wrote:

I have read through the official documentation here for Solaris 10: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

I have found a few web posts on how to make it work for Solaris 11. Have any of you tried adding a Solaris 11 host to an existing IPA server? If so, do you have any documentation/how-tos/instructions that I could use to do the same? Any help is appreciated. I am trying to do this so I can centralize SSH authentication for all my Solaris 11 and Linux hosts.

That is pretty much all we've got. There is a bug open with some documentation updates, https://bugzilla.redhat.com/show_bug.cgi?id=815533 and some more in https://bugzilla.redhat.com/show_bug.cgi?id=801883

We use sssd to help with centralized SSH auth so it probably won't work as smoothly on Solaris as it does on sssd-based Linux systems. See sss_ssh_authorizedkeys(1) and sss_ssh_knownhostsproxy(8). This document describes how it works in IPA: http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf

rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] IPA client installation for Solaris 11.
I have read through the official documentation here for Solaris 10: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

I have found a few web posts on how to make it work for Solaris 11. Have any of you tried adding a Solaris 11 host to an existing IPA server? If so, do you have any documentation/how-tos/instructions that I could use to do the same? Any help is appreciated. I am trying to do this so I can centralize SSH authentication for all my Solaris 11 and Linux hosts.

Thanks.