Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Jan Cholasta

On 25.9.2013 10:17, Martin Kosek wrote:
> On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
>> On Tue, 24 Sep 2013, Alexandre Ellert wrote:
>>> Hi,
>>>
>>> I've successfully set up a testing environment with an IPA server (RHEL 6.4)
>>> and a cross-realm trust with my Active Directory (Win2008 R2).
>>> Authentication works both with AD passwords and Kerberos GSS-API.
>>>
>>> Now, I'm trying to find a way to manage ssh keys which belong to AD
>>> users. It seems that I can do that only with users declared in the IPA
>>> domain. Can you confirm that?
>>
>> Yes. AD users do not exist physically in IPA LDAP, therefore there is no
>> object to assign attributes to.
>>
>>> Does the winsync method provide a way to add ssh keys to an AD user?
>>
>> Under winsync AD users would become 'normal' LDAP objects in IPA,
>> therefore you can assign additional values/attributes to them.
>
> Though note that with winsync one would lose all the SSO capabilities...
>
> Alexander, I am just thinking about possibilities. We now have the concept of
> external groups in FreeIPA which one can then use as members of normal POSIX
> groups and use them in HBAC or other policies.
>
> Would it be possible to create external users, i.e. user entries identified
> by FQDN/SID, and then be able to assign a selected set of user attributes (like
> SSH public key, home directory, shell...) which could then be leveraged by SSSD?
>
> Martin

I think that if you add the proper schema to AD, you can have SSSD directly
use SSH public keys stored in AD.


Honza

--
Jan Cholasta

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Alexander Bokovoy

On Wed, 25 Sep 2013, Martin Kosek wrote:

> Would it be possible to create external users, i.e. user entries identified
> by FQDN/SID, and then be able to assign a selected set of user attributes (like
> SSH public key, home directory, shell...) which could then be leveraged by SSSD?

Not sure it makes sense given that one can manage these attributes in
AD.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Martin Kosek
On 09/25/2013 10:30 AM, Alexander Bokovoy wrote:
> Not sure it makes sense given that one can manage these attributes in
> AD.

True. This may then lead to a RFE for Services for Identity Management for
UNIX Components AD extension... And when it's there, a similar RFE for SSSD to
use the new attributes.

Martin



Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Sumit Bose
On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote:
> Would it be possible to create external users, i.e. user entries identified
> by FQDN/SID, and then be able to assign a selected set of user attributes (like
> SSH public key, home directory, shell...) which could then be leveraged by
> SSSD?

Does anyone know if there is an ssh key management solution for AD? If
yes, I think it would be better to use this and enhance SSSD to fetch
them from AD. The data can then be stored in the sssd cache on the IPA
servers and distributed to the IPA clients with the LDAP exop we already
use to make the AD users available to the clients.

bye,
Sumit

 

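Following up on Jan's note that SSH public keys could live in AD under an added schema and Sumit's proposal to have SSSD fetch them, here is an added example (not code from this thread, from SSSD or from FreeIPA) of the validation a consumer should apply to such attribute values before they reach sshd: each value must be a single bare key whose base64 blob carries the same type tag as its text prefix, so an attribute value holding a newline or an authorized_keys option cannot smuggle extra lines or options into the user's key list. The attribute name `sshPublicKey`, the sample entry and the key blobs are constructed for this example, not real AD data or real keys.

```python
import base64, struct

ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}  # what sshd accepts

def _type_tag(blob):
    # First SSH wire string (uint32 length + bytes) of a key blob; None if truncated.
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n] if len(blob) >= 4 + n else None

def parse_public_key(value):
    # Validate one 'type base64 [comment]' value and return (type, b64, comment).
    # Rejects (ValueError) embedded line breaks, leading authorized_keys options,
    # unknown types, bad base64, and blobs whose type tag contradicts the prefix.
    if "\n" in value or "\r" in value:
        raise ValueError("embedded line break")
    parts = value.split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        raise ValueError("not a bare key of a supported type")
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    if _type_tag(blob) != parts[0].encode():
        raise ValueError("blob type tag does not match %r" % parts[0])
    return parts[0], parts[1], (parts[2] if len(parts) == 3 else "")

def authorized_keys_for(entry, attr="sshPublicKey"):
    # Return (accepted_lines, rejected_values); rejects are kept so they can be logged.
    accepted, rejected = [], []
    for raw in entry.get(attr, []):
        try:
            accepted.append(" ".join(p for p in parse_public_key(raw) if p))
        except ValueError:
            rejected.append(raw)
    return accepted, rejected

def sample_blob(ktype, payload=b"\x01" * 32):
    # Constructed (not real) key blob: type tag followed by one opaque field.
    raw = b"".join(struct.pack(">I", len(f)) + f for f in (ktype.encode(), payload))
    return base64.b64encode(raw).decode()

GOOD_ED = "ssh-ed25519 %s aellert@AD" % sample_blob("ssh-ed25519")
GOOD_RSA = "ssh-rsa %s" % sample_blob("ssh-rsa")
SAMPLE_ENTRY = {  # constructed entry; 'sshPublicKey' is a hypothetical AD attribute
    "sshPublicKey": [
        GOOD_ED, GOOD_RSA,
        'command="/bin/true" ' + GOOD_RSA,                 # options smuggled in
        GOOD_RSA + "\nssh-rsa " + sample_blob("ssh-rsa"),  # extra line injected
        "ssh-rsa %s" % sample_blob("ssh-dss"),            # prefix/blob mismatch
        "ssh-rsa ----not-base64----",                     # not base64 at all
    ],
}
```

In a deployment this check belongs in the fetching component (SSSD's sss_ssh_authorizedkeys helper, called through sshd's AuthorizedKeysCommand, plays that role); the rejected list exists to be logged rather than silently dropped.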


Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Alexander Bokovoy

On Wed, 25 Sep 2013, Sumit Bose wrote:

> Does anyone know if there is an ssh key management solution for AD? If
> yes, I think it would be better to use this and enhance SSSD to fetch
> them from AD. The data can then be stored in the sssd cache on the IPA
> servers and distributed to the IPA clients with the LDAP exop we already
> use to make the AD users available to the clients.

Yes, there are a few commercial solutions. Many of them use their own
schemes, so supporting them would need to work on multiple different
schemes.

http://tools.ietf.org/html/draft-ylonen-sshkeybcp-01 describes recommended
practices.


--
/ Alexander Bokovoy



Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Sumit Bose
On Wed, Sep 25, 2013 at 12:01:38PM +0300, Alexander Bokovoy wrote:
> Yes, there are a few commercial solutions. Many of them use their own
> schemes, so supporting them would need to work on multiple different
> schemes.
>
> http://tools.ietf.org/html/draft-ylonen-sshkeybcp-01 describes recommended
> practices.

Thank you for the details. So it looks like this might be an interesting
RFE.

bye,
Sumit

 
 



Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Dmitri Pal
On 09/25/2013 06:34 AM, Martin Kosek wrote:
> On 09/25/2013 11:15 AM, Sumit Bose wrote:
>> Thank you for the details. So it looks like this might be an interesting
>> RFE.
>>
>> bye,
>> Sumit
>
> Agreed.
>
> I filed a RFE ticket: https://fedorahosted.org/sssd/ticket/2099
>
> Martin



And to get back to the original question. When you have trusts and HBAC,
why do you need SSH keys?
They do not add any value and become a burden to manage.
You can use your Kerberos ticket to access the systems you need, and the systems
would check if you are allowed to access them, so I fail to see the need for
SSH keys in this case at all. What am I missing?


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.







[Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-24 Thread Alexandre Ellert
Hi,

I've successfully set up a testing environment with an IPA server (RHEL 6.4) and
a cross-realm trust with my Active Directory (Win2008 R2).
Authentication works both with AD passwords and Kerberos GSS-API.

Now, I'm trying to find a way to manage ssh keys which belong to AD users. It
seems that I can do that only with users declared in the IPA domain.
Can you confirm that?
Does the winsync method provide a way to add ssh keys to an AD user?

Your suggestions are welcome.

Thanks.

Alexandre.



Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-24 Thread Alexander Bokovoy

On Tue, 24 Sep 2013, Alexandre Ellert wrote:

> Now, I'm trying to find a way to manage ssh keys which belong to AD
> users. It seems that I can do that only with users declared in the IPA
> domain. Can you confirm that?

Yes. AD users do not exist physically in IPA LDAP, therefore there is no
object to assign attributes to.

> Does the winsync method provide a way to add ssh keys to an AD user?

Under winsync AD users would become 'normal' LDAP objects in IPA,
therefore you can assign additional values/attributes to them.


--
/ Alexander Bokovoy
