Re: [Freeipa-users] FreeIPA client setup in AWS

2013-10-09 Thread Mohan Cheema
r -p /opt/ssh
# cd /opt/ssh
# wget http://packages.us-east-1.amazonaws.com/2013.09/main/201309001984/x86_64/Packages/openssh-server-6.2p2-4.34.amzn1.x86_64.rpm
# wget http://packages.us-east-1.amazonaws.com/2013.09/main/201309001984/x86_64/Packages/openssh-6.2p2-4.34.amzn1.x86_64.rpm
# wget http://packages.us-east-1.amazonaws.com/2013.09/main/201309001984/x86_64/Packages/openssh-clients-6.2p2-4.34.amzn1.x86_64.rpm
# rpm -Uvh *.rpm
# yum update -y

# ipa-client-install --server kdc1.iocs-systems.internal --server kdc2.iocs-systems.internal --domain IOCS-SYSTEMS.INTERNAL --fixed-primary --mkhomedir

# vi /etc/ssh/sshd_config

Add the following lines at the end:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

# service sshd restart
# mkdir -p /etc/selinux/targeted/logins

That's it.

Regards,

Mohan 

> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Friday, October 04, 2013 2:03 PM
> To: Mohan Cheema; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA client setup in AWS
> 
> Mohan Cheema wrote:
> > Hi,
> >
> > We have a number of Amazon AMIs (Amazon Linux) in AWS. As this is based
> > on RHEL we installed a number of packages to enable users on those
> > machines to get authenticated against IPA. The client gets configured
> > with the below warning.
> >
> > ---
> > WARNING Installed OpenSSH server does not support dynamically loading
> > authorized user keys. Public key authentication of IPA users will not be
> > available.
> > ---
> >
> > When a user tries to authenticate, the SSH connection is dropped; the
> > IPA server issues the authentication ticket to the machine.
> >
> > Packages that have been installed:
> >
> > --
> > ipa-python-3.0.0-25.el6.x86_64.rpm
> > python-ldap-2.3.10-1.el6.x86_64.rpm
> > cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64.rpm
> > pam_krb5-2.3.11-9.el6.i686.rpm
> > sssd-1.9.2-82.el6.x86_64.rpm
> > certmonger-0.61-3.el6.x86_64.rpm
> > oddjob-mkhomedir-0.30-5.el6.x86_64.rpm
> > python-krbV-1.0.90-3.el6.x86_64.rpm
> > libsss_autofs-1.9.2-82.el6.x86_64.rpm
> > autofs-5.0.5-73.el6.x86_64.rpm
> > nfs-utils-1.2.3-36.el6.x86_64.rpm
> > sssd-client-1.9.2-82.el6.x86_64.rpm
> > python-kerberos-1.1-6.2.el6.x86_64.rpm
> > python-nss-0.13-1.el6.x86_64.rpm
> > python-lxml-2.2.3-1.1.el6.x86_64.rpm
> > python-netaddr-0.7.5-4.el6.noarch.rpm
> > pyOpenSSL-0.10-2.el6.x86_64.rpm
> > libipa_hbac-python-1.9.2-82.el6.x86_64.rpm
> > libgssglue-0.1-11.el6.x86_64.rpm
> > nfs-utils-lib-1.1.5-6.el6.x86_64.rpm
> > rpcbind-0.2.0-11.el6.x86_64.rpm
> > oddjob-0.30-5.el6.x86_64.rpm
> > libipa_hbac-1.9.2-82.el6.x86_64.rpm
> > libldb-1.1.13-3.el6.x86_64.rpm
> > libsss_idmap-1.9.2-82.el6.x86_64.rpm
> > libevent-1.4.13-4.el6.x86_64.rpm
> > libtalloc-2.0.7-2.el6.x86_64.rpm
> > keyutils-1.4-4.el6.x86_64.rpm
> > libdhash-0.4.2-9.el6.x86_64.rpm
> > libtirpc-0.2.1-5.el6.x86_64.rpm
> > ipa-client-3.0.0-25.el6.x86_64.rpm
> > libtevent-0.9.17-1.el6.x86_64.rpm
> > libtdb-1.2.10-1.el6.x86_64.rpm
> > libini_config-0.6.1-9.el6.x86_64.rpm
> > libcollection-0.6.0-9.el6.x86_64.rpm
> > libpath_utils-0.2.1-9.el6.x86_64.rpm
> > libref_array-0.1.1-9.el6.x86_64.rpm
> > c-ares-1.7.0-6.el6.x86_64.rpm
> > samba4-libs-4.0.0-55.el6.rc4.x86_64.rpm
> > libnl-1.1-14.el6.x86_64.rpm
> > --
> >
> > Are there any other packages that need to be installed to make it work?
> >
> > Below is the ssh version:
> >
> > # rpm -qa | grep ssh
> > libssh2-1.4.2-1.10.amzn1.x86_64
> > openssh-6.2p2-4.34.amzn1.x86_64
> > openssh-clients-6.2p2-4.34.amzn1.x86_64
> > openssh-server-6.2p2-4.34.amzn1.x86_64
> 
> I'm guessing the problem is the Amazon-specific version of ssh. It needs
> to support one of these command combinations:
> 
> AuthorizedKeysCommand and AuthorizedKeysCommandUser
> AuthorizedKeysCommand and AuthorizedKeysCommandRunAs
> PubKeyAgent and PubKeyAgentRunAs
> 
> /var/log/ipaclient-install.log should contain the output of the probing
> for this support.
> 
> rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] FreeIPA client setup in AWS

2013-10-04 Thread Rob Crittenden

Mohan Cheema wrote:

Hi,

We have a number of Amazon AMIs (Amazon Linux) in AWS. As this is based on
RHEL we installed a number of packages to enable users on those machines to
get authenticated against IPA. The client gets configured with the below
warning.

---
WARNING Installed OpenSSH server does not support dynamically loading
authorized user keys. Public key authentication of IPA users will not be
available.
---

When a user tries to authenticate, the SSH connection is dropped; the IPA
server issues the authentication ticket to the machine.

Packages that have been installed:

--
ipa-python-3.0.0-25.el6.x86_64.rpm
python-ldap-2.3.10-1.el6.x86_64.rpm
cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64.rpm
pam_krb5-2.3.11-9.el6.i686.rpm
sssd-1.9.2-82.el6.x86_64.rpm
certmonger-0.61-3.el6.x86_64.rpm
oddjob-mkhomedir-0.30-5.el6.x86_64.rpm
python-krbV-1.0.90-3.el6.x86_64.rpm
libsss_autofs-1.9.2-82.el6.x86_64.rpm
autofs-5.0.5-73.el6.x86_64.rpm
nfs-utils-1.2.3-36.el6.x86_64.rpm
sssd-client-1.9.2-82.el6.x86_64.rpm
python-kerberos-1.1-6.2.el6.x86_64.rpm
python-nss-0.13-1.el6.x86_64.rpm
python-lxml-2.2.3-1.1.el6.x86_64.rpm
python-netaddr-0.7.5-4.el6.noarch.rpm
pyOpenSSL-0.10-2.el6.x86_64.rpm
libipa_hbac-python-1.9.2-82.el6.x86_64.rpm
libgssglue-0.1-11.el6.x86_64.rpm
nfs-utils-lib-1.1.5-6.el6.x86_64.rpm
rpcbind-0.2.0-11.el6.x86_64.rpm
oddjob-0.30-5.el6.x86_64.rpm
libipa_hbac-1.9.2-82.el6.x86_64.rpm
libldb-1.1.13-3.el6.x86_64.rpm
libsss_idmap-1.9.2-82.el6.x86_64.rpm
libevent-1.4.13-4.el6.x86_64.rpm
libtalloc-2.0.7-2.el6.x86_64.rpm
keyutils-1.4-4.el6.x86_64.rpm
libdhash-0.4.2-9.el6.x86_64.rpm
libtirpc-0.2.1-5.el6.x86_64.rpm
ipa-client-3.0.0-25.el6.x86_64.rpm
libtevent-0.9.17-1.el6.x86_64.rpm
libtdb-1.2.10-1.el6.x86_64.rpm
libini_config-0.6.1-9.el6.x86_64.rpm
libcollection-0.6.0-9.el6.x86_64.rpm
libpath_utils-0.2.1-9.el6.x86_64.rpm
libref_array-0.1.1-9.el6.x86_64.rpm
c-ares-1.7.0-6.el6.x86_64.rpm
samba4-libs-4.0.0-55.el6.rc4.x86_64.rpm
libnl-1.1-14.el6.x86_64.rpm
--

Are there any other packages that need to be installed to make it work?

Below is the ssh version:

# rpm -qa | grep ssh
libssh2-1.4.2-1.10.amzn1.x86_64
openssh-6.2p2-4.34.amzn1.x86_64
openssh-clients-6.2p2-4.34.amzn1.x86_64
openssh-server-6.2p2-4.34.amzn1.x86_64


I'm guessing the problem is the Amazon-specific version of ssh. It needs
to support one of these command combinations:

AuthorizedKeysCommand and AuthorizedKeysCommandUser
AuthorizedKeysCommand and AuthorizedKeysCommandRunAs
PubKeyAgent and PubKeyAgentRunAs

/var/log/ipaclient-install.log should contain the output of the probing
for this support.

rob
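Both messages turn on the same thing: sshd must honour one of the command/run-as directive pairs Rob lists, and Mohan's fix appends AuthorizedKeysCommand and AuthorizedKeysCommandUser to the end of sshd_config. Appending is only safe if sshd actually ends up using those lines, and sshd_config(5) has two rules that can silently defeat it: for each keyword the first value in the file wins, and every line after a Match line belongs to that Match block rather than to the global section. The script below is an added example written for this archive page, not code from the thread, FreeIPA or SSSD. It parses an sshd_config with those rules, reports which directive pair is globally effective, and flags the two failure modes plus a root run-as user. It assumes a single config file (no Include directives, no Match all resets); the three sample configs are constructed for the demonstration.

```python
"""Check whether an sshd_config actually enables SSSD-backed key lookup.

Added example for this archive page, not code from the thread, FreeIPA or
SSSD. It applies the parsing rules of sshd_config(5): keywords are
case-insensitive, '#' starts a comment, 'keyword value' and 'keyword=value'
are both accepted, for each keyword the FIRST value found wins, and every
line after a 'Match' line belongs to that Match block. Include directives
and 'Match all' resets are not handled (assumption: a single config file).
"""
import re

# The directive pairs ipa-client-install probes for (listed in Rob's reply).
SUPPORTED_PAIRS = (
    ("authorizedkeyscommand", "authorizedkeyscommanduser"),
    ("authorizedkeyscommand", "authorizedkeyscommandrunas"),
    ("pubkeyagent", "pubkeyagentrunas"),
)

# Constructed sample configs (not taken from any real host).
GOOD_CONFIG = """\
Port 22
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
"""

SHADOWED_CONFIG = """\
AuthorizedKeysCommand none
UsePAM yes
# appended at the end, but the earlier 'none' is what sshd uses
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
"""

IN_MATCH_CONFIG = """\
UsePAM yes
Match User deploy
    PasswordAuthentication no
# appended at the end, but the file ends in a Match block
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
"""


def parse_global_directives(config_text):
    """Return {keyword: first_value} for the global (pre-Match) section."""
    effective = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True                    # everything below is conditional
            continue
        if in_match:
            continue
        effective.setdefault(keyword, value)   # first occurrence wins
    return effective


def check_sss_key_lookup(config_text):
    """Return (ok, findings): ok is True only when a supported directive pair
    is globally effective, points at sss_ssh_authorizedkeys by absolute path,
    and runs the helper as a non-root user."""
    g = parse_global_directives(config_text)
    findings = []
    pair = next((p for p in SUPPORTED_PAIRS if p[0] in g and p[1] in g), None)
    if pair is None:
        findings.append("no supported command/run-as pair is effective in the "
                        "global section (missing, or placed after a Match block)")
        return False, findings
    cmd_key, user_key = pair
    cmd, user = g[cmd_key], g[user_key]
    if not cmd or cmd.lower() == "none":
        findings.append(f"{cmd_key} is '{cmd}': an earlier setting shadows the "
                        "appended one, since sshd keeps the first value")
    elif not cmd.startswith("/"):
        findings.append(f"{cmd_key} must be an absolute path, got {cmd!r}")
    elif not cmd.split()[0].endswith("/sss_ssh_authorizedkeys"):
        findings.append(f"{cmd_key} does not point at sss_ssh_authorizedkeys: {cmd!r}")
    if user.lower() == "root":
        findings.append(f"{user_key} is root; run the lookup helper as an "
                        "unprivileged account such as nobody")
    return not findings, findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("shadowed", SHADOWED_CONFIG),
                      ("in-match", IN_MATCH_CONFIG)):
        ok, findings = check_sss_key_lookup(cfg)
        print(f"{name}: {'OK' if ok else 'PROBLEM'}")
        for f in findings:
            print("  -", f)
```

Run it against a copy of /etc/ssh/sshd_config by passing the file's contents to check_sss_key_lookup; only the first sample passes, the other two show why "add at the end" can leave the warning in place even though the directives are present. On the host itself, `sshd -T` prints the values sshd will actually use, which is the authoritative check after editing the file and before restarting the service.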
