| Both sides previous revision
Previous revision
Next revision
|
Previous revision
Next revision
Both sides next revision
|
cluster:157 [2017/03/29 13:38]
hmeij07 [Centralize Key Management] |
cluster:157 [2017/04/06 15:39]
hmeij07 |
| * http://toolkit.globus.org/toolkit/about.html for GSI-OpenSSH | * http://toolkit.globus.org/toolkit/about.html for GSI-OpenSSH |
| |
| I asked the OpenHPC community and got some great suggestions back. One involved using Kerberos without tickets and tying into Active Directoy. I quickly realized not all AD installations are publicly exposed. I'm providing Alan's comments below for future reference. | I asked the OpenHPC community and got some great suggestions back. One involved using Kerberos without tickets and tying into Active Directory. I quickly realized not all AD installations are publicly exposed. I'm providing Alan Sill's comments below for future reference. Another suggestion was to centrally manage SSH keys for password less login functionality, by Derek Simmel. |
| | |
| | ** SSH public key authentication** |
| | |
| | In the ''/etc/ssh/sshd_config'' file, specify the path to user SSH public key files using a description like: |
| | |
| | * ''AuthorizedKeysFile /etc/ssh/authorized_keys/%u'' |
| | |
| | For this example, the /etc, /etc/ssh, and /etc/ssh/authorized_keys are directories owned and only writable by root. The sshd service interprets ''%u'' as the authenticated user's username on the system. So in this approach, every user has a file named after their username in the ''/etc/ssh/authorized_keys'' directory, root-owned. |
| | |
| | <code> |
| | |
| | # ls -ld /etc /etc/ssh /etc/ssh/authorized_keys |
| | drwxr-xr-x. 135 root root 12288 Mar 23 16:59 /etc |
| | drwxr-xr-x. 3 root root 4096 Nov 9 14:02 /etc/ssh |
| | drwxr-xr-x 2 root root 4096 Nov 9 14:01 /etc/ssh/authorized_keys |
| | -r--r--r-- 2 root root 1024 Mar 29 11:01 /etc/ssh/authorized_keys/weshmeij |
| | |
| | </code> |
| | |
| | Unique usernamaes and UID/GID need to be created. We need a simple web page where public keys ''ssh-keygen -t rsa'' can be uploaded with username requested. The username will be prefixed by first 3 characters of College ('wes' for Wesleyan, 'laf' for Lafayette', etc). Script figures from passwd file which UID/GID is next, then |
| | |
| | <code> |
| | nid=15001 |
| | pre=wes |
| | unm=hmeij |
| | [root@ ~]# echo "$pre$unm:x:$nid" >> /etc/group |
| | [root@ ~]# useradd -u $nid -g $nid $pre$unm |
| | [root@ ~]# echo "`date | md5sum | awk '{print $1}'`" | passwd $pre$unm --stdin |
| | [root@ ~]# cp /tmp/$upfile /etc/ssh/authorized_keys/$pre$unm |
| | [root@ ~]# chmod 0444 /etc/ssh/authorized_keys/$pre$unm |
| | </code> |
| | |
| | We need ''root'' authorized keys from each site so that from each college the respective block of UID/GID canbe grabbed and added to local passwd, shadow and group files. |
| | |
| | Hmm, this requires that at CollegeA user hmeij can switch to weshmeij credentials before connecting to CollegeB (echo "$unm $localhost=/bin/su - $pre$unm" >> /etc/sudoers"). Not pretty. |
| |
| |
| <code> | <code> |
| |
| 1. install pam by run commands "yum install pam", "yum install pam_krb5", and "yum install pam_ssh". The last package is needed on a log-in node, it's not required on compute nodes. | 1. install pam by run commands "yum install pam", "yum install pam_krb5", and "yum install pam_ssh". |
| | The last package is needed on a log-in node, it's not required on compute nodes. |
| |
| 2. Modify /etc/krb5.conf as below | 2. Modify /etc/krb5.conf as below |
| |
| (Note for historical reasons we use both upper case and lower case for our kerberos domains. Both resolkve to the same thing. You may not need this - try it and see.) | (Note for historical reasons we use both upper case and lower case for our kerberos domains. |
| | Both resolve to the same thing. You may not need this - try it and see.) |
| |
| |
| Banner /etc/banner | Banner /etc/banner |
| | |
| 8. Modify /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac as follows, making any changes needed to fit this into your setup. | 8. Modify /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac as follows, |
| | making any changes needed to fit this into your setup. |
| |
| |
| service sshd reload | service sshd reload |
| service ntpd restart | service ntpd restart |
| ntpdate your-univ-ntp-server (e.g., ntp.myuniversiry.edu) (optional, if the difference of the system time to the ntp server time is too long, this command can synchronize the system time to the ntp server) | ntpdate your-univ-ntp-server (e.g., ntp.myuniversiry.edu) |
| | |
| | (optional, if the difference of the system time to the ntp server time is too long, |
| | this command can synchronize the system time to the ntp server) |
| |
| 10. If all the above steps are done but it still doesn't work, try running some or all of the following | 10. If all the above steps are done but it still doesn't work, try running some |
| | or all of the following |
| |
| |
| authconfig --test //If the output shows "pam_krb5 is disabled", run "authconfig --enablekrb5 --update" to enable it. If the output shows "pam_krb5 is enabled" and "krb5 kdc via dns is disabled", modify /etc/krb5.conf to make sure it has "dns_lookup_realm = true", and run "service sshd restart" to load the settings then check again. | authconfig --test //If the output shows "pam_krb5 is disabled", |
| | run "authconfig --enablekrb5 --update" to enable it. If the output shows |
| | "pam_krb5 is enabled" and "krb5 kdc via dns is disabled", |
| | modify /etc/krb5.conf to make sure it has "dns_lookup_realm = true", |
| | and run "service sshd restart" to load the settings then check again. |
| |
| </code> | </code> |
