cluster:157 [2017/03/29 13:50] hmeij07 |
cluster:157 [2017/04/06 15:44] hmeij07 |
| |
**SSH public key authentication** | **SSH public key authentication** |
| |
[need a way to collect key files, push them out, and manage passwd/shadow/group so that UIDs/GIDs stay unique and do not clash, like weshmeij, lafjsimms] | |
| |
In the ''/etc/ssh/sshd_config'' file, specify the path to the users' SSH public key files with a directive like: | In the ''/etc/ssh/sshd_config'' file, specify the path to the users' SSH public key files with a directive like: |
* ''AuthorizedKeysFile /etc/ssh/authorized_keys/%u'' | * ''AuthorizedKeysFile /etc/ssh/authorized_keys/%u'' |
| |
For this example, the /etc, /etc/ssh and /etc/ssh/authorized_keys directories are owned by root and writable only by root. | For this example, the /etc, /etc/ssh and /etc/ssh/authorized_keys directories are owned by root and writable only by root. The sshd service expands ''%u'' to the username of the user logging in, so in this approach every user has a root-owned file named after their username in the ''/etc/ssh/authorized_keys'' directory. |
| |
<code> | <code> |
drwxr-xr-x. 3 root root 4096 Nov 9 14:02 /etc/ssh | drwxr-xr-x. 3 root root 4096 Nov 9 14:02 /etc/ssh |
drwxr-xr-x 2 root root 4096 Nov 9 14:01 /etc/ssh/authorized_keys | drwxr-xr-x 2 root root 4096 Nov 9 14:01 /etc/ssh/authorized_keys |
-rwxr-xr-x 2 root root 1024 Mar 29 11:01 /etc/ssh/authorized_keys/weshmeij | -r--r--r-- 2 root root 1024 Mar 29 11:01 /etc/ssh/authorized_keys/weshmeij |
| |
</code> | </code> |
| |
The sshd service expands ''%u'' to the username of the user logging in, so in this approach every user has a root-owned file named after their username in the ''/etc/ssh/authorized_keys'' directory. | Unique usernames and UID/GID pairs need to be created. We need a simple web page where a public key (generated with ''ssh-keygen -t rsa'') can be uploaded together with the requested username. The username is prefixed with the first 3 characters of the college ('wes' for Wesleyan, 'laf' for Lafayette, etc.). A script works out from the passwd file which UID/GID is next, then: |
| |
| <code> |
| nid=15001 |
| pre=wes |
| unm=hmeij |
| upfile=hmeij.pub                # name of the uploaded key file in /tmp (example value) |
| [root@ ~]# groupadd -g $nid $pre$unm                 # writes a well-formed group entry (name:x:GID:) |
| [root@ ~]# useradd -u $nid -g $nid $pre$unm |
| [root@ ~]# head -c 32 /dev/urandom | base64 | passwd $pre$unm --stdin   # unguessable throwaway password; logins use the key |
| [root@ ~]# cp /tmp/$upfile /etc/ssh/authorized_keys/$pre$unm |
| [root@ ~]# chmod 0444 /etc/ssh/authorized_keys/$pre$unm |
| </code> |
| |
| We need ''root'' authorized keys from each site so that each college's block of UID/GID entries can be grabbed and added to the local passwd, shadow and group files. |
| |
Use a secure, automated method to distribute the public key files to each login host's ''/etc/ssh/authorized_keys'' directory; keeping them on a shared mounted filesystem introduces other security and availability issues and is therefore not recommended. | Hmm, this requires that at CollegeA user hmeij can switch to the weshmeij credentials before connecting to CollegeB (''echo "$unm $localhost=/bin/su - $pre$unm" >> /etc/sudoers''). Not pretty. |
| |
| Ahh, since |
| |
**Kerberos & AD** | **Kerberos & AD** |
<code> | <code> |
| |
1. Install PAM by running "yum install pam", "yum install pam_krb5" and "yum install pam_ssh". The last package is needed on a login node; it is not required on compute nodes. | 1. Install PAM by running "yum install pam", "yum install pam_krb5" and "yum install pam_ssh". |
| The last package is needed on a login node; it is not required on compute nodes. |
| |
2. Modify /etc/krb5.conf as below | 2. Modify /etc/krb5.conf as below |
| |
(Note: for historical reasons we use both upper case and lower case for our Kerberos domains. Both resolve to the same thing. You may not need this; try it and see.) | (Note: for historical reasons we use both upper case and lower case for our Kerberos domains. |
| Both resolve to the same thing. You may not need this; try it and see.) |
| |
| |
Banner /etc/banner | Banner /etc/banner |
| |
8. Modify /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac as follows, making any changes needed to fit this into your setup. | 8. Modify /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac as follows, |
| making any changes needed to fit this into your setup. |
| |
| |
service sshd reload | service sshd reload |
service ntpd restart | service ntpd restart |
ntpdate your-univ-ntp-server (e.g., ntp.myuniversity.edu) (optional: Kerberos rejects clients whose clocks are too far off, so if the system clock differs too much from the NTP server, this command synchronizes it to the NTP server) | ntpdate your-univ-ntp-server (e.g., ntp.myuniversity.edu) |
| |
| (optional: Kerberos rejects clients whose clocks are too far off, so if the system clock differs |
| too much from the NTP server, this command synchronizes it to the NTP server) |
| |
10. If all the above steps are done but it still doesn't work, try running some or all of the following | 10. If all the above steps are done but it still doesn't work, try running some |
| or all of the following |
| |
| |
authconfig --test //If the output shows "pam_krb5 is disabled", run "authconfig --enablekrb5 --update" to enable it. If the output shows "pam_krb5 is enabled" and "krb5 kdc via dns is disabled", modify /etc/krb5.conf to make sure it has "dns_lookup_realm = true", and run "service sshd restart" to load the settings then check again. | authconfig --test //If the output shows "pam_krb5 is disabled", |
| run "authconfig --enablekrb5 --update" to enable it. If the output shows |
| "pam_krb5 is enabled" and "krb5 kdc via dns is disabled", |
| modify /etc/krb5.conf to make sure it has "dns_lookup_realm = true", |
| and run "service sshd restart" to load the settings then check again. |
| |
</code> | </code> |
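The provisioning steps from the revised text above (prefixed username, next free UID/GID, key copied read-only into ''/etc/ssh/authorized_keys''), written as an added example that is not the wiki author's script: it adds the input checks a practitioner would want before a script writes to passwd and group. It assumes a per-college block of 1000 ids above 15000 (constructed values), a 3-letter lowercase college prefix, and ''awk'' and ''grep -E'' on the login host; only ''provision'' needs root.

```shell
#!/bin/sh
# Added example, not the wiki author's script: the provisioning steps above as
# checked shell functions. Assumptions: each college gets a block of BLOCK ids
# above BASE_UID, the prefix is a 3-letter lowercase college code, and the
# uploaded key file holds a single authorized_keys line (key type first).
BASE_UID=15000
BLOCK=1000

# make_username PREFIX LOCALNAME -> prints e.g. "weshmeij"; rejects unsafe names
make_username() (
    printf '%s' "$1" | grep -Eq '^[a-z]{3}$' || { echo "bad prefix: $1" >&2; exit 1; }
    printf '%s' "$2" | grep -Eq '^[a-z_][a-z0-9_-]{0,28}$' || { echo "bad name: $2" >&2; exit 1; }
    printf '%s\n' "$1$2"
)

# next_uid PASSWD GROUP -> first id in the block that is free as both a UID and a GID
next_uid() (
    n=$(awk -F: -v b="$BASE_UID" -v s="$BLOCK" \
        '$3 > b && $3 < b + s && $3 > m { m = $3 } END { print (m ? m + 1 : b + 1) }' "$1")
    # the page pairs UID and GID one-to-one, so the same number must be free in group too
    while awk -F: -v g="$n" '$3 == g { f = 1 } END { exit !f }' "$2"; do n=$((n + 1)); done
    [ "$n" -lt $((BASE_UID + BLOCK)) ] || { echo "UID block exhausted" >&2; exit 1; }
    printf '%s\n' "$n"
)

# install_key KEYFILE USERNAME DESTDIR -> DESTDIR/USERNAME, mode 0444, never overwritten
install_key() (
    [ "$(grep -c . "$1")" -eq 1 ] || { echo "expected exactly one key line" >&2; exit 1; }
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' "$1" \
        || { echo "not an OpenSSH public key: $1" >&2; exit 1; }
    dest="$3/$2"
    [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; exit 1; }
    cp "$1" "$dest" && chmod 0444 "$dest" || exit 1
    [ "$(id -u)" -ne 0 ] || chown root:root "$dest"   # root-owned, as the sshd_config layout expects
)

# provision PREFIX LOCALNAME KEYFILE -> creates group, user and key file (root only)
provision() (
    user=$(make_username "$1" "$2")
    id=$(next_uid /etc/passwd /etc/group)
    groupadd -g "$id" "$user"
    useradd -u "$id" -g "$id" -m "$user"
    usermod -p '*' "$user"      # no usable password, but not "locked", so key login still works
    install_key "$3" "$user" /etc/ssh/authorized_keys
    echo "created $user with uid/gid $id"
)
```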