DokuWiki

User Tools

Site Tools

Trace:
cluster:157

Warning: Undefined array key -1 in /usr/share/dokuwiki/inc/html.php on line 1458

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
cluster:157 [2017/03/29 09:38]
hmeij07 [Centralize Key Management] 		cluster:157 [2017/04/06 15:31] (current)
hmeij07
Line 4: Line 4:
 ==== Centralize SSH Key Management ==== ==== Centralize SSH Key Management ====
  
-Lest assume we have 3 colleges (CollegeA, CollegeB, CollegeC) and we write a grant proposal and each institution will do something unique science wise. Grant gets funded and specialized hardware or software gets deployed at each college (for maybe brain scan analyses, deep learning, and engineering).+Lets assume we have 3 colleges (CollegeA, CollegeB, CollegeC) and we write a grant proposal and each institution will do something unique science wise. Grant gets funded and specialized hardware or software gets deployed at each college (for maybe brain scan analyses, deep learning, and engineering).
  
 The grant mentioned that all members of participating colleges can request access at any college. How would one do that without a mess developing? Nobody, not even admins, should have access to any user level passwords. Accounts should be able to be revoked. CPU usage should be accountable. In short, some sort of "federated SSH access". Command line access so we can rule out InCommon, it appears not to be ready for this. One option might be GSI-OpenSSH but it looks very complicated. Consult The grant mentioned that all members of participating colleges can request access at any college. How would one do that without a mess developing? Nobody, not even admins, should have access to any user level passwords. Accounts should be able to be revoked. CPU usage should be accountable. In short, some sort of "federated SSH access". Command line access so we can rule out InCommon, it appears not to be ready for this. One option might be GSI-OpenSSH but it looks very complicated. Consult
Line 11: Line 11:
   * http://toolkit.globus.org/toolkit/about.html for GSI-OpenSSH   * http://toolkit.globus.org/toolkit/about.html for GSI-OpenSSH
  
-I asked the OpenHPC community and got some great suggestions back. One involved using Kerberos without tickets and tying into Active Directoy. I quickly realized not all AD installations are publicly exposed. I'm providing Alan's comments below for future reference.+I asked the OpenHPC community and got some great suggestions back. One involved using Kerberos without tickets and tying into Active Directory. I quickly realized not all AD installations are publicly exposed. I'm providing Alan Sill's comments below for future reference. Another suggestion was to centrally manage SSH keys for password less login functionality, by Derek Simmel. 
 + 
 +** SSH public key authentication**  
 + 
 +On a selected collge, behind the firewall, set up a management server. In the ''/etc/ssh/sshd_config'' file, specify the path to user SSH public key files using a description like: 
 + 
 +  * ''AuthorizedKeysFile /etc/ssh/authorized_keys/%u'' 
 + 
 +For this example, the /etc, /etc/ssh, and /etc/ssh/authorized_keys are directories owned and only writable by root.  The sshd service interprets ''%u'' as the authenticated user's username on the system. So in this approach, every user has a file named after their username in the ''/etc/ssh/authorized_keys'' directory, root-owned. 
 + 
 +<code> 
 + 
 + drwxr-xr-x. 135 root root 12288 Mar 23 16:59 /etc 
 + drwxr-xr-x.   3 root root  4096 Nov  9 14:02 /etc/ssh 
 + drwxr-xr-x    2 root root  4096 Nov  9 14:01 /etc/ssh/authorized_keys 
 + -r--r--r--    2 root root  1024 Mar 29 11:01 /etc/ssh/authorized_keys/weshmeij 
 + 
 +</code> 
 + 
 +We need to collect all ''root'' public keys into a single file called ''root''. So that each college can retrieve the guest accounts and add them to their local passwd/shadow/group files. UID/GID ranges and usernames need to be unique. So we can assign ranges 15001-20000, 20001-25000, 25001-30000 for College[A|B|C]. Usernames prefixed with 3 character (wesleyan with wes, lafayette with laf, etc). 
 + 
 +Workflow 
 +  * User hmeij of CollegeA (Wesleyan) requests access to College[B|C], goes to a web site and type in 'hmeij' 
 +  * Script does the following steps, figures out next UID/GID, referer ip yields prefix 
 +    * echo "weshmeij:x:15001" >> /etc/group 
 +    * useradd -u 15001 -g 15001 weshmeij 
 +    * echo `date | md5sum | awk '{print $1}'` | passwd weshmeij --stdin 
 +    * su - weshmeij -c "ssh-keygen -b 2048 -t rsa -f /home/weshmeij/.ssh/weshmeij -q -N '''' " # 4 single quotes before closing double quote 
 +    * mv /home/weshmeij/.ssh/weshmeij.pub /etc/ssh/authorized_keys/weshmeij 
 +    * chown root:root /etc/ssh/authorized_keys/weshmeij 
 +    * cat /home/weshmeij/.ssh/weshmeij # present in browser 
 +    * CollegeA user hmeij saves private key to $HOME/.ssh/weshmeij.priv; alters permissions chmod go-rwx  
 +    * script finishes; rm -f /home/weshmeij/.ssh/weshmeij 
 +    * that night college[A|B|C] root retrieves all lines in the range 15001-30000 
 +      * makes home dirs if they do not exist (parse lines build useradd, or via pam.d/sshd?
 +      * download public keys, updates in /etc/ssh/authorized_keys (rsync with --delete) 
 +      * replaces local passwd/shadow/group with retrieved lines 
 +  * user hmeij@wes: ssh weshmeij@openhpc.lafayette.edu -i /home/hmeij/.ssh/weshmeij.priv 
 + 
 +That would work. Nobody knows the passwords for these guest accounts.
  
  
Line 18: Line 57:
 <code> <code>
  
-1. install pam by run commands "yum install pam", "yum install pam_krb5", and "yum install pam_ssh". The last package is needed on a log-in node, it's not required on compute nodes.+1. install pam by run commands "yum install pam", "yum install pam_krb5", and "yum install pam_ssh" 
 +The last package is needed on a log-in node, it's not required on compute nodes.
  
  2. Modify /etc/krb5.conf as below  2. Modify /etc/krb5.conf as below
  
-(Note for historical reasons we use both upper case and lower case for our kerberos domains. Both resolkve to the same thing. You may not need this - try it and see.)+(Note for historical reasons we use both upper case and lower case for our kerberos domains.  
 +Both resolve to the same thing. You may not need this - try it and see.)
  
  
Line 95: Line 136:
  Banner /etc/banner  Banner /etc/banner
      
- 8. Modify /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac as follows, making any changes needed to fit this into your setup.+ 8. Modify /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac as follows,  
 +making any changes needed to fit this into your setup.
  
  
Line 153: Line 195:
  service sshd reload  service sshd reload
  service ntpd restart  service ntpd restart
- ntpdate your-univ-ntp-server (e.g., ntp.myuniversiry.edu) (optional, if the difference of the system time to the ntp server time is too long, this command can synchronize the system time to the ntp server)+ ntpdate your-univ-ntp-server (e.g., ntp.myuniversiry.edu)  
 + 
 +(optional, if the difference of the system time to the ntp server time is too long,  
 +this command can synchronize the system time to the ntp server)
  
- 10. If all the above steps are done but it still doesn't work, try running some or all of the following+ 10. If all the above steps are done but it still doesn't work, try running some  
 +or all of the following
  
  
- authconfig --test    //If the output shows "pam_krb5 is disabled", run "authconfig --enablekrb5 --update" to enable it. If the output shows "pam_krb5 is enabled" and "krb5 kdc via dns is disabled", modify /etc/krb5.conf to make sure it has "dns_lookup_realm = true", and run "service sshd restart" to load the settings then check again.+ authconfig --test    //If the output shows "pam_krb5 is disabled",  
 +run "authconfig --enablekrb5 --update" to enable it. If the output shows  
 +"pam_krb5 is enabled" and "krb5 kdc via dns is disabled",  
 +modify /etc/krb5.conf to make sure it has "dns_lookup_realm = true",  
 +and run "service sshd restart" to load the settings then check again.
  
 </code> </code>
cluster/157.1490794722.txt.gz · Last modified: 2017/03/29 09:38 by hmeij07

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki