Thanks, Jarrod. I will restart my test, as I must have made an error
somewhere. Will keep you posted on my progress.

--imam

On Wed, Jan 22, 2020 at 11:22 AM Jarrod Johnson <[email protected]>
wrote:

> Note that the root user ignores /etc/ssh/shosts.equiv; root access is only
> through ~root/.shosts.
>
> Depending on how things are and what OS, the other thing I’ve seen is
> ssh-keysign permissions being off. You’d have to show permissions on the
> private keys and check the ssh-keysign permissions: ssh-keysign being
> setgid to ssh_keys and the ssh private host key being group readable
> by the ssh_keys group, for example.
>
> I don’t know if that was the issue, but if you have some info I might
> recognize it.
>
> With FreeIPA, I assume you’d do kerberized ssh for user authentication?
> That’s generally good for node to node within a cluster. One limitation is
> that for a user coming in from outside, I think they would have to enter
> their password once on the way in to get a valid keytab. This isn’t too
> bad, but it’s a bit nicer if I can ssh in with my key and then be able to
> hop on over to other nodes.
>
> Of course, just like I connected the CA approach to known_hosts with host
> based authentication as a strategy, I’m sure you could take FreeIPA host
> key information and do the same thing instead of an SSH CA. I intend to
> make SSH CA easier to use, but if you can do FreeIPA with no problem then
> that should be able to do the same thing.
>
> *From:* Imam Toufique <[email protected]>
> *Sent:* Wednesday, January 22, 2020 1:50 PM
> *To:* xCAT Users Mailing list <[email protected]>
> *Subject:* Re: [xcat-user] [External] Re: host based authentication
>
> Thanks, Jarrod and Joseph!
>
> Jarrod, I am in the process of trying out host-based authentication. I
> might have made an error somewhere, so it does not work yet for me. I
> guess I will keep on it.
>
> Josef, since you are already using freeIPA, do you mind summarizing how
> it can help aid host-based authentication management for local accounts? I
> am very interested in it.
>
> Thanks
>
> On Wed, Jan 22, 2020 at 5:39 AM Jarrod Johnson <[email protected]>
> wrote:
>
> For completion, I'll document what I was discussing.
>
> I strangely can't find my notes, but here's some perspective on how my
> system looks.
>
> First is my global known hosts file. This works to not require a user to
> maintain known_hosts for its normal usage and is a prelude for host based
> authentication:
>
> $ cat /etc/ssh/ssh_known_hosts
> @cert-authority * ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBum8H7Wf8k3vLBI8+mEZtvklpb0UxsLXrswMoXfLfELq70iLcmGqg3gcRSR7eUSyj/HQHxQYrH7l9/2mVrvn6M= root@leonidas
>
> With this, the set of private ssh keys associated with that line can use
> ssh-keygen to sign public keys. It does not allow all keys signed by the
> CA to authenticate; you will also need an /etc/shosts.equiv, which is just
> a list of IPs and/or names. Unlike rhosts usage, wildcards are not
> allowed, so the list will ultimately have to have each and every node
> listed in it.
>
> For a client to use ssh client-side host based authentication:
> Host <entry>
>    HostbasedAuthentication yes
>    EnableSSHKeysign yes
>
> The EnableSSHKeysign is what tells ssh-keysign that it's ok to use the
> host private key on behalf of users.
>
> In sshd_config:
> HostbasedAuthentication yes
> HostbasedUsesNameFromPacketOnly yes
> IgnoreRhosts no (to use ~/.shosts)
>
> Some material on host based authentication:
> https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication
>
> Mix and match with CA to get the above:
> https://www.lorier.net/docs/ssh-ca.html
>
> For reference, my plans are for a new node authentication scheme for
> provisioning (to enable some tighter security) and plan for it to always
> enable host based authentication (convenient for local accounts, including
> node to node ssh as root if desired, while using a moderately sane strategy
> for key management) and, based on user configuration, either nothing more,
> freeipa, or active directory joining. This would make control over the
> security behaviors a bit more straightforward and lock in some more
> hardened options than xCAT currently offers.
>
> As an aside, my current thinking in this future strategy is for the
> default behavior when not specifying a root password to change from 'not
> able to work' to 'deploy with root password access disabled, root access by
> key only'.
>
> -----Original Message-----
> From: Josef Dvoracek <[email protected]>
> Sent: Wednesday, January 22, 2020 4:28 AM
> To: [email protected]
> Subject: [External] Re: [xcat-user] host based authentication
>
> > I’m using FreeIPA too so the hostkeys are stored on LDAP, it's
> > integrated.
>
> Thanks for mentioning this. I was struggling to design a simple AND secure
> hostkey deployment mechanism. Good to know freeIPA can manage this.
>
> cheers
>
> josef
>
> On 21. 01. 20 23:28, Vinícius Ferrão via xCAT-user wrote:
> ...
>
> Josef Dvoracek
> Institute of Physics | Czech Academy of Sciences
> cell: +420 608 563 558 | office: +420 266 052 669 | fzu phone nr.: 2669
>
> _______________________________________________
> xCAT-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/xcat-user
>
> --
> Regards,
> *Imam Toufique*
> *213-700-5485*


-- 
Regards,
*Imam Toufique*
*213-700-5485*
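Added example, not from the thread and not xCAT code: the prerequisites Jarrod lists above (the three sshd_config directives, a wildcard-free shosts.equiv, ssh-keysign carrying the setgid or setuid bit, and host private keys not readable by other) turned into a small POSIX shell audit that a node can run on itself before anyone starts guessing why host-based authentication fails. Assumptions: the two ssh-keysign locations tried are common packaging paths and may differ on your distribution; the function names and the `--audit` flag are mine; each check takes a file path so it can also be pointed at a copied file.

```shell
#!/bin/sh
# Added example (not from the thread or from xCAT): sanity checks for the
# host-based authentication prerequisites discussed on the list.

# check_sshd_config FILE Key=value ...
# Succeeds when FILE sets each directive to the wanted value. sshd uses the
# first occurrence of a directive, so the first non-comment match wins;
# keys and values are compared case-insensitively, as sshd does.
check_sshd_config() {
    file=$1; shift
    for want in "$@"; do
        key=${want%%=*}
        val=${want#*=}
        got=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$file")
        [ "$(printf '%s' "$got" | tr '[:upper:]' '[:lower:]')" = \
          "$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]')" ] || return 1
    done
    return 0
}

# check_shosts_equiv FILE
# shosts.equiv takes no wildcards (every node must be listed explicitly),
# so fail on '*' or '?' anywhere, or on a bare '+' line, the classic
# rhosts "trust everyone" entry.
check_shosts_equiv() {
    grep -v '^[[:space:]]*#' "$1" | grep -q '[*?]' && return 1
    grep -q '^[[:space:]]*+[[:space:]]*$' "$1" && return 1
    return 0
}

# check_keysign FILE
# ssh-keysign must run with enough privilege to read the host private key:
# setgid to a key-owning group (Jarrod's ssh_keys example) or setuid root.
check_keysign() {
    [ -f "$1" ] && { [ -g "$1" ] || [ -u "$1" ]; }
}

# check_host_key_perms FILE
# A private host key must not be readable by "other"; group read is fine
# only when ssh-keysign is setgid to that group. Parses ls output, so it
# works without the GNU-only stat -c.
check_host_key_perms() {
    perms=$(ls -ld "$1" | cut -c8-10)
    [ "$perms" = "---" ]
}

# audit_host: run the checks against the live system. The ssh-keysign
# paths are assumptions (RHEL-style and Debian-style packaging).
audit_host() {
    rc=0
    check_sshd_config /etc/ssh/sshd_config \
        HostbasedAuthentication=yes HostbasedUsesNameFromPacketOnly=yes IgnoreRhosts=no \
        || { echo "sshd_config: missing a host-based authentication directive"; rc=1; }
    if [ -f /etc/ssh/shosts.equiv ]; then
        check_shosts_equiv /etc/ssh/shosts.equiv \
            || { echo "shosts.equiv: wildcard or bare '+' entry found"; rc=1; }
    else
        echo "shosts.equiv: /etc/ssh/shosts.equiv not found"; rc=1
    fi
    # root ignores shosts.equiv; node-to-node root needs ~root/.shosts
    [ -f /root/.shosts ] || echo "note: no /root/.shosts, so root gets no host-based access"
    keysign=""
    for p in /usr/libexec/openssh/ssh-keysign /usr/lib/openssh/ssh-keysign; do
        [ -f "$p" ] && { keysign=$p; break; }
    done
    if [ -n "$keysign" ]; then
        check_keysign "$keysign" || { echo "$keysign: neither setgid nor setuid"; rc=1; }
    else
        echo "ssh-keysign: not found in the assumed locations"; rc=1
    fi
    for k in /etc/ssh/ssh_host_*_key; do
        [ -f "$k" ] || continue
        check_host_key_perms "$k" || { echo "$k: readable by other"; rc=1; }
    done
    return $rc
}

# Only touch the live system when asked, so the functions can be sourced
# and exercised against fixture files as well.
[ "${1-}" = "--audit" ] && audit_host
```

Run it on a node with `sh hba_check.sh --audit` (any file name works); a non-zero exit means at least one prerequisite is missing, and each message names the file to look at. The directive check deliberately uses the first match, because a later duplicate line in sshd_config is ignored by sshd and is a common reason a "yes" added at the bottom of the file has no effect.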