In this model, starting from example one, we will see how to make a more secure authentication in the system using the best of Kerberos and Ldap technologies.
For this example, in the Client we will see how the System-Auth works with these two technologies, and we will perform a series of checks to make sure it works correctly.
Docker Images used for this example:
I Made this example for show how to configure your Ldap Server , anyway if you only want check how to it works , maybe be interesed in this another explanation.Automated Build and How it Works
- Openldap Server for use to backup user information
- Secure GSSAPI Authentification for LDAP client utilities
- Secure connection between client and server using StartTLS
- Fastest operations with LDAP Client Utilities
- Secure authentification through Kerberos
- Nslcd and nsswitch file configurated for host retrieving
- Own Certificates for CA and Server with properly FQDN in Server Certificate.
- LDAP Server: ldap.edt.org 172.18.0.2
- Kerberos Server: kserver.edt.org 172.18.0.3
- Client: client.edt.org 172.18.0.8
Starting from the base that we already have an openldap server running without these technologies.
To properly configure the servers and the client, we have to be careful in 3 essential things.
- Need to have working the GSSAPI Auth On LDAP Server , if you dont have it please see Example 1
- Configure sssd service for Kerberos Auth , Take information from LDAP, and finally use kerberos password instead ldap
- Configure auth-config for enable sssd Service
- Check if Pam is properly configured
- Try in client to login with an user with principal created and another one without
In our case for this example we will use some docker containers that I created for the occasion. In these containers are already made the modifications, are just an example, you can do it on your own server If you dont want use my examples , go directly to Configure.
Note: My Containers can communicate between them , because i configurated ldap for do ip resolution Here , if u don't using my containers , you should put all container entries in /etc/hosts for each container , like this.
172.18.0.2 ldap.edt.org
172.18.0.3 kserver.edt.org
172.18.0.8 client.edt.org
This is for a very important reason, we need to always have the same container IP for the proper Ip distribution through LDAP and NSLCD. In the default Bridge Network , we can't assign ips for containers
# docker network create --subnet 172.18.0.0/16 -d bridge ldap# docker run --name ldap --hostname ldap.edt.org --net ldap --ip 172.18.0.2 --detach antagme/ldap_sssd# docker run --name kerberos --hostname kserver.edt.org --net ldap --ip 172.18.0.3 --detach antagme/kerberos:supervisord# docker run --name client --hostname client.edt.org --net ldap --ip 172.18.0.8 --detach antagme/client:pam_tlsThese dockers containers are not interactive, to access you have to do the following order:
docker exec --interactive --tty [Docker Name] bash
If you preffer to use an Automated Builds , can take the script i created for this.HERE
Configure sssd service for Kerberos Auth , Take information from LDAP, and finally use kerberos password instead ldap
We gonna configure the sssd , the official daemon offered by Fedora for Control Authentification in the System and configure the Backends and use it in authconfig.
The first step you need is install the Packets of SSSD with this command: dnf install -y sssd sssd-client authconfig
Note:You should install authconfig packet too for configure system-auth
Installed this , we gonna configure the sssd.conf file. The key parts is configure our kerberos and ldap servers for the properly authentification to system.
Lets see the file:
[sssd]
config_file_version = 2
domains = default
services = pam, nss
[domain/default]
id_provider = ldap
ldap_uri = ldap://172.18.0.2
ldap_search_base = dc=edt,dc=org
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EDT.ORG
krb5_server = 172.18.0.3
krb5_kpasswd = 172.18.0.3
cache_credentials = True
krb5_store_password_if_offline = True
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5This is my configuration , maybe this can be better , anyway sssd is a pussy daemon. Now , we gonna profundize through the key parts.
-
[domain/default]
id_provider = ldapDefine what is our id provider. (if the entry doesnt exist on ldap , can't enter to the system)ldap_uri = ldap://172.18.0.2Our ldap uri (Some problem on Docker with DNS i resolve this putting Ip instead FQDN)ldap_search_base = dc=edt,dc=orgBase of the LDAP Backendauth_provider = krb5Define who is the authentification provider , in our case we wants to auth through kerberos for PAMchpass_provider = krb5Define who is the Password PAM provider , in our case is kerberoskrb5_realm = EDT.ORGDefine who is our kerberos5 REALMkrb5_server = 172.18.0.3Define what is the kerberos5 server (Some problem on Docker with DNS i resolve this putting ip instead FQDN)krb5_kpasswd = 172.18.0.3Define what is the kerberos5 password server ( This enable the possibility topasswdand change our passwordcache_credentials = TrueDefine if you want keep in cache the credentials (This is needed for work without ethernet connection)krb5_store_password_if_offline = TrueSame the last entry but for password
-
[nss]
filter_groups = rootFilter Group root when do nss resoluionfilter_users = rootFilter user root when do nss resolutionreconnection_retries = 3Try 3 times reconnect and if fail , dont start this process
-
[pam]
reconnection_retries = 3Try connect 3 times when use PAM and if fail dont start this processoffline_credentials_expiration = 2Days to expire the credentials offlineoffline_failed_login_attempts = 3Chances to fail if offlineoffline_failed_login_delay = 5Delay for fail login offline
Now we have sssd.conf file propery configurated for Auth:Kerberos User:LDAP Password:Kerberos but we need configure authconfig and check PAM before start all.
I do not know exactly what is the best configuration about authconfig , this tool is a headcache at all , so i will put you my configuration file and if you want to do for you , you are welcome to try it and help me to improve.
The file is:
IPADOMAINJOINED=no
PASSWDALGORITHM=sha512
USESSSD=yes
USEMKHOMEDIR=no
USEDB=no
USEPASSWDQC=no
USESSSDAUTH=yes
USEHESIOD=no
CACHECREDENTIALS=yes
USESYSNETAUTH=no
USEECRYPTFS=no
USESMARTCARD=no
USEWINBINDAUTH=no
USEIPAV2=no
USELDAP=yes
WINBINDKRB5=no
USELOCAUTHORIZE=yes
USEKERBEROS=yes
USELDAPAUTH=no
USEPAMACCESS=no
USEWINBIND=no
FORCELEGACY=no
USEPWQUALITY=yes
USENIS=no
FORCESMARTCARD=no
USESHADOW=yes
USEFPRINTD=no
IPAV2NONTP=no
You should copy this to /etc/sysconfig/ and perform this order authconfig --update
Now my recommendation is check your /etc/krb5.conf, /etc/nsswitch/ and /etc/openldap/ldap.conf for make sure this files not changed for authconfig.
Now for reach our objetive only need if our pam configuration is the needed and if not , configure this.
We need to configure su and system-authPAM files for properly system authentification .
Lets see my files(the location is /etc/pam.d/):
su PAM file:
#%PAM-1.0
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.soNote: This check all from system-auth PAM file
system-auth PAM FILE:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_authtok
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so user_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_krb5.soThe system authentification process will check if this account is UNIX , if not , check if kerberos account.
Note:I know this PAM file is not the perfect configuration , fell free to help me to improve
Now is time to check if our configuration is working well!!! We need to start sssd daemon in the client machine.
In our case , we will supervisorctl start sssd and we gonna try if the client can start properly with a kerberos user.
We gonna try with our user01 he have kuser01 password.
su user01
now check with id and who the identity of the user.
and finally check who we are in Ldap Database.
ldapwhoami -ZZ
We configured the system authentification for perform Kerberos authentification , account information from Ldap and finally the password will be retrieved from Kerberos