Currently I'm able to kinit to a service using 2 vms (windows-server and linux). But I generate the keytab on the windows server, which is the domain controller.
I want to create the keytab from linux.
Currently I'm doing the following
in AD windows server [DOMAIN MYNETWORK.NET]
Create a service = aservice
Create a security group = ServiceAcc.
Make aservice member of ServiceAcc
Create a User = auser which is a Domain Controller of an OU
setspn -S HTTP/aservice.mynetwork.net auser
keytab: ktpass -Out service-a.keytab -Princ HTTP/aservice.mynetwork.net#MYNETWORK.NET -mapUser auser -Crypto All -Ptype KRB5_NT_PRINCIPAL -Pass *
In linux with krb5.conf configurated and dns pointing to the AD:
kinit: kinit -kt aservice.keytab HTTP/aservice.mynetwork.net#MYNETWORK.NET
So this works correctly. If I don't do the keytab with the user I can't kinit, etc.
Now, the issue I'm having is how to do all this directly from Linux and I'm not sure how to perfor this. All the documentation I can find is to do the following:
ktutil
ktutil: addent -password -p auser -k 1 -e aes256-cts
Password for auser#MYNETWORK.NET:
ktutil: wkt auser.keytab
But:
I can't kinit after that.
This only adds a user, not the service. I could do the same with the service but then I'm not adding the user.
I saw a way to possible do this with kadmin, but I was having issues with that too as I get identification issues every time I try to use it.
Related
This question was migrated from Stack Overflow because it can be answered on Super User.
Migrated 15 days ago.
I installed Kerberos on CentOS 7 via yum command.
yum install krb5-server krb5-libs krb5-workstation pam_krb5 -y
My situation is as below:
There is 1 KDC.
It has 2 Service Servers.
The KDC's krb5.conf file is set as follows.
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = MYREALM.NET
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
MYREALM.NET = {
kdc = kdc.myrealm.net
admin_server = kdc.myrealm.net
}
[domain_realm]
.myrealm.net = MYREALM.NET
myrealm.net = MYREALM.NET
And I added the host principal with the following command.
# kadmin.local -q 'addprinc -randkey host/build.myrealm.net'
# kadmin.local -q 'ktadd -k /tmp/build.keytab host/build.myrealm.net'
# scp /tmp/build.keytab build.myrealm.net:/etc/krb5.keytab
# kadmin.local -q 'addprinc -randkey host/api.myrealm.net'
# kadmin.local -q 'ktadd -k /tmp/api.keytab host/api.myrealm.net'
# scp /tmp/api.keytab api.myrealm.net:/etc/krb5.keytab
And I added a user principal with the following command.
# kadmin.local -q 'addprinc eric'
With the user principal added above, the two service servers are successfully connected without a password through the following ssh command.
By the way, I want to manage a service server accessible by user principal.
I am wondering how to set the added user principal not to access a specific host principal of realms.
To summarize, I would like advice on how to make the added user principal eric accessible only to api.myrealm.net among the service servers.
I added a user principal and a host principal, and copied the host principal keytab file to the service server.
The service server in the same realm is successfully accessed without a password.
However, what I want to do is manage authorization per user principal.
As an answer to my question, I recommend using FreeIPA.
Creating a policy in FreeIPA, and applying it on a per-user basis, solved my intended problem.
https://www.freeipa.org/page/Main_Page
Note: I've tried to keep things as simple as possible in this question as that is as far as my knowledge goes. Any form of help is appreciated
I'm new to FreeIPA and I struggle to request a SSL certificate and key file from FreeIPA as Certificate Authority.
I verify I get a krbtgt using klist using the credentials of Certificate Admin.
$ klist
Valid starting Expires Service principal
01/05/2022 5:35:35 01/06/2022 5:35:35 krbtgt/MYDOM#MYDOM
renew until 01/12/2022 5:35:35
sudo /usr/bin/ipa-getcert request -r -w -k /tmp/test.key \
-f /tmp/test.cert.pem \
-g 4096
-K HTTP/service.mydom \
-T caIPAserviceCert \
-D test.myDom -N CN=test.myDom,O=MYDOM
New signing request "20220105093346" added.
Only thing being created is the private key:
$ ls /tmp
test.key
Why isn't the certificate being created ? Insufficient privileges.
Error:
$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20220105093346':
status: CA_REJECTED
ca-error: Server at https://idm.myDom/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.mydom#MYDOM,cn=services,cn=accounts,dc=mydom'.).
stuck: yes
key pair storage: type=FILE,location='/tmp/test.key'
certificate: type=FILE,location='/tmp/test.cert.pem'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Though I am able to run
$ ipa service-mod HTTP/service.mydom --certificate=
Possible duplicatae freeipa-request-certificate-with-cname
Any ideas?
Turns out the machine I am requesting the certificate from needs to be allowed to manage the web service for web host.
Only the target machine can create a certificate (IPA uses the host
kerberos ticket) by default, so to be able to create the certificate
on your IPA server you need to allow it to manage the web service for
the www host.
[root#ipa-server ~]# ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan
Source:
Creating certs and keys for services using freeipadogtag/
I'm learning ansible, I experimented working with ansible for like 4-5 servers. I was copying the Public-Key to the machines manually.
I want to know what would be the case if we have to do it for 1000's
of servers?
Like should we do the same thing, providing the other team with SSH-public key and ask them to add it to their machines? Are there any alternatives? How do people in the industry deal with it?
TIA
No, if you are managing really large number of servers, configuring your SSH key into each and every server is not a good way. If we are talking about server on cloud, which are highly dynamic in nature, ie, they are started/terminated as and when needed.
You can always configure which "remote user" to use for SSH connections on Ansible master configuration.
Apart from that, you can configure the user anywhere playbook or roles or pass as command line parameter.
For connecting to remote server, using SSH key, same methods can be used.
eg : from command line :
ansible-playbook <playbook yml> -u <user name on remote host> --key-file <SSH key file name with path on master host>
ansible-playbook abc.yml -u "user1" --key-file "/u01/ansible_keys/user1_key.pem"
You can setup these keys in inventory file as well, as below :
myHost ansible_ssh_private_key_file=~/.ssh/mykey1.pem
myOtherHost ansible_ssh_private_key_file=~/.ssh/mykey2.pem
Reference : Specifying ssh key in ansible playbook file
1.If all machines password are same.
ansible -i <inventory_file> -m copy -a "src=<public_key_filepath> dest=<target_filepath> -k"
Input the password to copy Public-key to all machines and using ansible as before
2.If the most part of all machines password are same. You can do this in inventory.
[groupA]
machine01
machine02
[groupB]
machine03
machine04 ansible_ssh_pass=<different password from others>
[all:vars]
ansible_ssh_user=<ssh_useranme>
ansible_ssh_pass=<machine password>
Then (Do not need to input password)
ansible -i <inventory_file> -m copy -a "src=<public_key_filepath> dest=<target_filepath>"
Then delete the password in inventory file, and using ansible as before
For myself, I prefer method 2 because I have all machines root password and no one can login machines with root account. So I write plaintext password in root directory.But I think your Public-key method maybe more secure.
On-premise, we do not use public-private key to connect to Linux VM, launched on ESX.
root user create/configure local users(with an expiry) on the VM and provide access to non-root users
Admin user(IAM) on AWS console, creates an EC2 instance, that is supposed to be used by multiple non-admin users(IAM).
Admin user(IAM) can connect to EC2 instance, using command:
ssh -i /local_to_machine/my_private_key.pem user_name#public_dns_name
Admin user does not have root access to EC2 instance, instead the user name is ec2_user(UID=1000), which is a normal user, but has sudo access to almost do everything
$ cat /etc/group | grep ec2-user
adm:x:4:ec2-user
wheel:x:10:ec2-user
systemd-journal:x:190:ec2-user
ec2-user:x:1000:
1) Can IAM admin user have root access(UID=0) to EC2 instance?
2) Being a root user, can multiple non-root users connect to this instance? without a private key...
I don't know about 1. but here's what I can help you with.
The permission to access a root/ non-root user on an EC2 instance is determined by the keys.
For example, by default the .pem file given by AWS when you launch the instance doesn't have root access, why ? because the public key of this .pem file is not listed under the authorized keys that can access the root user.
what you can do to check is the following
ssh-keygen -f my_private_key.pem -y > my_public_key.pub (1)
cat my_public_key.pub (2)
Now SSH into your instance by using this command :
ssh -i /local_to_machine/my_private_key.pem user_name#public_dns_name (3)
cat ~/.ssh/authorized_keys (4)
Here at least 1 entry will be the public part of the pem file you got by 2.
Now suppose you want to give a computer direct root access to the EC2 instance. What you want to do is to add their public key to the authorized_keys file under the root account :
//Ask them to give you the PUBLIC key
ssh -i /local_to_machine/my_private_key.pem user_name#public_dns_name
sudo su // changes from current user to root user
echo "<their public key>" >> ~/.ssh/authorized_keys
Now they can directly access the root user by
ssh root#public_dns_name
For managing several accounts with root/non-root privileges. My recommendation is to keep the .pem file to your self (keep it for emergencies) and manage the access the appending/removing entries in the ~./ssh/authorized_keys file.
If you don't want to ask for their public keys you can actually create pem files yourself
1) Can IAM admin user have root access(UID=0) to EC2 instance?
IAM is not in charge of your EC2 instance OS access, it only defines access policy to AWS entities(EC2, S3, SQS etc.). You are connecting to the EC2 instance using preconfigured ssh user and your public key, not by using your IAM user credentials, thus all further ssh acccess configuration relies completely in you responsibility and not related to IAM.
When I tried to create Principal ("prabhat/admin") in Kerberos (Kadmind Server) using the addprinc command.
kadmin -q "addprinc prabhat/admin"
I got the following error
Authenticating as principal prabhat/admin with password.
Kadmin: client not found in kerberos database while initializing kadmin interface
In order to create principals in Kadmin server, first you will have to create a principal using kadmin.local command,
kadmin.local -q "addprinc user1/admin"
kadmin.local -q "list_principals"
will give a list of principals, that will help you to get authenticated.
Now, you can use user1/admin as an authorized principal to create further principals, without using kadmin.local
kadmin -p user1/admin -q "addprinc user2/admin"