add auth_setup role
This commit is contained in:
parent
81ed529b46
commit
f9d7df565a
@ -134,6 +134,7 @@ to setup the DNS container, run the following **as root**:
|
|||
```
|
||||
lxc-create -t download -n dns -- -d debian -r buster -a amd64
|
||||
chroot /var/lib/lxc/dns/rootfs
|
||||
echo 'nameserver 1.1.1.1' > /etc/resolv.conf
|
||||
apt update
|
||||
apt install -y python3
|
||||
exit
|
||||
|
|
|
@ -0,0 +1,75 @@
|
|||
# auth1
|
||||
This container provides authentication services to other containers
|
||||
(LDAP and Kerberos).
|
||||
|
||||
## LDAP
|
||||
Here are some recommended readings for LDAP:
|
||||
* https://wiki.csclub.uwaterloo.ca/LDAP
|
||||
* https://wiki.debian.org/LDAP/OpenLDAPSetup
|
||||
* https://wiki.debian.org/LDAP/NSS
|
||||
* https://www.openldap.org/doc/admin24/
|
||||
* https://www.digitalocean.com/community/tutorials/how-to-manage-and-use-ldap-servers-with-openldap-utilities
|
||||
|
||||
It is a good idea to become familiar with the `ldapsearch(1)` utility. Here's
|
||||
a good resource to get started:
|
||||
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/examples-of-common-ldapsearches
|
||||
|
||||
For example, on the CSC servers, you can query information about yourself:
|
||||
```
|
||||
ldapsearch -x uid=your_username
|
||||
```
|
||||
|
||||
You can query the UW LDAP servers to see your student info:
|
||||
```
|
||||
ldapsearch -x -h uwldap.uwaterloo.ca -b dc=uwaterloo,dc=ca uid=your_username
|
||||
```
|
||||
|
||||
You can also see your Active Directory information:
|
||||
```
|
||||
ldapsearch -x -h mixta.teaching.ds.uwaterloo.ca -b 'dc=teaching,dc=ds,dc=uwaterloo,dc=ca' sAMAccountName=your_username
|
||||
```
|
||||
|
||||
Note that we do not use LDAP for authentication; we only use it for NSS
|
||||
(specifically, passwd and shadow information). For authentication, we use...
|
||||
|
||||
## Kerberos
|
||||
Here are some recommended readings for Kerberos:
|
||||
https://wiki.csclub.uwaterloo.ca/Kerberos
|
||||
https://en.wikipedia.org/wiki/Kerberos\_(protocol)
|
||||
https://web.mit.edu/kerberos/krb5-1.12/doc/index.html
|
||||
|
||||
Kerberos is an old, yet still widely-used, protocol for authentication and
|
||||
single sign-on. You should be familiar with kinit(1), as well as the basic
|
||||
commands for kadmin(1) (e.g. addprinc, modprinc, ktadd, etc.).
|
||||
|
||||
When you login to any of the CSC servers, you should acquire a Kerberos ticket
|
||||
with kinit(1). This ticket allows you to login to any of the other CSC
|
||||
machines without having to re-enter your password, as well as a few other
|
||||
services like using ldapsearch(1) with SASL, sending email, etc.
|
||||
|
||||
All of the passwords for the Kerberos principals in this dev environment
|
||||
are "krb5" (no quotes).
|
||||
|
||||
Once you have run the playbook for the auth1 container, make sure you can
|
||||
login using Kerberos credentials:
|
||||
```
|
||||
lxc-attach -n auth1
|
||||
login
|
||||
(enter "ctdalek" for username, "krb5" for password)
|
||||
id
|
||||
(should show "syscom" as one of the supplementary groups)
|
||||
kinit
|
||||
(enter "krb5")
|
||||
klist
|
||||
```
|
||||
The commands above should the Kerberos ticket you just acquired for the
|
||||
user "ctdalek". You should also be able run sudo, since sudo is configured
|
||||
via LDAP. Try SSH'ing into some of the other containers using your
|
||||
Kerberos ticket; you should not be prompted for your password.
|
||||
|
||||
### Side note
|
||||
I've noticed that none of the containers can SSH into auth1 via GSSAPI.
|
||||
I've also noticed that sudo doesn't work in auth1 via lxc-attach
|
||||
(it does work with lxc-console, though). Not sure if those are related.
|
||||
Anyways, if you're having the same problem and you figure out a solution,
|
||||
please document it here.
|
|
@ -37,8 +37,8 @@
|
|||
}
|
||||
|
||||
[domain_realm]
|
||||
.csclub.internal = {{ krb_realm }}
|
||||
csclub.internal = {{ krb_realm }}
|
||||
.{{ base_domain }} = {{ krb_realm }}
|
||||
{{ base_domain }} = {{ krb_realm }}
|
||||
|
||||
[logging]
|
||||
kdc = SYSLOG:INFO:AUTH
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
#BASE dc=example,dc=com
|
||||
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
|
||||
BASE {{ ldap_base }}
|
||||
URI ldap://{{ auth1_ipv4_addr }}
|
||||
URI ldap://ldap1.{{ base_domain }}
|
||||
|
||||
#SIZELIMIT 12
|
||||
#TIMELIMIT 15
|
||||
|
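Review bot: The URI keeps the plain `ldap://` scheme after the switch from `{{ auth1_ipv4_addr }}` to `ldap1.{{ base_domain }}`, and the `TLS_CACERT` directive in the next hunk of this file only takes effect when a client explicitly requests TLS (`ldapsearch -ZZ` or an `ldaps://` URI), so ordinary `-x` lookups travel unencrypted. If that is the intent for this dev environment, a comment such as `# plain ldap:// on purpose in the dev tree; clients must request TLS (-ZZ) themselves` next to the URI line would save the next reader the check. The change also makes every lookup depend on `ldap1` resolving through the DNS container, which is worth noting where that record is defined.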
@ -16,5 +16,3 @@ URI ldap://{{ auth1_ipv4_addr }}
|
|||
|
||||
# TLS certificates (needed for GnuTLS)
|
||||
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
|
||||
|
||||
SUDOERS_BASE ou=SUDOers,dc=csclub,dc=internal
|
||||
|
|
|
@ -1,15 +1,11 @@
|
|||
---
|
||||
- hosts: auth1
|
||||
vars:
|
||||
ldap_base: "{{ base_domain.split('.') | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}"
|
||||
krb_realm: "{{ base_domain.upper() }}"
|
||||
tasks:
|
||||
- name: setup networking
|
||||
import_role:
|
||||
name: ../roles/network_setup
|
||||
vars:
|
||||
ipv4_addr: "{{ auth1_ipv4_addr }}"
|
||||
- meta: flush_handlers
|
||||
# LDAP
|
||||
- name: install LDAP packages
|
||||
apt:
|
||||
|
@ -83,6 +79,10 @@
|
|||
notify:
|
||||
- restart nslcd
|
||||
- restart nscd
|
||||
- name: add SUDOERS_BASE to ldap.conf
|
||||
lineinfile:
|
||||
path: /etc/ldap/ldap.conf
|
||||
line: "SUDOERS_BASE ou=SUDOers,{{ ldap_base }}"
|
||||
- name: add member->uniqueMember map
|
||||
lineinfile:
|
||||
line: map group member uniqueMember
|
||||
|
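Review bot: The new `add SUDOERS_BASE to ldap.conf` task uses `lineinfile` with only `line:`, so if `ldap_base` ever changes the old `SUDOERS_BASE` line stays in `/etc/ldap/ldap.conf` and a second one is appended, which is exactly the drift the template hunk removing the hard-coded `ou=SUDOers,dc=csclub,dc=internal` line was meant to avoid. Adding `regexp: '^SUDOERS_BASE '` makes the task replace the existing directive instead of accumulating copies. The `add member->uniqueMember map` task that follows is context and continues outside the hunk.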
@ -154,6 +154,7 @@
|
|||
addprinc sysadmin/admin
|
||||
krb5
|
||||
krb5
|
||||
# TODO: add more users
|
||||
- name: add user principals
|
||||
command:
|
||||
cmd: kadmin.local
|
||||
|
@ -164,14 +165,12 @@
|
|||
loop:
|
||||
- ctdalek
|
||||
- regular1
|
||||
# TODO: add more hosts
|
||||
- name: add host principals
|
||||
command:
|
||||
cmd: kadmin.local
|
||||
stdin: |
|
||||
addprinc -randkey host/auth1.{{ base_domain }}
|
||||
addprinc -randkey ldap/auth1.{{ base_domain }}
|
||||
# TODO: create an Ansible role for this
|
||||
- name: copy keytab to host
|
||||
command:
|
||||
cmd: kadmin.local
|
||||
|
@ -214,6 +213,9 @@
|
|||
value: '"kerberos5"'
|
||||
notify:
|
||||
- restart saslauthd
|
||||
- name: add miscellaneous auth-related configs
|
||||
import_role:
|
||||
name: ../roles/auth_setup
|
||||
handlers:
|
||||
- name: restart slapd
|
||||
systemd:
|
||||
|
|
|
@ -6,7 +6,9 @@
|
|||
name: ../roles/network_setup
|
||||
vars:
|
||||
ipv4_addr: "{{ coffee_ipv4_addr }}"
|
||||
- meta: flush_handlers
|
||||
- name: setup auth
|
||||
import_role:
|
||||
name: ../roles/auth_setup
|
||||
- name: install MariaDB
|
||||
apt:
|
||||
name: default-mysql-server
|
||||
|
|
|
@ -8,7 +8,10 @@ outsider ansible_lxc_host=outsider
|
|||
[containers:vars]
|
||||
ansible_connection = lxc
|
||||
ansible_python_interpreter = python3
|
||||
base_domain = csclub.internal
|
||||
base_domain = csclub.internal
|
||||
ldap_base = "{{ base_domain.split('.') | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}"
|
||||
krb_realm = "{{ base_domain.upper() }}"
|
||||
csc_hosts = ["dns", "mail", "coffee", "auth1"]
|
||||
|
||||
# the subnet for the containers
|
||||
ipv4_subnet = 192.168.100.0/24
|
||||
|
|
|
@ -6,7 +6,9 @@
|
|||
name: ../roles/network_setup
|
||||
vars:
|
||||
ipv4_addr: "{{ mail_ipv4_addr }}"
|
||||
- meta: flush_handlers
|
||||
- name: setup auth
|
||||
import_role:
|
||||
name: ../roles/auth_setup
|
||||
- name: install packages for email server
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
- name: restart sssd
|
||||
systemd:
|
||||
name: sssd
|
||||
state: restarted
|
||||
- name: restart sshd
|
||||
systemd:
|
||||
name: ssh
|
||||
state: restarted
|
|
@ -0,0 +1,48 @@
|
|||
- name: install auth packages
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
loop:
|
||||
- krb5-user
|
||||
- sssd
|
||||
- sssd-tools
|
||||
- sudo
|
||||
when: ansible_host != 'auth1'
|
||||
- name: install SSH server
|
||||
apt:
|
||||
name: openssh-server
|
||||
- name: copy ldap.conf
|
||||
template:
|
||||
src: ../../auth1/ldap/ldap.conf.j2
|
||||
dest: /etc/ldap/ldap.conf
|
||||
notify: restart sssd
|
||||
when: ansible_host != 'auth1'
|
||||
- name: copy krb5.conf
|
||||
template:
|
||||
src: ../../auth1/kerberos/krb5.conf.j2
|
||||
dest: /etc/krb5.conf
|
||||
notify: restart sssd
|
||||
when: ansible_host != 'auth1'
|
||||
- name: copy sssd.conf
|
||||
template:
|
||||
src: templates/sssd.conf.j2
|
||||
dest: /etc/sssd/sssd.conf
|
||||
mode: 0600
|
||||
notify: restart sssd
|
||||
when: ansible_host != 'auth1'
|
||||
- name: add host principals
|
||||
command:
|
||||
cmd: kadmin -p sysadmin/admin
|
||||
stdin: |
|
||||
krb5
|
||||
addprinc -randkey host/{{ ansible_fqdn }}
|
||||
ktadd host/{{ ansible_fqdn }}
|
||||
when: ansible_host != 'auth1'
|
||||
- name: add ssh config files
|
||||
copy:
|
||||
src: "templates/{{ item }}"
|
||||
dest: "/etc/ssh/{{ item }}"
|
||||
loop:
|
||||
- sshd_config
|
||||
- ssh_config
|
||||
notify: restart sshd
|
||||
- meta: flush_handlers
|
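Review bot: The `add host principals` task runs `kadmin ... ktadd host/{{ ansible_fqdn }}` with no `creates:` or `changed_when`, so every replay of the role re-randomizes the host key and appends a new kvno to `/etc/krb5.keytab`, which can invalidate service tickets already issued for that host; adding `creates: /etc/krb5.keytab` to the `command:` mapping makes it a one-shot step, and `no_log: true` keeps the admin password fed via `stdin` out of verbose output. `mode: 0600` on `copy sssd.conf` is a YAML octal integer; `mode: "0600"` is the quoted form that ansible-lint and the YAML spec both expect. The `when: ansible_host != 'auth1'` guards compare the connection address rather than the inventory name; `inventory_hostname != 'auth1'` is the conventional form and does not depend on whether `ansible_host` is set in the inventory.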
|
@ -0,0 +1,25 @@
|
|||
# This is the ssh client system-wide configuration file. See
|
||||
# ssh_config(5) for more information. This file provides defaults for
|
||||
# users, and the values can be changed in per-user configuration files
|
||||
# or on the command line.
|
||||
|
||||
# Configuration data is parsed as follows:
|
||||
# 1. command line options
|
||||
# 2. user-specific file
|
||||
# 3. system-wide file
|
||||
# Any configuration value is only changed the first time it is set.
|
||||
# Thus, host-specific definitions should be at the beginning of the
|
||||
# configuration file, and defaults at the end.
|
||||
|
||||
# Site-wide defaults for some commonly used options. For a comprehensive
|
||||
# list of available options, their meanings and defaults, please see the
|
||||
# ssh_config(5) man page.
|
||||
|
||||
Host *
|
||||
SendEnv LANG LC_*
|
||||
GSSAPITrustDns yes
|
||||
GSSAPIKeyExchange yes
|
||||
|
||||
GSSAPIAuthentication yes
|
||||
GSSAPIDelegateCredentials yes
|
||||
UseRoaming no
|
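Review bot: `GSSAPIDelegateCredentials yes` under `Host *` forwards the user's TGT to every server the client connects to, including hosts outside the realm, so any server you ssh to can act as you for the ticket lifetime; scope it to the internal domain (the inventory sets `base_domain = csclub.internal`), e.g. a `Host *.csclub.internal` stanza carrying `GSSAPIDelegateCredentials yes` ahead of a `Host *` stanza without it. Because the file is installed with `copy` rather than `template`, the domain has to be spelled out here. `UseRoaming no` is treated as a deprecated keyword by recent OpenSSH and is ignored, so it can be dropped.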
|
@ -0,0 +1,65 @@
|
|||
# Package generated configuration file
|
||||
# See the sshd(8) manpage for details
|
||||
|
||||
# What ports, IPs and protocols we listen for
|
||||
Port 22
|
||||
|
||||
# Use only protocol version 2
|
||||
Protocol 2
|
||||
|
||||
# HostKeys for protocol version 2
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
|
||||
|
||||
# Privilege Separation is turned on for security
|
||||
UsePrivilegeSeparation yes
|
||||
|
||||
# Logging
|
||||
SyslogFacility AUTH
|
||||
LogLevel INFO
|
||||
|
||||
# Authentication
|
||||
UsePAM yes
|
||||
StrictModes yes
|
||||
PermitRootLogin yes
|
||||
LoginGraceTime 120
|
||||
MaxStartups 25:30:100
|
||||
|
||||
# password authentication via PAM (single sign-on initial case)
|
||||
PasswordAuthentication yes
|
||||
PermitEmptyPasswords no
|
||||
|
||||
# keyboard-interactive authentication (like password, works with +needchange)
|
||||
ChallengeResponseAuthentication yes
|
||||
|
||||
# kerberos (single sign-on already authenticated case)
|
||||
GSSAPIAuthentication yes
|
||||
GSSAPIKeyExchange yes
|
||||
GSSAPICleanupCredentials yes
|
||||
GSSAPIStrictAcceptorCheck no
|
||||
|
||||
# public key authentication with authorized_keys
|
||||
PubkeyAuthentication yes
|
||||
|
||||
# no single sign-on via hosts.equiv; we use kerberos
|
||||
HostbasedAuthentication no
|
||||
IgnoreRhosts yes
|
||||
|
||||
# no builtin kerberos auth with password, we do the same via pam_krb5
|
||||
KerberosAuthentication no
|
||||
|
||||
# allow X forwarding
|
||||
X11Forwarding yes
|
||||
X11DisplayOffset 10
|
||||
|
||||
# PAM prints these already
|
||||
PrintMotd no
|
||||
PrintLastLog no
|
||||
|
||||
# Allow client to pass locale environment variables
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
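Review bot: `PermitRootLogin yes` together with `PasswordAuthentication yes` allows root password logins over the network on every container that imports this role; `PermitRootLogin prohibit-password` keeps key and GSSAPI root logins while closing the password path. `Protocol 2` and `UsePrivilegeSeparation yes` are deprecated in the OpenSSH shipped with buster (the release the first hunk's `lxc-create` uses) and only produce a warning per line at start-up, so they can be removed. `GSSAPIStrictAcceptorCheck no` lets sshd accept a ticket for any host principal in its keytab; a comment stating why that is needed here would help, since the README's side note already reports GSSAPI logins into auth1 not working.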
|
@ -0,0 +1,28 @@
|
|||
[sssd]
|
||||
config_file_version = 2
|
||||
services = nss, pam, sudo
|
||||
domains = {{ base_domain }}
|
||||
|
||||
[domain/{{ base_domain }}]
|
||||
cache_credentials = true
|
||||
enumerate = true
|
||||
|
||||
id_provider = ldap
|
||||
auth_provider = krb5
|
||||
sudo_provider = ldap
|
||||
entry_cache_timeout = 600
|
||||
|
||||
ldap_uri = ldap://ldap1.{{ base_domain }}
|
||||
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
|
||||
#ldap_tls_reqcert = demand
|
||||
ldap_search_base = {{ ldap_base }}
|
||||
ldap_schema = rfc2307bis
|
||||
ldap_group_member = uniqueMember
|
||||
|
||||
ldap_user_search_base = ou=People,{{ ldap_base }}
|
||||
ldap_group_search_base = ou=Group,{{ ldap_base }}
|
||||
ldap_sudo_search_base = ou=SUDOers,{{ ldap_base }}
|
||||
|
||||
krb5_realm = {{ krb_realm }}
|
||||
krb5_server = kdc1.{{ base_domain }}
|
||||
krb5_kpasswd = kadmin.{{ base_domain }}
|
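Review bot: `ldap_uri = ldap://ldap1.{{ base_domain }}` with `#ldap_tls_reqcert = demand` commented out and no `ldap_id_use_start_tls = true` means the `ldap_tls_cacert` line has no effect and user, group and sudo data is fetched in the clear; because `sudo_provider = ldap`, anyone who can tamper with that traffic can alter the sudo rules sssd enforces. Adding `ldap_id_use_start_tls = true` and re-enabling `ldap_tls_reqcert = demand` closes that once slapd serves a certificate, which the commented line suggests is still pending; until then a comment such as `# unencrypted on purpose in the dev environment; enable start_tls when slapd has a cert` would make the trade-off explicit. `enumerate = true` makes sssd periodically download the whole directory, which is fine for this dev tree but worth a comment since it is not the default.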
|
@ -15,3 +15,4 @@
|
|||
nameserver {{ dns_ipv4_addr }}
|
||||
dest: /etc/resolv.conf
|
||||
when: ansible_host != 'dns'
|
||||
- meta: flush_handlers
|
||||
|
|