add auth_setup role

README.md

@@ -134,6 +134,7 @@ to setup the DNS container, run the following **as root**:
 ```
 lxc-create -t download -n dns -- -d debian -r buster -a amd64
 chroot /var/lib/lxc/dns/rootfs
+echo 'nameserver 1.1.1.1' > /etc/resolv.conf
 apt update
 apt install -y python3
 exit

auth1/README.md

@@ -0,0 +1,75 @@
+# auth1
+This container provides authentication services to other containers
+(LDAP and Kerberos).
+
+## LDAP
+Here are some recommended readings for LDAP:
+* https://wiki.csclub.uwaterloo.ca/LDAP
+* https://wiki.debian.org/LDAP/OpenLDAPSetup
+* https://wiki.debian.org/LDAP/NSS
+* https://www.openldap.org/doc/admin24/
+* https://www.digitalocean.com/community/tutorials/how-to-manage-and-use-ldap-servers-with-openldap-utilities
+
+It is a good idea to become familiar with the `ldapsearch(1)` utility. Here's
+a good resource to get started:
+https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/examples-of-common-ldapsearches
+
+For example, on the CSC servers, you can query information about yourself:
+```
+ldapsearch -x uid=your_username
+```
+
+You can query the UW LDAP servers to see your student info:
+```
+ldapsearch -x -h uwldap.uwaterloo.ca -b dc=uwaterloo,dc=ca uid=your_username
+```
+
+You can also see your Active Directory information:
+```
+ldapsearch -x -h mixta.teaching.ds.uwaterloo.ca -b 'dc=teaching,dc=ds,dc=uwaterloo,dc=ca' sAMAccountName=your_username
+```
+
+Note that we do not use LDAP for authentication; we only use it for NSS
+(specifically, passwd and shadow information). For authentication, we use...
+
+## Kerberos
+Here are some recommended readings for Kerberos:
+https://wiki.csclub.uwaterloo.ca/Kerberos
+https://en.wikipedia.org/wiki/Kerberos\_(protocol)
+https://web.mit.edu/kerberos/krb5-1.12/doc/index.html
+
+Kerberos is an old, yet still widely-used, protocol for authentication and
+single sign-on. You should be familiar with kinit(1), as well as the basic
+commands for kadmin(1) (e.g. addprinc, modprinc, ktadd, etc.).
+
+When you login to any of the CSC servers, you should acquire a Kerberos ticket
+with kinit(1). This ticket allows you to login to any of the other CSC
+machines without having to re-enter your password, as well as a few other
+services like using ldapsearch(1) with SASL, sending email, etc.
+
+All of the passwords for the Kerberos principals in this dev environment
+are "krb5" (no quotes).
+
+Once you have run the playbook for the auth1 container, make sure you can
+login using Kerberos credentials:
+```
+lxc-attach -n auth1
+login
+(enter "ctdalek" for username, "krb5" for password)
+id
+(should show "syscom" as one of the supplementary groups)
+kinit
+(enter "krb5")
+klist
+```
+The commands above should the Kerberos ticket you just acquired for the
+user "ctdalek". You should also be able run sudo, since sudo is configured
+via LDAP. Try SSH'ing into some of the other containers using your
+Kerberos ticket; you should not be prompted for your password.
+
+### Side note
+I've noticed that none of the containers can SSH into auth1 via GSSAPI.
+I've also noticed that sudo doesn't work in auth1 via lxc-attach
+(it does work with lxc-console, though). Not sure if those are related.
+Anyways, if you're having the same problem and you figure out a solution,
+please document it here.

auth1/kerberos/krb5.conf.j2

@@ -37,8 +37,8 @@
 	}
 
 [domain_realm]
-        .csclub.internal = {{ krb_realm }}
-        csclub.internal = {{ krb_realm }}
+        .{{ base_domain }} = {{ krb_realm }}
+        {{ base_domain }} = {{ krb_realm }}
 
 [logging]
       kdc = SYSLOG:INFO:AUTH    

auth1/ldap/ldap.conf.j2

@@ -8,7 +8,7 @@
 #BASE   dc=example,dc=com
 #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
 BASE {{ ldap_base }}
-URI ldap://{{ auth1_ipv4_addr }}
+URI ldap://ldap1.{{ base_domain }}
 
 #SIZELIMIT      12
 #TIMELIMIT      15
@@ -16,5 +16,3 @@ URI ldap://{{ auth1_ipv4_addr }}
 
 # TLS certificates (needed for GnuTLS)
 TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
-
-SUDOERS_BASE    ou=SUDOers,dc=csclub,dc=internal

auth1/main.yml

@@ -1,15 +1,11 @@
 ---
 - hosts: auth1
-  vars:
-    ldap_base: "{{ base_domain.split('.') | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}"
-    krb_realm: "{{ base_domain.upper() }}"
   tasks:
     - name: setup networking
       import_role:
         name: ../roles/network_setup
       vars:
         ipv4_addr: "{{ auth1_ipv4_addr }}"
-    - meta: flush_handlers
     # LDAP
     - name: install LDAP packages
       apt:
@@ -83,6 +79,10 @@
       notify:
         - restart nslcd
         - restart nscd
+    - name: add SUDOERS_BASE to ldap.conf
+      lineinfile:
+        path: /etc/ldap/ldap.conf
+        line: "SUDOERS_BASE ou=SUDOers,{{ ldap_base }}"
     - name: add member->uniqueMember map
       lineinfile:
         line: map group member uniqueMember
@@ -154,6 +154,7 @@
           addprinc sysadmin/admin
           krb5
           krb5
+    # TODO: add more users
     - name: add user principals
       command:
         cmd: kadmin.local
@@ -164,14 +165,12 @@
       loop:
         - ctdalek
         - regular1
-    # TODO: add more hosts
     - name: add host principals
       command:
         cmd: kadmin.local
         stdin: |
           addprinc -randkey host/auth1.{{ base_domain }}
           addprinc -randkey ldap/auth1.{{ base_domain }}
-    # TODO: create an Ansible role for this
     - name: copy keytab to host
       command:
         cmd: kadmin.local
@@ -214,6 +213,9 @@
           value: '"kerberos5"'
       notify:
         - restart saslauthd
+    - name: add miscellaneous auth-related configs
+      import_role:
+        name: ../roles/auth_setup
   handlers:
     - name: restart slapd
       systemd:

coffee/main.yml

@@ -6,7 +6,9 @@
         name: ../roles/network_setup
       vars:
         ipv4_addr: "{{ coffee_ipv4_addr }}"
-    - meta: flush_handlers
+    - name: setup auth
+      import_role:
+        name: ../roles/auth_setup
     - name: install MariaDB
       apt:
         name: default-mysql-server

hosts.sample

@@ -8,7 +8,10 @@ outsider ansible_lxc_host=outsider
 [containers:vars]
 ansible_connection = lxc
 ansible_python_interpreter = python3
-base_domain        = csclub.internal
+base_domain = csclub.internal
+ldap_base = "{{ base_domain.split('.') | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}"
+krb_realm = "{{ base_domain.upper() }}"
+csc_hosts = ["dns", "mail", "coffee", "auth1"]
 
 # the subnet for the containers
 ipv4_subnet        = 192.168.100.0/24

mail/main.yml

@@ -6,7 +6,9 @@
         name: ../roles/network_setup
       vars:
         ipv4_addr: "{{ mail_ipv4_addr }}"
-    - meta: flush_handlers
+    - name: setup auth
+      import_role:
+        name: ../roles/auth_setup
     - name: install packages for email server
       apt:
         name: "{{ item }}"

roles/auth_setup/handlers/main.yml

@@ -0,0 +1,8 @@
+- name: restart sssd
+  systemd:
+    name: sssd
+    state: restarted
+- name: restart sshd
+  systemd:
+    name: ssh
+    state: restarted

roles/auth_setup/tasks/main.yml

@@ -0,0 +1,48 @@
+- name: install auth packages
+  apt:
+    name: "{{ item }}"
+  loop:
+    - krb5-user
+    - sssd
+    - sssd-tools
+    - sudo
+  when: ansible_host != 'auth1'
+- name: install SSH server
+  apt:
+    name: openssh-server
+- name: copy ldap.conf
+  template:
+    src: ../../auth1/ldap/ldap.conf.j2
+    dest: /etc/ldap/ldap.conf
+  notify: restart sssd
+  when: ansible_host != 'auth1'
+- name: copy krb5.conf
+  template:
+    src: ../../auth1/kerberos/krb5.conf.j2
+    dest: /etc/krb5.conf
+  notify: restart sssd
+  when: ansible_host != 'auth1'
+- name: copy sssd.conf
+  template:
+    src: templates/sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: restart sssd
+  when: ansible_host != 'auth1'
+- name: add host principals
+  command:
+    cmd: kadmin -p sysadmin/admin
+    stdin: |
+      krb5
+      addprinc -randkey host/{{ ansible_fqdn }}
+      ktadd host/{{ ansible_fqdn }}
+  when: ansible_host != 'auth1'
+- name: add ssh config files
+  copy:
+    src: "templates/{{ item }}"
+    dest: "/etc/ssh/{{ item }}"
+  loop:
+    - sshd_config
+    - ssh_config
+  notify: restart sshd
+- meta: flush_handlers

roles/auth_setup/templates/ssh_config

@@ -0,0 +1,25 @@
+# This is the ssh client system-wide configuration file.  See
+# ssh_config(5) for more information.  This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+#  1. command line options
+#  2. user-specific file
+#  3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options.  For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Host *
+    SendEnv LANG LC_*
+    GSSAPITrustDns yes
+    GSSAPIKeyExchange yes
+
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials yes
+    UseRoaming no

roles/auth_setup/templates/sshd_config

@@ -0,0 +1,65 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+
+# Use only protocol version 2
+Protocol 2
+
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+
+# Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication
+UsePAM yes
+StrictModes yes
+PermitRootLogin yes
+LoginGraceTime 120
+MaxStartups 25:30:100
+
+# password authentication via PAM (single sign-on initial case)
+PasswordAuthentication yes
+PermitEmptyPasswords no
+
+# keyboard-interactive authentication (like password, works with +needchange)
+ChallengeResponseAuthentication yes
+
+# kerberos (single sign-on already authenticated case)
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+GSSAPICleanupCredentials yes
+GSSAPIStrictAcceptorCheck no
+
+# public key authentication with authorized_keys
+PubkeyAuthentication yes
+
+# no single sign-on via hosts.equiv; we use kerberos
+HostbasedAuthentication no
+IgnoreRhosts yes
+
+# no builtin kerberos auth with password, we do the same via pam_krb5
+KerberosAuthentication no
+
+# allow X forwarding
+X11Forwarding yes
+X11DisplayOffset 10
+
+# PAM prints these already
+PrintMotd no
+PrintLastLog no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server

roles/auth_setup/templates/sssd.conf.j2

@@ -0,0 +1,28 @@
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo
+domains = {{ base_domain }}
+
+[domain/{{ base_domain }}]
+cache_credentials = true
+enumerate = true
+
+id_provider = ldap
+auth_provider = krb5
+sudo_provider = ldap
+entry_cache_timeout = 600
+
+ldap_uri = ldap://ldap1.{{ base_domain }}
+ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
+#ldap_tls_reqcert = demand
+ldap_search_base = {{ ldap_base }}
+ldap_schema = rfc2307bis
+ldap_group_member = uniqueMember
+
+ldap_user_search_base = ou=People,{{ ldap_base }}
+ldap_group_search_base = ou=Group,{{ ldap_base }}
+ldap_sudo_search_base = ou=SUDOers,{{ ldap_base }}
+
+krb5_realm = {{ krb_realm }}
+krb5_server = kdc1.{{ base_domain }}
+krb5_kpasswd = kadmin.{{ base_domain }}

roles/network_setup/tasks/main.yml

@@ -15,3 +15,4 @@
       nameserver {{ dns_ipv4_addr }}
     dest: /etc/resolv.conf
   when: ansible_host != 'dns'
+- meta: flush_handlers