FreeIPA
FreeIPA is an open-source Identity, Policy and Audit (IPA) suite, sponsored by Red Hat, which provides services similar to Microsoft's Active Directory
Manual configuration as IPA client
Make sure your clocks are synchronized. Kerberos will not work otherwise. NTP is recommended.
Instead of using ipa-client-install script for automated client configuration and enrollment, the following sections describe a manual procedure for enrolling the client client.example.com to the FreeIPA server ipaserver.example.com in the example.com domain.
Configure SSSD and Kerberos
Follow the LDAP auth instructions to setup SSSD. Use a SSSD configuration similar to the following, substituting the requisite fields:
/etc/sssd/sssd.conf
[sssd] config_file_version = 2 services = nss, pam, sudo, ssh domains = EXAMPLE.COM #debug_level = 9 [domain/EXAMPLE.COM] #debug_level = 9 cache_credentials = true krb5_store_password_if_offline = true id_provider = ipa auth_provider = ipa access_provider = ipa chpass_provider = ipa #ipa_domain=example.com # Optional if you set SRV records in DNS #ipa_server=ipaserver.example.com # Optional if you set SRV records in DNS ipa_hostname=client.example.com
Configure pam in similar way to LDAP, replacing pam_ldap.so with pam_sss.so.
Create an /etc/krb5.conf file for your domain:
/etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
#allow_weak_crypto = yes # Only if absolutely necessary. Currently FreeIPA supports strong crypto.
[realms]
EXAMPLE.COM = {
admin_server = freeipaserver.example.com
kdc = freeipaserver.example.com:749
default_admin = example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
Enroll the client
On FreeIPA server, add the client to the IPA server (From Fedora documentation[dead link 2023-04-23 ⓘ]):
- Login and request and admin session
$ kinit admin
- Create a host entry
$ ipa host-add --force --ip-address=192.168.166.31 client.example.com
if the host does not have a static IP, use$ ipa host-add client.example.com
- Set the client to be managed by IPA
$ ipa host-add-managedby --hosts=ipaserver.example.com client.example.com
- Generate keytab for the client
# ipa-getkeytab -s ipaserver.example.com -p host/client.example.com -k /tmp/client1.keytab
Install the keytab on the client:
$ scp user@ipaserver.example.com:/tmp/client1.keytab krb5.keytab # mv krb5.keytab /etc/krb5.keytab
SSH integration
authorized_keys
You can configure SSHD to fetch users SSH public key from the LDAP directory by uncommenting those lines in /etc/ssh/sshd_config:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys AuthorizedKeysCommandUser nobody
Then restart sshd.service.
You can add your ssh key to your FreeIPA user account through the web interface or use the -sshpubkey='ssh-rsa AAAA...' argument to the ipa user-mod or ipa user-create commands.
Test it:
$ sudo -u nobody sss_ssh_authorizedkeys <username>
You should see your ssh public key on standard output and no error message on standard error.
known_hosts
You can configure SSH to fetch hosts public key information from their directory entries in FreeIPA by adding those lines in /etc/ssh/ssh_config:
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
Kerberos/GSS API Authentication
You can enabled Kerberos / GSS API Authentication for the SSH Client to FreeIPA member hosts by uncommenting and changing the following lines in /etc/ssh/ssh_config:
GSSAPIAuthentication yes GSSAPIDelegateCredentials yes
See also
- Wikipedia:FreeIPA
- Manually Configuring a Linux Client[dead link 2023-04-23 ⓘ] from the FreeIPA user guide
- Freeipa30_SSSD_OpenSSH_integration.pdf[dead link 2023-07-30 ⓘ]