SSH + Kerberos

We will use mickey's Kerberos server as the authentication system for our users so that they can reach one machine from another over ssh.

  • Check that all hosts in your subdomain are correctly defined in DNS
  • Verify that every host resolves its own FQDN correctly
  • Check that the clocks of all hosts are properly synchronised using ntp
  • Create principals for the two hosts in Kerberos
  • Export the keytab for minnie's principal
  • Verify the permissions of minnie's keytab
  • Make the changes needed to kerberize the ssh service
  • Configure the ssh client on mickey and minnie so that the user "usuario" can move transparently from one to the other without authenticating again (when connecting over ssh the user will not need to authenticate if they have already done so against Kerberos)

Check that all hosts in your subdomain are correctly defined in DNS

debian@mickey:~$ cat /var/cache/bind/db.maria.gonzalonazareno.org
$ORIGIN maria.gonzalonazareno.org.
$TTL 86400 ; 1 day
@      IN SOA mickey.maria.gonzalonazareno.org. admin.maria.gonzalonazareno.org. (
       1 ; serial
       21600 ; refresh (6 hours)
       3600 ; retry (1 hour)
       604800 ; expire (1 week)
       21600 ; minimum (6 hours)
)
@           IN   NS    mickey
@           IN   MX    10 correo
mickey      IN   A     10.0.0.12
            IN   A     172.22.200.40
minnie      IN   A     10.0.0.6
            IN   A     172.22.200.36
donald      IN   A     10.0.0.3
            IN   A     172.22.200.54
grafana     IN   A     172.22.200.200
correo      IN   A     172.22.200.103
www         IN   CNAME donald
informatica IN   CNAME donald
bbdd        IN   CNAME minnie
imap        IN   CNAME correo
pop         IN   CNAME correo
smtp        IN   CNAME correo

Verify that every host resolves its own FQDN correctly

debian@mickey:~$ hostname -f
mickey.maria.gonzalonazareno.org
ubuntu@minnie:~$ hostname -f
minnie.maria.gonzalonazareno.org

Check that the clocks of all hosts are properly synchronised using ntp

We install ntp on the hosts that need it (minnie in this case), plus ntpdate:

root@mickey:/home/debian# apt install ntpdate
ubuntu@minnie:~$ sudo apt install ntp ntpdate

Next we tell them to use papion as their time server:

debian@mickey:~$ sudo ntpdate -u papion.gonzalonazareno.org
21 Feb 11:31:48 ntpdate[5690]: adjust time server 192.168.102.2 offset 0.333699 sec

ubuntu@minnie:~$ sudo ntpdate -u papion.gonzalonazareno.org
21 Feb 11:31:34 ntpdate[2539]: step time server 192.168.102.2 offset -26.608624 sec

We check that they are synchronised:

debian@mickey:~$ date
Wed Feb 21 11:32:23 UTC 2018

ubuntu@minnie:~$ date
Wed Feb 21 11:32:26 UTC 2018

Create principals for the two hosts in Kerberos

On mickey:

First we install the required packages:

debian@mickey:~$ sudo apt install krb5-kdc krb5-admin-server

Now we edit the file /etc/krb5kdc/kdc.conf and remove the references to port 750:

[kdcdefaults]
 kdc_ports = 88

[realms]
 MARIA.GONZALONAZARENO.ORG = {
 database_name = /var/lib/krb5kdc/principal
 admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
 acl_file = /etc/krb5kdc/kadm5.acl
 key_stash_file = /etc/krb5kdc/stash
 kdc_ports = 88
 max_life = 10h 0m 0s
 max_renewable_life = 7d 0h 0m 0s
 master_key_type = des3-hmac-sha1
 #supported_enctypes = aes256-cts:normal aes128-cts:normal
 default_principal_flags = +preauth
 }

Now in the file /etc/default/krb5-kdc we add:

KRB4_MODE=disable
RUN_KRB524D=false

To the file /etc/krb5.conf we add:

[domain_realm]
 .maria.gonzalonazareno.org = MARIA.GONZALONAZARENO.ORG
 maria.gonzalonazareno.org = MARIA.GONZALONAZARENO.ORG

The next step is to define our realm:

debian@mickey:~$ sudo krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'MARIA.GONZALONAZARENO.ORG',
master key name 'K/M@MARIA.GONZALONAZARENO.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:




Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.

Next we modify the ACL in the file /etc/krb5kdc/kadm5.acl:

*/admin *
usuario@MARIA.GONZALONAZARENO.ORG *

We restart the services to apply the changes:

debian@mickey:~$ sudo systemctl start krb5-admin-server
debian@mickey:~$ sudo systemctl start krb5-kdc

Now we create the user and the principals:

debian@mickey:~$ sudo kadmin.local
Authenticating as principal root/admin@MARIA.GONZALONAZARENO.ORG with password.

kadmin.local: add_principal usuario@MARIA.GONZALONAZARENO.ORG
WARNING: no policy specified for usuario@MARIA.GONZALONAZARENO.ORG; defaulting to no policy
Enter password for principal "usuario@MARIA.GONZALONAZARENO.ORG": 
Re-enter password for principal "usuario@MARIA.GONZALONAZARENO.ORG": 
Principal "usuario@MARIA.GONZALONAZARENO.ORG" created.


kadmin.local: add_principal -randkey host/mickey.maria.gonzalonazareno.org@MARIA.GONZALONAZARENO.ORG
WARNING: no policy specified for host/mickey.maria.gonzalonazareno.org@MARIA.GONZALONAZARENO.ORG; defaulting to no policy
Principal "host/mickey.maria.gonzalonazareno.org@MARIA.GONZALONAZARENO.ORG" created.


kadmin.local: add_principal -randkey host/minnie.maria.gonzalonazareno.org@MARIA.GONZALONAZARENO.ORG
WARNING: no policy specified for host/minnie.maria.gonzalonazareno.org@MARIA.GONZALONAZARENO.ORG; defaulting to no policy
Principal "host/minnie.maria.gonzalonazareno.org@MARIA.GONZALONAZARENO.ORG" created.

On minnie:

We install the packages:

ubuntu@minnie:~$ sudo apt install krb5-user krb5-config

Next we modify the file /etc/krb5.conf, adding:

[domain_realm]
 .maria.gonzalonazareno.org = MARIA.GONZALONAZARENO.ORG
 maria.gonzalonazareno.org = MARIA.GONZALONAZARENO.ORG

We check that we can log in:

ubuntu@minnie:~$ sudo kinit usuario/usuario
Password for usuario/usuario@MARIA.GONZALONAZARENO.ORG:

Export the keytab for minnie's principal

On mickey:

We export the keytabs:

kadmin.local: ktadd host/mickey.maria.gonzalonazareno.org
Entry for principal host/mickey.maria.gonzalonazareno.org with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/mickey.maria.gonzalonazareno.org with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
kadmin.local: ktadd -k /tmp/krb5.keytab host/minnie.maria.gonzalonazareno.org
Entry for principal host/minnie.maria.gonzalonazareno.org with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/krb5.keytab.
Entry for principal host/minnie.maria.gonzalonazareno.org with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/krb5.keytab.

Now we give /etc/krb5.keytab the appropriate permissions and ownership:

debian@mickey:~$ sudo chmod 640 /etc/krb5.keytab 
debian@mickey:~$ sudo chown sshd:ssh /etc/krb5.keytab

In the file /etc/ssh/sshd_config we uncomment and modify the following lines:

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

We restart ssh to apply the changes:

debian@mickey:~$ sudo systemctl restart ssh

We copy the file /tmp/krb5.keytab to minnie with scp.

On minnie:

We change the permissions on the keytab:

ubuntu@minnie:~$ sudo mv krb5.keytab /etc/
ubuntu@minnie:~$ sudo chmod 400 /etc/krb5.keytab 
ubuntu@minnie:~$ sudo chown sshd:ssh /etc/krb5.keytab

We modify the following lines of the file /etc/ssh/ssh_config so that they read:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

We restart ssh to apply the changes:

ubuntu@minnie:~$ sudo systemctl restart ssh

Verify the permissions of minnie's keytab

ubuntu@minnie:~$ ls -l /etc/krb5.keytab 
-r-------- 1 sshd ssh 394 Feb 21 12:56 /etc/krb5.keytab

Make the changes needed to kerberize the ssh service

These were done in the previous steps.
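As an added example (not part of the original post), the following POSIX shell functions check the preconditions the steps above depend on: the clock offset reported by ntpdate, the host's FQDN lying in the realm's DNS domain, the mode of /etc/krb5.keytab as shown by ls -l, and GSSAPIAuthentication being enabled in sshd_config. The 300 s limit is the MIT krb5 default clockskew; the sample lines are constructed from the ones shown on this page, and the ownership sshd:ssh used above is accepted as-is.

```shell
#!/bin/sh
# Pre-flight checks for a Kerberized sshd (added example, not the post's code).

# The KDC rejects requests when client and KDC clocks differ by more than
# clockskew (300 s by default). Parse an ntpdate line such as
#   "... step time server 192.168.102.2 offset -26.608624 sec"
# and succeed only when |offset| is below the limit.
skew_ok() {
    offset=$(printf '%s\n' "$1" | sed -n 's/.*offset \([-0-9.]*\) sec.*/\1/p')
    [ -n "$offset" ] || return 1
    awk -v o="$offset" 'BEGIN { if (o < 0) o = -o; exit !(o < 300) }'
}

# sshd looks up host/<fqdn>@REALM in the keytab, so `hostname -f` must
# return a name inside the realm's DNS domain (the page's domain is assumed).
fqdn_in_domain() {
    case "$1" in
        *.maria.gonzalonazareno.org) return 0 ;;
        *) return 1 ;;
    esac
}

# The keytab holds the host's long-term key: "other" must have no access and
# the group must not be able to write it. Takes an `ls -l` line as input.
keytab_perms_ok() {
    perms=$(printf '%s\n' "$1" | cut -c1-10)
    case "$perms" in
        ???????---) ;;           # other: no permissions at all
        *) return 1 ;;
    esac
    case "$perms" in
        ?????w????) return 1 ;;  # group-writable keytab
    esac
    return 0
}

# GSSAPIAuthentication must be an uncommented "yes"; reads sshd_config on stdin,
# e.g. gssapi_enabled < /etc/ssh/sshd_config
gssapi_enabled() {
    grep -Eq '^[[:space:]]*GSSAPIAuthentication[[:space:]]+yes'
}
```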

Configure the ssh client on mickey and minnie so that the user "usuario" can move transparently from one to the other without authenticating again (when connecting over ssh the user will not need to authenticate if they have already done so against Kerberos)

We add the user with useradd on both hosts:

debian@mickey:~$ sudo useradd -m -s /bin/bash usuario
ubuntu@minnie:~$ sudo useradd -m -s /bin/bash usuario

We log in against Kerberos:

ubuntu@minnie:~$ kinit usuario
Password for usuario@MARIA.GONZALONAZARENO.ORG:

To view the assigned tickets:

debian@mickey:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: usuario@MARIA.GONZALONAZARENO.ORG

Valid starting Expires Service principal
02/21/2018 16:34:38 02/22/2018 02:34:38 krbtgt/MARIA.GONZALONAZARENO.ORG@MARIA.GONZALONAZARENO.ORG
 renew until 02/22/2018 16:34:35
02/21/2018 16:43:25 02/22/2018 02:34:38 host/minnie.maria.gonzalonazareno.org@MARIA.GONZALONAZARENO.ORG
 renew until 02/22/2018 16:34:35
ubuntu@minnie:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: usuario@MARIA.GONZALONAZARENO.ORG

Valid starting Expires Service principal
02/21/2018 13:16:53 02/21/2018 23:16:53 krbtgt/MARIA.GONZALONAZARENO.ORG@MARIA.GONZALONAZARENO.ORG
 renew until 02/22/2018 13:16:51
02/21/2018 13:16:58 02/21/2018 23:16:53 host/mickey.maria.gonzalonazareno.org@MARIA.GONZALONAZARENO.ORG
 renew until 02/22/2018 13:16:51

Checks

From mickey to minnie using the short name

debian@mickey:~$ ssh usuario@minnie
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

* Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

Get cloud support with Ubuntu Advantage Cloud Guest:
 http://www.ubuntu.com/business/services/cloud

67 packages can be updated.
2 updates are security updates.




Last login: Wed Feb 21 16:43:47 2018 from 10.0.0.12
usuario@minnie:~$

From mickey to minnie using the long name

debian@mickey:~$ ssh usuario@minnie.maria.gonzalonazareno.org
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

* Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

Get cloud support with Ubuntu Advantage Cloud Guest:
 http://www.ubuntu.com/business/services/cloud

67 packages can be updated.
2 updates are security updates.




Last login: Wed Feb 21 16:43:29 2018 from 10.0.0.12
usuario@minnie:~$

From minnie to mickey using the short name

ubuntu@minnie:~$ ssh usuario@mickey
Creating directory '/home/users/pruebausuario'.
Linux mickey.maria.gonzalonazareno.org 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
usuario@mickey:~$

From minnie to mickey using the long name

ubuntu@minnie:~$ ssh usuario@mickey.maria.gonzalonazareno.org
The authenticity of host 'mickey.maria.gonzalonazareno.org (10.0.0.12)' can't be established.
ECDSA key fingerprint is SHA256:1qGhQLWJeJ21ZxB8ssG/p/1YjJfTsCZCcSz1b3YBD4k.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'mickey.maria.gonzalonazareno.org' (ECDSA) to the list of known hosts.
Linux mickey.maria.gonzalonazareno.org 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 21 12:59:57 2018 from 10.0.0.6
usuario@mickey:~$

From mickey to minnie and back to mickey

debian@mickey:~$ ssh usuario@minnie
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

* Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

Get cloud support with Ubuntu Advantage Cloud Guest:
 http://www.ubuntu.com/business/services/cloud

67 packages can be updated.
0 updates are security updates.




*** System restart required ***
Last login: Wed Feb 21 16:44:18 2018 from 10.0.0.12
usuario@minnie:~$ ssh usuario@mickey
The authenticity of host 'mickey (10.0.0.12)' can't be established.
ECDSA key fingerprint is SHA256:1qGhQLWJeJ21ZxB8ssG/p/1YjJfTsCZCcSz1b3YBD4k.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'mickey,10.0.0.12' (ECDSA) to the list of known hosts.
Linux mickey.maria.gonzalonazareno.org 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 21 16:50:56 2018 from 10.0.0.6
usuario@mickey:~$

From minnie to mickey and back to minnie

ubuntu@minnie:~$ ssh usuario@mickey
Linux mickey.maria.gonzalonazareno.org 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 23 08:08:23 2018 from 10.0.0.6
usuario@mickey:~$ ssh usuario@minnie
The authenticity of host 'minnie (10.0.0.6)' can't be established.
ECDSA key fingerprint is SHA256:i2RubB4mbS6lki/4Gar1hZX9/wYZJ6LTUzM0Xbn6Isc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'minnie,10.0.0.6' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

* Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

Get cloud support with Ubuntu Advantage Cloud Guest:
 http://www.ubuntu.com/business/services/cloud

67 packages can be updated.
0 updates are security updates.




*** System restart required ***
Last login: Fri Feb 23 08:08:23 2018 from 10.0.0.12
usuario@minnie:~$

If, when trying to connect, we get an error such as:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

The tickets have to be renewed:

ubuntu@minnie:~$ sudo kdestroy

ubuntu@minnie:~$ kinit usuario
Password for usuario@MARIA.GONZALONAZARENO.ORG:
