SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

any guide for sssd-ad ssh single sign on #6522

Closed wangyugui-e16 closed 1 year ago

wangyugui-e16 commented 1 year ago

Hi,

Is there any guide for sssd-ad ssh single sign-on, like https://wiki.samba.org/index.php/OpenSSH_Single_sign-on?

There are 4 Linux servers (Rocky Linux 9.1) connected to 1 Windows AD. The 4 Linux servers are configured with sssd/ad + ssh, and ssh login with an AD account is OK now.

If I log in to Linux server-1 with an ssh client + AD account + password, can I ssh to server-2 from server-1 without a password and without an RSA public key?

https://wiki.samba.org/index.php/OpenSSH_Single_sign-on is based on krb5 and GSSAPIKeyExchange/GSSAPIDelegateCredentials? But it does not work with winbind or sssd here, even with 'GSSAPIStrictAcceptorCheck no'.

sumit-bose commented 1 year ago

Hi,

Is there any guide for sssd-ad ssh single sign-on, like https://wiki.samba.org/index.php/OpenSSH_Single_sign-on?

There are 4 Linux servers (Rocky Linux 9.1) connected to 1 Windows AD. The 4 Linux servers are configured with sssd/ad + ssh, and ssh login with an AD account is OK now.

If I log in to Linux server-1 with an ssh client + AD account + password, can I ssh to server-2 from server-1 without a password and without an RSA public key?

Hi,

yes, this is possible. Most important on the server (server-2) side are GSSAPIAuthentication yes and a proper keytab. On the client (server-1) side you have to make sure that you use the fully-qualified hostname with the ssh command, because the ssh command will use this name to create the Kerberos service principal host/fully.qualified.name@AD.DOMAIN.

Feel free to send the ssh client and server side debug output for further investigations.

bye, Sumit

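
The two prerequisites named in the answer above, the service principal the ssh client will request and whether the accepting host's keytab holds it, can be checked before debugging sshd itself. The script below is an added example written for this page; it is not code from SSSD, from OpenSSH or from anyone in the thread. The realm E16-TECH.COM and host t3610.e16-tech.com are taken from the thread, and the `klist -k` listing inside it is constructed sample data, not captured output. It also encodes one caveat: GSSAPIStrictAcceptorCheck no only relaxes which keytab entry sshd will accept a ticket for; it cannot help when the client requests a principal that is not in the keytab at all.

```shell
#!/bin/sh
# Added example for this thread, not code from SSSD or from the issue: check the
# two prerequisites named above before debugging sshd itself. The realm
# E16-TECH.COM and host t3610.e16-tech.com are taken from the thread; the
# `klist -k` listing further down is constructed sample data, not captured output.

# Service principal the OpenSSH client asks the KDC for: host/<target>@<REALM>.
# The client hands <target> to GSSAPI as typed (GSSAPITrustDNS defaults to no);
# any further canonicalisation is up to the Kerberos library and krb5.conf, so
# test the fully-qualified form explicitly, as advised above.
expected_service_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# A short name ("t3610") has no dot; a fully-qualified one does.
is_fqdn() {
    case $1 in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Look for a principal in `klist -k /etc/krb5.keytab` style output. The
# principal is the second whitespace-separated column; header lines never match.
keytab_has_principal() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# Verdict for one target name: 0 if GSSAPI SSO can work against this keytab.
# GSSAPIStrictAcceptorCheck no lets sshd accept a ticket for any principal in
# its keytab; it does not help when the requested principal is not there at all.
sso_preflight() {
    target=$1 realm=$2 listing=$3
    spn=$(expected_service_principal "$target" "$realm")
    if ! is_fqdn "$target"; then
        echo "WARN: '$target' is not fully qualified; client will request $spn" >&2
    fi
    if keytab_has_principal "$spn" "$listing"; then
        echo "OK: $spn is in the server keytab"
        return 0
    fi
    echo "FAIL: $spn is not in the server keytab" >&2
    return 1
}

# Constructed sample of `klist -k` output on the accepting host (not real data).
SAMPLE_KEYTAB_LISTING=$(printf '%s\n' \
    'Keytab name: FILE:/etc/krb5.keytab' \
    'KVNO Principal' \
    '---- --------------------------------------------------------------------------' \
    '   2 host/t3610.e16-tech.com@E16-TECH.COM' \
    '   2 T3610$@E16-TECH.COM')

# Demo: the fully-qualified target passes, the short name does not.
sso_preflight t3610.e16-tech.com E16-TECH.COM "$SAMPLE_KEYTAB_LISTING" || :
sso_preflight t3610 E16-TECH.COM "$SAMPLE_KEYTAB_LISTING" || :
```

To use it for real, run `klist -k /etc/krb5.keytab` as root on the accepting host and pass that output instead of the sample. If the host/fqdn@REALM entry is missing, re-create the keytab with the tool you joined the domain with rather than loosening GSSAPIStrictAcceptorCheck, which cannot supply a key that is not there.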

wangyugui-e16 commented 1 year ago

Info for debugging.

1)windows | Active Directory Users and Computers
Computer Name (pre Windows 2000): T3610
DNS name:t3610.e16-tech.com

2) cat /etc/hostname
t3610.e16-tech.com

$ nslookup t3610
Server:         192.168.2.76
Address:        192.168.2.76#53

Name:   t3610.e16-tech.com
Address: 192.168.2.36

3) ssh/sshd config
+ grep -v '^#' /etc/ssh/sshd_config | uniq

Include /etc/ssh/sshd_config.d/*.conf

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

PermitRootLogin yes
MaxSessions 378

RSAAuthentication yes
PubkeyAuthentication yes

AuthorizedKeysFile      .ssh/authorized_keys

PasswordAuthentication yes

KerberosAuthentication yes

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
GSSAPIStrictAcceptorCheck no
GSSAPIStoreCredentialsOnRekey yes
UsePAM yes

Subsystem       sftp    /usr/libexec/openssh/sftp-server

+ grep -v '^#' /etc/ssh/sshd_config.d/50-redhat.conf | uniq
Include /etc/crypto-policies/back-ends/opensshserver.config

SyslogFacility AUTHPRIV

ChallengeResponseAuthentication yes

X11Forwarding yes

PrintMotd no

+ grep -v '^#' /etc/ssh/ssh_config | uniq

Host *
        ServerAliveInterval 60
        GSSAPIAuthentication yes
        GSSAPIKeyExchange yes
        GSSAPIRenewalForcesRekey yes
        GSSAPITrustDNS no
Host *.e16-tech.com
        GSSAPIDelegateCredentials yes

Include /etc/ssh/ssh_config.d/*.conf
+ grep -v '^#' /etc/ssh/ssh_config.d/50-redhat.conf | uniq
Match final all
        # Follow system-wide Crypto Policy, if defined:
        Include /etc/crypto-policies/back-ends/openssh.config

        ForwardX11Trusted yes

4) id / klist
[u2001@e16-tech.com@t3610 ~]$ id
uid=2001(u2001@e16-tech.com) gid=2001(g2001@e16-tech.com) groups=2001(g2001@e16-tech.com),1920(domain users@e16-tech.com)
[u2001@e16-tech.com@t3610 ~]$ klist
Ticket cache: KCM:2001:14853
Default principal: u2001@E16-TECH.COM

Valid starting       Expires              Service principal
01/17/2023 10:24:55  01/17/2023 20:24:55  krbtgt/E16-TECH.COM@E16-TECH.COM
        renew until 01/24/2023 10:24:55
[u2001@e16-tech.com@t3610 ~]$

5) ssh / ssh -v
[u2001@e16-tech.com@t3610 ~]$ ssh t3610.e16-tech.com
(u2001@e16-tech.com@t3610.e16-tech.com) Password:
Last login: Tue Jan 17 18:24:55 2023 from 192.168.2.112
[u2001@e16-tech.com@t3610 ~]$ ssh -v t3610.e16-tech.com
OpenSSH_8.7p1, OpenSSL 3.0.1 14 Dec 2021
debug1: Connecting to t3610.e16-tech.com [192.168.2.36] port 22.
debug1: Connection established.
debug1: identity file /home/u2001/.ssh/id_rsa type -1
debug1: identity file /home/u2001/.ssh/id_rsa-cert type -1
debug1: identity file /home/u2001/.ssh/id_dsa type -1
debug1: identity file /home/u2001/.ssh/id_dsa-cert type -1
debug1: identity file /home/u2001/.ssh/id_ecdsa type -1
debug1: identity file /home/u2001/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/u2001/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/u2001/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/u2001/.ssh/id_ed25519 type -1
debug1: identity file /home/u2001/.ssh/id_ed25519-cert type -1
debug1: identity file /home/u2001/.ssh/id_ed25519_sk type -1
debug1: identity file /home/u2001/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/u2001/.ssh/id_xmss type -1
debug1: identity file /home/u2001/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: compat_banner: match: OpenSSH_8.7 pat OpenSSH* compat 0x04000000
debug1: Authenticating to t3610.e16-tech.com:22 as 'u2001@e16-tech.com'
debug1: load_hostkeys: fopen /home/u2001/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:LiPgyfx6+oHUxi8rtzNC2nhZhI225c+79BKurQC2W3Y
debug1: load_hostkeys: fopen /home/u2001/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 't3610.e16-tech.com' is known and matches the ED25519 host key.
debug1: Found key in /home/u2001/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/u2001/.ssh/id_rsa
debug1: Will attempt key: /home/u2001/.ssh/id_dsa
debug1: Will attempt key: /home/u2001/.ssh/id_ecdsa
debug1: Will attempt key: /home/u2001/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/u2001/.ssh/id_ed25519
debug1: Will attempt key: /home/u2001/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/u2001/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/u2001/.ssh/id_rsa
debug1: Trying private key: /home/u2001/.ssh/id_dsa
debug1: Trying private key: /home/u2001/.ssh/id_ecdsa
debug1: Trying private key: /home/u2001/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/u2001/.ssh/id_ed25519
debug1: Trying private key: /home/u2001/.ssh/id_ed25519_sk
debug1: Trying private key: /home/u2001/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
(u2001@e16-tech.com@t3610.e16-tech.com) Password:
Authenticated to t3610.e16-tech.com ([192.168.2.36]:22) using "keyboard-interactive".
debug1: pkcs11_del_provider: called, provider_id = (null)
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /home/u2001/.ssh/known_hosts for t3610.e16-tech.com / (none)
debug1: client_input_hostkeys: searching /home/u2001/.ssh/known_hosts2 for t3610.e16-tech.com / (none)
debug1: client_input_hostkeys: hostkeys file /home/u2001/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
Last login: Tue Jan 17 18:26:15 2023 from 192.168.2.36
[u2001@e16-tech.com@t3610 ~]$

sumit-bose commented 1 year ago

Hi,

can you send the output of

KRB5_TRACE=/dev/stdout ssh t3610.e16-tech.com

bye, Sumit

wangyugui-e16 commented 1 year ago

No additional trace output for 'KRB5_TRACE=/dev/stdout ssh t3610.e16-tech.com':

[u2001@e16-tech.com@t3610 ~]$ KRB5_TRACE=/dev/stdout ssh t3610.e16-tech.com
(u2001@e16-tech.com@t3610.e16-tech.com) Password:
Last login: Tue Jan 17 19:35:50 2023 from 192.168.2.36
[u2001@e16-tech.com@t3610 ~]$ cat /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    dns_canonicalize_hostname = fallback
    qualify_shortname = ""
#    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}
    udp_preference_limit = 0
    default_realm = E16-TECH.COM

[realms]
# EXAMPLE.COM = {
#     kdc = kerberos.example.com
#     admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

wangyugui-e16 commented 1 year ago

local /etc/sssd/sssd.conf

# cat /etc/sssd/sssd.conf

[sssd]
domains = e16-tech.com
config_file_version = 2
services = nss, pam

[domain/e16-tech.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = E16-TECH.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = e16-tech.com
use_fully_qualified_names = True
ldap_id_mapping = False
access_provider = ad

wangyugui-e16 commented 1 year ago

Some 'ssh -vvv' info that may be useful.

Is gssapi-keyex skipped, or is 'keyboard-interactive' tried before gssapi-keyex?

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey

sumit-bose commented 1 year ago

Hi,

I would expect that the verbose output of the ssh client starts with some lines about reading the configuration:

# ssh  localhost -v
OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
...

but yours just starts with Connecting ...:

[u2001@e16-tech.com@t3610 ~]$ ssh -v t3610.e16-tech.com
OpenSSH_8.7p1, OpenSSL 3.0.1 14 Dec 2021
debug1: Connecting to t3610.e16-tech.com [192.168.2.36] port 22.
debug1: Connection established.
debug1: identity file /home/u2001/.ssh/id_rsa type -1
debug1: identity file /home/u2001/.ssh/id_rsa-cert type -1
debug1: identity file /home/u2001/.ssh/id_dsa type -1
debug1: identity file /home/u2001/.ssh/id_dsa-cert type -1
debug1: identity file /home/u2001/.ssh/id_ecdsa type -1

I can only replicate this behavior when calling ssh with the -F none option so that no config file is read at all. Can you check if ssh on your system is maybe an alias and -F none is used? As an alternative you can try to call ssh with the full path like:

/usr/bin/ssh -v t3610.e16-tech.com

bye, Sumit

wangyugui-e16 commented 1 year ago

sssd-ad single sign-on works here now.

There was a long-lived stupid error here: /etc/ssh/ssh_config was set to '-rw-------', but it should be '-rw-r--r--', so no ssh client config file was read at all.

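The root cause reported above can be written down as a check. The shell below is an added example for this page, not code from OpenSSH, SSSD or anyone in the thread. It models the read check an unprivileged ssh client runs into (a root-owned, mode 0600 /etc/ssh/ssh_config is unreadable to uid 2001 but readable to uid 0) and, when GNU `stat -c` is available (an assumption), inspects the live file. Group read bits are ignored on purpose: the assumption encoded is that the file is root-owned and the AD user is not in root's group, which matches the thread.

```shell
#!/bin/sh
# Added example (not code from the issue, OpenSSH or SSSD): encode the root cause
# found above as a check. The system-wide ssh_config is opened by the unprivileged
# client; when it is root-owned and mode 0600 the client skips it silently, so
# every GSSAPI* option in it is lost and `ssh -v` never prints
# "Reading configuration data /etc/ssh/ssh_config".

# Can <caller uid> read a file with <octal mode> owned by <owner uid>?
# Group bits are ignored on purpose (assumption: the caller is not in the owner's
# group, which matches a root-owned /etc/ssh/ssh_config and an AD user).
config_readable_by_uid() {
    mode=$1 owner_uid=$2 caller_uid=$3
    if [ "$caller_uid" -eq 0 ]; then
        return 0                      # root is not subject to DAC read checks
    fi
    if [ "$caller_uid" -eq "$owner_uid" ]; then
        digit=$(printf '%s' "$mode" | tail -c 3 | cut -c 1)   # owner bits
    else
        digit=$(printf '%s' "$mode" | tail -c 1)              # others bits
    fi
    case $digit in
        4|5|6|7) return 0 ;;          # read bit (4) is set
        *)       return 1 ;;
    esac
}

# Inspect the live file. Uses GNU `stat -c` (assumption: GNU coreutils).
# Returns 0 readable, 1 unreadable, 2 could not check.
check_live_ssh_config() {
    f=${1:-/etc/ssh/ssh_config}
    [ -f "$f" ] || { echo "SKIP: $f not found" >&2; return 2; }
    command -v stat >/dev/null 2>&1 || { echo "SKIP: no stat" >&2; return 2; }
    m=$(stat -c '%a' "$f") && o=$(stat -c '%u' "$f") || return 2
    if config_readable_by_uid "$m" "$o" "$(id -u)"; then
        echo "OK: $f mode $m owner $o is readable by uid $(id -u)"
        return 0
    fi
    echo "FAIL: $f mode $m owner $o is not readable by uid $(id -u); expected 644" >&2
    return 1
}

# Demo with the thread's numbers: -rw------- (600) root-owned, AD user uid 2001.
config_readable_by_uid 600 0 2001 && echo "600: readable" || echo "600: NOT readable by uid 2001"
config_readable_by_uid 644 0 2001 && echo "644: readable" || echo "644: NOT readable by uid 2001"
check_live_ssh_config || :
```

Run the script as the AD user, not as root: root reads a 0600 file without complaint, which is exactly why the problem hides when you only test as root.
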
sumit-bose commented 1 year ago

Hi,

good to hear it is working for you now. If you have no further questions feel free to close this ticket.

bye, Sumit

wangyugui-e16 commented 1 year ago

Some notes that may be useful:

 (linux/OK) # ssh e16-tech\\u2001@T640
 (linux/FAIL) # ssh e16-tech\u2001@T640
 (windows/OK) > ssh.exe e16-tech\u2001@T640
 (windows/FAIL) > ssh.exe e16-tech\\u2001@T640

sumit-bose commented 1 year ago

Some notes that may be useful:


 (linux/OK) # ssh e16-tech\\u2001@T640
 (linux/FAIL) # ssh e16-tech\u2001@T640

Hi,

this is most probably the shell, which is treating \ as a special character, and you have to use \\ so that the program (ssh) you are calling will get a single \. As an alternative you can use ssh 'e16-tech\u2001@T640' (please note the 's) to protect the single \ from the shell.

HTH

bye, Sumit
