aker-gateway / Aker

SSH bastion/jump host/jumpserver

SSH Keys vs Kerberos Ticket #41

Open cowreth opened 7 years ago

cowreth commented 7 years ago

Hi,

After a successful login on the Aker server via SSH keys, no Kerberos ticket is generated. This is normal behaviour, as in this case auth is delegated to the authkey mechanism of SSH.

Scenario:

I make a connection to aker with an SSH key. Access is granted, but aker.py crashes:

Traceback (most recent call last):
  File "/usr/bin/aker/aker.py", line 152, in <module>
    Aker().build_tui()
  File "/usr/bin/aker/aker.py", line 117, in __init__
    self.user = User(self.posix_user)
  File "/usr/bin/aker/aker.py", line 75, in __init__
    self.hosts = Hosts(config,self.name,gateway_hostgroup,idp)
  File "/usr/bin/aker/hosts.py", line 59, in __init__
    self.idp = IdPFactory.getIdP(idp)(config,username,gateway_hostgroup)
  File "/usr/bin/aker/idp/IPA.py", line 34, in __init__
    api.Backend.rpcclient.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 931, in create_connection
    raise errors.KerberosError(message=unicode(krberr))
ipalib.errors.KerberosError: did not receive Kerberos credentials
Connection to bastion-aker closed.

There's no standard way that I know of to generate a Kerberos ticket after a successful SSH login.

Two ideas:

Any thoughts on this?

cowreth commented 7 years ago

Note: the crash happens as Aker is trying to build the hosts list from the FreeIPA API while having no Kerberos ticket.

Even if, with JSON, I had a list of servers, the problem would remain: the connection to the target server would not be possible via Kerberos, and would require either:

Seb

anazmy commented 7 years ago

Hi @cowreth ,

Aker utilizes paramiko to handle SSH connectivity. paramiko had an issue [1] with handling Kerberos tickets, which is why I didn't use it. I see that there is now a proposed fix for this paramiko issue; maybe it's worth testing again with this fix.

Now to the error posted above: do you have the user's public SSH key added to FreeIPA? And the private key available under /home/$username/.ssh/?

I think from what you mentioned you don't have the private key copied into the user's homedir, right?

[1] https://github.com/paramiko/paramiko/issues/584

anazmy commented 7 years ago

Also, to make sure I'm understanding the situation correctly: how did you log in to the Aker server itself, via SSH key?

cowreth commented 7 years ago

Yes, the connection from my client to the Aker gateway is made via SSH keys (no password except the SSH passphrase ;)).

So:

Note: Aker is a FreeIPA client, and my pubkey is registered in my IPA, so Aker gets my public key via IPA to authenticate me when I connect to the gateway. This goes well, by the way ;)

My SSH private key is not on the Aker server. I don't want to have to put it there, because it would mean that I have to manually put the SSH key on the Aker server for each new admin.

Goal: connect to Aker via SSH key, then get a Kerberos ticket that is used to connect to target hosts.

Let me know if you need me to rephrase ;)

anazmy commented 7 years ago

@cowreth no, it's clear, I just missed it in my first reply :)

I see your point. Getting a Kerberos ticket is done via a password challenge or a keytab file; on first thought, I think possible ways to handle this situation are:

1- Don't advertise SSH keys as an authentication method on Aker, but that might be annoying.

2- Like you mentioned, handle the ipalib.errors.KerberosError error and prompt the user for a password to pull the list of servers from IPA and/or to obtain a valid Kerberos ticket.

3- Use a keytab file to obtain a Kerberos ticket upon login regardless of your method of authentication. I don't like this option at first glance, but I have to weigh the odds here.

What do you think?

cowreth commented 7 years ago

I think you nailed the potential solutions.

I've got the very same feeling about Solution 3, but like you I may need to dig a bit more to understand what it implies (security-wise). Solution 2 may be the "easiest" one, as it consists of a catch block, but it requires generating a Kerberos ticket in Python (or making a syscall to kinit), which could also be tricky.

And obviously, same conclusion for Solution 1 ;)
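Solution 2 as sketched in the two comments above (detect the missing ticket, prompt for a password, obtain a TGT with kinit), written out as an added Python 3 example that is not Aker's own code. It assumes MIT Kerberos `klist`/`kinit` on the bastion and that kinit reads the password from stdin when stdin is not a terminal; the `principal`, `ccache`, `prompt` and `run` names are this example's own, and `EXAMPLE.TEST` is a placeholder realm.

```python
import getpass
import os
import subprocess


class KerberosLoginFailed(Exception):
    """Raised when no TGT could be obtained within the allowed attempts."""


def session_ccache(username):
    """Per-session credential cache (assumed layout) so that one admin's
    ticket is never picked up by another session on the shared bastion."""
    return "FILE:/tmp/krb5cc_%s_%d" % (username, os.getpid())


def have_ticket(ccache, run=subprocess.run):
    """True when `ccache` holds a valid, unexpired TGT (`klist -s` exits 0)."""
    env = dict(os.environ, KRB5CCNAME=ccache)
    return run(["klist", "-s"], env=env).returncode == 0


def ensure_ticket(principal, ccache, prompt=getpass.getpass,
                  run=subprocess.run, attempts=3):
    """Return True once a TGT exists for `principal` in `ccache`.

    Fallback for an SSH-key login that left the session without Kerberos
    credentials: prompt for the IPA password and run kinit. The password is
    handed to kinit on stdin, never on argv (argv is visible to every local
    user via ps), and it is never written to a log.
    """
    if have_ticket(ccache, run):
        return True
    env = dict(os.environ, KRB5CCNAME=ccache)
    for _ in range(attempts):
        password = prompt("Kerberos password for %s: " % principal)
        result = run(["kinit", "-c", ccache, principal],
                     input=(password + "\n").encode(), env=env,
                     stdout=subprocess.DEVNULL)  # kinit's own errors still reach the user
        if result.returncode == 0:
            return True
    raise KerberosLoginFailed("could not obtain a TGT for %s" % principal)


if __name__ == "__main__":
    user = getpass.getuser()
    ensure_ticket(user + "@EXAMPLE.TEST", session_ccache(user))  # placeholder realm
```

The `run` and `prompt` parameters exist so the flow can be exercised without a KDC; in Aker this would sit in the handler for the `ipalib.errors.KerberosError` shown in the traceback, before the hosts list is fetched.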

anazmy commented 7 years ago

Let me explore further whether there are other options, and see what to apply here. And thanks for bringing this up!

cowreth commented 7 years ago

(sorry, wrong click :D)