fedora-infra / noggin

Self-service user portal for open-source communities to use over FreeIPA.
MIT License
111 stars 59 forks

fasClient replacement #196

Closed nirik closed 4 years ago

nirik commented 4 years ago

Not sure this should be a ticket, but not sure where else to file it.

With the old fas setup, we had a client called 'fasClient' that runs on servers. It fetches user ssh keys and information and makes nssdb passwd/shadow files, a home directory and ssh authorized_keys. It added only those users that were in allowed groups for that host.

I know there were a number of replacements suggested for this setup, but I don't know if we decided on one or still need to.

Basically the requirements would be:

I think freeipa ties into sssd for its ssh access. Is that an option for us?

Or we also talked about a small service/scripting that would query noggin and generate ssh certs for access. There's some apps out there that already do this, although they might be too complex for our needs. (ex https://github.com/Netflix/bless )

So, we should try and figure out the story here. Perhaps we should discuss more on list or have a meeting or two to discuss requirements.

Conan-Kudo commented 4 years ago

Wouldn't sssd work for this? iirc, it could be configured to do these things...

nirik commented 4 years ago

Possibly. I think sssd needs to talk directly to freeipa? So, not sure how our machines that are external to the network that the ipa servers are running on could handle this (which is why perhaps noggin would need to mediate that access)? I've not used sssd much, so I could be wrong there.

Conan-Kudo commented 4 years ago

Isn't FreeIPA already directly accessible over the internet? At least, I thought that's how the kerberos thing worked...

nirik commented 4 years ago

You can expose it, but that gives you a pretty large attack surface. We currently do not, and use https://github.com/latchset/kdcproxy so all outside requests go in and out via https to the proxy. There's no direct query of the ldap servers done.

arrfab commented 4 years ago

@nirik : For CentOS we never used any fasclient (as nobody had shell access apart from some very small group, all that configured with puppet and then ansible). We still don't plan on using IPA for that, as our nodes wouldn't be enrolled in IPA either. But if you really want to have that feature, I don't think that rewriting a client to do what IPA (and so ipa-client) does automatically would make sense ? :) I always thought (what I heard but what do I know from Fedora infra) that such external machines were automatically on a vpn ? (as that would solve the issue of having to expose - and I'm all with you on that one - kdc to the wild world)

nirik commented 4 years ago

I was not saying we should re-write fasClient. ;) I was simply saying we need something to move to... if sssd will do everything we need great. If it will not, perhaps we need something that talks to noggin and issues ssh certs for shell access. All our machines are not on the vpn. Most of them are in 1 datacenter and some in others are on vpn, but not all of them. Anyhow, I guess this is on me to try and look at sssd and come up with a plan and see if anything here is needed from noggin.

abompard commented 4 years ago

I think it's basically about enrolling the servers in IPA with ipa-client-install, this would setup sssd and thus SSH access. Is it correct @tiran ?

tiran commented 4 years ago

> I think it's basically about enrolling the servers in IPA with ipa-client-install, this would setup sssd and thus SSH access. Is it correct @tiran ?

Yes, that's correct. ipa-client-install will configure SSSD, PAM, and NSS. This will also configure and allow SSH access. You can create more fine-tuned HBAC rules to restrict SSH access by host, hostgroup, user, and user group.

abompard commented 4 years ago

I'll close this ticket then, if your questions are answered @nirik. @tiran you wouldn't happen to know a way to do what ipa-client-install does but with Ansible, would you? I guess we could set an Ansible task to run the command and set creates to a file that it would create, but if there was an equivalent in native Ansible our sysadmins would likely prefer it. No?
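One way to do what the two comments above describe, as an added example that is not part of the noggin project: enroll a host with ipa-client-install (idempotent via `creates`, as suggested), then add an HBAC rule that limits sshd to one user group on one hostgroup. The ipa-client-install flags and ipa CLI subcommands are real; the realm, hostnames, vault variables, group, hostgroup and rule names are placeholders.

```yaml
# Added example, not from noggin or fedora-infra. Placeholder names throughout.
- name: Enroll host in FreeIPA (configures SSSD, PAM and NSS)
  hosts: ipa_clients
  become: true
  vars:
    ipa_realm: EXAMPLE.ORG                 # placeholder realm
    ipa_domain: example.org                # placeholder domain
    ipa_server: ipa.example.org            # placeholder IPA server
    ipa_enroll_principal: admin            # placeholder enrolment principal
    ipa_enroll_password: "{{ vault_ipa_enroll_password }}"  # from Ansible Vault
  tasks:
    - name: Run ipa-client-install once per host
      ansible.builtin.command:
        argv:
          - ipa-client-install
          - --unattended
          - --mkhomedir                    # create home directories on first login
          - --domain={{ ipa_domain }}
          - --realm={{ ipa_realm }}
          - --server={{ ipa_server }}
          - --principal={{ ipa_enroll_principal }}
          - --password={{ ipa_enroll_password }}
        # ipa-client-install writes this file; if it exists the task is skipped
        creates: /etc/ipa/default.conf
      no_log: true                         # keep the enrolment password out of logs

- name: Restrict SSH to one group on one hostgroup with an HBAC rule
  hosts: ipa_servers
  become: true
  vars:
    ipa_admin_password: "{{ vault_ipa_admin_password }}"  # from Ansible Vault
  tasks:
    - name: Obtain an admin Kerberos ticket
      ansible.builtin.shell: printf '%s\n' "{{ ipa_admin_password }}" | kinit admin
      no_log: true
      changed_when: false

    - name: Create rule sysadmin_ssh (placeholder) if it does not exist yet
      ansible.builtin.shell: |
        ipa hbacrule-show sysadmin_ssh >/dev/null 2>&1 && exit 0
        ipa hbacrule-add sysadmin_ssh --desc="SSH for sysadmins"
        ipa hbacrule-add-service sysadmin_ssh --hbacsvcs=sshd
        ipa hbacrule-add-user sysadmin_ssh --groups=sysadmin
        ipa hbacrule-add-host sysadmin_ssh --hostgroups=shell_hosts
      register: hbac
      changed_when: "'Added HBAC rule' in hbac.stdout"
```

The rule only takes effect as a restriction once the default allow_all HBAC rule is disabled; that step is deliberately left out so it is taken as a conscious change rather than applied by a playbook run.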

abompard commented 4 years ago

This is going to be a subject again, so I wanted to paste here the documentation I've found: