
Tuesday, March 13, 2012

STORE SSH KEYS IN LDAP


We need passwordless SSH logins, so here I have centralised the users' keys by storing them in LDAP.


LDAP Server Setup


[root@ldap]#  yum install openldap{,-clients,-devel,-servers} nss_ldap


Make an entry in /etc/hosts

192.168.1.3    directory.domain.com


Run this command and copy its output

[root@ldap]#  slappasswd

Note:  enter the desired rootdn password here

pass:

confirm:

The output will look like this; copy it

{SSHA}AuOU1S01Nj+gQ9FIHf8gCompENETugiT


Now edit slapd.conf

[root@ldap]#  vi /etc/openldap/slapd.conf

Look for entries like these and edit them as follows

database       bdb

suffix           "dc=directory,dc=domain,dc=com"

rootdn          "cn=Manager,dc=directory,dc=domain,dc=com"

rootpw          {SSHA}AuOU1S01Nj+gQ9FIHf8gCompENETugiT

(paste the hash printed by slappasswd here; slapd.conf only treats whole lines starting with # as comments, so do not append a comment to the rootpw line)

directory       /var/lib/ldap


[root@ldap]#  service ldap start


Create a file named /etc/openldap/init.ldif containing the base entry for the suffix, the Manager entry, and the People and Groups containers (one blank line between entries, none inside an entry):


dn: dc=directory,dc=domain,dc=com
dc: directory
o: Organisation
objectClass: dcObject
objectClass: organization

dn: cn=Manager,dc=directory,dc=domain,dc=com
cn: Manager
description: Directory Manager
objectClass: organizationalRole

dn: ou=People,dc=directory,dc=domain,dc=com
ou: People
description: All People in Organisation
objectClass: organizationalUnit

dn: ou=Groups,dc=directory,dc=domain,dc=com
ou: Groups
description: All Groups in Organisation
objectClass: organizationalUnit


Now load that file into the LDAP server

[root@ldap]#  ldapadd -x -D "cn=Manager,dc=directory,dc=domain,dc=com" -W -f /etc/openldap/init.ldif

It will ask for a password; type the password you gave to "slappasswd"



Now import a user from the Linux passwd file

[root@ldap]#  useradd manish

[root@ldap]#  passwd manish


[root@ldap]#  grep manish /etc/passwd > passwd.manish

[root@ldap]# /usr/share/openldap/migration/migrate_passwd.pl passwd.manish manish.ldif

(The migration scripts default to the suffix dc=padl,dc=com; set $DEFAULT_BASE in /usr/share/openldap/migration/migrate_common.ph to dc=directory,dc=domain,dc=com first, or the generated DNs will not fall under your suffix.)

[root@ldap]# ldapadd -x -D "cn=Manager,dc=directory,dc=domain,dc=com" -W -f manish.ldif

It will ask for the rootdn password; provide it.



TEST LDAP SERVER: On LDAP Server

[root@ldap]# ldapsearch -x -b "dc=directory,dc=domain,dc=com"

------------------------------------------------------------------------------------------
LDAP Client Setup


[root@ldap-client]# yum install nss_ldap openldap-clients


Make an entry in /etc/hosts

192.168.1.3    directory.domain.com


Now run this command (it configures the client to authenticate logins, including SSH, against the LDAP server):

[root@ldap-client]# authconfig --useshadow --usemd5 --enableldap --enableldapauth --ldapserver=directory.domain.com --ldapbasedn="dc=directory,dc=domain,dc=com" --enablemkhomedir --updateall



Edit /etc/ldap.conf and add the lines below (the uri and base must match the server set up above)

ssl no

tls_cacertdir /etc/openldap/cacerts

pam_password md5

uri ldap://directory.domain.com/

base dc=directory,dc=domain,dc=com


Edit /etc/openldap/ldap.conf and add the same lines

ssl no

tls_cacertdir /etc/openldap/cacerts

pam_password md5

uri ldap://directory.domain.com/

base dc=directory,dc=domain,dc=com


Now test LDAP authentication on the client:

1: ldapsearch -x  (if this succeeds, also run step 2)

2: getent passwd | grep manish  (the user manish does not exist locally on the client, yet this should return the LDAP entry)

3: ssh -l manish 192.168.1.3

4: su - manish  (again, manish does not exist locally, yet the login should succeed)



TLS (LDAP Server) – Secure LDAP Server


[root@ldap]#  mkdir /etc/ssl/openldap/

[root@ldap]# cd /etc/ssl/openldap/

[root@ldap]# openssl genrsa -out ldap.key 2048

[root@ldap]# openssl req -new -key ldap.key -out ldap.csr

(when prompted for the Common Name, enter the server's hostname, directory.domain.com; clients that demand a valid certificate check it against the name they connect to)

[root@ldap]# openssl genrsa -out ca.key 2048


[root@ldap]# openssl req -new -x509 -days 3650 -key ca.key -out ca.cert  

[root@ldap]# openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert -CAkey ca.key -CAcreateserial -days 3650


[root@ldap]# openssl x509 -in ldap.cert -text -noout


Edit /etc/openldap/slapd.conf on the LDAP server and append these lines (if such directives are already present, comment out the existing ones):


TLSCertificateFile /etc/ssl/openldap/ldap.cert

TLSCertificateKeyFile /etc/ssl/openldap/ldap.key

TLSCACertificateFile /etc/ssl/openldap/ca.cert


Now edit /etc/openldap/ldap.conf on the LDAP CLIENT: remove all existing lines and enter these

HOST  directory.domain.com

PORT 636

tls_cacertdir /etc/openldap/cacerts

TLS_REQCERT demand

pam_password md5

uri ldap://directory.domain.com/ ldaps://directory.domain.com:636

base dc=directory,dc=domain,dc=com


Copy /etc/ssl/openldap/ca.cert from the server into /etc/openldap/cacerts/ on the client (the tls_cacertdir above) and run c_rehash /etc/openldap/cacerts there; otherwise TLS_REQCERT demand rejects the server's certificate. Then point /etc/ldap.conf at the same file:

[root@ldap-client]# rm -f /etc/ldap.conf

[root@ldap-client]# ln -s /etc/openldap/ldap.conf /etc/ldap.conf



------------------------------------------------------------------------------------------


Replication: LDAP Server to LDAP Standby Client Server


On Second Server: (Standby)

1. Follow the same above procedure for LDAP.


2. Create /etc/rsyncd.conf and enter the lines below


log file = /var/log/rsyncd.log

pid file = /var/run/rsyncd.pid

lock file = /var/run/rsync.lock



[ldap_standby]

path=/var/lib/ldap/

comment=ldap sync

uid = root

gid = root

read only = no

list = no

auth users = root

secrets file = /etc/ldap-admin

strict modes = false


Save and exit


Now create a file /etc/ldap-admin

[root@ldap-standby]# echo "root:syncldapadmin" > /etc/ldap-admin


[root@ldap-standby]# rsync --daemon

Now add this at the end of /etc/rc.local

[root@ldap-standby]# vi /etc/rc.local

rsync --daemon


Now edit /etc/sysconfig/iptables and add the line below before "COMMIT" (adding -s 192.168.1.3, the LDAP server's address, keeps the rsync port reachable from the master only)


[root@ldap-standby]#  vi /etc/sysconfig/iptables

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 873 -j ACCEPT

save and exit


[root@ldap-standby]# /etc/init.d/iptables restart


That completes the standby side. The rsync module and its password travel in clear text over TCP 873, and the copied directory holds every user's password hash, so restrict that port to the master.


Now on LDAP Server.

Create a file under /etc/ named pass-ldap holding the rsync password

[root@ldap]# echo "syncldapadmin" > /etc/pass-ldap

[root@ldap]# chmod 700 /etc/pass-ldap


Now add a line to the crontab so the directory files are pushed to the standby every minute. The password file created above supplies the rsync secret; replace <standby-host> with the standby server's hostname or IP, which is not given here.

[root@ldap]# crontab -e

* * * * * /usr/bin/rsync -az --password-file=/etc/pass-ldap /var/lib/ldap/ root@<standby-host>::ldap_standby/

(This copies the BDB files of a running slapd, so the standby can receive an inconsistent snapshot; OpenLDAP's own syncrepl replication avoids that.)


save and exit

 ------------------------------------------------------------------------------------------


SSH Keys – LDAP Store


[root@ldap]#yum -y install gcc openldap-devel pam-devel zlib-devel openssl-devel


[root@ldap]#wget -qO - http://ftp.jaist.ac.jp/pub/OpenBSD/OpenSSH/portable/openssh-5.4p1.tar.gz | tar zxf -

[root@ldap]#cd openssh-5.4p1

[root@ldap]#wget -q http://openssh-lpk.googlecode.com/svn/trunk/patch/contrib/contrib-openssh-lpk-5.4p1-0.3.13.patch 

[root@ldap]#patch < contrib-openssh-lpk-5.4p1-0.3.13.patch

[root@ldap]#./configure --with-ldap --sysconfdir=/etc/ssh --prefix=/usr --with-pam

If configure fails on PAM, install pam-devel and rerun it

[root@ldap]#yum install pam-devel

[root@ldap]#make

Now take a backup of /etc/init.d/sshd and /etc/ssh/

[root@ldap]#mkdir -p /opt/sshback

[root@ldap]#mv /etc/init.d/sshd /opt/sshback/

[root@ldap]#mv /etc/ssh /opt/sshback/

[root@ldap]#yum -y erase openssh-server

[root@ldap]#make install


[root@ldap]#cp /opt/sshback/sshd /etc/init.d/


Now edit sshd_config and add the LPK directives below. LpkBindDN and LpkBindPw sit in clear text in sshd_config, which must stay readable by root only; a dedicated read-only bind account is preferable to the rootdn used here.

[root@ldap]#vi /etc/ssh/sshd_config

UseLPK yes

LpkLdapConf /etc/openldap/ldap.conf

LpkServers  ldap://localhost/

LpkUserDN   ou=People,dc=directory,dc=domain,dc=com

LpkGroupDN  ou=Groups,dc=directory,dc=domain,dc=com

LpkBindDN cn=Manager,dc=directory,dc=domain,dc=com

LpkBindPw controlman

LpkServerGroup tech

LpkForceTLS no

LpkSearchTimelimit 3

LpkBindTimelimit 3

LpkPubKeyAttr sshPublicKey


Now add a group in LDAP

Create a file maingroup.ldif with the lines below, listing every user who should be allowed to log in (LpkServerGroup above names this group)

dn: cn=tech,ou=Groups,dc=directory,dc=domain,dc=com
cn: tech
gidnumber: 504
memberuid: user1
memberuid: user2
memberuid: user3
memberuid: user4
objectclass: posixGroup


[root@ldap]#ldapadd -x -D "cn=Manager,dc=directory,dc=domain,dc=com" -W -f maingroup.ldif

It should display:

adding new entry "cn=tech,ou=Groups,dc=directory,dc=domain,dc=com"


[root@ldap]#mkdir -p /var/empty/sshd/etc




Now edit slapd.conf so the server knows the ldapPublicKey objectClass and sshPublicKey attribute. The openssh-lpk_openldap.schema file comes with the openssh-lpk project; copy it into /etc/openldap/schema/ first, then add the include alongside the other include lines near the top of the file.

[root@ldap]#vi /etc/openldap/slapd.conf


include            /etc/openldap/schema/openssh-lpk_openldap.schema


Save and exit, then restart slapd so the schema is loaded


------------------------------------------------------------------------------------------


PHPLDAPADMIN (frontend for LDAP Management)


Download phpldapadmin (the link carries a SourceForge mirror query string, so it is quoted and saved under a fixed name)
[root@ldap]#wget -O phpldapadmin-1.2.2.tgz 'http://downloads.sourceforge.net/project/phpldapadmin/phpldapadmin-php5/1.2.2/phpldapadmin-1.2.2.tgz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fphpldapadmin%2Ffiles%2Fphpldapadmin-php5%2F1.2.2%2F&ts=1331543024&use_mirror=nchc'
[root@ldap]#tar zxf phpldapadmin-1.2.2.tgz
[root@ldap]#mv phpldapadmin-1.2.2 /var/www/html/phpldapadmin
[root@ldap]#chown -R apache:apache /var/www/html/phpldapadmin
(apache is the web server user on RHEL/CentOS, which the yum commands above assume)
Now go to /var/www/html/phpldapadmin/config/
[root@ldap]#mv config.php.example config.php
Now access it from a browser:
http:///phpldapadmin/

user: cn=Manager,dc=directory,dc=domain,dc=com
pass:

------------------------------------------------------------------------------------------

 


Now log into phpLDAPadmin and browse to the user you want to attach an SSH key to.

Now, under the user's "objectClass" entry, click "Add Value".

You should now see the following screen:

Select "ldapPublicKey" from the list and then hit "Add new ObjectClass".

Now that the ldapPublicKey objectClass is available to this user, you can add the sshPublicKey attribute to the user and paste their key in. Just hit "Add new attribute" as shown below, and you will get a dropdown menu.

In the dropdown menu, select "sshPublicKey" and you will see the dropdown change into the following:

Paste the user's key in here, then hit "Update Object", and that's it! You're done... the user now has their public SSH key stored in your LDAP directory, and as long as the companion private key is available on the machine they are connecting from, they will never need a password to log into any machine that is pointed at your LDAP server.



Now restart sshd and slapd.

# /etc/init.d/sshd restart

#/etc/init.d/ldap restart


Generate a key pair for the user (do not enter a passphrase):

# ssh-keygen -q -f ~/.ssh/id_rsa -t rsa

Enter passphrase (empty for no passphrase): …

Enter same passphrase again: …


# cat ~/.ssh/id_rsa.pub


Expected output, something like:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoLpYk/1bOPiQC8tP0aB7g5YfcmniEAdEEitGwRrjc3XZptLQm3syl11bXdGbBCXb8JT1r3R8OVsnN3Ml/zTy3f7GBIWDH47ytyBxhQcMaCYk9Kk6pG6jbJCoikkxYggD0BexeVCK8qNyi9uohLh6PWCWRX29wF2zqiRjWyy5t8WK8oBgahdx18nqRoQRxyLsk0YIiff8n/WFQ3lWW2H2AlHWRus5cLVZ6J1safgLChOX5BIGt4A/UHsKdXHJd/zcSt+xkEXO7WqzIlMF/hh62NdfV2oR2AQuhAvGcYeDJhMLqbf3GqBdhL/zBF+pxhu8IU/7wPBjpJV865XRI0/JTQ== root@vm-machine


Paste that whole line (type, key and comment) into the user's sshPublicKey attribute.
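The phpLDAPadmin clicks above amount to a single ldapmodify operation. As an added example that is not part of the post or of openssh-lpk, the Python below validates an OpenSSH public-key line before it is stored (base64 decodes, the type inside the blob matches the declared type, no trailing bytes, RSA modulus size) and emits the LDIF record that makes the same change from the command line. It reuses the key printed above as its input; BASE_DN and the uid=...,ou=People naming follow the post's server (migrate_passwd.pl places users under ou=People); the 2048-bit minimum and the function names are this example's own choices. Only ssh-rsa, the type the post uses, is parsed; anything else is rejected.

```python
import base64
import struct
from typing import Dict, Tuple

# Suffix the post's server uses; users imported with migrate_passwd.pl sit under ou=People.
BASE_DN = "dc=directory,dc=domain,dc=com"

# The key printed by ssh-keygen in the post, reused here as sample input.
SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoLpYk/1bOPiQC8tP0aB7g5YfcmniEAdEEitGwRrjc3XZptLQm3syl11bXdGbBCXb8JT1r3R8OVsnN3Ml/zTy3f7GBIWDH47ytyBxhQcMaCYk9Kk6pG6jbJCoikkxYggD0BexeVCK8qNyi9uohLh6PWCWRX29wF2zqiRjWyy5t8WK8oBgahdx18nqRoQRxyLsk0YIiff8n/WFQ3lWW2H2AlHWRus5cLVZ6J1safgLChOX5BIGt4A/UHsKdXHJd/zcSt+xkEXO7WqzIlMF/hh62NdfV2oR2AQuhAvGcYeDJhMLqbf3GqBdhL/zBF+pxhu8IU/7wPBjpJV865XRI0/JTQ== root@vm-machine"


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (big-endian uint32 length, then bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_openssh_pubkey(line: str) -> Dict[str, object]:
    """Validate an authorized_keys-style line and describe the key it carries.

    Checks that the base64 blob decodes, that the type embedded in the blob
    matches the leading type word, and that nothing follows the RSA modulus.
    Returns type, comment, public exponent and modulus size in bits.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("key blob is not valid base64") from exc
    inner_type, pos = _read_string(blob, 0)
    if inner_type != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the declared type")
    if key_type != "ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled in this example")
    exponent, pos = _read_string(blob, pos)
    modulus, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing data after the RSA key blob")
    return {
        "type": key_type,
        "comment": comment,
        "exponent": int.from_bytes(exponent, "big"),
        "bits": int.from_bytes(modulus, "big").bit_length(),
    }


def ssh_key_modify_ldif(uid: str, key_line: str, min_rsa_bits: int = 2048) -> str:
    """Build the ldapmodify record that attaches a validated key to uid=<uid>,ou=People.

    Same change phpLDAPadmin makes through the GUI: add the ldapPublicKey
    objectClass, then add the sshPublicKey attribute holding the whole line.
    Keys below min_rsa_bits (an assumed local policy) are refused.
    """
    info = parse_openssh_pubkey(key_line)
    if info["bits"] < min_rsa_bits:
        raise ValueError("RSA key is only %d bits; require %d" % (info["bits"], min_rsa_bits))
    dn = "uid=%s,ou=People,%s" % (uid, BASE_DN)
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "add: objectClass",
        "objectClass: ldapPublicKey",
        "-",
        "add: sshPublicKey",
        "sshPublicKey: " + key_line.strip(),
        "",
    ])


if __name__ == "__main__":
    print(parse_openssh_pubkey(SAMPLE_KEY))
    print(ssh_key_modify_ldif("manish", SAMPLE_KEY))
```

Feed the output to ldapmodify -x -D "cn=Manager,dc=directory,dc=domain,dc=com" -W -f. If the entry already carries objectClass ldapPublicKey, ldapmodify reports "attribute or value exists" for the first change; drop the objectClass block in that case and keep only the sshPublicKey add.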

10 comments:

  1. Sir, my ldapadmin doesn't have the ldapPublicKey option in the list.
    I'm trying to set up Active Directory using LDAP and Kerberos.
    Can you please help me?
    blazetango@gmail.com

  2. Have you downloaded the schema
    openssh-lpk_openldap.schema?

    Download it, include it in slapd.conf and restart the ldap service.

  3. I have no idea... I will have to check this...

  4. No worries, thank you. I will test it too and share the result.

  5. Yes, it can be implemented on CentOS DS as well...
    I shared it on my blog:
    http://sugizo.wordpress.com/2012/05/09/centos-store-ssh-key-in-centos-ds-directory-server/

  6. Steve van: The link about CentOS DS seems to be private. Is it possible to view that link?

  7. Manish,

    Thanks very much for sharing this article.

    The LDAP authentication mentioned in the article seems good for Linux servers, and actually I want to implement SSO (Single Sign On) in my office network, where currently we have a Windows Active Directory (AD) server authenticating Windows logins, and we have an obsolete RCS (Revision Control System) server where we update the group, shadow and password files for every Linux user, and this is replicated to all Linux servers (preferably Red Hat Linux servers); plus we also have key-based authentication instead of regular passwords.

    These Windows/Linux production servers are located in diverse datacenters.

    In the above scenario we are thinking that, while creating the users in the Windows AD server itself, we should have some mechanism which says that the user should have access to Linux servers as well, that the same login should be used for both Windows and Linux logins, and on top of this we need key-based authentication for the Linux users alone.

    May I please ask for any help or suggestions in this scenario?

    Thanks
    Karthik