CCMWithKerberos

From T2B Wiki
Revision as of 12:28, 26 August 2015 by Maintenance script (talk | contribs) (Created page with " === Goal === The main idea here is to find a solution to secure machine profiles with Kerberos using Apache + mod_kerb on the AII server. For the moment, ccm-fetch is don...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Goal

The main idea here is to find a solution to secure machine profiles with Kerberos using Apache + mod_kerb on the AII server.

For the moment, ccm-fetch is done through SSL on the server side, with authentication of machines by their SSL certificate on the client side.

We could simplify a bit the profile fetching process by allowing machines to authenticate thanks to their own Kerberos keytab. This would eliminate the need for machines to have an SSL certificate.

Configuring the Apache server

We were inspired by these pages :

http://www.microhowto.info/howto/configure_apache_to_use_kerberos_authentication.html

http://www.microhowto.info/howto/add_a_host_or_service_principal_to_a_keytab_using_mit_kerberos.html

Defining an HTTP directory protected by Kerberos

Create a file /etc/httpd/conf.d/auth_kerb.conf with the following content :

LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Location /private>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms WN.IIHE.AC.BE
  Krb5KeyTab /etc/httpd/conf/aiisrv.keytab
  require valid-user
</Location>

In the Apache location, create a simple text file (file.txt) that will be used during tests.

Creation of a service principal for HTTP on the AII server

To do this, use the FreeIPA web interface (tab "Indentity" > "Services"). The HTTP service principal should be :

HTTP/aiisrv.wn.iihe.ac.be@WN.IIHE.AC.BE

Creation of a keytab for the Apache service

Use the freeipa command "ipa-getkeytab" :

ipa-getkeytab -s freeipa.wn.iihe.ac.be  -k /etc/httpd/conf/aiisrv.keytab -p HTTP/aiisrv.wn.iihe.ac.be@WN.IIHE.AC.BE

Testing

Of course, these tests must done from a machine that is already in the Kerberos realm.

Using curl

First, you need to create a valid Kerberos ticket. As root, you can always do this with the command :

kinit -k -t /etc/krb5.keytab

Now, try this :

curl --negotiate http://aiisrv.wn.iihe.ac.be/private/test.txt

Using ccm-fetch

For ccm to be able to download profiles with "negotiate", you need first to install the following Perl module and copy it in the right place :

wget http://search.cpan.org/~agrolms/LWP-Authen-Negotiate-0.06/lib/LWP/Authen/Negotiate.pm
cp -a Negotiate.pm /usr/share/perl5/LWP/Authen/

On the AII server, copy the machine profile to the /private HTTP location, and on the machine where you will do your test, modify the /etc/ccm.conf file so that it contains the following line :

profile http://qclig.wn.iihe.ac.be/private/profile_node19-1.wn.iihe.ac.be.xml

And then, run ccm-fetch.

Remarks

In the solution we have described on this page, we have removed SSL from the server side for the sake of simplicity, but doing this, the communication between the client and the server is not encrypted anymore !

There is a discussion in the Quattor GitHub, about Kerberos and CCM. One interesting solution (that is used by MS) would be to encrypt the profile in such a way that a machine can only decrypt its own profile, and not others...


Template:TracNotice