EuroPython 2017: Identity management, single sign-on and certificates with FreeIPA

https://ep2017.europython.eu/conference/talks/identity-management-single-sign-on-and-certificates-with-freeipa

* FreeIPA: https://www.freeipa.org
* Public FreeIPA demo instance: https://ipa.demo1.freeipa.org/
* Ansible demo playbook is available at https://github.com/tiran/pki-vagans/tree/europython2017 (tag: europython2017, directory ipademo).
* Apache modules: https://www.adelton.com/apache/
* EuroPython 2015 talk by Jan Pazdziora External authentication for Django projects: https://youtu.be/62_jD-8zV4M

Authentication, authorization and public key infrastructure are complicated and hard to get right, yet crucial for every infrastructure. Separate user databases in each application and ad-hoc self-signed TLS/SSL certificates don't scale and are hard to administer. Users don't want to remember a password for each service, admins prefer a centralized PKI, and developers struggle with correct password handling.

FreeIPA is an Open Source, Python-based identity management solution. It is much more than a simple user database. FreeIPA combines multiple mature products under an easy-to-use installer, command line and web interface: 389-DS LDAP server, MIT Kerberos, Dogtag PKI certificate system, BIND DNS with DNSSEC, SSSD, certmonger and more. It provides identities for users, services and machines with single sign-on (optionally 2FA) and role- or host-based access control. Keycloak and Ipsilon IdP can be integrated to offer OpenIDC or SAML. Mutual trust with Active Directory is possible, too.

Installation of a FreeIPA server and integration with a WSGI application is much simpler than you might think. At the end of my talk you will know how to deploy a FreeIPA server with just one command, how to add replicas for redundancy, how to authenticate users and access user data like name, email and group membership without adding a single line of Kerberos or LDAP code to your application, and how to issue TLS certificates with auto-renewal and OCSP.

Christian Heimes

July 13, 2017

Transcript

  1. FreeIPA, EuroPython 2017: Who am I
     • from Hamburg / Germany
     • Python core developer since 2008
     • PEP 370, 454, 456, 543
     • maintainer of the ssl and hashlib modules
     • I put bytes and b'' into Python 2
  2. Image credit: By Henry Kellner (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons
  3. Professional Life
     • Senior Software Engineer at Red Hat
     • Security Engineer & Identity Management
     • FreeIPA IdM
     • Dogtag PKI
     • Custodia Secrets Management
  4. Agenda
     • Scenario
     • Identity Management
     • FreeIPA
     • Integration
     • Installation
     • Demo
     • Summary
  5. "Simple" case: company-internal bulletin board
     • login / password
     • user database: full name, email, phone number
     • permissions
     • certificate for TLS/SSL
     • cert renewal and revocation
     • SSH access and SUDO rules for deployment
  6. Don't worry, be happy
     • Human Resources (HR): manage new hires and metadata in a single, company-wide database
     • Admins / DevOps / SecOps: centralized access control, easy-to-use certificate management, 2FA
     • Developers: use Kerberos/SAML/OpenIDC/LDAP without writing specific code
     • Users: one account and password for all services
  7. Wikipedia definition: Identity Management (noun)
     "Identity management (IdM) describes the management of individual principals, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks."
  8. Terminology
     • Principal: user, service, machine
     • Authentication: password, 2FA, smartcard, Kerberos keytab, token, certificate, …
     • Authorization: access control (ACL, RBAC, HBAC)
     • Privileges: permissions, roles, groups, delegation
  9. Teaser from www.freeipa.org
     • Identity: Manage Linux users and client hosts in your realm from one central location with CLI, Web UI or RPC access. Enable Single Sign On authentication for all your systems, services and applications.
     • Policy: Define Kerberos authentication and authorization policies for your identities. Control services like DNS, SUDO, SELinux or autofs.
     • Trust: Create mutual trust with other Identity Management systems like Microsoft Active Directory.
  10. Should I use FreeIPA?
      • Public web site?
      • Convenient login for users?
      Go for Let's Encrypt and Social Login (GitHub, Twitter, Google, Facebook)!
  11. Should I use FreeIPA?
      • Do you have a non-trivial number of users and admins?
      • Do you want to reuse accounts in web services, mail, ssh, …?
      • Do you need an internal CA for TLS/SSL?
      • Do you manage multiple Linux machines?
      • Do you hate maintaining SUDO rules and copying SSH keys?
      • Would you like to have convenient SSO?
      • Do you plan to scale from 10 users/machines to >10k?
  12. FreeIPA fabric
      • MIT Kerberos
      • 389-DS LDAP server
      • Dogtag PKI
      • BIND DNS
      • SSSD
      • Apache HTTPD
      • Python
      Identity management solution built on top of well-known Open Source components
  13. Kerberos (GSSAPI) Single Sign-on
      • Kerberos Realm: RIMINI.IT
      • User principal: [email protected]
      • Host: [email protected]
      • Service: shuttlebus/[email protected]
      • Authentication Server (AS) issues Ticket Granting Ticket (TGT)
      • Credential Cache (ccache)
      • Ticket Granting Server (TGS) issues Service Ticket (ST)
      • Service verifies Service Ticket with its keytab
  14. 389-DS LDAP (port389.org)
      • database server with hierarchical structure
      • standardized protocol
      • standardized database schema
      • heavily optimized for reading and replication
      • fine-grained access control
      • delegated authentication with Kerberos/GSSAPI
      • master/master replication with topology
  15. BIND DNS server
      • hostnames and reverse zone
      • service discovery and fail-over
      • DNS location
      • SSHFP (SSH public key fingerprint)
      • DNSSEC
  16. DNS
      $ host -t TXT _kerberos.ipa.example
      _kerberos.ipa.example descriptive text "IPA.EXAMPLE"
      $ host -t SRV _ldap._tcp.ipa.example
      _ldap._tcp.ipa.example has SRV record 0 100 389 master.ipa.example.
      $ host -t SSHFP master.ipa.example
      master.ipa.example has SSHFP record 4 1 93196304DD07A93020A990C68C7420F841AB942E
      master.ipa.example has SSHFP record 1 2 80569F6F066294AB74583749E34C2C6EC535…
      …
      $ ssh -o 'VerifyHostKeyDNS yes' \
            -o 'StrictHostKeyChecking ask' [email protected]
      The authenticity of host 'demo.ipa.example (192.168.121.7)' can't be established.
      ECDSA key fingerprint is SHA256:+qGavrtycn3+28wXmWxu64DdpmoOShD+375ElT5u27E.
      Matching host key fingerprint found in DNS.
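The SSHFP records above are what lets ssh skip the trust-on-first-use prompt: an "algorithm fptype fingerprint" triple per host key, compared against the key the server presents after a DNSSEC-validated lookup. The following added example (not from the talk) generalises the two records shown on the slide by computing SSHFP triples for any OpenSSH public key line and checking a presented key against published records; the Ed25519 key bytes it builds are constructed test data, not a real key.

```python
# Added example: SSHFP records (RFC 4255, RFC 6594, RFC 7479 format
# "<algorithm> <fptype> <hex fingerprint>") for an OpenSSH public key line,
# plus the match check that "ssh -o VerifyHostKeyDNS yes" performs.
import base64
import hashlib
import struct

# Algorithm numbers: 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519. Fingerprint types: 1 SHA-1, 2 SHA-256.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FINGERPRINT_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """Return (algorithm, fptype, HEXDIGEST) tuples for one public key line.

    pubkey_line is in ssh_host_*_key.pub format: "<keytype> <base64 blob> [comment]".
    The fingerprint is the hash of the decoded key blob, as on the slide
    (record "4 1 ..." is the SHA-1 of the Ed25519 key, "1 2 ..." the SHA-256 of the RSA key).
    Key types without an SSHFP algorithm number yield an empty list.
    """
    keytype, b64, *_ = pubkey_line.split()
    algo = SSHFP_ALGORITHMS.get(keytype)
    if algo is None:
        return []
    blob = base64.b64decode(b64)
    return [(algo, fptype, h(blob).hexdigest().upper())
            for fptype, h in sorted(FINGERPRINT_HASHES.items())]


def host_key_matches_dns(pubkey_line, dns_records):
    """True if the presented key matches at least one published SSHFP record.

    dns_records: iterable of (algorithm, fptype, hexdigest) from the DNS answer;
    hex comparison is case-insensitive. A client must only trust this result
    when the answer was DNSSEC-validated, which is why FreeIPA signs its zones.
    """
    published = {(a, t, fp.upper()) for a, t, fp in dns_records}
    return any(rec in published for rec in sshfp_records(pubkey_line))


def constructed_ed25519_pubkey(raw32):
    """Constructed test data: a syntactically valid ssh-ed25519 public key line
    wrapping 32 arbitrary bytes (NOT a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " demo.ipa.example"
```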
  17. Dogtag Certificate System
      • Certification Authority System
      • CA, Sub-CAs
      • Certificate issuance and revocation
      • Certificate profiles
      • CRL, OCSP
      • Simple Certificate Enrollment Protocol (SCEP)
      • Encrypted key archival and escrow (vault)
      • smartcard life cycle management, HSM (n/a with FreeIPA)
  18. System Security Services Daemon (SSSD)
      • Pluggable authentication module (PAM)
      • Name Service Switch (NSS)
      • Caching
      • … and much more
      • Daemon on IPA clients
  19. System Security Services Daemon (SSSD)
      Diagram: IdM (DNS, LDAP, KDC, PKI) on one side, a Linux system on the other; SSSD in between provides authentication, identities, name resolution, policies (sudo, HBAC, automount, SELinux), SSH public keys and certificates/keys.
  20. User interface
      • Web UI
      • installer
      • management
      • command line tools
      • RPC server
  21. More
      • certmonger
      • kdcproxy (MS-KKDCP)
      • ipa-otp
      • Yubikey
      • NTP
      • Apache HTTPD modules
      • NGinx modules
      • Samba
      • FreeOTP app (Android, Apple)
  22. 3rd party integration
      • Email: Postfix, Dovecot, Exim, Cyrus LDAP, …
      • Thunderbird address book
      • Apache HTTPD, NGinx
      • GitLab, Jenkins, MediaWiki, Trac, Pagure, Confluence, Jira, …
      • Jabber (Wildfire, ejabberd)
      • Radius WPA-Enterprise
      • Kerberized NFS with AutoFS, Samba
      • VPN (IPSec, OpenConnect)
      • OpenStack
  23. Demo setup
      • OS: Fedora 25
      • FreeIPA: 4.5.2 (from COPR)
      • Kerberos realm: IPA.EXAMPLE
      • Domain: ipa.example
      • configuration
        • hostname: $name.ipa.example
        • DNS resolver: IPA's DNS server
        • SELinux booleans: httpd_mod_auth_pam, httpd_dbus_sssd
        • Firewall: HTTP(S), LDAP(S), DNS, Kerberos, NTP, SSH
  24. Install a FreeIPA server
      $ sudo dnf install freeipa-server
      $ sudo ipa-server-install \
          --realm IPA.EXAMPLE \
          --domain ipa.example \
          --setup-dns \
          --auto-forwarders \
          ...
  25. Enroll a FreeIPA client (manual)
      $ sudo dnf install freeipa-client
      $ sudo ipa-client-install \
          --principal admin \
          --password $PASSWORD \
          --mkhomedir \
          --ssh-trust-dns \
          --configure-firefox \
          --enable-dns-updates
  26. $ ipa-client-install ...
      Discovery was successful!
      Client hostname: demo.ipa.example
      Realm: IPA.EXAMPLE
      DNS Domain: ipa.example
      IPA Server: master.ipa.example
      BaseDN: dc=ipa,dc=example
      Synchronizing time with KDC...
      Attempting to sync time using ntpd.  Will timeout after 15 seconds
      Successfully retrieved CA cert
          Subject:     CN=Certificate Authority,O=IPA.EXAMPLE
          Issuer:      CN=Certificate Authority,O=IPA.EXAMPLE
          Valid From:  Fri Jun 23 11:55:56 2017 UTC
          Valid Until: Tue Jun 23 11:55:56 2037 UTC
      Enrolled in IPA realm IPA.EXAMPLE
      Created /etc/ipa/default.conf
      New SSSD config will be created
      Configured sudoers in /etc/nsswitch.conf
      Configured /etc/sssd/sssd.conf
      Configured /etc/krb5.conf for IPA realm IPA.EXAMPLE
      trying https://master.ipa.example/ipa/json
      Forwarding 'ping' to json server 'https://master.ipa.example/ipa/json'
      Forwarding 'ca_is_enabled' to json server 'https://master.ipa.example/ipa/json'
      Systemwide CA database updated.
      Hostname (demo.ipa.example) does not have A/AAAA record.
      Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
      Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
      Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
      Forwarding 'host_mod' to json server 'https://master.ipa.example/ipa/json'
      SSSD enabled
      Configured /etc/openldap/ldap.conf
      NTP enabled
      Configured /etc/ssh/ssh_config
      Configured /etc/ssh/sshd_config
      Firefox sucessfully configured.
      Configuring ipa.example as NIS domain.
      Client configuration complete.
  27. Unattended enrollment (1): create host record with one-time password
      $ kinit admin
      $ ipa host-add --random demo.ipa.example
      ------------------------------------
      Added host "demo.ipa.example"
      ------------------------------------
        Host name: demo.ipa.example
        Random password: 1Ii.2A6a;:I+6PVvHQt{D/
        Password: True
        Keytab: False
        Managed by: demo.ipa.example
  28. Unattended enrollment (2): enroll host with OTP and CA cert
      $ hostname --fqdn
      demo.ipa.example
      $ sudo ipa-client-install \
          --password '1Ii.2A6a;:I+6PVvHQt{D/' \
          --ca-cert-file=/root/ca.crt \
          --unattended \
          ...
  29. Install master/master replica (machine must be an IPA client)
      $ ipa hostgroup-add-member ipaservers \
          --hosts=replica.ipa.example
      $ sudo ipa-replica-install --setup-ca --setup-dns
  30. Apache HTTPD example
      • mod_auth_gssapi + ipa-getkeytab
      • mod_ssl + certmonger + ipa-getcert
      • mod_authnz_pam
      • mod_lookup_identity
      • mod_intercept_form_submit
  31. Setup
      • users: admin, cheimes, bob
      • user groups: admins, webadmins, webusers
      • hosts: master, demo
      • host groups: ipaservers, webservers
      • HBAC rules: allow_admin, allow_webadmins, allow_webusers
      • PAM service: websvc
      • SUDO rule: sudo_webadmins
      • RBAC: Service Admin
  32. mod_auth_gssapi
      $ kinit admin
      $ ipa service-add HTTP/demo.ipa.example
      $ kinit -kt /etc/krb5.keytab
      $ ipa-getkeytab -p HTTP/demo.ipa.example \
          -k /etc/httpd/demo.ipa.example.keytab

      <Location "/">
          AuthType GSSAPI
          GssapiCredStore keytab:/etc/httpd/demo.ipa.example.keytab
          Require valid-user
      </Location>
  33. mod_ssl
      $ ipa-getcert request -w \
          -k /etc/pki/tls/private/demo.ipa.example.key \
          -f /etc/pki/tls/certs/demo.ipa.example.crt \
          -D demo.ipa.example \
          -K HTTP/demo.ipa.example \
          -C 'systemctl reload httpd.service'

      SSLEngine on
      SSLProtocol all -SSLv3
      SSLCipherSuite PROFILE=SYSTEM
      # cert / private key
      SSLCertificateFile /etc/pki/tls/certs/demo.ipa.example.crt
      SSLCertificateKeyFile /etc/pki/tls/private/demo.ipa.example.key
      # OCSP
      SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
      SSLUseStapling on
  34. mod_lookup_identity
      LookupUserGroups REMOTE_USER_GROUPS :
      LookupUserAttr uidNumber REMOTE_USER_UID
      LookupUserAttr mail REMOTE_USER_EMAIL
      LookupUserAttr sn REMOTE_USER_SN
      LookupUserAttr givenname REMOTE_USER_GIVENNAME

      # /etc/sssd/sssd.conf
      [domain/ipa.example]
      ldap_user_extra_attrs = mail, givenname, sn
      [sssd]
      services = …, ifp
      [ifp]
      allowed_uids = apache, root
      user_attributes = +mail, +givenname, +s
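With mod_auth_gssapi and mod_lookup_identity configured as on the two slides above, the application sees the authenticated principal in REMOTE_USER and the user's groups and attributes in the REMOTE_USER_* variables, and needs no Kerberos or LDAP code of its own. The following is an added example (not code from the talk or the demo playbook) of a WSGI application that consumes those variables and enforces group-based authorization with the group names from the demo setup; the environ values in its test are constructed.

```python
# Added example, not code from the talk: a WSGI application that relies on the
# Apache modules above. mod_auth_gssapi sets REMOTE_USER; mod_lookup_identity adds
# REMOTE_USER_GROUPS (':'-separated, per "LookupUserGroups REMOTE_USER_GROUPS :"),
# REMOTE_USER_EMAIL, REMOTE_USER_GIVENNAME and REMOTE_USER_SN. The app reads only the environ.
from dataclasses import dataclass

ADMIN_GROUP = "webadmins"   # group names from the demo setup slide
USER_GROUP = "webusers"


@dataclass(frozen=True)
class IdentityUser:
    principal: str          # as set by mod_auth_gssapi, e.g. "cheimes@IPA.EXAMPLE"
    email: str
    given_name: str
    surname: str
    groups: frozenset

    @property
    def username(self):
        # Drop the Kerberos realm and keep the bare login name.
        return self.principal.split("@", 1)[0]


def user_from_environ(environ):
    """Return an IdentityUser, or None when Apache did not authenticate the request."""
    principal = environ.get("REMOTE_USER")
    if not principal:
        # "Require valid-user" did not run for this location: refuse rather than
        # fall back to an anonymous account.
        return None
    groups = frozenset(filter(None, environ.get("REMOTE_USER_GROUPS", "").split(":")))
    return IdentityUser(principal, environ.get("REMOTE_USER_EMAIL", ""),
                        environ.get("REMOTE_USER_GIVENNAME", ""),
                        environ.get("REMOTE_USER_SN", ""), groups)


def application(environ, start_response):
    """WSGI entry point: group-based authorization without Kerberos/LDAP code."""
    user = user_from_environ(environ)
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"authentication required\n"]
    # Everything under /admin is for webadmins; the rest is for webusers.
    needed = ADMIN_GROUP if environ.get("PATH_INFO", "/").startswith("/admin") else USER_GROUP
    if needed not in user.groups:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]
    body = f"Hello {user.given_name} {user.surname} <{user.email}> ({user.username})\n"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]
```

Whether the user may log in to the host at all is decided earlier by the HBAC rules via SSSD and PAM; the application only refines access by group once Apache has authenticated the request.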
  35. mod_intercept_form_submit
      <Location "/login/intercept">
          Require all granted
          InterceptFormPAMService websvc
          InterceptFormLogin username
          InterceptFormPassword password
      </Location>
  36. SAML / OpenIDC Identity Providers: ipsilonproject.org, www.keycloak.org
      • mod_auth_mellon (SAML)
      • mod_auth_openidc
  37. Application Framework
      Diagram: on a Linux system, Apache with modules and SSSD handle authentication (Kerberos SSO, SAML, OpenID, ...) and identity (user attributes from the identity source) and pass them on to the application.
  38. FreeIPA Summary
      • Account management for users, groups, machines, and services
      • Central management of access control and policies
      • Single Sign-On with Kerberos
      • SAML and OpenIDC integration
      • Certificate Authority
  39. Links
      • FreeIPA: https://www.freeipa.org
      • Public FreeIPA demo instance: https://ipa.demo1.freeipa.org/
      • Ansible + Vagrant playbook:
        • git: https://github.com/tiran/pki-vagans
        • tag: europython2017
        • directory: ipademo
      • Apache modules: https://www.adelton.com/apache/
      • EuroPython 2015 talk by Jan Pazdziora, External authentication for Django projects: https://youtu.be/62_jD-8zV4M