| Summary: | Context needed for adding Kerberos SSH keys | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Alex Dellapenta <adellape> | ||||||
| Component: | Documentation | Assignee: | brice <bfallonf> | ||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | ecs-bugs | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 2.0.0 | CC: | jkeck, jokerman, libra-onpremise-devel, mheslin, mmccomas, perobins, rmainz | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: |
Build Name: 20822, Administration Guide-2-1.0
Build Date: 10-12-2013 12:23:02
Topic ID: 24313-567535 [Latest]
|
|||||||
| Last Closed: | 2015-08-20 05:10:39 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Attachments: |
|
||||||||
|
Description
Alex Dellapenta
2013-12-19 22:14:35 UTC
Created attachment 882758 [details]
Mail thread Mark-Brice
Folks - just wanted to update the bug.
I've added my conversations with Brice. It's up to you to decide whether or not you need the configuration details but I'm including them just in case you do. I've also tried to clarify a few points about Kerberos, Active Directory,e tc. as appropriate.
I've included the broker config file (/var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf) and how it would be modified for use with Kerberos (mod_auth_kerb.so) to talk to AD.
Please note that this requires the use of a keytab file and I have not configured this with OpenShift and confirmed it in the lab. I have configured keytabs like this in an earlier version (v1.4) of the RHEL-AD Reference Architecture (pgs. 62-64) so it should behave identically. I have configured OpenShift to use keytabs with IdM using this broker config file so in theory there is no reason OpenShift brokers (as RHEL clients) wouldn't work with it.
I'll attach v1.4 of the Refrence Architecturte as a folllow up.
-m
Created attachment 882760 [details]
RHEL-AD Reference Architecture - v1.4
Attaching for reference purposes. Pages 62-64 detail how to configure Kerberos service principal (SPN) on Windows/AD side and then use as a RHEL keytab.
Mark, apologies for the delay on this. I've been distracted and also been trying to get the thumbs up that we're heading in the right direction. I'm currently trying to find a way to test this process for accuracy. I have a few things I can do, but if you have a way you can suggest to me I'd be all ears. B Brice,
The original context was for three separate but somewhat related issues:
1. Adding a Kerberos Principal SSH Key [OSE Admin Guide]
2. Creating a Specific SSH Key Type [OSE User Guide]
3. Kerberos Authentication [OSE Deploy Guide]
I don't see 1. above in the Admin Guide link above but I do see 1. and 2.
in the User Guide (sectuon 3.2.3.1) so is that the correct context for them?
If so, then is the goal to be able to use these against an existing AD environment or just to demonstrate in general how they would be used?
Here are a some things to think about - this can impact how you
would want to test these out:
- SSH keys: These are typically created on a local host then copied to the
remote host(s) that you want to access. If you have a lot of
remotes hosts then this can be cumbersome. In looking at the
text description in the User Guide (section 3.2.2) it appears
that the context is basically pretty generic and geared towards
RHC clients. AD has nothing to do with this but if you want
bring AD into the picture then this is where keytabs come
into play and those are configured as I mentioned earlier
and as documented in the Reference Architecture.
With IdM you can centrally store the keys so that all the IdM
domain members have access to the (public part) of the key which
eliminates the need to create the key locally and then copy out
to all of remote hosts. For each host to be able to use the
keys they must be clients of the IdM domain.
*** To Test***
- create local key, copy to an OSE broker or node as documented:
$ rhc sshkey add KeyName KeyPath
- Key Types:
As far as SSH key types, this is fairly new and started with
the work Mark Lamourine did last year to have a Kerberos
Principal be used as an SSH key type. Jordan Liggit on the
OSE team handled the back-end OSE portion.
To use this, you have to have an existing Kerberos realm in place
- this could be provided by AD, IdM or any Kerberos server
supporting Kerberos clients and Kerberos Single Sign-On (SSO)
capabilities.
*** To Test ***
- create local key, copy to an OSE broker or node as documented:
$ rhc sshkey add KeyName --type KeyType --content KeyContent
...or if a Kerberos realm is in place ...
$ rhc sshkey add KeyName --type krb5-principal --content Principal
Example:
$ rhc sshkey MyKey --type krb5-principal --content user
btw - KeyPath is optional (default is $HOME/.k5login
- Kerberos Auth:
This is already detailed in the included the broker config file (/var/www/openshift/broker/httpd/conf.d/).
Keep in mind that this does not have to authenticate to Kerberos
on AD, it could be any Kerberos server but obviously you must
have Kerberos in place.
*** To Test ***
Configure openshift-origin-auth-remote-user.conf on broker as
per attached thread.
Brice - I hope this is more helpful. If you need more clarity let me know.
Perhaps we can just set up a time for a phone chat early morning/late evening
to accomodate our time zones.
-m
Closing this BZ. The focus of the documentation team is going to shift from OpenShift v2 to v3, and only the remaining v2 doc BZs that feature actual errors in the docs will be worked on. If there are any oppositions for any specific BZs, please contact me or the docs team. Specifically, the majority of the work for this BZ has been updated, and released sometime in the past. Links can be found in Comment 3 above. |