authentication « My pensieve

Tag: authentication

March 18, 2014

Configuring LDAP authentication for Ubuntu as client and Debian as server

by viggy — Categories: debian, FOSS, linux, tech, ubuntu — Tags: active, authentication, directory, LDAP, login, slapd — Leave a comment

Recently there was some request to see if a University can completely migrate to Ubuntu. One of their requirement was that their login for windows was getting managed by using Active Directory. I knew that LDAP is an alternative and hence I wanted to try this before I could commit anything to them.

I decided to make my home debian desktop system to be the server and my ubuntu laptop to be the client. following are the rough points that I needed to follow to get the LDAP authentication for Ubuntu working. There is already good enough documentation, but I still had to look for multiple sites and tits and bits of information from various sites helped me.

For Preparing the Server which was my debian system:

1) install slapd, migrationtools
2) run dpkg-reconfigure slapd and choose options
3) Then make changes in migrate_common.ph
4) Ou=People and ou=group is not added and hence have to be manually created and added.
5) Run migrate_passwd.pl and migrate_group.pl and add to ldap

Here mainly when I was referring Debian Wiki page, I was asked to use migrate_all_online.pl script which always used to fail for me for some or other reason. Having spent considerable time just to get past through that script, Thanks to this post, http://www.debuntu.org/how-to-set-up-a-ldap-server-and-its-clients/ , I realized that I actually didnt need to migrate all accounts to ldap and just had to use migrate_passwd.pl and migrate_group.pl.

One important thing to remember is that I had same username password for my users in my desktop and laptop, my server and client. If you dont have it, then you may have to create custom ldif files adding all data of users and then use ldapadd to add them to LDAP directory.

Use ldapsearch using:
ldapsearch -D “cn=admin,dc=viggy,dc=loc” -W -b “dc=viggy,dc=loc” “uid=root”
BaseDN is important to mention using -b switch

On the client side,

1) Install ldap-auth-client and nscd.

as per https://help.ubuntu.com/community/LDAPClientAuthentication

2) Add my_mkhomedir and my_groups in /usr/share/pam-configs and also make changes in /etc/security/group.conf

3) Finally also edit the /etc/nssswitch.conf to make it use ldap and then files/compat. If you want the system to rely only on LDAP, then remove the existing option and let only ldap be present.

It should look like this

passwd:         ldap compat
group:          ldap compat
shadow:         ldap compat

Now restart the nscd service, /etc/init.d/nscd restart

4) To check if the ldap authentication is working, just try to do sudo to a user and check in the /var/log/auth.log file if it mentions connecting to the ldap server.

ToDo:

1) I have not been able to understand how to add logging capability to slapd in the new cn=config configuration

2) Need to verify how to get all data from Active Directory and migrate to ldap.

July 7, 2009

OpenSSH Public Key authentication

by viggy — Categories: Uncategorized — Tags: authentication, ssh, ssh-key — Leave a comment

Please refer to man pages of SSH command for latest updates.

This is method is used usually when you are a server administrator and usually work by logging through SSH in to the server. You will not like to enter the password everytime you want to log in. For this you can follow this method.

Host-based authentication works as follows: If the machine the user logs
in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
machine, and the user names are the same on both sides, or if the files
~/.rhosts or ~/.shosts exist in the user’s home directory on the remote
machine and contain a line containing the name of the client machine and
the name of the user on that machine, the user is considered for login.
Additionally, the server must be able to verify the client’s host key
(see the description of /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts,
below) for login to be permitted. This authentication method closes se-
curity holes due to IP spoofing, DNS spoofing, and routing spoofing.
[Note to the administrator: /etc/hosts.equiv, ~/.rhosts, and the
rlogin/rsh protocol in general, are inherently insecure and should be
disabled if security is desired.]

Public key authentication works as follows: The scheme is based on pub-
lic-key cryptography, using cryptosystems where encryption and decryption
are done using separate keys, and it is unfeasible to derive the decryp-
tion key from the encryption key. The idea is that each user creates a
public/private key pair for authentication purposes. The server knows
the public key, and only the user knows the private key. ssh implements
public key authentication protocol automatically, using either the RSA or
DSA algorithms. Protocol 1 is restricted to using only RSA keys, but
protocol 2 may use either. The HISTORY section of ssl(8) contains a
brief discussion of the two algorithms.

The file ~/.ssh/authorized_keys lists the public keys that are permitted
for logging in. When the user logs in, the ssh program tells the server
which key pair it would like to use for authentication. The client
proves that it has access to the private key and the server checks that
the corresponding public key is authorized to accept the account.

The user creates his/her key pair by running ssh-keygen(1). This stores
the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
2 DSA), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), or
~/.ssh/id_rsa.pub (protocol 2 RSA) in the user’s home directory. The us-
er should then copy the public key to ~/.ssh/authorized_keys in his/her
home directory on the remote machine. The authorized_keys file corre-
sponds to the conventional ~/.rhosts file, and has one key per line,
though the lines can be very long. After this, the user can log in with-
out giving the password.

The most convenient way to use public key authentication may be with an
authentication agent. See ssh-agent(1) for more information.

Challenge-response authentication works as follows: The server sends an
arbitrary “challenge” text, and prompts for a response. Protocol 2 al-
lows multiple challenges and responses; protocol 1 is restricted to just
one challenge/response. Examples of challenge-response authentication
include BSD Authentication (see login.conf(5)) and PAM (some non-OpenBSD
systems).

Finally, if other authentication methods fail, ssh prompts the user for a
password. The password is sent to the remote host for checking; however,
since all communications are encrypted, the password cannot be seen by
someone listening on the network.

ssh automatically maintains and checks a database containing identifica-
tion for all hosts it has ever been used with. Host keys are stored in
~/.ssh/known_hosts in the user’s home directory. Additionally, the file
/etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any
new hosts are automatically added to the user’s file. If a host’s iden-
tification ever changes, ssh warns about this and disables password au-
thentication to prevent server spoofing or man-in-the-middle attacks,
which could otherwise be used to circumvent the encryption. The
StrictHostKeyChecking option can be used to control logins to machines
whose host key is not known or has changed.

When the user’s identity has been accepted by the server, the server ei-
ther executes the given command, or logs into the machine and gives the
user a normal shell on the remote machine. All communication with the
remote command or shell will be automatically encrypted.

M	T	W	T	F	S	S
« Apr
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30