[PrivacyIdea] Problem SSH Key Management with PrivacyIdea and some cosmetic bugs + questions


Der PCFreak

Mar 30, 2015, 4:02:47 AM3/30/15
to priva...@googlegroups.com
Hi all,

I am currently trying to use PrivacyIdea for SSH Keys.

I read http://privacyidea.readthedocs.org/en/v2.1/machines/index.html

but somehow I cannot get it working.

What I did:


1. created a machine-resolver (HOSTS resolver)
    Name: localresolver
    Filename: /etc/mysshhosts

    Content of /etc/mysshhosts
        10.11.12.13   privacyidea01

2. created a passwd resolver
    Resolver name:    privacyidea01_passwd
    File name:        /etc/passwd

3. created a user resolver
    Name:        privacyidea01_passwd
    pointing to  privacyidea01_passwd ( passwdresolver )

4. Enrolled a ssh token
    SSHK00005BD7    sshkey    active    adm@privacyidea01    0    adm    privacyidea01_passwd

5. Assigned token to machine
    Tokens and Applications for machine 10.11.12.13
    Serial                    Application    Options   
    SSHK00005BD7 (sshkey)     ssh            User: adm

6. created /etc/privacyidea/authorizedkeyscommand
    [Default]
    url=https://10.110.180.51
    admin=admin
    password=changeme
    nosslcheck=true

    Hint: The nosslcheck parameter is not mentioned in the documentation!

7. Changed /etc/ssh/sshd_config and added AuthorizedKeysCommand and AuthorizedKeysCommandUser

    #AuthorizedKeysFile     %h/.ssh/authorized_keys
    AuthorizedKeysCommand privacyidea-authorizedkeys
    AuthorizedKeysCommandUser liadm

8. Test with
    privacyidea-authorizedkeys adm
        ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5vIFudt5qUoQyPgrgjBbat/yCb4U+b......adm@privacyidea01
    ! Seems ok !

9. Tried login with SSH and the corresponding private key
   FAIL!


It would be nice if someone could give me detailed step-by-step advice on how to do it correctly.

I also found something like this in an old (1.x) documentation for
/etc/privacyidea/authorizedkeyscommand

    [Default]
    url = https://your.privacyidea.server
    admin = low_rights_admin
    adminrealm = admin_realm
    password = secret

and the information:

    Please be sure to restrict the access rights of this file. In a productive environment you should also
    ensure that the token administrator mentioned in this config file is not allowed to perform any additional
    tasks like deleting or creating tokens.

Is this still needed to have proper security? How do I create a low_rights_admin?

I also ran into the following problem, which could be a bug or at least a cosmetic issue:

When managing tokens, the Info field of an SSH token is very long, so to be able to see the buttons like
"DELETE", "DISABLE", "EDIT"... you have to find the scrollbar and move it all the way to the right before you can see and click the buttons.

Thanks in advance

Kind regards

Peter aka PCFreak
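Three things commonly go wrong with an AuthorizedKeysCommand setup like the one described above, and each can be checked before touching sshd: the command path, the permissions of the file holding the admin password, and the format of the lines the command prints (sshd ignores malformed lines without any error, so a login simply fails). The script below is an added example, not code from the original post or from the privacyIDEA project; the function names, the `stat -c %a` call (GNU stat) and the sample key lines are assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not from the original post or the privacyIDEA project.
# Checks for an AuthorizedKeysCommand setup such as the one above:
#   1. sshd accepts AuthorizedKeysCommand only as an absolute path
#      (the program must also be root-owned and not group/other writable);
#   2. the config file holding the admin password should not be readable
#      by group or others;
#   3. every line the command prints must be a complete authorized_keys
#      entry, because sshd silently skips malformed lines.

akc_path_ok() {                      # $1: AuthorizedKeysCommand value
    case "$1" in /*) return 0 ;; *) return 1 ;; esac
}

akc_mode_ok() {                      # $1: octal mode, e.g. 600 or 0600
    case "$1" in [0-7]00|[0-7][0-7]00) return 0 ;; *) return 1 ;; esac
}

akc_output_ok() {                    # stdin: what the command printed
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        printf '%s\n' "$line" | grep -Eq \
          '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)|ssh-dss) [A-Za-z0-9+/]+={0,2}( .*)?$' \
          || bad=1
    done
    return "$bad"
}

# check_setup: run all three checks on a real host (assumes GNU stat).
# Usage: check_setup /etc/ssh/sshd_config /etc/privacyidea/authorizedkeyscommand adm
check_setup() {
    cmd=$(awk '$1 == "AuthorizedKeysCommand" { print $2; exit }' "$1")
    akc_path_ok "$cmd" || { echo "AuthorizedKeysCommand is not an absolute path: '$cmd'"; return 1; }
    akc_mode_ok "$(stat -c %a "$2")" || { echo "$2 is readable by group or others"; return 1; }
    "$cmd" "$3" | akc_output_ok || { echo "$cmd printed malformed key lines"; return 1; }
    echo "ok"
}

# Constructed sample (shortened key): a valid line followed by a comment
# fragment that was wrapped onto its own line, as happens when output is
# copied from a terminal. The second line is what sshd would drop.
sample='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5vIFudt5q adm@
privacyidea01'
printf '%s\n' "$sample" | akc_output_ok && echo "sample: ok" || echo "sample: malformed line found"
```

On the host itself, `check_setup` needs the AuthorizedKeysCommand value in sshd_config to be the absolute path to privacyidea-authorizedkeys, otherwise the first check reports it.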


Todd F

Apr 12, 2015, 2:21:07 PM4/12/15
to priva...@googlegroups.com
I'm trying to do this as well on version 2.2 and have the same questions.

Thanks,

Todd