Sometimes you need unattended authentication. Sometimes you are just lazy. Whatever the reason, if a user (human or otherwise) wants to fetch a Ticket Granting Ticket (TGT) from a Kerberos Key Distribution Center (KDC) automatically, the Generic Security Services API (GSSAPI) library shipped with most recent distributions supports it.
Category Archives: Sysadmin
OpenStack keeps resetting my hostname
No matter what I changed, something kept setting the hostname on my vm to federate.cloudlab.freeipa.org.novalocal. Even forcing the /etc/hostname file to be uneditable did not prevent this change. Hunting this down took far too long, and here is the result of my journey.
Ansible Hostgroups from FreeIPA
Ansible provides management for a large array of servers using ssh as the access mechanism. This is a good match for FreeIPA. However, by default Ansible uses a flat file to store groups of hosts. How can we get that info from FreeIPA?
Phishing
Kerberos was slow when talking to my demo machine. As part of debugging it, I was making DNS changes, so I pointed my machine directly to the DNS server. It was at my hosting provider, and authoritative for my domain.
As I tend to do, I idly checked Facebook. It's a bad habit, like biting nails. Sometimes I'm not even aware that I am doing it. This time, however, a browser warning brought me up short:
The certificate reported that it was valid for a domain that ended in the same domain name as the nameserver I was pointing at.
Someone just like me had the ability to push up whatever they wanted to the DNS server. This is usually fine: only the authoritative DNS server for a site is allowed to replicate changes. It did mean, however, that anyone that was looking at this particular DNS server would be directed to something they were hosting themselves. I'm guessing it was a phishing attempt, as I did not actually go to their site to check.
Most of us run laptops set up to take their DNS settings from the DHCP server we connect to. Which means that if we are at a coffee shop, the local library, or the gym, we are running against an unknown DNS server. The less trusted the location, the less reason to trust the DHCP server.
This is a nasty problem to work around. There are things you can do to mitigate it, such as whitelisting DNS servers. The onus, however, should not be on the end users. DNSSEC attempts to address the issues. Until we have that, however, use HTTPS wherever possible. And check the certificates.
Keeping DHCP from changing the Nameserver
I'm running FreeIPA in an OpenStack lab. I don't control the DHCP server. When a host renews its lease, the dhclient code overwrites the nameserver values in /etc/resolv.conf. To avoid this, I modified /etc/dhcp/dhclient.conf:

interface "eth0" {
    prepend domain-name-servers 192.168.187.12;
}
This makes sure my custom nameserver stays at the top of the list. It's a small hack that is perfect for developer work.
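Since a lease renewal rewrites /etc/resolv.conf behind your back, it is worth having a check that the prepended server really did end up first. The script below is an added example, not part of the original post: it parses a resolv.conf-style file and confirms the expected nameserver is the first entry. The two sample files are constructed here; 192.168.187.12 is the address from the dhclient.conf stanza above, and the second address is a made-up DHCP-supplied resolver.

```shell
#!/bin/sh
# Added example: verify the nameserver ordering that the dhclient.conf
# "prepend" line is supposed to produce after a DHCP lease renewal.

# Print the first "nameserver" entry in a resolv.conf-style file (empty if none).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Print every nameserver entry, in file order, space separated on one line.
all_nameservers() {
    awk '$1 == "nameserver" { printf "%s%s", sep, $2; sep = " " } END { print "" }' "$1"
}

# Exit status 0 if $1 is the first resolver in file $2, 1 otherwise.
check_resolver_order() {
    expected="$1"
    file="$2"
    first=$(first_nameserver "$file")
    [ "$first" = "$expected" ]
}

# Constructed sample: resolv.conf after a renewal with the prepend line in place.
GOOD_SAMPLE=$(mktemp)
cat > "$GOOD_SAMPLE" <<'EOF'
; generated by /sbin/dhclient-script
search novalocal
nameserver 192.168.187.12
nameserver 10.0.0.2
EOF

# Constructed sample: what the DHCP server alone would have left behind.
BAD_SAMPLE=$(mktemp)
cat > "$BAD_SAMPLE" <<'EOF'
search novalocal
nameserver 10.0.0.2
EOF
trap 'rm -f "$GOOD_SAMPLE" "$BAD_SAMPLE"' EXIT

# Usage against the real file would be:
#   check_resolver_order 192.168.187.12 /etc/resolv.conf || echo "resolver order clobbered"
if check_resolver_order 192.168.187.12 "$GOOD_SAMPLE"; then
    echo "ok: resolvers in order: $(all_nameservers "$GOOD_SAMPLE")"
fi
if ! check_resolver_order 192.168.187.12 "$BAD_SAMPLE"; then
    echo "resolver order clobbered: $(all_nameservers "$BAD_SAMPLE")"
fi
```

Run it from cron or a dhclient exit hook against /etc/resolv.conf instead of the sample files; a non-zero status from check_resolver_order tells you the renewal dropped your entry.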
Keystone and Kerberos
“How can I integrate Kerberos in to a Keystone server and still maintain the UserId-Password based login.”
This is a fairly simple task, and works due to the fact that the AUTH_URL used to get a token does not need to match the other URLs returned by the service catalog for identity.
mod_lookup_identity
"Don't repeat yourself." This rule is such a core principle in programming that it has been reduced to the acronym DRY. Yet, somehow, every web application framework out there ends up with a custom authorization framework: LDAP, SQL, and usually a flat file authorization list.
Apache HTTPD can and should perform cryptography-based authentication for your users. Even better, it should be able to return to you the user attributes necessary to perform accurate authorization. REMOTE_USER has been the standard ever since CGI first appeared for the web. Now we can extend that approach to a generic set of user attributes for authorization: mod_lookup_identity.
I'm starting on a proof-of-concept setup where, instead of using the LDAP backend for Keystone, I use mod_lookup_identity to fetch the data at the HTTPD layer. Here are the steps I went through to configure the system.
Authentication versus Authorization
Authentication is only the start of the authorization process. A centralized user registry, enforced by strong cryptography, must be enhanced by data local to the application in order to properly allow or deny access to specific operations on resources. Here is a real-world example that should make things clearer: getting into a location in the USA that serves alcoholic beverages over the counter.

Line to get into the Club
Teaching Horizon to Share
Horizon is the OpenStack Dashboard. It is a Django (Python) web app. During a default installation, Horizon has resources at one level under the main hostname in the URL scheme. For example, authentication is under http://hostname/auth.
Devstack performs single system deployments. Packstack has an “all-in-one” option that does the same thing. If these deployment tools are going to deploy other services via HTTPD, Horizon needs to be taught how to share the URL space. Fortunately, this is not hard to do.
Linking Launchpad and Bugzilla
While the Bugzilla command line tool does a lot of useful things, one feature it is missing is the ability to link a bug to an upstream bug in a remote tracker. Working with the Web UI can be slow. Martin Kosek, of FreeIPA fame, wrote a simple Python program to link them together for me using direct XML-RPC API calls. Thanks Martin:
#!/usr/bin/python
#
# Authors:
#   Martin Kosek: mkosek@redhat.com
#
# Copyright (C) 2013 Red Hat
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see http://www.gnu.org/licenses/.

import bugzilla
import sys
import xmlrpclib

URL = 'https://bugzilla.redhat.com/xmlrpc.cgi'
USER = 'user@redhat.com'
PASSWORD = 'bar'

# Both arguments are numeric bug ids: the Red Hat Bugzilla id and the
# Launchpad bug number it should be linked to.
try:
    bz_id = int(sys.argv[1])
    launchpad_id = int(sys.argv[2])
except Exception:
    sys.exit("Usage: bz_lp_link bz_id lp_id")

proxy = bugzilla.RHBugzilla3(url=URL, user=USER, password=PASSWORD)
proxy.connect(URL)

# Id of the Launchpad entry in Bugzilla's external tracker table.
LAUNCHPAD_TRACKER_ID = 29

# Use the underlying XML-RPC proxy directly, since python-bugzilla has no
# wrapper for the ExternalBugs API.
try:
    proxy._proxy.ExternalBugs.add_external_bug(
        {'bug_ids': [bz_id],
         'external_bugs': [{'ext_type_id': LAUNCHPAD_TRACKER_ID,
                            'ext_bz_bug_id': launchpad_id}]
        })
except xmlrpclib.Fault as e:
    sys.exit(e.faultString)