Cliente FreeIPA no acesso sshd do contêiner LXC negado

1

No Proxmox 4.4, instalei o Centos 7 VM com o servidor FreeIPA:

ipa-server-install --idstart 10000 --setup-dns

Eu posso usar usuários IPA e fazer login em outras VMs no Proxmox, mas quando eu tento mesmo para o contêiner Centos 7 LXC, recebo erros:

May  6 13:15:50 aaaaaa sshd[424]: Authorized to user, krb5 principal [email protected] (ssh_gssapi_krb5_cmdok)
May  6 13:15:50 aaaaaa sshd[424]: pam_sss(sshd:account): Access denied for user user: 4 (System error)
May  6 13:15:50 aaaaaa sshd[424]: fatal: Access denied for user user by PAM account configuration [preauth]

Mas:

[root@aaaaaa ~]# su - user
Creating home directory for user.
[user@aaaaaa ~]$

E agora existe esse usuário em /etc/passwd neste servidor, por isso é do IPA.

[user@aaaaaa ~]$ id
uid=10001(user) gid=10000(admins) groups=10000(admins)
[user@aaaaaa ~]$ getent passwd user
user:*:10001:10000:Name Surename:/home/user:/bin/bash

Além disso, não consigo fazer login como usuário root nesse contêiner depois que o inscrevi no servidor FreeIPA.

[root@aaaaaa ~]# kinit admin
Password for [email protected]:
[root@aaaaaa ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_rirBgUU
Default principal: [email protected]

Valid starting       Expires              Service principal
05/06/2017 14:56:21  05/07/2017 14:56:19  krbtgt/[email protected]

Então, o kerberos funcionou, mas o único problema que tenho é o ssh. Eu mudo em Proxmox /etc/subgid e /etc/subuid (como proposto aqui ) para obter mais IDs, mas foi um movimento desesperado. O intervalo de IDs do meu IPA não é alto, começando em 10000 e posso fazer su - user , então não é o caso.

Acho que verifiquei tudo, incluindo remove sssd db, mas isso não muda nada.

Aqui está meu sssd.conf :

[domain/homelab.local]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = homelab.local
id_provider = ipa
auth_provider = ipa
access_provider = permit
ipa_hostname = aaaaaa.homelab.local
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipa.homelab.local
dyndns_iface = eth0
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh

domains = homelab.local
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

E meu system-auth :

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

E meu arquivo sshd_config :

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
UsePrivilegeSeparation sandbox          # Default for new installations.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem       sftp    /usr/libexec/openssh/sftp-server

e abaixo é a saída de ssh onde eu posso conectar ao contêiner LXC:

 ssh -vvv user@aaaaaa
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 60: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 aaaaaa
debug1: permanently_drop_suid: 10001
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 6 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/home/user/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:4
debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:6
debug3: load_hostkeys: found key type ED25519 in file /var/lib/sss/pubconf/known_hosts:8
debug3: load_hostkeys: loaded 4 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss,
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup [email protected]
debug1: kex: server->client aes128-ctr [email protected] none
debug2: mac_setup: setup [email protected]
debug1: kex: client->server aes128-ctr [email protected] none
debug1: kex: [email protected] need=16 dh_need=16
debug1: kex: [email protected] need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 4f:71:72:5c:46:e5:58:3b:cf:17:75:c9:52:35:38:e9
debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/home/user/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:4
debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:6
debug3: load_hostkeys: found key type ED25519 in file /var/lib/sss/pubconf/known_hosts:8
debug3: load_hostkeys: loaded 4 keys
debug1: Host 'aaaaaa' is known and matches the ECDSA host key.
debug1: Found key in /var/lib/sss/pubconf/known_hosts:2
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/user/.ssh/id_rsa ((nil)),
debug2: key: /home/user/.ssh/id_dsa ((nil)),
debug2: key: /home/user/.ssh/id_ecdsa ((nil)),
debug2: key: /home/user/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
Connection closed by UNKNOWN

Claro que no servidor user não é o login real que eu uso.

Mais algum conselho que posso verificar? Eu luto com isso há alguns dias e não consigo encontrar nenhuma pista sobre como resolver isso. Espero que alguém aqui possa me ajudar.

ATUALIZAÇÃO:

Eu cometi um erro ao escrever que não consigo fazer login como usuário root. Eu posso. Mas ainda não consegue logar via ssh como outro usuário do IPA. Além disso, quando eu su - user não posso fazer sudo deste usuário, mas em outras VMs esse usuário do IPA pode executar qualquer comando via sudo .

UPDATE2: Eu acho que no container quando executo kinit user e, em seguida, klist tenho:

Ticket cache: KEYRING:persistent:0:0

Mas o mesmo na VM se parece com:

Ticket cache: KEYRING:persistent:10001:krb_ccache_K1JScvu
    
por heniekk 06.05.2017 / 17:15

2 respostas

0

Acho que resolvi parcialmente esse problema. Após o comentário @abbra, comecei a verificar todos os logs da pasta /var/log/sssd/ e quando verifiquei o selinux_child.log que encontrei:

(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [unpack_buffer] (0x2000): username: user
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [main] (0x0400): performing selinux operations
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [sss_semanage_init] (0x0020): SELinux policy not managed
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [get_seuser] (0x0020): Cannot create SELinux handle
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [seuser_needs_update] (0x2000): get_seuser: ret: 5 seuser: unknown mls: unknown
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [sss_semanage_init] (0x0020): SELinux policy not managed
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [set_seuser] (0x0020): Cannot init SELinux management
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [main] (0x0020): Cannot set SELinux login context.
(Mon May  8 21:20:29 2017) [[sssd[selinux_child[694]]]] [main] (0x0020): selinux_child failed!

Primeiro eu desativei o Selinux, mas isso não resolve meu problema. Depois disso, na seção /etc/sssd/sssd.conf in domain , coloquei: selinux_provider=none . Depois de reiniciar o contêiner, posso fazer o login como usuário do IPA via ssh e também posso usar o sudo. Eu não mencionei como usar o SeLinux e login via ssh para contêiner, mas por enquanto eu acho que está tudo ok para mim.

ATUALIZAÇÃO:

Também desativei os keyrings em krb5.conf .

    
por 08.05.2017 / 21:37
0

su - user normalmente evita a autenticação real porque /etc/pam.d/su contém auth sufficient pam_rootok.so como uma primeira linha que causa curto-circuito em qualquer autenticação para raiz. Então, o SSSD não se envolve de forma alguma.

Não use armazenamento de cache de chaves dentro de containers, pois o keyring não é namespaced. Remova default_ccache_name = KEYRING:persistent:%{uid} de /etc/krb5.conf no contêiner. O padrão libkrb5 será FILE:... ccache em /tmp .

Por fim, quando o SSSD relata 'erro de sistema', você deve usar o guia de solução de problemas para aumentar o nível de depuração da seção de domínio para 9 e analisar os logs no contêiner. Consulte o link para obter detalhes. O projeto SSSD migrou recentemente para pagure.io e ainda não regenerou sua documentação depois que a infraestrutura do Fedora Hosted foi desativada, portanto, um link para uma máquina de wayback.

    
por 08.05.2017 / 08:32