Using OTP Tokens and 2FA with FreeIPA 4.0

On 2014-07-08 FreeIPA 4.0 was released. One of the most interesting new features is the support for two-factor authentication (2FA). I was curious about how to set it up and get it running. Unfortunately the documentation does not say much about the OTP setup. What is OTP and 2FA? An overview: OTP stands for One Time Password and 2FA for two-factor authentication. OTP has been available for a long time, in the beginning usually as a list of passwords printed …

Providing SRV and TXT records for Kerberos and LDAP with dnsmasq

What if you have an application such as oVirt/RHEV-M that relies on DNS service records and you don't have the possibility to add them to the DNS servers because the DNS admins do not like to do their job? Fake them! dnsmasq is your friend 🙂 Install dnsmasq on the server in question and configure /etc/resolv.conf to query dnsmasq on localhost first.

yum -y install dnsmasq
chkconfig dnsmasq on

Assuming your subdomain is called example.com and your LDAP and Kerberos …

Centrally manage sudoers rules with IPA Part I – Preparation

One of the features of IPA is its facility to centrally manage sudoers rules. These rules can be based on users, group memberships etc. and be constrained to one or more servers. One of the benefits you get is: you are able to define stricter sudoers rules without annoying the users. In the end your systems are more secure and more convenient for the users. Let's start. Preparation: Unfortunately, sudoers via LDAP does not just work out of the box, …

Host based access control with IPA

Host based access control is easy with IPA/FreeIPA, very easy. Let's assume you want to have a host group called rhel-prod, a user group called prod-admins, and you want to let them access the servers in the rhel-prod group by ssh from any host that can reach the servers. Let's call the HBAC rule prod-admins. You can either use the web GUI or the command line interface. Let's create the user group:

[root@ipa1 ~]# ipa group-add prod-admins --desc="Production System Admins"
…

How to recover from a lost Kerberos password for admin

Ever lost your password for the admin principal on your Linux Kerberos server? It is quite easy to recover by just setting a new one. You just need to log in to your KDC and proceed as follows:

[root@ipa1 ~]# kadmin.local
Authenticating as principal admin/admin@EXAMPLE.COM with password.
kadmin.local: change_password admin@EXAMPLE.COM
Enter password for principal "admin@EXAMPLE.COM":
Re-enter password for principal "admin@EXAMPLE.COM":
Password for "admin@EXAMPLE.COM" changed.
kadmin.local: q
[root@ipa1 ~]#

Now run kinit to get a Kerberos ticket. Have fun 🙂

PAM and IPA authentication for RHN Satellite

If you have a larger installation on your site, you may wish to have a single source of credentials not only for common system services, but for your RHN Satellite too. This will show you how to configure your RHN Satellite Server to use PAM with SSSD. SSSD, the System Security Services Daemon, is a common framework to provide authentication services. Needless to say, IPA is supported as well. Assumptions: You have a RHN Satellite running on RHEL6. You …

Identity Management with IPA Part II – Kerberized NFS service

In part one I wrote about how to set up an IPA server for basic user authentication. One reason NFSv4 is not that widespread yet is that it needs Kerberos for proper operation. Of course this is now much easier thanks to IPA. Goals for this part of the guide: configure IPA to serve the NFS principal; configure NFS to use IPA; configure some IPA clients to use Kerberos for the NFS service. Requirements: A running IPA service as discussed in …

Identity Management with IPA Part I

Red Hat released RHEL 6.2 on December 6th. From my point of view, the greatest news in the release is that IPA (now called Identity Management) is fully supported and available in the RHEL 6 base channel without additional subscription costs. The upstream project is FreeIPA and is available through the default Fedora repos. About central Identity Management: IPA stands for Identification, Auditing, Policy. The focus in this article is on identification of users. In the past, there have …