Open LDAP and SSH Public key in CentOS6.2

Author: Kevin Zhang
Thanks to the guide for CentOS 6.2: http://blog.johnalvero.com/2012/03/ldap-server-installation-for-openssh.html (centralize the administration of Linux accounts / centralize the administration of sudo access)
Thanks to everyone in the open source community.


#Edit CentOS network settings
vi /etc/resolv.conf                            # DNS
vi /etc/sysconfig/network-scripts/ifcfg-eth0   # NIC IP
vi /etc/networks                               # routes
#Restart the network service
/etc/init.d/network restart
#Stop security services for the setup (SELinux to permissive, firewall off); turn them back on once LDAP and TLS are working
setenforce permissive
getenforce
service iptables stop


#Update software repository.
yum -y update


#Install LDAP packages
yum install openldap-servers openldap-clients -y


#Generate the ldap admin password
slappasswd -s mysecret
{SSHA}cFJqdWOeG4b1p3bJFGSds5QKGw8faPd7       # copy this hash; it is used as olcRootPW in the following steps
Note: mysecret is now your Manager password. You will use this password to execute administrative commands. The string displayed after the command is the corresponding hash; use the hash in the succeeding steps.


#TLS settings
sed -i 's/dc=my-domain,dc=com/dc=netbrain,dc=com/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
# Also, add the password and TLS settings to the file (edit slapd.d files only while slapd is not running)
cat >> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif <<'EOF'
olcRootPW: {SSHA}cFJqdWOeG4b1p3bJFGSds5QKGw8faPd7
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
EOF


#Also add a password for the "cn=admin,cn=config" user
cat >> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif <<'EOF'
olcRootPW: {SSHA}cFJqdWOeG4b1p3bJFGSds5QKGw8faPd7
EOF


#Monitor configuration
sed -i 's/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=netbrain,dc=com/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif


#DB config
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/


#Generate SSL keys (self-signed, valid 365 days; the ldap group needs read access to the key file and nobody else should have it)
openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365
chown -Rf root.ldap /etc/pki/tls/certs/slapdcert.pem
chown -Rf root.ldap /etc/pki/tls/certs/slapdkey.pem


#Schemas: add the openssh-lpk schema (the {21} index is taken from the original guide; use a number that does not collide with an existing cn={N} file in this directory)
cat > '/etc/openldap/slapd.d/cn=config/cn=schema/cn={21}openssh-lpk.ldif' <<'EOF'
dn: cn={21}openssh-lpk
objectClass: olcSchemaConfig
cn: {21}openssh-lpk
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MAY ( sshPublicKey $ uid ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 135574f4-bda0-102f-9362-0b01757f31d8
creatorsName: cn=config
createTimestamp: 20110126135819Z
entryCSN: 20110126135819.712350Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110126135819Z
EOF


#Create the base entry: create base.ldif (for example with vi base.ldif) with the following content:
dn: dc=netbrain,dc=com
dc: netbrain
objectClass: top
objectClass: domain


#We can now start the services and add the entries:
chkconfig slapd on
service slapd start
ldapadd -x -W -D "cn=Manager,dc=netbrain,dc=com" -f base.ldif
ldapadd -x -W -D "cn=Manager,dc=netbrain,dc=com" -f newsudoers.ldif   # newsudoers.ldif: your ou=sudoers entries


#Try searching to verify
ldapsearch -x -b "dc=netbrain,dc=com"
ldapsearch -H "ldap://127.0.0.1" -x -b "dc=netbrain,dc=com"


#Configuring ssh-lpk clients
yum install openssh-ldap nss-pam-ldapd


#Set up the LDAP config. This modifies various LDAP files, including the PAM ones
authconfig --disablenis --enablemkhomedir --enableshadow --enablelocauthorize --enableldap --ldapserver=ldap://127.0.0.1 --enablemd5 --ldapbasedn=dc=netbrain,dc=com --updateall
# Or use the curses-based application. Enable the options from the command above, but --enablemkhomedir is not available in authconfig-tui
authconfig-tui


#Allow SSH public-key login
# "ssl no" is only acceptable because the LDAP server is on 127.0.0.1; the authorized keys are fetched over this connection, so for a remote server use the TLS set up above
cat > /etc/ssh/ldap.conf <<'EOF'
uri ldap://127.0.0.1/
base dc=netbrain,dc=com
ssl no
EOF
cat >> /etc/ssh/sshd_config <<'EOF'
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandRunAs nobody
EOF


#Tell the system to look up sudoers info from LDAP first, then from files
echo 'sudoers: ldap files' >> /etc/nsswitch.conf
cat >> /etc/nslcd.conf <<'EOF'
# sudoers entries live under ou=sudoers,dc=netbrain,dc=com
sudoers_base ou=sudoers,dc=netbrain,dc=com
EOF


#Restart sshd
service sshd restart


#Install phpldapadmin (a web-based LDAP management tool): add the EPEL repo and install it with yum
# If wget of this epel-release version fails, look up a newer epel-release-6 RPM
rpm -ivh epel-release-6-5.noarch.rpm
# then: yum -y install phpldapadmin
#Start Apache
service httpd restart


Install http://www.ldap-account-manager.org/ (LAM, LDAP Account Manager, an excellent web-based LDAP management tool and an alternative to phpldapadmin): download the RPM for CentOS/Fedora and install it. LAM instructions follow.
  • The address for ldap-account-manager is http://yourip/lam/ ; you can manage your LDAP accounts there now.
  • Edit the server profile for the LAM and LDAP connection
  • Enter the LAM default password: lam, and click 'Ok'
  • Modify the server address, tree suffix, and list of valid users
  • Modify the LDAP suffix of Users and Groups
  • Remove the Hosts and Samba domain options with the red 'x'
  • Remove the 'Samba 3' items from Users and Groups
  • Add 'SSH Public Key' to Users from the available modules to extend LAM to manage SSH public keys
  • After you click 'Save' you return to the login page; log in with the LDAP root password: mysecret
  • Create groups first
  • Create users
  • Set the public key in the user
Notice: PuTTYGen generates the key in this format:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20121022"
AAAAB3NzaC1yc2EAAAABJQAAAIEAhGF6GIuMY8FJ1+CNApnSY1N2YSlkYz72Yvwu
a6N1nFpBklz1+dsIMg4rcTLcF34M/tW5Yz+NUDAw2AEbxQ32FPgw7sAOIXktkYOH
tr7mmimiTjkoSCrJh1kqalPSpi8rglT/Bp67Ql2SZwvUFfMzHISryR0EZC4rXP/u
vObrJe8=
---- END SSH2 PUBLIC KEY ----


But change the text to the one-line OpenSSH format:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAhGF6GIuMY8FJ1+CNApnSY1N2YSlkYz72Yvwua6N1nFpBklz1+dsIMg4rcTLcF34M/tW5Yz+NUDAw2AEbxQ32FPgw7sAOIXktkYOHtr7mmimiTjkoSCrJh1kqalPSpi8rglT/Bp67Ql2SZwvUFfMzHISryR0EZC4rXP/uvObrJe8=
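As an added example (not from the original post or from the guide it cites), this Python script does the PuTTYgen-to-OpenSSH conversion described above and checks the key before it is pasted into LAM or an IOS key-string: it parses the RFC 4716 block, decodes the ssh-rsa wire format to confirm the blob really is an RSA key of the expected size, then re-encodes it as the one-line authorized_keys form. The embedded key is the one quoted above; the Comment header is parsed but left off the output line, matching the converted line shown.

```python
import base64
import struct

# Constructed sample: the PuTTYgen public key quoted in this post.
PUTTYGEN_KEY = """\
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20121022"
AAAAB3NzaC1yc2EAAAABJQAAAIEAhGF6GIuMY8FJ1+CNApnSY1N2YSlkYz72Yvwu
a6N1nFpBklz1+dsIMg4rcTLcF34M/tW5Yz+NUDAw2AEbxQ32FPgw7sAOIXktkYOH
tr7mmimiTjkoSCrJh1kqalPSpi8rglT/Bp67Ql2SZwvUFfMzHISryR0EZC4rXP/u
vObrJe8=
---- END SSH2 PUBLIC KEY ----
"""

def parse_rfc4716(text):
    """Return (headers, key blob) from an RFC 4716 'SSH2 PUBLIC KEY' file."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----" or lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    headers, body = {}, []
    for line in lines[1:-1]:
        if ":" in line and not body:   # header line; base64 text never contains ':'
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip().strip('"')
        else:
            body.append(line)
    return headers, base64.b64decode("".join(body), validate=True)

def _ssh_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])   # uint32 length prefix
    return blob[off + 4:off + 4 + n], off + 4 + n

def rsa_fields(blob):
    """Decode the ssh-rsa wire format: string 'ssh-rsa', mpint e, mpint n."""
    ktype, off = _ssh_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("unsupported key type %r" % ktype)
    e, off = _ssh_string(blob, off)
    n, off = _ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the key")
    return int.from_bytes(e, "big"), int.from_bytes(n, "big")

def to_openssh(text):
    """Return (authorized_keys line, modulus bits) for a key that decoded cleanly."""
    headers, blob = parse_rfc4716(text)
    e, n = rsa_fields(blob)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii"), n.bit_length()
```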


———————————————————————————————————————————
#Debug LDAP in CentOS:
more /var/log/secure
find . -name slapd              # locate the slapd binary
path/slapd -V -d debuglevel     # replace "path" with the directory found above; runs slapd in the foreground at the chosen debug level


Ubuntu check authentication log:
more /var/log/auth.log


#Actions after you boot up:
setenforce permissive
getenforce
service iptables stop
/etc/init.d/slapd start
authconfig --disablenis --enablemkhomedir --enableshadow --enablelocauthorize --enableldap --ldapserver=ldap://127.0.0.1 --enablemd5 --ldapbasedn=dc=netbrain,dc=com --updateall
service httpd start


——————————————————————————————————————
Thanks to the guide for Ubuntu:
I failed to run LDAP with openssh-lpk on it because I couldn't download the OpenSSH source code to enable the AuthorizedKeysCommand option in sshd.conf.
First of all, when you start the LDAP installation under Ubuntu, configure /etc/hosts and change the 127.0.0.1 entry to FQDN format:
127.0.0.1 ldap.netbrain.com ldap
OpenLDAP takes the dc components from this entry automatically.


If you get this error message:
$ sudo slapindex

   WARNING!
   Runnig as root!
   There's a fair chance slapd will fail to start.
   Check file permissions!
Try: sudo -u openldap slapindex


Cisco IOS device configure SSH public-key authentication

Author: Kevin Zhang
Concepts:
SSH public key types:
- RSA keys: used with the SSH1 and SSH2 protocols
- DSA keys: used with the SSH2 protocol
*Note: DSA is weaker than RSA in security
Key formats:
Public key: SSH.com uses the public key format specified by RFC 4716, while OpenSSH uses a different format
Private key: SSH v1 private keys have a single standard format, but SSH v2 has many; the OpenSSH, ssh.com, PuTTY and WinSCP formats differ and are not compatible with each other
I. Key generation
1. Generating a key with SecureCRT


There are two key types: DSA and RSA. SecureCRT warns that many servers do not support RSA; Cisco IOS only supports RSA.
The passphrase is the password that encrypts the private key, and the comment is the prompt shown when the password is requested; both may be left empty.


For better compatibility and applicability, choose the OpenSSH key format, then choose where to save the private key:
After clicking 'Finish' a dialog pops up:
If you choose 'Yes', the public key used by 'Quick Connect' is pointed at the saved file:
2. Generating a key with PuTTYgen (guide from WinSCP)


Key passphrase: the password that encrypts the key
Key comment: the prompt shown when the password is requested
*Note: by default the key is saved in PuTTY's native format (*.PPK); use the Conversions menu to save the private key in ssh.com or OpenSSH format
II. Configuring the Cisco device
1. Enable SSH
ip domain-name publickey.com //configure the domain name
crypto key generate rsa //generate the SSH key pair
line vty 0 4 //set the vty login mode
   transport input ssh //difference from 3Com: 3Com can define telnet or ssh users, while Cisco restricts the transport per session (vty)
2. Public-key SSH on IOS 15 (similar on 12.4T)
ip domain-name publickey.com
ip ssh version 2

crypto key generate rsa label ssh modulus 1024
ip ssh rsa keypair-name ssh
line vty 0 4
  transport input ssh
  exit

ip ssh pubkey-chain
  username kzhang //the username that logs in with the key
    key-string //after Enter, input works like the banner command: the key entry ends only when you type exit
    xxxxxx //paste the RSA public key generated by SecureCRT or PuTTY; wrong content is rejected with '%SSH: Failed to decode the Key Value'. SecureCRT: paste the whole text as-is; PuTTY: copy only part of the text:
    exit //exit leaves the public key entry
III. Verification
1. 'show ip ssh' on IOS 15


R2#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCkhc93+j/D2RdJFhRn9NWkfoW+LE8WvERSX9wnygVp
bVMxjlov+PP6Fe4OlppueLtRtdrAVIwROeyE4hxf/bCMf8efUylIqMGx4aI64m+V/l2rbFKEECdDXUHU
LI/cNkdwu12h1C0fw4asGuhq4RQkjH53AgVgdQvk3yi37Rf4fQ==

2.  SecureCRT

Using the SSH 'Quick Connect' as an example:
  • First set the username
  • Step 1: set the 'Public Key' method to high priority
  • Step 2: click 'Properties' to configure the public key used for login
  • Step 3: click 'Use session public key setting'
  • Step 4: click ... to specify the private key file; SecureCRT supports the OpenSSH format but not the ssh.com format
Once configured, click Connect
3. PuTTY
Specify the device IP on the Session page:
Specify the private key under Connection -> SSH -> Auth
*Note: PuTTY only supports the .ppk format, not the OpenSSH or ssh.com formats

Problem: after completing the configuration on IOS 15.0, logging in with PuTTY failed with the error "Server refused our key". Running "debug ip ssh detail" on the device showed the error:

invalid old access type configured - 0x01

Tried configuring:

configure terminal
line vty 0 4
login local
exit

after which the problem was solved.