profile::aaa
This module manages configuration related to authentication, authorization, and auditing. In particular, it
- performs the Active Directory join (optional)
- configures login restrictions (e.g. pam_access(8))
- adds sudo rules for administrators
Parameters
| Name | Type | Default |
|---|---|---|
| admins | list | hiera_array('aaa::admins') |
| allow_sudoers_d | bool | hiera('aaa::allow_sudoers_d') |
| bastions | list | hiera('aaa::bastions') |
| cache_creds | bool | hiera('aaa::cache_creds') |
| create_homes | bool | hiera('aaa::create_homes') |
| enable_ad | bool | hiera('aaa::enable_ad') |
| enable_eaccounts | bool | hiera('aaa::enable_eaccounts') |
| enable_slurm | bool | false |
| enable_ssh_allow | bool | hiera('aaa::enable_ssh_allow') |
| enable_tier3_ldap | bool | hiera('aaa::enable_tier3_ldap', false) |
| ldap_enabled | bool | hiera('aaa::ldap_enabled') |
| offline_creds_expiration | string | hiera('aaa::offline_creds_expiration') |
| override_homedir | string | hiera('aaa::override_homedir', undef) |
| ssh_authorized_keys | hash | hiera_hash('aaa::sshkeys', {}) |
| sssd_debuglevel | int | hiera('aaa::sssd_debuglevel') |
| sudo_rules (Hiera only) | list | hiera_array('aaa::sudo_rules', []) |
| support_afs | bool | hiera('base::enable_afs') |
| use_bastions | bool | hiera('aaa::use_bastions', $profile::networking::use_bastions) |
| users | list | hiera_array('aaa::users', []) |
admins
A list of user and/or group names. The users as well as the members of the groups can log in on the system and have full root privileges via sudo.
Group names must be prefixed with %.
Example:
```yaml
aaa::admins:
  - 'markushin'
  - 'gsell'
  - 'barabas'
  - '%unx-linux_support'
```
Also see users.
allow_sudoers_d
This boolean controls whether the files in /etc/sudoers.d are taken into account by sudo.
bastions
A list of FQDNs. If use_bastions is true, then root logins are only allowed from the hosts on this list. Note: If the list is empty, login is unrestricted again!
Example:
```yaml
aaa::bastions:
  - 'gpfs-node1.psi.ch'
  - 'gpfs-node2.psi.ch'
  - 'gpfs-node3.psi.ch'
  - 'wmgt01.psi.ch'
  - 'wmgt02.psi.ch'
```
create_homes
This boolean controls whether home directories are created on login when necessary. This only works if the underlying filesystem allows it. In particular, it does not work on AFS.
Also see override_homedir.
cache_creds
This boolean controls whether sssd caches credentials.
Also see offline_creds_expiration.
enable_ad
Determines whether the system will be configured for Active Directory authentication.
enable_eaccounts
Setting this to true enables the Active Directory OU containing the e-accounts.
enable_slurm
When set to true, Slurm users are allowed to log in on the compute nodes where their jobs are running. Otherwise, users are not allowed to log in on the compute nodes.
To enable this behaviour, call the profile::aaa class directly with this feature enabled, and also change the call of the role::base class by setting include_aaa to false. For example:
```puppet
class {
  'role::base':
    include_aaa => false;
  'profile::aaa':
    support_afs  => hiera('base::enable_afs'),
    enable_slurm => true;
  'slurm::compute':
    cluster => $cluster;
}
```
enable_ssh_allow
Allow users to manage access to the system bypassing Puppet by adding usernames to /etc/security/ssh.allow.user. This file is never touched by Puppet. Documentation can be found in pam_listfile(8) or /etc/security/ssh.allow.README on the target system.
enable_tier3_ldap
When set to true, sssd.conf is configured to support only OpenLDAP for the Tier3. Other domains (Active Directory D.PSI.CH and LDAP SLS.PSI.CH) are not included in the configuration file.
ldap_enabled
This boolean controls whether LDAP (AD) is used for user information and authentication.
In this case the following ports have to be accessible from the host to the domain controllers:
- 389/TCP
- 389/UDP
- 88/TCP
- 88/UDP
- 464/UDP
offline_creds_expiration
This integer controls for how many days cached credentials are valid after the last successful online login. A value of 0 means that there is no limit.
Also see cache_creds.
override_homedir
This string defines the home directory path to use as expected by sssd's override_homedir option. See sssd.conf(5) for details.
Example:
```yaml
aaa::override_homedir: '/home/%u'
```
sshkeys
A hash of hashes, each of which contains the parameters as accepted by the ssh_authorized_key resource type.
Example:
```yaml
aaa::sshkeys:
  'root@ra':
    user: 'root'
    type: 'ssh-dss'
    key: 'AAAAB3Nz...'
```
Keep in mind that this only works if the user's home directory is accessible to root. In particular, it doesn't work if the home is on AFS.
sssd_debuglevel
This integer configures sssd's debug_level option (see sssd.conf(5)). It is rarely necessary to use this setting, as the debug level can be changed at runtime using sss_debuglevel(8).
sudo_rules
A list of strings taken from Hiera containing additional sudo rules. Example:
```yaml
aaa::sudo_rules:
  - 'ALL ALL=(ALL) NOPASSWD: /usr/local/bin/add_eaccount.sh'
  - 'DETGROUP ALL= NOPASSWD: /bin/systemctl'
  - 'DETGROUP ALL=(ALL) NOPASSWD: /usr/sbin/tcpdump'
```
support_afs
Configure PAM and related tools which are necessary for running AFS.
use_bastions
This parameter determines whether root logins are only possible from the hosts listed in bastions. Normally the value is taken from the network property of the same name, but this parameter allows overriding the network setting through Hiera or in Puppet manifests.
users
A list of user and/or group names. The users as well as the members of the groups can log in on the system.
Group names must be prefixed with %.
Also see admins.
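Added example (not code from this module, whose template is not shown here): how the admins, users and bastions settings above map onto pam_access(8) rules, assuming they are written to /etc/security/access.conf. It refuses the empty-bastions case flagged in the bastions section, since that would silently leave root unrestricted, and the hostnames and user names are constructed sample values.

```python
from typing import List


def _principal(name: str) -> str:
    """Map the '%group' convention used by this module to access.conf's (group) form."""
    return f"({name[1:]})" if name.startswith("%") else name


def render_access_conf(admins: List[str], users: List[str],
                       bastions: List[str], use_bastions: bool) -> str:
    """Return access.conf text. pam_access stops at the first matching line,
    so allow lines come first and a catch-all deny closes the file."""
    lines = []
    if use_bastions:
        if not bastions:
            # Caveat from the bastions section: an empty list restricts
            # nothing, so refuse to emit a config that opens root to ALL.
            raise ValueError("use_bastions is true but the bastions list is empty")
        # LOCAL keeps console logins working (an assumption, not stated above).
        lines.append(f"+ : root : {' '.join(bastions)} LOCAL")
        lines.append("- : root : ALL")
    else:
        lines.append("+ : root : ALL")
    # admins and users may both log in; deduplicate while keeping order
    allowed = list(dict.fromkeys(_principal(n) for n in admins + users))
    if allowed:
        lines.append(f"+ : {' '.join(allowed)} : ALL")
    lines.append("- : ALL : ALL")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample input mirroring the Hiera examples above
    print(render_access_conf(["gsell", "%unx-linux_support"], ["barabas"],
                             ["wmgt01.psi.ch", "wmgt02.psi.ch"], True))
```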
ssh_authorized_key
A hash containing SSH public keys as expected by the ssh_authorized_key Puppet resource.
Examples
The base role includes this profile by default. If you need to customize the profile, do it like this:
```puppet
class role::some_role () {
  class {'role::base':
    include_aaa => false,
    ...
  }
  class {'profile::aaa':
    override_homedir => '/localhomes/%u',
    create_homes     => true,
    ...
  }
  ...
}
```
Implementation Notes
User/Group Enumeration
User/group enumeration happens when using the {set,get,end}pwent and {set,get,end}grent APIs to enumerate all users or groups. These are used by getent passwd and getent group, for example, when no specific user or group is given to query.
Enumeration would potentially be very slow and put a high load on the AD domain controllers if it were to return all users/groups from AD. To prevent this, we disable enumeration for AD accounts using the enumerate setting in sssd.conf(5). This means that enumeration using the APIs/programs above only returns local users and groups.
The min_id issue
There are Unix groups in AD at PSI with very low GIDs, the lowest being 101 (unx-fkt). This leads to problems, because sssd(8) ignores users and groups with GIDs lower than min_id (from sssd.conf(5)), which has a value of 500 by default.
Therefore we set min_id to 100. One consequence is that there is overlap between the IDs considered by sssd when querying AD, and the ID range for system users and groups ([SYS_]ID_{MIN,MAX}) as defined in login.defs(5).
When creating system groups, groupadd scans all GIDs from SYS_GID_MAX to SYS_GID_MIN. This causes a number of requests to AD, which is usually not a problem but can be, if those take a long time to complete. This used to happen without the ad_enabled_domains setting, for example: sssd would query d.ethz.ch in addition to d.psi.ch, which would time out after a few seconds.
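Added example (not part of this module): a small checker for the sssd.conf expectations described in the cache_creds/offline_creds_expiration parameters and in the two implementation notes above (enumeration off for AD, min_id at or below the lowest AD GID, ad_enabled_domains set so sssd does not query other forest domains). The two embedded configurations are constructed samples, not files from a real host.

```python
import configparser
from typing import List

LOWEST_AD_GID = 101        # unx-fkt, the lowest GID mentioned above
SSSD_DEFAULT_MIN_ID = 500  # sssd's default when min_id is absent


def check_sssd_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means every expectation holds."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.getboolean("enumerate", fallback=False):
            findings.append(f"{section}: enumerate is on; getent passwd/group would pull every AD object")
        min_id = dom.getint("min_id", fallback=SSSD_DEFAULT_MIN_ID)
        if min_id > LOWEST_AD_GID:
            findings.append(f"{section}: min_id={min_id} hides AD groups with GIDs as low as {LOWEST_AD_GID}")
        if dom.get("id_provider", "").strip() == "ad" and not dom.get("ad_enabled_domains", "").strip():
            findings.append(f"{section}: ad_enabled_domains unset; sssd may query every domain in the forest")
        if dom.getboolean("cache_credentials", fallback=False):
            # 0 means cached credentials never expire (see offline_creds_expiration)
            if dom.getint("offline_credentials_expiration", fallback=0) == 0:
                findings.append(f"{section}: cached credentials never expire (offline_credentials_expiration=0)")
    return findings


# constructed sample: matches what the notes above describe
GOOD_CONF = """[sssd]
domains = d.psi.ch
services = nss, pam

[domain/d.psi.ch]
id_provider = ad
enumerate = false
min_id = 100
ad_enabled_domains = d.psi.ch
cache_credentials = true
offline_credentials_expiration = 7
"""

# constructed sample: sssd defaults plus enumeration and unlimited caching
BAD_CONF = """[sssd]
domains = d.psi.ch

[domain/d.psi.ch]
id_provider = ad
enumerate = true
cache_credentials = true
offline_credentials_expiration = 0
"""
```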
PAM details
There have been discussions about moving pam_access from the account section to the auth section to prevent information leakage about accounts that cannot log in at all: an attacker would get a different error message depending on whether the password was wrong or whether pam_access denied access.
The problem is that when using Kerberos authentication, sshd does not use PAM for authentication, which bypasses pam_access entirely. Hence, just moving the latter from account to auth does not work.
Kerberos ticket/AFS token renewal
Kerberos tickets and AFS tokens are automatically renewed for as long as possible. This is done by running a krenew for every session in the background.