.. source file: gitea-pages/admin-guide/puppet/profiles/aaa.rst

``profile::aaa``
=====================

This module manages configuration related to authentication, authorization, and
auditing. In particular, it

- performs the Active Directory join (optional)
- configures login restrictions (e.g. :manpage:`pam_access(8)`)
- adds sudo rules for administrators

Parameters
----------

=============================== ======== ==============================================================
**Name**                        **Type** **Default**
------------------------------- -------- --------------------------------------------------------------
admins                          list     hiera_array('aaa::admins')
allow_sudoers_d                 bool     hiera('aaa::allow_sudoers_d')
bastions                        list     hiera('aaa::bastions')
cache_creds                     bool     hiera('aaa::cache_creds')
create_homes                    bool     hiera('aaa::create_homes')
enable_ad                       bool     hiera('aaa::enable_ad')
enable_eaccounts                bool     hiera('aaa::enable_eaccounts')
enable_slurm                    bool     false
enable_ssh_allow                bool     hiera('aaa::enable_ssh_allow')
enable_tier3_ldap               bool     hiera('aaa::enable_tier3_ldap', false)
ldap_enabled                    bool     hiera('aaa::ldap_enabled')
offline_creds_expiration        string   hiera('aaa::offline_creds_expiration')
override_homedir                string   hiera('aaa::override_homedir', undef)
ssh_authorized_keys             hash     hiera_hash('aaa::sshkeys', {})
sssd_debuglevel                 int      hiera('aaa::sssd_debuglevel')
sudo_rules (Hiera only)         list     hiera_array('aaa::sudo_rules', [])
support_afs                     bool     hiera('base::enable_afs')
use_bastions                    bool     hiera('aaa::use_bastions', $profile::networking::use_bastions)
users                           list     hiera_array('aaa::users', [])
=============================== ======== ==============================================================

``admins``
~~~~~~~~~~

A list of user and/or group names. The users as well as the members of the groups
can log in on the system and have full root privileges via sudo.
Group names must be prefixed with ``%``.

Example::

   aaa::admins:
     - 'markushin'
     - 'gsell'
     - 'barabas'
     - '%unx-linux_support'

Also see `users`_.

``allow_sudoers_d``
~~~~~~~~~~~~~~~~~~~

This boolean controls whether the files in ``/etc/sudoers.d`` are taken
into account by sudo. When it is ``true``, rules dropped into that directory by
hand take effect alongside the Puppet-managed ones, so the directory has to be
reviewed like the sudoers file itself.

``bastions``
~~~~~~~~~~~~

A list of FQDNs. If `use_bastions`_ is true, then root logins are only allowed
from the hosts on this list. *Note*: if the list is empty, root logins are not
restricted at all, even with `use_bastions`_ set; an empty list never tightens
anything.

Example::

   aaa::bastions:
     - 'gpfs-node1.psi.ch'
     - 'gpfs-node2.psi.ch'
     - 'gpfs-node3.psi.ch'
     - 'wmgt01.psi.ch'
     - 'wmgt02.psi.ch'

``create_homes``
~~~~~~~~~~~~~~~~

This boolean controls whether home directories are created on login when
necessary. This only works if the underlying filesystem allows it. In
particular, it does not work on AFS.

Also see `override_homedir`_.

``cache_creds``
~~~~~~~~~~~~~~~~~~~~~

This boolean controls whether sssd caches credentials.

Also see `offline_creds_expiration`_.

``enable_ad``
~~~~~~~~~~~~~

Determines whether the system will be configured for Active Directory
authentication.

``enable_eaccounts``
~~~~~~~~~~~~~~~~~~~~

Setting this to ``true`` enables the Active Directory OU containing the
e-accounts.

``enable_slurm``
~~~~~~~~~~~~~~~~

When set to ``true``, Slurm users are allowed to log in to the compute nodes on
which their jobs are running. Otherwise, users are not allowed to log in to the
compute nodes at all.

To enable this behaviour, the role has to declare ``profile::aaa`` directly
with this parameter set, and at the same time declare ``role::base`` with
``include_aaa`` set to ``false`` so that the profile is not declared twice.
For example::

   class {
     'role::base':
       include_aaa  => false;
     'profile::aaa':
       support_afs  => hiera('base::enable_afs'),
       enable_slurm => true;
     'slurm::compute':
       cluster      => $cluster;
   }

``enable_ssh_allow``
~~~~~~~~~~~~~~~~~~~~

Allows users to manage access to the system without going through Puppet by
adding user names to ``/etc/security/ssh.allow.user``. This file is never
touched by Puppet, so entries added there are neither reviewed nor removed by
Puppet runs. Documentation can be found in :manpage:`pam_listfile(8)` or in
``/etc/security/ssh.allow.README`` on the target system.

``enable_tier3_ldap``
~~~~~~~~~~~~~~~~~~~~~

When set to ``true``, sssd.conf is configured to support only the OpenLDAP
domain of the Tier3. The other domains (Active Directory D.PSI.CH and LDAP
SLS.PSI.CH) are not included in the configuration file.

``ldap_enabled``
~~~~~~~~~~~~~~~~

This boolean controls whether LDAP (AD) is used for user information and
authentication.

In this case the following ports on the domain controllers have to be reachable
from the host:

- 389/TCP (LDAP)
- 389/UDP (CLDAP, used for domain controller discovery)
- 88/TCP (Kerberos)
- 88/UDP (Kerberos)
- 464/UDP (Kerberos password change)

``offline_creds_expiration``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The number of days (passed as a string, see the parameter table) for which
cached credentials remain valid after the last successful online login. A value
of 0 means that there is no limit, i.e. a user who has since been disabled or
removed in AD can keep logging in with the cached password for as long as the
host cannot reach a domain controller.

Also see `cache_creds`_.

``override_homedir``
~~~~~~~~~~~~~~~~~~~~

This string defines the home directory path to use as expected by sssd's
``override_homedir`` option. See :manpage:`sssd.conf(5)` for details.

Example::

   aaa::override_homedir: '/home/%u'

``sshkeys``
~~~~~~~~~~~

A hash of hashes, each of which contains the parameters as accepted by the
`ssh_authorized_key
<https://docs.puppet.com/puppet/latest/types/ssh_authorized_key.html>`_ resource
type.

Example::

   aaa::sshkeys:
     'root@ra':
       user: 'root'
       type: 'ssh-dss'
       key: 'AAAAB3Nz...'

Keep in mind that this only works if the user's home directory is accessible to
root. In particular, it doesn't work if the home is on AFS. Note also that
OpenSSH 7.0 and later refuse ``ssh-dss`` keys unless they are explicitly
re-enabled on the server, so new entries should use ``ssh-ed25519`` or
``ssh-rsa`` keys.

``sssd_debuglevel``
~~~~~~~~~~~~~~~~~~~

This integer configures sssd's ``debug_level`` option (see
:manpage:`sssd.conf(5)`). It is rarely necessary to use this setting, as the
debug level can be changed at runtime using :manpage:`sss_debuglevel(8)`.

``sudo_rules``
~~~~~~~~~~~~~~

A list of strings taken from Hiera containing additional sudo rules.

Example::

   aaa::sudo_rules:
     - 'ALL ALL=(ALL) NOPASSWD: /usr/local/bin/add_eaccount.sh'
     - 'DETGROUP ALL= NOPASSWD: /bin/systemctl'
     - 'DETGROUP ALL=(ALL) NOPASSWD: /usr/sbin/tcpdump'

Review these rules as carefully as entries in `admins`_: ``NOPASSWD`` access to
general-purpose binaries such as ``systemctl`` (which hands the caller a pager)
or ``tcpdump`` (whose ``-z`` option runs a command of the caller's choice) is
equivalent to unrestricted root.

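To make that review mechanical, the following linter is an added example, not
part of the profile or of PSI's Puppet code. It parses the one-line
``users hosts=(runas) TAG: commands`` user-specification form used in the
example above and reports what each rule actually hands out. The shell-escape
list is an assumption: these binaries let the caller run arbitrary commands as
the target user, so a rule naming one of them is treated as if it said ``ALL``.

```python
"""Lint for the rule strings fed in through aaa::sudo_rules.

Added example, not part of the profile. Parses the one-line
"users hosts=(runas) TAG: commands" user specification form and reports
what each rule grants. SHELL_ESCAPES is an assumption (binaries that give
the caller a shell or run arbitrary commands: systemctl through its pager,
tcpdump through -z, editors and pagers through their shell escapes).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

RULE_RE = re.compile(
    r"^(?P<users>\S+)\s+(?P<hosts>\S+)\s*=\s*"   # User_List Host_List =
    r"(?:\((?P<runas>[^)]*)\))?\s*"              # optional (Runas_Spec)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"                 # NOPASSWD: / NOEXEC: / ...
    r"(?P<cmds>.+)$"                             # Cmnd_List
)

# assumption: binaries that hand the caller a shell or run arbitrary commands
SHELL_ESCAPES = {"systemctl", "tcpdump", "vim", "vi", "less", "more", "find"}


@dataclass(frozen=True)
class SudoRule:
    users: str
    hosts: str
    runas: str
    tags: Tuple[str, ...]
    commands: Tuple[str, ...]


def parse_rule(line: str) -> SudoRule:
    """Parse one user specification; raises on anything else."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a sudoers user specification: {line!r}")
    tags = tuple(t for t in m.group("tags").replace(" ", "").split(":") if t)
    cmds = tuple(c.strip() for c in m.group("cmds").split(","))
    runas = m.group("runas") or "root"            # no (runas) means root
    return SudoRule(m.group("users"), m.group("hosts"), runas, tags, cmds)


def findings(rule: SudoRule) -> List[str]:
    """Human-readable list of what the rule grants beyond a narrow command."""
    out = []
    if rule.users == "ALL":
        out.append("granted to every account on the host")
    if "NOPASSWD" in rule.tags:
        out.append("no password required")
    target = "any user" if rule.runas == "ALL" else rule.runas
    for cmd in rule.commands:
        base = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL" or base in SHELL_ESCAPES:
            out.append(f"{cmd}: effectively unrestricted access as {target}")
        if "*" in cmd:
            out.append(f"{cmd}: wildcard in command, extra arguments can be smuggled in")
    return out


def lint(rules: List[str]) -> Dict[str, List[str]]:
    """Map each rule string to its findings (empty list = nothing notable)."""
    return {line: findings(parse_rule(line)) for line in rules}


if __name__ == "__main__":
    # the three rules from the Hiera example on this page
    for line, notes in lint([
        "ALL ALL=(ALL) NOPASSWD: /usr/local/bin/add_eaccount.sh",
        "DETGROUP ALL= NOPASSWD: /bin/systemctl",
        "DETGROUP ALL=(ALL) NOPASSWD: /usr/sbin/tcpdump",
    ]).items():
        print(line)
        for note in notes:
            print("   -", note)
```

Run it over the ``aaa::sudo_rules`` list before committing a change; the first
rule above is flagged because it applies to every account on the host, the other
two because the named binaries are equivalent to ``ALL``.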
``support_afs``
~~~~~~~~~~~~~~~

Configure PAM and related tools which are necessary for running AFS.

``use_bastions``
~~~~~~~~~~~~~~~~

This parameter determines whether root logins are only possible from the hosts
listed in `bastions`_. Normally the value is taken from the network property of
the same name (``$profile::networking::use_bastions``), but this parameter
allows overriding the network setting through Hiera or in Puppet manifests.

``users``
~~~~~~~~~

A list of user and/or group names. The users as well as the members of the
groups can log in on the system.
Group names must be prefixed with ``%``.

Also see `admins`_.

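The interaction of `admins`_, `users`_, `bastions`_ and `use_bastions`_ is
easiest to see on the :manpage:`pam_access(8)` rules they end up as. The
following model is an added example, not code from the profile or its template
(the real ``access.conf`` is rendered by the module, which this page does not
show). The rule layout it assumes, drawn from the parameter descriptions, is:
root only from the bastions, every listed user and group from anywhere, everyone
else denied. It implements only the subset of :manpage:`access.conf(5)` needed
here (``permission : users : origins``, first matching line decides, no
matching line means allow); ``EXCEPT`` lists and netgroups are left out, and the
host names are taken from the examples above.

```python
"""Model of the login rules this profile expresses through pam_access(8).

Added example, not code from the profile. The rule layout (root only from the
bastions, listed users and groups from anywhere, everyone else denied) is an
assumption drawn from the parameter descriptions. Only the subset of
access.conf(5) needed here is modelled: "permission : users : origins", the
first matching line decides, and no matching line means allow.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Rule:
    allow: bool
    users: Tuple[str, ...]     # user names, "(group)" entries or "ALL"
    origins: Tuple[str, ...]   # host names, ".domain" suffixes, "ALL" or "LOCAL"

    def render(self) -> str:
        sign = "+" if self.allow else "-"
        return f"{sign} : {' '.join(self.users)} : {' '.join(self.origins)}"


def parse_access_conf(text: str) -> List[Rule]:
    """Parse access.conf text; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in {raw!r}")
        rules.append(Rule(perm == "+", tuple(users.split()), tuple(origins.split())))
    return rules


def user_matches(entry: str, user: str, groups: Set[str]) -> bool:
    if entry == "ALL":
        return True
    if entry.startswith("(") and entry.endswith(")"):
        return entry[1:-1] in groups           # "(group)" form
    return entry == user


def origin_matches(entry: str, origin: str) -> bool:
    if entry == "ALL":
        return True
    if entry == "LOCAL":
        return "." not in origin               # simplification: bare name = local
    if entry.startswith("."):
        return origin.endswith(entry)          # domain suffix
    return entry == origin


def access_allowed(rules: Iterable[Rule], user: str, groups: Set[str], origin: str) -> bool:
    """First rule matching both user and origin decides; no match means allow."""
    for rule in rules:
        if any(user_matches(u, user, groups) for u in rule.users) and \
           any(origin_matches(o, origin) for o in rule.origins):
            return rule.allow
    return True


def render_access_conf(admins: Sequence[str], users: Sequence[str],
                       bastions: Sequence[str], use_bastions: bool) -> str:
    """Rules implied by the parameter descriptions (assumed layout).

    Hiera '%group' becomes the '(group)' form. Root's origins are the bastions
    when use_bastions is set and the list is non-empty, otherwise ALL, which
    is exactly the "empty list means unrestricted" pitfall.
    """
    def entry(name: str) -> str:
        return f"({name[1:]})" if name.startswith("%") else name

    root_origins = tuple(bastions) if use_bastions and bastions else ("ALL",)
    rules = [Rule(True, ("root",), root_origins)]
    allowed = tuple(entry(n) for n in list(admins) + list(users))
    if allowed:
        rules.append(Rule(True, allowed, ("ALL",)))
    rules.append(Rule(False, ("ALL",), ("ALL",)))
    return "\n".join(r.render() for r in rules) + "\n"


def login_allowed(conf: str, user: str, groups: Set[str], origin: str) -> bool:
    return access_allowed(parse_access_conf(conf), user, groups, origin)


if __name__ == "__main__":
    # constructed sample data, modelled on the Hiera examples on this page
    admins, bastions = ["gsell", "%unx-linux_support"], ["wmgt01.psi.ch", "wmgt02.psi.ch"]
    strict = render_access_conf(admins, [], bastions, use_bastions=True)
    loose = render_access_conf(admins, [], [], use_bastions=True)
    print(strict)
    print("root from bastion:", login_allowed(strict, "root", set(), "wmgt01.psi.ch"))
    print("root from laptop: ", login_allowed(strict, "root", set(), "laptop.psi.ch"))
    print("root from laptop with empty bastions:",
          login_allowed(loose, "root", set(), "laptop.psi.ch"))
```

The last line of the demonstration is the point of the *Note* under
`bastions`_: with ``use_bastions`` set but an empty list, root is accepted from
``laptop.psi.ch`` just as from a bastion.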
``ssh_authorized_keys``
~~~~~~~~~~~~~~~~~~~~~~~

The class parameter behind `sshkeys`_: a hash of hashes as expected by the
``ssh_authorized_key`` Puppet resource, filled from ``aaa::sshkeys`` by default.

Examples
--------

The base role includes this profile by default. If you need to customize the
profile, do it like this::

   class role::some_role () {
     class {'role::base':
       include_aaa => false,
       ...
     }
     class {'profile::aaa':
       override_homedir => '/localhomes/%u',
       create_homes     => true,
       ...
     }
     ...
   }

Implementation Notes
--------------------

User/Group Enumeration
~~~~~~~~~~~~~~~~~~~~~~

User/group enumeration happens when using the ``{set,get,end}pwent`` and
``{set,get,end}grent`` APIs to enumerate all users or groups. These are used by
``getent passwd`` and ``getent group`` for example, when not providing a
specific user or group to query.

Enumeration would potentially be very slow and put a high load on the AD domain
controllers if it were to return all users/groups from AD. To prevent this, we
disable enumeration for AD accounts using the ``enumerate`` setting in
:manpage:`sssd.conf(5)`. This means that enumeration using the APIs/programs
above only returns local users and groups; lookups of a specific name or ID
(``getent passwd gsell``) still go to AD as before.

The ``min_id`` issue
~~~~~~~~~~~~~~~~~~~~

There are Unix groups in AD at PSI with very low GIDs, the lowest being 101
(``unx-fkt``). This leads to problems, because :manpage:`sssd(8)` ignores users
and groups with IDs lower than ``min_id`` (from :manpage:`sssd.conf(5)`), which
has a value of 500 by default.

Therefore we set ``min_id`` to 100. One consequence is that there is overlap
between the ID range sssd considers when querying AD and the ID range for system
users and groups (``SYS_{UID,GID}_{MIN,MAX}``) as defined in
:manpage:`login.defs(5)`.

When creating system groups, :manpage:`groupadd(8)` scans **all** GIDs from
``SYS_GID_MAX`` down to ``SYS_GID_MIN``, and every candidate that is not below
``min_id`` is looked up in AD. This causes a number of requests to AD, which is
usually not a problem but can be, if those take a long time to complete. This
used to happen without the ``ad_enabled_domains`` setting, for example:
``sssd`` would query ``d.ethz.ch`` in addition to ``d.psi.ch``, and each of
those lookups would time out after a few seconds.

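The trade-off behind the ``min_id`` value, as an added example that is not part
of the profile: the model below reproduces the downward scan of the system GID
range and counts how many candidates sssd forwards to AD for a given
``min_id``. It also shows why simply raising ``min_id`` to silence the lookups
is the wrong fix: a GID that AD already uses then looks free to
:manpage:`groupadd(8)` and gets reused locally. The ``login.defs`` values are
the RHEL/CentOS 7 defaults and are an assumption; the local and AD-held GIDs are
a constructed sample (101 stands in for ``unx-fkt``); the scan is simplified to
"walk from ``SYS_GID_MAX`` down and take the first GID no NSS source knows".

```python
"""Model of the min_id / login.defs overlap (added example, not profile code).

Assumptions: SYS_GID_MIN/MAX are the RHEL/CentOS 7 login.defs defaults; the
local and AD-held GIDs are a constructed sample (101 stands in for unx-fkt);
groupadd -r is simplified to "walk from SYS_GID_MAX down to SYS_GID_MIN and
take the first GID no NSS source knows", with every GID that sssd does not
filter out costing one lookup against AD.
"""
from typing import List, Optional, Set, Tuple

SYS_GID_MIN = 201   # assumed login.defs defaults (RHEL/CentOS 7)
SYS_GID_MAX = 999

LOCAL_GIDS: Set[int] = {0, 1, 10, 100, 998, 999}      # constructed /etc/group
AD_GIDS: Set[int] = {101, 250, 600, 997, 10000}        # constructed AD groups


def sssd_visible(gid: int, min_id: int, max_id: int = 0) -> bool:
    """sssd drops entries outside [min_id, max_id]; max_id == 0 means no upper bound."""
    return gid >= min_id and (max_id == 0 or gid <= max_id)


def forwarded_to_ad(min_id: int, lo: int = SYS_GID_MIN, hi: int = SYS_GID_MAX) -> List[int]:
    """GIDs in the system range that a full downward scan would send to AD."""
    return [gid for gid in range(hi, lo - 1, -1) if sssd_visible(gid, min_id)]


def nss_getgrgid(gid: int, min_id: int, ad_queries: List[int]) -> bool:
    """NSS order files, sss: True if some source knows the GID."""
    if gid in LOCAL_GIDS:
        return True
    if not sssd_visible(gid, min_id):
        return False            # filtered locally, AD is never asked
    ad_queries.append(gid)      # one round trip to a domain controller
    return gid in AD_GIDS


def groupadd_system(min_id: int) -> Tuple[Optional[int], List[int]]:
    """Return the GID groupadd -r would choose and the AD lookups it cost."""
    ad_queries: List[int] = []
    for gid in range(SYS_GID_MAX, SYS_GID_MIN - 1, -1):
        if not nss_getgrgid(gid, min_id, ad_queries):
            return gid, ad_queries
    return None, ad_queries


def collides_with_ad(gid: Optional[int]) -> bool:
    """A 'free' GID that AD already uses is a collision, not a free GID."""
    return gid is not None and gid in AD_GIDS


if __name__ == "__main__":
    for min_id in (100, 500, 1000):
        print(f"min_id={min_id}: unx-fkt visible={sssd_visible(101, min_id)}, "
              f"full scan forwards {len(forwarded_to_ad(min_id))} lookups")
        chosen, queries = groupadd_system(min_id)
        print(f"  groupadd -r -> GID {chosen} after {len(queries)} AD lookups, "
              f"collision with AD={collides_with_ad(chosen)}")
```

With ``min_id`` at 100 every one of the 799 candidate GIDs is a potential AD
lookup, which is the load the section above describes; with ``min_id`` at 1000
the lookups vanish, but ``unx-fkt`` disappears with them and the sample
``groupadd`` picks GID 997, a value AD already owns.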
PAM details
~~~~~~~~~~~

There have been discussions to move :manpage:`pam_access(8)` to the ``auth``
section (from the ``account`` section) to prevent information leakage for
accounts that can't even log in: because the ``account`` stack only runs after
a successful password check, an attacker gets a different error message
depending on whether the password was wrong or whether
:manpage:`pam_access(8)` didn't allow access.

The problem is that when using Kerberos (GSSAPI) authentication, sshd does not
use PAM for authentication at all, so a module in the ``auth`` stack is
circumvented, while the ``account`` stack still runs for such logins. Hence,
just moving :manpage:`pam_access(8)` from ``account`` to ``auth`` does not
work.

Kerberos ticket/AFS token renewal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Kerberos tickets and AFS tokens are automatically renewed for as long as
possible, i.e. until the ticket's renewable lifetime is exhausted. This is done
by running a :manpage:`krenew(1)` process for every session in the background.