Chapter 6. Managing remote systems in the web console
You can connect to the remote systems and manage them in the RHEL 8 web console.
You learn:
- The optimal topology of connected systems.
- How to add and remove remote systems.
- When, why, and how to use SSH keys for remote system authentication.
-
How to configure a web console client to allow a user authenticated with a smart card to
SSH
to a remote host and access services on it.
Prerequisites
- The SSH service is running on remote systems.
6.1. Remote system manager in the web console
For security reasons, use the following network setup of remote systems managed by the the RHEL 8 web console:
- Configure one system with the web console as a bastion host. The bastion host is a system with opened HTTPS port.
- All other systems communicate through SSH.
With the web interface running on the bastion host, you can reach all other systems through the SSH protocol using port 22 in the default configuration.
6.2. Adding remote hosts to the web console
In the RHEL web console, you can manage remote systems after you add them with the corresponding credentials.
Prerequisites
You have installed the RHEL 8 web console.
For instructions, see Installing and enabling the web console.
Procedure
Log in to the RHEL 8 web console.
For details, see Logging in to the web console.
In the RHEL 8 web console, click your
<username>@<hostname>
in the top left corner of the Overview page.- From the drop-down menu, click .
- In the Add new host dialog box, specify the host you want to add.
Optional: Add the user name for the account to which you want to connect.
You can use any user account of the remote system. However, if you use the credentials of a user account without administration privileges, you cannot perform administration tasks.
If you use the same credentials as on your local system, the web console authenticates remote systems automatically every time you log in. Note that using the same credentials on more systems weakens the security.
- Optional: Click the Color field to change the color of the system.
- Click .
The web console does not save passwords used to log in to remote systems, which means that you must log in again after each system restart. Next time you log in, click
placed on the main screen of the disconnected remote system to open the login dialog.Verification
-
The new host is listed in the
<username>@<hostname>
drop-down menu.
6.3. Enabling SSH login for a new host
When you add a new host to the web console, you can also log in to the host with an SSH key. If you already have an SSH key on your system, the web console uses the existing one; otherwise, the web console can create a key.
Prerequisites
You have installed the RHEL 8 web console.
For instructions, see Installing and enabling the web console.
Procedure
Log in to the RHEL 8 web console.
For details, see Logging in to the web console.
In the RHEL 8 web console, click your
<username>@<hostname>
in the top left corner of the Overview page.- From the drop-down menu, click .
- In the Add new host dialog box, specify the host you want to add.
Add the user name for the account to which you want to connect.
You can use any user account of the remote system. However, if you use a user account without administration privileges, you cannot perform administration tasks.
- Optional: Click the Color field to change the color of the system.
Click
.A new dialog window appears asking for a password.
- Enter the user account password.
Check Authorize SSH key if you already have an SSH key.
Check Create a new SSH key and authorize it if you do not have an SSH key. The web console creates the key.
- Add a password for the SSH key.
- Confirm the password.
- Click .
Verification
- Log out.
- Log back in.
- Click Not connected to host screen. in the
Select SSH key as your authentication option.
- Enter your key password.
- Click .
Additional resources
6.4. Configuring a web console to allow a user authenticated with a smart card to SSH to a remote host without being asked to authenticate again
After you have logged in to a user account on the RHEL web console, as an Identity Management (IdM) system administrator you might need to connect to remote machines by using the SSH
protocol. You can use the constrained delegation feature to use SSH
without being asked to authenticate again.
Follow this procedure to configure the web console to use constrained delegation. In the example below, the web console session runs on the myhost.idm.example.com host and it is being configured to access the remote.idm.example.com host by using SSH
on behalf of the authenticated user.
Prerequisites
-
You have obtained an IdM
admin
ticket-granting ticket (TGT). -
You have
root
access to remote.idm.example.com. - The web console service is present in IdM.
- The remote.idm.example.com host is present in IdM.
The web console has created an
S4U2Proxy
Kerberos ticket in the user session. To verify that this is the case, log in to the web console as an IdM user, open theTerminal
page, and enter:$ klist Ticket cache: FILE:/run/user/1894000001/cockpit-session-3692.ccache Default principal: user@IDM.EXAMPLE.COM Valid starting Expires Service principal 07/30/21 09:19:06 07/31/21 09:19:06 HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM 07/30/21 09:19:06 07/31/21 09:19:06 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM for client HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
Procedure
Create a list of the target hosts that can be accessed by the delegation rule:
Create a service delegation target:
$ ipa servicedelegationtarget-add cockpit-target
Add the target host to the delegation target:
$ ipa servicedelegationtarget-add-member cockpit-target \ --principals=host/remote.idm.example.com@IDM.EXAMPLE.COM
Allow
cockpit
sessions to access the target host list by creating a service delegation rule and adding theHTTP
service Kerberos principal to it:Create a service delegation rule:
$ ipa servicedelegationrule-add cockpit-delegation
Add the web console client to the delegation rule:
$ ipa servicedelegationrule-add-member cockpit-delegation \ --principals=HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
Add the delegation target to the delegation rule:
$ ipa servicedelegationrule-add-target cockpit-delegation \ --servicedelegationtargets=cockpit-target
Enable Kerberos authentication on the remote.idm.example.com host:
-
SSH
to remote.idm.example.com asroot
. -
Open the
/etc/ssh/sshd_config
file for editing. -
Enable
GSSAPIAuthentication
by uncommenting theGSSAPIAuthentication no
line and replacing it withGSSAPIAuthentication yes
.
-
Restart the
SSH
service on remote.idm.example.com so that the above changes take effect immediately:$ systemctl try-restart sshd.service
6.5. Using Ansible to configure a web console to allow a user authenticated with a smart card to SSH to a remote host without being asked to authenticate again
After you have logged in to a user account on the RHEL web console, as an Identity Management (IdM) system administrator you might need to connect to remote machines by using the SSH
protocol. You can use the constrained delegation feature to use SSH
without being asked to authenticate again.
Follow this procedure to use the servicedelegationrule
and servicedelegationtarget
ansible-freeipa
modules to configure a web console to use constrained delegation. In the example below, the web console session runs on the myhost.idm.example.com host and it is being configured to access the remote.idm.example.com host by using SSH
on behalf of the authenticated user.
Prerequisites
-
The IdM
admin
password. -
root
access to remote.idm.example.com. - The web console service is present in IdM.
- The remote.idm.example.com host is present in IdM.
The web console has created an
S4U2Proxy
Kerberos ticket in the user session. To verify that this is the case, log in to the web console as an IdM user, open theTerminal
page, and enter:$ klist Ticket cache: FILE:/run/user/1894000001/cockpit-session-3692.ccache Default principal: user@IDM.EXAMPLE.COM Valid starting Expires Service principal 07/30/21 09:19:06 07/31/21 09:19:06 HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM 07/30/21 09:19:06 07/31/21 09:19:06 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM for client HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
You have configured your Ansible control node to meet the following requirements:
- You are using Ansible version 2.14 or later.
-
You have installed the
ansible-freeipa
package on the Ansible controller. - The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
-
The example assumes that the secret.yml Ansible vault stores your
ipaadmin_password
.
-
The target node, that is the node on which the
ansible-freeipa
module is executed, is part of the IdM domain as an IdM client, server or replica.
Procedure
Navigate to your ~/MyPlaybooks/ directory:
$ cd ~/MyPlaybooks/
Create a
web-console-smart-card-ssh.yml
playbook with the following content:Create a task that ensures the presence of a delegation target:
--- - name: Playbook to create a constrained delegation target hosts: ipaserver vars_files: - /home/user_name/MyPlaybooks/secret.yml tasks: - name: Ensure servicedelegationtarget web-console-delegation-target is present ipaservicedelegationtarget: ipaadmin_password: "{{ ipaadmin_password }}" name: web-console-delegation-target
Add a task that adds the target host to the delegation target:
- name: Ensure servicedelegationtarget web-console-delegation-target member principal host/remote.idm.example.com@IDM.EXAMPLE.COM is present ipaservicedelegationtarget: ipaadmin_password: "{{ ipaadmin_password }}" name: web-console-delegation-target principal: host/remote.idm.example.com@IDM.EXAMPLE.COM action: member
Add a task that ensures the presence of a delegation rule:
- name: Ensure servicedelegationrule delegation-rule is present ipaservicedelegationrule: ipaadmin_password: "{{ ipaadmin_password }}" name: web-console-delegation-rule
Add a task that ensures that the Kerberos principal of the web console client service is a member of the constrained delegation rule:
- name: Ensure the Kerberos principal of the web console client service is added to the servicedelegationrule web-console-delegation-rule ipaservicedelegationrule: ipaadmin_password: "{{ ipaadmin_password }}" name: web-console-delegation-rule principal: HTTP/myhost.idm.example.com action: member
Add a task that ensures that the constrained delegation rule is associated with the web-console-delegation-target delegation target:
- name: Ensure a constrained delegation rule is associated with a specific delegation target ipaservicedelegationrule: ipaadmin_password: "{{ ipaadmin_password }}" name: web-console-delegation-rule target: web-console-delegation-target action: member
- Save the file.
Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file:
$ ansible-playbook --vault-password-file=password_file -v -i inventory web-console-smart-card-ssh.yml
Enable Kerberos authentication on remote.idm.example.com:
-
SSH
to remote.idm.example.com asroot
. -
Open the
/etc/ssh/sshd_config
file for editing. -
Enable
GSSAPIAuthentication
by uncommenting theGSSAPIAuthentication no
line and replacing it withGSSAPIAuthentication yes
.
-
Additional resources
- Logging in to the web console with smart cards
- Constrained delegation in Identity Management
-
README-servicedelegationrule.md
andREADME-servicedelegationtarget.md
in the/usr/share/doc/ansible-freeipa/
directory -
Sample playbooks in the
/usr/share/doc/ansible-freeipa/playbooks/servicedelegationtarget
and/usr/share/doc/ansible-freeipa/playbooks/servicedelegationrule
directories