5.4. Enabling passwordless sudo authentication for smart-card users
You can configure passwordless authentication to sudo and other services for smart card users in the web console.
As an alternative, if you use RHEL Identity Management, you can declare the initial web console certificate authentication as trusted for authenticating to sudo, SSH, or other services. For that purpose, the web console automatically creates an S4U2Proxy Kerberos ticket in the user session.
Prerequisites
- Identity Management is installed.
- Active Directory is connected to Identity Management through a cross-forest trust.
- Your smart card is set up to log in to the web console. See Configuring smart card authentication with the web console for centrally managed users for more information.
Procedure
Set up constrained delegation rules to list which hosts the ticket can access.
Example 5.1. Setting up constrained delegation rules
The web console session runs on the host host.example.com and should be trusted to access its own host with sudo. Additionally, we are adding a second trusted host, remote.example.com. Create the following delegation:
Run the following commands to add a list of target machines a particular rule can access:
# ipa servicedelegationtarget-add cockpit-target
# ipa servicedelegationtarget-add-member cockpit-target \
    --principals=host/host.example.com@EXAMPLE.COM \
    --principals=host/remote.example.com@EXAMPLE.COM
To allow the web console sessions (the HTTP/ principal) to access that host list, use the following commands:
# ipa servicedelegationrule-add cockpit-delegation
# ipa servicedelegationrule-add-member cockpit-delegation \
    --principals=HTTP/host.example.com@EXAMPLE.COM
# ipa servicedelegationrule-add-target cockpit-delegation \
    --servicedelegationtargets=cockpit-target
Enable GSS authentication in the corresponding services:
- For sudo, enable the pam_sss_gss module through the /etc/sssd/sssd.conf file:
  As root, add the following option to the section for your domain in the /etc/sssd/sssd.conf configuration file:
  [domain/example.com]
  pam_gssapi_services = sudo, sudo-i
  Restart the sssd service afterwards so that the new option takes effect.
  Enable the module in the /etc/pam.d/sudo file as the first auth line, so that the delegated ticket is tried before the password modules:
  auth sufficient pam_sss_gss.so
- For SSH, set the GSSAPIAuthentication option in the /etc/ssh/sshd_config file to yes and restart the sshd service.
The delegated S4U ticket is not forwarded to remote SSH hosts when you connect to them from the web console, so authenticating to sudo on a remote host with that ticket does not work.
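The following script is an added example; it is not part of this documentation or of the web console (cockpit) project. It automates the two steps above: the setup mode creates the delegation target and rule from Example 5.1 for a console host plus any extra target hosts, and the check mode verifies that sssd.conf, /etc/pam.d/sudo and sshd_config carry the settings from step 2 (the option in the right domain section, the module as the first auth line, GSSAPIAuthentication yes as the first value sshd reads). The script name cockpit-gss.sh, the DRY_RUN variable and the defaults for REALM, TARGET and RULE are assumptions of this example; running the setup mode without DRY_RUN=1 requires the ipa client and an administrator Kerberos ticket on an enrolled host.

```shell
#!/bin/bash
# Added example (not from the RHEL documentation or the cockpit project):
# scripts the constrained-delegation setup of Example 5.1 and checks the
# sudo/SSH GSSAPI settings of step 2. Assumes the ipa CLI and an admin
# Kerberos ticket (kinit admin) when DRY_RUN is unset; the script name,
# the REALM/TARGET/RULE defaults and DRY_RUN are this example's own.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
TARGET="${TARGET:-cockpit-target}"      # delegation target name from Example 5.1
RULE="${RULE:-cockpit-delegation}"      # delegation rule name from Example 5.1

# With DRY_RUN=1 the ipa command line is printed instead of executed,
# so the result can be reviewed before touching the IdM server.
run_ipa() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ipa %s\n' "$*"
    else
        ipa "$@"
    fi
}

# setup_delegation CONSOLE_HOST [EXTRA_TARGET_HOST...]
# Lets the console host's HTTP/ principal obtain tickets (S4U2Proxy) for the
# host/ principals of itself and of every extra target host, and nothing else.
setup_delegation() {
    console="$1"
    members=""
    for h in "$@"; do
        members="$members --principals=host/${h}@${REALM}"
    done
    run_ipa servicedelegationtarget-add "$TARGET"
    # shellcheck disable=SC2086  word splitting of $members is intended
    run_ipa servicedelegationtarget-add-member "$TARGET" $members
    run_ipa servicedelegationrule-add "$RULE"
    run_ipa servicedelegationrule-add-member "$RULE" \
        "--principals=HTTP/${console}@${REALM}"
    run_ipa servicedelegationrule-add-target "$RULE" \
        "--servicedelegationtargets=${TARGET}"
}

# check_gss_config SSSD_CONF PAM_SUDO SSHD_CONFIG DOMAIN
# Returns 0 when all three files carry the settings of the procedure and
# prints one FAIL line per missing setting otherwise (exit status 1).
check_gss_config() {
    sssd_conf="$1"; pam_sudo="$2"; sshd_conf="$3"; domain="$4"; rc=0

    # pam_gssapi_services must list sudo inside [domain/<domain>]; the same
    # option placed in another section (for example [pam]) is not what the
    # procedure asks for, so it is reported as missing.
    if ! awk -v sect="[domain/${domain}]" '
        /^\[/ { in_sect = ($0 == sect) }
        in_sect && /^[ \t]*pam_gssapi_services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, v, /[ ,\t]+/)
            for (i = 1; i <= n; i++) if (v[i] == "sudo") found = 1
        }
        END { if (found) exit 0; exit 1 }' "$sssd_conf"; then
        echo "FAIL: pam_gssapi_services in [domain/${domain}] of ${sssd_conf} does not list sudo"
        rc=1
    fi

    # pam_sss_gss.so must be the first auth line so the delegated ticket is
    # tried before the password modules pulled in by "auth include system-auth".
    if ! awk '/^[ \t]*auth[ \t]/ { first = $0; exit }
              END { if (first ~ /pam_sss_gss\.so/) exit 0; exit 1 }' "$pam_sudo"; then
        echo "FAIL: pam_sss_gss.so is not the first auth line in ${pam_sudo}"
        rc=1
    fi

    # sshd uses the first value it reads for a keyword; drop-in files under
    # sshd_config.d and Match blocks are not followed by this simple check.
    if ! awk 'tolower($1) == "gssapiauthentication" && !seen { val = tolower($2); seen = 1 }
              END { if (val == "yes") exit 0; exit 1 }' "$sshd_conf"; then
        echo "FAIL: GSSAPIAuthentication is not yes in ${sshd_conf}"
        rc=1
    fi
    return "$rc"
}

# Usage: DRY_RUN=1 ./cockpit-gss.sh setup host.example.com remote.example.com
#        ./cockpit-gss.sh check example.com
case "${1:-}" in
    setup) shift; setup_delegation "$@" ;;
    check) check_gss_config /etc/sssd/sssd.conf /etc/pam.d/sudo \
               /etc/ssh/sshd_config "${2:?domain name required}" ;;
esac
```

Run the setup mode with DRY_RUN=1 first and compare the printed ipa commands with Example 5.1 before running it for real; the check mode only reads the three files, so it can be run on the console host before you test the Limited access button.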
Verification
- Log in to the web console using a smart card.
- Click the Limited access button.
- Authenticate using your smart card. With the delegation in place, sudo accepts the delegated Kerberos ticket and the session gains administrative access without prompting for a password.
Alternatively:
- Try to connect to a different host with SSH.