Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 53. Using constrained delegation in IdM

The constrained delegation enables one service to access other services on your behalf. You grant only limited authority for one service instead of giving full access to all your credentials.

53.1. Constrained delegation in Identity Management
Copiar o link

The Service for User to Proxy (S4U2proxy) extension provides a service that obtains a service ticket to another service on behalf of a user. This feature is known as constrained delegation. The second service is typically a proxy performing some work on behalf of the first service, under the authorization context of the user. Using constrained delegation eliminates the need for the user to delegate their full ticket-granting ticket (TGT).

Identity Management (IdM) traditionally uses the Kerberos S4U2proxy feature to allow the web server framework to obtain an LDAP service ticket on the user’s behalf. The IdM-AD trust system also uses constrained delegation to obtain a cifs principal.

You can use the S4U2proxy feature to configure a web console client to allow an IdM user that has authenticated with a smart card to achieve the following:

  • Run commands with superuser privileges on the RHEL host on which the web console service is running without being asked to authenticate again.
  • Access a remote host using SSH and access services on the host without being asked to authenticate again.

53.2. Configuring smart-card authentication for SSH logins in the web console
Copiar o link

After logging in to a user account on the RHEL web console, you can connect to remote machines by using the SSH protocol. You can use the constrained delegation feature to use SSH without being asked to authenticate again.

In the example procedure, the web console session runs on the myhost.idm.example.com host, and you configure the console to access the remote.idm.example.com host by using SSH on behalf of the authenticated user.

Prerequisites

  • You have obtained an IdM admin ticket-granting ticket (TGT) on myhost.idm.example.com.
  • You have root access to remote.idm.example.com.
  • The host that runs the web console is a member of an IdM domain.

Procedure

  1. In the Terminal page, verify that the web console has created a Service for User to Proxy (S4U2proxy) Kerberos ticket in the user session: 

    $ klist
…
Valid starting     Expires            Service principal
05/20/25 09:19:06 05/21/25 09:19:06 HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

  2. Create a list of the target hosts that the delegation rule can access:

    1. Create a service delegation target: 

      $ ipa servicedelegationtarget-add cockpit-target
      Copy to Clipboard Toggle word wrap

    2. Add the target host to the delegation target: 

      $ ipa servicedelegationtarget-add-member cockpit-target \
  --principals=host/remote.idm.example.com@IDM.EXAMPLE.COM
      Copy to Clipboard Toggle word wrap

  3. Allow cockpit sessions to access the target host list by creating a service delegation rule and adding the HTTP service Kerberos principal to it:

    1. Create a service delegation rule: 

      $ ipa servicedelegationrule-add cockpit-delegation
      Copy to Clipboard Toggle word wrap

    2. Add the web console client to the delegation rule: 

      $ ipa servicedelegationrule-add-member cockpit-delegation \
  --principals=HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
      Copy to Clipboard Toggle word wrap

    3. Add the delegation target to the delegation rule: 

      $ ipa servicedelegationrule-add-target cockpit-delegation \
  --servicedelegationtargets=cockpit-target
      Copy to Clipboard Toggle word wrap

  4. Enable Kerberos authentication on the remote.idm.example.com host:

    1. Connect through SSH to remote.idm.example.com as root.
    2. Add the GSSAPIAuthentication yes line to the /etc/ssh/sshd_config file.

  5. Restart the sshd service on remote.idm.example.com so that the changes take effect immediately: 

    $ systemctl try-restart sshd.service
    Copy to Clipboard Toggle word wrap

After logging in to a user account on the RHEL web console, you can connect to remote machines by using the SSH protocol. You can use the servicedelegationrule and servicedelegationtarget Ansible modules to configure the web console for the constrained delegation feature, which enables SSH connections without being asked to authenticate again.

In the example procedure, the web console session runs on the myhost.idm.example.com host and you configure it to access the remote.idm.example.com host by using SSH on behalf of the authenticated user.

Prerequisites

  • You have obtained an IdM admin ticket-granting ticket (TGT) on myhost.idm.example.com.
  • You have root access to remote.idm.example.com.
  • The host that runs the web console is a member of an IdM domain.

  • You have configured your Ansible control node to meet the following requirements:

    • You have installed the ansible-freeipa package.
    • The example assumes you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server in the ~/MyPlaybooks/ directory.
    • The example assumes that the secret.yml Ansible vault stores the admin password in the ipaadmin_password variable.
  • The target node, that is the node on which the ansible-freeipa module runs, is part of the IdM domain as an IdM client, server, or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Store your sensitive variables in an encrypted file:

    1. Create the vault: 

      $ ansible-vault create secret.yml
New Vault password: <vault_password>
Confirm New Vault password: <vault_password>
      Copy to Clipboard Toggle word wrap

    2. After the ansible-vault create command opens an editor, enter the sensitive data in the <key>: <value> format: 

      ipaadmin_password: <admin_password>
      Copy to Clipboard Toggle word wrap
    3. Save the changes, and close the editor. Ansible encrypts the data in the vault.

  3. In the Terminal page, verify that the web console has created a Service for User to Proxy (S4U2proxy) Kerberos ticket in the user session: 

    $ klist
…
Valid starting     Expires            Service principal
05/20/25 09:19:06 05/21/25 09:19:06 HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

  4. Create a web-console-smart-card-ssh.yml playbook with the following content:

    1. Create a task that ensures the presence of a delegation target: 

      ---
- name: Playbook to create a constrained delegation target
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure servicedelegationtarget web-console-delegation-target is present
    ipaservicedelegationtarget:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: web-console-delegation-target
      Copy to Clipboard Toggle word wrap

    2. Add a task that adds the target host to the delegation target: 

        - name: Ensure servicedelegationtarget web-console-delegation-target member principal host/remote.idm.example.com@IDM.EXAMPLE.COM is present
    ipaservicedelegationtarget:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: web-console-delegation-target
      principal: host/remote.idm.example.com@IDM.EXAMPLE.COM
      action: member
      Copy to Clipboard Toggle word wrap

    3. Add a task that ensures the presence of a delegation rule: 

        - name: Ensure servicedelegationrule delegation-rule is present
    ipaservicedelegationrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: web-console-delegation-rule
      Copy to Clipboard Toggle word wrap

    4. Add a task that ensures that the Kerberos principal of the web console client service is a member of the constrained delegation rule: 

        - name: Ensure the Kerberos principal of the web console client service is added to the servicedelegationrule web-console-delegation-rule
    ipaservicedelegationrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: web-console-delegation-rule
      principal: HTTP/myhost.idm.example.com
      action: member
      Copy to Clipboard Toggle word wrap

    5. Add a task that ensures that the constrained delegation rule is associated with the web-console-delegation-target delegation target: 

        - name: Ensure a constrained delegation rule is associated with a specific delegation target
    ipaservicedelegationrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: web-console-delegation-rule
      target: web-console-delegation-target
      action: member
      Copy to Clipboard Toggle word wrap

    6. Add a task that enable Kerberos authentication on remote.idm.example.com: 

        - name: Enable Kerberos authentication
    hosts: remote.idm.example.com
    vars:
      sshd_config:
        GSSAPIAuthentication: true
    roles:
      - role: rhel-system-roles.sshd
      Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory web-console-smart-card-ssh.yml
    Copy to Clipboard Toggle word wrap

After you have logged in to a user account on the RHEL web console, as an Identity Management (IdM) system administrator you might need to run commands with superuser privileges. You can use the constrained delegation feature to run sudo on the system without being asked to authenticate again.

Follow this procedure to configure a web console to use constrained delegation. In the example below, the web console session runs on the myhost.idm.example.com host.

Prerequisites

  • You have obtained an IdM admin ticket-granting ticket (TGT).
  • The web console service is present in IdM.
  • The myhost.idm.example.com host is present in IdM.
  • You have enabled admin sudo access to domain administrators on the IdM server.

  • The web console has created an S4U2Proxy Kerberos ticket in the user session. To verify that this is the case, log in to the web console as an IdM user, open the Terminal page, and enter: 

    $ klist
Ticket cache: FILE:/run/user/1894000001/cockpit-session-3692.ccache
Default principal: user@IDM.EXAMPLE.COM

Valid starting     Expires            Service principal
07/30/21 09:19:06 07/31/21 09:19:06 HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
07/30/21 09:19:06  07/31/21 09:19:06  krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
        for client HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

Procedure

  1. Create a list of the target hosts that can be accessed by the delegation rule:

    1. Create a service delegation target: 

      $ ipa servicedelegationtarget-add cockpit-target
      Copy to Clipboard Toggle word wrap

    2. Add the target host to the delegation target: 

      $ ipa servicedelegationtarget-add-member cockpit-target \
  --principals=host/myhost.idm.example.com@IDM.EXAMPLE.COM
      Copy to Clipboard Toggle word wrap

  2. Allow cockpit sessions to access the target host list by creating a service delegation rule and adding the HTTP service Kerberos principal to it:

    1. Create a service delegation rule: 

      $ ipa servicedelegationrule-add cockpit-delegation
      Copy to Clipboard Toggle word wrap

    2. Add the web console service to the delegation rule: 

      $ ipa servicedelegationrule-add-member cockpit-delegation \
  --principals=HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
      Copy to Clipboard Toggle word wrap

    3. Add the delegation target to the delegation rule: 

      $ ipa servicedelegationrule-add-target cockpit-delegation \
  --servicedelegationtargets=cockpit-target
      Copy to Clipboard Toggle word wrap

  3. Enable pam_sss_gss, the PAM module for authenticating users over the Generic Security Service Application Program Interface (GSSAPI) in cooperation with the System Security Services Daemon (SSSD):

    1. Open the /etc/sssd/sssd.conf file for editing.

    2. Specify that pam_sss_gss can provide authentication for the sudo and sudo -i commands in IdM your domain: 

      [domain/idm.example.com]
pam_gssapi_services = sudo, sudo-i
      Copy to Clipboard Toggle word wrap
    3. Save and exit the file.
    4. Open the /etc/pam.d/sudo file for editing.

    5. Insert the following line to the top of the #%PAM-1.0 list to allow, but not require, GSSAPI authentication for sudo commands: 

      auth sufficient pam_sss_gss.so
      Copy to Clipboard Toggle word wrap
    6. Save and exit the file.

  4. Restart the SSSD service so that the above changes take effect immediately: 

    $ systemctl restart sssd
    Copy to Clipboard Toggle word wrap

After you have logged in to a user account on the RHEL web console, as an Identity Management (IdM) system administrator you might need to run commands with superuser privileges. You can use the constrained delegation feature to run sudo on the system without being asked to authenticate again.

Follow this procedure to use the ipaservicedelegationrule and ipaservicedelegationtarget ansible-freeipa modules to configure a web console to use constrained delegation. In the example below, the web console session runs on the myhost.idm.example.com host.

Prerequisites

  • You have obtained an IdM admin ticket-granting ticket (TGT) by authenticating to the web console session with a smart card..
  • The web console service has been enrolled into IdM.
  • The myhost.idm.example.com host is present in IdM.
  • You have enabled admin sudo access to domain administrators on the IdM server.

  • The web console has created an S4U2Proxy Kerberos ticket in the user session. To verify that this is the case, log in to the web console as an IdM user, open the Terminal page, and enter: 

    $ klist
Ticket cache: FILE:/run/user/1894000001/cockpit-session-3692.ccache
Default principal: user@IDM.EXAMPLE.COM

Valid starting     Expires            Service principal
07/30/21 09:19:06 07/31/21 09:19:06 HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
07/30/21 09:19:06  07/31/21 09:19:06  krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
        for client HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.15 or later.
    • You have installed the freeipa.ansible_freeipa collection.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
  • The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. On your Ansible control node, navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Create a web-console-smart-card-sudo.yml playbook with the following content:

    1. Create a task that ensures the presence of a delegation target: 

      ---
- name: Playbook to create a constrained delegation target
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure servicedelegationtarget named sudo-web-console-delegation-target is present
    freeipa.ansible_freeipa.ipaservicedelegationtarget:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: sudo-web-console-delegation-target
      Copy to Clipboard Toggle word wrap

    2. Add a task that adds the target host to the delegation target: 

        - name: Ensure that a member principal named host/myhost.idm.example.com@IDM.EXAMPLE.COM is present in a service delegation target named sudo-web-console-delegation-target
    freeipa.ansible_freeipa.ipaservicedelegationtarget:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: sudo-web-console-delegation-target
      principal: host/myhost.idm.example.com@IDM.EXAMPLE.COM
      action: member
      Copy to Clipboard Toggle word wrap

    3. Add a task that ensures the presence of a delegation rule: 

        - name: Ensure servicedelegationrule named sudo-web-console-delegation-rule is present
    freeipa.ansible_freeipa.ipaservicedelegationrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: sudo-web-console-delegation-rule
      Copy to Clipboard Toggle word wrap

    4. Add a task that ensures that the Kerberos principal of the web console service is a member of the constrained delegation rule: 

        - name: Ensure the Kerberos principal of the web console service is added to the service delegation rule named sudo-web-console-delegation-rule
    freeipa.ansible_freeipa.ipaservicedelegationrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: sudo-web-console-delegation-rule
      principal: HTTP/myhost.idm.example.com
      action: member
      Copy to Clipboard Toggle word wrap

    5. Add a task that ensures that the constrained delegation rule is associated with the sudo-web-console-delegation-target delegation target: 

        - name: Ensure a constrained delegation rule is associated with a specific delegation target
    freeipa.ansible_freeipa.ipaservicedelegationrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: sudo-web-console-delegation-rule
      target: sudo-web-console-delegation-target
      action: member
      Copy to Clipboard Toggle word wrap

  3. Save the file.

    For details about variables and example playbooks in the FreeIPA Ansible collection, see the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README-servicedelegationrule.md file and the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/servicedelegationtarget directory on the control node.

  4. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory web-console-smart-card-sudo.yml
    Copy to Clipboard Toggle word wrap

  5. Enable pam_sss_gss, the PAM module for authenticating users over the Generic Security Service Application Program Interface (GSSAPI) in cooperation with the System Security Services Daemon (SSSD):

    1. Open the /etc/sssd/sssd.conf file for editing.

    2. Specify that pam_sss_gss can provide authentication for the sudo and sudo -i commands in IdM your domain: 

      [domain/idm.example.com]
pam_gssapi_services = sudo, sudo-i
      Copy to Clipboard Toggle word wrap
    3. Save and exit the file.
    4. Open the /etc/pam.d/sudo file for editing.

    5. Insert the following line to the top of the #%PAM-1.0 list to allow, but not require, GSSAPI authentication for sudo commands: 

      auth sufficient pam_sss_gss.so
      Copy to Clipboard Toggle word wrap
    6. Save and exit the file.

  6. Restart the SSSD service so that the above changes take effect immediately: 

    $ systemctl restart sssd
    Copy to Clipboard Toggle word wrap
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat