
Simply put: I want to ensure that my authentication path is encrypted along the entire path.

(e.g. encrypted from laptop->SSH host; from SSH host->authentication server; and from SSH host->other hosts)

I am running

  • FreeIPA on CentOS 7 as the central authentication server.
  • Ubuntu 14.04 clients running the freeipa-client Ubuntu package 3.3.4-0ubuntu3.1

This is configured to use Kerberos tickets to authenticate to servers within our environment once one connects to a login server, i.e. SSH from the login server to other servers in the environment.

The login server is the component I'm least sure about. It is configured as follows:

[domain/mydom.example.com]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = MYDOM.EXAMPLE.COM
ipa_domain = mydom.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = loginhost.mydom.example.com
chpass_provider = ipa
ipa_server = _srv_, ipaserver.mydom.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = mydom.example.com

[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
JDS

2 Answers


The easiest way is to start capturing packets on ipaserver.mydom.example.com, listening for the traffic coming from loginhost.mydom.example.com.

For example, with tshark (the console version of Wireshark) you can do both interception and analysis at the same time:

tshark -w /tmp/t.pcapng -W n -P -V -x host loginhost.mydom.example.com | tee /tmp/t.log 

Once you have t.log, you can look in it. Apart from several initial LDAP exchanges where SSSD does discovery of LDAP server capabilities, the rest of LDAP communication should not be parsed by tshark as it would be encrypted after LDAP bind with SASL GSSAPI. Once SSSD starts using SASL GSSAPI, all the traffic in LDAP communication will be encrypted and sealed.

That's for LDAP traffic. SSH traffic analysis can be done in a similar way.

abbra

To expand on abbra's answer - SSSD does NOT allow authentication through an unencrypted stream at all. So while your identity data (name, UID, shell, homedir, ..) could technically be unencrypted, you can be sure sssd won't ever send your credentials over the wire in the clear.

jhrozek