#166 Add pkinit config and ipa certs
Merged 5 months ago by mohanboddu. Opened 5 months ago by ryanlerch.
ryanlerch/fedora-packager noggin-pkinit  into  main

file modified
+6
@@ -74,3 +74,9 @@ 

  krb5conf_DATA = $(srcdir)/krb-configs/fedoraproject_org \

  	$(srcdir)/krb-configs/stg_fedoraproject_org

  krb5confdir = $(sysconfdir)/krb5.conf.d

+ 

+ EXTRA_DIST += ipa_ca/fedoraproject_ipa_ca.crt \

+ 	ipa_ca/stg_fedoraproject_ipa_ca.crt

+ ipaca_DATA = $(srcdir)/ipa_ca/fedoraproject_ipa_ca.crt \

+ 	$(srcdir)/ipa_ca/stg_fedoraproject_ipa_ca.crt

+ ipacadir = $(sysconfdir)/pki/ipa
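Review bot: The two `.crt` files added to `ipaca_DATA` are trust anchors (they are what `pkinit_anchors` in the shipped krb5 configs points at), but nothing in the hunk records where they were obtained from or when they expire, so a rotation on the IPA side would only be noticed when anonymous PKINIT starts failing. A short comment above `ipaca_DATA` would make this visible, e.g. `# IPA CA certificates used as pkinit_anchors by krb-configs/*; refresh before they expire (source: <IPA CA URL placeholder>)`. Decoding the validity fields in the added PEM bodies suggests the prod anchor runs to 2036 and the stg anchor to 2040, but that should be confirmed with `openssl x509 -noout -dates` rather than trusted from this review. The same provenance note would fit the two new certificate files themselves, which are otherwise unexplained data.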

file modified
+5 -1
@@ -32,6 +32,7 @@ 

  Requires:       krb5-workstation

  %endif

  %endif

+ Requires:       krb5-pkinit

  Recommends:     fedora-packager-yubikey

  

  BuildArch:      noarch
@@ -72,7 +73,10 @@ 

  %exclude %{python3_sitelib}/fedora_cert

  

  %config(noreplace) %{_sysconfdir}/koji.conf.d/*

- %config(noreplace) %{_sysconfdir}/krb5.conf.d/*

+ %config %{_sysconfdir}/krb5.conf.d/*

+ 

+ %{_sysconfdir}/pki/ipa/*

+ 

  

  %files yubikey

  %license COPYING
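Review bot: `%{_sysconfdir}/pki/ipa/*` in the `%files` hunk claims only the two certificate files, so the `/etc/pki/ipa` directory itself ends up unowned unless a package this one already requires provides it; `%dir %{_sysconfdir}/pki/ipa` on the line above the glob would make the ownership explicit and lets `rpm -V` cover the directory. The switch from `%config(noreplace)` to `%config` on `krb5.conf.d/*` is presumably deliberate, so that the new `pkinit_anchors` line reaches users who have edited the realm files, but it also means a locally modified file is replaced on upgrade (the edited copy is kept as `.rpmsave`); a one-line comment stating that intent, e.g. `# no noreplace: shipped realm definitions must track the KDC's PKINIT CA`, would stop a later maintainer from reverting it. The `%files` list and the enclosing `%if` block around `Requires: krb5-workstation` both continue outside the shown hunks.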

@@ -0,0 +1,22 @@ 

+ -----BEGIN CERTIFICATE-----

+ MIIDpDCCAoygAwIBAgIBATANBgkqhkiG9w0BAQsFADA8MRowGAYDVQQKDBFGRURP

+ UkFQUk9KRUNULk9SRzEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X

+ DTE2MTAxMzEzMDQ0NloXDTM2MTAxMzEzMDQ0NlowPDEaMBgGA1UECgwRRkVET1JB

+ UFJPSkVDVC5PUkcxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIw

+ DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALLFCPrsPD3YW/yzvId7UsWCq/Ac

+ cD7IOtlt46slTa490TvfpwzB1IwA3H0LTEYV7LONMIxJIT8H4H2P7A/S4eDtA6sZ

+ s26Qp+3YLj+jHOwvNiONG5YBIn6vgUKc1SdwyuQsNwcGsH1nV2vXrKYz4ccMud1P

+ tzzwRMSWgwZLXcLvMMXYpDCxu4pVmgEtTnYz7Dii7MJ2aJsWEuslzjL6HjaegfGD

+ JjXCrqmNKcgbgD7fQq05wiYw8AbArjhfObDO626b4naB0VxLb9vGTDBaRbIeL7Or

+ nM11BWVqYAFFRZPL1jXkeb9Bpr9oj4PduRq6+tSZPa3wgtnoowAN2AqLHKMCAwEA

+ AaOBsDCBrTAfBgNVHSMEGDAWgBQVrijBhrLB6xwkwjZroAlWJGIpvDAPBgNVHRMB

+ Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUFa4owYaywescJMI2

+ a6AJViRiKbwwSgYIKwYBBQUHAQEEPjA8MDoGCCsGAQUFBzABhi5odHRwOi8vaXBh

+ MDEucGh4Mi5mZWRvcmFwcm9qZWN0Lm9yZzo4MC9jYS9vY3NwMA0GCSqGSIb3DQEB

+ CwUAA4IBAQAZE5ZVf2MROtRR2O00ecXwl3vBE72xw87EQdAQ6J9sDjug5YrVW6OU

+ OfaRoVLyBSi5uPgj2RZ9VePdGNSDZ66DhspPtmbWcW0M1X2QPXwWQ/Idj3MfKE33

+ b+V4A6T55p1kxXniNl0KZHlDVMECltwRBkd9mjr3LgWzk/EgqyiP56xrWEsvKUyv

+ ZMvoyFky2/BaNTN8KOposjDQZwR5sqE/CJzm/QJPg/6zQ4/tkFDOc7ZqIVkfIqoY

+ sycNYLLakqCV59xuJ2uDbV8Sn8LbH5+e3Px0mapnVxn8fJAPcCqDOmXJ5TVkVYlH

+ nYYOskqEw5stHYuEwujR2uXo8vfmIMpZ

+ -----END CERTIFICATE-----

@@ -0,0 +1,27 @@ 

+ -----BEGIN CERTIFICATE-----

+ MIIEqTCCAxGgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMR4wHAYDVQQKDBVTVEcu

+ RkVET1JBUFJPSkVDVC5PUkcxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0

+ eTAeFw0yMDA3MjAyMDQyMDlaFw00MDA3MjAyMDQyMDlaMEAxHjAcBgNVBAoMFVNU

+ Ry5GRURPUkFQUk9KRUNULk9SRzEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9y

+ aXR5MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAt2rbCLecKusi67NA

+ DiWMOTjeCwpTsDZ8gCS6m2+QfyOdKJOz1+Oorwy1q6f0nGl15pbH2617gNPG+R4U

+ d7XjFU8sCN2CZlt9xVf0MO5zDdE3awP39nOBsBCh/SOi2xf/RtPKi6dnsIsLQAfD

+ GmdOPo43Bvd8Krwqu1qOSTi4lR7lz3SCmnxolj1JQ7D+u6UysL6GbQnQszibwfMd

+ CtKKW+LqpAjFRt1qmNH9uTPfjuJrX1Mr09dte+KaV096JSl9yWRHCbVmoglGeSK4

+ KjHX5hovO6tGla8rQktpDHDUfn+pF78qorKN1qnuw/ZfuyGtAJgfFMhOt7X614HT

+ rciDZQKjjtaV+XhWgKJjLW0DU8qayriHWI8w8Z7Ts3LV55qK2eQFi7kJ6WNOXNLb

+ jWwDKOhyiVYII3RCgkFSNGtiIBlWQQKrIsvyrGqkLWIVtc+fv0PIe7snG90uVCY4

+ oqcrbWe23ncte3GXzZlkSQp654EqOsf6QsoS3SmR7BEFPw4PAgMBAAGjga0wgaow

+ HwYDVR0jBBgwFoAUd1vnwpeynEyrmlfhfXDYlFUjnpMwDwYDVR0TAQH/BAUwAwEB

+ /zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFHdb58KXspxMq5pX4X1w2JRVI56T

+ MEcGCCsGAQUFBwEBBDswOTA3BggrBgEFBQcwAYYraHR0cDovL2lwYS1jYS5zdGcu

+ ZmVkb3JhcHJvamVjdC5vcmcvY2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAYEAQCM2

+ 5ewm8zejLr3FGTQRjxr8CoddDd8WBSKgCKeNgpCHZeEO9+SThC0UQJg7EIJ774EY

+ hEHSWIM2bIwVI/zR12KjtXFOwElQkcvyaX+VpCedVr9v3MbYHcz36+wJA/LYYmoI

+ i9bDGzXDTqh1Mdd73PIMYfBmFwZsw8x5WpOyF4Nt9ADqZy1JDEq13kktqdbAPB6P

+ r0W/FJQoM/5a2o2dO44pW6zNTXJwtKCkomK/XE+Fl17x0uOytV6AMEZP+mJ/A6Xp

+ 8gdAq2U24N4IBAVt9OAjkG1fCIl/L2/mUuEKgp+oT9ALBJAkayIHoUu6XskIyNiw

+ YTKEz/HJ87uyG0jatqOkbg7rzbz6KHOnutVUYnpWWwJUZs2/kvaY870DLTDtW7VF

+ euyf2c8xt3hPd/ZTwMGV3rZE0k2x9u4L+3qs7doDCuGBg0R0QKNrCNH/KOcn5tjW

+ OxUPDIJF3XvrT9GlHRWDK9NoO1cxMvgRqsgOrlXyxEvzWQob0dn2HPVIerwS

+ -----END CERTIFICATE-----

@@ -1,6 +1,7 @@ 

  [realms]

   FEDORAPROJECT.ORG = {

          kdc = https://id.fedoraproject.org/KdcProxy

+         pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt

   }

  [domain_realm]

   .fedoraproject.org = FEDORAPROJECT.ORG
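Review bot: The added `pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt` hard-codes `/etc`, while the Makefile.am hunk installs the certificate under `$(sysconfdir)/pki/ipa`; with the default RPM layout these agree, but a build with a non-standard `sysconfdir` would ship a config pointing at a file that does not exist and anonymous PKINIT would fail with no hint why. Either substituting the path at build time or noting the coupling in a comment (`# must match ipacadir in Makefile.am`) would keep the two in step. The same applies to the `stg_fedoraproject_ipa_ca.crt` line in the following hunk for the STG realm.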

@@ -1,6 +1,7 @@ 

  [realms]

   STG.FEDORAPROJECT.ORG = {

          kdc = https://id.stg.fedoraproject.org/KdcProxy

+         pkinit_anchors = FILE:/etc/pki/ipa/stg_fedoraproject_ipa_ca.crt

   }

  [domain_realm]

   .stg.fedoraproject.org = STG.FEDORAPROJECT.ORG

In the FAS replacement being rolled out in 2021, which uses FreeIPA and Noggin, users who have 2FA enabled need some extra configuration to get kinit working with 2FA.

Note that the commit message has a little more information, and there is also a docs PR in progress that covers for users how to use this. https://github.com/fedora-infra/fedora-accounts-docs/pull/1/files (this will need to be changed to remove the steps that this PR implements)

https://github.com/fedora-infra/fedora-accounts-docs/pull/1 has a bit more information on the reasons for doing this this way too.

2 new commits added

  • Add pkinit config and ipa certs
  • Fix version and specfile
5 months ago

rebased onto 7d80679

5 months ago

So, with this, what is the process? ie, how much does this automate it? :)

After this the user will have to do an anonymous kinit to get the ticket cache then use that cache to kinit as themselves and enter pass+token. It could even be done in a clunky one liner something like

 kinit user@FEDORAPROJECT.ORG - T $(kinit - n @FEDORAPROJECT.ORG) 

The more elegant fleshed out solution is in this PR

I think there are extra spaces provided for the options

kinit user@FEDORAPROJECT.ORG -T $(kinit -n @FEDORAPROJECT.ORG) 

Or it should be spaces?

I think there are extra spaces provided for the options

kinit user@FEDORAPROJECT.ORG -T $(kinit -n @FEDORAPROJECT.ORG)

Or it should be spaces?

Yep, you are right :) I typed it on my phone so it got autocorrected

LGTM but two questions:

  1. What happens if people run kinit user@FEDORAPROJECT.ORG before noggin is deployed but newer version with the newer krb config is installed?
  2. What happens if people run kinit user@FEDORAPROJECT.ORG after noggin is deployed either with this newer version is installed or not?

LGTM but two questions:

  1. What happens if people run kinit user@FEDORAPROJECT.ORG before noggin is deployed but newer version with the newer krb config is installed?

Should have no effect, as the cert is from the IPA currently in prod. This only affects people with 2FA set. I've run kinit in password-only mode in stage with this setup and it worked as normal.

  1. What happens if people run kinit user@FEDORAPROJECT.ORG after noggin is deployed either with this newer version is installed or not?

If they don't have an OTP token it will work as before. If they do have an OTP token it will error with kinit: Pre-authentication failed: Invalid argument while getting initial credentials

Also I just realised that I never pasted the link to the docs PR I was referring to in my earlier comment. https://github.com/fedora-infra/fedora-accounts-docs/pull/1/files

@mohanboddu @kevin @mobrien is there anything else needed for this one?

Pull-Request has been merged by mohanboddu

5 months ago