Authentication
Lab Ethernet Network
Connect via SSH to auth@130.136.201.253, then:
- Enter your @studio.unibo.it email
- Enter your unibo password
- Check that your MAC address is the same as the one proposed
- Enter the number of hours you want to be connected
N.B. If you are disconnected for more than 10 minutes, the authentication is lost.
Cluster
The bastion saragozza and all Proxmox nodes pve{n} allow access via the internal LDAP system, either via password or via SSH keys. The root user on all these machines has the SSH keys of all users available.
Proxmox machines are not accessible in any way other than by passing through the bastion. As a result, you always need to SSH-jump through saragozza to connect to a node.
We can give aliases to machines using the SSH config. In this way, we can connect by jumping using a symbolic name (e.g. pve1).
Furthermore, the config also specifies a set of LocalForward entries for all ports of the services present on saragozza and the various pve{n}.
This is an example of a recommended SSH config.

```
Host adm-saragozza
    HostName saragozza.students.cs.unibo.it
    User mario

Host adm-pve1
    ProxyJump adm-saragozza
    HostName pve1.students.cs.unibo.it
    User mario
    LocalForward 8006 localhost:8006

Host adm-pve2
    ProxyJump adm-saragozza
    HostName pve2.students.cs.unibo.it
    User mario
    LocalForward 8006 localhost:8006

Host adm-pve3
    ProxyJump adm-saragozza
    HostName pve3.students.cs.unibo.it
    User mario
    LocalForward 8006 localhost:8006

Host adm-pve4
    ProxyJump adm-saragozza
    HostName pve4.students.cs.unibo.it
    User mario
    LocalForward 8006 localhost:8006

Host adm-pve5
    ProxyJump adm-saragozza
    HostName pve5.students.cs.unibo.it
    User mario
    LocalForward 8006 localhost:8006

Host adm-salvatore
    ProxyJump adm-saragozza
    HostName salvatore.students.cs.unibo.it
    User mario
    LocalForward 8007 localhost:8007
```
Remember to replace every occurrence of the user mario with the name of your own LDAP user. For example, if my username is luca rather than mario, I need to run:

```
$ sed -i 's/mario/luca/g' ~/.ssh/config
```
The cluster authentication
When someone tries to log in with SSH on saragozza, a pve node or salvatore, the SSH daemon fetches the user's SSH key from the LDAP server. If a key is present and matches the public key offered at login, the user is allowed to log in; otherwise the connection is refused. For the technical details, read the base/tasks/pam.yaml Ansible task and the base/files/ldap_ssh_key.j2 script.
If LDAP is not working, the script falls back to a cached SSH key for the user. The cache expires after 1 week if the user does not authenticate again while LDAP is working.
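To make the lookup-then-cache flow concrete, here is an added illustrative example in Python; it is not the cluster's own base/files/ldap_ssh_key.j2 script, whose internals are not shown on this page. The LDAP client is replaced by a constructed in-memory directory, and the per-user cache file layout is an assumption.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import Callable, Optional

CACHE_TTL = 7 * 24 * 3600  # cached keys stay valid for one week, as the page describes
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
             "sk-ecdsa-sha2-nistp256@openssh.com")


def is_plain_key(line: str) -> bool:
    """Accept only 'type base64 [comment]' lines: a line that starts with
    authorized_keys options (command=, from=, ...) is rejected, so a directory
    entry cannot smuggle them into what sshd receives."""
    parts = line.split()
    return len(parts) >= 2 and parts[0] in KEY_TYPES


def authorized_keys(user: str, ldap_lookup: Callable[[str], Optional[list]],
                    cache_dir: Path, now: float = None) -> list:
    """Keys sshd should accept for `user`. ldap_lookup returns the directory's key
    list (possibly empty) or None when LDAP is unreachable. A successful lookup
    refreshes the per-user cache; on failure a cache entry younger than CACHE_TTL
    is used, otherwise nothing is returned and sshd refuses the login."""
    now = time.time() if now is None else now
    cache_file = cache_dir / f"{user}.keys"  # cache layout is an assumption
    keys = ldap_lookup(user)
    if keys is not None:
        keys = [k.strip() for k in keys if is_plain_key(k)]
        cache_dir.mkdir(parents=True, exist_ok=True)
        tmp = cache_file.with_suffix(".tmp")
        tmp.write_text("".join(k + "\n" for k in keys))
        os.chmod(tmp, 0o600)
        os.replace(tmp, cache_file)  # atomic swap: a concurrent login never reads a half-written file
        os.utime(cache_file, (now, now))
        return keys
    if cache_file.exists() and now - cache_file.stat().st_mtime < CACHE_TTL:
        return [k for k in cache_file.read_text().splitlines() if is_plain_key(k)]
    return []


# Constructed stand-ins for FreeIPA so the example runs offline (not real key material).
FAKE_IPA = {"mario": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterial mario@laptop",
                      'command="id" ssh-rsa AAAAB3NzaC1yc2EPlaceholder smuggled-options']}
def ldap_up(user): return FAKE_IPA.get(user, [])   # unknown user: no keys, not an error
def ldap_down(user): return None                   # LDAP unreachable


def demo(cache_dir: Path = None, t0: float = 1_700_000_000.0):
    cache_dir = Path(tempfile.mkdtemp()) if cache_dir is None else cache_dir
    fresh = authorized_keys("mario", ldap_up, cache_dir, t0)                 # from LDAP, option line dropped
    cached = authorized_keys("mario", ldap_down, cache_dir, t0 + 3600)       # LDAP down, cache still fresh
    stale = authorized_keys("mario", ldap_down, cache_dir, t0 + CACHE_TTL + 1)  # cache expired: refused
    unknown = authorized_keys("luca", ldap_down, cache_dir, t0)              # never cached: refused
    return fresh, cached, stale, unknown
```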
Users in the proxmox group on FreeIPA are able to log in but do not have sudo. Users in the adm group have full permissions.
In order to log in to Proxmox, the LDAP server must be added as a realm. This can only be done by root, and it is done in the web UI. Please refer to the Proxmox guide.
LDAP certificate
In order to install the LDAP CA certificate:

```
curl https://ldap.students.cs.unibo.it/ipa/config/ca.crt > /usr/local/share/ca-certificates/ipa.crt && update-ca-certificates
```