SSH User Management with FreeIPA

Daham Positha Pathiraja
Sysco LABS Sri Lanka
4 min read · May 2, 2019

In this article, I will explain how a workstation can securely tunnel into a dedicated server using FreeIPA, an integrated identity management solution built specifically for Linux systems. I will also discuss the theory behind the protocols involved, so that we build a solid understanding of how the pieces fit together.

About FreeIPA

FreeIPA was built for Linux to manage accounts and provide centralized authentication, a role similar to that of Active Directory in Microsoft environments. It can be regarded as an integration of several open source projects, such as Kerberos, 389 Directory Server (an enterprise-class open source LDAP server for Linux) and SSSD.

First, What is LDAP?

LDAP, the Lightweight Directory Access Protocol, is used to consolidate organizational information in a centralized directory that many applications can query, without each application having to store that information itself.

LDAP follows a client/server architecture and can keep its directories in various types of databases, with support for replication, which gives better redundancy and availability. It is also optimized for fast, high-volume read operations, as the majority of incoming requests are read-only. LDAP secures its data in transit by supporting Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

What is Kerberos?

The intention behind the Kerberos protocol is to prevent passwords from being eavesdropped while they pass through untrusted networks.

When Kerberos was being designed, the problem being addressed was how workstations can access various servers over a network that cannot be trusted (Figure 1).

Figure 1

The solution: all workstations rely on a single server that can be trusted, the Kerberos server (Figure 2).

Figure 2

Today, the Kerberos server is called the KDC, or Key Distribution Center. It comprises two servers (or interfaces, in Kerberos terminology): the Authentication Server (AS) and the Ticket Granting Server (TGS).

Figure 3

As shown in Figure 3, the Kerberos protocol works as follows:

  1. The user sends a request for a ticket to the server, encrypted with his password. Here the user's password serves as the encryption key.
  2. Next, the Authentication Server decrypts the request with the user's key and issues a ticket encrypted with a key shared between itself and the Ticket Granting Server.
  3. The user sends that ticket (encrypted with the key shared by the AS and TGS) to the Ticket Granting Server.
  4. The Ticket Granting Server then sends back a token encrypted with the key of the target server.
  5. The user sends the token (encrypted with the server's key) to the server.
  6. Finally, the server decrypts the token and grants the user access for a limited period of time.

Now Let's Put Everything Together

So, how does a user gain access to a given server through FreeIPA?

As shown in Figure 4, the workflow is:

  1. An admin creates a user in FreeIPA (it is assumed that the FreeIPA clients have been pre-configured).
  2. The user indicates that he needs to SSH into the required server by entering his password.
  3. The FreeIPA client sends a ticket request to the KDC of the FreeIPA server.
  4. The KDC identifies the user and sends a ticket granting ticket to the FreeIPA client on the user's machine.
  5. The FreeIPA client on the user's machine sends the ticket granting ticket to the Ticket Granting Server of the KDC.
  6. The Ticket Granting Server looks up the user's privileges in the LDAP server.
  7. The Ticket Granting Server sends the token for accessing the required server.
  8. The FreeIPA client on the user's machine sends the token to the FreeIPA client on the server.

After completing the above steps, an SSH connection can be successfully established between the client machine and the server.
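To make the six Kerberos steps from Figure 3 (and their reappearance in the Figure 4 workflow) concrete, here is a toy model of the exchange written for this article; it is not FreeIPA's or MIT Kerberos' code. The user name, host name, secrets and the authenticated-encryption helper are all constructed for illustration; the point it demonstrates is that the password never leaves the workstation, that each ticket can only be opened by the party holding the right key, and that a wrong password or a tampered ticket is rejected.

```python
import hashlib, hmac, json, os

def derive_key(secret: str) -> bytes:
    # Stand-in for Kerberos string2key: the password itself is never transmitted.
    return hashlib.sha256(secret.encode()).digest()

def seal(key: bytes, obj: dict) -> bytes:
    # Constructed authenticated encryption: SHAKE keystream XOR plaintext, plus an HMAC tag.
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))

# Constructed KDC database: one user key, one host key, and the AS/TGS shared key.
USERS = {"alice": derive_key("alice-pw")}
SERVICES = {"host/db01": derive_key("db01-keytab-secret")}
AS_TGS_KEY = derive_key("krbtgt-secret")

def authentication_server(user: str, request: bytes) -> bytes:
    # Step 2: open the request with the user's key; reply with a TGT sealed for the TGS.
    unseal(USERS[user], request)  # raises ValueError if the password was wrong
    return seal(AS_TGS_KEY, {"user": user})

def ticket_granting_server(tgt: bytes, service: str) -> bytes:
    # Step 4: open the TGT with the AS/TGS key; issue a ticket sealed with the server's key.
    who = unseal(AS_TGS_KEY, tgt)["user"]
    return seal(SERVICES[service], {"user": who, "service": service})

def application_server(service: str, ticket: bytes) -> str:
    # Step 6: the server opens the ticket with its own key and learns who may log in.
    return unseal(SERVICES[service], ticket)["user"]

def login(user: str, password: str, service: str):
    # Steps 1, 3 and 5 from the workstation's side. Returns the granted user name,
    # or None when any party rejects the request.
    try:
        request = seal(derive_key(password), {"want": "tgt"})
        tgt = authentication_server(user, request)
        ticket = ticket_granting_server(tgt, service)
        return application_server(service, ticket)
    except ValueError:
        return None
```

In the real FreeIPA workflow the TGS additionally consults LDAP for the user's privileges (step 6 of Figure 4) before issuing the service ticket; that lookup is omitted here to keep the key flow visible.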
