Setting up iRODS
PAM Authentication
Dan Bedard
Interim Executive Director
The iRODS Consortium
RENCI at the University of North Carolina
Major Steps
1) Set up SSL
2) Test PAM
3) Set up PAM Module
These instructions derived from
Diagram
iRODS Server
PAM Plugin
PAM Module
iRODS Client
SSL
Diagram
iRODS Server
iRODS Client
SSL
SSL
iRODS Server
Summary
1) Generate an RSA Key
2) Obtain a Certificate
a) For production, purchase a certificate from a CA
b) For testing, generate a self-signed certificate
3) Create a chain file of server and CA certificates
4) Generate Diffie-Hellman parameters
5) Copy files where iRODS server can read them
6) Set iRODS server environment variables
7) Restart iRODS server
SSL
iRODS Server
1) Generate an RSA Key:
$ openssl genrsa -out server.key 2048
This is the server's private key, and it never leaves the server. It does not encrypt the certificate: the certificate you obtain in step 2 (CA-issued or self-signed) binds the matching public key to your server's name, and the server proves possession of this private key during the TLS handshake. Give the key size explicitly; older OpenSSL releases default to 1024 bits.
SSL
iRODS Server
2b) Generate a self-signed certificate:
$ openssl req -new -x509 -key server.key -out server.crt -days 365
You are about to be asked to enter information...
[omitted]
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Utrecht
Locality Name (eg, city) []:Utrecht
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Utrecht University
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ec2-52-0-100-96.compute-1.amazonaws.com
Email Address []:info@irods.org
The Common Name should be the server's FQDN exactly as clients will put it in irods_host.
SSL
iRODS Server
2a) Alternatively, if you are obtaining a certificate from a CA, generate a Certificate Signing Request (CSR):
$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information...
[omitted]
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Utrecht
Locality Name (eg, city) []:Utrecht
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Utrecht University
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ec2-52-0-100-96.compute-1.amazonaws.com
Email Address []:info@irods.org
Send server.csr to the CA; server.key stays on the server.
SSL
iRODS Server
3) Create a chain file. This is a concatenation of the iRODS server certificate and the certificates of the chain of CAs leading to the root CA, server certificate first.
For a self-signed certificate the "chain" is the certificate itself. For consistency, just rename server.crt:
$ mv server.crt chain.pem
For CA-issued certificates, you will type something like this, with the file names your CA gave you:
$ cat irods.crt DomainValidationCA.crt AddTrustCA.crt ExternalCARoot.crt > chain.pem
Order matters: the server certificate comes first and each following certificate must be the issuer of the one before it. Use > rather than >> so an old chain.pem is replaced instead of appended to.
SSL
iRODS Server
4) Generate Diffie-Hellman parameters:
$ openssl dhparam -2 -out dhparams.pem 2048
These are not keys and not secret. The file holds a 2048-bit prime and the generator 2 that define the group the server uses for ephemeral Diffie-Hellman key exchange; the session keys themselves are derived from the per-connection exchange, so the same file can be reused across restarts. Generating it can take several minutes.
SSL
iRODS Server
5) Copy the files where iRODS can read them.
$ sudo mkdir /etc/irods/ssl
$ sudo cp {server.key,chain.pem,dhparams.pem} /etc/irods/ssl
$ sudo chown -R irods:irods /etc/irods/ssl
chain.pem and dhparams.pem are public, but server.key must be readable by the irods user only. Check that its mode is 0600 after copying; cp does not make a file more private than the original was.
SSL
iRODS Server
6) Update the iRODS server environment.
$ sudo nano ~irods/.irods/irods_environment.json
Add these entries to the JSON object (the paths must match step 5):
"irods_ssl_certificate_chain_file": "/etc/irods/ssl/chain.pem",
"irods_ssl_certificate_key_file": "/etc/irods/ssl/server.key",
"irods_ssl_dh_params_file": "/etc/irods/ssl/dhparams.pem"
SSL
iRODS Server
7) Restart the iRODS server.
$ sudo service irods restart
NOT SO FAST!
SSL
iRODS Client
If you're using a self-signed certificate (or a CA that is not in the client's trust store), the iRODS client won't trust the server's certificate.
We need to tell the client to explicitly trust this certificate by...
1) Copying the CA's certificate to a place the client can read it.
2) Updating the client environment to tell iRODS to trust the certificate.
SSL
iRODS Client
1) Copy the CA's certificate to a place the client can read it.
$ scp chain.pem <client user>@<client host>:/home/<client user>/.irods
For a self-signed certificate, chain.pem is the server certificate itself and serves as the CA certificate. Copy only the certificate chain; server.key stays on the server.
SSL
iRODS Client
2) Update the client environment. From the client:
$ nano ~/.irods/irods_environment.json
"irods_ssl_ca_certificate_file": "/home/<client user>/.irods/chain.pem"
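A check for what the server steps 5 and 6 and the client step 2 above leave on disk, as an added example that is not part of these slides or of iRODS. It reads the irods_environment.json entries named on the slides, verifies that each file exists and begins with the expected kind of PEM block, that the private key is not group- or world-readable, and asks the local OpenSSL (through Python's ssl module) to load chain and key together, which is what catches a key that does not belong to its certificate. The environment keys are the ones from the slides; the file names and the placeholder PEM bodies in demo() are constructed for the demonstration and are not real keys or certificates.

```python
"""Preflight check for the TLS files an iRODS server and client are configured
with. Added example, not iRODS code: it inspects the files named in
irods_environment.json and asks OpenSSL whether it can load them."""
import json
import os
import re
import shutil
import ssl
import stat
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Environment key -> PEM labels acceptable as the first block of that file.
SERVER_KEYS = {
    "irods_ssl_certificate_chain_file": ("CERTIFICATE",),
    "irods_ssl_certificate_key_file": ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"),
    "irods_ssl_dh_params_file": ("DH PARAMETERS",),
}
CLIENT_CA_KEY = "irods_ssl_ca_certificate_file"


def pem_block_types(path):
    """Labels of the PEM blocks in a file, in file order."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return [m.group(1) for m in PEM_BLOCK.finditer(fh.read())]


def check_server_ssl_env(env_path):
    """Problems with the server-side SSL entries of irods_environment.json; [] if clean."""
    with open(env_path) as fh:
        env = json.load(fh)
    problems = []
    for key, wanted in SERVER_KEYS.items():
        path = env.get(key)
        if not path:
            problems.append(f"{key} is not set")
        elif not os.path.isfile(path):
            problems.append(f"{key}: {path} does not exist")
        else:
            types = pem_block_types(path)
            if not types or types[0] not in wanted:
                problems.append(f"{key}: {path} must begin with a {' / '.join(wanted)} block")
            if key == "irods_ssl_certificate_key_file":
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if mode & 0o077:
                    problems.append(f"{key}: {path} is mode {mode:04o}; a private key should be 0600")
    return problems


def check_client_ssl_env(env_path):
    """Problems with the CA file a client's irods_environment.json points at."""
    with open(env_path) as fh:
        env = json.load(fh)
    path = env.get(CLIENT_CA_KEY)
    if not path:
        return [f"{CLIENT_CA_KEY} is not set; a self-signed server certificate will be rejected"]
    if not os.path.isfile(path):
        return [f"{CLIENT_CA_KEY}: {path} does not exist"]
    if "CERTIFICATE" not in pem_block_types(path):
        return [f"{CLIENT_CA_KEY}: {path} contains no CERTIFICATE block"]
    return []


def openssl_can_load(chain_file, key_file, dh_file):
    """Ask OpenSSL to load the material as a TLS server would; returns (ok, message)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(chain_file, key_file)   # fails if key and certificate do not match
        ctx.load_dh_params(dh_file)
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)
    return True, "OpenSSL accepted chain, key and DH parameters"


def demo():
    """Run the checks against constructed placeholder files (not real keys or certificates)."""
    d = tempfile.mkdtemp(prefix="irods-ssl-check-")

    def write(name, label, mode=0o644):
        p = os.path.join(d, name)
        with open(p, "w") as fh:   # PEM-shaped placeholder; the body is not valid DER
            fh.write(f"-----BEGIN {label}-----\nUExBQ0VIT0xERVI=\n-----END {label}-----\n")
        os.chmod(p, mode)
        return p

    chain = write("chain.pem", "CERTIFICATE")
    key = write("server.key", "PRIVATE KEY", 0o600)
    dh = write("dhparams.pem", "DH PARAMETERS")
    server_env, client_env = os.path.join(d, "server_env.json"), os.path.join(d, "client_env.json")
    with open(server_env, "w") as fh:
        json.dump({"irods_ssl_certificate_chain_file": chain,
                   "irods_ssl_certificate_key_file": key,
                   "irods_ssl_dh_params_file": dh}, fh)
    with open(client_env, "w") as fh:
        json.dump({CLIENT_CA_KEY: chain}, fh)    # self-signed: the chain file is the CA file
    results = {"server_clean": check_server_ssl_env(server_env),
               "client_clean": check_client_ssl_env(client_env)}
    os.chmod(key, 0o644)                         # the classic slip: key left world-readable
    results["world_readable_key"] = check_server_ssl_env(server_env)
    results["openssl_accepts_placeholders"] = openssl_can_load(chain, key, dh)[0]
    shutil.rmtree(d)
    return results
```

Point check_server_ssl_env at ~irods/.irods/irods_environment.json on the server and check_client_ssl_env at ~/.irods/irods_environment.json on the client; an empty list from both, plus a True from openssl_can_load on the three server files, is what you want to see before the restart in step 7. The placeholder files in demo() pass the structural checks but are rejected by OpenSSL, which is the point of keeping that last check separate.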
Diagram
iRODS Server
PAM Plugin
iRODS Client
SSL
PAM Plugin
We are going to test the SSL connection between the client and the server. To do this, we will set up an overly permissive PAM configuration using the pam_permit.so module.
Summary of instructions
1) On the server, set up the iRODS PAM plugin to use pam_permit.so
2) Edit the client environment to use PAM authentication
3) iinit from the client to test
PAM Plugin
iRODS Server
1) Set up the iRODS PAM plugin to use pam_permit.so
$ sudo su - root -c 'echo "auth sufficient pam_permit.so" > /etc/pam.d/irods'
You can test the PAM configuration using PamAuthCheck. It takes the username as its argument and reads the password from standard input:
$ /var/lib/irods/iRODS/server/bin/PamAuthCheck nobody
Authenticated
PAM Plugin
iRODS Client
2) Edit the client iRODS environment
$ nano ~/.irods/irods_environment.json
{
"irods_host": "<server hostname>",
"irods_port": 1247,
"irods_user_name": "admin",
"irods_zone_name": "<server zonename>",
"irods_ssl_ca_certificate_file": "/home/admin/.irods/chain.pem",
"irods_authentication_scheme": "PAM"
}
Change the authentication scheme to PAM
PAM Plugin
iRODS Client
3) iinit with an elevated log level
$ irods_log_level=LOG_NOTICE iinit
Enter your current PAM password:
Any username and password should be successful. That is the purpose of this step: it shows the SSL channel and the PAM plugin work before a real module is involved. It is also why pam_permit.so must not be left in /etc/pam.d/irods.
Now let's fix that...
Diagram
iRODS Server
PAM Plugin
PAM Module
iRODS Client
SSL
PAM Module
The authentication mechanism is determined by entries in /etc/pam.d/irods
The pam.conf man page explains the syntax of the PAM configuration file in detail.
iRODS Server
The file is made up of a list of rules. The format of each rule is a space-separated collection of tokens:
service type control module-path module-arguments
In files under /etc/pam.d the "service" field is omitted: the service name is the file name.
The iRODS PAM service is called "irods"
(i.e., the appropriate filename is /etc/pam.d/irods)
PAM Module Example: using pam_unix.so
iRODS Server
auth sufficient pam_unix.so
This checks the password against the local /etc/shadow, which only root can read; that is why iRODS runs the check in the setuid PamAuthCheck helper rather than in the server process itself.
PAM Module Example: using pam_google_authenticator.so
iRODS Server
auth [success=3 new_authtok_reqd=ok default=ignore] pam_policycache.so action=check
auth [success=ok default=1] pam_google_authenticator.so forward_pass
auth [success=1 default=ignore] pam_unix.so use_first_pass
auth requisite pam_deny.so
auth [default=ignore] pam_policycache.so action=update
auth required pam_permit.so
How this stack reads: a hit in pam_policycache (a recent successful login) jumps over the next three modules straight to the cache update and pam_permit, so the user is not asked for a new code. On a miss, pam_google_authenticator checks the one-time code and, because of forward_pass, hands the rest of what was typed to pam_unix (use_first_pass) as the password. A pam_unix success jumps over pam_deny; a failure of either module falls through to pam_deny, whose requisite control ends the stack with a denial.
PAM Module Example: pam_ldap.so
iRODS Server
auth sufficient pam_ldap.so
pam_ldap binds to the directory with the supplied credentials; the server URI, base DN and TLS settings live in the module's own configuration file, not in /etc/pam.d/irods.
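To see why the pam_permit.so test stack accepts everyone and how the control fields in the three module examples above steer a login, here is an added example, not part of these slides, of iRODS or of Linux-PAM: a small simulator of the auth-stack dispatch rules from pam.conf(5). Each control is expanded to a {result: action} table, actions are applied in stack order, and the running state is either undecided, success, or the first failure that counted. The module results for a given login attempt are supplied by the caller (the names pam_policycache.so, pam_google_authenticator.so, pam_unix.so are taken from the slides; the result codes such as "auth_err" are a simplification of the PAM return values), so it runs without a PAM library and without real credentials.

```python
"""Simulate how Linux-PAM walks an ``auth`` stack like /etc/pam.d/irods.

Added example, not part of iRODS or Linux-PAM. Simplified model of the
dispatch rules in pam.conf(5); module results come from the caller."""
import re

# The classic keywords, expanded to the bracket form as pam.conf(5) documents them.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Modules whose result never depends on the user.
FIXED_RESULTS = {"pam_permit.so": "success", "pam_deny.so": "auth_err"}

RULE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_file(text):
    """Parse /etc/pam.d-style lines (no service field) into rule dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM rule: {raw!r}")
        rtype, control, module, args = m.groups()
        if control.startswith("["):
            table = dict(pair.split("=", 1) for pair in control[1:-1].split())
        elif control in KEYWORD_CONTROLS:
            table = KEYWORD_CONTROLS[control]
        else:
            raise ValueError(f"unsupported control {control!r} in {raw!r}")  # e.g. include
        rules.append({"type": rtype, "control": table, "module": module, "args": args.strip()})
    return rules


def evaluate_auth(rules, module_results):
    """Walk the auth rules; return (outcome, trace).

    module_results maps "module args" (or just "module") to the code that module
    would return for this login, e.g. "success" or "auth_err". The outcome is
    "success" or the code of the first failure that counted."""
    auth = [r for r in rules if r["type"] == "auth"]
    state = None            # None = no module has contributed a result yet
    trace = []
    i = 0
    while i < len(auth):
        rule = auth[i]
        key = f"{rule['module']} {rule['args']}".strip()
        if rule["module"] in FIXED_RESULTS:
            result = FIXED_RESULTS[rule["module"]]
        elif key in module_results:
            result = module_results[key]
        elif rule["module"] in module_results:
            result = module_results[rule["module"]]
        else:
            raise KeyError(f"no simulated result for {key}")
        # An unlisted result falls back to 'default'; a missing default counts as 'bad'.
        action = rule["control"].get(result, rule["control"].get("default", "bad"))
        trace.append(f"{key}: {result} -> {action}")
        skip = 0
        if action == "ignore":
            pass
        elif action == "reset":
            state = None
        elif action in ("bad", "die"):
            if state in (None, "success"):          # the first failure is the one reported
                state = result if result != "success" else "auth_err"
            if action == "die":
                return state, trace                 # requisite: stop immediately
        else:   # "ok", "done" or a jump count N: this result counts...
            if state in (None, "success"):          # ...unless a failure is already recorded
                state = result
            if action == "done" and state == "success":
                return state, trace                 # sufficient: stop on success
            if action.isdigit():
                skip = int(action)                  # jump over the next N modules
        i += 1 + skip
    # A stack in which nothing contributed is a denial, not a success.
    return ("auth_err" if state is None else state), trace


def simulate(config_text, module_results):
    """Outcome of one login attempt against the given /etc/pam.d/irods text."""
    return evaluate_auth(parse_pam_file(config_text), module_results)[0]


# The three configurations from the slides.
CONFIG_PERMIT = "auth sufficient pam_permit.so\n"
CONFIG_UNIX = "auth sufficient pam_unix.so\n"
CONFIG_2FA = """\
auth [success=3 new_authtok_reqd=ok default=ignore] pam_policycache.so action=check
auth [success=ok default=1] pam_google_authenticator.so forward_pass
auth [success=1 default=ignore] pam_unix.so use_first_pass
auth requisite pam_deny.so
auth [default=ignore] pam_policycache.so action=update
auth required pam_permit.so
"""
```

With CONFIG_PERMIT the only module always returns success and sufficient turns that into done, so the stack ends with "success" whatever pam_unix or anything else would have said; that is the behaviour the iinit test relies on and the reason the line has to go. With CONFIG_2FA, simulate() with a cache hit touches only three modules (check, update, permit), a failed one-time code jumps over pam_unix onto pam_deny, and a good code with a wrong password also lands on pam_deny. The trace returned by evaluate_auth() shows the path taken, which is handy when a bracketed jump count is off by one.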
Questions?
Thank you!
Dan Bedard
danb@renci.org
+1-919-445-0632