First, log into Foxpass and create an LDAP Binder (a role account used for connecting Foxpass to other systems via LDAP; it authenticates with a name and password and functions similarly to an API key) by following these steps:
- Note your Base DN on the dashboard page. Copy/paste it somewhere.
- Create an API key named 'sshd' on the API keys page. Copy/paste it somewhere.
- Create an LDAP Binder account with the name 'linux' on the LDAP binders page. Copy/paste the generated password! It is only displayed once.
- Create an LDAP Group with the name 'foxpass-sudo' on the LDAP groups page. Set it to be a 'posix' group and add yourself to the group.
The setup, installation, and execution of Foxpass's scripts require permissions beyond those CentOS grants by default, so you'll probably want to run these commands as the root user. Additionally, the default SELinux policy can prevent Foxpass from checking SSH keys correctly. We'll show you below how to grant Foxpass the necessary SELinux permissions or disable SELinux entirely.
Log in as the root user. This will simplify commands moving forward. If you're using an Amazon EC2 instance, the default command is below. You'll also want to install the wget and python3 packages to more easily download and run our install script.
sudo su
yum install wget python3
Then, download and run this script, replacing the placeholders with the values you noted earlier:
wget https://raw.githubusercontent.com/foxpass/foxpass-setup/master/linux/centos/8/foxpass_setup.py
python3 foxpass_setup.py --base-dn <base dn> --bind-user <binder name> --bind-pw <binder password> --api-key <api key>
For example:
python3 foxpass_setup.py --base-dn dc=example,dc=com --bind-user linux --bind-pw efGHbD3aFq --api-key 5GC3NRI5goRBAGkrlsxzYedg0r8HPAO7
(Pro tip: Run the script on a fresh CentOS image, then create a new base AMI for your company.)
Now, your host is configured to talk to Foxpass LDAP and request SSH keys from Foxpass!
NOTE: If you have SELinux enabled, sshd might be unable to call 'curl' and fetch users' keys. In this case regular LDAP commands like 'getent passwd' and 'getent group' would still work, but logging in via SSH key or running the SSH key script would fail.
You have two options to get around SELinux restrictions: disable SELinux entirely, or selectively grant Foxpass permissions. First, check the audit log after an SSH key request to make sure that SELinux is actually blocking it: run the grep command below and check the output.
grep "denied" /var/log/audit/audit.log
If SELinux is blocking Foxpass, you should see lines that contain comm="curl" or comm="foxpass_ssh_key".
Disabling SELinux is useful to get things working quickly, but may not be the best way to manage your security long term. To disable SELinux, open /etc/selinux/config and set SELINUX=disabled. Then restart the host for the setting to take effect:
shutdown -r now
After the host restarts, log in and run sestatus to check the status of SELinux. It should say 'disabled'. Now, the Foxpass SSH key script and your SSH-based logins should work as normal.
SELinux has tools that can automatically compile necessary permissions to unblock an application. However, these tools can only see the permissions missing from the most recent request, so you may have to run the tools multiple times to grant deeper levels of permissions. Generally, SELinux blocks the 'curl' and 'foxpass_ssh_key' commands.
To grant Foxpass the appropriate permissions, repeat this process as necessary:
- Generate an SSH key request. This can be done by attempting to log in to the host with an SSH key, or by running the SSH key script /usr/local/bin/foxpass_ssh_keys.sh directly.
- Check the audit logs. Run the grep command above. Check the timestamps to make sure that the denials line up with your most recent request. Make note of which commands (the value inside comm="") SELinux is blocking.
- Grant the commands SELinux permissions. Run the two lines below as necessary for each command. The first line creates a policy module for SELinux to parse, and the second line loads the module into SELinux. Samples are provided for granting curl or foxpass_ssh_key permissions as well as for generic commands. For each subsequent run, increase the trailing number in the module name (and thus in the .pp file name).
ausearch -c 'curl' --raw | audit2allow -M my-curl-1
semodule -i my-curl-1.pp
ausearch -c 'foxpass_ssh_key' --raw | audit2allow -M foxpass-ssh-1
semodule -i foxpass-ssh-1.pp
ausearch -c '<command>' --raw | audit2allow -M my-<command>-1
semodule -i my-<command>-1.pp
Repeat these steps as necessary until your SSH login succeeds or the SSH key script runs successfully.
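The check-and-grant loop above can be scripted. The following is an added example, not Foxpass's own setup script: it pulls the comm="" values out of AVC denials that occurred at or after a given timestamp (so denials from an earlier request are not mixed in), picks the next free my-<command>-N module name, and prints the ausearch/audit2allow/semodule lines for review rather than running them. The audit lines embedded in it are constructed, not real output from a Foxpass host.

```shell
# Added example, not Foxpass's code: list the commands SELinux blocked on the
# latest SSH key request and name the next audit2allow module for each.

# denied_comms LOGFILE [SINCE_EPOCH]: distinct comm="" values from AVC denials
# at or after SINCE_EPOCH, so older requests' denials are not mixed in.
denied_comms() {
  local log="$1" since="${2:-0}"
  grep 'type=AVC' "$log" | grep 'denied' |
    awk -v since="$since" '{
      # msg=audit(SECS.MS:SERIAL): the seconds start 10 chars into the match
      if (match($0, /msg=audit\([0-9]+/)) {
        ts = substr($0, RSTART + 10, RLENGTH - 10) + 0
        if (ts < since) next
      }
      if (match($0, /comm="[^"]*"/))
        print substr($0, RSTART + 6, RLENGTH - 7)
    }' | sort -u
}

# next_module_name COMMAND [DIR]: my-COMMAND-N, N one above the highest
# existing my-COMMAND-*.pp in DIR ("increase the trailing number").
next_module_name() {
  local cmd="$1" dir="${2:-.}" n=0 f num
  for f in "$dir"/my-"$cmd"-*.pp; do
    [ -e "$f" ] || continue
    num="${f##*-}"; num="${num%.pp}"
    case "$num" in *[!0-9]*) continue ;; esac
    [ "$num" -gt "$n" ] && n="$num"
  done
  printf 'my-%s-%d\n' "$cmd" "$((n + 1))"
}

# grant_plan LOGFILE [SINCE_EPOCH] [DIR]: print, but do not run, the
# ausearch/audit2allow/semodule lines for each blocked command; review first.
grant_plan() {
  local log="$1" since="${2:-0}" dir="${3:-.}" c m
  denied_comms "$log" "$since" | while read -r c; do
    m=$(next_module_name "$c" "$dir")
    printf "ausearch -c '%s' --raw | audit2allow -M %s\nsemodule -i %s.pp\n" "$c" "$m" "$m"
  done
}
# Constructed sample audit lines, not real output from a Foxpass host.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
type=AVC msg=audit(1700000000.100:101): avc:  denied  { execute } for  pid=1234 comm="sshd" name="curl"
type=AVC msg=audit(1700000010.200:102): avc:  denied  { name_connect } for  pid=1235 comm="curl" dest=443
type=AVC msg=audit(1700000020.300:103): avc:  denied  { read } for  pid=1236 comm="foxpass_ssh_key" name="passwd"
EOF
grant_plan "$SAMPLE" 1700000005; rm -f "$SAMPLE"   # only the latest request's denials
```

Run it as root on the host with /var/log/audit/audit.log and the epoch time of your last key request, then run the printed lines once you have reviewed them.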
It may be necessary to increase the LDAP connection timeouts on the host. This way, when a user is prompted for a password (for a login or sudo command), the client won't retry quickly and spam your 2FA. Try increasing ldap_opt_timeout to something manageable like 60 seconds. You can read more about it here:
More problems? See our troubleshooting guide here: https://foxpass.readme.io/v1.0/docs/foxpass-linux-debugging