Lab: Working with Identity Management

Create and manage IdM users, roles, policies, and credentials.

Outcomes

  • Create user groups and associate automatic membership rules.

  • Define password policies.

  • Create users and manage their credentials.

  • Grant privileges to user accounts.

If you did not reset your machines at the end of the last chapter, save any work you want to keep from earlier exercises on those machines, and reset them now.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start compreview-management

Specifications

  • Create the finance user group and specify Finance department as its description. For the group's member users, set a password policy that requires passwords to have at least eight characters and that blocks login attempts after two failed attempts. Set this policy as the highest priority password policy.

  • Create the Finance membership automatic group membership rule. This rule must add IdM users to the finance group if the username starts with the string operator.

  • Create the operator10 user and set it as the manager of the finance group. Set RedHat123 as the password. Set Jane Doe as the first and last name, and jdoe@lab.example.com as the email address.

    Grant the user management privilege to the operator10 user by creating the provisioner role. Set Role for Provisioning Users as the role description and add the User Administrators privilege to the role.

  • Ensure that the client machine creates the required home directories for IdM users.

    As the operator10 user on the client machine, create the finance-dept key pair in the /home/operator10/keys directory. When logging in to the client machine, disable SSH public key authentication by using the -o PubkeyAuthentication=no option when you run the ssh command.

  • Create the users described in the following table:

    User        Full name        Email address              SSH public key
    operator11  Huong Sabo       hsabo@lab.example.com      finance-dept
    operator12  Jerlene Paluch   jpaluch@lab.example.com    finance-dept

  1. Create the finance user group and define Finance department as the description. For the group's member users, set a password policy that requires passwords to have at least eight characters and that blocks login attempts after two failed attempts. Set this policy as the highest priority password policy.

    1. From workstation, log in to the idm machine as the student user. Authenticate to IdM as the admin user with RedHat123^ as the password.

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
    2. Create the finance user group and specify Finance department as its description.

      [student@idm ~]$ ipa group-add finance \
        --desc "Finance department"
      ---------------------
      Added group "finance"
      ---------------------
        Group name: finance
        Description: Finance department
        GID: 771200004
    3. Set the password policy for the user group finance to require a minimum of eight characters, and to prevent further login attempts after two failures. Make it the top policy if other password policies also pertain to this group.

      [student@idm ~]$ ipa pwpolicy-add finance \
        --minlength 8 --priority 0 --maxfail 2
        Group: finance
        Min length: 8
        Priority: 0
        Max failures: 2
        Grace login limit: -1
  2. Create the Finance membership automatic group membership rule. This rule must add IdM users to the finance group if the username starts with the string operator.

    1. Create the Finance membership group membership rule for the finance group.

      [student@idm ~]$ ipa automember-add finance \
        --type="group" --desc="Auto member rule for finance"
      -------------------------------
      Added automember rule "finance"
      -------------------------------
        Automember Rule: finance
        Description: Auto member rule for finance
    2. Define an inclusive regular expression to automatically add members to the finance group. The expression includes all users with a username beginning with operator.

      [student@idm ~]$ ipa automember-add-condition
      Automember Rule: finance
      Attribute Key: uid
      Grouping Type: group
      [Inclusive Regex]: ^operator.*
      [Exclusive Regex]: Enter
      -------------------------------
      Added condition(s) to "finance"
      -------------------------------
        Automember Rule: finance
        Description: Auto member rule for finance
        Inclusive Regex: uid=^operator.*
      ----------------------------
      Number of conditions added 1
      ----------------------------
  3. Create the operator10 user and set it as the manager of the finance group. Use RedHat123 as the password. Set Jane Doe as the first and last name, and jdoe@lab.example.com as the email address.

    Grant the user management privilege to the operator10 user by creating the provisioner role. Set Role for Provisioning Users as the role description and add the User Administrators privilege to the role.

    1. Create the operator10 user. Use RedHat123 as the password. Set Jane Doe as the first and last name, and jdoe@lab.example.com as the email address.

      [student@idm ~]$ ipa user-add operator10 \
        --email=jdoe@lab.example.com --password
      First name: Jane
      Last name: Doe
      Password: RedHat123
      Enter Password again to verify: RedHat123
      -----------------------
      Added user "operator10"
      -----------------------
        User login: operator10
        First name: Jane
        Last name: Doe
        Full name: Jane Doe
      ...output omitted...
        Password: True
        Member of groups: ipausers, finance
        Kerberos keys available: True
    2. Set the operator10 user as manager of the finance group:

      [student@idm ~]$ ipa group-add-member-manager finance \
        --user operator10
        Group name: finance
        Description: Finance department
        GID: 771200004
        Member users: operator10
        Membership managed by users: operator10
      -------------------------
      Number of members added 1
      -------------------------
    3. Create the provisioner role. Set Role for Provisioning Users as the role description.

      [student@idm ~]$ ipa role-add provisioner \
        --desc="Role for Provisioning Users"
      ------------------------
      Added role "provisioner"
      ------------------------
        Role name: provisioner
        Description: Role for Provisioning Users
    4. Add the User Administrators privilege to the provisioner role:

      [student@idm ~]$ ipa role-add-privilege provisioner \
        --privileges="User Administrators"
        Role name: provisioner
        Description: Role for Provisioning Users
        Privileges: User Administrators
      ----------------------------
      Number of privileges added 1
      ----------------------------
    5. Add the provisioner role to the operator10 user:

      [student@idm ~]$ ipa role-add-member provisioner \
        --users=operator10
        Role name: provisioner
        Description: Role for Provisioning Users
        Member users: operator10
        Privileges: User Administrators
      -------------------------
      Number of members added 1
      -------------------------
  4. Ensure that the client machine creates the required home directories for IdM users.

    As the operator10 user on the client machine, create the finance-dept key pair in the /home/operator10/keys directory. When logging in to the client machine, disable SSH public key authentication by using the -o PubkeyAuthentication=no option when you run the ssh command.

    1. Configure the client machine to create home directories for the IdM users:

      [student@idm ~]$ exit
      logout
      Connection to idm closed.
      [student@workstation ~]$ ssh client
      [student@client ~]$ sudo authselect select sssd with-mkhomedir
      [sudo] password for student: student
      Profile "sssd" was selected.
      The following nsswitch maps are overwritten by the profile:
      - passwd
      - group
      - netgroup
      - automount
      - services
      
      Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
      
      - with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
        is present and oddjobd service is enabled and active
        - systemctl enable --now oddjobd.service
    2. Start and enable the oddjobd service. Exit the client machine.

      [student@client ~]$ sudo systemctl start oddjobd
      [student@client ~]$ sudo systemctl enable oddjobd
      Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.
      [student@client ~]$ exit
      logout
      Connection to client closed.
    3. Log in to the client machine as the operator10 user. Use the -o PubkeyAuthentication=no option to the ssh command to disable public key authentication.

      [student@workstation ~]$ ssh -o PubkeyAuthentication=no operator10@client
      (operator10@client) Password: RedHat123
      [operator10@client ~]$
    4. Create the keys directory and create the finance-dept key pair:

      [operator10@client ~]$ mkdir keys
      [operator10@client ~]$ cd keys/
      [operator10@client keys]$ ssh-keygen
      Generating public/private rsa key pair.
      Enter file in which to save the key (/home/operator10/.ssh/id_rsa): finance-dept
      Enter passphrase (empty for no passphrase): Enter
      Enter same passphrase again: Enter
      Your identification has been saved in finance-dept
      ...output omitted...
      [operator10@client keys]$ ls -l
      total 8
      -rw-------. 1 operator10 operator10 2622 Jul 17 00:59 finance-dept
      -rw-r--r--. 1 operator10 operator10  587 Jul 17 00:59 finance-dept.pub
  5. Create the users described in the following table:

    User        Full name        Email address              SSH public key
    operator11  Huong Sabo       hsabo@lab.example.com      finance-dept
    operator12  Jerlene Paluch   jpaluch@lab.example.com    finance-dept
    1. Create the operator11 user:

      [operator10@client keys]$ ipa user-add operator11 \
        --email hsabo@lab.example.com \
        --sshpubkey="$(cat finance-dept.pub)"
      First name: Huong
      Last name: Sabo
      -----------------------
      Added user "operator11"
      -----------------------
        User login: operator11
        First name: Huong
        Last name: Sabo
      ...output omitted...
        SSH public key: ssh-rsa AAAAB3Nza...
        SSH public key fingerprint: SHA256:0teX6PsyuPkxz1H5JmM63SrQfer1twQ/DZZNfytnzaM operator10@client.lab.example.com (ssh-rsa)
        Password: False
        Member of groups: ipausers, finance
        Kerberos keys available: False
    2. Create the operator12 user:

      [operator10@client keys]$ ipa user-add operator12 \
        --email jpaluch@lab.example.com \
        --sshpubkey="$(cat finance-dept.pub)"
      First name: Jerlene
      Last name: Paluch
      -----------------------
      Added user "operator12"
      -----------------------
        User login: operator12
        First name: Jerlene
        Last name: Paluch
      ...output omitted...
        SSH public key: ssh-rsa AAAAB3Nza...
        SSH public key fingerprint: SHA256:0teX6PsyuPkxz1H5JmM63SrQfer1twQ/DZZNfytnzaM operator10@client.lab.example.com (ssh-rsa)
        Password: False
        Member of groups: ipausers, finance
        Kerberos keys available: False
    3. Verify that the operator12 user can access the client machine using the finance-dept private key. Verify the user information and home directory.

      [operator10@client keys]$ ssh -i finance-dept operator12@client
      [operator12@client ~]$ id
      uid=771200008(operator12) gid=771200008(operator12) groups=771200008(operator12),771200004(finance) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      [operator12@client ~]$ pwd
      /home/operator12
    4. Exit the client machine. The first exit returns to the operator10 session, and the second returns to the workstation machine:

      [operator12@client ~]$ exit
      logout
      Connection to client closed.
      [operator10@client keys]$ exit
      logout
      Connection to client closed.
      [student@workstation ~]$
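The password policy created in step 1 carries Priority 0, and IdM resolves a user who belongs to several policy groups to the group policy with the lowest priority number, falling back to global_policy when none applies. The following added example (not part of the lab or of FreeIPA) parses constructed output shaped like ipa pwpolicy-find, resolves the effective policy for a user's group list, and audits it against the lab's baseline of at least eight characters and lockout after two failures; the sample output and the contractors group are constructed for illustration.

```python
import re

# Constructed sample shaped like `ipa pwpolicy-find` output; not captured from the lab.
SAMPLE_PWPOLICY_FIND = """\
  Group: global_policy
  Min length: 8
  Max failures: 6

  Group: finance
  Min length: 8
  Priority: 0
  Max failures: 2

  Group: contractors
  Min length: 6
  Priority: 10
----------------------------
Number of entries returned 3
----------------------------
"""

def parse_pwpolicies(text):
    """Return {group: {field: value}}; numeric fields become ints."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s+([^:]+):\s*(.*)$", line)
        if not m:
            continue  # banners and dashed rules carry no data
        key, value = m.groups()
        if key == "Group":
            current = policies.setdefault(value, {})
        elif current is not None:
            current[key] = int(value) if re.fullmatch(r"-?\d+", value) else value
    return policies

def effective_policy(policies, user_groups):
    """Lowest Priority number among the user's groups wins (0 outranks 10); else global_policy."""
    ranked = [(p["Priority"], g) for g, p in policies.items()
              if g in user_groups and "Priority" in p]
    return min(ranked)[1] if ranked else "global_policy"

def audit_policy(policy, min_length=8, max_failures=2):
    """List baseline violations; an unset or 0 Max failures means no lockout at all."""
    findings = []
    if policy.get("Min length", 0) < min_length:
        findings.append(f"Min length is {policy.get('Min length', 'unset')}, want >= {min_length}")
    failures = policy.get("Max failures", 0)
    if failures == 0 or failures > max_failures:
        findings.append(f"Max failures is {failures or 'unset'}, want 1..{max_failures}")
    return findings
```

Run it against real output with parse_pwpolicies(subprocess.run(["ipa", "pwpolicy-find"], capture_output=True, text=True).stdout) after kinit; the missing Max failures on contractors shows why an unset field must count as a finding rather than a pass.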

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade compreview-management

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish compreview-management

Revision: rh362-9.1-4c6fdb8