SpanKey Client

To use SpanKey authentication for OpenSSH, you need to configure both
your OpenSSH server and the SpanKey client.

1) SpanKey client

The SpanKey client provides a helper command for the OpenSSH server.
The helper command is intended to replace the usual authorized keys
file, $HOME/.ssh/authorized_keys.

The SpanKey client configuration file is /etc/spankey/spankey.conf.
You need to edit the configuration file and set 'server_url' to
the SpanKey service URL(s). To find it, go to your WebADM server under
the Applications menu and choose the Authentication tab; the SpanKey
URL should be displayed and looks like https://yourserver:8443/spankey/.

You may need to adjust the other settings of your SpanKey client.
These settings are documented in the /etc/spankey.conf.default file.

Note about SELinux

The SpanKey client requires some additional SELinux rules for sshd.
You can run /etc/spankey/selinux/addpolicy to create the necessary
SELinux policy rules for SpanKey.

You may experience issues with SELinux where the helper command does not
manage to send the SOAP requests to the SpanKey server(s). If you have
SELinux enabled, check your audit files. If SELinux is blocking socket
connections for the SpanKey client, then use the audit2allow command to
create a custom SELinux module for SpanKey.

2) OpenSSH server

Edit your OpenSSH server configuration file. On RedHat/CentOS the OpenSSH
server configuration file is /etc/ssh/sshd_config.

Locate the 'AuthorizedKeysCommand' and 'AuthorizedKeysCommandRunAs'
parameters and uncomment both of them. 'AuthorizedKeysCommandRunAs'
may be replaced by 'AuthorizedKeysCommandUser' depending on your Linux
distribution. If they are not present in the configuration file, add
them at the end of the file.
Set AuthorizedKeysCommand to '/usr/libexec/spankey/authorized_keys' and
set AuthorizedKeysCommandUser or AuthorizedKeysCommandRunAs to 'root':

    AuthorizedKeysCommand /usr/libexec/spankey/authorized_keys
    AuthorizedKeysCommandRunAs root
    AuthorizedKeysCommandUser root

You need to restart your OpenSSH service:
- On RHEL6, run /etc/init.d/sshd restart
- On RHEL7, run service sshd restart

3) Use SpanKey as NSS provider

Linux uses /etc/passwd and /etc/group to get NSS information about users
and groups. LDAP repositories are used to centralize user / group data,
provided that the user accounts and groups in your LDAP are extended with
the POSIX object classes (i.e. posixAccount and posixGroup). These classes
provide the additional attributes such as uidNumber, homeDirectory or
loginShell which are required by UNIX / Linux systems.
To use POSIX accounts from LDAP, you need to set up NSS-LDAP for Linux,
and the configuration of NSS-LDAP is quite complex. Fortunately, SpanKey
provides its own NSS plugin which does not need the NSS-LDAP dependency
in order to use LDAP accounts under Linux.

To enable SpanKey NSS, edit your /etc/nsswitch.conf file and set:

    passwd: files spankey ...
    group: files spankey ...

Note that 'spankey' MUST be listed after 'files'!

You will also need to change the default PAM configuration.
Edit the file /etc/pam.d/password-auth and replace the line:

    account required pam_unix.so

with:

    account required pam_unix.so broken_shadow

You need to restart your NSCD service:
- On RHEL6, run /etc/init.d/nscd restart
- On RHEL7, run service nscd restart
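As an added check for steps 2) and 3) (example code, not part of the SpanKey client), the functions below verify that sshd_config hands key lookup to the SpanKey helper as root and that nsswitch.conf lists 'spankey' after 'files' for passwd and group. The helper path and settings are those given above; the sample configuration files are constructed in a temporary directory so the script runs offline.

```shell
# check_sshd_config FILE: 0 if AuthorizedKeysCommand is the SpanKey helper and
# AuthorizedKeysCommandUser or AuthorizedKeysCommandRunAs is root. sshd honours
# the first occurrence of a keyword, so the first uncommented match wins here too.
check_sshd_config() {
    awk '
        $1 == "AuthorizedKeysCommand"      && cmd == ""  { cmd = $2 }
        $1 == "AuthorizedKeysCommandUser"  && user == "" { user = $2 }
        $1 == "AuthorizedKeysCommandRunAs" && user == "" { user = $2 }
        END {
            if (cmd != "/usr/libexec/spankey/authorized_keys") exit 1
            if (user != "root") exit 2
            exit 0
        }' "$1"
}

# check_nsswitch FILE DB: 0 if DB ("passwd" or "group") lists spankey after files,
# 1 if spankey is missing, 2 if spankey precedes files, 3 if DB is not listed.
check_nsswitch() {
    awk -v db="$2:" '
        $1 == db && !seen {
            seen = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "files")   files = i
                if ($i == "spankey") spankey = i
            }
        }
        END {
            if (!seen)                     exit 3
            if (!spankey)                  exit 1
            if (!files || spankey < files) exit 2
            exit 0
        }' "$1"
}

# Constructed sample files standing in for /etc/ssh/sshd_config and /etc/nsswitch.conf.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#AuthorizedKeysCommand none' \
    'AuthorizedKeysCommand /usr/libexec/spankey/authorized_keys' \
    'AuthorizedKeysCommandUser root' > "$tmp/sshd_config"
printf '%s\n' 'passwd: files spankey' 'group:  files spankey' > "$tmp/nsswitch.good"
printf '%s\n' 'passwd: spankey files' 'group:  files' > "$tmp/nsswitch.bad"

check_sshd_config "$tmp/sshd_config" && echo "sshd_config: ok"
check_nsswitch "$tmp/nsswitch.good" passwd && echo "nsswitch passwd: ok"
check_nsswitch "$tmp/nsswitch.bad" passwd || echo "nsswitch passwd: wrong order (rc=$?)"
```

Point the functions at the real files (/etc/ssh/sshd_config, /etc/nsswitch.conf) to check a host after editing; a non-zero return identifies which setting is missing or misordered.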