Kerberose authentication
To use kerberose authentication we need to set up server with all the needed principle and their passwords.and we must configure the client to use the proper kerberpse server as needed.
Server Configuration
server:virtual19.virtual.com
IP:192.168.100.19
client:virtual21.virtual.com
IP:192.168.100.21
Packages needed are
yum install -y krb5-server
yum install -y krb5-libs
yum install -y readline-devel
vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = VIRTUAL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
VIRTUAL.COM = {
kdc = virtual19.virtual.com
admin_server = virtual19.virtual.com
}
[domain_realm]
virtual19.virtual.com = VIRTUAL.COM
virtual21.virtual.com = VIRTUAL.COM
[appdefault]
validate=true
vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
VIRTUAL.COM = {
master_key_type = aes256-cts
default_principle_flags = +preauth
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
kdb5_util create -r VIRTUAL.COM -s
kadmin.local
kadmin: listprincs
kadmin: addprinc root/admin
kadmin: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
kadmin: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
kadmin: addprinc -randkey host/virtual19.virtual.com
kadmin: ktadd -k /etc/krb5.keytab host/virtual19.virtual.com
vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@VIRTUAL.COM *
service krb5kdc restart
chkconfig krb5kdc on
service kadmin restart
chkconfig kadmin on
----------------------------------------------------------
Client side configuration
----------------------------------------------------------
copy the /etc/krb5.conf from server to client
authconfig-tui
select the kerberised password authentication then they will ask for kdc and krb5 server and releam name to which we need to enter the correct entry .When closing the utils the system will configure itself for connection to kerberose server
Now we need to add that machine to kerberose server database
kadmin
kadmin: addprinc -randkey host/virtual21.virtual.com
kadmin: ktadd -k /etc/krb5.keytab host/virtual21.virtual.com
now the client machine is added to server and now the tickets will be issued as normal and to check that
klist to list the tickets got from server
-------------------------------------------------------------------.
Now adding nis user to kerberose
At server make a principle for the nis users and that is it
kadmin.local
kadmin: addprinc nisuser1
now will be prompted for kerberose password which at client will enable the user to login as user using kerberised security .
Friday, October 26, 2012
Tuesday, October 23, 2012
NIS server-client configuration
NIS Network Information System is one of the centralized way to use the user through-out the network.
At Server
Install the nis server package
----->yum install -y ypserv
Add the needed users ,make sure that u give an uid that is normally not used ..go for 5000 + uids here i will be using ids at range of 6000 . This is may to avoid confilt with the local user uids
----->useradd -u 60000 nisuser1
----->passwd nisuser1
----->useradd -u 60001 nisuser2
----->passwd nisuser2
Give the nisdoamin name in /etc/sysconfig/network and we can make nis services use the port we say by giving following arguments
---->echo "
NISDOMAIN=virtual19
YPSERV_ARGS="-p 900"
YPPASSWRD_ARGS="-p 901"
YPXFRD_ARGS="-p 902"
" >> /etc/sysconfig/network
the -p argument will make the service use that port
Now to make the master nis server
----->service ypserv restart
----->/usr/lib64/yp/ypinit -m
will make the nis server and and make the needed changes
to make those changes permanent
------>make -C /var/yp
------>service ypserv restart
we can check the users by
getent passwd
-----------------------------
AT Client
-----------------------------
we neet to configure the authconfig-tui to nis
------->authconfig-tui
Now a window will be opened and we need to select the nis option,system will automatically start the needed service..you will be asked the nisdomain name and server ip we should provide that and when the window close the clinet configuration is complete
Now at client side if we do
------->getent passwd
we would be able to see the users...
to just see the nis users we need to use ypcat
------->ypcat passwd
this will only show the nis uses from passwd file
switch to the user just like we switch to normal users
at client ------->su nisuser1
Basically nis is not that much secure we can make its client restriction in file /var/yp/securenets .the ips or network given in that file only will have entry to nis server
To change passwd of the user from client we need to use yppasswdd sevice at server and same command at client side.
At Server
Install the nis server package
----->yum install -y ypserv
Add the needed users ,make sure that u give an uid that is normally not used ..go for 5000 + uids here i will be using ids at range of 6000 . This is may to avoid confilt with the local user uids
----->useradd -u 60000 nisuser1
----->passwd nisuser1
----->useradd -u 60001 nisuser2
----->passwd nisuser2
Give the nisdoamin name in /etc/sysconfig/network and we can make nis services use the port we say by giving following arguments
---->echo "
NISDOMAIN=virtual19
YPSERV_ARGS="-p 900"
YPPASSWRD_ARGS="-p 901"
YPXFRD_ARGS="-p 902"
" >> /etc/sysconfig/network
the -p argument will make the service use that port
Now to make the master nis server
----->service ypserv restart
----->/usr/lib64/yp/ypinit -m
will make the nis server and and make the needed changes
to make those changes permanent
------>make -C /var/yp
------>service ypserv restart
we can check the users by
getent passwd
-----------------------------
AT Client
-----------------------------
we neet to configure the authconfig-tui to nis
------->authconfig-tui
Now a window will be opened and we need to select the nis option,system will automatically start the needed service..you will be asked the nisdomain name and server ip we should provide that and when the window close the clinet configuration is complete
Now at client side if we do
------->getent passwd
we would be able to see the users...
to just see the nis users we need to use ypcat
------->ypcat passwd
this will only show the nis uses from passwd file
switch to the user just like we switch to normal users
at client ------->su nisuser1
Basically nis is not that much secure we can make its client restriction in file /var/yp/securenets .the ips or network given in that file only will have entry to nis server
To change passwd of the user from client we need to use yppasswdd sevice at server and same command at client side.
Monday, October 22, 2012
More about DNS and Security in Zone sharing
More about DNS
Bogus servers which give wrong information can be blocked or to make our server not to accept any information from them
server IP {bogus yes ;};
we can also create blackhole in dns where the server will not even acknowledge the other ip
blackhole {ips;};
version bind
this can be used to make the details of dns version IE bind version safe from the outsider
version "INFORMATION ....";
chrooting the bind
By installing the bind-chroot the dns configuration file will be moved to space where only root and named group has permission to edit those files
Making DNS Zone sharing safe
we could share a key between slave and master to make sure that update are send to only correct slaves.
This method in called TSIG transaction signature configuration
1.first start from client making the key
----->dnssec-keygen -a hmac-md5 -b 128 -n HOST virtual_key
----->cat Kvirtual_key.+157+56451.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: yzkKqIIa4sUPXm+Oz7VNgg==
Bits: AAA=
Created: 20121022004959
Publish: 20121022004959
Activate: 20121022004959
**copy the key part and create a key file as follows
------->vim /etc/rndc.key
key "virtual_key"
{
algorithm HMAC-MD5;
secret "yzkKqIIa4sUPXm+Oz7VNgg==";
};
------->chgrp named /etc/rndc.key
**inside /etc/named.conf add
include "/etc/rndc.key" ;
server 192.168.100.1 {
keys { virtual_key ; };
};
**and
allow-transfer { key virtul_key ;};
this forces the client to use the key we generate..
Now copy the rndc.key file to server
change the group to named at server
and include the file to /etc/named.conf and give allow-transfer at needed zones to make it more secure
at server /etc/named.conf
include "/etc/rndc.key" ;
allow-transfer { key virtual_key ;};
----------------------------------------------------------------------
master configuration
----------------------------------------------------------------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "example" { 192.168.122.0/24 ; 127/8 ; };
acl "virtual" { 192.168.100.0/24 ; 127/8 ; };
include "/etc/rndc.key" ;
options {
listen-on port 53 { 127.0.0.1; example ; virtual ;};
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; example; virtual; };
allow-transfer { key virtual_key ;};
recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view mixed {
match-clients { 192.168.122.2; 192.168.100.1; };
zone "example.com" IN {
type master;
file "forward.zone";
allow-update { none; };
};
zone "122.168.192.in-addr.arpa" IN {
type master;
file "reverse.zone";
allow-update { none; };
};
zone "virtual.com" IN {
type master;
file "forwardvir.zone";
allow-update { none; };
};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "reversevir.zone";
allow-update { none; };
};
};
view internal {
match-clients { example; };
zone "example.com" IN {
type master;
file "forward.zone";
allow-update { none; };
};
zone "122.168.192.in-addr.arpa" IN {
type master;
file "reverse.zone";
allow-update { none; };
};
};
view external {
match-clients { virtual; };
zone "virtual.com" IN {
type master;
file "forwardvir.zone";
allow-update {none; };
};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "reversevir.zone";
allow-update {none ;};
};
};
#include "/etc/named.rfc1912.zones";
----------------------------------------------------------------------------
slave configuration
----------------------------------------------------------------------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/rndc.key" ;
server 192.168.100.1 {
keys { virtual_key ; };
};
options {
listen-on port 53 { 127.0.0.1; 192.168.100.0/24 ;};
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost;192.168.100.0/24; };
allow-transfer { key virtul_key ;};
recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view external {
match-clients { 192.168.100.0/24; };
allow-transfer { key virtual_key ;};
zone "virtual.com" IN {
type slave;
file "slaves/forwardvir.zone";
masters {192.168.100.1 ; };
#allow-update {none;};
};
zone "100.168.192.in-addr.arpa" IN {
type slave;
file "slaves/reversevir.zone";
masters {192.168.100.1 ; };
#allow-update {none;};
};
};
Bogus servers which give wrong information can be blocked or to make our server not to accept any information from them
server IP {bogus yes ;};
we can also create blackhole in dns where the server will not even acknowledge the other ip
blackhole {ips;};
version bind
this can be used to make the details of dns version IE bind version safe from the outsider
version "INFORMATION ....";
chrooting the bind
By installing the bind-chroot the dns configuration file will be moved to space where only root and named group has permission to edit those files
Making DNS Zone sharing safe
we could share a key between slave and master to make sure that update are send to only correct slaves.
This method in called TSIG transaction signature configuration
1.first start from client making the key
----->dnssec-keygen -a hmac-md5 -b 128 -n HOST virtual_key
----->cat Kvirtual_key.+157+56451.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: yzkKqIIa4sUPXm+Oz7VNgg==
Bits: AAA=
Created: 20121022004959
Publish: 20121022004959
Activate: 20121022004959
**copy the key part and create a key file as follows
------->vim /etc/rndc.key
key "virtual_key"
{
algorithm HMAC-MD5;
secret "yzkKqIIa4sUPXm+Oz7VNgg==";
};
------->chgrp named /etc/rndc.key
**inside /etc/named.conf add
include "/etc/rndc.key" ;
server 192.168.100.1 {
keys { virtual_key ; };
};
**and
allow-transfer { key virtul_key ;};
this forces the client to use the key we generate..
Now copy the rndc.key file to server
change the group to named at server
and include the file to /etc/named.conf and give allow-transfer at needed zones to make it more secure
at server /etc/named.conf
include "/etc/rndc.key" ;
allow-transfer { key virtual_key ;};
----------------------------------------------------------------------
master configuration
----------------------------------------------------------------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "example" { 192.168.122.0/24 ; 127/8 ; };
acl "virtual" { 192.168.100.0/24 ; 127/8 ; };
include "/etc/rndc.key" ;
options {
listen-on port 53 { 127.0.0.1; example ; virtual ;};
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; example; virtual; };
allow-transfer { key virtual_key ;};
recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view mixed {
match-clients { 192.168.122.2; 192.168.100.1; };
zone "example.com" IN {
type master;
file "forward.zone";
allow-update { none; };
};
zone "122.168.192.in-addr.arpa" IN {
type master;
file "reverse.zone";
allow-update { none; };
};
zone "virtual.com" IN {
type master;
file "forwardvir.zone";
allow-update { none; };
};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "reversevir.zone";
allow-update { none; };
};
};
view internal {
match-clients { example; };
zone "example.com" IN {
type master;
file "forward.zone";
allow-update { none; };
};
zone "122.168.192.in-addr.arpa" IN {
type master;
file "reverse.zone";
allow-update { none; };
};
};
view external {
match-clients { virtual; };
zone "virtual.com" IN {
type master;
file "forwardvir.zone";
allow-update {none; };
};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "reversevir.zone";
allow-update {none ;};
};
};
#include "/etc/named.rfc1912.zones";
----------------------------------------------------------------------------
slave configuration
----------------------------------------------------------------------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/rndc.key" ;
server 192.168.100.1 {
keys { virtual_key ; };
};
options {
listen-on port 53 { 127.0.0.1; 192.168.100.0/24 ;};
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost;192.168.100.0/24; };
allow-transfer { key virtul_key ;};
recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view external {
match-clients { 192.168.100.0/24; };
allow-transfer { key virtual_key ;};
zone "virtual.com" IN {
type slave;
file "slaves/forwardvir.zone";
masters {192.168.100.1 ; };
#allow-update {none;};
};
zone "100.168.192.in-addr.arpa" IN {
type slave;
file "slaves/reversevir.zone";
masters {192.168.100.1 ; };
#allow-update {none;};
};
};
Subscribe to:
Posts (Atom)