X-Git-Url: https://git.deb.at/?a=blobdiff_plain;f=KerberosAuthenticationInfrastructure%2Findex.mdwn;fp=KerberosAuthenticationInfrastructure%2Findex.mdwn;h=0000000000000000000000000000000000000000;hb=af633461199436d94bbb9c64c5604198c40ef915;hp=266675d78b3ad7ee35a5cfc979878ece1e139eef;hpb=0071ac91d5e1137b1074d3a51c0d4410213b7acd;p=debienna.git diff --git a/KerberosAuthenticationInfrastructure/index.mdwn b/KerberosAuthenticationInfrastructure/index.mdwn deleted file mode 100644 index 266675d..0000000 --- a/KerberosAuthenticationInfrastructure/index.mdwn +++ /dev/null @@ -1,492 +0,0 @@ - - -# central usermanagement - -...using ldap and kerberos - - -# motivation - -warum: - -* skaliert -* sicherheit -* komfort (single sign on) -warum nicht: - -* fehlerquelle komplexitaet -* gefahr single point of failure / break in --> infrastruktur! - - -# theorie - -recommended reading: - -* [[http://www.openinput.com/auth-howto/index.html|http://www.openinput.com/auth-howto/index.html]] -* [[http://www.pdc.kth.se/heimdal/|http://www.pdc.kth.se/heimdal/]] -* [[http://www.openldap.org/doc/admin23/|http://www.openldap.org/doc/admin23/]] -architektur: - -* trusted third party, der KDC. hat gemeinsames secret mit allen hosts/services/usern. "principals". generiert auf anfrage ticket mit zeit, ip, und welcher user zu welchem service. -design decisions: - -* keine passwoerter im ldap, alles via kerberos, rueckwaertskompatibilitaet via pam_krb, nicht sasl oder pam_ldap. -* kerberos datenbank im ldap, keine seperate replikation noetig (nur mit heimdal). -* eigene ldap range fuer uid/groupid, root und systemuser bleiben lokal falls das netzwerk spinnt. - -# required software - -zutaten am server: - -* heimdal kerberos (ldap), alternativen: mit, shishi -* openldap, alternativ: mysql, postgresql -* wohlgepflegtes dns und reverse-dns -* schwer empfohlen: replikation und redundanz - -[[!format txt """ -sudo aptitude install slapd heimdal-kdc -"""]] -zutaten am host: - -* libnss-ldap -* pam-krb5 -* sasl mit gssapi provider -* richtige zeit, zb. openntpd (kann aber nicht stratum faken fuer windows) -* kerberized client/serversoftware (zb. openssh, apache2) - -[[!format txt """ -sudo aptitude install libnss-ldap libpam-krb5 libsasl2-gssapi-mit heimdal-clients -"""]] - -# vorbereitung: domain name service - -config im dns (da gibts uebrigens auch welche mit ldap/sql backend ;): - -aka "srv records rock! - for kerberos but not for ldap :(" - -config file /etc/krb5.conf auf allen hosts ident! - -was ist ein "canonical hostname"? - -zonefile mm-karton.com (snippet): -[[!format txt """ -$ORIGIN mm-karton.com. -kerberos A 10.128.0.24 -kerberos-1 A 10.128.0.25 -ldap CNAME srv-vie-26.vie.mm-karton.com. -ldap-1 CNAME srv-vie-27.vie.mm-karton.com. - -_kerberos TXT "MM-KARTON.COM" -_kerberos-master._tcp SRV 10 1 88 kerberos -_kerberos-master._udp SRV 10 1 88 kerberos -_kpasswd._udp SRV 10 1 464 kerberos -_kerberos-adm._tcp SRV 10 1 749 kerberos -_kerberos._tcp SRV 10 1 88 kerberos -_kerberos._udp SRV 10 1 88 kerberos -_kerberos._tcp SRV 20 1 88 kerberos-1 -_kerberos._udp SRV 20 1 88 kerberos-1 - -_ldap._tcp SRV 10 1 88 ldap -_ldap._tcp SRV 20 1 88 ldap-1 -"""]] -zonefile mm-karton.net (snippet), afaik heimdal specific: -[[!format txt """ -_kerberos TXT "MM-KARTON.COM" -"""]] - -# config am server - -/etc/ldap/slapd.conf - - -[[!format txt """ -# This is the main slapd configuration file. See slapd.conf(5) for more -# info on the configuration options. - -####################################################################### -# Global Directives: - -include /etc/ldap/schema/core.schema -include /etc/ldap/schema/cosine.schema -include /etc/ldap/schema/nis.schema -include /etc/ldap/schema/inetorgperson.schema - -include /etc/ldap/schema/hdb.schema - - -TLSCACertificateFile /etc/ldap/ca_crt.pem -TLSCertificateFile /etc/ldap/ldap.mm-karton.com_crt.pem -TLSCertificateKeyFile /etc/ldap/ldap.mm-karton.com_key.pem -TLSCipherSuite HIGH:MEDIUM:+SSLv2 - - -pidfile /var/run/slapd/slapd.pid -argsfile /var/run/slapd/slapd.args - -loglevel 0 - -modulepath /usr/lib/ldap -moduleload back_bdb -moduleload syncprov - -# The maximum number of entries that is returned for a search operation -sizelimit 500 - - - - -####################################################################### -# Specific Backend Directives for bdb: - -backend bdb -checkpoint 512 30 - - - -####################################################################### -# main database -database bdb -suffix "dc=mm-karton,dc=com" -rootdn "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com" - -directory "/var/lib/ldap" -dbconfig set_cachesize 0 33554432 0 -lastmod on - - -index objectClass eq -index cn,uid,displayName eq,sub,pres -index krb5PrincipalName eq -index associatedDomain pres,eq,sub -index entryUUID,default,entryCSN eq - - -# needed for syncrepl -overlay syncprov -syncprov-checkpoint 100 10 -syncprov-sessionlog 100 - -limits dn.exact="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited - - - - - - -####################################################################### -# sasl config - -sasl-secprops minssf=0 -security simple_bind=64 - -sasl-regexp - uid=(.+),cn=.+,cn=auth - ldap:///dc=mm-karton,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@MM-KARTON.COM)) -sasl-regexp "=0" "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com" - - - - -####################################################################### -# access control - -# needed for certain auth stuff -access to dn.base="" by * read -access to dn.base="cn=Subschema" by * read - -access to attrs=krb5PrincipalName - by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write - by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write - by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read - by anonymous auth - -access to attrs=userPassword - by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write - by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write - by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read - by anonymous auth - - - -# Kerberos attributes only accessible to root/ldapmaster and the superadmins -access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmName - by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write - by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write - by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read - by * none - - - -# user info readable for nssproxy user -access to dn.subtree="ou=users,dc=mm-karton,dc=com" - by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write - by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write - by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read - by dn="uid=nssproxy,dc=mm-karton,dc=com" read -access to dn.subtree="ou=groups,dc=mm-karton,dc=com" - by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write - by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write - by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read - by dn="uid=nssproxy,dc=mm-karton,dc=com" read -access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid - by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write - by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write - by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read - by dn="uid=nssproxy,dc=mm-karton,dc=com" read - - - -# all the rest -access to dn.subtree="dc=mm-karton,dc=com" - by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write - by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write - by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read -"""]] -/etc/default/slapd -[[!format txt """ -# Default location of the slapd.conf file -SLAPD_CONF= - -# System account to run the slapd server under. If empty the server -# will run as root. -SLAPD_USER="openldap" - -# System group to run the slapd server under. If empty the server will -# run in the primary group of its user. -SLAPD_GROUP="openldap" - -# Path to the pid file of the slapd server. If not set the init.d script -# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf) -SLAPD_PIDFILE= - -# Configure if the slurpd daemon should be started. Possible values: -# - yes: Always start slurpd -# - no: Never start slurpd -# - auto: Start slurpd if a replica option is found in slapd.conf (default) -SLURPD_START=auto - -# slapd normally serves ldap only on all TCP-ports 389. slapd can also -# service requests on TCP-port 636 (ldaps) and requests via unix -# sockets. -# Example usage: -SLAPD_SERVICES="ldap://10.128.4.36/ ldapi:///" - -# Additional options to pass to slapd and slurpd -SLAPD_OPTIONS="" -SLURPD_OPTIONS="" - -export KRB5_KTNAME="FILE:/etc/ldap/ldap.keytab" - -[ -L /var/run/ldapi ] || ln -s /var/run/slapd/ldapi /var/run/ldapi -"""]] -/etc/heimdal-kdc/kadmin.acl -[[!format txt """ -lefant/admin@MM-KARTON.COM all -"""]] -/etc/heimdal-kdc/kdc.conf -[[!format txt """ -[kdc] - database = { - realm = MM-KARTON.COM - dbname = ldap:dc=mm-karton,dc=com - mkey_file = /var/lib/heimdal-kdc/m-key - acl_file = /etc/heimdal-kdc/kadmind.acl - } - addresses = 10.128.0.24 -"""]] - -[[!format txt """ -$ sudo kadmin -l -init MY.REALM -add lefant/admin -"""]] - -# config am host - -/etc/libnss-ldap.conf -[[!format txt """ -BASE dc=mm-karton, dc=com -URI ldap://ldap.mm-karton.com/,ldap://ldap-1.mm-karton.com/ - -ldap_version 3 -ssl start_tls -tls_cacertfile /etc/ssl/certs/mmagca_crt.pem - -binddn uid=nssproxy,dc=mm-karton,dc=com -bindpw XXXXXXXX - -scope sub -pam_filter objectClass=posixAccount -nss_base_passwd ou=users,dc=mm-karton,dc=com -nss_base_group ou=groups,dc=mm-karton,dc=com - -# Search timelimit -timelimit 10 - -# Bind/connect timelimit -bind_timelimit 2 - -pam_min_uid 10000 -pam_max_uid 11000 - -nss_reconnect_tries 1 -nss_reconnect_sleeptime 1 -nss_reconnect_maxsleeptime 2 -nss_reconnect_maxconntries 3 -nss_initgroups_ignoreusers arpwatch,asterisk,backup,bin,bind,clamav,cricket,daemon,Debian-exim,debianmirror,dovecot,fetchmail,ftp,games,gnats,identd,irc,list,lp,mail,man,messagebus,mysql,nagios,news,nobody,ntp,ntpd,nut,openvpn,pdns,proftpd,proxy,puppet,root,smmsp,smmta,smsd,snmp,snort,sshd,statd,sync,sys,uucp,www-data,zope -"""]] -/etc/nsswitch.conf -[[!format txt """ -passwd: files ldap -group: files ldap -shadow: files - -hosts: files dns -networks: files - -protocols: db files -services: db files -ethers: db files -rpc: db files - -netgroup: nis -"""]] -/etc/krb5.conf -[[!format txt """ -[libdefaults] - default_realm = MM-KARTON.COM - dns_lookup_realm = yes - -[logging] - default = SYSLOG:NOTICE:DAEMON - kdc = FILE:/var/log/kdc.log - kadmind = FILE:/var/log/kadmind.log - -[appdefaults] - pam = { - ticket_lifetime = 10h - renew_lifetime = 10h - forwardable = true - proxiable = false - retain_after_close = false - minimum_uid = 0 - debug = false - } - -[domain_realm] - srv-pof-30.pof.mmk.mmdom.net = MM-KARTON.COM - -[realms] - MMK.MMDOM.NET = { - kdc = DC-VIE-50 - kpasswd_server = DC-VIE-50 - auth_to_local_names = { - lefant = invaliduser - unki = invaliduser - } - } - MM-KARTON.COM = { - admin_server = kerberos.mm-karton.com - auth_to_local = RULE:[1:$1@$0](^.*@MMK.MMDOM.NET$)s/@MMK.MMDOM.NET// - auth_to_local = DEFAULT - } -"""]] -/etc/pam.d/common-account -[[!format txt """ -account required pam_access.so -account sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 -account sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 -account required pam_unix.so -"""]] -/etc/pam.d/common-auth -[[!format txt """ -auth optional pam_group.so -auth sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 try_first_pass -auth sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 try_first_pass -auth required pam_unix.so try_first_pass -"""]] -/etc/pam.d/common-session -[[!format txt """ -session required pam_mkhomedir.so umask=0022 skel=/etc/mmskel -session sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 -session sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 -session required pam_unix.so -"""]] -restrict logins to certain users: - -/etc/security/access.conf -[[!format txt """ -# first, to avoid delays when network is still unavailable -+:ALL:LOCAL -+:root:ALL - -# remote users and groups -+:bofh:ALL - -# deny everything else --:ALL:ALL -"""]] -/etc/adduser.conf (snippet) -[[!format txt """ -# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically -# allocated user accounts/groups. -FIRST_UID=1000 -LAST_UID=19999 -"""]] -ldap client config (administration): - -/etc/ldap/ldap.conf -[[!format txt """ -BASE dc=mm-karton, dc=com -URI ldap://ldap.mm-karton.com/ -ssl start_tls -tls_cacert /etc/ssl/certs/ca_crt.pem -"""]] -ldapwhoami, ldapsearch - -sudo, nopasswd, weil solches haben wir ja nicht... - -/etc/sudoers -[[!format txt """ -lefant ALL=(ALL) NOPASSWD:ALL -"""]] - -# single sign on fuer applikationen (gssapi support, das grosse fragezeichen) - -/etc/ssh/sshd_config (snippet) -[[!format txt """ -GSSAPIAuthentication yes -GSSAPIKeyExchange yes -"""]] -/etc/ssh/ssh_config (snippet) -[[!format txt """ -host * - GSSAPIAuthentication yes - GSSAPIDelegateCredentials yes - GSSAPITrustDns yes -"""]] -firefox: out-of-the-box! - -apache: (apt-get install libapache2-mod-auth-kerb) config snippet -[[!format txt """ - - AuthType Kerberos - AuthName "MM Login (use windows login *without* mm\ prefix)" - KrbServiceName HTTP - Krb5Keytab /etc/apache2/keytab - KrbAuthRealms MMK.MMDOM.NET MM-KARTON.COM - AuthGroupFile /etc/wwwusers - Require group NocUsers - Order deny,allow - Deny from all - Allow from noc.mm-karton.com - Satisfy any - -"""]] - -# misc stuff - -* tcpdump -* strace -* $HOME/.k5login \ No newline at end of file