use unix newlines everywhere

[debienna.git] / KerberosAuthenticationInfrastructure / index.mdwn

= central usermanagement =

...using ldap and kerberos



= motivation =

warum:
 * skaliert
 * sicherheit
 * komfort (single sign on)

warum nicht:
 * fehlerquelle komplexitaet
 * gefahr single point of failure / break in

-> infrastruktur!



= theorie =

recommended reading:
 * http://www.openinput.com/auth-howto/index.html
 * http://www.pdc.kth.se/heimdal/
 * http://www.openldap.org/doc/admin23/

architektur:
 * trusted third party, der KDC. hat gemeinsames secret mit allen
 hosts/services/usern. "principals". generiert auf anfrage ticket mit
 zeit, ip, und welcher user zu welchem service.

design decisions:
 * keine passwoerter im ldap, alles via kerberos, rueckwaertskompatibilitaet via pam_krb, nicht sasl oder pam_ldap.
 * kerberos datenbank im ldap, keine seperate replikation noetig (nur mit heimdal).
 * eigene ldap range fuer uid/groupid, root und systemuser bleiben
 lokal falls das netzwerk spinnt.



= required software =

zutaten am server:
 * heimdal kerberos (ldap), alternativen: mit, shishi
 * openldap, alternativ: mysql, postgresql
 * wohlgepflegtes dns und reverse-dns
 * schwer empfohlen: replikation und redundanz

{{{
sudo aptitude install slapd heimdal-kdc
}}}


zutaten am host:
 * libnss-ldap
 * pam-krb5
 * sasl mit gssapi provider
 * richtige zeit, zb. openntpd (kann aber nicht stratum faken fuer windows)
 * kerberized client/serversoftware (zb. openssh, apache2)

{{{
sudo aptitude install libnss-ldap libpam-krb5 libsasl2-gssapi-mit heimdal-clients
}}}



= vorbereitung: domain name service =

config im dns (da gibts uebrigens auch welche mit ldap/sql backend ;):

aka "srv records rock! - for kerberos but not for ldap :("

config file /etc/krb5.conf auf allen hosts ident!

was ist ein "canonical hostname"?

zonefile mm-karton.com (snippet):
{{{
$ORIGIN mm-karton.com.
kerberos                A       10.128.0.24
kerberos-1              A       10.128.0.25
ldap                    CNAME   srv-vie-26.vie.mm-karton.com.
ldap-1                  CNAME   srv-vie-27.vie.mm-karton.com.

_kerberos               TXT     "MM-KARTON.COM"
_kerberos-master._tcp   SRV     10 1 88 kerberos
_kerberos-master._udp   SRV     10 1 88 kerberos
_kpasswd._udp           SRV     10 1 464 kerberos
_kerberos-adm._tcp      SRV     10 1 749 kerberos
_kerberos._tcp          SRV     10 1 88 kerberos
_kerberos._udp          SRV     10 1 88 kerberos
_kerberos._tcp          SRV     20 1 88 kerberos-1
_kerberos._udp          SRV     20 1 88 kerberos-1

_ldap._tcp              SRV     10 1 88 ldap
_ldap._tcp              SRV     20 1 88 ldap-1
}}}

zonefile mm-karton.net (snippet), afaik heimdal specific:
{{{
_kerberos               TXT             "MM-KARTON.COM"
}}}



= config am server =

/etc/ldap/slapd.conf

{{{
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

include         /etc/ldap/schema/hdb.schema


TLSCACertificateFile /etc/ldap/ca_crt.pem
TLSCertificateFile /etc/ldap/ldap.mm-karton.com_crt.pem
TLSCertificateKeyFile /etc/ldap/ldap.mm-karton.com_key.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2


pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

loglevel        0

modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      syncprov

# The maximum number of entries that is returned for a search operation
sizelimit 500




#######################################################################
# Specific Backend Directives for bdb:

backend         bdb
checkpoint 512 30



#######################################################################
# main database
database       bdb
suffix         "dc=mm-karton,dc=com"
rootdn         "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com"

directory      "/var/lib/ldap"
dbconfig set_cachesize 0 33554432 0
lastmod         on


index objectClass eq
index   cn,uid,displayName eq,sub,pres
index   krb5PrincipalName eq
index associatedDomain pres,eq,sub
index entryUUID,default,entryCSN eq


# needed for syncrepl
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

limits dn.exact="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited






#######################################################################
# sasl config

sasl-secprops minssf=0
security simple_bind=64

sasl-regexp
    uid=(.+),cn=.+,cn=auth
    ldap:///dc=mm-karton,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@MM-KARTON.COM))
sasl-regexp "=0" "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com"




#######################################################################
# access control

# needed for certain auth stuff
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

access to attrs=krb5PrincipalName
    by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
    by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
    by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
    by anonymous auth

access to attrs=userPassword
    by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
    by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
    by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
    by anonymous auth



# Kerberos attributes only accessible to root/ldapmaster and the superadmins
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmName
    by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
    by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
    by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
    by * none



# user info readable for nssproxy user
access to dn.subtree="ou=users,dc=mm-karton,dc=com"
    by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
    by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
    by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
    by dn="uid=nssproxy,dc=mm-karton,dc=com" read
access to dn.subtree="ou=groups,dc=mm-karton,dc=com"
    by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
    by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
    by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
    by dn="uid=nssproxy,dc=mm-karton,dc=com" read
access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid
    by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
    by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
    by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
    by dn="uid=nssproxy,dc=mm-karton,dc=com" read



# all the rest
access to dn.subtree="dc=mm-karton,dc=com"
    by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
    by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
    by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
}}}

/etc/default/slapd
{{{
# Default location of the slapd.conf file
SLAPD_CONF=

# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER="openldap"

# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="openldap"

# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf)
SLAPD_PIDFILE=

# Configure if the slurpd daemon should be started. Possible values: 
# - yes:   Always start slurpd
# - no:    Never start slurpd
# - auto:  Start slurpd if a replica option is found in slapd.conf (default)
SLURPD_START=auto

# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
SLAPD_SERVICES="ldap://10.128.4.36/ ldapi:///"

# Additional options to pass to slapd and slurpd
SLAPD_OPTIONS=""
SLURPD_OPTIONS=""

export KRB5_KTNAME="FILE:/etc/ldap/ldap.keytab"

[ -L /var/run/ldapi ] || ln -s /var/run/slapd/ldapi /var/run/ldapi
}}}



/etc/heimdal-kdc/kadmin.acl
{{{
lefant/admin@MM-KARTON.COM all
}}}

/etc/heimdal-kdc/kdc.conf
{{{
[kdc]
   database = {
      realm = MM-KARTON.COM
      dbname = ldap:dc=mm-karton,dc=com
      mkey_file = /var/lib/heimdal-kdc/m-key
      acl_file = /etc/heimdal-kdc/kadmind.acl
   }
   addresses = 10.128.0.24
}}}

{{{
$ sudo kadmin -l
init MY.REALM
add lefant/admin
}}}



= config am host =

/etc/libnss-ldap.conf
{{{
BASE    dc=mm-karton, dc=com
URI     ldap://ldap.mm-karton.com/,ldap://ldap-1.mm-karton.com/

ldap_version 3
ssl start_tls
tls_cacertfile /etc/ssl/certs/mmagca_crt.pem

binddn uid=nssproxy,dc=mm-karton,dc=com
bindpw XXXXXXXX

scope sub
pam_filter objectClass=posixAccount
nss_base_passwd ou=users,dc=mm-karton,dc=com
nss_base_group ou=groups,dc=mm-karton,dc=com

# Search timelimit
timelimit 10

# Bind/connect timelimit
bind_timelimit 2

pam_min_uid 10000
pam_max_uid 11000

nss_reconnect_tries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 3
nss_initgroups_ignoreusers arpwatch,asterisk,backup,bin,bind,clamav,cricket,daemon,Debian-exim,debianmirror,dovecot,fetchmail,ftp,games,gnats,identd,irc,list,lp,mail,man,messagebus,mysql,nagios,news,nobody,ntp,ntpd,nut,openvpn,pdns,proftpd,proxy,puppet,root,smmsp,smmta,smsd,snmp,snort,sshd,statd,sync,sys,uucp,www-data,zope
}}}

/etc/nsswitch.conf
{{{
passwd:         files ldap
group:          files ldap
shadow:         files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
}}}

/etc/krb5.conf
{{{
[libdefaults]
   default_realm = MM-KARTON.COM
   dns_lookup_realm = yes

[logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log

[appdefaults]
        pam = {
                ticket_lifetime = 10h
                renew_lifetime = 10h
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 0
                debug = false
        }

[domain_realm]
   srv-pof-30.pof.mmk.mmdom.net = MM-KARTON.COM

[realms]
   MMK.MMDOM.NET = {
      kdc = DC-VIE-50
      kpasswd_server = DC-VIE-50
      auth_to_local_names = {
         lefant = invaliduser
         unki = invaliduser
      }
   }
   MM-KARTON.COM = {
      admin_server = kerberos.mm-karton.com
      auth_to_local = RULE:[1:$1@$0](^.*@MMK.MMDOM.NET$)s/@MMK.MMDOM.NET//
      auth_to_local = DEFAULT
   }
}}}


/etc/pam.d/common-account
{{{
account required        pam_access.so
account sufficient      pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000
account sufficient      pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000
account required        pam_unix.so
}}}

/etc/pam.d/common-auth
{{{
auth    optional        pam_group.so
auth    sufficient      pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 try_first_pass
auth    sufficient      pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 try_first_pass
auth    required        pam_unix.so try_first_pass
}}}

/etc/pam.d/common-session
{{{
session required pam_mkhomedir.so umask=0022 skel=/etc/mmskel
session sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000
session sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000
session required        pam_unix.so
}}}



restrict logins to certain users:

/etc/security/access.conf
{{{
# first, to avoid delays when network is still unavailable
+:ALL:LOCAL
+:root:ALL

# remote users and groups
+:bofh:ALL

# deny everything else
-:ALL:ALL
}}}



/etc/adduser.conf (snippet)
{{{
# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
# allocated user accounts/groups.
FIRST_UID=1000
LAST_UID=19999
}}}




ldap client config (administration):

/etc/ldap/ldap.conf
{{{
BASE    dc=mm-karton, dc=com
URI     ldap://ldap.mm-karton.com/
ssl start_tls
tls_cacert /etc/ssl/certs/ca_crt.pem
}}}

ldapwhoami, ldapsearch



sudo, nopasswd, weil solches haben wir ja nicht...

/etc/sudoers
{{{
lefant ALL=(ALL) NOPASSWD:ALL
}}}



= single sign on fuer applikationen (gssapi support, das grosse fragezeichen) =

/etc/ssh/sshd_config (snippet)
{{{
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
}}}

/etc/ssh/ssh_config (snippet)
{{{
host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDns yes
}}}



firefox: out-of-the-box!

apache: (apt-get install libapache2-mod-auth-kerb)
config snippet
{{{
   <Location />
      AuthType Kerberos
      AuthName "MM Login (use windows login *without* mm\ prefix)"
      KrbServiceName HTTP
      Krb5Keytab /etc/apache2/keytab
      KrbAuthRealms MMK.MMDOM.NET MM-KARTON.COM
      AuthGroupFile /etc/wwwusers
      Require group NocUsers
      Order deny,allow
      Deny from all
      Allow from noc.mm-karton.com
      Satisfy any
   </Location>
}}}



= misc stuff =
 * tcpdump
 * strace
 * $HOME/.k5login