X-Git-Url: https://git.deb.at/?p=debienna.git;a=blobdiff_plain;f=KerberosAuthenticationInfrastructure%2Findex.mdwn;h=266675d78b3ad7ee35a5cfc979878ece1e139eef;hp=dbf51bfccef5f50337f5017e24b37a7d225cd1cb;hb=0c24fec7e226eb937bb5bc2b876bca6834a7c4fb;hpb=20a0f23c68ffa5790d886d4efa3152bd3a21966f diff --git a/KerberosAuthenticationInfrastructure/index.mdwn b/KerberosAuthenticationInfrastructure/index.mdwn index dbf51bf..266675d 100644 --- a/KerberosAuthenticationInfrastructure/index.mdwn +++ b/KerberosAuthenticationInfrastructure/index.mdwn 
@@ -2,58 +2,58 @@ # central usermanagement -...using ldap and kerberos +...using ldap and kerberos # motivation -warum: +warum: -* skaliert -* sicherheit -* komfort (single sign on) -warum nicht: +* skaliert +* sicherheit +* komfort (single sign on) +warum nicht: -* fehlerquelle komplexitaet -* gefahr single point of failure / break in --> infrastruktur! +* fehlerquelle komplexitaet +* gefahr single point of failure / break in +-> infrastruktur! # theorie -recommended reading: +recommended reading: -* [[http://www.openinput.com/auth-howto/index.html|http://www.openinput.com/auth-howto/index.html]] -* [[http://www.pdc.kth.se/heimdal/|http://www.pdc.kth.se/heimdal/]] -* [[http://www.openldap.org/doc/admin23/|http://www.openldap.org/doc/admin23/]] -architektur: +* [[http://www.openinput.com/auth-howto/index.html|http://www.openinput.com/auth-howto/index.html]] +* [[http://www.pdc.kth.se/heimdal/|http://www.pdc.kth.se/heimdal/]] +* [[http://www.openldap.org/doc/admin23/|http://www.openldap.org/doc/admin23/]] +architektur: -* trusted third party, der KDC. hat gemeinsames secret mit allen hosts/services/usern. "principals". generiert auf anfrage ticket mit zeit, ip, und welcher user zu welchem service. -design decisions: +* trusted third party, der KDC. hat gemeinsames secret mit allen hosts/services/usern. "principals". generiert auf anfrage ticket mit zeit, ip, und welcher user zu welchem service. +design decisions: -* keine passwoerter im ldap, alles via kerberos, rueckwaertskompatibilitaet via pam_krb, nicht sasl oder pam_ldap. -* kerberos datenbank im ldap, keine seperate replikation noetig (nur mit heimdal). -* eigene ldap range fuer uid/groupid, root und systemuser bleiben lokal falls das netzwerk spinnt. +* keine passwoerter im ldap, alles via kerberos, rueckwaertskompatibilitaet via pam_krb, nicht sasl oder pam_ldap. +* kerberos datenbank im ldap, keine seperate replikation noetig (nur mit heimdal). 
+* eigene ldap range fuer uid/groupid, root und systemuser bleiben lokal falls das netzwerk spinnt. # required software -zutaten am server: +zutaten am server: -* heimdal kerberos (ldap), alternativen: mit, shishi -* openldap, alternativ: mysql, postgresql -* wohlgepflegtes dns und reverse-dns -* schwer empfohlen: replikation und redundanz +* heimdal kerberos (ldap), alternativen: mit, shishi +* openldap, alternativ: mysql, postgresql +* wohlgepflegtes dns und reverse-dns +* schwer empfohlen: replikation und redundanz [[!format txt """ sudo aptitude install slapd heimdal-kdc """]] -zutaten am host: +zutaten am host: -* libnss-ldap -* pam-krb5 -* sasl mit gssapi provider -* richtige zeit, zb. openntpd (kann aber nicht stratum faken fuer windows) -* kerberized client/serversoftware (zb. openssh, apache2) +* libnss-ldap +* pam-krb5 +* sasl mit gssapi provider +* richtige zeit, zb. openntpd (kann aber nicht stratum faken fuer windows) +* kerberized client/serversoftware (zb. openssh, apache2) [[!format txt """ sudo aptitude install libnss-ldap libpam-krb5 libsasl2-gssapi-mit heimdal-clients @@ -61,15 +61,15 @@ sudo aptitude install libnss-ldap libpam-krb5 libsasl2-gssapi-mit heimdal-client # vorbereitung: domain name service -config im dns (da gibts uebrigens auch welche mit ldap/sql backend ;): +config im dns (da gibts uebrigens auch welche mit ldap/sql backend ;): -aka "srv records rock! - for kerberos but not for ldap :(" +aka "srv records rock! - for kerberos but not for ldap :(" -config file /etc/krb5.conf auf allen hosts ident! +config file /etc/krb5.conf auf allen hosts ident! -was ist ein "canonical hostname"? +was ist ein "canonical hostname"? -zonefile mm-karton.com (snippet): +zonefile mm-karton.com (snippet): [[!format txt """ $ORIGIN mm-karton.com. kerberos A 10.128.0.24 
@@ -90,14 +90,14 @@ _kerberos._udp SRV 20 1 88 kerberos-1 _ldap._tcp SRV 10 1 88 ldap _ldap._tcp SRV 20 1 88 ldap-1 """]] -zonefile mm-karton.net (snippet), afaik heimdal specific: +zonefile mm-karton.net (snippet), afaik heimdal specific: [[!format txt """ _kerberos TXT "MM-KARTON.COM" """]] # config am server -/etc/ldap/slapd.conf +/etc/ldap/slapd.conf [[!format txt """ @@ -243,7 +243,7 @@ access to dn.subtree="dc=mm-karton,dc=com" by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read """]] -/etc/default/slapd +/etc/default/slapd [[!format txt """ # Default location of the slapd.conf file SLAPD_CONF= @@ -260,7 +260,7 @@ SLAPD_GROUP="openldap" # will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf) SLAPD_PIDFILE= -# Configure if the slurpd daemon should be started. Possible values: +# Configure if the slurpd daemon should be started. Possible values: # - yes: Always start slurpd # - no: Never start slurpd # - auto: Start slurpd if a replica option is found in slapd.conf (default) @@ -280,11 +280,11 @@ export KRB5_KTNAME="FILE:/etc/ldap/ldap.keytab" [ -L /var/run/ldapi ] || ln -s /var/run/slapd/ldapi /var/run/ldapi """]] -/etc/heimdal-kdc/kadmin.acl +/etc/heimdal-kdc/kadmin.acl [[!format txt """ lefant/admin@MM-KARTON.COM all """]] -/etc/heimdal-kdc/kdc.conf +/etc/heimdal-kdc/kdc.conf [[!format txt """ [kdc] database = { @@ -304,7 +304,7 @@ add lefant/admin # config am host -/etc/libnss-ldap.conf +/etc/libnss-ldap.conf [[!format txt """ BASE dc=mm-karton, dc=com URI ldap://ldap.mm-karton.com/,ldap://ldap-1.mm-karton.com/ 
@@ -336,7 +336,7 @@ nss_reconnect_maxsleeptime 2 nss_reconnect_maxconntries 3 nss_initgroups_ignoreusers arpwatch,asterisk,backup,bin,bind,clamav,cricket,daemon,Debian-exim,debianmirror,dovecot,fetchmail,ftp,games,gnats,identd,irc,list,lp,mail,man,messagebus,mysql,nagios,news,nobody,ntp,ntpd,nut,openvpn,pdns,proftpd,proxy,puppet,root,smmsp,smmta,smsd,snmp,snort,sshd,statd,sync,sys,uucp,www-data,zope """]] -/etc/nsswitch.conf +/etc/nsswitch.conf [[!format txt """ passwd: files ldap group: files ldap @@ -352,7 +352,7 @@ rpc: db files netgroup: nis """]] -/etc/krb5.conf +/etc/krb5.conf [[!format txt """ [libdefaults] default_realm = MM-KARTON.COM @@ -392,30 +392,30 @@ netgroup: nis auth_to_local = DEFAULT } """]] -/etc/pam.d/common-account +/etc/pam.d/common-account [[!format txt """ account required pam_access.so account sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 account sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 account required pam_unix.so """]] -/etc/pam.d/common-auth +/etc/pam.d/common-auth [[!format txt """ auth optional pam_group.so auth sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 try_first_pass auth sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 try_first_pass auth required pam_unix.so try_first_pass """]] -/etc/pam.d/common-session +/etc/pam.d/common-session [[!format txt """ session required pam_mkhomedir.so umask=0022 skel=/etc/mmskel session sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 session sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 session required pam_unix.so """]] -restrict logins to certain users: +restrict logins to certain users: -/etc/security/access.conf +/etc/security/access.conf [[!format txt """ # first, to avoid delays when network is still unavailable +:ALL:LOCAL 
@@ -427,48 +427,48 @@ restrict logins to certain users: # deny everything else -:ALL:ALL """]] -/etc/adduser.conf (snippet) +/etc/adduser.conf (snippet) [[!format txt """ # FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically # allocated user accounts/groups. FIRST_UID=1000 LAST_UID=19999 """]] -ldap client config (administration): +ldap client config (administration): -/etc/ldap/ldap.conf +/etc/ldap/ldap.conf [[!format txt """ BASE dc=mm-karton, dc=com URI ldap://ldap.mm-karton.com/ ssl start_tls tls_cacert /etc/ssl/certs/ca_crt.pem """]] -ldapwhoami, ldapsearch +ldapwhoami, ldapsearch -sudo, nopasswd, weil solches haben wir ja nicht... +sudo, nopasswd, weil solches haben wir ja nicht... -/etc/sudoers +/etc/sudoers [[!format txt """ lefant ALL=(ALL) NOPASSWD:ALL """]] # single sign on fuer applikationen (gssapi support, das grosse fragezeichen) -/etc/ssh/sshd_config (snippet) +/etc/ssh/sshd_config (snippet) [[!format txt """ GSSAPIAuthentication yes GSSAPIKeyExchange yes """]] -/etc/ssh/ssh_config (snippet) +/etc/ssh/ssh_config (snippet) [[!format txt """ host * GSSAPIAuthentication yes GSSAPIDelegateCredentials yes GSSAPITrustDns yes """]] -firefox: out-of-the-box! +firefox: out-of-the-box! -apache: (apt-get install libapache2-mod-auth-kerb) config snippet +apache: (apt-get install libapache2-mod-auth-kerb) config snippet [[!format txt """ AuthType Kerberos @@ -487,6 +487,6 @@ apache: (apt-get install libapache2-mod-auth-kerb) config snippet # misc stuff -* tcpdump -* strace -* $HOME/.k5login \ No newline at end of file +* tcpdump +* strace +* $HOME/.k5login \ No newline at end of file
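Review bot: the design decision `* kerberos datenbank im ldap, keine seperate replikation noetig (nur mit heimdal).` in the `@@ -2,58 +2,58 @@` hunk should state its consequence: with the principal keys stored in the directory (the `ou=kdc` branch visible in the ACL hunk), slapd, its ACLs and its replication are inside the KDC's trust boundary. Concretely, `by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write` on `dn.subtree="dc=mm-karton,dc=com"` in the `@@ -243,7 +243,7 @@` hunk makes that identity a full KDC administrator no matter what `/etc/heimdal-kdc/kadmin.acl` says, because a direct LDAP write bypasses kadmind, and the slurpd replication in the `@@ -260,7 +260,7 @@` hunk carries key material to `ldap-1`, so it must run authenticated and encrypted. Every hunk in this patch only strips trailing whitespace, so none of this blocks the change; it is content the page should gain in a follow-up.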
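Review bot: `_ldap._tcp SRV 10 1 88 ldap` and `_ldap._tcp SRV 20 1 88 ldap-1` in the `@@ -90,14 +90,14 @@` hunk point LDAP clients at port 88, the Kerberos port; LDAP listens on 389 (636 for ldaps), so the records should read `_ldap._tcp SRV 10 1 389 ldap` and `_ldap._tcp SRV 20 1 389 ldap-1`. The `_kerberos TXT "MM-KARTON.COM"` record described as 'afaik heimdal specific' is also read by MIT Kerberos when `dns_lookup_realm` is enabled; since it lets an unauthenticated DNS answer decide which realm a host belongs to, the page should say that the `[domain_realm]` mapping in the /etc/krb5.conf it already requires to be identical on all hosts is authoritative and the TXT record at most a fallback.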
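Review bot: `export KRB5_KTNAME="FILE:/etc/ldap/ldap.keytab"` in the `@@ -280,11 +280,11 @@` hunk needs a sentence on ownership and mode. The file holds the long-term key of the `ldap/srv-vie-27.vie.mm-karton.com@MM-KARTON.COM` service principal named in the ACL hunk, so it should be owned by the `SLAPD_USER` and the `SLAPD_GROUP="openldap"` from the same file and be unreadable by anyone else (0640 or tighter): a copy of it is enough to impersonate the directory service to every Kerberos client. A `[ -r /etc/ldap/ldap.keytab ] || echo "ldap.keytab missing or unreadable" >&2` line next to the existing `[ -L /var/run/ldapi ] || ln -s /var/run/slapd/ldapi /var/run/ldapi` would surface a misplaced keytab at start-up instead of as GSSAPI binds failing later.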
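Review bot: the `URI ldap://ldap.mm-karton.com/,ldap://ldap-1.mm-karton.com/` line in the `@@ -304,7 +304,7 @@` hunk has no TLS setting, while the administrative /etc/ldap/ldap.conf later in the patch sets `ssl start_tls` and `tls_cacert /etc/ssl/certs/ca_crt.pem`. The design decision 'keine passwoerter im ldap' limits what is exposed, but NSS answers are what assign the uid, primary gid and supplementary groups to every Kerberos-authenticated login, so an on-path answer changes who a user becomes on the host. libnss-ldap accepts the same `ssl start_tls` directive together with `tls_cacertfile /etc/ssl/certs/ca_crt.pem` (its own name for the CA file), and those two lines belong in this snippet.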
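Review bot: `minimum_uid=20000` on every pam_krb5 line in the `@@ -392,30 +392,30 @@` hunk is the control that keeps the KDC out of local accounts (root, system users and the `FIRST_UID=1000`/`LAST_UID=19999` adduser range in the next hunk); without it a principal `root@MM-KARTON.COM` would satisfy `auth sufficient pam_krb5.so` for local root, and that link to the design decision 'root und systemuser bleiben lokal' deserves one sentence in the page. Two more points on the same lines: the `realm=MMK.MMDOM.NET` entries only work if that realm is also defined in the /etc/krb5.conf from the `@@ -352,7 +352,7 @@` hunk, which the diff context does not show; and because both realms map onto the same local usernames, whether `alice@MMK.MMDOM.NET` may become local `alice` is decided by the `auth_to_local = DEFAULT` rule and by `$HOME/.k5login`, which '# misc stuff' lists without that explanation, so the page should state which of the two it relies on.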
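Review bot: `GSSAPIDelegateCredentials yes` together with `GSSAPITrustDns yes` under `host *` in the `@@ -427,48 +427,48 @@` hunk forwards the user's TGT to every host ever connected to and lets DNS decide which `host/` principal the client requests a ticket for, so a spoofed DNS answer combined with one compromised host keytab in the realm yields a usable copy of the user's credentials; delegation should be limited to a `Host` block naming the machines that actually need forwarded tickets. Two smaller points in the same hunk: `+:ALL:LOCAL` as the first access.conf rule means everything down to `-:ALL:ALL` restricts only non-local origins, and in older pam_access versions `LOCAL` matched any origin string without a dot, i.e. any unqualified hostname, so the installed version should be checked; and `lefant ALL=(ALL) NOPASSWD:ALL`, justified as 'weil solches haben wir ja nicht', gives up a check the earlier common-auth stack actually supports, since sudo's PAM prompt goes through `pam_krb5.so` and the Kerberos password works there, which would stop a stolen forwarded ticket from turning into root without any prompt.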