====== Kerberos slave ======

**EL9 (RockyLinux/AlmaLinux 9)**: installation and configuration of a Kerberos slave (replica KDC). IPv6 is disabled on the host.

===== Package installation =====

<code bash>
dnf install -y bind-utils epel-release curl vim dnf-automatic checkpolicy gnutls-utils rsyslog-gnutls bash-completion
dnf install -y fail2ban fail2ban-firewalld
dnf install -y s-nail
</code>

(mailx has been replaced by s-nail.)

===== Date, time and timezone =====

<code bash>
timedatectl set-timezone Europe/Rome
</code>

===== Service configuration: chrony =====

Kerberos depends on synchronized clocks: tickets and authenticators carry timestamps, and the KDC rejects requests whose clock skew exceeds the configured limit (5 minutes by default), so NTP must be working before the KDC is started.

In /etc/chrony.conf replace the line

<code>
pool 2.rocky.pool.ntp.org iburst
</code>

with

<code>
server ntp-1.infn.it iburst
server ntp-2.infn.it iburst
server ntp-3.infn.it iburst
</code>

Restart the service

<code bash>
systemctl restart chronyd.service
</code>

and check the configuration: every source should be reachable (''Reach'' 377) and one of them selected as the synchronization source (the line marked ''^*''):

<code>
[root@krb ~]# chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- dns1.ge.infn.it               2  10   377   579    +17us[  -72us] +/-   13ms
^- dns2.ge.infn.it               2  10   377   862   -969ns[  -87us] +/-   13ms
^* ntp.cnaf.infn.it              1  10   377   106    -68us[ -161us] +/- 1588us
</code>

===== Service configuration: fail2ban =====

<code bash>
mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
chcon -u system_u /etc/fail2ban/jail.local
ll -Z /etc/fail2ban          # check the SELinux labels
</code>

Edit /etc/fail2ban/jail.local: enable the ''[sshd]'' and ''[selinux-ssh]'' jails \\
and change ''banaction'' (comment out the iptables actions and use firewalld) as follows:

<code>
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode    = normal
port     = ssh
logpath  = %(sshd_log)s
backend  = %(sshd_backend)s
enabled  = true
bantime  = 30m
findtime = 10m
maxretry = 3
</code>

<code>
[selinux-ssh]
port     = ssh
logpath  = %(auditd_log)s
enabled  = true
bantime  = 30m
</code>

<code>
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
## banaction = iptables-multiport
## banaction_allports = iptables-allports
banaction = firewallcmd-rich-rules[actiontype=]
banaction_allports = firewallcmd-rich-rules[actiontype=]
</code>

Enable and start the fail2ban service, then check that both jails are loaded:

<code bash>
systemctl enable fail2ban.service
systemctl start fail2ban.service
fail2ban-client status
</code>

<code>
Status
|- Number of jail:      2
`- Jail list:   selinux-ssh, sshd
</code>

To list the banned IPs:

<code bash>
fail2ban-client banned
</code>

<code>
[{'sshd': []}, {'selinux-ssh': []}]
</code>

===== Service configuration: firewalld =====

Remove the services a KDC does not need from the public zone and open the Kerberos (88) and kprop (754) services:

<code bash>
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --remove-service=cockpit
firewall-cmd --permanent --zone=public --add-service=kerberos
firewall-cmd --permanent --zone=public --add-service=kprop
firewall-cmd --reload
</code>

The firewall configuration for the SSH service must also be changed so that logins are accepted only from designated hosts (not from the whole LAN). \\
The specific configuration obviously depends on the site layout. \\
Example (add the rich rule for the allowed host first and only then remove the generic ''ssh'' service, otherwise you lock yourself out):

<code bash>
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="www.xxx.yyy.zzz/32" service name=ssh accept'
firewall-cmd --permanent --zone=public --remove-service=ssh
systemctl restart firewalld.service
</code>

To see the firewall state:

<code bash>
firewall-cmd --list-all
</code>

===== Mail configuration =====

Configure postfix/sendmail according to the guidelines of your Section.

===== Kerberos =====

=== Package installation ===

<code bash>
dnf install -y krb5-libs krb5-server krb5-workstation krb5-devel
</code>

=== Configuration ===

Save any existing krb5.conf, download the national one and restore the SELinux user on the new file:

<code bash>
if [ -e /etc/krb5.conf ] ; then mv -f /etc/krb5.conf /etc/krb5.conf.saved-`date +%Y%m%d-%H:%M` ; fi
curl -o /etc/krb5.conf https://wiki.infn.it/_media/cn/ccr/aai/howto/krb5.conf.txt
chcon -u system_u /etc/krb5.conf
ll -lZ /etc/krb5.conf*
</code>

<code>
-rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 829 Dec 12 09:35 /etc/krb5.conf
-rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 880 Nov 28  2022 /etc/krb5.conf.saved-20221207-14:44
</code>

== KDC configuration ==

Check the following files (they must be owned by root, mode 600, with the ''krb5kdc_conf_t'' label):

<code>
/var/kerberos/krb5kdc/kadm5.acl
/var/kerberos/krb5kdc/kdc.conf
</code>

<code bash>
ls -lZ /var/kerberos/krb5kdc/kadm5.acl
</code>
<code>
-rw-------. 1 root root system_u:object_r:krb5kdc_conf_t:s0 22 Apr 18 14:15 /var/kerberos/krb5kdc/kadm5.acl
</code>

<code bash>
ls -lZ /var/kerberos/krb5kdc/kdc.conf
</code>
<code>
-rw-------. 1 root root system_u:object_r:krb5kdc_conf_t:s0 481 Dec  7  2022 /var/kerberos/krb5kdc/kdc.conf
</code>

Run:

<code bash>
if [ -e /var/kerberos/krb5kdc/kdc.conf ] ; then mv -f /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kdc.conf.saved-`date +%Y%m%d-%H:%M` ; fi
curl -o /var/kerberos/krb5kdc/kdc.conf https://wiki.infn.it/_media/cn/ccr/aai/howto/kdc.conf.txt
chcon -u system_u /var/kerberos/krb5kdc/kdc.conf
chmod 600 /var/kerberos/krb5kdc/kdc.conf
</code>

== Keytab ==

Copy the host keytab to /etc/krb5.keytab and check permissions and SELinux labels (the keytab is what authenticates this host to the master during propagation, so it must be readable by root only):

<code bash>
chcon -u system_u /etc/krb5.keytab
</code>

<code>
[root@krb ~]# ll -Z /etc/krb5.keytab
-rw-------. 1 root root system_u:object_r:krb5_keytab_t:s0 364 Dec  7  2022 /etc/krb5.keytab
</code>

== Master key ==

Ask the administrators of the national Kerberos for the master key (stash file) and copy it to:

<code>
/var/kerberos/krb5kdc/.k5.INFN.IT
</code>

<code bash>
chcon -u system_u /var/kerberos/krb5kdc/.k5.INFN.IT
</code>

Do NOT start the KDC service until the database has been received from the master (otherwise the KDC tries to create an initial one).

== Configuring kprop.service ==

Starting with RHEL 9, xinetd is no longer supported and systemd services must be used instead. \\
A ready-made unit exists, ''kprop.service'', which reads the file /etc/sysconfig/kprop \\
for the parameters to pass to kpropd:

<code bash>
cat /etc/sysconfig/kprop
</code>
<code>
KPROPD_ARGS= -r INFN.IT -P 754 -a /var/kerberos/krb5kdc/kpropd.acl
</code>

The ACL file lists the principals allowed to push a database to this replica; it must contain only the host principal of the master KDC:

<code bash>
echo "host/k5.infn.it@INFN.IT" > /var/kerberos/krb5kdc/kpropd.acl
chcon -u system_u /var/kerberos/krb5kdc/kpropd.acl
chmod 600 /var/kerberos/krb5kdc/kpropd.acl
systemctl enable --now kprop.service
</code>
<code>
Created symlink /etc/systemd/system/multi-user.target.wants/kprop.service → /usr/lib/systemd/system/kprop.service.
</code>

<code bash>
systemctl status kprop.service
</code>
<code>
● kprop.service - Kerberos 5 Propagation
     Loaded: loaded (/usr/lib/systemd/system/kprop.service; enabled; preset: disabled)
     Active: active (running) since Mon 2023-05-29 10:23:47 CEST; 1 week 3 days ago
   Main PID: 1071 (kpropd)
      Tasks: 1 (limit: 22958)
     Memory: 14.5M
        CPU: 6min 53.622s
     CGroup: /system.slice/kprop.service
             └─1071 /usr/sbin/kpropd -r INFN.IT -P 754 -a /var/kerberos/krb5kdc/kpropd.acl

Jun 08 10:24:32 krb kpropd[695441]: Connection from k5.infn.it
Jun 08 10:24:35 krb kpropd[695443]: Connection from k5.infn.it
Jun 08 10:24:38 krb kpropd[695445]: Connection from k5.infn.it
Jun 08 10:24:41 krb kpropd[695447]: Connection from k5.infn.it
Jun 08 10:24:44 krb kpropd[695449]: Connection from k5.infn.it
Jun 08 10:24:47 krb kpropd[695451]: Connection from k5.infn.it
Jun 08 10:24:50 krb kpropd[695453]: Connection from k5.infn.it
Jun 08 10:24:53 krb kpropd[695455]: Connection from k5.infn.it
Jun 08 10:24:57 krb kpropd[695457]: Connection from k5.infn.it
Jun 08 10:25:00 krb kpropd[695459]: Connection from k5.infn.it
</code>

Notify the Kerberos administrators by sending an e-mail to k5-admin@lists.infn.it.

Once propagation from the master has been configured and the principal database has been received:

<code bash>
ls -laZ /var/kerberos/krb5kdc/principal*
</code>
<code>
-rw-------. 1 root root system_u:object_r:krb5kdc_principal_t:s0 5857280 Jun  8 10:57 /var/kerberos/krb5kdc/principal
-rw-------. 1 root root system_u:object_r:krb5kdc_principal_t:s0    8192 Jun  8 10:25 /var/kerberos/krb5kdc/principal.kadm5
-rw-------. 1 root root system_u:object_r:krb5kdc_principal_t:s0       0 Dec 12 08:24 /var/kerberos/krb5kdc/principal.kadm5.lock
-rw-------. 1 root root system_u:object_r:krb5kdc_lock_t:s0            0 Jun  8  2023 /var/kerberos/krb5kdc/principal.ok
</code>

start the KDC:

<code bash>
systemctl enable --now krb5kdc.service
</code>
<code>
Created symlink /etc/systemd/system/multi-user.target.wants/krb5kdc.service → /usr/lib/systemd/system/krb5kdc.service.
</code>

Check the service status:

<code bash>
systemctl status krb5kdc.service
</code>

===== Active services =====

  * postfix/sendmail
  * firewalld
  * fail2ban
  * kprop
  * krb5kdc
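The procedure above leaves several secret files under /var/kerberos/krb5kdc and insists that krb5kdc must not be started before the master has pushed the database and that kpropd.acl must name only the master's host principal. The following script is an added example, not part of the INFN page nor of the krb5 distribution: it runs those checks (mode 600 on kdc.conf, kadm5.acl, kpropd.acl and the stash file; a single, expected entry in kpropd.acl; a non-empty principal database) and also checks a saved ''chronyc sources'' output for a selected NTP source. It assumes GNU ''stat'' (as on EL9); the KDC directory, realm and master host are parameters so it can be pointed at a test tree, and the defaults INFN.IT / k5.infn.it are the values used on this page.

```shell
#!/bin/bash
# Added example: pre-flight check for a replica KDC (not the INFN page's own code).
# Assumes GNU coreutils stat; directory, realm and master are parameters.

# _mode600 FILE : 0 if FILE exists and is mode 0600 (no group/other access)
_mode600() {
    [ -f "$1" ] || { echo "MISSING: $1"; return 1; }
    local mode
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "600" ] || { echo "BAD MODE $mode (want 600): $1"; return 1; }
    return 0
}

# kpropd_acl_ok ACLFILE MASTER REALM : 0 only if the ACL holds exactly one
# entry and it is host/MASTER@REALM. Any extra principal would allow another
# host to replace this replica's database.
kpropd_acl_ok() {
    local acl="$1" want="host/$2@$3" n
    [ -f "$acl" ] || { echo "MISSING: $acl"; return 1; }
    n=$(grep -cv '^[[:space:]]*$' "$acl" || true)
    [ "$n" -eq 1 ] || { echo "kpropd.acl has $n entries, expected 1"; return 1; }
    grep -qx "$want" "$acl" || { echo "kpropd.acl does not contain $want"; return 1; }
    return 0
}

# chrony_synced : reads `chronyc sources` output on stdin, 0 if a source is
# selected (line starting with ^*). Kerberos needs the clock in sync first.
chrony_synced() {
    grep -q '^\^\*' || { echo "no NTP source selected"; return 1; }
    return 0
}

# kdc_preflight DIR REALM MASTER : 0 only if every secret file is present with
# mode 600, the ACL is correct and the database has been received from the master.
kdc_preflight() {
    local dir="$1" realm="$2" master="$3" rc=0 f
    for f in kdc.conf kadm5.acl kpropd.acl ".k5.$realm"; do
        _mode600 "$dir/$f" || rc=1
    done
    kpropd_acl_ok "$dir/kpropd.acl" "$master" "$realm" || rc=1
    # principal is written by kpropd; missing or empty means no propagation yet.
    if [ ! -s "$dir/principal" ]; then
        echo "NO DATABASE: $dir/principal missing or empty - do not start krb5kdc yet"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir ready, krb5kdc can be started"
    return "$rc"
}

# Direct use on the replica:
#   kdc_preflight.sh /var/kerberos/krb5kdc INFN.IT k5.infn.it && chronyc sources | chrony_synced
if [ -n "${1:-}" ]; then
    kdc_preflight "$1" "${2:-INFN.IT}" "${3:-k5.infn.it}"
fi
```

Run it as root before ''systemctl enable --now krb5kdc.service''; a non-zero exit with the printed reason is the cue to stop and fix the file or wait for the first propagation from the master.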