
Kerberos slave

EL9 (RockyLinux/AlmaLinux 9): installing and configuring a Kerberos slave (replica KDC)

IPv6 is disabled on this host.

Package installation

dnf install -y bind-utils  epel-release curl vim dnf-automatic checkpolicy gnutls-utils rsyslog-gnutls bash-completion 

dnf install -y fail2ban fail2ban-firewalld  

dnf install -y s-nail   (mailx has been replaced by s-nail)

Date, time and timezone

timedatectl set-timezone Europe/Rome

Service configuration: chrony

In /etc/chrony.conf, replace "pool 2.rocky.pool.ntp.org iburst" with

server ntp-1.infn.it iburst 
server ntp-2.infn.it iburst 
server ntp-3.infn.it iburst 

Restart the service

systemctl restart chronyd.service 

and check the configuration. Kerberos rejects requests whose timestamp differs from the KDC's clock by more than the configured clockskew (5 minutes by default), so the sources must actually be reached (Reach 377) and a synchronised source selected (^*):

[root@krb ~]# chronyc sources

MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- dns1.ge.infn.it               2  10   377   579    +17us[  -72us] +/-   13ms
^- dns2.ge.infn.it               2  10   377   862   -969ns[  -87us] +/-   13ms
^* ntp.cnaf.infn.it              1  10   377   106    -68us[ -161us] +/- 1588us
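As an added check that is not part of the original page: "chronyc sources" shows that the servers are reachable, but what matters for Kerberos is the resulting offset of the local clock. The functions below parse the "System time" line of "chronyc tracking" and compare the absolute offset with the MIT krb5 default clockskew of 300 s. The threshold variable, the function names and the sample lines in the test are this example's own; the threshold is not read from krb5.conf.

```shell
# Added example: verify the local clock offset is within Kerberos' clockskew.
# Assumes a POSIX awk and the standard `chronyc tracking` output line
#   "System time     : 0.000068 seconds fast of NTP time"
# KRB5_CLOCKSKEW mirrors the MIT krb5 libdefaults default (300 s).
KRB5_CLOCKSKEW=${KRB5_CLOCKSKEW:-300}

# Print the absolute offset in seconds, reading `chronyc tracking` output on stdin.
# Exit 1 if the "System time" line is missing (chronyd not running, wrong input).
chrony_offset_seconds() {
    awk '/^System time/ { off = $4; sub(/^-/, "", off); print off; found = 1 }
         END { if (!found) exit 1 }'
}

# clock_skew_ok [MAX_SECONDS]   (reads `chronyc tracking` output on stdin)
#   returns 0 when |offset| < MAX_SECONDS, 1 when the clock is too far off,
#   2 when the offset could not be determined.
clock_skew_ok() {
    max=${1:-$KRB5_CLOCKSKEW}
    off=$(chrony_offset_seconds) || return 2
    awk -v off="$off" -v max="$max" 'BEGIN { exit !(off + 0 < max + 0) }'
}

# Live usage on the replica:
#   chronyc tracking | clock_skew_ok || echo "clock offset too large for Kerberos" >&2
```

A sane host reports an offset of microseconds; anything approaching the threshold means chronyd is not actually steering the clock (wrong servers, blocked UDP/123) and should be fixed before the KDC is started.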

Service configuration: fail2ban

mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local 
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local 
chcon -u system_u /etc/fail2ban/jail.local 
ll -Z /etc/fail2ban   (check the SELinux labels)

Edit /etc/fail2ban/jail.local: enable [sshd] and [selinux-ssh], and change banaction
(comment out the iptables actions and use the firewalld ones) as follows:

[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
bantime = 30m
findtime = 10m
maxretry = 3

[selinux-ssh]

port     = ssh
logpath  = %(auditd_log)s
enabled = true
bantime = 30m

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
## banaction = iptables-multiport
## banaction_allports = iptables-allports
banaction = firewallcmd-rich-rules[actiontype=]
banaction_allports = firewallcmd-rich-rules[actiontype=]

Enable and start the fail2ban service, then check that both jails are active

systemctl enable fail2ban.service 
systemctl start  fail2ban.service 
fail2ban-client status

Status
|- Number of jail:      2
`- Jail list:   selinux-ssh, sshd

To list the banned IPs (both lists are empty right after start-up)

fail2ban-client banned 
[{'sshd': []}, {'selinux-ssh': []}] 

Service configuration: firewalld

firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client 
firewall-cmd --permanent --zone=public --remove-service=cockpit 
firewall-cmd --permanent --zone=public --add-service=kerberos 
firewall-cmd --permanent --zone=public --add-service=kprop 
firewall-cmd --reload 

The firewall configuration for the SSH service must also be changed so that logins are accepted only from designated hosts (not from the whole LAN).
The exact rules depend on the site layout. Add the allow rule before removing the ssh service, and make sure the address you are currently connected from is among the permitted sources, or you will lock yourself out.
Example (www.xxx.yyy.zzz is a placeholder)

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="www.xxx.yyy.zzz/32" service name=ssh accept' 

firewall-cmd --permanent --zone=public --remove-service=ssh 

systemctl restart firewalld.service 

Restarting (or reloading) firewalld resets the runtime rules to the permanent ones, which also drops any bans fail2ban has inserted; if fail2ban is already running, restart it afterwards so that it re-applies them.

To see the firewall state: 

firewall-cmd --list-all
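Reading "firewall-cmd --list-all" by eye is error-prone after several permanent changes, so here is an added check, not part of the original page, that audits the listing for the end state the steps above aim at: kerberos and kprop open, ssh, cockpit and dhcpv6-client no longer open as zone services, and ssh reachable only through a source-restricted rich rule. The sample listing is constructed for the example (192.0.2.10/32 stands in for the admin host) and the function names are this example's own.

```shell
# Added example: audit `firewall-cmd --zone=public --list-all` output.
# Reads the listing on stdin so it can be run live or against a saved copy.
audit_public_zone() {
    awk '
        /^[[:space:]]*services:/ { for (i = 2; i <= NF; i++) svc[$i] = 1 }
        # rich rules are printed one per line below "rich rules:"; firewalld may
        # print the service name quoted or not, so accept both forms
        /^[[:space:]]*rule / && /service name="?ssh"?/ && /source address=/ { ssh_rule++ }
        END {
            rc = 0
            if (!("kerberos" in svc)) { print "missing service: kerberos"; rc = 1 }
            if (!("kprop" in svc))    { print "missing service: kprop"; rc = 1 }
            for (s in svc)
                if (s == "ssh" || s == "cockpit" || s == "dhcpv6-client") {
                    print "service still open to everyone: " s; rc = 1
                }
            if (!ssh_rule) { print "no source-restricted rich rule for ssh"; rc = 1 }
            exit rc
        }'
}

# Constructed sample of the listing after the steps above (not a real capture).
sample_listing() {
    cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: kerberos kprop
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="192.0.2.10/32" service name="ssh" accept
EOF
}

# Live usage:
#   firewall-cmd --zone=public --list-all | audit_public_zone && echo "public zone OK"
```

The check deliberately fails if ssh is still listed as a zone service even when a rich rule exists, because the zone service would make the rich rule irrelevant.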

Mail configuration

Configure postfix/sendmail according to the directives of your Sezione.

Kerberos

Package installation

dnf install -y krb5-libs krb5-server  krb5-workstation  krb5-devel 

Configuration

if [ -e /etc/krb5.conf ] ; then mv -f /etc/krb5.conf /etc/krb5.conf.saved-`date +%Y%m%d-%H:%M` ; fi 
curl -o /etc/krb5.conf https://wiki.infn.it/_media/cn/ccr/aai/howto/krb5.conf.txt 
chcon -u system_u /etc/krb5.conf 
ll -lZ /etc/krb5.conf*
-rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 829 Dec 12 09:35 /etc/krb5.conf
-rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 880 Nov 28  2022 /etc/krb5.conf.saved-20221207-14:44

KDC configuration

Check the following files: /var/kerberos/krb5kdc/kadm5.acl and /var/kerberos/krb5kdc/kdc.conf (root-owned, mode 600, type krb5kdc_conf_t)

ls -lZ /var/kerberos/krb5kdc/kadm5.acl
-rw-------. 1 root root system_u:object_r:krb5kdc_conf_t:s0 22 Apr 18 14:15 /var/kerberos/krb5kdc/kadm5.acl
ls -lZ /var/kerberos/krb5kdc/kdc.conf
-rw-------. 1 root root system_u:object_r:krb5kdc_conf_t:s0 481 Dec  7  2022 /var/kerberos/krb5kdc/kdc.conf

Run:

if [ -e /var/kerberos/krb5kdc/kdc.conf ] ; then mv -f /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kdc.conf.saved-`date +%Y%m%d-%H:%M` ; fi 

curl -o  /var/kerberos/krb5kdc/kdc.conf https://wiki.infn.it/_media/cn/ccr/aai/howto/kdc.conf.txt

chcon -u system_u /var/kerberos/krb5kdc/kdc.conf 

chmod 600 /var/kerberos/krb5kdc/kdc.conf 

Keytab

Copy the host's keytab to /etc/krb5.keytab and check its permissions and SELinux label (root-owned, mode 600, type krb5_keytab_t)

chcon -u system_u /etc/krb5.keytab 
[root@krb ~]# ll -Z  /etc/krb5.keytab
-rw-------. 1 root root system_u:object_r:krb5_keytab_t:s0 364 Dec  7  2022 /etc/krb5.keytab

Master key

Ask the national Kerberos administrators for the master key stash file and copy it to:

/var/kerberos/krb5kdc/.k5.INFN.IT
chcon -u system_u /var/kerberos/krb5kdc/.k5.INFN.IT 

Do NOT start the KDC service until the database has been received from the master (otherwise the KDC would start without the replicated principal database).

Configuring kprop.service

Starting with RHEL 9, xinetd is no longer supported and systemd services must be used instead.
A ready-made unit, kprop.service, exists; it reads /etc/sysconfig/kprop for the parameters to pass to kpropd.
The ACL file /var/kerberos/krb5kdc/kpropd.acl must list only the principal allowed to push the database, i.e. the master KDC's host principal:

cat /etc/sysconfig/kprop 
KPROPD_ARGS= -r INFN.IT -P 754 -a /var/kerberos/krb5kdc/kpropd.acl 
echo "host/k5.infn.it@INFN.IT" > /var/kerberos/krb5kdc/kpropd.acl 

chcon -u system_u /var/kerberos/krb5kdc/kpropd.acl 

chmod 600 /var/kerberos/krb5kdc/kpropd.acl 

systemctl enable --now kprop.service 
Created symlink /etc/systemd/system/multi-user.target.wants/kprop.service → /usr/lib/systemd/system/kprop.service. 

systemctl status kprop.service
● kprop.service - Kerberos 5 Propagation
     Loaded: loaded (/usr/lib/systemd/system/kprop.service; enabled; preset: disabled)
     Active: active (running) since Mon 2023-05-29 10:23:47 CEST; 1 week 3 days ago
   Main PID: 1071 (kpropd)
      Tasks: 1 (limit: 22958)
     Memory: 14.5M
        CPU: 6min 53.622s
     CGroup: /system.slice/kprop.service
             └─1071 /usr/sbin/kpropd -r INFN.IT -P 754 -a /var/kerberos/krb5kdc/kpropd.acl

Jun 08 10:24:32 krb kpropd[695441]: Connection from k5.infn.it
Jun 08 10:24:35 krb kpropd[695443]: Connection from k5.infn.it
Jun 08 10:24:38 krb kpropd[695445]: Connection from k5.infn.it
Jun 08 10:24:41 krb kpropd[695447]: Connection from k5.infn.it
Jun 08 10:24:44 krb kpropd[695449]: Connection from k5.infn.it
Jun 08 10:24:47 krb kpropd[695451]: Connection from k5.infn.it
Jun 08 10:24:50 krb kpropd[695453]: Connection from k5.infn.it
Jun 08 10:24:53 krb kpropd[695455]: Connection from k5.infn.it
Jun 08 10:24:57 krb kpropd[695457]: Connection from k5.infn.it
Jun 08 10:25:00 krb kpropd[695459]: Connection from k5.infn.it

Notify the Kerberos administrators by e-mailing k5-admin@lists.infn.it so that propagation from the master to this host can be enabled.

Once propagation from the master has been configured and the principal database has been received:

# ls -laZ /var/kerberos/krb5kdc/principal*
-rw-------. 1 root root system_u:object_r:krb5kdc_principal_t:s0 5857280 Jun  8 10:57 /var/kerberos/krb5kdc/principal
-rw-------. 1 root root system_u:object_r:krb5kdc_principal_t:s0    8192 Jun  8 10:25 /var/kerberos/krb5kdc/principal.kadm5
-rw-------. 1 root root system_u:object_r:krb5kdc_principal_t:s0       0 Dec 12 08:24 /var/kerberos/krb5kdc/principal.kadm5.lock
-rw-------. 1 root root system_u:object_r:krb5kdc_lock_t:s0            0 Jun  8  2023 /var/kerberos/krb5kdc/principal.ok
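At this point every piece of secret material the page has had you place on the replica exists (keytab, master key stash, kdc.conf, kadm5.acl, kpropd.acl and now the principal database), and each section above asked you to eyeball ownership, mode and SELinux label. The following is an added check, not part of the original page, that does that for all of them in one go. It assumes GNU or BusyBox "stat -c"; the modes and types it expects are the ones shown in the listings above, except for .k5.INFN.IT and kpropd.acl, where the page shows only the chcon -u system_u step, so for those only the SELinux user is checked (mode 600 for the stash file is this example's assumption). CHECK_OWNER exists only so the functions can be exercised as a non-root user in the test.

```shell
# Added example: verify owner, mode and SELinux label of the KDC's secret files.
# The label check is skipped where `stat -c %C` reports "?" (no SELinux support).
CHECK_OWNER=${CHECK_OWNER:-root}   # stays "root" on the replica; test-only override

# check_secret_file PATH MODE -> 0 if PATH exists, is owned by CHECK_OWNER and has
# exactly the octal mode MODE; otherwise prints what is wrong and returns 1.
check_secret_file() {
    f=$1; want=$2; bad=0
    [ -e "$f" ] || { echo "$f: missing"; return 1; }
    mode=$(stat -c '%a' "$f"); owner=$(stat -c '%U' "$f")
    [ "$mode" = "$want" ] || { echo "$f: mode $mode, expected $want"; bad=1; }
    [ "$owner" = "$CHECK_OWNER" ] || { echo "$f: owner $owner, expected $CHECK_OWNER"; bad=1; }
    return $bad
}

# check_label PATH TYPE -> 0 if the label is system_u:object_r:TYPE:...; TYPE="-"
# checks only the SELinux user (the effect of `chcon -u system_u`). Returns 0 when
# SELinux is unavailable so the function can still run on a test box.
check_label() {
    f=$1; type=$2
    ctx=$(stat -c '%C' "$f" 2>/dev/null) || ctx='?'
    [ "$ctx" = '?' ] && return 0
    case $ctx in
        system_u:object_r:*) ;;
        *) echo "$f: label $ctx, expected SELinux user system_u"; return 1 ;;
    esac
    [ "$type" = '-' ] && return 0
    case $ctx in
        system_u:object_r:$type:*) return 0 ;;
        *) echo "$f: label $ctx, expected type $type"; return 1 ;;
    esac
}

# The files this page creates or receives, as PATH:MODE:TYPE.
check_kdc_files() {
    rc=0
    set -- \
        /etc/krb5.conf:644:krb5_conf_t \
        /etc/krb5.keytab:600:krb5_keytab_t \
        /var/kerberos/krb5kdc/kdc.conf:600:krb5kdc_conf_t \
        /var/kerberos/krb5kdc/kadm5.acl:600:krb5kdc_conf_t \
        /var/kerberos/krb5kdc/kpropd.acl:600:- \
        /var/kerberos/krb5kdc/.k5.INFN.IT:600:- \
        /var/kerberos/krb5kdc/principal:600:krb5kdc_principal_t \
        /var/kerberos/krb5kdc/principal.kadm5:600:krb5kdc_principal_t
    for spec; do
        path=${spec%%:*}; rest=${spec#*:}; mode=${rest%%:*}; type=${rest#*:}
        check_secret_file "$path" "$mode" && check_label "$path" "$type" || rc=1
    done
    return $rc
}

# Live usage (as root on the replica):
#   check_kdc_files && echo "KDC secret files OK"
```

Run it again after every propagation-related change: a stray cp or a restore from backup is the usual way a stash file or keytab ends up world-readable or mislabelled, and a mislabelled principal database is also the typical reason an SELinux-enforcing KDC refuses to start.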

start the KDC

systemctl enable --now krb5kdc.service 
Created symlink /etc/systemd/system/multi-user.target.wants/krb5kdc.service → /usr/lib/systemd/system/krb5kdc.service. 

Check the service status

systemctl status krb5kdc.service
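"systemctl status" only proves the daemon is running. The check a practitioner wants is that this replica actually issues tickets from the replicated database, independently of whichever KDC DNS or the site krb5.conf would send a client to. Here is an added example, not part of the original page, that writes a throw-away krb5.conf pinning the INFN.IT realm to the local KDC and then authenticates with the host keytab. It assumes the keytab holds host/<fqdn>@INFN.IT for this machine, that the KDC listens on 127.0.0.1:88 (IPv6 is disabled on this host), and that krb5-workstation (kinit, klist) is installed; the function names are this example's own.

```shell
# Added example: prove that this replica answers AS requests for the realm.

# write_local_krb5_conf OUTFILE [REALM] [KDC] -> minimal config pinned to one KDC;
# DNS lookups are disabled so nothing can redirect the request to another KDC.
write_local_krb5_conf() {
    out=$1; realm=${2:-INFN.IT}; kdc=${3:-127.0.0.1:88}
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $kdc
    }
EOF
}

# Print the KDC a generated config points at (lets the config itself be checked).
krb5_conf_kdc() {
    awk -F'= *' '/^[[:space:]]*kdc *=/ { print $2; exit }' "$1"
}

# kdc_selftest [PRINCIPAL]: obtain a TGT from the local KDC with the host keytab
# and list it. Needs root to read /etc/krb5.keytab. Returns kinit/klist's status.
kdc_selftest() {
    princ=${1:-host/$(hostname -f)@INFN.IT}
    conf=$(mktemp) || return 1
    cc=$(mktemp) || { rm -f "$conf"; return 1; }
    write_local_krb5_conf "$conf"
    rc=1
    if KRB5_CONFIG=$conf KRB5CCNAME=FILE:$cc kinit -k -t /etc/krb5.keytab "$princ"; then
        KRB5CCNAME=FILE:$cc klist
        rc=$?
    fi
    rm -f "$conf" "$cc"
    return $rc
}

# Live usage on the replica (prefix KRB5_TRACE=/dev/stderr to see which KDC answered):
#   kdc_selftest
```

If kinit fails with a "Client not found" or a wrong-key error while the same command works against the master, the replicated database or the keytab is out of date: check the last kprop run on the master before suspecting the KDC configuration.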

Active services