Kerberos slave
EL9 (RockyLinux/AlmaLinux 9): installing and configuring a Kerberos slave
IPv6 disabled
Package installation
dnf install -y bind-utils epel-release curl vim dnf-automatic checkpolicy gnutls-utils rsyslog-gnutls bash-completion
dnf install -y fail2ban fail2ban-firewalld
dnf install -y s-nail
(mailx has been replaced by s-nail; fail2ban comes from EPEL, so epel-release must be installed first, as above)
Date, time and timezone
timedatectl set-timezone Europe/Rome
Service configuration: chrony
In /etc/chrony.conf replace "pool 2.rocky.pool.ntp.org iburst" with
server ntp-1.infn.it iburst
server ntp-2.infn.it iburst
server ntp-3.infn.it iburst
Restart the service
systemctl restart chronyd.service
and check the configuration
[root@krb ~]# chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- dns1.ge.infn.it               2  10   377   579    +17us[  -72us] +/-   13ms
^- dns2.ge.infn.it               2  10   377   862   -969ns[  -87us] +/-   13ms
^* ntp.cnaf.infn.it              1  10   377   106    -68us[ -161us] +/- 1588us
The source marked ^* is the one chrony is currently synchronised to; Reach 377 (octal) means all of the last eight polls were answered.
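Kerberos depends on the KDC clock: MIT krb5 rejects requests whose timestamp differs from the KDC's clock by more than the clockskew setting (300 seconds by default), so a slave KDC with no selected time source will fail authentications even when propagation works. The following POSIX sh helper is an added example, not part of the INFN page or of chrony: it parses the output of `chronyc sources` and fails unless a selected (`^*`) source with full reachability (Reach 377) exists. The sample data embedded in the script is the chronyc output shown above, reproduced as constructed input; on the live host pipe `chronyc sources` into it instead.

```shell
#!/bin/sh
# Added example (not from the INFN page): check that chrony has a selected,
# fully reachable time source before relying on this host as a KDC.
# Usage on a live host:   chronyc sources | chrony_check
# Exit status: 0 = selected source with Reach 377, 1 = no selected source,
#              2 = selected source present but not fully reachable.

chrony_check() {
    awk '
        # Source lines start with the mode char (^ server, = peer, # refclock)
        # followed by the state char; "*" marks the source chrony synchronises to.
        $1 ~ /^[=#^][*+?x~-]$/ {
            total++
            if (substr($1, 2, 1) == "*") { selected = $2; reach = $5; offset = $7; n++ }
        }
        END {
            if (total == 0) { print "no source lines found (is chronyd running?)"; exit 1 }
            if (n == 0)     { print "no selected (^*) source among " total " sources"; exit 1 }
            sub(/\[$/, "", offset)   # "-68us[" -> "-68us"
            printf "selected source %s reach %s last offset %s\n", selected, reach, offset
            if (reach != 377) exit 2 # Reach is an octal 8-bit register: 377 = 8/8 polls answered
            exit 0
        }'
}

# Constructed sample: the "chronyc sources" output reproduced from the page.
SAMPLE_SOURCES='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- dns1.ge.infn.it               2  10   377   579    +17us[  -72us] +/-   13ms
^- dns2.ge.infn.it               2  10   377   862   -969ns[  -87us] +/-   13ms
^* ntp.cnaf.infn.it              1  10   377   106    -68us[ -161us] +/- 1588us'

# Run against the embedded sample; replace with "chronyc sources | chrony_check" on a KDC.
printf '%s\n' "$SAMPLE_SOURCES" | chrony_check
```

The distinct exit codes let the check be wired into a pre-start hook or a monitoring probe: status 1 (nothing selected) is the case to treat as fatal for a KDC, status 2 only indicates a source that is still settling after a restart.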
Service configuration: fail2ban
mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
chcon -u system_u /etc/fail2ban/jail.local
ll -Z /etc/fail2ban    (check the SELinux labels)
Edit /etc/fail2ban/jail.local, enable [sshd] and [selinux-ssh]
and change banaction (comment out the iptables entries and use firewalld) as follows:
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode    = normal
port     = ssh
logpath  = %(sshd_log)s
backend  = %(sshd_backend)s
enabled  = true
bantime  = 30m
findtime = 10m
maxretry = 3

[selinux-ssh]
port     = ssh
logpath  = %(auditd_log)s
enabled  = true
bantime  = 30m

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
## banaction = iptables-multiport
## banaction_allports = iptables-allports
banaction = firewallcmd-rich-rules[actiontype=]
banaction_allports = firewallcmd-rich-rules[actiontype=]
Enable and start the fail2ban service
systemctl enable fail2ban.service
systemctl start fail2ban.service
fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:   selinux-ssh, sshd
To see the list of banned IPs
fail2ban-client banned
[{'sshd': []}, {'selinux-ssh': []}]
Service configuration: firewalld
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --remove-service=cockpit
firewall-cmd --permanent --zone=public --add-service=kerberos
firewall-cmd --permanent --zone=public --add-service=kprop
firewall-cmd --reload
The firewall configuration for the SSH service must also be changed so that logins are accepted only from trusted hosts (not from the whole LAN).
The exact configuration obviously depends on the local network layout.
Example
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="www.xxx.yyy.zzz/32" service name=ssh accept'
firewall-cmd --permanent --zone=public --remove-service=ssh
systemctl restart firewalld.service
Both commands are --permanent, so neither takes effect until the restart (firewall-cmd --reload is also sufficient); check the rich rule with firewall-cmd --permanent --zone=public --list-rich-rules before restarting, since removing the ssh service without a working rich rule locks you out of the host.
To see the firewall state: firewall-cmd --list-all
Mail configuration
Configure postfix/sendmail as directed by the Section
Kerberos
Package installation
dnf install -y krb5-libs krb5-server krb5-workstation krb5-devel
Configuration
if [ -e /etc/krb5.conf ] ; then mv -f /etc/krb5.conf /etc/krb5.conf.saved-`date +%Y%m%d-%H:%M` ; fi
curl -o /etc/krb5.conf https://wiki.infn.it/_media/cn/ccr/aai/howto/krb5.conf.txt
chcon -u system_u /etc/krb5.conf
ll -lZ /etc/krb5.conf*
-rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 829 Dec 12 09:35 /etc/krb5.conf
-rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 880 Nov 28  2022 /etc/krb5.conf.saved-20221207-14:44
KDC configuration
Check the following files:
/var/kerberos/krb5kdc/kadm5.acl
/var/kerberos/krb5kdc/kdc.conf
ls -lZ /var/kerberos/krb5kdc/kadm5.acl
-rw-------. 1 root root system_u:object_r:krb5kdc_conf_t:s0 22 Apr 18 14:15 /var/kerberos/krb5kdc/kadm5.acl
ls -lZ /var/kerberos/krb5kdc/kdc.conf
-rw-------. 1 root root system_u:object_r:krb5kdc_conf_t:s0 481 Dec  7  2022 /var/kerberos/krb5kdc/kdc.conf
Run:
if [ -e /var/kerberos/krb5kdc/kdc.conf ] ; then mv -f /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kdc.conf.saved-`date +%Y%m%d-%H:%M` ; fi
curl -o /var/kerberos/krb5kdc/kdc.conf https://wiki.infn.it/_media/cn/ccr/aai/howto/kdc.conf.txt
chcon -u system_u /var/kerberos/krb5kdc/kdc.conf
chmod 600 /var/kerberos/krb5kdc/kdc.conf
Keytab
Copy the host keytab to /etc/krb5.keytab and check its permissions and SELinux labels
chcon -u system_u /etc/krb5.keytab
[root@krb ~]# ll -Z /etc/krb5.keytab
-rw-------. 1 root root system_u:object_r:krb5_keytab_t:s0 364 Dec  7  2022 /etc/krb5.keytab
Master key
Have the national Kerberos administrators send you the master key (stash file) and copy it to:
/var/kerberos/krb5kdc/.k5.INFN.IT
chcon -u system_u /var/kerberos/krb5kdc/.k5.INFN.IT
The stash file holds the master key in the clear, so it must be readable by root only.
Do NOT start the KDC service until the DB has been received from the master (otherwise the KDC tries to generate an initial one).
Configuring kprop.service
Starting with RHEL 9, xinetd is no longer supported and systemd services must be used.
A ready-made unit, kprop.service, exists; it reads /etc/sysconfig/kprop
for the specific parameters to pass to kpropd
cat /etc/sysconfig/kprop
KPROPD_ARGS= -r INFN.IT -P 754 -a /var/kerberos/krb5kdc/kpropd.acl
kpropd.acl lists the principals allowed to push a database to this slave: only the master's host principal, so nobody else can replace the principal DB.
echo "host/k5.infn.it@INFN.IT" > /var/kerberos/krb5kdc/kpropd.acl
chcon -u system_u /var/kerberos/krb5kdc/kpropd.acl
chmod 600 /var/kerberos/krb5kdc/kpropd.acl
systemctl enable --now kprop.service
Created symlink /etc/systemd/system/multi-user.target.wants/kprop.service → /usr/lib/systemd/system/kprop.service.
systemctl status kprop.service
● kprop.service - Kerberos 5 Propagation
     Loaded: loaded (/usr/lib/systemd/system/kprop.service; enabled; preset: disabled)
     Active: active (running) since Mon 2023-05-29 10:23:47 CEST; 1 week 3 days ago
   Main PID: 1071 (kpropd)
      Tasks: 1 (limit: 22958)
     Memory: 14.5M
        CPU: 6min 53.622s
     CGroup: /system.slice/kprop.service
             └─1071 /usr/sbin/kpropd -r INFN.IT -P 754 -a /var/kerberos/krb5kdc/kpropd.acl

Jun 08 10:24:32 krb kpropd[695441]: Connection from k5.infn.it
Jun 08 10:24:35 krb kpropd[695443]: Connection from k5.infn.it
Jun 08 10:24:38 krb kpropd[695445]: Connection from k5.infn.it
Jun 08 10:24:41 krb kpropd[695447]: Connection from k5.infn.it
Jun 08 10:24:44 krb kpropd[695449]: Connection from k5.infn.it
Jun 08 10:24:47 krb kpropd[695451]: Connection from k5.infn.it
Jun 08 10:24:50 krb kpropd[695453]: Connection from k5.infn.it
Jun 08 10:24:53 krb kpropd[695455]: Connection from k5.infn.it
Jun 08 10:24:57 krb kpropd[695457]: Connection from k5.infn.it
Jun 08 10:25:00 krb kpropd[695459]: Connection from k5.infn.it
Notify the Kerberos administrators by sending an email to k5-admin@lists.infn.it
Once propagation from the master has been configured and the principal DB has been received
# ls -laZ /var/kerberos/krb5kdc/principal*
-rw-------. 1 root root system_u:object_r:krb5kdc_principal_t:s0 5857280 Jun  8 10:57 /var/kerberos/krb5kdc/principal
-rw-------. 1 root root system_u:object_r:krb5kdc_principal_t:s0    8192 Jun  8 10:25 /var/kerberos/krb5kdc/principal.kadm5
-rw-------. 1 root root system_u:object_r:krb5kdc_principal_t:s0       0 Dec 12 08:24 /var/kerberos/krb5kdc/principal.kadm5.lock
-rw-------. 1 root root system_u:object_r:krb5kdc_lock_t:s0            0 Jun  8  2023 /var/kerberos/krb5kdc/principal.ok
start the KDC
systemctl enable --now krb5kdc.service
Created symlink /etc/systemd/system/multi-user.target.wants/krb5kdc.service → /usr/lib/systemd/system/krb5kdc.service.
Check the service status
systemctl status krb5kdc.service
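The page asks you to eyeball several ls -lZ listings (krb5.conf, kdc.conf, kadm5.acl, krb5.keytab, the principal DB) for root-only mode, root:root ownership and the system_u SELinux user and expected type. The following POSIX sh helper is an added example, not part of the INFN page, that turns those visual checks into a pass/fail one: check_kdc_file takes one ls -lZ line plus the expected mode and SELinux type and reports every mismatch. The records embedded in the script are constructed from the listings shown on this page; the expected modes and types are the ones those listings show, not an independent policy statement.

```shell
#!/bin/sh
# Added example (not from the INFN page): verify owner, mode and SELinux label
# of the KDC's sensitive files from "ls -lZ" output.
#
# check_kdc_file LS_LINE EXPECTED_MODE EXPECTED_SELINUX_TYPE
#   LS_LINE is one line of "ls -lZ" output, e.g. "$(ls -lZ /etc/krb5.keytab)".
#   Returns 0 if mode, root:root ownership, SELinux user system_u and the
#   SELinux type all match, 1 on any mismatch, 2 if the line cannot be parsed.
check_kdc_file() {
    line=$1 want_mode=$2 want_type=$3
    set -- $line                  # word-split the ls line on whitespace
    [ $# -ge 10 ] || { echo "unparseable ls -lZ line: $line"; return 2; }
    mode=${1%.}                   # "-rw-------." -> "-rw-------" (dot = has SELinux context)
    owner=$3 group=$4 ctx=$5
    for path; do :; done          # last positional parameter is the path
    se_user=${ctx%%:*}            # system_u:object_r:krb5_keytab_t:s0 -> system_u
    rest=${ctx#*:}; rest=${rest#*:}
    se_type=${rest%%:*}           # -> krb5_keytab_t
    fail=
    [ "$mode" = "$want_mode" ]      || fail="$fail mode=$mode(want $want_mode)"
    [ "$owner:$group" = root:root ] || fail="$fail owner=$owner:$group(want root:root)"
    [ "$se_user" = system_u ]       || fail="$fail seuser=$se_user(want system_u)"
    [ "$se_type" = "$want_type" ]   || fail="$fail setype=$se_type(want $want_type)"
    if [ -n "$fail" ]; then
        echo "FAIL $path:$fail"
        return 1
    fi
    echo "OK   $path ($mode $owner:$group $se_user:$se_type)"
}

# Constructed sample records "ls -lZ line|expected mode|expected SELinux type",
# built from the listings shown on the page. On a live host feed real ls -lZ
# output instead, e.g. check_kdc_file "$(ls -lZ /etc/krb5.keytab)" -rw------- krb5_keytab_t
failures=0
while IFS='|' read -r ls_line want_mode want_type; do
    check_kdc_file "$ls_line" "$want_mode" "$want_type" || failures=$((failures + 1))
done <<'EOF'
-rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 829 Dec 12 09:35 /etc/krb5.conf|-rw-r--r--|krb5_conf_t
-rw-------. 1 root root system_u:object_r:krb5kdc_conf_t:s0 22 Apr 18 14:15 /var/kerberos/krb5kdc/kadm5.acl|-rw-------|krb5kdc_conf_t
-rw-------. 1 root root system_u:object_r:krb5kdc_conf_t:s0 481 Dec 7 2022 /var/kerberos/krb5kdc/kdc.conf|-rw-------|krb5kdc_conf_t
-rw-------. 1 root root system_u:object_r:krb5_keytab_t:s0 364 Dec 7 2022 /etc/krb5.keytab|-rw-------|krb5_keytab_t
-rw-------. 1 root root system_u:object_r:krb5kdc_principal_t:s0 5857280 Jun 8 10:57 /var/kerberos/krb5kdc/principal|-rw-------|krb5kdc_principal_t
EOF
echo "files failing the check: $failures"
```

A file that was downloaded with curl and never relabelled shows unconfined_u as SELinux user, and a keytab copied with scp typically arrives 0644: both cases are exactly what the check flags, so running it after the chcon/chmod steps (and again after any restore from backup) catches the mistakes the listings on this page are meant to rule out.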
Active services
- postfix/sendmail
- firewalld
- fail2ban
- kprop
- krb5kdc