

cn:ccr:krb5:krb-slave

cn:ccr:krb5:krb-slave [2024/02/09 10:48] monducci@infn.itcn:ccr:krb5:krb-slave [2024/07/08 15:53] (current) enrico@infn.it
Line 1: Line 1:
 +====== Kerberos slave ======
 +
 +**EL9 (RockyLinux/AlmaLinux 9)**: installazione e configurazione di uno slave kerberos
 +
 +
 +Diasbilitato ipv6
 + 
 +
 +===== Installazione pacchetti =====
 + 
 +
 +  dnf install -y bind-utils  epel-release curl vim dnf-automatic checkpolicy gnutls-utils rsyslog-gnutls bash-completion 
 +  
 +  dnf install -y fail2ban fail2ban-firewalld  
 +  
 +  dnf install -y s-nail (mail-x è stato sostituito da s-nail) 
 +
 +===== Data, ora e timezone =====
 + 
 +  timedatectl set-timezone Europe/Rome 
 +
 +===== Configurazione servizio: chrony =====
 +
 +
 +In /etc/chrony.conf sostituire "pool 2.rocky.pool.ntp.org iburst" con 
 +
 +  server ntp-1.infn.it iburst 
 +  server ntp-2.infn.it iburst 
 +  server ntp-3.infn.it iburst 
 +
 +Far ripartire il servizio 
 +
 +  systemctl restart chronyd.service 
 +e controllare la configurazione
 + 
 +  [root@krb ~]# chronyc sources
 +  MS Name/IP address         Stratum Poll Reach LastRx Last sample
 +  ===============================================================================
 +  ^- dns1.ge.infn.it                10   377   579    +17us[  -72us] +/-   13ms
 +  ^- dns2.ge.infn.it                10   377   862   -969ns[  -87us] +/-   13ms
 +  ^* ntp.cnaf.infn.it              1  10   377   106    -68us[ -161us] +/- 1588us
 +
 +
 +===== Configurazione servizio: fail2ban  =====
 +
 +  mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local 
 +  cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local 
 +  chcon -u system_u /etc/fail2ban/jail.local 
 +  ll -Z /etc/fail2ban (verifica permessi con selinux)
 +
 +Modificare /etc/fail2ban/jail.local ed abilitare [sshd] e [selinux-ssh]  \\ 
 +e modificare banaction (commentare le IPTables e mettere firewalld) nel seguente modo: 
 +
 +  [sshd]
 +  # To use more aggressive sshd modes set filter parameter "mode" in jail.local:
 +  # normal (default), ddos, extra or aggressive (combines all).
 +  # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
 +  #mode   = normal
 +  port    = ssh
 +  logpath = %(sshd_log)s
 +  backend = %(sshd_backend)s
 +  enabled = true
 +  bantime = 30m
 +  findtime = 10m
 +  maxretry = 3
 +
 +-------
 +  [selinux-ssh]
 +  
 +  port     = ssh
 +  logpath  = %(auditd_log)s
 +  enabled = true
 +  bantime = 30m
 +
 +---------- 
 +
 +  # Default banning action (e.g. iptables, iptables-new,
 +  # iptables-multiport, shorewall, etc) It is used to define
 +  # action_* variables. Can be overridden globally or per
 +  # section within jail.local file
 +  ## banaction = iptables-multiport
 +  ## banaction_allports = iptables-allports
 +  banaction = firewallcmd-rich-rules[actiontype=]
 +  banaction_allports = firewallcmd-rich-rules[actiontype=]
 +
 +Abilitare a fare partire il servizio fail2ban 
 +
 +  systemctl enable fail2ban.service 
 +  systemctl start  fail2ban.service 
 +
 +  fail2ban-client status
 +  
 +  Status
 +  |- Number of jail:      2
 +  `- Jail list:   selinux-ssh, sshd
 +
 +Per vedere la lista di IP banditi 
 +
 +  fail2ban-client banned 
 +  [{'sshd': []}, {'selinux-ssh': []}] 
 +
 +===== Configurazione servizio: firewalld  =====
 +
 +  firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client 
 +  firewall-cmd --permanent --zone=public --remove-service=cockpit 
 +
 +  firewall-cmd --permanent --zone=public --add-service=kerberos 
 +  firewall-cmd --permanent --zone=public --add-service=kprop 
 +
 +  firewall-cmd --reload 
 +
 +Anche la configurazione del firewall per il servizio SSH deve essere modificata per accettare login solo da host certificati (non da tutta la LAN). \\
 +Ovviamente la configurazione specifica dipende dalla struttura. \\
 +Esempio
 +
 +  firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="www.xxx.yyy.zzz/32" service name=ssh accept' 
 +  
 +  firewall-cmd --permanent --zone=public --remove-service=ssh 
 +  
 +  systemctl restart firewalld.service 
 +  
 +  Per vedere lo stato del firewall: 
 +  
 +  firewall-cmd --list-all
 +
 +===== Configurazione mail =====
 +Configurare postfix/sendmail come da direttive della Sezione
 +
 +
 +
 +===== Kerberos =====
 +
 +=== Installazione dei pacchetti ===
 + 
 +
 +  dnf install -y krb5-libs krb5-server  krb5-workstation  krb5-devel 
 + 
 +
 +=== Configurazione === 
 +
 +  if [ -e /etc/krb5.conf ] ; then mv -f /etc/krb5.conf /etc/krb5.conf.saved-`date +%Y%m%d-%H:%M` ; fi 
 +  curl -o /etc/krb5.conf https://wiki.infn.it/_media/cn/ccr/aai/howto/krb5.conf.txt 
 +  chcon -u system_u /etc/krb5.conf 
 +
 +  ll -lZ /etc/krb5.conf*
 +  -rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 829 Dec 12 09:35 /etc/krb5.conf
 +  -rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 880 Nov 28  2022 /etc/krb5.conf.saved-20221207-14:44
 +
 +== Configurazione KDC ==
 +
 +Verificare i seguenti file:
 +/var/kerberos/krb5kdc/kadm5.acl
 +/var/kerberos/krb5kdc/kdc.conf
 +
 +
 +  ls -lZ /var/kerberos/krb5kdc/kadm5.acl
 +  -rw-------. 1 root root system_u:object_r:krb5kdc_conf_t:s0 22 Apr 18 14:15 /var/kerberos/krb5kdc/kadm5.acl
 +
 +  ls -lZ /var/kerberos/krb5kdc/kdc.conf
 +  -rw-------. 1 root root system_u:object_r:krb5kdc_conf_t:s0 481 Dec  7  2022 /var/kerberos/krb5kdc/kdc.conf
 +
 +Eseguire:
 +  if [ -e /var/kerberos/krb5kdc/kdc.conf ] ; then mv -f /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kdc.conf.saved-`date +%Y%m%d-%H:%M` ; fi 
 +  
 +  curl -o  /var/kerberos/krb5kdc/kdc.conf https://wiki.infn.it/_media/cn/ccr/aai/howto/kdc.conf.txt
 +  
 +  chcon -u system_u /var/kerberos/krb5kdc/kdc.conf 
 +  
 +  chmod 600 /var/kerberos/krb5kdc/kdc.conf 
 +
 +== Keytab ==
 +
 +Copiare il keytab dell'host in /etc/krb5.keytab e verificare i permessi e le label SELinux 
 +
 +  chcon -u system_u /etc/krb5.keytab 
 +  [root@krb ~]# ll -Z  /etc/krb5.keytab
 +  -rw-------. 1 root root system_u:object_r:krb5_keytab_t:s0 364 Dec  7  2022 /etc/krb5.keytab
 +
 +== Master Key ==
 +Farsi mandare la master key dai gestori del kerberos nazionale e copiarla in:
 +  
 +  /var/kerberos/krb5kdc/.k5.INFN.IT
 +  chcon -u system_u /var/kerberos/krb5kdc/.k5.INFN.IT 
 +
 +NON far partire il servizio KDC fino a quando non si riceve il DB dal master (altrimenti il KDC prova a generarne uno iniziale). 
 +
 +== Configurazione di kprop.service ==
 +A partire dalla RHEL9 xinetd non è più supportato e bisogna usare i servizi systemd. \\
 +Esiste un servizio predisposto che è il kprop.service che fa riferimento al file /etc/sysconfig/kprop \\
 +per la definizione di parametri specifici da passare al kpropd  
 +
 + 
 +
 +  cat /etc/sysconfig/kprop 
 +  KPROPD_ARGS= -r INFN.IT -P 754 -a /var/kerberos/krb5kdc/kpropd.acl 
 +
 +
 +  echo "host/k5.infn.it@INFN.IT" > /var/kerberos/krb5kdc/kpropd.acl 
 +  
 +  chcon -u system_u /var/kerberos/krb5kdc/kpropd.acl 
 +  
 +  chmod 600 /var/kerberos/krb5kdc/kpropd.acl 
 +  
 +  systemctl enable --now kprop.service 
 +  Created symlink /etc/systemd/system/multi-user.target.wants/kprop.service → /usr/lib/systemd/system/kprop.service. 
 +  
 +  systemctl status kprop.service
 +  ● kprop.service - Kerberos 5 Propagation
 +       Loaded: loaded (/usr/lib/systemd/system/kprop.service; enabled; preset: disabled)
 +       Active: active (running) since Mon 2023-05-29 10:23:47 CEST; 1 week 3 days ago
 +     Main PID: 1071 (kpropd)
 +        Tasks: 1 (limit: 22958)
 +       Memory: 14.5M
 +          CPU: 6min 53.622s
 +       CGroup: /system.slice/kprop.service
 +               └─1071 /usr/sbin/kpropd -r INFN.IT -P 754 -a /var/kerberos/krb5kdc/kpropd.acl
 +  
 +  Jun 08 10:24:32 krb kpropd[695441]: Connection from k5.infn.it
 +  Jun 08 10:24:35 krb kpropd[695443]: Connection from k5.infn.it
 +  Jun 08 10:24:38 krb kpropd[695445]: Connection from k5.infn.it
 +  Jun 08 10:24:41 krb kpropd[695447]: Connection from k5.infn.it
 +  Jun 08 10:24:44 krb kpropd[695449]: Connection from k5.infn.it
 +  Jun 08 10:24:47 krb kpropd[695451]: Connection from k5.infn.it
 +  Jun 08 10:24:50 krb kpropd[695453]: Connection from k5.infn.it
 +  Jun 08 10:24:53 krb kpropd[695455]: Connection from k5.infn.it
 +  Jun 08 10:24:57 krb kpropd[695457]: Connection from k5.infn.it
 +  Jun 08 10:25:00 krb kpropd[695459]: Connection from k5.infn.it
 +
 +
 +Avvisare gli amministratori di Kerberos inviando una mail a k5-admin@lists.infn.it  
 +
 +Una volta configurata la propagazione dal Master e ricevuto il DB dei principal 
 +
 +  # ls -laZ /var/kerberos/krb5kdc/principal*
 +  -rw-------. 1 root root system_u:object_r:krb5kdc_principal_t:s0 5857280 Jun  8 10:57 /var/kerberos/krb5kdc/principal
 +  -rw-------. 1 root root system_u:object_r:krb5kdc_principal_t:s0    8192 Jun  8 10:25 /var/kerberos/krb5kdc/principal.kadm5
 +  -rw-------. 1 root root system_u:object_r:krb5kdc_principal_t:s0       0 Dec 12 08:24 /var/kerberos/krb5kdc/principal.kadm5.lock
 +  -rw-------. 1 root root system_u:object_r:krb5kdc_lock_t:s0            0 Jun  8  2023 /var/kerberos/krb5kdc/principal.ok
 +
 +far partire il KDC 
 +
 +
 +  systemctl enable --now krb5kdc.service 
 +  Created symlink /etc/systemd/system/multi-user.target.wants/krb5kdc.service → /usr/lib/systemd/system/krb5kdc.service. 
 +
 +Verificare lo stato del servizio
 +  systemctl status krb5kdc.service
 +
 +===== Servizi attivi =====
 +
 +
 +  * postfix/sendmail
 +
 +  * firewalld
 +  * fail2ban
 +
 +  * kprop
 +  * krb5kdc
 +
 +
 + 
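Review bot: The `curl -o /etc/krb5.conf …` line under Configurazione saves whatever the server returns — without `-f` an HTTP error page becomes the config — and because the preceding `mv -f` has already moved the existing file to `.saved-…`, a failed download leaves the host with no /etc/krb5.conf at all; the same pattern is repeated for kdc.conf under Configurazione KDC. Download to a temporary file first and replace the live file only on success, as below, then relabel. Separately, the master key stash at /var/kerberos/krb5kdc/.k5.INFN.IT only gets `chcon -u system_u`, whereas kdc.conf and kpropd.acl also get `chmod 600` and an `ls -lZ` check — add `chmod 600 /var/kerberos/krb5kdc/.k5.INFN.IT` and verify it is root-owned and mode 0600 before starting the KDC. Minor wording: `Diasbilitato ipv6` near the top should read `Disabilitato ipv6`.
```shell
# fetch into a temp file in /etc; replace the live file only if the download succeeded
tmp=$(mktemp /etc/krb5.conf.XXXXXX) || exit 1
if curl -fsSL -o "$tmp" https://wiki.infn.it/_media/cn/ccr/aai/howto/krb5.conf.txt; then
  [ -e /etc/krb5.conf ] && cp -p /etc/krb5.conf "/etc/krb5.conf.saved-$(date +%Y%m%d-%H:%M)"
  mv -f "$tmp" /etc/krb5.conf
  restorecon -v /etc/krb5.conf   # re-apply the default SELinux label after the rename
else
  rm -f -- "$tmp"
  echo "download failed, /etc/krb5.conf left unchanged" >&2
fi
# … same sequence for /var/kerberos/krb5kdc/kdc.conf (kdc.conf.txt), followed by chmod 600 …
```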
  
