Interactive login on Ubuntu 16.04
Starting from the Ubuntu 16.04 template, install the following packages:
```
# apt install libpam-krb5 libpam-afs-session
```
Edit the files common-auth, common-account, common-password and common-session in /etc/pam.d/:
```
# vi /etc/pam.d/common-auth
auth sufficient pam_krb5.so try_first_pass minimum_uid=500
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
auth optional pam_afs_session.so
```
```
# vi /etc/pam.d/common-account
account sufficient pam_krb5.so minimum_uid=500
account required pam_unix.so
account required pam_permit.so
```
```
# vi /etc/pam.d/common-password
password sufficient pam_krb5.so minimum_uid=500
password sufficient pam_unix.so nullok use_authtok try_first_pass sha512
password required pam_deny.so
```
```
# vi /etc/pam.d/common-session
session optional pam_krb5.so minimum_uid=500
session optional pam_afs_session.so
session required pam_unix.so
```
Check that the following directives are set in /etc/ssh/ssh_config:
```
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIDelegateCredentials yes
ForwardX11Trusted yes
```
and the following in /etc/ssh/sshd_config:
```
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
```
Restart the sshd service:
```
# systemctl restart sshd.service
# systemctl status sshd.service
```
Check that the file /etc/krb5.conf is configured as follows:
```
[libdefaults]
    default_realm = LNF.INFN.IT

[domain_realm]
    .lnf.infn.it = LNF.INFN.IT
    lnf.infn.it = LNF.INFN.IT

[realms]
    LNF.INFN.IT = {
        kdc = kdc5s3.lnf.infn.it:88
        kdc = kdc5s2.lnf.infn.it:88
        kdc = kdc5s1.lnf.infn.it:88
        kdc = kdc5s0.lnf.infn.it:88
        kdc = kdc5p.lnf.infn.it:88
        admin_server = kdc5p.lnf.infn.it:749
        default_domain = lnf.infn.it
    }
    INFN.IT = {
        kdc = k5.infn.it:88
        kdc = afscnaf.infn.it:88
        kdc = afsrm1.roma1.infn.it:88
        kdc = afsna.na.infn.it:88
        admin_server = k5.infn.it:749
        default_domain = infn.it
    }

[appdefaults]
    aklog_homedir = true
    pam-afs-session = {
        minimum_uid = 1000
        ignore_root = true
        debug = true
    }
    pam = {
        minimum_uid = 1000
        ticket_lifetime = 259200
        renew_lifetime = 604800
        forwardable = true
        krb4_convert = false
        ccache_dir = /tmp
        tokens = true
        krb4_convert_524 = false
        krb4_use_as_req = false
        #afs_cells = lnf.infn.it=afs@LNF.INFN.IT
        afs_cells = lnf.infn.it=afs/lnf.infn.it@LNF.INFN.IT
        #existing_ticket = true
        #validate = true
        validate = false
        #keytab = FILE:/etc/krb5.keytab
        #debug = false
        debug = true
    }
```
To use ticket-based authentication, create the file krb5.keytab in /etc/ and, in /etc/krb5.conf, uncomment the following directives in the pam subsection of [appdefaults]:
```
validate = true
keytab = FILE:/etc/krb5.keytab
```
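As an added check (not part of the original page), the following POSIX shell script verifies the three settings configured so far, either on the live files or on copies passed as arguments: the order of the PAM auth stack, the effective sshd GSSAPI directives, and the keytab named in krb5.conf. The function names and the sample files it builds are constructed here for illustration.

```shell
# Post-install checks for the PAM/sshd/krb5.conf steps above (added example,
# not from the original page). Each check prints PASS/FAIL and returns 0/1.

# PAM auth stack: with "sufficient" the order matters. pam_krb5 must precede
# pam_unix (or Kerberos is never tried) and pam_deny must close the stack.
check_pam_auth() {
    awk '
      /^auth[[:space:]]+sufficient[[:space:]]+pam_krb5\.so/ && !k { k = NR }
      /^auth[[:space:]]+sufficient[[:space:]]+pam_unix\.so/ && !u { u = NR }
      /^auth[[:space:]]+required[[:space:]]+pam_deny\.so/   && !d { d = NR }
      END { exit !(k && u && d && k < u && u < d) }
    ' "${1:-/etc/pam.d/common-auth}" && echo "PASS: PAM auth stack order" \
        || { echo "FAIL: PAM auth stack incomplete or out of order"; return 1; }
}

# sshd_config: for each keyword the FIRST value found is the effective one
# (sshd_config(5)), so a "GSSAPIAuthentication no" left higher up in the file
# silently wins over the "yes" appended at the end.
check_sshd_gssapi() {
    f=${1:-/etc/ssh/sshd_config}
    for key in GSSAPIAuthentication GSSAPICleanupCredentials; do
        val=$(awk -v k="$key" 'tolower($1) == tolower(k) && !seen { v = $2; seen = 1 }
                               END { print v }' "$f")
        [ "$val" = "yes" ] || { echo "FAIL: effective $key is '${val:-unset}'"; return 1; }
    done
    echo "PASS: sshd GSSAPI directives effective"
}

# krb5.conf [appdefaults] pam: once validate = true is uncommented, the keytab
# it names must exist and must not be group- or world-readable.
check_keytab() {
    f=${1:-/etc/krb5.conf}
    kt=$(sed -n 's/^[[:space:]]*keytab[[:space:]]*=[[:space:]]*FILE:\([^[:space:]]*\).*/\1/p' "$f" | head -n 1)
    [ -n "$kt" ] || { echo "FAIL: no active keytab directive in $f"; return 1; }
    [ -f "$kt" ] || { echo "FAIL: $kt does not exist"; return 1; }
    [ -z "$(find "$kt" -perm -040 -o -perm -004)" ] \
        || { echo "FAIL: $kt is group/world readable"; return 1; }
    echo "PASS: keytab $kt present with restrictive mode"
}

# Constructed sample files (not a real host) so the checks can be exercised offline.
sample=$(mktemp -d)
printf 'auth sufficient pam_krb5.so try_first_pass minimum_uid=500\nauth sufficient pam_unix.so nullok try_first_pass\nauth required pam_deny.so\nauth optional pam_afs_session.so\n' > "$sample/common-auth"
printf '# shipped default left in place\nGSSAPIAuthentication no\nGSSAPIAuthentication yes\nGSSAPICleanupCredentials yes\n' > "$sample/sshd_config"
printf '[appdefaults]\n\tpam = {\n\t\tvalidate = true\n\t\tkeytab = FILE:%s/krb5.keytab\n\t}\n' "$sample" > "$sample/krb5.conf"
: > "$sample/krb5.keytab" && chmod 600 "$sample/krb5.keytab"
check_pam_auth "$sample/common-auth"
check_sshd_gssapi "$sample/sshd_config" || echo "  (the stray 'no' above the 'yes' is the culprit)"
check_keytab "$sample/krb5.conf"
```

Run it without arguments on the configured host to check the live files; the sample sshd_config deliberately fails to show how a leftover default masks the added directives.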
Configure the LDAP client to retrieve information about the users allowed to log in. Install the package ldap-auth-client:
```
# apt install ldap-auth-client
```
During installation you will be prompted for some configuration parameters.
Enter the URI of the LDAP server, ldaps://ds1.infn.it:
```
Configuring ldap-auth-config

Please enter the URI of the LDAP server to use. This is a string in the
form of ldap://<hostname or IP>:<port>/. ldaps:// or ldapi:// can also
be used. The port number is optional.

Note: It is usually a good idea to use an IP address because it reduces
risks of failure in the event name service problems.

LDAP server Uniform Resource Identifier:

ldaps://ds1.infn.it/

<Ok>
```
Specify dc=lnf,dc=infn,dc=it as the LDAP search base:
```
Configuring ldap-auth-config

Please enter the distinguished name of the LDAP search base. Many sites
use the components of their domain names for this purpose. For example,
the domain "example.net" would use "dc=example,dc=net" as the
distinguished name of the search base.

Distinguished name of the search base:

dc=lnf,dc=infn,dc=it

<Ok>
```
Specify the LDAP version (3):
```
Configuring ldap-auth-config

Please enter which version of the LDAP protocol should be used by
ldapns. It is usually a good idea to set this to the highest available
version.

LDAP version to use:

  * 3
    2

<Ok>
```
Select <No>:
```
Configuring ldap-auth-config

This option will allow you to make password utilities that use pam to
behave like you would be changing local passwords.

The password will be stored in a separate file which will be made
readable to root only.

If you are using NFS mounted /etc or any other custom setup, you should
disable this.

Make local root Database admin:

<Yes>  *<No>
```
Select <No>:
```
Configuring ldap-auth-config

Choose this option if you are required to login to the database to
retrieve entries.

Note: Under a normal setup, this is not needed.

Does the LDAP database require login?

<Yes>  *<No>
```
Configure /etc/nsswitch.conf so that users are looked up in LDAP as well as locally:
```
auth-client-config -t nss -p lac_ldap
```
Retrieve the information for a user with the id command to check that everything has been configured correctly:
```
id <username>
```
Install the TENEX C Shell:
```
# apt install tcsh
```
Create the file lnf.login in /etc/csh/login.d/ with the following content:
```
setenv ORIPATH $PATH
#########################################################################
#
# Generic lnf system login.
#
if ( -x /afs/lnf.infn.it/system/userenv/common/lnf.csh.login ) then
    source /afs/lnf.infn.it/system/userenv/common/lnf.csh.login
endif
#
#########################################################################
setenv PATH "${ORIPATH}:${PATH}"
```
and edit the file /etc/csh.logout, adding:
```
# /etc/csh.logout: system-wide .logout file for csh(1) and tcsh(1)
#########################################################################
#
# Log logout
#
if ( -x /afs/lnf.infn.it/system/userenv/common/lnf.csh.logout ) then
    source /afs/lnf.infn.it/system/userenv/common/lnf.csh.logout
endif
kdestroy
#
# eof
#
```
Finally, create the following symbolic links:
```
ln -s /afs/lnf.infn.it/system/lnflocal/@sys /usr/lnf
ln -s /usr /usr/afsws
```