Agenda: ex2-kerberos-host.txt

File ex2-kerberos-host.txt, 10.0 KB (added by admin, 8 years ago)
Line 
1Exercise2 : enable Kerberos logins to a host
2============================================
3
4This is to connect a server to an existing Kerberos/LDAP infrastructure.  In
5part 1 we'll just enable Kerberos authentication, and in part 2 we'll enable
6LDAP authorization for uid/gid mapping.
7
8Part 1: Kerberos authentication
9===============================
10
11Your machine must already be working as a Kerberos client (i.e.
12`/etc/krb5.conf` is setup correctly)
13
14Sync your clock
15---------------
16
17Kerberos only works if your clocks are in close sync (certainly within 5
18minutes). You can do a one-off clock sync like this:
19
20    # ntpdate ntp.ubuntu.com
21
22But it's better to install the ntp daemon, which will continuously keep your
23clock in accurate sync.
24
25    # apt-get install ntp
26
27Enable kerberos for sshd
28------------------------
29
30In the `sshd_config` file, uncomment the `GSSAPIAuthentication` line and
31set it to `yes`; also add `GSSAPIKeyExchange yes`. Then restart sshd.
32
33    # editor /etc/ssh/sshd_config
34    ...
35    # GSSAPI options
36    GSSAPIAuthentication yes
37    GSSAPIKeyExchange yes
38    ....
39
40    # service ssh restart
41
42You're also going to add some extra lines to the end of krb5.conf, because
43of a current limitation in the kadmin utility.
44
45    # editor /etc/krb5.conf
46    ...
47
48    [realms]
49    WS.NSRC.ORG = {
50        admin_server = kdc1.ws.nsrc.org
51    }
52
53Now you need to set up a shared key between the KDC and the host's keytab.
54Call over an instructor to do this for you (because we're not letting you
55have admin access to the workshop Kerberos server :-) Here's what they will
56do:
57
58    # kadmin -p nsrc/admin
59    ... enter secret instructor password
60    addprinc -randkey host/pcN.ws.nsrc.org
61    ktadd host/pcN.ws.nsrc.org
62    ^D
63
64This has (1) created the principal on the KDC, and (2) has copied the key
65into a local keytab file.
66
67You can examine your own keytab using either `klist -k` for a summary, or
68`ktutil` for more detailled information. Inside `ktutil` use '?' for help
69and ^D (ctrl-D) to exit.
70
71    # ktutil
72    rkt /etc/krb5.keytab
73    list -e
74    ^D
75
76(The key will be listed multiple times, for use with different encryption
77algorithms)
78
79Now you're going to allow ssh logins for 'testuser'. Because we don't have
80LDAP configured yet, we'll have to create a local account - but there's no
81need to set a password.
82
83    # useradd -m -s /bin/bash testuser
84
85Now you're ready to test it. You can try logging in from your own machine to
86yourself, and you can get someone else to login to your machine.
87
88    $ kinit testuser         # use password from exercise 1
89    $ ssh testuser@pcN.ws.nsrc.org
90
91If instead of logging straight in you see a password prompt from ssh, then
92there's a problem which needs investigating.
93
94Debugging
95---------
96
97The first things to check are:
98
99* Is your system clock at the correct time?
100* Does your host have working forward and reverse DNS?
101* Did you get a ticket? (klist)
102* Did you restart sshd after setting `GSSAPIAuthentication yes`?
103
104If those are correct, then in another window you can start a new instance of
105sshd in debug mode on a different port:
106
107    # /usr/sbin/sshd -d -p99
108
109Then try to connect to it:
110
111    $ ssh -v -p99 testuser@pcN.ws.nsrc.org
112
113You will see logs at both the client and server side.
114
115---------------------------------------------------------------------------
116
117Part 2: LDAP authorization
118==========================
119
120This centralises your user/uid/gid/homedir management, and removes the need
121to add local users.
122
123We're going to configure it manually. In practice you'd probably just make a
124tarball containing all the preconfigured files and drop them onto each
125server which needed it.
126
127Install LDAP utils
128------------------
129
130    # apt-get install ldap-utils libsasl2-modules-gssapi-mit
131
132    # editor /etc/ldap/ldap.conf
133    BASE    dc=ws,dc=nsrc,dc=org
134    URI     ldap://ldap.ws.nsrc.org
135
136Now this is configured, you should be able to query the LDAP directory - but
137the server is set up only to allow read access if you have a Kerberos ticket.
138
139    $ kinit testuser
140    $ ldapsearch
141    ... should list everything in ldap
142    $ ldapsearch "(cn=*test*)"
143    ... should list only entries matching the search query
144
145Automated Kerberos ticket
146-------------------------
147
148For security, the LDAP server only permits connections which are Kerberos
149authenticated and encrypted.  This means that the host itself needs a
150Kerberos ticket when doing LDAP lookups.  (We could instead have used TLS
151security, but that would involve setting up a Certificate Authority, and we
152may as well leverage our Kerberos setup)
153
154We will run a cronjob every hour, using our existing keytab entry to
155obtain a ticket for `host/pcN.ws.nsrc.org`
156
157    # editor /etc/cron.hourly/kerberos
158    #!/bin/sh
159    /usr/bin/kinit -k host/`hostname` -c /tmp/krb5cc_host
160
161Make it executable, and then run it once manually:
162
163    # chmod +x /etc/cron.hourly/kerberos
164    # /etc/cron.hourly/kerberos
165
166You can use this keytab to be able to do 'ldapsearch' when logged in as
167root:
168
169    # KRB5CCNAME=/tmp/krb5cc_host ldapsearch
170
171Note: our LDAP queries will come from the caching daemon (nscd) which runs
172as root, and so this is all we need.  If you wanted to run nscd as a
173different user, you would have to extend the cron script to make the
174ticket readable to that user. e.g.
175
176    #!/bin/sh
177    /usr/bin/kinit -k host/`hostname` -c /tmp/krb5cc_host
178
179    umask 077
180    cp /tmp/krb5cc_host /tmp/krb5cc_nscd
181    chown nscd /tmp/krb5cc_nscd
182
183Install nss_ldap
184----------------
185
186This is the library which intercepts password/group lookups and redirects
187them to LDAP.
188
189    # apt-get install libnss-ldap nscd
190
191(Beware: there is an alternative package `libnss-ldapd` with a trailing "d".
192These exercises have been tested using `libnss-ldap`)
193
194Answer prompted questions as:
195
196    LDAP server                            [ldap://ldap.ws.nsrc.org]
197    Distinguished name of search base      [dc=ws,dc=nsrc,dc=org]
198    LDAP version to use                    [3]
199    Make local root database admin         [No]
200    Does the LDAP database require login?  [No]
201
202NOTE: The LDAP server starts with ldap:// not ldapi:// !
203
204The configuration file is `/etc/ldap.conf`. We're going to replace it with
205a simple one which uses Kerberos authentication:
206
207    # mv /etc/ldap.conf /etc/ldap.conf.example
208    # editor /etc/ldap.conf
209    krb5_ccname /tmp/krb5cc_host
210    use_sasl on
211    rootuse_sasl on
212    base dc=ws,dc=nsrc,dc=org
213    uri ldap://ldap.ws.nsrc.org
214    ldap_version 3
215    sasl_secprops minssf=56
216    nss_initgroups_ignoreusers backup,bin,bind,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,nslcd,ntp,openldap,proxy,root,sshd,sync,sys,syslog,uucp,www-data
217
218We are also going to tweak `nscd.conf` to reduce caching of group
219information from 3600 to 600 seconds.
220
221    # editor /etc/nscd.conf
222    ...
223    positive-time-to-live   group           600
224    ...
225
226Configure nsswitch
227------------------
228
229This is the point where we actually start to use LDAP for lookups.
230
231    # editor /etc/nsswitch.conf
232    ...
233    passwd:         compat ldap
234    group:          compat ldap
235    shadow:         compat ldap
236    ...
237
238    # service nscd restart
239
240At this point you're ready to test: you should be able to map a username
241to a uid over LDAP, even though it doesn't exist in your local
242`/etc/passwd` file
243
244    # id ldapuser
245    uid=10004(ldapuser) gid=100(users) groups=100(users)
246
247If it fails, places to look are:
248
249* /var/log/auth.log
250* has root got a kerberos ticket? Use the following commands as root:
251        # KRB5CCNAME=/tmp/krb5cc_host klist
252        # KRB5CCNAME=/tmp/krb5cc_host ldapsearch
253* after any changes which might fix the problem, remember to restart nscd
254  because it has both positive and negative caching
255* try stopping nscd, then try `id ldapuser` as root - there will be no
256  caching, so it will make a separate LDAP query for each request. You
257  can look at tcpdump, and logs on the LDAP server side.
258* if you control the LDAP server, run it in debug mode:
259
260    # /etc/init.d/slapd stop
261    # KRB5_KTNAME=/etc/ldap/krb5/krb5.keytab slapd -d 255 -u openldap -g openldap
262
263Home directory creation
264-----------------------
265
266When a user first logs into a machine, you can create their home directory
267automatically via PAM (Pluggable Authentication Modules).
268
269    # editor /etc/pam.d/common-session
270    ...
271    session required        pam_mkhomedir.so umask=0022 skel=/etc/skel/
272    ...
273
274---------------------------------------------------------------------------
275
276Miscellaneous Notes
277-------------------
278
279Using kadmin to extract the key on the target host itself is almost always
280the best way to set up the shared host/service key.
281
282If joining a Microsoft Active Directory domain: you will need a third-party
283tool such as css_adkadmin (or it may be possible to use bits from samba).
284This may be a starting point:
285
286    kinit Administrator
287    css_adkadmin -r AD.NSRC.ORG -s dc1.ad.nsrc.org -q "ank -k -attr description=$HOSTNAME +randkey host/$HOSTNAME"
288    css_adkadmin -r AD.NSRC.ORG -s dc1.ad.nsrc.org -q "xst +randkey host/$HOSTNAME"
289
290The alternative is to set a manual password on a host principal and then use
291ktutil to create a keytab with the same password.  This is awkward, because
292(1) you need to use the right kvno, and (2) you need to repeat it for each
293encryption type which might be used on your network.
294
295    [KDC side]
296    kadmin
297    addprinc host/pcX.ws.nsrc.org
298    ... you are prompted for password
299    getprinc host/pcX.ws.nsrc.org
300    ... make a note of the kvno
301
302    [host side]
303    # ktutil
304    ktutil:  addent -password -p host/pcX.ws.nsrc.org -k 4 -e aes256-cts
305    Password for host/pcX.ws.nsrc.org@WS.NSRC.ORG:
306    ktutil:  addent -password -p host/pcX.ws.nsrc.org -k 4 -e arcfour-hmac
307    Password for host/pcX.ws.nsrc.org@WS.NSRC.ORG:
308    ktutil:  addent -password -p host/pcX.ws.nsrc.org -k 4 -e des3-hmac-sha1
309    Password for host/pcX.ws.nsrc.org@WS.NSRC.ORG:
310    ktutil:  list
311    slot KVNO Principal
312    ---- ---- ---------------------------------------------------------------------
313       1    4         host/pcX.ws.nsrc.org@WS.NSRC.ORG
314       2    4         host/pcX.ws.nsrc.org@WS.NSRC.ORG
315       3    4         host/pcX.ws.nsrc.org@WS.NSRC.ORG
316    ktutil:  wkt /etc/krb5.keytab
317