Difference between revisions of "Charity admin"

From ProgClub

Revision as of 23:28, 4 August 2011

This page chronicles the administrative changes to charity.progclub.org. If you make an administrative change you should document the change here. Changes are logged here in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is earlier than a time-stamp later in the page; put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the Administrative reference for other information.

John 2011-08-04 21:21

Installing Kerberos

Following these instructions.

jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# nslookup charity.progclub.org
bash: nslookup: command not found
root@charity:~# apt-get install nslookup
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package nslookup
root@charity:~# apt-cache search nslookup
dnsutils - Clients provided with BIND
root@charity:~# apt-get install dnsutils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bind9-host geoip-database libbind9-60 libdns64 libgeoip1 libisc60 libisccc60
  libisccfg60 liblwres60
Suggested packages:
  rblcheck geoip-bin
The following NEW packages will be installed:
  bind9-host dnsutils geoip-database libbind9-60 libdns64 libgeoip1 libisc60
  libisccc60 libisccfg60 liblwres60
0 upgraded, 10 newly installed, 0 to remove and 2 not upgraded.
Need to get 2,024kB of archives.
After this operation, 4,866kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libgeoip1 1.4.6.dfsg-17 [109kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libisc60 1:9.7.0.dfsg.P1-1ubuntu0.3 [170kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libdns64 1:9.7.0.dfsg.P1-1ubuntu0.3 [692kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libisccc60 1:9.7.0.dfsg.P1-1ubuntu0.3 [29.9kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libisccfg60 1:9.7.0.dfsg.P1-1ubuntu0.3 [53.1kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libbind9-60 1:9.7.0.dfsg.P1-1ubuntu0.3 [34.7kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid-updates/main liblwres60 1:9.7.0.dfsg.P1-1ubuntu0.3 [48.5kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid-updates/main bind9-host 1:9.7.0.dfsg.P1-1ubuntu0.3 [68.6kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid-updates/main dnsutils 1:9.7.0.dfsg.P1-1ubuntu0.3 [162kB]
Get:10 http://archive.ubuntu.com/ubuntu/ lucid/main geoip-database 1.4.6.dfsg-17 [658kB]
Fetched 2,024kB in 8s (227kB/s)
Selecting previously deselected package libgeoip1.
(Reading database ... 17754 files and directories currently installed.)
Unpacking libgeoip1 (from .../libgeoip1_1.4.6.dfsg-17_amd64.deb) ...
Selecting previously deselected package libisc60.
Unpacking libisc60 (from .../libisc60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libdns64.
Unpacking libdns64 (from .../libdns64_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libisccc60.
Unpacking libisccc60 (from .../libisccc60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libisccfg60.
Unpacking libisccfg60 (from .../libisccfg60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libbind9-60.
Unpacking libbind9-60 (from .../libbind9-60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package liblwres60.
Unpacking liblwres60 (from .../liblwres60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package bind9-host.
Unpacking bind9-host (from .../bind9-host_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package dnsutils.
Unpacking dnsutils (from .../dnsutils_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package geoip-database.
Unpacking geoip-database (from .../geoip-database_1.4.6.dfsg-17_all.deb) ...
Processing triggers for man-db ...
Setting up libgeoip1 (1.4.6.dfsg-17) ...

Setting up libisc60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...

Setting up libdns64 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...

Setting up libisccc60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...

Setting up libisccfg60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...

Setting up libbind9-60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...

Setting up liblwres60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...

Setting up bind9-host (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up dnsutils (1:9.7.0.dfsg.P1-1ubuntu0.3) ...

Setting up geoip-database (1.4.6.dfsg-17) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@charity:~# nslookup charity.progclub.org
Server:         67.207.128.4
Address:        67.207.128.4#53

Non-authoritative answer:
Name:   charity.progclub.org
Address: 67.207.128.184
root@charity:~# nslookup 67.207.128.184
Server:         67.207.128.4
Address:        67.207.128.4#53

Non-authoritative answer:
184.128.207.67.in-addr.arpa     name = charity.progclub.org.

Authoritative answers can be found from:
128.207.67.in-addr.arpa nameserver = NS2.SLICEHOST.NET.
128.207.67.in-addr.arpa nameserver = NS1.SLICEHOST.NET.
NS1.SLICEHOST.NET       internet address = 67.23.4.57
NS2.SLICEHOST.NET       internet address = 173.45.224.132
root@charity:~# apt-get install krb5-kdc krb5-admin-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  krb5-config krb5-user libgssrpc4 libkadm5clnt-mit7 libkadm5srv-mit7
  libkdb5-4
Suggested packages:
  openbsd-inetd inet-superserver krb5-kdc-ldap krb5-doc
The following NEW packages will be installed:
  krb5-admin-server krb5-config krb5-kdc krb5-user libgssrpc4
  libkadm5clnt-mit7 libkadm5srv-mit7 libkdb5-4
0 upgraded, 8 newly installed, 0 to remove and 2 not upgraded.
Need to get 777kB of archives.
After this operation, 2,187kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libgssrpc4 1.8.1+dfsg-2ubuntu0.9 [82.2kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libkadm5clnt-mit7 1.8.1+dfsg-2ubuntu0.9 [62.8kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libkdb5-4 1.8.1+dfsg-2ubuntu0.9 [62.3kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libkadm5srv-mit7 1.8.1+dfsg-2ubuntu0.9 [76.8kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main krb5-config 2.2 [23.0kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid-updates/main krb5-user 1.8.1+dfsg-2ubuntu0.9 [137kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid-updates/universe krb5-kdc 1.8.1+dfsg-2ubuntu0.9 [219kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid-updates/universe krb5-admin-server 1.8.1+dfsg-2ubuntu0.9 [113kB]
Fetched 777kB in 1s (560kB/s)
Preconfiguring packages ...
Selecting previously deselected package libgssrpc4.
(Reading database ... 17824 files and directories currently installed.)
Unpacking libgssrpc4 (from .../libgssrpc4_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package libkadm5clnt-mit7.
Unpacking libkadm5clnt-mit7 (from .../libkadm5clnt-mit7_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package libkdb5-4.
Unpacking libkdb5-4 (from .../libkdb5-4_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package libkadm5srv-mit7.
Unpacking libkadm5srv-mit7 (from .../libkadm5srv-mit7_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package krb5-config.
Unpacking krb5-config (from .../krb5-config_2.2_all.deb) ...
Selecting previously deselected package krb5-user.
Unpacking krb5-user (from .../krb5-user_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package krb5-kdc.
Unpacking krb5-kdc (from .../krb5-kdc_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package krb5-admin-server.
Unpacking krb5-admin-server (from .../krb5-admin-server_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libgssrpc4 (1.8.1+dfsg-2ubuntu0.9) ...

Setting up libkadm5clnt-mit7 (1.8.1+dfsg-2ubuntu0.9) ...

Setting up libkdb5-4 (1.8.1+dfsg-2ubuntu0.9) ...

Setting up libkadm5srv-mit7 (1.8.1+dfsg-2ubuntu0.9) ...

Setting up krb5-config (2.2) ...

Setting up krb5-user (1.8.1+dfsg-2ubuntu0.9) ...
Setting up krb5-kdc (1.8.1+dfsg-2ubuntu0.9) ...
krb5kdc: cannot initialize realm PROGCLUB.ORG - see log file for details

Setting up krb5-admin-server (1.8.1+dfsg-2ubuntu0.9) ...
kadmind: No such file or directory while initializing, aborting 

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added krb5.conf
added krb5kdc
added default/krb5-admin-server
added default/krb5-kdc
added init.d/krb5-admin-server
added init.d/krb5-kdc
added krb5kdc/kdc.conf
added rc0.d/K18krb5-admin-server
added rc0.d/K18krb5-kdc
added rc1.d/K18krb5-admin-server
added rc1.d/K18krb5-kdc
added rc2.d/S18krb5-admin-server
added rc2.d/S18krb5-kdc
added rc3.d/S18krb5-admin-server
added rc3.d/S18krb5-kdc
added rc4.d/S18krb5-admin-server
added rc4.d/S18krb5-kdc
added rc5.d/S18krb5-admin-server
added rc5.d/S18krb5-kdc
added rc6.d/K18krb5-admin-server
added rc6.d/K18krb5-kdc
Committed revision 27.
Package configuration


 ┌────────────────────┤ Configuring krb5-admin-server ├─────────────────────┐
 │                                                                          │
 │ Setting up a Kerberos Realm                                              │
 │                                                                          │
 │ This package contains the administrative tools required to run the       │
 │ Kerberos master server.                                                  │
 │                                                                          │
 │ However, installing this package does not automatically set up a         │
 │ Kerberos realm.  This can be done later by running the "krb5_newrealm"   │
 │ command.                                                                 │
 │                                                                          │
 │ Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the     │
 │ administration guide found in the krb5-doc package.                      │
 │                                                                          │
 │                                  <Ok>                                    │
 │                                                                          │
 └──────────────────────────────────────────────────────────────────────────┘
root@charity:~# dpkg-reconfigure krb5-kdc
Package configuration



┌─────────────────────────┤ Configuring krb5-kdc ├──────────────────────────┐
│                                                                           │
│ The Kerberos Key Distribution Center (KDC) configuration files, in        │
│ /etc/krb5kdc, may be created automatically.                               │
│                                                                           │
│ By default, an example template will be copied into this directory with   │
│ local parameters filled in.                                               │
│                                                                           │
│ Administrators who already have infrastructure to manage their Kerberos   │
│ configuration may wish to disable these automatic configuration changes.  │
│                                                                           │
│ Create the Kerberos KDC configuration automatically?                      │
│                                                                           │
│                    <Yes>                       <No>                       │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
<Yes>
krb5kdc: cannot initialize realm PROGCLUB.ORG - see log file for details
root@charity:~# cd /var/log
root@charity:/var/log# ls
apache2        dmesg           kern.log    mysql.log       syslog.2.gz
apt            dmesg.0         kern.log.1  mysql.log.1.gz  syslog.3.gz
auth.log       dmesg.1.gz      lastlog     mysql.log.2.gz  syslog.4.gz
auth.log.1     dmesg.2.gz      lpr.log     mysql.log.3.gz  syslog.5.gz
boot           dmesg.3.gz      mail.err    mysql.log.4.gz  syslog.6.gz
bootstrap.log  dmesg.4.gz      mail.info   mysql.log.5.gz  syslog.7.gz
btmp           dpkg.log        mail.log    mysql.log.6.gz  udev
btmp.1         dpkg.log.1      mail.warn   mysql.log.7.gz  user.log
daemon.log     fail2ban.log    messages    news            wtmp
daemon.log.1   fail2ban.log.1  messages.1  pycentral.log   wtmp.1
debug          faillog         mysql       syslog
debug.1        fsck            mysql.err   syslog.1

Where is the KRB log!?

root@charity:/etc# cat krb5kdc/kdc.conf
[kdcdefaults]
   kdc_ports = 750,88
   default_realm = PROGCLUB.ORG

[realms]
   PROGCLUB.ORG = {
       database_name = /var/lib/krb5kdc/principal
       admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
       acl_file = /etc/krb5kdc/kadm5.acl
       key_stash_file = /etc/krb5kdc/stash
       kdc_ports = 750,88
       max_life = 10h 0m 0s
       max_renewable_life = 7d 0h 0m 0s
       master_key_type = des3-hmac-sha1
       supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
       default_principal_flags = +preauth
   }
root@charity:/etc# reboot

Broadcast message from jj5@charity
       (/dev/pts/0) at 11:49 ...

The system is going down for reboot NOW!
root@charity:/etc/krb5kdc# vim kadm5.acl
# This file is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin  is given full administrative rights.
# To enable this, uncomment the following line:
*/admin@PROGCLUB.ORG    *
root@charity:/etc/krb5kdc# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'PROGCLUB.ORG',
master key name 'K/M@PROGCLUB.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify: 


Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration
guide.
root@charity:/etc/krb5kdc# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
root@charity:/etc# /etc/init.d/k
killprocs          krb5-admin-server  krb5-kdc
root@charity:/etc# /etc/init.d/krb5-kdc restart
 * Restarting Kerberos KDC krb5kdc
   ...done.
root@charity:/etc# /etc/init.d/krb5-admin-server restart
 * Restarting Kerberos administrative servers kadmind
root@charity:/etc#
root@charity:/var/lib/krb5kdc# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface

Google that.

root@charity:/var/lib/krb5kdc# kadmin.local
Authenticating as principal root/admin@PROGCLUB.ORG with password.
kadmin.local:  addprinc jj5/admin@PROGCLUB.ORG
WARNING: no policy specified for jj5/admin@PROGCLUB.ORG; defaulting to no policy
Enter password for principal "jj5/admin@PROGCLUB.ORG":
Re-enter password for principal "jj5/admin@PROGCLUB.ORG":
Principal "jj5/admin@PROGCLUB.ORG" created.
kadmin.local:  quit
root@charity:/var/lib/krb5kdc# kadmin -p jj5/admin
Authenticating as principal jj5/admin with password.
Password for jj5/admin@PROGCLUB.ORG:
kadmin: ?
Available kadmin requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program. 
kadmin:  listprincs
K/M@PROGCLUB.ORG
jj5/admin@PROGCLUB.ORG
kadmin/admin@PROGCLUB.ORG
kadmin/changepw@PROGCLUB.ORG
kadmin/charity.progclub.org@PROGCLUB.ORG
kadmin/history@PROGCLUB.ORG
krbtgt/PROGCLUB.ORG@PROGCLUB.ORG
kadmin:  quit


root@charity:/etc# cat krb5.conf
[logging]
        default = FILE:/var/log/krb5.log

[libdefaults]
        default_realm = PROGCLUB.ORG

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        PROGCLUB.ORG = {
                kdc = kerberos.progclub.org:88
                admin_server = kerberos.progclub.org
                default_domain = progclub.org
        }

[domain_realm]
        .progclub.org = PROGCLUB.ORG
        progclub.org = PROGCLUB.ORG
        .progclub.com = PROGCLUB.ORG
        progclub.com = PROGCLUB.ORG
        .progclub.info = PROGCLUB.ORG
        progclub.info = PROGCLUB.ORG
        .progclub.net = PROGCLUB.ORG
        progclub.net = PROGCLUB.ORG
        .progclub.co = PROGCLUB.ORG
        progclub.co = PROGCLUB.CO
        .progclub.mobi = PROGCLUB.MOBI
        progclub.mobi = PROGCLUB.MOBI

[login]
        krb4_convert = true
        krb4_get_tickets = false
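Two settings in the Kerberos files above are worth checking mechanically rather than by eye: the realm's supported_enctypes in kdc.conf still lists single-DES and arcfour (RC4) types, and kadm5.acl hands every privilege to any principal matching */admin. The following is an added example, not code from the page or from ProgClub. It parses the profile format shared by krb5.conf and kdc.conf (sections, key = value lines, nested braces), groups a realm's enctypes by strength, and lists blanket-admin ACL patterns. It assumes only the Python standard library; the two sample strings are copied from the page's own kdc.conf and kadm5.acl, and the weak/deprecated classification is this example's own (single DES and RC4 are weak, triple DES is deprecated in MIT Kerberos).

```python
import re

# Copied from the page's kdc.conf (the PROGCLUB.ORG realm stanza) so the example runs offline.
KDC_CONF_SAMPLE = """\
[kdcdefaults]
   kdc_ports = 750,88
   default_realm = PROGCLUB.ORG

[realms]
   PROGCLUB.ORG = {
       database_name = /var/lib/krb5kdc/principal
       admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
       acl_file = /etc/krb5kdc/kadm5.acl
       key_stash_file = /etc/krb5kdc/stash
       kdc_ports = 750,88
       max_life = 10h 0m 0s
       max_renewable_life = 7d 0h 0m 0s
       master_key_type = des3-hmac-sha1
       supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
       default_principal_flags = +preauth
   }
"""

# Copied from the page's kadm5.acl: every */admin principal gets all privileges.
KADM5_ACL_SAMPLE = """\
# This file is the access control list for krb5 administration.
*/admin@PROGCLUB.ORG    *
"""


def _store(table, key, value):
    """Insert a key; repeated keys (e.g. several kdc = lines) collect into a list."""
    if key in table:
        if not isinstance(table[key], list):
            table[key] = [table[key]]
        table[key].append(value)
    else:
        table[key] = value


def parse_krb5_conf(text):
    """Parse the profile format shared by krb5.conf and kdc.conf:
    [section] headers, key = value lines, and key = { ... } nested groups."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        section = re.fullmatch(r'\[(\w+)\]', line)
        if section:
            stack = [root.setdefault(section.group(1), {})]
            continue
        if not stack:
            raise ValueError(f'entry before any [section]: {line!r}')
        if line == '}':
            stack.pop()
            continue
        key, sep, value = line.partition('=')
        if not sep:
            raise ValueError(f'malformed line: {line!r}')
        key, value = key.strip(), value.strip()
        if value == '{':
            nested = {}
            _store(stack[-1], key, nested)
            stack.append(nested)
        else:
            _store(stack[-1], key, value)
    return root


def classify_enctype(token):
    """Classify an enctype (optionally 'enctype:salttype') as weak, deprecated or ok.
    Single DES and RC4 (arcfour) are weak; triple DES is deprecated in MIT Kerberos."""
    base = token.split(':', 1)[0].lower()
    if base.startswith('des3'):
        return 'deprecated'
    if base == 'des' or base.startswith(('des-', 'arcfour', 'rc4')):
        return 'weak'
    return 'ok'


def audit_realm_enctypes(kdc_conf_text, realm):
    """Group a realm's supported_enctypes by strength and classify its master key type."""
    realm_conf = parse_krb5_conf(kdc_conf_text)['realms'][realm]
    report = {'weak': [], 'deprecated': [], 'ok': []}
    for token in realm_conf.get('supported_enctypes', '').split():
        report[classify_enctype(token)].append(token)
    report['master_key_type'] = (classify_enctype(realm_conf['master_key_type'])
                                 if 'master_key_type' in realm_conf else 'unset')
    return report


def parse_kadm5_acl(text):
    """Parse kadm5.acl lines: principal-pattern permissions [target-pattern]."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith('#'):
            continue
        entries.append({'principal': fields[0], 'perms': fields[1],
                        'target': fields[2] if len(fields) > 2 else None})
    return entries


def blanket_admin_patterns(acl_text):
    """Wildcard principal patterns granted every privilege ('*' or 'x') on every target."""
    return [e['principal'] for e in parse_kadm5_acl(acl_text)
            if e['perms'] in ('*', 'x') and '*' in e['principal'] and e['target'] is None]


if __name__ == '__main__':
    report = audit_realm_enctypes(KDC_CONF_SAMPLE, 'PROGCLUB.ORG')
    for level in ('weak', 'deprecated', 'ok'):
        print(f'{level:10} {" ".join(report[level])}')
    print('master_key_type:', report['master_key_type'])
    print('blanket admin patterns:', blanket_admin_patterns(KADM5_ACL_SAMPLE))
```

Run against the page's own files it reports seven weak enctypes, a deprecated master key type and the */admin@PROGCLUB.ORG wildcard. The parser keeps repeated keys as lists, which matters for realms that list more than one kdc = line.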

John 2011-08-03 07:42

Adding user friggles

jj5@charity:~$ sudo adduser friggles
[sudo] password for jj5:
Adding user `friggles' ...
Adding new group `friggles' (1005) ...
Adding new user `friggles' (1005) with group `friggles' ...
Creating home directory `/home/friggles' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for friggles
Enter the new value, or press ENTER for the default
        Full Name []: <full name>
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
jj5@charity:~$ sudo gpasswd -a friggles sudo
Adding user friggles to group sudo

John 2011-08-01 00:12

Configured /wiki URLs

Decided that 'wiki' rather than 'pc' is more appropriate in the URLs for ProgClub. Updated the Apache web-site configuration files, patched LocalSettings.php in the pcwiki directory, and updated the root redirection script. The old 'pc' links will remain functional.

John 2011-07-31 19:47

Adding user jav

jj5@charity:~$ sudo adduser jav
[sudo] password for jj5:
Adding user `jav' ...
Adding new group `jav' (1004) ...
Adding new user `jav' (1004) with group `jav' ...
Creating home directory `/home/jav' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jav
Enter the new value, or press ENTER for the default
       Full Name []: <full name>
       Room Number []:
       Work Phone []:
       Home Phone []:
       Other []:
Is the information correct? [Y/n]

John 2011-07-30 17:15

Configuring IPSec

jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 0B/433kB of archives.
After this operation, 1,217kB of additional disk space will be used.
Committing to: /etc/
modified ipsec-tools.conf
modified iptables.up.rules
Committed revision 22.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 17754 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@charity:~# cd /etc/network/if-pre-up.d/
root@charity:/etc/network/if-pre-up.d# ll
total 16
drwxr-xr-x 2 root root 4096 2011-07-26 17:49 ./
drwxr-xr-x 6 root root 4096 2010-04-22 19:09 ../
-rwxr-xr-x 1 root root  344 2011-05-17 07:41 ethtool*
-rwxr-xr-x 1 root root   58 2011-07-26 17:49 iptables*
root@charity:/etc/network/if-pre-up.d# cat iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
root@charity:/etc/network/if-pre-up.d# vim ip
#!/bin/sh
# Hope
ip route add 67.207.130.204 dev eth0 advmss 200
# Honesty
ip route add 67.207.129.103 dev eth0 advmss 200
root@charity:/etc/network/if-pre-up.d# chmod +x ip
root@charity:/etc/network/if-pre-up.d# cd /etc/
root@charity:/etc# vim iptables.up.rules
*filter
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that doesn't use lo0
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Accept anything from hope
-A INPUT -s 67.207.130.204 -j ACCEPT
# Accept anything from honesty
-A INPUT -s 67.207.129.103 -j ACCEPT
# Allow MySQL connections from John's house
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow IPSec traffic
#-A INPUT -p 50 -j ACCEPT
#-A INPUT -p 51 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
root@charity:/etc# vim ipsec-tools.conf
#!/usr/sbin/setkey -f
# Charity/Hope security policy
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec
       esp/transport//require
       ah/transport//require;
# Charity/Honesty security policy
spdadd 67.207.128.184 67.207.129.103 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.129.103 67.207.128.184 any -P in ipsec
       esp/transport//require
       ah/transport//require;
root@charity:/etc# vim racoon/psk.txt
# Hope
67.207.130.204 <secret>
# Honesty
67.207.129.103 <secret>
root@charity:/etc# vim racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote anonymous {
       exchange_mode main,aggressive;
       proposal {
               encryption_algorithm aes;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
       generate_policy off;
}
sainfo anonymous {
       pfs_group modp768;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}
#log debug2;
root@charity:/etc# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
root@charity:/etc# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@charity:/etc# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.
root@charity:/etc# ll racoon/psk.txt
-rw------- 1 root root 92 2011-07-30 07:37 racoon/psk.txt
root@charity:/etc# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified ipsec-tools.conf
modified ipsec-tools.conf.bak
modified iptables.up.rules
added network/if-pre-up.d/ip
modified racoon/psk.txt
modified racoon/racoon.conf
Committed revision 23.
root@charity:/etc/racoon# /etc/network/if-pre-up.d/ip
RTNETLINK answers: File exists

Now off to configure hope and...

...damn, it didn't work. Oh well, no racoon for you!

root@charity:~# apt-get remove racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  racoon
0 upgraded, 0 newly installed, 1 to remove and 2 not upgraded.
After this operation, 1,217kB disk space will be freed.
Do you want to continue [Y/n]?
(Reading database ... 17818 files and directories currently installed.)
Removing racoon ...
Stopping IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@charity:~# cp /etc/ipsec-tools.conf.bak /etc/ipsec-tools.conf
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# Flush the SAD and SPD
flush;
spdflush;
# Charity/Hope configuration
# ESP SAs using 192 bit long AES keys
add 67.207.128.184 67.207.130.204 esp 1 -E aes-cbc
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.130.204 67.207.128.184 esp 2 -E aes-cbc
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
# AH SAs using 160 bit long keys
add 67.207.128.184 67.207.130.204 ah 3 -A hmac-sha1
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.130.204 67.207.128.184 ah 4 -A hmac-sha1
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec
        esp/transport//require
        ah/transport//require;
# Charity/Honesty configuration
# ESP SAs using 192 bit long AES keys
add 67.207.128.184 67.207.129.103 esp 5 -E aes-cbc
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.129.103 67.207.128.184 esp 6 -E aes-cbc
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
# AH SAs using 160 bit long keys
add 67.207.128.184 67.207.129.103 ah 7 -A hmac-sha1
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.129.103 67.207.128.184 ah 8 -A hmac-sha1
        0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
# Security policies
spdadd 67.207.128.184 67.207.129.103 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.129.103 67.207.128.184 any -P in ipsec
        esp/transport//require
        ah/transport//require;
root@charity:~# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@charity:~# cd /etc/network
root@charity:/etc/network# mv if-pre-up.d/ip if-up.d/
root@charity:/etc/network# if-up.d/ip
root@charity:/etc# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified ipsec-tools.conf
missing network/if-pre-up.d/ip
modified network/if-pre-up.d/ip
added network/if-up.d/ip
Committed revision 24.

That should do it. Off to configure the other end...

...works!

John 2011-07-30 09:38

Configuring racoon

See this article for a run-down.

# vim /etc/racoon/psk.txt
# Hope
67.207.130.204  <secret>
# vim /etc/racoon/racoon.conf
remote 67.207.130.204 {
       exchange_mode main,aggressive;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
       generate_policy off;
}
sainfo address 67.207.130.204[any] any address 67.207.130.204/32[any] any {
       pfs_group modp768;
       encryption_algorithm 3des;
       authentication_algorithm hmac_md5;
       compression_algorithm deflate;
}
# vim /etc/ipsec-tools.conf
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec
       esp/transport//require
       ah/transport//require;
root@charity:/etc/racoon# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
root@charity:/etc/racoon# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@charity:/etc/racoon# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.

Still no dice... :(

John 2011-07-29 23:59

Installing racoon

Having trouble getting IPSec to work, gonna try installing racoon and giving that a go.

root@charity:/etc# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 433kB of archives.
After this operation, 1,217kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main racoon 1:0.7.1-1.6ubuntu1 [433kB]
Fetched 433kB in 1s (329kB/s)
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
added ipsec-tools.conf.bak
Committed revision 19.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 17749 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Generating /etc/default/racoon...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added racoon
added default/racoon
added init.d/racoon
added racoon/psk.txt
added racoon/racoon-tool.conf
added racoon/racoon.conf
added rc1.d/K89racoon
added rcS.d/S40racoon
Committed revision 20.

The install prompted for Package configuration information, and I chose the 'direct' configuration method (the default) over 'racoon-tool', the other option.

 ┌──────────────────────────┤ Configuring racoon ├──────────────────────────┐
 │ Racoon can be configured two ways, either by directly editing            │
 │ /etc/racoon/racoon.conf or using the racoon-tool administrative front    │
 │ end. racoon-tool is now deprecated and is only available for backward    │
 │ compatibility. New installations should always use the "direct" method.  │
 │                                                                          │
 │ Configuration mode for racoon IKE daemon.                                │
 │                                                                          │
 │                               direct                                     │
 │                               racoon-tool                                │
 │                                                                          │
 │                                                                          │
 │                                  <Ok>                                    │
 │                                                                          │
 └──────────────────────────────────────────────────────────────────────────┘


John 2011-07-28 11:32

Firstly some house-keeping

$ cd /etc
$ sudo bzr status
[sudo] password for jj5:
modified:
  shadow
$ sudo etckeeper commit "Changed password for jj5"
Committing to: /etc/
modified shadow
Committed revision 13.

Installing IPSec

See this article for instructions.

$ sudo apt-get install ipsec-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ipsec-tools
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 111kB of archives.
After this operation, 274kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main ipsec-tools 1:0.7.1-1.6ubuntu1 [111kB]
Fetched 111kB in 0s (116kB/s)
Selecting previously deselected package ipsec-tools.
(Reading database ... 17714 files and directories currently installed.)
Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up ipsec-tools (1:0.7.1-1.6ubuntu1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added ipsec-tools.conf
added default/setkey
added init.d/setkey
added rcS.d/S37setkey
Committed revision 14.

To generate two 128-bit 'ah' keys:

$ dd if=/dev/random count=16 bs=1| xxd -ps
$ dd if=/dev/random count=16 bs=1| xxd -ps

To generate two 192-bit 'esp' keys:

$ dd if=/dev/random count=24 bs=1| xxd -ps
$ dd if=/dev/random count=24 bs=1| xxd -ps

Then edit the ipsec-tools.conf file,

$ sudo vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#
# Flush the SAD and SPD
flush;
spdflush;
# AH SAs using 128 bit long keys
add 67.207.128.184 67.207.130.204 ah 0x200 -A hmac-md5
        0x<ah_1>;
add 67.207.130.204 67.207.128.184 ah 0x300 -A hmac-md5
        0x<ah_2>;
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.128.184 67.207.130.204 esp 0x201 -E 3des-cbc
        0x<esp_1>;
add 67.207.130.204 67.207.128.184 esp 0x301 -E 3des-cbc
        0x<esp_2>;
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec
        esp/transport//require
        ah/transport//require;

Make sure the ipsec-tools.conf file is not world-readable:

$ sudo chmod 750 ipsec-tools.conf

Now I'll go and setup the other side of the connection...

Then,

$ sudo /etc/init.d/setkey start
* Loading IPsec SA/SP database from /etc/ipsec-tools.conf:              [ OK ]
$ sudo etckeeper commit "Configured IPSec between charity and hope"
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
Committed revision 15.

Done!

...or, not-so-done. After testing, I discovered that IPTables was getting in the way of IPSec traffic.
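
The key generation and setkey configuration above (and the later aes-cbc version of the same file further up this page) are done by hand and copied around; the following is an added example, not a script from this log, that does the same job as shell functions: fresh keys per direction from /dev/urandom, a complete ipsec-tools.conf for one peer pair, and the iptables rules that let ESP and AH through a port-based rules file like the one on this page. The peer addresses are the ones from the log; the SPI values, the use of /dev/urandom instead of /dev/random, and the rule format are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the log's own config: generate manual-keying material
# and emit a complete ipsec-tools.conf for one peer pair, plus the iptables
# rules that let the protected packets in. Peer addresses come from the log;
# SPI values, /dev/urandom and the rule format are this example's choices.

# hexkey NBYTES: NBYTES of random data as lowercase hex, no separators.
# /dev/urandom is used instead of the log's blocking /dev/random; od is
# POSIX where xxd is not.
hexkey() {
    head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# key_ok HEX BITS: succeed only if HEX is exactly BITS of lowercase hex.
# aes-cbc takes 128/192/256 bits and hmac-sha1 exactly 160; setkey rejects
# a wrong length too, but checking here gives a clearer error.
key_ok() {
    [ "${#1}" -eq $(( $2 / 4 )) ] || return 1
    case $1 in *[!0-9a-f]*) return 1 ;; esac
    return 0
}

# emit_sa SRC DST ESP_SPI AH_SPI ESP_KEY AH_KEY: one ESP and one AH SA for
# the SRC->DST direction. SPIs are given in decimal and printed in hex.
emit_sa() {
    key_ok "$5" 192 || { echo "bad ESP key (need 192 bits of hex)" >&2; return 1; }
    key_ok "$6" 160 || { echo "bad AH key (need 160 bits of hex)" >&2; return 1; }
    printf 'add %s %s esp 0x%x -E aes-cbc 0x%s;\n' "$1" "$2" "$3" "$5"
    printf 'add %s %s ah 0x%x -A hmac-sha1 0x%s;\n' "$1" "$2" "$4" "$6"
}

# emit_spd LOCAL REMOTE: require ESP and AH in transport mode both ways, so
# unprotected traffic between the two hosts is dropped rather than passed.
emit_spd() {
    printf 'spdadd %s %s any -P out ipsec esp/transport//require ah/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/transport//require ah/transport//require;\n' "$2" "$1"
}

# emit_fw PEER: lines for /etc/iptables.up.rules, to go before the final
# REJECT. ESP is IP protocol 50 and AH is 51: neither is TCP or UDP, so the
# port-based ACCEPT rules in the log never match them. IKE on UDP/500 is
# only needed when racoon negotiates the SAs, not for manual keying.
emit_fw() {
    printf '%s\n' "-A INPUT -s $1/32 -p esp -j ACCEPT"
    printf '%s\n' "-A INPUT -s $1/32 -p ah -j ACCEPT"
}

# gen_config LOCAL REMOTE [SPI_BASE]: a complete setkey file with
# independent keys per direction. The same file is installed on both hosts;
# setkey tells inbound from outbound by the addresses. Use a different
# SPI_BASE per peer so SPIs stay unique on the host shared by both pairs.
gen_config() {
    loc=$1; rem=$2; base=${3:-512}
    echo '#!/usr/sbin/setkey -f'
    echo 'flush;'
    echo 'spdflush;'
    # 24 random bytes give AES-192 (the "168 + 24 parity" note in the log's
    # file is a 3DES remark left over from the template); 20 bytes for
    # HMAC-SHA1.
    emit_sa "$loc" "$rem" $((base + 1)) $((base + 2)) "$(hexkey 24)" "$(hexkey 20)"
    emit_sa "$rem" "$loc" $((base + 3)) $((base + 4)) "$(hexkey 24)" "$(hexkey 20)"
    emit_spd "$loc" "$rem"
}
```

Typical use is `umask 077; gen_config 67.207.128.184 67.207.130.204 512 > ipsec-tools.conf`, copying that one file to both hosts over ssh (never through a wiki or chat), loading it with `setkey -f` and confirming with `setkey -D` that four SAs are present on each side; `emit_fw 67.207.130.204` supplies the rule lines to add above the REJECT in iptables.up.rules. Manual keying never rekeys, so rotating keys means running the generator again and reloading both ends.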

John 2011-07-27 12:01

Public read-only svn access via HTTPS and HTTP

See this article for the general idea.

# cd /etc/apache2/
# vim dav_svn.ro.authz
[/]
* = r
# vim dav_svn.rw.authz
[/]
jj5 = rw
# vim sites-available/default-ssl
<Location /svn>
  DAV svn
  SVNParentPath /var/svn
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  AuthzSVNAccessFile /etc/apache2/dav_svn.rw.authz
  Require valid-user
</Location>
<Location /svnro>
  DAV svn
  SVNParentPath /var/svn
  AuthzSVNAccessFile /etc/apache2/dav_svn.ro.authz
</Location>
# vim sites-available/default
<Location /svnro>
  DAV svn
  SVNParentPath /var/svn
  AuthzSVNAccessFile /etc/apache2/dav_svn.ro.authz
</Location>
# apache2ctl graceful
# etckeeper commit "Public read-only svn access"
Committing to: /etc/
added apache2/dav_svn.ro.authz
added apache2/dav_svn.rw.authz
modified apache2/sites-available/default
modified apache2/sites-available/default-ssl
Committed revision 12.

John 2011-07-27 06:12

Installing Subversion with HTTPS support

See this article for a primer.

# apt-get install subversion libapache2-svn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libneon27-gnutls libsvn1
Suggested packages:
  db4.8-util subversion-tools
The following NEW packages will be installed:
  libapache2-svn libneon27-gnutls libsvn1 subversion
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,595kB of archives.
After this operation, 7,250kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libneon27-gnutls 0.29.0-1 [136kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libsvn1 1.6.6dfsg-2ubuntu1.3 [906kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/universe libapache2-svn 1.6.6dfsg-2ubuntu1.3 [168kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main subversion 1.6.6dfsg-2ubuntu1.3 [385kB]
Fetched 1,595kB in 1s (866kB/s)
Selecting previously deselected package libneon27-gnutls.
(Reading database ... 17613 files and directories currently installed.)
Unpacking libneon27-gnutls (from .../libneon27-gnutls_0.29.0-1_amd64.deb) ...
Selecting previously deselected package libsvn1.
Unpacking libsvn1 (from .../libsvn1_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Selecting previously deselected package libapache2-svn.
Unpacking libapache2-svn (from .../libapache2-svn_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Selecting previously deselected package subversion.
Unpacking subversion (from .../subversion_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Processing triggers for man-db ...
Setting up libneon27-gnutls (0.29.0-1) ...
Setting up libsvn1 (1.6.6dfsg-2ubuntu1.3) ...
Setting up libapache2-svn (1.6.6dfsg-2ubuntu1.3) ...
Considering dependency dav for dav_svn:
Enabling module dav.
Enabling module dav_svn.
Run '/etc/init.d/apache2 restart' to activate new configuration!
Setting up subversion (1.6.6dfsg-2ubuntu1.3) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added emacs
added subversion
added apache2/mods-available/dav_svn.conf
added apache2/mods-available/dav_svn.load
added apache2/mods-enabled/dav.load
added apache2/mods-enabled/dav_svn.conf
added apache2/mods-enabled/dav_svn.load
added bash_completion.d/subversion
added emacs/site-start.d
added emacs/site-start.d/50psvn.el
added subversion/config
added subversion/servers
Committed revision 9.
# apache2ctl graceful
# cd /var
# ls
backups  cache  crash  lib  local  lock  log  mail  opt  run  spool  tmp  www
# mkdir svn
# cd svn
# svnadmin create pcrepo
# ls
pcrepo
# chown -R www-data:www-data pcrepo/
# chmod -R g+ws pcrepo/
# htpasswd -c /etc/apache2/dav_svn.passwd jj5
New password:
Re-type new password:
Adding password for user jj5
# vim /etc/apache2/sites-enabled/000-default-ssl

Add the following,

<Location /svn>
  DAV svn
  SVNParentPath /var/svn
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  Require valid-user
</Location>
# apache2ctl graceful
$ pwd
/home/jj5
$ mkdir test
$ cd test
$ svn co https://www.progclub.org/svn/pcrepo .
Authentication realm: <https://www.progclub.org> Subversion Repository
Password for 'jj5':
Checked out revision 0.

Works!

Migrating mediawiki-1.17.0 to pcwiki, and checking into svn

$ cd ..
$ mv test pcrepo
$ ls
bin  pcrepo
$ cd pcrepo/
$ mkdir pcwiki
$ cd pcwiki/
$ mkdir trunk
$ mkdir branches
$ mkdir tags
$ cp -R /var/www/www.progclub.org/mediawiki-1.17.0/* trunk/
$ ls
branches  tags  trunk
$ cd trunk/
$ ls
api.php     images             maintenance           RELEASE-NOTES
api.php5    img_auth.php       math                  resources
bin         img_auth.php5      mw-config             serialized
cache       includes           opensearch_desc.php   skins
config      index.php          opensearch_desc.php5  StartProfiler.sample
COPYING     index.php5         php5.php5             thumb.php
CREDITS     INSTALL            profileinfo.php       thumb.php5
docs        languages          README                trackback.php
extensions  load.php           redirect.php          trackback.php5
FAQ         load.php5          redirect.php5         UPGRADE
HISTORY     LocalSettings.php  redirect.phtml        wiki.phtml
$ rm LocalSettings.php
$ cd ../..
$ svn add pcwiki/
$ svn ci -m "Checking in original mediawiki files"
$ sudo etckeeper commit "Subversion HTTPS"
[sudo] password for jj5:
Committing to: /etc/
added apache2/dav_svn.passwd
modified apache2/sites-available/default-ssl
Committed revision 10.

Then using TortoiseSVN on my workstation I checked out,

https://www.progclub.org/svn/pcrepo/pcwiki/trunk

into

C:\Inetpub\wwwroot\pcwiki

Copied in LocalSettings.php, added it to the ignore list, and checked in.

# cd /var/www/www.progclub.org/
# svn co https://www.progclub.org/svn/pcrepo/pcwiki/trunk pcwiki
# cp mediawiki-1.17.0/LocalSettings.php pcwiki/
# cd /etc/apache2/sites-enabled/
# vim 000-default

Changed alias on line 17,

Alias /pc /var/www/www.progclub.org/pcwiki/index.php
# vim 000-default-ssl

Changed alias on line 17,

Alias /pc /var/www/www.progclub.org/pcwiki/index.php
# apache2ctl graceful
# etckeeper commit "pcwiki web"
Committing to: /etc/
modified apache2/sites-available/default
modified apache2/sites-available/default-ssl
Committed revision 11.

Reloaded a page from the web-site, and everything seems to be working well.

Copied in changes for mediawiki skin oldskool on my workstation and checked in to svn. There seems to be a new-line thing going on whereby every file got updated with a different line-feed sequence (I'm guessing \r\n rather than just \n) -- it changed nearly every file, but I just checked it in anyway.

# cd /var/www/www.progclub.org/pcwiki
# svn update

Reloaded a page from the web-site, and everything seems to be in order.

# cd /var/www/www.progclub.org/
# svn co https://www.progclub.org/svn/pcrepo/pcwiki/trunk pcwiki-dev
# cp pcwiki/LocalSettings.php pcwiki-dev/
# cd pcwiki-dev/
# vim LocalSettings.php
(reconfigured style and script path)
# svn update

John 2011-07-27 04:44

Configuring MySQL for (not too) public access

# cd /etc/mysql
# vim my.cnf

Changed from line 52,

#bind-address           = 127.0.0.1
bind-address            = 67.207.128.184
# service mysql restart
mysql start/running, process 2598
# etckeeper commit "Bound MySQL to public IP address"
Committing to: /etc/
modified mysql/my.cnf
Committed revision 7.
# vim /etc/iptables.up.rules
# Allows MySQL connections from John's house
-A INPUT -s <John's IP>/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allows MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# iptables -F
# iptables-restore < /etc/iptables.up.rules
# etckeeper commit "Updated firewall rules -- MySQL from John's house"
Committing to: /etc/
modified iptables.up.rules
Committed revision 8.
# mysql -uroot -p
mysql> use mysql;
mysql> select host, user from user;
mysql> create user 'pcwiki'@'<John's house>' identified by '<password>';
mysql> grant all privileges on pcwiki.* to 'pcwiki'@'<John's house>' with grant option;
mysql> flush privileges;

My development version of MediaWiki can now connect to the production database!

John 2011-07-27 04:09

Installing fail2ban

See Fail2ban for information about installing and configuring the program.

# apt-get install fail2ban
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  whois
Suggested packages:
  python-gamin mailx
The following NEW packages will be installed:
  fail2ban whois
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 129kB of archives.
After this operation, 1032kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe fail2ban 0.8.4-1ubuntu1 [96.0kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main whois 5.0.0ubuntu3 [32.6kB]
Fetched 129kB in 1s (123kB/s)
Selecting previously deselected package fail2ban.
(Reading database ... 17493 files and directories currently installed.)
Unpacking fail2ban (from .../fail2ban_0.8.4-1ubuntu1_all.deb) ...
Selecting previously deselected package whois.
Unpacking whois (from .../whois_5.0.0ubuntu3_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up fail2ban (0.8.4-1ubuntu1) ... 
Setting up whois (5.0.0ubuntu3) ...
Processing triggers for python-central ...
Committing to: /etc/
added fail2ban
added default/fail2ban
added fail2ban/action.d
added fail2ban/fail2ban.conf
added fail2ban/filter.d
added fail2ban/jail.conf
added fail2ban/action.d/complain.conf
added fail2ban/action.d/dshield.conf
added fail2ban/action.d/hostsdeny.conf
added fail2ban/action.d/ipfilter.conf
added fail2ban/action.d/ipfw.conf
added fail2ban/action.d/iptables-allports.conf
added fail2ban/action.d/iptables-multiport-log.conf
added fail2ban/action.d/iptables-multiport.conf
added fail2ban/action.d/iptables-new.conf
added fail2ban/action.d/iptables.conf
added fail2ban/action.d/mail-buffered.conf
added fail2ban/action.d/mail-whois-lines.conf
added fail2ban/action.d/mail-whois.conf
added fail2ban/action.d/mail.conf
added fail2ban/action.d/mynetwatchman.conf
added fail2ban/action.d/sendmail-buffered.conf
added fail2ban/action.d/sendmail-whois-lines.conf
added fail2ban/action.d/sendmail-whois.conf
added fail2ban/action.d/sendmail.conf
added fail2ban/action.d/shorewall.conf
added fail2ban/filter.d/apache-auth.conf
added fail2ban/filter.d/apache-badbots.conf
added fail2ban/filter.d/apache-nohome.conf
added fail2ban/filter.d/apache-noscript.conf
added fail2ban/filter.d/apache-overflows.conf
added fail2ban/filter.d/common.conf
added fail2ban/filter.d/courierlogin.conf
added fail2ban/filter.d/couriersmtp.conf
added fail2ban/filter.d/cyrus-imap.conf
added fail2ban/filter.d/exim.conf
added fail2ban/filter.d/gssftpd.conf
added fail2ban/filter.d/lighttpd-fastcgi.conf
added fail2ban/filter.d/named-refused.conf
added fail2ban/filter.d/pam-generic.conf
added fail2ban/filter.d/php-url-fopen.conf
added fail2ban/filter.d/postfix.conf
added fail2ban/filter.d/proftpd.conf
added fail2ban/filter.d/pure-ftpd.conf
added fail2ban/filter.d/qmail.conf
added fail2ban/filter.d/sasl.conf
added fail2ban/filter.d/sieve.conf
added fail2ban/filter.d/sshd-ddos.conf
added fail2ban/filter.d/sshd.conf
added fail2ban/filter.d/vsftpd.conf
added fail2ban/filter.d/webmin-auth.conf
added fail2ban/filter.d/wuftpd.conf
added fail2ban/filter.d/xinetd-fail.conf
added init.d/fail2ban
added logrotate.d/fail2ban
added rc0.d/K99fail2ban
added rc1.d/K99fail2ban
added rc2.d/S99fail2ban
added rc3.d/S99fail2ban
added rc4.d/S99fail2ban
added rc5.d/S99fail2ban
added rc6.d/K99fail2ban
Committed revision 6.
# iptables -L
...
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Then I tried dud logins from loki.progsoc.uts.edu.au, and

# iptables -L
...
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  loki.progsoc.uts.edu.au  anywhere
RETURN     all  --  anywhere             anywhere

Which is what we wanted to see.

John 2011-07-27 03:41

Configuring IPTables

See this article for information on configuring IPTables.

# vim /etc/iptables.up.rules
*filter
#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
#  Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
# iptables-restore < /etc/iptables.up.rules
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8         reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:30000
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
LOG        all  --  anywhere             anywhere            limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
# vim /etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
# chmod +x /etc/network/if-pre-up.d/iptables
# etckeeper commit "Configured IPTables"
Committing to: /etc/
added iptables.up.rules
added network/if-pre-up.d/iptables
Committed revision 4.

The commands for modifying IPTables firewall rules are now:

# vim /etc/iptables.up.rules
# /sbin/iptables -F
# /sbin/iptables-restore < /etc/iptables.up.rules
# etckeeper commit "Updated firewall rules"

John 2011-07-27 03:33

Disabling root SSH login

Per the instructions Disabling Direct Root Login (SSH),

$ sudo -s
# cd /etc/ssh
# vim sshd_config

Changed line 26 to,

PermitRootLogin no

Then,

$ sudo service ssh restart
$ sudo etckeeper commit "Disabled root logins"

John 2011-07-27 03:27

Configuring the system locale

Per the instructions,

$ sudo /usr/sbin/locale-gen en_AU.UTF-8
Generating locales...
  en_AU.UTF-8... done
Generation complete.
$ sudo /usr/sbin/update-locale LANG=en_AU.UTF-8
$ sudo etckeeper commit "Set system locale"

John 2011-07-27 03:20

Configuring jj5's environment

Per the instructions about configuring the Environment, I added,

# JE 2011-07-27 03:16
export EDITOR=/usr/bin/vim

to end of /home/jj5/.profile

and ran,

$ sudo update-alternatives --config editor
There are 3 choices for the alternative editor (providing /usr/bin/editor).
  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /bin/nano            40        auto mode
  1            /bin/nano            40        manual mode
  2            /usr/bin/vim.basic   30        manual mode
  3            /usr/bin/vim.tiny    10        manual mode
Press enter to keep the current choice[*], or type selection number: 2
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/editor (editor) in manual mode.

to configure the visudo editor. (Forgot to commit with etckeeper!)

John 2011-07-27 01:20

Creating a favicon.ico

MediaWiki is configured to use one, and web-browsers are requesting it, and it's 404ing, so best if I put a file there. Used iconj to generate a favicon.ico file, and used WinSCP to copy it to /var/www/www.progclub.org/favicon.ico on Charity.

Was having a problem with the favicon.ico loading in firefox, so I generated a new one with favicon.cc. I don't actually think the favicon.ico file was the problem though. But the change has been made now, and there's no point reverting it, because it's all working.

John 2011-07-27 01:01

Configuring robots.txt

Having some trouble with search engines looking for URLs from the previous domain owners. Going to setup a robots.txt file to try and fix up what I can there. Found 6 methods to control what and how your content appears in search engines to help guide me.

# cd /var/www/www.progclub.org/
# vim robots.txt
User-agent: *
Disallow: /stories/
Disallow: /story/
Disallow: /members/
Disallow: /vehicles/

Will expand on this as other URLs that need addressing become apparent in the logs.

Watching the Apache web-logs

Created /home/jj5/bin/spy to setup a window to watch the web-logs.

#!/bin/bash
sudo tail -f /var/log/apache2/access.log /var/log/apache2/ssl_access.log

John 2011-07-26 22:25

Adding user key720

# adduser key720
Adding user `key720' ...
Adding new group `key720' (1003) ...
Adding new user `key720' (1003) with group `key720' ...
Creating home directory `/home/key720' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for key720
Enter the new value, or press ENTER for the default
        Full Name []: <name>
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]

Also added Key to the wiki.

Tasaio 2011-07-26 21:39

Setting up Etckeeper

$ sudo apt-get install etckeeper

That's really all there is to it. There's an auto-commit every day, an auto-commit whenever you apt-get install something, and you can manually commit your changes using:

$ sudo etckeeper commit "Changed foo to achieve bar"

See the commit log for a file with:

$ sudo bzr log /etc/passwd

This means we should be able to see with reasonable accuracy what changed when, and as long as people commit their changes (and use sudo rather than abusing sudo su or the like), we'll even know who did it. Useful for quickly rolling back silly changes and catching those changes people forget to log on the wiki.

John 2011-07-26 09:55

Adding user sanguinev

# adduser sanguinev
Adding user `sanguinev' ...
Adding new group `sanguinev' (1002) ...
Adding new user `sanguinev' (1002) with group `sanguinev' ...
Creating home directory `/home/sanguinev' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for sanguinev
Enter the new value, or press ENTER for the default
        Full Name []: Thomas
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
# gpasswd -a sanguinev sudo
Adding user sanguinev to group sudo

Added a wiki user too.

John 2011-07-26 09:13

Adding user jj5

root@charity:~# adduser jj5
Adding user `jj5' ...
Adding new group `jj5' (1000) ...
Adding new user `jj5' (1000) with group `jj5' ...
Creating home directory `/home/jj5' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jj5
Enter the new value, or press ENTER for the default
        Full Name []: John Elliot
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
root@charity:~# gpasswd -a jj5 sudo
Adding user jj5 to group sudo

That was easy. PuTTY says it works!

Adding user tasaio

root@charity:~# adduser tasaio
Adding user `tasaio' ...
Adding new group `tasaio' (1001) ...
Adding new user `tasaio' (1001) with group `tasaio' ...
Creating home directory `/home/tasaio' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for tasaio
Enter the new value, or press ENTER for the default
        Full Name []: Justin
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
root@charity:~# gpasswd -a tasaio sudo
Adding user tasaio to group sudo

That was easy too! Will create a wiki user for him too.

John 2011-07-26 08:47

I could be accused of ignorance. When I created my key file for the CSR request I nominated a pass-phrase. This phrase is required to be entered every time you restart Apache. Gah! Until I can figure out a way to fix it I've created a script in /sbin called restart-apache which enters the key's pass-phrase automatically.

# cd /sbin
# vim restart-apache
#!/bin/bash
echo <the pass phrase> | apache2ctl graceful
# chmod u+x restart-apache
# restart-apache

Works swimmingly. Will reboot to see what happens when apache tries to load from a boot.

Apache chokes on boot. Found this article, which suggests,

# cd ~
# cp progclub.key progclub.key.pass-phrase
# openssl rsa -in progclub.key.pass-phrase -out progclub.key
# chmod 400 progclub.*
# reboot

Hopefully Apache comes back up this time... yep!

Will keep the restart-apache script in sbin, but will remove the part that specified the key pass-phrase.
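The two states the key goes through in this entry (pass-phrase protected, so every restart blocks; then stripped with openssl rsa and locked down with chmod 400) are exactly what an unattended-restart preflight should verify. The following is an added example, not a script from this page or from the ProgClub server: it classifies a PEM key from its headers only (the legacy Proc-Type: 4,ENCRYPTED line that openssl genrsa -des3 writes, or the PKCS#8 ENCRYPTED PRIVATE KEY form) and checks that the file is owner-only and owned by the expected uid. The PEM samples are constructed placeholders with no real key material, and the function and file names are mine.

```python
import os
import stat
import tempfile

# Constructed PEM samples: only the headers matter for this check; the
# bodies are placeholders, not real key material.
ENCRYPTED_KEY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
"""

PLAINTEXT_KEY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
"""


def classify_pem_key(pem_text):
    """Classify a PEM private key from its headers alone.

    'openssl genrsa -des3' writes the legacy form with a
    'Proc-Type: 4,ENCRYPTED' header; 'openssl rsa -in x -out y' strips it.
    Encrypted PKCS#8 keys use a distinct BEGIN line instead.
    """
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:
        return "encrypted"
    if "Proc-Type: 4,ENCRYPTED" in pem_text:
        return "encrypted"
    if "PRIVATE KEY-----" in pem_text:
        return "plaintext"
    return "unknown"


def check_key_file(path, expected_uid=0):
    """Return (kind, findings) for the key at path.

    An empty findings list means the key is unencrypted (so the web server
    can start unattended) and is readable only by its owner, who should be
    expected_uid (root by default; pass None to skip the owner check).
    """
    with open(path) as handle:
        kind = classify_pem_key(handle.read())
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if kind == "encrypted":
        findings.append("key is pass-phrase protected; a service restart "
                        "will block waiting for the pass-phrase")
    elif kind == "unknown":
        findings.append("file does not look like a PEM private key")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key is accessible to group/other (mode %04o); "
                        "expected 0400" % mode)
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("key is owned by uid %d, expected %d"
                        % (st.st_uid, expected_uid))
    return kind, findings


def write_sample_key(pem_text, mode):
    """Write a constructed sample to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".key")
    with os.fdopen(fd, "w") as handle:
        handle.write(pem_text)
    os.chmod(path, mode)
    return path


def demo():
    """Check the 'before' (pass-phrase, world-readable) and 'after' states.

    The owner check is skipped here because the samples live in a temp
    directory; against /root/progclub.key you would keep the default.
    """
    before = write_sample_key(ENCRYPTED_KEY_SAMPLE, 0o644)
    after = write_sample_key(PLAINTEXT_KEY_SAMPLE, 0o400)
    try:
        return check_key_file(before, None), check_key_file(after, None)
    finally:
        os.unlink(before)
        os.unlink(after)


if __name__ == "__main__":
    for kind, findings in demo():
        print(kind, findings or ["ok"])
```

Run against the real file as check_key_file("/root/progclub.key") before a reboot: the stripped key should come back as plaintext with no findings. An unencrypted key relies entirely on file permissions and ownership for protection, which is why the chmod 400 step belongs with the openssl rsa step rather than being optional.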

John 2011-07-26 06:20

Getting an HTTPS certificate

Searched for certificate sni cheap, found Go Daddy SSL Certificate. Decided on the Multiple Domains UCC - A$82.93/yr setup, which looks like it will suit us. Picked up to 5 domains for 3 years. It offered me free .mobi registration, so I added progclub.mobi. I then also added progclub.biz and progclub.co, I'm a sucker. Registration information recorded in Blackbrick Account Manager. Set up the nameservers for the new domains to point to ns*.slicehost.net via My Account.

Had to generate a Certificate Signing Request (CSR) per these instructions (for Apache 2.x).

# cd ~
# openssl genrsa -des3 -out progclub.key 2048
# openssl req -new -key progclub.key -out progclub.csr

See Blackbrick Account Manager for full details.

Certificate Type

  • Hosting: Third Party Hosting
  • Domain Name: www.progclub.org
  • Certificate Issuing Organization: Go Daddy
  • Subject Alt Names: www.progclub.net www.progclub.mobi www.progclub.info www.progclub.co
You're through!
Your certificate will be issued shortly.
You can monitor the progress of your certificate application by going to the
Pending Requests folder and clicking your Common Name. When we are through
verifying your application, you will receive an email with further instructions.

Downloaded the progclub.org.zip that was eventually generated, and used WinSCP to copy it to root's home directory on charity. Found info about Installing an SSL Certificate in Apache.

# cd /etc/apache2/sites-available/
# vim default-ssl

Set,

ServerAdmin jj5@jj5.net
DocumentRoot /var/www/www.progclub.org
# cd ~
# ls
progclub.csr  progclub.key  progclub.org.zip
# unzip progclub.org.zip
-bash: unzip: command not found
# apt-get install unzip
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  zip
The following NEW packages will be installed:
  unzip
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 189kB of archives.
After this operation, 406kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main unzip 6.0-1build1 [189kB]
Fetched 189kB in 0s (195kB/s)
Selecting previously deselected package unzip.
(Reading database ... 15343 files and directories currently installed.)
Unpacking unzip (from .../unzip_6.0-1build1_amd64.deb) ...
Processing triggers for man-db ...
Setting up unzip (6.0-1build1) ...
# unzip progclub.org.zip
Archive:  progclub.org.zip
  inflating: gd_bundle.crt
  inflating: progclub.org.crt
# ls
gd_bundle.crt  progclub.csr  progclub.key  progclub.org.crt  progclub.org.zip
# cd /etc/apache2/sites-available/
# vim default-ssl
#SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateFile /root/progclub.org.crt
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateKeyFile /root/progclub.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
SSLCertificateChainFile /root/gd_bundle.crt

Saved changes.

# a2ensite default-ssl
# /etc/init.d/apache2 reload
 * Reloading web server config apache2                                   [ OK ]
# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
# /etc/init.d/apache2 restart

Navigated to https://www.progclub.org/, and it worked!

# cd /etc/apache2/sites-enabled/
# vim 000-default-ssl
Alias /pc /var/www/www.progclub.org/mediawiki-1.17.0/index.php

The secure wiki is now working!

John 2011-07-25 17:53

Installing MediaWiki

Found the MediaWiki download page, which references mediawiki-1.17.0.tar.gz.

# cd /var/www/www.progclub.org/
# wget http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0.tar.gz
# ls
index.html  mediawiki-1.17.0.tar.gz  test.php
# tar xzf mediawiki-1.17.0.tar.gz
# ls
index.html  mediawiki-1.17.0  mediawiki-1.17.0.tar.gz  test.php
# rm mediawiki-1.17.0.tar.gz
# cd mediawiki-1.17.0/
# ls
COPYING               bin            languages             redirect.php5
CREDITS               cache          load.php              redirect.phtml
FAQ                   config         load.php5             resources
HISTORY               docs           maintenance           serialized
INSTALL               extensions     math                  skins
README                images         mw-config             thumb.php
RELEASE-NOTES         img_auth.php   opensearch_desc.php   thumb.php5
StartProfiler.sample  img_auth.php5  opensearch_desc.php5  trackback.php
UPGRADE               includes       php5.php5             trackback.php5
api.php               index.php      profileinfo.php       wiki.phtml
api.php5              index.php5     redirect.php

Didn't find a LocalSettings.php, which is what I was expecting, so reading INSTALL.

# less INSTALL

It told me to navigate to the setup page. The setup page complained about a missing LocalSettings.php, so they haven't changed that after all. Clicked on setup the wiki.

Specified,

* Your language: en - English
* Wiki language: en - English

Clicked continue, and among its checks was a complaint:

Could not find a suitable database driver! You need to install a database driver for PHP. The following
database types are supported: MySQL, PostgreSQL, Oracle, SQLite.
If you are on shared hosting, ask your hosting provider to install a suitable database driver. If you compiled
PHP yourself, reconfigure it with a database client enabled, for example using ./configure --with-mysql. 
If you installed PHP from a Debian or Ubuntu package, then you also need install the php5-mysql module.

So,

# apt-get install php5-mysql
# apache2ctl graceful

Then reloaded the config page,

The environment has been checked. You can install MediaWiki.

Clicked continue, and got the Connect to database page. Looks like I'm going to need a database user for the wiki, so

# mysql -h localhost -u root --password=<password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 36
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create user 'pcwiki'@'localhost' identified by '<password>';
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye

Back on the config page:

* Database type: MySQL
* Database host: localhost
* Database name: pcwiki
* Database table prefix: pcwiki__
* Database username: pcwiki
* Database password: <password>

Clicked continue, and got the Database settings page. Specified,

* Database account for web access: Use the same account as for installation
* Storage engine: InnoDB (the default, other choice was MyISAM)
* Database character set: UTF-8 (not the default, the default choice was Binary)

Clicked continue, and got the Name page. Specified,

* Name of wiki: ProgClub
* Project namespace: Same as the wiki name: ProgClub

Configuration for the Administrator account,

* Your name: John
* Password: <password>
* Password again: <password>
* E-mail address: jj5@jj5.net
You are almost done! You can now skip the remaining configuration and install the wiki right now.

Chose Ask me more questions, and got the Options page. Specified,

* User rights profile: Traditional wiki
* Copyright and license: No license footer
* Enable outbound e-mail: true
* Return e-mail address: wiki@progclub.org
* Enable user-to-user e-mail: true
* Enable user talk page notification: true
* Enable watchlist notification: true
* Enable e-mail authentication: true
* Enable file uploads: true
* Directory for deleted files: /var/www/www.progclub.org/mediawiki-1.17.0/images/deleted
* Logo URL: /res/img/logo.png
* Settings for object caching: No caching

Clicked Continue, and got the confirmation page. Clicked Continue again. Got an error because the database user couldn't create the database. Created the database manually,

# mysql -h localhost -u root --password=<password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 43
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database `pcwiki`;
Query OK, 1 row affected (0.00 sec)
mysql> exit
Bye

Decided it would be easier to let MediaWiki create the database, so went back and specified the database config details to use the root user. I will change this to be the pcwiki user manually after the database has been created.

Setting up database... done
Creating tables... done
Creating database user... done
Populating default interwiki table... done
Initializing statistics... done
Generating secret keys... done
Creating administrator user account... done
Creating main page with default content... done

Clicked continue,

Congratulations! You have successfully installed MediaWiki.
The installer has generated a LocalSettings.php file. It contains all your configuration.
You will need to download it and put it in the base of your wiki installation (the same
directory as index.php). The download should have started automatically.
If the download was not offered, or if you cancelled it, you can restart the download by
clicking the link below: Download LocalSettings.php
Note: If you do not do this now, this generated configuration file will not be available
to you later if you exit the installation without downloading it.
When that has been done, you can enter your wiki.

Downloaded the LocalSettings.php file and copied it to /var/www/www.progclub.org/mediawiki-1.17.0

Edited LocalSettings.php and changed the database user:

$wgDBuser           = "pcwiki";
$wgDBpassword       = "<password>";

Also added an article path:

$wgArticlePath      = "/pc/$1";

Also need to grant access for pcwiki user:

# mysql -h localhost -u root --password=<password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 54
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> grant all privileges on pcwiki.* to pcwiki@localhost;
Query OK, 0 rows affected (0.11 sec)
mysql> exit
Bye

Then need to edit apache conf file to include the pc alias:

# cd /etc/apache2/sites-enabled/
# vim 000-default

added,

Alias /pc /var/www/www.progclub.org/mediawiki-1.17.0/index.php

then,

# apache2ctl graceful

Also,

# cd /var/www/www.progclub.org/
# mkdir res
# mkdir res/img

Then uploaded a logo.png to there with WinSCP. The logo settings hadn't been properly specified in the generated LocalSettings.php file, so,

# cd /var/www/www.progclub.org/mediawiki-1.17.0/
# vim LocalSettings.php

and changed the logo setting,

$wgLogo             = "/res/img/logo.png";

Checked the wiki, and it's all working nicely.

John 2011-07-25 17:12

Preparing WWW hosting

# cd /var/www
# mkdir www.progclub.org
# mv index.html test.php www.progclub.org/
# ls
# cd www.progclub.org/
# ls
index.html  test.php

Everything is in order.

# cd /etc/apache2/sites-enabled/
# ls
000-default
# vim 000-default

Specified ServerAdmin,

ServerAdmin jj5@progclub.org

Changed document root,

DocumentRoot /var/www/www.progclub.org/

Changed the <Directory /var/www/> section to,

<Directory /var/www/www.progclub.org/>

Saved changes and quit vim. Restarted apache,

# apache2ctl graceful

Apache complained,

apache2: Could not reliably determine the server's fully qualified domain name, using charity.progclub.org for ServerName

Searched for "apache2: Could not reliably determine the server's fully qualified domain name, using " and found an answer.

Ran,

# hostname charity.progclub.org

which I guess is a better way to set the hostname than editing /etc/hostname like I did. :P

Ran,

# apache2ctl graceful

again, and got the same error,

apache2: Could not reliably determine the server's fully qualified domain name, using charity.progclub.org for ServerName

Tried a reboot to see if the hostname is updated after that,

# reboot

Still having problems with,

# apache2ctl graceful

So read more of the answer, and then,

# hostname charity
# vim /etc/hosts

Specified the file contents as

127.0.0.1          localhost localhost.localdomain
67.207.128.184     charity charity.progclub.org

Then rebooted,

# reboot

Ran hostname and got,

# hostname
charity.progclub.org

So edited /etc/hostname and specified

charity

Rebooted,

# reboot

Searched for "/etc/hostname", and found an answer. Short name goes in /etc/hostname, so we should be configured correctly now. Apache is still complaining though,

# apache2ctl graceful
apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName

and it's using the IP address rather than charity.progclub.org now. Will manually specify ServerName in /etc/apache2/sites-enabled/000-default

# cd /etc/apache2/sites-enabled/
# vim 000-default

Added,

ServerName  charity.progclub.org

Ran,

# apache2ctl graceful

again, and got the same friggin' error! More web-searching... found a different answer, tried editing /etc/hosts to put the names the other way around,

# vim /etc/hosts
127.0.0.1          localhost.localdomain localhost
67.207.128.184     charity.progclub.org charity

Rebooted,

# reboot

Tried apache2ctl again,

# apache2ctl graceful

And got no error! Yay!

Checked

* www.progclub.org

and found everything to be working. Web hosting is now configured.
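Why swapping the order of the names in /etc/hosts silenced the warning, when changing /etc/hostname and adding ServerName to the vhost did not, comes down to how the fallback ServerName is derived. The following is an added example, not code from this page or from the ProgClub server: it parses the two /etc/hosts layouts tried above (contents constructed from the lines in this entry) and models the lookup as I understand Apache 2.2's ap_get_local_host to do it, which is an assumption on my part: resolve the hostname to an address, then take that address's canonical name, which for a hosts-file entry is the first name on the line; only a dotted canonical name is accepted without complaint. The function names are mine.

```python
# Constructed /etc/hosts contents mirroring the two layouts tried above.
HOSTS_SHORT_FIRST = """127.0.0.1          localhost localhost.localdomain
67.207.128.184     charity charity.progclub.org
"""

HOSTS_FQDN_FIRST = """127.0.0.1          localhost.localdomain localhost
67.207.128.184     charity.progclub.org charity
"""


def parse_hosts(text):
    """Parse /etc/hosts into a list of (address, [names...]) entries.

    The first name on a line is the canonical name for that address; the
    rest are aliases. Comments and blank lines are ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def forward_lookup(entries, name):
    """Name -> address: any name on the line matches, canonical or alias."""
    for address, names in entries:
        if name in names:
            return address
    return None


def reverse_lookup(entries, address):
    """Address -> canonical name: the first name on the first matching line."""
    for addr, names in entries:
        if addr == address:
            return names[0]
    return None


def apache_server_name(hosts_text, hostname):
    """Model Apache 2.2's fallback when no global ServerName is set.

    Assumed logic (my reading of ap_get_local_host): resolve the hostname,
    then ask for the address's canonical name; a dotted canonical name is
    used silently. Otherwise fall back to the hostname if it is dotted,
    else to the bare address, and warn in both cases.
    Returns (name_used, warns).
    """
    entries = parse_hosts(hosts_text)
    address = forward_lookup(entries, hostname)
    if address is None:
        return "127.0.0.1", True
    canonical = reverse_lookup(entries, address)
    if canonical is not None and "." in canonical:
        return canonical, False
    if "." in hostname:
        return hostname, True
    return address, True


if __name__ == "__main__":
    for label, hosts in (("short name first", HOSTS_SHORT_FIRST),
                         ("FQDN first", HOSTS_FQDN_FIRST)):
        for hostname in ("charity", "charity.progclub.org"):
            name, warns = apache_server_name(hosts, hostname)
            print("%-16s hostname=%-22s -> %s%s"
                  % (label, hostname, name, " (warning)" if warns else ""))
```

With the short name first, hostname charity gives the bare address (the "using 67.207.128.184" message above) and hostname charity.progclub.org gives the FQDN but still warns (the earlier message); with the FQDN first, either hostname resolves cleanly. Two caveats: the real server goes through the system resolver, so /etc/nsswitch.conf and DNS also take part, and the check is made for the main server, which is why a ServerName inside the 000-default <VirtualHost> block did not satisfy it; a ServerName set outside any vhost does.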

John 2011-07-25 17:11

PHP software installation

I created a test.php file at /var/www/test.php to see if PHP was working out-of-the-box. I navigated to test.php to check, and it tried to download the PHP file, so I guess PHP isn't installed.

The test.php file I used was,

<? phpinfo(); ?>

Searched for PHP installation candidate,

# apt-cache search php5 | less

Found php5, which looks promising.

# apt-get install php5
The following extra packages will be installed:
 apache2-mpm-prefork libapache2-mod-php5 php5-common
Suggested packages:
 php-pear php5-suhosin
The following packages will be REMOVED:
 apache2-mpm-worker
The following NEW packages will be installed:
 apache2-mpm-prefork libapache2-mod-php5 php5 php5-common
0 upgraded, 4 newly installed, 1 to remove and 0 not upgraded.
Need to get 3544kB of archives.
After this operation, 9568kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main apache2-mpm-prefork 2.2.14-5ubuntu8.4 [2420B]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5-common 5.3.2-1ubuntu4.9 [551kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libapache2-mod-php5 5.3.2-1ubuntu4.9 [2990kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5 5.3.2-1ubuntu4.9 [1112B]
Fetched 3544kB in 1s (1913kB/s)
dpkg: apache2-mpm-worker: dependency problems, but removing anyway as you requested:
 apache2 depends on apache2-mpm-worker (= 2.2.14-5ubuntu8.4) | apache2-mpm-prefork (= 2.2.14-5ubuntu8.4) | apache2-mpm-event (= 2.2.14-5ubuntu8.4) | apache2-mpm-itk (= 2.2.14-5ubuntu8.4); however:
 Package apache2-mpm-worker is to be removed.
 Package apache2-mpm-prefork is not installed.
 Package apache2-mpm-event is not installed.
 Package apache2-mpm-itk is not installed.
(Reading database ... 15291 files and directories currently installed.)
Removing apache2-mpm-worker ...
 * Stopping web server apache2                                                  apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
... waiting .                                                           [ OK ]
Selecting previously deselected package apache2-mpm-prefork.
(Reading database ... 15283 files and directories currently installed.)
Unpacking apache2-mpm-prefork (from .../apache2-mpm-prefork_2.2.14-5ubuntu8.4_amd64.deb) ...
Selecting previously deselected package php5-common.
Unpacking php5-common (from .../php5-common_5.3.2-1ubuntu4.9_amd64.deb) ...
Selecting previously deselected package libapache2-mod-php5.
Unpacking libapache2-mod-php5 (from .../libapache2-mod-php5_5.3.2-1ubuntu4.9_amd64.deb) ...
Selecting previously deselected package php5.
Unpacking php5 (from .../php5_5.3.2-1ubuntu4.9_all.deb) ...
Setting up apache2-mpm-prefork (2.2.14-5ubuntu8.4) ...
 * Starting web server apache2                                                  apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
                                                                        [ OK ]
Setting up php5-common (5.3.2-1ubuntu4.9) ...
Setting up libapache2-mod-php5 (5.3.2-1ubuntu4.9) ...
Creating config file /etc/php5/apache2/php.ini with new version
 * Reloading web server config apache2                                          apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
                                                                        [ OK ]
Setting up php5 (5.3.2-1ubuntu4.9) ...

Noticed the complaining about the server's fully qualified domain name, so

# vim /etc/hostname

and changed from

charity

to

charity.progclub.org

Then I rebooted,

# reboot

Logged in again and checked the hostname,

# hostname

which was correctly reported as,

charity.progclub.org

Then I navigated to the test.php page, and got back the phpinfo().

John 2011-07-25 16:40

Apache and MySQL software installation

Searched for MySQL software,

# apt-cache search mysql | less

Found mysql-server, which looks like a good candidate.

Searched for Apache software,

# apt-cache search apache2 | less

Found apache2, which looks like a good candidate.

# apt-get install apache2 mysql-server
The following extra packages will be installed:
 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapr1
 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libdbd-mysql-perl
 libdbi-perl libexpat1 libhtml-template-perl libmysqlclient16
 libnet-daemon-perl libplrpc-perl mysql-client-5.1 mysql-client-core-5.1
 mysql-common mysql-server-5.1 mysql-server-core-5.1 psmisc ssl-cert
Suggested packages:
 www-browser apache2-doc apache2-suexec apache2-suexec-custom ufw dbishell
 libipc-sharedcache-perl tinyca mailx
The following NEW packages will be installed:
 apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common
 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap
 libdbd-mysql-perl libdbi-perl libexpat1 libhtml-template-perl
 libmysqlclient16 libnet-daemon-perl libplrpc-perl mysql-client-5.1
 mysql-client-core-5.1 mysql-common mysql-server mysql-server-5.1
 mysql-server-core-5.1 psmisc ssl-cert

Configuring mysql-server-5.1

Dpkg showed a configuration screen for configuring the root password. I set one.

Apache and MySQL software installation, continued

I rebooted after installing the above software,

# reboot

I checked the Apache installation by navigating to www.progclub.org and It Works!

John 2011-07-25 16:34

SSH'ed in as root and ran:

# apt-get update
# apt-get dist-upgrade
# reboot

John 2011-07-25 16:00

Had to stuff around with resetting the root password on charity, but remote logins via SSH are working now for root.

John 2011-07-25 15:52

Configured the name server with progclub.org, progclub.net and progclub.info DNS zones on slicehost. The SliceManager should be used to maintain the DNS records for progclub.