Honesty admin

From ProgClub
Revision as of 22:45, 8 September 2011 by John (talk | contribs)

This page chronicles the administrative changes to honesty.progclub.net. If you make an administrative change you should document the change here. Changes are logged here in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is earlier than a time-stamp further down the page; just put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the Administrative reference for other information.

John 2011-09-08 21:44

Installing gcc

root@honesty:~/pcad# apt-get install gcc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  binutils gcc-4.4 libc-dev-bin libc6-dev libgomp1 linux-libc-dev manpages-dev
Suggested packages:
  binutils-doc gcc-multilib autoconf automake1.9 libtool flex bison gdb
  gcc-doc gcc-4.4-multilib libmudflap0-4.4-dev gcc-4.4-doc gcc-4.4-locales
  libgcc1-dbg libgomp1-dbg libmudflap0-dbg libcloog-ppl0 libppl-c2 libppl7
  glibc-doc
The following NEW packages will be installed:
  binutils gcc gcc-4.4 libc-dev-bin libc6-dev libgomp1 linux-libc-dev
  manpages-dev
0 upgraded, 8 newly installed, 0 to remove and 0 not upgraded.
Need to get 9883kB of archives.
After this operation, 35.3MB of additional disk space will be used.
Do you want to continue [Y/n]?


John 2011-09-03 00:24

Kerberizing Apache

root@honesty:/home/apache/www/www.progclub.net/pcma# kadmin -p jj5
Authenticating as principal jj5 with password.
Password for jj5@PROGCLUB.ORG:
kadmin:  addprinc -randkey HTTP/honesty.progclub.org
WARNING: no policy specified for HTTP/honesty.progclub.org@PROGCLUB.ORG; defaulting to no policy
Principal "HTTP/honesty.progclub.org@PROGCLUB.ORG" created.
kadmin:  delprinc HTTP/honesty.progclub.org
Are you sure you want to delete the principal "HTTP/honesty.progclub.org@PROGCLUB.ORG"? (yes/no): yes
Principal "HTTP/honesty.progclub.org@PROGCLUB.ORG" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin:  addprinc -randkey HTTP/honesty.progclub.net
WARNING: no policy specified for HTTP/honesty.progclub.net@PROGCLUB.ORG; defaulting to no policy
Principal "HTTP/honesty.progclub.net@PROGCLUB.ORG" created.
kadmin:  ktadd -k /etc/apache2/apache2.keytab HTTP/honesty.progclub.net
Entry for principal HTTP/honesty.progclub.net with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/apache2/apache2.keytab.
Entry for principal HTTP/honesty.progclub.net with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/apache2/apache2.keytab.
Entry for principal HTTP/honesty.progclub.net with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/apache2/apache2.keytab.
Entry for principal HTTP/honesty.progclub.net with kvno 2, encryption type DES cbc mode with CRC-32  added to keytab WRFILE:/etc/apache2/apache2.keytab.
kadmin:  quit
root@honesty:/home/apache/www/www.progclub.net/pcma# chown www-data:www-data /etc/apache/apache2.keytab
root@honesty:/home/apache/www/www.progclub.net/pcma# chmod 400 /etc/apache2/apache2.keytab
root@honesty:/home/apache/www/www.progclub.net/pcma# apt-get install libapache2-mod-auth-kerb
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  libapache2-mod-auth-kerb
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 20.3kB of archives.
After this operation, 119kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libapache2-mod-auth-kerb 5.3-5build2 [20.3kB]
Fetched 20.3kB in 0s (32.7kB/s)
Committing to: /etc/
modified .etckeeper
added apache2/apache2.keytab
Committed revision 23.
Selecting previously deselected package libapache2-mod-auth-kerb.
(Reading database ... 17197 files and directories currently installed.)
Unpacking libapache2-mod-auth-kerb (from .../libapache2-mod-auth-kerb_5.3-5build2_amd64.deb) ...
Setting up libapache2-mod-auth-kerb (5.3-5build2) ...
Enabling module auth_kerb.
Run '/etc/init.d/apache2 restart' to activate new configuration!

Committing to: /etc/
added apache2/mods-available/auth_kerb.load
added apache2/mods-enabled/auth_kerb.load
Committed revision 24.
root@honesty:/home/apache/www/www.progclub.net/pcma#
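The session above ends with the keytab being chowned and chmodded by hand, and the chown targets /etc/apache/apache2.keytab while ktadd wrote /etc/apache2/apache2.keytab, so after that step the keytab is mode 400 but still owned by root and unreadable by the Apache worker. The script below is an added example, not part of this log or of mod_auth_kerb; it checks the two things mod_auth_kerb needs from a keytab (ownership by the web server user and owner-only mode) and, when MIT's klist is installed, that the expected HTTP/ principal is actually in the file. The function names keytab_perms_ok and keytab_has_principal are this example's own; it assumes GNU or BSD stat and a Linux host.

```shell
#!/bin/sh
# Added example: sanity-check an Apache keytab after "kadmin ... ktadd -k" (not from the ProgClub log).
# Assumptions: GNU stat (-c) or BSD stat (-f); Apache runs as the user given as $2 (www-data above).

file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# keytab_perms_ok KEYTAB OWNER
# 0 when KEYTAB exists, is owned by OWNER and is readable by its owner only (mode 400 or 600);
# otherwise prints the first problem found and returns 1.
keytab_perms_ok() {
    keytab=$1
    owner=$2
    if [ ! -f "$keytab" ]; then
        echo "keytab missing: $keytab"
        return 1
    fi
    mode=$(file_mode "$keytab")
    have_owner=$(file_owner "$keytab")
    case "$mode" in
        400|600) ;;
        *) echo "keytab $keytab has mode $mode, expected 400"; return 1 ;;
    esac
    if [ "$have_owner" != "$owner" ]; then
        echo "keytab $keytab is owned by $have_owner, expected $owner (chown the right path)"
        return 1
    fi
    return 0
}

# keytab_has_principal KEYTAB PRINCIPAL
# Lists the keytab with MIT "klist -k" and looks for PRINCIPAL (realm included).
# Returns 2 when klist is not installed so "not checked" is distinguishable from "not found".
keytab_has_principal() {
    keytab=$1
    principal=$2
    command -v klist >/dev/null 2>&1 || return 2
    # klist -k prints a header line, a column heading and a dashed rule before the entries
    klist -k "$keytab" 2>/dev/null | awk 'NR > 3 { print $2 }' | grep -qxF "$principal"
}

# Usage: sh check_keytab.sh /etc/apache2/apache2.keytab www-data HTTP/honesty.progclub.net@PROGCLUB.ORG
if [ $# -eq 3 ]; then
    keytab_perms_ok "$1" "$2" || exit 1
    keytab_has_principal "$1" "$3"
    case $? in
        0) echo "$1: permissions ok, $3 present" ;;
        2) echo "$1: permissions ok, klist not installed so principal not checked" ;;
        *) echo "$1: $3 not found in keytab"; exit 1 ;;
    esac
fi
```

Run it as root after the ktadd/chown/chmod steps; a non-zero exit with the "owned by root" message is the symptom of the mistyped path in the session above.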

John 2011-08-19 14:43

Installing fail2ban

jj5@honesty:~$ sudo -s
[sudo] password for jj5:
root@honesty:~# apt-get install fail2ban
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  whois
Suggested packages:
  python-gamin mailx
The following NEW packages will be installed:
  fail2ban whois
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 129kB of archives.
After this operation, 1032kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe fail2ban 0.8.4-1ubuntu1 [96.0kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main whois 5.0.0ubuntu3 [32.6kB]
Fetched 129kB in 1s (128kB/s)
Selecting previously deselected package fail2ban.
(Reading database ... 16972 files and directories currently installed.)
Unpacking fail2ban (from .../fail2ban_0.8.4-1ubuntu1_all.deb) ...
Selecting previously deselected package whois.
Unpacking whois (from .../whois_5.0.0ubuntu3_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up fail2ban (0.8.4-1ubuntu1) ...

Setting up whois (5.0.0ubuntu3) ...
Processing triggers for python-central ...
Committing to: /etc/
added fail2ban
added default/fail2ban
added fail2ban/action.d
added fail2ban/fail2ban.conf
added fail2ban/filter.d
added fail2ban/jail.conf
added fail2ban/action.d/complain.conf
added fail2ban/action.d/dshield.conf
added fail2ban/action.d/hostsdeny.conf
added fail2ban/action.d/ipfilter.conf
added fail2ban/action.d/ipfw.conf
added fail2ban/action.d/iptables-allports.conf
added fail2ban/action.d/iptables-multiport-log.conf
added fail2ban/action.d/iptables-multiport.conf
added fail2ban/action.d/iptables-new.conf
added fail2ban/action.d/iptables.conf
added fail2ban/action.d/mail-buffered.conf
added fail2ban/action.d/mail-whois-lines.conf
added fail2ban/action.d/mail-whois.conf
added fail2ban/action.d/mail.conf
added fail2ban/action.d/mynetwatchman.conf
added fail2ban/action.d/sendmail-buffered.conf
added fail2ban/action.d/sendmail-whois-lines.conf
added fail2ban/action.d/sendmail-whois.conf
added fail2ban/action.d/sendmail.conf
added fail2ban/action.d/shorewall.conf
added fail2ban/filter.d/apache-auth.conf
added fail2ban/filter.d/apache-badbots.conf
added fail2ban/filter.d/apache-nohome.conf
added fail2ban/filter.d/apache-noscript.conf
added fail2ban/filter.d/apache-overflows.conf
added fail2ban/filter.d/common.conf
added fail2ban/filter.d/courierlogin.conf
added fail2ban/filter.d/couriersmtp.conf
added fail2ban/filter.d/cyrus-imap.conf
added fail2ban/filter.d/exim.conf
added fail2ban/filter.d/gssftpd.conf
added fail2ban/filter.d/lighttpd-fastcgi.conf
added fail2ban/filter.d/named-refused.conf
added fail2ban/filter.d/pam-generic.conf
added fail2ban/filter.d/php-url-fopen.conf
added fail2ban/filter.d/postfix.conf
added fail2ban/filter.d/proftpd.conf
added fail2ban/filter.d/pure-ftpd.conf
added fail2ban/filter.d/qmail.conf
added fail2ban/filter.d/sasl.conf
added fail2ban/filter.d/sieve.conf
added fail2ban/filter.d/sshd-ddos.conf
added fail2ban/filter.d/sshd.conf
added fail2ban/filter.d/vsftpd.conf
added fail2ban/filter.d/webmin-auth.conf
added fail2ban/filter.d/wuftpd.conf
added fail2ban/filter.d/xinetd-fail.conf
added init.d/fail2ban
added logrotate.d/fail2ban
added rc0.d/K99fail2ban
added rc1.d/K99fail2ban
added rc2.d/S99fail2ban
added rc3.d/S99fail2ban
added rc4.d/S99fail2ban
added rc5.d/S99fail2ban
added rc6.d/K99fail2ban
Committed revision 16.


John 2011-08-15 05:08

Installing Apache, MySQL and PHP

root@honesty:~# apt-get install apache2 mysql-server php5
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common
  libapache2-mod-php5 libapr1 libaprutil1 libaprutil1-dbd-sqlite3
  libaprutil1-ldap libdbd-mysql-perl libdbi-perl libexpat1
  libhtml-template-perl libmysqlclient16 libnet-daemon-perl libplrpc-perl
  mysql-client-5.1 mysql-client-core-5.1 mysql-common mysql-server-5.1
  mysql-server-core-5.1 php5-common psmisc ssl-cert
Suggested packages:
  www-browser apache2-doc apache2-suexec apache2-suexec-custom ufw php-pear
  dbishell libipc-sharedcache-perl tinyca mailx php5-suhosin
The following NEW packages will be installed:
  apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common
  libapache2-mod-php5 libapr1 libaprutil1 libaprutil1-dbd-sqlite3
  libaprutil1-ldap libdbd-mysql-perl libdbi-perl libexpat1
  libhtml-template-perl libmysqlclient16 libnet-daemon-perl libplrpc-perl
  mysql-client-5.1 mysql-client-core-5.1 mysql-common mysql-server
  mysql-server-5.1 mysql-server-core-5.1 php5 php5-common psmisc ssl-cert
0 upgraded, 27 newly installed, 0 to remove and 0 not upgraded.
Need to get 31.5MB of archives.
After this operation, 82.8MB of additional disk space will be used.
Do you want to continue [Y/n]?


John 2011-08-15 04:06

Configuring NFS client

root@honesty:/etc# apt-get install nfs-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libevent-1.4-2 libgssglue1 libnfsidmap2 librpcsecgss3 portmap
The following NEW packages will be installed:
  libevent-1.4-2 libgssglue1 libnfsidmap2 librpcsecgss3 nfs-common portmap
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 421kB of archives.
After this operation, 1364kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libevent-1.4-2 1.4.13-stable-1 [61.4kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libgssglue1 0.1-4 [24.4kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libnfsidmap2 0.23-2 [32.1kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main librpcsecgss3 0.19-2 [36.3kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main portmap 6.0.0-1ubuntu2 [38.2kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/main nfs-common 1:1.2.0-4ubuntu4 [228kB]
Fetched 421kB in 1s (359kB/s)
Preconfiguring packages ...
Selecting previously deselected package libevent-1.4-2.
(Reading database ... 15759 files and directories currently installed.)
Unpacking libevent-1.4-2 (from .../libevent-1.4-2_1.4.13-stable-1_amd64.deb) ...
Selecting previously deselected package libgssglue1.
Unpacking libgssglue1 (from .../libgssglue1_0.1-4_amd64.deb) ...
Selecting previously deselected package libnfsidmap2.
Unpacking libnfsidmap2 (from .../libnfsidmap2_0.23-2_amd64.deb) ...
Selecting previously deselected package librpcsecgss3.
Unpacking librpcsecgss3 (from .../librpcsecgss3_0.19-2_amd64.deb) ...
Selecting previously deselected package portmap.
Unpacking portmap (from .../portmap_6.0.0-1ubuntu2_amd64.deb) ...
Selecting previously deselected package nfs-common.
Unpacking nfs-common (from .../nfs-common_1%3a1.2.0-4ubuntu4_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libevent-1.4-2 (1.4.13-stable-1) ...

Setting up libgssglue1 (0.1-4) ...

Setting up libnfsidmap2 (0.23-2) ...

Setting up librpcsecgss3 (0.19-2) ...

Setting up portmap (6.0.0-1ubuntu2) ...
portmap start/running, process 7410

Setting up nfs-common (1:1.2.0-4ubuntu4) ...

Creating config file /etc/idmapd.conf with new version

Creating config file /etc/default/nfs-common with new version
Adding system user `statd' (UID 104) ...
Adding new user `statd' (UID 104) with group `nogroup' ...
Not creating home directory `/var/lib/nfs'.
statd start/running, process 7626
gssd stop/pre-start, process 7651
idmapd stop/pre-start, process 7679

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added gssapi_mech.conf
added idmapd.conf
modified passwd
modified passwd-
modified shadow
modified shadow-
added default/nfs-common
added default/portmap
added init/gssd.conf
added init/idmapd.conf
added init/portmap.conf
added init/rpc_pipefs.conf
added init/statd.conf
added init.d/gssd
added init.d/idmapd
added init.d/portmap
added init.d/rpc_pipefs
added init.d/statd
Committed revision 12.
root@honesty:/etc# vim /etc/fstab
root@honesty:/etc# cat /etc/fstab
proc            /proc       proc    defaults    0 0
/dev/sda1       /           ext3    defaults,errors=remount-ro,noatime    0 1
/dev/sda2       none        swap    sw          0 0
172.19.1.45:/home /home     nfs4    rw,_netdev,auto 0 0
root@honesty:/etc# vim /etc/modules
root@honesty:/etc# cat /etc/modules
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
nfs


John 2011-08-15 03:45

Configuring Kerberos client

jj5@honesty:~$ sudo -s
[sudo] password for jj5:
root@honesty:~# apt-get install krb5-user krb5-config libpam-krb5
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bind9-host geoip-database libbind9-60 libdns64 libgeoip1 libgssrpc4 libisc60
  libisccc60 libisccfg60 libkadm5clnt-mit7 liblwres60
Suggested packages:
  geoip-bin krb5-doc
The following NEW packages will be installed:
  bind9-host geoip-database krb5-config krb5-user libbind9-60 libdns64
  libgeoip1 libgssrpc4 libisc60 libisccc60 libisccfg60 libkadm5clnt-mit7
  liblwres60 libpam-krb5
0 upgraded, 14 newly installed, 0 to remove and 0 not upgraded.
Need to get 2235kB of archives.
After this operation, 5517kB of additional disk space will be used.
Do you want to continue [Y/n]?
Package configuration



┌──────────────────┤ Configuring Kerberos Authentication ├──────────────────┐
│ When users attempt to use Kerberos and specify a principal or user name   │
│ without specifying what administrative Kerberos realm that principal      │
│ belongs to, the system appends the default realm.  The default realm may  │
│ also be used as the realm of a Kerberos service running on the local      │
│ machine.  Often, the default realm is the uppercase version of the local  │
│ DNS domain.                                                               │
│                                                                           │
│ Default Kerberos version 5 realm:                                         │
│                                                                           │
│ PROGCLUB.ORG_____________________________________________________________ │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Package configuration





  ┌────────────────┤ Configuring Kerberos Authentication ├─────────────────┐
  │ Enter the hostnames of Kerberos servers in the PROGCLUB.ORG Kerberos   │
  │ realm separated by spaces.                                             │
  │                                                                        │
  │ Kerberos servers for your realm:                                       │
  │                                                                        │
  │ kerberos.progclub.org_________________________________________________ │
  │                                                                        │
  │                                 <Ok>                                   │
  │                                                                        │
  └────────────────────────────────────────────────────────────────────────┘
Package configuration





┌──────────────────┤ Configuring Kerberos Authentication ├──────────────────┐
│ Enter the hostname of the administrative (password changing) server for   │
│ the PROGCLUB.ORG Kerberos realm.                                          │
│                                                                           │
│ Administrative server for your Kerberos realm:                            │
│                                                                           │
│ kerberos.progclub.org____________________________________________________ │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libgeoip1 1.4.6.dfsg-17 [109kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libisc60 1:9.7.0.dfsg.P1-1 [169kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libdns64 1:9.7.0.dfsg.P1-1 [690kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main libisccc60 1:9.7.0.dfsg.P1-1 [29.4kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main libisccfg60 1:9.7.0.dfsg.P1-1 [52.6kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/main libbind9-60 1:9.7.0.dfsg.P1-1 [34.1kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid/main liblwres60 1:9.7.0.dfsg.P1-1 [47.9kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid/main bind9-host 1:9.7.0.dfsg.P1-1 [68.2kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid/main geoip-database 1.4.6.dfsg-17 [658kB]
Get:10 http://archive.ubuntu.com/ubuntu/ lucid/main krb5-config 2.2 [23.0kB]
Get:11 http://archive.ubuntu.com/ubuntu/ lucid/main libgssrpc4 1.8.1+dfsg-2 [81.4kB]
Get:12 http://archive.ubuntu.com/ubuntu/ lucid/main libkadm5clnt-mit7 1.8.1+dfsg-2 [62.0kB]
Get:13 http://archive.ubuntu.com/ubuntu/ lucid/main krb5-user 1.8.1+dfsg-2 [137kB]
Get:14 http://archive.ubuntu.com/ubuntu/ lucid/main libpam-krb5 4.2-1 [73.8kB]
Fetched 2235kB in 1s (1280kB/s)
Preconfiguring packages ...
Selecting previously deselected package libgeoip1.
(Reading database ... 15582 files and directories currently installed.)
Unpacking libgeoip1 (from .../libgeoip1_1.4.6.dfsg-17_amd64.deb) ...
Selecting previously deselected package libisc60.
Unpacking libisc60 (from .../libisc60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libdns64.
Unpacking libdns64 (from .../libdns64_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libisccc60.
Unpacking libisccc60 (from .../libisccc60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libisccfg60.
Unpacking libisccfg60 (from .../libisccfg60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libbind9-60.
Unpacking libbind9-60 (from .../libbind9-60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package liblwres60.
Unpacking liblwres60 (from .../liblwres60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package bind9-host.
Unpacking bind9-host (from .../bind9-host_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package geoip-database.
Unpacking geoip-database (from .../geoip-database_1.4.6.dfsg-17_all.deb) ...
Selecting previously deselected package krb5-config.
Unpacking krb5-config (from .../krb5-config_2.2_all.deb) ...
Selecting previously deselected package libgssrpc4.
Unpacking libgssrpc4 (from .../libgssrpc4_1.8.1+dfsg-2_amd64.deb) ...
Selecting previously deselected package libkadm5clnt-mit7.
Unpacking libkadm5clnt-mit7 (from .../libkadm5clnt-mit7_1.8.1+dfsg-2_amd64.deb) ...
Selecting previously deselected package krb5-user.
Unpacking krb5-user (from .../krb5-user_1.8.1+dfsg-2_amd64.deb) ...
Selecting previously deselected package libpam-krb5.
Unpacking libpam-krb5 (from .../libpam-krb5_4.2-1_amd64.deb) ...
Processing triggers for man-db ...
Setting up libgeoip1 (1.4.6.dfsg-17) ...

Setting up libisc60 (1:9.7.0.dfsg.P1-1) ...

Setting up libdns64 (1:9.7.0.dfsg.P1-1) ...

Setting up libisccc60 (1:9.7.0.dfsg.P1-1) ...

Setting up libisccfg60 (1:9.7.0.dfsg.P1-1) ...

Setting up libbind9-60 (1:9.7.0.dfsg.P1-1) ... 

Setting up liblwres60 (1:9.7.0.dfsg.P1-1) ...

Setting up bind9-host (1:9.7.0.dfsg.P1-1) ...
Setting up geoip-database (1.4.6.dfsg-17) ...
Setting up krb5-config (2.2) ...

Setting up libgssrpc4 (1.8.1+dfsg-2) ...

Setting up libkadm5clnt-mit7 (1.8.1+dfsg-2) ...

Setting up krb5-user (1.8.1+dfsg-2) ...
Setting up libpam-krb5 (4.2-1) ...

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added krb5.conf
modified pam.d/common-account
modified pam.d/common-auth
modified pam.d/common-password
modified pam.d/common-session
modified pam.d/common-session-noninteractive
Committed revision 8.
root@honesty:~# hostname -f
honesty
root@honesty:~# vim /etc/hosts
root@honesty:~# cat /etc/hosts
127.0.0.1     localhost localhost.localdomain
67.207.129.103     honesty.progclub.net honesty
root@honesty:~# hostname -f
honesty.progclub.net
root@honesty:~# kadmin -p jj5
Authenticating as principal jj5 with password.
Password for jj5@PROGCLUB.ORG:
kadmin:  addprinc -randkey host/honesty.progclub.net@PROGCLUB.ORG
WARNING: no policy specified for host/honesty.progclub.net@PROGCLUB.ORG; defaulting to no policy
Principal "host/honesty.progclub.net@PROGCLUB.ORG" created.
kadmin:  ktadd host/honesty.progclub.net@PROGCLUB.ORG
Entry for principal host/honesty.progclub.net@PROGCLUB.ORG with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/honesty.progclub.net@PROGCLUB.ORG with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/honesty.progclub.net@PROGCLUB.ORG with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/honesty.progclub.net@PROGCLUB.ORG with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  quit
root@honesty:~# cd /etc
root@honesty:/etc# ll kr*
-rw-r--r-- 1 root root 3504 Aug 14 17:49 krb5.conf
-rw------- 1 root root  326 Aug 14 17:53 krb5.keytab
root@honesty:/etc# apt-get install libnss-ldapd libsasl2-modules-gssapi-mit kstart
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libpam-ldapd nscd nslcd
The following NEW packages will be installed:
  kstart libnss-ldapd libpam-ldapd libsasl2-modules-gssapi-mit nscd nslcd
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 531kB of archives.
After this operation, 1311kB of additional disk space will be used.
Do you want to continue [Y/n]?
Package configuration


  ┌─────────────────────────┤ Configuring NSLCD ├──────────────────────────┐
  │ Please enter the Uniform Resource Identifier of the LDAP server. The   │
  │ format is 'ldap://<hostname_or_IP_address>:<port>/'. Alternatively,    │
  │ 'ldaps://' or 'ldapi://' can be used. The port number is optional.     │
  │                                                                        │
  │ When using an ldap or ldaps scheme it is recommended to use an IP      │
  │ address to avoid failures when domain name services are unavailable.   │
  │                                                                        │
  │ Multiple URIs can be be specified by separating them with spaces.      │
  │                                                                        │
  │ LDAP server URI:                                                       │
  │                                                                        │
  │ ldaps://charity.progclub.org/_________________________________________ │
  │                                                                        │
  │                   <Ok>                       <Cancel>                  │
  │                                                                        │
  └────────────────────────────────────────────────────────────────────────┘

Package configuration



┌───────────────────────────┤ Configuring NSLCD ├───────────────────────────┐
│ Please enter the distinguished name of the LDAP search base. Many sites   │
│ use the components of their domain names for this purpose. For example,   │
│ the domain "example.net" would use "dc=example,dc=net" as the             │
│ distinguished name of the search base.                                    │
│                                                                           │
│ LDAP server search base:                                                  │
│                                                                           │
│ dc=progclub,dc=org_______________________________________________________ │
│                                                                           │
│                    <Ok>                        <Cancel>                   │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Package configuration


┌───────────────────────────┤ Configuring NSLCD ├───────────────────────────┐
│                                                                           │
│ When an encrypted connection is used, a server certificate can be         │
│ requested and checked. Please choose whether lookups should be            │
│ configured to require a certificate, and whether certificates should be   │
│ checked for validity:                                                     │
│  * never: no certificate will be requested or checked;                    │
│  * allow: a certificate will be requested, but it is not                  │
│           required or checked;                                            │
│  * try: a certificate will be requested and checked, but if no            │
│         certificate is provided it is ignored;                            │
│  * demand: a certificate will be requested, required, and checked.        │
│ If certificate checking is enabled, at least one of the tls_cacertdir or  │
│ tls_cacertfile options must be put in /etc/nslcd.conf.                    │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Package configuration





                     ┌──────┤ Configuring NSLCD ├───────┐
                     │ Check server's SSL certificate:  │
                     │                                  │
                     │              never               │
                     │            * allow               │
                     │              try                 │
                     │              demand              │
                     │                                  │
                     │                                  │
                     │      <Ok>          <Cancel>      │
                     │                                  │
                     └──────────────────────────────────┘
Package configuration

┌───────────────────────┤ Configuring libnss-ldapd ├────────────────────────┐
│ For this package to work, you need to modify your /etc/nsswitch.conf to   │
│ use the ldap datasource.                                                  │
│                                                                           │
│ You can select the services that should have LDAP lookups enabled. The    │
│ new LDAP lookups will be added as the last datasource. Be sure to review  │
│ these changes.                                                            │
│                                                                           │
│ Name services to configure:                                               │
│                                                                           │
│    [*] aliases                                                            │
│    [*] ethers                                                             │
│    [*] group                                                              │
│    [*] hosts                                                              │
│    [*] netgroup                                                           │
│    [*] networks                                                           │
│    [*] passwd                                                             │
│    [*] protocols                                                          │
│    [*] rpc                                                                │
│    [*] services                                                           │
│    [*] shadow                                                             │
│                                                                           │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe kstart 3.16-3 [58.3kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe libsasl2-modules-gssapi-mit 2.1.23.dfsg1-5ubuntu1 [73.1kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/universe nscd 2.11.1-0ubuntu7 [211kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/universe nslcd 0.7.2 [120kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/universe libnss-ldapd 0.7.2 [41.8kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/universe libpam-ldapd 0.7.2 [27.6kB]
Fetched 531kB in 1s (441kB/s)
Committing to: /etc/
modified .etckeeper
modified hosts
added krb5.keytab
Committed revision 9.
Preconfiguring packages ...
Selecting previously deselected package kstart.
(Reading database ... 15699 files and directories currently installed.)
Unpacking kstart (from .../kstart_3.16-3_amd64.deb) ...
Selecting previously deselected package libsasl2-modules-gssapi-mit.
Unpacking libsasl2-modules-gssapi-mit (from .../libsasl2-modules-gssapi-mit_2.1.23.dfsg1-5ubuntu1_amd64.deb) ...
Selecting previously deselected package nscd.
Unpacking nscd (from .../nscd_2.11.1-0ubuntu7_amd64.deb) ...
Selecting previously deselected package nslcd.
Unpacking nslcd (from .../archives/nslcd_0.7.2_amd64.deb) ...
Selecting previously deselected package libnss-ldapd.
Unpacking libnss-ldapd (from .../libnss-ldapd_0.7.2_amd64.deb) ...
Selecting previously deselected package libpam-ldapd.
Unpacking libpam-ldapd (from .../libpam-ldapd_0.7.2_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up kstart (3.16-3) ...
Setting up libsasl2-modules-gssapi-mit (2.1.23.dfsg1-5ubuntu1) ...
Setting up nscd (2.11.1-0ubuntu7) ...
 * Starting Name Service Cache Daemon nscd                               [ OK ]

Setting up nslcd (0.7.2) ...
Warning: The home dir /var/run/nslcd/ you specified can't be accessed: No such file or directory
Adding system user `nslcd' (UID 103) ...
Adding new group `nslcd' (GID 105) ...
Adding new user `nslcd' (UID 103) with group `nslcd' ...
Not creating home directory `/var/run/nslcd/'.
 * Starting LDAP connection daemon nslcd                                 [ OK ]

Setting up libnss-ldapd (0.7.2) ...
/etc/nsswitch.conf: enable LDAP lookups for aliases
/etc/nsswitch.conf: enable LDAP lookups for ethers
/etc/nsswitch.conf: enable LDAP lookups for group
/etc/nsswitch.conf: enable LDAP lookups for hosts
/etc/nsswitch.conf: enable LDAP lookups for netgroup
/etc/nsswitch.conf: enable LDAP lookups for networks
/etc/nsswitch.conf: enable LDAP lookups for passwd
/etc/nsswitch.conf: enable LDAP lookups for protocols
/etc/nsswitch.conf: enable LDAP lookups for rpc
/etc/nsswitch.conf: enable LDAP lookups for services
/etc/nsswitch.conf: enable LDAP lookups for shadow
 * Restarting Name Service Cache Daemon nscd                             [ OK ]

Setting up libpam-ldapd (0.7.2) ...

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
modified group
modified group-
modified gshadow
modified gshadow-
added nscd.conf
added nslcd.conf
modified nsswitch.conf
modified passwd
modified passwd-
modified shadow
modified shadow-
added init.d/nscd
added init.d/nslcd
modified pam.d/common-account
modified pam.d/common-auth
modified pam.d/common-password
modified pam.d/common-session
modified pam.d/common-session-noninteractive
added rc0.d/K20nscd
added rc0.d/K20nslcd
added rc1.d/K20nscd
added rc1.d/K20nslcd
added rc2.d/S20nscd
added rc2.d/S20nslcd
added rc3.d/S20nscd
added rc3.d/S20nslcd
added rc4.d/S20nscd
added rc4.d/S20nslcd
added rc5.d/S20nscd
added rc5.d/S20nslcd
added rc6.d/K20nscd
added rc6.d/K20nslcd
Committed revision 10.
root@honesty:/etc# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns ldap
networks:       files ldap

protocols:      db files ldap
services:       db files ldap
ethers:         db files ldap
rpc:            db files ldap

netgroup:       nis ldap
aliases:        ldap
root@honesty:/etc# cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://charity.progclub.org/

# The search base that will be used for all queries.
base dc=progclub,dc=org

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# SSL options
#ssl off
tls_reqcert allow

# The search scope.
#scope sub
root@honesty:/etc# vim /etc/nslcd.conf
# JE: 2011-08-15: added sasl_mech
sasl_mech GSSAPI
root@honesty:/etc# pam-auth-update
Package configuration

┌───────────────────────────────────┤  ├────────────────────────────────────┐
│ Pluggable Authentication Modules (PAM) determine how authentication,      │
│ authorization, and password changing are handled on the system, as well   │
│ as allowing configuration of additional actions to take when starting     │
│ user sessions.                                                            │
│                                                                           │
│ Some PAM module packages provide profiles that can be used to             │
│ automatically adjust the behavior of all PAM-using applications on the    │
│ system.  Please indicate which of these behaviors you wish to enable.     │
│                                                                           │
│ PAM profiles to enable:                                                   │
│                                                                           │
│    [*] Kerberos authentication                                            │
│    [*] Unix authentication                                                │
│    [ ] LDAP Authentication                                                │
│                                                                           │
│                                                                           │
│                    <Ok>                        <Cancel>                   │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
root@honesty:/etc# vim /etc/pam.d/common-password
root@honesty:/etc# cat /etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
#password       requisite                       pam_krb5.so minimum_uid=1000
#password       [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
# here's the fallback if no module succeeds
#password       requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
#password       required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

password   sufficient   pam_krb5.so minimum_uid=1000
password   required     pam_unix.so obscure try_first_pass sha512
root@honesty:/etc# service nslcd restart
 * Restarting LDAP connection daemon nslcd
 nslcd: /etc/nslcd.conf:30: option sasl_mech is currently not fully supported (please report any successes)
                                                                        [ OK ]
root@honesty:/etc# etckeeper commit "Configured Kerberos client"
Committing to: /etc/
modified nslcd.conf
modified pam.d/common-account
modified pam.d/common-auth
modified pam.d/common-password
modified pam.d/common-session
modified pam.d/common-session-noninteractive
Committed revision 11.
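The nslcd.conf above points nslcd at an ldaps:// directory but sets tls_reqcert allow, which accepts any server certificate. Below is an added example, not part of the original entry, that parses an nslcd.conf and flags that and related settings; the sample config is constructed from the options shown above, and treating an unset tls_reqcert as demand is an assumption.

```python
from urllib.parse import urlparse

# Constructed sample: the options the entry above ends up with in /etc/nslcd.conf.
SAMPLE_NSLCD_CONF = """\
uid nslcd
gid nslcd
uri ldaps://charity.progclub.org/
base dc=progclub,dc=org
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
#ssl off
tls_reqcert allow
sasl_mech GSSAPI
"""

def parse_nslcd_conf(text):
    """nslcd.conf is 'option value' per line, '#' starts a comment and an
    option may repeat (several uri lines), so values are kept as lists."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key.lower(), []).append(value.strip())
    return opts

def audit_nslcd(text):
    """Return findings about directory transport security and credentials."""
    opts = parse_nslcd_conf(text)
    findings = []
    schemes = [urlparse(u).scheme for u in opts.get("uri", [])]
    uses_tls = "ldaps" in schemes or opts.get("ssl", ["off"])[-1] in ("on", "start_tls")
    # tls_reqcert unset means libldap's default, demand (assumption, see ldap.conf(5))
    reqcert = opts.get("tls_reqcert", ["demand"])[-1]
    if uses_tls and reqcert not in ("demand", "hard"):
        findings.append("tls_reqcert %s: the server certificate is not verified, so "
                        "ldaps:// does not stop a spoofed directory from answering "
                        "passwd/group lookups; use 'tls_reqcert demand' with "
                        "tls_cacertfile" % reqcert)
    if "ldap" in schemes and not uses_tls:
        findings.append("plain ldap:// without start_tls: lookups and any bind "
                        "password cross the network in clear")
    if "bindpw" in opts:
        findings.append("bindpw present: nslcd.conf must not be world-readable")
    return findings
```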

John 2011-08-05 16:59

Disabling IPSec

Can't get IPSec to work. Commented out /etc/network/if-up.d/ip and removed the policies from /etc/ipsec-tools.conf.

John 2011-07-30 19:30

Configuring IPSec

jj5@honesty:~$ sudo -s
[sudo] password for jj5:
root@honesty:~# cd /etc/network/if-pre-up.d/
root@honesty:/etc/network/if-pre-up.d# ll
total 12
drwxr-xr-x 2 root root 4096 Apr 22  2010 ./
drwxr-xr-x 6 root root 4096 Apr 22  2010 ../
-rwxr-xr-x 1 root root  348 Dec 21  2009 ethtool*
root@honesty:/etc/network/if-pre-up.d# vim iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
root@honesty:/etc/network/if-pre-up.d# chmod +x iptables
root@honesty:/etc/network/if-pre-up.d# cd ../if-up.d/
root@honesty:/etc/network/if-up.d# vim ip
#!/bin/sh
# Charity
ip route add 67.207.128.184 dev eth0 advmss 200
# Hope
ip route add 67.207.130.204 dev eth0 advmss 200
root@honesty:/etc/network/if-up.d# chmod +x ip
root@honesty:/etc/network/if-up.d# cd /etc/
root@honesty:/etc# vim iptables.up.rules
*filter
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that doesn't use lo0
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Accept anything from charity
-A INPUT -s 67.207.128.184 -j ACCEPT
# Accept anything from hope
-A INPUT -s 67.207.130.204 -j ACCEPT
# Allow MySQL connections from John's house
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
root@honesty:/etc# vim ipsec-tools.conf
#!/usr/sbin/setkey -f
## Flush the SAD and SPD
flush;
spdflush;
# Charity/Honesty configuration
# ESP SAs using 192 bit long AES keys (the "168 + 24 parity" figure applies to 3DES, not AES)
add 67.207.128.184 67.207.129.103 esp 5 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.128.184 esp 6 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# AH SAs using 160 bit long keys
add 67.207.128.184 67.207.129.103 ah 7 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.128.184 ah 8 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# Security policies
spdadd 67.207.129.103 67.207.128.184 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.128.184 67.207.129.103 any -P in ipsec
        esp/transport//require
        ah/transport//require;
# Hope/Honesty configuration
# ESP SAs using 192 bit long AES keys (the "168 + 24 parity" figure applies to 3DES, not AES)
add 67.207.130.204 67.207.129.103 esp 9 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.130.204 esp 10 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# AH SAs using 160 bit long keys
add 67.207.130.204 67.207.129.103 ah 11 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.130.204 ah 12 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# Security policies
spdadd 67.207.129.103 67.207.130.204 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.130.204 67.207.129.103 any -P in ipsec
        esp/transport//require
        ah/transport//require;
root@honesty:/etc# ll ipsec-tools.conf
-rwxr-xr-x 1 root root 1661 Jul 30 09:46 ipsec-tools.conf*
root@honesty:/etc# chmod 700 ipsec-tools.conf
root@honesty:/etc# ll ipsec-tools.conf
-rwx------ 1 root root 1661 Jul 30 09:46 ipsec-tools.conf*
root@honesty:~# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
added iptables.up.rules
added network/if-pre-up.d/iptables
added network/if-up.d/ip
Committed revision 5.
root@honesty:/etc# reboot

Phew, that ought to do it.

The other end of the connections have been configured on charity and hope.
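The ipsec-tools.conf above keys every SA by hand, so a key of the wrong length for its algorithm, a reused SA identity, or an SPI in the range setkey(8) documents as reserved (0 through 255; the entry above uses 5 through 12) is only discovered when setkey loads the file. Below is an added example, not part of the original entry, that parses setkey 'add' statements and checks those three things; the sample statements are constructed from the entry's placeholder keys plus one deliberately wrong 3DES entry.

```python
import re

# Constructed sample in the style of the entry's ipsec-tools.conf: its first
# Charity->Honesty ESP and AH SAs, plus one deliberately wrong 3DES entry.
SAMPLE_SETKEY = """\
add 67.207.128.184 67.207.129.103 esp 5 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.128.184 67.207.129.103 ah 7 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.128.184 67.207.129.103 esp 0x1000 -E 3des-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeef;
"""

# Key sizes in bits that setkey(8) accepts for the algorithms used here.
KEY_BITS = {
    "esp": {"aes-cbc": (128, 192, 256), "3des-cbc": (192,)},
    "ah": {"hmac-sha1": (160,), "hmac-sha256": (256,)},
}

# One 'add' statement: src dst esp|ah spi -E|-A algo 0xKEY [...] ;  Statements
# may span lines; only the first hex key is checked (no quoted ASCII keys).
ADD_RE = re.compile(
    r"^\s*add\s+(\S+)\s+(\S+)\s+(esp|ah)\s+(0x[0-9a-fA-F]+|\d+)"
    r"\s+-[EA]\s+(\S+)\s+0x([0-9a-fA-F]+)[^;]*;", re.M)

def parse_sas(text):
    """Return [(src, dst, proto, spi, algo, key_bits)] per 'add' statement."""
    return [(s, d, p, int(spi, 0), a, len(k) * 4)
            for s, d, p, spi, a, k in ADD_RE.findall(text)]

def check_sas(text):
    """Return findings: wrong key size, SA identity reused, or reserved SPI."""
    findings, seen = [], set()
    for _src, dst, proto, spi, algo, bits in parse_sas(text):
        allowed = KEY_BITS[proto].get(algo)
        if allowed is None:
            findings.append("SPI %d: unknown %s algorithm %s" % (spi, proto, algo))
        elif bits not in allowed:
            findings.append("SPI %d: %s key is %d bits, %s takes %s" % (
                spi, algo, bits, algo, "/".join(map(str, allowed))))
        if (dst, proto, spi) in seen:   # an SA is identified by (dst, proto, spi)
            findings.append("SPI %d: duplicate %s SA to %s" % (spi, proto, dst))
        seen.add((dst, proto, spi))
        if spi < 256:   # setkey(8): SPIs 0-255 are reserved by IANA and cannot be used
            findings.append("SPI %d: values 0-255 are reserved" % spi)
    return findings
```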

John 2011-07-30 13:57

Adding user jj5

Didn't want to have to do this, but need to ssh in a fair bit.

root@honesty:~# adduser jj5
Adding user `jj5' ...
Adding new group `jj5' (1000) ...
Adding new user `jj5' (1000) with group `jj5' ...
Creating home directory `/home/jj5' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jj5
Enter the new value, or press ENTER for the default
       Full Name []: John Elliot
       Room Number []:
       Work Phone []:
       Home Phone []:
       Other []:
Is the information correct? [Y/n]
root@honesty:~# gpasswd -a jj5 sudo
Adding user jj5 to group sudo


John 2011-07-29 02:54

Installing Etckeeper

# apt-get install etckeeper
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bzr bzrtools patch python-configobj python-crypto python-paramiko
  python-support rsync
Suggested packages:
  bzr-gtk bzr-svn python-pycurl xdg-utils python-kerberos bzr-doc librsvg2-bin
  graphviz ed diffutils-doc python-crypto-dbg
The following NEW packages will be installed:
  bzr bzrtools etckeeper patch python-configobj python-crypto python-paramiko
  python-support rsync
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 4787kB of archives.
After this operation, 27.8MB of additional disk space will be used.
Do you want to continue [Y/n]?

Just like that.

Installing IPSec

# apt-get install ipsec-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ipsec-tools
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 111kB of archives.
After this operation, 274kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main ipsec-tools 1:0.7.1-1.6ubuntu1 [111kB]
Fetched 111kB in 0s (153kB/s)
Selecting previously deselected package ipsec-tools.
(Reading database ... 15571 files and directories currently installed.)
Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up ipsec-tools (1:0.7.1-1.6ubuntu1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added ipsec-tools.conf
added default/setkey
added init.d/setkey
added rcS.d/S37setkey
Committed revision 2.

John 2011-07-28 21:15

The honesty.progclub.org slice has been created, and the host added to the DNS zones, but apart from that it's not configured presently.