Difference between revisions of "Hope admin"

From ProgClub
 
This page chronicles the administrative changes to [[Hope|hope.progclub.net]]. If you make an administrative change you should document the change here. Changes are logged here in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is less than a time-stamp later in the page; put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the [[Administrative reference]] for other information.

= [[User:John|John]] 2011-08-14 17:23 =

== Kerberos client configuration ==

Per [https://help.ubuntu.com/community/SingleSignOn#Client%20Configuration these instructions].

jj5@hope:~$ sudo -s
[sudo] password for jj5:
root@hope:~# apt-get install krb5-user krb5-config libpam-krb5
Reading package lists... Done
Building dependency tree
Reading state information... Done
krb5-user is already the newest version.
krb5-config is already the newest version.
krb5-config set to manually installed.
The following NEW packages will be installed:
  libpam-krb5
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 73.8kB of archives.
After this operation, 193kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libpam-krb5 4.2-1 [73.8kB]
Fetched 73.8kB in 0s (107kB/s)
Selecting previously deselected package libpam-krb5.
(Reading database ... 15717 files and directories currently installed.)
Unpacking libpam-krb5 (from .../libpam-krb5_4.2-1_amd64.deb) ...
Processing triggers for man-db ...
Setting up libpam-krb5 (4.2-1) ...

Committing to: /etc/
modified pam.d/common-account
modified pam.d/common-auth
modified pam.d/common-password
modified pam.d/common-session
modified pam.d/common-session-noninteractive
Committed revision 16.

root@hope:~# hostname -f
hope
root@hope:~# vim /etc/hosts
root@hope:~# cat /etc/hosts
127.0.0.1       localhost localhost.localdomain
67.207.130.204  hope.progclub.net hope
root@hope:~# hostname -f
hope.progclub.net

root@hope:~# kadmin
Authenticating as principal root/admin@PROGCLUB.ORG with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface
root@hope:~# kadmin -u jj5/admin
kadmin: invalid option -- 'u'
Usage: kadmin [-r realm] [-p principal] [-q query] [clnt|local args]
        clnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]|[-n]
        local args: [-x db_args]* [-d dbname] [-e "enc:salt ..."] [-m]
where,
        [-x db_args]* - any number of database specific arguments.
                        Look at each database documentation for supported arguments
root@hope:~# kadmin -p jj5/admin
Authenticating as principal jj5/admin with password.
Password for jj5/admin@PROGCLUB.ORG:
kadmin:  addprinc -randkey host/hope.progclub.net@PROGCLUB.ORG
WARNING: no policy specified for host/hope.progclub.net@PROGCLUB.ORG; defaulting to no policy
add_principal: Principal or policy already exists while creating "host/hope.progclub.net@PROGCLUB.ORG".
kadmin:  ktadd -k ~/hope.keytab host/hope.progclub.net@PROGCLUB.ORG
kadmin: No such file or directory while adding key to keytab
kadmin:  quit
root@hope:~# ls
ipsec-tools.conf

root@hope:~# kadmin -p jj5/admin
kadmin:  ktadd ~/hope.keytab host/hope.progclub.net@PROGCLUB.ORG
kadmin: Principal ~/hope.keytab does not exist.
Entry for principal host/hope.progclub.net@PROGCLUB.ORG with kvno 4, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/hope.progclub.net@PROGCLUB.ORG with kvno 4, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/hope.progclub.net@PROGCLUB.ORG with kvno 4, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/hope.progclub.net@PROGCLUB.ORG with kvno 4, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: quit

root@hope:~# cd /etc
root@hope:/etc# ll kr*
-rw-r--r-- 1 root root 3504 Aug  4 13:43 krb5.conf
-rw------- 1 root root  314 Aug 14 07:32 krb5.keytab

root@hope:/etc# apt-get install libnss-ldapd libsasl2-modules-gssapi-mit kstart
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libpam-ldapd nscd nslcd
The following NEW packages will be installed:
  kstart libnss-ldapd libpam-ldapd libsasl2-modules-gssapi-mit nscd nslcd
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 531kB of archives.
After this operation, 1311kB of additional disk space will be used.
Do you want to continue [Y/n]?

Package configuration

  ┌─────────────────────────┤ Configuring NSLCD ├──────────────────────────┐
  │ Please enter the Uniform Resource Identifier of the LDAP server. The   │
  │ format is 'ldap://<hostname_or_IP_address>:<port>/'. Alternatively,    │
  │ 'ldaps://' or 'ldapi://' can be used. The port number is optional.     │
  │                                                                        │
  │ When using an ldap or ldaps scheme it is recommended to use an IP      │
  │ address to avoid failures when domain name services are unavailable.   │
  │                                                                        │
  │ Multiple URIs can be be specified by separating them with spaces.      │
  │                                                                        │
  │ LDAP server URI:                                                       │
  │                                                                        │
  │ ldaps://charity.progclub.org/_________________________________________ │
  │                                                                        │
  │                   <Ok>                       <Cancel>                  │
  │                                                                        │
  └────────────────────────────────────────────────────────────────────────┘

Package configuration

┌───────────────────────────┤ Configuring NSLCD ├───────────────────────────┐
│ Please enter the distinguished name of the LDAP search base. Many sites   │
│ use the components of their domain names for this purpose. For example,   │
│ the domain "example.net" would use "dc=example,dc=net" as the             │
│ distinguished name of the search base.                                    │
│                                                                           │
│ LDAP server search base:                                                  │
│                                                                           │
│ dc=progclub,dc=org_______________________________________________________ │
│                                                                           │
│                    <Ok>                        <Cancel>                   │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘

Package configuration

┌───────────────────────────┤ Configuring NSLCD ├───────────────────────────┐
│                                                                           │
│ When an encrypted connection is used, a server certificate can be         │
│ requested and checked. Please choose whether lookups should be            │
│ configured to require a certificate, and whether certificates should be   │
│ checked for validity:                                                     │
│  * never: no certificate will be requested or checked;                    │
│  * allow: a certificate will be requested, but it is not                  │
│           required or checked;                                            │
│  * try: a certificate will be requested and checked, but if no            │
│         certificate is provided it is ignored;                            │
│  * demand: a certificate will be requested, required, and checked.        │
│ If certificate checking is enabled, at least one of the tls_cacertdir or  │
│ tls_cacertfile options must be put in /etc/nslcd.conf.                    │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘

Package configuration

                     ┌──────┤ Configuring NSLCD ├───────┐
                     │ Check server's SSL certificate:  │
                     │                                  │
                     │              never               │
                     │            * allow               │
                     │              try                 │
                     │              demand              │
                     │                                  │
                     │                                  │
                     │      <Ok>          <Cancel>      │
                     │                                  │
                     └──────────────────────────────────┘

Package configuration

┌───────────────────────┤ Configuring libnss-ldapd ├────────────────────────┐
│ For this package to work, you need to modify your /etc/nsswitch.conf to   │
│ use the ldap datasource.                                                  │
│                                                                           │
│ You can select the services that should have LDAP lookups enabled. The    │
│ new LDAP lookups will be added as the last datasource. Be sure to review  │
│ these changes.                                                            │
│                                                                           │
│ Name services to configure:                                               │
│                                                                           │
│    [*] aliases                                                            │
│    [*] ethers                                                             │
│    [*] group                                                              │
│    [*] hosts                                                              │
│    [*] netgroup                                                           │
│    [*] networks                                                           │
│    [*] passwd                                                             │
│    [*] protocols                                                          │
│    [*] rpc                                                                │
│    [*] services                                                           │
│    [*] shadow                                                             │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘

Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe kstart 3.16-3 [58.3kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe libsasl2-modules-gssapi-mit 2.1.23.dfsg1-5ubuntu1 [73.1kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/universe nscd 2.11.1-0ubuntu7 [211kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/universe nslcd 0.7.2 [120kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/universe libnss-ldapd 0.7.2 [41.8kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/universe libpam-ldapd 0.7.2 [27.6kB]
Fetched 531kB in 1s (494kB/s)
Committing to: /etc/
modified .etckeeper
modified hosts
added krb5.keytab
Committed revision 17.
Preconfiguring packages ...
Selecting previously deselected package kstart.
(Reading database ... 15728 files and directories currently installed.)
Unpacking kstart (from .../kstart_3.16-3_amd64.deb) ...
Selecting previously deselected package libsasl2-modules-gssapi-mit.
Unpacking libsasl2-modules-gssapi-mit (from .../libsasl2-modules-gssapi-mit_2.1.23.dfsg1-5ubuntu1_amd64.deb) ...
Selecting previously deselected package nscd.
Unpacking nscd (from .../nscd_2.11.1-0ubuntu7_amd64.deb) ...
Selecting previously deselected package nslcd.
Unpacking nslcd (from .../archives/nslcd_0.7.2_amd64.deb) ...
Selecting previously deselected package libnss-ldapd.
Unpacking libnss-ldapd (from .../libnss-ldapd_0.7.2_amd64.deb) ...
Selecting previously deselected package libpam-ldapd.
Unpacking libpam-ldapd (from .../libpam-ldapd_0.7.2_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up kstart (3.16-3) ...
Setting up libsasl2-modules-gssapi-mit (2.1.23.dfsg1-5ubuntu1) ...
Setting up nscd (2.11.1-0ubuntu7) ...
 * Starting Name Service Cache Daemon nscd                               [ OK ]

Setting up nslcd (0.7.2) ...
Warning: The home dir /var/run/nslcd/ you specified can't be accessed: No such file or directory
Adding system user `nslcd' (UID 103) ...
Adding new group `nslcd' (GID 105) ...
Adding new user `nslcd' (UID 103) with group `nslcd' ...
Not creating home directory `/var/run/nslcd/'.
 * Starting LDAP connection daemon nslcd                                 [ OK ]

Setting up libnss-ldapd (0.7.2) ...
/etc/nsswitch.conf: enable LDAP lookups for aliases
/etc/nsswitch.conf: enable LDAP lookups for ethers
/etc/nsswitch.conf: enable LDAP lookups for group
/etc/nsswitch.conf: enable LDAP lookups for hosts
/etc/nsswitch.conf: enable LDAP lookups for netgroup
/etc/nsswitch.conf: enable LDAP lookups for networks
/etc/nsswitch.conf: enable LDAP lookups for passwd
/etc/nsswitch.conf: enable LDAP lookups for protocols
/etc/nsswitch.conf: enable LDAP lookups for rpc
/etc/nsswitch.conf: enable LDAP lookups for services
/etc/nsswitch.conf: enable LDAP lookups for shadow
 * Restarting Name Service Cache Daemon nscd                             [ OK ]

Setting up libpam-ldapd (0.7.2) ...

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
modified group
modified group-
modified gshadow
modified gshadow-
added nscd.conf
added nslcd.conf
modified nsswitch.conf
modified passwd
modified passwd-
modified shadow
modified shadow-
added init.d/nscd
added init.d/nslcd
modified pam.d/common-account
modified pam.d/common-auth
modified pam.d/common-password
modified pam.d/common-session
modified pam.d/common-session-noninteractive
added rc0.d/K20nscd
added rc0.d/K20nslcd
added rc1.d/K20nscd
added rc1.d/K20nslcd
added rc2.d/S20nscd
added rc2.d/S20nslcd
added rc3.d/S20nscd
added rc3.d/S20nslcd
added rc4.d/S20nscd
added rc4.d/S20nslcd
added rc5.d/S20nscd
added rc5.d/S20nslcd
added rc6.d/K20nscd
added rc6.d/K20nslcd
Committed revision 18.

root@hope:/etc# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns ldap
networks:       files ldap

protocols:      db files ldap
services:       db files ldap
ethers:         db files ldap
rpc:            db files ldap

netgroup:       nis ldap
aliases:        ldap

root@hope:/etc# cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://charity.progclub.org/

# The search base that will be used for all queries.
base dc=progclub,dc=org

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# SSL options
#ssl off
tls_reqcert allow

# The search scope.
#scope sub

root@hope:/etc# vim /etc/nslcd.conf

# JE: 2011-08-14: https://help.ubuntu.com/community/SingleSignOn#Client%20Configuration
sasl_mech GSSAPI
krb5_ccname FILE:/tmp/host.tkt

root@hope:/etc# pam-auth-update

Package configuration

┌───────────────────────────────────┤  ├────────────────────────────────────┐
│ Pluggable Authentication Modules (PAM) determine how authentication,      │
│ authorization, and password changing are handled on the system, as well   │
│ as allowing configuration of additional actions to take when starting     │
│ user sessions.                                                            │
│                                                                           │
│ Some PAM module packages provide profiles that can be used to             │
│ automatically adjust the behavior of all PAM-using applications on the    │
│ system.  Please indicate which of these behaviors you wish to enable.     │
│                                                                           │
│ PAM profiles to enable:                                                   │
│                                                                           │
│    [*] Kerberos authentication                                            │
│    [*] Unix authentication                                                │
│    [ ] LDAP Authentication                                                │
│                                                                           │
│                                                                           │
│                    <Ok>                        <Cancel>                   │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘

root@hope:/etc# service nslcd restart
  * Restarting LDAP connection daemon nslcd
  nslcd: /etc/nslcd.conf:30: option sasl_mech is currently not fully supported (please report any successes)
  nslcd: /etc/nslcd.conf:31: error accessing /tmp/host.tkt: No such file or directory
                                                                        [fail]
root@hope:/etc# touch /tmp/host.tkt
root@hope:/etc# service nslcd restart
  * Restarting LDAP connection daemon nslcd
  nslcd: /etc/nslcd.conf:30: option sasl_mech is currently not fully supported (please report any successes)
                                                                        [ OK ]
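Two things in the transcript above are worth checking after the fact: ktadd wrote DES and RC4 keys for host/hope.progclub.net alongside the AES-256 key, and nslcd.conf was left with tls_reqcert allow (which, as the package dialog says, neither requires nor checks the server certificate) and a credential cache under /tmp. The Python below is an added example, not code from the ProgClub wiki or from the Ubuntu guide it follows: it parses a v2 MIT keytab (any keytab, not only the single host entry shown) and flags entries with deprecated enctypes, and it reads an nslcd.conf and flags those weak settings. The sample keytab and its dummy key bytes are constructed here; the CA bundle path /etc/ssl/certs/ca-certificates.crt and the cache path /var/run/nslcd/host.tkt in the hardened variant are assumptions for the example, not settings from the page.

```python
"""Post-install audit for the Kerberos client / nslcd setup (example code).

  1. parse an MIT keytab and flag entries with deprecated enctypes
  2. parse nslcd.conf and flag settings that weaken the nslcd -> LDAP channel
All sample data below is constructed; the keys are dummy bytes.
"""
import struct

# Enctype numbers from the IANA Kerberos registry. Single DES was deprecated
# by RFC 6649, 3DES and RC4 by RFC 8429.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 16, 23, 24}


def _counted(b: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Encode (principal, kvno, enctype, key) tuples as a v2 MIT keytab
    (0x0502 header, then int32-length-prefixed entries). Used only to
    construct sample input; the layout is what ktadd writes."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        # name_type (1 = NT-PRINCIPAL), timestamp (dummy 0), 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)          # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Decode a v2 MIT keytab into (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot
            if size == 0:
                break
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        pos += 8                       # skip name_type and timestamp
        kvno = data[pos]               # vno8
        enctype, klen = struct.unpack_from(">HH", data, pos + 1)
        pos += 5 + klen
        if end - pos >= 4:             # optional 32-bit kvno overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def weak_keytab_entries(data: bytes):
    """Keytab entries whose enctype is deprecated, as (principal, kvno, name)."""
    return [(p, k, ENCTYPE_NAMES.get(e, str(e)))
            for p, k, e in parse_keytab(data) if e in WEAK_ENCTYPES]


def nslcd_findings(conf_text: str):
    """Flag nslcd.conf settings that weaken the nslcd -> LDAP channel."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            opts[key] = val.strip()
    found = []
    reqcert = opts.get("tls_reqcert")
    if reqcert is not None and reqcert != "demand":
        found.append("tls_reqcert %s: server certificate not verified" % reqcert)
    if reqcert == "demand" and not (opts.get("tls_cacertfile") or opts.get("tls_cacertdir")):
        found.append("tls_reqcert demand needs tls_cacertfile or tls_cacertdir")
    if opts.get("uri", "").startswith("ldap://") and opts.get("ssl") != "start_tls":
        found.append("plaintext ldap:// uri without ssl start_tls")
    if opts.get("krb5_ccname", "").startswith("FILE:/tmp/"):
        found.append("krb5_ccname in shared /tmp: check cache owner and mode")
    return found


# Constructed sample keytab mirroring the four enctypes ktadd reported above.
HOST = "host/hope.progclub.net@PROGCLUB.ORG"
SAMPLE_KEYTAB = build_keytab([(HOST, 4, 18, b"\x11" * 32), (HOST, 4, 23, b"\x22" * 16),
                              (HOST, 4, 16, b"\x33" * 24), (HOST, 4, 1, b"\x44" * 8)])

# The nslcd.conf as left above, and a hardened variant (CA bundle and cache
# paths are assumptions for the example).
NSLCD_WEAK = ("uri ldaps://charity.progclub.org/\nbase dc=progclub,dc=org\n"
              "tls_reqcert allow\nsasl_mech GSSAPI\nkrb5_ccname FILE:/tmp/host.tkt\n")
NSLCD_HARDENED = (NSLCD_WEAK
                  .replace("tls_reqcert allow",
                           "tls_reqcert demand\ntls_cacertfile /etc/ssl/certs/ca-certificates.crt")
                  .replace("FILE:/tmp/host.tkt", "FILE:/var/run/nslcd/host.tkt"))
```

On the host itself you would feed `weak_keytab_entries(open("/etc/krb5.keytab", "rb").read())` and `nslcd_findings(open("/etc/nslcd.conf").read())`; both return plain lists, so a non-empty result can fail a cron job or a configuration-management check. For the sample data the keytab check reports the arcfour-hmac, des3-cbc-sha1 and des-cbc-crc entries, and the nslcd.conf check reports the tls_reqcert and /tmp findings for the weak file and nothing for the hardened one.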
 
= [[User:John|John]] 2011-08-05 16:59 =
 

Revision as of 18:52, 14 August 2011

/etc/nsswitch.conf: enable LDAP lookups for aliases
/etc/nsswitch.conf: enable LDAP lookups for ethers
/etc/nsswitch.conf: enable LDAP lookups for group
/etc/nsswitch.conf: enable LDAP lookups for hosts
/etc/nsswitch.conf: enable LDAP lookups for netgroup
/etc/nsswitch.conf: enable LDAP lookups for networks
/etc/nsswitch.conf: enable LDAP lookups for passwd
/etc/nsswitch.conf: enable LDAP lookups for protocols
/etc/nsswitch.conf: enable LDAP lookups for rpc
/etc/nsswitch.conf: enable LDAP lookups for services
/etc/nsswitch.conf: enable LDAP lookups for shadow
 * Restarting Name Service Cache Daemon nscd                             [ OK ]

Setting up libpam-ldapd (0.7.2) ... 

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
modified group
modified group-
modified gshadow
modified gshadow-
added nscd.conf
added nslcd.conf
modified nsswitch.conf
modified passwd
modified passwd-
modified shadow
modified shadow-
added init.d/nscd
added init.d/nslcd
modified pam.d/common-account
modified pam.d/common-auth
modified pam.d/common-password
modified pam.d/common-session
modified pam.d/common-session-noninteractive
added rc0.d/K20nscd
added rc0.d/K20nslcd
added rc1.d/K20nscd
added rc1.d/K20nslcd
added rc2.d/S20nscd
added rc2.d/S20nslcd
added rc3.d/S20nscd
added rc3.d/S20nslcd
added rc4.d/S20nscd
added rc4.d/S20nslcd
added rc5.d/S20nscd
added rc5.d/S20nslcd
added rc6.d/K20nscd
added rc6.d/K20nslcd
Committed revision 18.
root@hope:/etc# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns ldap
networks:       files ldap

protocols:      db files ldap
services:       db files ldap
ethers:         db files ldap
rpc:            db files ldap

netgroup:       nis ldap
aliases:        ldap
root@hope:/etc# cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://charity.progclub.org/

# The search base that will be used for all queries.
base dc=progclub,dc=org

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# SSL options
#ssl off
tls_reqcert allow

# The search scope.
#scope sub
root@hope:/etc# vim /etc/nslcd.conf
# JE: 2011-08-14: https://help.ubuntu.com/community/SingleSignOn#Client%20Configuration
sasl_mech GSSAPI
krb5_ccname FILE:/tmp/host.tkt
root@hope:/etc# pam-auth-update
Package configuration

┌───────────────────────────────────┤  ├────────────────────────────────────┐
│ Pluggable Authentication Modules (PAM) determine how authentication,      │
│ authorization, and password changing are handled on the system, as well   │
│ as allowing configuration of additional actions to take when starting     │
│ user sessions.                                                            │
│                                                                           │
│ Some PAM module packages provide profiles that can be used to             │
│ automatically adjust the behavior of all PAM-using applications on the    │
│ system.  Please indicate which of these behaviors you wish to enable.     │
│                                                                           │
│ PAM profiles to enable:                                                   │
│                                                                           │
│    [*] Kerberos authentication                                            │
│    [*] Unix authentication                                                │
│    [ ] LDAP Authentication                                                │
│                                                                           │
│                                                                           │
│                    <Ok>                        <Cancel>                   │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
root@hope:/etc# service nslcd restart
 * Restarting LDAP connection daemon nslcd
 nslcd: /etc/nslcd.conf:30:  option sasl_mech is currently not fully supported (please report any successes)
 nslcd: /etc/nslcd.conf:31: error accessing /tmp/host.tkt: No such file or directory
                                                                        [fail]
root@hope:/etc# touch /tmp/host.tkt
root@hope:/etc# service nslcd restart
 * Restarting LDAP connection daemon nslcd
 nslcd: /etc/nslcd.conf:30: option sasl_mech is currently not fully supported (please report any successes)
                                                                        [ OK ]
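The nslcd.conf above reaches charity over ldaps but with tls_reqcert allow, and the daemon only started once an empty /tmp/host.tkt existed. The script below is an added example, not from the page or the ProgClub setup: it audits those settings on a constructed copy of the file. The helper names (nslcd_opt, nslcd_audit, write_nslcd_sample) and the CA bundle path are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the page: audit the nslcd.conf settings that decide
# whether the LDAPS link really authenticates the directory server, and whether
# the GSSAPI ticket cache it names is usable. Helper names and the CA bundle
# path are assumptions of this example.

# Print the value of option KEY from FILE: first line whose first word is KEY,
# so commented-out lines such as "#ssl off" are skipped.
nslcd_opt() {
    awk -v key="$2" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Print WEAK/NOTE findings for FILE; return 1 if any WEAK line was printed.
nslcd_audit() {
    f=$1; bad=0
    uri=$(nslcd_opt "$f" uri)
    case "$uri" in
        ldaps://*|ldapi://*) ;;                 # TLS from the first byte, or a local socket
        ldap://*)
            if [ "$(nslcd_opt "$f" ssl)" != start_tls ]; then
                echo "WEAK: $uri without 'ssl start_tls': binds and directory data travel in clear"
                bad=1
            fi ;;
        *) echo "WEAK: no uri configured"; bad=1 ;;
    esac
    # Unset means libldap's default, which is demand (ldap.conf(5)).
    reqcert=$(nslcd_opt "$f" tls_reqcert)
    case "${reqcert:-demand}" in
        demand|hard)
            if [ -z "$(nslcd_opt "$f" tls_cacertfile)" ] && [ -z "$(nslcd_opt "$f" tls_cacertdir)" ]; then
                echo "NOTE: tls_reqcert demand but no tls_cacertfile/tls_cacertdir: verification depends on libldap's default CA store"
            fi ;;
        *)
            echo "WEAK: tls_reqcert $reqcert: a bad or missing server certificate is accepted, so TLS does not prove who answered"
            bad=1 ;;
    esac
    # With sasl_mech GSSAPI nslcd binds using the cache named by krb5_ccname; an
    # empty file (the page's "touch /tmp/host.tkt") only silences the start-up error.
    if [ "$(nslcd_opt "$f" sasl_mech)" = GSSAPI ]; then
        cc=$(nslcd_opt "$f" krb5_ccname)
        case "$cc" in FILE:*) ccpath=${cc#FILE:} ;; *) ccpath= ;; esac
        if [ -n "$ccpath" ] && [ ! -s "$ccpath" ]; then
            echo "NOTE: $cc is missing or empty; GSSAPI binds need a host ticket kept fresh there (k5start from the kstart package can do that)"
        fi
    fi
    return $bad
}

# Write a constructed nslcd.conf to FILE mirroring the page's settings, with
# tls_reqcert REQCERT, krb5_ccname pointing at CCACHE and, if CACERT is given,
# a tls_cacertfile line.
write_nslcd_sample() {
    {
        printf 'uid nslcd\ngid nslcd\n'
        printf 'uri ldaps://charity.progclub.org/\nbase dc=progclub,dc=org\n'
        printf '#ssl off\ntls_reqcert %s\n' "$2"
        [ -n "$4" ] && printf 'tls_cacertfile %s\n' "$4"
        printf 'sasl_mech GSSAPI\nkrb5_ccname FILE:%s\n' "$3"
    } > "$1"
}

# Demo: the page's "tls_reqcert allow" beside an empty ticket file, then the
# corrected file. Assumed CA bundle path: Debian/Ubuntu's ca-certificates.
d=$(mktemp -d)
: > "$d/host.tkt"
write_nslcd_sample "$d/nslcd.weak.conf" allow "$d/host.tkt"
nslcd_audit "$d/nslcd.weak.conf" || echo "-> weak settings found"
write_nslcd_sample "$d/nslcd.fixed.conf" demand "$d/host.tkt" /etc/ssl/certs/ca-certificates.crt
nslcd_audit "$d/nslcd.fixed.conf" && echo "-> no weak settings"
```

With allow, libldap still opens a TLS session, but an unverifiable certificate is ignored, so anything that can answer on port 636 for charity.progclub.org can serve passwd and shadow data to this host; demand plus a CA the server certificate chains to is what makes the ldaps URI mean something.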
= [[User:John|John]] 2011-08-05 16:59 =

== Disabling IPSec ==

Can't get IPSec to work. Commented out /etc/network/if-up.d/ip and removed the policies from /etc/ipsec-tools.conf.

= [[User:John|John]] 2011-08-04 23:38 =

== Installing Kerberos client ==

jj5@hope:~$ sudo -s
[sudo] password for jj5:
root@hope:~# apt-get install krb5-user krb5-config
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bind9-host geoip-database libbind9-60 libdns64 libgeoip1 libgssrpc4 libisc60
  libisccc60 libisccfg60 libkadm5clnt-mit7 liblwres60
Suggested packages:
  geoip-bin krb5-doc
The following NEW packages will be installed:
  bind9-host geoip-database krb5-config krb5-user libbind9-60 libdns64
  libgeoip1 libgssrpc4 libisc60 libisccc60 libisccfg60 libkadm5clnt-mit7
  liblwres60
0 upgraded, 13 newly installed, 0 to remove and 0 not upgraded.
Need to get 2161kB of archives.
After this operation, 5325kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libgeoip1 1.4.6.dfsg-17 [109kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libisc60 1:9.7.0.dfsg.P1-1 [169kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libdns64 1:9.7.0.dfsg.P1-1 [690kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main libisccc60 1:9.7.0.dfsg.P1-1 [29.4kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main libisccfg60 1:9.7.0.dfsg.P1-1 [52.6kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/main libbind9-60 1:9.7.0.dfsg.P1-1 [34.1kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid/main liblwres60 1:9.7.0.dfsg.P1-1 [47.9kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid/main bind9-host 1:9.7.0.dfsg.P1-1 [68.2kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid/main geoip-database 1.4.6.dfsg-17 [658kB]
Get:10 http://archive.ubuntu.com/ubuntu/ lucid/main krb5-config 2.2 [23.0kB]
Get:11 http://archive.ubuntu.com/ubuntu/ lucid/main libgssrpc4 1.8.1+dfsg-2 [81.4kB]
Get:12 http://archive.ubuntu.com/ubuntu/ lucid/main libkadm5clnt-mit7 1.8.1+dfsg-2 [62.0kB]
Get:13 http://archive.ubuntu.com/ubuntu/ lucid/main krb5-user 1.8.1+dfsg-2 [137kB]
Fetched 2161kB in 2s (891kB/s)
Preconfiguring packages ...
Selecting previously deselected package libgeoip1.
(Reading database ... 15611 files and directories currently installed.)
Unpacking libgeoip1 (from .../libgeoip1_1.4.6.dfsg-17_amd64.deb) ...
Selecting previously deselected package libisc60.
Unpacking libisc60 (from .../libisc60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libdns64.
Unpacking libdns64 (from .../libdns64_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libisccc60.
Unpacking libisccc60 (from .../libisccc60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libisccfg60.
Unpacking libisccfg60 (from .../libisccfg60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libbind9-60.
Unpacking libbind9-60 (from .../libbind9-60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package liblwres60.
Unpacking liblwres60 (from .../liblwres60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package bind9-host.
Unpacking bind9-host (from .../bind9-host_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package geoip-database.
Unpacking geoip-database (from .../geoip-database_1.4.6.dfsg-17_all.deb) ...
Selecting previously deselected package krb5-config.
Unpacking krb5-config (from .../krb5-config_2.2_all.deb) ...
Selecting previously deselected package libgssrpc4.
Unpacking libgssrpc4 (from .../libgssrpc4_1.8.1+dfsg-2_amd64.deb) ...
Selecting previously deselected package libkadm5clnt-mit7.
Unpacking libkadm5clnt-mit7 (from .../libkadm5clnt-mit7_1.8.1+dfsg-2_amd64.deb) ...
Selecting previously deselected package krb5-user.
Unpacking krb5-user (from .../krb5-user_1.8.1+dfsg-2_amd64.deb) ...
Processing triggers for man-db ...
Setting up libgeoip1 (1.4.6.dfsg-17) ...

Setting up libisc60 (1:9.7.0.dfsg.P1-1) ...

Setting up libdns64 (1:9.7.0.dfsg.P1-1) ...

Setting up libisccc60 (1:9.7.0.dfsg.P1-1) ...

Setting up libisccfg60 (1:9.7.0.dfsg.P1-1) ...

Setting up libbind9-60 (1:9.7.0.dfsg.P1-1) ...

Setting up liblwres60 (1:9.7.0.dfsg.P1-1) ...

Setting up bind9-host (1:9.7.0.dfsg.P1-1) ...
Setting up geoip-database (1.4.6.dfsg-17) ...
Setting up krb5-config (2.2) ...

Setting up libgssrpc4 (1.8.1+dfsg-2) ...

Setting up libkadm5clnt-mit7 (1.8.1+dfsg-2) ...

Setting up krb5-user (1.8.1+dfsg-2) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added krb5.conf
Committed revision 13.
Package configuration



┌──────────────────┤ Configuring Kerberos Authentication ├──────────────────┐
│ When users attempt to use Kerberos and specify a principal or user name   │
│ without specifying what administrative Kerberos realm that principal      │
│ belongs to, the system appends the default realm.  The default realm may  │
│ also be used as the realm of a Kerberos service running on the local      │
│ machine.  Often, the default realm is the uppercase version of the local  │
│ DNS domain.                                                               │
│                                                                           │
│ Default Kerberos version 5 realm:                                         │
│                                                                           │
│ PROGCLUB.ORG_____________________________________________________________ │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Package configuration





  ┌────────────────┤ Configuring Kerberos Authentication ├─────────────────┐
  │ Enter the hostnames of Kerberos servers in the PROGCLUB.ORG Kerberos   │
  │ realm separated by spaces.                                             │
  │                                                                        │
  │ Kerberos servers for your realm:                                       │
  │                                                                        │
  │ kerberos.progclub.org_________________________________________________ │
  │                                                                        │
  │                                 <Ok>                                   │
  │                                                                        │
  └────────────────────────────────────────────────────────────────────────┘
Package configuration





┌──────────────────┤ Configuring Kerberos Authentication ├──────────────────┐
│ Enter the hostname of the administrative (password changing) server for   │
│ the PROGCLUB.ORG Kerberos realm.                                          │
│                                                                           │
│ Administrative server for your Kerberos realm:                            │
│                                                                           │
│ kerberos.progclub.org____________________________________________________ │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘

= [[User:John|John]] 2011-07-30 18:05 =

== Configuring IPSec ==

jj5@hope:~$ sudo -s
[sudo] password for jj5:
root@hope:~# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/433kB of archives.
After this operation, 1217kB of additional disk space will be used.
Committing to: /etc/
modified ipsec-tools.conf
modified ipsec-tools.conf.bak
added iptables.up.rules
Committed revision 10.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 15611 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@hope:~# cd /etc/network/if-pre-up.d/
root@hope:/etc/network/if-pre-up.d# ll
total 12
drwxr-xr-x 2 root root 4096 Apr 22  2010 ./
drwxr-xr-x 6 root root 4096 Apr 22  2010 ../
-rwxr-xr-x 1 root root  348 Dec 21  2009 ethtool*
root@hope:/etc/network/if-pre-up.d# vim iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
root@hope:/etc/network/if-pre-up.d# vim ip
#!/bin/sh
# Charity
ip route add 67.207.128.184 dev eth0 advmss 200
# Honesty
ip route add 67.207.129.103 dev eth0 advmss 200
root@hope:/etc/network/if-pre-up.d# chmod +x iptables ip
root@hope:/etc/network/if-pre-up.d# ll
total 20
drwxr-xr-x 2 root root 4096 Jul 30 08:11 ./
drwxr-xr-x 6 root root 4096 Apr 22  2010 ../
-rwxr-xr-x 1 root root  348 Dec 21  2009 ethtool*
-rwxr-xr-x 1 root root  126 Jul 30 08:11 ip*
-rwxr-xr-x 1 root root   58 Jul 30 08:09 iptables*
root@hope:/etc/network/if-pre-up.d# cd /etc
root@hope:/etc# vim iptables.up.rules
*filter
#  Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that does not use lo0
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#  Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
#  Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Accept anything from charity
-A INPUT -s 67.207.128.184 -j ACCEPT
# Accept anything from honesty
-A INPUT -s 67.207.129.103 -j ACCEPT
# Allow MySQL connections from John's house
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
root@hope:/etc# vim ipsec-tools.conf
# Hope/Charity security policy
spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
       esp/transport//require
       ah/transport//require;
# Hope/Honesty security policy
spdadd 67.207.130.204 67.207.129.103 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.129.103 67.207.130.204 any -P in ipsec
       esp/transport//require
       ah/transport//require;
root@hope:/etc# vim racoon/psk.txt
# Charity
67.207.128.184 <secret>
# Honesty
67.207.129.103 <secret>
root@hope:/etc# ll racoon/psk.txt
-rw------- 1 root root 95 Jul 30 08:21 racoon/psk.txt
root@hope:/etc# vim racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote anonymous {
       exchange_mode main,aggressive;
       proposal {
               encryption_algorithm aes;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
       generate_policy off;
}
sainfo anonymous {
       pfs_group modp768;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}
#log debug2;
root@hope:/etc# vim racoon/racoon.conf
root@hope:/etc# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
root@hope:/etc# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@hope:/etc# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.
root@hope:/etc# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified ipsec-tools.conf
modified iptables.up.rules
added network/if-pre-up.d/ip
added network/if-pre-up.d/iptables
modified racoon/psk.txt
modified racoon/racoon.conf
Committed revision 11.
root@hope:/etc# /etc/network/if-pre-up.d/ip
RTNETLINK answers: File exists

That ought to do it!

...it didn't do it.
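The iptables.up.rules loaded by the if-pre-up.d hook above is the whole inbound policy of the host, so it is worth summarising mechanically before it is loaded. The script below is an added example, not from the page or the ProgClub setup: the helper names (iptables_audit, write_rules_sample) are its own and the sample rules are a constructed copy of the file above.

```sh
#!/bin/sh
# Added example, not from the page: summarise what an iptables-restore rules
# file exposes before loading it. Helper names are this example's own; the
# sample is a constructed copy of the page's /etc/iptables.up.rules.

# Print one line per INPUT exposure plus each chain's final verdict:
#   open PORT/PROTO from SRC   a port is accepted (SRC is "any" when no -s)
#   open icmp from SRC         ICMP is accepted
#   trust SRC                  everything from SRC is accepted, any protocol
#   input-last deny|accept     whether INPUT ends in REJECT/DROP
#   forward-last deny|accept   the same for FORWARD
iptables_audit() {
    awk '
    /^#/ || NF == 0 { next }
    /^\*/ { table = substr($1, 2); next }        # *filter, *nat, ...
    table != "filter" { next }
    $1 == "-A" && $2 == "INPUT" {
        src = "any"; proto = ""; dport = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        last_input = target
        if (target != "ACCEPT") next
        if (dport != "") print "open " dport "/" proto " from " src
        else if (proto == "icmp") print "open icmp from " src
        else if (src != "any" && proto == "") print "trust " src
        next
    }
    $1 == "-A" && $2 == "FORWARD" {
        for (i = 3; i <= NF; i++) if ($i == "-j") last_forward = $(i + 1)
    }
    END {
        v = (last_input == "REJECT" || last_input == "DROP") ? "deny" : "accept"
        print "input-last " v
        v = (last_forward == "REJECT" || last_forward == "DROP") ? "deny" : "accept"
        print "forward-last " v
    }' "$1"
}

# Constructed copy of the page's rules file, written to FILE.
write_rules_sample() {
    cat > "$1" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -s 67.207.128.184 -j ACCEPT
-A INPUT -s 67.207.129.103 -j ACCEPT
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Demo on the constructed copy.
d=$(mktemp -d)
write_rules_sample "$d/iptables.up.rules"
iptables_audit "$d/iptables.up.rules"
```

The two "trust" lines deserve a second look: they admit any protocol from charity and honesty on the strength of the source address alone, which is only as strong as the IPsec policy that requires AH/ESP from those peers. Once that policy is removed, as in the 2011-08-05 entry, the trust rests on a spoofable IP header, so the rules should be narrowed to the ports those hosts actually need.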

root@hope:~# apt-get remove racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  racoon
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 1217kB disk space will be freed.
Do you want to continue [Y/n]?
(Reading database ... 15675 files and directories currently installed.)
Removing racoon ...
Stopping IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@hope:~# dd if=/dev/random count=24 bs=1| xxd -ps
root@hope:~# dd if=/dev/random count=24 bs=1| xxd -ps
root@hope:~# dd if=/dev/random count=20 bs=1| xxd -ps
root@hope:~# dd if=/dev/random count=20 bs=1| xxd -ps
root@hope:~# vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# Flush the SAD and SPD
flush;
spdflush;
# Charity/Hope configuration
# ESP SAs using 192 bit long AES keys
add 67.207.128.184 67.207.130.204 esp 1 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.130.204 67.207.128.184 esp 2 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# AH SAs using 160 bit long keys
add 67.207.128.184 67.207.130.204 ah 3 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.130.204 67.207.128.184 ah 4 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# Security policies
spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
        esp/transport//require
        ah/transport//require;
# Hope/Honesty configuration
# ESP SAs using 192 bit long AES keys
add 67.207.130.204 67.207.129.103 esp 9 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.130.204 esp 10 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# AH SAs using 160 bit long keys
add 67.207.130.204 67.207.129.103 ah 11 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.130.204 ah 12 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# Security policies
spdadd 67.207.130.204 67.207.129.103 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.129.103 67.207.130.204 any -P in ipsec
        esp/transport//require
        ah/transport//require;
root@hope:~# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@hope:~# cd /etc/network
root@hope:/etc/network# ls
if-down.d  if-post-down.d  if-pre-up.d  if-up.d  interfaces
root@hope:/etc/network# mv if-pre-up.d/ip if-up.d/
root@hope:/etc/network# if-up.d/ip
root@hope:/etc# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified ipsec-tools.conf
missing network/if-pre-up.d/ip
modified network/if-pre-up.d/ip
added network/if-up.d/ip
Committed revision 12.
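The dd|xxd lines above generated the real keys, with 0xdeadbeef... standing in for them in the file shown. The script below is an added example, not from the page or the ProgClub setup, that generalises that step: it produces keys of exactly the length setkey(8) expects for each algorithm, refuses SPIs in the reserved range, and prints both directions of an ESP+AH pair. The helper names (key_bytes, gen_key, check_key, sa_line, sa_pair) are its own, and it assumes /dev/urandom and od are available.

```sh
#!/bin/sh
# Added example, not from the page: generate manual-keying "add" lines for
# setkey(8) with random keys of the length each algorithm needs, so that a
# placeholder key can never reach ipsec-tools.conf. Helper names are this
# example's own.

# Key length in bytes for the setkey algorithms used on this page (setkey(8)).
key_bytes() {
    case "$1" in
        aes-cbc)   echo 24 ;;   # 16, 24 or 32 are valid; 24 gives the page's 192-bit SAs
        3des-cbc)  echo 24 ;;   # 192 bits: 168 effective plus parity
        hmac-sha1) echo 20 ;;   # 160 bits
        hmac-md5)  echo 16 ;;   # 128 bits
        *) echo "unknown algorithm: $1" >&2; return 1 ;;
    esac
}

# N random bytes as lowercase hex: the page's dd|xxd step, using od instead of
# xxd and /dev/urandom so it does not block waiting for entropy.
gen_key() {
    dd if=/dev/urandom bs=1 count="$1" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Succeed only if HEX is well-formed and exactly the length ALGO needs.
check_key() {
    algo=$1; hex=$2
    want=$(key_bytes "$algo") || return 1
    case "$hex" in
        ""|*[!0-9a-fA-F]*) echo "key for $algo is not hex" >&2; return 1 ;;
    esac
    if [ $(( ${#hex} % 2 )) -ne 0 ] || [ $(( ${#hex} / 2 )) -ne "$want" ]; then
        echo "key for $algo is $(( ${#hex} / 2 )) bytes, need $want" >&2
        return 1
    fi
}

# Print one "add" line: sa_line SRC DST esp|ah SPI ALGO HEX. SPI is decimal and
# must be >= 256, since RFC 4303 reserves SPIs 1-255 (the page's first
# ipsec-tools.conf used 0x200 and up for the same reason).
sa_line() {
    spi=$4
    [ "$spi" -ge 256 ] 2>/dev/null || { echo "SPI $spi is reserved or not a number" >&2; return 1; }
    case "$3" in
        esp) flag=-E ;;
        ah)  flag=-A ;;
        *) echo "protocol must be esp or ah" >&2; return 1 ;;
    esac
    check_key "$5" "$6" || return 1
    printf 'add %s %s %s %s %s %s\n        0x%s;\n' "$1" "$2" "$3" "$spi" "$flag" "$5" "$6"
}

# Both directions of an ESP+AH pair between A and B with fresh keys and the
# distinct SPIs BASE..BASE+3. Stops at the first line that fails validation.
sa_pair() {
    sa_line "$1" "$2" esp "$3"           aes-cbc   "$(gen_key 24)" &&
    sa_line "$2" "$1" esp $(( $3 + 1 ))  aes-cbc   "$(gen_key 24)" &&
    sa_line "$1" "$2" ah  $(( $3 + 2 ))  hmac-sha1 "$(gen_key 20)" &&
    sa_line "$2" "$1" ah  $(( $3 + 3 ))  hmac-sha1 "$(gen_key 20)"
}

# Demo: the Hope/Charity SAs from the page's ipsec-tools.conf, with real keys.
echo '# Charity/Hope SAs (generated)'
sa_pair 67.207.130.204 67.207.128.184 512
```

Both peers must load the same key material, so the generated lines are what gets copied to charity, never the placeholder file; keeping the generator on one host and transferring the output over an already-authenticated channel (the existing SSH session) avoids two independently rolled sets that never match.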

The other ends of the connections have been configured on charity and honesty.

Works!

= [[User:John|John]] 2011-07-30 09:45 =

== Configuring racoon ==

See the Charity Admin section for the other half of the configuration.

# vim /etc/racoon/psk.txt
# Charity
67.207.128.184 <secret>
# vim /etc/racoon/racoon.conf
remote 67.207.128.184 {
       exchange_mode main,aggressive;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
       generate_policy off;
}
sainfo address 67.207.128.184[any] any address 67.207.128.184/32[any] any {
       pfs_group modp768;
       encryption_algorithm 3des;
       authentication_algorithm hmac_md5;
       compression_algorithm deflate;
}
# vim /etc/ipsec-tools.conf
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
       esp/transport//require
       ah/transport//require;
root@hope:/etc/racoon# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
root@hope:/etc/racoon# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@hope:/etc/racoon# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.
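Both racoon.conf versions on this page (the anonymous one in the 18:05 entry and the per-peer one in this entry) offer exchange_mode main,aggressive with pre_shared_key and use pfs_group modp768; this entry's also uses 3des and hmac_md5. The lint below is an added example, not from the page or the ProgClub setup, that flags those combinations on constructed copies of the files; the helper names (racoon_audit, write_racoon_sample) and the hardened sample are its own.

```sh
#!/bin/sh
# Added example, not from the page: flag the IKEv1/IPsec parameters in a
# racoon.conf that are known weak. Helper names are this example's own; the
# "page" sample is a constructed copy of the 18:05 entry's racoon.conf and
# the "hardened" sample is this example's corrected version.

# Print WEAK/NOTE findings for FILE; return 1 if any WEAK line was printed.
racoon_audit() {
    awk '
    { sub(/#.*/, ""); gsub(/[;{}]/, " ") }    # strip comments and block punctuation
    NF == 0 { next }
    $1 == "remote" && $2 == "anonymous" {
        print "NOTE: remote anonymous negotiates with any peer; prefer one remote block per peer address"
    }
    $1 == "exchange_mode" && $0 ~ /aggressive/ { aggressive = 1 }
    $1 == "authentication_method" && $2 == "pre_shared_key" { psk = 1 }
    $1 == "dh_group" || $1 == "pfs_group" {
        if ($2 == "modp768") { print "WEAK: " $1 " " $2 " (768-bit DH)"; weak++ }
        else if ($2 == "modp1024") print "NOTE: " $1 " " $2 " is below current guidance; prefer modp2048 or larger"
    }
    $1 == "encryption_algorithm" && ($2 == "3des" || $2 == "des") {
        print "WEAK: encryption_algorithm " $2 " (64-bit block cipher)"; weak++
    }
    ($1 == "hash_algorithm" && $2 == "md5") || ($1 == "authentication_algorithm" && $2 == "hmac_md5") {
        print "WEAK: " $1 " " $2; weak++
    }
    END {
        # Aggressive mode with a PSK sends a hash of the PSK in the clear, so a
        # passive observer can guess the PSK offline; main mode does not.
        if (aggressive && psk) {
            print "WEAK: aggressive mode with pre_shared_key exposes a hash of the PSK to offline guessing; use main mode only"
            weak++
        }
        if (weak > 0) exit 1
        exit 0
    }' "$1"
}

# Write a constructed racoon.conf to FILE: KIND is "page" or "hardened".
write_racoon_sample() {
    case "$2" in
        page) cat > "$1" <<'EOF'
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        generate_policy off;
}
sainfo anonymous {
        pfs_group modp768;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
        ;;
        hardened) cat > "$1" <<'EOF'
path pre_shared_key "/etc/racoon/psk.txt";
remote 67.207.128.184 {
        exchange_mode main;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp2048;
        }
        generate_policy off;
}
sainfo anonymous {
        pfs_group modp2048;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
        ;;
    esac
}

# Demo: the page's configuration, then the hardened one.
d=$(mktemp -d)
write_racoon_sample "$d/page.conf" page
racoon_audit "$d/page.conf" || echo "-> weak settings found"
write_racoon_sample "$d/hardened.conf" hardened
racoon_audit "$d/hardened.conf" && echo "-> no weak settings"
```

Listing aggressive alongside main lets the peer pick the weaker exchange; with both ends under your control, as charity and hope are, main mode alone is enough, and a per-address remote block keeps the PSK in psk.txt bound to the peer it was issued for.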

= [[User:John|John]] 2011-07-30 01:49 =

== Adding user jj5 ==

I had hoped to have LDAP and SSO operational before adding users to any user machines, but it looks like there's nothing for it. Debugging IPSec is a pain, and I need to log in to hope all the time, and I'm sick of typing in the long random root password.

root@hope:~# adduser jj5
Adding user `jj5' ...
Adding new group `jj5' (1000) ...
Adding new user `jj5' (1000) with group `jj5' ...
Creating home directory `/home/jj5' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jj5
Enter the new value, or press ENTER for the default
        Full Name []: John Elliot
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
root@hope:~# gpasswd -a jj5 sudo
Adding user jj5 to group sudo

= [[User:John|John]] 2011-07-30 00:04 =

== Installing racoon ==

Having some trouble with IPSec, going to try using racoon.

root@hope:/etc# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 433kB of archives.
After this operation, 1217kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main racoon 1:0.7.1-1.6ubuntu1 [433kB]
Fetched 433kB in 1s (377kB/s)
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
added ipsec-tools.conf.bak
Committed revision 7.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 15606 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Generating /etc/default/racoon...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added racoon
added default/racoon
added init.d/racoon
added racoon/psk.txt
added racoon/racoon-tool.conf
added racoon/racoon.conf
added rc1.d/K89racoon
added rcS.d/S40racoon
Committed revision 8.

The install prompted for Package configuration information, and I chose the 'direct' configuration method (the default) over 'racoon-tool', the other option.

 ┌──────────────────────────┤ Configuring racoon ├──────────────────────────┐
 │ Racoon can be configured two ways, either by directly editing            │
 │ /etc/racoon/racoon.conf or using the racoon-tool administrative front    │
 │ end. racoon-tool is now deprecated and is only available for backward    │
 │ compatibility. New installations should always use the "direct" method.  │
 │                                                                          │
 │ Configuration mode for racoon IKE daemon.                                │
 │                                                                          │
 │                               direct                                     │
 │                               racoon-tool                                │
 │                                                                          │
 │                                                                          │
 │                                  <Ok>                                    │
 │                                                                          │
 └──────────────────────────────────────────────────────────────────────────┘

= [[User:John|John]] 2011-07-29 00:13 =

== Installing IPSec ==

# apt-get install ipsec-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ipsec-tools
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 111kB of archives.
After this operation, 274kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main ipsec-tools 1:0.7.1-1.6ubuntu1 [111kB]
Fetched 111kB in 0s (157kB/s)
Selecting previously deselected package ipsec-tools.
(Reading database ... 15571 files and directories currently installed.)
Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up ipsec-tools (1:0.7.1-1.6ubuntu1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added ipsec-tools.conf
added default/setkey
added init.d/setkey
added rcS.d/S37setkey
Committed revision 2.
# vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#
# Flush the SAD and SPD
flush;
spdflush;
# AH SAs using 128 bit long keys
add 67.207.128.184 67.207.130.204 ah 0x200 -A hmac-md5
        0x<ah_1>;
add 67.207.130.204 67.207.128.184 ah 0x300 -A hmac-md5
        0x<ah_2>;
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.128.184 67.207.130.204 esp 0x201 -E 3des-cbc
        0x<esp_1>;
add 67.207.130.204 67.207.128.184 esp 0x301 -E 3des-cbc
        0x<esp_2>;
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
        esp/transport//require
        ah/transport//require;
# sudo chmod 750 /etc/ipsec-tools.conf
# sudo /etc/init.d/setkey start
* Loading IPsec SA/SP database from /etc/ipsec-tools.conf:              [ OK ]
$ sudo etckeeper commit "Configured IPSec between charity and hope"
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
Committed revision 3.

Done!

= [[User:John|John]] 2011-07-29 00:12 =

== Installing Etckeeper ==

Per the instructions,

# apt-get install etckeeper

That was it. The output was too extensive to report here.

= [[User:John|John]] 2011-07-25 19:41 =

The hope.progclub.org slice has been created, and the host added to the DNS zones, but apart from that it's not configured presently.