Hope admin

From ProgClub
Revision as of 06:02, 15 August 2011 by John (talk | contribs)

This page chronicles the administrative changes to hope.progclub.net. If you make an administrative change you should document the change here. Changes are logged here in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is earlier than a time-stamp further down the page; just put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the Administrative reference for other information.

John 2011-08-15 04:56

Configuring Apache

John 2011-08-15 04:47

Installing Apache, MySQL and PHP

jj5@hope:~$ sudo -s
[sudo] password for jj5:
root@hope:~# apt-get install apache2 mysql-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapr1
  libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libdbd-mysql-perl
  libdbi-perl libexpat1 libhtml-template-perl libmysqlclient16
  libnet-daemon-perl libplrpc-perl mysql-client-5.1 mysql-client-core-5.1
  mysql-common mysql-server-5.1 mysql-server-core-5.1 psmisc ssl-cert
Suggested packages:
  www-browser apache2-doc apache2-suexec apache2-suexec-custom ufw dbishell
  libipc-sharedcache-perl tinyca mailx
The following NEW packages will be installed:
  apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common
  libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap
  libdbd-mysql-perl libdbi-perl libexpat1 libhtml-template-perl
  libmysqlclient16 libnet-daemon-perl libplrpc-perl mysql-client-5.1
  mysql-client-core-5.1 mysql-common mysql-server mysql-server-5.1
  mysql-server-core-5.1 psmisc ssl-cert
0 upgraded, 24 newly installed, 0 to remove and 0 not upgraded.
Need to get 28.0MB of archives.
After this operation, 73.2MB of additional disk space will be used.
Do you want to continue [Y/n]?

...

Setting up libdbd-mysql-perl (4.012-1ubuntu1) ...
Setting up mysql-client-core-5.1 (5.1.41-3ubuntu12) ...
Setting up mysql-client-5.1 (5.1.41-3ubuntu12) ...
Setting up psmisc (22.10-1) ... 

Setting up mysql-server-core-5.1 (5.1.41-3ubuntu12) ...
Setting up mysql-server-5.1 (5.1.41-3ubuntu12) ...
mysql start/running, process 3901

Setting up libexpat1 (2.0.1-7ubuntu1) ...

Setting up libapr1 (1.3.8-1build1) ... 

Setting up libaprutil1 (1.3.9+dfsg-3build1) ... 

Setting up libaprutil1-dbd-sqlite3 (1.3.9+dfsg-3build1) ...
Setting up libaprutil1-ldap (1.3.9+dfsg-3build1) ...
Setting up apache2.2-bin (2.2.14-5ubuntu8) ...
Setting up apache2-utils (2.2.14-5ubuntu8) ...
Setting up apache2.2-common (2.2.14-5ubuntu8) ...
Enabling site default.
Enabling module alias.
Enabling module autoindex.
Enabling module dir.
Enabling module env.
Enabling module mime.
Enabling module negotiation.
Enabling module setenvif.
Enabling module status.
Enabling module auth_basic.
Enabling module deflate.
Enabling module authz_default.
Enabling module authz_user.
Enabling module authz_groupfile.
Enabling module authn_file.
Enabling module authz_host.
Enabling module reqtimeout.

Setting up apache2-mpm-worker (2.2.14-5ubuntu8) ...
 * Starting web server apache2                                           [ OK ]

Setting up apache2 (2.2.14-5ubuntu8) ...

Setting up libhtml-template-perl (2.9-1) ...
Setting up mysql-server (5.1.41-3ubuntu12) ...
Setting up ssl-cert (1.0.23ubuntu2) ...

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added apache2
modified group
modified group-
modified gshadow
modified gshadow-
added mysql
modified passwd
modified passwd-
modified shadow
modified shadow-
added apache2/apache2.conf
added apache2/conf.d
added apache2/envvars
added apache2/httpd.conf
added apache2/magic
added apache2/mods-available
added apache2/mods-enabled
added apache2/ports.conf
added apache2/sites-available
added apache2/sites-enabled
added apache2/conf.d/charset
added apache2/conf.d/localized-error-pages
added apache2/conf.d/security
added apache2/mods-available/actions.conf
added apache2/mods-available/actions.load
added apache2/mods-available/alias.conf
added apache2/mods-available/alias.load
added apache2/mods-available/asis.load
added apache2/mods-available/auth_basic.load
added apache2/mods-available/auth_digest.load
added apache2/mods-available/authn_alias.load
added apache2/mods-available/authn_anon.load
added apache2/mods-available/authn_dbd.load
added apache2/mods-available/authn_dbm.load
added apache2/mods-available/authn_default.load
added apache2/mods-available/authn_file.load
added apache2/mods-available/authnz_ldap.load
added apache2/mods-available/authz_dbm.load
added apache2/mods-available/authz_default.load
added apache2/mods-available/authz_groupfile.load
added apache2/mods-available/authz_host.load
added apache2/mods-available/authz_owner.load
added apache2/mods-available/authz_user.load
added apache2/mods-available/autoindex.conf
added apache2/mods-available/autoindex.load
added apache2/mods-available/cache.load
added apache2/mods-available/cern_meta.load
added apache2/mods-available/cgi.load
added apache2/mods-available/cgid.conf
added apache2/mods-available/cgid.load
added apache2/mods-available/charset_lite.load
added apache2/mods-available/dav.load
added apache2/mods-available/dav_fs.conf
added apache2/mods-available/dav_fs.load
added apache2/mods-available/dav_lock.load
added apache2/mods-available/dbd.load
added apache2/mods-available/deflate.conf
added apache2/mods-available/deflate.load
added apache2/mods-available/dir.conf
added apache2/mods-available/dir.load
added apache2/mods-available/disk_cache.conf
added apache2/mods-available/disk_cache.load
added apache2/mods-available/dump_io.load
added apache2/mods-available/env.load
added apache2/mods-available/expires.load
added apache2/mods-available/ext_filter.load
added apache2/mods-available/file_cache.load
added apache2/mods-available/filter.load
added apache2/mods-available/headers.load
added apache2/mods-available/ident.load
added apache2/mods-available/imagemap.load
added apache2/mods-available/include.load
added apache2/mods-available/info.conf
added apache2/mods-available/info.load
added apache2/mods-available/ldap.load
added apache2/mods-available/log_forensic.load
added apache2/mods-available/mem_cache.conf
added apache2/mods-available/mem_cache.load
added apache2/mods-available/mime.conf
added apache2/mods-available/mime.load
added apache2/mods-available/mime_magic.conf
added apache2/mods-available/mime_magic.load
added apache2/mods-available/negotiation.conf
added apache2/mods-available/negotiation.load
added apache2/mods-available/proxy.conf
added apache2/mods-available/proxy.load
added apache2/mods-available/proxy_ajp.load
added apache2/mods-available/proxy_balancer.load
added apache2/mods-available/proxy_connect.load
added apache2/mods-available/proxy_ftp.load
added apache2/mods-available/proxy_http.load
added apache2/mods-available/proxy_scgi.load
added apache2/mods-available/reqtimeout.conf
added apache2/mods-available/reqtimeout.load
added apache2/mods-available/rewrite.load
added apache2/mods-available/setenvif.conf
added apache2/mods-available/setenvif.load
added apache2/mods-available/speling.load
added apache2/mods-available/ssl.conf
added apache2/mods-available/ssl.load
added apache2/mods-available/status.conf
added apache2/mods-available/status.load
added apache2/mods-available/substitute.load
added apache2/mods-available/suexec.load
added apache2/mods-available/unique_id.load
added apache2/mods-available/userdir.conf
added apache2/mods-available/userdir.load
added apache2/mods-available/usertrack.load
added apache2/mods-available/version.load
added apache2/mods-available/vhost_alias.load
added apache2/mods-enabled/alias.conf
added apache2/mods-enabled/alias.load
added apache2/mods-enabled/auth_basic.load
added apache2/mods-enabled/authn_file.load
added apache2/mods-enabled/authz_default.load
added apache2/mods-enabled/authz_groupfile.load
added apache2/mods-enabled/authz_host.load
added apache2/mods-enabled/authz_user.load
added apache2/mods-enabled/autoindex.conf
added apache2/mods-enabled/autoindex.load
added apache2/mods-enabled/cgid.conf
added apache2/mods-enabled/cgid.load
added apache2/mods-enabled/deflate.conf
added apache2/mods-enabled/deflate.load
added apache2/mods-enabled/dir.conf
added apache2/mods-enabled/dir.load
added apache2/mods-enabled/env.load
added apache2/mods-enabled/mime.conf
added apache2/mods-enabled/mime.load
added apache2/mods-enabled/negotiation.conf
added apache2/mods-enabled/negotiation.load
added apache2/mods-enabled/reqtimeout.conf
added apache2/mods-enabled/reqtimeout.load
added apache2/mods-enabled/setenvif.conf
added apache2/mods-enabled/setenvif.load
added apache2/mods-enabled/status.conf
added apache2/mods-enabled/status.load
added apache2/sites-available/default
added apache2/sites-available/default-ssl
added apache2/sites-enabled/000-default
added apparmor.d/usr.sbin.mysqld
added bash_completion.d/apache2.2-common
added cron.daily/apache2
added default/apache2
added init/mysql.conf
added init.d/apache2
added init.d/mysql
added logcheck/ignore.d.paranoid
added logcheck/ignore.d.workstation
added logcheck/ignore.d.paranoid/mysql-server-5_1
added logcheck/ignore.d.server/mysql-server-5_1
added logcheck/ignore.d.workstation/mysql-server-5_1
added logrotate.d/apache2
added logrotate.d/mysql-server
added mysql/conf.d
added mysql/debian-start
added mysql/debian.cnf
added mysql/my.cnf
added mysql/conf.d/mysqld_safe_syslog.cnf
added rc0.d/K09apache2
added rc1.d/K09apache2
added rc2.d/S91apache2
added rc3.d/S91apache2
added rc4.d/S91apache2
added rc5.d/S91apache2
added rc6.d/K09apache2
added ssl/certs/a186bf0f
added ssl/certs/ssl-cert-snakeoil.pem
added ssl/private/ssl-cert-snakeoil.key
added ufw/applications.d/apache2.2-common
Committed revision 25.
root@hope:~# apt-get install php5
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  apache2-mpm-prefork libapache2-mod-php5 php5-common
Suggested packages:
  php-pear php5-suhosin
The following packages will be REMOVED:
  apache2-mpm-worker
The following NEW packages will be installed:
  apache2-mpm-prefork libapache2-mod-php5 php5 php5-common
0 upgraded, 4 newly installed, 1 to remove and 0 not upgraded.
Need to get 3535kB of archives.
After this operation, 9544kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main apache2-mpm-prefork 2.2.14-5ubuntu8 [2418B]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main php5-common 5.3.2-1ubuntu4 [546kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libapache2-mod-php5 5.3.2-1ubuntu4 [2985kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main php5 5.3.2-1ubuntu4 [1110B]
Fetched 3535kB in 2s (1763kB/s)
dpkg: apache2-mpm-worker: dependency problems, but removing anyway as you requested:
 apache2 depends on apache2-mpm-worker (= 2.2.14-5ubuntu8) | apache2-mpm-prefork (= 2.2.14-5ubuntu8) | apache2- mpm-event (= 2.2.14-5ubuntu8) | apache2-mpm-itk (= 2.2.14-5ubuntu8); however:
  Package apache2-mpm-worker is to be removed.
  Package apache2-mpm-prefork is not installed.
  Package apache2-mpm-event is not installed.
  Package apache2-mpm-itk is not installed.
(Reading database ... 16997 files and directories currently installed.)
Removing apache2-mpm-worker ...
 * Stopping web server apache2
 ... waiting  .                                                           [ OK ]
Selecting previously deselected package apache2-mpm-prefork.
(Reading database ... 16989 files and directories currently installed.)
Unpacking apache2-mpm-prefork (from .../apache2-mpm-prefork_2.2.14-5ubuntu8_amd64.deb) ...
Selecting previously deselected package php5-common.
Unpacking php5-common (from .../php5-common_5.3.2-1ubuntu4_amd64.deb) ...
Selecting previously deselected package libapache2-mod-php5.
Unpacking libapache2-mod-php5 (from .../libapache2-mod-php5_5.3.2-1ubuntu4_amd64.deb) ...
Selecting previously deselected package php5.
Unpacking php5 (from .../php5_5.3.2-1ubuntu4_all.deb) ...
Setting up apache2-mpm-prefork (2.2.14-5ubuntu8) ...
 * Starting web server apache2                                           [ OK ] 

Setting up php5-common (5.3.2-1ubuntu4) ...
Setting up libapache2-mod-php5 (5.3.2-1ubuntu4) ...

Creating config file /etc/php5/apache2/php.ini with new version
 * Reloading web server config apache2                                   [ OK ] 

Setting up php5 (5.3.2-1ubuntu4) ...
Committing to: /etc/
added php5
added apache2/mods-available/php5.conf
added apache2/mods-available/php5.load
added apache2/mods-enabled/cgi.load
missing apache2/mods-enabled/cgid.conf
modified apache2/mods-enabled/cgid.conf
missing apache2/mods-enabled/cgid.load
modified apache2/mods-enabled/cgid.load
added apache2/mods-enabled/php5.conf
added apache2/mods-enabled/php5.load
added cron.d/php5
added php5/apache2
added php5/conf.d
added php5/apache2/conf.d
added php5/apache2/php.ini
added php5/conf.d/pdo.ini
Committed revision 26.

John 2011-08-15 01:32

Configuring NFS client

Per these instructions.

root@hope:/# apt-get install nfs-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libevent-1.4-2 libgssglue1 libnfsidmap2 librpcsecgss3 portmap
The following NEW packages will be installed:
  libevent-1.4-2 libgssglue1 libnfsidmap2 librpcsecgss3 nfs-common portmap
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 421kB of archives.
After this operation, 1364kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libevent-1.4-2 1.4.13-stable-1 [61.4kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libgssglue1 0.1-4 [24.4kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libnfsidmap2 0.23-2 [32.1kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main librpcsecgss3 0.19-2 [36.3kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main portmap 6.0.0-1ubuntu2 [38.2kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/main nfs-common 1:1.2.0-4ubuntu4 [228kB]
Fetched 421kB in 1s (386kB/s)
Preconfiguring packages ...
Selecting previously deselected package libevent-1.4-2.
(Reading database ... 15829 files and directories currently installed.)
Unpacking libevent-1.4-2 (from .../libevent-1.4-2_1.4.13-stable-1_amd64.deb) ...
Selecting previously deselected package libgssglue1.
Unpacking libgssglue1 (from .../libgssglue1_0.1-4_amd64.deb) ...
Selecting previously deselected package libnfsidmap2.
Unpacking libnfsidmap2 (from .../libnfsidmap2_0.23-2_amd64.deb) ...
Selecting previously deselected package librpcsecgss3.
Unpacking librpcsecgss3 (from .../librpcsecgss3_0.19-2_amd64.deb) ...
Selecting previously deselected package portmap.
Unpacking portmap (from .../portmap_6.0.0-1ubuntu2_amd64.deb) ...
Selecting previously deselected package nfs-common.
Unpacking nfs-common (from .../nfs-common_1%3a1.2.0-4ubuntu4_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libevent-1.4-2 (1.4.13-stable-1) ...

Setting up libgssglue1 (0.1-4) ...

Setting up libnfsidmap2 (0.23-2) ...

Setting up librpcsecgss3 (0.19-2) ...

Setting up portmap (6.0.0-1ubuntu2) ...
portmap start/running, process 2830

Setting up nfs-common (1:1.2.0-4ubuntu4) ... 

Creating config file /etc/idmapd.conf with new version 

Creating config file /etc/default/nfs-common with new version
Adding system user `statd' (UID 104) ...
Adding new user `statd' (UID 104) with group `nogroup' ...
Not creating home directory `/var/lib/nfs'.
statd start/running, process 3046
gssd stop/pre-start, process 3071
idmapd stop/pre-start, process 3099

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added gssapi_mech.conf
added idmapd.conf
modified passwd
modified passwd-
modified shadow
modified shadow-
added default/nfs-common
added default/portmap
added init/gssd.conf
added init/idmapd.conf
added init/portmap.conf
added init/rpc_pipefs.conf
added init/statd.conf
added init.d/gssd
added init.d/idmapd
added init.d/portmap
added init.d/rpc_pipefs
added init.d/statd
Committed revision 23.
jj5@hope:/home$ cat /etc/fstab
proc            /proc       proc    defaults    0 0
/dev/sda1       /           ext3    defaults,errors=remount-ro,noatime    0 1
/dev/sda2       none        swap    sw          0 0
172.19.1.45:/home /home     nfs4    rw,_netdev,auto 0 0
root@hope:~# cat /etc/modules
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
nfs
jj5@hope:/home$ cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

#sleep 5
#modprobe nfs
#mount /home 

exit 0

John 2011-08-15 01:07

Installing sshfs

Per these notes.

jj5@hope:~$ sudo -s
[sudo] password for jj5:
root@hope:~# apt-get install sshfs
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  fuse-utils libfuse2
The following NEW packages will be installed:
  fuse-utils libfuse2 sshfs
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 214kB of archives.
After this operation, 725kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libfuse2 2.8.1-1.1ubuntu2 [146kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main fuse-utils 2.8.1-1.1ubuntu2 [23.7kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main sshfs 2.2-1build1 [43.7kB]
Fetched 214kB in 0s (260kB/s)
Committing to: /etc/
modified pam.d/common-password
Committed revision 21.
Selecting previously deselected package libfuse2.
(Reading database ... 15788 files and directories currently installed.)
Unpacking libfuse2 (from .../libfuse2_2.8.1-1.1ubuntu2_amd64.deb) ...
Selecting previously deselected package fuse-utils.
Unpacking fuse-utils (from .../fuse-utils_2.8.1-1.1ubuntu2_amd64.deb) ...
Selecting previously deselected package sshfs.
Unpacking sshfs (from .../sshfs_2.2-1build1_amd64.deb) ...
Processing triggers for man-db ...
Setting up libfuse2 (2.8.1-1.1ubuntu2) ...

Setting up fuse-utils (2.8.1-1.1ubuntu2) ...
creating fuse group...
Adding group `fuse' (GID 106) ...
Done.
udev active, skipping device node creation.
update-initramfs: deferring update (trigger activated)

Setting up sshfs (2.2-1build1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Processing triggers for initramfs-tools ...
Committing to: /etc/
modified .etckeeper
added fuse.conf
modified group
modified group-
modified gshadow
modified gshadow-
Committed revision 22.

John 2011-08-14 22:42

Fixing passwd update problem

Was receiving the following error when running passwd:

Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged

The same problem as reported here. To fix I changed /etc/pam.d/common-password from:

password       requisite                       pam_krb5.so minimum_uid=1000
password       [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password       requisite                       pam_deny.so
password       required                        pam_permit.so

to:

password   sufficient   pam_krb5.so minimum_uid=1000
password   required     pam_unix.so obscure try_first_pass sha512
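
To see how the two stacks above behave differently, here is an added simulator of the Linux-PAM control-flag semantics (it is not code from this wiki or from Linux-PAM; it models only the control values these two stacks use, and treats each module's success or failure as a given input rather than running real modules):

```python
"""Simulate one pass of a PAM password stack under the pam.d(5) control flags."""
from itertools import product

# The two common-password stacks from the log entry, as (control, module) pairs.
ORIGINAL_STACK = [
    ("requisite", "pam_krb5.so"),
    ("[success=1 default=ignore]", "pam_unix.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]
FIXED_STACK = [
    ("sufficient", "pam_krb5.so"),
    ("required", "pam_unix.so"),
]

# Modules whose result never depends on the user: pam_deny always fails,
# pam_permit always succeeds.
CONSTANT_RESULTS = {"pam_deny.so": False, "pam_permit.so": True}


def run_stack(stack, outcomes):
    """Return True if one pass over the stack succeeds.

    `outcomes` maps module name -> whether that module succeeds on this pass.
    (pam_chauthtok runs the password stack twice, a preliminary check and the
    real update; each pass follows the same rules.)  Control flags follow
    pam.d(5) and Linux-PAM's dispatcher:
      required   - failure is recorded (first failure wins), stack continues
      requisite  - failure terminates the stack immediately with failure
      sufficient - success terminates the stack: success unless an earlier
                   required module already failed; its own failure is ignored
      [success=N default=ignore] - success skips the next N modules; any
                   other result is not counted at all (only this exact form,
                   the one on the page, is modelled)
    If no module's result was counted at all, PAM returns failure.
    """
    impression = None  # None = nothing counted yet, else running True/False
    i = 0
    while i < len(stack):
        control, module = stack[i]
        ok = CONSTANT_RESULTS.get(module, outcomes.get(module, False))
        if control == "required":
            if not ok:
                impression = False
            elif impression is None:
                impression = True
            i += 1
        elif control == "requisite":
            if not ok:
                return False
            if impression is None:
                impression = True
            i += 1
        elif control == "sufficient":
            if ok:
                return impression is not False
            i += 1  # a failing sufficient module is simply skipped
        elif control.startswith("[success="):
            skip = int(control[len("[success="):].split()[0])
            i += 1 + skip if ok else 1
        else:
            raise ValueError("control flag not modelled: " + control)
    return impression is True


def compare(stacks=(("original", ORIGINAL_STACK), ("fixed", FIXED_STACK))):
    """Evaluate each stack for every combination of pam_krb5 / pam_unix results.

    Returns {stack_name: {(krb5_ok, unix_ok): stack_succeeds}}.
    """
    table = {}
    for name, stack in stacks:
        table[name] = {}
        for krb5_ok, unix_ok in product((True, False), repeat=2):
            outcomes = {"pam_krb5.so": krb5_ok, "pam_unix.so": unix_ok}
            table[name][(krb5_ok, unix_ok)] = run_stack(stack, outcomes)
    return table


def changed_cases(table=None):
    """Outcome combinations on which the original and fixed stacks disagree."""
    table = table or compare()
    return sorted(case for case in table["original"]
                  if table["original"][case] != table["fixed"][case])


if __name__ == "__main__":
    for name, rows in compare().items():
        print(name + " stack:")
        for (krb5_ok, unix_ok), result in rows.items():
            print(f"  krb5 {'ok  ' if krb5_ok else 'fail'}  "
                  f"unix {'ok  ' if unix_ok else 'fail'}  ->  "
                  f"{'success' if result else 'failure'}")
    print("cases that changed:", changed_cases())
```

The run shows the two stacks disagree exactly when one of pam_krb5 and pam_unix fails: the fixed stack returns success as soon as Kerberos succeeds (so pam_unix is never run and the local password is left as it was), and when Kerberos fails it still lets pam_unix proceed on its own.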

John 2011-08-14 17:23

Configuring Kerberos client

Per these instructions.

jj5@hope:~$ sudo -s
[sudo] password for jj5:
root@hope:~# apt-get install krb5-user krb5-config libpam-krb5
Reading package lists... Done
Building dependency tree
Reading state information... Done
krb5-user is already the newest version.
krb5-config is already the newest version.
krb5-config set to manually installed.
The following NEW packages will be installed:
  libpam-krb5
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 73.8kB of archives.
After this operation, 193kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libpam-krb5 4.2-1 [73.8kB]
Fetched 73.8kB in 0s (107kB/s)
Selecting previously deselected package libpam-krb5.
(Reading database ... 15717 files and directories currently installed.)
Unpacking libpam-krb5 (from .../libpam-krb5_4.2-1_amd64.deb) ...
Processing triggers for man-db ...
Setting up libpam-krb5 (4.2-1) ...

Committing to: /etc/
modified pam.d/common-account
modified pam.d/common-auth
modified pam.d/common-password
modified pam.d/common-session
modified pam.d/common-session-noninteractive
Committed revision 16.
root@hope:~# hostname -f
hope
root@hope:~# vim /etc/hosts
root@hope:~# cat /etc/hosts
127.0.0.1     localhost localhost.localdomain
67.207.130.204     hope.progclub.net hope
root@hope:~# hostname -f
hope.progclub.net
root@hope:~# kadmin
Authenticating as principal root/admin@PROGCLUB.ORG with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface
root@hope:~# kadmin -u jj5/admin
kadmin: invalid option -- 'u'
Usage: kadmin [-r realm] [-p principal] [-q query] [clnt|local args]
        clnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]|[-n]
        local args: [-x db_args]* [-d dbname] [-e "enc:salt ..."] [-m]
where,
        [-x db_args]* - any number of database specific arguments.
                        Look at each database documentation for supported arguments
root@hope:~# kadmin -p jj5/admin
Authenticating as principal jj5/admin with password.
Password for jj5/admin@PROGCLUB.ORG:
kadmin:  addprinc -randkey host/hope.progclub.net@PROGCLUB.ORG
WARNING: no policy specified for host/hope.progclub.net@PROGCLUB.ORG; defaulting to no policy
add_principal: Principal or policy already exists while creating "host/hope.progclub.net@PROGCLUB.ORG".
kadmin:  ktadd -k ~/hope.keytab host/hope.progclub.net@PROGCLUB.ORG
kadmin: No such file or directory while adding key to keytab
kadmin:  quit
root@hope:~# ls
ipsec-tools.conf
root@hope:~# kadmin -p jj5/admin
kadmin:  ktadd ~/hope.keytab host/hope.progclub.net@PROGCLUB.ORG
kadmin: Principal ~/hope.keytab does not exist.
Entry for principal host/hope.progclub.net@PROGCLUB.ORG with kvno 4, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/hope.progclub.net@PROGCLUB.ORG with kvno 4, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/hope.progclub.net@PROGCLUB.ORG with kvno 4, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/hope.progclub.net@PROGCLUB.ORG with kvno 4, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: quit
root@hope:~# cd /etc
root@hope:/etc# ll kr*
-rw-r--r-- 1 root root 3504 Aug  4 13:43 krb5.conf
-rw------- 1 root root  314 Aug 14 07:32 krb5.keytab
root@hope:/etc# apt-get install libnss-ldapd libsasl2-modules-gssapi-mit kstart
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libpam-ldapd nscd nslcd
The following NEW packages will be installed:
  kstart libnss-ldapd libpam-ldapd libsasl2-modules-gssapi-mit nscd nslcd
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 531kB of archives.
After this operation, 1311kB of additional disk space will be used.
Do you want to continue [Y/n]?


Package configuration


  ┌─────────────────────────┤ Configuring NSLCD ├──────────────────────────┐
  │ Please enter the Uniform Resource Identifier of the LDAP server. The   │
  │ format is 'ldap://<hostname_or_IP_address>:<port>/'. Alternatively,    │
  │ 'ldaps://' or 'ldapi://' can be used. The port number is optional.     │
  │                                                                        │
  │ When using an ldap or ldaps scheme it is recommended to use an IP      │
  │ address to avoid failures when domain name services are unavailable.   │
  │                                                                        │
  │ Multiple URIs can be be specified by separating them with spaces.      │
  │                                                                        │
  │ LDAP server URI:                                                       │
  │                                                                        │
  │ ldaps://charity.progclub.org/_________________________________________ │
  │                                                                        │
  │                   <Ok>                       <Cancel>                  │
  │                                                                        │
  └────────────────────────────────────────────────────────────────────────┘
Package configuration




┌───────────────────────────┤ Configuring NSLCD ├───────────────────────────┐
│ Please enter the distinguished name of the LDAP search base. Many sites   │
│ use the components of their domain names for this purpose. For example,   │
│ the domain "example.net" would use "dc=example,dc=net" as the             │
│ distinguished name of the search base.                                    │
│                                                                           │
│ LDAP server search base:                                                  │
│                                                                           │
│ dc=progclub,dc=org_______________________________________________________ │
│                                                                           │
│                    <Ok>                        <Cancel>                   │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Package configuration


┌───────────────────────────┤ Configuring NSLCD ├───────────────────────────┐
│                                                                           │
│ When an encrypted connection is used, a server certificate can be         │
│ requested and checked. Please choose whether lookups should be            │
│ configured to require a certificate, and whether certificates should be   │
│ checked for validity:                                                     │
│  * never: no certificate will be requested or checked;                    │
│  * allow: a certificate will be requested, but it is not                  │
│           required or checked;                                            │
│  * try: a certificate will be requested and checked, but if no            │
│         certificate is provided it is ignored;                            │
│  * demand: a certificate will be requested, required, and checked.        │
│ If certificate checking is enabled, at least one of the tls_cacertdir or  │
│ tls_cacertfile options must be put in /etc/nslcd.conf.                    │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘

Package configuration



                     ┌──────┤ Configuring NSLCD ├───────┐
                     │ Check server's SSL certificate:  │
                     │                                  │
                     │              never               │
                     │            * allow               │
                     │              try                 │
                     │              demand              │
                     │                                  │
                     │                                  │
                     │      <Ok>          <Cancel>      │
                     │                                  │
                     └──────────────────────────────────┘
Package configuration

┌───────────────────────┤ Configuring libnss-ldapd ├────────────────────────┐
│ For this package to work, you need to modify your /etc/nsswitch.conf to   │
│ use the ldap datasource.                                                  │
│                                                                           │
│ You can select the services that should have LDAP lookups enabled. The    │
│ new LDAP lookups will be added as the last datasource. Be sure to review  │
│ these changes.                                                            │
│                                                                           │
│ Name services to configure:                                               │
│                                                                           │
│    [*] aliases                                                            │
│    [*] ethers                                                             │
│    [*] group                                                              │
│    [*] hosts                                                              │
│    [*] netgroup                                                           │
│    [*] networks                                                           │
│    [*] passwd                                                             │
│    [*] protocols                                                          │
│    [*] rpc                                                                │
│    [*] services                                                           │
│    [*] shadow                                                             │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe kstart 3.16-3 [58.3kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe libsasl2-modules-gssapi-mit 2.1.23.dfsg1-5ubuntu1 [73.1kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/universe nscd 2.11.1-0ubuntu7 [211kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/universe nslcd 0.7.2 [120kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/universe libnss-ldapd 0.7.2 [41.8kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/universe libpam-ldapd 0.7.2 [27.6kB]
Fetched 531kB in 1s (494kB/s)
Committing to: /etc/
modified .etckeeper
modified hosts
added krb5.keytab
Committed revision 17.
Preconfiguring packages ...
Selecting previously deselected package kstart.
(Reading database ... 15728 files and directories currently installed.)
Unpacking kstart (from .../kstart_3.16-3_amd64.deb) ...
Selecting previously deselected package libsasl2-modules-gssapi-mit.
Unpacking libsasl2-modules-gssapi-mit (from .../libsasl2-modules-gssapi-mit_2.1.23.dfsg1-5ubuntu1_amd64.deb) ...
Selecting previously deselected package nscd.
Unpacking nscd (from .../nscd_2.11.1-0ubuntu7_amd64.deb) ...
Selecting previously deselected package nslcd.
Unpacking nslcd (from .../archives/nslcd_0.7.2_amd64.deb) ...
Selecting previously deselected package libnss-ldapd.
Unpacking libnss-ldapd (from .../libnss-ldapd_0.7.2_amd64.deb) ...
Selecting previously deselected package libpam-ldapd.
Unpacking libpam-ldapd (from .../libpam-ldapd_0.7.2_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up kstart (3.16-3) ...
Setting up libsasl2-modules-gssapi-mit (2.1.23.dfsg1-5ubuntu1) ...
Setting up nscd (2.11.1-0ubuntu7) ...
* Starting Name Service Cache Daemon nscd                               [ OK ] 

Setting up nslcd (0.7.2) ...
Warning: The home dir /var/run/nslcd/ you specified can't be accessed: No such file or directory
Adding system user `nslcd' (UID 103) ...
Adding new group `nslcd' (GID 105) ...
Adding new user `nslcd' (UID 103) with group `nslcd' ...
Not creating home directory `/var/run/nslcd/'.
* Starting LDAP connection daemon nslcd                                 [ OK ]

Setting up libnss-ldapd (0.7.2) ...
/etc/nsswitch.conf: enable LDAP lookups for aliases
/etc/nsswitch.conf: enable LDAP lookups for ethers
/etc/nsswitch.conf: enable LDAP lookups for group
/etc/nsswitch.conf: enable LDAP lookups for hosts
/etc/nsswitch.conf: enable LDAP lookups for netgroup
/etc/nsswitch.conf: enable LDAP lookups for networks
/etc/nsswitch.conf: enable LDAP lookups for passwd
/etc/nsswitch.conf: enable LDAP lookups for protocols
/etc/nsswitch.conf: enable LDAP lookups for rpc
/etc/nsswitch.conf: enable LDAP lookups for services
/etc/nsswitch.conf: enable LDAP lookups for shadow
 * Restarting Name Service Cache Daemon nscd                             [ OK ]

Setting up libpam-ldapd (0.7.2) ... 

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
modified group
modified group-
modified gshadow
modified gshadow-
added nscd.conf
added nslcd.conf
modified nsswitch.conf
modified passwd
modified passwd-
modified shadow
modified shadow-
added init.d/nscd
added init.d/nslcd
modified pam.d/common-account
modified pam.d/common-auth
modified pam.d/common-password
modified pam.d/common-session
modified pam.d/common-session-noninteractive
added rc0.d/K20nscd
added rc0.d/K20nslcd
added rc1.d/K20nscd
added rc1.d/K20nslcd
added rc2.d/S20nscd
added rc2.d/S20nslcd
added rc3.d/S20nscd
added rc3.d/S20nslcd
added rc4.d/S20nscd
added rc4.d/S20nslcd
added rc5.d/S20nscd
added rc5.d/S20nslcd
added rc6.d/K20nscd
added rc6.d/K20nslcd
Committed revision 18.
root@hope:/etc# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns ldap
networks:       files ldap

protocols:      db files ldap
services:       db files ldap
ethers:         db files ldap
rpc:            db files ldap

netgroup:       nis ldap
aliases:        ldap
root@hope:/etc# cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://charity.progclub.org/

# The search base that will be used for all queries.
base dc=progclub,dc=org

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# SSL options
#ssl off
tls_reqcert allow

# The search scope.
#scope sub
root@hope:/etc# vim /etc/nslcd.conf
# JE: 2011-08-14: https://help.ubuntu.com/community/SingleSignOn#Client%20Configuration
sasl_mech GSSAPI
# JE: 2011-08-14: the documentation said to add the following line, but it causes errors
#                 so I removed it. I'm not sure what it's for. Seems to work ok without it.
#krb5_ccname FILE:/tmp/host.tkt
root@hope:/etc# pam-auth-update
Package configuration

┌───────────────────────────────────┤  ├────────────────────────────────────┐
│ Pluggable Authentication Modules (PAM) determine how authentication,      │
│ authorization, and password changing are handled on the system, as well   │
│ as allowing configuration of additional actions to take when starting     │
│ user sessions.                                                            │
│                                                                           │
│ Some PAM module packages provide profiles that can be used to             │
│ automatically adjust the behavior of all PAM-using applications on the    │
│ system.  Please indicate which of these behaviors you wish to enable.     │
│                                                                           │
│ PAM profiles to enable:                                                   │
│                                                                           │
│    [*] Kerberos authentication                                            │
│    [*] Unix authentication                                                │
│    [ ] LDAP Authentication                                                │
│                                                                           │
│                                                                           │
│                    <Ok>                        <Cancel>                   │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
root@hope:/etc# service nslcd restart
 * Restarting LDAP connection daemon nslcd
 nslcd: /etc/nslcd.conf:30:  option sasl_mech is currently not fully supported (please report any successes)
 nslcd: /etc/nslcd.conf:31: error accessing /tmp/host.tkt: No such file or directory
                                                                        [fail]
root@hope:/etc# touch /tmp/host.tkt
root@hope:/etc# service nslcd restart
 * Restarting LDAP connection daemon nslcd
 nslcd: /etc/nslcd.conf:30: option sasl_mech is currently not fully supported (please report any successes)
                                                                        [ OK ]
root@hope:~# vim /etc/passwd
root@hope:~# etckeeper commit "Removed jj5 from /etc/passwd"
Committing to: /etc/
modified nslcd.conf
modified passwd
modified pam.d/common-account
modified pam.d/common-auth
modified pam.d/common-password
modified pam.d/common-session
modified pam.d/common-session-noninteractive
Committed revision 19.
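
The nslcd.conf recorded above sets `tls_reqcert allow`, which makes nslcd accept any certificate the directory presents, so `ldaps://` still encrypts but no longer proves that charity is the server answering. The audit script below is an added example, not part of the hope admin record: it checks an nslcd.conf for that setting, for a plain `ldap://` URI without StartTLS, and for a `bindpw` sitting in a world-readable file. The two sample configs are constructed inline (the first mirrors the directives logged above, the second is the hardened form); the CA file path in the hardened sample is an assumption and should point at the CA that issued charity's certificate.

```shell
#!/bin/sh
# Audit /etc/nslcd.conf for settings that weaken the client's trust in the
# directory. Added example for this log entry, not part of the hope admin
# record; the sample configs are constructed here.

# audit_nslcd_conf FILE
# Prints one finding per line. Returns 0 when nothing was found, 1 otherwise.
audit_nslcd_conf() {
    # Drop comments and blank lines so commented-out directives do not count.
    cfg=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")
    n=0

    # 1. tls_reqcert: 'allow', 'never' and 'try' let nslcd talk to a server
    #    whose certificate is missing or invalid, so ldaps:// no longer proves
    #    which directory answered. Unset means libldap's default (demand).
    reqcert=$(printf '%s\n' "$cfg" | awk '$1 == "tls_reqcert" { v = $2 } END { print v }')
    case "${reqcert:-demand}" in
        demand|hard) ;;
        *) echo "tls_reqcert $reqcert: server certificate is not verified"; n=$((n + 1)) ;;
    esac

    # 2. A plain ldap:// URI without 'ssl start_tls' carries lookups, and any
    #    simple-bind password, in clear text.
    if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*uri[[:space:]].*ldap://' &&
       ! printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls'; then
        echo "ldap:// URI without start_tls: lookups are sent in clear text"
        n=$((n + 1))
    fi

    # 3. A static bind password only stays secret if the file is not readable
    #    by everyone; with sasl_mech GSSAPI (as on this host) none is needed.
    if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*bindpw[[:space:]]' &&
       [ -n "$(find "$1" -perm -004 2>/dev/null)" ]; then
        echo "bindpw set in a world-readable file"
        n=$((n + 1))
    fi

    [ "$n" -eq 0 ]
}

# Constructed sample: the directives recorded in this log entry.
write_logged_nslcd_conf() {
    cat > "$1" <<'EOF'
uid nslcd
gid nslcd
uri ldaps://charity.progclub.org/
base dc=progclub,dc=org
#ssl off
tls_reqcert allow
sasl_mech GSSAPI
EOF
}

# Constructed sample: the same setup with certificate verification turned on.
# The CA path is an assumption; use the file holding the issuing CA.
write_hardened_nslcd_conf() {
    cat > "$1" <<'EOF'
uid nslcd
gid nslcd
uri ldaps://charity.progclub.org/
base dc=progclub,dc=org
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/progclub-ca.pem
sasl_mech GSSAPI
EOF
}

# Demo on the constructed samples (temporary file, removed afterwards).
tmp=$(mktemp)
write_logged_nslcd_conf "$tmp"
echo "== as recorded in the log =="
audit_nslcd_conf "$tmp" || true
write_hardened_nslcd_conf "$tmp"
echo "== hardened =="
audit_nslcd_conf "$tmp" && echo "no findings"
rm -f "$tmp"
```

With `tls_reqcert demand` nslcd refuses to start its LDAP session unless the certificate chains to `tls_cacertfile`, so a wrong CA path shows up immediately in the nslcd log rather than as a silent downgrade.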

John 2011-08-05 16:59

Disabling IPSec

Can't get IPSec to work. Commented out /etc/network/if-up.d/ip and removed the policies from /etc/ipsec-tools.conf.

John 2011-08-04 23:38

Installing Kerberos client

jj5@hope:~$ sudo -s
[sudo] password for jj5:
root@hope:~# apt-get install krb5-user krb5-config
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bind9-host geoip-database libbind9-60 libdns64 libgeoip1 libgssrpc4 libisc60
  libisccc60 libisccfg60 libkadm5clnt-mit7 liblwres60
Suggested packages:
  geoip-bin krb5-doc
The following NEW packages will be installed:
  bind9-host geoip-database krb5-config krb5-user libbind9-60 libdns64
  libgeoip1 libgssrpc4 libisc60 libisccc60 libisccfg60 libkadm5clnt-mit7
  liblwres60
0 upgraded, 13 newly installed, 0 to remove and 0 not upgraded.
Need to get 2161kB of archives.
After this operation, 5325kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libgeoip1 1.4.6.dfsg-17 [109kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libisc60 1:9.7.0.dfsg.P1-1 [169kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libdns64 1:9.7.0.dfsg.P1-1 [690kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main libisccc60 1:9.7.0.dfsg.P1-1 [29.4kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main libisccfg60 1:9.7.0.dfsg.P1-1 [52.6kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/main libbind9-60 1:9.7.0.dfsg.P1-1 [34.1kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid/main liblwres60 1:9.7.0.dfsg.P1-1 [47.9kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid/main bind9-host 1:9.7.0.dfsg.P1-1 [68.2kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid/main geoip-database 1.4.6.dfsg-17 [658kB]
Get:10 http://archive.ubuntu.com/ubuntu/ lucid/main krb5-config 2.2 [23.0kB]
Get:11 http://archive.ubuntu.com/ubuntu/ lucid/main libgssrpc4 1.8.1+dfsg-2 [81.4kB]
Get:12 http://archive.ubuntu.com/ubuntu/ lucid/main libkadm5clnt-mit7 1.8.1+dfsg-2 [62.0kB]
Get:13 http://archive.ubuntu.com/ubuntu/ lucid/main krb5-user 1.8.1+dfsg-2 [137kB]
Fetched 2161kB in 2s (891kB/s)
Preconfiguring packages ...
Selecting previously deselected package libgeoip1.
(Reading database ... 15611 files and directories currently installed.)
Unpacking libgeoip1 (from .../libgeoip1_1.4.6.dfsg-17_amd64.deb) ...
Selecting previously deselected package libisc60.
Unpacking libisc60 (from .../libisc60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libdns64.
Unpacking libdns64 (from .../libdns64_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libisccc60.
Unpacking libisccc60 (from .../libisccc60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libisccfg60.
Unpacking libisccfg60 (from .../libisccfg60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libbind9-60.
Unpacking libbind9-60 (from .../libbind9-60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package liblwres60.
Unpacking liblwres60 (from .../liblwres60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package bind9-host.
Unpacking bind9-host (from .../bind9-host_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package geoip-database.
Unpacking geoip-database (from .../geoip-database_1.4.6.dfsg-17_all.deb) ...
Selecting previously deselected package krb5-config.
Unpacking krb5-config (from .../krb5-config_2.2_all.deb) ...
Selecting previously deselected package libgssrpc4.
Unpacking libgssrpc4 (from .../libgssrpc4_1.8.1+dfsg-2_amd64.deb) ...
Selecting previously deselected package libkadm5clnt-mit7.
Unpacking libkadm5clnt-mit7 (from .../libkadm5clnt-mit7_1.8.1+dfsg-2_amd64.deb) ...
Selecting previously deselected package krb5-user.
Unpacking krb5-user (from .../krb5-user_1.8.1+dfsg-2_amd64.deb) ...
Processing triggers for man-db ...
Setting up libgeoip1 (1.4.6.dfsg-17) ...

Setting up libisc60 (1:9.7.0.dfsg.P1-1) ...

Setting up libdns64 (1:9.7.0.dfsg.P1-1) ...

Setting up libisccc60 (1:9.7.0.dfsg.P1-1) ...

Setting up libisccfg60 (1:9.7.0.dfsg.P1-1) ...

Setting up libbind9-60 (1:9.7.0.dfsg.P1-1) ...

Setting up liblwres60 (1:9.7.0.dfsg.P1-1) ...

Setting up bind9-host (1:9.7.0.dfsg.P1-1) ...
Setting up geoip-database (1.4.6.dfsg-17) ...
Setting up krb5-config (2.2) ...

Setting up libgssrpc4 (1.8.1+dfsg-2) ...

Setting up libkadm5clnt-mit7 (1.8.1+dfsg-2) ...

Setting up krb5-user (1.8.1+dfsg-2) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added krb5.conf
Committed revision 13.
Package configuration



┌──────────────────┤ Configuring Kerberos Authentication ├──────────────────┐
│ When users attempt to use Kerberos and specify a principal or user name   │
│ without specifying what administrative Kerberos realm that principal      │
│ belongs to, the system appends the default realm.  The default realm may  │
│ also be used as the realm of a Kerberos service running on the local      │
│ machine.  Often, the default realm is the uppercase version of the local  │
│ DNS domain.                                                               │
│                                                                           │
│ Default Kerberos version 5 realm:                                         │
│                                                                           │
│ PROGCLUB.ORG_____________________________________________________________ │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Package configuration





  ┌────────────────┤ Configuring Kerberos Authentication ├─────────────────┐
  │ Enter the hostnames of Kerberos servers in the PROGCLUB.ORG Kerberos   │
  │ realm separated by spaces.                                             │
  │                                                                        │
  │ Kerberos servers for your realm:                                       │
  │                                                                        │
  │ kerberos.progclub.org_________________________________________________ │
  │                                                                        │
  │                                 <Ok>                                   │
  │                                                                        │
  └────────────────────────────────────────────────────────────────────────┘
Package configuration





┌──────────────────┤ Configuring Kerberos Authentication ├──────────────────┐
│ Enter the hostname of the administrative (password changing) server for   │
│ the PROGCLUB.ORG Kerberos realm.                                          │
│                                                                           │
│ Administrative server for your Kerberos realm:                            │
│                                                                           │
│ kerberos.progclub.org____________________________________________________ │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘

John 2011-07-30 18:05

Configuring IPSec

jj5@hope:~$ sudo -s
[sudo] password for jj5:
root@hope:~# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/433kB of archives.
After this operation, 1217kB of additional disk space will be used.
Committing to: /etc/
modified ipsec-tools.conf
modified ipsec-tools.conf.bak
added iptables.up.rules
Committed revision 10.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 15611 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@hope:~# cd /etc/network/if-pre-up.d/
root@hope:/etc/network/if-pre-up.d# ll
total 12
drwxr-xr-x 2 root root 4096 Apr 22  2010 ./
drwxr-xr-x 6 root root 4096 Apr 22  2010 ../
-rwxr-xr-x 1 root root  348 Dec 21  2009 ethtool*
root@hope:/etc/network/if-pre-up.d# vim iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
root@hope:/etc/network/if-pre-up.d# vim ip
#!/bin/sh
# Charity
ip route add 67.207.128.184 dev eth0 advmss 200
# Honesty
ip route add 67.207.129.103 dev eth0 advmss 200
root@hope:/etc/network/if-pre-up.d# chmod +x iptables ip
root@hope:/etc/network/if-pre-up.d# ll
total 20
drwxr-xr-x 2 root root 4096 Jul 30 08:11 ./
drwxr-xr-x 6 root root 4096 Apr 22  2010 ../
-rwxr-xr-x 1 root root  348 Dec 21  2009 ethtool*
-rwxr-xr-x 1 root root  126 Jul 30 08:11 ip*
-rwxr-xr-x 1 root root   58 Jul 30 08:09 iptables*
root@hope:/etc/network/if-pre-up.d# cd /etc
root@hope:/etc# vim iptables.up.rules
*filter
#  Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that doesn't use lo0
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#  Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
#  Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Accept anything from charity
-A INPUT -s 67.207.128.184 -j ACCEPT
# Accept anything from honesty
-A INPUT -s 67.207.129.103 -j ACCEPT
# Allow MySQL connections from John's house
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
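
The two "Accept anything from charity/honesty" rules trust a source address and nothing else. While the setkey policies are loaded the kernel discards unprotected packets from those peers, but once the policies are flushed the same rules accept anything that carries a spoofable source address. The script below is an added example, not part of the hope admin record: it audits an iptables-restore file for source-only trust rules, for a missing terminating REJECT/DROP and for rules left unreachable after it, and rewrites the trust rules to accept the peer's AH/ESP packets plus, after decapsulation, only traffic that arrived under an ESP security association (the `policy` match is iptables' xt_policy module). The ruleset is a constructed copy of the rules recorded above so the script runs offline; a racoon/IKE setup would additionally need `-p udp --dport 500` from the peer.

```shell
#!/bin/sh
# Audit an iptables-restore file and harden its source-only trust rules.
# Added example, not part of the hope admin log; the ruleset below is a
# constructed copy of the rules recorded in this entry.

# audit_iptables_rules FILE: one finding per line; exit 0 if clean, 1 if not.
audit_iptables_rules() {
    awk '
        # First unconditional terminating rule in INPUT.
        (/^-A INPUT -j (REJECT|DROP)$/ || /^-A INPUT -j (REJECT|DROP) /) && !term { term = NR; next }
        term && /^-A INPUT / { print "unreachable (after final reject): " $0; n++; next }
        # ACCEPT on source address alone: no protocol/port and no IPsec policy match.
        /^-A INPUT / && / -j ACCEPT$/ && / -s / && !/ -p / && !/-m policy/ {
            print "source-only trust (spoofable without IPsec): " $0; n++
        }
        /^:INPUT DROP/ { policy_drop = 1 }
        END {
            if (!term && !policy_drop) { print "INPUT has no terminating REJECT/DROP"; n++ }
            exit (n > 0)
        }' "$1"
}

# harden_trust_rules FILE: rewrite each "-A INPUT -s X -j ACCEPT" into rules
# that accept the peer's AH and ESP packets and, after decapsulation, only
# traffic that actually arrived under an ESP security association.
harden_trust_rules() {
    awk '
        /^-A INPUT -s [^ ]+ -j ACCEPT$/ {
            src = $4
            print "-A INPUT -s " src " -p ah -j ACCEPT"
            print "-A INPUT -s " src " -p esp -j ACCEPT"
            print "-A INPUT -s " src " -m policy --dir in --pol ipsec --proto esp -j ACCEPT"
            next
        }
        { print }' "$1"
}

# Constructed copy of the rules recorded in this log entry.
write_logged_rules() {
    cat > "$1" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -s 67.207.128.184 -j ACCEPT
-A INPUT -s 67.207.129.103 -j ACCEPT
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Demo: audit the logged ruleset, harden it, audit again.
rules=$(mktemp); hardened=$(mktemp)
write_logged_rules "$rules"
echo "== findings in the logged ruleset =="
audit_iptables_rules "$rules" || true
harden_trust_rules "$rules" > "$hardened"
echo "== after hardening =="
audit_iptables_rules "$hardened" && echo "no findings"
rm -f "$rules" "$hardened"
```

The hardened rules fail closed: with the IPsec policies flushed, a packet that merely claims charity's address no longer matches `--pol ipsec` and falls through to the final REJECT.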
root@hope:/etc# vim ipsec-tools.conf
# Hope/Charity security policy
spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
       esp/transport//require
       ah/transport//require;
# Hope/Honesty security policy
spdadd 67.207.130.204 67.207.129.103 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.129.103 67.207.130.204 any -P in ipsec
       esp/transport//require
       ah/transport//require;
root@hope:/etc# vim racoon/psk.txt
# Charity
67.207.128.184 <secret>
# Honesty
67.207.129.103 <secret>
root@hope:/etc# ll racoon/psk.txt
-rw------- 1 root root 95 Jul 30 08:21 racoon/psk.txt
root@hope:/etc# vim racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote anonymous {
       exchange_mode main,aggressive;
       proposal {
               encryption_algorithm aes;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
       generate_policy off;
}
sainfo anonymous {
       pfs_group modp768;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}
#log debug2;
root@hope:/etc# vim racoon/racoon.conf
root@hope:/etc# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
root@hope:/etc# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@hope:/etc# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.
root@hope:/etc# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified ipsec-tools.conf
modified iptables.up.rules
added network/if-pre-up.d/ip
added network/if-pre-up.d/iptables
modified racoon/psk.txt
modified racoon/racoon.conf
Committed revision 11.
root@hope:/etc# /etc/network/if-pre-up.d/ip
RTNETLINK answers: File exists

That ought to do it!

...it didn't do it.

root@hope:~# apt-get remove racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  racoon
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 1217kB disk space will be freed.
Do you want to continue [Y/n]?
(Reading database ... 15675 files and directories currently installed.)
Removing racoon ...
Stopping IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@hope:~# dd if=/dev/random count=24 bs=1| xxd -ps
root@hope:~# dd if=/dev/random count=24 bs=1| xxd -ps
root@hope:~# dd if=/dev/random count=20 bs=1| xxd -ps
root@hope:~# dd if=/dev/random count=20 bs=1| xxd -ps
root@hope:~# vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# Flush the SAD and SPD
flush;
spdflush;
# Charity/Hope configuration
# ESP SAs using 192 bit long keys (AES-192; the "168 + 24 parity" split only applies to 3DES)
add 67.207.128.184 67.207.130.204 esp 1 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.130.204 67.207.128.184 esp 2 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# AH SAs using 160 bit long keys
add 67.207.128.184 67.207.130.204 ah 3 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.130.204 67.207.128.184 ah 4 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# Security policies
spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
        esp/transport//require
        ah/transport//require;
# Hope/Honesty configuration
# ESP SAs using 192 bit long keys (AES-192; the "168 + 24 parity" split only applies to 3DES)
add 67.207.130.204 67.207.129.103 esp 9 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.130.204 esp 10 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# AH SAs using 160 bit long keys
add 67.207.130.204 67.207.129.103 ah 11 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.130.204 ah 12 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# Security policies
spdadd 67.207.130.204 67.207.129.103 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.129.103 67.207.130.204 any -P in ipsec
        esp/transport//require
        ah/transport//require;
root@hope:~# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@hope:~# cd /etc/network
root@hope:/etc/network# ls
if-down.d  if-post-down.d  if-pre-up.d  if-up.d  interfaces
root@hope:/etc/network# mv if-pre-up.d/ip if-up.d/
root@hope:/etc/network# if-up.d/ip
root@hope:/etc# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified ipsec-tools.conf
missing network/if-pre-up.d/ip
modified network/if-pre-up.d/ip
added network/if-up.d/ip
Committed revision 12.

The other ends of the connections have been configured on charity and honesty.

Works!
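
The four `dd if=/dev/random ... | xxd -ps` draws above produce the keys for the `add` lines, and nothing checks that each key is the right length for its algorithm. The script below is an added example, not part of the hope admin record: it generates a manually keyed setkey(8) configuration for one peer pair with a separate key per direction, verifies key lengths against the algorithm (aes-cbc takes 128/192/256-bit keys; the 168+24 parity split only applies to 3DES), and refuses SPIs below 256, which RFC 4302/4303 reserve to IANA (the config above uses 1 to 12). It reads /dev/urandom, which does not block; on a freshly booted VM make sure the entropy pool has been seeded. The addresses are those recorded on this page; the algorithm table is the subset of setkey's algorithms used here.

```shell
#!/bin/sh
# Generate a manually keyed setkey(8) configuration for one peer pair.
# Added example, not from the hope admin log.

# gen_key_hex NBYTES: NBYTES of random key material as lowercase hex.
gen_key_hex() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# key_bytes_for ALGO: key size in bytes to draw for the algorithm.
key_bytes_for() {
    case "$1" in
        aes-cbc)     echo 24 ;;   # AES-192 as in the log; 16 and 32 are also valid
        3des-cbc)    echo 24 ;;
        hmac-md5)    echo 16 ;;
        hmac-sha1)   echo 20 ;;
        hmac-sha256) echo 32 ;;
        *) echo "key_bytes_for: unsupported algorithm $1" >&2; return 1 ;;
    esac
}

# check_key_len ALGO HEX: 0 if HEX is a well-formed key of a valid length.
check_key_len() {
    case "$2" in ''|*[!0-9a-f]*) return 1 ;; esac
    case "$1" in
        aes-cbc)     allowed="32 48 64" ;;
        3des-cbc)    allowed="48" ;;
        hmac-md5)    allowed="32" ;;
        hmac-sha1)   allowed="40" ;;
        hmac-sha256) allowed="64" ;;
        *) return 1 ;;
    esac
    for len in $allowed; do
        [ "${#2}" -eq "$len" ] && return 0
    done
    return 1
}

# setkey_sas A B SPI ENC AUTH: the four "add" lines (ESP and AH, both
# directions, SPI..SPI+3). Identical on both hosts; copy them over ssh.
setkey_sas() {
    a=$1 b=$2 spi=$(($3)) enc=$4 auth=$5
    if [ "$spi" -lt 256 ]; then
        echo "setkey_sas: SPI $spi is in the IANA-reserved range 1-255" >&2
        return 1
    fi
    eb=$(key_bytes_for "$enc") || return 1
    ab=$(key_bytes_for "$auth") || return 1
    e_ab=$(gen_key_hex "$eb"); e_ba=$(gen_key_hex "$eb")
    a_ab=$(gen_key_hex "$ab"); a_ba=$(gen_key_hex "$ab")
    for k in "$e_ab" "$e_ba"; do check_key_len "$enc" "$k" || return 1; done
    for k in "$a_ab" "$a_ba"; do check_key_len "$auth" "$k" || return 1; done
    printf '# %s <-> %s: ESP %s (%d-bit keys), AH %s (%d-bit keys)\n' \
        "$a" "$b" "$enc" $((eb * 8)) "$auth" $((ab * 8))
    printf 'add %s %s esp %d -E %s 0x%s;\n' "$a" "$b" "$spi"       "$enc"  "$e_ab"
    printf 'add %s %s esp %d -E %s 0x%s;\n' "$b" "$a" $((spi + 1)) "$enc"  "$e_ba"
    printf 'add %s %s ah %d -A %s 0x%s;\n'  "$a" "$b" $((spi + 2)) "$auth" "$a_ab"
    printf 'add %s %s ah %d -A %s 0x%s;\n'  "$b" "$a" $((spi + 3)) "$auth" "$a_ba"
}

# setkey_policies LOCAL REMOTE: the two spdadd lines from LOCAL's point of
# view; the peer gets the same call with the arguments swapped.
setkey_policies() {
    printf 'spdadd %s %s any -P out ipsec esp/transport//require ah/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/transport//require ah/transport//require;\n' "$2" "$1"
}

# Demo: the hope <-> charity half of /etc/ipsec-tools.conf. Keys are fresh on
# every run, so this is only usable once both hosts hold the same add lines.
hope=67.207.130.204; charity=67.207.128.184
printf '#!/usr/sbin/setkey -f\nflush;\nspdflush;\n'
setkey_sas "$hope" "$charity" 512 aes-cbc hmac-sha1
setkey_policies "$hope" "$charity"
```

Run it once, install the output on hope, and put the same `add` lines with `setkey_policies charity hope` on charity; the file holds live keys, so keep the `chmod 750` from the earlier entry and move it between hosts over ssh only.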

John 2011-07-30 09:45

Configuring racoon

See the Charity Admin section for the other half of the configuration.

# vim /etc/racoon/psk.txt
# Charity
67.207.128.184 <secret>
# vim /etc/racoon/racoon.conf
remote 67.207.128.184 {
       exchange_mode main,aggressive;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
       generate_policy off;
}
# local (hope) address first, then the remote (charity) address
sainfo address 67.207.130.204[any] any address 67.207.128.184[any] any {
       pfs_group modp768;
       encryption_algorithm 3des;
       authentication_algorithm hmac_md5;
       compression_algorithm deflate;
}
# vim /etc/ipsec-tools.conf
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
       esp/transport//require
       ah/transport//require;
root@hope:/etc/racoon# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
root@hope:/etc/racoon# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@hope:/etc/racoon# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.

John 2011-07-30 01:49

Adding user jj5

I had hoped to have LDAP and SSO operational before adding users to any user machines, but it looks like there's nothing for it. Debugging IPSec is a pain, and I need to log in to hope all the time, and I'm sick of typing in the long random root password.

root@hope:~# adduser jj5
Adding user `jj5' ...
Adding new group `jj5' (1000) ...
Adding new user `jj5' (1000) with group `jj5' ...
Creating home directory `/home/jj5' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jj5
Enter the new value, or press ENTER for the default
        Full Name []: John Elliot
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
root@hope:~# gpasswd -a jj5 sudo
Adding user jj5 to group sudo

John 2011-07-30 00:04

Installing racoon

Having some trouble with IPSec, going to try using racoon.

root@hope:/etc# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 433kB of archives.
After this operation, 1217kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main racoon 1:0.7.1-1.6ubuntu1 [433kB]
Fetched 433kB in 1s (377kB/s)
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
added ipsec-tools.conf.bak
Committed revision 7.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 15606 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Generating /etc/default/racoon...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added racoon
added default/racoon
added init.d/racoon
added racoon/psk.txt
added racoon/racoon-tool.conf
added racoon/racoon.conf
added rc1.d/K89racoon
added rcS.d/S40racoon
Committed revision 8.

The install prompted for Package configuration information, and I chose the 'direct' configuration method (the default) over 'racoon-tool', the other option.

 ┌──────────────────────────┤ Configuring racoon ├──────────────────────────┐
 │ Racoon can be configured two ways, either by directly editing            │
 │ /etc/racoon/racoon.conf or using the racoon-tool administrative front    │
 │ end. racoon-tool is now deprecated and is only available for backward    │
 │ compatibility. New installations should always use the "direct" method.  │
 │                                                                          │
 │ Configuration mode for racoon IKE daemon.                                │
 │                                                                          │
 │                               direct                                     │
 │                               racoon-tool                                │
 │                                                                          │
 │                                                                          │
 │                                  <Ok>                                    │
 │                                                                          │
 └──────────────────────────────────────────────────────────────────────────┘

John 2011-07-29 00:13

Installing IPSec

# apt-get install ipsec-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ipsec-tools
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 111kB of archives.
After this operation, 274kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main ipsec-tools 1:0.7.1-1.6ubuntu1 [111kB]
Fetched 111kB in 0s (157kB/s)
Selecting previously deselected package ipsec-tools.
(Reading database ... 15571 files and directories currently installed.)
Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up ipsec-tools (1:0.7.1-1.6ubuntu1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added ipsec-tools.conf
added default/setkey
added init.d/setkey
added rcS.d/S37setkey
Committed revision 2.
# vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#
# Flush the SAD and SPD
flush;
spdflush;
# AH SAs using 128 bit long keys
add 67.207.128.184 67.207.130.204 ah 0x200 -A hmac-md5
        0x<ah_1>;
add 67.207.130.204 67.207.128.184 ah 0x300 -A hmac-md5
        0x<ah_2>;
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.128.184 67.207.130.204 esp 0x201 -E 3des-cbc
        0x<esp_1>;
add 67.207.130.204 67.207.128.184 esp 0x301 -E 3des-cbc
        0x<esp_2>;
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
        esp/transport//require
        ah/transport//require;
# sudo chmod 750 /etc/ipsec-tools.conf
# sudo /etc/init.d/setkey start
* Loading IPsec SA/SP database from /etc/ipsec-tools.conf:              [ OK ]
$ sudo etckeeper commit "Configured IPSec between charity and hope"
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
Committed revision 3.

Done!

John 2011-07-29 00:12

Installing Etckeeper

Per the instructions,

# apt-get install etckeeper

That was it. The output was too extensive to report here.

John 2011-07-25 19:41

The hope.progclub.org slice has been created, and the host added to the DNS zones, but apart from that it's not configured presently.