Hope admin
From ProgClub
Revision as of 12:04, 30 July 2011 by John (talk | contribs) (moved Hope Admin to Hope admin: Lowercase name)
This page chronicles the administrative changes to hope.progclub.org. If you make an administrative change you should document the change here. Changes are logged he in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is less than a time-stamp later in the page, put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the Administrative Reference for other information.
John 2011-07-30 09:45
Configuring racoon
See the Charity Admin section for the other half of the configuration.
# vim /etc/racoon/psk.txt
# Charity 67.207.128.184 <secret>
# vim /etc/racoon/racoon.conf
remote 67.207.128.184 {
exchange_mode main,aggressive;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
generate_policy off;
}
sainfo address 67.207.128.184[any] any address 67.207.128.184/32[any] any {
pfs_group modp768;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
# vim /etc/ipsec-tools.conf
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
esp/transport//require
ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
esp/transport//require
ah/transport//require;
root@hope:/etc/racoon# /etc/init.d/racoon stop Stopping IKE (ISAKMP/Oakley) server: racoon. root@hope:/etc/racoon# /etc/init.d/setkey restart Reloading IPsec SA/SP database: done. root@hope:/etc/racoon# /etc/init.d/racoon start Starting IKE (ISAKMP/Oakley) server: racoon.
John 2011-07-30 01:49
Adding user jj5
I had hoped to have LDAP and SSO operational before adding users to the any user machines, but it looks like there's nothing for it. Debuggin IPSec is a pain, and I need to login to hope all the time, and I'm sick of typing in the long random root password.
root@hope:~# adduser jj5
Adding user `jj5' ...
Adding new group `jj5' (1000) ...
Adding new user `jj5' (1000) with group `jj5' ...
Creating home directory `/home/jj5' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jj5
Enter the new value, or press ENTER for the default
Full Name []: John Elliot
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
root@hope:~# gpasswd -a jj5 sudo
Adding user jj5 to group sudo
John 2011-07-30 00:04
Installing racoon
Having some trouble with IPSec, going to try using racoon.
root@hope:/etc# apt-get install racoon Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: racoon 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 433kB of archives. After this operation, 1217kB of additional disk space will be used. Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main racoon 1:0.7.1-1.6ubuntu1 [433kB] Fetched 433kB in 1s (377kB/s) Committing to: /etc/ modified .etckeeper modified ipsec-tools.conf added ipsec-tools.conf.bak Committed revision 7. Preconfiguring packages ... Selecting previously deselected package racoon. (Reading database ... 15606 files and directories currently installed.) Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ... Processing triggers for man-db ... Processing triggers for ureadahead ... Setting up racoon (1:0.7.1-1.6ubuntu1) ... Generating /etc/default/racoon... Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ... ldconfig deferred processing now taking place Committing to: /etc/ modified .etckeeper added racoon added default/racoon added init.d/racoon added racoon/psk.txt added racoon/racoon-tool.conf added racoon/racoon.conf added rc1.d/K89racoon added rcS.d/S40racoon Committed revision 8.
The install prompted for Package configuration information, and I choose the 'direct' configuration method (the default) over 'racoon-tool', the other option.
┌──────────────────────────┤ Configuring racoon ├──────────────────────────┐ │ Racoon can be configured two ways, either by directly editing │ │ /etc/racoon/racoon.conf or using the racoon-tool administrative front │ │ end. racoon-tool is now deprecated and is only available for backward │ │ compatibility. New installations should always use the "direct" method. │ │ │ │ Configuration mode for racoon IKE daemon. │ │ │ │ direct │ │ racoon-tool │ │ │ │ │ │ <Ok> │ │ │ └──────────────────────────────────────────────────────────────────────────┘
John 2011-07-29 00:13
Installing IPSec
# apt-get install ipsec-tools Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: ipsec-tools 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 111kB of archives. After this operation, 274kB of additional disk space will be used. Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main ipsec-tools 1:0.7.1-1.6ubuntu1 [111kB] Fetched 111kB in 0s (157kB/s) Selecting previously deselected package ipsec-tools. (Reading database ... 15571 files and directories currently installed.) Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.6ubuntu1_amd64.deb) ... Processing triggers for man-db ... Processing triggers for ureadahead ... Setting up ipsec-tools (1:0.7.1-1.6ubuntu1) ...
Processing triggers for libc-bin ... ldconfig deferred processing now taking place Committing to: /etc/ modified .etckeeper added ipsec-tools.conf added default/setkey added init.d/setkey added rcS.d/S37setkey Committed revision 2.
# vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# NOTE: Do not use this file if you use racoon with racoon-tool # utility. racoon-tool will setup SAs and SPDs automatically using # /etc/racoon/racoon-tool.conf configuration. #
# Flush the SAD and SPD flush; spdflush;
# AH SAs using 128 bit long keys
add 67.207.128.184 67.207.130.204 ah 0x200 -A hmac-md5
0x<ah_1>;
add 67.207.130.204 67.207.128.184 ah 0x300 -A hmac-md5
0x<ah_2>;
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.128.184 67.207.130.204 esp 0x201 -E 3des-cbc
0x<esp_1>;
add 67.207.130.204 67.207.128.184 esp 0x301 -E 3des-cbc
0x<esp_2>;
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
esp/transport//require
ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
esp/transport//require
ah/transport//require;
# sudo chmod 750 /etc/ipsec-tools.conf # sudo /etc/init.d/setkey start * Loading IPsec SA/SP database from /etc/ipsec-tools.conf: [ OK ] $ sudo etckeeper commit "Configured IPSec between charity and hope" Committing to: /etc/ modified .etckeeper modified ipsec-tools.conf Committed revision 3.
Done!
John 2011-07-29 00:12
Installing Etckeeper
Per the instructions,
# apt-get install etckeeper
That was it. The output was too extensive to report here.
John 2011-07-25 19:41
The hope.progclub.org slice has has been created, and the host added to to the DNS zones, but apart from that it's not configured presently.
