User:Tom/RHCE EX300-2: Difference between revisions
Revision as of 12:40, 1 October 2017
25 Configuring Kerberos
Account information: Information such as username and home directory. Typically LDAP is used here.
Authentication information: Needed to validate that a user is who he claims to be. Done by an authentication protocol such as Kerberos.
KDC: Key Distribution Center. A central key server that issues tickets.
Realm: All hosts that use the same KDC to get tickets.
TGT: Ticket Granting Ticket.
Kerberos Basics
Kerberos authentication is based on tickets. These tickets are secured with encryption and are used as an alternative to transmitting passwords across the network. The ticket that is sent over the network is encrypted with the user's password.
Tickets are issued by a central server, the KDC (Key Distribution Center). A realm consists of all hosts that use the same KDC to get tickets. The DNS domain of the Kerberos site, written in capitals, is the Kerberos realm name.
Kerberos is not just used for user authentication. Applications running on hosts can also use Kerberos for secure access; such a host is called an application server. Each application server and each user has an identity in Kerberos, with a password associated with it. The KDC knows the passwords of all users and servers.
Kerberos Principals
Users and services have Kerberos principals. Services store their password in the keytab file, which allows the server to log in to Kerberos without human intervention. If a server hosts Kerberized services, it needs the file /etc/krb5.keytab, which contains the names of all service principals on that server together with their passwords (keys).
Service principal name: nfs/server.example.com@EXAMPLE.COM
User principal name: tom@EXAMPLE.COM
Configuring LDAP Authentication with Kerberos Authorization
authconfig-tui can be used. Several configuration files are involved.
Using nslcd or sssd as Authentication Backend Service
Verify that the sssd packages are installed before using the authconfig utilities. When a GUI is used, sssd is the default backend. Use yum group install "Directory Client" to install sssd and related packages, and start sssd before using the authconfig utilities.
Recipe:
Set up external authentication
- yum groups install "Directory Client"
- mkdir /etc/openldap/cacerts
- copy certificate to /etc/openldap/cacerts/.
- Edit /etc/sysconfig/authconfig and set the following:
  FORCELEGACY=no (switches off nslcd)
  USESSSD=yes
  USESSSDAUTH=yes
- Start authconfig-tui and select "Cache Information", "Use LDAP" and "Use LDAP Authentication".
- In the LDAP settings screen select "Use TLS" and specify Server labipa.example.com and Base DN dc=example,dc=com.
- Complete the setup procedure in authconfig-tui.
- Do cat /etc/sssd/sssd.conf to verify the configuration has been committed.
- systemctl restart sssd
- Do su - ldapuser1 and type id. This will show that you are currently logged in as user ldapuser1.
After configuring LDAP authentication you can now enable Kerberos authentication as well.
- Start authconfig-tui
- yum install pam_krb5 krb5-workstation to install the packages that add Kerberos support.
- Select "Use Kerberos"
- In the Kerberos Settings Screen, enter the following:
  Realm: EXAMPLE.COM
  KDC: labipa.example.com
  Admin Server: labipa.example.com
Alternatively select "Use DNS to Resolve Hosts to Realms" and "Use DNS to Locate KDCs for Realms". These options use the DNS SRV resource records that Kerberos creates in DNS, which makes it easy to find information about these services as well.
- At the prompt, as root, type kinit admin. When prompted, provide the password of the admin user on the labipa server. This verifies that the host can authenticate and shows that the Kerberos configuration is correct.
- Now that the host can authenticate, type kinit ldapuser1 and enter the password. This proves that Kerberos authentication works correctly for users as well.
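The authconfig-tui steps above can also be run non-interactively, which is easier to reproduce and to review. The script below is an added example and is not part of the original notes: it builds the authconfig command line for LDAP accounts over TLS with Kerberos authentication through sssd, and verifies the result with the same kinit/klist check the recipe uses. Server name, realm and base DN are the values the notes use; the CA certificate is assumed to have been copied to /etc/openldap/cacerts/ beforehand, and nothing is changed on the host unless the script is run with --apply.

```shell
#!/bin/sh
# Added example, not part of the original notes: the non-interactive
# authconfig equivalent of the authconfig-tui steps, followed by the same
# kinit/klist verification. Values: labipa.example.com, EXAMPLE.COM,
# dc=example,dc=com (as in the notes).

# Kerberos realms are the DNS domain written in capitals.
realm_from_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Build the authconfig command line: LDAP for account information (over TLS),
# Kerberos for authentication, both through sssd; --update writes the
# configuration files. Arguments: ldap_server base_dn realm kdc admin_server
build_authconfig_cmd() {
    printf '%s' "authconfig --enablesssd --enablesssdauth" \
        " --enableldap --enableldapauth --enableldaptls" \
        " --ldapserver=ldap://$1 --ldapbasedn=$2" \
        " --enablekrb5 --krb5realm=$3 --krb5kdc=$4 --krb5adminserver=$5" \
        " --update"
    printf '\n'
}

# Verify the way the notes do: obtain a TGT for a user, then check that klist
# shows a krbtgt ticket for the realm. Returns 1 when either step fails.
verify_kerberos_login() {
    user=$1; realm=$2
    kinit "$user" || return 1
    klist | grep -q "krbtgt/$realm@$realm"
}

# Only touch the host when explicitly asked, so the script can be read (and
# the generated command line checked) on any machine.
if [ "${1:-}" = "--apply" ]; then
    realm=$(realm_from_domain example.com)
    yum -y groups install "Directory Client"
    yum -y install pam_krb5 krb5-workstation
    mkdir -p /etc/openldap/cacerts      # copy the CA certificate here first
    sh -c "$(build_authconfig_cmd labipa.example.com dc=example,dc=com "$realm" \
             labipa.example.com labipa.example.com)"
    systemctl restart sssd
    verify_kerberos_login ldapuser1 "$realm" && echo "Kerberos login works"
else
    build_authconfig_cmd labipa.example.com dc=example,dc=com \
        "$(realm_from_domain example.com)" labipa.example.com labipa.example.com
fi
```

Without --apply the script only prints the command line, which is the piece worth checking before it is run: every flag maps to one screen of authconfig-tui, and authconfig --test afterwards shows what was actually enabled.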
Commands
authconfig  Configure LDAP authentication with Kerberos authorization.
authconfig --test  Get an overview of the current configuration and see what services are used.
authconfig-tui, authconfig-gtk  Interactive front ends.
kinit  Obtain and cache a Kerberos ticket-granting ticket.
klist  List cached Kerberos tickets.
Files
/etc/krb5.keytab Needed by a server hosting Kerberized services. Contains names of all service principals on that server.
/etc/nslcd.conf Alternative for sssd.
/etc/nsswitch.conf
/etc/openldap/cacerts Stores root certificate authorities
/etc/openldap/ldap.conf LDAP client configuration. Specifies which LDAP user is used.
/etc/pam.d/
/etc/sssd/sssd.conf Daemon used for retrieving and caching user and authentication information.
Install the sssd service before using the authconfig utilities (yum group install "Directory Client").
/etc/sysconfig/authconfig
Packages
pam_krb5 krb5-workstation
26 iSCSI
An iSCSI Target provides storage which is accessed by an iSCSI Initiator.
Using command targetcli create
- backstore
- iscsi iqn for target
- Create portal (only needed on releases before RHEL 7.1; check /etc/redhat-release)
- Create lun
- Create acl iqn
Using command iscsiadm do
- Edit /etc/iscsi/initiatorname.iscsi and restart iscsid
- iscsiadm --mode discovery
- iscsiadm --mode node ... --login
Mount the LV using its UUID; use blkid for a list.
Note: RHEL 7.0 has no firewalld service iscsi-target. Use --add-port=3260/tcp instead.
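The two recipes above, target side and initiator side, written out as the command sequences they stand for. This is an added example, not part of the original notes: the IQNs, the backing device and the portal address are constructed values, the commands are printed rather than executed, and the IQN check enforces only the iqn.YYYY-MM.reversed-domain[:identifier] format.

```shell
#!/bin/sh
# Added example, not part of the original notes: targetcli and iscsiadm
# command sequences for the recipes above, plus an IQN format check.

TARGET_IQN=iqn.2017-10.com.example:storage    # constructed
CLIENT_IQN=iqn.2017-10.com.example:client1    # constructed
BACKING_DEV=/dev/vdb                          # constructed
PORTAL_IP=192.168.122.10                      # constructed

# An IQN is iqn.YYYY-MM.<reversed domain>[:<identifier>].
is_valid_iqn() {
    printf '%s\n' "$1" | grep -Eq '^iqn\.[0-9]{4}-[0-9]{2}\.[a-z0-9.-]+(:[^[:space:]]+)?$'
}

# Target side: backstore, target IQN, LUN, ACL for exactly one initiator and,
# only when a portal address is given (pre RHEL 7.1), the portal; newer
# releases create a default portal on 0.0.0.0:3260 themselves.
# Arguments: target_iqn client_iqn device [portal_ip]
target_commands() {
    is_valid_iqn "$1" && is_valid_iqn "$2" || { echo "invalid IQN" >&2; return 1; }
    cat <<EOF
targetcli /backstores/block create name=disk1 dev=$3
targetcli /iscsi create $1
targetcli /iscsi/$1/tpg1/luns create /backstores/block/disk1
targetcli /iscsi/$1/tpg1/acls create $2
EOF
    [ -n "${4:-}" ] && printf 'targetcli /iscsi/%s/tpg1/portals create %s 3260\n' "$1" "$4"
    printf 'targetcli saveconfig\n'
}

# Initiator side: set the initiator name (it must match the ACL on the
# target), restart iscsid, discover, log in, then find the new disk and its
# UUID for an /etc/fstab entry with the _netdev option.
# Arguments: client_iqn portal_ip target_iqn
initiator_commands() {
    cat <<EOF
printf 'InitiatorName=%s\n' '$1' > /etc/iscsi/initiatorname.iscsi
systemctl restart iscsid
iscsiadm --mode discovery --type sendtargets --portal $2
iscsiadm --mode node --targetname $3 --portal $2:3260 --login
lsblk --scsi
blkid
EOF
}

echo "# target (RHEL 7.1 or later, default portal already present)"
target_commands "$TARGET_IQN" "$CLIENT_IQN" "$BACKING_DEV"
echo "# initiator"
initiator_commands "$CLIENT_IQN" "$PORTAL_IP" "$TARGET_IQN"
```

The ACL line is the access control of iSCSI: without an entry for the initiator's IQN the login in the initiator sequence is refused, so keep the ACL list to the hosts that should see the LUN and open port 3260 only towards them.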
Commands
targetcli
iscsiadm
lsscsi
lsblk --scsi
firewall-cmd --add-service iscsi-target --permanent
firewall-cmd --reload
systemctl start target
systemctl enable target
Files
Packages
targetcli Target
iscsi-initiator-utils Initiator
30 Routing and Networking
Commands
IPv6 addresses and networks:
::1/128  Local host.
::  All addresses.
::/0  The default route.
2000::/3  Global unicast addresses.
fc00::/7  Unique local addresses.
fe80::/64  Link-local addresses.
ff00::/8  Multicast.
2001:db8::/32  Addresses reserved for use in documentation.
Install rpm bash-completion to enable tab completion for nmcli. Command nmcli recognizes two sources; devices and connections.
man 5 nmcli-examples  Examples of how to create a team interface.
man -k team
man teamd.conf  Describes
nmcli con add type team con-name team0 config '{ "runner": {"name": "loadbalance"}}'
nmcli con mod team0 ipv4.addresses 192.168.122.131/24
nmcli con add type team-slave ifname eth1 master team0
nmcli con add type team-slave ifname eth2 master team0
nmcli con edit team1
  In the editor, help and print describe the runner type, amongst other things.
nmcli con show eth1  Shows detailed IP configuration (for example ipv4.addresses).
nmcli con add con-name eth1 type ethernet ifname eth1 ip6 2001:db8:0:1::100/64 gw6 2001:db8:0:1::1 ip4 192.168.122.131/24 gw4 192.168.122.1
nmcli con mod eth1 ipv6.addresses "2001:db8:0:1::1"
nmcli con mod eth1 +ipv6.addresses "2001:db8:0:2::1"
nmcli con up team0
nmcli con show
nmcli con reload  Run this command after modifying the configuration files in /etc/sysconfig/network-scripts directly.
teamdctl team0 state
teamdctl team0 state view
teamnl team0 options
ip link show
ip route show
Files
/etc/sysconfig/network-scripts/ifcfg-team0
/etc/sysconfig/network-scripts/ifcfg-team-slave-eth[12]
/etc/sysctl.d/forwarding.conf (net.ipv4.ip_forward = 1)  Enable forwarding to configure the server as a router.
32 Advanced Firewall Configuration
Basic ordering of rules within zones (DPLAD):
- Direct rules
- Port forwarding and masquerading
- Logging rules
- Allow rules
- Deny rules
Basic syntax of a rich rule:
- rule
- [source] [destination]
- [service|port|protocol|icmp-block|masquerade|forward-port]
- [log] [audit]
- [accept] [reject] [drop]
For NAT the server needs to be configured as a router: /proc/sys/net/ipv4/ip_forward=1
Two types of NAT:
- Masquerading: The IP address of a node is replaced with the IP address of the NAT router.
- Port forwarding: The NAT router redirects all traffic to a public port on the NAT router to another port, and possibly another host, on the private network. Masquerading needs to be activated for port forwarding to another host.
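To make the rich-rule grammar and the two NAT types concrete, the following added example (not part of the original notes) composes rules in the documented order, rule [source] [element] [log] [action], and prints the firewall-cmd calls for masquerading plus port forwarding. The zone, addresses and ports are constructed values; the rules are only printed unless the script is run with --apply.

```shell
#!/bin/sh
# Added example, not part of the original notes: rich rules composed in the
# order "rule [source] [element] [log] [action]", and the firewall-cmd calls
# for masquerading and port forwarding. All addresses/ports are constructed.

# Compose one rich rule.
# Arguments: family (ipv4|ipv6), source address or "", element or "",
#            action or "", optional log prefix
rich_rule() {
    rule="rule family=\"$1\""
    [ -n "$2" ] && rule="$rule source address=\"$2\""
    [ -n "$3" ] && rule="$rule $3"
    [ -n "${5:-}" ] && rule="$rule log prefix=\"$5\" level=\"notice\""
    [ -n "$4" ] && rule="$rule $4"
    printf '%s\n' "$rule"
}

# Port forwarding to another host: the public port on the router is redirected
# to toaddr:toport. This only works when masquerading is active in the zone.
# Arguments: zone port proto toaddr toport
forward_port_commands() {
    cat <<EOF
firewall-cmd --permanent --zone=$1 --add-masquerade
firewall-cmd --permanent --zone=$1 --add-forward-port=port=$2:proto=$3:toport=$5:toaddr=$4
firewall-cmd --reload
EOF
}

# Forwarding to another host also needs the kernel to route (ip_forward=1).
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Constructed rules: allow ssh from the management subnet; log and drop
# everything from a subnet that has no business reaching this host.
SSH_RULE=$(rich_rule ipv4 192.168.4.0/24 'service name="ssh"' accept)
BLOCK_RULE=$(rich_rule ipv4 10.0.0.0/8 '' drop blocked)

if [ "${1:-}" = "--apply" ]; then
    ip_forward_enabled || echo "set net.ipv4.ip_forward = 1 in /etc/sysctl.d first" >&2
    firewall-cmd --permanent --add-rich-rule="$SSH_RULE"
    firewall-cmd --permanent --add-rich-rule="$BLOCK_RULE"
    forward_port_commands public 2022 tcp 192.168.122.20 22 | sh
else
    printf '%s\n%s\n' "$SSH_RULE" "$BLOCK_RULE"
    forward_port_commands public 2022 tcp 192.168.122.20 22
fi
```

Because the log element sits before the action in the grammar, a logged drop rule records the source address before the packet is discarded; firewall-cmd --list-rich-rules afterwards shows the rules exactly as composed here, which makes the generated text easy to compare with what is active.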
Commands
firewall-cmd --reload
firewall-cmd --get-services  Shows all services which are stored in /usr/lib/firewalld/services and /etc/firewalld/services
firewall-cmd --add-rich-rule='rule ...'
firewall-cmd --remove-rich-rule='rule ...'
firewall-cmd --query-rich-rule='rule ...'
firewall-cmd --list-rich-rules
firewall-cmd --add-forward-port=port=xx:proto=tcp:toport=yy[:toaddr=a.b.c.d]
firewall-cmd --add-rich-rule='rule ...' --timeout=xx  Lifetime in seconds of a runtime rule (not combined with --permanent)
firewall-config  GUI, package firewall-config
man firewalld.richlanguage  Shows rich language examples
Files
/etc/firewalld/services /usr/lib/firewalld/services
33 Advanced Apache services
- Apache basics
- Apache SELinux related settings
- Write access to DocumentRoot
- Configuring TLS Security
- Deploying CGI Applications PHP, Python
- Configuring Private Directories
SELinux settings
httpd_sys_content_t  Context type. Set on directories that Apache is allowed to read.
httpd_sys_content_rw_t  Context type. Set on directories that Apache is allowed read/write access to.
httpd_sys_script_exec_t  Context type. Used for directories that contain executable scripts.
httpd_unified  Boolean. Unifies the handling of all httpd content types. Disabled by default; switch on for relaxed access.
httpd_enable_cgi  Boolean. On by default; allows Apache to run scripts.
httpd_tty_comm  Boolean. Determines whether Apache is allowed access to a tty. Switch on if you use TLS private keys that prompt for a password on startup.
Commands
genkey  Generate SSL certificates and certificate requests.
openssl  Idem.
semanage fcontext -at httpd_sys_content_t "/var/www/html(/.*)?"
restorecon -Rv /var/www/html
setfacl -R -m g:development:rwX /var/www/html  rwX: uppercase X sets the execute bit on directories only. -R recursive, -m modify.
setfacl -R -m d:g:development:rwx /var/www/html  d: sets the default ACL, inherited by new files and directories.
man semanage-fcontext  Examples.
yum install httpd-manual  Then browse http://localhost/manual, for example with elinks.
SSL/TLS encryption: yum search TLS
yum install mod_ssl  Creates /etc/httpd/conf.d/ssl.conf.
yum install mod_php  Creates /etc/httpd/conf.d/php.conf and enables the internal PHP interpreter for dynamic PHP content.
yum install mod_wsgi  For Python WSGI applications.
curl -L --insecure https://www.roggeware.nl  Verify https.
htpasswd  Manage the password files used for private directories.
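For the "openssl Idem" alternative to genkey, the added example below (not from the original notes) creates a test key pair and self-signed certificate and then performs the two checks that catch most TLS misconfigurations before mod_ssl is started: the private key must be readable by root only, and the certificate must actually belong to the key. The directory and file names are constructed; on a real host the files go to /etc/pki/tls/private and /etc/pki/tls/certs as listed under Files.

```shell
#!/bin/sh
# Added example, not part of the original notes: test certificate with
# openssl, plus the checks a reviewer runs on an Apache TLS setup.
# Paths used here are constructed; production paths are under /etc/pki/tls.

# Generate a key and a self-signed certificate, then lock the key down.
# Arguments: dir name common-name
make_test_cert() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$1/$2.key"
}

# A private key must be mode 600 (root only); anything wider leaks the key to
# every local account, including the one Apache runs as after dropping root.
key_is_private() {
    [ "$(stat -c %a "$1")" = 600 ]
}

# Subject CN of a certificate; it must match the ServerName in ssl.conf.
# Handles both "subject=CN = host" and the older "subject= /CN=host" output.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Key and certificate belong together when their RSA moduli are identical.
# Arguments: key cert
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)" = \
      "$(openssl x509 -noout -modulus -in "$2")" ]
}

# Stand-alone run on a temporary directory (constructed names).
if [ "${1:-}" != "--quiet" ]; then
    dir=$(mktemp -d)
    make_test_cert "$dir" www-roggeware-nl www.roggeware.nl
    key_is_private "$dir/www-roggeware-nl.key" && echo "key permissions ok"
    echo "certificate CN: $(cert_cn "$dir/www-roggeware-nl.crt")"
    key_matches_cert "$dir/www-roggeware-nl.key" "$dir/www-roggeware-nl.crt" && echo "key matches cert"
    rm -rf "$dir"
fi
# In /etc/httpd/conf.d/ssl.conf the files are referenced as
#   SSLCertificateFile    /etc/pki/tls/certs/www-roggeware-nl.crt
#   SSLCertificateKeyFile /etc/pki/tls/private/www-roggeware-nl.key
# and "curl -L --insecure https://host" confirms the listener answers.
```

A mismatched key and certificate makes httpd fail at startup with a rather opaque error, so the modulus comparison is the first thing to run when mod_ssl refuses to come up; the permission check is the one to run afterwards, because a working but world-readable key is the failure nobody notices.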
Files
/etc/httpd/conf/httpd.conf  Main configuration file.
/etc/httpd/conf.d/ssl.conf  TLS security.
/etc/pki/tls/certs/www-roggeware-nl.ca-bundle  Root CA chain.
/etc/pki/tls/certs/www-roggeware-nl.crt  Public key (certificate).
/etc/pki/tls/private/www-roggeware-nl.key  Private key.
/usr/share/doc/mod_wsgi  Documents about WSGI configuration.
Parameters
DocumentRoot  Default location for contents.
ServerRoot  Default directory for configuration files.
...
34 DNS
Unbound is the preferred package. Essential settings in /etc/unbound/unbound.conf:
interface: 0.0.0.0  Accept connections on every interface.
access-control: 192.168.4.0/24 allow  Accept requests from these IP addresses.
forward-zone:
    name: "."
    forward-addr: 192.168.x.x  Forward all requests to this server.
domain-insecure: "example.com"  Bypass DNSSEC validation for internal domains that have not been configured with DNSSEC.
dig +dnssec DNSKEY rhatcert.com  Query the DNSSEC keys of a domain.
Commands
yum install unbound
systemctl start unbound
systemctl enable unbound
firewall-cmd --add-service dns --permanent
man unbound
man unbound.conf
unbound-checkconf
unbound-control-setup  Create server keys manually.
nmtui  Do not edit /etc/resolv.conf by hand.
nmcli
Files
/etc/resolv.conf
/etc/unbound/unbound.conf
35 MariaDB
yum install mariadb mariadb-server mariadb-test
systemctl start mariadb
systemctl enable mariadb
firewall-cmd --add-service mysql --permanent
mysql_secure_installation
/usr/libexec/mysqld --help --verbose  Information about all the settings
show databases;
use dbname;
create database dbname;
create table tablename (name varchar(40), place varchar(40));
describe tablename;
delete from tablename where field = 'value';
update tablename set field = 'value' where field2 = 'value';
insert into tablename (field1, field2) values ('value1', 'value2');
where clause operators: = <> > >= < <= BETWEEN LIKE IN
create user username@'localhost' identified by 'password';
drop user 'username'@'localhost';
grant select,update,delete,insert on *.* to username@'localhost';
grant all privileges on ...
mysqldump -u root -p --databases databasename > dumpfile
drop database databasename;
create database databasename;
mysql -u root -p databasename < dumpfile
Files
/etc/my.cnf /etc/my.cnf.d
36 NFS
Gaps in these notes: Kerberized NFS server and NFSv4 SELinux transparency.
Selinux for NFSv4
nfs_t  Allows the NFS server to access the share.
public_content_t  Allows the NFS server (and other services such as Samba, FTP and web) read access.
public_content_rw_t  Allows the NFS server read/write access.
NFSv4 Kerberos Authentication
Add sec=method to the share in /etc/exports. The following methods are available:
- none  Anonymous access is allowed. All access is based on the user nfsnobody. If this user needs write access as well, also enable the SELinux boolean nfsd_anon_write.
- sys  Default security. User access is based on UID and GID values.
- krb5  NFS clients prove their identity using a Kerberos keytab file. To access files in the NFS share the user needs to initialize a Kerberos session as well, otherwise no access to the files is allowed.
- krb5i  Same as krb5 with an added cryptographic guarantee that data has not been tampered with.
- krb5p  Same as krb5i with added encryption.
To establish a Kerberized session:
- /etc/krb5.keytab  Contains the security principals for both the NFS server and the NFS client, and is required to join the Kerberos realm. Use klist -k to verify the contents of the keytab file.
- A Kerberized user session  After configuring remote authentication against a Kerberos server, the login procedure is already Kerberized and no additional action is needed. Use the klist command to verify this. If klist does not show any Kerberos credentials, a Kerberized session can be established manually with kinit.
- sec=method option  Both in the share definition and in the mount options.
- The nfs-server as well as the nfs-secure-server services must be active on the NFS server. Since RHEL 7.1 these services are loaded automatically.
- The nfs-secure service must be loaded on the client. Since RHEL 7.1 this service is loaded automatically.
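Since sec=sys is the default, an export that forgot the option silently falls back to UID/GID trust. The added example below (not part of the original notes) audits an /etc/exports file for that: it prints every client entry whose sec= list contains none of krb5, krb5i or krb5p, which covers the implicit default, an explicit sec=sys and sec=none. The exports file it runs on is a constructed sample written to a temporary location.

```shell
#!/bin/sh
# Added example, not part of the original notes: list export entries that do
# not require a Kerberos security flavour. The sample exports file is constructed.

# Does a comma-separated option string require a krb5 flavour? sec= may list
# several flavours separated by colons (sec=sys:krb5p); any krb5* entry counts.
opts_require_krb5() {
    sec=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | tail -n1)
    printf ':%s:\n' "$sec" | grep -Eq ':krb5[ip]?:'
}

# Print "share client" for every entry that is not Kerberized.
# Exit status 0 when nothing was found, 1 otherwise.
audit_exports() {
    file=$1; found=0
    set -f                      # no pathname expansion: client specs contain '*'
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        share=$1; shift
        for client in "$@"; do
            opts=${client#*\(}; opts=${opts%\)}
            [ "$opts" = "$client" ] && opts=""   # no parentheses: defaults apply
            opts_require_krb5 "$opts" || { printf '%s %s\n' "$share" "$client"; found=1; }
        done
    done < "$file"
    set +f
    [ "$found" -eq 0 ]
}

# Constructed sample in the format of /etc/exports.
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed sample exports file
/srv/nfsexport  *(rw)
/secureshare    *(sec=krb5p,rw)
/mixed          192.168.4.0/24(sec=sys:krb5i,ro) 192.168.5.0/24(rw,sec=sys)
/anon           *(sec=none,ro)
EOF

audit_exports "$SAMPLE_EXPORTS" || echo "entries above rely on UID/GID or anonymous access"
```

Run against the real file as audit_exports /etc/exports after exportfs -vr; the share definition is only half of it, so the same sec= value has to appear in the client's mount options (or /etc/fstab line) for the session to be Kerberized end to end.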
Commands
man exports  Documents the NFS server export table (with examples).
Normally user root is mapped to nfsnobody (root_squash). This ensures that a root user coming from an NFS client has minimal permissions on the NFS server. no_root_squash gives full access to user root from an NFS client.
man nfs  fstab format and options for the NFS filesystem.
semanage fcontext -a -t nfs_t "/srv/nfsexport(/.*)?"
getsebool -a
setsebool -P boolean
seinfo -t  List of types.
seinfo -xt nfs_t
systemctl start nfs-server
systemctl enable nfs-server
systemctl status remote-fs.target  Replaces _netdev in /etc/fstab: NFS filesystems are mounted only after the network is active.
systemctl start/enable nfs-secure-server  For Kerberos.
restorecon -Rv /etc/krb5.keytab
ls -lZ /etc/krb5.keytab
firewall-cmd --add-service nfs --permanent --reload (add services rpc-bind and mountd to enable showmount -e server1 command).
exportfs -vr
showmount -e server  Show mount information for the NFS server on server. Also needs the rpc-bind and mountd services.
systemctl enable remote-fs.target  On the NFS client, to have NFS filesystems mounted when the network has been activated.
kinit username
klist -k
Files
/etc/exports  /srv/nfsexport *(rw)
/etc/exports  /secureshare *(sec=krb5p,rw)
/etc/fstab  server.roggeware.nl:/srv/nfsexport /mnt/nfs nfs _netdev 0 0
/etc/exports.d for .exports files
Packages
nfs-utils
Ports
2049  NFS processes (service nfs)
111  Client access (service rpcbind)
20049  Client access (service mountd; the firewalld service file shows port 20048)
37 Samba
- Setup samba share.
- Mount share as user.
- Mount with credentials file in fstab.
- Mount Multiuser Samba Mount
Securing Samba
samba_share_t  Give Samba read and write access to this directory and below.
public_content_t  Give Samba and other services read-only access.
public_content_rw_t  Give Samba and other services read-write access. Needs an additional boolean.
smbd_anon_write  Allows write access for Samba anonymous users. Required for public_content_rw_t.
samba_enable_home_dirs  Allows Samba to share home directories.
use_samba_home_dirs  Allows remote SMB file shares to be mounted and shared as local home directories.
Samba Firewalling
A firewalld samba service is available. Opens ports 137-139 and 445.
Add to /etc/samba/smb.conf
security = ADS
realm = KERBEROS_REALM
encrypt passwords = yes
kerberos method = secrets and keytab
password server = kerberos.example.com
Create credentials file /root/smbusers
username=lisa password=lisa
Add line in /etc/fstab
//servername/sambashare /mnt/lisa cifs credentials=/root/smbusers,_netdev 0 0
Multiuser Samba mount
Add the basic multiuser mount to /etc/fstab:
//server1/sambashare /mnt/multiuser cifs credentials=/root/multi,multiuser,sec=ntlmssp 0 0
As an authorized user do:
cifscreds add server1
See man mount.cifs for info about cifs, credentials, multiuser and sec=.
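A credentials file keeps the password out of the world-readable /etc/fstab, but only when the file itself is protected. The added example below (not from the original notes) checks the cifs entries of an fstab-style file the way the two recipes above set them up: each entry must use credentials=, the referenced file must exist, be mode 600 and contain username= and password= lines. Paths and the fstab content are constructed and live in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify that cifs entries in
# an fstab-style file use a properly protected credentials file.
# Sample fstab and credential files are constructed in a temporary directory.

# Value of one comma-separated mount option (empty when absent). Arguments: options name
mount_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | tail -n1
}

# Print one problem per line; exit 0 when every cifs entry is clean.
check_cifs_credentials() {
    problems=0
    while read -r src mnt fstype opts dump pass; do
        case "$src" in ''|'#'*) continue ;; esac
        [ "$fstype" = cifs ] || continue
        cred=$(mount_opt "$opts" credentials)
        if [ -z "$cred" ]; then
            printf '%s: no credentials= option, so the password sits in fstab or on the command line\n' "$src"
            problems=$((problems + 1)); continue
        fi
        if [ ! -f "$cred" ]; then
            printf '%s: credentials file %s is missing\n' "$src" "$cred"
            problems=$((problems + 1)); continue
        fi
        mode=$(stat -c %a "$cred")
        if [ "$mode" != 600 ]; then
            printf '%s: %s is mode %s, expected 600\n' "$src" "$cred" "$mode"
            problems=$((problems + 1))
        fi
        if ! grep -q '^username=' "$cred" || ! grep -q '^password=' "$cred"; then
            printf '%s: %s lacks a username= or password= line\n' "$src" "$cred"
            problems=$((problems + 1))
        fi
    done < "$1"
    [ "$problems" -eq 0 ]
}

# Constructed sample: a correct entry, a world-readable credentials file,
# and an entry that puts the password straight into the options.
WORK=$(mktemp -d)
printf 'username=lisa\npassword=lisa\n' > "$WORK/smbusers"; chmod 600 "$WORK/smbusers"
printf 'username=lisa\npassword=lisa\n' > "$WORK/multi";    chmod 644 "$WORK/multi"
SAMPLE_FSTAB=$WORK/fstab
cat > "$SAMPLE_FSTAB" <<EOF
//server1/sambashare /mnt/lisa      cifs credentials=$WORK/smbusers,_netdev 0 0
//server1/sambashare /mnt/multiuser cifs credentials=$WORK/multi,multiuser,sec=ntlmssp 0 0
//server1/public     /mnt/public    cifs user=lisa,password=lisa,_netdev 0 0
EOF

check_cifs_credentials "$SAMPLE_FSTAB" || echo "fix the entries listed above"
```

For the multiuser mount the credentials file only authenticates the mount itself; individual users still add their own credentials with cifscreds add, so the file should hold a low-privilege account and nothing more.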
Commands
yum install samba samba-client cifs-utils
systemctl enable smb
systemctl start smb
useradd -s /sbin/nologin lisa  Add a Samba user; no login needed or possible.
groupadd groupname
usermod -aG groupname lisa
semanage fcontext -at samba_share_t "/sambashare(/.*)?"
restorecon -Rv /sambashare
getsebool -a  Show all SELinux booleans.
setsebool -P smbd_anon_write 1  Set a boolean permanently.
seinfo -t
smbpasswd -h
smbclient -L //servername
testparm  Check for syntax errors in the configuration file.
mount -o user=username //servername/sambashare /mnt
klist -k  List keys in the keytab file.
man mount.cifs  credentials= option.
man cifscreds
man firewalld.richlanguage
man semanage-fcontext
Files
/etc/samba/smb.conf  Main Samba configuration file.
/usr/lib/firewalld/services/samba.xml
/etc/krb5.keytab  mode 600 root root
Packages
samba samba-client cifs-utils
38 SMTP Server
The RHCE objective wants you to create a null client. Such a client cannot receive any messages, but has all the configuration needed to send mail to other hosts.
Configure on null-client:
inet_interfaces = loopback-only
inet_protocols = ipv4
relayhost = [server1.example.com]
mynetworks = 127.0.0.0/8 [::1]/128
mydestination =
mydomain = example.com
Essential postfix parameters:
inet_interfaces  Interfaces on which Postfix will offer services.
myorigin  Allows you to rewrite posted email to come from a specific domain instead of $myhostname.
relayhost  Specifies which central mail server to forward messages to.
mydestination  Domains handled by this server. Mail addressed to a domain not listed is rejected.
local_transport  Specifies what to use for local mail delivery.
inet_protocols  Specifies which protocols to use for delivery.
mynetworks  Space-separated list of networks that are allowed to relay.
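The null-client settings and the parameter list above fit together as follows. This added example (not part of the original notes) prints the postconf -e calls that produce the null-client configuration and then checks a main.cf for the four properties that make a host a null client: it listens on loopback only, accepts no local domains, relays everything to one bracketed relay host, and relays only for the loopback networks. On a real host postconf -h parameter gives the effective value; the small file parser here exists only to run the check on the constructed sample files.

```shell
#!/bin/sh
# Added example, not part of the original notes: postconf commands for a null
# client and a check of main.cf-style files. Sample files are constructed.
set -f   # no pathname expansion: values such as [::1]/128 are split below

# Print the postconf -e commands for a null client. Arguments: domain relayhost
null_client_commands() {
    cat <<EOF
postconf -e 'inet_interfaces = loopback-only'
postconf -e 'inet_protocols = ipv4'
postconf -e 'mydomain = $1'
postconf -e 'myorigin = \$mydomain'
postconf -e 'relayhost = [$2]'
postconf -e 'mynetworks = 127.0.0.0/8 [::1]/128'
postconf -e 'mydestination ='
postconf -e 'local_transport = error:local delivery disabled'
EOF
}

# Last value of a parameter in a main.cf-style file (empty when unset).
# Arguments: file parameter
main_cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n1
}

# Print each null-client property the file fails; exit 0 when all hold.
check_null_client() {
    bad=0
    [ "$(main_cf_get "$1" inet_interfaces)" = loopback-only ] \
        || { echo "inet_interfaces must be loopback-only"; bad=1; }
    [ -z "$(main_cf_get "$1" mydestination)" ] \
        || { echo "mydestination must be empty (no local delivery)"; bad=1; }
    case "$(main_cf_get "$1" relayhost)" in
        \[*\]) ;;
        '') echo "relayhost is not set"; bad=1 ;;
        *) echo "relayhost should be in brackets to skip the MX lookup"; bad=1 ;;
    esac
    for net in $(main_cf_get "$1" mynetworks); do
        case "$net" in
            127.0.0.0/8|\[::1\]/128) ;;
            *) echo "mynetworks would relay for $net"; bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Constructed samples: a null client and a default-like configuration.
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
inet_interfaces = loopback-only
inet_protocols = ipv4
mydomain = example.com
myorigin = $mydomain
relayhost = [server1.example.com]
mynetworks = 127.0.0.0/8 [::1]/128
mydestination =
EOF
cat > "$BAD" <<'EOF'
inet_interfaces = all
relayhost = server1.example.com
mynetworks = 127.0.0.0/8 192.168.122.0/24
mydestination = $myhostname, localhost.$mydomain, localhost
EOF

null_client_commands example.com server1.example.com
check_null_client "$GOOD" && echo "GOOD sample: null client"
check_null_client "$BAD" || echo "BAD sample: not a null client"
```

The mynetworks check matters most: a host that relays for 192.168.122.0/24 while listening on all interfaces is an open relay for that subnet, which is exactly what the loopback-only null client avoids. Apply the printed commands with systemctl reload postfix afterwards and confirm with postfix check.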
Commands
postconf -e  Edit a Postfix parameter, for example postconf -e 'myorigin = $mydomain' or postconf -e 'relayhost = [server4.example.com]'
postfix check  Check the contents of the /etc/postfix/main.cf file
postqueue -f  Flush the mail queue
postqueue -p  Display the mail queue
systemctl reload postfix
man 5 postconf  Complete overview of Postfix parameters
Files
/etc/postfix/main.cf
/var/log/maillog
39 Configure SSH
semanage port, man sshd_config, ssh-agent, ssh-add, ssh tunnel.
AllowUsers
Commands
semanage port -l List all port definitions.
man semanage-port man sshd_config
Local port forwarding
ssh -fNL 3333:server.roggeware.nl:80 root@server2.roggeware.nl  -f runs in the background, -N starts no remote command.
ssh -fNL 4444:server.rhatcertificaion.com:80 root@server2.example.com
Remote port forwarding
ssh -fNR 80:localhost:8088 root@...
Files
/etc/ssh/sshd_config
~/.ssh/config  SSH configuration for a specific user.
40 Time synchronisation
server, peer, allow
Chronyd daemon, chronyc command. ntp port 123. start, enable, firewall-cmd --add-service
Commands
chronyc help
chronyc sources -v  Shows the current servers that chrony is synchronizing with.
chronyc tracking  Detailed information about the current local time configuration.
chronyc sourcestats  Detailed information about the state of the remote servers.
Files
/etc/chrony.conf
/etc/chrony.keys
List commands
getsebool -a List all selinux booleans
seinfo SELinux policy query tool
--all
-r List all roles
-t List all types (*-t)
-u List all users
semanage boolean --list List SELinux booleans with comments
semanage fcontext -l List all current rules