User:Tom/RHCE EX300-2
Revision as of 21:25, 26 July 2017
25 Configuring Kerberos
Account information: Information such as the username, UID/GID, home directory and login shell. Typically LDAP is used here.
Authentication information: Needed to validate that a user is who he claims to be. Done by an authentication protocol such as Kerberos.
KDC  Key Distribution Center. A central key server that issues tickets.
Realm  All hosts that use the same KDC to get tickets.
TGT  Ticket Granting Ticket. Obtained with kinit; presented to the KDC to obtain service tickets without re-entering the password.
Kerberos Basics
Kerberos authentication is based on tickets. These tickets are secured with encryption and are used as an alternative to transmitting passwords across the network. The initial reply from the KDC, which contains the TGT, is encrypted with a key derived from the user's password, so only a client that knows the password can use it; the password itself never crosses the network.
Tickets are issued by a central server, the KDC (Key Distribution Center). A realm consists of all hosts that use the same KDC to get tickets. By convention the realm name is the DNS domain of the Kerberos site written in capitals (example.com becomes EXAMPLE.COM).
Kerberos is not just used for user authentication. Applications running on hosts can also use Kerberos for secure access; such a host is called an application server. Each user and each service has an identity in Kerberos (a principal) with a secret key associated with it: for users the key is derived from the password, for services it is stored in a keytab. The KDC holds the keys of all principals in the realm, which makes it the component that needs the most protection.
Kerberos Principals
Users and services have Kerberos principals. Services store their key in a keytab file, which allows the service to authenticate to Kerberos without human intervention. If a server hosts Kerberized services, it needs the file /etc/krb5.keytab, which contains the names of all service principals on that server together with their keys. Because the keys are equivalent to passwords, the keytab must be readable by root only (mode 0600).
Service principal  nfs/server.example.com@EXAMPLE.COM  (service/fqdn@REALM)
User principal  tom@EXAMPLE.COM  (user@REALM)
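Added example, not part of the original notes: a small script that splits a principal into its parts, derives the service principal a host must own (following the realm-is-upper-case-domain convention) and checks that a keytab listing contains it. The klist -k output is constructed for the example and server.example.com / EXAMPLE.COM are assumed names; on a real host replace sample_klist_k with klist -k run as root.

```shell
#!/bin/bash
# Added example (not from the original notes): inspect Kerberos principal
# names and verify that a host's keytab carries the service principal a
# Kerberized service needs. Sample klist output is constructed; the host
# name server.example.com and realm EXAMPLE.COM are assumptions.

# split_principal primary[/instance]@REALM -> "primary instance realm"
# A user principal (tom@EXAMPLE.COM) has no instance; "-" is printed for it.
split_principal() {
    local p="$1" realm primary instance
    case "$p" in *@*) ;; *) echo "no realm in '$p'" >&2; return 1 ;; esac
    realm="${p##*@}"
    p="${p%@*}"
    primary="${p%%/*}"
    if [ "$p" != "$primary" ]; then
        instance="${p#*/}"
    else
        instance="-"
    fi
    printf '%s %s %s\n' "$primary" "$instance" "$realm"
}

# Constructed sample of "klist -k" output for a server that holds a host
# and an nfs principal (the real command reads /etc/krb5.keytab as root).
sample_klist_k() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM
   2 nfs/server.example.com@EXAMPLE.COM
EOF
}

# keytab_has_principal PRINCIPAL   (klist -k output on stdin)
# Returns 0 when an entry with exactly that principal name is present.
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                      END { exit found ? 0 : 1 }'
}

# expected_service_principal SERVICE [FQDN] [REALM]
# Builds the principal a service on this host must own; the realm defaults
# to the DNS domain of the FQDN in upper case.
expected_service_principal() {
    local service="$1" fqdn="${2:-$(hostname -f)}" realm="${3:-}"
    [ -n "$realm" ] || realm=$(printf '%s' "${fqdn#*.}" | tr '[:lower:]' '[:upper:]')
    printf '%s/%s@%s\n' "$service" "$fqdn" "$realm"
}

# keytab_mode_ok PATH -> 0 when the file is mode 0600 (the keys are passwords;
# the root:root owner check is left to the caller, it only means something as root).
keytab_mode_ok() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]
}

# Stand-alone run: does the sample keytab have what an NFS server needs?
main_check() {
    local want
    want=$(expected_service_principal nfs server.example.com)
    if sample_klist_k | keytab_has_principal "$want"; then
        echo "ok: $want present in sample keytab"
    else
        echo "missing: $want" >&2
        return 1
    fi
}
main_check
```

On a real server run `klist -k | keytab_has_principal "$(expected_service_principal nfs)"` and `keytab_mode_ok /etc/krb5.keytab` after copying the keytab from the KDC; a missing entry is the usual reason an NFS or Samba service refuses Kerberos clients.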
Configuring LDAP for Account Information with Kerberos for Authentication
authconfig-tui can be used. Several configuration files are involved.
Using nslcd or sssd as Authentication Backend Service
Verify that the sssd packages are installed before using the authconfig utilities. When authconfig-gtk is used, sssd is selected as the backend by default. Use yum group install "Directory Client" to install sssd and related packages, and start sssd before using the authconfig utilities.
/etc/sysconfig/authconfig
FORCELEGACY=no  Do not force the legacy nslcd/pam_ldap stack.
USESSSD=yes  Use sssd for account information.
USESSSDAUTH=yes  Use sssd for authentication.
Commands
authconfig  Configure LDAP for account information and Kerberos for authentication (--enableldap --enablekrb5; do not add --enableldapauth, that would send passwords to the LDAP server instead of using Kerberos).
authconfig --test  Get an overview of the current configuration and see what services are used.
authconfig-tui  Text interface.
authconfig-gtk  Graphical interface.
kinit  Obtain and cache a Kerberos ticket-granting ticket.
klist  List cached Kerberos tickets.
klist -k  List the principals in the keytab file.
Files
/etc/krb5.keytab Needed by a server hosting Kerberized services. Contains names of all service principals on that server.
/etc/nslcd.conf  Configuration of nslcd, the legacy alternative to sssd.
/etc/nsswitch.conf  Name service switch: defines which sources (files, sss, ldap) are used for passwd, shadow and group lookups.
/etc/openldap/cacerts  Stores the root certificate authorities used to verify the LDAP server's certificate.
/etc/openldap/ldap.conf  LDAP client configuration (URI, BASE, TLS_CACERTDIR).
/etc/pam.d/  PAM configuration; authconfig rewrites system-auth and password-auth.
/etc/sssd/sssd.conf  Configuration of sssd, the daemon used for retrieving and caching user and authentication information. Install the sssd service before using the authconfig utilities (yum group install "Directory Client").
/etc/sysconfig/authconfig  Stores the authconfig settings (USESSSD, USESSSDAUTH, FORCELEGACY).
Packages
krb5-workstation  kinit, klist, kpasswd and the other client tools.
pam_krb5  PAM module for Kerberos; only needed when Kerberos is used without sssd (with sssd, pam_sss handles authentication).
sssd  Installed with the "Directory Client" group.
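Added example, not part of the original notes: the authconfig invocation for the setup described in this chapter (LDAP for account lookups, Kerberos for passwords, sssd as backend, STARTTLS on the LDAP connection) plus a check of the resulting sssd.conf. The server names, base DN, realm and CA URL are assumptions; the sample sssd.conf is constructed in the shape authconfig writes and is what the check is run against when the script is executed without arguments.

```shell
#!/bin/bash
# Added example (not from the original notes): enrol a RHEL 7 client so that
# LDAP supplies account information and Kerberos performs authentication,
# with sssd as the backend. ldap.example.com, dc=example,dc=com,
# kdc.example.com, EXAMPLE.COM and the CA URL are assumed values.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"
CA_URL="${CA_URL:-http://ldap.example.com/pub/ca.crt}"
KRB_REALM="${KRB_REALM:-EXAMPLE.COM}"
KDC="${KDC:-kdc.example.com}"

# The authconfig command. --enableldap selects LDAP for account lookups only;
# --enableldapauth is deliberately absent so passwords never go to LDAP.
# --enableldaptls/--ldaploadcacert protect the lookups with STARTTLS and
# install the CA certificate in /etc/openldap/cacerts.
authconfig_cmd() {
    printf '%s' "authconfig --enablesssd --enablesssdauth" \
        " --enableldap --ldapserver=$LDAP_URI --ldapbasedn=$LDAP_BASE" \
        " --enableldaptls --ldaploadcacert=$CA_URL" \
        " --enablekrb5 --krb5realm=$KRB_REALM --krb5kdc=$KDC --krb5adminserver=$KDC" \
        " --enablemkhomedir --update"
    echo
}

# Constructed sssd.conf in the shape authconfig writes with the flags above.
sample_sssd_conf() {
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = $LDAP_URI
ldap_search_base = $LDAP_BASE
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_realm = $KRB_REALM
krb5_server = $KDC
cache_credentials = True
EOF
}

# sssd_conf_ok FILE -> 0 when the [domain/...] section uses ldap for id,
# krb5 for auth and an encrypted LDAP connection (STARTTLS or ldaps://).
sssd_conf_ok() {
    awk '
        /^\[/ { section = $0; next }
        section ~ /^\[domain\// && /=/ {
            gsub(/[ \t]/, "")
            eq = index($0, "=")
            conf[substr($0, 1, eq - 1)] = tolower(substr($0, eq + 1))
        }
        END {
            ok = conf["id_provider"] == "ldap" && conf["auth_provider"] == "krb5" &&
                 (conf["ldap_id_use_start_tls"] == "true" || conf["ldap_uri"] ~ /^ldaps:/)
            exit ok ? 0 : 1
        }' "$1"
}

# Stand-alone: validate the sample and print the command. "apply" runs it
# for real (as root) and verifies with getent, kinit and klist.
tmp=$(mktemp); sample_sssd_conf > "$tmp"
sssd_conf_ok "$tmp" && echo "sample sssd.conf: ok"
rm -f "$tmp"
authconfig_cmd
if [ "${1:-}" = apply ]; then
    eval "$(authconfig_cmd)" && systemctl enable --now sssd
    getent passwd tom && kinit tom && klist
fi
```

After applying, `authconfig --test` should report sssd in use and `sssd_conf_ok /etc/sssd/sssd.conf` should succeed; if it fails on the TLS clause, the LDAP lookups (and with them the list of who has an account) are crossing the network in clear text.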
26 iSCSI
Commands
targetcli  Configure the target (backstores, iSCSI target, LUNs, ACLs, portals).
firewall-cmd --add-service iscsi-target --permanent; firewall-cmd --reload
systemctl start target; systemctl enable target
iscsiadm  Initiator: discover and log in to targets (iscsiadm -m discovery -t st -p targetip; iscsiadm -m node -l).
Files
Packages
targetcli  Target
iscsi-initiator-utils  Initiator (iscsiadm, iscsid)
lsscsi  Lists SCSI devices, including logged-in iSCSI LUNs
30 Routing and Networking
Commands
IPv6 Addresses / Networks
::1/128  Local host.
::  Unspecified address (all addresses when used as a listen address).
::/0  The default route.
2000::/3  Global unicast address.
fc00::/7  Unique local address.
fe80::/10  Link-local address (formed as fe80::/64 on the link).
ff00::/8  Multicast.
2001:db8::/32  Addresses reserved for use in documentation.
man 5 nmcli-examples Examples how to create a team interface
man -k team
nmcli con add type team con-name team0 config '{"runner": {"name": "loadbalance"}}'
nmcli con mod team0 ipv4.addresses 192.168.122.131/24
nmcli con add type team-slave ifname eth1 master team0
nmcli con add type team-slave ifname eth2 master team0
nmcli con show eth1  Shows detailed IP configuration (for example: ipv4.addresses).
nmcli con add con-name eth1 type ethernet ifname eth1 ip6 2001:db8:0:1::100/64 gw6 2001:db8:0:1::1 ip4 192.168.122.131/24 gw4 192.168.122.1
nmcli con mod eth1 ipv6.addresses "2001:db8:0:1::1/64"  Replaces the address list.
nmcli con mod eth1 +ipv6.addresses "2001:db8:0:2::1/64"  The + prefix adds an address instead of replacing the list.
nmcli con up team0
nmcli con show
nmcli con reload  Run this command after modifying the configuration files in /etc/sysconfig/network-scripts directly.
teamdctl team0 state
teamdctl team0 state view
teamnl team0 options
ip link show
ip route show
Files
/etc/sysconfig/network-scripts/ifcfg-team0 /etc/sysconfig/network-scripts/ifcfg-team-slave-eth[12]
/etc/sysctl.d/forwarding.conf (net.ipv4.ip_forward = 1)  Enable forwarding to configure the server as a router.
32 Advanced Firewall Configuration
Basic ordering rules within zones:
- Direct rules
- Port forwarding and masquerading
- Logging rules
- Allow rules
- Deny rules
For NAT the server needs to be configured as a router: /proc/sys/net/ipv4/ip_forward = 1 (made persistent through /etc/sysctl.d/).
Two types of NAT:
- Masquerading: The source IP address of a node is replaced with the IP address of the NAT router.
- Port forwarding: The NAT router redirects all traffic to a public port on the NAT router to another port, and possibly another host, on the private network. Masquerading needs to be activated for port forwarding to another host.
Commands
firewall-cmd --reload  Activate the permanent configuration.
firewall-cmd --get-services  Shows all services which are stored in /usr/lib/firewalld/services and /etc/firewalld/services.
firewall-cmd --add-rich-rule='rule'
firewall-cmd --remove-rich-rule='rule'
firewall-cmd --query-rich-rule='rule'
firewall-cmd --list-rich-rules
firewall-cmd --add-forward-port=port=PORT:proto=tcp:toport=PORT:toaddr=IP  Forward a port; add --add-masquerade when toaddr is another host.
firewall-cmd --timeout=SECONDS  Lifetime of a runtime rule; it is removed when the time has passed (cannot be combined with --permanent).
firewall-config  GUI, package firewall-config.
man firewalld.richlanguage  Shows rich language examples.
Files
/etc/firewalld/services /usr/lib/firewalld/services
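Added example, not part of the original notes: the NAT router procedure of this chapter as a script, in the order that matters (persistent forwarding, masquerade, then the port forward) and with the forward restricted to one source network through a rich rule, because a plain --add-forward-port is reachable from anywhere. Interface zone, ports, the internal host 192.168.122.10 and the allowed network 10.0.0.0/24 are assumptions. With DRY_RUN=1 (the default) the commands are only printed, so the sequence can be reviewed on a machine without firewalld; run it as root with DRY_RUN=0 to apply.

```shell
#!/bin/bash
# Added example (not from the original notes): configure a firewalld host as
# a NAT router. Zone, ports and addresses below are assumptions. DRY_RUN=1
# prints the commands instead of executing them.
set -u
DRY_RUN="${DRY_RUN:-1}"
PUBLIC_ZONE="${PUBLIC_ZONE:-public}"
PUBLIC_PORT="${PUBLIC_PORT:-2222}"
INTERNAL_HOST="${INTERNAL_HOST:-192.168.122.10}"
INTERNAL_PORT="${INTERNAL_PORT:-22}"
ALLOWED_NET="${ALLOWED_NET:-10.0.0.0/24}"

# run CMD ARGS... : print in dry-run mode, execute otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: routing. /etc/sysctl.d survives a reboot, sysctl -w applies it now.
enable_forwarding() {
    run sh -c "echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/forwarding.conf"
    run sysctl -w net.ipv4.ip_forward=1
}

# Step 2: masquerade outbound traffic of the zone. Required before any port
# forward whose target is another host on the private network.
enable_masquerade() {
    run firewall-cmd --permanent --zone="$PUBLIC_ZONE" --add-masquerade
}

# Step 3: the port forward, as a rich rule so that only ALLOWED_NET can use
# it. A bare --add-forward-port would carry no source restriction at all.
forward_port_from_allowed_net() {
    local rule
    rule="rule family=\"ipv4\" source address=\"$ALLOWED_NET\""
    rule="$rule forward-port port=\"$PUBLIC_PORT\" protocol=\"tcp\""
    rule="$rule to-port=\"$INTERNAL_PORT\" to-addr=\"$INTERNAL_HOST\""
    run firewall-cmd --permanent --zone="$PUBLIC_ZONE" --add-rich-rule="$rule"
}

# Step 4: --permanent changes only become active after --reload; then verify.
apply_all() {
    enable_forwarding
    enable_masquerade
    forward_port_from_allowed_net
    run firewall-cmd --reload
    run firewall-cmd --zone="$PUBLIC_ZONE" --list-all
}

# planned_steps prints the ordered command list without touching the system.
planned_steps() { DRY_RUN=1; apply_all; }

apply_all
```

The ordering mirrors the rule evaluation listed at the top of this chapter: masquerading and forwarding are handled before the allow and deny rules, so nothing in the allow list can compensate for a forward that is open to the world.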
33 Advanced Apache services
- Apache basics
- Apache SELinux related settings
- Write access to DocumentRoot
- Configuring TLS Security
- Deploying CGI Applications PHP, Python
- Configuring Private Directories
SELinux settings
httpd_sys_content_t  Context type  Set on directories that Apache is allowed to read.
httpd_sys_rw_content_t  Context type  Set on directories that Apache is allowed read/write access to.
httpd_sys_script_exec_t  Context type  Used for directories that contain executable scripts.
httpd_unified  Boolean  Unifies the handling of all httpd content types. Disabled by default; switch on for relaxed access (weaker separation between read-only, read/write and script content).
httpd_enable_cgi  Boolean  On by default, allows Apache to run scripts.
httpd_tty_comm  Boolean  Determines whether Apache is allowed access to a tty. Switch on if you use TLS private keys that prompt for a password on startup.
Commands
genkey  Generate SSL certificates and certificate requests (package crypto-utils).
openssl  Idem.
semanage fcontext -at httpd_sys_content_t "/var/www/html(/.*)?"; restorecon -Rv /var/www/html
setfacl -R -m g:development:rwX /var/www/html  -R recursive, -m modify the ACL given on the command line (capital X: execute only on directories).
setfacl -R -m d:g:development:rwx /var/www/html  d: sets the default ACL, inherited by new files and directories.
man semanage-fcontext  Examples.
yum install httpd-manual; elinks http://localhost/manual
SSL/TLS Encryption: yum search TLS; yum install mod_ssl  Creates /etc/httpd/conf.d/ssl.conf.
curl -L --insecure https://www.roggeware.nl  Verify https. --insecure skips certificate verification, so it only shows that TLS answers; use curl --cacert ca.crt to verify the chain as well.
yum install mod_php  For dynamic PHP content.
yum install mod_wsgi  For Python WSGI applications.
htpasswd
Files
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/ssl.conf  TLS security (SSLCertificateFile, SSLCertificateKeyFile).
/etc/pki/tls/certs/www-roggeware-nl.ca-bundle  CA chain.
/etc/pki/tls/certs/www-roggeware-nl.crt  Server certificate (public key).
/etc/pki/tls/private/www-roggeware-nl.key  Private key, readable by root only.
/usr/share/doc/mod_wsgi Documents about WSGI configuration
...
34 DNS
Unbound is the preferred package. Key unbound.conf settings:
interface  Address to listen on.
access-control  Which networks may query; by default only localhost is allowed.
forward-zone:
    name: "."
    forward-addr: 192.168.x.x
dig +dnssec DNSKEY rhatcert.com  Check DNSSEC records; unbound validates answers when a trust anchor is configured (auto-trust-anchor-file).
Commands
yum install unbound; systemctl start unbound; systemctl enable unbound
firewall-cmd --add-service dns --permanent; firewall-cmd --reload
man unbound; man unbound.conf
unbound-checkconf  Verify the syntax of unbound.conf before restarting.
nmtui / nmcli  Set the DNS server of a connection; do not edit /etc/resolv.conf by hand (NetworkManager overwrites it).
Files
/etc/resolv.conf /etc/unbound/unbound.conf
35 MariaDB
yum install mariadb mariadb-server mariadb-test; systemctl start mariadb; systemctl enable mariadb
firewall-cmd --add-service mysql --permanent
mysql_secure_installation
/usr/libexec/mysqld --help --verbose Information about all the settings
show databases;
use dbname;
create database dbname;
create table tablename (name varchar(40),place varchar(40));
describe tablename;
delete from tablename where field = ' value ';
update tablename set field = value where field2 = ' value ';
insert into tablename (field1,field2) values(' value1 ',' value2 ');
where clause operators: = <> > >= < <= BETWEEN LIKE IN
create user username@'localhost' identified by 'password';
drop user 'username'@'localhost';
grant select,update,delete,insert on *.* to username@'localhost';  Prefer dbname.* so the grant is limited to one database.
grant all privileges on ...
mysqldump -u root -p --databases dbname > dumpfile
drop database databasename; create database databasename;
mysql -u root -p databasename < dumpfile
Files
/etc/my.cnf /etc/my.cnf.d
36 NFS
Selinux for NFSv4
nfs_t  Allows the NFS server to access the share.
public_content_t  Allows the NFS server (and other services such as Samba, FTP and web) read access.
public_content_rw_t  Allows the NFS server read/write access.
NFSv4 Kerberos Authentication
Add sec=method to the share in /etc/exports. The following methods are available:
- none  Anonymous access is allowed. All access is based on the user nfsnobody. If this user needs write access as well, make the SELinux boolean nfsd_anon_write active also.
- sys  Default security. User access is based on the UID and GID values sent by the client, so the server trusts whatever the client claims.
- krb5  NFS clients prove their identity using a Kerberos keytab file. To access files in the NFS share, the user needs to initialize a Kerberos session as well, otherwise no access to the files is allowed.
- krb5i  Same as krb5 with an added cryptographic integrity guarantee (untampered data).
- krb5p  Same as krb5i with added encryption (privacy).
To establish a Kerberized session:
- /etc/krb5.keytab. Contains the security principals for both the NFS server and the NFS client, and is required to join the Kerberos realm. Use klist -k to verify the contents of the keytab file.
- A Kerberized user session: After configuring remote authentication against a Kerberos server, the login procedure is already Kerberized and no additional action is needed. Use the klist command to verify this. If klist does not show any Kerberos credentials, a Kerberized session can be established manually with kinit.
- sec=method option. Both in the share definition and in the mount options.
- The nfs-server as well as the nfs-secure-server services must be active on the NFS server. Since RHEL 7.1 these services are started automatically.
- The nfs-secure service must be active on the client. Since RHEL 7.1 this service is started automatically.
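Added example, not part of the original notes: an audit of /etc/exports for shares that are still reachable with sec=sys or sec=none (a sec= list such as krb5p:sys lets a client choose the weak method), plus the matching fstab line for a krb5p mount. The exports file below is constructed for the example; the server name is the one used elsewhere in these notes.

```shell
#!/bin/bash
# Added example (not from the original notes): find exports that do not
# require Kerberos and build a client fstab entry that insists on krb5p.
# The /etc/exports content is constructed for the example.

# Constructed /etc/exports with one share per security level.
sample_exports() {
    cat <<'EOF'
# exported to everybody, default sec=sys
/srv/nfsexport   *(rw)
# explicit Kerberos with privacy
/secureshare     *(sec=krb5p,rw)
# accepts either method; a client may still pick sys
/mixed           192.168.122.0/24(sec=krb5p:sys,rw,no_root_squash)
EOF
}

# weak_exports FILE -> prints "path client seclist" for every export entry
# whose sec list is absent (the default is sys) or contains sys or none.
weak_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match($i, /\(.*\)$/)) {
                    client = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                }
                sec = "sys"
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
                if (sec ~ /(^|:)(sys|none)($|:)/) print path, client, sec
            }
        }' "$1"
}

# fstab_line SERVER EXPORT MOUNTPOINT -> entry that will not fall back to sys:
# the client-side sec= must match what the server requires, otherwise mount fails.
fstab_line() {
    printf '%s:%s %s nfs sec=krb5p,_netdev 0 0\n' "$1" "$2" "$3"
}

# Stand-alone run against the constructed exports file.
tmp=$(mktemp); sample_exports > "$tmp"
echo "exports still reachable with sec=sys or sec=none:"
weak_exports "$tmp"
rm -f "$tmp"
fstab_line server.roggeware.nl /secureshare /mnt/secure
```

Run `weak_exports /etc/exports` on the server after every change and `exportfs -r` to activate it; any line the audit prints is a share where the server trusts the UID/GID a client sends.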
Commands
man exports Documents NFS server export table (with examples).
semanage fcontext -a -t nfs_t "/srv/nfsexport(/.*)?"; restorecon -Rv /srv/nfsexport
getsebool -a; setsebool -P boolean 1
systemctl start nfs-server; systemctl enable nfs-server
systemctl start nfs-secure-server; systemctl enable nfs-secure-server  For Kerberos.
restorecon -Rv /etc/krb5.keytab; ls -lZ /etc/krb5.keytab  The keytab must carry the krb5_keytab_t context.
firewall-cmd --add-service nfs --permanent; firewall-cmd --reload
exportfs -v  Show the current exports; exportfs -r re-exports /etc/exports after changes.
showmount -e server  Show the exports of the NFS server on server (needs rpcbind and mountd to be reachable).
kinit username; klist -k
Files
/etc/exports  /srv/nfsexport *(rw)
/etc/exports  /secureshare *(sec=krb5p,rw)
/etc/fstab  server.roggeware.nl:/srv/nfsexport /mnt/nfs nfs _netdev 0 0
/etc/fstab  server.roggeware.nl:/secureshare /mnt/secure nfs sec=krb5p,_netdev 0 0
Packages
nfs-utils
37 Samba
Securing Samba
samba_share_t  Gives Samba read and write access to this directory and below.
public_content_t  Gives Samba and other services read-only access.
public_content_rw_t  Gives Samba and other services read-write access. Needs an additional boolean.
smbd_anon_write  Allows write access for Samba anonymous users. Required for public_content_rw_t.
samba_enable_home_dirs  Allows Samba to share home directories.
use_samba_home_dirs  Allows remote SMB file shares to be mounted and shared as local home directories.
Samba Firewalling
A firewalld samba service is available. Opens ports 137-139 and 445.
Add to /etc/samba/smb.conf
security = ADS
realm = KERBEROS_REALM
encrypt passwords = yes
kerberos method = secrets and keytab
password server = kerberos.example.com
Create credentials file /root/smbusers
username=lisa password=lisa
Add line in /etc/fstab
//servername/sambashare /mnt/lisa cifs credentials=/root/smbusers,_netdev 0 0
The credentials file holds a clear-text password, so it must be owned by root with mode 0600.
Multiuser Samba mount
Mount with -o multiuser,sec=ntlmssp,credentials=/root/smbusers; each user then adds his own credentials with cifscreds add -u username servername, so files are accessed with the user's own SMB identity instead of the one from the credentials file.
Commands
yum install samba samba-client cifs-utils; systemctl enable smb; systemctl start smb
useradd -s /sbin/nologin lisa  Add a Samba user; no shell login needed or possible.
groupadd groupname; usermod -aG groupname lisa
semanage fcontext -at samba_share_t "/sambashare(/.*)?"; restorecon -Rv /sambashare
getsebool -a  Show all SELinux booleans.
setsebool -P smbd_anon_write 1  Set a boolean permanently.
seinfo -t
smbpasswd -a lisa  Add lisa to the Samba password database (smbpasswd -h shows all options).
smbclient -L //servername  List the shares on servername.
testparm  Check smb.conf for syntax errors.
mount -o user=username //servername/sambashare /mnt
klist -k  List keys in the keytab file.
man mount.cifs  credentials= option; man cifscreds; man firewalld.richlanguage; man semanage-fcontext
Files
/etc/samba/smb.conf
/usr/lib/firewalld/services/samba.xml
/etc/krb5.keytab  mode 0600, owner root:root
Packages
samba samba-client cifs-utils
38 SMTP Server
The RHCE objective wants you to create a null client. Such a client is not capable of receiving any messages, but has all the configuration that is needed to send mail messages to other hosts.
Configure on null-client:
relayhost  The central mail server everything is forwarded to.
inet_interfaces = loopback-only  Only accept mail from the local host.
mynetworks  Only the local host (127.0.0.0/8 [::1]/128).
mydestination =  Empty, so no domain is delivered locally.
Essential postfix parameters:
inet_interfaces  Interfaces on which Postfix will offer services.
myorigin  Allows you to rewrite posted email to come from a specific domain instead of $myhostname.
relayhost  Specifies which central mail server to forward messages to (put the name in [] to skip the MX lookup).
mydestination  Domains for which this server delivers mail locally. Mail for a domain not listed is relayed only for clients in $mynetworks and rejected for everybody else.
local_transport  Specifies what to use for local mail delivery.
inet_protocols  Specify which protocols to use for delivery.
mynetworks  Space- or comma-separated list of networks that are allowed to relay.
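Added example, not part of the original notes: the postconf commands for a null client together with a check that reads a main.cf and confirms the three properties that make it one (listens on loopback only, has an empty mydestination, relays to a fixed host). The relay host server4.example.com and domain example.com are assumptions taken from the examples in these notes; the main.cf fragment is constructed.

```shell
#!/bin/bash
# Added example (not from the original notes): configure and verify a
# Postfix null client. Relay host and domain are assumed values.
RELAY="${RELAY:-server4.example.com}"
DOMAIN="${DOMAIN:-example.com}"

# Commands to apply on the null client (postconf -e edits main.cf in place).
null_client_commands() {
    cat <<EOF
postconf -e 'inet_interfaces = loopback-only'
postconf -e 'mydestination ='
postconf -e 'local_transport = error:local delivery disabled'
postconf -e 'mynetworks = 127.0.0.0/8 [::1]/128'
postconf -e 'myorigin = $DOMAIN'
postconf -e 'relayhost = [$RELAY]'
postfix check && systemctl reload postfix
EOF
}

# Constructed main.cf fragment as it looks after the commands above.
sample_main_cf() {
    cat <<EOF
queue_directory = /var/spool/postfix
inet_interfaces = loopback-only
inet_protocols = all
#mydestination = \$myhostname, localhost.\$mydomain, localhost
mydestination =
local_transport = error:local delivery disabled
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = $DOMAIN
relayhost = [$RELAY]
EOF
}

# main_cf_value FILE PARAM -> effective value of PARAM (Postfix uses the last
# occurrence), "<unset>" when the file does not set it. Commented lines are
# ignored, which matters because an absent mydestination is not an empty one:
# Postfix then falls back to its default of $myhostname and localhost.
main_cf_value() {
    awk -v p="$2" -F'=' '
        $1 ~ ("^[ \t]*" p "[ \t]*$") { v = $2; seen = 1
                                        sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v) }
        END { if (seen) print v; else print "<unset>" }' "$1"
}

# null_client_ok FILE -> 0 if FILE describes a null client, otherwise prints
# each violated property and returns 1.
null_client_ok() {
    local f="$1" rc=0 v
    v=$(main_cf_value "$f" inet_interfaces)
    [ "$v" = "loopback-only" ] || { echo "inet_interfaces is '$v', expected loopback-only"; rc=1; }
    v=$(main_cf_value "$f" mydestination)
    [ "$v" = "" ] || { echo "mydestination is '$v', expected empty"; rc=1; }
    v=$(main_cf_value "$f" relayhost)
    { [ -n "$v" ] && [ "$v" != "<unset>" ]; } || { echo "relayhost is not set"; rc=1; }
    return $rc
}

# Stand-alone run: validate the constructed main.cf, then print the commands.
tmp=$(mktemp); sample_main_cf > "$tmp"
null_client_ok "$tmp" && echo "sample main.cf: null client"
rm -f "$tmp"
null_client_commands
```

On a real host `null_client_ok /etc/postfix/main.cf` complements `postfix check`: the latter only validates syntax and permissions, it does not tell you that inet_interfaces still says all and the box accepts mail from the network.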
Commands
postconf -e  Edit a Postfix parameter, for example postconf -e 'myorigin = $mydomain' or postconf -e 'relayhost = [server4.example.com]'.
postfix check  Check the configuration in /etc/postfix/main.cf and the permissions of the Postfix directories.
postqueue -f  Flush the mail queue.
postqueue -p  Display the mail queue.
systemctl reload postfix man 5 postconf Complete overview of postfix parameters
Files
/etc/postfix/main.cf /var/log/maillog
39 Configure SSH
semanage port, man sshd_config, ssh-agent, ssh-add, ssh tunnel.
Commands
semanage port -l List all port definitions.
man semanage-port man sshd_config
ssh -fNL 3333:server.roggeware.nl:80 root@server2.roggeware.nl  -f run in the background, -N start no remote command, -L local port forward: connections to localhost:3333 go through server2 to server.roggeware.nl:80.
Files
/etc/ssh/sshd_config
40 Time synchronisation
Key /etc/chrony.conf directives: server, peer, allow.
Chronyd daemon, chronyc command. NTP uses UDP port 123. systemctl start chronyd; systemctl enable chronyd; firewall-cmd --add-service ntp --permanent (only needed when this host serves time to others).
Commands
chronyc help
chronyc sources -v  Shows the current servers that chrony is synchronizing with.
chronyc tracking  Detailed information about the current local time configuration.
chronyc sourcestats  Detailed information about the state of the remote servers.
Files
/etc/chrony.conf /etc/chrony.keys
List commands
getsebool -a List all selinux booleans
seinfo  SELinux policy query tool
seinfo --all
seinfo -r  List all roles
seinfo -t  List all types
seinfo -u  List all users
semanage boolean --list List SELinux booleans with comments
semanage fcontext -l List all current rules