
<html> <script language="JavaScript"> document.title = "[Lab46][Deep Dark Despair]"; </script> </html>




<html> <p style="color:#AAAAAA; display:inline;">Halt! Who goes there?</p><br /><br />

<p style="color:#AAAAAA; text-align:left; font-family:'Nimbus Sans L', Arial; font-size:10pt; border:0em; margin:0em; padding:0em;">Vim:</p> <hr /> <p style="color:#AAAAAA; text-align:left; font-family:'Nimbus Sans L', Arial; font-size:10pt; border:0em; margin:0em; padding:0em;">To turn off autoindent when you paste code, there is a special "paste" mode.<br /> <br /> Type:</p> <pre style="color:#AAAAAA; text-align:left; font-family:'Nimbus Sans L', Arial; font-size:10pt; border:0em; margin:0em; padding:0em;"> :set paste </pre><br /><br /> <p style="color:#AAAAAA; text-align:left; font-family:'Nimbus Sans L', Arial; font-size:10pt; border:0em; margin:0em; padding:0em;">Then paste your code. Note that the mode line now reads -- INSERT (paste) --.<br /> <br /> After you have pasted your code, turn paste mode off again so that auto-indenting works correctly when you type.</p> <pre style="color:#AAAAAA; text-align:left; font-family:'Nimbus Sans L', Arial; font-size:10pt; border:0em; margin:0em; padding:0em;"> :set nopaste </pre><br /> <hr /><br /> <pre style="color:#AAAAAA; text-align:left; font-family:'Nimbus Sans L', Arial; font-size:10pt; border:0em; margin:0em; padding:0em;"> VM03 → Apache with mpm-itk
VM13 → XMPP Server
VM30 → RSYSLOG Server
VM31 → LDAP / PAM / NSS Authentication Server with Kerberos
VM32 → Certificate Authority

to delete a vm: rm -rf /xen/domains/vm## && rm -f /xen/conf/vm##.cfg && rm -f /var/log/xen-tools/vm##.log
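The one-liner above, as an added example that is not from the original page, wrapped in a function that refuses to run unless the VM number is exactly two digits (an empty or wildcard argument would otherwise turn the rm -rf into something far more destructive) and that the domain is not still running. XEN_ROOT and XEN_LOG are assumptions so the function can be exercised against a scratch directory; the toolstack command (xm list, Xen 3.x era) is also an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): delete a xen-tools VM's image,
# config and log only after validating the VM number and checking that the
# domain is not running. XEN_ROOT and XEN_LOG are assumed overridable so the
# function can be exercised against a scratch directory.

XEN_ROOT="${XEN_ROOT:-/xen}"
XEN_LOG="${XEN_LOG:-/var/log/xen-tools}"

# vm_running NAME -> 0 if a domain called NAME is running, 1 otherwise.
# Uses `xm list` if present (assumed toolstack); if no toolstack is available
# it reports "not running" so the function still works in a scratch test.
vm_running() {
    command -v xm >/dev/null 2>&1 || return 1
    xm list 2>/dev/null | awk 'NR>1 {print $1}' | grep -qx "$1"
}

# delete_vm NN: remove $XEN_ROOT/domains/vmNN, $XEN_ROOT/conf/vmNN.cfg and the
# xen-tools log. Returns 0 on success, 1 on bad input, 2 if still running.
delete_vm() {
    nn="$1"
    # Refuse anything but exactly two digits: an empty or glob argument would
    # turn "rm -rf $XEN_ROOT/domains/vm$nn" into a much wider deletion.
    case "$nn" in
        [0-9][0-9]) ;;
        *) echo "delete_vm: expected a two-digit VM number, got '$nn'" >&2; return 1 ;;
    esac
    name="vm$nn"
    if vm_running "$name"; then
        echo "delete_vm: $name is still running; shut it down first (xm shutdown $name)" >&2
        return 2
    fi
    rm -rf "$XEN_ROOT/domains/$name"
    rm -f  "$XEN_ROOT/conf/$name.cfg"
    rm -f  "$XEN_LOG/$name.log"
}
```

Usage on vmserver03 would be `delete_vm 05`; the check on the argument is the part worth keeping even if the rest is typed by hand.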

NTP: <hr /> WAN → vmserver03 → vm##

  1. - vmserver03 syncs with the juicebox time server
  2. - vmserver03 is a time server for 10.80.3.0/24
  3. - vm03, vm13 and vm30-32 get their time from vmserver03

Timezone: /usr/bin/tzselect → 2 → 47 → 1 → 1

aptitude install -y ntp

VMSERVER03 NTP CONF:

# /etc/ntp.conf
# Local clock oscillation file
driftfile /var/lib/ntp/ntp.drift

# Allow statistics to be logged.
statsdir /var/log/ntpstats/

# Logging configuration
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Access control configuration
restrict default kod nomodify notrap nopeer noquery   # Deny everybody by default
restrict 127.0.0.1                                    # Allow unrestricted access to self
restrict 10.80.3.0 mask 255.255.255.0 nomodify        # Serve time to local network

# NTP servers to synchronise with
server juicebox.lair.lan

# Allow localhost to serve as a back-up time server
server 127.127.1.0
fudge 127.127.1.0 stratum 10

/etc/init.d/ntp restart

VMxx NTP CONF:

# /etc/ntp.conf

# Disable the panic threshold to allow irregular clock offsets
# (note: this also lets the upstream server step this clock by any amount;
#  acceptable here only because vmserver03 on the LAN is the sole source,
#  and Kerberos on vm31 depends on the clocks agreeing)
tinker panic 0

# Local clock oscillation file
driftfile /var/lib/ntp/ntp.drift

# Allow statistics to be logged.
statsdir /var/log/ntpstats/

# Logging configuration
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Access control configuration
restrict default kod nomodify notrap nopeer noquery   # Deny everybody by default
restrict 127.0.0.1                                    # Allow unrestricted access to self

# NTP servers to synchronise with
server vmserver03.student.lab

mkdir /etc/ntp
vim /etc/ntp/step-tickers
# /etc/ntp/step-tickers
vmserver03.student.lab

/etc/init.d/ntp restart
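An added check, not from the original page, for the two ntp.conf files above: it confirms that "restrict default" denies modification, queries and traps to everyone, that every other network restrict line at least carries nomodify, and it warns when "tinker panic 0" is present. The hardening expectations are this editor's; run against the page's own configs it passes vmserver03's file and warns on the vm## file because of the tinker line.

```shell
#!/bin/sh
# Added example (not from the original page): audit an ntp.conf for the access
# controls the configs above rely on. Prints one finding per line; returns 0
# when clean, 1 when something is missing. Hardening expectations are the
# editor's: "restrict default" needs nomodify, noquery and notrap (noquery
# also closes the monlist/ntpq amplification and recon vector), every other
# network restrict line needs nomodify, and "tinker panic 0" is a warning.

# ntp_audit FILE
ntp_audit() {
    conf="$1"
    rc=0
    # Strip '#' comments and blank lines so flags are matched on config text only.
    stripped=$(sed 's/#.*//' "$conf" | sed '/^[[:space:]]*$/d')

    # First "restrict default" line, whitespace normalised to single spaces.
    default_line=$(printf '%s\n' "$stripped" \
        | grep -E '^[[:space:]]*restrict[[:space:]]+default([[:space:]]|$)' \
        | head -n 1 | tr -s '[:space:]' ' ')
    if [ -z "$default_line" ]; then
        echo "MISSING: no 'restrict default' line; any host may query and modify ntpd"
        rc=1
    else
        for flag in nomodify noquery notrap; do
            case " $default_line " in
                *" $flag "*) ;;
                *) echo "MISSING: 'restrict default' lacks $flag"; rc=1 ;;
            esac
        done
    fi

    # Other restrict lines (excluding default and loopback) must forbid
    # runtime reconfiguration; served clients do not need that right.
    bad_net=$(printf '%s\n' "$stripped" \
        | grep -E '^[[:space:]]*restrict[[:space:]]+' \
        | grep -Ev '[[:space:]](default|127\.0\.0\.1|::1)([[:space:]]|$)' \
        | grep -Ev '[[:space:]]nomodify([[:space:]]|$)' || true)
    if [ -n "$bad_net" ]; then
        printf '%s\n' "$bad_net" | sed 's/^/MISSING: nomodify on: /'
        rc=1
    fi

    # Disabling the panic threshold removes the 1000 s sanity check.
    if printf '%s\n' "$stripped" \
        | grep -Eq '^[[:space:]]*tinker[[:space:]]+.*panic[[:space:]]+0([[:space:]]|$)'; then
        echo "WARN: 'tinker panic 0' disables the 1000 s sanity limit; a wrong or hostile upstream can step the clock freely"
    fi
    return $rc
}
```

Usage: `ntp_audit /etc/ntp.conf` on each host after editing; a non-zero exit means a restrict line needs fixing before ntp is restarted.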

rsyslog w/SSL: <hr /> vm03, 13, 31 & 32 → vm30

  1. - vm03, vm13, vm31 & vm32 will use SSL to communicate with vm30
  2. - vm30 will host a local MySQL syslog database
  3. - vm32 will not report to vm30
  4. - vm32 is the certificate authority for rsyslog over SSL
  5. - LogAnalyzer: web-based rsyslog GUI
  6. - basic apache w/php on vm30
  7. - accessible from the LAN only
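The plan above does not show the rsyslog side of the SSL setup, so here is an added example (not from the original page) in rsyslog's legacy $-directive syntax, generating the vm30 collector config and the per-host client config, plus a check that rejects a config which would accept any certificate. Port 10514, the /etc/rsyslog.d/tls paths and the certificate file names are assumptions; the CA on vm32 must issue each host a certificate whose subject name is its FQDN, because authmode x509/name ties every connection to that name in both directions.

```shell
#!/bin/sh
# Added example (not from the original page): rsyslog TLS configuration for
# the vm03/vm13/vm31 -> vm30 plan, in legacy $-directive syntax. Paths, port
# and certificate names are assumptions.

CA_FILE="${CA_FILE:-/etc/rsyslog.d/tls/ca.pem}"
TLS_DIR="${TLS_DIR:-/etc/rsyslog.d/tls}"
PORT="${PORT:-10514}"

# tls_common HOST: driver and certificate lines shared by server and clients.
tls_common() {
    cat <<EOF
\$DefaultNetstreamDriver gtls
\$DefaultNetstreamDriverCAFile $CA_FILE
\$DefaultNetstreamDriverCertFile $TLS_DIR/$1-cert.pem
\$DefaultNetstreamDriverKeyFile $TLS_DIR/$1-key.pem
EOF
}

# server_conf SERVER PEER...: vm30 side. Only the named peers may connect, and
# each must present a certificate for exactly that name (mutual authentication),
# so a host on the LAN cannot inject forged log lines without a CA-issued cert.
server_conf() {
    srv="$1"; shift
    echo "# /etc/rsyslog.d/10-tls-server.conf on $srv"
    echo '$ModLoad imtcp'
    tls_common "$srv"
    echo '$InputTCPServerStreamDriverMode 1'          # 1 = TLS only, never plaintext
    echo '$InputTCPServerStreamDriverAuthMode x509/name'
    for p in "$@"; do
        echo "\$InputTCPServerStreamDriverPermittedPeer $p"
    done
    echo "\$InputTCPServerRun $PORT"
}

# client_conf CLIENT SERVER: vm03/vm13/vm31 side. The client verifies the
# collector's name too, so a rogue collector cannot capture the stream.
client_conf() {
    cl="$1"; srv="$2"
    echo "# /etc/rsyslog.d/10-tls-client.conf on $cl"
    tls_common "$cl"
    echo '$ActionSendStreamDriverMode 1'
    echo '$ActionSendStreamDriverAuthMode x509/name'
    echo "\$ActionSendStreamDriverPermittedPeer $srv"
    echo "*.* @@$srv:$PORT"                           # @@ = forward over TCP
}

# tls_check FILE: 0 if FILE enforces TLS with certificate checking and a
# permitted-peer list; "anon" (encryption without authentication) fails.
tls_check() {
    grep -Eq '^\$(InputTCPServer|ActionSend)StreamDriverMode[[:space:]]+1' "$1" \
        || { echo "$1: TLS not enforced (mode != 1)"; return 1; }
    grep -Eq '^\$(InputTCPServer|ActionSend)StreamDriverAuthMode[[:space:]]+x509/(name|fingerprint)' "$1" \
        || { echo "$1: authmode is anon or missing; any peer is accepted"; return 1; }
    grep -Eq '^\$(InputTCPServer|ActionSend)StreamDriverPermittedPeer[[:space:]]+' "$1" \
        || { echo "$1: no PermittedPeer"; return 1; }
}
```

Usage: `server_conf vm30.student.lab vm03.student.lab vm13.student.lab vm31.student.lab > /etc/rsyslog.d/10-tls-server.conf` on vm30 and `client_conf vm03.student.lab vm30.student.lab > /etc/rsyslog.d/10-tls-client.conf` on each reporting host, then `tls_check` on the result before restarting rsyslog. The point of x509/name over anon is that the LAN-only firewall rule in the plan protects the web GUI, not the log stream; with anon mode any host that can reach port 10514 can feed the database.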

VM03:

  1. - apache to log errors & access
  2. - utilize mpm-itk for per-user virtual hosts
  3. - mysql, php

VM30:

  1. - local apache will only log errors (no access logging)

VM31:

  1. - LDAP / NSS / PAM server using Kerberos for encrypted authentication

vim /etc/hosts

127.0.0.1    localhost localhost.localdomain
10.80.3.31   vm31.student.lab vm31    # local machine
10.80.3.31   krb1.student.lab krb1    # Kerberos5 server

Debian packages installed during the procedure will ask a series of questions through the debconf interface. To put debconf into a known state, run:

 dpkg-reconfigure debconf -> interface:dialog    priority:low

In a separate terminal, follow the logs while installing:

 cd /var/log; sudo tail -F daemon.log sulog user.log auth.log debug kern.log syslog dmesg messages kerberos/{krb5kdc,kadmin,krb5lib}.log

aptitude install -y krb5-{admin-server,kdc}

Configuring krb5-kdc

When users attempt to use Kerberos and specify a principal or user name without specifying what administrative Kerberos realm that principal belongs to, the system appends the default realm. Normally, the default realm is the uppercase version of the local DNS domain.

Default Kerberos version 5 realm:

 [STUDENT.LAB]

Traditionally new realms have been added to /etc/krb5.conf so that clients can find the Kerberos servers for the realm. Modern Kerberos implementations support looking this information up using DNS. If your default realm has DNS pointers, they will be used. Otherwise, if your realm is not already in /etc/krb5.conf, you will be asked for the Kerberos servers' hostnames so the realm can be added.

Does DNS contain pointers to your realm's Kerberos servers?

 <yes> <no> ->  [no]

The Key Distribution Center (KDC) configuration files, in /etc/krb5kdc, may be created automatically.

By default, an example template will be copied into this directory with local parameters filled in.

Administrators who already have infrastructure to manage their Kerberos configuration may wish to disable these automatic configuration changes.

Create the Kerberos KDC configuration automatically?

 <yes> <no> ->  [yes]

By default, Kerberos V4 requests are allowed from principals that do not require preauthentication (“nopreauth”). This allows Kerberos V4 services to exist while requiring most users to use Kerberos V5 clients to get their initial tickets. These tickets can then be converted to Kerberos V4 tickets.

Alternatively, the mode can be set to “full”, allowing Kerberos V4 clients to get initial tickets even when preauthentication would normally be required; to “disable”, returning protocol version errors to all Kerberos V4 clients; or to “none”, which tells the KDC to not respond to Kerberos V4 requests at all.

Kerberos V4 compatibility mode to use: disable, full, nopreauth, none

 [none]

The krb524d daemon converts Kerberos V5 tickets into Kerberos V4 tickets for programs, such as krb524init, that obtain Kerberos V4 tickets for compatibility with old applications.

It is recommended to enable that daemon if Kerberos V4 is enabled, especially when Kerberos V4 compatibility is set to “nopreauth”.

Run a Kerberos V5 to Kerberos V4 ticket conversion daemon?

 <yes> <no> ->  [no]

Setting up a Kerberos Realm

This package contains the administrative tools required to run the Kerberos master server.

However, installing this package does not automatically setup a Kerberos realm. This can be done later by running the “krb5_newrealm” command.

Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the administration guide found in the krb5-doc package.

 [Ok]

Kadmind serves requests to add/modify/remove principals in the Kerberos database.

It is required by the kpasswd program, used to change passwords. With standard setups, this daemon should run on the master KDC.

Run the Kerberos V5 administration daemon (kadmin)?

 <yes> <no> ->  [yes]

Enter the hostnames of Kerberos servers in the STUDENT.LAB Kerberos realm separated by spaces.

Kerberos servers for your realm: [krb1.student.lab]

Enter the hostname of the administrative (password changing) server for the STUDENT.LAB Kerberos realm.

Administrative server for your Kerberos realm: [krb1.student.lab]

krb5_newrealm

This script should be run on the master KDC/admin server to initialize a Kerberos realm. It will ask you to type in a master key password. This password will be used to generate a key that is stored in /etc/krb5kdc/stash. You should try to remember this password, but it is much more important that it be a strong password than that it be remembered. However, if you lose the password and /etc/krb5kdc/stash, you cannot decrypt your Kerberos database.

Loading random data

Initializing database '/var/lib/krb5kdc/principal' for realm 'STUDENT.LAB'
master key name 'K/M@STUDENT.LAB'
You will be prompted for the database Master Password
It is important that you NOT FORGET this password

Enter KDC database master key: []
Re-enter KDC database master key to verify: []

Now that your realm is set up you may wish to create an administrative principal using the addprinc subcommand of the kadmin.local program. Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that you can use the kadmin program on other computers. Kerberos admin principals usually belong to a single user and end in /admin. For example, if jruser is a Kerberos administrator, then in addition to the normal jruser principal, a jruser/admin principal should be created.

Don't forget to set up DNS information so your clients can find your KDC and admin servers. Doing so is documented in the administration guide.
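The post-krb5_newrealm steps the output above describes (admin principal, kadm5.acl entry) scripted as an added example that is not from the original page, extended with the KDC host's own host/ principal and keytab so that PAM on vm31 can verify tickets. The +requires_preauth flag, the per-user ACL rule in place of a wildcard, the keytab path and the krb5-admin-server restart are this editor's choices; KADMIN, KADM5_ACL, KEYTAB and KADMIND_RESTART are assumed overridable so the function can be tested without a KDC. kadmin.local prompts interactively for the new admin principal's password.

```shell
#!/bin/sh
# Added example (not from the original page): after krb5_newrealm, create
# USER/admin, grant it rights in kadm5.acl, create the KDC host's host/
# principal and extract it to the local keytab, then restart kadmind so the
# ACL change is read. All paths and commands below are assumptions.

KADMIN="${KADMIN:-kadmin.local}"
KADM5_ACL="${KADM5_ACL:-/etc/krb5kdc/kadm5.acl}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
KADMIND_RESTART="${KADMIND_RESTART:-/etc/init.d/krb5-admin-server restart}"

# acl_has LINE: 0 if kadm5.acl already contains exactly LINE (keeps reruns idempotent).
acl_has() {
    [ -f "$KADM5_ACL" ] && grep -Fqx "$1" "$KADM5_ACL"
}

# krb_bootstrap REALM USER KDCHOST
krb_bootstrap() {
    realm="$1"; user="$2"; kdchost="$3"
    case "$user" in
        ''|*/*|*@*) echo "krb_bootstrap: USER must be a bare principal name" >&2; return 1 ;;
    esac
    case "$realm" in
        ''|*[a-z]*) echo "krb_bootstrap: REALM must be upper case (e.g. STUDENT.LAB)" >&2; return 1 ;;
    esac
    # A wildcard rule lets *any* X/admin principal administer the realm; the
    # per-user rule added below is the least-privilege form the text describes.
    if [ -f "$KADM5_ACL" ] && grep -Eq '^\*/admin' "$KADM5_ACL"; then
        echo "krb_bootstrap: warning: wildcard */admin rule present in $KADM5_ACL" >&2
    fi
    # Admin principal; +requires_preauth stops offline guessing of its key via AS-REQ.
    "$KADMIN" -q "addprinc +requires_preauth $user/admin@$realm" || return 1
    acl="$user/admin@$realm *"
    if ! acl_has "$acl"; then
        printf '%s\n' "$acl" >> "$KADM5_ACL" || return 1
    fi
    # Host principal with a random key, exported so services on the KDC host
    # (sshd, PAM) can validate service tickets presented to them.
    "$KADMIN" -q "addprinc -randkey host/$kdchost@$realm" || return 1
    "$KADMIN" -q "ktadd -k $KEYTAB host/$kdchost@$realm" || return 1
    # kadmind reads kadm5.acl at startup, so restart it for the new rule to apply.
    $KADMIND_RESTART
}
```

Usage on vm31: `krb_bootstrap STUDENT.LAB jruser krb1.student.lab`, then check with `kadmin -p jruser/admin -q listprincs` from another host. The keytab must stay root-only (chmod 600); it is equivalent to the host's long-term key.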

VM32:

  1. - SSL Certificate Authority

  - should have strict firewall rules </pre> </html>

<html> <p style="margin:4em 0em 0em; padding:0em; font-size:10pt; font-weight:bold; color:#820000;">.The·Fragile·Art·of·Existence.<br />Copyright &copy; 2010 V.A.D.E.R. All Rights Reserved.</p> <p style="margin:0em 0em 2em; padding:0em; font-size:10pt;">

 <span style="color:#888888;">Thoughts Fading From Existence</span>
 <br />
 <span style="color:#777777;">Sounds Are Growing Faint</span>
 <br />
 <span style="color:#555555;">Darkness Becoming…</span>
 <br />
 <span style="color:#333333;">The End Is Nigh</span>
 <br />
 <span style="color:#222222;">Death<br />.</span>

</p> </html>

user/ryoung12/start.txt · Last modified: 2010/07/29 09:27 by ryoung12