NFSv4 using AUTH_SYS
NFSv4 using AUTH_GSS (Kerberos 5)
NFSv4 using AUTH_GSS (SPKM-3)*
NFSv4 using AUTH_GSS (LIPKEY)*
NFSv4 Name to ID mapping
http://www.citi.umich.edu/projects/nfsv4/linux/faq/
GSS_API - Generic Security Services Application Program Interface
http://en.wikipedia.org/wiki/Generic_Se ... _Interface
SPKM - Simple Public-Key GSS-API Mechanism (SPKM)
http://tools.ietf.org/html/rfc2025
*GSS-API mechanism which is based on a public-key, rather than a symmetric-key, infrastructure
TGT renewal might be useful for a long-running job which mounts an NFS/RKB share.
- max_life and max_renewable_life in /var/kerberos/krb5kdc/kdc.conf on the KDC servers, as in the shipped example /usr/kerberos/share/examples/krb5/kdc.conf (if you use CentOS/RHEL)
[kdcdefaults]
kdc_ports = 750,88
[realms]
ATHENA.MIT.EDU = {
database_name = /usr/local/var/krb5kdc/principal
admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
- ticket_lifetime in /etc/krb5.conf on the client machine
[libdefaults]
default_realm = REALM
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = yes
ticket_lifetime = 32d
renew_lifetime = 32d
- maxlife for the user and krbtgt/REALM principal
kadmin: modprinc -maxlife 32days -maxrenewlife 32days +allow_renewable krbtgt/REALM
kadmin: modprinc -maxlife 32days -maxrenewlife 32days +allow_renewable user/REALM
- output of the getprinc for user
kadmin: getprinc USER
Principal: USER@REALM
Maximum ticket life: 32 days 00:00:00
Maximum renewable life: 32 days 00:00:00
- maxlife for the service principal "krbtgt/REALM"
kadmin: getprinc krbtgt/domain.com@REALM
Maximum ticket life: 32 days 00:00:00
Maximum renewable life: 32 days 00:00:00
- request extended lifetime and renewal in the ticket request
$ kinit -l 14d -r 14d
- to renew the ticket, run kinit with the -R option before the ticket expires
$ kinit -R
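The steps above end with a manual kinit -R. As an added example (not from the original post), here is a renew-before-expiry helper for a long-running job that does by hand what krenew does. It assumes MIT krb5 klist/kinit and GNU date; the klist output embedded below is constructed, not captured from a real cache.

```shell
#!/bin/bash
# Added example: keep a TGT alive for a long-running job by renewing it before it expires.
# Assumes MIT krb5 klist/kinit output format and GNU date (for `date -d`).

# Constructed sample of MIT `klist` output, used to exercise the parser offline.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: user@REALM

Valid starting       Expires              Service principal
02/15/2024 10:00:00  02/16/2024 10:00:00  krbtgt/REALM@REALM
	renew until 02/29/2024 10:00:00'

# Print the TGT expiry (fields 3-4 of the krbtgt/ line in MIT klist output) as epoch seconds.
tgt_expiry_epoch() {
    local exp
    exp=$(printf '%s\n' "$1" | awk '/krbtgt\//{print $3 " " $4; exit}')
    [ -n "$exp" ] || return 1          # no TGT in the cache
    date -d "$exp" +%s
}

# Seconds until the TGT expires. $1: klist output, $2: "now" as epoch (defaults to current time).
tgt_seconds_left() {
    local exp now
    exp=$(tgt_expiry_epoch "$1") || return 1
    now=${2:-$(date +%s)}
    echo $(( exp - now ))
}

# Renewal is due when the ticket has no more than $2 seconds left (exit status 0 = due).
renewal_due() { [ "$1" -le "$2" ]; }

# Keep the TGT alive while the job with PID $1 runs: renew when fewer than $2 seconds remain
# (default 1h), checking every $3 seconds (default 5 min). kinit -R only works until
# renew_lifetime / max_renewable_life is reached; after that a fresh kinit is needed.
keep_tgt_alive() {
    local pid=$1 threshold=${2:-3600} interval=${3:-300} left
    while kill -0 "$pid" 2>/dev/null; do
        left=$(tgt_seconds_left "$(klist 2>/dev/null)") || left=0
        if renewal_due "$left" "$threshold"; then
            kinit -R || echo "kinit -R failed: renewable lifetime exhausted, run kinit again" >&2
        fi
        sleep "$interval"
    done
}

# Offline demonstration on the constructed sample: 30 minutes before expiry -> 1800 seconds left
tgt_seconds_left "$SAMPLE_KLIST" "$(date -d '02/16/2024 09:30:00' +%s)"
```

Run `keep_tgt_alive $! 3600 300` right after starting the job in the background; once kinit -R starts failing the renewable lifetime from the KDC settings above has been used up.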
links:
http://linsec.ca/Using_Kerberos_5_for_S ... entication
k5start and krenew are modified versions of kinit which add support for running as a daemon to maintain a ticket cache, running a command with credentials from a keytab and maintaining a ticket cache until that command completes, obtaining AFS tokens (via an external aklog) after obtaining tickets, and creating an AFS PAG for a command. They are primarily useful in conjunction with long-running jobs; for moving ticket handling code out of servers, cron jobs, or daemons; and to obtain tickets and AFS tokens with a single command.
Kerberos overview
To understand the MIT Kerberos design and functionality I strongly recommend reading the "Designing an Authentication System" dialogue, which, even though it was written some time ago, is still the best Kerberos overview material available. You may find it here: http://web.mit.edu/kerberos/www/dialogue.html
Simple RHEL/CentOS setup guide
A basic setup guide which, along with the "Dialogue", will help you set up a basic functional Kerberos realm: http://www.centos.org/docs/5/html/Deplo ... beros.html
NFS
When combining Kerberos with NFSv4 you may find some tips here: https://help.ubuntu.com/community/NFSv4Howto
Schopenhauer Implementation
And some extracts of Schopenhauer's work may be assimilated here: http://feuerteufel.blog.cz/1001/svet-ja ... redstava-1
verify you have krb5-workstation (the Kerberos client software) installed
# rpm -qa | grep krb
pam_krb5-*
krb5-libs-*
krb5-workstation-*
put the same config as on the krb AS/TGT server onto the workstation (ws)
cat > /etc/krb5.conf
run kadmin as the Kerberos admin and add the workstation to the domain (create the host key and retrieve it into the local keytab)
# kadmin -p root/admin
kadmin: addprinc -randkey host/hostname.domain.com
kadmin: ktadd -k /etc/krb5.keytab host/hostname.domain.com
verify sshd has GSSAPI enabled
# cat /etc/ssh/sshd_config | grep GSS
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
renew the ticket on the box from which you would like to connect to the workstation and you should be in (the username must also be valid across the domain). If there is any trouble you may debug the ssh client with
# ssh -vvv user@domain.com
and the workstation you are connecting to with
# sshd -d
helpful troubleshooting tips here: http://www.fnal.gov/docs/strongauth/troubleshoot.html
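As an added check (not part of the original post), the script below verifies what the steps above leave behind: sshd's effective GSSAPI settings and the host key in the keytab. It assumes OpenSSH sshd_config syntax and MIT klist; the sshd_config fragment embedded below is constructed to show why "grep GSS" alone is not enough, since sshd uses the first occurrence of a keyword.

```shell
#!/bin/bash
# Added example: verify a workstation is ready for GSSAPI ssh logins.
# Assumes OpenSSH sshd_config syntax and MIT krb5 `klist -kt` output.

# Constructed sshd_config fragment: "grep GSS" shows a "yes", but sshd takes the FIRST
# occurrence of a keyword, so the earlier "no" is what actually applies.
SAMPLE_SSHD_CONFIG='# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
GSSAPIAuthentication yes
Match User backup
    GSSAPIAuthentication yes'

# Effective global value of an sshd_config keyword: first match wins, keywords are
# case-insensitive, and everything from the first Match block on is conditional (ignored here).
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == "match"        { exit }
        tolower($1) == tolower(key)   { print $2; exit }'
}

# Exit status 0 if the keyword is effectively "yes".
sshd_enabled() { [ "$(sshd_effective "$1" "$2")" = yes ]; }

# Does a `klist -kt` listing ($1) contain the host principal for FQDN $2?
keytab_has_host() {
    printf '%s\n' "$1" | grep -qF "host/$2@"
}

# Live check on this machine (reading the keytab needs root); prints one line per item.
check_workstation() {
    local cfg kt fqdn key
    cfg=$(cat /etc/ssh/sshd_config) || return 1
    fqdn=$(hostname -f)
    for key in GSSAPIAuthentication GSSAPICleanupCredentials; do
        sshd_enabled "$cfg" "$key" && echo "ok: $key yes" \
            || echo "FAIL: $key is '$(sshd_effective "$cfg" "$key")'"
    done
    kt=$(klist -kt /etc/krb5.keytab 2>/dev/null)
    keytab_has_host "$kt" "$fqdn" && echo "ok: host/$fqdn in /etc/krb5.keytab" \
        || echo "FAIL: no host/$fqdn key in /etc/krb5.keytab"
}

# Offline demonstration on the constructed config: prints "no" even though a "yes" line exists
sshd_effective "$SAMPLE_SSHD_CONFIG" GSSAPIAuthentication
```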
Two-factor SSH with YubiKey on CentOS 5.6
link: http://www.grennan.com/2011/07/two-fact ... entos-5-6/
YubiKey in Black
link: https://store.yubico.com/store/catalog/product_info.php?products_id=2&osCsid=5lkiba6keok3vkcr5ssio9d3j1
Standalone lightweight Yubikey OATH/HOTP Validation Server
http://code.google.com/p/yubico-yubiser ... gTheServer
http://www.eng.cam.ac.uk/help/jpmg/ssh/ ... howto.html
Recently, I went through http://cuddletech.com/blog/?p=594, very interesting stuff.
Duo can be easily added to any Unix system to protect remote or local logins. It has been tested on Linux (RedHat, Fedora, CentOS, Debian, Ubuntu, Gentoo), BSD (FreeBSD, NetBSD, OpenBSD, MacOS X), Solaris, HP-UX, and AIX.
http://www.duosecurity.com/docs/duounix
http://blog.duosecurity.com/2011/04/ann ... -for-unix/
Sample PAM (RSA SecurID, not Duo)
#%PAM-1.0
# http://www.kernel.org/pub/linux/libs/pa ... rence.html
#required This line must succeed.
#requisite Request is immediately denied if this line fails.
#sufficient Request is immediately allowed if this line succeeds.
#optional It's okay if this line fails.
#############################################
# auth
#############################################
# RSA only
auth required pam_env.so
auth sufficient pam_securid.so
#auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
##############################################
# account
##############################################
account required pam_nologin.so
account include system-auth
##############################################
# password
#############################################
password include system-auth
##############################################
# session
##############################################
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
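To see what the four control flags commented at the top of the stack actually do to a login, here is an added example (not from the original post) that simulates Linux-PAM's required/requisite/sufficient/optional semantics over the auth section of the sample above. Module outcomes are supplied by hand as constructed input; nothing talks to PAM.

```shell
#!/bin/bash
# Added example: simulate the Linux-PAM control flags over the auth phase of the sample stack.
# Module results are given by hand; pam_deny.so always fails, as it does for real.

# The auth section of the sample stack above (comments left in, as in the file).
SAMPLE_STACK='# RSA only
auth required pam_env.so
auth sufficient pam_securid.so
#auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so'

# $1: stack text; $2: space-separated "module=success" list (anything not listed fails).
# Prints allow or deny.
pam_auth_simulate() {
    local stack=$1 outcomes=$2 phase ctl mod res failed=0
    while read -r phase ctl mod _; do
        [ "$phase" = auth ] || continue            # skip comments and other phases
        res=fail
        case " $outcomes " in *" $mod=success "*) res=success ;; esac
        case $ctl in
            required)   [ "$res" = fail ] && failed=1 ;;                        # remember, keep going
            requisite)  [ "$res" = fail ] && { echo deny; return 0; } ;;        # deny at once
            sufficient) [ "$res" = success ] && [ "$failed" = 0 ] && { echo allow; return 0; } ;;
            optional)   ;;                                                      # never decides
        esac
    done <<< "$stack"
    [ "$failed" = 0 ] && echo allow || echo deny
}

# Token accepted: pam_securid is sufficient, so pam_succeed_if and pam_deny are never reached.
pam_auth_simulate "$SAMPLE_STACK" "pam_env.so=success pam_securid.so=success pam_succeed_if.so=success"
# Token rejected: pam_succeed_if passes, but the required pam_deny fails -> deny.
pam_auth_simulate "$SAMPLE_STACK" "pam_env.so=success pam_succeed_if.so=success"
```

Note that a successful pam_securid short-circuits before the uid >= 500 line, so in this stack the uid check only ever applies when the token fails.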
The name was meant to be a clever acronym for "Filesystem in USErspace". Linux kernels 2.6.14 or later contain FUSE support out of the box.
FUSE is made up of three main parts:
- a kernel filesystem module
- a userspace library
- a mount/unmount program
Some options regarding mount policy can be set in the file '/etc/fuse.conf'.
# yum install fuse
# yum install fuse-libs
# wget http://dag.wieers.com/rpm/packages/fuse-sshfs/[your-arch, or import repoforge repo]
mount, umount
# sshfs -o follow_symlinks,nonempty,sshfs_sync,compression=yes user@server:/directory/ /mountpoint/
# fusermount -u /mountpoint/
If the system account is intended as the sshfs share provider and no interactive logon is required, you may leave the account without a password so that logon is possible only with authorized_keys.
# cat authorized_keys
from="klient4sftpsubsystem.domain.com",no-port-forwarding,no-pty ssh-rsa AAAAB3Nz****key
http://www.regentsprep.org/Regents/phys ... icCode=03b
Faraday's Law
Ohm's Law
Battery-Resistor Circuit
#!/bin/bash
# program: postfix log checker
# version: 1.2
# purpose: to check logs for mail transport
# usage: $0 from email@domain
#        $0 to email@domain

# Temporary files: created with mktemp rather than predictable /tmp/$$ names,
# so another local user cannot pre-create or symlink them.
TEMP1=$(mktemp) || exit 1
TEMP2=$(mktemp) || exit 1
TEMP3=$(mktemp) || exit 1
trap 'rm -f "$TEMP1" "$TEMP2" "$TEMP3"' EXIT
trap 'echo; echo "program stopped by user"; exit 1' INT TERM

[ -z "$1" ] && echo "please specify from or to, ie: from tomas" && exit 1
[ -z "$2" ] && echo "please specify recipient email address, or a part of address" && exit 1

case $1 in
    from) SEARCH=" from=" ;;
    to)   SEARCH=" to=" ;;
    *)    echo "first argument must be 'from' or 'to'"; exit 1 ;;
esac
email=$2

echo "------------------------------------------------"
echo "search: ($SEARCH)*${email}*"
echo "------------------------------------------------"

# Print a logfile, decompressing rotated (.gz) ones. The earlier test, grep -i "*gz$",
# never matched because a leading '*' is a literal asterisk in a basic regex.
readlog() {
    case $1 in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

for logfile in /var/log/maillog*; do
    echo "parsing logfile ... $logfile"
    readlog "$logfile" | grep -i -E "${SEARCH}.${email}|${SEARCH}${email}" >> "$TEMP1"
done

# Field 6 of a syslog line "Mon DD HH:MM:SS host postfix/xxx[pid]: QUEUEID: ..." is the queue ID;
# tr -s squeezes the double space of single-digit days ("Jan  5") so the field count stays stable.
tr -s ' ' < "$TEMP1" | cut -d" " -f6 | sed -e "s/://g" | sort | uniq >> "$TEMP2"
EVENTS=$(wc -l < "$TEMP2")
echo "we have found $EVENTS records in our logs"
echo "compacting results"
echo "------------------------------------------------"

> "$TEMP3"
while read -r event; do
    > "$TEMP1"
    echo -n " $event"
    # collect every log line for this queue ID from all logfiles
    for logfile in /var/log/maillog*; do
        readlog "$logfile" | grep -i "$event" | tr '\n' ' ' >> "$TEMP1"
        echo -n "."
    done
    # here we have in $TEMP1 all the log events related to the mail message,
    # as a single long line; pull out date, sender, recipient(s) and delivery status
    sender=""; orig_recipient=""; recipient=""; status=""; datetime=""; timestamp=""
    datetime=$(tr -s ' ' < "$TEMP1" | cut -d" " -f1,2,3)
    timestamp=$(date -d "$datetime" "+%s")
    sender=$(sed -n "s/.* \(from=[^ ,]*\).*/\1/p" "$TEMP1")
    recipient=$(sed -n "s/.* \(to=[^ ,]*\).*/\1/p" "$TEMP1")
    orig_recipient=$(sed -n "s/.* \(orig_to=[^ ,]*\).*/\1/p" "$TEMP1")
    status=$(sed -n "s/.* \(status=[^ ]*\).*/\1/p" "$TEMP1")
    if [ -n "$orig_recipient" ]; then
        echo "$timestamp, $event, $datetime, $sender, $orig_recipient (yet forwarded!), $status" >> "$TEMP3"
    else
        echo "$timestamp, $event, $datetime, $sender, $recipient, $status" >> "$TEMP3"
    fi
done < "$TEMP2"

echo
echo "------------------------------------------------"
echo "generating list, please press space to continue"
echo "running more "
echo "q to quit "
echo "------------------------------------------------"
echo
sleep 3
# sort by the epoch timestamp in the first field
sort -n -k1,1 "$TEMP3" | more