NFSv4 GSS_API "support" 
NFSv4 "supports" the following security mechanisms

NFSv4 using AUTH_SYS
NFSv4 using AUTH_GSS (Kerberos 5)
NFSv4 using AUTH_GSS (SPKM-3)*
NFSv4 using AUTH_GSS (LIPKEY)*
NFSv4 Name to ID mapping

http://www.citi.umich.edu/projects/nfsv4/linux/faq/


GSS_API - Generic Security Services Application Program Interface
http://en.wikipedia.org/wiki/Generic_Se ... _Interface

SPKM - Simple Public-Key GSS-API Mechanism (SPKM)
http://tools.ietf.org/html/rfc2025

*GSS-API mechanism which is based on a public-key, rather than a symmetric-key, infrastructure

Kerberos: extend the ticket lifetime and make ticket renewable 
TGT renewal might be useful for a long-running job which mounts an NFS/KRB share.

- max_life and max_renewable_life in /var/kerberos/krb5kdc/kdc.conf on the KDC servers, as in the shipped example /usr/kerberos/share/examples/krb5/kdc.conf (if you use CentOS/RHEL)

[kdcdefaults]
kdc_ports = 750,88

[realms]
ATHENA.MIT.EDU = {
database_name = /usr/local/var/krb5kdc/principal
admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}


- ticket_lifetime in /etc/krb5.conf on the client machine

[libdefaults]
default_realm = REALM
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = yes
ticket_lifetime = 32d
renew_lifetime = 32d


- maxlife for the user and the krbtgt/REALM principals


kadmin: modprinc -maxlife 32days -maxrenewlife 32days +allow_renewable krbtgt/REALM
kadmin: modprinc -maxlife 32days -maxrenewlife 32days +allow_renewable user@REALM


- output of getprinc for the user

kadmin:  getprinc USER
Principal: USER@REALM
Maximum ticket life: 32 days 00:00:00
Maximum renewable life: 32 days 00:00:00


- maxlife for the service principal "krbtgt/REALM"

kadmin:  getprinc krbtgt/domain.com@REALM
Maximum ticket life: 32 days 00:00:00
Maximum renewable life: 32 days 00:00:00


- request extended lifetime and renewal in the ticket request
$ kinit -l 14d -r 14d


- to renew the ticket, use the kinit -R option before the ticket expires
$ kinit -R
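
Why all three places matter: the KDC issues the requested lifetime (kinit -l/-r, or ticket_lifetime/renew_lifetime from krb5.conf when no option is given) capped by kdc.conf and by the limits on both the user and the krbtgt/REALM principal, so the lowest setting wins. The following shell script is an added example, not from the original post, that computes which setting binds for the values above; the setting names it prints are labels chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: the lifetime the KDC grants is
# the requested value capped by kdc.conf max_life / max_renewable_life and by
# the maxlife / maxrenewlife of BOTH the user principal and krbtgt/REALM.
# Leaving any one of them at the shipped default silently shortens the ticket.

# Convert a Kerberos duration ("10h 0m 0s", "7d 0h 0m 0s", "32days", "14d")
# to seconds.
to_seconds() {
    echo "$1" | awk '{
        n = 0
        for (i = 1; i <= NF; i++) {
            v = $i + 0                          # leading number of the token
            u = $i; sub(/^[0-9]+ */, "", u)     # its unit: d, h, m, s, days, ...
            if (u ~ /^d/) n += v * 86400
            else if (u ~ /^h/) n += v * 3600
            else if (u ~ /^m/) n += v * 60
            else n += v
        }
        print n }'
}

# granted <requested> "<setting>=<duration>" ...
# Prints "<seconds> <setting>" for the tightest limit ("request" if none caps it).
granted() {
    best=$(to_seconds "$1"); who=request; shift
    for lim in "$@"; do
        secs=$(to_seconds "${lim#*=}")
        if [ "$secs" -lt "$best" ]; then best=$secs; who=${lim%%=*}; fi
    done
    echo "$best $who"
}

# Values from the post: with the shipped kdc.conf example still at 10h / 7d,
# "kinit -l 14d -r 14d" against 32-day principals yields a 10h ticket.
granted "14d" "kdc.conf max_life=10h 0m 0s" \
        "user maxlife=32days" "krbtgt maxlife=32days"
granted "14d" "kdc.conf max_renewable_life=7d 0h 0m 0s" \
        "user maxrenewlife=32days" "krbtgt maxrenewlife=32days"
# Once kdc.conf is raised as well, the request itself becomes the limit:
granted "14d" "kdc.conf max_life=32d" "user maxlife=32days" "krbtgt maxlife=32days"
```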


links:

http://linsec.ca/Using_Kerberos_5_for_S ... entication

k5start and krenew are modified versions of kinit which add support for running as a daemon to maintain a ticket cache, running a command with credentials from a keytab and maintaining a ticket cache until that command completes, obtaining AFS tokens (via an external aklog) after obtaining tickets, and creating an AFS PAG for a command. They are primarily useful in conjunction with long-running jobs; for moving ticket handling code out of servers, cron jobs, or daemons; and to obtain tickets and AFS tokens with a single command.


Kerberos web links 
Kerberos overview
To understand MIT Kerberos design and functionality I strongly recommend reading the "Designing an Authentication System" dialogue which, even though it was written some time ago, is still the best Kerberos overview material available. You may find it here: http://web.mit.edu/kerberos/www/dialogue.html

Simple RHEL/CentOS setup guide
A basic setup guide which, along with the "Dialogue", will help you set up a basic functional Kerberos realm: http://www.centos.org/docs/5/html/Deplo ... beros.html

NFS
When combining Kerberos with NFSv4 you may find some tips here: https://help.ubuntu.com/community/NFSv4Howto

Schopenhauer Implementation
And some extracts of Schopenhauer's work may be assimilated here: http://feuerteufel.blog.cz/1001/svet-ja ... redstava-1


RHEL/CentOS: Kerberos + SSH (add ws to kerberos realm) 
verify you have krb5-workstation (the Kerberos client software) installed
# rpm -qa | grep krb
pam_krb5-*
krb5-libs-*
krb5-workstation-*

put the same config as on the Kerberos server (KDC) onto the ws
cat > /etc/krb5.conf

run kadmin as the Kerberos admin and add the ws to the domain (create the host key and retrieve it into the local keytab)
# kadmin -p root/admin
kadmin: addprinc -randkey host/hostname.domain.com
kadmin: ktadd -k /etc/krb5.keytab host/hostname.domain.com

verify sshd has GSSAPI turned on
# cat /etc/ssh/sshd_config | grep GSS
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

renew the ticket on the box from which you would like to connect to the ws and you should be in (the username must also be valid across the domain). If you run into any trouble, you may debug the ssh client with
# ssh -vvv user@domain.com

and sshd on the ws you are connecting to
# sshd -d
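
A check for the GSSAPI step above, added here and not part of the original post: grepping sshd_config for "GSS" also matches commented-out lines, so this script reads the effective value instead and confirms the host principal really landed in the keytab. The sample files, ws1.domain.com and REALM are constructed placeholders.

```shell
#!/bin/sh
# Added check, not from the original post.  "grep GSS" on sshd_config also
# matches commented-out lines such as "#GSSAPIAuthentication no", and sshd
# honours only the first uncommented occurrence of a keyword, so read the
# effective value instead; then confirm that ktadd really put host/<fqdn>
# into the keytab by parsing "klist -k" output.

# Effective GSSAPIAuthentication value of an sshd_config file
# (first uncommented keyword wins; sshd defaults to "no" when it is absent).
gssapi_enabled() {
    awk 'tolower($1) == "gssapiauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# keytab_has_host <file holding "klist -k" output> <fqdn>
keytab_has_host() {
    fqdn=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    grep -q "^ *[0-9][0-9]* host/$fqdn@" "$1"
}

# Constructed samples standing in for /etc/ssh/sshd_config and "klist -k"
# on the workstation; ws1.domain.com and REALM are placeholders.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
cat > "$SAMPLE_DIR/sshd_config.untouched" <<'EOF'
#GSSAPIAuthentication no
GSSAPICleanupCredentials yes
EOF
cat > "$SAMPLE_DIR/klist-k.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -------------------------------------------------
   2 host/ws1.domain.com@REALM
EOF

echo "GSSAPIAuthentication (edited config):    $(gssapi_enabled "$SAMPLE_DIR/sshd_config")"
echo "GSSAPIAuthentication (untouched config): $(gssapi_enabled "$SAMPLE_DIR/sshd_config.untouched")"
if keytab_has_host "$SAMPLE_DIR/klist-k.txt" ws1.domain.com; then
    echo "keytab holds host/ws1.domain.com"
else
    echo "keytab is missing host/ws1.domain.com, rerun ktadd"
fi
```

Point the two functions at the real /etc/ssh/sshd_config and at a file holding the output of `klist -k` to run the same check on the workstation.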

helpful troubleshooting tips here: http://www.fnal.gov/docs/strongauth/troubleshoot.html

2 factor authentication with YubiKey (Yubico) 
Two-factor SSH with YubiKey on CentOS 5.6
link: http://www.grennan.com/2011/07/two-fact ... entos-5-6/

YubiKey in Black
link: https://store.yubico.com/store/catalog/product_info.php?products_id=2&osCsid=5lkiba6keok3vkcr5ssio9d3j1

Standalone lightweight Yubikey OATH/HOTP Validation Server
http://code.google.com/p/yubico-yubiser ... gTheServer


ssh - authorized_keys HOWTO 
http://www.eng.cam.ac.uk/help/jpmg/ssh/ ... howto.html

Duo Security: Two Factor Auth for the Masses 
Recently, I went through http://cuddletech.com/blog/?p=594, very interesting stuff.

Duo can be easily added to any Unix system to protect remote or local logins. It has been tested on Linux (RedHat, Fedora, CentOS, Debian, Ubuntu, Gentoo), BSD (FreeBSD, NetBSD, OpenBSD, MacOS X), Solaris, HP-UX, and AIX.

http://www.duosecurity.com/docs/duounix
http://blog.duosecurity.com/2011/04/ann ... -for-unix/

Sample PAM config (RSA SecurID, not Duo)

#%PAM-1.0
# http://www.kernel.org/pub/linux/libs/pa ... rence.html

#required This line must succeed.
#requisite Request is immediately denied if this line fails.
#sufficient Request is immediately allowed if this line succeeds.
#optional It's okay if this line fails.


#############################################
# auth
#############################################
# RSA only
auth required pam_env.so
auth sufficient pam_securid.so
#auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so


##############################################
# account
##############################################
account required pam_nologin.so
account include system-auth

##############################################
# password
#############################################
password include system-auth

##############################################
# session
##############################################
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so

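How that stack actually decides, shown with an added simulator (not from the original post) of the four control flags described in the comments above: each argument is one module's control flag and result, in stack order, and the calls at the bottom replay the "RSA only" auth section with and without the commented-out pam_unix line.

```shell
#!/bin/sh
# Added example, not from the original post: a small simulator of how
# Linux-PAM walks an auth stack with the required / requisite / sufficient /
# optional control flags.  Each argument is <control>:<result> for one module,
# in stack order; result is "ok" or "fail".  (Simplified: no "include",
# no PAM_IGNORE, and optional modules never decide the outcome here.)

# Prints "allow" or "deny" and returns 0/1 accordingly.
pam_stack() {
    failed=0                      # set once a required module has failed
    for entry in "$@"; do
        ctl=${entry%%:*}; res=${entry#*:}
        case "$ctl:$res" in
            required:fail)  failed=1 ;;                 # remember it, keep going
            requisite:fail) echo deny; return 1 ;;      # stop immediately
            sufficient:ok)  if [ "$failed" -eq 0 ]; then
                                echo allow; return 0    # done, rest is skipped
                            fi ;;
            *) ;;   # required:ok, requisite:ok, sufficient:fail, optional:* change nothing
        esac
    done
    if [ "$failed" -eq 0 ]; then echo allow; return 0; fi
    echo deny; return 1
}

# The auth section above: pam_env required, pam_securid sufficient,
# pam_succeed_if requisite (uid >= 500), pam_deny required.
echo "token ok:             $(pam_stack required:ok sufficient:ok   requisite:ok   required:fail)"
echo "token wrong:          $(pam_stack required:ok sufficient:fail requisite:ok   required:fail)"
echo "token wrong, uid<500: $(pam_stack required:ok sufficient:fail requisite:fail required:fail)"
# With the commented-out "auth sufficient pam_unix.so" line enabled, a valid
# unix password alone satisfies the stack even when the token fails, which is
# why it stays commented out in an "RSA only" setup:
echo "token wrong, password ok, pam_unix enabled: $(pam_stack required:ok sufficient:fail sufficient:ok requisite:ok required:fail)"
```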

FUSE: userspace filesystem (RHEL,CentOs) 
The name was meant to be a clever acronym for "Filesystem in USErspace". Linux kernels 2.6.14 or later contain FUSE support out of the box.

FUSE is made up of three main parts:

- a kernel filesystem module
- a userspace library
- a mount/unmount program

Some options regarding mount policy can be set in the file '/etc/fuse.conf'.


# yum install fuse
# yum install fuse-libs
# wget http://dag.wieers.com/rpm/packages/fuse-sshfs/[your-arch, or import repoforge repo]


mount, umount

# sshfs -o follow_symlinks,nonempty,sshfs_sync,compression=yes user@server:/directory/ /mountpoint/
# fusermount -u /mountpoint/


If the system account is intended only as the sshfs share provider and no interactive logon is required, you may leave the account without a password so that only logon with authorized_keys is possible.


# cat authorized_keys
from="klient4sftpsubsystem.domain.com",no-port-forwarding,no-pty ssh-rsa AAAAB3Nz****key



Interactive simulations <http://phet.colorado.edu/> 
http://www.regentsprep.org/Regents/phys ... icCode=03b

Faraday's Law


Ohm's Law


Battery-Resistor Circuit


Check postfix logs for email delivery  

#!/bin/bash

# program: postfix log checker
# version: 1.2
# purpose: to check logs for mail transport
# usage: $0 from email@domain
#        $0 to email@domain

TEMP1=/tmp/$$.temp1
TEMP2=/tmp/$$.temp2
TEMP3=/tmp/$$.temp3

> "$TEMP1"
> "$TEMP2"
> "$TEMP3"

# remove the temp files when interrupted and on any other exit
trap 'rm -f "$TEMP1" "$TEMP2" "$TEMP3"; echo; echo "program stopped by user"; exit 1' INT TERM
trap 'rm -f "$TEMP1" "$TEMP2" "$TEMP3"' EXIT

[ -z "$1" ] && echo "please specify from or to, ie: from tomas" && exit 1
[ -z "$2" ] && echo "please specify recipient email address, or a part of address" && exit 1

case "$1" in
    from) SEARCH=" from=" ;;
    to)   SEARCH=" to=" ;;
    *)    echo "first argument must be 'from' or 'to'"; exit 1 ;;
esac

email=$2

# print a logfile, decompressing rotated *.gz files on the fly
catlog() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

echo "------------------------------------------------"
echo "search: ($SEARCH)*${email}*"
echo "------------------------------------------------"

for logfile in /var/log/maillog*; do
    echo "parsing logfile ... $logfile"
    catlog "$logfile" | grep -i -E "${SEARCH}.?${email}" >> "$TEMP1"
done

# the postfix queue ID is the 6th field of a syslog line once repeated spaces
# are squeezed ("Jan  5 03:04:05 host postfix/smtpd[123]: ABCDEF1234: from=<...>")
tr -s ' ' < "$TEMP1" | cut -d' ' -f6 | tr -d ':' | sort -u > "$TEMP2"

EVENTS=$( wc -l < "$TEMP2" )

echo "we have found $EVENTS records in our logs"
echo "compacting results"
echo "------------------------------------------------"

> "$TEMP3"
while read -r event; do
    > "$TEMP1"
    echo -n " $event"
    for logfile in /var/log/maillog*; do
        # collect every log line of this queue ID into one long line
        catlog "$logfile" | grep -i "$event" | tr '\n' ' ' >> "$TEMP1"
        echo -n "."
    done

    # from that single long line pick the date of the first event and the
    # last from=, to=, orig_to= and status= fields
    datetime=$( tr -s ' ' < "$TEMP1" | cut -d' ' -f1,2,3 )
    timestamp=$( date -d "$datetime" "+%s" )
    sender=$( sed -n 's/.* \(from=[^ ,]*\).*/\1/p' "$TEMP1" )
    recipient=$( sed -n 's/.* \(to=[^ ,]*\).*/\1/p' "$TEMP1" )
    orig_recipient=$( sed -n 's/.* \(orig_to=[^ ,]*\).*/\1/p' "$TEMP1" )
    status=$( sed -n 's/.* \(status=[^ ]*\).*/\1/p' "$TEMP1" )

    if [ -n "$orig_recipient" ]; then
        echo "$timestamp, $event, $datetime, $sender, $orig_recipient (yet forwarded!), $status" >> "$TEMP3"
    else
        echo "$timestamp, $event, $datetime, $sender, $recipient, $status" >> "$TEMP3"
    fi
done < "$TEMP2"

echo
echo "------------------------------------------------"
echo "generating list, please press space to continue"
echo "running more "
echo "q to quit "
echo "------------------------------------------------"
echo
sleep 3

sort -n --key=1,9 "$TEMP3" | more


