SqueezeKerberosNFSv4StrongCrypto: Difference between revisions
From DcSharedWiki
(change title) |
(remove weak encryption types from kdc.conf, add check commands) |
||
Line 44: | Line 44: | ||
<pre><nowiki> |
<pre><nowiki> |
||
NEED_SVCGSSD=yes |
NEED_SVCGSSD=yes |
||
</nowiki></pre> |
|||
=== /etc/krb5kdc/kdc.conf === |
|||
` supported_enctypes` must only contains encryption types which are not weak ([http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-admin.html#Supported%20Encryption%20Types see weak encryption types]) |
|||
<pre><nowiki> |
|||
[kdcdefaults] |
|||
kdc_ports = 750,88 |
|||
kdc_tcp_ports = 750,88 |
|||
[realms] |
|||
COINCOIN.EU = { |
|||
database_name = /var/lib/krb5kdc/principal |
|||
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab |
|||
acl_file = /etc/krb5kdc/kadm5.acl |
|||
key_stash_file = /etc/krb5kdc/stash |
|||
kdc_ports = 750,88 |
|||
max_life = 10h 0m 0s |
|||
max_renewable_life = 7d 0h 0m 0s |
|||
master_key_type = des3-hmac-sha1 |
|||
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal |
|||
default_principal_flags = +preauth |
|||
} |
|||
</nowiki></pre> |
</nowiki></pre> |
||
Line 107: | Line 132: | ||
</nowiki></pre> |
</nowiki></pre> |
||
Check that weak encryption types are not allowed with `getprinc nfs/kdc.coincoin.eu`. |
|||
=== export nfs@kdc principal to the keytab === |
=== export nfs@kdc principal to the keytab === |
||
Line 127: | Line 154: | ||
</nowiki></pre> |
</nowiki></pre> |
||
You should check that weak encryption types are not enabled with `list -e`. |
|||
=== Create client entry === |
=== Create client entry === |
Revision as of 07:59, 20 September 2011
How to install NFSv4 with strong crypto and Kerberos authentication on Debian Squeeze (using some packages of unstable)
Server
Packages
unstable packages
- linux-image-2.6 >= 2.6.35
- version nfs-common >= 1.2.3
- rpcbind instead of portmap (see debian bug #620059)
kdc:~# apt-get install -t linux-image-2.6 kdc:~# reboot
kdc:~# apt-get install rpcbind # replace portmap by rpcbind in initscripts or install rpcbind >= 0.2.0-5 (see debian bug #565201)
kdc:~# apt-get install -t unstable nfs-kernel-server nfs-common libtirpc1
Configuration
/etc/default/nfs-common
[...] # Do you want to start the idmapd daemon? It is only needed for NFSv4. NEED_IDMAPD=yes # Do you want to start the gssd daemon? It is required for Kerberos mounts. NEED_GSSD=yes
/etc/default/nfs-kernel-server
NEED_SVCGSSD=yes
/etc/krb5kdc/kdc.conf
` supported_enctypes` must only contains encryption types which are not weak (see weak encryption types)
[kdcdefaults] kdc_ports = 750,88 kdc_tcp_ports = 750,88 [realms] COINCOIN.EU = { database_name = /var/lib/krb5kdc/principal admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab acl_file = /etc/krb5kdc/kadm5.acl key_stash_file = /etc/krb5kdc/stash kdc_ports = 750,88 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = des3-hmac-sha1 supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal default_principal_flags = +preauth }
/etc/krb5.conf
[libdefaults] default_realm = COINCOIN.EU
Create needed directory
kdc:/root# mkdir /mnt/sdb1 kdc:/root# mkdir -p /export/Documents
/etc/exports
/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0) /export/Documents gss/krb5p(rw,async,no_subtree_check)
/etc/fstab
# [...] /dev/sdb1 /mnt/sdb1 ext3 defaults,acl 1 2 /mnt/sdb1/Documents /export/Documents none ro,bind 0 0
mount directory
kdc:/root# mount /mnt/sdb1 kdc:/root# mount /export/Documents
Export directories
kdc:/root# exportfs -rv exporting gss/krb5p:/export/Documents exporting gss/krb5p:/export
NFS service: Create principal entry
kdc:/root# kadmin.local Authenticating as principal root/admin@COINCOIN.EU with password. kadmin: addprinc -randkey nfs/kdc.coincoin.eu WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created.
Check that weak encryption types are not allowed with `getprinc nfs/kdc.coincoin.eu`.
export nfs@kdc principal to the keytab
kdc:/root# kadmin.local Authenticating as principal root/admin@COINCOIN.EU with password. ktadd -k /etc/krb5.keytab nfs/kdc.coincoin.eu
You can list content of keytab:
kdc:~# ktutil ktutil: rkt /etc/krb5.keytab ktutil: list slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 nfs/kdc.coincoin.eu@COINCOIN.EU
You should check that weak encryption types are not enabled with `list -e`.
Create client entry
kdc:/root# kadmin.local kadmin: addprinc -randkey nfs/client.coincoin.eu WARNING: no policy specified for nfs/client.coincoin.eu@COINCOIN.EU; defaulting to no policy Principal "nfs/client.coincoin.eu@COINCOIN.EU" created.
Start services
- /etc/init.d/nfs-common start
- /etc/init.d/nfs-kernel-server start
Client
Packages
- linux-image-2.6 >= 2.6.35
- version nfs-common >= 1.2.3
client:~# apt-get install -t linux-image-2.6 client:~# reboot
client:~# apt-get install -t unstable nfs-client
Configuration
/etc/krb5.conf
[libdefaults] default_realm = COINCOIN.EU
/etc/fstab
kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0 0
Check DNS configuration
root@client:/root# host kdc.coincoin.eu kdc.coincoin.eu has address 192.168.20.123 root@client:/root# host 192.168.20.123 123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.
/etc/default/nfs-common
[...] # Do you want to start the idmapd daemon? It is only needed for NFSv4. NEED_IDMAPD=yes # Do you want to start the gssd daemon? It is required for Kerberos mounts. NEED_GSSD=yes
Start services
client:~# /etc/init.d/nfs-common restart
Create keytab
client:~# kadmin -p superuser Authenticating as principal superuser with password. Password for superuser@COINCOIN.EU: ktadd -k /etc/krb5.keytab nfs/client.coincoin.eu
Check configuration
verify enctypes
klist -e Ticket cache: FILE:/tmp/krb5cc_1000_6gVtAq Default principal: plop@COINCOIN.EU Valid starting Expires Service principal 03/30/11 18:32:59 03/31/11 04:32:59 krbtgt/COINCOIN.EU@COINCOIN.EU renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 03/30/11 21:31:05 03/31/11 04:32:59 nfs/kdc.coincoin.eu@COINCOIN.EU renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96