SqueezeKerberosNFSv4StrongCrypto

From DcSharedWiki
Revision as of 07:59, 20 September 2011 by Pilou (remove weak encryption types from kdc.conf, add check commands)

How to install NFSv4 with strong crypto and Kerberos authentication on Debian Squeeze (using some packages from unstable)


Server

Packages

unstable packages

  • linux-image-2.6 >= 2.6.35
  • nfs-common >= 1.2.3
  • rpcbind instead of portmap (see debian bug #620059)
kdc:~# apt-get install -t unstable linux-image-2.6
kdc:~# reboot


kdc:~# apt-get install rpcbind # replace portmap by rpcbind in initscripts or install rpcbind >= 0.2.0-5 (see debian bug #565201)


kdc:~# apt-get install -t unstable nfs-kernel-server nfs-common libtirpc1

Configuration

/etc/default/nfs-common

[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes


/etc/default/nfs-kernel-server

NEED_SVCGSSD=yes


/etc/krb5kdc/kdc.conf

`supported_enctypes` must only contain encryption types that are not weak (see weak encryption types)


[kdcdefaults]
    kdc_ports = 750,88
    kdc_tcp_ports = 750,88

[realms]
    COINCOIN.EU = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal
        default_principal_flags = +preauth
    }


/etc/krb5.conf

[libdefaults]
        default_realm = COINCOIN.EU


Create needed directories

kdc:/root# mkdir /mnt/sdb1
kdc:/root# mkdir -p /export/Documents


/etc/exports

/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0)
/export/Documents  gss/krb5p(rw,async,no_subtree_check)


/etc/fstab

# [...]
/dev/sdb1           /mnt/sdb1         ext3 defaults,acl 1       2
/mnt/sdb1/Documents /export/Documents none ro,bind      0       0


Mount directories

kdc:/root# mount /mnt/sdb1
kdc:/root# mount /export/Documents


Export directories

kdc:/root# exportfs -rv
exporting gss/krb5p:/export/Documents
exporting gss/krb5p:/export


NFS service: Create principal entry

kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin:  addprinc -randkey nfs/kdc.coincoin.eu
WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy
Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created.


Check that weak encryption types are not allowed with `getprinc nfs/kdc.coincoin.eu`.

Export the nfs/kdc.coincoin.eu principal to the keytab

kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin:  ktadd -k /etc/krb5.keytab nfs/kdc.coincoin.eu

You can list the content of the keytab:

kdc:~# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2    nfs/kdc.coincoin.eu@COINCOIN.EU


You should check that weak encryption types are not enabled with `list -e` in ktutil.

Create client entry

kdc:/root# kadmin.local
kadmin:  addprinc -randkey nfs/client.coincoin.eu
WARNING: no policy specified for nfs/client.coincoin.eu@COINCOIN.EU; defaulting to no policy
Principal "nfs/client.coincoin.eu@COINCOIN.EU" created.


Start services

  • /etc/init.d/nfs-common start
  • /etc/init.d/nfs-kernel-server start

Client

Packages

  • linux-image-2.6 >= 2.6.35
  • nfs-common >= 1.2.3
client:~# apt-get install -t unstable linux-image-2.6
client:~# reboot


client:~# apt-get install -t unstable nfs-common


Configuration

/etc/krb5.conf

[libdefaults]
        default_realm = COINCOIN.EU


/etc/fstab

kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0  0


Check DNS configuration

root@client:/root# host kdc.coincoin.eu
kdc.coincoin.eu has address 192.168.20.123
root@client:/root# host 192.168.20.123
123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.


/etc/default/nfs-common

[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes


Start services

client:~# /etc/init.d/nfs-common restart


Create keytab

client:~# kadmin -p superuser
Authenticating as principal superuser with password.
Password for superuser@COINCOIN.EU: 
kadmin:  ktadd -k /etc/krb5.keytab nfs/client.coincoin.eu


Check configuration

See KerberosNFSv4#Errors

Verify encryption types

klist -e
Ticket cache: FILE:/tmp/krb5cc_1000_6gVtAq
Default principal: plop@COINCOIN.EU

Valid starting     Expires            Service principal
03/30/11 18:32:59  03/31/11 04:32:59  krbtgt/COINCOIN.EU@COINCOIN.EU
        renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/30/11 21:31:05  03/31/11 04:32:59  nfs/kdc.coincoin.eu@COINCOIN.EU
        renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
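The three manual checks on this page (`supported_enctypes` in kdc.conf, `ktutil list -e` on the keytab, and `klist -e` on the ticket cache) can be automated. The script below is an added example, not part of this wiki page; the sample kdc.conf, keytab listing and klist output it contains are constructed (the kdc.conf line deliberately appends a weak des-cbc-crc entry so the check has something to flag), and the set of weak enctypes is my assumption based on the types MIT krb5 1.8+ disables unless `allow_weak_crypto` is set.

```python
import re

# Assumed weak set: enctypes MIT krb5 (1.8+) refuses unless allow_weak_crypto = true.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
    "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp",
}

# Constructed samples: this page's supported_enctypes line plus a weak entry,
# a 'ktutil list -e' style keytab listing with one weak key, and a klist -e excerpt.
SAMPLE_KDC_CONF = """\
[realms]
    COINCOIN.EU = {
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal
    }
"""
SAMPLE_KTUTIL = """\
slot KVNO Principal
---- ---- ------------------------------------------------------------
   1    2    nfs/kdc.coincoin.eu@COINCOIN.EU (aes256-cts-hmac-sha1-96)
   2    2    nfs/kdc.coincoin.eu@COINCOIN.EU (des-cbc-md5)
"""
SAMPLE_KLIST = """\
03/30/11 21:31:05  03/31/11 04:32:59  nfs/kdc.coincoin.eu@COINCOIN.EU
        renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

def kdc_conf_enctypes(text):
    """Enctype names from every supported_enctypes line, ':salttype' suffix removed."""
    names = []
    for m in re.finditer(r"^\s*supported_enctypes\s*=\s*(.+)$", text, re.M):
        names += [tok.split(":", 1)[0] for tok in m.group(1).split()]
    return names

def listing_enctypes(text):
    """Enctypes from 'ktutil list -e', 'klist -e' or kadmin 'getprinc' output."""
    names = re.findall(r"^\s*\d+\s+\d+\s+\S+\s+\(([\w-]+)\)", text, re.M)  # ktutil rows
    for m in re.finditer(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)", text):  # klist -e
        names += [m.group(1), m.group(2)]
    names += re.findall(r"^Key: vno \d+, ([\w-]+)", text, re.M)  # getprinc "Key:" lines
    return names

def weak_enctypes(names):
    """Weak enctypes among names, in first-seen order, without duplicates."""
    return [n for i, n in enumerate(names) if n in WEAK_ENCTYPES and n not in names[:i]]

if __name__ == "__main__":
    for label, found in (("kdc.conf", kdc_conf_enctypes(SAMPLE_KDC_CONF)),
                         ("keytab", listing_enctypes(SAMPLE_KTUTIL)),
                         ("ticket cache", listing_enctypes(SAMPLE_KLIST))):
        weak = weak_enctypes(found)
        print(f"{label}: {'WEAK ' + ', '.join(weak) if weak else 'ok'}")
```

Because the list follows MIT's `allow_weak_crypto` set, arcfour-hmac (RC4) from this page's kdc.conf is not flagged; add it to WEAK_ENCTYPES if your own policy excludes RC4 as well.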