bits | andy smith's blog » Security

IPv6 for a Linux generation

Andy Smith — Sun, 07 Feb 2010 23:35:04 +0000

IPv6 is nothing new – it was finally standardised back in 1998 in RFC 2460, and virtually all operating systems have supported it now for at least 5 years, so most people are in a position to give it a try.

If you’re one of the lucky ones, your ISP might provide native IPv6 connectivity (like AAISP), but for most of us, the main way to get connected to the rest of the IPv6 Internet is to use something we’ve already got – IPv4. And we’re going to tunnel over it.

The first thing we need to do is choose a tunnel broker, which is a fancy name for someone who’ll provide us with an IPv4 endpoint we can tunnel IPv6 over. Wikipedia has a list, but the main, globally available ones are Hurricane Electric and SixXS. Either of these will do, and some people prefer HE over SixXS, but that’s a purely personal choice – in my experience, both work equally as well. For this example, though, we’ll go with HE – so head on over to http://tunnelbroker.net/ and create an account.

My first tunnel

Once you’ve created your account, log in and create a tunnel. For some reason, it always seems to pick their New York POP, so you might want to manually choose one geographically closer (in my case – and for our example – London, UK)

Creating a tunnel

The IP address you use as your local end of the tunnel will need to be a public IP address. It’s possible to use a machine behind a NAT device if it’s in a DMZ-style setup where all the traffic destined for the public IP address gets forwarded by the NAT device to the machine behind it, but your mileage may vary.

Once created, view the tunnel details, which should look something like this:-

Editing the tunnel details

Our tunnel has been created! At the bottom of the page, you’ll notice a little drop-down that generates the commands needed to bring up the tunnel. For this example, we’re using iproute2, so the commands go something like this:-

ip tunnel add he-ipv6 mode sit remote 216.66.80.26 local 192.0.2.1 ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:1f08:810::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6

The first command creates an IPv6-in-IPv4 tunnel between us and HE, and the second command brings up that tunnel. The third command adds our IPv6 address to our end of the tunnel, and finally the fourth command sets the IPv6 default route to be down our newly-created tunnel.

And that’s it – we’re now connected to the global IPv6 internet. To test it, let’s try pinging something:-

mordor:~# ping6 -c 3 www.he.net
PING www.he.net(he.net) 56 data bytes
64 bytes from he.net: icmp_seq=1 ttl=58 time=375 ms
64 bytes from he.net: icmp_seq=2 ttl=58 time=257 ms
64 bytes from he.net: icmp_seq=3 ttl=58 time=255 ms

--- www.he.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 255.562/296.218/375.628/56.158 ms

If you see something like the above, then give yourself a pat on the back, because it’s working!

Next steps

HE by default assigns you a /64 network, which is the smallest size intended to be allocated. This gives you 18,446,744,073,709,551,616 IPs, and whichever way you look at it that’s a lot of addresses. With this in mind, you might be wondering why HE will give you a /48 (that’s 1,208,925,819,614,629,174,706,176 IPs!). The reason is that each network is intended to have a /64, and a /48 allows you to carve up that space into a total of 65,536 separate /64 networks. Now this obviously sounds like overkill to the average user, but autoconfiguration tools such as radvd won’t work with networks smaller than /64, again because of the intentions mentioned previously. This means that if you have more than one network at home (say, a wired network and a wireless network, currently with separate IPv4 networks for each), you can assign a /64 to each one.

With this is mind, let’s ask HE for a /48 by clicking on Allocate in the ‘Routed /48′ section. After a few seconds, you’ll see something like this:-

Allocating our /48

In our example, we’ve been allocated 2001:470:90d3::/48, and now it’s time to plan our IP schema.

Laying it out

Taking my own home network as an example, I have three networks – one for general use (the ‘LAN‘), one for guest use over wireless (the ‘WLAN‘), and finally a DMZ (the… er, ‘DMZ‘). We could lay these out like this:-

LAN – 2001:470:90d3:1::/64
DMZ – 2001:470:90d3:2::/64
WLAN – 2001:470:90d3:3::/64

Nice and simple, and easy to remember. Assuming all three networks are connected to the same gateway machine, we can give the gateway the first IP in the range – 2001:470:90d3:1::1, 2001:470:90d3:2::1 and 2001:470:90d3:3::1.

Routing things further

Before we start, we need to enable IP forwarding for IPv6:-

sysctl -w net.ipv6.conf.all.forwarding=1

You’ll probably want to add this somewhere so it gets activated on bootup – under Debian this would be in /etc/sysctl.conf (which already has the entry, albeit commented out).

One way to provide connectivity to machines on the individual networks is to manually give each machine an IPv6 address, and to route it through our gateway:-

ip addr add 2001:470:90d3:1::2/64 dev eth0
ip route add ::/0 via 2001:470:90d3:1::1 dev eth0

Again, all being well, you should now be able to route to the wider IPv6 Internet from our newly-configured IPv6 node. More importantly, this also means that the wider IPv6 Internet can route back to you – which brings us to…

Security, not obscurity

Don’t be fooled into thinking that because of the immense range of possible IPv6 addresses that securing your new IPv6 setup isn’t required – IPv6 is no exception when it comes to the Internet Bad Guys, so implementing firewall rules is of the utmost importance.

The problem with IPv4 and NAT is that it’s allowed people to become somewhat complacent about security, because machines behind a NAT device are naturally unreachable from the global Internet. IPv6 does not have NAT, which means you don’t have this (rather lazy) safety net, so we have to do it properly.

Luckily, if you’re familiar with iptables, you’ll be glad to know that there’s an IPv6 equivalent – and it’s called (predicatably) ip6tables. The syntax is identical, and in fact the only noticeable difference is that you’re using IPv6 addresses and networks instead of IPv4 ones.

A quick example would go something like this:-

# Clear our INPUT, OUTPUT and FORWARD chains
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD

# Allow packets related to existing connections
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow link-local (for neighbour discovery)
ip6tables -A INPUT -s fe80::/10 -j ACCEPT

# Allow SSH inbound to our gateway from our LAN
ip6tables -A INPUT -i lan -s 2001:470:90d3:1::/64 -p tcp
   -m tcp --dport 22 -j ACCEPT

# Allow all outbound from our networks
ip6tables -A FORWARD -i dmz -s 2001:470:90d3:1::/64 -j ACCEPT
ip6tables -A FORWARD -i lan -s 2001:470:90d3:2::/64 -j ACCEPT
ip6tables -A FORWARD -i wlan -s 2001:470:90d3:3::/64 -j ACCEPT

# Allow all outbound from our gateway
ip6tables -A OUTPUT -j ACCEPT

# Allow SSH and HTTPS inbound to our DMZ
ip6tables -A FORWARD -i he-ipv6 -d 2001:470:90d3:1::/64 -p tcp
   -m multiport --dports 22,443 -j ACCEPT

# Set the default policy to drop
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

So there you have it – IPv6 firewalling needn’t be difficult. If you want to make something more complex, you might want to take a look at my previous post about iptables and the ‘mark’ target, which also applies to ip6tables.

IPv6 – automatically

Just like DHCP for IPv4, there are autoconfiguration mechanisms for IPv6 – radvd and DHCPv6. Radvd is the older of the two, but both can be used for the same purpose. Configuration of radvd is relatively straightforward, and if we wanted to provide autoconfiguration on our example LAN, we can do something like this:-

interface lan
{
      AdvSendAdvert on;
      MinRtrAdvInterval 3;
      MaxRtrAdvInterval 10;
      AdvDefaultPreference low;
      AdvHomeAgentFlag off;

      prefix 2001:470:90d3:2::/64
      {
            AdvOnLink on;
            AdvAutonomous on;
            AdvRouterAddr off;
      };
};

Where next?

This only covers the start – there’s more involved in bringing an IPv6 network up to scratch, like setting up forward and reverse DNS, and configuring various daemons to talk over IPv6 as well as IPv4. If you’re interested, you might find some of the following links useful reading:-

GnuPG – RSA key-pair mini-Howto with stronger digests

Andy Smith — Tue, 02 Feb 2010 15:19:16 +0000

(Note: This was originally posted on my previous blog, but I’ve noticed that it’s being linked to, so I’ve reposted it here)

I’m not a mathematician (or a cryptographer) so I’m happy to take this post‘s word for it about a recent attack against SHA-1 (short PDF here). The post goes into detail about changing the preferred digests on a key, and is well worth a read.

The post also talks about using 2048-bit RSA keys, instead of the DSA/Elgamal default (which has a maximum size of 1024 bits). It goes into detail about how to migrate to an RSA key – if you’re going to migrate, I definitely recommend reading it.

However, I thought it would be nice to write a (very) quick guide on generating RSA private keys with GnuPG, as there are a few extra steps involved – but nothing complicated!

Preparation

The first thing mentioned in the post on Debian Administration is to set a couple of GnuPG config options to ensure that any digests generated by you are using the stronger SHA256, rather than SHA-1. Doing this is simple:-

cat >>~/.gnupg/gpg.conf <

We’re now ready to generate our key.

Generate our first key

To start with, start the key generation as normal:-

[andys@sirius ~]$ gpg --gen-key
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)

(1) is the default, and generates a DSA key with an Elgamal subkey for encrypting. But for our RSA key, we need to choose (5).

Next, we’re asked for our key length. This is between 1024 and 4096 bits. The default is 2048, but for mine I’ve chosen 4096. A good overview of keys and key sizes can be found on pgp.net here.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits

The next question is about how long you want the key to be valid. Again, this is personal preference, and in this instance I’ve chosen ’0′ for ‘never expires’:-

Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

Next up is your user ID, which consists of your name, e-mail address and a comment. I tend to leave the comment field blank, but it’s there if you want it:-

You need a user ID to identify your key; the software constructs the
user ID from the Real Name, Comment and E-mail Address in this form:
    "Heinrich Heine (Der Dichter) "

Real name: Andy Smith
E-mail address: andy.smith@netprojects.org.uk
Comment: [Return]
You selected this USER-ID:
    "Andy Smith "

Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit?

Select ‘O’ to continue.

You need a Passphrase to protect your secret key.

You’re now being prompted to set a passphrase on the key. This can be as strong or as weak as you like, but considering the importance of your private key it’s best to secure it with a strong passphrase.

After supplying a passphrase, the actual key will be generated. RSA keys require quite a bit of entropy (‘randomness’), and you’ll probably get a warning like this:-

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy!  (Need 284 more bytes)

A good way to generate entropy is to create lots of I/O traffic (keyboard, mouse, network, disk, etc.). I found using cat(1) on files and redirecting the output to /dev/null worked quite well, especially if you use a block device of some sort (for example, I did cat /dev/sdb >/dev/null, where /dev/sdb was a 1GB USB key).

Eventually – hopefully after not too much of a wait – gpg will report that it has completed generating the key, and you’ll have output a bit like this:-

gpg: key A0E6B93E marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   4096R/A0E6B93E 2009-05-08
 Key fingerprint = B2C5 59E3 E685 757A 45CD  7760 5BF3 1276 A0E6 B93E
uid                  Andy Smith

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.

The key ID is now given, which in this case is A0E6B93E. We can also see (on the line that starts with ‘pub’) that the key is 4096 bits in size, and is an RSA key (denoted by the ‘R’). Sharp-eyed readers may have noticed that the key ID is actually the last 8 bytes^[1] of the key’s fingerprint – this is because the key ID is just a shorter way of expressing the key fingerprint, and in itself isn’t guaranteed (or indeed intended) to be unique.

Also important is the last two lines, which point out that our brand spanking new key can’t be used to encrypt anything just yet.

Adding encryption

So without further ado, let’s create a subkey that lets us do encryption with our key:-

[andys@sirius ~]$ gpg --edit-key A0E6B93E
<...version information...>

Secret key is available.

pub  4096R/A0E6B93E  created: 2009-05-08  expires: never
  usage: SC
 trust: ultimate      validity: ultimate
[ultimate] (1). Andy Smith 

Command>

Unsuprisingly, ‘addkey’ is the command we want to generate a subkey, so that’s what we’ll run. Upon hitting enter, you’ll be prompted for the passphrase you set on your key earlier. Once given, you’ll be presented with a menu like this:-

Please select what kind of key you want:
 (2) DSA (sign only)
 (4) Elgamal (encrypt only)
 (5) RSA (sign only)
 (6) RSA (encrypt only)
Your selection?

Since it’s to complement our existing RSA key – which can already be used for signing – (6) is the option we want. Picking it brings us to a familiar prompt, wherein we’re asked for a key size:-

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096

The subkey’s size doesn’t have to match that of the parent key, but in this case I’ve gone for the same size, so 4096 it is. After picking a size, you’ll again be asked how long you want the key to be valid for. I’ve gone for 0 again, but again it doesn’t have to match that of the parent key. There is a slight difference, in that you’ll be prompted twice, just to make sure that you want to create the subkey:-

Really create? (y/N) y

Now it’s time once more to play the entropy game. Use whatever you found worked for you earlier, and eventually you’ll see something like this:-

pub  4096R/A0E6B93E  created: 2009-05-08  expires: never
  usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/5D0CCD64  created: 2009-05-08  expires: never
  usage: E
[ultimate] (1). Andy Smith

As you can see, I now have a subkey with a fingerprint ending in 5D0CCD64, which can be used for encryption – denoted by the ‘E’ at the end of the line. Also noted is that the key is ‘ultimately trusted’ by me, because it’s been added as a subkey to my key.

Changing the digest settings

As per the post linked to at the beginning, we can change the digest (or ‘hash’) that we prefer to receive signed data in. Without going into too much detail (you should read the post!), we can change these preferences:-

Command> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES
  CAST5 ZLIB BZIP2 ZIP Uncompressed

Our preferences are confirmed back to us, and we’re asked to accept them:-

Set preference list to:
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
Really update the preferences? (y/N) y

Confirming our changes

Since we’re now finished, we need to save the key to confirm our subkey:-

Command> save
[andys@sirius ~]$ _

At this point, the key can now be used for signing and encryption. You can do other things, such as add a small photo to the key using the ‘addphoto’ command, but two things you should do are to publish the key to a keyserver, and to generate a revocation certificate.

Publishing your new key

I won’t dwell too much on details, but in brief keyservers are exactly what they sound like – they serve keys out to users. Submitting your key to a keyserver allows other people to search for and download your public key from a keyserver. This saves you having to send a copy to everybody who wants it, for one.

Submitting is simple:-

[andys@sirius ~]$ gpg --keyserver keys.gnupg.net --send-key A0E6B93E
gpg: sending key A0E6B93E to hkp server keys.gnupg.net

Providing there are no errors, your key has been submitted to the keyserver at keys.gnupg.net.

Revocation

There’s a few reasons why you may no longer wish to use a key. It might have been compromised by a 3rd party, or it might simply be that you’ve forgotten the password. That’s why it’s a good idea imperative that you generate a revocation certificate and store it somewhere safe and inaccessible to everyone but you! A revocation certificate allows the holder of the certificate to revoke your key, and ideally the holder will be you and only you.

To generate a revocation certificate:-

[andys@sirius ~]$ gpg --gen-revoke A0E6B93E >A0E6B93E-rev.asc

This then gives us:-

sec  4096R/A0E6B93E 2009-05-08 Andy Smith

Create a revocation certificate for this key? (y/N) y

After answering in the affirmative, you’ll be prompted for a reason why you want to revoke the key. In my case, I’m going to choose (3), as the key was created for the purposes of this demonstration, but as you can see there are a number of other options to choose from:-

Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 3

You can now enter a description, which is fairly obvious:-

Enter an optional description; end it with an empty line:
> Demonstration
> [Return]
Reason for revocation: Key is no longer used
Demonstration

Is this okay? (y/N) y

Answer yes, and you’ll again be prompted for your passphrase:-

You need a passphrase to unlock the secret key for
user: "Andy Smith "
4096-bit RSA key, ID A0E6B93E, created 2009-05-08

ASCII armoured output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print
system of your machine might store the data and make it available to
others!

At this point, you now have a revocation certificate in A0E6B93E-rev.asc. If you want to revoke this key now (which we do), then import it. It’s important to note that you don’t import the revocation certificate until you actually want to revoke the key. Anyway, here’s how:-

[andys@sirius ~]$ gpg --import

You won’t be asked to confirm this action, and you’ll immediately see the following:-

gpg: key A0E6B93E: "Andy Smith " revocation certificate imported gpg: Total number processed: 1 gpg: new key revocations: 1 gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u

This indicates that the key has now been revoked, which we can check by typing:-

[andys@sirius ~]$ gpg -k A0E6B93E pub 4096R/A0E6B93E 2009-05-08 [revoked: 2009-05-08] uid Andy Smith

All that remains is for us to repeat the process we used earlier to submit our key to the keyserver, which this time will send the revoked version of the key:-

[andys@sirius ~]$ gpg --keyserver keys.gnupg.net --send-key A0E6B93E gpg: sending key A0E6B93E to hkp server keys.gnupg.net

Our key will now appear to be revoked to anyone who looks for it.

Summary

That should just about cover the basics of generating an public/private RSA key pair with GnuPG. There’s a lot more that can be done with it, and having a good read about cryptography in general will help you get your head around some of the fruitier bits.

[1] – Thanks to Tero Pesonen who correctly pointed out that I’d originally put 8 bits when of course it’s the last 8 bytes.[2] Cheers Tero!

[2] – Thanks also to Tom, who pointed out that both myself and Tero were wrong – it’s the last 4 bytes. I might give up now

Further reading

Thanks to Daniel Kahn Gillmor for his article ‘HOWTO prep for migration off of SHA-1 in OpenPGP‘, which details the digest steps above and was the inspiration for this article. Thanks also to Martin Krafft for his post ‘The need for a GPG revocation certificate‘.

The comp.security.pgp FAQ – http://www.pgp.net/pgpnet/pgp-faq/

HOWTO prep for migration off of SHA-1 in OpenPGP (Daniel Kahn Gillmor / Debian Administration)

The need for a GPG revocation certificate (Martin Krafft)

Pretty Good Privacy (Wikipedia)

Authenticating Active Directory users on Linux with Likewise Open

Andy Smith — Thu, 28 Jan 2010 01:09:35 +0000

Historically, if you wanted to use Active Directory to authenticate users on a UNIX box, you were pretty much limited to using LDAP. This works fine for some people, but it’s not particularly elegant – especially if you’re having to create users home directories all the time, which negates some of the point of centralising authentication to begin with.

I’m from a UNIX (mostly Linux) background, so I’m more at home using UNIX-alike platforms. That said, there’s a few things that Microsoft do that are particularly useful, and in my opinion AD is one of them (quiet at the back, there). Handily, there’s a project that can marry the two, and it goes by the name of Likewise.

Likewise Enterprise is Likewise Software’s commercial offering, but they also provide an open-source edition in the form of Likewise Open, which is what I’m going to focus on here. Conceptually, using Likewise is equivalent to binding a Windows machine to a domain, and the method of doing it is similar. The code is somewhat related to Samba, so some parts of it may be familiar to anyone who’s meddled around with Samba in any depth.

Starting out

First off, you’ll need the Likewise Open installer, which you can get from here (signup required). Grab the installer for your particular distro or operating system – for this example I’m using a fresh Debian (lenny) GNU/Linux install, but the process is essentially the same for others, such as Solaris. One you’ve got it, installing it is just a matter of running it:-

adtest:~# chmod +x ./LikewiseIdentityServiceOpen-...-linux-i386-deb-installer adtest:~# ./LikewiseIdentityServiceOpen-...-linux-i386-deb-installer

Follow the prompts, and after a few seconds you’ll be returned to a prompt. Assuming the install completed successfully, in the case of Debian (or Ubuntu), running ‘dpkg -l | grep likewise‘ will show a few new packages have been installed (for RedHat/CentOS, replace ‘dpkg -l‘ with ‘rpm -qa‘).

Before going any further, make sure your resolvers are set up correctly, and that the local machine’s time is synchronised – either against an external NTP source, or one of the domain controllers. You can check that DNS resolution is working correctly by running:-

adtest:~# host test.example.com

…and all being well, you’ll see something like this:-

test.example.com          A     10.1.1.1 test.example.com          A     10.1.2.1

If you’re okay so far, configuring the machine to use AD requires one command:-

adtest:~# /opt/likewise/bin/domainjoin-cli join test.example.com andys

After a few seconds, providing the local machine can see the domain controllers, you should be prompted for your domain password. As when binding a Windows machine to a domain, the account you use must have the right privileges, which usually means that it’s in the Domain Admins group or similar. So:-

Joining to AD Domain:   test.example.com With Computer DNS Name: adtest.test.example.com andys@TEST.EXAMPLE.COM's password:

…wait a few seconds…

Warning: System restart required Your system has been configured to authenticate to Active Directory for the first time. It is recommended that you restart your system to ensure that all applications recognize the new settings. SUCCESS

Now, in my experience you don’t strictly need to reboot, however it’s a good idea to, so go ahead and reboot the machine.

The basics

Assuming the box rebooted, we can now test that AD integration is working. Log in, and at a prompt type:-

adtest:~# id TEST\\andys

…replacing ‘TEST\\andys‘ with your domain and username. The double backslash is important, because most UNIX shells use ‘\’ for escaping characters. If you want, you can also use the ‘user@domain‘ syntax. If all is well, you’ll see something like this:-

uid=2096628820(TEST\andys) gid=2096628225(TEST\domain^users) groups=2096628225(TEST\domain^users),2096628224(TEST\domain^admins)

At this point I should offer a word of caution: Because the machine is now bound to the domain, it means users on the domain can log into it. Obviously this is the whole point, but it’s something to be mindful of, especially if the domain is used by many people.

The UIDs and GIDs may look ridiculously large, but don’t worry – UIDs under most UNIXen are 32-bit, so this will be fine. There’s also a good reason for it – Likewise guarantees that the IDs will be unique and consistent across all machines bound to the same domain. You’ll also notice that the user’s primary group is set to the primary group from AD, which is usually ‘Domain Users‘.

The domainjoin-cli command also makes some changes to /etc/nsswitch.conf and the PAM configuration. On my example Debian box, having a peek at /etc/pam.d/common-auth reveals:-

auth   sufficient   /lib/security/pam_lsass.so auth   required   pam_unix.so nullok_secure try_first_pass

pam_lsass.so is the PAM shared library for the lsass – or Local Security Authority Subsystem Service – part of Likewise. The example above is simple enough, and accepts domain users, falling back to standard UNIX users if the given username isn’t a domain user.

Making changes

Likewise installs its configuration files in /etc/likewise. The one that’s probably of most interest is lsassd.conf, which controls how the lsass daemon lsassd handles users. Before going into any detail, you’ll notice that lsassd.conf is split into two sections – the first being for domain users (the [auth provider:lsa-activedirectory-provider] section), and the second being for ‘local’ users (under [auth provider:lsa-local-provider]). The local users are usually just ‘COMPUTER\Administrator‘ and ‘COMPUTER\Guest‘ (where COMPUTER is the name of the local machine), and are synonymous to the Administrator and Guest accounts on Windows machines. Chances are you won’t need to touch the local users section, so we can safely ignore it.

There’s quite a few options to play with in lssasd.conf, but the main ones we’re interested in are:-

login-shell-template, which allows us to set the default shell for domain users. This is (by default) set to /bin/sh, so in many cases you might want to change it to /bin/bash.

homedir-template, which specifies where domain users’ home directories will be created. The default for this is %H/local/%D/%U, which in our example would expand to /home/local/TEST/andys for my account. Personally, I prefer to drop the ‘local’ bit and use %H/%D/%U, which would change my home directory to /home/TEST/andys.

require-membership-of, which lets us specify which groups are allowed to authenticate against this machine in a comma-separated list.

It’s important to note that if you use the last option, any domain user which isn’t a member of one of the specified groups will fail any PAM configuration that calls pam_lsass.so. This means that if you wanted to allow certains groups SSH access, whilst allowing a larger set of groups access to FTP, you don’t want to omit the FTP user groups from here. If you’re building this kind of setup, you’ll want to allow all the groups in lsassd.conf, and then build your PAM configuration to conditionally allow access based on group membership using pam_group.

Once you’ve finished making your configuration changes, you’ll need to tell Likewise to reload the configuration:-

adtest:~# /opt/likewise/bin/lw-refresh-configuration Configuration successfully loaded from disk.

It also doesn’t hurt (and I’ve sometimes found it neccessary) to clear the local AD cache:-

adtest:~# /opt/likewise/bin/lw-ad-cache --delete-all The cache has been emptied successfully.

…and that’s it! You should now have AD authentication working through PAM.

Useful commands

Likewise installs quite a few tools in /opt/likewise/bin (many of which are symlinks to lw-lsa), some of which come in handy for testing:-

lw-refresh-configuration, which as mentioned above reloads the lsassd configuration from lsassd.conf.

lw-ad-cache (also partly mentioned above), which lets us manipulate the local AD cache. For example, lw-ad-cache –enum-users will list the users’ details currently stored in the cache.

lw-enum-users/lw-enum-groups, which predictably list all the users and groups in the domain.

lw-get-status, which shows quite a bit of information about the domain itself.

These are just a few, so it’s useful to have a poke about in /opt/likewise/bin and see what there is.

Hints

Because Likewise integrates itself via PAM, pretty much everything which can work with normal UNIX users can cope fine with domain users. For instance:-

You can use the tilde (~) shortcut to go to a domain user’s home directory, for example cd ~andys@TEST. For some reason, the backslash notation doesn’t work here, and you may also notice that tab completion doesn’t work either.

With most things, you can refer to domain users as either TEST\\andys, TEST.EXAMPLE.COM\\andys, andys@TEST or andys@TEST.EXAMPLE.COM, including when logging in on the console or via SSH. There are exceptions (such as the previous point), but they’re few and far between.

Sudo happily works with domain groups – just remember to double-backslash.

You can use chown and chgrp in the ways you’d normally expect, using either the domain group names, or their GIDs.

ACLs (under Linux) also work, so if you’ve mounted a partition with the ‘acl‘ option, you can use setfacl as normal.

If it all goes wrong…

Sometimes things go wrong. With Likewise, it’s usually straightforward. If you’re getting errors when binding to the domain with domainjoin-cli, it’s usually because it’s having problems connecting to the domain controller. If your domain controllers are on a different network, check that any firewalls inbetween aren’t dropping SMB traffic. The domainjoin-cli command should give you a definitive list of ports it needs open to communicate with the domain controller.

Once up and running, I’ve found Likewise Open to be very stable, but on the odd occasion that something has gone awry, it’s often enough to just restart the lsassd daemon. Failing that, try emptying the cache (with lw-ad-cache –delete-all). If you’re still getting odd errors, it might be worth checking out the documentation or the forums.

Where to from here?

Because the PAM magic happens with pam_lsass, in theory anything which uses PAM can be made AD-aware. I’ve personally used it with Pure-FTPd to provide company-wide access to an fileserver, and it works flawlessly with gdm, so you can use it on your desktop. Again, because it’s PAM-based, it can be stacked with other modules such as pam_securid (for RSA’s SecurID tokens) or pam_opie (for one-time password sets).

Ironically, one thing that does require a little bit more configuration is Samba – something I’ll cover in a future post.

Update: Yvo van Doorn comments below with a handy hint if you only need access to one domain, which should save on keyboard wear for some users

IPTables: Fun with MARK

Andy Smith — Wed, 27 Jan 2010 13:52:45 +0000

One thing that’s always bugged me about IPTables is the lack of a way to use groups when writing rules, which can complicate things if you’ve got a potentially large rulebase. One way round this is to use something like fwbuilder, which gives you a graphical interface not unlike Checkpoint‘s SmartDashboard GUI for their Firewall-1 devices. The downside to this, though, is that the resulting IPTables ruleset is far from legible – which, to be fair, isn’t the goal of fwbuilder – and this makes hacking about with the rules nearly impossible.

So what options are there? One way is to repeat the same rule for different sources or destinations, but this can quickly get messy, especially if there’s multiple ports involved. If there was a way we could group things together and keep them tidy, maintaining the rulebase would be a lot easier. This is where MARK comes in.

The MARK target lets us set a 32-bit value (or 0xFFFFFFFF) on a packet, which we can then look for later with the mark match. This in itself can be useful, but where it gets really handy is adding the values together.

Starting out

To start off with, here’s an example

# Create a new chain, which will in effect be our source 'group' iptables -N S-TRUSTED # Add our sources iptables -A S-TRUSTED -s 192.168.1.1/32 -j MARK --set-xmark 0x8/0x0 iptables -A S-TRUSTED -s 192.168.2.0/24 -j MARK --set-xmark 0x8/0x0 iptables -A S-TRUSTED -s 192.168.3.3/29 -j MARK --set-xmark 0x8/0x0 # Create a chain for the destination group iptables -N D-DMZ # Add our DMZ machines iptables -A D-DMZ -d 10.1.1.1/32 -j MARK --set-xmark 0x4/0x0 iptables -A D-DMZ -d 10.1.2.0/24 -j MARK --set-xmark 0x4/0x0 # Create a chain for the services iptables -N D-SRV-MGMT # Add our service iptables -A D-SRV-MGMT -p tcp -m tcp --dport 22 -j MARK --set-xmark 0x2/0x0 iptables -A D-SRV-MGMT -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x2/0x0

So what we have now are three chains, which do the following

If the source matches, add 0×8 to the packet mark

If the destination matches, add 0×4 to the packet mark

If the service matches, add 0×2 to the packet mark

If you know your hexadecimal, you’ll already know that if all of these are true, we’ll come out with 0xE (or 14, in decimal).

Making the rule

Hopefully you’ll see where we’re going with this with the next example, which is our actual rule

# Create a new chain for our rule and add it to our FORWARD chain iptables -N R-ALLOW-DMZ-MGMT iptables -A FORWARD -j R-ALLOW-DMZ-MGMT # Zero out the packet mark to make sure no previous rules interfere iptables -A R-ALLOW-DMZ-MGMT -j MARK --set-xmark 0x0/0x0 # Jump to our 'source group' chain iptables -A R-ALLOW-DMZ-MGMT -j S-TRUSTED # Jump to our 'destination group' chain iptables -A R-ALLOW-DMZ-MGMT -j D-DMZ # Jump to our 'service group' chain iptables -A R-ALLOW-DMZ-MGMT -j D-SRV-MGMT # If the packet mark matches 0xE, then ACCEPT iptables -A R-ALLOW-DMZ-MGMT -m mark --mark 0xE -j ACCEPT

And there we have it – if the packet matches the source, destination and service, the packet mark will be 0xE. If, say, it matches everything except the destination, it’ll come out as 0xC, which won’t match and so netfilter will carry on along the rest of the rules. If you want processing to stop here, you could always add a LOG and REJECT/DROP target at the end of the R-ALLOW-DMZ-MGMT chain.

Negation

Sometimes we want to be able to say ‘everything but that particular network’, whether it be for accepting or dropping packets. We can do that with this, too

# Add a new chain for negating the source iptables -N S-NEGATE # XOR the current packet mark with 0x8 - our 'source match' identifier iptables -A S-NEGATE -j MARK --xor-mark 0x8

To use it, simply drop it in the R-ALLOW-DMZ-MGMT rule above after the jump to the S-TRUSTED chain, and if S-TRUSTED matched, it won’t any more, and vice versa. To negate the destination and service matches, you’ll need to create similar chains for (for example) D-NEGATE and D-SRV-NEGATE, replacing the 0×8 with 0×4 and 0×2 respectively.

Things to note

One downside of this method is that because of the way IPTables works, if you want to use the same set of networks and hosts as a source and a destination, you’ll need to duplicate them, but match on the source or destination as appropriate. Using the example given above, if we wanted a group with the same entries as S-TRUSTED, but matching on traffic going to them, we’d need to create another group (for example, D-TRUSTED), which will be identical save for the IP matches (which will need changing to -d) and the mask (which will need setting to 0×4 instead of 0×8).

Also, be careful if you’re using packet marks to do something outside of netfilter (say, for traffic control – which I’ll cover in a future post). One way round this is the facility to save the current packet mark to the current connection mark, or vice versa – if you go down this path then having a look at the iptables manpage for the MARK and CONNMARK targets will be useful.

Conclusions

This is an effective way of grouping hosts, networks and services within IPTables. It can be quite a bit of work to start with to add all the groups, but once in place it makes writing rules a lot more logical.

Taking things further

One way which you could take this further would be to group interfaces together in a similar fashion, say by adding 0×10 to the packet, and then matching on 0x1E rather than 0xE.

Usefully, if you send the packet out to syslog with the LOG target, netfilter will print out the current packet mark at the end of the log message as MARK=0xN, which can be useful when debugging.

OpenSSH and OpenSC for Debian and Ubuntu

Andy Smith — Wed, 23 Dec 2009 02:27:04 +0000

I’m using OpenSC at the moment so that I can repurpose an otherwise unused Aladdin eToken to hold SSH keys. I could go through the process involved in setting up the token, but as this chap has already done a thorough job, I won’t go into detail.

Unfortunately, the openssh-client package from Debian (and Ubuntu) doesn’t enable OpenSC support. It’s trivial to rebuild the package with OpenSC support, but for those who don’t want to or can’t for some reason, I’ve put my rebuilt, OpenSC-enabled packages here.

Once installed, if your token is set up correctly, you should be able to get your SSH public key from the card with:-

ssh-keygen -D

…which should give you something like:-

ssh-rsa AAAA .. .. .. t8/Q== 1024 65537 14233 .. .. .. 70941

You can then add your private key to a running SSH agent with:-

ssh-add -s

Pop in your PIN, and ssh should function as if you were using a normally-generated key.