Difference: UbuntuBasics (1 vs. 7)

Revision 7 2019-10-29 - squinney

Line: 1 to 1
 
META TOPICPARENT name="FuturePlatform"

Ubuntu Basics

Line: 24 to 24
 apt install krb5-user libpam-krb5 libsasl2-modules-gssapi-mit
Added:
>
>
  • Kerberos realm config for Informatics:
    krb5-realm.png
 The default configuration will usually work but if you need to tweak it you can using:
Line: 48 to 51
  Copy the /etc/sssd/sssd.conf (and on DICE also the cert file /etc/pki/tls/certs/dice-sixkts-2018.crt) from a managed machine. On Ubuntu/Debian the certificate files are typically stored in the /etc/ssl/certs directory, if using that location don't forget to update the sssd.conf file.
Changed:
<
<
Start the sssd server: systemctl start sssd
>
>
Start the sssd server: systemctl start sssd (it might already be started in which case a restart will be needed). You can test this by looking up data for your username by using something like getent passwd ...
 
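Review bot: the getent passwd check suggested in this hunk only exercises the NSS side of sssd (libnss-sss resolving the account); it says nothing about whether logins will work, since the PAM section later in this revision keeps 'SSS authentication' disabled and authenticates through pam_krb5. Worth saying so, or pairing it with a kinit test for the auth path.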

LDAP

Line: 62 to 65
 apt install openssh-server
Changed:
<
<
Then edit the options in /etc/ssh/sshd_config to match those below.
>
>
Then edit the options in /etc/ssh/sshd_config to include those below:
 
Changed:
<
<
ChallengeResponseAuthentication yes
>
>
ChallengeResponseAuthentication no UsePAM yes X11Forwarding yes PrintMotd no AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server
 GSSAPIAuthentication yes
Changed:
<
<
GSSAPICleanupCredentials yes GSSAPIKeyExchange yes
>
>
GSSAPICleanupCredentials no
 GSSAPIStoreCredentialsOnRekey yes
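Review bot: this hunk silently drops GSSAPIKeyExchange yes, while the hosts-file section added in revision 6 still justifies the /etc/hosts change by "SSH gssapi-keyex authentication support"; either restore the option or update that text so the two sections agree. Changing GSSAPICleanupCredentials from yes to no also means a forwarded ticket cache stays on disk after the session ends rather than being removed at logout, so the reason for wanting that (e.g. jobs that outlive the login) should be stated next to the option.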
Deleted:
<
<
HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key PasswordAuthentication no PermitRootLogin prohibit-password Protocol 2 PubkeyAuthentication no Subsystem sftp /usr/lib/openssh/sftp-server SyslogFacility AUTHPRIV
 UseDNS yes
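Review bot: this Deleted hunk removes PasswordAuthentication no, PubkeyAuthentication no and PermitRootLogin prohibit-password from the listed options at the same time as the wording above changes from "match those below" to "include those below". A config that only includes the remaining lines inherits OpenSSH's defaults, which are PasswordAuthentication yes and PubkeyAuthentication yes, so password logins become possible again unless the reader already had them disabled; if the intent is still GSSAPI-only access, keep those two lines explicit in the list.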
Deleted:
<
<
UsePAM yes X11Forwarding yes
 
Added:
>
>
The GSSAPI settings are necessary for single-sign-on support. the UseDNS option is necessary if you want to use pam_access to restrict access based on origin.
 Restart the ssh server: systemctl restart ssh
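Review bot: "the UseDNS option" at the start of the second sentence should be capitalised. More substantively, relying on UseDNS yes for pam_access means the access decision depends on a reverse lookup of the client address; hostname-based rules in access.conf are only as trustworthy as the resolver, so IP or network specifications are the safer form where the policy allows it, and the note should say which form the local access.conf uses.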

AFS

Line: 94 to 92
 apt install openafs-client openafs-krb5 libpam-afs-session
Added:
>
>
  • AFS Cell config for Informatics:
    afs_cell.png
 That will take a while as it builds the afs kernel module.

Start the openafs client: systemctl start openafs-client

Line: 102 to 104
  This can be manually configured using the pam-auth-update tool.
Added:
>
>
  • pam auth config for Informatics:
    pam-auth-update.png

Note that 'SSS authentication' is intentionally disabled, we're only using it for cached access to data stored in our LDAP server. We could do our authentication using that module but currently we prefer to use 'Kerberos authentication'.

 

mail

By default Ubuntu doesn't have a mail server installed, we recommend using postfix, it can be installed with:

Line: 117 to 124
 

Comments

%COMMENT%

Added:
>
>

META FILEATTACHMENT attachment="afs_cell.png" attr="" comment="AFS Cell config for Informatics" date="1572356209" name="afs_cell.png" path="afs_cell.png" size="33627" user="squinney" version="1"
META FILEATTACHMENT attachment="krb5-realm.png" attr="" comment="Kerberos realm config for Informatics" date="1572356236" name="krb5-realm.png" path="krb5-realm.png" size="44957" user="squinney" version="1"
META FILEATTACHMENT attachment="pam-auth-update.png" attr="" comment="pam auth config for Informatics" date="1572356620" name="pam-auth-update.png" path="pam-auth-update.png" size="80747" user="squinney" version="1"

Revision 6 2019-10-25 - squinney

Line: 1 to 1
 
META TOPICPARENT name="FuturePlatform"

Ubuntu Basics

This documents all the packages I needed to install and basic configuration I had to change to make an Ubuntu machine useful in the DICE environment, most of this is probably useful for other organisations.

Changed:
<
<
We're working with Ubuntu 19.04 disco dingo, we will move onto 19.10 eoan ermine with an aim to finally settle on the next LTS (20.04 something beginning with f)
>
>
We're working with Ubuntu 19.10 eoan ermine with an aim to finally settle on the next LTS (20.04 something beginning with f)
 

hosts file

Added:
>
>
For machines with static IP addresses where you want SSH gssapi-keyex authentication support.
 Replace any entries in /etc/hosts which map the hostname to 127.0.0.1 (e.g. 127.0.0.1 crocodile) with a correct full entry, e.g.:

129.215.202.190 crocodile.inf.ed.ac.uk crocodile
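Review bot: the Changed hunk below still describes the failure as happening "for some reason"; the usual cause is worth recording here, since the server side of GSSAPI key exchange needs credentials for its own host/<fqdn> principal and finds that name by canonicalising the local hostname, which a 127.0.0.1 mapping resolves to the wrong name. Stating that also explains why the fix only matters for hosts with a static address.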
Changed:
<
<
Without this, for some reason, SSH gssapi-keyex authentication will not work.

Krb5

>
>

Kerberos

 
apt install krb5-user libpam-krb5 libsasl2-modules-gssapi-mit
Changed:
<
<
As root edit /etc/krb5.conf to add the following to the [domain_realm] section:
>
>
The default configuration will usually work but if you need to tweak it you can using:
 
Changed:
<
<
inf.ed.ac.uk = INF.ED.AC.UK .inf.ed.ac.uk = INF.ED.AC.UK
>
>
dpkg-reconfigure -plow krb5-config
 
Changed:
<
<
and also add this to the [realms] section:

  INF.ED.AC.UK = {
    admin_server = kdc.inf.ed.ac.uk:749
    default_domain = inf.ed.ac.uk
  }
>
>
(or manually replace /etc/krb5.conf with the local site version copied from SL7).
 
Changed:
<
<
Whilst we don't have the kdcregister tool you need to create the host principal manually:
>
>
Whilst we don't have the kerberos component you need to create the host principal manually:
 
kadmin -p username/admin
Line: 60 to 52
 

LDAP

Changed:
<
<
Create /etc/ldap/ldap.conf to be the same as /etc/openldap/ldap.conf on SL7 (similarly you might need to edit the TLS_CACERT for the change in directory).
>
>
If you want the various ldap tools to work (e.g. ldapsearch) then you need to create /etc/ldap/ldap.conf to be the same as /etc/openldap/ldap.conf on SL7 (similarly you might need to edit the TLS_CACERT for the change in directory).
 

SSH

Line: 108 to 100
 

PAM

Changed:
<
<
The /etc/pam.d/common-account file needs to be replaced with the following:

account  required  pam_krb5.so minimum_uid=1000
account  required  pam_unix.so
account   required   pam_access.so    
account   required   pam_permit.so    
>
>
This can be manually configured using the pam-auth-update tool.
 
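Review bot: the common-account file being removed here had an explicit pam_access.so line, and revision 7 says UseDNS is kept precisely so that pam_access can restrict logins by origin. pam-auth-update does not enable pam_access on its own, so the replacement text should tell the reader to check that the pam_access entry is still present in common-account after running the tool, or access restrictions silently stop applying.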

mail

Revision 5 2019-09-23 - squinney

Line: 1 to 1
 
META TOPICPARENT name="FuturePlatform"

Ubuntu Basics

Line: 85 to 85
 PermitRootLogin prohibit-password Protocol 2 PubkeyAuthentication no
Changed:
<
<
Subsystem sftp /usr/libexec/openssh/sftp-server
>
>
Subsystem sftp /usr/lib/openssh/sftp-server
 SyslogFacility AUTHPRIV UseDNS yes UsePAM yes

Revision 4 2019-07-24 - squinney

Line: 1 to 1
 
META TOPICPARENT name="FuturePlatform"

Ubuntu Basics

Line: 21 to 21
 

Krb5

Changed:
<
<
apt install krb5-user libpam-krb5
>
>
apt install krb5-user libpam-krb5 libsasl2-modules-gssapi-mit
 

As root edit /etc/krb5.conf to add the following to the [domain_realm] section:

Line: 99 to 99
 Install the packages:
Changed:
<
<
apt install openafs-client openafs-krb5 pam-afs-session
>
>
apt install openafs-client openafs-krb5 libpam-afs-session
 

That will take a while as it builds the afs kernel module.

Revision 3 2019-06-19 - squinney

Line: 1 to 1
 
META TOPICPARENT name="FuturePlatform"
Changed:
<
<

Ubuntu Basics

>
>

Ubuntu Basics

This documents all the packages I needed to install and basic configuration I had to change to make an Ubuntu machine useful in the DICE environment, most of this is probably useful for other organisations.

We're working with Ubuntu 19.04 disco dingo, we will move onto 19.10 eoan ermine with an aim to finally settle on the next LTS (20.04 something beginning with f)

hosts file

Replace any entries in /etc/hosts which map the hostname to 127.0.0.1 (e.g. 127.0.0.1 crocodile) with a correct full entry, e.g.:

129.215.202.190 crocodile.inf.ed.ac.uk crocodile

Without this, for some reason, SSH gssapi-keyex authentication will not work.

 

Krb5

Line: 40 to 56
  Copy the /etc/sssd/sssd.conf (and on DICE also the cert file /etc/pki/tls/certs/dice-sixkts-2018.crt) from a managed machine. On Ubuntu/Debian the certificate files are typically stored in the /etc/ssl/certs directory, if using that location don't forget to update the sssd.conf file.
Added:
>
>
Start the sssd server: systemctl start sssd
 

LDAP

Create /etc/ldap/ldap.conf to be the same as /etc/openldap/ldap.conf on SL7 (similarly you might need to edit the TLS_CACERT for the change in directory).

Deleted:
<
<

PAM

 

SSH

Install the openssh-server package (if not already there):

Line: 54 to 70
 apt install openssh-server
Changed:
<
<
Then edit the options in /etc/ssh/sshd_config to match those below. Note that this contains one difference with our usual DICE configuration by allowing password authentication, that is useful in the early stages of developing new platforms where access to local accounts is helpful.
>
>
Then edit the options in /etc/ssh/sshd_config to match those below.
 
ChallengeResponseAuthentication yes
Line: 65 to 81
 HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key
Changed:
<
<
PasswordAuthentication yes
>
>
PasswordAuthentication no
 PermitRootLogin prohibit-password Protocol 2 PubkeyAuthentication no
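Review bot: switching PasswordAuthentication to no does not by itself close the password path while the context above still has ChallengeResponseAuthentication yes together with UsePAM yes: keyboard-interactive authentication via PAM still accepts passwords. The note about allowing local-account access during development was removed in the same revision, so the intent here is clearly to end that; ChallengeResponseAuthentication should have been set to no at the same time (it only changes in revision 7).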
Line: 78 to 94
  Restart the ssh server: systemctl restart ssh
Added:
>
>

AFS

Install the packages:

apt install openafs-client openafs-krb5 pam-afs-session

That will take a while as it builds the afs kernel module.

Start the openafs client: systemctl start openafs-client

PAM

The /etc/pam.d/common-account file needs to be replaced with the following:

account  required  pam_krb5.so minimum_uid=1000
account  required  pam_unix.so
account   required   pam_access.so    
account   required   pam_permit.so    

mail

By default Ubuntu doesn't have a mail server installed, we recommend using postfix, it can be installed with:

apt install postfix

The default config seems to "just work".

 -- squinney - 2019-06-19

Comments

Revision 2 2019-06-19 - squinney

Line: 1 to 1
 
META TOPICPARENT name="FuturePlatform"

Ubuntu Basics

Line: 34 to 34
 

sssd

Added:
>
>
apt install libnss-sss sssd-tools libsasl2-modules-ldap

Copy the /etc/sssd/sssd.conf (and on DICE also the cert file /etc/pki/tls/certs/dice-sixkts-2018.crt) from a managed machine. On Ubuntu/Debian the certificate files are typically stored in the /etc/ssl/certs directory, if using that location don't forget to update the sssd.conf file.

LDAP

Create /etc/ldap/ldap.conf to be the same as /etc/openldap/ldap.conf on SL7 (similarly you might need to edit the TLS_CACERT for the change in directory).

PAM

 

SSH

Install the openssh-server package (if not already there):

Revision 1 2019-06-19 - squinney

Line: 1 to 1
Added:
>
>
META TOPICPARENT name="FuturePlatform"

Ubuntu Basics

Krb5

apt install krb5-user libpam-krb5

As root edit /etc/krb5.conf to add the following to the [domain_realm] section:

  inf.ed.ac.uk  =  INF.ED.AC.UK 
  .inf.ed.ac.uk  =  INF.ED.AC.UK 

and also add this to the [realms] section:

  INF.ED.AC.UK = {
    admin_server = kdc.inf.ed.ac.uk:749
    default_domain = inf.ed.ac.uk
  }

Whilst we don't have the kdcregister tool you need to create the host principal manually:

kadmin -p username/admin
ank -randkey host/example.inf.ed.ac.uk
ktadd -k /etc/krb5.keytab host/example.inf.ed.ac.uk

sssd

SSH

Install the openssh-server package (if not already there):

apt install openssh-server

Then edit the options in /etc/ssh/sshd_config to match those below. Note that this contains one difference with our usual DICE configuration by allowing password authentication, that is useful in the early stages of developing new platforms where access to local accounts is helpful.

ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
PasswordAuthentication yes
PermitRootLogin prohibit-password
Protocol 2
PubkeyAuthentication no
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
UseDNS yes
UsePAM yes
X11Forwarding yes

Restart the ssh server: systemctl restart ssh

-- squinney - 2019-06-19

Comments
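Review bot: after the ktadd -k /etc/krb5.keytab step, the page should say that the keytab must stay readable by root only (mode 0600): it holds the host's long-term key, and anyone who can read it can impersonate the host and decrypt its service tickets. This matters because the later revisions also copy configuration and certificate files over from managed machines, and a keytab copied the same way may not keep its original permissions.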

%COMMENT%
