Changeset b4b71892 for postlfs/security
- Timestamp:
- 06/10/2004 05:47:11 AM (20 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- cf43c83
- Parents:
- f8d632a
- Location:
- postlfs/security
- Files:
-
- 10 edited
postlfs/security/cracklib.xml
rf8d632a rb4b71892 1 <?xml version="1.0" encoding="ISO-8859-1"?> 2 <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [ 4 <!ENTITY % general-entities SYSTEM "../../general.ent"> 5 %general-entities; 6 7 <!ENTITY cracklib-download-http "http://www.crypticide.com/users/alecm/security/cracklib,&cracklib-version;.tar.gz"> 8 <!ENTITY cracklib-download-ftp "ftp://ftp.cerias.purdue.edu/pub/tools/unix/libs/cracklib/cracklib.&cracklib-version;.tar.gz"> 9 <!ENTITY cracklib-size "21 KB"> 10 <!ENTITY cracklib-buildsize "17 MB"> 11 <!ENTITY cracklib-time "0.10 SBU"> 12 <!ENTITY crackdict-size "15.6MB"> 13 <!ENTITY alldict-size "466KB"> 14 ]> 15 1 16 <sect1 id="cracklib" xreflabel="cracklib-&cracklib-version;"> 2 17 <?dbhtml filename="cracklib.html"?> 3 18 <title>cracklib-&cracklib-version;</title> 4 19 5 &cracklib-intro; 6 &cracklib-inst; 7 &cracklib-desc; 20 21 <sect2> 22 <title>Introduction to <application>cracklib</application></title> 23 24 <para>The cracklib package contains a library used to enforce strong passwords 25 by comparing user selected passwords to words in a chosen wordlist.</para> 26 27 <sect3><title>Package information</title> 28 <itemizedlist spacing='compact'> 29 <listitem><para>Download (HTTP): <ulink 30 url="&cracklib-download-http;"/></para></listitem> 31 <listitem><para>Download (FTP): <ulink 32 url="&cracklib-download-ftp;"/></para></listitem> 33 <listitem><para>Download size: &cracklib-size;</para></listitem> 34 <listitem><para>Estimated Disk space required (with cracklib wordlist): 35 &cracklib-buildsize;</para></listitem> 36 <listitem><para>Estimated build time: 37 &cracklib-time;</para></listitem></itemizedlist> 38 </sect3> 39 40 <sect3><title>Additional downloads</title> 41 <itemizedlist spacing='compact'> 42 <listitem><para>Required patch: <ulink 43 url="&patch-root;/cracklib,&cracklib-version;-blfs-1.patch"/></para></listitem> 44 <listitem><para>Recommended patch: <ulink 45 
url="&patch-root;/cracklib,&cracklib-version;-heimdal-1.patch"/></para></listitem> 46 </itemizedlist> 47 48 <para>You will also need to download a wordlist for use with cracklib. There 49 are two wordlists to choose from at the following location. Use the 50 <filename>cracklib</filename> word list for good security, or opt for the 51 <filename>allwords</filename> word list for lightweight machines short on 52 <acronym>RAM</acronym>. You can of course choose any other word list that you 53 have at your disposal.</para> 54 55 <para>cracklib (&crackdict-size;): <ulink url="http://www.cotse.com/wordlists/cracklib"/></para> 56 <para>allwords (&alldict-size;): <ulink url="http://www.cotse.com/wordlists/allwords"/></para> 57 58 </sect3> 59 60 </sect2> 61 62 <sect2> 63 <title>Installation of <application>cracklib</application></title> 64 65 <para>First, we need to install the chosen word list for cracklib:</para> 66 67 <screen><userinput><command>install -d -m755 /usr/share/dict && 68 install -m644 <replaceable>[wordlist]</replaceable> /usr/share/dict && 69 ln -sf <replaceable>[wordlist]</replaceable> /usr/share/dict/words && 70 echo $(hostname) >> /usr/share/dict/extra.words</command></userinput></screen> 71 72 <para>Our wordlist is linked to <filename>/usr/share/dict/words</filename> as 73 historically, <filename>words</filename> is the primary wordlist in the 74 <filename class="directory">/usr/share/dict</filename> directory. We also echo 75 the value of hostname to a file called extra.words. 
This extra file is intened 76 to be a site specific list which includes easy to guess passwords such as 77 company or department name, user's names, product names, computer name, domain 78 name, etc.</para> 79 80 <para>Now apply BLFS patch:</para> 81 82 <screen><userinput><command>patch -Np1 -i ../cracklib,&cracklib-version;-blfs-1.patch</command></userinput></screen> 83 84 <para>If necessary, apply the heimdal patch:</para> 85 86 <screen><userinput><command>cp -R cracklib cracklib_krb5 && 87 patch -Np1 -i ../cracklib,&cracklib-version;-heimdal-1.patch</command></userinput></screen> 88 89 <para>Finally install the package:</para> 90 <screen><userinput><command>make install</command></userinput></screen> 91 92 </sect2> 93 94 <sect2> 95 <title>Contents</title> 96 97 <para>The <application>cracklib</application> package 98 contains the <filename class="libraryfile">libcrack</filename> 99 library.</para> 100 101 </sect2> 102 103 <sect2><title>Description</title> 104 105 <sect3><title>libcrack library</title> 106 <para>The <filename class="libraryfile">libcrack</filename> library 107 provides a fast dictionary lookup method for strong password 108 enforcement.</para></sect3> 109 110 </sect2> 8 111 9 112 </sect1> -
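Review bot: the symlink step in the new installation instructions, `ln -sf [wordlist] /usr/share/dict/words`, stores the literal string the user typed as the link target, and that target is resolved relative to /usr/share/dict; the preceding `install -m644 [wordlist] /usr/share/dict` suggests [wordlist] will usually be a path into the download or build directory, in which case the link dangles as soon as that directory is removed. Suggest `ln -sf /usr/share/dict/[wordlist] /usr/share/dict/words`, or linking to the bare file name with the directory as the working directory. Two smaller points in the same section: "This extra file is intened" should read "intended", and `echo $(hostname) >> /usr/share/dict/extra.words` appends a duplicate line every time the instructions are rerun, which a reader may not expect from an install recipe.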
postlfs/security/firewalling.xml
rf8d632a rb4b71892 1 <?xml version="1.0" encoding="ISO-8859-1"?> 2 <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [ 4 <!ENTITY % general-entities SYSTEM "../../general.ent"> 5 %general-entities; 6 ]> 7 1 8 <sect1 id="postlfs-security-fw-firewall" xreflabel="Firewalling"> 2 9 <?dbhtml filename="firewall.html"?> … … 6 13 have already installed iptables as described in the previous section.</para> 7 14 8 &postlfs-security-fw-intro; 9 &postlfs-security-fw-disclaimer; 10 &postlfs-security-fw-kernel; 11 &postlfs-security-fw-writing; 12 &postlfs-security-fw-finale; 13 &postlfs-security-fw-extrainfo; 14 15 16 <sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction"> 17 <title>Introduction to Firewall Creation</title> 18 19 <para>The general purpose of a firewall is to protect a network 20 against malicious access by using a single machine as a firewall. 21 This does imply that the firewall is to be considered a single point 22 of failure, but it can make the administrator's life a lot easier.</para> 23 24 <para>In a perfect world where you knew that every daemon or service 25 on every machine was perfectly configured and was immune to, e.g., 26 buffer-overflows and any other imaginable problem regarding its 27 security, and where you trusted every user accessing your services 28 to aim no harm, you wouldn't need to have a firewall! 29 In the real world however, daemons may be misconfigured, 30 exploits against essential services are freely available, you 31 may wish to choose which services are accessible by certain machines, 32 you may wish to limit which machines or applications are allowed 33 to have Internet access, or you may simply not trust some of your 34 apps or users. 
35 In these situations you might benefit by using a firewall.</para> 36 37 <para>Don't assume however, that having a firewall makes careful 38 configuration redundant, or that it makes any negligent 39 misconfiguration harmless. It also doesn't prevent anyone from exploiting a 40 service you intentionally offer but haven't recently updated or patched 41 after an exploit went public. Despite having a firewall, you need to 42 keep applications and daemons on your system well-configured and 43 up-to-date; a firewall is not a cure-all!</para> 44 45 </sect2> 46 47 <sect2> 48 <title>Meaning of the word firewall.</title> 49 50 <para>The word firewall can have several different meanings.</para> 51 52 <sect3><title><xref linkend="postlfs-security-fw-persFw"/></title> 53 54 <para>This is a setup or program, for Windows commercially sold by 55 companies such as Symantec, of which they claim or pretend that it 56 secures a home or desktop-pc with Internet access. This topic is 57 highly relevant for users who do not know the methods their computers 58 might be accessed via the Internet or how to disable them, 59 especially if they are always online and connected via 60 broadband links.</para></sect3> 61 62 <sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title> 63 <para>This is a box placed between the Internet and an intranet. 64 To minimize the risk of compromising the firewall itself it 65 should generally have only one role, that of protecting the intranet. 
66 Although not completely risk free, the tasks of doing the routing 67 and eventually IP masquerading (rewriting IP-headers 68 of the packets it routes from clients with private IP-addresses onto 69 the Internet so that they seem to come from the firewall 70 itself) are commonly considered harmless.</para></sect3> 71 72 <sect3><title><xref linkend="postlfs-security-fw-busybox"/></title> 73 <para>This is often an old box you may have retired and nearly forgotten, 74 performing masquerading or routing functions, but offering a bunch of 75 services, e.g., web-cache, mail, etc. This may be very commonly used 76 for home networks, but can definitely not be considered as secure 77 anymore because the combining of server and router on one machine raises 78 the complexity of the setup.</para></sect3> 79 80 <sect3><title>Firewall with a demilitarized zone [not further described 81 here]</title> 82 <para>This box performs masquerading or routing, but grants public access to 83 some branch of your network which, because of public IP's and a physically 84 separated structure, is neither considered to be part of the inter- nor 85 intranet. These servers are those which must be easily accessible 86 from both the inter- and intranet. The firewall protects 87 them all.</para></sect3> 88 89 <sect3><title>Packetfilter / partly accessible net [partly described 90 here, see <xref linkend="postlfs-security-fw-busybox"/>]</title> 91 <para>Doing routing or masquerading, but permitting only selected 92 services to be accessible, sometimes only by selected internal users or boxes; 93 mostly used in highly secure business contexts, sometimes by distrusting 94 employers. This was the common configuration of a firewall at the time of 95 the Linux 2.2 kernel. 
It's still possible to configure a firewall this way, 96 but it makes the rules quite complex and lengthy.</para></sect3> 97 98 </sect2> 99 100 <sect2 id="postlfs-security-fw-disclaimer" xreflabel="Disclaimer"> 101 <title>Disclaimer</title> 102 103 <!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM 104 ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS 105 DOCUMENT.</emphasis></para> --> 106 107 <para>This document is meant as an introduction to how to setup a firewall. It 108 is not a complete guide to securing systems. Firewalling is a complex issue 109 that requires careful configuration. The scripts quoted here are simply 110 intended to give examples as to how a firewall works, they are not intended to 111 fit into any imaginable configuration and may not prevent any imaginable 112 attack.</para> 113 114 <para>The purpose of this text is simply to give you a hint on how to get 115 started with a firewall.</para> 116 117 <para>Customization of these scripts for your specific situation will 118 be necessary for an optimal configuration, but you should make a serious 119 study of the iptables documentation and creating firewalls in general before hacking 120 away. Have a look at the list of <xref linkend="postlfs-security-fw-library"/> at the end 121 of this section for more details. Here you will find a list of URLs that 122 contain quite comprehensive information about building your own firewall.</para> 123 124 </sect2> 125 126 127 <sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel"> 128 <title>Getting a firewall enabled Kernel</title> 129 130 <para>If you want your Linux-Box to have a firewall, you must first ensure 131 that your kernel has been compiled with the relevant options turned on. 
132 <!-- <footnote><para>If you needed assistance how to configure, compile and install 133 a new kernel, refer back to chapter VIII of the LinuxFromScratch book, 134 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink> 135 and eventually 136 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink> 137 ; note, that you'll need to reboot 138 to actually run your new kernel.</para></footnote>--> 139 </para> 140 141 <para>How to configure your kernel, with enabling the options to be 142 either compiled into the kernel or as modules, depends on your personal 143 preferences and experience. Note, that for the quoted scripts it is assumed 144 that the modules need to be loaded at first.</para> 145 146 <screen>Network options menu 147 Network packet filtering: Y 148 Unix domain sockets: Y or M 149 TCP/IP networking: Y 150 IP: advanced router: Y 151 IP: verbose route monitoring: Y 152 IP: TCP Explicit Congestion Notification support: Y 153 IP: TCP syncookie support: Y 154 IP: Netfilter Configuration menu 155 Every option except: Y or M 156 ipchains (2.2-style) support N 157 ipfwadm (2.0-style) support N 158 Fast switching: N</screen> 159 160 <!-- 161 <table frame='none'> 162 <title>Essential config-options for a firewall enabled Kernel</title> 163 164 <tgroup cols='5'> 165 <colspec colnum='1' colwidth='8*' align='center'/> 166 <colspec colnum='2' colwidth='19*' align='left'/> 167 <colspec colnum='3' colwidth='11*' align='center'/> 168 <colspec colnum='4' colwidth='1*' align='center'/> 169 <colspec colnum='5' colwidth='14*' align='left'/> 170 171 <tbody> 172 173 <row> 174 <entry><emphasis><userinput>Networking options:</userinput></emphasis></entry> 175 <entry><userinput>Network packet filtering</userinput></entry> 176 <entry></entry> 177 <entry>=</entry> 178 <entry>CONFIG_NETFILTER</entry> 179 </row> 180 181 <row> 182 <entry></entry> 183 <entry><userinput>Unix domain 
sockets</userinput></entry> 184 <entry></entry> 185 <entry>=</entry> 186 <entry>CONFIG_UNIX</entry> 187 </row> 188 189 <row> 190 <entry></entry> 191 <entry><userinput>IP: TCP/IP networking</userinput></entry> 192 <entry></entry> 193 <entry>=</entry> 194 <entry>CONFIG_INET</entry> 195 </row> 196 197 <row> 198 <entry></entry> 199 <entry><userinput>IP: advanced router</userinput></entry> 200 <entry></entry> 201 <entry>=</entry> 202 <entry>CONFIG_IP_ADVANCED_ROUTER</entry> 203 </row> 204 205 <row> 206 <entry></entry> 207 <entry><userinput>IP: verbose route monitoring</userinput></entry> 208 <entry></entry> 209 <entry>=</entry> 210 <entry>CONFIG_IP_ROUTE_VERBOSE</entry> 211 </row> 212 213 <row> 214 <entry></entry> 215 <entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry> 216 <entry></entry> 217 <entry>=</entry> 218 <entry>CONFIG_INET_ECN</entry> 219 </row> 220 221 <row> 222 <entry></entry> 223 <entry><userinput>IP: TCP syncookie support</userinput></entry> 224 <entry></entry> 225 <entry>=</entry> 226 <entry>CONFIG_SYN_COOKIES</entry> 227 </row> 228 229 <row> 230 <entry></entry> 231 <entry align='center'> 232 <emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry> 233 <entry align='left'><userinput>every option</userinput></entry> 234 <entry>=</entry> 235 <entry>CONFIG_IP_NF_*</entry> 236 </row> 237 238 <row> 239 <entry></entry> 240 <entry align='right'><emphasis>WITHOUT:</emphasis></entry> 241 <entry align='left'><literallayout><userinput>ipchains (2.2-style) support 242 ipfw-adm (2.0-style) support</userinput></literallayout></entry> 243 <entry>w\</entry> 244 <entry>CONFIG_IP_NF_COMPAT_*</entry> 245 </row> 246 247 <row> 248 <entry></entry> 249 <entry><userinput>Fast switching</userinput></entry> 250 <entry>Make sure to disable it because it would setup a bypass around 251 your firewall rules.</entry> 252 <entry>w\</entry> 253 <entry>CONFIG_NET_FASTROUTE</entry> 254 </row> 255 256 </tbody> 257 258 </tgroup> 259 
260 </table> --> 261 262 </sect2> 263 264 265 <sect2 id="postlfs-security-fw-writing" xreflabel="writing the firewalling-setup-scripts"> 266 <title>Now you can start to build your Firewall</title> 267 268 269 <sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall"> 270 <title>Personal Firewall</title> 271 272 <para>A Personal Firewall is supposed to let you access all the services 273 offered on the Internet, but keep your box secure and your data private.</para> 274 275 <para>Below is a slightly modified version of Rusty Russell's recommendation 276 from the <ulink 277 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux 278 2.4 Packet Filtering HOWTO</ulink>:</para> 279 280 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall << "EOF"</command> 281 #!/bin/sh 282 283 # Begin $rc_base/init.d/firewall 284 285 # Insert connection-tracking modules (not needed if built into the kernel). 286 modprobe ip_tables 287 modprobe iptable_filter 288 modprobe ip_conntrack 289 modprobe ip_conntrack_ftp 290 modprobe ipt_state 291 modprobe ipt_LOG 292 293 # allow local-only connections 294 iptables -A INPUT -i lo -j ACCEPT 295 # free output on any interface to any ip for any service (equal to -P ACCEPT) 296 iptables -A OUTPUT -j ACCEPT 297 298 # permit answers on already established connections 299 # and permit new connections related to established ones (eg active-ftp) 300 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 301 302 # Log everything else: What's Windows' latest exploitable vulnerability? 
303 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 304 305 # set a sane policy: everything not accepted > /dev/null 306 iptables -P INPUT DROP 307 iptables -P FORWARD DROP 308 iptables -P OUTPUT DROP 309 310 # be verbose on dynamic ip-addresses (not needed in case of static IP) 311 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 312 313 # disable ExplicitCongestionNotification - too many routers are still ignorant 314 echo 0 > /proc/sys/net/ipv4/tcp_ecn 315 316 # End $rc_base/init.d/firewall 317 <command>EOF</command></userinput></screen> 318 319 <para>His script is quite simple, it drops all traffic coming in into your 320 computer that wasn't initiated from your box, but as long as you are simply 321 surfing the Internet you are unlikely to exceed its limits.</para> 322 323 <para>If you frequently encounter certain delays at accessing ftp-servers, 324 please have a look at <xref linkend="postlfs-security-fw-busybox"/> - 325 <xref linkend="postlfs-security-fw-BB-4"/>.</para> 326 327 <para>Even if you have daemons or services running on your box, these 328 should be inaccessible everywhere but from your box itself. 329 If you want to allow access to services on your machine, such as ssh or pinging, 330 take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para> 331 332 </sect3> 333 334 335 <sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router"> 336 <title>Masquerading Router</title> 337 338 <para>A true Firewall has two interfaces, one connected to an intranet, 339 in this example, <emphasis role="strong">eth0</emphasis>, and one 340 connected to the Internet, here, <emphasis role="strong">ppp0</emphasis>. 341 To provide the maximum security against the box itself being broken into, 342 make sure that there are no servers running on it, especially not 343 <application>X11</application> et 344 al. 
And, as a general principle, the box itself should not access any untrusted 345 service (Think of a name server giving answers that make your 346 bind crash, or, even worse, that implement a worm via a 347 buffer-overflow).</para> 348 349 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall << "EOF"</command> 350 #!/bin/sh 351 352 # Begin $rc_base/init.d/firewall 353 354 echo 355 echo "You're using the example-config for a setup of a firewall" 356 echo "from the firewalling-hint written for LinuxFromScratch." 357 echo "This example is far from being complete, it is only meant" 358 echo "to be a reference." 359 echo "Firewall security is a complex issue, that exceeds the scope" 360 echo "of the quoted configuration rules." 361 echo "You can find some quite comprehensive information" 362 echo "about firewalls in Chapter 4 of the BLFS book." 363 echo "http://www.linuxfromscratch.org/blfs" 364 echo 365 366 # Insert iptables modules (not needed if built into the kernel). 367 368 modprobe ip_tables 369 modprobe iptable_filter 370 modprobe ip_conntrack 371 modprobe ip_conntrack_ftp 372 modprobe ipt_state 373 modprobe iptable_nat 374 modprobe ip_nat_ftp 375 modprobe ipt_MASQUERADE 376 modprobe ipt_LOG 377 modprobe ipt_REJECT 378 379 # allow local-only connections 380 iptables -A INPUT -i lo -j ACCEPT 381 iptables -A OUTPUT -o lo -j ACCEPT 382 383 # allow forwarding 384 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 385 iptables -A FORWARD -m state --state NEW -i ! 
ppp+ -j ACCEPT 386 387 # do masquerading (not needed if intranet is not using private ip-addresses) 388 iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE 389 390 # Log everything for debugging (last of all rules, but before DROP/REJECT) 391 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 392 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD" 393 iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " 394 395 # set a sane policy 396 iptables -P INPUT DROP 397 iptables -P FORWARD DROP 398 iptables -P OUTPUT DROP 399 400 # be verbose on dynamic ip-addresses (not needed in case of static IP) 401 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 402 403 # disable ExplicitCongestionNotification 404 echo 0 > /proc/sys/net/ipv4/tcp_ecn 405 406 # activate TCPsyncookies 407 echo 1 > /proc/sys/net/ipv4/tcp_syncookies 408 409 # activate Route-Verification = IP-Spoofing_protection 410 for f in /proc/sys/net/ipv4/conf/*/rp_filter; do 411 echo 1 > $f 412 done 413 414 # activate IP-Forwarding 415 echo 1 > /proc/sys/net/ipv4/ip_forward 416 <command>EOF</command></userinput></screen> 417 418 <para>With this script your intranet should be sufficiently secure against 419 external attacks. No one should be able to setup a new connection to any 420 internal service and, if it's masqueraded, it's even invisible. Furthermore, 421 your firewall should be nearly immune because there are no services running 422 that a cracker could attack.</para> 423 424 <para>Note: if the interface you're connecting to the Internet 425 doesn't connect via ppp, you will need to change 426 <replaceable>ppp+</replaceable> to the name of the interface which you are 427 using. 
If you are using the same interface type to connect to both your 428 intranet and the Internet, you need to use the actual name of the 429 interface such as <emphasis role="strong">eth0</emphasis>, 430 on both interfaces.</para> 431 432 <para>If you need stronger security (e.g., against DOS, connection 433 highjacking, spoofing, etc.), have a look at the list of 434 <xref linkend="postlfs-security-fw-library"/> at the end of this section.</para> 435 436 </sect3> 437 438 <sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox"> 439 <title>BusyBox</title> 440 441 <para>This scenario isn't too different from (<xref linkend="postlfs-security-fw-masqRouter"/>), 442 but in this case you want to offer some services to your intranet. 443 Examples of this can be when you want to admin your box from another host 444 on your intranet or use it as a proxy or a name server. Note: Outlining a true 445 concept of how to protect a server that offers services on the Internet 446 goes far beyond the scope of this document, 447 see <xref linkend="postlfs-security-fw-disclaimer"/>.</para> 448 449 <para>Be cautious. Every service you offer and have enabled makes your 450 setup more complex and your box less secure. You induce the risks of 451 misconfigured services or running a service with an exploitable bug. A firewall 452 should generally not run any extra services. See the introduction to 453 <xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para> 454 455 <para>If the services you'd like to offer do not need to access the Internet 456 themselves, like internal-only samba- or name-servers, it's quite 457 simple and should still be acceptable from a security standpoint. 458 Just add the following lines <emphasis>before</emphasis> the logging-rules 459 into the script.</para> 460 461 <screen>iptables -A INPUT -i ! ppp+ -j ACCEPT 462 iptables -A OUTPUT -o ! 
ppp+ -j ACCEPT</screen> 463 464 <para>If your daemons have to access the web themselves, like squid would need 465 to, you could open OUTPUT generally and restrict INPUT.</para> 466 467 <screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 468 iptables -A OUTPUT -j ACCEPT</screen> 469 470 <para>However, it is generally not advisable to leave OUTPUT unrestricted. You lose 471 any control over trojans who'd like to "call home", and a bit of redundancy in case 472 you've (mis-)configured a service so that it does broadcast its existence to the 473 world.</para> 474 475 <para>If you prefer to have this protection, you may restrict INPUT and OUTPUT 476 on all ports except those that it's absolutely necessary to have open. 477 Which ports you have to open depends on your needs: mostly you will find them 478 by looking for failed accesses in your log-files.</para> 479 <itemizedlist spacing="compact"> 480 <!-- <orderedlist numeration="arabic" spacing="compact"> --> 481 <title>Have a look at the following examples:</title> 482 483 <listitem><para>Squid is caching the web:</para> 484 <screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 485 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem> 486 487 <listitem><para>Your caching name server (e.g., dnscache) does its 488 lookups via udp:</para> 489 <screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT 490 iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem> 491 492 <listitem><para>Alternatively, if you want to be able to ping your box to ensure 493 it's still alive:</para> 494 <screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 495 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></listitem> 496 497 <listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 
4"/>If you are 498 frequently accessing ftp-servers or enjoy chatting, you might notice certain 499 delays because some implementations of these daemons have the feature of 500 querying an identd on your box for logging usernames. 501 Although there's really no harm in this, having an identd running is not 502 recommended because some implementations are known to be vulnerable.</para> 503 504 <para>To avoid these delays you could reject the requests 505 with a 'tcp-reset':</para> 506 507 <screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 508 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem> 509 510 <listitem><para>To log and drop invalid packets (harmless packets 511 that came in after netfilter's timeout or some types of network scans):</para> 512 513 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \ 514 "FIREWALL:INVALID" 515 iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem> 516 517 <listitem><para>Anything coming from the outside should not have a 518 private address, this is a common attack called IP-spoofing:</para> 519 520 <screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP 521 iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP 522 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></listitem> 523 524 <listitem><para>To simplify debugging and be fair to anyone who'd like to 525 access a service you have disabled, purposely or by mistake, you should REJECT 526 those packets that are dropped.</para> 527 528 <para>Obviously this must be done directly after logging as the very 529 last lines before the packets are dropped by policy:</para> 530 531 <screen>iptables -A INPUT -j REJECT 532 iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem> 533 </itemizedlist> 534 <!--</orderedlist>--> 535 536 <para>These are only examples to show you some of the capabilities of the 
new 537 firewall code in Linux-Kernel 2.4. Have a look at the man page of 538 iptables. 539 There you will find more of them. The port-numbers you'll need for this 540 can be found in <filename>/etc/services</filename>, in case you didn't 541 find them by trial and error in your log file.</para> 542 543 <para>If you add any of your offered or accessed services such as the above, 544 maybe even in FORWARD and for intranet-communication, and delete the 545 general clauses, you get an old fashioned packet filter.</para> 546 547 548 </sect3> 549 550 </sect2> 551 552 553 <sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion"> 554 <title>Conclusion</title> 555 556 <para>Finally, I'd like to remind you of one fact we must not forget: 557 The effort spent attacking a system corresponds to the value the cracker 558 expects to gain from it. 559 If you are responsible for such valuable assets that you expect great 560 effort to be made by potential crackers, you hopefully won't be in the 561 need of this hint!</para> 562 563 <!-- <para><literallayout>Be cautious! 564 565 Henning Rohde 566 <email>Henning.Rohde@uni-bayreuth.de</email></literallayout></para> 567 568 <para>PS: And always do remember: 569 SecureIT is not a matter of a status-quo but one of never stopping 570 to take care!</para> 571 572 <para>PPS: If any of these scripts fail, please tell me. 
I will try to trace 573 any faults.</para> --> 574 575 </sect2> 576 577 578 <sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information"> 579 <title>Extra Information</title> 580 581 <sect3 id="postlfs-security-fw-library" xreflabel="Links for further reading"> 582 <title>Where to start with further reading on firewalls.</title> 583 584 <para><blockquote><literallayout> 585 <ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink> 586 <ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink> 587 <ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink> 588 <ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink> 589 <ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink> 590 <ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink> 591 <ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink> 592 <ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink> 593 <ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink> 594 <ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink> 595 <ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German & outdated, but very comprehensive)</ulink> 596 <ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink> 597 <ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink> 598 <ulink 
url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink> 599 <ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink> 600 <ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink> 601 <ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink> 602 <ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink> 603 <ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink> 604 <ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink> 605 <ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink> 606 <ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink> 607 <ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink> 608 </literallayout></blockquote></para> 609 610 <!-- <para>If a link proves to be dead or if you think I missed one, 611 please mail!</para> --> 612 613 </sect3> 614 615 <sect3 id="postlfs-security-fw-status" xreflabel="/etc/rc.d/init.d/firewall.status"> 616 <title>firewall.status</title> 617 618 <para>If you'd like to have a look at the chains your firewall consists of and 619 the order in which the rules take effect:</para> 620 621 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall.status << "EOF"</command> 622 #!/bin/sh 623 624 # Begin $rc_base/init.d/firewall.status 625 626 echo "iptables.mangling:" 627 iptables -t mangle -v -L -n --line-numbers 628 629 echo 630 echo "iptables.nat:" 631 iptables -t nat -v -L -n --line-numbers 632 633 echo 634 echo "iptables.filter:" 635 iptables -v -L -n --line-numbers 636 <command>EOF</command></userinput></screen> 637 </sect3> 638 639 <sect3 id="postlfs-security-fw-stop" xreflabel="/etc/rc.d/init.d/firewall.stop"> 640 <title>firewall.stop</title> 641 642 
<para>If you need to turn the firewall off, this script will do it:</para> 643 644 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall.stop << "EOF"</command> 645 #!/bin/sh 646 647 # Being $rc_base/init.d/firewall.stop 648 649 # deactivate IP-Forwarding 650 echo 0 > /proc/sys/net/ipv4/ip_forward 651 652 iptables -Z 653 iptables -F 654 iptables -t nat -F PREROUTING 655 iptables -t nat -F OUTPUT 656 iptables -t nat -F POSTROUTING 657 iptables -t mangle -F PREROUTING 658 iptables -t mangle -F OUTPUT 659 iptables -X 660 iptables -P INPUT ACCEPT 661 iptables -P FORWARD ACCEPT 662 iptables -P OUTPUT ACCEPT 663 <command>EOF</command></userinput></screen> 664 665 </sect3> 666 667 </sect2> 15 668 </sect1> 16 669 -
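Review bot: in the firewall.stop script, `iptables -X` only deletes user-defined chains from the filter table, so any chains the firewall created in the nat or mangle tables survive the "stop", and the mangle table is only flushed on PREROUTING and OUTPUT; flushing whole tables with `iptables -t nat -F` and `iptables -t mangle -F`, then `iptables -t nat -X` and `iptables -t mangle -X`, leaves nothing behind (the same applies to `iptables -Z`, which as written only zeroes filter counters). The header comment reads "# Being $rc_base/init.d/firewall.stop" where firewall.status uses "# Begin". In the Conclusion paragraph, "you hopefully won't be in the need of this hint" should read "won't be in need of this hint".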
postlfs/security/gnupg.xml
rf8d632a rb4b71892 1 <?xml version="1.0" encoding="ISO-8859-1"?> 2 <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [ 4 <!ENTITY % general-entities SYSTEM "../../general.ent"> 5 %general-entities; 6 7 <!ENTITY gnupg-download-http "http://public.ftp.planetmirror.com/pub/gnupg/gnupg-&gnupg-version;.tar.bz2"> 8 <!ENTITY gnupg-download-ftp "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-&gnupg-version;.tar.bz2"> 9 <!ENTITY gnupg-size "2.3 MB"> 10 <!ENTITY gnupg-buildsize "26 MB"> 11 <!ENTITY gnupg-time "0.44 SBU"> 12 ]> 13 1 14 <sect1 id="gnupg" xreflabel="GnuPG-&gnupg-version;"> 2 15 <?dbhtml filename="gnupg.html"?> 3 16 <title>GnuPG-&gnupg-version;</title> 4 17 5 &gnupg-intro; 6 &gnupg-inst; 7 &gnupg-exp; 8 &gnupg-desc; 18 <sect2> 19 <title>Introduction to <application>GnuPG</application></title> 20 21 <para>The <application>GnuPG</application> package contains a public/private 22 key encryptor. This is 23 becoming useful for signing files or emails as proof of identity and 24 preventing tampering with contents of the file or email.</para> 25 26 <sect3><title>Package information</title> 27 <itemizedlist spacing='compact'> 28 <listitem><para>Download (HTTP): <ulink 29 url="&gnupg-download-http;"/></para></listitem> 30 <listitem><para>Download (FTP): <ulink 31 url="&gnupg-download-ftp;"/></para></listitem> 32 <listitem><para>Download size: &gnupg-size;</para></listitem> 33 <listitem><para>Estimated Disk space required: 34 &gnupg-buildsize;</para></listitem> 35 <listitem><para>Estimated build time: 36 &gnupg-time;</para></listitem></itemizedlist> 37 </sect3> 38 39 <sect3><title><application>GnuPG</application> dependencies</title> 40 <sect4><title>Optional</title> 41 <para><xref linkend="openldap"/></para></sect4> 42 </sect3> 43 44 </sect2> 45 46 <sect2> 47 <title>Installation of <application>GnuPG</application></title> 48 49 <para>Install <application>GnuPG</application> by running the following 
commands:</para> 50 51 <screen><userinput><command>./configure --prefix=/usr --libexecdir=/usr/lib && 52 make && 53 make install && 54 chmod 4755 /usr/bin/gpg</command></userinput></screen> 55 56 </sect2> 57 58 <sect2> 59 <title>Command explanations</title> 60 61 <para><parameter>--libexecdir=/usr/lib</parameter>: This command 62 creates a <filename class="directory">gnupg</filename> directory in 63 <filename class="directory">/usr/lib</filename> instead of 64 <filename class="directory">/usr/libexec</filename>.</para> 65 66 <para><command>chmod 4755 /usr/bin/gpg</command>: We install 67 <command>gpg</command> setuid root to avoid swapping out of 68 sensitive data.</para> 69 70 </sect2> 71 72 <sect2> 73 <title>Contents</title> 74 75 <para>The <application>GnuPG</application> package contains <command>gpg</command>, 76 <command>gpgsplit</command> and <command>gpgv</command>.</para> 77 78 </sect2> 79 80 <sect2><title>Description</title> 81 82 <sect3><title>gpg</title> 83 <para><command>gpg</command> is the backend (command-line interface) for 84 this Open<acronym>PGP</acronym> 85 implementation.</para></sect3> 86 87 <sect3><title>gpgsplit</title> 88 <para><command>gpgsplit</command> separates key rings.</para></sect3> 89 90 <sect3><title>gpgv</title> 91 <para><command>gpgv</command> is a verify only version of 92 <command>gpg</command>.</para></sect3> 93 94 </sect2> 9 95 10 96 </sect1> -
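Review bot: the Command explanations entry for `chmod 4755 /usr/bin/gpg` justifies installing a setuid-root binary with a single clause ("to avoid swapping out of sensitive data") and, because the install block chains it with `&&` as part of the standard commands, never says the step is optional; state whether gpg works without it and what is lost, so a reader can decide whether they want another setuid-root program on the system. Two wording points: in the introduction, "This is becoming useful for signing files or emails" reads oddly, "It is useful for signing files or emails as proof of identity..." is clearer; and the gpg description marks up "Open<acronym>PGP</acronym>", splitting the single name OpenPGP, where the whole word belongs inside (or outside) the acronym element.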
postlfs/security/heimdal.xml
rf8d632a rb4b71892 1 <?xml version="1.0" encoding="ISO-8859-1"?> 2 <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [ 4 <!ENTITY % general-entities SYSTEM "../../general.ent"> 5 %general-entities; 6 7 <!ENTITY heimdal-download-http "http://ftp.vc-graz.ac.at/mirror/crypto/kerberos/heimdal/heimdal-&heimdal-version;.tar.gz"> 8 <!ENTITY heimdal-download-ftp "ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-&heimdal-version;.tar.gz"> 9 <!ENTITY heimdal-size "3.2 MB"> 10 <!ENTITY heimdal-buildsize "142 MB"> 11 <!ENTITY heimdal-time "2.55 SBU"> 12 ]> 13 1 14 <sect1 id="heimdal" xreflabel="Heimdal-&heimdal-version;"> 2 15 <?dbhtml filename="heimdal.html"?> 3 16 <title>Heimdal-&heimdal-version;</title> 4 17 5 &heimdal-intro; 6 &heimdal-inst; 7 &heimdal-exp; 8 &heimdal-config; 9 &heimdal-desc; 18 <sect2> 19 <title>Introduction to <application>Heimdal</application></title> 20 21 <para> <application>Heimdal</application> is a free implementation of Kerberos 22 5, that aims to be compatible with <acronym>MIT</acronym> krb5 and is backwards 23 compatible with krb4. Kerberos is a network authentication protocol. Basically 24 it preserves the integrity of passwords in any untrusted network (like the 25 Internet). Kerberized applications work hand-in-hand with sites that support 26 Kerberos to ensure that passwords cannot be stolen. A Kerberos installation 27 will make changes to the authentication mechanisms on your network and will 28 overwrite several programs and daemons from the Coreutils, Inetutils, Qpopper 29 and Shadow packages. 
</para> 30 31 <sect3><title>Package information</title> 32 <itemizedlist spacing='compact'> 33 <listitem><para>Download (HTTP): <ulink url="&heimdal-download-http;"/></para></listitem> 34 <listitem><para>Download (FTP): <ulink url="&heimdal-download-ftp;"/></para></listitem> 35 <listitem><para>Download size: &heimdal-size;</para></listitem> 36 <listitem><para>Estimated Disk space required: &heimdal-buildsize;</para></listitem> 37 <listitem><para>Estimated build time: &heimdal-time;</para></listitem></itemizedlist> 38 </sect3> 39 40 <sect3><title>Additional downloads</title> 41 <itemizedlist spacing='compact'> 42 <listitem><para>Required patch: <ulink 43 url="&patch-root;/heimdal-&heimdal-version;-fhs-compliance-1.patch"/></para> 44 </listitem> 45 <listitem><para>Required patch for cracklib: <ulink 46 url="&patch-root;/heimdal-&heimdal-version;-cracklib-1.patch"/></para> 47 </listitem> 48 </itemizedlist> 49 50 </sect3> 51 52 <sect3><title><application>Heimdal</application> dependencies</title> 53 <sect4><title>Required</title> 54 <para> 55 <xref linkend="openssl"/> and 56 <xref linkend="db"/> 57 </para></sect4> 58 <sect4><title>Optional</title> 59 <para> 60 <xref linkend="readline"/>, 61 <xref linkend="Linux_PAM"/>, 62 <xref linkend="openldap"/>, 63 X (<xref linkend="xorg"/> or <xref linkend="xfree86"/>), 64 <xref linkend="cracklib"/> and 65 <ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink> 66 </para> 67 68 <note><para> 69 Some sort of time synchronization facility on your system (like <xref 70 linkend="ntp"/>) is required since Kerberos won't authenticate if the 71 time differential between a kerberized client and the 72 <acronym>KDC</acronym> server is more than 5 minutes.</para></note> 73 </sect4> 74 75 </sect3> 76 77 </sect2> 78 79 <sect2> 80 <title>Installation of <application>Heimdal</application></title> 81 82 <para> 83 Before installing the package, you may want to preserve the 84 <command>ftp</command> program from the Inetutils package. 
This is 85 because using the Heimdal <command>ftp</command> program to connect to 86 non kerberized ftp servers may not work properly. It will allow you to 87 connect (letting you know that transmission of the password is clear 88 text) but will have problems doing puts and gets. 89 </para> 90 91 <screen><userinput><command>mv /usr/bin/ftp /usr/bin/ftpn</command></userinput></screen> 92 93 <para> 94 If you wish the Heimdal package to link against the cracklib library, 95 you must apply a patch: 96 </para> 97 98 <screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-cracklib-1.patch</command></userinput></screen> 99 100 <para>Install <application>Heimdal</application> by running the following commands:</para> 101 102 <screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-fhs-compliance-1.patch && 103 ./configure --prefix=/usr --sysconfdir=/etc/heimdal \ 104 --datadir=/var/lib/heimdal --libexecdir=/usr/sbin \ 105 --sharedstatedir=/usr/share --localstatedir=/var/lib/heimdal \ 106 --enable-shared --with-openssl=/usr && 107 make && 108 make install && 109 mv /bin/login /bin/login.shadow && 110 mv /bin/su /bin/su.coreutils && 111 mv /usr/bin/{login,su} /bin && 112 ln -sf ../../bin/login /usr/bin && 113 mv /usr/lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /lib && 114 mv /usr/lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /lib && 115 mv /usr/lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /lib && 116 mv /usr/lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /lib && 117 ln -sf ../../lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /usr/lib && 118 ln -sf ../../lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /usr/lib && 119 ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib && 120 ln -sf ../../lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /usr/lib && 121 ldconfig</command></userinput></screen> 122 123 </sect2> 124 125 <sect2> 126 <title>Command explanations</title> 127 128 
<para><parameter>--libexecdir=/usr/sbin</parameter>: 129 This switch puts the daemon programs into <filename 130 class="directory">/usr/sbin</filename>. 131 </para> 132 133 <note><para> 134 If you want to preserve all your existing Inetutils package daemons, 135 install the Heimdal daemons into <filename 136 class="directory">/usr/sbin/heimdal</filename> (or wherever you want). 137 Since these programs will be called from <command>(x)inetd</command> or 138 <command>rc</command> scripts, it really doesn't matter where they live, 139 as long as they are correctly specified in the 140 <filename>/etc/(x)inetd.conf</filename> file and <command>rc</command> 141 scripts. If you choose something other than <filename 142 class="directory">/usr/sbin</filename>, you may want to move some of the 143 user programs (such as <command>kadmin</command>) to <filename 144 class="directory">/usr/sbin</filename> manually. 145 </para></note> 146 147 <para> 148 <screen><command>mv /bin/login /bin/login.shadow 149 mv /bin/su /bin/su.coreutils 150 mv /usr/bin/{login,su} /bin 151 ln -sf ../../bin/login /usr/bin</command></screen> 152 The <command>login</command> and <command>su</command> programs 153 installed by Heimdal belong in the <filename 154 class="directory">/bin</filename> directory. The 155 <command>login</command> program is symlinked because Heimdal is expecting 156 to find it in <filename class="directory">/usr/bin</filename>. We 157 preserve the old executables before the move to keep things sane should 158 breaks occur. 
159 </para> 160 161 <para> 162 <screen><command>mv /usr/lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /lib 163 mv /usr/lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /lib 164 mv /usr/lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /lib 165 mv /usr/lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /lib 166 ln -sf ../../lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /usr/lib 167 ln -sf ../../lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /usr/lib 168 ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib 169 ln -sf ../../lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /usr/lib</command></screen> 170 The <command>login</command> and <command>su</command> programs 171 installed by Heimdal link against Heimdal libraries as well as crypto 172 and db libraries. We move these libraries to <filename 173 class="directory">/lib</filename> to be <acronym>FHS</acronym> 174 compliant and in case when <filename 175 class="directory">/usr</filename> is located on a separate partition which 176 may not always be mounted. 
177 </para> 178 179 </sect2> 180 181 <sect2> 182 <title>Configuring Heimdal</title> 183 184 <sect3><title>Config files</title> 185 <para><filename>/etc/heimdal/*</filename></para> 186 </sect3> 187 188 <sect3><title>Configuration Information</title> 189 190 <sect4><title>Master KDC Server Configuration</title> 191 192 <para> 193 Create the Kerberos configuration file with the following command: 194 </para> 195 196 <screen><userinput><command>install -d /etc/heimdal && 197 cat > /etc/heimdal/krb5.conf << "EOF"</command> 198 # Begin /etc/heimdal/krb5.conf 199 200 [libdefaults] 201 default_realm = <replaceable>[LFS.ORG]</replaceable> 202 encrypt = true 203 204 [realms] 205 <replaceable>[LFS.ORG]</replaceable> = { 206 kdc = <replaceable>[belgarath.lfs.org]</replaceable> 207 admin_server = <replaceable>[belgarath.lfs.org]</replaceable> 208 kpasswd_server = <replaceable>[belgarath.lfs.org]</replaceable> 209 } 210 211 [domain_realm] 212 .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable> 213 214 [logging] 215 kdc = FILE:/var/log/kdc.log 216 admin_server = FILE:/var/log/kadmin.log 217 default = FILE:/var/log/krb.log 218 219 # End /etc/heimdal/krb5.conf 220 <command>EOF</command></userinput></screen> 221 222 <para> 223 You will need to substitute your domain and proper hostname for the 224 occurances of the belgarath and lfs.org names. 225 </para> 226 227 <para> 228 <userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS. 229 This isn't required, but both Heimdal and <acronym>MIT</acronym> 230 recommend it. 231 </para> 232 233 <para> 234 <userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized 235 clients and servers. It's not necessary and can be left off. If you 236 leave it off, you can encrypt all traffic from the client to the server 237 using a switch on the client program instead. 
238 </para> 239 240 <para> 241 The <userinput>[realms]</userinput> parameters tell the client programs where to look for the 242 <acronym>KDC</acronym> authentication services. 243 </para> 244 245 <para> 246 The <userinput>[domain_realm]</userinput> section maps a domain to a realm. 247 </para> 248 249 <para> 250 Store the master password in a key file using the following commands: 251 </para> 252 253 <screen><userinput><command>install -d -m 755 /var/lib/heimdal && 254 kstash</command></userinput></screen> 255 256 <para> 257 Create the <acronym>KDC</acronym> database: 258 </para> 259 260 <screen><userinput><command>kadmin -l</command></userinput></screen> 261 262 <para> 263 Choose the defaults for now. You can go in later and change the 264 defaults, should you feel the need. At the 265 <userinput>kadmin></userinput> prompt, issue the following statement: 266 </para> 267 268 <screen><userinput><command>init <replaceable>[LFS.ORG]</replaceable></command></userinput></screen> 269 270 <para> 271 Now we need to populate the database with principles (users). For now, 272 just use your regular login name or root. 
273 </para> 274 275 <screen><userinput><command>add <replaceable>[loginname]</replaceable></command></userinput></screen> 276 277 <para> 278 The <acronym>KDC</acronym> server and any machine running kerberized 279 server daemons must have a host key installed: 280 </para> 281 282 <screen><userinput><command>add --random-key host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen> 283 284 <para> 285 After choosing the defaults when prompted, you will have to export the 286 data to a keytab file: 287 </para> 288 289 <screen><userinput><command>ext host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen> 290 291 <para> 292 This should have created two files in 293 <filename class="directory">/etc/heimdal</filename>; 294 <filename>krb5.keytab</filename> (Kerberos 5) and 295 <filename>srvtab</filename> (Kerberos 4). Both files should have 600 296 (root rw only) permissions. Keeping the keytab files from public access 297 is crucial to the overall security of the Kerberos installation. 298 </para> 299 300 <para> 301 Eventually, you'll want to add server daemon principles to the database 302 and extract them to the keytab file. You do this in the same way you 303 created the host principles. Below is an example: 304 </para> 305 306 <screen><userinput><command>add --random-key ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen> 307 308 <para> 309 (choose the defaults) 310 </para> 311 312 <screen><userinput><command>ext ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen> 313 314 <para> 315 Exit the <command>kadmin</command> program (use <command>quit</command> 316 or <command>exit</command>) and return back to the shell prompt. 
Start 317 the <acronym>KDC</acronym> daemon manually, just to test out the 318 installation: 319 </para> 320 321 <screen><userinput><command>/usr/sbin/kdc &</command></userinput></screen> 322 323 <para> 324 Attempt to get a <acronym>TGT</acronym> (ticket granting ticket) with the 325 following command: 326 </para> 327 328 <screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen> 329 330 <para> 331 You will be prompted for the password you created. After you get your 332 ticket, you should list it with the following command: 333 </para> 334 335 <screen><userinput><command>klist</command></userinput></screen> 336 337 <para> 338 Information about the ticket should be displayed on the screen. 339 </para> 340 341 <para> 342 To test the functionality of the keytab file, issue the following 343 command: 344 </para> 345 346 <screen><userinput><command>ktutil list</command></userinput></screen> 347 348 <para> 349 This should dump a list of the host principals, along with the encryption 350 methods used to access the principals. 351 </para> 352 353 <para> 354 At this point, if everything has been successful so far, you can feel 355 fairly confident in the installation and configuration of the package. 356 </para> 357 358 <para>Install the <filename>/etc/rc.d/init.d/heimdal</filename> init script 359 included in the <xref linkend="intro-important-bootscripts"/> 360 package.</para> 361 362 <screen><userinput><command>make install-heimdal</command></userinput></screen> 363 364 </sect4> 365 366 <sect4><title>Using Kerberized Client Programs</title> 367 368 <para> 369 To use the kerberized client programs (<command>telnet</command>, 370 <command>ftp</command>, <command>rsh</command>, 371 <command>rxterm</command>, <command>rxtelnet</command>, 372 <command>rcp</command>, <command>xnlock</command>), you first must get 373 a <acronym>TGT</acronym>. Use the <command>kinit</command> program to 374 get the ticket. 
After you've acquired the ticket, you can use the 375 kerberized programs to connect to any kerberized server on the network. 376 You will not be prompted for authentication until your ticket expires 377 (default is one day), unless you specify a different user as a command 378 line argument to the program. 379 </para> 380 381 <para> 382 The kerberized programs will connect to non kerberized daemons, warning 383 you that authentication is not encrypted. As mentioned earlier, only the 384 <command>ftp</command> program gives any trouble connecting to non 385 kerberized daemons. 386 </para> 387 388 <para> 389 For additional information consult <ulink 390 url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the 391 Heimdal hint</ulink> on which the above instructions are based. 392 </para> 393 394 </sect4> 395 396 </sect3> 397 398 </sect2> 399 400 <sect2> 401 <title>Contents</title> 402 403 <para>The <application>Heimdal</application> package contains 404 <command>afslog</command>, 405 <command>dump_log</command>, 406 <command>ftp</command>, 407 <command>ftpd</command>, 408 <command>hprop</command>, 409 <command>hpropd</command>, 410 <command>ipropd-master</command>, 411 <command>ipropd-slave</command>, 412 <command>kadmin</command>, 413 <command>kadmind</command>, 414 <command>kauth</command>, 415 <command>kdc</command>, 416 <command>kdestroy</command>, 417 <command>kf</command>, 418 <command>kfd</command>, 419 <command>kgetcred</command>, 420 <command>kinit</command>, 421 <command>klist</command>, 422 <command>kpasswd</command>, 423 <command>kpasswdd</command>, 424 <command>krb5-config</command>, 425 <command>kstash</command>, 426 <command>ktutil</command>, 427 <command>kx</command>, 428 <command>kxd</command>, 429 <command>login</command>, 430 <command>mk_cmds</command>, 431 <command>otp</command>, 432 <command>otpprint</command>, 433 <command>pagsh</command>, 434 <command>pfrom</command>, 435 <command>popper</command>, 436 
<command>push</command>, 437 <command>rcp</command>, 438 <command>replay_log</command>, 439 <command>rsh</command>, 440 <command>rshd</command>, 441 <command>rxtelnet</command>, 442 <command>rxterm</command>, 443 <command>string2key</command>, 444 <command>su</command>, 445 <command>telnet</command>, 446 <command>telnetd</command>, 447 <command>tenletxr</command>, 448 <command>truncate_log</command>, 449 <command>verify_krb5_conf</command>, 450 <command>xnlock</command>, 451 <filename class="libraryfile">libasn1</filename>, 452 <filename class="libraryfile">libeditline</filename>, 453 <filename class="libraryfile">libgssapi</filename>, 454 <filename class="libraryfile">libhdb</filename>, 455 <filename class="libraryfile">libkadm5clnt</filename>, 456 <filename class="libraryfile">libkadm5srv</filename>, 457 <filename class="libraryfile">libkafs</filename>, 458 <filename class="libraryfile">libkrb5</filename>, 459 <filename class="libraryfile">libotp</filename>, 460 <filename class="libraryfile">libroken</filename>, 461 <filename class="libraryfile">libsl</filename> and 462 <filename class="libraryfile">libss</filename>. 
463 464 </para> 465 466 </sect2> 467 468 <sect2><title>Description</title> 469 470 <sect3><title>afslog</title> 471 <para><command>afslog</command> obtains AFS tokens for a number of 472 cells.</para></sect3> 473 474 <sect3><title>hprop</title> 475 <para><command>hprop</command> takes a principal database in a specified 476 format and converts it into a stream of Heimdal database 477 records.</para></sect3> 478 479 <sect3><title>hpropd</title> 480 <para><command>hpropd</command> receives a database sent by 481 <command>hprop</command> and writes it as a local 482 database.</para></sect3> 483 484 <sect3><title>kadmin</title> 485 <para><command>kadmin</command> is an utility used to make modifications 486 to the Kerberos database.</para></sect3> 487 488 <sect3><title>kadmind</title> 489 <para><command>kadmind</command> is a server for administrative access 490 to Kerberos database.</para></sect3> 491 492 <sect3><title>kauth, kinit</title> 493 <para><command>kauth</command> and <command>kinit</command> are used to 494 authenticate to the Kerberos server as principal and acquire a ticket 495 granting ticket that can later be used to obtain tickets for other 496 services.</para></sect3> 497 498 <sect3><title>kdc</title> 499 <para><command>kdc</command> is a Kerberos 5 server.</para></sect3> 500 501 <sect3><title>kdestroy</title> 502 <para><command>kdestroy</command> removes the current set of 503 tickets.</para></sect3> 504 505 <sect3><title>kf</title> 506 <para><command>kf</command> is a program which forwards tickets to a 507 remote host through an authenticated and encrypted 508 stream.</para></sect3> 509 510 <sect3><title>kfd</title> 511 <para><command>kfd</command> receives forwarded tickets.</para></sect3> 512 513 <sect3><title>kgetcred</title> 514 <para><command>kgetcred</command> obtains a ticket for a 515 service.</para></sect3> 516 517 <sect3><title>klist</title> 518 <para><command>klist</command> reads and displays the current tickets in 519 the credential 
cache.</para></sect3> 520 521 <sect3><title>kpasswd</title> 522 <para><command>kpasswd</command> is a program for changing Kerberos 5 523 passwords.</para></sect3> 524 525 <sect3><title>kpasswdd</title> 526 <para><command>kpasswdd</command> is a Kerberos 5 password changing 527 server.</para></sect3> 528 529 <sect3><title>krb5-config</title> 530 <para><command>krb5-config</command> gives information on how to link 531 programs against Heimdal libraries.</para></sect3> 532 533 <sect3><title>kstash</title> 534 <para><command>kstash</command> stores the <acronym>KDC</acronym> master 535 password in a file.</para></sect3> 536 537 <sect3><title>ktutil</title> 538 <para><command>ktutil</command> is a program for managing Kerberos 539 keytabs.</para></sect3> 540 541 <sect3><title>kx</title> 542 <para><command>kx</command> is a program which securely forwards X 543 connections.</para></sect3> 544 545 <sect3><title>kxd</title> 546 <para><command>kxd</command> is the daemon for 547 <command>kx</command>.</para></sect3> 548 549 <sect3><title>otp</title> 550 <para><command>otp</command> manages one-time passwords.</para></sect3> 551 552 <sect3><title>otpprint</title> 553 <para><command>otpprint</command> prints lists of one-time 554 passwords.</para></sect3> 555 556 <sect3><title>rxtelnet</title> 557 <para><command>rxtelnet</command> program starts an 558 <command>xterm</command> window with a telnet to given host and forwards 559 X connections.</para></sect3> 560 561 <sect3><title>rxterm</title> 562 <para><command>rxterm</command> starts a secure remote 563 <command>xterm</command>.</para></sect3> 564 565 <sect3><title>string2key</title> 566 <para><command>string2key</command> maps a password into a 567 key.</para></sect3> 568 569 <sect3><title>tenletxr</title> 570 <para><command>tenletxr</command> forwards X connections 571 backwards.</para></sect3> 572 573 <sect3><title>verify_krb5_conf</title> 574 <para><command>verify_krb5_conf</command> checks 575 
<filename>krb5.conf</filename> file for obvious errors.</para></sect3> 576 577 <sect3><title>xnlock</title> 578 <para><command>xnlock</command> is a program that acts as a secure screen 579 saver for workstations running X.</para></sect3> 580 581 </sect2> 10 582 11 583 </sect1> -
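Review bot: the install commands hard-code sonames of libraries that belong to other packages, `crypto.so.0.9.7` (OpenSSL) in the `mv /usr/lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /lib` line and `db-4.1.so` (Berkeley DB) in the `mv /usr/lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /lib` line, plus the matching `ln -sf` lines, so the block fails as soon as either dependency is at a different version and relocates files installed by those packages; the Command explanations paragraph already admits these are "crypto and db libraries", so either derive the names from what is installed or flag the version dependency in the text. The keytab paragraph says krb5.keytab and srvtab "should have 600 (root rw only) permissions" and that keeping them from public access is crucial, yet no command sets or checks the mode; add an explicit `chmod 600 /etc/heimdal/{krb5.keytab,srvtab}` (or an `ls -l` check) after the `ext` step. Likewise `install -d -m 755 /var/lib/heimdal` immediately before `kstash` puts the master key file in a world-listable directory; state what mode kstash gives the file or tighten the directory. Spelling: "principles" should be "principals" in "populate the database with principles (users)", "server daemon principles" and "created the host principles" (the later "host principals" is correct), and "occurances" should be "occurrences".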
postlfs/security/iptables.xml
rf8d632a rb4b71892 1 <?xml version="1.0" encoding="ISO-8859-1"?> 2 <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [ 4 <!ENTITY % general-entities SYSTEM "../../general.ent"> 5 %general-entities; 6 7 <!ENTITY iptables-download-http "http://www.iptables.org/files/iptables-&iptables-version;.tar.bz2"> 8 <!ENTITY iptables-download-ftp "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2"> 9 <!ENTITY iptables-size "183 KB"> 10 <!ENTITY iptables-buildsize "3.4 MB"> 11 <!ENTITY iptables-time "0.13 SBU"> 12 ]> 13 1 14 <sect1 id="postlfs-security-iptables"> 2 15 <?dbhtml filename="iptables.html"?> 3 16 <title>iptables-&iptables-version;</title> 4 17 5 <para>The next part of this chapter deals with firewalls. The 6 principlefirewall tool for Linux, as of the 2.4 kernel series, is18 <para>The next part of this chapter deals with firewalls. The principle 19 firewall tool for Linux, as of the 2.4 kernel series, is 7 20 <application>iptables</application>. It replaces 8 21 <application>ipchains</application> from the 2.2 series and 9 <application>ipfwadm</application> from the 10 2.0 series. You will need to install <application>iptables</application> if 11 you intend on using any form ofa firewall.</para>22 <application>ipfwadm</application> from the 2.0 series. You will need to 23 install <application>iptables</application> if you intend on using any form of 24 a firewall.</para> 12 25 13 &iptables-intro; 14 &iptables-inst; 15 &iptables-exp; 16 &iptables-desc; 26 <sect2> 27 <title>Introduction to <application>iptables</application></title> 28 29 <para>To use a firewall, as well as installing 30 <application>iptables</application>, you will need 31 to configure the relevant options into your kernel. 
This is discussed 32 in the next part of this chapter - <xref linkend="postlfs-security-fw-kernel"/>.</para> 33 34 <para>If you intend to use <acronym>IP</acronym>v6 you might consider extending 35 the kernel by running <command>make patch-o-matic</command> in the top-level 36 directory of the sources of <application>iptables</application>. If you are 37 going to do this, on a freshly untarred kernel, you need to run 38 <command>yes "" | make config && make dep</command> first because 39 otherwise the patch-o-matic command is likely to fail while setting up 40 some dependencies.</para> 41 42 <para>If you are going to patch the kernel, you need to do it before you 43 compile <application>iptables</application>, because during the compilation, 44 the kernel source tree is checked (if it is available at <filename 45 class="directory">/usr/src/linux-<replaceable>[version]</replaceable> 46 </filename>) to see which features are available. Support will only be compiled 47 into <application>iptables</application> for the features recognized at 48 compile-time. Applying a kernel patch may result in errors, often because the 49 hooks for the patches have changed or because the runme script doesn't 50 recognize that a patch has already been incorporated.</para> 51 52 <para>Note that for most people, patching the kernel is unnecessary. 
53 With the later 2.4.x kernels, most functionality is already available 54 and those who need to patch it are generally those who need a specific 55 feature; if you don't know why you need to patch the kernel, you're 56 unlikely to need to!</para> 57 58 <sect3><title>Package information</title> 59 <itemizedlist spacing='compact'> 60 <listitem><para>Download (HTTP): <ulink 61 url="&iptables-download-http;"/></para></listitem> 62 <listitem><para>Download (FTP): <ulink 63 url="&iptables-download-ftp;"/></para></listitem> 64 <listitem><para>Download size: &iptables-size;</para></listitem> 65 <listitem><para>Estimated Disk space required: 66 &iptables-buildsize;</para></listitem> 67 <listitem><para>Estimated build time: 68 &iptables-time;</para></listitem></itemizedlist> 69 </sect3> 70 71 </sect2> 72 73 74 <sect2> 75 <title>Installation of <application>iptables</application></title> 76 77 <para>Install <application>iptables</application> by running the following commands:</para> 78 79 <screen><userinput><command>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin && 80 make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install</command></userinput></screen> 81 82 </sect2> 83 84 85 <sect2> 86 <title>Command explanations</title> 87 88 <para><parameter>PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</parameter>: Compiles and installs 89 <application>iptables</application> libraries into <filename 90 class="directory">/lib</filename>, binaries into <filename 91 class="directory">/sbin</filename> and the remainder into the 92 <filename class="directory">/usr</filename> hierarchy instead of 93 <filename class="directory">/usr/local</filename>. 
Firewalls are 94 generally set during the boot process and <filename 95 class="directory">/usr</filename> may not be mounted at that time.</para> 96 97 </sect2> 98 99 <sect2> 100 <title>Contents</title> 101 102 <para>The <application>iptables</application> package contains <command>iptables</command>, 103 <command>iptables-restore</command>, <command>iptables-save</command>, 104 <command>ip6tables</command> and some libraries.</para> 105 106 </sect2> 107 108 <sect2><title>Description</title> 109 110 <sect3><title>iptables</title> 111 <para><command>iptables</command> is used to set up, maintain, and inspect the 112 tables of <acronym>IP</acronym> packet filter rules in the Linux kernel.</para> 113 </sect3> 114 115 <sect3><title>iptables-restore, iptables-save</title> 116 <para>These are used to save and to restore your elaborated set of chains and 117 rules. Until <application>iptables</application>-1.2.5, they were declared 118 experimental.</para> 119 </sect3> 120 121 <sect3 id="ip6tables" xreflabel="ip6tables"><title>ip6tables</title> 122 <para>This is the same as <command>iptables</command> but for use with 123 <acronym>IP</acronym>v6. As of v1.2.5, it is not as complete as the standard 124 <acronym>IP</acronym>v4 version, especially with regard to some of the modules.</para> 125 </sect3> 126 127 <sect3><title>libip*.so</title> 128 <para>These are various modules (implemented as dynamic libraries) which 129 extend the core functionality of <command>iptables</command>.</para> 130 </sect3> 131 132 </sect2> 17 133 18 134 </sect1> -
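Review bot: the Description section hardcodes version-specific statements ("Until iptables-1.2.5, they were declared experimental", "As of v1.2.5, it is not as complete as the standard IPv4 version") while the title and download entities use &iptables-version;, so these sentences will silently go stale the next time the entity is bumped; either tie them to the entity or drop them. The Command explanations document only `PREFIX=/usr LIBDIR=/lib BINDIR=/sbin`, yet the introduction says the build inspects the kernel tree at /usr/src/linux-[version] to decide which features get compiled in, with no word on what happens when the kernel source is elsewhere or absent; a sentence on that would spare readers an iptables whose match and target modules are silently missing. Minor wording: "Firewalls are generally set during the boot process" reads better as "set up".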
postlfs/security/linux_pam.xml
rf8d632a rb4b71892 1 <?xml version="1.0" encoding="ISO-8859-1"?> 2 <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [ 4 <!ENTITY % general-entities SYSTEM "../../general.ent"> 5 %general-entities; 6 7 8 <!ENTITY Linux_PAM-download-http "http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-&Linux_PAM-version;.tar.bz2"> 9 <!ENTITY Linux_PAM-download-ftp "ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-&Linux_PAM-version;.tar.bz2"> 10 <!ENTITY Linux_PAM-size "332 KB"> 11 <!ENTITY Linux_PAM-buildsize "4.1 MB"> 12 <!ENTITY Linux_PAM-time "0.07 SBU"> 13 ]> 14 1 15 <sect1 id="Linux_PAM" xreflabel="Linux-PAM-&Linux_PAM-version;"> 2 16 <?dbhtml filename="linux_pam.html"?> 3 17 <title>Linux-PAM-&Linux_PAM-version;</title> 4 18 5 &Linux_PAM-intro; 6 &Linux_PAM-inst; 7 &Linux_PAM-exp; 8 &Linux_PAM-config; 9 &Linux_PAM-desc; 19 <sect2> 20 <title>Introduction to <application>Linux-<acronym>PAM</acronym></application> 21 </title> 22 23 <para>The <application>Linux-<acronym>PAM</acronym></application> package 24 contains Pluggable Authentication Modules. 
This is useful to enable the local 25 system administrator to choose how applications authenticate users.</para> 26 27 <sect3><title>Package information</title> 28 <itemizedlist spacing='compact'> 29 <listitem><para>Download (HTTP): <ulink 30 url="&Linux_PAM-download-http;"/></para></listitem> 31 <listitem><para>Download (FTP): <ulink 32 url="&Linux_PAM-download-ftp;"/></para></listitem> 33 <listitem><para>Download size: &Linux_PAM-size;</para></listitem> 34 <listitem><para>Estimated Disk space required: 35 &Linux_PAM-buildsize;</para></listitem> 36 <listitem><para>Estimated build time: 37 &Linux_PAM-time;</para></listitem></itemizedlist> 38 </sect3> 39 40 <sect3><title>Additional download</title> 41 <itemizedlist spacing='compact'> 42 <listitem><para>Required patch: 43 <ulink url="&patch-root;/Linux-PAM-0.77-linkage-3.patch"/></para></listitem></itemizedlist> 44 </sect3> 45 46 <sect3><title><application>Linux-<acronym>PAM</acronym></application> dependencies</title> 47 <sect4><title>Optional</title> 48 <para><xref linkend="cracklib"/></para></sect4> 49 </sect3> 50 51 </sect2> 52 53 <sect2> 54 <title>Installation of <application>Linux-<acronym>PAM</acronym></application> 55 </title> 56 57 <para>Install <application>Linux-<acronym>PAM</acronym></application> by 58 running the following commands:</para> 59 60 <screen><userinput><command>patch -Np1 -i ../Linux-PAM-0.77-linkage-3.patch && 61 autoconf && 62 ./configure --enable-static-libpam --with-mailspool=/var/mail \ 63 --enable-read-both-confs --sysconfdir=/etc && 64 make && 65 make install && 66 mv /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a /usr/lib && 67 ln -sf ../../lib/libpam.so.&Linux_PAM-version; /usr/lib/libpam.so && 68 ln -sf ../../lib/libpam_misc.so.&Linux_PAM-version; /usr/lib/libpam_misc.so && 69 ln -sf ../../lib/libpamc.so.&Linux_PAM-version; /usr/lib/libpamc.so</command></userinput></screen> 70 71 </sect2> 72 73 74 <sect2> 75 <title>Command explanations</title> 76 77 
<para><command>autoconf</command>: This is necessary as in the patch, we 78 change where <acronym>PAM</acronym> looks for the cracklib libs. This 79 requires that the configure script be recreated.</para> 80 81 <para><option>--enable-static-libpam</option>: This switch builds 82 static <acronym>PAM</acronym> libraries as well as the dynamic libraries.</para> 83 84 <para><parameter>--with-mailspool=/var/mail</parameter>: This switch makes 85 the mailspool directory <acronym>FHS</acronym> compliant.</para> 86 87 <para><option>--enable-read-both-confs</option>: This switch lets the local 88 administrator choose which configuration file setup to use.</para> 89 90 <para><command>mv /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a 91 /usr/lib</command>: This command moves the static libraries to 92 <filename>/usr/lib</filename> to comply with <acronym>FHS</acronym>.</para> 93 94 </sect2> 95 96 97 <sect2> 98 <title>Configuring <application>Linux-<acronym>PAM</acronym></application> 99 </title> 100 101 <sect3><title>Config files</title> 102 <para><filename>/etc/pam.d</filename> or <filename>/etc/pam.conf</filename> 103 </para></sect3> 104 105 <sect3><title>Configuration Information</title> 106 107 <para>Configuration information is placed in <filename>/etc/pam.d</filename> or 108 <filename>/etc/pam.conf</filename> depending on user preference. 
Below are 109 example files of each type:</para> 110 111 <screen># Begin /etc/pam.d/other 112 113 auth required pam_unix.so nullok 114 account required pam_unix.so 115 session required pam_unix.so 116 password required pam_unix.so nullok 117 118 # End /etc/pam.d/other 119 120 # Begin /etc/pam.conf 121 122 other auth required pam_unix.so nullok 123 other account required pam_unix.so 124 other session required pam_unix.so 125 other password required pam_unix.so nullok 126 127 # End /etc/pam.conf</screen> 128 129 <para>The <application><acronym>PAM</acronym></application> man page 130 (<command>man pam</command>) provides a good starting point for descriptions 131 of fields and allowable entries. The 132 <ulink url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html"> 133 Linux-PAM guide for system administrators</ulink> 134 is recommended for further reading.</para> 135 136 <para>Refer to <ulink url="http://www.kernel.org/pub/linux/libs/pam/modules.html"/> 137 for a list of various modules available.</para> 138 139 </sect3> 140 141 </sect2> 142 143 <sect2> 144 <title>Contents</title> 145 146 <para>The <application>Linux-<acronym>PAM</acronym></application> package 147 contains <command>unix-chkpwd</command> and <filename 148 class="libraryfile">libpam</filename> 149 libraries.</para> 150 151 </sect2> 152 153 <sect2><title>Description</title> 154 155 <sect3><title>unix-chkpwd</title> 156 <para>No description available.</para></sect3> 157 158 <sect3><title>libpam libraries</title> 159 <para><filename class="libraryfile">libpam</filename> libraries provide the interfaces between 160 applications and the modules included with <acronym>PAM</acronym>.</para></sect3> 161 162 </sect2> 163 10 164 11 165 </sect1> -
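Review bot: the required patch is referenced by a hardcoded name, `Linux-PAM-0.77-linkage-3.patch`, in both the Additional download list and the `patch -Np1` command, while everything else in the file uses &Linux_PAM-version;; use the entity so a version bump does not leave the patch name pointing at 0.77. The example /etc/pam.d/other stack uses `pam_unix.so nullok` on both the auth and password lines, which lets accounts with an empty password field authenticate through every service that lacks its own configuration file; since the shadow.xml hunk in this same changeset later replaces other with a pam_deny stack, say here that the permissive example is only for initial testing. In the Description section `unix-chkpwd` still reads "No description available."; a one-line description is needed before this goes into the book.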
postlfs/security/mitkrb.xml
rf8d632a rb4b71892 1 <?xml version="1.0" encoding="ISO-8859-1"?> 2 <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [ 4 <!ENTITY % general-entities SYSTEM "../../general.ent"> 5 %general-entities; 6 7 <!ENTITY mitkrb-download-http "http://web.mit.edu/kerberos/www/dist/krb5/1.3/krb5-&mitkrb-version;.tar"> 8 <!ENTITY mitkrb-download-ftp " "> 9 <!ENTITY mitkrb-size "6.2 MB"> 10 <!ENTITY mitkrb-buildsize "137.4 MB"> 11 <!ENTITY mitkrb-time "2.55 SBU"> 12 ]> 13 14 1 15 <sect1 id="mitkrb" xreflabel="MIT krb5-&mitkrb-version;"> 2 16 <?dbhtml filename="mitkrb.html"?> 3 17 <title>MIT krb5-&mitkrb-version;</title> 4 18 5 &mitkrb-intro; 6 &mitkrb-inst; 7 &mitkrb-exp; 8 &mitkrb-config; 9 &mitkrb-desc; 19 <sect2> 20 <title>Introduction to <application><acronym>MIT</acronym> krb5</application></title> 21 22 <para> 23 <application>MIT krb5</application> is a free implementation of Kerberos 24 5. Kerberos is a network authentication protocol. 
It centralizes the 25 authentication database and uses kerberized applications to work with 26 servers or services that support Kerberos allowing single logins and 27 encrypted communication over internal networks or the Internet.</para> 28 29 <sect3><title>Package information</title> 30 <itemizedlist spacing='compact'> 31 <listitem><para>Download (HTTP): <ulink url="&mitkrb-download-http;"/></para></listitem> 32 <listitem><para>Download (FTP): <ulink url="&mitkrb-download-ftp;"/></para></listitem> 33 <listitem><para>Download size: &mitkrb-size;</para></listitem> 34 <listitem><para>Estimated Disk space required: &mitkrb-buildsize;</para></listitem> 35 <listitem><para>Estimated build time: &mitkrb-time;</para></listitem></itemizedlist> 36 </sect3> 37 38 <sect3><title><application><acronym>MIT</acronym> krb5</application> dependencies</title> 39 <sect4><title>Optional</title> 40 <para> 41 <xref linkend="xinetd"/> (services servers only), 42 <xref linkend="Linux_PAM"/> (for xdm based logins) and 43 <xref linkend="openldap"/> (alternative for krb5kdc password database) 44 </para> 45 46 <note><para> 47 Some sort of time synchronization facility on your system (like <xref 48 linkend="ntp"/>) is required since Kerberos won't authenticate if there 49 is a time difference between a kerberized client and the 50 <acronym>KDC</acronym> server.</para></note> 51 </sect4> 52 53 </sect3> 54 55 </sect2> 56 57 <sect2> 58 <title>Installation of <application>MIT krb5</application></title> 59 60 <para>Install <application>MIT krb5</application> by running the following commands:</para> 61 62 <screen><userinput><command>./configure --prefix=/usr --sysconfdir=/etc \ 63 --localstatedir=/var/lib --enable-dns --enable-shared --mandir=/usr/share/man && 64 make && 65 make install && 66 mv /bin/login /bin/login.shadow && 67 cp /usr/sbin/login.krb5 /bin/login && 68 mv /usr/bin/ksu /bin && 69 mv /usr/lib/libkrb5.so.3* /lib && 70 mv /usr/lib/libkrb4.so.2* /lib && 71 mv /usr/lib/libdes425.so.3* 
/lib && 72 mv /usr/lib/libk5crypto.so.3* /lib && 73 mv /usr/lib/libcom_err.so.3* /lib && 74 ln -sf ../../lib/libkrb5.so /usr/lib && 75 ln -sf ../../lib/libkrb4.so /usr/lib && 76 ln -sf ../../lib/libdes425.so /usr/lib && 77 ln -sf ../../lib/libk5crypto.so /usr/lib && 78 ln -sf ../../lib/libcom_err.so /usr/lib && 79 ldconfig</command></userinput></screen> 80 81 </sect2> 82 83 <sect2> 84 <title>Command explanations</title> 85 86 <para><parameter>--enable-dns</parameter>: This switch allows realms to 87 be resolved using the <acronym>DNS</acronym> server.</para> 88 89 <para><screen><command>mv /bin/login /bin/login.shadow 90 cp /usr/sbin/login.krb5 /bin/login 91 mv /usr/bin/ksu /bin</command></screen> 92 Preserves <application>Shadow</application>'s <command>login</command> 93 command, moves <command>ksu</command> and <command>login</command> to 94 the <filename class="directory">/bin</filename> directory.</para> 95 96 <para><screen><command>mv /usr/lib/libkrb5.so.3* /lib 97 mv /usr/lib/libkrb4.so.2* /lib 98 mv /usr/lib/libdes425.so.3* /lib 99 mv /usr/lib/libk5crypto.so.3* /lib 100 mv /usr/lib/libcom_err.so.3* /lib 101 ln -sf ../../lib/libkrb5.so /usr/lib 102 ln -sf ../../lib/libkrb4.so /usr/lib 103 ln -sf ../../lib/libdes425.so /usr/lib 104 ln -sf ../../lib/libk5crypto.so /usr/lib 105 ln -sf ../../lib/libcom_err.so /usr/lib</command></screen> 106 The <command>login</command> and <command>ksu</command> programs 107 are linked against these libraries, therefore we move these libraries to 108 <filename class="directory">/lib</filename> to allow logins without mounting <filename class="directory">/usr</filename>.</para> 109 110 </sect2> 111 112 <sect2> 113 <title>Configuring <application><acronym>MIT</acronym> krb5</application></title> 114 115 <sect3><title>Config files</title> 116 <para><filename>/etc/krb5.conf</filename> and 117 <filename>/var/lib/krb5kdc/kdc.conf</filename></para> 118 </sect3> 119 120 <sect3><title>Configuration Information</title> 121 122 
<sect4><title>Kerberos Configuration</title> 123 124 <para> 125 Create the Kerberos configuration file with the following command: 126 </para> 127 128 <screen><userinput><command>cat > /etc/krb5.conf << "EOF"</command> 129 # Begin /etc/krb5.conf 130 131 [libdefaults] 132 default_realm = <replaceable>[LFS.ORG]</replaceable> 133 encrypt = true 134 135 [realms] 136 <replaceable>[LFS.ORG]</replaceable> = { 137 kdc = <replaceable>[belgarath.lfs.org]</replaceable> 138 admin_server = <replaceable>[belgarath.lfs.org]</replaceable> 139 } 140 141 [domain_realm] 142 .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable> 143 144 [logging] 145 kdc = SYSLOG[:INFO[:AUTH]] 146 admin_server = SYSLOG[INFO[:AUTH]] 147 default = SYSLOG[[:SYS]] 148 149 # End /etc/krb5.conf 150 <command>EOF</command></userinput></screen> 151 152 <para> 153 You will need to substitute your domain and proper hostname for the 154 occurances of the belgarath and lfs.org names. 155 </para> 156 157 <para> 158 <userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS. 159 This isn't required, but both Heimdal and <acronym>MIT</acronym> 160 recommend it. 161 </para> 162 163 <para> 164 <userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized 165 clients and servers. It's not necessary and can be left off. If you 166 leave it off, you can encrypt all traffic from the client to the server 167 using a switch on the client program instead. 168 </para> 169 170 <para> 171 The <userinput>[realms]</userinput> parameters tell the client programs where to look for the 172 <acronym>KDC</acronym> authentication services. 173 </para> 174 175 <para> 176 The <userinput>[domain_realm]</userinput> section maps a domain to a realm. 
177 </para> 178 179 <para> 180 Create the <acronym>KDC</acronym> database: 181 </para> 182 183 <screen><userinput><command>kdb5_util create -r <replaceable>[LFS.ORG]</replaceable> -s </command></userinput></screen> 184 185 <para> 186 Now we need to populate the database with principles (users). For now, 187 just use your regular login name or root. 188 </para> 189 190 <screen><userinput><command>kadmin.local</command></userinput> 191 <prompt>kadmin:</prompt><userinput><command>addprinc <replaceable>[loginname]</replaceable></command></userinput></screen> 192 193 <para> 194 The <acronym>KDC</acronym> server and any machine running kerberized 195 server daemons must have a host key installed: 196 </para> 197 198 <screen><prompt>kadmin:</prompt><userinput><command>addprinc --randkey host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen> 199 200 <para> 201 After choosing the defaults when prompted, you will have to export the 202 data to a keytab file: 203 </para> 204 205 <screen><prompt>kadmin:</prompt><userinput><command>ktadd host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen> 206 207 <para> 208 This should have created a file in 209 <filename class="directory">/etc</filename> named 210 <filename>krb5.keytab</filename> (Kerberos 5). This file should have 600 211 (root rw only) permissions. Keeping the keytab files from public access 212 is crucial to the overall security of the Kerberos installation. 213 </para> 214 215 <para> 216 Eventually, you'll want to add server daemon principles to the database 217 and extract them to the keytab file. You do this in the same way you 218 created the host principles. 
Below is an example: 219 </para> 220 221 <screen><prompt>kadmin:</prompt><userinput><command>addprinc --randkey ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput> 222 <prompt>kadmin:</prompt><userinput><command>ktadd ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen> 223 224 <para> 225 Exit the <command>kadmin</command> program (use <command>quit</command> 226 or <command>exit</command>) and return back to the shell prompt. Start 227 the <acronym>KDC</acronym> daemon manually, just to test out the 228 installation: 229 </para> 230 231 <screen><userinput><command>/usr/sbin/krb5kdc &</command></userinput></screen> 232 233 <para> 234 Attempt to get a ticket with the following command: 235 </para> 236 237 <screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen> 238 239 <para> 240 You will be prompted for the password you created. After you get your 241 ticket, you can list it with the following command: 242 </para> 243 244 <screen><userinput><command>klist</command></userinput></screen> 245 246 <para> 247 Information about the ticket should be displayed on the screen. 248 </para> 249 250 <para> 251 To test the functionality of the keytab file, issue the following 252 command: 253 </para> 254 255 <screen><userinput><command>ktutil</command></userinput> 256 <prompt>ktutil:</prompt><userinput><command>rkt /etc/krb5.keytab</command></userinput> 257 <prompt>ktutil:</prompt><userinput><command>l</command></userinput></screen> 258 259 <para> 260 This should dump a list of the host principal, along with the encryption 261 methods used to access the principal. 262 </para> 263 264 <para> 265 At this point, if everything has been successful so far, you can feel 266 fairly confident in the installation and configuration of the package. 
267 </para> 268 269 <para>Install the <filename>/etc/rc.d/init.d/kerberos</filename> init script 270 included in the <xref linkend="intro-important-bootscripts"/> 271 package.</para> 272 273 <screen><userinput><command>make install-kerberos</command></userinput></screen> 274 275 </sect4> 276 277 <sect4><title>Using Kerberized Client Programs</title> 278 279 <para> 280 To use the kerberized client programs (<command>telnet</command>, 281 <command>ftp</command>, <command>rsh</command>, 282 <command>rcp</command>, <command>rlogin</command>), you first must get 283 an authentication ticket. Use the <command>kinit</command> program to 284 get the ticket. After you've acquired the ticket, you can use the 285 kerberized programs to connect to any kerberized server on the network. 286 You will not be prompted for authentication until your ticket expires 287 (default is one day), unless you specify a different user as a command 288 line argument to the program. 289 </para> 290 291 <para> 292 The kerberized programs will connect to non kerberized daemons, warning 293 you that authentication is not encrypted.</para></sect4> 294 295 296 <sect4><title>Using Kerberized Server Programs</title> 297 298 <para>Using kerberized server programs (<command>telnetd</command>, 299 <command>kpropd</command>, 300 <command>klogind</command> and <command>kshd</command>) requires two additional configuration steps. 301 First the <filename>/etc/services</filename> file must be updated to 302 include eklogin and krb5_prop. 
Second, the 303 <filename>inetd.conf</filename> or <filename>xinetd.conf</filename> must 304 be modified for each server that will be activated, usually replacing 305 the server from <application>inetutils</application>.</para></sect4> 306 307 <sect4><title>Additional Information</title> 308 <para> 309 For additional information consult <ulink 310 url="http://web.mit.edu/kerberos/www/krb5-1.3/#documentation">Documentation 311 for krb-&mitkrb-version;</ulink> on which the above instructions are based. 312 </para> 313 314 </sect4> 315 316 </sect3> 317 318 </sect2> 319 320 <sect2> 321 <title>Contents</title> 322 323 <para>The <application>MIT krb5</application> package contains 324 <command>compile-et</command>, 325 <command>ftp</command>, 326 <command>ftpd</command>, 327 <command>gss-client</command>, 328 <command>gss-server</command>, 329 <command>k5srvutil</command>, 330 <command>kadmin</command>, 331 <command>kadmin.local</command>, 332 <command>kadmind</command>, 333 <command>kadmind4</command>, 334 <command>kdb5_util</command> 335 <command>kdestroy</command>, 336 <command>kinit</command>, 337 <command>klist</command>, 338 <command>klogind</command>, 339 <command>kpasswd</command>, 340 <command>kprop</command>, 341 <command>kpropd</command>, 342 <command>krb5-send-pr</command>, 343 <command>krb5-config</command>, 344 <command>krb524d</command>, 345 <command>krb524init</command>, 346 <command>krb5kdc</command>, 347 <command>kshd</command>, 348 <command>ksu</command>, 349 <command>ktutil</command>, 350 <command>kvno</command>, 351 <command>login.krb5</command>, 352 <command>rcp</command>, 353 <command>rlogin</command>, 354 <command>rsh</command>, 355 <command>rshd</command>, 356 <command>rxtelnet</command>, 357 <command>rxterm</command>, 358 <command>sclient</command>, 359 <command>sim_client</command>, 360 <command>sim_server</command>, 361 <command>sserver</command>, 362 <command>telnet</command>, 363 <command>telnetd</command>, 364 <command>uuclient</command>, 
365 <command>uuserver</command>, 366 <command>v5passwd</command>, 367 <command>v5passwdd</command>, 368 <filename class="libraryfile">libcom_err</filename>, 369 <filename class="libraryfile">libdes425</filename>, 370 <filename class="libraryfile">libgssapi</filename>, 371 <filename class="libraryfile">libgssrpc</filename>, 372 <filename class="libraryfile">lib5crypto</filename>, 373 <filename class="libraryfile">libkadm5clnt</filename>, 374 <filename class="libraryfile">libkadm5srv</filename>, 375 <filename class="libraryfile">libkdb5</filename>, 376 <filename class="libraryfile">libkrb4</filename>, 377 <filename class="libraryfile">libkrb5</filename>.</para> 378 379 </sect2> 380 381 <sect2><title>Description</title> 382 383 <sect3><title>compile_et</title> 384 <para><command>compile_et</command> converts the table listing 385 error-code names into a <application>C</application> source file.</para></sect3> 386 387 <sect3><title>k5srvutil</title> 388 <para><command>k5srvutil</command> is a host keytable manipulation 389 utility.</para></sect3> 390 391 <sect3><title>kadmin</title> 392 <para><command>kadmin</command> is an utility used to make modifications 393 to the Kerberos database.</para></sect3> 394 395 <sect3><title>kadmind</title> 396 <para><command>kadmind</command> is a server for administrative access 397 to Kerberos database.</para></sect3> 398 399 <sect3><title>kinit</title> 400 <para><command>kinit</command> is used to 401 authenticate to the Kerberos server as principal and acquire a ticket 402 granting ticket that can later be used to obtain tickets for other 403 services.</para></sect3> 404 405 <sect3><title>krb5kdc</title> 406 <para><command>kdc</command> is a Kerberos 5 server.</para></sect3> 407 408 <sect3><title>kdestroy</title> 409 <para><command>kdestroy</command> removes the current set of 410 tickets.</para></sect3> 411 412 <sect3><title>kdb5_util</title> 413 <para><command>kdb5_util</command> is the <acronym>KDC</acronym> 414 database 
utility.</para></sect3> 415 416 <sect3><title>klist</title> 417 <para><command>klist</command> reads and displays the current tickets in 418 the credential cache.</para></sect3> 419 420 <sect3><title>klogind</title> 421 <para><command>klogind</command> is the server that responds to rlogin 422 requests.</para></sect3> 423 424 <sect3><title>kpasswd</title> 425 <para><command>kpasswd</command> is a program for changing Kerberos 5 426 passwords.</para></sect3> 427 428 <sect3><title>kprop</title> 429 <para><command>kprop</command> takes a principal database in a specified 430 format and converts it into a stream of database 431 records.</para></sect3> 432 433 <sect3><title>kpropd</title> 434 <para><command>kpropd</command> receives a database sent by 435 <command>hprop</command> and writes it as a local 436 database.</para></sect3> 437 438 <sect3><title>krb5-config</title> 439 <para><command>krb5-config</command> gives information on how to link 440 programs against libraries.</para></sect3> 441 442 <sect3><title>ksu</title> 443 <para><command>ksu</command> is the super user program using Kerberos 444 protocol. Requires a properly configured 445 <filename>/etc/shells</filename> and <filename>~/.k5login</filename> 446 containing principals authorized to become super users.</para></sect3> 447 448 <sect3><title>ktutil</title> 449 <para><command>ktutil</command> is a program for managing Kerberos 450 keytabs.</para></sect3> 451 452 <sect3><title>kvno</title> 453 <para><command>kvno</command> prints keyversion numbers of Kerberos 454 principals.</para></sect3> 455 456 457 </sect2> 10 458 11 459 </sect1> -
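Review bot: in the [logging] section of the generated /etc/krb5.conf the admin_server line, `admin_server = SYSLOG[INFO[:AUTH]]`, is missing the colon that the kdc line above it has (`kdc = SYSLOG[:INFO[:AUTH]]`); also check all three logging values against the krb5.conf man page, where the square brackets mark optional parts of the syntax rather than characters to be written into the file. Terminology and spelling: "principles (users)", "server daemon principles" and "host principles" should be "principals", matching the later "host principal"; "occurances" should be "occurrences". The Contents list has `compile-et` where the Description has `compile_et`, `lib5crypto` where the install commands move `libk5crypto`, and a missing comma after `kdb5_util`; the krb5kdc description names the command `kdc`; and kpropd is said to receive a database "sent by hprop", but the sender that ships in this package is kprop. The `mitkrb-download-ftp` entity is a single space, so the Download (FTP) item renders as an empty link; drop the item or fill in the URL. Finally, the text states that /etc/krb5.keytab "should have 600 (root rw only) permissions" and that keeping it from public access is crucial, but never shows the reader how to verify or set that; a `chmod 600 /etc/krb5.keytab` after the ktadd step would make the requirement actionable.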
postlfs/security/security.xml
rf8d632a rb4b71892 1 <?xml version="1.0" encoding="ISO-8859-1"?> 2 <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [ 4 <!ENTITY % general-entities SYSTEM "../../general.ent"> 5 %general-entities; 6 ]> 7 1 8 <chapter id="postlfs-security"> 2 9 <?dbhtml filename="security.html"?> … … 23 30 "signatures" and compares for files that have been changed.</para> 24 31 25 &cracklib; 26 &Linux_PAM; 27 &shadow; 28 &iptables; 29 &postlfs-security-fw; 30 &gnupg; 31 &tripwire; 32 &heimdal; 33 &mitkrb; 34 <!--&postlfs-security-syslog;--> 32 <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="cracklib.xml"/> 33 <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="linux_pam.xml"/> 34 <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="shadow.xml"/> 35 <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="iptables.xml"/> 36 <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="firewalling.xml"/> 37 <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="gnupg.xml"/> 38 <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="tripwire.xml"/> 39 <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="heimdal.xml"/> 40 <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="mitkrb.xml"/> 35 41 36 42 </chapter> -
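Review bot: the XInclude namespace on every new `<xi:include>` element is `http://www.w3.org/2003/XInclude`, which is the working-draft URI; the W3C Recommendation namespace is `http://www.w3.org/2001/XInclude`, and a processor that only recognizes the final namespace will leave these elements unexpanded and produce a chapter with no sections. Style: declaring `xmlns:xi` once on the `<chapter>` element instead of on each of the nine includes would shorten the lines and keep the prefix consistent across the book.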
postlfs/security/shadow.xml
rf8d632a rb4b71892 1 <?xml version="1.0" encoding="ISO-8859-1"?> 2 <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [ 4 <!ENTITY % general-entities SYSTEM "../../general.ent"> 5 %general-entities; 6 ]> 7 1 8 <sect1 id="shadow"> 2 9 <?dbhtml filename="shadow.html"?> … … 24 31 </sect2> 25 32 --> 26 &shadow-intro; 27 &shadow-inst; 28 &shadow-exp; 29 &shadow-config; 33 34 35 <sect2> 36 <title>Introduction to <application>Shadow</application></title> 37 38 <para>Shadow was indeed installed in <acronym>LFS</acronym> and there is 39 no reason to reinstall it unless you installed 40 <application>Linux-<acronym>PAM</acronym></application>. If you did, 41 this will allow programs like <command>login</command> and 42 <command>su</command> to utilize 43 <acronym>PAM</acronym>.</para> 44 45 <sect3><title>Additional downloads</title> 46 <itemizedlist spacing='compact'> 47 <listitem><para>Patch to fix linking against PAM: 48 <ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para></listitem> 49 </itemizedlist> 50 </sect3> 51 52 <sect3><title><application>Shadow</application> dependencies</title> 53 <sect4><title>Required</title> 54 <para><xref linkend="Linux_PAM"/></para></sect4> 55 </sect3> 56 </sect2> 57 58 59 <sect2> 60 <title>Installation of <application>shadow</application></title> 61 62 <para>Reinstall shadow by running the following commands:</para> 63 64 <screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch && 65 LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \ 66 --enable-shared --with-libpam --without-libcrack && 67 echo '#define HAVE_SETLOCALE 1' >> config.h && 68 make && 69 make install && 70 mv /bin/sg /usr/bin && 71 mv /bin/vigr /usr/sbin && 72 rm /bin/groups && 73 mv /usr/lib/lib{misc,shadow}.so.0* /lib && 74 ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so && 75 ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen> 
76 77 </sect2> 78 79 80 <sect2> 81 <title>Command explanations</title> 82 83 <para><parameter>--without-libcrack</parameter>: This switch tells shadow 84 not to use libcrack. This is desired as 85 <application>Linux-<acronym>PAM</acronym></application> already 86 contains libcrack.</para> 87 88 <!-- Leftover from older instructions???? 89 <para><command>cp debian/securetty /etc/securetty</command>: This 90 command sets the tty's that allow logins through <acronym>PAM</acronym>.</para> 91 --> 92 93 </sect2> 94 95 96 <sect2> 97 <title>Configuring <application><acronym>PAM</acronym></application> to work 98 with <application>shadow</application></title> 99 100 <sect3><title>Config files</title> 101 <para><filename>/etc/pam.d/login</filename>, 102 <filename>/etc/pam.d/passwd</filename>, 103 <filename>/etc/pam.d/su</filename>, 104 <filename>/etc/pam.d/shadow</filename>, and 105 <filename>/etc/pam.d/useradd</filename></para> 106 </sect3> 107 108 <sect3><title>Configuration Information</title> 109 110 <para>Add the following <application><acronym>PAM</acronym></application> 111 configuration files to <filename class="directory">/etc/pam.d</filename> (or add them to 112 <filename>/etc/pam.conf</filename> with the additional field for the program). 
113 </para> 114 <screen><userinput><command>cat > /etc/pam.d/login << "EOF"</command> 115 # Begin /etc/pam.d/login 116 117 auth requisite pam_securetty.so 118 auth requisite pam_nologin.so 119 auth required pam_env.so 120 auth required pam_unix.so 121 account required pam_access.so 122 account required pam_unix.so 123 session required pam_motd.so 124 session required pam_limits.so 125 session optional pam_mail.so dir=/var/mail standard 126 session optional pam_lastlog.so 127 session required pam_unix.so 128 129 # End /etc/pam.d/login 130 <command>EOF 131 cat > /etc/pam.d/passwd << "EOF"</command> 132 # Begin /etc/pam.d/passwd 133 134 password required pam_unix.so md5 shadow 135 136 # End /etc/pam.d/passwd 137 <command>EOF 138 cat > /etc/pam.d/shadow << "EOF"</command> 139 # Begin /etc/pam.d/shadow 140 141 auth sufficient pam_rootok.so 142 auth required pam_unix.so 143 account required pam_unix.so 144 session required pam_unix.so 145 password required pam_permit.so 146 147 # End /etc/pam.d/shadow 148 <command>EOF 149 cat > /etc/pam.d/su << "EOF"</command> 150 # Begin /etc/pam.d/su 151 152 auth sufficient pam_rootok.so 153 auth required pam_unix.so 154 account required pam_unix.so 155 session required pam_unix.so 156 157 # End /etc/pam.d/su 158 <command>EOF 159 cat > /etc/pam.d/useradd << "EOF"</command> 160 # Begin /etc/pam.d/useradd 161 162 auth sufficient pam_rootok.so 163 auth required pam_unix.so 164 account required pam_unix.so 165 session required pam_unix.so 166 password required pam_permit.so 167 168 # End /etc/pam.d/useradd 169 <command>EOF 170 cat > /etc/pam.d/chage << "EOF"</command> 171 # Begin /etc/pam.d/chage 172 173 auth sufficient pam_rootok.so 174 auth required pam_unix.so 175 account required pam_unix.so 176 session required pam_unix.so 177 password required pam_permit.so 178 179 # End /etc/pam.d/chage 180 <command>EOF</command></userinput></screen> 181 182 <para>Currently, <filename>/etc/pam.d/other</filename> is configured to 183 allow anyone 
with an account on the machine to use programs 184 that do not specifically have a configuration file of their own. After 185 testing <application><acronym>PAM</acronym></application> for proper 186 configuration, it can be changed to the following:</para> 187 188 <screen><userinput><command>cat > /etc/pam.d/other << "EOF"</command> 189 # Begin /etc/pam.d/other 190 191 auth required pam_deny.so 192 auth required pam_warn.so 193 account required pam_deny.so 194 session required pam_deny.so 195 password required pam_deny.so 196 password required pam_warn.so 197 198 # End /etc/pam.d/other 199 <command>EOF</command></userinput></screen> 200 201 <para>Finally, edit <filename>/etc/login.defs</filename> by adding '#' 202 to the beginning of the following lines:</para> 203 <screen>LASTLOG_ENAB 204 MAIL_CHECK_ENAB 205 PORTTIME_CHECKS_ENAB 206 CONSOLE 207 MOTD_FILE 208 NOLOGINS_FILE 209 PASS_MIN_LEN 210 SU_WHEEL_ONLY 211 MD5_CRYPT_ENAB 212 CONSOLE_GROUPS 213 ENVIRON_FILE</screen> 214 215 <para>This stops <command>login</command> from performing these functions, as 216 they will now be performed by <acronym>PAM</acronym> modules.</para> 217 218 </sect3> 219 220 </sect2> 30 221 31 222 </sect1> -
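Review bot: commenting out `PASS_MIN_LEN`, `SU_WHEEL_ONLY` and `MD5_CRYPT_ENAB` in /etc/login.defs hands those controls to PAM, but the stacks written above do not pick them all up: /etc/pam.d/passwd contains only `password required pam_unix.so md5 shadow`, so no minimum password length is enforced anywhere once login.defs stops checking it (the cracklib support that linux_pam.xml builds in is the usual way to restore it), and /etc/pam.d/su has no module restricting su to a group, so the wheel-only restriction is lost; either keep those login.defs lines or add the corresponding PAM modules and say so. The installation command `echo '#define HAVE_SETLOCALE 1' >> config.h`, together with `mv /bin/sg /usr/bin`, `mv /bin/vigr /usr/sbin` and `rm /bin/groups`, is undocumented in Command explanations. The Config files list omits /etc/pam.d/chage even though the screen creates it. The `--without-libcrack` explanation says Linux-PAM "already contains libcrack", but linux_pam.xml lists cracklib only as an optional dependency, so reword this to say that password strength checking is delegated to the PAM stack.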
postlfs/security/tripwire.xml
rf8d632a rb4b71892 1 <?xml version="1.0" encoding="ISO-8859-1"?> 2 <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [ 4 <!ENTITY % general-entities SYSTEM "../../general.ent"> 5 %general-entities; 6 7 <!ENTITY tripwire-download-http "http://prdownloads.sourceforge.net/tripwire/tripwire-&tripwire-version;.tar.gz"> 8 <!ENTITY tripwire-download-ftp "ftp://ftp.fu-berlin.de/unix/security/tripwire/tripwire-&tripwire-version;.tar.gz"> 9 <!ENTITY tripwire-size "1.4 MB"> 10 <!ENTITY tripwire-buildsize "63 MB"> 11 <!ENTITY tripwire-time "2.35 SBU"> 12 ]> 13 1 14 <sect1 id="tripwire" xreflabel="Tripwire-&tripwire-version;"> 2 15 <?dbhtml filename="tripwire.html"?> 3 16 <title>Tripwire-&tripwire-version;</title> 4 17 5 &tripwire-intro; 6 &tripwire-inst; 7 &tripwire-exp; 8 &tripwire-config; 9 &tripwire-desc; 18 <sect2> 19 <title>Introduction to <application>Tripwire</application></title> 20 21 <para>The <application>Tripwire</application> package contains the programs 22 used by <application>Tripwire</application> to verify the integrity of the 23 files on a given system.</para> 24 25 <sect3><title>Package information</title> 26 <itemizedlist spacing='compact'> 27 <listitem><para>Download (HTTP): <ulink 28 url="&tripwire-download-http;"/></para></listitem> 29 <listitem><para>Download (FTP): <ulink 30 url="&tripwire-download-ftp;"/></para></listitem> 31 <listitem><para>Download size: &tripwire-size;</para></listitem> 32 <listitem><para>Estimated Disk space required: 33 &tripwire-buildsize;</para></listitem> 34 <listitem><para>Estimated build time: 35 &tripwire-time;</para></listitem></itemizedlist> 36 </sect3> 37 38 <sect3><title>Additional downloads</title> 39 <itemizedlist spacing='compact'> 40 <listitem><para>Required patch to fix multiple build issues (see patch for more information): 41 <ulink url="&patch-root;/tripwire-&tripwire-version;-gcc3-build-fixes.patch"/></para></listitem> 42 </itemizedlist> 43 
</sect3> 44 45 <sect3><title><application>Shadow</application> dependencies</title> 46 <sect4><title>Optional</title> 47 <para>MTA (See <xref linkend="server-mail"/>)</para></sect4> 48 </sect3> 49 50 </sect2> 51 52 53 <sect2> 54 <title>Installation of <application>Tripwire</application></title> 55 56 <para>Compile <application>Tripwire</application> by running the following 57 commands:</para> 58 59 <screen><userinput><command>patch -Np1 -i ../tripwire-&tripwire-version;-gcc3-build-fixes.patch && 60 make -C src release && 61 cp install/install.{sh,cfg} .</command></userinput></screen> 62 63 <para>The default configuration is to use a local MTA. If you don't have 64 a MTA installed and have no wish to install one, modify the 65 <filename>install.cfg</filename> to use an SMTP server instead. 66 Install <application>Tripwire</application> by running the following 67 commands:</para> 68 69 <screen><userinput><command>./install.sh && 70 cp /etc/tripwire/tw.cfg /usr/sbin && 71 cp policy/*.txt /usr/share/doc/tripwire</command></userinput></screen> 72 73 </sect2> 74 75 <sect2> 76 <title>Command explanations</title> 77 78 <para><command>make release</command>: This command creates the 79 <application>Tripwire</application> binaries.</para> 80 81 <para><command>cp install.{sh,cfg} .</command>: These are copied to the main 82 <application>Tripwire</application> directory so that the script can be used to 83 install the package.</para> 84 85 <para><command>cp policy/*.txt /usr/share/doc/tripwire</command>: This command 86 installs the documentation.</para> 87 88 </sect2> 89 90 <sect2> 91 <title>Configuring <application>Tripwire</application></title> 92 93 <sect3><title>Config files</title> 94 <para><filename class="directory">/etc/tripwire</filename></para> 95 </sect3> 96 97 <sect3><title>Configuration Information</title> 98 99 <para><application>Tripwire</application> uses a policy file to determine which 100 files integrity are checked. 
The default policy file (<filename>twpol.txt 101 </filename> found in <filename class="directory">/etc/tripwire/</filename>) is for a default 102 installation of Redhat 7.0 and is woefully outdated.</para> 103 104 <para>Policy files are also a custom thing and should be tailored to each 105 individual distribution and/or installation. Some custom policy files can be 106 found below: </para> 107 <screen><ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt">http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt</ulink> 108 Checks integrity of all files 109 <ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt">http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt</ulink> 110 Custom policy file for Base LFS 3.0 system 111 <ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt">http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt</ulink> 112 Custom policy file for SuSE 7.2 system</screen> 113 114 <para>Download the custom policy file you'd like to try, copy it into 115 <filename class="directory">/etc/tripwire/</filename>, and use it instead of 116 <filename>twpol.txt</filename>. It is, however, recommended that you make your own policy file. 117 Get ideas from the examples above and read <filename> 118 /usr/share/doc/tripwire/policyguide.txt</filename>. 
<filename>twpol.txt 119 </filename> is a good policy file for beginners as it will note any changes to 120 the file system and can even be used as an annoying way of keeping track of 121 changes for uninstallation of software.</para> 122 123 <para>After your policy file has been transferred to <filename 124 class="directory">/etc/tripwire/</filename> you may begin the configuration steps:</para> 125 126 <screen><userinput><command>twadmin -m P /etc/tripwire/twpol.txt && 127 tripwire -m i</command></userinput></screen> 128 129 <para>During installation <application>Tripwire</application> will create two 130 (2) keys: a site key and a local key which will be stored in <filename 131 class="directory">/etc/tripwire/</filename>.</para> 132 133 </sect3> 134 135 <sect3><title>Usage Information</title> 136 <para>To use <application>Tripwire</application> after this and run a report, 137 use the following command:</para> 138 139 <screen><userinput><command>tripwire -m c > /etc/tripwire/report.txt</command></userinput></screen> 140 141 <para>View the output to check the integrity of your files. An automatic 142 integrity report can be produced by using a cron facility to schedule 143 the runs. </para> 144 145 <para>Please note that after you run an integrity check, you must check 146 the report or email and then modify the 147 <application>Tripwire</application> database of the files 148 on your system so that <application>Tripwire</application> will not continually notify you that 149 files you intentionally changed are a security violation. To do this you 150 must first <command>ls -l /var/lib/tripwire/report/</command> and note 151 the name of the newest file which starts with <filename>linux-</filename> and 152 ends in <filename>.twr</filename>. This encrypted file was created during the 153 last report creation and is needed to update the 154 <application>Tripwire</application> database of your 155 system. 
Then, type in the following command making the appropriate 156 substitutions for '?':</para> 157 <screen><userinput><command>tripwire -m u -r /var/lib/tripwire/report/linux-???????-??????.twr </command></userinput></screen> 158 159 <para>You will be placed into vim with a copy of the report in front of you. If 160 all the changes were good, then just type <command>:x</command> and after 161 entering your local key, the database will be updated. If there are files which 162 you still want to be warned about, please remove the x before the filename in 163 the report and type <command>:x</command>. </para> 164 165 </sect3> 166 167 <sect3><title>Changing the Policy File</title> 168 169 <para>If you are unhappy with your policy file and would like to modify it or 170 use a new one, modify the policy file and then execute the following 171 commands:</para> 172 <screen><userinput><command>twadmin -m P /etc/tripwire/twpol.txt && 173 tripwire -m i</command></userinput></screen> 174 175 </sect3> 176 177 </sect2> 178 179 <sect2> 180 <title>Contents</title> 181 182 <para>The <application>Tripwire</application> package contains <command>siggen 183 </command>, 184 <command>tripwire</command>, <command>twadmin</command> 185 and <command>twprint</command>.</para> 186 187 </sect2> 10 188 11 189 </sect1>
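Review bot: The dependencies heading in the new Introduction section reads `<sect3><title><application>Shadow</application> dependencies</title>`, which looks copied from the Shadow page; in tripwire.xml it should be `<application>Tripwire</application> dependencies`.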
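Review bot: `cp /etc/tripwire/tw.cfg /usr/sbin` in the Installation section is not covered in "Command explanations", which only explains `make release`, `cp install.{sh,cfg} .` and the documentation copy; placing a configuration file next to the binaries is unusual enough that readers will want an entry stating why the binaries need a copy of tw.cfg there. While in that area, the Configuration Information paragraph reads "to determine which files integrity are checked" and should read "which files' integrity is checked".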
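Review bot: The three custom policy files in the Configuration Information screen are fetched over plain HTTP from a personal site (home.iprimus.com.au) with no checksum or signature listed; because the policy file decides which files Tripwire checks at all, a tampered or silently changed copy weakens every later integrity check. Suggest hosting them under &patch-root; alongside the gcc3 build-fixes patch, or at least telling the reader to review a downloaded policy before signing it with `twadmin -m P`. Related: "During installation Tripwire will create two (2) keys" sits after the `twadmin -m P` / `tripwire -m i` commands but describes what `./install.sh` did; move it to the Installation section or reword it as "The install script created ...".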