cursorblinken

2011-12-13T16:09:00.000+04:00

Capsicum: practical capabilities for UNIX

BSDCan 2011 presentation Capsicum and OpenBSD

2011-05-04T05:26:00.000+04:00

Using Apache mod_auth_kerb for authentication/authorization against Windows domain

1. (Windows) Create account for HTTP/, map it to Kerberos principal & export the keytab.

Import-Module ActiveDirectory

New-ADUser unixcomputer_http -UserPrincipalName "unixcomputer_http@company.test" -CannotChangePassword 1 -PasswordNeverExpires 1 -Enabled 1 -Path 'OU=Service Accounts,OU=Unix Systems,OU=09_Corporate_Apps,DC=company,DC=test' -DisplayName "unixcomputer_http.company.test" -Description "Used for Kerberos authentication" -Company "Company" -Department "IS&T" -Division "USG" -Country "CA" -City "Calgary" -AccountPassword (ConvertTo-SecureString -string "SomeReallySecurePassword" -asplaintext -force)

ktpass -princ HTTP/unixcomputer.company.test@COMPANY.TEST -mapuser unixcomputer@company.test -pType KRB5_NT_PRINCIPAL +rndpass -out unixcomputer_http.keytab

Securely copy the keytab to /var/www/conf

2. (OpenBSD) Set permissions on keytab & add mod_auth_kerb package

chown root.www /var/www/conf/unixcomputer_http.keytab

pkg_add mod_auth_kerb-5.3p6.tgz
/usr/local/sbin/mod_auth_kerb-enable

3. Configure Apache for Kerberos auth. Example:

LoadModule auth_kerb_module /usr/lib/apache/modules/mod_auth_kerb.so
<Location "/cgi-bin/cvsweb">
    AuthType Kerberos
    Krb5Keytab /conf/unixcomputer_http.keytab
    KrbServiceName HTTP
    KrbAuthRealms COMPANY.TEST
    KrbVerifyKDC on
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    require user admin@COMPANY.TEST user1@COMPANY.TEST user2@COMPANY.TEST
</Location>

Links:

mod_auth_kerb homepage

Using mod_auth_kerb and Windows 2000/2003/2008R2 as KDC

Using negotiate authentication (GSSAPI Kerberos) with Firefox

2011-05-04T04:55:00.003+04:00

Configuring privileges for RANCID access to Cisco devices

This is a workaround for older IOS versions (12.4x) where Role-Based CLI cannot be used for rancid user because clogin(1) expects # symbol as prompt while older IOS sends > when Role-Based CLI is used.

1. Configure AAA:

aaa new-model
aaa authentication login default local
aaa authorization exec default local

2. Create _rancid user on cisco:

username test privilege 5 secret SomeTrueSecret

3. Set privilege level for appropriate commands:

privilege exec level 5 dir
privilege exec level 5 show vlan-switch
privilege exec level 5 show vtp status
privilege exec level 5 show vtp
privilege exec level 1 show inventory raw
privilege exec level 1 show inventory
privilege exec level 5 show vlans
privilege exec level 5 show diag
privilege exec level 5 show version
privilege exec level 5 show debugging
privilege exec level 5 show controllers
privilege exec level 5 show running-config view full
privilege exec level 5 show running-config view
privilege exec level 5 show running-config
privilege exec level 5 show

The list of commands may vary, for each Cisco platform it can be determined by extracting commands from @commandtable hash in rancid(1) and adding it to Cisco config, it will pick up those which it supports.

Using RADIUS server gives more granular access control, for example using Microsoft NPAS:

1. (PowerShell) Add NPS Server Role

Import-Module ServerManager
Add-WindowsFeature NPAS-Policy-Server
wuauclt.exe /detectnow

2. (PowerShell) Create group and user accounts

Import-Module ActiveDirectory

New-ADGroup "Cisco-lvl5" Global -Path 'OU=Admin_Groups,OU=10_Admin,DC=company,DC=test' -Description "Membership grants level 5 exec access on Cisco equipment" -OtherAttributes @{mail="noc@company.test"}

New-ADUser _rancid -UserPrincipalName "_rancid@company.test" -CannotChangePassword 1 -PasswordNeverExpires 1 -Enabled 1 -Path 'OU=Service Accounts,OU=RANCID,OU=09_Corporate_Apps,DC=company,DC=test' -DisplayName "_rancid" -Description "Really Awesome New Cisco confIg Differ" -Company "Company" -Department "IS&T" -Division "NOC" -Country "US" -City "Portland" -AccountPassword (ConvertTo-SecureString -string "SomeTrueSecret" -asplaintext -force) -passthru | Add-ADPrincipalGroupMembership -memberof "Cisco-lvl5"

3. (NPAS) Add Cisco devices to RADIUS clients:

Advanced -> Vendor name: RADIUS Standard

4. (NPAS) Create Network Policy:

Conditions:

Service-Type: Login
Client Friendly Name: cisco
NAS Port Type: Virtual (VPN)
User Groups: COMPANY\Cisco-lvl5
Calling Station ID: 192\.168\.*|2001:DB8:DEAD:BEEF::.*

Settings:

Cisco-AV-Pair: shell:priv-lvl=5
Access Permission: Grant Access
NAS Port Type: Virtual (VPN)
Authentication Method: Unencrypted Authentication (PAP, SPAP)

5. (IOS) Configure Cisco for RAIDUS authentication:

aaa new-model
aaa authentication login default group radius local-case
aaa authorization exec default group radius local

ip radius source-interface Loopback0
radius-server attribute 6 on-for-login-auth
radius-server host 192.168.1.x retransmit 0 key mykey1
radius-server host 192.168.2.x retransmit 0 key mykey2

2011-05-04T02:55:00.002+04:00

RANCID patch:

- workaround for Cisco's Role-Based CLI
- fix radius-server key partial exposure if FILTER_PWDS is used and key uses non-"word" characters
- more password-filtering with cisco
- filter out ddns add URLs (I don't use ddns remove URLs) - dirty quickfix, I didn't want to waste my time figuring out how to filter out logins and passwords from URLs, so fixed it by removing entire URL strings

--- bin/rancid.in.orig  Wed Feb 16 02:16:59 2011
+++ bin/rancid.in       Tue May  3 18:44:49 2011
@@ -1672,6 +1672,9 @@ sub WriteTerm {
        if (/^(ppp .* password) 7 .*/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n"); next;
        }
+       if (/^\s+(ppp chap (hostname|(password \d))) / && $filter_pwds >= 1) {
+           ProcessHistory("","","","!$1 \n"); next;
+       }
        if (/^(ip ftp password) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n"); next;
        }
@@ -1725,6 +1728,12 @@ sub WriteTerm {
        if (/(\s+ldap-login-password )\S+(.*)/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1  $'"); next;
        }
+       if (/^\s+(wpa-psk ascii|hex \d) / && $filter_pwds >= 1) {
+           ProcessHistory("","","","!$1 \n"); next;
+       }
+       if (/^\s+add / && $filter_pwds >= 1) {
+           ProcessHistory("","","","!$1 \n"); next;
+       }
        #
        if (/^( cable shared-secret )/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
@@ -1828,7 +1837,7 @@ sub WriteTerm {
            }
        }
        # prune tacacs/radius server keys
-       if (/^((tacacs|radius)-server\s(\w*[-\s(\s\S+])*\s?key) (\d )?\w+/
+       if (/^((tacacs|radius)-server\s(\w*[-\s(\s\S+])*\s?key) (\d )?\S+/
            && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 $'"); next;
        }
@@ -1949,6 +1958,7 @@ sub DoNothing {print STDOUT;}
        {'show vlan-switch'             => 'ShowVLAN'},
        {'show debug'                   => 'ShowDebug'},
        {'more system:running-config'   => 'WriteTerm'},        # ASA/PIX
+       {'show running-config view full' => 'WriteTerm'},       # workaround for role-based CLI
        {'show running-config'          => 'WriteTerm'},
        {'write term'                   => 'WriteTerm'},
 );

2011-05-04T02:14:00.005+04:00

Collecting/tracking network devices configurations with RANCID

Key components: RANCID, CVSweb

Note: In this particular case the OS of choice is OpenBSD

1. Install rancid package:

# pkg_add rancid-2.3.6.tgz
rancid-2.3.6:tcl-8.5.9: ok
rancid-2.3.6:expect-5.44.1.15p0-no_tk: ok
useradd: Warning: home directory `/var/rancid' doesn't exist, and -m was not specified
rancid-2.3.6: ok
Look in /usr/local/share/doc/pkg-readmes for extra documentation.

2. Edit /etc/rancid.conf, e.g.:

TERM=network;export TERM
umask 027
TMPDIR=/tmp; export TMPDIR
BASEDIR=/var/rancid; export BASEDIR
PATH=/usr/local/bin:/usr/bin:/usr/local/bin:/usr/sbin:/bin:/usr/bin; export PATH
CVSROOT=$BASEDIR/CVS; export CVSROOT
LOGDIR=$BASEDIR/logs; export LOGDIR
RCSSYS=cvs; export RCSSYS
ACLSORT=YES; export ACLSORT
FILTER_PWDS=YES; export FILTER_PWDS
NOCOMMSTR=YES; export NOCOMMSTR
LIST_OF_GROUPS="group1 group2"

3. Add RANCID entries to aliases(5):

# local aliases
_rancid: admin@company.test

# rancid aliases
rancid-group1: user1@company.test
rancid-admin-group1: admin@company.test
rancid-group2: user2@company.test
rancid-admin-group2: admin@company.test

See /usr/local/share/doc/rancid/README for detailed explanations and more examples.

Note: do not forget to run newaliases(8)

4. Switch to _rancid user and create /var/rancid/.cloginrc, e.g.

add user * $env(USER)
add password * {MYPASSWORD}
add autoenable * {1}
add method * {ssh}

Set appropriate permissions:

$ chmod 600 /var/rancid/.cloginrc

5. Initialize CVS tree:

$ rancid-cvs

No conflicts created by this import

cvs checkout: Updating group1
Directory /var/rancid/CVS/group1/configs added to the repository
cvs commit: Examining configs
cvs add: scheduling file `router.db' for addition
cvs add: use 'cvs commit' to add this file permanently
RCS file: /var/rancid/CVS/group1/router.db,v
done
Checking in router.db;
/var/rancid/CVS/group1/router.db,v  <--  router.db
initial revision: 1.1
done

No conflicts created by this import

cvs checkout: Updating group2
Directory /var/rancid/CVS/group2/configs added to the repository
cvs commit: Examining configs
cvs add: scheduling file `router.db' for addition
cvs add: use 'cvs commit' to add this file permanently
RCS file: /var/rancid/CVS/group2/router.db,v
done
Checking in router.db;
/var/rancid/CVS/group2/router.db,v  <--  router.db
initial revision: 1.1
done

6. Create router.db file for each group:

$ echo router1:cisco:up > /var/rancid/group1/router.db
$ echo router2:juniper:up > /var/rancid/group2/router.db

7. Run rancid, check logs, check mail delivery:

$ rancid-run

Logfiles location: /var/rancid/logs

8. Create _rancid's crontab, e.g.:

MAILTO=admin@company.test
#minute hour    mday    month   wday    command
60      *       *       *       *       nice /usr/local/bin/rancid-run group1
50      *       *       *       *       nice /usr/local/bin/rancid-run group2
05      2       *       *       *       find /var/rancid/logs -type f -mtime +2 -exec rm {} \;

9. Install cvsweb package:

# pkg_add cvsweb-2.0.6p10.tgz
cvsweb-2.0.6p10: ok
Look in /usr/local/share/doc/pkg-readmes for extra documentation.

10. Configure cvsweb as described in /usr/local/share/doc/pkg-readmes/cvsweb-2.0.6p10:

In one line:

# cd /var/www && mkdir tmp usr && chown www.www tmp && cd /var/www/usr && mkdir -p {bin,lib,libdata/perl5,libexec} && cd /var/www/usr/libdata/perl5 && mkdir -p {File,IPC,Time,warnings,`machine`-openbsd/5.12.2} && cd /var/www/usr/bin && cp -p /usr/bin/{co,cvs,diff,perl,rcsdiff,rlog,uname} . && cd /var/www/usr/lib && cp -p /usr/lib/lib{c,crypto,gssapi,krb5,m,perl,util,z}.so* . && cd /var/www/usr/libexec && cp -p /usr/libexec/ld.so . && cd /var/www/usr/libdata/perl5 && cp -p /usr/libdata/perl5/{Carp,Exporter,Symbol,base,integer}.pm . && cp -p /usr/libdata/perl5/{strict,warnings,vars,constant}.pm . && cp -p /usr/libdata/perl5/File/Basename.pm ./File/ && cp -p /usr/libdata/perl5/IPC/Open{2,3}.pm ./IPC/ && cp -p /usr/libdata/perl5/Time/Local.pm ./Time/ && cp -p /usr/libdata/perl5/warnings/register.pm ./warnings/ && cd /var/www/usr/libdata/perl5/`machine`-openbsd/5.12.2 && cp -p /usr/libdata/perl5/`machine`-openbsd/5.12.2/{Config,Cwd}.pm . && cp -p /usr/libdata/perl5/`machine`-openbsd/5.12.2/Config_{git,heavy}.pl .

11. Add rancid entry to exports(5):

# echo "/var/rancid/CVS -ro -mapall=nobody localhost" >> /etc/exports

12. Add rancid mount point to fstab(5):

# echo "localhost:/var/rancid/CVS /var/www/rancid nfs ro,nodev,nosuid,noexec 0 0" >> /etc/fstab

13. Configure rc.conf.local(8) appropriately, e.g.

httpd_flags=""
nfs_server=YES
portmap=YES

14. Since httpd(8) in OpenBSD runs chrooted, cvsweb files require some changes (as described in /usr/local/share/doc/pkg-readmes/cvsweb-2.0.6p10:

--- /var/www/conf/cvsweb/cvsweb.conf.orig
+++ /var/www/conf/cvsweb/cvsweb.conf
@@ -43,7 +43,8 @@
 # 'symbolic_name' => ['name_to_display', 'path_to_the_actual_repository']
 # Listed in the order specified:
 @CVSrepositories = (
-       'local'   => ['Local Repository', '/home/cvs'],
+       'rancid'  => ['rancid',           '/rancid'],
+#      'local'   => ['Local Repository', '/home/cvs'],
 #      'freebsd' => ['FreeBSD',          '/home/ncvs'],
 #      'openbsd' => ['OpenBSD',          '/home/ncvs'],
 #      'netbsd'  => ['NetBSD',           '/home/ncvs'],
@@ -321,7 +322,7 @@
 # cvsweb to guess the correct mime-type on
 # checkout; you can use the mime.types from
 # apache here:
-$mime_types = '/var/www/conf/mime.types';
+$mime_types = '/conf/mime.types';

 # quick mime-type lookup; maps file-suffices to
 # mime-types for displaying checkouts in the browser.

--- /var/www/cgi-bin/cvsweb.orig
+++ /var/www/cgi-bin/cvsweb
@@ -157,7 +157,7 @@

 # == EDIT this ==
 # Locations to search for user configuration, in order:
-for ("$mydir/cvsweb.conf", '/var/www/conf/cvsweb/cvsweb.conf') {
+for ("$mydir/cvsweb.conf", '/conf/cvsweb/cvsweb.conf') {
        if (defined($_) && -r $_) {
                $config = $_;
                last;

15. Add redirect statement to httpd.conf for convenience:

Redirect /cvsweb http://server.company.test/cgi-bin/cvsweb

2010-11-05T22:49:00.003+03:00

Adding unsupported operating system IDs to SCVMM

Note: backup SCVMM database and stop vmmservice before applying changes.

OpenBSD

INSERT INTO [VirtualManagerDB].[dbo].[tbl_IL_OS] (OSId, Name, Description, Edition, ProductType, Version, Architecture, OSFlags, VMWareGuestId)
VALUES (NEWID(), 'OpenBSD 4.8-CURRENT (i386)', 'OpenBSD 4.8-CURRENT (i386)', NULL, NULL, NULL, 'x86', 0x15, 'freebsdGuest')

INSERT INTO [VirtualManagerDB].[dbo].[tbl_IL_OS] (OSId, Name, Description, Edition, ProductType, Version, Architecture, OSFlags, VMWareGuestId)
VALUES (NEWID(), 'OpenBSD 4.8-CURRENT (amd64)', 'OpenBSD 4.8-CURRENT (amd64)', NULL, NULL, NULL, 'amd64', 0x14, 'freebsd64Guest')

FreeBSD

INSERT INTO [VirtualManagerDB].[dbo].[tbl_IL_OS] (OSId, Name, Description, Edition, ProductType, Version, Architecture, OSFlags, VMWareGuestId)
VALUES (NEWID(), 'FreeBSD 8.1-RELEASE (i386)', 'FreeBSD 8.1-RELEASE (i386)', NULL, NULL, NULL, 'x86', 0x15, 'freebsdGuest')

INSERT INTO [VirtualManagerDB].[dbo].[tbl_IL_OS] (OSId, Name, Description, Edition, ProductType, Version, Architecture, OSFlags, VMWareGuestId)
VALUES (NEWID(), 'FreeBSD 8.1-RELEASE (amd64)', 'FreeBSD 8.1-RELEASE (amd64)', NULL, NULL, NULL, 'amd64', 0x14, 'freebsd64Guest')

Solaris

INSERT INTO [VirtualManagerDB].[dbo].[tbl_IL_OS] (OSId, Name, Description, Edition, ProductType, Version, Architecture, OSFlags, VMWareGuestId)
VALUES (NEWID(), 'Sun Solaris 10 10/09 (U8)', 'Sun Solaris 10 10/09 (U8)', NULL, NULL, NULL, 'amd64', 0x14, 'solaris10_64Guest')

INSERT INTO [VirtualManagerDB].[dbo].[tbl_IL_OS] (OSId, Name, Description, Edition, ProductType, Version, Architecture, OSFlags, VMWareGuestId)
VALUES (NEWID(), 'Oracle Solaris 10 9/10 (U9)', 'Oracle Solaris 10 9/10 (U9)', NULL, NULL, NULL, 'amd64', 0x14, 'solaris10_64Guest')

OpenSolaris

INSERT INTO [VirtualManagerDB].[dbo].[tbl_IL_OS] (OSId, Name, Description, Edition, ProductType, Version, Architecture, OSFlags, VMWareGuestId)
VALUES (NEWID(), 'OpenSolaris', 'OpenSolaris', NULL, NULL, NULL, 'amd64', 0x14, 'solaris10_64Guest')

2010-11-05T22:07:00.002+03:00

Booting Unix systems from Windows Deployment Server: OpenBSD

This approach, similar to the one described below in FreeBSD article, also uses modified pxeboot images for both x86 and x64 architectures.

1. Modify sys/stand/boot/boot.c

--- sys/stand/boot/boot.c.orig  Fri Nov  5 19:57:56 2010
+++ sys/stand/boot/boot.c       Wed Nov  3 03:28:04 2010
@@ -67,7 +67,7 @@
        devboot(bootdev, cmd.bootdev);
        strlcpy(cmd.image, kernelfile, sizeof(cmd.image));
        cmd.boothowto = 0;
-       cmd.conf = "/etc/boot.conf";
+       cmd.conf = "boot\\x86\\pxelinux\\OpenBSD\\boot.conf";
        cmd.addr = (void *)DEFAULT_KERNEL_ADDRESS;
        cmd.timeout = 5;

2. Build modified pxeboot for i386 architecture:

cd /sys/arch/i386/stand/pxeboot/ && make clean obj pxeboot

3. Copy pxeboot to the appropriate location on the deployment server (RemoteInstall\Boot\x86\pxelinux\OpenBSD)

4. Repeat the process for amd64 architecture; this time specify boot location for x64 architecture in sys/stand/boot/boot.c

--- sys/stand/boot/boot.c.orig  Fri Nov  5 19:57:56 2010
+++ sys/stand/boot/boot.c       Wed Nov  3 03:28:04 2010
@@ -67,7 +67,7 @@
        devboot(bootdev, cmd.bootdev);
        strlcpy(cmd.image, kernelfile, sizeof(cmd.image));
        cmd.boothowto = 0;
-       cmd.conf = "/etc/boot.conf";
+       cmd.conf = "boot\\x64\\pxelinux\\OpenBSD\\boot.conf";
        cmd.addr = (void *)DEFAULT_KERNEL_ADDRESS;
        cmd.timeout = 5;

Note: pxeboot built for i386 architecture will work on amd64 architecture, so there's no need to build it on amd64 platform.

5. After pxeboot files are copied to Boot\x86\pxelinux\OpenBSD and Boot\x64\pxelinux\OpenBSD locations on the deployment server, also copy bsd.rd from the distribution media to OpenBSD folders and create boot.conf file for both architectures:

set RISBoot=H:\RemoteInstall\Boot
for %a in (x86 x64) do <nul (set /p c=boot boot\%a\pxelinux\OpenBSD\bsd.rd)> %RISBoot%\%a\pxelinux\OpenBSD\boot.conf
:: i386 can be installed on x64
cd %RISBoot%\x64\pxelinux\OpenBSD && mklink /J i386 %RISBoot%\x86\pxelinux\OpenBSD

6. Add OpenBSD entries to pxelinux.cfg\default configuration files:

LABEL openbsd
    MENU LABEL OpenBSD/amd64
    PXE OpenBSD\pxeboot

    LABEL openbsd-i386
    MENU LABEL ^OpenBSD/i386
    PXE OpenBSD\i386\pxeboot

2010-11-05T17:48:00.007+03:00

Booting Unix systems from Windows Deployment Server: FreeBSD

1. Install Services for NFS:

servermanagercmd.exe -install FS-NFS-Services

2. Verify NFS server configuration:

nfsadmin server config

3. Create NFS distribution folder:

mkdir v:\nfs
nfsshare nfs=v:\nfs -o root unmapped=yes anonuid=65534  anongid=65534

4. Copy FreeBSD distribution files from the media. For example, create nfs\FreeBSD\%PROCESSOR_ARCHITECTURE%\8.2-RELEASE, and copy there contents of the 8.2-RELEASE along with boot and packages folders.

5. Make modified versions of FreeBSD's pxeboot for all required FreeBSD releases/architectures.

Sample patch for 8.2-RELEASE:

--- sys/boot/i386/libi386/pxe.h.orig    2011-05-04 14:12:52.000000000 +0400
+++ sys/boot/i386/libi386/pxe.h 2011-05-04 14:13:48.000000000 +0400
@@ -61,7 +61,7 @@
 #define        MAC_ARGS(mac)                                   \
        mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]

-#define        PXENFSROOTPATH  "/pxeroot"
+#define        PXENFSROOTPATH  "/nfs/FreeBSD/8.1-RELEASE/amd64"

 typedef struct {
        uint16_t                offset;

--- sys/boot/i386/libi386/pxe.c.orig    2011-05-04 14:16:45.000000000 +0400
+++ sys/boot/i386/libi386/pxe.c 2011-05-04 14:17:17.000000000 +0400
@@ -282,7 +282,7 @@
                bootp(pxe_sock, BOOTP_PXE);
                if (rootip.s_addr == 0)
                        rootip.s_addr = bootplayer.sip;
-               if (!rootpath[0])
+               if (!rootpath[1])
                        strcpy(rootpath, PXENFSROOTPATH);

                for (i = 0; rootpath[i] != '\0' && i < FNAME_SIZE; i++)

Note. For 8.0-RELEASE only change PXENFSROOTPATH in sys/boot/i386/libi386/pxe.h; there's no need to modify pxe.c.

6. Make everything in /sys/boot:

cd /sys/boot && make clean obj all

7. Create appropriate FreeBSD boot folders for all required releases & architectures on the deployment server, e.g. for 8.2-RELEASE:

set RISBoot=V:\RemoteInstall\Boot
for %a in (x86 x64) do  mkdir %RISBoot%\%a\pxelinux\FreeBSD_8_2
:: i386 can be installed on x64
cd %RISBoot%\x64\pxelinux\FreeBSD_8_2 && mklink /J i386 %RISBoot%\x86\pxelinux\FreeBSD_8_2

8. Copy modified pxeboot files from /usr/obj/usr/src/sys/boot/i386/pxeldr/pxeboot to appropriate FreeBSD boot folders on the deployment server.

9. Add FreeBSD entries to pxelinux.cfg\default configuration files, e.g. for 8.2-RELEASE:

    LABEL freebsd82
    MENU LABEL ^FreeBSD 8.2-RELEASE/amd64
    PXE FreeBSD_8_2\pxeboot

    LABEL freebsd82-i386
    MENU LABEL FreeBSD 8.2-RELEASE/i386
    PXE FreeBSD_8_2\i386\pxeboot

2010-11-04T13:14:00.010+03:00

Booting Unix systems from Windows Deployment Server: pxelinux

Squeezed and slightly modified version of the WDSLINUX wiki article.

1. Download and extract syslinux.

2. Run cmd.exe, cd to the syslinux folder and run the following commands (verify you set the RemoteInstallBootDir env variable to the right location, V:\RemoteInstall\Boot in my case):

set RemoteInstallBootDir=V:\RemoteInstall\Boot
for %d in (x86 x64) do  mkdir %RemoteInstallBootDir%\%d\pxelinux\pxelinux.cfg && (for %f in (core\pxelinux.0 com32\modules\chain.c32 com32\menu\menu.c32 com32\menu\vesamenu.c32) do copy %f %RemoteInstallBootDir%\%d\pxelinux)

3. Verify (save to a file if needed) current WDS configuration:

wdsutil /get-server /show:config

4. Configure WDS to use pxelinux.0 as boot program:

for %a in (x86 x64) do (for %p in (bootprogram n12bootprogram) do wdsutil /set-server /%p:boot\%a\pxelinux\pxelinux.0 /architecture:%a)

5. (Optional) Configure WDS architecture discovery, PXE prompt & answer policy:

wdsutil /set-server /answerclients:all /architecturediscovery:yes /pxepromptpolicy /known:optout /new:optout

6. Create default configuration file for x86 and x64 architectures (Boot\x86\pxelinux\pxelinux.cfg\default and Boot\x64\pxelinux\pxelinux.cfg\default in the RemoteInstall folder). Basic configuration:

DEFAULT menu.c32
ALLOWOPTIONS 0
NOESCAPE 1
PROMPT 0
TIMEOUT 60

MENU TITLE PXE boot options

LABEL wds
MENU DEFAULT
MENU LABEL ^Windows Deployment Services
PXE ..\pxeboot.n12

LABEL abortpxe
MENU LABEL ^Abort PXE boot
PXE ..\abortpxe.com

LABEL localhdd
MENU LABEL Boot from local hard ^disk
LOCALBOOT 0
TYPE 0x80

7. Test.

Notes.

There is no need to rename WDS boot files as described in WDSLINUX guide. The main reason for renaming WDS boot files was the SYSLINUX specifics in determination of boot image types: it can be determined from the boot image file extension (e.g. .bin, .0, .img) or from the configuration file command (e.g. PXE, LINUX):

The following commands are available after a LABEL statement:

    LINUX image   - Linux kernel image (default)
    BOOT image   - Bootstrap program (.bs, .bin)
    BSS image   - BSS image (.bss)
    PXE image   - PXE Network Bootstrap Program (.0)
    FDIMAGE image  - Floppy disk image (.img)
    COMBOOT image  - COMBOOT program (.com, .cbt)
    COM32 image   - COM32 program (.c32)
    CONFIG image  - New configuration file
        Using one of these keywords instead of KERNEL forces the
        filetype, regardless of the filename.

For more information, refer to the doc\syslinux.txt.

SYSLINUX does not interfere with ConfigMgr PXE service point if the latter is configured on the deployment server. Managed clients will use SMS boot images.

2010-11-03T19:32:00.011+03:00

Authenticating Unix SSH users against Windows Active Directory Domain Services (AD DS)

The following example shows how to setup AD DS Unix computer account in order to use Kerberos (GSSAPI, to be more precise) authentication in SSH daemon.

To make it clear, Windows part of the proccess will be performed using the PowerShell 2.0:

# Import the Active Directory module
Import-Module ActiveDirectory

# (Optional) Create group for unix computer accounts administrators, add uniadmin account to the group
New-ADGroup "Unix computers accounts administrators" Global -Description "Unix computers accounts administrators" -OtherAttributes @{mail="usg@company.test"} | Add-ADGroupMember -Members unixadmin

# (Optional) Create the OU for Unix computers accounts
New-ADOrganizationalUnit -Name "Unix computers" -Description "OU for Unix computers accounts & groups" -ManagedBy  "Unix computers accounts administrators" -Path 'dc=company,dc=test'

# (Optional) Create global group which will contain Unix computers accounts
New-ADGroup "Unix computers" Global -Path 'OU=Unix computers,dc=company,dc=test' -Description "Unix computers accounts" -ManagedBy "Unix computers accounts administrators"

# Create unix computer account with appropriate attributes and group membership
New-ADUser unixcomputer -UserPrincipalName "unixcomputer@company.test" -CannotChangePassword 1 -PasswordNeverExpires 1 -Enabled 1 -Path 'OU=Unix computers,dc=company,dc=test' -DisplayName "unixcomputer.company.test" -Description "Used for Kerberos authentication"  -Company "Company" -Department "IS&T" -Division "USG" -Country "US" -City "Raleigh" -AccountPassword (ConvertTo-SecureString -string "SomeRandomPass" -asplaintext -force) -passthru | Add-ADPrincipalGroupMembership -memberof "Unix Computers"

# Map Kerberos principal name to the user account, export keytab file
ktpass -princ host/unixcomputer.company.test@COMPANY.TEST -mapuser unixcomputer@company.test -pType KRB5_NT_PRINCIPAL +rndpass -out krb5.keytab

Verify SPN is created:

setspn -Q host/unixcomputer.company.test
Checking domain DC=company,DC=test
CN=unixcomputer,OU=Unix computers,DC=company,DC=test
        host/unixcomputer.company.test

Existing SPN found!

Securely copy generated keytab to the Unix computer.

Now the Unix counterpart of the process.

On OpenBSD copy the contents of krb5.keytab generated on Windows machine to /etc/kerberosV/krb5.keytab:

# ktutil copy ./krb5.keytab /etc/kerberosV/krb5.keytab

Verify keytab entry is added:

# ktutil list
FILE:/etc/kerberosV/krb5.keytab:

Vno  Type              Principal
  3  arcfour-hmac-md5  host/unixcomputer.company.test@COMPANY.TEST

Verify Kerberos:

$ kinit
user@COMPANY.TEST's Password:
$ klist

Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: user@COMPANY.TEST

  Issued           Expires          Principal
Nov  3 18:13:24  Nov  4 04:13:24  krbtgt/COMPANY.TEST@COMPANY.TEST

Configure sshd to use GSSAPI authentication:

# cf=/etc/ssh/sshd_config && mv $cf $cf.old && sed 's/.*GSSAPIAuthentication.*/GSSAPIAuthentication yes/' $cf.old > $cf && kill -HUP `cat /var/run/sshd

On FreeBSD copy the contents of krb5.keytab generated on Windows machine to to /etc/krb5.keytab:

# ktutil copy ./krb5.keytab /etc/krb5.keytab

Verify keytab entry is added:

# ktutil list
FILE:/etc/krb5.keytab:

Vno  Type              Principal
  3  arcfour-hmac-md5  host/unixcomputer.company.test@COMPANY.TEST

ktutil: krb5_kt_start_seq_get krb4:/etc/srvtab: open(/etc/srvtab): No such file or directory

Verify Kerberos:

$ kinit
user@COMPANY.TEST's Password:
$ klist

Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: user@COMPANY.TEST

  Issued           Expires          Principal
Nov  3 18:31:57  Nov  4 04:31:57  krbtgt/COMPANY.TEST@COMPANY.TEST

Configure sshd to use GSSAPI authentication:

# sed -i .bak 's/.*GSSAPIAuthentication.*/GSSAPIAuthentication yes/' /etc/ssh/sshd_config && kill -HUP `cat /var/run/sshd.pid`  && rm /etc/ssh/sshd_config.bak

On Solaris copy the contents of krb5.keytab generated on Windows machine to to /etc/krb5/krb5.keytab:

# ktutil
ktutil:  rkt ./krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    5   host/unixcomputer.company.test@COMPANY.TEST
ktutil:  wkt /etc/krb5/krb5.keytab
ktutil:  clear
ktutil:  rkt /etc/krb5/krb5.keytab
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    5   host/unixcomputer.company.test@COMPANY.TEST
ktutil:  exit

Verify Kerberos:

$ kinit
Password for user@COMPANY.TEST:
$ klist

Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: user@COMPANY.TEST

Valid starting                Expires                Service principal
11/03/10 18:33:11  11/04/10 04:33:12  krbtgt/COMPANY.TEST@COMPANY.TEST
        renew until 11/10/10 18:33:11

Solaris sshd supports GSSAPI authentication by default.

GSSAPI-supporting Windows SSH Client

I'm using the latest development snapshot of PuTTY.

Troubleshooting

Normally, if Windows AD DS set up properly, Kerberos authentication of Unix user accounts against Windows AD DS should work right out of the box, i.e. default AD DS installation, default Unix settings no matter what flavor of Unix/Kerberos is used.

Typical problems (in ascending order of complexity):
1. Clock skew. Keep computer clock synchronized with a reliable source (NTP).
2. Kerberos encryption types. Make sure the keytab entry for the Unix host uses arcfour-hmac-md5 encryption type.
3. DNS records. SRV RRs used by Kerberos are registered by Net Logon service on domain controllers. Check if records are registered, check if the Unix resolver functions properly and points to the right DNS servers.

Tip. Run sshd in debug mode on port 2022: sshd -ddd -p 2022.

2010-11-03T04:13:00.006+03:00

CAPolicy.inf Windows AD CS confguration file mindmap

Link

2009-12-04T23:49:00.010+03:00

Tunnelbroker: securely updating tunnel's server endpoint using Cisco IOS "ip ddns" update method

1. Get tunnelbroker's certificate

Go to https://ipv4.tunnelbroker.net/. Export the certificate in X.509 Certificate (PEM) format, open it with text editor, copy contents.

2. (Cisco) Configure trustpoint:

cisco(config)#crypto pki trustpoint tunnelbroker
cisco(ca-trustpoint)#enrollment terminal pem
cisco(ca-trustpoint)#revocation-check none

3. Authenticate tunnelbroker's certificate (paste certificate)

cisco(config)#crypto pki authenticate tunnelbroker

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIJAPF6IlDmmdRhMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEQMA4GA1UEBxMHRnJlbW9udDEg
MB4GA1UEChMXSHVycmljYW5lIEVsZWN0cmljLCBMTEMxDTALBgNVBAsTBElQdjYx
GTAXBgNVBAMTEHR1bm5lbGJyb2tlci5uZXQxGjAYBgkqhkiG9w0BCQEWC2lwdjZA
aGUubmV0MB4XDTExMDQyMjE3NDIyMFoXDTIxMDQxOTE3NDIyMFowgZwxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRAwDgYDVQQHEwdGcmVtb250MSAw
HgYDVQQKExdIdXJyaWNhbmUgRWxlY3RyaWMsIExMQzENMAsGA1UECxMESVB2NjEZ
MBcGA1UEAxMQdHVubmVsYnJva2VyLm5ldDEaMBgGCSqGSIb3DQEJARYLaXB2NkBo
ZS5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDe5nza8zQ/AiT+
ySc4mZYmLMcIrcU3q6ZEwIY5vHg2chzCJGCPQIwtBiexSZ7CWL8/GjdPWs6DoCut
DS6VlGGaRhJd0ppUOB3uZLcqnfY0/d40WpRFm49yAV3fmhQg744BKUz2+V23E3tP
n4UXq507dQ3RmNiZoS/T+DUbt1URXFZDIJmc4vjnYfGQhUzhbWZbC7J5fMFnTFSL
NWNou4drWwcApm4FjPfVr+tdanjGEs8bMGSbXo6BjtStiEy1yJ3QGyZLwuURcMMv
DV06/hc2Nv9MZPUaIPvXmNcSuVvY3MJiD1CiCWVmfiO3h7b5EmIWC+ZpO9L3Mk6/
j/MgWR6jAgMBAAGjMzAxMC8GA1UdEQQoMCaCEHR1bm5lbGJyb2tlci5uZXSCEiou
dHVubmVsYnJva2VyLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAXMG5ZOeyRCzIEPYP
tZKbr1N0CkiBHf+7bVqUqfifEte6S/edpUdzIzB9Wtt484Dt88cAeg4BH2z+Kx2C
lE9PxtTSMCInZIniuoLhaBP0BiRXEurTYdreFmen/S5cCkffVr+eJGk92lQQAdMr
kyz2kD1NCwCaEp1w9DYltDbfC2v8BSIiEKVvD72VW6E2r7AvW73s3+E3WcWbt6pV
qrKfFH4mKH0BR7nLzm5zduojCvIdH3GjelyLd7lUVR3N8Dz626tOzni/bzHpbH3T
dMlBIl3f7c41wcoFG5zSZf1mvgyOnSlOnNmlxMbnfnrIyIyfYz1L8UWqWZGbxJYH
EXcOrA==
-----END CERTIFICATE-----

Certificate has the following attributes:
       Fingerprint MD5: 1128B641 08E7E271 B2FFB7FF 91411952
      Fingerprint SHA1: 9EB44F27 6BCE5EF6 5D9D38CC A9252276 4318075C

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

4. Construct your tunnel source update URL.

https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=MD5PASS&user_id=USERID&tunnel_id=GTUNID

Substitute MD5PASS, USERID and GTUNID with appropriate values:

MD5PASS is the MD5 hash of your password

md5 -dPassword
DC647EB65E6711E155375218212B3964


md5 utility for Windows: http://www.fourmilab.ch/md5/

USERID is your Tunnel Broker's userid (check your Hurricane Electric Free IPv6 Tunnel Broker account's main page)

GTUNID = Tunnel ID, obtain it from your tunnel settings (Login to your Hurricane Electric Free IPv6 Tunnel Broker account)

Sample URL: https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=DC647EB65E6711E155375218212B3964&user_id=123457890abcd1234567890abcd12345&tunnel_id=12345

5. Configure ddns

cisco(config)#ip ddns update method tunnelbroker
cisco(DDNS-update-method)#HTTP
cisco(DDNS-HTTP)#add https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=DC647EB65E6711E155375218212B3964&user_id=123457890abcd1234567890abcd12345&tunnel_id=12345

Hint: use Ctrl-V to enter "?" in the URL

cisco(DDNS-HTTP)#exit
cisco(DDNS-update-method)#interval maximum 28 0 0 0
cisco(DDNS-update-method)#exit
cisco(config)#int tunnel 0
cisco(config-if)#ip ddns update tunnelbroker
cisco(config-if)#end

Resulting config

crypto pki trustpoint tunnelbroker
 enrollment terminal pem
 revocation-check none
!
crypto pki certificate chain tunnelbroker
 certificate ca 00F17A2250E699D461
  308203F0 308202D8 A0030201 02020900 F17A2250 E699D461 300D0609 2A864886 
  F70D0101 05050030 819C310B 30090603 55040613 02555331 13301106 03550408 
  130A4361 6C69666F 726E6961 3110300E 06035504 07130746 72656D6F 6E743120 
  301E0603 55040A13 17487572 72696361 6E652045 6C656374 7269632C 204C4C43 
  310D300B 06035504 0B130449 50763631 19301706 03550403 13107475 6E6E656C 
  62726F6B 65722E6E 6574311A 30180609 2A864886 F70D0109 01160B69 70763640 
  68652E6E 6574301E 170D3131 30343232 31373432 32305A17 0D323130 34313931 
  37343232 305A3081 9C310B30 09060355 04061302 55533113 30110603 55040813 
  0A43616C 69666F72 6E696131 10300E06 03550407 13074672 656D6F6E 74312030 
  1E060355 040A1317 48757272 6963616E 6520456C 65637472 69632C20 4C4C4331 
  0D300B06 0355040B 13044950 76363119 30170603 55040313 1074756E 6E656C62 
  726F6B65 722E6E65 74311A30 1806092A 864886F7 0D010901 160B6970 76364068 
  652E6E65 74308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201 
  0A028201 0100DEE6 7CDAF334 3F0224FE C9273899 96262CC7 08ADC537 ABA644C0 
  8639BC78 36721CC2 24608F40 8C2D0627 B1499EC2 58BF3F1A 374F5ACE 83A02BAD 
  0D2E9594 619A4612 5DD29A54 381DEE64 B72A9DF6 34FDDE34 5A94459B 8F72015D 
  DF9A1420 EF8E0129 4CF6F95D B7137B4F 9F8517AB 9D3B750D D198D899 A12FD3F8 
  351BB755 115C5643 20999CE2 F8E761F1 90854CE1 6D665B0B B2797CC1 674C548B 
  356368BB 876B5B07 00A66E05 8CF7D5AF EB5D6A78 C612CF1B 30649B5E 8E818ED4 
  AD884CB5 C89DD01B 264BC2E5 1170C32F 0D5D3AFE 173636FF 4C64F51A 20FBD798 
  D712B95B D8DCC262 0F50A209 65667E23 B787B6F9 1262160B E6693BD2 F7324EBF 
  8FF32059 1EA30203 010001A3 33303130 2F060355 1D110428 30268210 74756E6E 
  656C6272 6F6B6572 2E6E6574 82122A2E 74756E6E 656C6272 6F6B6572 2E6E6574 
  300D0609 2A864886 F70D0101 05050003 82010100 5CC1B964 E7B2442C C810F60F 
  B5929BAF 53740A48 811DFFBB 6D5A94A9 F89F12D7 BA4BF79D A5477323 307D5ADB 
  78F380ED F3C7007A 0E011F6C FE2B1D82 944F4FC6 D4D23022 276489E2 BA82E168 
  13F40624 5712EAD3 61DADE16 67A7FD2E 5C0A47DF 56BF9E24 693DDA54 1001D32B 
  932CF690 3D4D0B00 9A129D70 F43625B4 36DF0B6B FC052222 10A56F0F BD955BA1 
  36AFB02F 5BBDECDF E13759C5 9BB7AA55 AAB29F14 7E26287D 0147B9CB CE6E7376 
  EA230AF2 1D1F71A3 7A5C8B77 B954551D CDF03CFA DBAB4ECE 78BF6F31 E96C7DD3 
  74C94122 5DDFEDCE 35C1CA05 1B9CD265 FD66BE0C 8E9D294E 9CD9A5C4 C6E77E7A 
  C8C88C9F 633D4BF1 45AA5991 9BC49607 11770EAC
   quit
!
ip ddns update method tunnelbroker
 HTTP
  add add https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=DC647EB65E6711E155375218212B3964&user_id=123457890abcd1234567890abcd12345&tunnel_id=12345
 interval maximum 1 0 0 0
!
interface Tunnel0
 ip ddns update tunnelbroker

2009-11-29T18:15:00.006+03:00

Starlight 4.1.1 New Features Webinar

Starting at 7:32

2009-11-29T15:43:00.008+03:00

Computer Networks: The Heralds of Resource Sharing

Circa 1972.