Monday 20 April 2015

Kerberized NFS in RHEL7/CentOS7

The problem with plain NFS is that it does not authenticate hosts, so it is vulnerable to man-in-the-middle attacks. With Kerberos, hosts are required to prove their identity before mounting, instead of the server blindly assuming that the IP address it is talking to is genuine.

For Kerberos Server configuration, refer to this post.

NOTE:
  1) Ensure that a DNS server or the '/etc/hosts' file is configured for the network.
  2) Ensure that time synchronization is configured on all machines in the network.
  3) All commands are to be executed as the 'root' user.

Consider the following scenario:

Kerberos Realm: MYCOMPANY.COM
DNS Domain Name: mycompany.com
Kerberos KDC: meru.mycompany.com
Kerberos Admin Server: meru.mycompany.com

NFS Server: server3.mycompany.com
NFS Client: server1.mycompany.com


Configure NFS Server (server3.mycompany.com):

1) Install packages.
[root@server3 ~]# yum -y install krb5-workstation krb5-libs

2) Edit the file '/etc/krb5.conf' and make the following changes ('default_realm' belongs in the '[libdefaults]' section).

       [libdefaults]
       default_realm = MYCOMPANY.COM

       [realms]
       MYCOMPANY.COM = {
         kdc = meru.mycompany.com
         admin_server = meru.mycompany.com
       }

       [domain_realm]
       .mycompany.com = MYCOMPANY.COM
       mycompany.com = MYCOMPANY.COM

3) Create the nfs principal in the Kerberos database and extract its keys into the NFS server's keytab.
[root@server3 ~]# kadmin -p shabbir/admin -w shabbir
kadmin:  addprinc -randkey nfs/server3.mycompany.com
kadmin:  ktadd nfs/server3.mycompany.com
kadmin:  quit

4) View the keytab entry.
[root@server3 ~]# klist -k

5) Edit the file '/etc/exports' and enable Kerberos authentication for the export ('sec=krb5').
       /home/shabbir   server1.mycompany.com(rw,sec=krb5)


6) Export the directory.
[root@server3 ~]# exportfs -avr

7) Start the NFS secure server and make sure the firewall port is open.
[root@server3 ~]# systemctl start nfs-secure-server

[root@server3 ~]# firewall-cmd --zone=public --add-service=nfs --permanent
[root@server3 ~]# firewall-cmd --reload


Configure NFS Client (server1.mycompany.com):

1) Install packages.
[root@server1 ~]# yum -y install krb5-workstation krb5-libs

2) Edit the file '/etc/krb5.conf' and make the following changes ('default_realm' belongs in the '[libdefaults]' section).

       [libdefaults]
       default_realm = MYCOMPANY.COM

       [realms]
       MYCOMPANY.COM = {
         kdc = meru.mycompany.com
         admin_server = meru.mycompany.com
       }

       [domain_realm]
       .mycompany.com = MYCOMPANY.COM
       mycompany.com = MYCOMPANY.COM

3) Create the nfs principal in the Kerberos database and extract its keys into the NFS client's keytab.
[root@server1 ~]# kadmin -p shabbir/admin -w shabbir
kadmin:  addprinc -randkey nfs/server1.mycompany.com
kadmin:  ktadd nfs/server1.mycompany.com
kadmin:  quit

4) View the keytab entry.
[root@server1 ~]# klist -k

5) Start the NFS secure client service.
[root@server1 ~]# systemctl start nfs-secure


6) Mount the exported directory with the Kerberos security flavor.
[root@server1 ~]# mount -t nfs4 -o sec=krb5 server3.mycompany.com:/home/shabbir /mnt

7) Log in as user 'shabbir' and obtain a ticket. We assume that a user principal for 'shabbir' already exists in the Kerberos database.
[root@server1 ~]# su - shabbir
[shabbir@server1 ~]$ kinit shabbir
Password for shabbir@MYCOMPANY.COM:

8) View the ticket.
[shabbir@server1 ~]$ klist
Ticket cache: KEYRING:persistent:0:0
Default principal: shabbir@MYCOMPANY.COM

Valid starting       Expires              Service principal
06/06/2015 15:16:28  06/07/2015 15:16:28  krbtgt/MYCOMPANY.COM@MYCOMPANY.COM
    renew until 06/06/2015 15:16:28


9) Access the mounted directory.
[shabbir@server1 ~]$ cd /mnt
[shabbir@server1 ~]$ touch foo123

10) Destroy the ticket.
[shabbir@server1 ~]$ kdestroy
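As an added example (not part of the original post), the following bash script checks the outcome of the server steps (nfs principal in the keytab, 'sec=krb5' on every export) and of the client mount step. The keytab listing, exports file and /proc/mounts line it uses are constructed sample data embedded so the checks run offline.

```bash
#!/bin/bash
# Added example, not from the original post: offline sanity checks for the
# server and client steps above. The sample data below is constructed; on a
# real host feed in "$(klist -k)", "$(cat /etc/exports)" and "$(cat /proc/mounts)".

# Constructed `klist -k` output as seen on server3 after `ktadd`.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/server3.mycompany.com@MYCOMPANY.COM
   2 nfs/server3.mycompany.com@MYCOMPANY.COM'

# Constructed /etc/exports: one Kerberized export, one still on AUTH_SYS.
SAMPLE_EXPORTS='/home/shabbir   server1.mycompany.com(rw,sec=krb5)
/srv/data       server1.mycompany.com(rw)'

# Constructed /proc/mounts line as seen on server1 after the mount step.
SAMPLE_MOUNTS='server3.mycompany.com:/home/shabbir /mnt nfs4 rw,relatime,vers=4.0,sec=krb5,clientaddr=192.0.2.11,addr=192.0.2.13 0 0'

# keytab_has_nfs_principal KLIST_OUTPUT FQDN REALM -> 0 if nfs/FQDN@REALM is in the keytab
keytab_has_nfs_principal() {
  printf '%s\n' "$1" | grep -q "^[[:space:]]*[0-9][0-9]* nfs/$2@$3\$"
}

# exports_without_krb5 EXPORTS_TEXT -> prints each export path whose options
# lack sec=krb5 (krb5i/krb5p also contain that substring, so they pass).
exports_without_krb5() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    grep -v 'sec=krb5' | awk '{print $1}'
}

# mount_security_flavor MOUNTS_TEXT MOUNTPOINT -> prints the sec= flavor of the
# NFS mount at MOUNTPOINT ("sys" if the option is absent, "" if not mounted).
mount_security_flavor() {
  printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp && $3 ~ /^nfs/ {
    n = split($4, o, ","); f = "sys"
    for (i = 1; i <= n; i++) if (o[i] ~ /^sec=/) f = substr(o[i], 5)
    print f }'
}

keytab_has_nfs_principal "$SAMPLE_KLIST" server3.mycompany.com MYCOMPANY.COM &&
  echo "keytab: nfs/server3.mycompany.com@MYCOMPANY.COM present"
weak=$(exports_without_krb5 "$SAMPLE_EXPORTS")
[ -z "$weak" ] || echo "exports still accepting AUTH_SYS clients: $weak"
echo "/mnt security flavor: $(mount_security_flavor "$SAMPLE_MOUNTS" /mnt)"
```

An export reported by exports_without_krb5 still trusts the client's IP address and UIDs, which is exactly the weakness the sec=krb5 option removes.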


8 comments:

You didn't create the Kerberos database and are not starting kadmin and krb5kdc.service.