Category:I805 Authentication and Authorization: Difference between revisions

From ICO wiki
Jump to navigationJump to search
Lvosandi (talk | contribs)
No edit summary
Lphanvan (talk | contribs)
 
(36 intermediate revisions by 5 users not shown)
Line 1: Line 1:
=Authentication and Authorization=
=Authentication and Authorization=
Yubikey as PKI token howto: https://lauri.vosandi.com/2017/03/yubikey-for-ssh-auth.html
Yubikey as GPG token howto: https://lauri.vosandi.com/2017/03/yubikey-for-gpg.html


==General information==
==General information==
Line 24: Line 29:
https://echo360.e-ope.ee/ess/echo/presentation/54eb478c-f6ae-4629-b1e3-c43f5a2f6842?ec=true
https://echo360.e-ope.ee/ess/echo/presentation/54eb478c-f6ae-4629-b1e3-c43f5a2f6842?ec=true


==Biznisplan==
=Equipment=
 
Tasks, not necessarily all have to be covered. Pick the one you like the most:
 
* Play the red team: Kustas, Ender, Mikus
* Set up rocket.chat instead of IRC server: Meelis Hass
* Set up file synchronization with NextCloud:  Etienne
* Set up domain controller on hq Windows server: Mohanad/Madis
* Set up backup domain controller on rnd: Arti
* Reconfigure Gogs: <insert your name here>
* Reconfigure wiki: <insert your name here>
* Reconfigure mail server: Sheela
* Reconfigure webserver/MySQL: Joosep
* Set a blank smartcard as TLS client authentication token: Keijo?
* NFC card backups: Keijo
* OpenVPN with Estonian ID-card howto:  Ardi Vaba
* Set up OpenWrt wifi routers as access points with username/password authentication (like eduroam wireless network):  <insert your name here>
 
With Lauri/Belgin from Linux/Windows admin course:
 
* Set up domain controller /w MS AD/Samba:
* Set up fileserver with several shares: <insert your name>
* Use iMac and HP Probook at 412/411 for joining them to domain. Needs some network rewiring first, ask Lauri.
* Set up group policies, eg install software and configure VPN for HP Probook
 
With Viktor from Incident management course:
 
* Set up incident management software, configure to authenticate with  AD
 
ECTS: 4


Lecturers: Lauri Võsandi
* 3pcs Sun server in the college server room
* TP-Link WDR3600 wireless router routed to 172.16.*.*
* HP Probook dual-boot laptop
* iMac in 412, use admin/admin to log in with local account
* Robotics Club (wireless) network, routed to to 172.16.*.*
* 10pcs Yubikey Neo-s, currently posessed by Marvin, Madis Mägi, Artur O, Keijo


If you forget (local) Windows password use System Rescue CD to reset the password:
If you forget (local) Windows password use System Rescue CD to reset the password:
http://www.howtogeek.com/howto/windows-vista/change-your-forgotten-windows-password-with-the-linux-system-rescue-cd/
http://www.howtogeek.com/howto/windows-vista/change-your-forgotten-windows-password-with-the-linux-system-rescue-cd/


==Requirements==
=Requirements=


Every service should use accounts from Active Directory.
Every service should use accounts from Active Directory.
Line 78: Line 59:
Everybody should have a task, prepare a howto on the college wiki and have a topic for presentation:
Everybody should have a task, prepare a howto on the college wiki and have a topic for presentation:


* Mohanad - AD up and running, routing, howto for setting up Active Directory on Windows Server, creating accounts and groups
* Mohanad - AD up and running, routing, howto for setting up Active Directory on Windows Server; nagios accounts from AD, possibly with Kerberos SSO
* Etienne - NextCloud server set up, howto for configuring client/app
* Etienne - NextCloud server set up, howto for configuring client/app
* Taavi - Wiki accounts from AD, possibly using Kerberos SSO
* Taavi - Wiki accounts from AD, possibly using Kerberos SSO
Line 85: Line 66:
* Meelis - rocket.chat with accounts from AD via LDAP, possibly with Kerberos SSO, howto for configuring apps
* Meelis - rocket.chat with accounts from AD via LDAP, possibly with Kerberos SSO, howto for configuring apps
* Sheela - mailserver with accounts from AD via LDAP, with GSSAPI authentication, howto for configuring Thunderbird/Evolution
* Sheela - mailserver with accounts from AD via LDAP, with GSSAPI authentication, howto for configuring Thunderbird/Evolution
* Artur - mailserver with AD accounts via LDAP + e-mail encryption with GPG, howto for average users
* Ardi - OpenVPN with ID-card auth, isikukood from AD attribute, howto for configuring client
* Ardi - OpenVPN with ID-card auth, isikukood from AD attribute, howto for configuring client
* Marvin - secondary AD, routing, <insert topic of your interest>
* Marvin - secondary AD, routing, Samba backup DC?<insert topic of your interest>
* Arti - Samba as third DC, <insert topic of your interest>
* Arti - Samba as third DC, setting up fileserver on ZFS with SSD-s as journal/cache
* Kustas - pentest
* Kustas - pentest
* Ender - pentest
* Ender - pentest
* Mikus - pentest
* Mikus - pentest
* Artur - how are you going to pass the course?
* Keijo - how are you going to pass the course?
* Keijo - how are you going to pass the course?
* Anton - how are you going to pass the course?
* Anton - how are you going to pass the course?
* Tarvo - how are you going to pass the course?
* Tarvo - JIRA with accounts from AD via LDAP
* Ats - how are you going to pass the course?
* Ats - how are you going to pass the course?
* Nazmul - how are you going to pass the course?
* Nazmul - how are you going to pass the course?


=Presentations=
Presentation of up to 45min should cover what you did in order to get the service running in the desired state, what problems you had, how others can use your service and what can be done to improve the setup.
This should be more or less in logical order:
* 28. feb - Mohanad, Etienne
* 7. mar - Taavi, Madis, Artur
* 14. mar - backup slot
* 21. mar - Joosep, Meelis
* 5. apr - Sheela, Ardi
* 12. apr - backup slot
* 19. apr - Marvin, Arti
* 26. apr - Kustas & Ender


=Milestones=
=Milestones=
Line 129: Line 124:
Deadline 21. Feb
Deadline 21. Feb


Following services are using credentials from AD
Some services are using accounts from AD
 
* NextCloud - Etienne
* rocket.chat - Meelis
* nagios - Mohanad
* wiki - Taavi
* mailserver - Sheela


==Milestone 3==
==Milestone 3==
Line 141: Line 130:
Deadline 28. Feb
Deadline 28. Feb


Service owner has client application configured and knows how to configure them:
Service owner has client application configured and knows how to configure them
 
* NextCloud - app on smartphone, SPNEGO with web browser
* rocket.chat - app on smartphone, SPNEGO with web browser
* nagios - SPNEGO with web browser
* wiki - SPNEGO with web browser
* mailserver - Evolution or Thunderbird with SMTP/IMAP+GSSAPI


==Milestone 4==
==Milestone 4==


Deadline 7. Feb
Deadline 7. Mar


Manual page created on internal wiki for configuring the client application(s).
Preliminary manual page created on college wiki for configuring the client application(s).
Other students are using your service.
Other students are using your service.
==Milestone 5==
Keep services up and running, respond to incidents until 5th of June.
Server teardown on 5th of May. Wipe harddisks.
Everybody who has completed howto, presented their topic, co-operated with other students and not left all the responsibilities to the last minute will get a passing grade. Slackers have an opportunity to do a (hard) quiz about the topics presented to get a passing grade.
=Passing the course=
==Option A: Get busy early==
Get following done by the end of April:
* Present what you did in the lecture 45min max
* Make the necessary modifications, eg admin groups for nextcloud, wiki, gogs, jira; remove service accounts from domain users/admins group
* Submit your presentation by uploading it to Presentations folder shared at https://nextcloud.biz.wut.ee/
* Publish howto for setting up your service on internal wiki at https://wiki.biz.wut.ee/index.php/Main_Page
* Help others to make use of your service
* Publish howto for end users on internal wiki: https://wiki.biz.wut.ee/index.php/Main_Page
* Help fellow students to make use of your service
* Make use of others' services (!!!), report issues to service administrator
* Send Lauri an encrypted e-mail, howto coming up soon
Keep services up and running, respond to incidents until 12th of May.
Server teardown and '''hard deadline''' 12th of May:
Who hasn't done bullet points, including sending encrypted e-mail shall not pass!
==Option B: Quiz==
If you haven't done anything but you still want to pass please inform me early enough
so I can prepare exam questions here and we can have exam in June:
* What are the benefits of using hardware authentication token such as Yubikey
* What is two factor authentication
* In LDAP jargon what is common name, distinguished name, base DN?
* What are benefits provided by Kerberos protocol
* What software suites implement Kerberos?
* TLS protocol combines which crypto primitives? What are some properties of a TLS tunnel?
* More questions coming up later
== RED TEAM ==
Ender Phan: https://docs.google.com/presentation/d/1rH05bvqkaWYXeNwkC8XC5_UGRg2iUFltAodPaWRCIJc/edit?usp=sharing

Latest revision as of 12:06, 3 May 2017

Authentication and Authorization

Yubikey as PKI token howto: https://lauri.vosandi.com/2017/03/yubikey-for-ssh-auth.html

Yubikey as GPG token howto: https://lauri.vosandi.com/2017/03/yubikey-for-gpg.html


General information

In this course we continue where we left off with Firewalls and VPN/IPsec course.

Relevant topics for research and implementation in the lab. Lectures coming up for most of the topics:

  • File based password stores eg. /etc/shadow, .htaccess
  • Signing and encrypting e-mail using GPG
  • Active Directory protocols: LM, NTLM, Kerberos, GSSAPI, SPNEGO, LDAP
  • More TLS and client side authentication in particular
  • Filesystem permissions: access control lists, selinux, apparmor
  • RADIUS
  • Multi-factor authentication: smartcards, Yubikey, Mobile-ID, etc
  • Contactless cards
  • On the web: Cookies, OAuth, OpenID, iPizza,

Intro slides & video recording:

https://docs.google.com/presentation/d/1NzY8AspqZwrYxoJ3Qi-pBWsMDdiIUeA4lgZnwZGTMVg/edit?usp=sharing

https://echo360.e-ope.ee/ess/echo/presentation/54eb478c-f6ae-4629-b1e3-c43f5a2f6842?ec=true

Equipment

  • 3pcs Sun server in the college server room
  • TP-Link WDR3600 wireless router routed to 172.16.*.*
  • HP Probook dual-boot laptop
  • iMac in 412, use admin/admin to log in with local account
  • Robotics Club (wireless) network, routed to to 172.16.*.*
  • 10pcs Yubikey Neo-s, currently posessed by Marvin, Madis Mägi, Artur O, Keijo

If you forget (local) Windows password use System Rescue CD to reset the password: http://www.howtogeek.com/howto/windows-vista/change-your-forgotten-windows-password-with-the-linux-system-rescue-cd/

Requirements

Every service should use accounts from Active Directory. To achieve that try to use LDAP protocol first. Via LDAP you can retreieve the data about accounts. If the service machine is not joined to domain create a service account in AD to access LDAP interface first. It really depends on the software how you need to configure it.

For fileserver/SSH/FTP/mail server first join to domain using winbind: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto#Join_AD_domain For NextCloud, rocket.chat, OwnCloud and most web services configure LDAP plugin to retrieve accounts from AD and LDAP bind authentication.


Responsibilities

Everybody should have a task, prepare a howto on the college wiki and have a topic for presentation:

  • Mohanad - AD up and running, routing, howto for setting up Active Directory on Windows Server; nagios accounts from AD, possibly with Kerberos SSO
  • Etienne - NextCloud server set up, howto for configuring client/app
  • Taavi - Wiki accounts from AD, possibly using Kerberos SSO
  • Madis Lugus - Gogs accounts from AD, possibly using Kerberos SSO and also SSH public keys from AD
  • Joosep - enos.itcollege.ee clone, web server and MySQL with accoutns from AD
  • Meelis - rocket.chat with accounts from AD via LDAP, possibly with Kerberos SSO, howto for configuring apps
  • Sheela - mailserver with accounts from AD via LDAP, with GSSAPI authentication, howto for configuring Thunderbird/Evolution
  • Artur - mailserver with AD accounts via LDAP + e-mail encryption with GPG, howto for average users
  • Ardi - OpenVPN with ID-card auth, isikukood from AD attribute, howto for configuring client
  • Marvin - secondary AD, routing, Samba backup DC?<insert topic of your interest>
  • Arti - Samba as third DC, setting up fileserver on ZFS with SSD-s as journal/cache
  • Kustas - pentest
  • Ender - pentest
  • Mikus - pentest
  • Keijo - how are you going to pass the course?
  • Anton - how are you going to pass the course?
  • Tarvo - JIRA with accounts from AD via LDAP
  • Ats - how are you going to pass the course?
  • Nazmul - how are you going to pass the course?

Presentations

Presentation of up to 45min should cover what you did in order to get the service running in the desired state, what problems you had, how others can use your service and what can be done to improve the setup.

This should be more or less in logical order:

  • 28. feb - Mohanad, Etienne
  • 7. mar - Taavi, Madis, Artur
  • 14. mar - backup slot
  • 21. mar - Joosep, Meelis
  • 5. apr - Sheela, Ardi
  • 12. apr - backup slot
  • 19. apr - Marvin, Arti
  • 26. apr - Kustas & Ender

Milestones

This is just to keep activities in sync

Milestone 1

Domain controller is working. In the internal network and over VPN connection blah.office.lan DNS requests work as expected.

On a Linux box command line users can authenticate with kerberos client utils:

 kinit username@OFFICE.LAN

On a Linux box command line users can fetch stuff via LDAP:

ldapsearch -b dc=office,dc=lan  -H ldap://dc-hq.office.lan -D lauri@office.lan -W

Also authenitcation with Kerberos should work:

ldapsearch -b dc=office,dc=lan  -H ldap://dc-hq.office.lan -Y GSSAPI

To make life easier configure /etc/ldap/ldap.conf, if properly configured short commands work:

ldapsearch


Milestone 2

Deadline 21. Feb

Some services are using accounts from AD

Milestone 3

Deadline 28. Feb

Service owner has client application configured and knows how to configure them

Milestone 4

Deadline 7. Mar

Preliminary manual page created on college wiki for configuring the client application(s). Other students are using your service.

Milestone 5

Keep services up and running, respond to incidents until 5th of June. Server teardown on 5th of May. Wipe harddisks.

Everybody who has completed howto, presented their topic, co-operated with other students and not left all the responsibilities to the last minute will get a passing grade. Slackers have an opportunity to do a (hard) quiz about the topics presented to get a passing grade.


Passing the course

Option A: Get busy early

Get following done by the end of April:

  • Present what you did in the lecture 45min max
  • Make the necessary modifications, eg admin groups for nextcloud, wiki, gogs, jira; remove service accounts from domain users/admins group
  • Submit your presentation by uploading it to Presentations folder shared at https://nextcloud.biz.wut.ee/
  • Publish howto for setting up your service on internal wiki at https://wiki.biz.wut.ee/index.php/Main_Page
  • Help others to make use of your service
  • Publish howto for end users on internal wiki: https://wiki.biz.wut.ee/index.php/Main_Page
  • Help fellow students to make use of your service
  • Make use of others' services (!!!), report issues to service administrator
  • Send Lauri an encrypted e-mail, howto coming up soon

Keep services up and running, respond to incidents until 12th of May. Server teardown and hard deadline 12th of May: Who hasn't done bullet points, including sending encrypted e-mail shall not pass!

Option B: Quiz

If you haven't done anything but you still want to pass please inform me early enough so I can prepare exam questions here and we can have exam in June:

  • What are the benefits of using hardware authentication token such as Yubikey
  • What is two factor authentication
  • In LDAP jargon what is common name, distinguished name, base DN?
  • What are benefits provided by Kerberos protocol
  • What software suites implement Kerberos?
  • TLS protocol combines which crypto primitives? What are some properties of a TLS tunnel?
  • More questions coming up later

RED TEAM

Ender Phan: https://docs.google.com/presentation/d/1rH05bvqkaWYXeNwkC8XC5_UGRg2iUFltAodPaWRCIJc/edit?usp=sharing

Pages in category "I805 Authentication and Authorization"

This category contains only the following page.