Category:I805 Authentication and Authorization
Authentication and Authorization
In this course we continue where we left off with Firewalls and VPN/IPsec course.
Relevant topics for research and implementation in the lab. Lectures coming up for most of the topics:
- File based password stores eg. /etc/shadow, .htaccess
- Signing and encrypting e-mail using GPG
- Active Directory protocols: LM, NTLM, Kerberos, GSSAPI, SPNEGO, LDAP
- More TLS and client side authentication in particular
- Filesystem permissions: access control lists, selinux, apparmor
- Multi-factor authentication: smartcards, Yubikey, Mobile-ID, etc
- Contactless cards
- On the web: Cookies, OAuth, OpenID, iPizza,
Intro slides & video recording:
- 3pcs Sun server in the college server room
- TP-Link WDR3600 wireless router routed to 172.16.*.*
- HP Probook dual-boot laptop
- iMac in 412, use admin/admin to log in with local account
- Robotics Club (wireless) network, routed to to 172.16.*.*
- 10pcs Yubikey Neo-s, currently posessed by Marvin, Madis Mägi, Artur O, Keijo
If you forget (local) Windows password use System Rescue CD to reset the password: http://www.howtogeek.com/howto/windows-vista/change-your-forgotten-windows-password-with-the-linux-system-rescue-cd/
Every service should use accounts from Active Directory. To achieve that try to use LDAP protocol first. Via LDAP you can retreieve the data about accounts. If the service machine is not joined to domain create a service account in AD to access LDAP interface first. It really depends on the software how you need to configure it.
For fileserver/SSH/FTP/mail server first join to domain using winbind: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto#Join_AD_domain For NextCloud, rocket.chat, OwnCloud and most web services configure LDAP plugin to retrieve accounts from AD and LDAP bind authentication.
Everybody should have a task, prepare a howto on the college wiki and have a topic for presentation:
- Mohanad - AD up and running, routing, howto for setting up Active Directory on Windows Server; nagios accounts from AD, possibly with Kerberos SSO
- Etienne - NextCloud server set up, howto for configuring client/app
- Taavi - Wiki accounts from AD, possibly using Kerberos SSO
- Madis Lugus - Gogs accounts from AD, possibly using Kerberos SSO and also SSH public keys from AD
- Joosep - enos.itcollege.ee clone, web server and MySQL with accoutns from AD
- Meelis - rocket.chat with accounts from AD via LDAP, possibly with Kerberos SSO, howto for configuring apps
- Sheela - mailserver with accounts from AD via LDAP, with GSSAPI authentication, howto for configuring Thunderbird/Evolution
- Artur - mailserver with AD accounts via LDAP + e-mail encryption with GPG, howto for average users
- Ardi - OpenVPN with ID-card auth, isikukood from AD attribute, howto for configuring client
- Marvin - secondary AD, routing, Samba backup DC?<insert topic of your interest>
- Arti - Samba as third DC, setting up fileserver on ZFS with SSD-s as journal/cache
- Kustas - pentest
- Ender - pentest
- Mikus - pentest
- Keijo - how are you going to pass the course?
- Anton - how are you going to pass the course?
- Tarvo - OpenVPN authentication using Estonian ID-card(s)
- Ats - how are you going to pass the course?
- Nazmul - how are you going to pass the course?
Presentation of up to 45min should cover what you did in order to get the service running in the desired state, what problems you had, how others can use your service and what can be done to improve the setup.
This should be more or less in logical order:
- 28. feb - Mohanad, Etienne
- 7. mar - Taavi, Madis, Artur
- 14. mar - backup slot
- 21. mar - Joosep, Meelis
- 5. apr - Sheela, Ardi
- 12. apr - backup slot
- 19. apr - Marvin, Arti
- 26. apr - Kustas & Ender
This is just to keep activities in sync
Domain controller is working. In the internal network and over VPN connection blah.office.lan DNS requests work as expected.
On a Linux box command line users can authenticate with kerberos client utils:
On a Linux box command line users can fetch stuff via LDAP:
ldapsearch -b dc=office,dc=lan -H ldap://dc-hq.office.lan -D firstname.lastname@example.org -W
Also authenitcation with Kerberos should work:
ldapsearch -b dc=office,dc=lan -H ldap://dc-hq.office.lan -Y GSSAPI
To make life easier configure /etc/ldap/ldap.conf, if properly configured short commands work:
Deadline 21. Feb
Some services are using accounts from AD
Deadline 28. Feb
Service owner has client application configured and knows how to configure them
Deadline 7. Mar
Preliminary manual page created on college wiki for configuring the client application(s). Other students are using your service.
Keep services up and running, respond to incidents until 5th of June. Server teardown on 5th of May. Wipe harddisks.
Everybody who has completed howto, presented their topic, co-operated with other students and not left all the responsibilities to the last minute will get a passing grade. Slackers have an opportunity to do a (hard) quiz about the topics presented to get a passing grade.
Pages in category "I805 Authentication and Authorization"
This category contains only the following page.