I have an OpenSSH 5.9p1 server running on Ubuntu Precise 12.04 which accepts connections from both the internal network and the Internet. I'd like to require public key authentication for connections from the Internet, but accept either public key or password authentication for connections from the internal network. Can I configure OpenSSH to implement this?
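One way to express the split policy asked about above, added here as an example rather than the poster's own configuration: the global settings allow only public keys, and a trailing `Match Address` block re-enables `PasswordAuthentication` for internal sources only. The internal prefixes are placeholders (an assumption), and the small model function only mirrors how sshd applies a Match block over the global value.

```python
"""Added example (not part of the question): render an sshd_config fragment
that makes public-key authentication the only option by default and allows
password authentication only for clients on internal networks, plus a small
model of which setting sshd will apply to a given client address.

Assumptions: the internal prefixes below are placeholders for the real LAN
ranges; the model reproduces sshd's rule that a Match block overrides the
global value for the clients it matches, and Match blocks sit at the end of
the file.
"""
import ipaddress

# Placeholder internal ranges (assumption); replace with the real LAN prefixes.
INTERNAL_NETS = ["10.0.0.0/8", "192.168.0.0/16"]


def render_sshd_config(internal_nets=INTERNAL_NETS):
    """Global defaults deny passwords for everyone (Internet included);
    the trailing Match block re-enables them for internal sources only.
    ChallengeResponseAuthentication is disabled globally as well, because
    PAM's keyboard-interactive method would otherwise still prompt for a
    password even with PasswordAuthentication off."""
    lines = [
        "PubkeyAuthentication yes",
        "PasswordAuthentication no",
        "ChallengeResponseAuthentication no",
        "",
        # Match blocks must come after all global settings.
        "Match Address " + ",".join(internal_nets),
        "    PasswordAuthentication yes",
    ]
    return "\n".join(lines) + "\n"


def password_auth_allowed(client_ip, internal_nets=INTERNAL_NETS):
    """Mirror how sshd evaluates the fragment above: the global
    'PasswordAuthentication no' applies unless the client address falls
    inside one of the Match Address networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False)
               for net in internal_nets)


if __name__ == "__main__":
    print(render_sshd_config())
    for addr in ("10.1.2.3", "203.0.113.5"):
        print(addr, "password auth allowed:", password_auth_allowed(addr))
```

Append the rendered fragment to `/etc/ssh/sshd_config`, check it with `sshd -t` before reloading, and keep in mind that the decision is made on the source address sshd sees: a client that arrives through a NAT gateway or reverse proxy on the internal range is treated as internal.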
mgorven's questions
I'd like to remove the `rhgb` and `quiet` kernel parameters which are used by default when the kernel is booted in CentOS 6, but I want this to apply to all currently installed kernels as well as any kernels installed in the future. I need to do this from a script, so manually editing files isn't an option and any file changes should be done as cleanly as possible.

In Debian/Ubuntu I would change `GRUB_CMDLINE_LINUX_DEFAULT` in `/etc/default/grub` and then run `update-grub`. I can't find such a setting in `/etc/sysconfig/grub` or `/etc/sysconfig/kernel` however, nor is there an `update-grub` script.
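As an added example (not the poster's script), the following edits the GRUB legacy `grub.conf` that CentOS 6 boots from, dropping `rhgb` and `quiet` from every `kernel` line while leaving the rest of the file byte-for-byte intact, and replaces the file atomically. The path `/boot/grub/grub.conf` and the sample configuration are assumptions constructed for the example.

```python
"""Added example (not the poster's script): remove selected parameters from
every 'kernel' line of a GRUB legacy grub.conf, the format CentOS 6 uses,
without touching anything else in the file. The rewrite goes through a
temporary file and an atomic rename so a half-written grub.conf is never
left behind.

Assumptions: the path /boot/grub/grub.conf and the sample configuration
below are constructed for the example.
"""
import os
import tempfile

GRUB_CONF = "/boot/grub/grub.conf"          # assumed path
REMOVE_ARGS = frozenset({"rhgb", "quiet"})


def strip_kernel_args(conf_text, remove=REMOVE_ARGS):
    """Return conf_text with the given parameters dropped from each
    'kernel' line. Indentation, the image path and all other parameters
    (root=, rd_LVM_LV=, ...) are preserved; the function is idempotent."""
    out = []
    for line in conf_text.splitlines():
        body = line.lstrip()
        if body.startswith("kernel ") or body.startswith("kernel\t"):
            indent = line[: len(line) - len(body)]
            tokens = body.split()
            # tokens[0] is the 'kernel' keyword, tokens[1] the image path,
            # everything after that is the kernel command line.
            kept = [t for t in tokens[2:] if t not in remove]
            line = indent + " ".join(tokens[:2] + kept)
        out.append(line)
    text = "\n".join(out)
    if conf_text.endswith("\n"):
        text += "\n"
    return text


def rewrite_grub_conf(path=GRUB_CONF, remove=REMOVE_ARGS):
    """Apply strip_kernel_args to the file in place, atomically.
    Returns True if the file was changed."""
    with open(path) as fh:
        original = fh.read()
    updated = strip_kernel_args(original, remove)
    if updated == original:
        return False
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".grub.conf.")
    with os.fdopen(fd, "w") as fh:
        fh.write(updated)
    os.chmod(tmp, st.st_mode & 0o7777)   # keep the original permissions
    os.replace(tmp, path)                # atomic swap on the same filesystem
    return True


# Constructed sample in grub.conf syntax, not copied from a real system.
SAMPLE_CONF = """\
default=0
timeout=5
hiddenmenu
title CentOS (2.6.32-220.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-220.el6.x86_64 ro root=/dev/mapper/vg-root rd_LVM_LV=vg/root LANG=en_US.UTF-8 rhgb quiet
        initrd /initramfs-2.6.32-220.el6.x86_64.img
"""

if __name__ == "__main__":
    print(strip_kernel_args(SAMPLE_CONF))
```

The distribution's own tool does the same job without a custom parser: `grubby --update-kernel=ALL --remove-args="rhgb quiet"` edits every entry in place. Future kernels are covered either way, because the kernel package's `new-kernel-pkg` builds a new entry by copying the arguments of the current default entry, so once the parameters are gone from that entry they are not reintroduced.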
I have WPA2 802.11x EAP authentication setup using FreeRADIUS 2.1.8 on Ubuntu 10.04.4 talking to OpenLDAP, and can successfully authenticate using PEAP/MSCHAPv2, TTLS/MSCHAPv2 and TTLS/PAP (both via the AP and using eapol_test). I am now trying to restrict access to specific SSIDs based on the LDAP groups which the user belongs to.
I have configured group membership checking in `/etc/freeradius/modules/ldap` like so:

```
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=posixGroup)(memberUid=%{User-Name}))(&(objectClass=posixGroup)(uniquemember=%{User-Name})))"
```

and I have configured extraction of the SSID from Called-Station-Id into Called-Station-SSID based on the Mac Auth wiki page. In `/etc/freeradius/eap.conf` I have enabled copying attributes from the outer tunnel into the inner tunnel, and usage of the inner tunnel response in the outer tunnel (for both PEAP and TTLS). I had the same behaviour before changing these options however.

```
copy_request_to_tunnel = yes
use_tunneled_reply = yes
```
I'm running `eapol_test` like this to test the setup:

```
eapol_test -c peap-mschapv2.conf -a 172.16.0.16 -s testing123 -N 30:s:01-23-45-67-89-01:Example-EAP
```

with the following `peap-mschapv2.conf` file:

```
network={
    ssid="Example-EAP"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="mgorven"
    anonymous_identity="anonymous"
    password="foobar"
    phase2="autheap=MSCHAPV2"
}
```
With the following in `/etc/freeradius/users`:

```
DEFAULT Ldap-Group == "employees"
```

and running `freeradius -Xx`, I can see that the LDAP group retrieval works, and that the SSID is extracted.

```
Debug: [ldap] performing search in dc=example,dc=com, with filter (&(cn=employees)(|(&(objectClass=posixGroup)(memberUid=mgorven))(&(objectClass=posixGroup)(uniquemember=mgorven))))
Debug: rlm_ldap::ldap_groupcmp: User found in group employees
...
Info: expand: %{7} -> Example-EAP
```
Next I try to only allow access to users in the `employees` group (regardless of SSID), so I put the following in `/etc/freeradius/users`:

```
DEFAULT Ldap-Group == "employees"
DEFAULT Auth-Type := Reject
```

But this immediately rejects the Access-Request in the outer tunnel because the `anonymous` user is not in the `employees` group. So I modify it to only match inner tunnel requests like so:

```
DEFAULT Ldap-Group == "employees"
DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1"
        Auth-Type := Reject, Reply-Message = "User does not belong to any groups which may access this SSID."
```
Now users who are in the `employees` group are authenticated, but so are users who are not in the `employees` group. I see the reject entry being matched, and the Reply-Message is set, but the client receives an Access-Accept.

```
Debug: rlm_ldap::ldap_groupcmp: Group employees not found or user is not a member.
Info: [files] users: Matched entry DEFAULT at line 209
Info: ++[files] returns ok
...
Auth: Login OK: [mgorven] (from client test port 0 cli 02-00-00-00-00-01 via TLS tunnel)
Info: WARNING: Empty section. Using default return values.
...
Info: [peap] Got tunneled reply code 2
        Auth-Type := Reject
        Reply-Message = "User does not belong to any groups which may access this SSID."
...
Info: [peap] Got tunneled reply RADIUS code 2
        Auth-Type := Reject
        Reply-Message = "User does not belong to any groups which may access this SSID."
...
Info: [peap] Tunneled authentication was successful.
Info: [peap] SUCCESS
Info: [peap] Saving tunneled attributes for later
...
Sending Access-Accept of id 11 to 172.16.2.44 port 60746
        Reply-Message = "User does not belong to any groups which may access this SSID."
        User-Name = "mgorven"
```

and `eapol_test` reports:

```
RADIUS message: code=2 (Access-Accept) identifier=11 length=233
   Attribute 18 (Reply-Message) length=64
      Value: 'User does not belong to any groups which may access this SSID.'
   Attribute 1 (User-Name) length=9
      Value: 'mgorven'
...
SUCCESS
```
Why isn't the request being rejected, and is this the right way to implement this?
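A mechanical check for the situation the debug output above shows, added here as an example and not part of the question: it walks `freeradius -X` output, records the code of the tunneled (inner) reply, notes whether `Auth-Type := Reject` appears among that reply's attributes, and compares with the code of the packet finally sent to the NAS. The log excerpt is constructed from the lines quoted above; the regular expressions are assumptions fitted to the 2.x debug format shown there.

```python
"""Added example (not from the question): a small checker for freeradius -X
output that reports the code of the tunneled (inner) reply, whether that
reply carried Auth-Type := Reject as a *reply* attribute, and the code of
the Access packet finally sent to the NAS, so that the mismatch shown in
the question (reject requested inside, Access-Accept outside) is flagged
mechanically.

Assumptions: the log excerpt below is constructed from the lines quoted in
the question; the regular expressions match the 2.x debug format shown
there.
"""
import re

# Constructed excerpt in the same shape as the question's freeradius -X output.
SAMPLE_LOG = """\
Debug: rlm_ldap::ldap_groupcmp: Group employees not found or user is not a member.
Info: [files] users: Matched entry DEFAULT at line 209
Info: ++[files] returns ok
Auth: Login OK: [mgorven] (from client test port 0 cli 02-00-00-00-00-01 via TLS tunnel)
Info: [peap] Got tunneled reply code 2
        Auth-Type := Reject
        Reply-Message = "User does not belong to any groups which may access this SSID."
Info: [peap] Tunneled authentication was successful.
Info: [peap] SUCCESS
Sending Access-Accept of id 11 to 172.16.2.44 port 60746
        Reply-Message = "User does not belong to any groups which may access this SSID."
        User-Name = "mgorven"
"""

TUNNELED_RE = re.compile(r"Got tunneled reply (?:RADIUS )?code (\d+)")
OUTER_RE = re.compile(r"^Sending (Access-\w+) of id (\d+)")
AUTH_TYPE_REJECT_RE = re.compile(r"^\s+Auth-Type\s*:?=\s*Reject\b")


def check_eap_outcome(log_text):
    """Walk the debug output once and summarise inner vs. outer results."""
    result = {"tunneled_code": None, "reject_in_reply": False,
              "outer_code": None, "outer_id": None}
    in_tunneled_reply = False
    for line in log_text.splitlines():
        m = TUNNELED_RE.search(line)
        if m:
            result["tunneled_code"] = int(m.group(1))
            in_tunneled_reply = True
            continue
        if in_tunneled_reply:
            # Attribute lines of the tunneled reply are indented; the block
            # ends at the first non-indented line.
            if line.startswith((" ", "\t")):
                if AUTH_TYPE_REJECT_RE.match(line):
                    result["reject_in_reply"] = True
                continue
            in_tunneled_reply = False
        m = OUTER_RE.match(line)
        if m:
            result["outer_code"] = m.group(1)
            result["outer_id"] = int(m.group(2))
    # RADIUS code 2 is Access-Accept, code 3 is Access-Reject: a reject
    # requested in the inner reply but an Accept sent outside is the
    # inconsistency worth alerting on.
    result["inconsistent"] = (result["reject_in_reply"]
                              and result["outer_code"] == "Access-Accept")
    return result


if __name__ == "__main__":
    print(check_eap_outcome(SAMPLE_LOG))
```

The tell in the debug output is that `Auth-Type := Reject` is listed among the attributes of the tunneled reply rather than acting on the inner request: the inner tunnel still answers with code 2, so PEAP reports success and the outer server sends an Access-Accept that merely carries the Reply-Message along. In the `users` file, items on an entry's first line are check items and the indented continuation lines are reply items, so an `Auth-Type` placed on the indented line is treated as a reply attribute, which is what the listing shows.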
I have a 500GiB ext4 filesystem on top of LUKS on top of an LVM LV. I want to resize the LV to 100GiB. I know how to resize ext4 on top of an LVM LV, but how do I deal with the LUKS volume?
```
mgorven@moab:~% sudo lvdisplay /dev/moab/backup
  --- Logical volume ---
  LV Name                /dev/moab/backup
  VG Name                moab
  LV UUID                nQ3z1J-Pemd-uTEB-fazN-yEux-nOxP-QQair5
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                500.00 GiB
  Current LE             128000
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     2048
  Block device           252:3

mgorven@moab:~% sudo cryptsetup status backup
/dev/mapper/backup is active and is in use.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/mapper/moab-backup
  offset:  3072 sectors
  size:    1048572928 sectors
  mode:    read/write

mgorven@moab:~% sudo tune2fs -l /dev/mapper/backup
tune2fs 1.42 (29-Nov-2011)
Filesystem volume name:   backup
Last mounted on:          /srv/backup
Filesystem UUID:          63877e0e-0549-4c73-8535-b7a81eb363ed
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
Filesystem flags:         signed_directory_hash
Default mount options:    (none)
Filesystem state:         clean with errors
Errors behavior:          Continue
Filesystem OS type:       Linux
Inode count:              32768000
Block count:              131071616
Reserved block count:     0
Free blocks:              112894078
Free inodes:              32044830
First block:              0
Block size:               4096
Fragment size:            4096
Reserved GDT blocks:      992
Blocks per group:         32768
Fragments per group:      32768
Inodes per group:         8192
Inode blocks per group:   512
RAID stride:              128
RAID stripe width:        128
Flex block group size:    16
Filesystem created:       Sun Mar 11 19:24:53 2012
Last mount time:          Sat May 19 13:29:27 2012
Last write time:          Fri Jun  1 11:07:22 2012
Mount count:              0
Maximum mount count:      100
Last checked:             Fri Jun  1 11:03:50 2012
Check interval:           31104000 (12 months)
Next check after:         Mon May 27 11:03:50 2013
Lifetime writes:          118 GB
Reserved blocks uid:      0 (user root)
Reserved blocks gid:      0 (group root)
First inode:              11
Inode size:               256
Required extra isize:     28
Desired extra isize:      28
Journal inode:            8
Default directory hash:   half_md4
Directory Hash Seed:      383bcbc5-fde9-4720-b98e-2d6224713ecf
Journal backup:           inode blocks
```
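The size arithmetic for shrinking the three layers, as an added example rather than the poster's procedure: it takes the figures printed above (500 GiB LV, 3072-sector LUKS offset, 1048572928-sector payload, 4096-byte blocks, block and free-block counts), checks they agree with each other, derives the target size at each layer for 100 GiB, verifies the data fits, and emits the commands in top-down order: filesystem first, then the dm-crypt mapping, then the LV. The device names are the question's; the reliance on LUKS1 keeping no payload size in its header (so `cryptsetup resize` only changes the mapping) is stated as an assumption in the code.

```python
"""Added example (not the poster's procedure): compute the sizes needed to
shrink an ext4 filesystem that sits inside a LUKS1 container on an LVM
logical volume, and emit the commands in the order the layers must be
shrunk (filesystem, then the dm-crypt mapping, then the LV).

Assumptions: the figures are the ones shown by lvdisplay, cryptsetup status
and tune2fs in the question; the device names /dev/moab/backup and
/dev/mapper/backup and the mount point /srv/backup are the question's.
A LUKS1 header stores no payload size, so 'cryptsetup resize' only changes
the size of the active mapping and nothing in the header.
"""
SECTOR = 512
GIB = 1024 ** 3

# Values reported on the question's system.
LV_SECTORS = 500 * GIB // SECTOR           # lvdisplay: LV Size 500.00 GiB
LUKS_OFFSET_SECTORS = 3072                 # cryptsetup status: offset
LUKS_PAYLOAD_SECTORS = 1048572928          # cryptsetup status: size
FS_BLOCK_SIZE = 4096                       # tune2fs: Block size
FS_BLOCK_COUNT = 131071616                 # tune2fs: Block count
FS_FREE_BLOCKS = 112894078                 # tune2fs: Free blocks


def plan_shrink(target_gib, lv_sectors=LV_SECTORS, offset=LUKS_OFFSET_SECTORS,
                payload_sectors=LUKS_PAYLOAD_SECTORS, block_size=FS_BLOCK_SIZE,
                block_count=FS_BLOCK_COUNT, free_blocks=FS_FREE_BLOCKS,
                lv="/dev/moab/backup", mapping="backup", mountpoint="/srv/backup"):
    """Return the target size at each layer and the ordered commands."""
    # Sanity check: the LUKS payload must be the LV minus the header offset.
    if lv_sectors - offset != payload_sectors:
        raise ValueError("LUKS payload size does not equal LV size minus offset")
    target_lv_sectors = target_gib * GIB // SECTOR
    target_payload_sectors = target_lv_sectors - offset
    # The filesystem may not exceed the payload; round down to whole blocks.
    target_fs_blocks = target_payload_sectors * SECTOR // block_size
    used_blocks = block_count - free_blocks
    if used_blocks > target_fs_blocks:
        raise ValueError("filesystem uses %d blocks but the target holds only %d"
                         % (used_blocks, target_fs_blocks))
    commands = [
        "umount %s" % mountpoint,
        "e2fsck -f /dev/mapper/%s" % mapping,          # required by resize2fs
        "resize2fs /dev/mapper/%s %d" % (mapping, target_fs_blocks),  # size in fs blocks
        "cryptsetup resize --size %d %s" % (target_payload_sectors, mapping),
        "lvreduce -L %dG %s" % (target_gib, lv),       # LVM's G is GiB
        "e2fsck -f /dev/mapper/%s" % mapping,          # confirm nothing was cut off
    ]
    return {
        "target_lv_sectors": target_lv_sectors,
        "target_payload_sectors": target_payload_sectors,
        "target_fs_blocks": target_fs_blocks,
        "used_blocks": used_blocks,
        "commands": commands,
    }


if __name__ == "__main__":
    plan = plan_shrink(100)
    for key in ("target_lv_sectors", "target_payload_sectors",
                "target_fs_blocks", "used_blocks"):
        print("%-24s %d" % (key, plan[key]))
    print("\n".join(plan["commands"]))
```

Two things worth reading off the output above before running anything: the filesystem state is reported as `clean with errors`, so the first `e2fsck -f` has to come back clean before shrinking, and the order matters because each lower layer may only be reduced once everything above it already fits inside the new size.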