Final project report for "KDC software and configuration update" (348)

Project Description

Update kerberos software and configuration on the INF.ED.AC.UK (and FRIEND.INF.ED.AC.UK) KDC master and slaves. We run the version of krb5 that is shipped with Scientific Linux. This is somewhat out of date and has, in the past, resulted in unexpected version changes. We would like to use the krb5 packages built by IS, both to provide a newer version and give us complete control over what we run. Our configuration has also lagged along with the software versions. In particular, it would be nice to deploy incremental replication to the slaves, but this would be advisable only with newer versions. We should also add more modern encryption types to our KDC configuration. We will probably upgrade FRIEND.INF.ED.AC.UK first, and use our experience from that for INF.ED.AC.UK.

Project page

Project updates

Work Done

Hardware upgrades to site slaves

This wasn't part of the original project specification, but it fitted in with KDC work. All three site slaves were replaced with new hardware - Dell PowerEdge R220s.

Software upgrade

We had previously run the version of kerberos provided with Scientific Linux. This was less than ideal as it meant we had no control over upgrades (on one occasion the upstream version jumped from 1.x to 1.x+1). IS produce kerberos RPMs for EASE, so it made sense to take advantage of this. We upgraded to the latest IS 1.13 package for INF and FRIEND KDCs.

Encryption types

We updated our INF and FRIEND KDC configuration to support more modern encryption types. These changes take effect for any existing principals when the password is changed, or a new keytab is generated.

Incremental propagation

All our KDC slaves (INF and FRIEND) had previously been kept up to date with the master via an hourly replication process (which essentially consisted of replacing the database on the slaves with a full dump from the master). This was originally the only method available. Beginning with krb5-1.7 (and becoming more reliable with krb5-1.11), MIT kerberos supports incremental propagation (iprop).

This has now been implemented on all slaves. With this approach, the slaves are kept up to date by requesting updates from the master every two minutes.

Note that we could not easily use incremental propagation on the FRIEND slaves, as the configuration required is more challenging when the KDC is a client of a different realm than the one it serves. We could do this by using an alternative krb5.conf file, but the FRIEND realm sees comparatively few changes, so hourly propagation is sufficient.

Fail2Ban

This work came out of the password strength project but it fitted more naturally here. To protect our KDCs against brute-force attacks, we implemented Fail2Ban on INF and FRIEND - using iptables to block any IP address which exceeds a defined number of of authentication failures/attempts to authenticate against non-existent principals. Thanks to George for adding appropriate support to the iptables component and configuration.

Documentation

The KerberosOverview page has been updated

Effort spent

The total time spent on this project was 126.5 hours (~18 days).

Misc. Comments

Having a test realm (TEST.INF.ED.AC.UK) is invaluable for this kind of work, as we cannot experiment with a running service.

Future Considerations

All KDCs will be upgraded to SL7 this calendar year.

We need to start considering what changes we require to fully support IPv6 on our KDCs. See kerberos IPv6 wiki page.

We will continue to collaborate with our colleagues in IS with respect to kerberos versions, configuration and RPM packaging.

When making changes to the master KDC, we also need to consider that it hosts our wallet service.


-- TobyBlake - 29 Jun 2016
Topic revision: r2 - 30 Jun 2016 - 09:06:44 - TobyBlake
 
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback
This Wiki uses Cookies