-rw-r--r-- | configs/kerberos/kdc.conf | 16 | ||||
-rw-r--r-- | configs/kerberos/krb5.conf | 21 | ||||
-rwxr-xr-x | kerberos | 6 | ||||
-rwxr-xr-x | scripts/debian_roll | 30 |
4 files changed, 73 insertions, 0 deletions
diff --git a/configs/kerberos/kdc.conf b/configs/kerberos/kdc.conf
new file mode 100644
index 0000000..baa19a0
--- /dev/null
+++ b/configs/kerberos/kdc.conf
@@ -0,0 +1,16 @@
+[kdcdefaults]
+ kdc_ports = 750,88
+
+[realms]
+ HADES.HR = {
+ database_name = /var/lib/krb5kdc/principal
+ admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
+ acl_file = /etc/krb5kdc/kadm5.acl
+ key_stash_file = /etc/krb5kdc/stash
+ kdc_ports = 750,88
+ max_life = 10h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = des3-hmac-sha1
+ #supported_enctypes = aes256-cts:normal aes128-cts:normal
+ default_principal_flags = +preauth
+ }
diff --git a/configs/kerberos/krb5.conf b/configs/kerberos/krb5.conf
new file mode 100644
index 0000000..61f51c1
--- /dev/null
+++ b/configs/kerberos/krb5.conf
@@ -0,0 +1,21 @@
+[libdefaults]
+ default_realm = HADES.HR
+
+ # The following krb5.conf variables are only for MIT Kerberos.
+ kdc_timesync = 1
+ ccache_type = 4
+ forwardable = true
+ proxiable = true
+
+ # The following libdefaults parameters are only for Heimdal Kerberos.
+ fcc-mit-ticketflags = true
+
+[realms]
+ HADES.HR = {
+ kdc = krb.hades.hr
+ admin_server = krb.hades.hr
+ }
+
+[domain_realm]
+ .hades.hr = HADES.HR
+ hades.hr = HADES.HR
diff --git a/kerberos b/kerberos
new file mode 100755
index 0000000..296f7eb
--- /dev/null
+++ b/kerberos
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+
+scripts/debian_roll kerberos
+lxc-attach -n kerberos -v DEBIAN_FRONTEND=noninteractive -- apt-get -y install krb5-admin-server
+scp configs/kerberos/krb5.conf root@???
diff --git a/scripts/debian_roll b/scripts/debian_roll
new file mode 100755
index 0000000..56c5e5b
--- /dev/null
+++ b/scripts/debian_roll
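Review bot: `master_key_type = des3-hmac-sha1` in the HADES.HR realm block selects a triple-DES master key, an enctype RFC 8429 deprecates and that recent MIT krb5 releases refuse by default, while the AES line directly below it is commented out. Change it to `master_key_type = aes256-cts-hmac-sha1-96` and uncomment `supported_enctypes = aes256-cts:normal aes128-cts:normal` so the database is created with AES keys from the start; converting the master key after the realm exists is considerably more work. The `kdc_ports = 750,88` entry appears twice (in `[kdcdefaults]` and in the realm); 750 is the legacy Kerberos v4 port and can be dropped unless v4 clients are expected.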
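Review bot: `forwardable = true` and `proxiable = true` in `[libdefaults]` make every ticket issued to clients using this file forwardable and proxiable by default, so a credential cache taken from any client can be re-delegated to other services rather than being bound to the host it was obtained on. Unless all clients need delegation, leave the `[libdefaults]` defaults off and enable the flags only for the programs that require them, e.g. in an `[appdefaults]` block, or on the command line when requesting the ticket. The surrounding comments are copied from the Debian template and could be dropped or rewritten for this realm.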
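Review bot: The last line, `scp configs/kerberos/krb5.conf root@???`, has a literal `???` placeholder as its destination and no target path, so `scp` fails and, with `set -e` on line 2, the script aborts there; the `kdc.conf` added in the same commit is never installed at all. Since the container is already reachable through `lxc-attach`, the copies need neither ssh nor a resolvable hostname: `lxc-attach -n kerberos -- tee /etc/krb5.conf < configs/kerberos/krb5.conf` and `lxc-attach -n kerberos -- tee /etc/krb5kdc/kdc.conf < configs/kerberos/kdc.conf`. The script also stops short of initialising the realm database the `kdc.conf` points at (`/var/lib/krb5kdc/principal`), which presumably is still done by hand; a comment saying so would help the next reader.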
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -e
+
+NAME=$1
+USER=tom
+PASS=durr
+
+# init
+lxc-create -n $NAME -t download -- --dist debian --release buster --arch amd64
+lxc-start -n $NAME
+# TODO maybe just info until ip shows up?
+sleep 15
+
+# install basics
+lxc-attach -n $NAME -- apt update
+lxc-attach -n $NAME -- apt dist-upgrade
+lxc-attach -n $NAME -- apt install -y sudo openssh-server x11-xserver-utils
+
+# setup user
+lxc-attach -n $NAME -- adduser $USER --gecos "" --disabled-password
+lxc-attach -n $NAME -- bash -c 'echo -e "'$PASS'\n'$PASS'" | passwd $USER'
+
+# setup x11 forwarding
+lxc-attach -n $NAME -- bash -c 'echo "AllowTcpForwarding yes" >> /etc/ssh/sshd_config'
+lxc-attach -n $NAME -- bash -c 'echo "X11UseLocalhost yes" >> /etc/ssh/sshd_config'
+lxc-attach -n $NAME -- bash -c 'echo "PermitRootLogin yes" >> /etc/ssh/sshd_config'
+lxc-attach -n $NAME -- systemctl restart sshd
+
+# display info
+lxc-info -n $NAME
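Review bot: `PASS=durr` commits a fixed login password for the `tom` account into the repository, and the `passwd` line then splices it into a `bash -c` argument, so the plaintext is visible in `ps` output and in any `set -x` trace on both host and container. Take it from the environment and feed it over stdin instead: `: "${PASS:?set PASS in the environment}"` and `printf '%s:%s\n' "$USER" "$PASS" | lxc-attach -n "$NAME" -- chpasswd` (dropping the `echo -e` quoting puzzle, which also breaks for any password containing a quote). The `PermitRootLogin yes` append is not needed for the X11-forwarding goal the comment states and re-enables root ssh logins on every container this script produces; remove it or document why it is wanted. `apt dist-upgrade` on line 16 lacks the `-y` that `apt install` on line 17 has, so it will prompt and, with `set -e`, likely abort a non-interactive run; `$NAME` and `$USER` should be double-quoted throughout.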