Absicherung NFS: Difference between revisions

Line 13: Line 13:
accounting
accounting


• radiusd.conf Defines the configuration parameters for the RADIUS server. It includes references
<code>radiusd.conf</code> Defines the configuration parameters for the RADIUS server. It includes references
to all of the other configuration files.
to all of the other configuration files.


• clients.conf Defines information necessary to configure the RADIUS client, including IP
<code>clients.conf</code> Defines information necessary to configure the RADIUS client, including IP
addresses and shared secrets. This file is referenced from the radiusd.conf file.
addresses and shared secrets. This file is referenced from the radiusd.conf file.


• dictionary Defines local attributes for the RADIUS server. This file references the default
<code>dictionary</code> Defines local attributes for the RADIUS server. This file references the default
dictionary files. The default dictionary files include thousands of attribute definitions for over one
dictionary files. The default dictionary files include thousands of attribute definitions for over one
hundred vendors.
hundred vendors.


• proxy.conf Defines upstream home servers, including information on IP addresses and shared
<code>proxy.conf</code> Defines upstream home servers, including information on IP addresses and shared
secrets. It also defines Realms. The radiusd.conf file references the proxy.conf file.
secrets. It also defines Realms. The radiusd.conf file references the proxy.conf file.


• sites-enabled/default This is the default virtual server. This file handles authentication and
<code>sites-enabled/default</code> This is the default virtual server. This file handles authentication and
accounting requests. It contains a configuration designed to work with the largest number of
accounting requests. It contains a configuration designed to work with the largest number of
authentication protocols. The radiusd.conf file references the sites-enable/default file.
authentication protocols. The radiusd.conf file references the sites-enable/default file.


• sites-enabled/inner-tunnel This virtual server handles authentication methods that are
<code>sites-enabled/inner-tunnel</code> This virtual server handles authentication methods that are
carried inside of a TLS tunnel, as part of PEAP or EAP-TTLS authentication. The radiusd.conf file
carried inside of a TLS tunnel, as part of PEAP or EAP-TTLS authentication. The radiusd.conf file
references the sql.conf file.
references the sql.conf file.


• users The traditional RADIUS configuration file for users. This file format is similar to the format
<code>users</code> The traditional RADIUS configuration file for users. This file format is similar to the format
defined in 1993. The files file references the users file.
defined in 1993. The files file references the users file.


=== Implementierung ===
=== Implementierung ===


Ein Programm schreiben welches eine CSR erstellt wobei der private key im TPM erstellt wird, und anschliessend eine wpa-supplicant config erstellt. Aenlich wie hier nur fuer wired:
Ein Programm schreiben, welches eine CSR erstellt, wobei der private key im TPM erstellt wird und anschließend eine wpa-supplicant config erstellt. Ähnlich wie hier nur für wired:


https://wiki.archlinux.org/title/wpa_supplicant
https://wiki.archlinux.org/title/wpa_supplicant
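Review bot: the spelling corrections in the Implementierung paragraph are fine, but this revision leaves two defects in the file list untouched. The sites-enabled/default item still ends with "references the sites-enable/default file" (missing "d"; the same item names the file sites-enabled/default two lines earlier), and the sites-enabled/inner-tunnel item ends with "The radiusd.conf file references the sql.conf file.", a sentence about a different file that does not belong to that item. Suggest "The radiusd.conf file references the sites-enabled/default file." for the first and either dropping the sql.conf sentence or giving sql.conf its own entry.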

Revision as of 07:43, 5 October 2022

Absicherung NFS

Plan

Step 1: Authentication with 802.1X. 1x switch, 1x client and 1x RADIUS server

Step 2: Generate the CSR in the TPM, or import a certificate together with its key.

Step 3: Use the certificate from the TPM for 802.1X.

Radius

RADIUS uses User Datagram Protocol (UDP) port 1812 for authentication and 1813 for accounting.

radiusd.conf Defines the configuration parameters for the RADIUS server. It includes references to all of the other configuration files.

clients.conf Defines information necessary to configure the RADIUS client, including IP addresses and shared secrets. This file is referenced from the radiusd.conf file.

dictionary Defines local attributes for the RADIUS server. This file references the default dictionary files. The default dictionary files include thousands of attribute definitions for over one hundred vendors.

proxy.conf Defines upstream home servers, including information on IP addresses and shared secrets. It also defines Realms. The radiusd.conf file references the proxy.conf file.

sites-enabled/default This is the default virtual server. This file handles authentication and accounting requests. It contains a configuration designed to work with the largest number of authentication protocols. The radiusd.conf file references the sites-enabled/default file.

sites-enabled/inner-tunnel This virtual server handles authentication methods that are carried inside of a TLS tunnel, as part of PEAP or EAP-TTLS authentication. The radiusd.conf file references the sql.conf file.

users The traditional RADIUS configuration file for users. This file format is similar to the format defined in 1993. The files file references the users file.
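clients.conf is where the shared secrets live that every switch in Step 1 uses to talk to the RADIUS server, so it is the file worth checking before the server goes live. The following Python script is an added example, not part of the page or of FreeRADIUS: it parses the flat client { ... } blocks of a constructed clients.conf and flags three weaknesses a reviewer would look for: the "testing123" secret that FreeRADIUS ships in its default clients.conf, secrets shorter than a local minimum length (the 16-character threshold is an assumption, not a FreeRADIUS default), client blocks that match any source address, and clients that do not set the real FreeRADIUS option require_message_authenticator to yes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample clients.conf for the example (not from the page). The
# "testing123" secret is the value FreeRADIUS ships in its default clients.conf.
SAMPLE_CLIENTS_CONF = """\
# loopback entry used by radtest
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}

client switch-floor1 {
    ipaddr = 10.0.1.0/24
    secret = Xk4vQ9pLm2Rt8Wn3Zb6Yc1Hd
    require_message_authenticator = yes
}

client anywhere {
    ipaddr = 0.0.0.0/0
    secret = short
}
"""

BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{([^}]*)\}", re.S)
KV_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.+?)\s*$", re.M)
MIN_SECRET_LEN = 16   # assumption: a local policy value, not a FreeRADIUS default


@dataclass
class Client:
    name: str
    settings: dict = field(default_factory=dict)


def parse_clients(text):
    """Parse the client { ... } blocks of a clients.conf.

    Only flat blocks are handled; nested sections inside a client block are
    not supported by this small parser.
    """
    clients = []
    for name, body in BLOCK_RE.findall(text):
        body = re.sub(r"^\s*#.*$", "", body, flags=re.M)   # drop comment lines
        settings = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        clients.append(Client(name, settings))
    return clients


def lint_client(c):
    """Return the list of findings for one client block (empty means clean)."""
    findings = []
    secret = c.settings.get("secret", "")
    if secret == "testing123":
        findings.append("shared secret is the FreeRADIUS default 'testing123'")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append(f"shared secret shorter than {MIN_SECRET_LEN} characters")
    if c.settings.get("ipaddr", "").endswith("/0"):
        findings.append("ipaddr matches any source address")
    if c.settings.get("require_message_authenticator", "no") != "yes":
        findings.append("require_message_authenticator is not 'yes'")
    return findings


def lint(text):
    """Map each client name to its findings."""
    return {c.name: lint_client(c) for c in parse_clients(text)}


if __name__ == "__main__":
    for name, findings in lint(SAMPLE_CLIENTS_CONF).items():
        print(name, "->", findings or ["ok"])
```

Run against the sample, the localhost and anywhere blocks produce findings and switch-floor1 passes. Point lint() at the real file contents before enabling a new switch client; the parser deliberately does not follow $INCLUDE directives, so check included files separately.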

Implementation

Write a program that creates a CSR, with the private key generated in the TPM, and then creates a wpa_supplicant config. Similar to the following, but for wired:

https://wiki.archlinux.org/title/wpa_supplicant

cat > wpa_supplicant.conf <<EOF
network={
    ssid="SSID"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="testing"
    ca_cert="/etc/pki/SSID/ca.pem"
    client_cert="/etc/pki/SSID/client.crt"
    private_key="pkcs11:model=Intel;manufacturer=Intel;serial=0000000000000000;token=label;id=%32%62%37%30%65%62%36%32%66%33%32%62%31%63%65%37;object=0;type=private;pin-value=userpin"
}
EOF
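The config above is the wireless form from the Arch wiki; the plan calls for the wired equivalent. The Python below is an added example, not code from the page, the Arch wiki or the tpm2-software project: it builds the pkcs11: private_key URI per RFC 7512 (showing where the percent-encoded id=%32%62... string comes from and how to decode it back to the CKA_ID), renders the wired 802.1X EAP-TLS network block that wpa_supplicant's wired driver expects (key_mgmt=IEEE8021X, ap_scan=0, eapol_flags=0, no ssid), and writes the file with mode 0600 because pin-value is a secret. Generating the key inside the TPM and signing the CSR are done with tpm2_ptool and the OpenSSL PKCS#11 tooling from the Resources section and are outside this snippet. The token label "label" and the CKA_ID match the URI quoted above; the identity, certificate paths and PIN are placeholders, and RFC 7512 puts pin-value in the query part after "?" rather than after ";" as in the config above.

```python
import os
import re
import tempfile
from urllib.parse import quote, unquote_to_bytes

# Constructed values for the example. "label" and the CKA_ID match the pkcs11:
# URI in the config above; everything else is a placeholder.
TOKEN_LABEL = "label"
KEY_ID = b"2b70eb62f32b1ce7"   # tpm2-pkcs11 stores the hex id as ASCII bytes


def pkcs11_uri(token, key_id, pin=None):
    """Build an RFC 7512 PKCS#11 URI for a private key.

    token  -- the token label given to tpm2_ptool addtoken
    key_id -- raw CKA_ID bytes; RFC 7512 percent-encodes every byte, which is
              why the id looks like %32%62%37... in wpa_supplicant configs
    pin    -- optional user PIN, placed in the query part as pin-value
    """
    attrs = [
        "token=" + quote(token, safe=""),
        "id=" + "".join("%%%02x" % b for b in key_id),
        "type=private",
    ]
    uri = "pkcs11:" + ";".join(attrs)
    if pin is not None:
        uri += "?pin-value=" + quote(pin, safe="")
    return uri


def decode_pkcs11_id(uri):
    """Recover the raw CKA_ID bytes from a pkcs11: URI (None if no id attribute)."""
    m = re.search(r"(?:^|[;?])id=([^;?]+)", uri)
    return unquote_to_bytes(m.group(1)) if m else None


IDENT_RE = re.compile(r"^[A-Za-z0-9._@-]+$")


def wired_eap_tls_config(identity, ca_cert, client_cert, private_key_uri):
    """Render a wpa_supplicant config for wired 802.1X with EAP-TLS.

    Compared with the wireless config above: no ssid, key_mgmt is IEEE8021X
    instead of WPA-EAP, and ap_scan=0 / eapol_flags=0 are set, which is the
    form wpa_supplicant's wired driver expects.
    """
    if not IDENT_RE.match(identity):
        raise ValueError("identity contains characters that would break the config syntax")
    for p in (ca_cert, client_cert):
        if '"' in p or "\n" in p:
            raise ValueError("certificate path contains a quote or newline")
    return (
        "ap_scan=0\n"
        "network={\n"
        "    key_mgmt=IEEE8021X\n"
        "    eap=TLS\n"
        f'    identity="{identity}"\n'
        f'    ca_cert="{ca_cert}"\n'
        f'    client_cert="{client_cert}"\n'
        f'    private_key="{private_key_uri}"\n'
        "    eapol_flags=0\n"
        "}\n"
    )


def write_config(path, content):
    """Create the file with mode 0600 from the start: the PIN in pin-value is a
    secret, so the config must never be world-readable, not even briefly.
    Returns the resulting permission bits as an octal string."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return oct(os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    uri = pkcs11_uri(TOKEN_LABEL, KEY_ID, pin="userpin")
    cfg = wired_eap_tls_config("host01", "/etc/pki/lan/ca.pem",
                               "/etc/pki/lan/client.crt", uri)
    out = os.path.join(tempfile.mkdtemp(), "wpa_supplicant-wired.conf")
    print(write_config(out, cfg), out)
    print(cfg)
```

Because the private key never leaves the TPM, the only secret that ends up on disk is the PIN inside the URI, which is why the file mode matters more here than for a config that merely points at a certificate. Start the supplicant on the wired interface with the wired driver (wpa_supplicant -Dwired -i eth0 -c <file>) to use the generated file.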

Resources

https://tpm2-software.github.io/

https://github.com/tpm2-software/tpm2-pkcs11/blob/master/tools/tpm2_ptool.py

https://en.wikipedia.org/wiki/Xsupplicant