Difference between pages "Cyrus-SASL" and "DVDless install"

From Wikislax
{{RightTOC}}

== What is Cyrus-SASL ? ==

[http://www.cyrusimap.org/#sasl SASL] is a protocol to manage authentication between clients and servers. It is used in messaging to authenticate clients to '''smtp pop3 imap ldap servers'''. SASL is specified in RFC 2222 (Simple Authentication and Security Layer). SASL defines how authentication information is exchanged, but lets other specifications define the authentication methods really used.

Among these methods, '''CRAM-MD5''' and its successor '''DIGEST-MD5''' use a shared secret (a password) and a challenge that affords proving that the other side owns the password without actually needing to send it over the wire. '''GSSAPI''' is the method for '''KERBEROS V5'''. '''PLAIN''' uses a plaintext password. Microsoft Outlook Express uses only proprietary methods: '''LOGIN''' uses a base64-coded plaintext password, '''NTLM''' is the Microsoft NT Lan Manager Authentication and '''SPA''' stands for secure password authentication.

'''Cyrus-SASL''', an Open Source software developed by Carnegie-Mellon University, implements the standard methods, and also includes plugins to handle proprietary authentication methods such as Microsoft '''NTLM/SPA'''.

'''Cyrus-SASL''' offers several options to check the real passwords. '''saslauthd''' affords using the '''saslauthd''' daemon to check cleartext-only passwords against '''PAM''' (the system passwords and '''/etc/shadow'''), '''LDAP''', '''Kerberos''', and others. '''auxprop''' affords using external modules for passwords stored in an external '''SASLdb''' (using '''Berkeley db''') or '''SQL''' database, or in an '''LDAP''' directory.

== Installing Cyrus-SASL ==

[http://www.cyrusimap.org/mediawiki/index.php/Downloads#SASL_Library Download], untar to /usr/local then install as below. The authentication methods used are '''CRAM-MD5''' (needed? for '''Thunderbird'''), '''DIGEST-MD5''', '''PLAIN''', '''LOGIN''' (needed for '''Microsoft Outlook Express'''); the password checking methods used are '''saslauthd''' (with PAM or LDAP) and '''ldapdb'''. There's support for OpenSSL (not sure if this is used as SASL includes its own encryption routines), and random number generation uses '''/dev/urandom''' to avoid the severe authentication slowdowns observed when using '''/dev/random''' (but this should not be used for OTP or SRP).

 # tar -C /usr/local -xvf cyrus-sasl-x.y.z.tar.gz
 # cd /usr/local
 # chmod -R go-w cyrus-sasl-x.y.z
 # cd cyrus-sasl-x.y.z
 # ./configure --help | less
 # ./configure --libdir=/usr/local/lib64 --disable-alwaystrue --disable-checkapop \
 --disable-otp --disable-gssapi --disable-anon --enable-login --with-devrandom=/dev/urandom \
 --with-saslauthd=/var/state/saslauthd --with-openssl=/usr/local --with-ldap=/usr/local \
 --enable-ldapdb
 # make
 # removepkg /var/log/packages/qca-cyrus-sasl-x.y.z_betat-x86_64-1
 # removepkg /var/log/packages/cyrus-sasl-x.y.z-x86_64-2
 # make install
 # make clean
 # mkdir /var/state/saslauthd
 # ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
 # ln -sf /usr/local/lib64/libsasl2.la /usr/lib64/libsasl2.la
 # ln -sf /usr/local/lib64/libsasl2.so.3 /usr/lib64/libsasl2.so.2
 # ldconfig

== Reinstalling OpenLDAP ==

There is a chicken-and-egg problem with OpenLDAP and Cyrus-SASL as they reference each other. In the previous chapter we installed OpenLDAP without '''--enable-spasswd --with-cyrus-sasl'''. We now reinstall OpenLDAP with '''--enable-spasswd --with-cyrus-sasl''':

 # cd /usr/local/openldap-x.y.z
 # make distclean
 # ./configure --help | less
 # ./configure --libdir=/usr/local/lib64 --mandir=/usr/local/man \
 --disable-ipv6 --with-tls --enable-spasswd --with-cyrus-sasl
 # make depend
 # make
 # make test
 # make install
 # make clean

== Configuring Cyrus-SASL ==

Applications that use SASL are advised to use an '''Application.conf''' file in '''/usr/lib/sasl2''', with a '''mech_list''' line defining a subset of the authentication methods defined for the site, and a '''pwcheck_method''' line defining the password checking method. If all authentication methods defined for the site can be used by the application then it is not necessary to use '''mech_list'''. '''log_level''' is between 0 and 7 (default 1, log unusual errors) and defines the verbosity of the logs produced under '''/var/log''' in files '''auth.log''', '''debug''', '''maillog''' and '''syslog'''.

== Known issue ==

Applications using SASL authentication (e.g. OpenLDAP, Cyrus-IMAP) expect to find a ''GuessMyName.conf'' file in /usr/lib/sasl2 to work properly. If this file cannot be found, there will be messages ''_sasl_plugin_load failed on sasl_auxprop_plug_init for plugin:'' in /var/log/debug and ''auxpropfunc error invalid parameter supplied'' in /var/log/syslog. To find the name of the missing file, re-run make install for SASL after adding the line '''_sasl_log (NULL, SASL_LOG_ERR, "File %s could not be fopened\n", filename);''' in lib/config.c just after the call to fopen. Known SASL configuration filenames are:

* Cyrus.conf
* INN.conf
* Sendmail.conf
* slapd.conf

== Using saslauthd ==

An Application.conf file to use '''saslauthd''' could be:

 log_level: 0
 mech_list: PLAIN LOGIN
 pwcheck_method: saslauthd

Specify the '''saslauthd''' options in file '''/etc/rc.d/rc.saslauthd'''. '''-a ldap''' affords using ldap and '''-n''' is the number of waiting processes. Put 0 to create authentication processes only on demand. chmod u+x /etc/rc.d/rc.saslauthd to afford automatically launching saslauthd at startup. For more saslauthd options, see the '''man saslauthd''' page.

 saslauthd_start() {
   # If saslauthd is not running, start it:
   if [ ! -r /var/state/saslauthd/saslauthd.pid ]; then
     echo "Starting SASL authentication daemon:  /usr/local/sbin/saslauthd -a ldap -n 0"
     /usr/local/sbin/saslauthd -a ldap -n 0
   fi
 }

When using ldap, file '''/usr/local/etc/saslauthd.conf''' defines the LDAP access parameters:

 ldap_auth_method: custom
 ldap_authz: proxyUser
 ldap_filter: cn=%u
 ldap_id: proxyUser
 ldap_mech: DIGEST-MD5
 ldap_password: proxyUserPassword
 ldap_search_base: dc=domain,dc=com
 ldap_servers: ldap://localhost
 ldap_use_sasl: yes

Restart '''slapd''' and use '''testsaslauthd''' to make sure it works:

 # killall slapd
 # /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/
 # testsaslauthd -u myUser -p myPassword
 0: OK "Success."

<u>Note</u>: as already noted above when introducing the password checking methods, '''saslauthd''' affords using only cleartext passwords (even if it uses digest-md5 when talking to slapd). So only the PLAIN and LOGIN mechanisms can be used with '''saslauthd'''. For security, any such connection should be encapsulated within TLS when used over the wire.

== Using sasldb ==

An Application.conf file to use sasldb could be:

 auxprop_plugin: sasldb
 mech_list: CRAM-MD5 DIGEST-MD5 PLAIN LOGIN
 pwcheck_method: auxprop

'''sasldb''' affords storing a list of users/passwords in the '''/etc/sasldb2''' password database. The tools to maintain this database are '''sasldblistusers2''', that affords listing the users, and '''saslpasswd2''', that affords adding or removing users/passwords. For more options, see the man pages. <u>Note</u>: when creating users, it might be necessary to append the domain name for the password checking to work.

 # saslpasswd2 -c myUser@myDomain.com
 Password:
 # sasldblistusers2
 myUser@myDomain.com: userPassword
 # saslpasswd2 -d myUser@myDomain.com

== Using ldapdb ==

This is our preferred method, as it affords using the LDAP directory as a single and direct source of authentication for all applications (saslauthd is not needed when using the ldapdb auxprop plugin). We will use it later in this document for Sendmail and Cyrus-IMAP authentication. As we are authenticating against localhost we are using interprocess communication only, so there is no need for encryption and we use the PLAIN mechanism. An Application.conf file to use '''ldapdb''' is as below:

 auxprop_plugin: ldapdb
 ldapdb_id: proxyUser
 ldapdb_mech: DIGEST-MD5
 ldapdb_pw: proxyUserPassword
 ldapdb_uri: ldap://localhost
 log_level: 0
 mech_list: PLAIN
 pwcheck_method: auxprop

File '''/usr/local/lib/sasl2/slapd.conf''' tells slapd to use its own internal auxprop_plugin module slapd to authenticate proxyUser:

 auxprop_plugin: slapd
 log_level: 0
 mech_list: DIGEST-MD5
 pwcheck_method: auxprop

As they contain sensitive information, the owner and rights of these files should be set so that they can be read only by their user ldap:ldap.
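As an added example (not part of this wiki or of Cyrus-SASL), a small shell lint for an Application.conf that checks the two points made above: with pwcheck_method saslauthd only the cleartext mechanisms PLAIN and LOGIN can work, and a file that carries the proxy user's password (ldapdb_pw or ldap_password) must not be readable by group or others. sasl_conf_lint and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of Cyrus-SASL or of this wiki page.
# sasl_conf_lint, sasl_conf_get and sasl_conf_goperms are names chosen here.

# Value of the last "KEY: value" line in FILE (empty when absent).
sasl_conf_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1
}

# Group and other permission bits of FILE as ls -l shows them ("------" = private).
sasl_conf_goperms() {
    ls -ld "$1" | cut -c5-10
}

# Returns 0 when FILE is consistent, 1 otherwise; every finding is printed.
sasl_conf_lint() {
    conf=$1
    rc=0
    pwcheck=$(sasl_conf_get "$conf" pwcheck_method)
    mechs=$(sasl_conf_get "$conf" mech_list)

    case "$pwcheck" in
    saslauthd)
        # saslauthd is handed the cleartext password, so a challenge/response
        # mechanism in mech_list can never be verified through it.
        for m in $mechs; do
            case "$m" in
            PLAIN|LOGIN) ;;
            *) echo "$conf: mechanism $m cannot be verified by saslauthd (cleartext only)"; rc=1 ;;
            esac
        done
        ;;
    auxprop)
        [ -n "$(sasl_conf_get "$conf" auxprop_plugin)" ] ||
            { echo "$conf: pwcheck_method auxprop without an auxprop_plugin line"; rc=1; }
        ;;
    "")
        echo "$conf: no pwcheck_method line"; rc=1
        ;;
    esac

    # A proxy-user password stored in the file: the file itself must be private.
    if grep -Eq '^[[:space:]]*(ldapdb_pw|ldap_password):' "$conf"; then
        goperms=$(sasl_conf_goperms "$conf")
        [ "$goperms" = "------" ] ||
            { echo "$conf: holds a password but is group/other readable (bits $goperms)"; rc=1; }
    fi
    return $rc
}

# Demo on constructed sample files written to a temporary directory.
sasl_conf_demo() {
    dir=$(mktemp -d)
    printf 'log_level: 0\nmech_list: PLAIN LOGIN\npwcheck_method: saslauthd\n' > "$dir/ok.conf"
    printf 'mech_list: CRAM-MD5 DIGEST-MD5 PLAIN\npwcheck_method: saslauthd\n' > "$dir/mech.conf"
    printf 'auxprop_plugin: ldapdb\nldapdb_pw: proxyUserPassword\nmech_list: PLAIN\npwcheck_method: auxprop\n' > "$dir/leaky.conf"
    chmod 644 "$dir/leaky.conf"   # deliberately too open for the demo
    for f in "$dir"/*.conf; do
        if sasl_conf_lint "$f"; then echo "$f: OK"; fi
    done
    rm -rf "$dir"
}

sasl_conf_demo
```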

<br/>
<br/>

{{pFoot|[[OpenLDAP]]|[[Main Page]]|[[Sendmail]]}}

Revision as of 11:29, 5 January 2025

The (local) network is an additional choice to install Slackware from when your hardware has this capability. Installing from the local network is particularly fast and is a good choice when playing around with the installation. This page explains how to configure a Slackware server for this usage. It was inspired by AlienBob's blog page on the same topic. To install Slackware over the network we need:

  • A service to download the Slackware files during the Slackware setup. HTTP, FTP, or NFS can be used. In the example below we show how to use the NFS and FTP services included with Slackware.
  • A service implementing the TFTP protocol. TFTP is used to effectively download the bootstrap code from the server identified. We will use the TFTP protocol included with Slackware.
  • A service implementing the BOOTP protocol. BOOTP is used by the PXE firmware to identify on the network a server to download the bootloader code from. The DHCP server included with the Slackware distribution has this capability.

Configuring NFS

NFS is SUN's Network File System. It is fast and can be used as a mount point, but depending on configuration it may be insecure and must be used locally only. Also, it uses some random port numbers that need to be fixed if firewalling. The directories used are defined in /etc/exports. Copy the content of the Slackware DVD to a directory, for instance /var/pub/slackware64-14.2, then edit /etc/exports as below. ro means read-only, sync makes sure that no asynchronous requests are made, insecure affords using different NFS ports from other NFS implementations, all_squash maps all uids and gids to the anonymous user for public access, no_subtree_check improves reliability in some circumstances. See man exports for more details.

# mkdir /mnt/dvd
# mkdir /var/pub/slackware64-15.0
# mount -o loop slackware64-15.0-install-dvd.iso /mnt/dvd
# cp -a /mnt/dvd/slackware64 /var/pub/slackware64-15.0/

# See exports(5) for a description.
# This file contains a list of all directories exported to other computers.
# It is used by rpc.nfsd and rpc.mountd.

/var/pub       192.168.0.1/24(ro,sync,insecure,all_squash,no_subtree_check)

The NFS server is launched using /etc/rc.d/rc.nfsd. Make this script executable so as to use it on every boot. You can also start it to test it immediately. The NFS client is launched using /etc/rc.d/rc.rpc and affords using NFS mount points from other NFS servers. Make this script executable if you want to use it and have it started on every reboot. This can be handy to cross-test NFS machines. Otherwise it should not be necessary.

# chmod u+x /etc/rc.d/rc.nfsd
# chmod u+x /etc/rc.d/rc.rpc

Configuring FTP

As SSH affords encrypted authentication and transfers, FTP will be used on our site only for anonymous public downloads. FTP uses fixed port numbers so it is easy to firewall, but it is much slower than NFS. Slackware includes two FTP servers: ProFTPd and vsFTP. We will use the latter. Using vsFTP requires very little configuration: setting the home directory of the ftp user to where we want our files to be downloaded from, uncommenting the correct ftp line in /etc/inetd.conf and running /etc/rc.d/rc.inetd restart, and updating the firewall rules. For more details, man vsftpd.conf.

# usermod --home /var/pub ftp

. . .
# Very Secure File Transfer Protocol (FTP) server.
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  vsftpd
. . .

# /etc/rc.d/rc.inetd restart

. . .
# services on local network FTP BOOTP HTTP NNTP IMAP HTTPS SUBMIT VNC VOIP
iptables -A INPUT -p tcp -j ACCEPT --dport 20 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW -s 192.168.0.0/24

Configuring TFTPBOOT

TFTP is the Trivial File Transfer Protocol (for use on a local network). Let's create the tftp bootp file structure under the default /tftpboot directory. The directory where we store the bootloader files is /tftpboot/slackware64-15.0:

# mkdir /tftpboot
# mkdir /tftpboot/slackware64-15.0
# mkdir /tftpboot/slackware64-15.0/pxelinux.cfg
# mount -o loop slackware64-15.0-install-dvd.iso /mnt/dvd
# cp /usr/share/syslinux/pxelinux.0 /tftpboot/slackware64-15.0/
# cp /mnt/dvd/isolinux/message.txt /tftpboot/slackware64-15.0/
# cp /mnt/dvd/isolinux/f2.txt /tftpboot/slackware64-15.0/
# cp -a /mnt/dvd/kernels /tftpboot/slackware64-15.0/
# cp /mnt/dvd/usb-and-pxe-installers/pxelinux.cfg_default /tftpboot/slackware64-15.0/pxelinux.cfg/default
# cp /mnt/dvd/isolinux/initrd.img /tftpboot/slackware64-15.0/
# umount /mnt/dvd

TFTP is handled by inetd. To activate it, uncomment the tftp line in /etc/inetd.conf, then run /etc/rc.d/rc.inetd restart or reboot.

tftp  dgram   udp     wait    root    /usr/sbin/in.tftpd  in.tftpd -s /tftpboot -r blksize

Configuring DHCP

We configure /etc/dhcpd.conf as follows. Our subnet is 192.168.0.0, our network mask 255.255.255.0, our IP address is 192.168.0.1, our router address 192.168.0.254. The DHCP IP range is 192.168.0.3 to 192.168.0.253. For more details on other configuration possibilities, man dhcpd.conf.

# dhcpd.conf
#
# Configuration file for ISC dhcpd (see 'man dhcpd.conf')

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
ddns-update-style none;

# Allow bootp requests
allow bootp;

# Point to the TFTP server:
next-server 192.168.0.1;

# Default lease is 1 week (604800 sec.)
default-lease-time 604800;
# Max lease is 4 weeks (2419200 sec.)
max-lease-time 2419200;

subnet 192.168.0.0 netmask 255.255.255.0 {
    option domain-name "studioware.com";
    option broadcast-address 192.168.0.255;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 192.168.0.1;
    option routers 192.168.0.254;
    range dynamic-bootp 192.168.0.3 192.168.0.253;
    use-host-decl-names on;
    if substring (option vendor-class-identifier, 0, 9) = "PXEClient" {
      # path relative to the in.tftpd root /tftpboot, so it must match the directory created above
      filename "/slackware64-15.0/pxelinux.0";
    }
}

Next is to create a script /etc/rc.d/rc.dhcpd to launch dhcpd. Our bridged interface is br0:

#!/bin/sh
#
# /etc/rc.d/rc.dhcpd
#      This shell script takes care of starting and stopping
#      the ISC DHCPD service
#

# Put the command line options here that you want to pass to dhcpd:
DHCPD_OPTIONS="-q br0"

[ -x /usr/sbin/dhcpd ] || exit 0

[ -f /etc/dhcpd.conf ] || exit 0

start() {
      # Start daemons.
      echo -n "Starting dhcpd:  /usr/sbin/dhcpd $DHCPD_OPTIONS "
      /usr/sbin/dhcpd $DHCPD_OPTIONS
      echo
}
stop() {
      # Stop daemons.
      echo -n "Shutting down dhcpd: "
      killall -TERM dhcpd
      echo
}
status() {
  PIDS=$(pidof dhcpd)
  if [ "$PIDS" = "" ]; then
    echo "dhcpd is not running!"
  else
    echo "dhcpd is running at pid(s) ${PIDS}."
  fi
}
restart() {
      stop
      start
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        stop
        start
        ;;
  status)
        status
        ;;
  *)
        echo "Usage: $0 {start|stop|status|restart}"
        ;;
esac

exit 0

Next is to make /etc/rc.d/rc.dhcpd executable, launch it from /etc/rc.d/rc.local and stop it from /etc/rc.d/rc.local_shutdown :

# chmod u+x rc.dhcpd
. . .
# start dhcpd
if [ -x /etc/rc.d/rc.dhcpd ]; then
        /etc/rc.d/rc.dhcpd start
fi
. . .
# stop dhcpd
if [ -x /etc/rc.d/rc.dhcpd ]; then
    /etc/rc.d/rc.dhcpd stop
fi

Firewalling NFS

Refer to IPTables for an introduction to packet filtering. NFS uses some random ports by default, which we need to fix if we want to be able to do proper packet filtering. To be precise, NFS itself uses sunrpc/111 and nfsd/2049; the other NFS daemons take random port numbers, but alternative port numbers can be specified on the command line or in the /etc/services file, to which we add:

rpc.nfs-cb      32764/tcp  # RPC nfs callback
rpc.nfs-cb      32764/udp  # RPC nfs callback
status          32765/udp  # NFS status (listen)
status          32765/tcp  # NFS status (listen)
status          32766/udp  # NFS status (send)
status          32766/tcp  # NFS status (send)
mountd          32767/udp  # NFS mountd
mountd          32767/tcp  # NFS mountd
lockd           32768/udp  # NFS lock daemon/manager
lockd           32768/tcp  # NFS lock daemon/manager
rquotad         32769/udp  # NFS rquotad
rquotad         32769/tcp  # NFS rquotad

The /etc/rc.d/rc.nfsd and /etc/rc.d/rc.rpc scripts are modified to specify port numbers on the command lines :

if [ -x /usr/sbin/rpc.rquotad ]; then
  echo "  /usr/sbin/rpc.rquotad -p 32769"
  /usr/sbin/rpc.rquotad -p 32769
fi

if [ -x /usr/sbin/rpc.mountd ]; then
  echo "  /usr/sbin/rpc.mountd -p 32767"
  /usr/sbin/rpc.mountd -p 32767
fi

if ! ps axc | grep -q rpc.statd ; then
  echo "Starting RPC NSM (Network Status Monitor):  /sbin/rpc.statd -p 32765 -o 32766"
  /sbin/rpc.statd -p 32765 -o 32766
fi

To make the lock daemon listen on port 32768 only and set the NFS callback port to 32764 we need to create the file /etc/sysctl.d/nfs.conf:

fs.nfs.nlm_udpport=32768
fs.nfs.nlm_tcpport=32768
fs.nfs.nfs_callback_tcpport=32764

Last, the BOOTP/TFTP and NFS ports must be added to /etc/rc.d/rc.firewall. Note that the udp 69 rule below is TFTP, the port the PXE client fetches the bootloader from; the BOOTP/DHCP exchange itself runs on udp 67/68 and must also be allowed if the INPUT policy drops it:

# by default no local traffic is allowed for network 192.168.0.0/24 on br0 interface
# iptables -A INPUT -i br0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
# iptables -A OUTPUT -o br0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT

# TFTP (udp 69), used by the PXE client after the BOOTP/DHCP exchange (udp 67/68)
iptables -A INPUT -p udp -j ACCEPT --dport 69 -s 192.168.0.0/24

# NFS ports
iptables -A INPUT -p udp -j ACCEPT --dport 111 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 111 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 2049 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 2049 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32764 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32764 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32765 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32765 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32766 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32766 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32767 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32767 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32768 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32768 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32769 -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32769 -m state --state NEW -s 192.168.0.0/24
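The pinned ports above only protect you if the daemons really bind them; a daemon started without its -p option falls back to a random port that the rules never open. As an added example (not part of this wiki or of any NFS tool), the following reads rpcinfo -p output and reports every registered RPC service whose port lies outside the set the firewall opens. nfs_port_check and NFS_PINNED_PORTS are names chosen here, and the rpcinfo table is a constructed sample; on the live server run rpcinfo -p | nfs_port_check.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of any NFS tool.
# nfs_port_check and NFS_PINNED_PORTS are names chosen for this example.

# The ports the rc scripts, sysctl settings and firewall rules above agree on.
NFS_PINNED_PORTS="111 2049 32764 32765 32766 32767 32768 32769"

# Reads "rpcinfo -p" output on stdin and prints "service proto port" for each
# registered RPC service bound outside NFS_PINNED_PORTS. The exit status is the
# number of such services, so 0 means the firewall rules cover all of them.
nfs_port_check() {
    awk -v pinned="$NFS_PINNED_PORTS" '
        BEGIN { bad = 0; n = split(pinned, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        # data lines are: program vers proto port service; the header starts with a word
        NF == 5 && $1 ~ /^[0-9]+$/ && !($4 in ok) { print $5, $3, $4; bad++ }
        END { exit bad }
    '
}

# Constructed sample of "rpcinfo -p" on a server set up as above, except that
# rquotad was started without "-p 32769" and took a random port.
NFS_SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100021    4   udp  32768  nlockmgr
    100021    4   tcp  32768  nlockmgr
    100011    2   udp  47801  rquotad
    100003    4   tcp   2049  nfs'

# Runs the check on the constructed sample: prints "rquotad udp 47801", exit status 1.
nfs_port_check_sample() {
    printf '%s\n' "$NFS_SAMPLE_RPCINFO" | nfs_port_check
}

# Same sample with rquotad pinned as rc.nfsd does above: no output, exit status 0.
nfs_port_check_sample_fixed() {
    printf '%s\n' "$NFS_SAMPLE_RPCINFO" | sed 's/47801/32769/' | nfs_port_check
}

nfs_port_check_sample
n=$?
if [ "$n" -eq 0 ]; then
    echo "all registered RPC services are on pinned ports"
else
    echo "$n RPC service(s) listed above are outside the pinned port set"
fi
```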

Slackware setup

A few pieces of advice to make your Slackware setup from network easier :

  • For some reason Slackware might use an interface other than eth0. Just move the cable to the right slot or update (or remove) /etc/udev/rules.d/70-persistent-net.rules.
  • Slackware network setup uses NFS version 3 meaning that directory paths are absolute.
  • The FTP directory paths are instead relative to the ftp user home directory.

