Search This Blog

Sunday, December 4, 2011

Encrypting SWAT (SAMBA Configuration) - PART4


By default SWAT is configured via an unencrypted web link using the Linux root account. When running SWAT in the unsecured mode above you should take the added precaution of using it from the Linux console whenever possible.
You can configure SWAT to work only with securely encrypted HTTP (HTTPS) versus the regular HTTP method shown above. Here is how it's done. (Please refer to the VPN section of Appendix I, "Miscellaneous Linux Topics," for more details on encryption methods.)

Create An stunnel User

You can create a stunnel user via the useradd command:
[root@bigboy tmp]# useradd stunnel

Create The Certificates

From the /etc/stunnel directory and create the encryption key certificate using the make command. Use all the defaults when prompted, but make sure you use the server's IP address when prompted for your server's Common Name or hostname.
[root@bigboy tmp]# cd /etc/stunnel
[root@bigboy stunnel]# make stunnel.pem
...
Common Name (eg, your name or your server's hostname) []:  172.16.1.200
...
[root@bigboy stunnel]#
Note: The resulting certificate has only a 365 day lifetime. Remember to repeat this process next year.

Modify Certificate File Permissions

The certificate needs to only be read by root and the stunnel user. Use the chmod and chgrp commands to do this.
[root@bigboy stunnel]# chmod 640 stunnel.pem
[root@bigboy stunnel]# chgrp stunnel stunnel.pem

[root@bigboy stunnel]# ll
-rw-r-----  1 root stunnel   1991 Jul 31 21:50 stunnel.pem
[root@bigboy stunnel]#

Create An /etc/stunnel/stunnel.conf Configuration File

You can configure the stunnel application to:
  • Intercept encrypted SSL traffic received on any TCP port
  • Decrypt this traffic
  • Funnel the unencrypted data to any application listening on another port.
For example, you can configure the /etc/stunnel/stunnel.conf file to intercept SSL traffic on the SWAT port 901 and funnel it decrypted to a SWAT daemon running on port 902. Here's how:
# Configure stunnel to run as user "stunnel" placing temporary 
# files in the /home/stunnel/ directory
chroot  = /home/stunnel/
pid     = /stunnel.pid
setuid  = stunnel
setgid  = stunnel
 
# Log all stunnel messages to /var/log/messages 
debug   = 7
output  = /var/log/messages
 
# Define where the SSL certificates can be found.
client  = no
cert    = /etc/stunnel/stunnel.pem
key     = /etc/stunnel/stunnel.pem

# Accept SSL connections on port 901 and funnel it to
# port 902 for swat. 
[swat]
accept   = 901
connect  = 902

Create A New /etc/xinetd.d File For Secure SWAT

To start, copy the swat file and name it swat-stunnel. We then configure the new file to be enabled, listening on port 902 and accepting connections only from localhost. We also make sure that the service is set to swat-stunnel.
[root@bigboy certs]# cd /etc/xinetd.d
[root@bigboy xinetd.d]# cp swat swat-stunnel
Your new swat-stunnel file should look like this:
service swat-stunnel
{
       port            = 902
       socket_type     = stream
       wait            = no
       only_from       = 127.0.0.1
       user            = root
       server          = /usr/sbin/swat
       log_on_failure  += USERID
       disable         = no
       bind            = 127.0.0.1
}

Disable SWAT in the /etc/xinetd.d/swat File

The stunnel daemon actually intercepts port 901 traffic on behalf of swat-stunnel. You'll need to disable SWAT to prevent a conflict.

Edit The /etc/services file To create a Secure SWAT entry

The xinetd daemon searches /etc/services file for ports and services that match those listed in each configuration file in the /etc/xinetd.d directory. If the daemon doesn't find a match it ignores the configuration file.
We now have to edit /etc/services to include our new swat-stunnel file like this.
swat-stunnel    902/tcp     # Samba Web Administration Tool (Stunnel)

Activate swat-stunnel

You can then start the new swat-stunnel application with the chkconfig command. You'll also need to shutdown regular swat beforehand.
[root@bigboy xinetd.d]# chkconfig swat off
[root@bigboy xinetd.d]# chkconfig swat-stunnel on

Start stunnel

Now start stunnel for the encryption to take place.
[root@bigboy xinetd.d]# stunnel
Note: In Fedora Core 2 you may get a cryptonet error when starting stunnel as in:
Unable to open "/dev/cryptonet"

This is caused by an incompatibility with the hwcrypto RPM used for hardware-, not software-based encryption. You need to uninstall hwcrypto to get stunnel to work correctly.
[root@bigboy xinetd.d]# rpm -e hwcrypto

You will then have to stop stunnel, restart xinetd and start stunnel again. After this, stunnel should begin to function correctly. Unfortunately stunnel doesn't have a startup script in the /etc/init.d directory and needs to be terminated manually using the pkill command.
[root@bigboy xinetd.d]# pkill stunnel
[root@bigboy xinetd.d]# stunnel

Making stunnel Start at Boot Time

As stunnel doesn't have a startup script, you'll need to add a reference to the stunnel program in your /etc/rc.local file for encrypted SWAT to work on your system. The easiest way to do this is using the which command and appending its output to the /etc/rc.local file.
[root@bigboy tmp]# which stunnel >> /etc/rc.local
Verify the contents of the /etc/rc.local file by using the cat command. The entry for stunnel should be at the very bottom.
[root@bigboy tmp]# cat /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

/usr/sbin/stunnel
[root@bigboy tmp]#

Test Secure SWAT

Your Samba server should now be listening on both port 901 and 902 as shown by the netstat -an command that follows. The server will accept remote connections on port 901 only.
[root@bigboy xinetd.d]# netstat -an
...
...
tcp        0      0 0.0.0.0:901      0.0.0.0:*        LISTEN
tcp        0      0 127.0.0.:902     0.0.0.0:*        LISTEN
...
...
[root@bigboy xinetd.d]#

Test The Secure SWAT Login

Point your browser to the Samba server to make an HTTPS connection on port 901.
https://server-ip-address:901/
You will be prompted for the Linux root user username and password. There will be a delay of about 60 to 75 seconds with each login.

Troubleshooting Secure SWAT

Sometimes you'll make mistakes in the stunnel.conf file but changes to this file take effect only after stunnel has been restarted. Unfortunately, there is no stunnel script in the /etc/init.d directory to easily stop and restart it. You have to use the pkill command to stop it and the stunnel command to start it again:
[root@bigboy tmp]# pkill stunnel ; stunnel
Make sure the file permissions and ownership on the stunnel.pem file are correct and that SWAT is always permanently off, but swat-stunnel is permanently on.
You can also refer to, "Simple Network Troubleshooting", to isolate connectivity issues between the SWAT client and Samba server on TCP port 901 amongst other things.

No comments: