SuSE 9.1 Server with CVS, Apache, SSL, PHP, PostgreSQL

Document started 10/29/05 pvalentino

LINE BY LINE DETAILED INSTALLATION AND CONFIGURATION

CREATE GROUP FOR pvalentino USERS ###10 min###:

$ groupadd pvalentino

CREATE SU CAPABLE USERS (members of wheel):

$ useradd -m -G wheel,pvalentino -s /bin/bash pvalentino
$ useradd -m -G wheel,pvalentino -s /bin/bash jeff
$ useradd -m -G wheel,pvalentino -s /bin/bash sue

$ passwd pvalentino
$ passwd jeff
$ passwd sue

STANDARD CVS USER ACCOUNTS:

If you are putting an existing public key in for a user, do the following steps as root:

$ useradd -m -G pvalentino -s /bin/bash username

$ passwd username

Log on to a new shell as the new user:

$ mkdir /home/username/.ssh

$ vi /home/username/.ssh/authorized_keys (ESC "i", then paste the user's public key in here and save - one key per line, no extra white space and no trailing carriage returns from a Windows paste)

Back as root:

$ usermod -g pvalentino username

$ chown -R username /home/username/.ssh

$ chgrp -R users /home/username/.ssh

As the user (or substitute /home/username for ~):

$ chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys

SSH will not work if anyone other than the user has write permission on the home directory, ~/.ssh or authorized_keys: sshd's default "StrictModes yes" silently ignores the key and falls back to a password prompt. This is also in the pageant document.
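The key-installation steps above, scripted as an added example (this is not from the original notes): it installs one public-key line, applies the ownership and mode rules that StrictModes enforces, and re-checks them. The home directory, owner, group and key file are parameters; the key at the bottom is a constructed placeholder, not a real key. Run it as root against /home/username for real use.

```shell
#!/bin/sh
# Added example (not from the original notes): install a user's public key the
# way the steps above describe and apply the ownership/mode rules that sshd's
# default "StrictModes yes" enforces, then re-check them.

# install_authorized_key HOMEDIR OWNER GROUP PUBKEYFILE
# Appends one OpenSSH public-key line to HOMEDIR/.ssh/authorized_keys and sets
# home not group/world-writable, .ssh 700, authorized_keys 600.
install_authorized_key() {
    home=$1 owner=$2 group=$3 pubkey=$4
    # refuse anything that is not a single OpenSSH public-key line
    [ "$(wc -l < "$pubkey")" -le 1 ] || { echo "public key file must hold one line" >&2; return 2; }
    grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+' "$pubkey" \
        || { echo "not an OpenSSH public key line" >&2; return 2; }
    mkdir -p "$home/.ssh"
    # drop trailing blanks and CR (pasted from Windows) that break key parsing;
    # awk also guarantees the stored line ends with a newline
    awk '{ sub(/[ \t\r]+$/, ""); print }' "$pubkey" >> "$home/.ssh/authorized_keys"
    # the ownership change only succeeds as root (or for our own user/group)
    chown -R "$owner:$group" "$home/.ssh" 2>/dev/null || true
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# check_ssh_perms HOMEDIR -> 0 only if StrictModes would accept the key:
# HOMEDIR, HOMEDIR/.ssh and HOMEDIR/.ssh/authorized_keys all exist and none
# of them is group- or world-writable.
check_ssh_perms() {
    home=$1 bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "missing: $p" >&2; bad=1; continue; fi
        # -perm -020: group write bit set; -perm -002: other write bit set
        if [ -n "$(find "$p" -maxdepth 0 \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group/world writable: $p" >&2; bad=1
        fi
    done
    return $bad
}

# Demo on a throwaway home directory with a constructed key (not a real one),
# complete with the trailing CR/LF a Windows paste leaves behind.
demo_home=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyOnlyNotARealKey0000000000000000 demo@example\r\n' \
    > "$demo_home/key.pub"
install_authorized_key "$demo_home" "$(id -un)" "$(id -gn)" "$demo_home/key.pub"
check_ssh_perms "$demo_home" && echo "permissions ok under $demo_home"
rm -rf "$demo_home"
```

check_ssh_perms is the part worth keeping around: run it against /home/username whenever a key-based login unexpectedly falls back to a password prompt.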

DISABLE REMOTE ROOT ACCESS BY LIMITING SSH USERS (SuSE specific) ###20 min###:

Added the line below to /etc/pam.d/sshd:

auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/sshusers onerr=succeed

$ vi /etc/sshusers

and added the users, one per line, that should NOT have ssh access - in this case root and all service accounts.

$ chmod 500 /etc/sshusers (must chmod to 600 when users must be added)

Caveat: onerr=succeed makes this check fail open - if /etc/sshusers is ever missing or unreadable, every user passes it. onerr=fail closes that gap. pam_listfile also rejects a world-writable list file outright, so keep it owned by root and writable by nobody else.

Also set "PermitRootLogin no" in /etc/ssh/sshd_config (sshd uses the first occurrence of a keyword it finds, so put it above any commented-out example).

telnet and other methods are blocked both by the firewall and by removal of securetty entries, i.e. /etc/securetty only includes entries for tty1 - tty6.

OPENSSL: version 0.9.7d is preinstalled.

INSTALL CVS VERSION 1.12.13 ###30 min###:

psftp cvs-1.12.13.tar.gz up to the home directory
$ gzip -d cvs-1.12.13.tar.gz
$ tar xvf cvs-1.12.13.tar
$ cd cvs-1.12.13

"no C compiler" error, therefore: downloaded the requisite rpm packages from ftp://ftp.suse.com/pub/suse/i386/9.1/suse/i586/ ###2hr 45min### and installed them (binary RPMs, with rpm -ivh as in GET SECURITY & SOFTWARE UPDATES below) in exactly this order:
glibc-devel-2.3.3-98, gcc-3.3.3-41, automake-1.8.3-23.i586.rpm, m4-1.4o-622.i586.rpm, autoconf-2.59-75.i586.rpm, make-3.80-184.i586.rpm
All packages are located in /home/pvalentino.

Then, back in the cvs-1.12.13 source directory:
$ ./configure
$ make
$ make install

Alternatively SEE GET SECURITY & SOFTWARE UPDATES BELOW.

CONFIGURE CVS SERVER & TEST ###1 hour 30 min###:

Define CVSROOT and PATH for SSH logons in /etc/bash.bashrc.local:

CVSROOT=/cvsroot
PATH=$PATH:/usr/local/bin
export CVSROOT PATH

$ mkdir /cvsroot
$ useradd -m -G pvalentino -s /bin/bash pvalentinocvs
$ chown pvalentinocvs /cvsroot
$ chgrp pvalentino /cvsroot
$ chmod 770 /cvsroot  (read, write, execute for owner and group members only)

Disabled remote shell access for the pvalentinocvs user account as noted in the DISABLE REMOTE ROOT ACCESS section of this document above.
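An added audit for the SSH lockdown described above (PermitRootLogin in sshd_config, the pam_listfile line, the deny file). This is not from the original notes; the three file paths are parameters so it can be run against copies, and the sample files built at the bottom are constructed here from the notes' own settings.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the SSH lockdown
# (PermitRootLogin in sshd_config, the pam_listfile deny line, the deny file).

# permit_root_login SSHD_CONFIG -> effective value, or "unset".
# sshd honours the FIRST un-commented occurrence of a keyword, so read that.
permit_root_login() {
    v=$(awk '$1 !~ /^#/ && tolower($1)=="permitrootlogin" { print tolower($2); exit }' "$1")
    echo "${v:-unset}"
}

# audit_ssh_lockdown SSHD_CONFIG PAM_SSHD DENYFILE -> returns the number of
# findings (0 = sound); each finding is printed to stderr.
audit_ssh_lockdown() {
    cfg=$1 pam=$2 deny=$3 n=0
    [ "$(permit_root_login "$cfg")" = "no" ] \
        || { echo "PermitRootLogin is not explicitly 'no'" >&2; n=$((n+1)); }
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_listfile\.so' "$pam" | head -n 1)
    if [ -z "$line" ]; then
        echo "no 'auth required pam_listfile.so' line in $pam" >&2; n=$((n+1))
    else
        case "$line" in *item=user*)  ;; *) echo "pam_listfile item is not 'user'" >&2; n=$((n+1)) ;; esac
        case "$line" in *sense=deny*) ;; *) echo "pam_listfile sense is not 'deny'" >&2; n=$((n+1)) ;; esac
        # onerr=succeed lets everyone in when the list cannot be read: fail-open
        case "$line" in *onerr=fail*)  ;; *) echo "pam_listfile onerr is not 'fail' (fails open)" >&2; n=$((n+1)) ;; esac
        case "$line" in *"file=$deny"*) ;; *) echo "pam_listfile file= does not point at $deny" >&2; n=$((n+1)) ;; esac
    fi
    if [ ! -r "$deny" ]; then
        echo "deny file $deny is missing or unreadable" >&2; n=$((n+1))
    else
        # pam_listfile refuses a world-writable list; group-writable is no better
        [ -z "$(find "$deny" -maxdepth 0 \( -perm -020 -o -perm -002 \) -print)" ] \
            || { echo "$deny is group/world writable" >&2; n=$((n+1)); }
        grep -qx 'root' "$deny" || { echo "root is not listed in $deny" >&2; n=$((n+1)); }
    fi
    return $n
}

# Demo on constructed copies of the settings from the notes: PermitRootLogin
# still commented out, and the pam line with onerr=succeed.
t=$(mktemp -d)
printf '#PermitRootLogin yes\nX11Forwarding no\n' > "$t/sshd_config"
printf 'auth required /lib/security/pam_listfile.so item=user sense=deny file=%s onerr=succeed\n' \
    "$t/sshusers" > "$t/pam_sshd"
printf 'root\npvalentinocvs\n' > "$t/sshusers"; chmod 600 "$t/sshusers"
audit_ssh_lockdown "$t/sshd_config" "$t/pam_sshd" "$t/sshusers" || echo "findings: $?"
rm -rf "$t"
```

Against the notes' own settings it reports two findings (PermitRootLogin not yet set, onerr=succeed); with "PermitRootLogin no" and onerr=fail it reports none.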
Initialized the CVS repository with the "cvs -d /cvsroot init" command.

Followed and verified instructions from "Pageant as your login method for the pvalentino Discoveries CVS repository.doc"
Created new module "tms" with TortoiseCVS
Added contents of "tms" folder with TortoiseCVS
Committed changes with TortoiseCVS
Performed checkout into a new location for verification
Performed tests for add, remove, checkout, update, and commit
Added these configuration notes to the repository in the servercfg module and committed them

CVS EMAIL NOTIFICATIONS:

Downloaded cvssync from sourceforge and copied the python script contents into /usr/bin/cvsmail.py
Updated loginfo in the CVSROOT admin files to call cvsmail.py upon commits.

GET SECURITY & SOFTWARE UPDATES FOR OS ###1 hour###:

Install apt from ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.1-i386/RPMS.suser-rbos/
Downloaded and installed the following rpm's:
$ rpm -ivh apt-libs-0.5.15cnc6-0.suse091.rb.5.i586.rpm
$ rpm -ivh apt-0.5.15cnc6-0.suse091.rb.5.i586.rpm

Ran
$ apt-get update
$ apt-get upgrade

APACHE INSTALL (NOTE! each apt-get command is all on one line):

$ apt-get install apache2 apache2-devel apache2-mod_perl apache2-mod_php4 apache2-prefork libapr0 perl-HTML-Parser perl-HTML-Tagset perl-Tie-IxHash perl-URI perl-libwww-perl php4

$ apt-get install php4-bcmath php4-zlib php4-yp php4-xslt php4-wddx php4-unixODBC php4-sysvshm php4-sysvsem php4-swf php4-sockets php4-snmp php4-shmop php4-session php4-servlet php4-qtdom php4-pgsql php4-pear php4-mysql php4-mime_magic php4-mhash php4-mcrypt php4-mcal php4-mbstring php4-ldap php4-imap php4-iconv php4-gmp php4-gettext php4-gd php4-ftp php4-filepro php4-fastcgi php4-exif php4-domxml php4-devel php4-curl php4-ctype php4-calendar php4-bz2 ImageMagick curl

$ chkconfig --add apache2

Edit /etc/mime.types and comment out the following 2 lines:

   # application/x-httpd-php                phtml pht php
   # application/x-perl             pl pm

Edit /etc/apache2/httpd.conf.local and add:

   DirectoryIndex index.html index.htm index.shtml index.cgi index.php

Edit /etc/apache2/httpd.conf and comment out:

   DirectoryIndex index.html index.htm

$ /etc/init.d/apache2 start

CONFIGURE APACHE FOR AUTOMATIC STARTUP ON BOOT TO RUNLEVEL 3 & 5:

Easy way:
$ chkconfig --level 35 apachectl on  (this is for the ViewCVS instance of Apache)
$ chkconfig --level 35 apache2 on

Long way: create symbolic links in /etc/rc3.d and /etc/rc5.d if they do not already exist
$ cd /etc/rc3.d
$ ln -s ../apache2 S14apache2
$ ln -s ../apachectl S14apachesvn (for the ViewCVS instance of Apache)
$ cd /etc/rc5.d
$ ln -s ../apache2 S14apache2
$ ln -s ../apachectl S14apachesvn (for the ViewCVS instance of Apache)

SETUP SSL, TROUBLESHOOT & TEST ###5 hours###:

Create an RSA private key for the Apache server (it will be Triple-DES encrypted and PEM formatted):

$ openssl genrsa -des3 -out server.key 1024

(1024-bit RSA was the norm in 2005 and is no longer acceptable for a new key; use 2048 bits or more today.)

Back up this server.key file and the pass-phrase in a secure location. The root password was used as the pass-phrase here; a dedicated pass-phrase is better, because this one now sits in the key backup as well. You can see the details of this RSA private key with:

$ openssl rsa -noout -text -in server.key

Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):

$ openssl req -new -key server.key -out server.csr

Make sure you enter the FQDN ("dev.gopvalentino.com") when OpenSSL prompts you for the "CommonName", i.e. when you generate the CSR for a website which will later be accessed via https://dev.gopvalentino.com/, enter "dev.gopvalentino.com" here. You can see the details of this CSR with:

$ openssl req -noout -text -in server.csr

Create an RSA private key for the CA (Triple-DES encrypted and PEM formatted):

$ openssl genrsa -des3 -out ca.key 1024

Back up this ca.key file in a secure location and remember the pass-phrase you entered.
You can see the details of this RSA private key with (the root password was again used as the pass-phrase):

$ openssl rsa -noout -text -in ca.key

Create a self-signed CA certificate (X.509 structure) with the RSA key of the CA (output will be PEM formatted):

$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

You can see the details of this certificate with:

$ openssl x509 -noout -text -in ca.crt

Prepare a script for signing. This is needed because the "openssl ca" command has some strange requirements (its own directory layout, index and serial files) and the default OpenSSL config doesn't let you use "openssl ca" directly. A script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/); use this script for signing. Downloaded the custom script and placed it in /usr/bin as sign.sh.

Now you can use this CA to sign server CSRs in order to create real SSL certificates for use inside an Apache web server (assuming you already have a server.csr at hand):

$ sign.sh server.csr

Now you have two files: server.key and server.crt. Use them as follows inside Apache's /etc/apache2/tms/apachetms.conf file:

SSLCertificateFile /pvalentinocerts/server.crt
SSLCertificateKeyFile /pvalentinocerts/server.key

The server.csr file is no longer needed. Because ca.crt is self-signed, browsers and other clients will only trust server.crt once ca.crt has been imported into their trust store.
PREVENT APACHE FROM REQUESTING THE PASS-PHRASE ON EVERY REBOOT:

Remove the encryption from the RSA private key (while keeping a backup copy of the original file):

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

The unencrypted server.key is now only as safe as its file permissions (see SECURE THE CERTIFICATES AND PRIVATE KEYS below).

CREATE SSL CLIENT CERTS:

$ openssl genrsa -des3 -out pvalentinoclient.key 1024

GENERATE CSR (NOT OPERATIONAL YET):

$ openssl req -new -key pvalentinoclient.key -out pvalentinoclient.csr

GENERATE AND SIGN CLIENT CERT:

$ openssl x509 -req -in pvalentinoclient.csr -out pvalentinoclient.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650

(-CAcreateserial creates ca.srl on first use; later signings reuse it so serial numbers stay unique. SHA-1 signatures are rejected by modern clients; use -sha256 for anything issued today.)

GENERATE A PKCS12 FILE FOR IMPORTING INTO CLIENT PCs (NOT OPERATIONAL YET):

$ openssl pkcs12 -export -in pvalentinoclient.crt -inkey pvalentinoclient.key -name "pvalentino Client Cert" -out pvalentinoclient.p12

$ openssl pkcs12 -in pvalentinoclient.p12 -clcerts -nokeys -info

CREATE A DER FORMAT CERT (optional):

$ openssl x509 -in pvalentinoclient.crt -out client.der -outform DER

VERIFY THAT PRIVATE KEY AND CERTIFICATE MATCH:

To check that the public key in your certificate matches the public portion of your private key, you simply need to compare these numbers. To view the certificate and the key run the commands:

$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key

The "modulus" and the "public exponent" portions in the key and the certificate must match. As the public exponent is usually 65537 and it's difficult to visually check that the long modulus numbers are the same, you can use the following approach:

$ openssl x509 -noout -modulus -in pvalentinoclient.crt | openssl md5
$ openssl rsa -noout -modulus -in pvalentinoclient.key | openssl md5

This leaves you with two rather shorter numbers to compare. It is, in theory, possible that these numbers may be the same without the modulus numbers being the same, but the chances of this are overwhelmingly remote.
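The CA, server and client signing flow above, scripted end to end as an added example (not the notes' sign.sh and not from the original page), followed by the two checks a practitioner wants before touching Apache: "openssl verify" against the CA and the modulus comparison just described, including the mismatch case the comparison exists to catch. Deliberate differences from the notes: 2048-bit keys and SHA-256 instead of 1024-bit and SHA-1, -nodes so nothing prompts for a pass-phrase, and -subj so nothing is interactive. It needs the openssl command line; all names and subjects are placeholders and everything is written to a scratch directory.

```shell
#!/bin/sh
# Added example (not part of the original notes): build a throwaway CA, sign a
# server and a client certificate with it, then verify the chain and the
# key/certificate modulus match the way the notes describe.

# modulus_md5 {x509|rsa|req} FILE -> md5 of the RSA modulus, as in the notes
modulus_md5() {
    openssl "$1" -noout -modulus -in "$2" | openssl md5 | awk '{ print $NF }'
}

# key_matches_cert KEY CERT -> 0 when the modulus digests agree
key_matches_cert() {
    [ "$(modulus_md5 rsa "$1")" = "$(modulus_md5 x509 "$2")" ]
}

# build_pki DIR: creates ca.key/ca.crt, server.key/csr/crt, client.key/csr/crt
build_pki() {
    d=$1; mkdir -p "$d"
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -sha256 -key "$d/ca.key" -out "$d/ca.crt" \
        -subj "/O=Example CA/CN=Example Root" 2>/dev/null
    for who in server client; do
        openssl genrsa -out "$d/$who.key" 2048 2>/dev/null
        openssl req -new -key "$d/$who.key" -out "$d/$who.csr" \
            -subj "/CN=$who.example.test" 2>/dev/null
        # -CAcreateserial: ca.srl is created on first use and reused afterwards
        openssl x509 -req -sha256 -days 365 -in "$d/$who.csr" -CA "$d/ca.crt" \
            -CAkey "$d/ca.key" -CAcreateserial -out "$d/$who.crt" 2>/dev/null
    done
}

# verify_chain DIR -> 0 when both leaf certs chain to ca.crt, each key matches
# its own certificate, the swapped pair does NOT match, and the server CSR
# carries the same public key as server.key.
verify_chain() {
    d=$1
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" "$d/client.crt" >/dev/null || return 1
    key_matches_cert "$d/server.key" "$d/server.crt" || return 1
    key_matches_cert "$d/client.key" "$d/client.crt" || return 1
    # a mismatch is the failure case the digest comparison exists to catch
    if key_matches_cert "$d/client.key" "$d/server.crt"; then return 1; fi
    [ "$(modulus_md5 req "$d/server.csr")" = "$(modulus_md5 rsa "$d/server.key")" ]
}

# Demo in a scratch directory (nothing is installed anywhere).
demo=$(mktemp -d)
if build_pki "$demo" && verify_chain "$demo"; then
    echo "chain and key/cert moduli verified under $demo"
fi
rm -rf "$demo"
```

Two things to take from it: "openssl verify -CAfile ca.crt server.crt" is the cheap check that a cert really was signed by your CA (sign.sh output included), and comparing modulus digests of the wrong key against a cert must fail, which is how you know the comparison is actually testing something.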
Should you wish to check to which key or certificate a particular CSR belongs, you can perform the same calculation on the CSR:

$ openssl req -noout -modulus -in server.csr | openssl md5

UPDATE APACHE CONFIGURATION FILES ###2 hours###:

In /etc/sysconfig/apache2 set APACHE_CONF_INCLUDE_FILES to "/etc/apache2/httpd.conf.local" and APACHE_CONF_INCLUDE_DIRECTORIES to "/etc/apache2/tms/".

REQUIRE CLIENT CERTIFICATE FOR SSL ACCESS:

Create /etc/apache2/httpd.conf.local with:

SSLProtocol +all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#require a client certificate which has been signed by this server
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /pvalentinocerts/ca.crt
SSLCertificateFile /pvalentinocerts/server.crt
SSLCertificateKeyFile /pvalentinocerts/server.key

Caveat: the first two lines are the old mod_ssl example settings, not a hardened choice. "SSLProtocol +all" includes SSLv2, and a cipher list ending in +LOW:+SSLv2:+EXP:+eNULL admits 40/56-bit export ciphers and eNULL, which is no encryption at all. Prefer "SSLProtocol all -SSLv2 -SSLv3" and a cipher list that excludes eNULL, aNULL, EXP and LOW. "SSLVerifyClient require" with "SSLVerifyDepth 1" is the right setting for client certificates signed directly by ca.crt; since it sits in the global context it applies to every SSL virtual host on this server.

CREATE VIRTUAL SERVER FOR TMS:

Create the file /etc/apache2/tms/apachetms.conf with the following lines:

#--------------------------------------------#
# SSL Virtual Host Context
#--------------------------------------------#
Listen 66.116.75.34:443
<VirtualHost 66.116.75.34:443>

# General setup for the virtual host
DocumentRoot /www
ServerAdmin webmaster@pvalentinodiscoveries.com
ServerName dev.gopvalentino.com

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

SSLCertificateFile /pvalentinocerts/server.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /pvalentinocerts/server.key
</VirtualHost>

<Directory /www>
AllowOverride None
Order allow,deny
Allow from all
</Directory>

SECURE THE CERTIFICATES AND PRIVATE KEYS:

chmod 400 for all .crt and .key files in /pvalentinocerts. Apache reads them as root at startup, so the unencrypted server.key must not be readable by the worker user or anyone else.

RESTART APACHE:

$ /etc/init.d/apache2 restart

VERIFY SSL PORT IS LISTENING:

$ netstat -ltin

should produce a line as follows within the output:

tcp        0      0 dev.gopvalentino.com:https  *:*                     LISTEN

SETUP TIME SERVER:

$ apt-get install netdate
$ netdate tcp 128.2.136.71

Created /var/spool/cron/tabs/root with:

   #update time via ntp server
   0 3,9,15,21 * * * /usr/sbin/netdate 128.2.136.71

Ran
$ chmod 600 /var/spool/cron/tabs/root
$ /etc/init.d/cron restart

ENABLE x509 CERTS FOR SSH ###2 hours###:

Downloaded from http://roumenpetrov.info/ the following two diff packages: openssh-3.8.1p1+x509h-x509-5.1.diff.gz, openssh-3.8.1p1+x509-5.1.diff.gz

Downloaded from http://openbsd.md5.com.ar/pub/OpenBSD/OpenSSH/portable/?D=A the following source: openssh-3.8p1.tar.gz

Used psftp to upload all 3 files to the home directory.

$ gzip -d openssh-3.8p1.tar.gz
$ tar xvf openssh-3.8p1.tar
$ cd openssh-3.8p1
$ zcat ../openssh-3.8.1p1+x509h-x509-5.1.diff.gz | patch -p1
$ zcat ../openssh-3.8.1p1+x509-5.1.diff.gz | patch -p1
$ ./configure
$ make
$ make install
$ /etc/init.d/sshd restart

Caveats: the diff files are named for 3.8.1p1 while the tarball is 3.8p1, so check that patch reports no rejected hunks. Also, with no --prefix, OpenSSH's configure installs under /usr/local (sshd in /usr/local/sbin, sshd_config in /usr/local/etc) while the SuSE init script starts the packaged /usr/sbin/sshd; for the patched build to be the one that restarts, configure it with --prefix=/usr --sysconfdir=/etc/ssh or point the init script at the new binary, and confirm afterwards which sshd is actually running.

INSTALL POSTGRESQL SERVER:

$ apt-get install postgresql-server

Edited /etc/sysconfig/postgresql to point to /pgsql/data for the default data directory.

$ /etc/init.d/postgresql start

Configure for automatic startup:

$ chkconfig --level 35 postgresql on
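An added linter for the SSL directives in the httpd.conf.local block above, together with the corrected directive set it is checked against. This is not from the original notes; it only inspects the directive strings (protocol list, cipher-group tokens, SSLVerifyClient) and does not expand cipher groups through OpenSSL. The sample configs are constructed here and file paths are parameters.

```shell
#!/bin/sh
# Added example (not from the original notes): flag the legacy settings in the
# httpd.conf.local SSL block and print the hardened replacement.

# directive FILE NAME -> value of the first un-commented NAME line
directive() {
    awk -v n="$2" '$1 !~ /^#/ && tolower($1)==tolower(n) { $1=""; sub(/^ +/, ""); print; exit }' "$1"
}

# audit_ssl_conf FILE -> prints the number of findings (0 = clean); each
# finding is explained on stderr.
audit_ssl_conf() {
    f=$1 n=0
    proto=$(directive "$f" SSLProtocol)
    case " $proto " in
        *" +all "*|*" all "*)   # "all" keeps SSLv2/SSLv3 unless they are subtracted
            case "$proto" in *-SSLv2*) ;; *) echo "SSLProtocol '$proto' leaves SSLv2 on" >&2; n=$((n+1)) ;; esac
            case "$proto" in *-SSLv3*) ;; *) echo "SSLProtocol '$proto' leaves SSLv3 on" >&2; n=$((n+1)) ;; esac ;;
        *" +SSLv2 "*|*" SSLv2 "*|*" +SSLv3 "*|*" SSLv3 "*)
            echo "SSLProtocol '$proto' enables SSLv2/SSLv3" >&2; n=$((n+1)) ;;
    esac
    ciphers=$(directive "$f" SSLCipherSuite)
    for weak in eNULL aNULL EXP LOW SSLv2; do
        # "+X" or a bare "X" keeps the group in the list; only "!X" removes it for good
        case ":$ciphers:" in
            *":+$weak:"*|*":$weak:"*) echo "SSLCipherSuite admits $weak" >&2; n=$((n+1)) ;;
        esac
    done
    case "$(directive "$f" SSLVerifyClient)" in
        require) ;;
        *) echo "SSLVerifyClient is not 'require' (client certs not enforced)" >&2; n=$((n+1)) ;;
    esac
    echo "$n"
}

# hardened_ssl_directives -> the corrected replacement for the block above
# (directive names and the /pvalentinocerts paths are the ones the notes use)
hardened_ssl_directives() {
    cat <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /pvalentinocerts/ca.crt
SSLCertificateFile /pvalentinocerts/server.crt
SSLCertificateKeyFile /pvalentinocerts/server.key
EOF
}

# Demo: the notes' own block (constructed copy) against the corrected one.
weak=$(mktemp); hard=$(mktemp)
cat > "$weak" <<'EOF'
SSLProtocol +all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#require a client certificate which has been signed by this server
SSLVerifyClient require
SSLVerifyDepth 1
EOF
hardened_ssl_directives > "$hard"
echo "findings in the original block: $(audit_ssl_conf "$weak")"
echo "findings in the hardened block:  $(audit_ssl_conf "$hard")"
rm -f "$weak" "$hard"
```

The original block produces six findings (SSLv2 and SSLv3 left on by "+all", plus LOW, SSLv2, EXP and eNULL kept in the cipher list); the hardened block produces none. The check on SSLVerifyClient is there because the whole point of httpd.conf.local here is to make client certificates mandatory.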
