Update SSH, Firewall & FreeIPA

02-ssh-help.txt

@@ -101,3 +101,4 @@ Running  ssh-agent          OpenSSH Authentication Agent
 ssh-add -l
 ssh-add -L
 
+Could be multiple things; here are just a couple. 1. If you were using authorized_keys, were they copied to new user on Rocky? 2. Is sshd enabled on Rocky? systemctl status sshd 3. Firewall opened on Rocky? firewall-cmd --add-service=ssh --permanent 4. Permissions need reset on .ssh & authorized_keys; happens a lot more than you may realize. 5. Hopefully not root ssh login? Check /etc/ssh/sshd_config PasswordAuthentication PermitRootLogin Values

03-firewalld.txt

@@ -32,3 +32,5 @@ firewall-cmd --zone=internal --add-source=192.168.1.0/24
 firewall-cmd --zone=public --remove-service=ssh
 firewall-cmd --zone=public --remove-service=dhcpv6-client
 firewall-cmd --runtime-to-permanent
+firewall-cmd --add-service=cockpit --permanent
+firewall-cmd --reload

freeipa.md

@@ -1,39 +1,46 @@
+https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/index
 https://youtu.be/xzfHRJNjqDI
 https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update
 # FreeIPA requires over 2Gb+ in /usr - Change to root, Check DNS
 systemd-resolve --status enp1s0
+firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
 firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
 dnf install freeipa-server freeipa-server-dns nfs-utils
 ipa-server-install --mkhomedir
 
-Setup complete
+Setup complete: Next steps:
-
-Next steps:
         1. You must make sure these network ports are open:
                 TCP Ports:
                   * 80, 443: HTTP/HTTPS
                   * 389, 636: LDAP/LDAPS
                   * 88, 464: kerberos
                   * 53: bind
+                  * 7389: Dogtag Certificate System - LDAP
                 UDP Ports:
                   * 88, 464: kerberos
                   * 53: bind
                   * 123: ntp
-
         2. You can now obtain a kerberos ticket using the command: 'kinit admin'
            This ticket will allow you to use the IPA tools (e.g., ipa user-add)
            and the web user interface.
-
 Be sure to back up the CA certificates stored in /root/cacert.p12
 These files are required to create replicas. The password for these
 files is the Directory Manager password
 The ipa-server-install command was successful
 
-#REBOOT
+reboot
+fips-mode-setup --enable
+reboot
+fips-mode-setup --check
+update-crypto-policies --show
 
 kinit admin
 klist
 
+# REPLICA - Server A can be installed with a CA and DNS services, while Replica A can be based on Server A's configuration but not host either DNS or CA services. Replica B can be added to the domain, also without CA or DNS services. At any time in the future, a CA or DNS service can be created and configured on Replica A or Replica B.
+
+__________________________________________________________
+
 # Setup for client:
 sudo yum -y install freeipa-client ipa-admintools
 firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps

misc.txt

@@ -53,7 +53,10 @@ sudo alsactl init
 pacmd list-cards
 sudo pacmd list-cards
 sudo apt-get install alsa-tools-gui
-
+---------------------------------------------
+sudo dnf install akmod-nvidia
+sudo dnf install xorg-x11-drv-nvidia-cuda
+---------------------------------------------
 source /etc/profile.d/bash_completion.sh
 
 cat >> ~/.inputrc <<'EOF'