
CIT 470: Advanced Network and System Administration



  1. Remote Administration

  2. Topics
  • Network Access
  • SSH
  • Key-based Authentication
  • Console Access
  • X-Windows
  • VNC and NX
  • SSH tunneling

  3. Network Access
  Most tasks can be done from the shell:
  • File management.
  • Disk/volume management.
  • Troubleshooting and viewing logs.
  • Installing/removing software.
  • Starting/stopping network services.
  • Reboot/shutdown.
  All we need is a way to invoke a shell across the network.

  4. telnet
  Ubiquitous network terminal protocol:
    telnet hostname
  Similar protocols:
    rlogin -l user hostname
    rsh -l user hostname command
  Insecure: all data, including passwords, is sent in the clear.
  rlogin/rsh use ~/.rhosts to grant access without passwords, trusting the hostname and username the client claims to have.

  5. ssh
  Secure Shell replaces telnet, ftp, rlogin, rsh, and rcp.

  6. SSH Security Features

  7. SSH: Protocols and Products
  Products: OpenSSH, SSH Tectia, F-Secure SSH, PuTTY, WinSCP.
  SSH v1: insecure, obsolete. Do not use.
  SSH v2: current version.

  8. SSH Features
  Secure login:
    ssh -l user host
  Secure remote command execution:
    ssh -l user host command
  Secure file transfer (sftp takes user@host; it has no -l option):
    sftp user@host
    scp file user@host:/tmp/myfile
  Port forwarding:
    ssh -L 110:localhost:110 mailhost

  9. The Problem of Passwords
  • Good passwords are hard to remember.
  • The password is transferred to the remote system: encrypted in transit by SSH, but still revealed to that host.
  • Automating remote access with passwords is difficult.

  10. Public Key Cryptography
  Two keys:
  • Private key known only to the owner.
  • Public key available to anyone.
  Applications:
  • Confidentiality: the sender encrypts using the recipient's public key; the recipient decrypts using their private key.
  • Integrity/authentication: the sender signs using their own private key; the recipient verifies the signature using the sender's public key. (Textbook descriptions say "encipher with the private key"; in practice this is a signature over a hash of the message.)

  11. Key-based Authentication
  SSH uses public-key authentication:
  • Private key stored on your machine.
  • Public key stored on remote machines.
  Public-key login protocol:
  • Client sends the server a login request naming the public key.
  • Server issues a challenge.
  • Client responds with a computation based on the challenge and its private key.
  • Server checks the response with the public key.
  In SSH-2 the "challenge" is the session identifier established during key exchange: the client signs it together with the user name and the key, so a captured response cannot be replayed in another session.
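The login protocol above, as an added worked example (not code from the slides or from OpenSSH): both sides of an SSH-2 style "publickey" exchange in Python, with a toy textbook RSA signature built from the standard library. The 512-bit modulus, the unpadded signature and the "toy-rsa" key-type name are assumptions for teaching only; the session identifier is simulated with random bytes rather than derived from key exchange. The demo shows a valid login, then a replayed signature in a new session and a key missing from authorized_keys, both of which the server rejects.

```python
"""Simulated SSH-2 public-key user authentication (RFC 4252 "publickey")
with a textbook RSA signature. Added teaching example, not OpenSSH code.
Toy key size and raw (unpadded) RSA: never use this for real."""
import hashlib
import os
import random

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return (public, private) as ((n, e), (n, d)); toy modulus size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))   # modular inverse (Python 3.8+)

def _ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b

def _pubkey_blob(pub):
    n, e = pub
    return (_ssh_string(b"toy-rsa") + _ssh_string(str(e).encode())
            + _ssh_string(str(n).encode()))

def _signed_data(session_id, user, pub):
    """What the client signs for SSH_MSG_USERAUTH_REQUEST (type 50), per
    RFC 4252 sec. 7. The session identifier comes first, which binds the
    signature to this one connection."""
    return (_ssh_string(session_id) + bytes([50]) + _ssh_string(user.encode())
            + _ssh_string(b"ssh-connection") + _ssh_string(b"publickey")
            + b"\x01" + _ssh_string(b"toy-rsa") + _ssh_string(_pubkey_blob(pub)))

def client_sign(priv, pub, session_id, user):
    """Client side: sign the SHA-256 hash of the request with the private key.
    Neither the private key nor its passphrase is sent to the server."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(_signed_data(session_id, user, pub)).digest(), "big")
    return pow(h, d, n)

def server_verify(authorized_keys, session_id, user, pub, signature):
    """Server side: the key must be listed for this user (authorized_keys)
    AND the signature must verify over this session's identifier."""
    if pub not in authorized_keys.get(user, set()):
        return False
    n, e = pub
    h = int.from_bytes(hashlib.sha256(_signed_data(session_id, user, pub)).digest(), "big")
    return pow(signature, e, n) == h

def run_demo():
    """One successful login, then two attacks that must fail."""
    pub, priv = generate_keypair()
    authorized = {"jw": {pub}}            # server-side ~jw/.ssh/authorized_keys
    session_id = os.urandom(32)           # stands in for the SSH-2 exchange hash
    sig = client_sign(priv, pub, session_id, "jw")
    return {
        "valid_login": server_verify(authorized, session_id, "jw", pub, sig),
        # captured signature replayed in a fresh session (new session_id)
        "replayed_signature": server_verify(authorized, os.urandom(32), "jw", pub, sig),
        # valid signature, but the key is not in authorized_keys
        "unauthorized_key": server_verify({"jw": set()}, session_id, "jw", pub, sig),
    }

if __name__ == "__main__":
    print(run_demo())
```

The check order in server_verify mirrors sshd: an unlisted key is refused before any signature work, and the signature is only meaningful for the session whose identifier was signed.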

  12. Using key-based authentication
  • Generate a public/private key pair:
      ssh-keygen
    Key files: the private key (id_dsa in the original slides; current OpenSSH generates id_ed25519 by default, and DSA keys have been disabled by default since OpenSSH 7.0) is encrypted with your passphrase. The .pub file is plain text and can be shared freely.
  • Copy the public key to the remote host, appending it to ~/.ssh/authorized_keys (ssh-copy-id does this for you). sshd's StrictModes check requires ~/.ssh and authorized_keys to be writable only by their owner (700 and 600).
  • Log in to the remote host:
      ssh -l user remote
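The second step above, as an added example that is not code from the slides or from ssh-copy-id: a script that validates an OpenSSH public-key line, appends it to authorized_keys only if that key is not already present, and sets the permissions StrictModes expects. The key line is constructed test data (a well-formed ssh-ed25519 blob with arbitrary key bytes), and the .ssh directory is a temporary directory, both assumptions for the demo.

```python
"""Install an OpenSSH public key into authorized_keys, with checks.
Added example; not code from the slides or from OpenSSH."""
import base64
import os
import stat
import struct
import tempfile

# ssh-ed25519 blobs are "string type, string key(32 bytes)". RSA/ECDSA blobs
# carry more fields, so only their leading type string is checked here.
KEY_TYPES = {"ssh-ed25519": 32, "ssh-rsa": None, "ecdsa-sha2-nistp256": None}

def _read_ssh_string(blob, off):
    """Decode one SSH wire 'string' (4-byte big-endian length + bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4: off + 4 + n], off + 4 + n

def parse_pubkey_line(line):
    """Return (key_type, blob, comment) for '<type> <base64> [comment]';
    raise ValueError if the line or the blob is malformed."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in KEY_TYPES:
        raise ValueError("unsupported key type %r" % key_type)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:            # binascii.Error is a ValueError
        raise ValueError("bad base64: %s" % exc) from None
    wire_type, off = _read_ssh_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("declared type does not match the key blob")
    if KEY_TYPES[key_type] is not None:
        key, off = _read_ssh_string(blob, off)
        if len(key) != KEY_TYPES[key_type] or off != len(blob):
            raise ValueError("malformed %s blob" % key_type)
    return key_type, blob, comment

def is_valid_pubkey_line(line):
    try:
        parse_pubkey_line(line)
        return True
    except ValueError:
        return False

def install_key(line, ssh_dir):
    """Append the key to ssh_dir/authorized_keys. Returns True if added,
    False if the same key (type + blob, comment ignored) is already there."""
    key_type, blob, comment = parse_pubkey_line(line)
    canonical = key_type + " " + base64.b64encode(blob).decode()
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)             # StrictModes: no group/world write
    path = os.path.join(ssh_dir, "authorized_keys")
    present = set()
    if os.path.exists(path):
        with open(path) as f:
            for entry in f:
                fields = entry.split(None, 2)
                if len(fields) >= 2 and not entry.startswith("#"):
                    present.add(fields[0] + " " + fields[1])
    if canonical in present:
        return False
    with open(path, "a") as f:
        f.write(canonical + (" " + comment if comment else "") + "\n")
    os.chmod(path, 0o600)
    return True

def sample_ed25519_line(comment="jw@laptop"):
    """Constructed sample input: a syntactically valid ssh-ed25519 line whose
    32 key bytes are arbitrary. Test data, not a real key."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

def demo():
    """Install the sample key twice into a temporary .ssh directory.
    Returns (added_first_time, added_second_time, file_mode, line_count)."""
    ssh_dir = os.path.join(tempfile.mkdtemp(), ".ssh")
    first = install_key(sample_ed25519_line(), ssh_dir)
    second = install_key(sample_ed25519_line("same key, new comment"), ssh_dir)
    path = os.path.join(ssh_dir, "authorized_keys")
    with open(path) as f:
        count = sum(1 for _ in f)
    return first, second, stat.S_IMODE(os.stat(path).st_mode), count

if __name__ == "__main__":
    print(demo())   # (True, False, 384, 1); 384 is 0o600
```

Comparing on type plus blob, rather than on the whole line, is what keeps a re-run with a different comment from duplicating the key; the blob check catches a line whose declared type and actual key disagree, which a plain append would silently install.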

  13. Keys are more secure than Passwords
  • Login needs two items: the key file and its passphrase.
  • Neither the key nor the passphrase is sent to the remote host.
  • Machine-generated cryptographic keys are infeasible to guess, unlike passwords.

  14. SSH Agent
  Problem: you have to enter the passphrase to decrypt the key each time you use ssh.
  Solution: SSH Agent
    > ssh-agent $SHELL
    > ssh-add
    Enter passphrase for /home/jw/.ssh/id_dsa: ********
    Identity added: /home/jw/.ssh/id_dsa (/home/jw/.ssh/id_dsa)
    > ssh -l jw host
  The agent keeps the decrypted key in memory and answers signing requests from ssh; the key itself never leaves the agent process.

  15. SSH Agent Features
  Agent support for the entire session: start ssh-agent from the initial shell, or under X via ~/.xsession (often enabled by default).
  Multiple keys:
    ssh-add keyfile
    ssh-add -l
  Remove keys:
    ssh-add -d keyfile
    ssh-add -D

  16. Remote Access when Server is Down
  • Problem: no network access to the host.
  • Solutions:
    • Go to the computer room and bring the host up.
    • Specialized hardware (network boot / remote power control).
    • Virtual machines.
    • Console servers.

  17. Console Servers
  Console: the main input/output device for a computer.
  • Historically: a serial terminal.
  • Typically: keyboard/mouse + monitor.
  A console server allows access to multiple consoles:
  • Console access covers the BIOS, bootloader, and kernel.
  • Eliminates the need for per-machine keyboards, mice, and monitors.
  • Serial line from the server to each machine.
  • One user has read/write access; other users have read-only access.

  18. Console Hardware
  Console server solutions:
  • Commercial: Cisco, Cyclades, Xyplex
  • Open source: Conserver + serial expander card
  Hardware issues:
  • Connectors: DB-9, DB-25, RJ-45
  • Line settings (data bits, parity, stop bits): 8N1, 7E1
  • Speeds: 9600 - 230k bps

  19. X-Windows
  • Network-based windowing system.
  • Server:
    • Handles user input and the graphical display.
    • Runs on the machine with the display unit.
  • Client:
    • Graphical applications are clients.
    • Can run on a different machine than the server.
    • Set the DISPLAY environment variable, or use the -display command line option.

  20. Window Manager
  An X client that provides features like:
  • Move, resize, iconify, and kill windows.
  • Window title bars.
  • Popup menus.
  Example window managers:
  • twm: Tab, a primitive early window manager.
  • mwm: Motif, found on commercial UNIXes.
  • fvwm: free, fast, very customizable.
  • WindowMaker: NeXT-like; see also AfterStep.

  21. TWM Screenshot

  22. FVWM Screenshot

  23. WindowMaker Screenshot

  24. Desktops
  • CDE: Common Desktop Environment for commercial UNIXes.
  • Gnome: standard Linux desktop based on GTK+.
  • KDE: Windows-like free desktop based on Qt.
  • Xfce: lightweight desktop, also based on GTK+.

  25. X-Windows Security
  Why do we need security? Any client allowed to connect to the X server can capture or create X events (keystrokes included) for every window on the display, even if you are not using any network clients.
  Host authentication:
  • Limits who can start clients by host address.
  • Set with xhost +hostname / xhost -hostname. A bare "xhost +" disables access control entirely.
  Token authentication:
  • Only clients presenting the secret token (MIT-MAGIC-COOKIE-1) can access the server.
  • Managed with the xauth command.

  26. X-Windows Security
  Tunneling + host authentication:
  • Tunnelled clients appear to come from localhost, so disable remote clients with xhost - and rely on token authentication.
  • Use the ssh client to tunnel X:
      ssh -X host
  • The remote sshd must have X11Forwarding set to yes.
  • Run echo $DISPLAY on the remote host to test whether X forwarding is on; a value like localhost:10.0 means ssh is forwarding the display.
  • Note that local users on the remote host can still attack the X session, and a compromised remote host can use the forwarded connection to attack your local X server: ssh -Y gives remote clients full trust, while -X is untrusted unless ForwardX11Trusted is set in ssh_config.

  27. VNC: Virtual Network Computing

  28. Why VNC?
  • Remote desktop access.
  • Helpdesk: control a remote desktop.
  • Persistent desktop.
  • Use the same desktop from multiple clients.
  • Need Linux access from Windows.
  • Need Windows access from Linux.

  29. What is VNC?
  • Open remote desktop protocol (RFB, the Remote Framebuffer protocol).
  • Many implementations:
    • RealVNC: VNC from the original researchers.
    • TightVNC: VNC with high compression.
    • VNCj: Java VNC, can run within a web browser.
    • PalmVNC: VNC for Palm Pilots.
    • UltraVNC: enhanced VNC, only for Windows.

  30. Using VNC
  • Start the VNC server:
      UNIX: vncserver
      Windows: Start menu > Programs > RealVNC > VNC Server
  • Write down the server name and display number. It will look something like unix3:1 (display :N listens on TCP port 5900+N, so :1 is port 5901).
  • Start the VNC client:
      UNIX: vncviewer
      Windows: Start menu > Programs > RealVNC > VNC Viewer
  • Enter the server and display to connect to (from step 2).
  • A VNC remote desktop should appear.

  31. Configuring and Troubleshooting
  • On UNIX, VNC stores its files under ~/.vnc:
    • xstartup: indicates which X clients to start with the server; typically includes the vncconfig application.
    • passwd: contains the VNC server session password (obfuscated with a fixed DES key, not meaningfully encrypted; keep it mode 600).
    • host:display#.log: log files; any errors should appear here.

  32. Securing VNC
  VNC does not provide encryption. Use ssh tunnelling to encrypt login + data:
    ssh -L 5901:remotehost:5901 remotehost
    vncviewer localhost:1
  Better: write the destination as localhost (it is resolved on remotehost) and start the server with vncserver -localhost, so it listens only on the loopback interface and is unreachable except through the tunnel:
    ssh -L 5901:localhost:5901 remotehost

  33. Tunneling
  Tunneling: encapsulation of one network protocol in another protocol.
  • Carrier protocol: the protocol used by the network through which the information is travelling.
  • Encapsulating protocol: the protocol (GRE, IPsec, L2TP) that is wrapped around the original data.
  • Passenger protocol: the protocol that carries the original data.

  34. ssh Tunneling
  SSH can tunnel TCP connections:
  • Carrier protocol: IP
  • Encapsulating protocol: ssh
  • Passenger protocol: TCP on a specific port
  POP-3 forwarding:
    ssh -L 110:pop3host:110 -l user pop3host
  • Uses ssh to log in to pop3host as user.
  • Creates a tunnel from port 110 (leftmost port number) on localhost to port 110 (rightmost port number) of pop3host; the destination host:port is resolved and connected to from the ssh server's side.
  • The user configures the mail client to use localhost as the POP3 server, then proceeds as normal.
  • Binding a local port below 1024 requires root on UNIX; an unprivileged user picks a high port instead, e.g. -L 1110:pop3host:110, and points the mail client at port 1110.
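The -L data path of slides 32 and 34, as an added example that is not code from the slides or from OpenSSH: a loopback relay in Python stands in for the ssh client plus sshd pair, so the whole path can be run offline. A constructed toy POP3 service is bound to 127.0.0.1 only (the situation vncserver -localhost creates), a forwarder listens on a local port and carries each connection to it, and the client talks to localhost exactly as the mail client or vncviewer would. Port numbers are ephemeral and the POP3 dialogue is minimal; both are assumptions of the demo.

```python
"""Local port forwarding (ssh -L) modelled on loopback sockets.
Added example; no ssh involved and not OpenSSH code."""
import socket
import threading

def parse_local_forward(spec):
    """Parse an ssh -L argument '[bind_address:]port:host:hostport'.
    With no bind address ssh listens on loopback only (GatewayPorts no)."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = "localhost", parts[0], parts[1], parts[2]
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError("expected [bind_address:]port:host:hostport")
    port, hostport = int(port), int(hostport)
    if not (0 < port < 65536 and 0 < hostport < 65536):
        raise ValueError("port out of range")
    return bind, port, host, hostport

def needs_root(local_port):
    """On UNIX only root may bind listening ports below 1024 (e.g. -L 110:...)."""
    return local_port < 1024

def vnc_port(display):
    """VNC display :N is TCP port 5900+N, so 'vncviewer localhost:1' uses 5901."""
    return 5900 + display

def _readline(sock):
    """Read one CRLF-terminated line (or up to EOF) and strip the terminator."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace").rstrip("\r\n")

def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def start_forwarder(target_host, target_port):
    """Listen on an ephemeral loopback port and relay each accepted
    connection to the target, like the -L listener on the ssh client.
    Returns the local port number."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def serve():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return
            upstream = socket.create_connection((target_host, target_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]

def start_toy_pop3():
    """Constructed stand-in for pop3host's POP3 service, bound to loopback
    only so it is reachable solely through the forwarder. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"+OK toy POP3 ready\r\n")
            if _readline(conn).upper().startswith("QUIT"):
                conn.sendall(b"+OK bye\r\n")

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Connect through the relay as a mail client configured to use
    'localhost' would; returns the greeting and the reply to QUIT."""
    local_port = start_forwarder("127.0.0.1", start_toy_pop3())
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
        greeting = _readline(c)
        c.sendall(b"QUIT\r\n")
        reply = _readline(c)
    return greeting, reply

if __name__ == "__main__":
    print(demo())   # ('+OK toy POP3 ready', '+OK bye')
```

In a real tunnel the two _pump directions run inside the encrypted ssh channel between client and sshd, and the connection to the target is opened by sshd, which is why the host in the -L spec is resolved from the server's point of view.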

  35. NX
  Advantages over VNC:
  • Speed: fast enough to use over dialup.
  • Built-in ssh encryption.
  Disadvantages:
  • Immature code; hard to install and set up.
  • GPL client/server for Linux only.
  • Free Windows client; commercial server.

