530 likes | 679 Views
SUSE Linux Enterprise Server Administration (Course 3037). Chapter 10 Manage Remote Access. Objectives. Provide Secure Remote Access with OpenSSH Enable Remote Administration with YaST Configure a Network Installation. Provide Secure Remote Access with OpenSSH. Objectives
E N D
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 10 Manage Remote Access
Objectives • Provide Secure Remote Access with OpenSSH • Enable Remote Administration with YaST • Configure a Network Installation SUSE Linux Enterprise Server Administration (Course 3037)
Provide Secure Remote Access with OpenSSH • Objectives • Cryptography Basics • SSH Features and Architecture • How to Configure the SSH Client • SSH Client Commands • How to Configure the SSH Server • SSH Server Commands • Public Key Authentication Management SUSE Linux Enterprise Server Administration (Course 3037)
Cryptography Basics • Symmetric encryption • Same key is used for encryption and decryption • Key should be protected • Helps with high-speed transmission • Key length is very important • Technologies • DES (Data Encryption Standard) • 3DES (Triple DES) • IDEA • Blowfish • AES (Advanced Encryption Standard) SUSE Linux Enterprise Server Administration (Course 3037)
Cryptography Basics (continued) • Asymmetric encryption • Symmetric encryption problem • Securely transmitting the key • Uses two keys (private and public keys) • One is used for encryption and the other for decryption • Low-speed data transmission • Both techniques are often combined • Key for symmetric encryption is transmitted over an asymmetrically encrypted channel • Techniques • RSA, DSA, Diffie-Hellman SUSE Linux Enterprise Server Administration (Course 3037)
SSH Features and Architecture • SSH features • Basic functionality • Login from a remote host • Interactive or noninteractive command execution on remote hosts • Copying files between different network hosts • High-performance authentication and cryptographically secured communication on nonsecure networks • Automatic and transparent encryption of all communication • Complete substitution of “r” utilities: rlogin, rsh, and rcp • Port forwarding • Tunneling SUSE Linux Enterprise Server Administration (Course 3037)
SSH Features and Architecture (continued) • SSH features (continued) • Special features • Prevent security loopholes through IP, routing, and DNS spoofing • You can control the client by using system-wide and user-based configuration files • You can transmit any type of binary data between hosts • Optional support for compressing data is also available • There are up to six procedures available from the client for server authentication SUSE Linux Enterprise Server Administration (Course 3037)
SSH Features and Architecture (continued) • SSH protocol versions • Protocol version 1 (SSH1) • Protocol version 2 (SSH2) • SSH1 does not ensure the integrity of a connection • Insertion attack • HMAC (Keyed-Hash Message Authentication Code) • Guarantees integrity of a connection SUSE Linux Enterprise Server Administration (Course 3037)
SSH Features and Architecture (continued) SUSE Linux Enterprise Server Administration (Course 3037)
SSH Features and Architecture (continued) SUSE Linux Enterprise Server Administration (Course 3037)
SSH Features and Architecture (continued) SUSE Linux Enterprise Server Administration (Course 3037)
SSH Features and Architecture (continued) • SSH authentication mechanism configuration • Client checks if public host key of the server really belongs to the server • SSH currently does not use any directory services • Or any certificates • Random key pair can be easily created by anyone • Client “learns” server public host key • Server side mechanisms to authenticate clients • Host-based authentication • Authentication is based on configuration files /etc/hosts.equiv or /etc/, shosts.equiv, and/or ~/.rhosts or ~/.shosts SUSE Linux Enterprise Server Administration (Course 3037)
SSH Features and Architecture (continued) • SSH authentication mechanism configuration (continued) • Server side mechanisms to authenticate clients (continued) • Host-based RSA authentication • Public keys of clients are saved on server in the files ~/.ssh/known_hosts and /etc/ssh/ssh_known_hosts • Public key (RSA/DSA) authentication • User proves knowledge of his private key through a challenge-response procedure • Password authentication • Takes place through a UNIX user password • Transfer of the password is encrypted SUSE Linux Enterprise Server Administration (Course 3037)
SSH Features and Architecture (continued) • SSH authentication mechanism configuration (continued) • After successful authentication • A work environment is created on the server • Initialization routines are processed • Parameter X11 Forwarding • Determines whether or not graphical output is forwarded by default • SSH server configuration file • /etc/ssh/sshd_config SUSE Linux Enterprise Server Administration (Course 3037)
How to Configure the SSH Client • SSH client configuration file • /etc/ssh/ssh_config • Each user can edit his individual settings • In the file ~/.ssh/config • StrictHostKeyChecking option • Prevents client from simply entering new keys • From unknown servers without checking • Three values: yes, no, and ask (default) SUSE Linux Enterprise Server Administration (Course 3037)
SSH Client Commands SUSE Linux Enterprise Server Administration (Course 3037)
How to Configure the SSH Server • Configuration file • /etc/ssh/sshd_config SUSE Linux Enterprise Server Administration (Course 3037)
How to Configure the SSH Server (continued) SUSE Linux Enterprise Server Administration (Course 3037)
SSH Server Commands SUSE Linux Enterprise Server Administration (Course 3037)
Public Key Authentication Management • Public key authentication process • Client informs server of which public key is being used for authentication • Server checks to see if the public key is known • Server encrypts a random number using the public key and transfers this to the client • Client decrypts random number with its private key • Client sends the server an MD5 checksum that has calculated from the number • Server also calculates a checksum and, if they are identical, the user has authenticated successfully SUSE Linux Enterprise Server Administration (Course 3037)
Public Key Authentication Management (continued) • How to create a key pair • Use command ssh-keygen • A different key is required for SSH1 than for SSH2 • Use option -t keytypeto specify the type of key • Keys are stored in the files • ~/.ssh/identity (private key) • ~/.ssh/identity.pub (public key) • Command ssh-keygen -t rsa • Generates an RSA key pair • Keys are stored in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub SUSE Linux Enterprise Server Administration (Course 3037)
Public Key Authentication Management (continued) • How to configure and use public key authentication • Authentication using RSA or DSA keys • Copy public key to the server • Append the public key to file ~/.ssh/authorized_keys • Example: scp .ssh/id_dsa.pub sun:geeko-pubkey • Launch the client to test the keys • You can use option -i to enter file name for private key • Password is still required when logging in to server • Enter password with the command ssh-add • You can also use the ssh-agent with a graphical login SUSE Linux Enterprise Server Administration (Course 3037)
Exercise 10-1 Manage Remote Connections with OpenSSH • In this exercise, you do the following: • Part I: Use SSH Utilities • Part II: Create a Trusted Connection Between Servers SUSE Linux Enterprise Server Administration (Course 3037)
Enable Remote Administration with YaST • Objectives • VNC and YaST Remote Administration • How to Configure Your Server for Remote Administration • How to Access Your Server for Remote Administration SUSE Linux Enterprise Server Administration (Course 3037)
VNC and YaST Remote Administration • VNC (virtual network computing) • Client-server solution • Allows a remote X server to be managed from anywhere on the Internet • Set VNC with YaST Remote Administration module • Connect to the server using • VNC client such as krdc (connect to hostname:5901) • VNC connection in Konqueror (vnc://hostname:5901) • Java-capable Web browser (http://hostname:5801) • Remote Administration is less secure than SSH SUSE Linux Enterprise Server Administration (Course 3037)
How to Configure Your Server for Remote Administration • Steps • Start the YaST Remote Administration module • Select Allow Remote Administration; select Finish • Close the dialog box by selecting OK • Close any open applications; then display a console pressing Ctrl+Alt+F2 • Log in as root with the appropriate password • Restart the display manager by entering rcxdm restart • Log in to the desktop as root or any other local user SUSE Linux Enterprise Server Administration (Course 3037)
How to Configure Your Server for Remote Administration (continued) SUSE Linux Enterprise Server Administration (Course 3037)
How to Configure Your Server for Remote Administration SUSE Linux Enterprise Server Administration (Course 3037)
How to Access Your Server for Remote Administration • Access the server from a Web browser • Open Web browser; then enter http://hostname:5801 • Directly access YaST by selecting Administration • Enter the root password; then select OK • Exit YaST; then close the session by selecting Disconnect SUSE Linux Enterprise Server Administration (Course 3037)
How to Access Your Server for Remote Administration (continued) SUSE Linux Enterprise Server Administration (Course 3037)
Exercise 10-2 Use Remote Administration • In this exercise, you do the following: • Part I: Remotely Access a Text-Based Version of YaST • Part II: Remotely Access the GUI Version of YaST • Part III: Configure Remote Administration with YaST • Part IV: Access Your Partner’s Server Remotely SUSE Linux Enterprise Server Administration (Course 3037)
Configure a Network Installation • Objectives • How to Prepare for the Installation • SUSE Linux Installation Basics • How to Configure an Installation Server SUSE Linux Enterprise Server Administration (Course 3037)
How to Prepare for the Installation • Consider the following: • Hardware compatibility • Verify that your hardware is compatible with SLES 9 at www.novell.com/partnerguide/section/481.html • File system types • Partitioning scheme • Plan for the appropriate partitions and partition sizes • Software package selection • Dual-boot system • Better to install SUSE Linux Enterprise Server 9 first SUSE Linux Enterprise Server Administration (Course 3037)
SUSE Linux Installation Basics • SUSE Linux lets you install from a variety of sources • Using a YaST GUI interface or a text-based interface • The role of Linuxrc • Defines installation settings and loads hardware drivers • Hands over control to YaST • Which starts the actual installation SUSE Linux Enterprise Server Administration (Course 3037)
SUSE Linux Installation Basics (continued) SUSE Linux Enterprise Server Administration (Course 3037)
SUSE Linux Installation Basics (continued) SUSE Linux Enterprise Server Administration (Course 3037)
SUSE Linux Installation Basics (continued) SUSE Linux Enterprise Server Administration (Course 3037)
SUSE Linux Installation Basics (continued) • Virtual consoles • You might need to access a command-line prompt • Called a shell promptin Linux • From a virtual console • Linux system provides six virtual consoles • X Window system is assigned console number 7 • Switch between virtual consoles by pressing Ctrl+Alt+Fx • Return to the X Window system by pressing Ctrl+Alt+F7 SUSE Linux Enterprise Server Administration (Course 3037)
SUSE Linux Installation Basics (continued) • YaST installation log files • /var/log/YaST2/y2log • View its contents entering the following: • more /var/log/YaST2/y2log • View the last few lines of the installation log file: • tail /var/log/YaST2/y2log SUSE Linux Enterprise Server Administration (Course 3037)
How to Configure an Installation Server • Steps • Start the YaST Installation Server module • Select the server type • Deactivate the automatic configuration of server services (conditional) • Enter directorywhere you want to copy the installation files • Continue by selecting Next • Configure the service type (HTTP or FTP, and NFS) • Continue by selecting Next SUSE Linux Enterprise Server Administration (Course 3037)
How to Configure an Installation Server (continued) SUSE Linux Enterprise Server Administration (Course 3037)
How to Configure an Installation Server (continued) SUSE Linux Enterprise Server Administration (Course 3037)
How to Configure an Installation Server (continued) • Steps (continued) • Configure an installation source by selecting Configure • Enter a name for the installation source • Select Use ISO Images Instead of CDs (conditional) • Select Prompt for additional CDs (conditional) • Announce as Installation Service with SLP (optional) • Continue by selecting Next • Insert the First CD SUSE Linux Enterprise Server Administration (Course 3037)
How to Configure an Installation Server (continued) SUSE Linux Enterprise Server Administration (Course 3037)
How to Configure an Installation Server (continued) • Steps (continued) • Continue following the prompts to remove and replace CDs • Edit the configured source (optional) • Change the server settings (optional) • Finalize the configuration by selecting Finish • Close the YaST Control Center (optional) SUSE Linux Enterprise Server Administration (Course 3037)
How to Start a Remote Installation • Steps • Insert the boot mediaand restart your computer • With the down-arrow key, scroll to and highlight Installation • Press F3; then select the service type (FTP, HTTP, NFS, or SLP) • Enter server and full path (conditional) • To directory where the installation files are stored • Select Installation • Follow installation prompts until complete SUSE Linux Enterprise Server Administration (Course 3037)
How to Start a Remote Installation (continued) SUSE Linux Enterprise Server Administration (Course 3037)
Exercise 10-3 Install SLES 9 from an Installation Server • In this exercise you will install SLES 9 from an Installation Server SUSE Linux Enterprise Server Administration (Course 3037)
Summary • SSH daemon (sshd) provides a secure alternative to telnet, r-tools, and FTP • By encrypting traffic • scp and sftp commands • Copy files between remote hosts using SSH • SSH uses a combination of asymmetric and symmetric encryption • SSH server configuration file /etc/ssh/sshd_config • ssh-keygen and ssh-keyscan commands • Generate and view asymmetric SSH keys SUSE Linux Enterprise Server Administration (Course 3037)
Summary (continued) • Use YaST Remote Administration module • To configure a VNC server • Before installing SLES, consider: • Server role • Hardware compatibility • Boot, partition, and filesystem configuration • Linuxrc • Provides a text-based installation program • YaST is used to perform a graphical installation SUSE Linux Enterprise Server Administration (Course 3037)