CIT 470: Advanced Network and System Administration: Remote Administration

Uploaded by damon, 09-Jan-2016 (PowerPoint presentation, 36 slides)

TRANSCRIPT

Page 1: CIT 470: Advanced Network and System Administration

CIT 470: Advanced Network and System Administration Slide #1

CIT 470: Advanced Network and System Administration

Remote Administration

Page 2

Topics

1. Network Access

2. SSH

3. Key-based Authentication

4. Console Access

5. X-Windows

6. VNC and NX

7. SSH tunneling

Page 3

Network Access

Most tasks can be done from the shell:

File management.

Disk/volume management.

Troubleshooting and viewing logs.

Installing/removing software.

Start/stop network services.

Reboot/shutdown.

All we need is a way to invoke a shell across the network.

Page 4

telnet

Ubiquitous network terminal protocol: telnet hostname

Similar protocols: rlogin -l user hostname

rsh -l user hostname command

Insecure: data, including passwords, is sent in the clear, so anyone on the path can read or alter the session.

rlogin/rsh use ~/.rhosts for access without passwords; the trust rests on the client's claimed hostname and username, both of which an attacker can spoof.

Page 5

ssh

Secure Shell

Replaces: telnet, ftp, rlogin, rsh, rcp

Page 6

SSH Security Features

Page 7

SSH: Protocols and Products

• Products: OpenSSH, SSH Tectia, F-Secure SSH, PuTTY, WinSCP

• SSH v1: insecure, obsolete. Do not use.

• SSH v2: current version.

Page 8

SSH Features

Secure login: ssh -l user host

Secure remote command execution: ssh -l user host command

Secure file transfer: sftp user@host (sftp takes user@host; its -l flag is a bandwidth limit, not a login name) and scp file user@host:/tmp/myfile

Port forwarding: ssh -L 110:localhost:110 mailhost

Page 9

The Problem of Passwords

1. Good passwords are hard to remember.

2. Password transferred to remote system.

3. Automating remote access with passwords is difficult.

Page 10

Public Key Cryptography

Two keys:
– Private key known only to the owner.
– Public key available to anyone.

Applications:
– Confidentiality: sender enciphers using the recipient's public key; the recipient deciphers using their private key.
– Integrity/authentication: sender signs using their own private key; the recipient verifies the signature using the sender's public key.

Page 11

Key-based Authentication

SSH uses public-key authentication:
– Private key stored on your machine.
– Public key stored on the remote machines.

Public-key login protocol:

1. Client sends the server a login request.

2. Server issues a challenge.

3. Client responds with a computation (a signature) based on the challenge and its private key.

4. Server checks the response with the public key.

The signed data also covers the session identifier, so a response captured from one connection cannot be replayed to a different server.
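The four-step exchange above, run end to end as an added example (not code from the slides or from OpenSSH): textbook RSA with two small primes stands in for the real key type and signature padding, and session_id is a constructed stand-in for the SSH session identifier that the real signature also covers. Sizes are toy sizes; what carries over is that the private key never leaves the client and that a captured response is useless against a fresh challenge or another session.

```python
"""Toy challenge/response in the shape of SSH's public-key login (slide 11).

Added example, not from the slides or from OpenSSH. Textbook RSA with two
small primes found at import time; real SSH uses 2048-bit-plus keys, proper
signature padding and the RFC 4252/4253 wire format. Only the message flow
is faithful.
"""
import hashlib
import os


def _is_prime(n):
    """Trial division; fine for the small primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def _next_prime(n):
    while not _is_prime(n):
        n += 1
    return n


def generate_keypair(seed_p=10**6, seed_q=2 * 10**6, e=65537):
    """Return ((e, n), (d, n)). Toy sizes: never use this for real keys."""
    p, q = _next_prime(seed_p), _next_prime(seed_q)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def _representative(challenge, session_id, n):
    """Hash challenge || session_id into Z_n (stand-in for PKCS#1 padding)."""
    digest = hashlib.sha256(challenge + session_id).digest()
    return int.from_bytes(digest, "big") % n


def server_issue_challenge():
    """Step 2: a fresh random value; reusing one would permit replay."""
    return os.urandom(32)


def client_respond(challenge, session_id, priv):
    """Step 3: sign with the private key; the key itself stays on the client."""
    d, n = priv
    return pow(_representative(challenge, session_id, n), d, n)


def server_verify(challenge, session_id, response, pub):
    """Step 4: check the response against the stored public key."""
    e, n = pub
    return pow(response, e, n) == _representative(challenge, session_id, n)


def login(pub, priv, session_id=b"session-id-of-this-connection"):
    """Run one complete exchange and return the server's decision."""
    challenge = server_issue_challenge()                    # server -> client
    response = client_respond(challenge, session_id, priv)  # client -> server
    return server_verify(challenge, session_id, response, pub)


def replay_attempt(pub, priv):
    """A captured response fails against a new challenge or another session."""
    sid_a, sid_b = b"session-A", b"session-B"
    c1 = server_issue_challenge()
    captured = client_respond(c1, sid_a, priv)
    c2 = server_issue_challenge()
    return (server_verify(c2, sid_a, captured, pub),   # fresh challenge
            server_verify(c1, sid_b, captured, pub))   # same challenge, other session


if __name__ == "__main__":
    PUB, PRIV = generate_keypair()
    print("login accepted:", login(PUB, PRIV))
    print("replay accepted:", replay_attempt(PUB, PRIV))
```

Running it prints that the genuine login is accepted and both replay attempts are rejected; swapping in a private key from a different pair makes login fail the same way.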

Page 12

Using key-based authentication

1. Generate a public/private key pair: ssh-keygen

Produces the private key id_dsa (encrypted with your passphrase) and the public key id_dsa.pub. The id_dsa names mean a DSA key was chosen; DSA is fixed at 1024 bits and has been disabled by default since OpenSSH 7.0, so generate an Ed25519 or RSA key today.

2. Copy the public key to the remote host, appending it to ~/.ssh/authorized_keys there. sshd ignores that file unless ~/.ssh and authorized_keys are writable only by their owner.

3. Log in to the remote host: ssh -l user remote
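A practitioner's check to go with steps 1 and 2, as an added example (not from the slides or from OpenSSH): a parser for authorized_keys lines that decodes the public-key blob and flags the entries you would not want to find, namely DSA keys like the id_dsa on this slide, short RSA moduli, and keys with no from= or restrict options. The 2048-bit threshold, the key-type list and the sample file are constructed for this example; the key material in it is dummy numbers, not real keys.

```python
"""Audit lines of ~/.ssh/authorized_keys (slide 12). Added example, not from the
slides or OpenSSH. Line format: [options] keytype base64-blob [comment]; the blob
is the RFC 4253 public-key wire encoding (length-prefixed strings, the first one
the key type; an RSA key then carries e and n as mpints). Flags DSA keys (the
id_dsa type on the slides: 1024-bit, disabled by default since OpenSSH 7.0),
short RSA moduli, and keys lacking from= / restrict. Threshold and sample keys
are constructed for this example."""
import base64
import struct

MIN_RSA_BITS = 2048   # assumption: this example's policy
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data):                      # RFC 4251 string: u32 length + bytes
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):                          # RFC 4251 mpint: minimal two's complement
    return _ssh_string(b"" if n == 0 else n.to_bytes(n.bit_length() // 8 + 1, "big"))


def _read_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def _split_options(line):
    """Split off the leading options field, honouring quoted values such as
    command="backup --pull" (backslash escapes inside quotes are not handled)."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == " " and not in_quotes:
            return line[:i], line[i + 1:]
    raise ValueError("options but no key")


def parse_authorized_key(line):
    """Return {options, type, bits, comment}; bits is the RSA modulus size or None."""
    options, rest = _split_options(line.strip())
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("unrecognised key line")
    keytype, comment = fields[0], fields[2] if len(fields) > 2 else ""
    blob = base64.b64decode(fields[1], validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type != keytype.encode():
        raise ValueError("key type field does not match blob")
    bits = None
    if keytype == "ssh-rsa":
        _e, off = _read_string(blob, off)        # public exponent
        n_bytes, off = _read_string(blob, off)   # modulus
        bits = int.from_bytes(n_bytes, "big").bit_length()
    return {"options": options, "type": keytype, "bits": bits, "comment": comment}


def audit_authorized_keys(text):
    """Return [(line_number, finding), ...] for the file contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key = parse_authorized_key(line)
        tokens = key["options"].split(",") if key["options"] else []
        if key["type"] == "ssh-dss":
            findings.append((lineno, "ssh-dss key: 1024-bit DSA, refused by default since OpenSSH 7.0"))
        elif key["type"] == "ssh-rsa" and key["bits"] < MIN_RSA_BITS:
            findings.append((lineno, f"ssh-rsa key is only {key['bits']} bits"))
        if not any(t.startswith("from=") for t in tokens):
            findings.append((lineno, "no from= option: accepted from any source address"))
        if "restrict" not in tokens:
            findings.append((lineno, "no restrict option: port/agent/X11 forwarding and pty all allowed"))
    return findings


def _sample_key(keytype, *parts):           # base64 blob for a constructed dummy key
    return base64.b64encode(_ssh_string(keytype.encode()) + b"".join(parts)).decode()


# Constructed sample material: placeholder numbers, not real keys.
_ED25519 = _sample_key("ssh-ed25519", _ssh_string(b"\x01" * 32))
_RSA1024 = _sample_key("ssh-rsa", _ssh_mpint(65537), _ssh_mpint((1 << 1023) | 1))
_RSA3072 = _sample_key("ssh-rsa", _ssh_mpint(65537), _ssh_mpint((1 << 3071) | 1))
_DSS = _sample_key("ssh-dss", _ssh_mpint(1 << 1023), _ssh_mpint(1 << 159), _ssh_mpint(2), _ssh_mpint(3))

SAMPLE_AUTHORIZED_KEYS = f"""# constructed ~/.ssh/authorized_keys
ssh-dss {_DSS} jw@laptop-2005
ssh-rsa {_RSA1024} old-backup-key
from="10.0.0.0/8",restrict,pty ssh-ed25519 {_ED25519} jw@workstation
restrict,command="/usr/local/bin/backup --pull" ssh-rsa {_RSA3072} backup@nas
"""

if __name__ == "__main__":
    for lineno, finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: {finding}")
```

On the sample file the DSA line and the 1024-bit RSA line each draw three findings, the ed25519 entry pinned to a source network with restrict draws none, and the command-restricted backup key is flagged only for lacking a from= clause. Point it at a real file with open(path).read() to audit your own hosts.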

Page 13

Keys are more secure than Passwords

1. Need to have two items to login: key file and passphrase.

2. Neither key nor passphrase is sent to remote host.

3. Machine-generated cryptographic keys are infeasible to guess, unlike passwords.

Page 14

SSH Agent

Problem: you have to enter the passphrase to decrypt the key each time you use ssh.

Solution: SSH Agent

> ssh-agent $SHELL
> ssh-add
Enter passphrase for /home/jw/.ssh/id_dsa: ********
Identity added: /home/jw/.ssh/id_dsa (/home/jw/.ssh/id_dsa)
> ssh -l jw host

The agent holds the decrypted key in its own memory and answers challenges on your behalf; anyone who can reach its socket (root, or another process running as you) can use the key for as long as it stays loaded.

Page 15

SSH Agent Features

Agent support for the entire session: start ssh-agent on the initial shell. Under X: ~/.xsession (often enabled by default).

Multiple keys: ssh-add keyfile; list the loaded keys with ssh-add -l

Remove keys: ssh-add -d keyfile; remove all of them with ssh-add -D

Page 16

Remote Access when Server is Down

• Problem: no network access to the host.

• Solutions:
– Go to the computer room and bring the host up.
– Specialized hardware (network boot / remote power).
– Virtual machines.
– Console servers.

Page 17

Console Servers

Console:
– Main input/output device for a computer.
– Historically: serial terminal.
– Typically: keyboard/mouse + monitor.

Server allows access to multiple consoles:
– Console access: BIOS, bootloader, kernel.
– Eliminates the need for keyboards, mice, monitors.
– Serial line to each machine from the server.
– One user has R/W access, other users have R access.

Page 18

Console Hardware

Console server solutions:
– Commercial: Cisco, Cyclades, Xyplex
– Open source: Conserver + serial expander card

Hardware issues:
– Connectors: DB-9, DB-25, RJ-45
– Encoding: 8N1, 7E1
– Speeds: 9600 to 230k bps

Page 19

X-Windows

• Network-based windowing system.

• Server:
– Handles user input and graphical display.
– Runs on the machine with the display unit.

• Client:
– Graphical applications are clients.
– Can run on a different machine than the server.

• Set DISPLAY environment variable.

• Or use –display command line option.

Page 20

Window Manager

X client that provides features like:
– Move, resize, iconify, and kill windows.
– Window title bars.
– Popup menus.

Example window managers:
– twm: Tab, primitive early window manager.
– mwm: Motif, found on commercial UNIXes.
– fvwm: free, fast, very customizable.
– WindowMaker: NeXT-like; see also AfterStep.

Page 21

TWM Screenshot

Page 22

FVWM Screenshot

Page 23

WindowMaker

Page 24

Desktops

CDE: Common Desktop Environment for commercial UNIXes.

Gnome: standard Linux desktop based on GTK+.

KDE: Windows-like free desktop based on Qt.

Xfce: lightweight desktop, also based on GTK+.

Page 25

X-Windows Security

Why do we need security? An evil client can capture or create any X events (keystrokes included), even if you're not using any network clients!

Host authentication: limit who can start clients by IP address, set with xhost +hostname and xhost -hostname. A bare xhost + turns access control off for every host, and any user on an allowed host gets full access to the display.

Token authentication: only clients holding the secret token (MIT-MAGIC-COOKIE-1) can access the server. Managed with the xauth command, which reads and writes ~/.Xauthority.

Page 26

X-Windows Security

Tunneling + host authentication: all tunneled clients appear to come from localhost, so disable remote clients with xhost -.

Use the ssh client to tunnel X: ssh -X host. The server must have X11Forwarding set to yes.

Use echo $DISPLAY on the remote host to test whether X forwarding is on; a forwarded display looks like localhost:10.0 rather than the remote host's own display.

Note that local users can still attack the X session. Trust also runs the other way: forwarding X to a remote host lets root (or a compromised account) there inject events into your local display, which is why OpenSSH distinguishes -X (restricted by the X11 SECURITY extension when ForwardX11Trusted is no) from -Y (fully trusted).

Page 27

VNC: Virtual Network Computing

Page 28

Why VNC?

1. Remote desktop access.

2. Helpdesk: control a remote desktop.

3. Persistent desktop.

4. Use same desktop from multiple clients.

5. Need Linux access from Windows.

6. Need Windows access from Linux.

Page 29

What is VNC?

• Open remote desktop protocol (RFB, the remote framebuffer protocol).

• Many implementations:
– RealVNC: VNC from the original researchers.
– TightVNC: VNC with high compression.
– VNCj: Java VNC, can run within a web browser.
– PalmVNC: VNC for Palm Pilots.
– UltraVNC: enhanced VNC, only for Windows.

Page 30

Using VNC

1. Start VNC server

UNIX: vncserver

Win: Start menu>Programs>RealVNC>VNCServer

2. Write down server name and display number.

It will look something like unix3:1

3. Start VNC client

UNIX: vncviewer

Win: Start menu>Programs>RealVNC>VNCViewer

4. Enter server and display to connect to (from step 2).

5. A VNC remote desktop should appear.

Page 31

Configuring and Troubleshooting

• On UNIX, VNC stores its files under ~/.vnc

• Configuration: xstartup
– Indicates which X clients to start with the server.
– Typically includes the vncconfig application.

• Configuration: passwd
– Contains the VNC server session password. Classic VNC authentication uses only the first eight characters of it, so treat it as a weak secret and rely on the ssh tunnel, not the password, for protection.

• Log files: host:display#.log
– Any errors should appear in these logs.

Page 32

Securing VNC

VNC does not provide encryption: the authentication exchange and the whole framebuffer and keystroke stream are exposed to anyone on the path.

Use ssh tunneling to encrypt login + data:

ssh -L 5901:remotehost:5901 remotehost

vncviewer localhost:1

VNC display :N listens on TCP port 5900+N, so display :1 is port 5901. Because the tunnel's destination is the ssh server itself, the unencrypted final hop stays on remotehost's loopback interface; forwarding to a third machine instead would leave that leg in the clear. Where the server supports a -localhost option, start it that way so the VNC port accepts no direct network connections at all.

Page 33

Tunneling

Tunneling: encapsulation of one network protocol in another protocol.
– Carrier protocol: the protocol used by the network through which the information is travelling.
– Encapsulating protocol: the protocol (GRE, IPsec, L2TP) that is wrapped around the original data.
– Passenger protocol: the protocol that carries the original data.

Page 34

ssh Tunneling

SSH can tunnel TCP connections:
– Carrier protocol: IP
– Encapsulating protocol: ssh
– Passenger protocol: TCP on a specific port

POP-3 forwarding: ssh -L 110:pop3host:110 -l user pop3host

– Uses ssh to log in to pop3host as user.
– Creates a tunnel from port 110 (leftmost port number) on localhost to port 110 (rightmost port number) of pop3host. Only the leftmost port has to be free on the local machine, and binding a port below 1024 needs root on most systems, so an unprivileged user would pick a high local port instead.
– The user configures the mail client to use localhost as the POP3 server, then proceeds as normal. The listener binds to 127.0.0.1 by default; only with -g (GatewayPorts) could other hosts also use the tunnel.
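What ssh -L actually builds, for both the VNC example on slide 32 and the POP-3 example above, as an added example (not code from the slides or from OpenSSH): a userland TCP relay playing the part of the listener ssh opens on the client machine, plus a constructed stand-in for the daemon at the far end, so the whole thing runs offline on loopback with kernel-chosen ports instead of 110/5901. It models only the plumbing; the ssh encryption between the two ends, which is the reason to do this at all, is not simulated. The stand-in service, its +OK greeting and the function names are assumptions of this example.

```python
"""Userland model of what `ssh -L localport:desthost:destport` sets up.

Added example, not from the slides or from OpenSSH: a small TCP relay that
plays the listener ssh -L opens on the client, plus a stand-in for the
POP3/VNC daemon on the far end so it runs offline on loopback. Only the
plumbing is modelled; the encryption between the two ssh ends is not.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_listener(handler, bind_addr="127.0.0.1"):
    """Listen on an ephemeral port of bind_addr; run handler(conn) per client.
    Returns (listening socket, port). Binding to 127.0.0.1 is what ssh -L does
    by default; -g / GatewayPorts would expose the listener to the whole LAN."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(8)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: shut down quietly
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_stand_in_service():
    """Stand-in for the daemon at desthost:destport: greet, then echo lines."""
    def handle(conn):
        with conn, conn.makefile("rb") as reader:
            conn.sendall(b"+OK stand-in service ready\r\n")
            for line in reader:
                conn.sendall(b"+OK " + line)
    return start_listener(handle)


def start_local_forward(dest_host, dest_port, bind_addr="127.0.0.1"):
    """The -L half: accept locally, open dest_host:dest_port, relay both ways."""
    def handle(conn):
        try:
            dest = socket.create_connection((dest_host, dest_port), timeout=5)
        except OSError:              # ssh logs "connect failed" in this case
            conn.close()
            return
        dest.settimeout(None)
        threading.Thread(target=_pump, args=(conn, dest), daemon=True).start()
        _pump(dest, conn)
        conn.close()
        dest.close()
    return start_listener(handle, bind_addr)


def talk_through_tunnel(local_port, line=b"USER jw\r\n"):
    """What the mail/VNC client does: it only ever connects to localhost."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c, \
            c.makefile("rb") as reader:
        greeting = reader.readline()
        c.sendall(line)
        reply = reader.readline()
    return greeting, reply


if __name__ == "__main__":
    svc, svc_port = start_stand_in_service()                      # "pop3host:110"
    fwd, local_port = start_local_forward("127.0.0.1", svc_port)  # the ssh -L part
    print(talk_through_tunnel(local_port))
    fwd.close()
    svc.close()
```

The client never learns the service's real port: it connects to 127.0.0.1 and the relay carries its bytes to the destination and the replies back. Changing bind_addr to 0.0.0.0 reproduces what -g does and is exactly the setting to avoid unless you mean to offer the tunnel to your whole network.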

Page 35

NX

Advantages over VNC:
– Speed: fast enough to use over dialup.
– Built-in ssh encryption.

Disadvantages:
– Immature code; hard to install and set up.
– GPL client/server for Linux only.
– Free Windows client; commercial server.
