CIT 470: Advanced Network and System Administration Slide #1
CIT 470: Advanced Network and System Administration
Remote Administration
Topics
1. Network Access
2. SSH
3. Key-based Authentication
4. Console Access
5. X-Windows
6. VNC and NX
7. SSH tunneling
Network Access
Most tasks can be done from the shell:
• File management.
• Disk/volume management.
• Troubleshooting and viewing logs.
• Installing/removing software.
• Start/stop network services.
• Reboot/shutdown.
All we need is a way to invoke a shell across the network.
telnet
Ubiquitous network terminal protocol
    telnet hostname
Similar protocols
    rlogin -l user hostname
    rsh -l user hostname command
Insecure
– Data, including passwords, sent in the clear.
– rlogin/rsh use ~/.rhosts for access w/o passwords.
ssh
Secure Shell
Replaces
• telnet
• ftp
• rlogin
• rsh
• rcp
SSH Security Features
SSH: Protocols and Products
• Products: OpenSSH, SSH Tectia, F-Secure SSH, PuTTY, WinSCP
• SSH v1
  – Insecure, obsolete.
  – Do not use.
• SSH v2
  – Current version.
SSH Features
Secure login
    ssh -l user host
Secure remote command execution
    ssh -l user host command
Secure file transfer
    sftp user@host
    scp file user@host:/tmp/myfile
Port forwarding
    ssh -L 110:localhost:110 mailhost
The Problem of Passwords
1. Good passwords are hard to remember.
2. Password transferred to remote system.
3. Automating remote access with passwords is difficult.
Public Key Cryptography
Two keys
– Private key known only to owner.
– Public key available to anyone.
Applications
– Confidentiality:
  • Sender enciphers using recipient’s public key.
  • Receiver deciphers using their private key.
– Integrity/authentication:
  • Sender enciphers using own private key.
  • Recipient deciphers using sender’s public key.
Key-based Authentication
SSH uses public-key authentication
– Private key stored on your machine.
– Public key stored on remote machines.
Public-key login protocol
1. Client sends server a login request.
2. Server issues a challenge.
3. Client responds with a computation based on the challenge and its private key.
4. Server checks the response with the public key.
Using key-based authentication
1. Generate a public/private key pair.
    ssh-keygen
   Key files: id_dsa (private key, encrypted with your passphrase) and id_dsa.pub (public key).
2. Copy the public key to the remote host.
   Append it to ~/.ssh/authorized_keys.
3. Log in to the remote host.
    ssh -l user remote
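As an added example that is not part of the slides, the following POSIX shell script performs the three steps with the checks a practitioner wants: the ~/.ssh directory and the authorized_keys file get the permissions that sshd's StrictModes setting (on by default) requires, since otherwise the key is silently ignored, and installing the same public key twice does not duplicate the line. Key generation uses ssh-keygen with an ed25519 key in place of the slide's id_dsa, because OpenSSH has refused DSA keys by default since version 7.0. The public key string, the user name jw and the directory argument are constructed for the demo, which runs against a temporary directory rather than the real ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the slides): the key-based login setup of slide 12,
# with the permission checks sshd applies and an idempotent public-key install.

# Constructed sample public key for the demo; not a real key.
CONSTRUCTED_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotReal jw@example'

# Step 1: generate a key pair. ed25519 replaces the slide's id_dsa. The private
# key file is encrypted with the passphrase; the .pub file is not secret.
# (Defined for completeness; the demo below does not call it, so the script
# runs on hosts without ssh-keygen.)
generate_key() {
    keyfile="$1"; passphrase="$2"
    ssh-keygen -t ed25519 -f "$keyfile" -N "$passphrase" -C "$(id -un)@$(hostname)"
}

# Step 2: append a public key to authorized_keys under SSH_DIR.
# With StrictModes (the default) sshd ignores authorized_keys when the
# directory or the file is writable by group/others, so the permissions are
# set explicitly. The key material (field 2) is compared, so a re-run, even
# with a different comment field, does not add a duplicate line.
install_authorized_key() {
    pubkey_line="$1"
    ssh_dir="$2"
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"

    key_material=$(printf '%s\n' "$pubkey_line" | awk '{ print $2 }')
    if awk -v k="$key_material" '$2 == k { found = 1 } END { exit !found }' "$auth_file"; then
        echo "already present: $auth_file"
        return 0
    fi
    printf '%s\n' "$pubkey_line" >> "$auth_file"
    echo "installed into $auth_file"
}

# Number of authorized keys: one per non-blank, non-comment line.
count_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Demo on a throwaway directory so it never touches the real ~/.ssh.
demo=$(mktemp -d)
install_authorized_key "$CONSTRUCTED_PUBKEY" "$demo/.ssh"
install_authorized_key "$CONSTRUCTED_PUBKEY" "$demo/.ssh"   # second run: no duplicate
echo "keys: $(count_keys "$demo/.ssh/authorized_keys")"     # keys: 1
ls -ld "$demo/.ssh" "$demo/.ssh/authorized_keys"            # drwx------ and -rw-------
rm -rf "$demo"
# Step 3, on a real host once the key is in place:  ssh -l jw remote
```

The install function takes the target directory as a parameter only so it can be exercised in a scratch directory; in use you would pass "$HOME/.ssh" on the remote host (or let ssh-copy-id, where available, do the same work).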
Keys are more secure than Passwords
1. Need to have two items to login: key file and passphrase.
2. Neither key nor passphrase is sent to remote host.
3. Machine-generated cryptographic keys are infeasible to guess, unlike passwords.
SSH Agent
Problem: you have to enter the passphrase to decrypt the key each time you use ssh.
Solution: SSH agent
    > ssh-agent $SHELL
    > ssh-add
    Enter passphrase for /home/jw/.ssh/id_dsa: ********
    Identity added: /home/jw/.ssh/id_dsa (/home/jw/.ssh/id_dsa)
    > ssh -l jw host
SSH Agent Features
Agent support for entire session
– Start ssh-agent on the initial shell.
– X: ~/.xsession (often enabled by default).
Multiple keys
    ssh-add keyfile
    ssh-add -l
Remove keys
    ssh-add -d keyfile
    ssh-add -D
Remote Access when Server is Down
• Problem: No network access to host.
• Solutions:
  – Go to computer room and bring host up.
  – Specialized hardware (network boot / power).
  – Virtual machines.
  – Console servers.
Console Servers
Console
– Main input / output device for computer.
– Historically: serial terminal.
– Typically: keyboard/mouse + monitor.
Server allows access to multiple consoles.
– Console access: BIOS, bootloader, kernel.
– Eliminates need for keyboards, mice, monitors.
– Serial line to each machine from server.
– One user has R/W, other users have R access.
Console Hardware
Console server solutions
– Commercial: Cisco, Cyclades, Xyplex
– Open source: Conserver + serial expander card
Hardware issues
– Connectors: DB-9, DB-25, RJ-45
– Encoding: 8N1, 7E1
– Speeds: 9600 to 230k bit/s
X-Windows
• Network-based windowing system.
• Server
  – Handles user input and graphical display.
  – Runs on the machine with the display unit.
• Client
  – Graphical applications are clients.
  – Can run on a different machine than the server.
• Set the DISPLAY environment variable, or use the -display command line option.
Window Manager
X client that provides features like:
– Move, resize, iconify, and kill windows.
– Window title bars.
– Popup menus.
Example window managers
– twm: Tab, primitive early window manager.
– mwm: Motif, found on commercial UNIXes.
– fvwm: Free, fast, very customizable.
– WindowMaker: NeXT-like, see also AfterStep.
TWM Screenshot
FVWM Screenshot
WindowMaker
Desktops
CDE: Common desktop environment for commercial UNIXes.
Gnome: Standard Linux desktop based on GTK+.
KDE: Windows-like free desktop based on Qt.
Xfce: Lightweight desktop, also based on GTK+.
X-Windows Security
Why do we need security?
– An evil client can capture/create any X events.
– Even if you’re not using any network clients!
Host authentication
– Limit who can start clients by IP address.
– Set by the xhost + or xhost - commands.
Token authentication
– Only clients with the token can access the server.
– Set by the xauth command.
X-Windows Security
Tunneling + host authentication
– All clients appear to be from localhost.
– Therefore disable remote clients with xhost -
Use the ssh client to tunnel X: ssh -X host
– Server must have X11Forwarding set to yes.
– Use echo $DISPLAY to test if X forwarding is on.
Note that local users can still attack the X session.
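The three server-side settings the slides care about (slide 7: no SSH v1; slide 13: keys rather than passwords; this slide: X11Forwarding yes) can all be read from sshd_config. The script below is an added example, not from the slides, and it reproduces the parts of sshd's configuration semantics that trip up a manual review: the first occurrence of a keyword wins, keywords are case-insensitive, Key=value is accepted as well as Key value, and lines after a Match block are conditional and so not part of the global answer. The two configuration files are constructed for the demo; the Protocol keyword only matters on servers old enough to still offer SSH v1.

```shell
#!/bin/sh
# Added example (not from the slides): read the sshd settings behind slides 7,
# 13 and 26 from an sshd_config file and report the weak ones.

# Print the effective global value of KEYWORD from CFG, or DEFAULT if unset.
# sshd semantics reproduced here: keywords are case-insensitive, "Key value"
# and "Key=value" are both accepted, the FIRST occurrence wins, and anything
# after a Match line only applies conditionally, so it is ignored.
sshd_setting() {
    cfg="$1"; default="$3"
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v want="$want" '
        { gsub(/=/, " ") }                         # Key=value -> Key value
        /^[ \t]*#/ || NF == 0 { next }             # comments and blank lines
        tolower($1) == "match" { exit }            # global section ends here
        tolower($1) == want { print $2; exit }     # first value wins
    ' "$cfg")
    printf '%s\n' "${val:-$default}"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print one FINDING line per weak setting, then a summary count.
# Defaults are OpenSSH's own: Protocol 2, PasswordAuthentication yes, X11Forwarding no.
audit_sshd_config() {
    cfg="$1"; n=0
    proto=$(sshd_setting "$cfg" Protocol 2)
    case "$proto" in
        *1*) echo "FINDING: Protocol $proto still offers SSH v1 (slide 7: insecure, do not use)"
             n=$((n + 1)) ;;
    esac
    if [ "$(lower "$(sshd_setting "$cfg" PasswordAuthentication yes)")" = yes ]; then
        echo "FINDING: PasswordAuthentication yes; password guessing stays possible after keys are deployed (slide 13)"
        n=$((n + 1))
    fi
    if [ "$(lower "$(sshd_setting "$cfg" X11Forwarding no)")" = yes ]; then
        echo "FINDING: X11Forwarding yes; needed for ssh -X, but programs on this server can then reach the user's X display (slide 26)"
        n=$((n + 1))
    fi
    echo "findings: $n"
}

# Constructed sample configs for the demo (not taken from any real host).
write_weak_config() {
    cat > "$1" <<'EOF'
# weak: the first PasswordAuthentication line wins, the later "no" is ignored
Protocol 2,1
PasswordAuthentication yes
X11Forwarding=yes
PasswordAuthentication no
Match User backup
    X11Forwarding no
EOF
}

write_hardened_config() {
    cat > "$1" <<'EOF'
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
EOF
}

demo=$(mktemp -d)
write_weak_config "$demo/weak"; write_hardened_config "$demo/hardened"
echo "== weak";     audit_sshd_config "$demo/weak"        # 3 findings
echo "== hardened"; audit_sshd_config "$demo/hardened"    # 0 findings
rm -rf "$demo"
```

Run it against /etc/ssh/sshd_config on a host you administer; the X11Forwarding finding is informational when the host is meant to serve ssh -X sessions, which is exactly the trade-off the slide describes.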
VNC: Virtual Network Computing
Why VNC?
1. Remote desktop access.
2. Helpdesk: control a remote desktop.
3. Persistent desktop.
4. Use same desktop from multiple clients.
5. Need Linux access from Windows.
6. Need Windows access from Linux.
What is VNC?
• Open remote desktop protocol.
• Many implementations
  – RealVNC: VNC from the original researchers.
  – TightVNC: VNC with high compression.
  – VNCj: Java VNC, can run within a web browser.
  – PalmVNC: VNC for Palm Pilots.
  – UltraVNC: enhanced VNC, only for Windows.
Using VNC
1. Start VNC server
UNIX: vncserver
Win: Start menu>Programs>RealVNC>VNCServer
2. Write down server name and display number.
It will look something like unix3:1
3. Start VNC client
UNIX: vncviewer
Win: Start menu>Programs>RealVNC>VNCViewer
4. Enter server and display to connect to (from step 2).
5. A VNC remote desktop should appear.
Configuring and Troubleshooting
• On UNIX, VNC stores files under ~/.vnc
• Configuration: xstartup
  – Indicates which X clients to start with the server.
  – Typically includes the vncconfig application.
• Configuration: passwd
  – Contains the VNC server session password.
• Log files: host:display#.log
  – Any errors should appear in these logs.
Securing VNC
VNC does not provide encryption.
Use ssh tunneling to encrypt login + data:
    ssh -L 5901:remotehost:5901 remotehost
    vncviewer localhost:1
Tunneling
Tunneling: encapsulation of one network protocol in another protocol.
– Carrier protocol: protocol used by the network through which the information is travelling.
– Encapsulating protocol: protocol (GRE, IPsec, L2TP) that is wrapped around the original data.
– Passenger protocol: protocol that carries the original data.
ssh Tunneling
SSH can tunnel TCP connections
– Carrier protocol: IP
– Encapsulating protocol: ssh
– Passenger protocol: TCP on a specific port
POP-3 forwarding
    ssh -L 110:pop3host:110 -l user pop3host
– Uses ssh to log in to pop3host as user.
– Creates a tunnel from port 110 (leftmost port #) on localhost to port 110 (rightmost port #) of pop3host.
– User configures the mail client to use localhost as the POP3 server, then proceeds as normal.
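As an added example that is not from the slides, the script below builds the ssh -L commands of slide 32 (VNC) and this slide (POP3) from their parts, so that the port arithmetic and the bind/destination choices are explicit: VNC display N is TCP port 5900+N, so unix3:1 is unix3 port 5901, and the viewer addresses the local end as localhost:1 again. Two choices differ from the slide's bare -L form and are deliberate: the local end is bound to 127.0.0.1 so only processes on this machine can use the tunnel (ssh's default unless -g or GatewayPorts is set, stated here so the intent is visible), and the VNC destination is written as localhost, which ssh resolves on the remote host, so the unencrypted VNC leg never leaves that host's loopback interface. The host names and the user name jw are constructed; binding a local port below 1024, as the POP3 case does, needs root.

```shell
#!/bin/sh
# Added example (not from the slides): build the ssh -L tunnels of slides 32
# and 34 from their parts. Nothing here opens a connection; it prints commands.

# ssh -L: LPORT on this machine -> via SSHHOST -> RHOST:RPORT as seen from SSHHOST.
# Bind address 127.0.0.1: only local processes can use the forwarded port.
# -N: no remote shell; the session exists only to carry the forward.
local_forward_cmd() {
    lport="$1"; rhost="$2"; rport="$3"; user="$4"; sshhost="$5"
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s -l %s %s\n' "$lport" "$rhost" "$rport" "$user" "$sshhost"
}

# VNC display N listens on TCP 5900+N, so "unix3:1" means unix3 port 5901.
vnc_display_port() {
    display="${1##*:}"                  # text after the last colon
    case "$display" in
        ''|*[!0-9]*) echo "bad display spec: $1" >&2; return 1 ;;
    esac
    echo $((5900 + $display))
}

vnc_host() { printf '%s\n' "${1%%:*}"; }

# Tunnel for a VNC server given as host:display. The destination is written
# as "localhost" rather than the server's own name: it is resolved on the VNC
# host, so the unencrypted VNC leg stays on that host's loopback interface.
# Optional third argument: a different local port (defaults to the same number).
vnc_tunnel_cmd() {
    target="$1"; user="$2"
    rport=$(vnc_display_port "$target") || return 1
    lport="${3:-$rport}"
    local_forward_cmd "$lport" localhost "$rport" "$user" "$(vnc_host "$target")"
}

# The viewer addresses the local end by display number again: port - 5900.
vnc_viewer_cmd() {
    printf 'vncviewer localhost:%s\n' $(($1 - 5900))
}

# Demo with the slides' example names (unix3:1, pop3host) and a constructed user jw.
echo "POP3 (slide 34): $(local_forward_cmd 110 pop3host 110 jw pop3host)"
echo "VNC  (slide 32): $(vnc_tunnel_cmd unix3:1 jw)"
echo "then:            $(vnc_viewer_cmd 5901)"
```

Expected output of the VNC lines is `ssh -N -L 127.0.0.1:5901:localhost:5901 -l jw unix3` followed by `vncviewer localhost:1`; run the first in one terminal and the second in another, and the viewer's traffic crosses the network only inside the ssh session.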
NX
Advantages over VNC
– Speed: fast enough to use over dialup.
– Built-in ssh encryption.
Disadvantages
– Immature code; hard to install and set up.
– GPL client/server for Linux only.
– Free Windows client; commercial server.