DOCSLIB.ORG

Reflection for Secure IT for UNIX

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Reflection for Secure IT for UNIX User's Guide Reflection for Secure IT for UNIX Version 8.0 SP2 Copyrights and Notices © 2016 Attachmate Corporation, a Micro Focus company. All rights reserved. No part of the documentation materials accompanying this Micro Focus software product may be reproduced, transmitted, transcribed, or translated into any language, in any form by any means, without the written permission of Micro Focus or its affiliates. The content of this document is protected under copyright law even if it is not distributed with software that includes an end user license agreement. The content of this document is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Micro Focus. Micro Focus assumes no responsibility or liability for any errors or inaccuracies that may appear in the informational content contained in this document. Micro Focus, the Micro Focus logo, FileXpress, and Reflection are registered trademarks of Micro Focus or its subsidiaries or affiliated companies in the United Kingdom, United States and other countries. All other trademarks, trade names, or company names referenced herein are used for identification only and are the property of their respective owners. 1Installation 7 Which Package do I Need? . 8 Replace an Earlier Version or other Existing Secure Shell Program . 9 Install and Uninstall on Linux . 10 Set up High Availability Red Hat Clusters . 11 Install and Uninstall on Oracle Solaris 10 . 12 Install and Uninstall on Oracle Solaris 11. 13 Install and Uninstall on HP-UX. 17 Install and Uninstall on IBM AIX . 17 Migrate Settings from Existing Configuration Files. 18 Install Reflection PKI Services Manager . 20 2 Getting Started 23 Start and Stop the Server. 23 Make an SSH Connection . 24 Transfer Files Using sftp . 25 Transfer Files Using scp. 26 Understanding Secure Shell . 27 3 Configuration Files 29 Client Configuration Files . 29 Configuration File Format. 30 Host Stanzas . 30 Command Line Options . 31 Server Configuration Files . 31 Server Subconfiguration Files . 32 Subconfiguration File Samples . 33 4 Supported Cryptographic Algorithms 35 Encryption . 35 Data Integrity . 35 Digital Signatures . 36 Configuring Ciphers and MACs . 36 FIPS Mode . 37 5 Server Authentication 39 Public Key Authentication Overview. 39 Create a New Host Key . 40 Add a Key to the Client Known Hosts List . 41 Display the Fingerprint of the Host Public Key. .42 Server Certificate Authentication Overview . 42 Obtain Authentication Certificates . 43 Configure Server Certificate Authentication . 44 Kerberos (GSSAPI) Authentication . 47 Kerberos System Requirements . 48 Configure Kerberos Server and Client Authentication . 48 Contents 3 6 User Authentication 51 Password and Keyboard Interactive Authentication. 51 Configure Password Authentication. 52 Configure Keyboard Interactive Authentication . 52 Public Key Authentication. 53 Configure Public Key User Authentication . 53 Use the Key Agent . .55 Certificate Authentication for Users . 56 Configure Certificate Authentication for Users. 57 Pluggable Authentication Modules (PAM) . .59 Configure PAM Authentication . 60 RADIUS Authentication . 61 Configure RADIUS Authentication . 62 RSA SecurID Authentication . 62 Configure SecurID Authentication . 63 Configure Account Management on HP-UX Trusted Systems. 64 7 Secure File Transfer 65 Secure File Transfer (sftp) . 65 Use sftp Interactively . 66 Run sftp Batch Files . 66 Configuring the sftp Transfer Method (ASCII or Binary). 67 Secure File Copy (scp). 68 Smart Copy and Checkpoint Resume . .69 Configure Upload and Download Access. 70 Set File Permissions on Downloaded Files . .70 Set File Permissions on Uploaded Files . ..
Load more

Recommended publications
  • The Science DMZ
    The Science DMZ Brian Tierney, Eli Dart, Eric Pouyoul, Jason Zurawski ESnet Supporting Data-Intensive Research Workshop QuestNet 2013 Gold Coast, Australia July 2, 2013 What’s there to worry about? © Owen Humphreys/National Geographic Traveler Photo Contest 2013 7/2/13 2 Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science The Science DMZ in 1 Slide Consists of three key components, all required: “Friction free” network path • Highly capable network devices (wire-speed, deep queues) • Virtual circuit connectivity option • Security policy and enforcement specific to science workflows • Located at or near site perimeter if possible Dedicated, high-performance Data Transfer Nodes (DTNs) • Hardware, operating system, libraries all optimized for transfer • Includes optimized data transfer tools such as Globus Online and GridFTP Performance measurement/test node • perfSONAR Details at http://fasterdata.es.net/science-dmz/ Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science Overview Part 1: • What is ESnet? • Science DMZ Motivation • Science DMZ Architecture Part 2: • PerfSONAR • The Data Transfer Node • Data Transfer Tools Part 3: • Science DMZ Security Best Practices • Conclusions Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science The Energy Sciences Network (ESnet) A Department of Energy Facility Naonal Fiber footprint Distributed Team of 35 Science Data Network Internaonal Collaboraons Mul3ple 10G waves 5 Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science ESnetSC Supports Supports Research DOE at More Office than 300 of Institutions Science Across the U.S. Universities DOE laboratories The Office of Science supports: 27,000 Ph.D.s, graduate students, undergraduates, engineers, and technicians 26,000 users of open-access facilities 300 leading academic institutions 17 DOE laboratories 6 Lawrence Berkeley National Laboratory U.S.
    [Show full text]
  • Making Linux Protection Mechanisms Egalitarian with Userfs
    Making Linux Protection Mechanisms Egalitarian with UserFS Taesoo Kim and Nickolai Zeldovich MIT CSAIL ABSTRACT firewall rules, forcing applications to invent their own UserFS provides egalitarian OS protection mechanisms protection techniques like system call interposition [15], in Linux. UserFS allows any user—not just the system binary rewriting [30] or analysis [13, 45], or interposing administrator—to allocate Unix user IDs, to use chroot, on system accesses in a language runtime like Javascript. and to set up firewall rules in order to confine untrusted This paper presents the design of UserFS, a kernel code. One key idea in UserFS is representing user IDs as framework that allows any application to use traditional files in a /proc-like file system, thus allowing applica- OS protection mechanisms on a Unix system, and a proto- tions to manage user IDs like any other files, by setting type implementation of UserFS for Linux. UserFS makes permissions and passing file descriptors over Unix do- protection mechanisms egalitarian, so that any user—not main sockets. UserFS addresses several challenges in just the system administrator—can allocate new user IDs, making user IDs egalitarian, including accountability, re- set up firewall rules, and isolate processes using chroot. source allocation, persistence, and UID reuse. We have By using the operating system’s own protection mecha- ported several applications to take advantage of UserFS; nisms, applications can avoid race conditions and ambi- by changing just tens to hundreds of lines of code, we guities associated with system call interposition [14, 43], prevented attackers from exploiting application-level vul- can confine existing code without having to recompile or nerabilities, such as code injection or missing ACL checks rewrite it in a new language, and can enforce a coherent in a PHP-based wiki application.
    [Show full text]
  • Sandboxing 2 Change Root: Chroot()
    Sandboxing 2 Change Root: chroot() Oldest Unix isolation mechanism Make a process believe that some subtree is the entire file system File outside of this subtree simply don’t exist Sounds good, but. Sandboxing 2 2 / 47 Chroot Sandboxing 2 3 / 47 Limitations of Chroot Only root can invoke it. (Why?) Setting up minimum necessary environment can be painful The program to execute generally needs to live within the subtree, where it’s exposed Still vulnerable to root compromise Doesn’t protect network identity Sandboxing 2 4 / 47 Root versus Chroot Suppose an ordinary user could use chroot() Create a link to the sudo command Create /etc and /etc/passwd with a known root password Create links to any files you want to read or write Besides, root can escape from chroot() Sandboxing 2 5 / 47 Escaping Chroot What is the current directory? If it’s not under the chroot() tree, try chdir("../../..") Better escape: create device files On Unix, all (non-network) devices have filenames Even physical memory has a filename Create a physical memory device, open it, and change the kernel data structures to remove the restriction Create a disk device, and mount a file system on it. Then chroot() to the real root (On Unix systems, disks other than the root file system are “mounted” as a subtree somewhere) Sandboxing 2 6 / 47 Trying Chroot # mkdir /usr/sandbox /usr/sandbox/bin # cp /bin/sh /usr/sandbox/bin/sh # chroot /usr/sandbox /bin/sh chroot: /bin/sh: Exec format error # mkdir /usr/sandbox/libexec # cp /libexec/ld.elf_so /usr/sandbox/libexec # chroot /usr/sandbox
    [Show full text]
  • The Linux Command Line
    The Linux Command Line Fifth Internet Edition William Shotts A LinuxCommand.org Book Copyright ©2008-2019, William E. Shotts, Jr. This work is licensed under the Creative Commons Attribution-Noncommercial-No De- rivative Works 3.0 United States License. To view a copy of this license, visit the link above or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042. A version of this book is also available in printed form, published by No Starch Press. Copies may be purchased wherever fine books are sold. No Starch Press also offers elec- tronic formats for popular e-readers. They can be reached at: https://www.nostarch.com. Linux® is the registered trademark of Linus Torvalds. All other trademarks belong to their respective owners. This book is part of the LinuxCommand.org project, a site for Linux education and advo- cacy devoted to helping users of legacy operating systems migrate into the future. You may contact the LinuxCommand.org project at http://linuxcommand.org. Release History Version Date Description 19.01A January 28, 2019 Fifth Internet Edition (Corrected TOC) 19.01 January 17, 2019 Fifth Internet Edition. 17.10 October 19, 2017 Fourth Internet Edition. 16.07 July 28, 2016 Third Internet Edition. 13.07 July 6, 2013 Second Internet Edition. 09.12 December 14, 2009 First Internet Edition. Table of Contents Introduction....................................................................................................xvi Why Use the Command Line?......................................................................................xvi
    [Show full text]
  • Linux Networking Cookbook.Pdf
    Linux Networking Cookbook ™ Carla Schroder Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo Linux Networking Cookbook™ by Carla Schroder Copyright © 2008 O’Reilly Media, Inc. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected]. Editor: Mike Loukides Indexer: John Bickelhaupt Production Editor: Sumita Mukherji Cover Designer: Karen Montgomery Copyeditor: Derek Di Matteo Interior Designer: David Futato Proofreader: Sumita Mukherji Illustrator: Jessamyn Read Printing History: November 2007: First Edition. Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. The Cookbook series designations, Linux Networking Cookbook, the image of a female blacksmith, and related trade dress are trademarks of O’Reilly Media, Inc. Java™ is a trademark of Sun Microsystems, Inc. .NET is a registered trademark of Microsoft Corporation. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
    [Show full text]
  • SUSE Linux Enterprise Server 12 Does Not Provide the Repair System Anymore
    General System Troubleshooting Sascha Wehnert Premium Service Engineer Attachmate Group Germany GmbH [email protected] What is this about? • This session will cover the following topics: ‒ How to speed up a service request ‒ How to gather system information using supportconfig ‒ Configure serial console in grub to trace kernel boot messages ‒ Accessing a non booting systems using the rescue system ‒ System crash situations and how to prepare (i586/x86_64 only) 2 The challenge of a service request • Complete service request description: “We need to increase our disk space.” 3 The challenge of a service request • Which SUSE® Linux Enterprise Server version? • Is this a physical or virtual environment? • If virtual, what virtualization solution is being used? • If physical, local SCSI RAID array? What hardware? • If using HBAs, dm-multipathing or iSCSI connected disks or a 3rd party solution? • Disk and system partition layout? • What has been done so far? What was achieved? What failed? • What information do I need in order to help? 4 What information would be needed? • SUSE Linux Enterprise Server version → /etc/SuSE-release, uname -a • Physical → dmidecode XEN → /proc/xen/xsd_port KVM → /proc/modules • Hardware information → hwinfo • Partition information → parted -l, /etc/fstab • Multipathing/iSCSI → multipath, iscsiadm • Console output or /var/log/YaST2/y2log in case YaST2 has been used 5 supportconfig • Since SUSE Linux Enterprise Server 10 SP4 included in default installation. • Maintained package, updates available via patch channels. For best results always have latest version installed from channels installed. • One single command to get (almost) everything. • Splits data into files separated by topic. • Can be modified to exclude certain data, either via /etc/supportconfig.conf or command options.
    [Show full text]
  • Scripting in Axis Network Cameras and Video Servers
    Scripting in Axis Network Cameras and Video Servers Table of Contents 1 INTRODUCTION .............................................................................................................5 2 EMBEDDED SCRIPTS ....................................................................................................6 2.1 PHP .....................................................................................................................................6 2.2 SHELL ..................................................................................................................................7 3 USING SCRIPTS IN AXIS CAMERA/VIDEO PRODUCTS ......................................8 3.1 UPLOADING SCRIPTS TO THE CAMERA/VIDEO SERVER:...................................................8 3.2 RUNNING SCRIPTS WITH THE TASK SCHEDULER...............................................................8 3.2.1 Syntax for /etc/task.list.....................................................................................................9 3.3 RUNNING SCRIPTS VIA A WEB SERVER..............................................................................11 3.3.1 To enable Telnet support ...............................................................................................12 3.4 INCLUDED HELPER APPLICATIONS ..................................................................................13 3.4.1 The image buffer - bufferd........................................................................................13 3.4.2 sftpclient.........................................................................................................................16
    [Show full text]
  • การติดตั้ง Webserver โดยใช้ Freebsd
    การติดต้งั WebServer โดยใช ้ FreeBSD 8.2 Rev001: Apr 1,2011 § การตดติ งั้ WebServer โดยใช ้ FreeBSD 8.2 § กรณีศกษาึ www.mu-ph.org โดย เสรมพิ นธั ุ ์ นตยิ นรา์ Email: [email protected] 1 เมษายน 2554 [** Rev01 : Apr 01,2011 **] * * * * * * * * * Objective: ต้องการทาํ WebServer ของ องค์กร ให้ทุกฝ่ ายในองค์กรม ี WebSite ใช้งาน โดยให้เนือท้ ฝี่ ่ ายละ 1 GBytes Specifications ของเครื่องที่ใช้ www# dmesg Copyright (c) 1992-2011 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD is a registered trademark of The FreeBSD Foundation. FreeBSD 8.2-RELEASE #0: Fri Feb 18 02:24:46 UTC 2011 [email protected]:/usr/obj/usr/src/sys/GENERIC i386 Timecounter "i8254" frequency 1193182 Hz quality 0 CPU: Intel(R) Xeon(TM) CPU 2.40GHz (2392.06-MHz 686-class CPU) Origin = "GenuineIntel" Id = 0xf29 Family = f Model = 2 Stepping = 9 Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI, MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE> Features2=0x4400<CNXT-ID,xTPR> real memory = 1073741824 (1024 MB) avail memory = 1036226560 (988 MB) ACPI APIC Table: <DELL PE1600SC> FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs FreeBSD/SMP: 4 package(s) x 1 core(s) cpu0 (BSP): APIC ID: 0 cpu1 (AP): APIC ID: 1 cpu2 (AP): APIC ID: 6 cpu3 (AP): APIC ID: 7 แบ่ง partition ดังนี ้ www# df Filesystem 1K-blocks Used Avail Capacity Mounted on /dev/amrd0s1a 1012974 176512 755426 19% / devfs 1 1 0 100% /dev /dev/amrd0s1h 63488502 4 58409418 0% /backups /dev/amrd0s1g 1012974 12 931926 0% /tmp /dev/amrd0s1e 5077038 832996 3837880 18% /usr /dev/amrd0s1f 50777034 4 46714868 0% /usr/local/www /dev/amrd0s1d 15231278 278 14012498 0% /var www# โปรแกรมทลงี่ 1.
    [Show full text]
  • Guidance on Sftp Chroot Access
    Guidance On Sftp Chroot Access How comedic is Husein when tuberculose and untumbled Horace tango some bedstraw? Fucoid Sutherland revenge troubledly and alow, she regives her canvassing unfree unrecognisable. Sayer remains owlish: she phlebotomises her slaister distaste too glowingly? The server performs a chroot2 command to visit home loss of the ftp user. 13 2006 World Meteorological Organization WMO Guide to use of FTP and. Using sftp 199 Setting Permissions for File Uploads 200 244. CVE-2021-1145 A vulnerability in house Secure FTP SFTP of Cisco StarOS for Cisco. Match group yourgroupname ChrootDirectory home X11Forwarding no. Chroot A Linux command used to trace the root before It so often used for sandboxing. The Debian Administrator's Handbook. Selinux context to access on using ecr is to execute permissions of this is. Be replaced by sftp if possible ftp sftp access should be chrooted to. Both rsh and ssh require some coordination between the client and server. If you guidance on sftp chroot access is guidance on ams managed microsoft azure to chroot enforcements on. Are we in a chrooted jail and cannot access the hum system directly. Uses a Linux concept began as CHROOT to physically isolate each SFTP user to a violent part error the filesystem Thus art is lawn for an SFTP user to book another user's data. The file systems serving malware or are required so multiple queues and sftp on volatile data corruption, as having a long as efficiently run a long. The CA Access Control documentation uses the following file location. Guide following the Secure Configuration of another Hat Enterprise Linux.
    [Show full text]
  • The Linux Command Line
    The Linux Command Line Second Internet Edition William E. Shotts, Jr. A LinuxCommand.org Book Copyright ©2008-2013, William E. Shotts, Jr. This work is licensed under the Creative Commons Attribution-Noncommercial-No De- rivative Works 3.0 United States License. To view a copy of this license, visit the link above or send a letter to Creative Commons, 171 Second Street, Suite 300, San Fran- cisco, California, 94105, USA. Linux® is the registered trademark of Linus Torvalds. All other trademarks belong to their respective owners. This book is part of the LinuxCommand.org project, a site for Linux education and advo- cacy devoted to helping users of legacy operating systems migrate into the future. You may contact the LinuxCommand.org project at http://linuxcommand.org. This book is also available in printed form, published by No Starch Press and may be purchased wherever fine books are sold. No Starch Press also offers this book in elec- tronic formats for most popular e-readers: http://nostarch.com/tlcl.htm Release History Version Date Description 13.07 July 6, 2013 Second Internet Edition. 09.12 December 14, 2009 First Internet Edition. 09.11 November 19, 2009 Fourth draft with almost all reviewer feedback incorporated and edited through chapter 37. 09.10 October 3, 2009 Third draft with revised table formatting, partial application of reviewers feedback and edited through chapter 18. 09.08 August 12, 2009 Second draft incorporating the first editing pass. 09.07 July 18, 2009 Completed first draft. Table of Contents Introduction....................................................................................................xvi
    [Show full text]
  • Running Untrusted Application Code: Sandboxing Running Untrusted Code
    Running Untrusted Application Code: Sandboxing Running untrusted code We often need to run buggy/unstrusted code: programs from untrusted Internet sites: toolbars, viewers, codecs for media player old or insecure applications: ghostview, outlook legacy daemons: sendmail, bind honeypots Goal : if application “misbehaves,” kill it Approach: confinement Confinement : ensure application does not deviate from pre-approved behavior Can be implemented at many levels: Hardware : run application on isolated hw (air gap) difficult to manage Virtual machines : isolate OS’s on single hardware System call interposition : Isolates a process in a single operating system Isolating threads sharing same address space: Software Fault Isolation (SFI) Application specific: e.g. browser-based confinement Implementing confinement Key component: reference monitor Mediates requests from applications Implements protection policy Enforces isolation and confinement Must always be invoked: Every application request must be mediated Tamperproof : Reference monitor cannot be killed … or if killed, then monitored process is killed too Small enough to be analyzed and validated A simple example: chroot Often used for “guest” accounts on ftp sites To use do: (must be root) chroot /tmp/guest root dir “/” is now “/tmp/guest” su guest EUID set to “guest” Now “/tmp/guest” is added to file system accesses for applications in jail open(“/etc/passwd”, “r”) ⇒⇒⇒ open(“/tmp/guest/etc/passwd”, “r”) ⇒ application cannot access files outside of jail Jailkit Problem: all utility progs (ls, ps, vi) must live inside jail • jailkit project: auto builds files, libs, and dirs needed in jail environment • jk_init : creates jail environment • jk_check: checks jail env for security problems • checks for any modified programs, • checks for world writable directories, etc.
    [Show full text]
  • What Is It We Want in Containers Anyways?
    WHAT IS IT WE WANT IN CONTAINERS ANYWAYS? Vincent Batts @vbatts bit.ly/vbatts-containers-anyways bit.ly/252kBnL $> finger $(whoami) Login: vbatts Name: Vincent Batts Directory: /home/vbatts Shell: /bin/bash Such mail. Plan: OHMAN $> id -Gn devel opencontainers docker appc redhat golang slackware SO, WHY, CONTAINERS? Single Application Full System But Not a VM Except Maybe a VM Pods of applications Labels of services Non-root Desktop Applications OMG AND CATS https://www.flickr.com/photos/27549668@N03/ But wait, What does "container" mean to you? But wait, What does "container" mean to you? USE-CASE Reproducibility USE-CASE Ephemeral Environments USE-CASE Freedom from host restrictions USE-CASE Easy delivery USE-CASE Integrate to existing process USE-CASE Controls and knobs BUILD Dockerfile Source to Image (github.com/OpenShift/source-to-image) appc/acbuild (github.com/appc/acbuild) Your own Makefiles? SHARING registry (i.e. docker-registry, dockyard) Host it yourself (i.e. tarballs on an http server) Share recipes! TOOLS LXC / LXD lmctfy Docker systemd-nspawn runC bubblewrap TECH Namespaces Resource Controls Security and Isolation SYSTEMD systemd directives Security Slides (CoreOS Fest2016) SHELL unshare(1) mount(8) shared subtrees chroot(1) procfs, sysfs, tmpfs cgroup filesystem (not for the faint of heart) STANDARDS! Standard /ˈstandəd/ noun something used as a measure, norm, or model in comparative evaluations STANDARDS! Areas to Standardize: Packaging Runtime Networking Cloud Call to Action! Define your use-cases first Get involved in the conversations Ensure your container integration touchpoint stay generic, to avoid lock-in to a particular platform. PoC tooling for your integration VINCENT BATTS @VBATTS| [email protected] THANKS!.
    [Show full text]