CIT 470: Advanced Network and System Administration Remote Administration

CIT 470: Advanced Network and System Administration Slide #1

Topics

1. Network Access
2. SSH
3. Key-based Authentication
4. Console Access
5. X-Windows
6. VNC and NX
7. SSH tunneling

Network Access

Most tasks can be done from the shell:
• File management.
• Disk/volume management.
• Troubleshooting and viewing logs.
• Installing/removing software.
• Start/stop network services.
• Reboot/shutdown.

All we need is a way to invoke a shell across the network.

telnet

Ubiquitous network terminal protocol:
  telnet hostname
Similar protocols:
  rlogin -l user hostname
  rsh -l user hostname command
Insecure:
• Data, including passwords, sent in the clear.
• rlogin/rsh use ~/.rhosts for access w/o passwords.

ssh

Secure Shell. Replaces:
• telnet
• ftp
• rlogin
• rsh
• rcp

SSH Security Features

SSH: Protocols and Products

Protocols
• SSH v1 – Insecure, obsolete. Do not use.
• SSH v2 – Current version.
Products
• OpenSSH
• SSH Tectia
• F-Secure SSH
• Putty
• WinSCP

SSH Features

Secure login:
  ssh -l user host
Secure remote command execution:
  ssh -l user host command
Secure file transfer:
  sftp user@host
  scp file user@host:/tmp/myfile
Port forwarding:
  ssh -L 110:localhost:110 mailhost

The Problem of Passwords

1. Good passwords are hard to remember.
2. The password is transferred to the remote system.
3. Automating remote access with passwords is difficult.

Public Key Cryptography

Two keys
– Private key known only to owner.
– Public key available to anyone.
Applications
– Confidentiality:
  • Sender enciphers using recipient's public key,
  • Receiver deciphers using their private key.
– Integrity/authentication:
  • Sender enciphers using own private key,
  • Recipient deciphers using sender's public key.

Key-based Authentication

SSH uses public-key authentication:
• Private key stored on your machine.
• Public key stored on remote machines.
Public-key login protocol:
1. Client sends server a login request.
2. Server issues a challenge.
3. Client responds with a computation based on the challenge and its private key.
4. Server checks the response with the public key.

Using key-based authentication

1. Generate a public/private key pair:
     ssh-keygen
   Key files: id_rsa (private key, encrypted with your passphrase) and id_rsa.pub (public key).
2. Copy the public key to the remote host:
   Append it to ~/.ssh/authorized_keys.
3. Login to the remote host:
     ssh -l user remote

Keys are more secure than Passwords

1. Need to have two items to login: key file and passphrase.
2. Neither key nor passphrase is sent to the remote host.
3. Machine-generated cryptographic keys are infeasible to guess, unlike passwords.

SSH Agent

Problem: you have to enter the passphrase to decrypt the key each time you use ssh.
Solution: SSH Agent
  > ssh-agent $SHELL
  > ssh-add
  Enter passphrase for /home/jw/.ssh/id_dsa: ********
  Identity added: /home/jw/.ssh/id_dsa (/home/jw/.ssh/id_dsa)
  > ssh -l jw host

SSH Agent Features

Agent support for the entire session:
• Start ssh-agent on the initial shell.
• X: ~/.xsession (often enabled by default).
Multiple keys:
  ssh-add keyfile
  ssh-add -l
Remove keys:
  ssh-add -d keyfile
  ssh-add -D

Remote Access when Server is Down

Problem: No network access to host.
Solutions:
– Go to the computer room and bring the host up.
– Specialized hardware (network boot / power).
– Virtual machines.
– Console servers.

Console Servers

Console
– Main I/O device for a computer.
– Historically: serial terminal.
– Typically: keyboard/mouse/screen.
Server allows access to multiple consoles.
– Console access: BIOS, bootloader, kernel.
– Eliminates need for keyboards, mice, monitors.
– Serial line to each machine from the server.
– One user has R/W, other users have R access.

Console Hardware

Console server solutions
– Commercial: Cisco, Cyclades, Xyplex
– Open source: Conserver + serial expander card
Hardware issues
– Connectors: DB-9, DB-25, RJ-45
– Encoding: 8N1, 7E1
– Speeds: 9600 – 230k
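
What the 8N1 / 7E1 encodings above actually mean on the serial line, as an added example (not code from the course or from Conserver). The functions frame_byte and decode_frame are this example's own; they build and read one character frame bit by bit, and mismatch_demo shows why a console configured for the wrong encoding prints garbage instead of failing cleanly.

```python
"""Added example (not from the course or Conserver): what a console server's
"8N1" / "7E1" setting means, bit by bit, and why a mismatch shows up as garbage."""
import re

def parse_framing(spec):
    """'8N1' -> (8 data bits, 'N' parity, 1 stop bit); parity is N(one), E(ven) or O(dd)."""
    m = re.fullmatch(r"([5-8])([NEO])([12])", spec.upper())
    if not m:
        raise ValueError(f"unrecognised framing {spec!r}")
    return int(m.group(1)), m.group(2), int(m.group(3))

def frame_byte(value, spec="8N1"):
    """Bits as they go onto the wire: start bit, data LSB first, optional parity, stop bit(s)."""
    data_bits, parity, stop_bits = parse_framing(spec)
    if not 0 <= value < (1 << data_bits):
        raise ValueError(f"{value:#x} does not fit in {data_bits} data bits")
    data = [(value >> i) & 1 for i in range(data_bits)]
    bits = [0] + data                     # start bit is a 0 (space)
    if parity == "E":
        bits.append(sum(data) % 2)        # even parity: make the total number of 1s even
    elif parity == "O":
        bits.append(1 - sum(data) % 2)    # odd parity: make it odd
    return bits + [1] * stop_bits         # stop bits are 1 (mark)

def decode_frame(bits, spec="8N1"):
    """Interpret wire bits with the receiver's settings; returns (byte, parity_ok)."""
    data_bits, parity, stop_bits = parse_framing(spec)
    expected = 1 + data_bits + (parity != "N") + stop_bits
    if len(bits) != expected or bits[0] != 0:
        raise ValueError("framing error: wrong length or no start bit")
    data = bits[1:1 + data_bits]
    value = sum(b << i for i, b in enumerate(data))
    idx = 1 + data_bits
    parity_ok = True
    if parity != "N":
        want = sum(data) % 2 if parity == "E" else 1 - sum(data) % 2
        parity_ok = bits[idx] == want
        idx += 1
    if any(b != 1 for b in bits[idx:]):
        raise ValueError("framing error: stop bit not seen (speed or format mismatch?)")
    return value, parity_ok

def chars_per_second(baud, spec="8N1"):
    """Baud counts wire bits, so each character costs the full frame length (10 bits here)."""
    return baud / len(frame_byte(0, spec))

def mismatch_demo(value=0x43, sender="7E1", receiver="8N1"):
    """Send one byte with one setting, read it with another: same bit count, wrong byte."""
    return decode_frame(frame_byte(value, sender), receiver)
```

Both 7E1 and 8N1 are 10-bit frames, so a receiver set to the wrong one still finds a start and stop bit in the right places and simply mis-reads the parity bit as data; 'C' (0x43) sent as 7E1 arrives as 0xC3 on an 8N1 console, which is why a mismatched console shows high-bit characters rather than a clear error.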

X-Windows

Server
– Handles user input and graphical display.
– Runs on the machine with the display unit.
Clients (applications)
– Can run on a different machine than the server.
  • Set DISPLAY env var.
  • Use -display option.

Window Manager

X client that provides features like:
– Move, resize, iconify, and kill windows.
– Window title bars.
– Popup menus.
Example window managers
– twm: Tab, primitive early window manager.
– mwm: Motif, found on commercial UNIXes.
– fvwm: Free, fast, very customizable.
– WindowMaker: NeXT-like, see also AfterStep.

TWM Screenshot

FVWM Screenshot

WindowMaker

Desktops

CDE: Common desktop environment for commercial UNIXes.
Gnome: Standard desktop based on GTK+.
KDE: Windows-like free desktop based on QT.
Xfce: Lightweight desktop, also based on GTK+.

X-Windows Security

Why do we need security?
• An evil client can capture/create any X events.
• Even if you're not using any network clients!
Host authentication
• Limit who can start clients by IP address.
• Set by the xhost + or xhost - commands.
Token authentication
• Only clients with the token can access the server.
• Set by the xauth command.

X-Windows Security

Tunneling + host authentication:
• All clients appear to be from localhost.
• Therefore disable remote clients with xhost -
• Use the ssh client to tunnel X: ssh -X host
• Server must have X11Forwarding set to yes.
• Use echo $DISPLAY to test if X forwarding is on.
• Note that local users can still attack the X session.

VNC: Virtual Network Computing

Why VNC?

1. Remote desktop access.
2. Helpdesk: control a remote desktop.
3. Persistent desktop.
4. Use the same desktop from multiple clients.
5. Need Linux access from Windows.
6. Need Windows access from Linux.

What is VNC?

• Open remote desktop protocol.
• Many implementations
  – RealVNC: VNC from the original researchers.
  – TightVNC: VNC with high compression.
  – VNCj: Java VNC, can run within a web browser.
  – PalmVNC: VNC for Palm Pilots.
  – UltraVNC: enhanced VNC, only for Windows.

Using VNC

1. Start VNC server:
   UNIX: vncserver
   Win: Start menu > Programs > RealVNC > VNCServer
2. Write down the server name and display number. It will look something like unix3:1
3. Start VNC client:
   UNIX: vncviewer
   Win: Start menu > Programs > RealVNC > VNCViewer
4. Enter the server and display to connect to (from step 2).
5. A VNC remote desktop should appear.

Configuring and Troubleshooting

• On UNIX, VNC stores files under ~/.vnc
• Configuration: xstartup
  – Indicates which X clients to start with the server.
  – Typically includes the vncconfig application.
• Configuration: passwd
  – Contains the VNC server session password.
• Log files: host:display#.log
  – Any errors should appear in these logs.

Securing VNC

VNC does not provide encryption. Use ssh tunneling to encrypt login + data:
  ssh -L 5901:remotehost:5901 remotehost
  vncviewer localhost:1

Tunneling

Tunneling: encapsulation of one network protocol in another protocol.
– Carrier Protocol: protocol used by the network through which the information is travelling.
– Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around the original data.
– Passenger Protocol: protocol that carries the original data.

ssh Tunneling

SSH can tunnel TCP connections:
– Carrier Protocol: IP
– Encapsulating Protocol: ssh
– Passenger Protocol: TCP on a specific port
POP-3 forwarding:
  ssh -L 110:pop3host:110 -l user pop3host
– Uses ssh to login to pop3host as user.
– Creates a tunnel from port 110 (leftmost port #) on localhost to port 110 (rightmost port #) of pop3host.
– User configures the mail client to use localhost as the POP3 server, then proceeds as normal.
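
The local-forwarding leg of ssh -L, as used for POP-3 above and for VNC on the Securing VNC slide, as an added example (not code from the course or from OpenSSH). parse_forward_spec reads the same [bind_address:]port:host:hostport form that ssh -L takes, and start_forwarder is a plain TCP relay that opens the leftmost port locally and connects each client to host:hostport; what it deliberately omits is the encrypted ssh hop to sshd, which is the whole reason the tunnel protects the passenger protocol. The echo server stands in for the remote service and the function names are this example's own.

```python
"""Added example (not from the course or OpenSSH): the local-forwarding leg of
'ssh -L' as a plain TCP relay, plus a parser for the port:host:hostport spec.
Real ssh encrypts the hop to sshd; this relay shows only the forwarding semantics."""
import socket
import threading

def parse_forward_spec(spec):
    """Parse ssh -L's [bind_address:]port:host:hostport.
    The leftmost port is opened locally; the rightmost is the destination port."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = ("localhost", *parts)  # ssh binds loopback by default
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"expected [bind:]port:host:hostport, got {spec!r}")
    return {"bind": bind, "port": int(port), "host": host, "hostport": int(hostport)}

def _pump(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _serve(listener, on_accept):
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return  # listener closed
        on_accept(conn)

def start_forwarder(spec):
    """Listen on bind:port; for each client connect to host:hostport and relay both ways.
    Returns the listening socket; pass it to stop() to end forwarding."""
    fwd = parse_forward_spec(spec)
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((fwd["bind"], fwd["port"]))
    listener.listen()

    def on_accept(client):
        upstream = socket.create_connection((fwd["host"], fwd["hostport"]))
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=_serve, args=(listener, on_accept), daemon=True).start()
    return listener

def start_echo_server():
    """Constructed stand-in for the remote service (the 'pop3host:110' end)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    echo = lambda c: threading.Thread(target=_pump, args=(c, c), daemon=True).start()
    threading.Thread(target=_serve, args=(srv, echo), daemon=True).start()
    return srv

def stop(listener):
    try:
        listener.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    listener.close()

def send_through(local_port, payload):
    """Act as the mail client: talk to localhost:port and collect the far end's reply."""
    with socket.create_connection(("127.0.0.1", local_port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def demo():
    """Forward an ephemeral local port to the echo server and send one line through it."""
    echo = start_echo_server()
    tunnel = start_forwarder(f"127.0.0.1:0:127.0.0.1:{echo.getsockname()[1]}")
    try:
        return send_through(tunnel.getsockname()[1], b"USER jw\r\n")
    finally:
        stop(tunnel)
        stop(echo)
```

Run demo() to see the relay carry a line to the stand-in server and back; with real ssh the same client-side experience (connect to localhost:110) is what the mail client gets, but the bytes between the ssh client and sshd travel inside the encrypted session rather than across a plain socket.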

NX

Advantages over VNC:
• Speed: fast enough to use over dialup.
• Built-in ssh encryption.
Disadvantages:
• Immature code; hard to install and set up.
• GPL client/server for Linux only.
• Free Windows client; commercial server.
