CIT 470: Advanced Network and System Administration
Remote Administration
CIT 470: Advanced Network and System Administration Slide #1
Topics
1. Network Access
2. SSH
3. Key-based Authentication
4. Console Access
5. X-Windows
6. VNC and NX
7. SSH tunneling
Network Access
Most tasks can be done from the shell.
– File management.
– Disk/volume management.
– Troubleshooting and viewing logs.
– Installing/removing software.
– Start/stop network services.
– Reboot/shutdown.
All we need is a way to invoke a shell across the network.
telnet
Ubiquitous network terminal protocol
  telnet hostname
Similar protocols
  rlogin -l user hostname
  rsh -l user hostname command
Insecure
– Data, including passwords, sent in the clear.
– rlogin/rsh use ~/.rhosts for access w/o passwords.
ssh
Secure Shell
Replaces: telnet, ftp, rlogin, rsh, rcp
SSH Security Features
SSH: Protocols and Products
Protocols
• SSH v1
  – Insecure, obsolete.
  – Do not use.
• SSH v2
  – Current version.
Products
• OpenSSH
• SSH Tectia
• F-secure SSH
• Putty
• WinSCP
SSH Features
Secure login
  ssh -l user host
Secure remote command execution
  ssh -l user host command
Secure file transfer
  sftp user@host
  scp file user@host:/tmp/myfile
Port forwarding
  ssh -L 110:localhost:110 mailhost
The Problem of Passwords
1. Good passwords are hard to remember.
2. Password transferred to remote system.
3. Automating remote access with passwords is difficult.
Public Key Cryptography
Two keys
– Private key known only to owner.
– Public key available to anyone.
Applications
– Confidentiality:
  • Sender enciphers using recipient’s public key,
  • Receiver deciphers using their private key.
– Integrity/authentication:
  • Sender enciphers using own private key,
  • Recipient deciphers using sender’s public key.
Key-based Authentication
SSH uses public-key authentication
– Private key stored in your machine.
– Public key stored on remote machines.
Public-key login protocol
1. Client sends server a login request.
2. Server issues a challenge.
3. Client responds with computation based on challenge and private key.
4. Server checks response with public key.
Using key-based authentication
1. Generate a public/private key pair.
   ssh-keygen
   Key files: id_rsa (private key, encrypted with your passphrase), id_rsa.pub (public key)
2. Copy public key to remote host
   Append it to ~/.ssh/authorized_keys.
3. Login to remote host
   ssh -l user remote
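Added example, not from the slides: a shell audit of the file modes OpenSSH enforces on the files from steps 1 and 2, which is the first thing to check when a freshly installed key still prompts for a password. The directory argument and the default of $HOME/.ssh are assumptions; the only external commands used are stat and the shell.

```shell
#!/bin/sh
# Added example, not from the slides: check the permissions OpenSSH enforces
# around key-based login. The ssh client refuses a private key readable by
# group/others ("UNPROTECTED PRIVATE KEY FILE"), and sshd with StrictModes
# (the default) ignores authorized_keys when it or ~/.ssh is group/world
# writable, so a key that "does not work" is often just a mode problem.
# Usage: audit_ssh_dir [DIR]   (DIR defaults to $HOME/.ssh)
# Prints one WARN line per finding; the return code is the finding count.

# mode_of FILE -> permission bits in octal, e.g. 600 (GNU stat, then BSD stat)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# bad_bits MODE MASK -> true when MODE has any bit of the octal MASK set
bad_bits() {
    [ $(( 0$1 & 0$2 )) -ne 0 ]
}

audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    findings=0
    [ -d "$dir" ] || { echo "ERROR: $dir does not exist"; return 1; }
    # ~/.ssh must not be group/world writable (mask 022), otherwise
    # StrictModes makes sshd ignore the keys inside it.
    if bad_bits "$(mode_of "$dir")" 022; then
        echo "WARN: $dir is group/world writable"; findings=$((findings + 1))
    fi
    # Same rule for authorized_keys on the server side.
    if [ -f "$dir/authorized_keys" ] && bad_bits "$(mode_of "$dir/authorized_keys")" 022; then
        echo "WARN: $dir/authorized_keys is group/world writable"; findings=$((findings + 1))
    fi
    # Private keys (id_* without .pub) must have no group/other bits at all (mask 077).
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac
        if bad_bits "$(mode_of "$key")" 077; then
            echo "WARN: private key $key is readable by others (mode $(mode_of "$key"))"
            findings=$((findings + 1))
        fi
    done
    return $findings
}
```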
Keys are more secure than Passwords
1. Need to have two items to login: key file and passphrase.
2. Neither key nor passphrase is sent to remote host.
3. Machine-generated cryptographic keys are infeasible to guess, unlike passwords.
SSH Agent
Problem: you have to enter passphrase to decrypt the key each time you use ssh.
Solution: SSH Agent
> ssh-agent $SHELL
> ssh-add
Enter passphrase for /home/jw/.ssh/id_dsa: ********
Identity added: /home/jw/.ssh/id_dsa (/home/jw/.ssh/id_dsa)
> ssh -l jw host
SSH Agent Features
Agent support for entire session.
– Start ssh-agent on initial shell.
– X: ~/.xsession (Often enabled by default.)
Multiple keys
  ssh-add keyfile
  ssh-add -l
Remove keys
  ssh-add -d keyfile
  ssh-add -D
Remote Access when Server is Down
Problem: No network access to host.
Solutions:
– Go to computer room and bring host up.
– Specialized hardware (network boot / power).
– Virtual machines.
– Console servers.
Console Servers
Console
– Main I/O device for computer.
– Historically: serial terminal.
– Typically: keyboard/mouse/screen.
Server allows access to multiple consoles.
– Console access: BIOS, Bootloader, Kernel
– Eliminates need for keyboards, mice, monitors.
– Serial line to each machine from server.
– One user has R/W, other users have R access.
Console Hardware
Console servers solution
– Commercial: Cisco, Cyclades, Xyplex
– Open source: Conserver + serial expander card
Hardware issues
– Connectors: DB-9, DB-25, RJ-45
– Encoding: 8N1, 7E1
– Speeds: 9600 – 230k
X-Windows
Server
– Handles user input and graphical display.
– Runs on the machine with display unit.
Clients (applications)
– Can run on a different machine than server.
  • Set DISPLAY env var.
  • Use -display option.
Window Manager
X client that provides features like:
– Move, resize, iconify, and kill windows.
– Window title bars.
– Popup menus.
Example window managers
– twm: Tab, primitive early window manager
– mwm: Motif, found on commercial UNIXes
– fvwm: Free, fast, very customizable.
– WindowMaker: NeXT-like, see also AfterStep.
TWM Screenshot
FVWM Screenshot
WindowMaker Screenshot
Desktops
CDE: Common desktop env for commercial UNIXes.
Gnome: Standard Linux desktop based on GTK+.
KDE: Windows-like free desktop based on QT.
Xfce: Lightweight desktop, also based on GTK+.
X-Windows Security
Why do we need security?
– An evil client can capture/create any X events.
– Even if you’re not using any network clients!
Host authentication
– Limit who can start clients by IP address.
– Set by xhost + or xhost - commands.
Token authentication
– Only clients with token can access server.
– Set by the xauth command.
X-Windows Security
Tunneling + host authentication.
– All clients appear to be from localhost.
– Therefore disable remote clients with xhost -
Use ssh client to tunnel X: ssh -X host
– Server must have X11Forwarding set to yes.
– Use echo $DISPLAY to test if X forwarding is on.
Note that local users can still attack X session.
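Added example, not from the slides: two shell checks for the points above. xhost_audit reads xhost output from stdin (so a captured sample can be checked offline) and warns when xhost + has left access control disabled; display_forwarded applies the echo $DISPLAY test. The threshold of 10 assumes sshd's default X11DisplayOffset, and the xhost entry prefixes are the ones xhost prints.

```shell
#!/bin/sh
# Added example, not from the slides. Two checks for the X security points above.
# xhost_audit reads the output of the "xhost" command from stdin and warns if
# "xhost +" has disabled access control, listing the client entries xhost prints
# (INET:, INET6:, SI:, LOCAL:).
# Usage: xhost | xhost_audit        exit status 1 when access control is off.
xhost_audit() {
    state=unknown; allowed=""
    while IFS= read -r line; do
        case $line in
            "access control disabled"*) state=disabled ;;
            "access control enabled"*)  state=enabled ;;
            INET:*|INET6:*|SI:*|LOCAL:*) allowed="$allowed $line" ;;
        esac
    done
    if [ "$state" = disabled ]; then
        echo "WARN: access control is disabled (xhost +); any host may connect:$allowed"
        return 1
    fi
    echo "ok: access control $state; allowed clients:$allowed"
}

# display_forwarded DISPLAY -> true when DISPLAY looks like an ssh -X tunnel.
# sshd forwards X11 through a loopback display numbered from X11DisplayOffset
# (default 10), so "localhost:10.0" is a tunnel while ":0" is the local server.
# Usage: display_forwarded "$DISPLAY" && echo "X is tunneled over ssh"
display_forwarded() {
    case $1 in localhost:*) ;; *) return 1 ;; esac
    num=${1#localhost:}; num=${num%%.*}
    case $num in ''|*[!0-9]*) return 1 ;; esac
    [ "$num" -ge 10 ]
}
```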
VNC: Virtual Network Computing
Why VNC?
1. Remote desktop access.
2. Helpdesk: control a remote desktop.
3. Persistent desktop.
4. Use same desktop from multiple clients.
5. Need Linux access from Windows.
6. Need Windows access from Linux.
What is VNC?
• Open remote desktop protocol.
• Many implementations
  – RealVNC: VNC from original researchers.
  – TightVNC: VNC with high compression.
  – VNCj: Java VNC, can run within web browser.
  – PalmVNC: VNC for Palm Pilots.
  – UltraVNC: enhanced VNC, only for Windows.
Using VNC
1. Start VNC server
   UNIX: vncserver
   Win: Start menu > Programs > RealVNC > VNCServer
2. Write down server name and display number.
   It will look something like unix3:1
3. Start VNC client
   UNIX: vncviewer
   Win: Start menu > Programs > RealVNC > VNCViewer
4. Enter server and display to connect to (from step 2).
5. A VNC remote desktop should appear.
Configuring and Troubleshooting
• On UNIX, VNC stores files under ~/.vnc
• Configuration: xstartup
  – Indicates which X clients to start with server.
  – Typically includes vncconfig application.
• Configuration: passwd
  – Contains VNC server session password.
• Log files: host:display#.log
  – Any errors should appear in these logs.
Securing VNC
VNC does not provide encryption.
Use ssh tunneling to encrypt login + data:
  ssh -L 5901:remotehost:5901 remotehost
  vncviewer localhost:1
Tunneling
Tunneling: Encapsulation of one network protocol in another protocol
– Carrier Protocol: protocol used by network through which the information is travelling
– Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around original data
– Passenger Protocol: protocol that carries original data
ssh Tunneling
SSH can tunnel TCP connections
– Carrier Protocol: IP
– Encapsulating Protocol: ssh
– Passenger Protocol: TCP on a specific port
POP-3 forwarding
  ssh -L 110:pop3host:110 -l user pop3host
– Uses ssh to login to pop3host as user
– Creates tunnel from port 110 (leftmost port #) on localhost to port 110 (rightmost port #) of pop3host
– User configures mail client to use localhost as POP3 server, then proceeds as normal
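Added example, not from the slides, covering this -L syntax and the VNC tunnel on the Securing VNC slide: a shell function that reads a forwarding spec in the slide's leftmost/rightmost terms and flags a local port that needs root, a bind address that is not loopback, and a localhost target that is resolved on the ssh server rather than your machine. The host names are the slides' own examples; the function only parses, it does not open a connection.

```shell
#!/bin/sh
# Added example, not from the slides: read an "ssh -L" specification the way
# the slide does (leftmost port = local side, rightmost port = remote side) and
# flag common mistakes. SPEC is [bind:]port:host:hostport exactly as ssh
# accepts it; SSH_HOST is the host you log in to (run ssh with -N when the
# session is only a tunnel).
# Usage: forward_plan SPEC SSH_HOST
# Output: "<bind>:<lport> -> <ssh_host> -> <host>:<hostport>" then WARN/NOTE lines.
forward_plan() {
    spec=$1; ssh_host=$2
    n=$(printf '%s\n' "$spec" | awk -F: '{ print NF }')
    case $n in
        3) bind=127.0.0.1; lport=${spec%%:*}; rest=${spec#*:} ;;   # ssh's default bind
        4) bind=${spec%%:*}; rest=${spec#*:}; lport=${rest%%:*}; rest=${rest#*:} ;;
        *) echo "ERROR: expected [bind:]port:host:hostport, got '$spec'"; return 2 ;;
    esac
    rhost=${rest%%:*}; rport=${rest#*:}
    for p in "$lport" "$rport"; do
        case $p in ''|*[!0-9]*) echo "ERROR: port '$p' is not a number"; return 2 ;; esac
    done
    echo "$bind:$lport -> $ssh_host -> $rhost:$rport"
    # Local ports below 1024 can only be bound by root; any high port works too.
    if [ "$lport" -lt 1024 ]; then
        echo "WARN: local port $lport needs root to bind; e.g. use $((lport + 10000)) instead"
    fi
    # The default bind is loopback. An empty bind, "*", "0.0.0.0" or an interface
    # address (like -g) lets every host on your network use the tunnel.
    case $bind in
        127.0.0.1|localhost) ;;
        *) echo "WARN: bind address '$bind' exposes the tunnel to other hosts" ;;
    esac
    # host:hostport is resolved by the ssh server, not by your machine.
    case $rhost in
        localhost|127.0.0.1)
            echo "NOTE: $rhost is resolved on $ssh_host, so the target is port $rport on $ssh_host itself" ;;
    esac
    return 0
}
```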
NX
Advantages over VNC:
– Speed: fast enough to use over dialup.
– Built-in ssh encryption.
Disadvantages:
– Immature code; hard to install + set up.
– GPL client/server for Linux only.
– Free Windows client; commercial server.