CIT 470: Advanced Network and System Administration
Remote Administration

Slide 2: Topics
1. Network Access
2. SSH
3. Key-based Authentication
4. Console Access
5. X-Windows
6. VNC and NX
7. SSH tunneling

Slide 3: Network Access
Most tasks can be done from the shell:
• File management.
• Disk/volume management.
• Troubleshooting and viewing logs.
• Installing/removing software.
• Start/stop network services.
• Reboot/shutdown.
All we need is a way to invoke a shell across the network.

Slide 4: telnet
Ubiquitous network terminal protocol:
    telnet hostname
Similar protocols:
    rlogin -l user hostname
    rsh -l user hostname command
Insecure:
• Data, including passwords, sent in the clear.
• rlogin/rsh use ~/.rhosts for access without passwords.

Slide 5: ssh
Secure Shell replaces telnet, ftp, rlogin, rsh and rcp.

Slide 6: SSH Security Features

Slide 7: SSH: Protocols and Products
Protocols:
• SSH v1: insecure, obsolete. Do not use.
• SSH v2: current version.
Products:
• OpenSSH
• SSH Tectia
• F-Secure SSH
• PuTTY
• WinSCP

Slide 8: SSH Features
Secure login:
    ssh -l user host
Secure remote command execution:
    ssh -l user host command
Secure file transfer:
    sftp user@host
    scp file user@host:/tmp/myfile
Port forwarding:
    ssh -L 110:localhost:110 mailhost

Slide 9: The Problem of Passwords
1. Good passwords are hard to remember.
2. The password is transferred to the remote system.
3. Automating remote access with passwords is difficult.

Slide 10: Public Key Cryptography
Two keys:
– Private key known only to the owner.
– Public key available to anyone.
Applications:
– Confidentiality:
  • Sender enciphers using the recipient's public key,
  • Receiver deciphers using their private key.
– Integrity/authentication:
  • Sender enciphers using their own private key,
  • Recipient deciphers using the sender's public key.

Slide 11: Key-based Authentication
SSH uses public-key authentication:
• Private key stored on your machine.
• Public key stored on remote machines.
Public-key login protocol:
1. Client sends the server a login request.
2. Server issues a challenge.
3. Client responds with a computation based on the challenge and its private key.
4. Server checks the response with the public key.

Slide 12: Using key-based authentication
1. Generate a public/private key pair:
    ssh-keygen
   Key files: id_rsa (private key, encrypted with your passphrase) and id_rsa.pub (public key).
2. Copy the public key to the remote host:
   Append it to ~/.ssh/authorized_keys.
3. Log in to the remote host:
    ssh -l user remote

Slide 13: Keys are more secure than Passwords
1. Need to have two items to log in: the key file and the passphrase.
2. Neither the key nor the passphrase is sent to the remote host.
3. Machine-generated cryptographic keys are infeasible to guess, unlike passwords.

Slide 14: SSH Agent
Problem: you have to enter the passphrase to decrypt the key each time you use ssh.
Solution: SSH Agent
    > ssh-agent $SHELL
    > ssh-add
    Enter passphrase for /home/jw/.ssh/id_dsa: ********
    Identity added: /home/you/.ssh/id_dsa (/home/jw/.ssh/id_dsa)
    > ssh -l jw host

Slide 15: SSH Agent Features
Agent support for the entire session:
• Start ssh-agent on the initial shell.
• X: ~/.xsession (often enabled by default).
Multiple keys:
    ssh-add keyfile
    ssh-add -l
Remove keys:
    ssh-add -d keyfile
    ssh-add -D

Slide 16: Remote Access when Server is Down
Problem: No network access to the host.
Solutions:
– Go to the computer room and bring the host up.
– Specialized hardware (network boot / power).
– Virtual machines.
– Console servers.

Slide 17: Console Servers
Console:
– Main I/O device for the computer.
– Historically: serial terminal.
– Typically: keyboard/mouse/screen.
A console server allows access to multiple consoles:
– Console access: BIOS, bootloader, kernel.
– Eliminates the need for keyboards, mice, monitors.
– Serial line to each machine from the server.
– One user has R/W access, other users have R access.

Slide 18: Console Hardware
Console server solutions:
– Commercial: Cisco, Cyclades, Xyplex
– Open source: Conserver + serial expander card
Hardware issues:
– Connectors: DB-9, DB-25, RJ-45
– Encoding: 8N1, 7E1
– Speeds: 9600 to 230k

Slide 19: X-Windows
Server:
– Handles user input and graphical display.
– Runs on the machine with the display unit.
Clients (applications):
– Can run on a different machine than the server.
  • Set the DISPLAY environment variable.
  • Use the -display option.

Slide 20: Window Manager
X client that provides features like:
– Move, resize, iconify, and kill windows.
– Window title bars.
– Popup menus.
Example window managers:
– twm: Tab, primitive early window manager
– mwm: Motif, found on commercial UNIXes
– fvwm: Free, fast, very customizable.
– WindowMaker: NeXT-like, see also AfterStep.

Slide 21: TWM Screenshot

Slide 22: FVWM Screenshot

Slide 23: WindowMaker Screenshot

Slide 24: Desktops
CDE: Common Desktop Environment for commercial UNIXes.
Gnome: Standard Linux desktop based on GTK+.
KDE: Windows-like free desktop based on Qt.
Xfce: Lightweight desktop, also based on GTK+.
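For step 2 of Slide 12 (copying the public key into ~/.ssh/authorized_keys), an added shell example that is not from the slides: it checks the shape of the key line, skips duplicates, and leaves the directory and file with the 700/600 modes sshd's StrictModes expects. SAMPLE_KEY is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the lecture slides): install a public key into an
# authorized_keys file safely. Pure POSIX sh plus grep/find; ssh is not run.

# Constructed sample key line for demonstration only; the base64 part is not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXA cit470-example'

# True if the line looks like an OpenSSH public key: key type, base64 blob, optional comment.
is_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_pubkey KEYLINE AUTHFILE: append KEYLINE to AUTHFILE unless it is already there.
# Returns 1 for a malformed key line so a stray paste never lands in the file.
install_pubkey() {
    key=$1
    auth=$2
    dir=$(dirname "$auth")
    is_pubkey_line "$key" || { echo "refusing malformed key line" >&2; return 1; }
    # umask 077: the directory and file are never group/world readable, even briefly
    (umask 077 && mkdir -p "$dir" && touch "$auth") || return 1
    # sshd (StrictModes yes, the default) ignores the file if these modes are looser
    chmod 700 "$dir" && chmod 600 "$auth" || return 1
    if grep -qxF -- "$key" "$auth"; then      # -x whole line, -F literal match
        echo "already present: $auth"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "added to: $auth"
    fi
}

# count_keys AUTHFILE: number of key lines (blank lines and # comments ignored).
count_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true   # grep exits 1 when the count is 0
}
```

Run install_pubkey twice with the same key and count_keys still reports one entry, which is the check you want before automating key distribution.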
Slide 25: X-Windows Security
Why do we need security? An evil client can capture/create any X events, even if you're not using any network clients!
Host authentication:
– Limit who can start clients by IP address.
– Set by the xhost + or xhost - commands.
Token authentication:
– Only clients with the token can access the server.
– Set by the xauth command.

Slide 26: X-Windows Security
Tunneling + host authentication:
• All clients appear to be from localhost.
• Therefore disable remote clients with xhost -
• Use the ssh client to tunnel X:
    ssh -X host
• The server must have X11Forwarding set to yes.
• Use echo $DISPLAY to test whether X forwarding is on.
• Note that local users can still attack the X session.

Slide 27: VNC: Virtual Network Computing

Slide 28: Why VNC?
1. Remote desktop access.
2. Helpdesk: control a remote desktop.
3. Persistent desktop.
4. Use the same desktop from multiple clients.
5. Need Linux access from Windows.
6. Need Windows access from Linux.

Slide 29: What is VNC?
• Open remote desktop protocol.
• Many implementations:
– RealVNC: VNC from the original researchers.
– TightVNC: VNC with high compression.
– VNCj: Java VNC, can run within a web browser.
– PalmVNC: VNC for Palm Pilots.
– UltraVNC: enhanced VNC, only for Windows.

Slide 30: Using VNC
1. Start the VNC server.
   UNIX: vncserver
   Win: Start menu > Programs > RealVNC > VNC Server
2. Write down the server name and display number. It will look something like unix3:1
3. Start the VNC client.
   UNIX: vncviewer
   Win: Start menu > Programs > RealVNC > VNC Viewer
4. Enter the server and display to connect to (from step 2).
5. A VNC remote desktop should appear.
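To make the echo $DISPLAY check on Slide 26 concrete, an added shell example that is not from the slides: it classifies a DISPLAY value as a local socket, an ssh-forwarded display, or plain X over TCP. It assumes OpenSSH's default X11DisplayOffset of 10, so forwarded displays show up as localhost:10 and above.

```shell
#!/bin/sh
# Added example (not from the lecture slides): decide from DISPLAY alone whether
# X traffic stays on the host, rides inside an ssh -X tunnel, or crosses the
# network unencrypted under xhost-style access control.

# classify_display VALUE: prints local-socket, ssh-forwarded, loopback-tcp,
# tcp-unencrypted or invalid (and returns 1 for invalid).
classify_display() {
    d=$1
    host=${d%%:*}          # text before the first colon; empty for ":0"
    rest=${d#*:}           # "10.0", "0", ...
    [ "$rest" != "$d" ] || { echo invalid; return 1; }   # no colon at all
    num=${rest%%.*}        # drop the ".screen" suffix
    case "$num" in ''|*[!0-9]*) echo invalid; return 1 ;; esac
    case "$host" in
        '')                   echo local-socket ;;        # Unix-domain socket, never leaves the host
        localhost|127.0.0.1)  # assumed default X11DisplayOffset 10: sshd listens on display 10+
            if [ "$num" -ge 10 ]; then echo ssh-forwarded; else echo loopback-tcp; fi ;;
        *)                    echo tcp-unencrypted ;;     # direct TCP to a remote X server
    esac
}

# x_port VALUE: TCP port an X server for this display listens on (6000 + display number).
x_port() {
    rest=${1#*:}
    [ "$rest" != "$1" ] || return 1
    num=${rest%%.*}
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    echo $((6000 + num))
}

# check_current_display: report on the DISPLAY of the calling shell.
check_current_display() {
    kind=$(classify_display "${DISPLAY:-}") || { echo "DISPLAY is unset or malformed"; return 1; }
    case "$kind" in
        tcp-unencrypted) echo "WARNING: DISPLAY=$DISPLAY is plain TCP to port $(x_port "$DISPLAY"); use ssh -X instead" ;;
        *)               echo "DISPLAY=$DISPLAY is $kind" ;;
    esac
}
```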
Slide 31: Configuring and Troubleshooting
• On UNIX, VNC stores files under ~/.vnc
• Configuration: xstartup
  – Indicates which X clients to start with the server.
  – Typically includes the vncconfig application.
• Configuration: passwd
  – Contains the VNC server session password.
• Log files: host:display#.log
  – Any errors should appear in these logs.

Slide 32: Securing VNC
VNC does not provide encryption. Use ssh tunneling to encrypt the login and the data:
    ssh -L 5901:remotehost:5901 remotehost
    vncviewer localhost:1

Slide 33: Tunneling
Tunneling: encapsulation of one network protocol in another protocol.
– Carrier protocol: the protocol used by the network through which the information is travelling.
– Encapsulating protocol: the protocol (GRE, IPsec, L2TP) that is wrapped around the original data.
– Passenger protocol: the protocol that carries the original data.

Slide 34: ssh Tunneling
SSH can tunnel TCP connections:
– Carrier protocol: IP
– Encapsulating protocol: ssh
– Passenger protocol: TCP on a specific port
POP-3 forwarding:
    ssh -L 110:pop3host:110 -l user pop3host
– Uses ssh to log in to pop3host as user.
– Creates a tunnel from port 110 (leftmost port #) on localhost to port 110 (rightmost port #) of pop3host.
– The user configures the mail client to use localhost as the POP3 server, then proceeds as normal.

Slide 35: NX
Advantages over VNC:
• Speed: fast enough to use over dialup.
• Built-in ssh encryption.
Disadvantages:
• Immature code; hard to install and set up.
• GPL client/server for Linux only.
• Free Windows client; commercial server.
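An added shell example, not from the slides, tying Slides 32 and 34 together: it computes the VNC port from a host:display name, emits a loopback-only -L forward for it, and splits any [bind:]lport:rhost:rport spec into its parts with port validation. The vncserver -localhost flag mentioned in the comments is assumed to exist in your VNC server build.

```shell
#!/bin/sh
# Added example (not from the lecture slides). vnc_tunnel_args binds the local
# end to 127.0.0.1 and points the remote end at localhost, so the VNC server can
# listen on loopback only (vncserver -localhost, where supported) and the
# unencrypted VNC traffic never crosses a network. Pure POSIX sh; nothing connects.

# vnc_port N: VNC display N listens on TCP 5900+N (unix3:1 is port 5901).
vnc_port() {
    case "$1" in ''|*[!0-9]*) echo "bad display number: '$1'" >&2; return 1 ;; esac
    echo $((5900 + $1))
}

# vnc_tunnel_args HOST:DISPLAY: prints the ssh arguments for the tunnel, e.g.
# "-L 127.0.0.1:5901:localhost:5901 unix3"; then run vncviewer localhost:DISPLAY.
vnc_tunnel_args() {
    host=${1%%:*}
    disp=${1#*:}
    { [ "$host" != "$1" ] && [ -n "$host" ]; } || { echo "expected host:display, got '$1'" >&2; return 1; }
    port=$(vnc_port "$disp") || return 1
    echo "-L 127.0.0.1:${port}:localhost:${port} ${host}"
}

# parse_forward_spec SPEC: prints "bind lport rhost rport". bind defaults to
# 127.0.0.1, which is what ssh itself does unless GatewayPorts is enabled.
parse_forward_spec() {
    oldifs=$IFS; IFS=:; set -- $1; IFS=$oldifs
    case $# in
        3) bind=127.0.0.1; lport=$1; rhost=$2; rport=$3 ;;
        4) bind=$1; lport=$2; rhost=$3; rport=$4 ;;
        *) echo "bad forward spec: expected [bind:]lport:rhost:rport" >&2; return 1 ;;
    esac
    [ -n "$rhost" ] || { echo "missing remote host" >&2; return 1; }
    for p in "$lport" "$rport"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: '$p'" >&2; return 1 ;; esac
        { [ "$p" -ge 1 ] && [ "$p" -le 65535 ]; } || { echo "port out of range: $p" >&2; return 1; }
    done
    echo "$bind $lport $rhost $rport"
}
```

A local port below 1024, such as the 110 in the POP-3 example, can only be bound by root; pick a high local port and point the mail client at it if you are not.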
