
CIT 470: Advanced Network and System Administration
Remote Administration
CIT 470: Advanced Network and System Administration
Slide #1
Topics
1. Network Access
2. SSH
3. Key-based Authentication
4. Console Access
5. X-Windows
6. VNC and NX
7. SSH tunneling
Network Access
Most tasks can be done from the shell.
File management.
Disk/volume management.
Troubleshooting and viewing logs.
Installing/removing software.
Start/stop network services.
Reboot/shutdown.
All we need is a way to invoke a shell across the network.
telnet
Ubiquitous network terminal protocol
telnet hostname
Similar protocols
rlogin -l user hostname
rsh -l user hostname command
Insecure
Data, including passwords, sent in the clear.
rlogin/rsh use ~/.rhosts for access without passwords: trust rests on the client's hostname/IP and its claimed username, both of which are easy to spoof.
ssh
Secure Shell
Replaces
telnet
ftp
rlogin
rsh
rcp
SSH Security Features
SSH: Protocols and Products
• SSH v1
– Insecure, obsolete.
– Do not use.
• SSH v2
– Current version.
• OpenSSH
• SSH Tectia
• F-Secure SSH
• PuTTY
• WinSCP
SSH Features
Secure login
ssh -l user host
Secure remote command execution
ssh -l user host command
Secure file transfer
sftp user@host
scp file user@host:/tmp/myfile
Port forwarding
ssh -L 110:localhost:110 mailhost
(Local port 110 is relayed through the ssh session to port 110 on mailhost; "localhost" is resolved on the mailhost side. Binding a local port below 1024 requires root, so an unprivileged user would pick a high local port such as 1110.)
The Problem of Passwords
1. Good passwords are hard to remember.
2. Password transferred to remote system.
3. Automating remote access with passwords is difficult.
Public Key Cryptography
Two keys
– Private key known only to owner.
– Public key available to anyone.
Applications
– Confidentiality:
• Sender enciphers using recipient's public key,
• Recipient deciphers using their own private key.
– Integrity/authentication (digital signature):
• Sender signs using own private key,
• Recipient verifies using sender's public key.
Key-based Authentication
SSH uses public-key authentication
Private key stored on your machine (it never leaves it).
Public key stored on remote machines (in ~/.ssh/authorized_keys).
Public-key login protocol
1. Client sends server a login request naming the public key it wants to use.
2. Server issues a challenge. (In SSH v2 the challenge is the session identifier derived from the key exchange, unique to this connection.)
3. Client responds with a signature over the challenge and the request, computed with its private key.
4. Server verifies the signature with the public key, which must be listed in the account's authorized_keys.
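The exchange described above, as an added example that is not code from the slides or from OpenSSH. The key pairs, the server's session identifier and the authorized_keys table are constructed here, and the RSA signature is a toy textbook implementation on the standard library only (no padding, 512-bit modulus), so it is not usable as a real signature scheme. What it mirrors from RFC 4252 is the shape of the exchange: the server holds only public keys, the client signs a request that includes the per-connection session identifier, and a signature captured in one session is useless in another.

```python
"""SSH-2 style public-key user authentication, simulated end to end.

Added example (not from the slides or OpenSSH).  Keys, session ids and the
authorized_keys table are constructed; the RSA signature is a toy textbook
implementation (no padding) and must not be used as a real scheme.
"""
import hashlib
import secrets
import struct

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test (adequate for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Toy RSA key pair: public=(n, e), private=(n, d)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _ssh_string(b):
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def public_key_blob(pub):
    n, e = pub
    return _ssh_string(b"toy-rsa") + _ssh_string(str(e).encode()) + _ssh_string(str(n).encode())

def signed_data(session_id, user, pub):
    """The fields RFC 4252 has the client sign for a 'publickey' request."""
    return (_ssh_string(session_id) + b"\x32"              # SSH_MSG_USERAUTH_REQUEST (50)
            + _ssh_string(user.encode()) + _ssh_string(b"ssh-connection")
            + _ssh_string(b"publickey") + b"\x01"          # "signature present" flag
            + _ssh_string(b"toy-rsa") + _ssh_string(public_key_blob(pub)))

def client_sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def server_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

class Server:
    def __init__(self, authorized):
        self.authorized = authorized                  # {user: [pub, ...]}: the authorized_keys table
        self.session_id = secrets.token_bytes(32)    # stands in for the KEX-derived session id

    def userauth_request(self, user, pub, sig):
        if pub not in self.authorized.get(user, []):  # key not authorized for this account
            return False
        return server_verify(pub, signed_data(self.session_id, user, pub), sig)

def login(server, user, pub, priv):
    """Client side: sign the session-bound request; the private key never leaves here."""
    sig = client_sign(priv, signed_data(server.session_id, user, pub))
    return server.userauth_request(user, pub, sig), sig

def demo():
    pub, priv = generate_keypair()
    stranger_pub, stranger_priv = generate_keypair()
    s1 = Server({"jw": [pub]})
    ok, sig = login(s1, "jw", pub, priv)
    s2 = Server({"jw": [pub]})                         # a later connection: fresh session id
    return {
        "ok": ok,
        "wrong_key": login(s1, "jw", stranger_pub, stranger_priv)[0],
        "wrong_user": login(s1, "root", pub, priv)[0],
        "replay": s2.userauth_request("jw", pub, sig),  # old signature against the new session
    }
```

Run `demo()`: the genuine login succeeds, a key missing from authorized_keys and a login to an account the key is not listed under both fail, and the captured signature fails on the second connection because the session identifier it covers has changed. Real OpenSSH adds what the toy leaves out: standardised signature encodings (rsa-sha2-256, ssh-ed25519), key-type negotiation, and the host-key check that binds the session identifier to the server.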
Using key-based authentication
1. Generate a public/private key pair.
ssh-keygen
Key files: id_rsa (private, encrypted with your passphrase) and id_rsa.pub (public, not secret).
Modern OpenSSH: ssh-keygen -t ed25519; DSA keys (id_dsa) are disabled by default since OpenSSH 7.0.
2. Copy public key to remote host
Append it to ~/.ssh/authorized_keys on the remote host (ssh-copy-id user@remote does this for you).
3. Login to remote host
ssh -l user remote
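Step 2, automated, as an added example that is not code from the slides or from OpenSSH. It appends a public key to ~/.ssh/authorized_keys the way ssh-copy-id does, and also enforces what sshd's default StrictModes check requires before it will trust the file: ~/.ssh and authorized_keys must not be group- or world-writable (0700 and 0600 here). The sample key lines, the home directory and the restriction set are constructed; the option syntax (from=, command=, no-pty, ...) is the real authorized_keys syntax from sshd(8) and is what you want on any key used by an automated job.

```python
"""Install a public key into ~/.ssh/authorized_keys the way sshd expects.

Added example (not from the slides or OpenSSH).  Sample key lines and the
home directory are constructed; the options prefix uses sshd(8) syntax.
"""
import os
import tempfile
from pathlib import Path

# Constructed sample lines; the base64 blobs are not real keys.
LAPTOP_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBlobNotRealAAAAAAAAAAAAAAAAA jw@laptop"
BACKUP_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherExampleBlobNotRealAAAAAAAAAAAAAAAA backup@nas"
# Restrictions for an automation key: one source subnet, one command, no tunnels, no tty.
RESTRICTIONS = ['from="10.0.0.0/8"', 'command="/usr/local/bin/backup --receive"',
                "no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding", "no-pty"]
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def parse_line(line):
    """Split an authorized_keys line into (options, keytype, key_b64, comment); None if not a key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPES):
        # options run up to the first space outside double quotes (quoted values may contain spaces)
        quoted, i = False, 0
        while i < len(line) and (quoted or line[i] != " "):
            if line[i] == '"' and (i == 0 or line[i - 1] != "\\"):
                quoted = not quoted
            i += 1
        options, line = line[:i], line[i:].strip()
    parts = line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPES):
        return None
    return options, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")

def install_key(home, pubkey_line, options=()):
    """Append the key (prefixed with options) unless that key is already present.
    Returns True if it was added, False if it was already there."""
    new = parse_line(pubkey_line)
    if new is None:
        raise ValueError("not a public key line")
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)                        # mkdir's mode is subject to umask; force it
    ak = ssh_dir / "authorized_keys"
    existing = [parse_line(l) for l in ak.read_text().splitlines()] if ak.exists() else []
    added = not any(e and e[1:3] == new[1:3] for e in existing)   # same type + blob == same key
    if added:
        prefix = ",".join(options) + " " if options else ""
        with ak.open("a") as f:
            f.write(prefix + pubkey_line.strip() + "\n")
    os.chmod(ak, 0o600)                             # sshd (StrictModes yes) rejects looser modes
    return added

def check_permissions(home):
    """Part of sshd's StrictModes test: neither path may be group/world-writable."""
    problems = []
    for path in (Path(home) / ".ssh", Path(home) / ".ssh" / "authorized_keys"):
        if not path.exists():
            problems.append(f"{path}: missing")
        elif path.stat().st_mode & 0o022:
            problems.append(f"{path}: group/world-writable ({path.stat().st_mode & 0o777:o})")
    return problems

def demo():
    home = tempfile.mkdtemp()                       # stands in for the remote user's home
    first = install_key(home, LAPTOP_KEY)
    again = install_key(home, LAPTOP_KEY, RESTRICTIONS)        # same key: not duplicated
    backup = install_key(home, BACKUP_KEY, RESTRICTIONS)
    lines = (Path(home) / ".ssh" / "authorized_keys").read_text().splitlines()
    return {"first": first, "again": again, "backup": backup, "lines": len(lines),
            "backup_restricted": parse_line(lines[1])[0].startswith('from="10.0.0.0/8"'),
            "problems": check_permissions(home)}
```

`install_key` deduplicates on key type plus key blob, not on the whole line, so re-running it with different options or a different comment does not add a second entry. `check_permissions` is deliberately only part of what sshd checks: StrictModes also requires the home directory, ~/.ssh and the file to be owned by the user (or root).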
Keys are more secure than Passwords
1. Need to have two items to login: key file
and passphrase.
2. Neither key nor passphrase is sent to
remote host.
3. Machine-generated cryptographic keys are
infeasible to guess, unlike passwords.
SSH Agent
Problem: you have to enter passphrase to
decrypt the key each time you use ssh.
Solution: SSH Agent
> ssh-agent $SHELL
> ssh-add
Enter passphrase for /home/jw/.ssh/id_dsa: ********
Identity added: /home/jw/.ssh/id_dsa (/home/jw/.ssh/id_dsa)
> ssh -l jw host
SSH Agent Features
Agent support for entire session.
Start ssh-agent on initial shell.
X: ~/.xsession (Often enabled by default.)
Multiple keys
ssh-add keyfile
ssh-add -l
Remove keys
ssh-add -d keyfile
ssh-add -D
Caveat: agent forwarding (ssh -A) lets processes on the remote host use your agent's keys while you are connected, so root on that host can log in as you elsewhere. Forward the agent only to hosts you trust.
Remote Access when Server is Down
Problem: No network access to host.
Solutions:
– Go to computer room and bring host up.
– Specialized hardware (network boot / power).
– Virtual machines.
– Console servers.
Console Servers
Console
– Main I/O device for computer.
– Historically: serial terminal.
– Typically: keyboard/mouse/screen.
Server allows access to multiple consoles.
– Console access: BIOS, bootloader, kernel.
– Eliminates need for keyboards, mice, monitors.
– Serial line to each machine from server.
– One user has R/W, other users have R access.
Console Hardware
Console server solutions
– Commercial: Cisco, Cyclades, Xyplex
– Open source: Conserver + serial expander card
Hardware issues
– Connectors: DB-9, DB-25, RJ-45
– Encoding: 8N1, 7E1
– Speeds: 9600 – 230k bps
X-Windows
Server
– Handles user input and graphical display.
– Runs on the machine with the display unit.
Clients (applications)
– Can run on a different machine than the server.
• Set DISPLAY env var.
• Use -display option.
Window Manager
X client that provides features like:
– Move, resize, iconify, and kill windows.
– Window title bars.
– Popup menus.
Example window managers
– twm: Tab, primitive early window manager
– mwm: Motif, found on commercial UNIXes
– fvwm: Free, fast, very customizable.
– WindowMaker: NeXT-like, see also AfterStep.
TWM Screenshot
FVWM Screenshot
WindowMaker
Desktops
CDE
Common desktop env for commercial UNIXes.
Gnome
Standard Linux desktop based on GTK+.
KDE
Windows-like free desktop based on QT.
Xfce
Lightweight desktop, also based on GTK+.
X-Windows Security
Why do we need security?
An evil client can capture/create any X events (keystrokes, screen contents).
Even if you're not using any network clients!
Host authentication
Limit who can start clients by IP address.
Set by the xhost + and xhost - commands. xhost + with no host argument disables access control entirely: anything that can reach TCP port 6000+display may connect.
Token authentication
Only clients holding the secret token (MIT-MAGIC-COOKIE-1) can access the server.
Set by the xauth command; the cookie lives in ~/.Xauthority, so protect that file.
X-Windows Security
Tunneling + host authentication.
All tunneled clients appear to come from localhost.
Therefore disable remote clients with xhost -
Use the ssh client to tunnel X: ssh -X host
Server must have X11Forwarding set to yes in sshd_config.
Use echo $DISPLAY on the remote side to test whether X forwarding is on (it should show something like localhost:10.0).
ssh -X marks the forwarded clients as untrusted under the X SECURITY extension; ssh -Y marks them trusted and gives the remote host full access to your display, so use it only with hosts you trust. (Some distributions set ForwardX11Trusted yes in ssh_config, which makes -X behave like -Y.)
Note that local users can still attack the X session.
VNC: Virtual Network Computing
Why VNC?
1. Remote desktop access.
2. Helpdesk: control a remote desktop.
3. Persistent desktop.
4. Use same desktop from multiple clients.
5. Need Linux access from Windows.
6. Need Windows access from Linux.
What is VNC?
• Open remote desktop protocol.
• Many implementations
– RealVNC: VNC from original researchers.
– TightVNC: VNC with high compression.
– VNCj: Java VNC, can run within web browser.
– PalmVNC: VNC for Palm Pilots.
– UltraVNC: enhanced VNC, only for Windows.
Using VNC
1. Start VNC server
UNIX: vncserver
Win: Start menu>Programs>RealVNC>VNCServer
2. Write down server name and display number.
It will look something like unix3:1
3. Start VNC client
UNIX: vncviewer
Win: Start menu>Programs>RealVNC>VNCViewer
4. Enter server and display to connect to (from step 2).
5. A VNC remote desktop should appear.
Configuring and Troubleshooting
• On UNIX, VNC stores files under ~/.vnc
• Configuration: xstartup
– Indicates which X clients to start with server.
– Typically includes vncconfig application.
• Configuration: passwd
– Contains VNC server session password.
• Log files: host:display#.log
– Any errors should appear in these logs.
Securing VNC
VNC does not provide encryption: the session travels in the clear, and the classic VNC password check is a weak DES challenge-response.
Use ssh tunneling to encrypt login + data (display :1 is TCP port 5900+1 = 5901):
ssh -L 5901:remotehost:5901 remotehost
vncviewer localhost:1
Better still, start the server with vncserver -localhost so it accepts only loopback connections, and point the tunnel at localhost: ssh -L 5901:localhost:5901 remotehost
Tunneling
Tunneling: Encapsulation of one network
protocol in another protocol
– Carrier Protocol: protocol used by network
through which the information is travelling
– Encapsulating Protocol: protocol (GRE, IPsec,
L2TP) that is wrapped around original data
– Passenger Protocol: protocol that carries original
data
ssh Tunneling
SSH can tunnel TCP connections
– Carrier Protocol: IP
– Encapsulating Protocol: ssh
– Passenger Protocol: TCP on a specific port
POP-3 forwarding
ssh -L 110:pop3host:110 -l user pop3host
– Uses ssh to login to pop3host as user
– Creates tunnel from port 110 (leftmost port #) on localhost to port 110 (rightmost port #) of pop3host
– User configures mail client to use localhost as POP3 server, then proceeds as normal
– The forward exists only while the ssh session is open; ssh -N -L ... keeps a session open without running a remote shell, and -f backgrounds it.
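The relay half of what `ssh -L` does, as an added example that is not code from the slides or from OpenSSH; it covers both this POP-3 forward and the VNC tunnel on the "Securing VNC" slide. ssh performs this relay inside its encrypted session, so the only cleartext hop is the one on your loopback interface; the stand-alone relay below has no encryption at all, which is exactly why its listener defaults to 127.0.0.1. The echo server is a constructed stand-in for the remote service (POP3 on 110, VNC display :1 on 5901), and the `vnc_display_port` helper and `demo` function are additions of this example.

```python
"""A local TCP port forwarder: the relay half of 'ssh -L port:host:hostport'.

Added example (not from the slides or OpenSSH).  No encryption: ssh does
this relay inside its encrypted session, this code does it in the clear.
"""
import socket
import threading

def parse_forward_spec(spec):
    """Parse the argument of ssh -L: [bind_address:]port:host:hostport.
    As in ssh(1): no bind address or "localhost" means loopback only (the
    GatewayPorts default); an empty address or "*" means every interface."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, (port, host, hostport) = "localhost", parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError("expected [bind_address:]port:host:hostport")
    if bind in ("", "*"):
        bind = "0.0.0.0"        # reachable by anyone who can reach this machine: avoid
    elif bind == "localhost":
        bind = "127.0.0.1"
    return bind, int(port), host, int(hostport)

def vnc_display_port(display):
    """VNC display :N listens on TCP 5900+N, so 'vncviewer localhost:1' means port 5901."""
    return 5900 + int(display)

def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on as a half-close."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

class LocalForwarder:
    """Listen on bind:port; relay each accepted connection to host:hostport."""

    def __init__(self, spec):
        bind, port, self.host, self.hostport = parse_forward_spec(spec)
        self._srv = socket.socket()
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((bind, port))
        self._srv.listen()
        self.port = self._srv.getsockname()[1]      # port 0 -> kernel-chosen, as in demo()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self._srv.accept()
            except OSError:                             # listener closed
                return
            remote = socket.create_connection((self.host, self.hostport))
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    def close(self):
        self._srv.close()

def start_echo_server():
    """Constructed stand-in for the remote service: echoes whatever it receives."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv

def demo(message=b"USER jw\r\n"):
    """Send message through the relay to the echo server and return what comes back."""
    echo = start_echo_server()
    fwd = LocalForwarder(f"localhost:0:127.0.0.1:{echo.getsockname()[1]}")
    with socket.create_connection(("127.0.0.1", fwd.port)) as c:
        c.sendall(message)
        c.shutdown(socket.SHUT_WR)                  # our EOF travels through both hops
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    fwd.close()
    echo.close()
    return reply
```

`demo()` sends a line to the relay and receives it back from the echo server, which shows the two hops (client to relay, relay to service) that `ssh -L` hides; the half-close propagation in `_pump` is what keeps protocols like POP3 from hanging when one side finishes. Note `parse_forward_spec("*:5901:remotehost:5901")` binds on all interfaces: with a real ssh tunnel that exposes the unencrypted VNC port on your LAN, so leave the bind address out.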
NX
Advantages over VNC:
Speed: fast enough to use over dialup.
Built-in ssh encryption.
Disadvantages
Immature code; hard to install + set up.
GPL client/server for Linux only.
Free Windows client; commercial server.