Unix Comp-145-Lecture11x


Unix Comp-145
LECTURE 11: UNIX’S NETWORKING TOOLS
BASED ON:
S. DAS, “YOUR UNIX: THE ULTIMATE GUIDE”, 2ND EDITION, MCGRAW HILL, 2006
CHAPT 14
12/09/2009 rwj
BROOKDALE COMMUNITY COLLEGE
1
NETWORKING TOOLS
• INTRO TO TCP/IP
• MAPPING DOMAIN NAMES TO IP ADDRESSES:
/etc/hosts & DNS
• COMMUNICATION ACROSS SYSTEMS: CLIENT/SERVER
• TESTING CONNECTIVITY USING ping
• USE OF telnet FOR REMOTE LOGIN
• USE OF SECURE SHELL (ssh) FOR REMOTE LOGIN
• WHY NEED CRYPTOGRAPHY?
• USE AND LIMITS OF ftp
Intro to TCP/IP
• TRANSFER CONTROL PROTOCOL OVER INTERNET PROTOCOL
– INITIALLY DEVELOPED ON AND FOR THE UNIX PLATFORM
– AROUND SINCE 1983
– A PACKET SWITCHING SYSTEM: NO DEDICATED CONNECTIONS BETWEEN SENDER AND RECEIVER
– TCP’S STANDARD = IETF’S RFC 793 (+RFC 1323, RFC 2581, ETC.)
– IP’S STANDARD = IETF’S RFC 791 (+RFC 1826, 1853, 2549, 3768, ETC.)
• PACKETS
– EACH PACKET CONTAINS A PACKET SEQUENCE NUMBER, A CHECKSUM, PLUS A
HEADER THAT CONTAINS AT LEAST A SENDER ADDRESS & ONE OR MORE
RECIPIENT ADDRESSES.
– TRANSFERRED THROUGH NETWORK VIA ROUTERS –
 INTELLIGENT DEVICES THAT INSPECT EACH PACKET AND DECIDE WHAT TO DO
NEXT (DELIVER PACKET LOCALLY OR FORWARD IT TO ANOTHER ROUTER.)
Intro to TCP/IP (Cont’d)
• HOST NAMES AND IP ADDRESSES
– HOST = COMPUTER IN NETWORK
– HOST IDENTIFIED BY hostname VALUE
– 2 FORMS OF HOST NAME:
o SIMPLE, E.G.: sodapop
o FULLY QUALIFIED DOMAIN NAME (FQDN), E.G.: sodapop.brookdalecc.edu
– hostname COMMAND REVEALS THE HOST NAME OF THE COMPUTER
Intro to TCP/IP (Cont’d)
• HOST NAMES AND IP ADDRESSES (CONT’D)
– EACH NETWORKED HOST ASSIGNED A NETWORK-UNIQUE IP ADDRESS.
o SET OF 4 DOT-DELIMITED OCTETS, I.E., EACH OCTET REPRESENTS A SEQUENCE OF 8 BITS OR 1 BYTE.
o MAX VALUE OF EACH OCTET IS 255
o FOR ROUTING EFFICIENCY, EACH IP ADDRESS IS DIVIDED INTO A PREFIX AND A SUFFIX
 PREFIX IDENTIFIES THE NETWORK TO WHICH THE COMPUTER IS ATTACHED
 SUFFIX IDENTIFIES THE COMPUTER WITHIN THAT NETWORK
Intro to TCP/IP (Cont’d)
• HOST NAMES AND IP ADDRESSES (CONT’D)
– LIKE FQDNS, AN IP ADDRESS IS HIERARCHICAL
– ONLY IP ADDRESSES ARE CONSIDERED ROUTABLE.
– FULLY QUALIFIED DOMAIN NAMES MUST BE CONVERTED TO IP ADDRESSES FOR A ROUTER TO EVALUATE.
– RESOLUTION OF FQDNS TO IP ADDRESSES PERFORMED BY THE “RESOLVER”
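Worked example of the prefix/suffix split described on the previous two slides. This is an added illustration for this transcript, not code from the lecture or the textbook; the function names and the prefix-length parameter are this example's own choices, and 172.17.1.243 is simply the address of sodapop that appears in the lecture's ping output.

```python
# Added example, not from the lecture: validate a dotted-quad IPv4 address (four
# octets, each at most 255) and split it into the network prefix and the host suffix
# for a given prefix length. Function names are this example's own.


def parse_ipv4(text):
    """Validate 'a.b.c.d' (four dot-delimited octets, each 0..255) and return a 32-bit int."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets, got {len(parts)}: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"non-numeric octet {part!r} in {text!r}")
        octet = int(part)
        if octet > 255:                      # max value of each octet is 255
            raise ValueError(f"octet {octet} exceeds 255 in {text!r}")
        value = (value << 8) | octet         # each octet contributes 8 bits
    return value


def format_ipv4(value):
    """Inverse of parse_ipv4: 32-bit int back to dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def split_prefix_suffix(address, prefix_len):
    """Return (network prefix, host suffix) as dotted quads for a /prefix_len network.

    The prefix identifies the network the host is attached to; the suffix
    identifies the host within that network.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    value = parse_ipv4(address)
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF   # leading prefix_len bits set
    return format_ipv4(value & mask), format_ipv4(value & ~mask & 0xFFFFFFFF)


def same_network(addr_a, addr_b, prefix_len):
    """True when both hosts share the prefix, i.e. a router may deliver locally."""
    return split_prefix_suffix(addr_a, prefix_len)[0] == split_prefix_suffix(addr_b, prefix_len)[0]


if __name__ == "__main__":
    for prefix_len in (8, 16, 24):
        net, host = split_prefix_suffix("172.17.1.243", prefix_len)
        print(f"172.17.1.243/{prefix_len}: prefix={net} suffix={host}")
    print("same /24 as 172.17.1.10:", same_network("172.17.1.243", "172.17.1.10", 24))
```

The mask is built from the prefix length rather than hard-coded, so the same code shows how the boundary between "network" and "host" moves as the prefix grows.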
MAPPING DOMAIN NAMES TO/FROM IP ADDRESSES
• /etc/hosts
– HOLDS NAME TO ADDRESS MAPPINGS IN SMALL NETWORKS.
– FILE OFTEN CALLED THE HOST FILE.
– SYNTAX: IP_ADDRESS HOSTNAME [ALIASES]
$ cat /etc/hosts
::1          localhost localhost.brookdalecc.edu
127.0.0.1    localhost localhost.brookdalecc.edu
– 127.0.0.1 = LOCAL (LOOP-BACK) ADDRESS.
• SOMETIMES USED BY SYSTEM ADMINISTRATORS TO STOP SITES THAT ATTEMPT TO REDIRECT THEIR REQUESTS.
• CONSIDERED A DEAD-END ADDRESS, BUT SOME MALICIOUS CODE CAN RUN SERVICES ON THE LOOPBACK ADDRESS.
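A parser for the host-file format shown above, added for this transcript (it is not code from the lecture or the textbook). The file contents are constructed for the example; the sodapop address is the one the lecture's ping output shows, and the function names are this example's own. Besides name and reverse lookup it lists which names an administrator has pinned to the loop-back address.

```python
# Added example, not from the lecture: parse /etc/hosts-style text and report
# which names resolve to the loop-back address. Sample contents are constructed.
import ipaddress

SAMPLE_HOSTS = """\
# constructed sample host file
::1            localhost localhost.brookdalecc.edu
127.0.0.1      localhost localhost.brookdalecc.edu
172.17.1.243   sodapop sodapop.brookdalecc.edu
# an administrator's "dead-end" entry: requests for this site never leave the machine
127.0.0.1      blocked-site.example
"""


def parse_hosts(text):
    """Return a list of (ip_address, [hostname, alias, ...]) entries.

    Comments (# to end of line) and blank lines are skipped; a malformed address
    or an address with no name raises ValueError naming the line.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: address without a host name")
        try:
            ip = ipaddress.ip_address(fields[0])   # accepts IPv4 and IPv6 text
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        entries.append((ip, fields[1:]))
    return entries


def lookup(entries, name):
    """Name-to-address: this example returns the first matching line, or None."""
    for ip, names in entries:
        if name in names:
            return str(ip)
    return None


def reverse_lookup(entries, address):
    """Address-to-name(s): every name listed for that address, in file order."""
    target = ipaddress.ip_address(address)
    found = []
    for ip, names in entries:
        if ip == target:
            found.extend(names)
    return found


def loopback_pinned(entries):
    """Names that resolve to a loop-back address (127.0.0.0/8 or ::1), sorted."""
    return sorted({name for ip, names in entries if ip.is_loopback for name in names})


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("sodapop ->", lookup(hosts, "sodapop"))
    print("127.0.0.1 ->", reverse_lookup(hosts, "127.0.0.1"))
    print("pinned to loop-back:", loopback_pinned(hosts))
```

Running `loopback_pinned` over a real host file is a quick way to review which names have been deliberately dead-ended and to spot entries nobody remembers adding.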
MAPPING DOMAIN NAMES TO/FROM IP ADDRESSES
DNS: DOMAIN NAME SYSTEM
– USED IN LARGER NETWORKS.
– DB THAT PROVIDES NAME TO ADDRESS MAPPING SERVICE.
– HOSTNAMES ORGANIZED HIERARCHICALLY.
– DISTRIBUTED DB COMPRISED OF VARIOUS HOSTS ON THE INTERNET AND VARIOUS DOMAINS.
– DELEGATION OF AUTHORITY AT INDIVIDUAL LEVELS IN HIERARCHY.
– THREE MAIN COMPONENTS OF DNS
• RESOLVER (MAPS A NAME TO AN IP ADDRESS)
• NAME SERVER
• DATABASE OF RESOURCE RECORDS (RRS)
MAPPING DOMAIN NAMES TO/FROM IP ADDRESSES
Partial DNS Hierarchy
[Figure: tree diagram of part of the DNS hierarchy; the only labels recoverable from the transcript are “int” and “fr”.]
MAPPING DOMAIN NAMES TO/FROM IP ADDRESSES
DOMAINS EXPLAINED
– TOP LEVEL DOMAINS: IMMEDIATELY SUBORDINATE TO THE “.” ROOT
– DOMAIN IS A LABEL OF THE DNS TREE.
– EACH NODE ON THE DNS TREE REPRESENTS A DOMAIN.
– DOMAIN NAME REPRESENTS AN ENTITY'S POSITION WITHIN THE STRUCTURE OF THE DNS HIERARCHY
– DOMAINS UNDER THE TOP-LEVEL DOMAINS REPRESENT INDIVIDUAL ORGANIZATIONS OR ENTITIES
MAPPING DOMAIN NAMES TO/FROM IP ADDRESSES
DOMAINS EXPLAINED
– DELEGATION OF AUTHORITY TO INDIVIDUAL LEVELS IN HIERARCHY FALLS TO THE ORGANIZATION’S NETWORK ADMIN.
– ZONE = GROUP OF DOMAINS AND SUB-DOMAINS FOR WHICH AN ORGANIZATION HAS AUTHORITY
COMMUNICATION ACROSS SYSTEMS
CLIENT-SERVER PARADIGM
– ONE ENTITY MAKES A REQUEST, ANOTHER PARTY SERVICES THE REQUEST
[Figure: the Client sends a Request to the Server; the Server returns a Response.]
COMMUNICATION ACROSS SYSTEMS
CLIENT-SERVER PARADIGM IN UNIX
– SERVER PROGRAMS IN UNIX CALLED DAEMONS.
• RUN IN BACKGROUND
• LISTEN FOR INPUT FROM CLIENTS
• EXAMPLES:
– httpd – LISTENS FOR REQUESTS FOR WEB-PAGES
– sendmail – HANDLES E-MAIL
– inetd – HANDLES FTP AND TELNET REQUESTS
– ping – DOES NOT NEED A SERVER.
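The request/response paradigm of the last two slides, run on one machine as an added example (not code from the lecture or the textbook). A tiny "daemon" thread listens on a port of the loop-back address 127.0.0.1, the client connects, sends a request, and reads the response. Port 0 asks the kernel for any free port; the request text and the upper-casing "service" are this example's own inventions.

```python
# Added example, not from the lecture: a minimal TCP client/server exchange on the
# loop-back address. The server side runs in a thread so one script shows both roles.
import socket
import threading


def serve_one(listener):
    """Daemon side: accept one client, read its whole request, answer, hang up."""
    conn, _peer = listener.accept()
    with conn:
        request = b""
        while True:                      # read until the client signals end of request
            chunk = conn.recv(1024)
            if not chunk:
                break
            request += chunk
        conn.sendall(b"OK " + request.upper())


def run_exchange(request):
    """Start a server, send `request` as the client, return (server_port, response)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))          # loop-back only; 0 = any free port
        listener.listen(1)
        port = listener.getsockname()[1]          # the port the kernel handed out
        server = threading.Thread(target=serve_one, args=(listener,), daemon=True)
        server.start()
        with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
            client.sendall(request)
            client.shutdown(socket.SHUT_WR)       # "end of request": server's recv returns b""
            response = b""
            while True:
                chunk = client.recv(1024)
                if not chunk:
                    break
                response += chunk
        server.join(5)
    return port, response


if __name__ == "__main__":
    port, reply = run_exchange(b"hello daemon")
    print(f"server listened on 127.0.0.1:{port}; reply: {reply!r}")
```

Binding to 127.0.0.1 rather than 0.0.0.0 is what keeps a test service reachable only from the same host; the next slides explain the port ranges the kernel picks from.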
COMMUNICATION ACROSS SYSTEMS (cont’d)
• SERVERS COMMUNICATE VIA PORTS
o PORT IDs (NUMBERS) DIVIDED INTO 3 RANGES:
 FROM 0 THROUGH 1023 = WELL KNOWN PORTS
 FROM 1024 THROUGH 49151 = REGISTERED PORTS
 FROM 49152 THROUGH 65535 = DYNAMIC AND/OR PRIVATE PORTS
o “PORTS ARE USED IN THE TCP [RFC793] TO NAME THE ENDS OF LOGICAL CONNECTIONS WHICH CARRY LONG TERM CONVERSATIONS. FOR THE PURPOSE OF PROVIDING SERVICES TO UNKNOWN CALLERS, A SERVICE CONTACT PORT IS DEFINED.” THE LIST PUBLISHED BY IANA “SPECIFIES THE PORT USED BY THE SERVER PROCESS AS ITS CONTACT PORT. THE CONTACT PORT IS SOMETIMES CALLED THE "WELL-KNOWN PORT".” [1]
• PORT TYPES: TCP AND UDP (UNIVERSAL DATAGRAM PROTOCOL)
[1] http://www.iana.org/assignments/port-numbers, LAST UPDATED 12/8/09
COMMUNICATION ACROSS SYSTEMS (cont’d)
• “WELL-KNOWN” SERVER PORTS
SERVICE   CLIENT PROGRAM                                  SERVER PORT #
FTP       ftp                                             21
SSH       ssh, scp, sftp, slogin                          22
TELNET    telnet                                          23
SMTP      mailx, netscape                                 25
HTTP      netscape, mozilla, firefox, opera, konqueror    80
POP3      fetchmail                                       110
A COMPLETE LIST OF THE PORTS THAT UNIX LISTENS ON IS FOUND IN /etc/services
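An added example for this transcript (not code from the lecture or the textbook) that reads /etc/services-style lines into a lookup table and classifies port numbers into the three IANA ranges from the previous slide. The sample lines are constructed and much shorter than a real /etc/services; the function names and the CLEARTEXT_LOGIN set are this example's own. The set marks telnet, which the lecture notes sends the user id and password in clear text, and classic FTP, whose control connection is likewise unencrypted.

```python
# Added example, not from the lecture: parse /etc/services-style text and classify
# port numbers by IANA range. Sample lines are constructed for the example.

# constructed sample in /etc/services layout: name  port/protocol  [aliases]
SAMPLE_SERVICES = """\
ftp        21/tcp
ssh        22/tcp
telnet     23/tcp
smtp       25/tcp      mail
domain     53/tcp
domain     53/udp
http       80/tcp      www
pop3       110/tcp     pop-3
"""

# Services whose login credentials travel unencrypted (telnet per the lecture;
# classic FTP's control channel is plain text as well).
CLEARTEXT_LOGIN = {"telnet", "ftp"}


def port_range(port):
    """IANA range name for a port number: well-known, registered or dynamic/private."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} outside 0..65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def parse_services(text):
    """Return {(port, protocol): (name, [aliases])} from /etc/services-style text."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            raise ValueError(f"line {lineno}: expected 'name port/proto'")
        port_text, proto = fields[1].split("/", 1)
        port = int(port_text)
        if proto not in ("tcp", "udp"):
            raise ValueError(f"line {lineno}: unknown protocol {proto!r}")
        port_range(port)                           # rejects out-of-range numbers
        table[(port, proto)] = (fields[0], fields[2:])
    return table


def service_name(table, port, proto="tcp"):
    """Port number to service name, or None if the port is not listed."""
    entry = table.get((port, proto))
    return entry[0] if entry else None


def port_of(table, name, proto="tcp"):
    """Service name or alias to port number, or None if not listed."""
    for (port, p), (svc, aliases) in table.items():
        if p == proto and (svc == name or name in aliases):
            return port
    return None


def cleartext_login_ports(table):
    """Ports of listed services that send credentials in the clear, sorted."""
    return sorted(port for (port, _), (svc, _) in table.items() if svc in CLEARTEXT_LOGIN)


if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    for (port, proto), (name, _) in sorted(table.items()):
        print(f"{name:8} {port:5}/{proto}  {port_range(port)}")
    print("cleartext login ports:", cleartext_login_ports(table))
```

Pointing `parse_services` at the real file (`open("/etc/services").read()`) gives the same lookups for every entry the system knows.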
COMMUNICATION ACROSS SYSTEMS (cont’d)
• HOST CONNECTS TO THE NETWORK VIA A NETWORK INTERFACE CARD (NIC), OFTEN CALLED A “NIC CARD”
• CARD ASSIGNED AN IP ADDRESS.
TESTING CONNECTIVITY USING ping
• USED TO TEST CONNECTIVITY
• ping SENDS 56 BYTE PACKETS TO A REMOTE HOST WHOSE NIC CARD ANSWERS BACK
$ ping sodapop
PING sodapop: 56 data bytes
64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=0. time=0. ms
64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=. time=0. ms
64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=. time=0. ms
64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=. time=0. ms
^C
--- sodapop PING statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round trip (ms) min/avg/max/stddev = 0.010/0.031/0.006
USE OF telnet FOR REMOTE LOGIN
• LOG IN TO A REMOTE MACHINE OVER AN IP NETWORK [telnet <ip_address>]
• USER ID AND PASSWORD TRANSMITTED IN CLEAR TEXT
• LOCAL MACHINE ACTS LIKE A DUMB TERMINAL: ECHOES TO TERMINAL WHAT IS SENT AND WHAT IS RECEIVED.
• “ESC_KEY” OR “CTL ]” – TEMPORARILY TRANSFERS USER TO LOCAL MACHINE. PROMPT CHANGES TO telnet>
$ telnet 127.0.0.1
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Trying SRA secure login:
User (rjesmajian):
USE OF telnet FOR REMOTE LOGIN (cont’d)
• “esc_key” OR “ctl+]” – TEMPORARILY ENABLES USER TO RUN COMMANDS ON LOCAL MACHINE. PROMPT CHANGES TO telnet>
• USE “!” TO RUN COMMANDS ON LOCAL SYSTEM
telnet> !ls -l *.sh
USE OF telnet FOR REMOTE LOGIN (cont’d)
• MICROSOFT telnet CLIENT: ctl+] GIVES THE Microsoft Telnet> PROMPT
Welcome to Microsoft Telnet Client
Escape Character is 'CTRL+]'
Microsoft Telnet> ?/help
Commands may be abbreviated. Supported commands are:
c    - close                   close current connection
d    - display                 display operating parameters
o    - open hostname [port]    connect to hostname (default port 23).
q    - quit                    exit telnet
set  - set                     set options (type 'set ?' for a list)
sen  - send                    send strings to server
st   - status                  print status information
u    - unset                   unset options (type 'unset ?' for a list)
?/h  - help                    print help information
Microsoft Telnet> !ls -l ~/*.sh
USE OF SECURE SHELL (ssh) FOR REMOTE LOGIN
• SECURELY LOG IN TO A REMOTE MACHINE OVER
AN IP NETWORK [ssh <RemoteMachineName>]
• DEVELOPED TO REPLACE telnet
• USES PUBLIC KEY (ASYMMETRIC) CRYPTOGRAPHIC
ALGORITHMS TO GENERATE A MATHEMATICALLY
RELATED PUBLIC-PRIVATE KEY PAIR
• KEY PAIR IS USED TO
— ESTABLISH TRUST, I.E., AUTHENTICATE USER & HOST
— ENCRYPT/DECRYPT PASSWORDS & DATA.
WHY NEED CRYPTOGRAPHY?
• ENCRYPTION/DECRYPTION PROVIDES DATA CONFIDENTIALITY
AND DATA INTEGRITY OVER AN INSECURE NETWORK
o DATA EXCHANGED IS ENCRYPTED BY SENDER, AND DECRYPTED BY
RECIPIENT USING SESSION KEY.
• MESSAGES & TRANSACTIONS CAN BE DIGITALLY SIGNED BY
ORIGINATOR TO PROVIDE DATA INTEGRITY AND
AUTHENTICATION
o POPULAR ALGORITHMS USED TO GENERATE DIGITAL SIGNATURES:
 RSA (INVENTED BY RIVEST, SHAMIR AND ADLEMAN)
 DSA (DIGITAL SIGNATURE ALGORITHM)
WHY NEED CRYPTOGRAPHY? (cont’d)
• 2 FORMS OF CRYPTOGRAPHY
o SYMMETRIC – 1 SECRET KEY
 ADVANTAGE:
SIMPLE MATHEMATICAL ALGORITHM
KEY DETERMINED BETWEEN 2 PARTIES
 DISADVANTAGE: KEY MANAGEMENT
 USE:
MILITARY AND MOST MAJOR FIRMS FOR
INTERNAL COMMUNICATIONS
o ASYMMETRIC – 1 PUBLIC KEY AND 1 PRIVATE KEY
 ADVANTAGE:
KEY MANAGEMENT
 DISADVANTAGE: COMPLEX MATHEMATICAL ALGORITHM
MUST SUBSCRIBE TO PUBLIC KEY ADMINISTRATOR SERVICE
 USE:
TELECOMS AND MOST MAJOR FIRMS FOR
EXTERNAL COMMUNICATIONS
WHY NEED CRYPTOGRAPHY?
(SYMMETRIC CRYPTOGRAPHY)
• DATA PROTECTION (VIA SYMMETRIC ENCRYPTION).
[Figure: symmetric encryption; the same “Sender’s Secret Key” is shown on both the encrypting and the decrypting side.]
WHY NEED CRYPTOGRAPHY?
(ASYMMETRIC CRYPTOGRAPHY)
• DATA PROTECTION (VIA ASYMMETRIC ENCRYPTION).
THE RECIPIENT’S SECRET KEY IS THE MATHEMATICAL INVERSE FUNCTION OF SENDER’S PUBLIC KEY.
WHY NEED CRYPTOGRAPHY?
(DIGITAL SIGNATURES)(cont’d)
• MESSAGE AUTHENTICATION (VIA DIGITAL SIGNATURE).
WHY NEED CRYPTOGRAPHY?
(DIGITAL SIGNATURES)(cont’d)
• ORIGINATING A DIGITAL SIGNATURE
o A MESSAGE DIGEST (MD) IS GENERATED USING THE SENDER’S PRIVATE KEY AND A MD CREATION ALGORITHM, I.E., A SET OF HASHING ALGORITHMS.
• MESSAGE DIGEST = “SUMMARY” OF THE MESSAGE TO BE TRANSMITTED.
• MD’S MAIN PROPERTIES:
1. ALWAYS SMALLER THAN THE MESSAGE ITSELF
2. THE SLIGHTEST CHANGE IN THE MESSAGE PRODUCES A DIFFERENT DIGEST.
• THE MESSAGE DIGEST IS ENCRYPTED USING THE SENDER'S ASYMMETRIC PRIVATE KEY. THE RESULTING ENCRYPTED MD = THE DIGITAL SIGNATURE.
o ATTACH THE COMPUTED DIGITAL SIGNATURE TO THE MESSAGE & SEND.
WHY NEED CRYPTOGRAPHY?
(DIGITAL SIGNATURES)(cont’d)
• VALIDATING A DIGITAL SIGNATURE ON RECEIPT
o USE THE SENDER'S PUBLIC KEY TO DECRYPT THE DIGITAL SIGNATURE TO OBTAIN THE RECEIVED MD, ASSUMED TO BE GENERATED BY THE KNOWN SENDER.
o USE THE SAME MD ALGORITHM USED BY THE SENDER TO GENERATE YOUR OWN MD OF THE RECEIVED MESSAGE.
o COMPARE THE 2 MDS
1. IF EQUAL THEN MESSAGE IS UNALTERED & NOT FROM AN IMPOSTER.
2. IF NOT EQUAL, DISCARD MESSAGE AS UNTRUSTWORTHY: THE MESSAGE HAS BEEN TAMPERED WITH BY A THIRD PARTY.
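The originate/validate procedure of the last two slides carried through end to end, as an added example for this transcript (not code from the lecture or the textbook). SHA-256 stands in for the MD algorithm and textbook RSA for the asymmetric algorithm, which also illustrates the mathematically related public/private key pair from the ssh slide. The primes are small Mersenne primes chosen only so the arithmetic is visible: this key is a toy, far too small for real use, and real signature systems add padding and use keys of thousands of bits. All names are this example's own.

```python
# Added example, not from the lecture: digest -> sign with private key -> verify with
# public key, plus the two failure cases (altered message, wrong signer). Toy key sizes.
import hashlib


def make_keypair(p, q, e=65537):
    """Textbook RSA key generation from two primes: returns (public, private) as (n, exponent)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent; needs gcd(e, phi) == 1 (Python 3.8+)
    return (n, e), (n, d)


def message_digest(message, n):
    """MD of the message: SHA-256, reduced modulo n so the toy modulus can hold it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Originator: compute the MD, then 'encrypt' it with the private key -> signature."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(message, signature, public_key):
    """Recipient: 'decrypt' the signature with the sender's public key to recover the
    received MD, compute your own MD of the message, and compare the two."""
    n, e = public_key
    received_md = pow(signature, e, n)
    own_md = message_digest(message, n)
    return received_md == own_md


# Sender's key pair (2^31-1 and 2^61-1 are both prime).
SENDER_PUBLIC, SENDER_PRIVATE = make_keypair((1 << 31) - 1, (1 << 61) - 1)
# A second, unrelated key pair (2^13-1 and 2^17-1, also prime) standing in for an imposter.
IMPOSTER_PUBLIC, IMPOSTER_PRIVATE = make_keypair((1 << 13) - 1, (1 << 17) - 1)


def demo():
    """Walk through the three outcomes; returns (genuine, tampered, forged)."""
    message = b"Transfer $100 to account 42."
    signature = sign(message, SENDER_PRIVATE)
    genuine = verify(message, signature, SENDER_PUBLIC)                              # MDs equal
    tampered = verify(b"Transfer $900 to account 42.", signature, SENDER_PUBLIC)     # message altered
    forged = verify(message, sign(message, IMPOSTER_PRIVATE), SENDER_PUBLIC)         # wrong signer
    return genuine, tampered, forged


if __name__ == "__main__":
    print("genuine, tampered, forged =", demo())   # (True, False, False)
```

The tampered case fails because the recipient's own MD of the altered text no longer matches the MD recovered from the signature; the forged case fails because a signature made with some other private key does not "decrypt" to the right MD under the claimed sender's public key.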
FILE TRANSFER PROTOCOL (FTP)
• LOG IN TO A REMOTE MACHINE OVER AN IP NETWORK TO
TRANSFER FILES [ftp <remoteMachineName>]
• AUTHORIZED REMOTE USER
(USER’S SIGN-ON CREDENTIALS (USERID/PWD) KNOWN BY REMOTE
SYSTEM)
• ANONYMOUS USER
(USERID= anonymous, PWD=USER E-MAIL ADDRESS)
FILE TRANSFER PROTOCOL (FTP)
• UPLOADS & DOWNLOADS 2 TYPES OF FILES:
ASCII (TEXT) & BINARY (ALL OTHER FILE ENCODINGS)
ftp> binary
200 Type set to I
ftp> put photo1.gif
• PREFACE COMMANDS WITH “!” TO RUN COMMAND ON LOCAL
MACHINE
ftp> !pwd
FILE TRANSFER PROTOCOL (FTP)(CONT’D)
• FTP COMMANDS FOR USE ON REMOTE SYSTEM:
!        cr          get      mdir     nlist     put      rmdir     tenex
$        debug       glob     mget     nmap      pwd      rstatus   throttle
account  delete      hash     mkdir    ntrans    quit     runique   trace
append   dir         help     mls      open      quote    send      type
ascii    disconnect  idle     mlsd     page      rate     sendport  umask
bell     edit        image    mlst     passive   rcvbuf   set       unset
binary   epsv4       lcd      mode     pdir      recv     site      usage
bye      exit        less     modtime  pls       reget    size      user
case     features    lpage    more     pmlsd     remopts  sndbuf    verbose
cd       fget        lpwd     mput     preserve  rename   status    xferbuf
cdup     form        ls       mreget   progress  reset    struct    ?
chmod    ftp         macdef   msend    prompt    restart  sunique
close    gate        mdelete  newer    proxy     rhelp    system
FILE TRANSFER PROTOCOL (FTP)(CONT’D)
• TO UPLOAD FILES ONTO REMOTE SYSTEM USE
put OR mput
o put - UPLOADS ONE FILE AT A TIME
ftp> binary
200 Type set to I.
ftp> put photo1.gif
o mput - UPLOADS ONE OR MORE FILES AT A TIME
ftp> binary
200 Type set to I.
ftp> mput photo*.gif
ftp> ascii
200 Type set to A.
ftp> mput mo*.sh
FILE TRANSFER PROTOCOL (FTP)(CONT’D)
• TO DOWNLOAD FILES FROM A REMOTE SYSTEM USE
get OR mget.
o get COMMAND DOWNLOADS ONE FILE AT A TIME
ftp> binary
200 Type set to I.
ftp> get photo1.gif
o mget DOWNLOADS ONE OR MORE FILES AT A TIME
ftp> binary
200 Type set to I.
ftp> mget photo*.gif
FILE TRANSFER PROTOCOL (FTP)(CONT’D)
• NORMALLY, prompt AND hash ARE INVOKED IMMEDIATELY BEFORE get AND mget
o prompt
 MAKES get AND mget BEHAVE NON-INTERACTIVELY, IF INTERACTIVE MODE WAS ACTIVE.
ftp> prompt
Interactive mode off.
ftp>
o hash
 EACH TIME A BLOCK OF DATA IS TRANSFERRED, A “#” IS PRINTED.
ftp> hash
Hash mark printed on (1024 bytes/hash mark).
ftp>