advanced unix system administration
Post on 27-May-2015
1
THE SCO GROUP 2007
© The SCO Group, Inc. All Rights Reserved
OpenServer 6 Networking for OpenServer 5 Administrators
John Boland, SCO Support
2
Session Objectives
At the end of this session you should:
• Understand the ISL differences between OpenServer 6 and OpenServer 5 relating to Networking
• Be aware of how OpenServer 6 networking starts on system boot
• Know how to enable tcp wrappers on inetd services
• Understand how netconfig(ADM) differs between OpenServer 6 and OpenServer 5
• Know how to configure and use ssh(1)
• Be able to configure a simple VPN using IPsec
3
Session Topics
The following topics will be covered:
• OpenServer 6 Installation
• Network Configuration Manager differences
• OpenServer 6 Network Start-up
• Configured Network Services on OpenServer 6
• tcpd(ADM) aka Tcpwrappers
• OpenServer 6 and OpenSSH
• Using IPSec to implement a VPN
• IP Filters Brief Overview
4
OpenServer 6 Installation
OpenServer 6.0.0 ISL Networking Differences:
• Samba, PPP and Kerberos installed at ISL
• IPX/SPX, SCO Gateway for Netware and Lan Manager Client packages obsolete
• DHCP client configuration at ISL
• Only drivers for detected Network Cards (NICs) are displayed at ISL
• Manual list only contains non-auto-detectable ISA NIC cards
5
OpenServer 6 Installation
OpenServer 5 Connectivity Package Selection
6
OpenServer 6 Installation
OpenServer 6 Connectivity Package Selection
7
OpenServer 6 Installation
Network Card Selection on OpenServer 5
8
OpenServer 6 Installation
Network Card Selection on OpenServer 6
9
Network Configuration Manager
OpenServer 5 Network Configuration Manager:
10
Network Configuration Manager
Network Configuration Manager Differences:
• No localhost entry
• Removed the IPX protocol
• NFS protocol configured by default (if installed)
• Only auto-detected Network Cards are displayed
• No relink and reboot required when you add a card
• Removed WAN configuration
• Failover support added
11
Network Configuration Manager
Network Interface Card (NIC) Drivers and netconfig(ADM)
• NIC drivers are stored under /etc/inst/nd/mdi
• Find out what nd driver package is installed using:
  pkginfo -l nd
• Get the latest nd driver package (8.0.6e) at:
  http://www.sco.com/support/update/download/release.php?rid=281
• netconfig(ADM) uses PCI Board IDs to recognise cards:
  resmgr | more
  18 e1008g 8 6 4 18 4400 443f fcde0000 fcdfffff - - 4 0x8086100E 0x0002 0 2 034 net0 8 6 - - - - - - - - - 0x8086100E - - 2 -
  grep 0x8086100E /etc/inst/nd/mdi/e1008g/*.bcfg
  /etc/inst/nd/mdi/e1008g/e1008g_100E.bcfg:BOARD_IDS="0x8086100E"
12
Network Configuration Manager
Automatic Network Failover and Backup cards
• Must have MP2 installed
• TA 110336: Not all NICs support failover. Check with:
  grep "FAILOVER=true" /etc/inst/nd/mdi/<your nic driver>/*.bcfg
• Can manually failover using netconfig(ADM)
• Automatic failback is not currently supported
• TA 126686: Cannot manually failback to the primary NIC using netconfig(ADM). Instead you use:
  nd failback net0
• Note that while some NICs failover on removal of cable, not all NICs do
13
Network Configuration Manager
Debugging netconfig(ADM):
• When you run netconfig(ADM) you are running:
  /usr/lib/netcfg/bin/ncfgUI
• netconfig(ADM) configuration files are held under /usr/lib/netcfg
• To trace problems uncomment:
  #cmdtrace on [ open /tmp/ncfgUI.log a+ ]
• netconfig(ADM) also uses ndcfg(ADM) to do NIC configuration. The ndcfg log file is found at:
  /usr/lib/netcfg/tmp/ndcfg.log
• TA 110131: Troubleshooting NIC Installation
14
OpenServer 6 Network Start-up
/etc/inittab Network Start-up Entries
• Initialize the socket subsystem in the kernel at sysinit
  iks0::sysinit:/sbin/initsock -d > /dev/console 2>&1
• Configure STREAMS at sysinit
  sl::sysinit:/etc/slink -c /etc/strcf > /dev/console 2>&1
• Initialise the loopback interface at sysinit
  loop::sysinit:/usr/sbin/initialize -u lo0 > /dev/console 2>&1
• Load STREAMS modules
  ap1::sysinit:/sbin/autopush -f /etc/ap/sco.ap
• Start syslogd(ADM) to log local & remote messages
  bchk::sysinit:/sbin/bcheckrc </dev/console >/dev/console 2>&1
15
OpenServer 6 Network Start-up
/etc/inittab Network Start-up Entries [contd]
• The following entries will be described in greater detail on the slides that follow:
  lli::sysinit:/etc/nd start < /dev/null > /dev/null 2>&1
  tcp::sysinit:/etc/tcp start < /dev/null > /dev/null 2>&1
  ...
  r2:2:wait:/etc/rc2 1> /dev/console 2>&1 </dev/console
16
OpenServer 6 Network Start-up
Network Adapter Driver Script nd(ADM)
• /etc/nd is used to start and stop configured NICs
• It starts the dlpid(ADM) daemon which links each MDI (MAC Driver Interface) driver to the common DLPI (Data Link Provider Interface)
• The dlpi module is a bit like your OSI Data Link Layer
• The MDI interface sits between the card and the DLPI
• /etc/nd is started by an entry in /etc/inittab:
  lli::sysinit:/etc/nd start < /dev/null > /dev/null 2>&1
• nd(ADM) is updated by netconfig(ADM) when adding or removing NICs
17
OpenServer 6 Network Start-up
nd(ADM) [contd.]
• Never try to update or modify /etc/nd manually
• The nd(ADM) man page incorrectly refers to /etc/rc2.d/S35dlpi and /etc/rc0.d/K97dlpi being used to start and stop nd
• Can debug issues with /etc/nd by uncommenting:
  #cmdtrace on [ open /tmp/nd.log a+ ]
  or
  #cmdtrace on stderr
18
OpenServer 6 Network Start-up
TCP Start/Stop Script tcp(ADMN)
• /etc/tcp starts and stops TCP
• When starting in single-user mode (sysinit) it will:
  Read /etc/default/tcp to get info incl. domain and gateway
  Call inconfig(ADM) to load default TCP kernel parameters
  Configure network interfaces with IP addresses using /usr/sbin/initialize -U
  Start syslogd(ADM) if not already started
  Set the default route using the gateway entry from /etc/default/tcp
  Start the streams error logging daemon, strerr(ADM)
  Start the Pseudo Random Number Generator Daemon, prngd(ADM)
19
OpenServer 6 Networking Start-up
Single User Mode start-up (flow diagram; node labels only):
init -> initsock, slink, autopush, Initialize lo0, nd start, tcp start
nd start -> dlpid -> Setup NICs
tcp start -> Domain and gateway, Setup TCP Kernel Params, initialize netx, route add, strerr(ADM), prngd(ADM), syslogd
20
OpenServer 6 Network Start-up
tcp(ADMN) [contd]
• When starting in multi-user mode (rc2) it will also:
  Start prngd(ADM) again
  Start inetd(ADMN), the Internet Super Server daemon
  Start pppd(ADMN) only if MST PPP is configured (off by default)
  Start snmpd(ADMN), the snmp agent
  Start named(ADMN) if a nameserver is configured (off by default)
  Start sshd(8), the ssh daemon, and if necessary generate host keys (/etc/ssh/ssh_host*)
  Start any daemons listed in /etc/default/tcp (off by default)
  Start ntpd, lpd(ADMN) and aasd(ADMN) if configured (not by default)
21
OpenServer 6 Network Start-up
tcp(ADMN) [contd]
• Issues the messages:
  add net default: gateway 192.168.248.1
  Starting TCP services: prngd inetd snmpd sshd
• The tcp(ADMN) man page incorrectly refers to ifconfig when it should refer to initialize
• Existing sessions can continue to function after a tcp stop
• Existing sessions are stopped by a tcp shutdown
• Can debug the /etc/tcp shell script by adding:
  set -x
22
OpenServer 6 Network Start-up
Networking services started by rc2(ADM)
• The /etc/rc2 script is invoked by init(M):
  r2:2:wait:/etc/rc2 1> /dev/console 2>&1 </dev/console
• /etc/rc2 messages are logged to /usr/adm/rc2.log
• Networking Services scripts called by rc2 include:
  S85tcp S86rpc P86sendmail S87nfs S90nis
  P90apache S95docview S99cups S99nmbd S99smbd
• Can disable a service as follows:
  mv /etc/rc2.d/S87nfs /etc/rc2.d/s87nfs
  shutdown -y -g0 -i6
23
OpenServer 6 Network Start-up
Network services started by traditional rc2(ADM)
• S85tcp: Symbolic link to /etc/tcp
• S86rpc: Symbolic link to /etc/rpcinit. Starts rpcbind(ADMN), rwalld(NADM) and sprayd
• P86sendmail (or MMDF equivalent): Starts sendmail(ADMN)
• S87nfs: Symbolic link to /etc/nfs. Starts exportfs(NADM), nfsd(NADM), biod(NADM), mountd(NADM), statd(1Mnfs), lockd(NADM), bootparamd(NADM) and pcnfsd(NADM)
• S90nis: Symbolic link to /etc/nis. Not configured or started by default
24
OpenServer 6 Network Startup
Network services started by traditional rc2(ADM)
• P90apache: Starts the apache web server on port 80
• S95docview: Starts the OpenServer 6 documentation server on port 8457
• S99cups: Starts the CUPS Print server, cupsd(8). Remote admin is disabled by default (See TA 126211)
• S99nmbd: Starts the NetBIOS name service, nmbd(8)
• S99smbd: Starts the File and Print Server daemon, smbd(8)
25
OpenServer 6 default Network Services
Services controlled by inetd(ADMN)
• inetd is known as a Super Server
• inetd is started by /etc/rc2.d/S85tcp (/etc/tcp)
• inetd configures the services listed in /etc/inetd.conf
• inetd reads /etc/services (and /etc/protocol) to get the name, aliases, port and protocol to use for each service
26
OpenServer 6 default Network Services
Services controlled by inetd(ADMN)
• On a traditional install inetd configures services including:
  ftp stream tcp nowait root /etc/ftpd ftpd -a
  telnet stream tcp nowait NOLUID /etc/telnetd telnetd
  shell stream tcp nowait NOLUID /etc/rshd rshd
  login stream tcp nowait NOLUID /etc/rlogind rlogind
  exec stream tcp nowait NOLUID /etc/rexecd rexecd
  pop3 stream tcp nowait root /etc/popper popper
  imap stream tcp nowait root /etc/imapd imapd
  swat stream tcp nowait root /usr/sbin/swat swat
• Can disable a service by commenting it out:
  # telnet stream tcp nowait NOLUID /etc/telnetd telnetd
• And then restarting inetd with a SIGHUP:
  kill -1 `cat /etc/inetd.pid`
27
OpenServer 6 Networking Start-up
Multi-User Mode start-up (flow diagram; node labels only):
rc2 -> S85tcp, S86rpc, P86sendmail, S87nfs, S90nis, P90apache, S95docview, S99cups, S99nmbd, S99smbd
S85tcp -> prngd, inetd, snmpd, sshd, named, pppd, lpd, ntpd, aasd
28
OpenServer 6 Networking Start-up
Multi-User Mode start-up [contd] (flow diagram; node labels only):
inetd -> ftpd, telnetd, rshd, rlogind, rexec, pop3, imap, swat
29
OpenServer 6 and TCPWrappers
tcpd(ADM) aka tcpwrappers 7.6
• Can be used to log and control access to inetd services
• To enable tcpwrappers on telnetd:
  Edit /etc/inetd.conf
  Comment out the entry:
  telnet stream tcp nowait NOLUID /etc/telnetd telnetd
  Uncomment the entry:
  # telnet stream tcp nowait NOLUID /etc/tcpd telnetd
  Save the file
  Restart inetd using:
  kill -1 `cat /etc/inetd.pid`
• Telnet to the server and check syslog:
  Jul 11 17:26:14 jrbt5 telnetd[2102]: connect from jrbhp1
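The two inetd.conf edits shown above (commenting a service out on slide 26, swapping the server program for /etc/tcpd on slide 29) are simple enough by hand for one service, but a mechanical edit is easier to audit when several services are involved. The script below is an added example, not SCO's code: it edits a copy of inetd.conf with awk (the field layout of an entry is service, socket type, protocol, wait/nowait, user, server path, arguments, so the server program is field 6), reports which active services are still launched without tcpd, and keeps the slide's SIGHUP as a separate function that is only meaningful on the OpenServer host. The sample file is constructed from the default entries listed on slide 26.

```shell
#!/bin/sh
# Added example (not SCO's code): edit a COPY of inetd.conf the way the slides
# describe, but mechanically.  Entry layout:
#   service socktype proto wait user server_path args
# Run it against a copy first; on the real system point it at /etc/inetd.conf
# and then send inetd a SIGHUP (reload_inetd) so the change takes effect.

# Route <service> through /etc/tcpd (field 6 = server program).
# Commented-out or already-wrapped entries are left untouched.
wrap_with_tcpd() {   # $1 = inetd.conf path, $2 = service name
    awk -v svc="$2" '
        !/^[[:space:]]*#/ && $1 == svc && $6 != "/etc/tcpd" { $6 = "/etc/tcpd" }
        { print }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Comment out every active entry for <service> (the "# telnet ..." form on slide 26).
disable_service() {  # $1 = inetd.conf path, $2 = service name
    awk -v svc="$2" '
        !/^[[:space:]]*#/ && $1 == svc { print "#" $0; next }
        { print }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Active services that inetd still starts directly, i.e. that tcpd neither
# logs nor filters.  A useful before/after audit of the file.
unwrapped_services() {  # $1 = inetd.conf path
    awk '!/^[[:space:]]*#/ && NF >= 6 && $6 != "/etc/tcpd" { print $1 }' "$1"
}

# Ask the running inetd to re-read its configuration, exactly as on the slide.
reload_inetd() { kill -1 "$(cat /etc/inetd.pid)"; }

# Constructed sample, mirroring the default entries on slide 26.
make_sample_inetd_conf() {  # $1 = destination path
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp stream tcp nowait root /etc/ftpd ftpd -a
telnet stream tcp nowait NOLUID /etc/telnetd telnetd
shell stream tcp nowait NOLUID /etc/rshd rshd
login stream tcp nowait NOLUID /etc/rlogind rlogind
exec stream tcp nowait NOLUID /etc/rexecd rexecd
pop3 stream tcp nowait root /etc/popper popper
imap stream tcp nowait root /etc/imapd imapd
swat stream tcp nowait root /usr/sbin/swat swat
EOF
}

# --- demonstration on a throw-away copy ---
demo_dir=$(mktemp -d)
make_sample_inetd_conf "$demo_dir/inetd.conf"
for s in telnet login ftp pop3 imap; do
    wrap_with_tcpd "$demo_dir/inetd.conf" "$s"
done
disable_service "$demo_dir/inetd.conf" shell   # the comment-out form from slide 26
echo "still unwrapped: $(unwrapped_services "$demo_dir/inetd.conf" | tr '\n' ' ')"
cat "$demo_dir/inetd.conf"
rm -rf "$demo_dir"
```

Because awk rebuilds a line when it assigns to $6, a wrapped entry comes out space-separated even if the original used tabs; inetd does not care, but a diff against the original will show those lines.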
30
OpenServer 6 and TCPWrappers
Controlling Access using tcpd(ADM)
• hosts_access(SFF) control is implemented using /etc/hosts.allow and /etc/hosts.deny
• These files contain no rules by default
• Access is controlled as follows:
  Grant access if you match an entry in the /etc/hosts.allow file
  Deny access if you match an entry in the /etc/hosts.deny file
  Otherwise, grant access
31
OpenServer 6 and TCPWrappers
Controlling Access using tcpd(ADM) [contd]
• Entries in hosts.allow and hosts.deny are of the form:
  daemon_list : client_list
• daemon_list is a list of one or more daemon process names or wildcards
• client_list is a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address
• There are two basic options:
  Deny all and add entries to /etc/hosts.allow (Mostly Closed)
  Allow all and add entries to /etc/hosts.deny (Mostly Open)
32
OpenServer 6 and TCPWrappers
Some hosts_access(SFF) examples:
• To deny everything, in /etc/hosts.deny add:
  ALL: ALL
• To allow everything leave /etc/hosts.allow empty
• To allow exceptions in /etc/hosts.allow add:
  ftpd: .friendly.domain
  telnetd: ALL@192.168.124.1
  rlogind: 192.168.1.0/255.255.255.0
• To report on blocked access:
  ALL : ALL : spawn (echo Attempt from %h %a to %d at `date` | tee -a /var/log/tcp.deny.log | mail jboland@sco.com )
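The three slides above give the hosts_access decision order (hosts.allow first, then hosts.deny, otherwise allow) and a handful of pattern forms, but the effect of a mixed rule set is easy to misjudge before it is installed. The following script is an added example written for this page, not part of the tcpd package: it re-implements that decision order for the pattern forms the slides use (ALL, a ".domain" suffix, a "net/mask" pair, an exact host or address, plus the "192.168.1." prefix form) so a policy can be evaluated offline against constructed hosts.allow and hosts.deny files. It deliberately does not handle EXCEPT lists, NIS netgroups, the "client@server" form on slide 32, or the spawn/twist options (anything after a second colon is ignored), and is a checker for reading rules, not a replacement for tcpd.

```shell
#!/bin/sh
# Added example (not SCO's or tcpd's code): evaluate hosts_access(SFF) rules
# offline.  Subset of the real matcher: ALL, ".domain", "prefix.", "net/mask",
# exact host or address; no EXCEPT, netgroups, client@server or options.

ip2int() {   # dotted quad -> integer, for net/mask comparison
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

client_matches() {   # $1 = pattern, $2 = client host name, $3 = client address
    case "$1" in
        ALL) return 0 ;;
        .*)  case "$2" in *"$1") return 0 ;; esac ;;                  # domain suffix
        */*) net=${1%/*}; mask=${1#*/}                                 # net/mask
             [ $(( $(ip2int "$3") & $(ip2int "$mask") )) -eq \
               $(( $(ip2int "$net") & $(ip2int "$mask") )) ] && return 0 ;;
        *.)  case "$3" in "$1"*) return 0 ;; esac ;;                  # address prefix
        *)   [ "$1" = "$2" ] || [ "$1" = "$3" ] && return 0 ;;         # exact
    esac
    return 1
}

daemon_matches() { [ "$1" = ALL ] || [ "$1" = "$2" ]; }   # $1 = pattern, $2 = daemon

list_matches() {   # $1 = comma/space separated list, $2 = match function, rest = its args
    lst=$(printf '%s' "$1" | tr ',' ' ')
    fn=$2; shift 2
    for item in $lst; do
        "$fn" "$item" "$@" && return 0
    done
    return 1
}

# Does any "daemon_list : client_list" rule in the file match?  Missing file
# or no rules means "no match", which is how an empty hosts.allow behaves.
file_matches() {   # $1 = control file, $2 = daemon, $3 = host, $4 = addr
    [ -f "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        dl=$(printf '%s' "${line%%:*}" | sed 's/^ *//; s/ *$//')
        rest=${line#*:}
        cl=$(printf '%s' "${rest%%:*}" | sed 's/^ *//; s/ *$//')
        if list_matches "$dl" daemon_matches "$2" &&
           list_matches "$cl" client_matches "$3" "$4"; then
            echo match
        fi
    done | grep -q match
}

# The decision order from slide 30: allow file, then deny file, else allow.
hosts_access() {   # $1 = daemon, $2 = host, $3 = addr, $4 = hosts.allow, $5 = hosts.deny
    if   file_matches "$4" "$1" "$2" "$3"; then echo allow
    elif file_matches "$5" "$1" "$2" "$3"; then echo deny
    else echo allow
    fi
}

make_sample_rules() {   # constructed "mostly closed" policy, written into directory $1
    cat > "$1/hosts.allow" <<'EOF'
# rules from slide 32 plus one prefix rule
ftpd: .friendly.domain
rlogind: 192.168.1.0/255.255.255.0
sshd, telnetd: 10.0.0.
EOF
    cat > "$1/hosts.deny" <<'EOF'
ALL : ALL : spawn (echo Attempt from %h %a to %d at `date` >> /var/log/tcp.deny.log)
EOF
}

rules=$(mktemp -d); make_sample_rules "$rules"
for probe in "ftpd box.friendly.domain 203.0.113.5" "ftpd box.other.domain 203.0.113.5" \
             "rlogind pc1 192.168.1.77" "rlogind pc1 192.168.2.77" "telnetd pc2 10.0.0.9"; do
    set -- $probe
    echo "$1 from $2 ($3): $(hosts_access "$1" "$2" "$3" "$rules/hosts.allow" "$rules/hosts.deny")"
done
rm -rf "$rules"
```

The probes at the end exercise each pattern form once; a rule that matches in neither file falls through to "allow", which is why the slides pair a catch-all ALL: ALL in hosts.deny with the exceptions in hosts.allow.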
33
OpenServer 6 and OpenSSH
OpenServer 6 MP2 ships with OpenSSH_4.2p1. The package provides:
• ssh(1) (aka slogin(1)) for secure, encrypted login and remote command execution
• scp(1) for secure, encrypted remote copy
• sftp(1) for secure, encrypted file transfer
• Can also be used for, among other things: Local Port Forwarding, Dynamic Port Forwarding, X11 Forwarding
34
OpenServer 6 and OpenSSH
OpenServer 6 ssh(1) Authentication:
• Host Based Authentication using /etc/ssh/shosts.equiv and/or ~/.shosts, plus /etc/ssh/ssh_known_hosts and/or ~/.ssh/known_hosts
• RSA/DSA Authentication using ~/.ssh/authorized_keys
• Keyboard Username and Password authentication (default fallback)
• Try to avoid using SSH 1 as it is less secure than SSH 2
• Always use RSA and not DSA if possible
35
OpenServer 6 and OpenSSH
Windows to OpenServer 6.0.0 RSA Authentication:
• Use a Key Generator on your Windows PC to generate your public and private keys and save the keys to a directory on your PC
• On the OpenServer 6 system create the .ssh directory using:
  mkdir $HOME/.ssh
  chmod 700 $HOME/.ssh
• Create $HOME/.ssh/authorized_keys and paste your public key into this file
• On the Windows PC configure your ssh Terminal Emulator to use your private key
36
OpenServer 6 and OpenSSH
OpenServer 6 to OpenServer 6 RSA Authentication:
• On the "client" OpenServer 6 system generate keys using:
  ssh-keygen -t rsa
• On the "server" OpenServer 6 system create the .ssh directory using:
  mkdir $HOME/.ssh
  chmod 700 $HOME/.ssh
• Create $HOME/.ssh/authorized_keys and paste the $HOME/.ssh/id_rsa.pub public key from the client OpenServer 6 system into this file
• Login from the OpenServer 6 client system using:
  ssh <server_name> or ssh <user>@<server_name>
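The two key-installation slides above (Windows to OpenServer and OpenServer to OpenServer) share the same server-side steps: create ~/.ssh with mode 700, then put the public key in authorized_keys. The script below is an added example, not from the deck, that performs those steps as one function that can be re-run without duplicating the key, gives authorized_keys mode 600, and checks the result with ls(1) rather than stat(1) so it also works on older systems. The key line is a constructed placeholder, not a real public key. The permission check mirrors the slide's prescribed modes and sshd's StrictModes requirement that neither the home directory nor the key files are group- or world-writable; a server with StrictModes on will silently ignore authorized_keys otherwise.

```shell
#!/bin/sh
# Added example (not from the deck): install a public key into
# $HOME/.ssh/authorized_keys idempotently and verify the modes sshd expects.

# Create ~/.ssh (0700) and authorized_keys (0600) if needed and add the key
# once; running it again with the same key is a no-op.
install_authorized_key() {   # $1 = home directory, $2 = one public-key line
    umask 077
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
    touch "$1/.ssh/authorized_keys" && chmod 600 "$1/.ssh/authorized_keys"
    grep -qxF -- "$2" "$1/.ssh/authorized_keys" ||
        printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
}

# Permission string as ls -ld prints it (e.g. drwx------); portable to systems
# without stat(1).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Home not group/world-writable (what StrictModes insists on), ~/.ssh 0700 and
# authorized_keys 0600 (what the slides prescribe).  Returns 0 when all hold.
check_ssh_perms() {   # $1 = home directory
    case "$(mode_of "$1")" in
        ?????w???? | ????????w?) return 1 ;;
    esac
    [ "$(mode_of "$1/.ssh")" = drwx------ ] || return 1
    [ "$(mode_of "$1/.ssh/authorized_keys")" = -rw------- ] || return 1
    return 0
}

# Number of keys currently authorized (non-comment, non-blank lines).
count_authorized_keys() {   # $1 = home directory
    grep -v '^[[:space:]]*#' "$1/.ssh/authorized_keys" | grep -vc '^[[:space:]]*$'
}

# Constructed placeholder, not a real key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEXAMPLEPLACEHOLDERKEYDATA== jboland@winpc'

demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_KEY"
install_authorized_key "$demo_home" "$SAMPLE_KEY"   # second run adds nothing
if check_ssh_perms "$demo_home"; then
    echo "ok: $(count_authorized_keys "$demo_home") key(s) installed, modes correct"
else
    echo "permissions would be rejected by sshd"
fi
rm -rf "$demo_home"
```

On the real system call install_authorized_key "$HOME" "$(cat id_rsa.pub)" as the target user; for the Windows case paste the exported public key as the second argument instead.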
37
OpenServer 6 and OpenSSH
OpenServer 6 ssh(1) Host Based Authentication:
• Host Based Authentication can use /etc/ssh/shosts.equiv and/or ~/.shosts, plus /etc/ssh/ssh_known_hosts and/or ~/.ssh/known_hosts
• Server Side Configuration: Create $HOME/.shosts with
  192.168.1.250 jboland
  jrbosr6.it.sco.com jboland
  jrbosr6 jboland
• Edit /etc/ssh/sshd_config and change/add:
  HostbasedAuthentication yes
  IgnoreUserKnownHosts yes
  IgnoreRhosts yes
38
OpenServer 6 and OpenSSH
OpenServer 6 ssh(1) Host Based Authentication: Server Side Configuration [contd]:
• Restart sshd using:
  tcp restart
Client Side Configuration:
• Edit /etc/ssh/ssh_config and change/add:
  HostbasedAuthentication yes
  EnableSSHKeysign yes
• From the client login to the server using:
  ssh <server_name>
• To debug use:
  ssh -v <server_name>
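The host-based setup above is a matter of setting a few keywords in sshd_config and ssh_config, and the detail that bites in practice is how OpenSSH reads those files: the first uncommented occurrence of a keyword wins and later ones are ignored, so appending "HostbasedAuthentication yes" below an existing active "HostbasedAuthentication no" changes nothing. The script below is an added example, not from the deck: set_ssh_option rewrites the first active occurrence in place and appends only when the keyword is absent, get_ssh_option reads the value sshd will actually use, and hostbased_server_ok checks the server side. One caveat the check encodes: in OpenSSH, IgnoreRhosts yes (the default, and the value the slide sets) makes sshd skip per-user .rhosts and .shosts files while still reading the system-wide shosts.equiv, so with the slide's server settings the trust entries need to be in /etc/ssh/shosts.equiv, or IgnoreRhosts needs to be no for $HOME/.shosts to be consulted. The config excerpts are constructed; run it against /etc/ssh/sshd_config only on the OpenServer host.

```shell
#!/bin/sh
# Added example (not from the deck): set sshd_config/ssh_config keywords the
# way OpenSSH parses them (first active occurrence wins) and sanity-check the
# server side of host-based authentication.

# Set keyword to value: rewrite the first active occurrence in place, or
# append when the keyword is absent or only present as a "#Keyword" comment.
set_ssh_option() {   # $1 = config file, $2 = keyword, $3 = value
    awk -v k="$2" -v v="$3" '
        !done && !/^[[:space:]]*#/ && tolower($1) == tolower(k) { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Value sshd will use for a keyword; empty when unset (compiled-in default).
get_ssh_option() {   # $1 = config file, $2 = keyword
    awk -v k="$2" '!/^[[:space:]]*#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Server-side check: HostbasedAuthentication must be on, and when IgnoreRhosts
# is yes (explicitly or by default) per-user .shosts is ignored, so the
# system-wide shosts.equiv must carry the trust list.
hostbased_server_ok() {   # $1 = sshd_config, $2 = path of shosts.equiv
    [ "$(get_ssh_option "$1" HostbasedAuthentication)" = yes ] || return 1
    ir=$(get_ssh_option "$1" IgnoreRhosts)
    [ -z "$ir" ] && ir=yes            # OpenSSH default
    if [ "$ir" = yes ] && [ ! -s "$2" ]; then
        return 1
    fi
    return 0
}

demo=$(mktemp -d)
# constructed sshd_config excerpt: the keyword exists only as a comment
printf '%s\n' '# constructed sshd_config excerpt' '#HostbasedAuthentication no' \
              'IgnoreRhosts yes' 'PermitRootLogin no' > "$demo/sshd_config"
set_ssh_option "$demo/sshd_config" HostbasedAuthentication yes
set_ssh_option "$demo/sshd_config" IgnoreUserKnownHosts yes
set_ssh_option "$demo/sshd_config" IgnoreRhosts yes
if hostbased_server_ok "$demo/sshd_config" "$demo/shosts.equiv"; then
    echo "server side ok"
else
    echo "IgnoreRhosts yes: trust list must be in shosts.equiv, not ~/.shosts"
fi
printf '%s\n' 'jrbosr6.it.sco.com jboland' > "$demo/shosts.equiv"   # slide's entry, system-wide file
hostbased_server_ok "$demo/sshd_config" "$demo/shosts.equiv" && echo "server side ok"
cat "$demo/sshd_config"
rm -rf "$demo"
```

The same set_ssh_option call applies to the client side (HostbasedAuthentication and EnableSSHKeysign in /etc/ssh/ssh_config); after editing the real files, restart sshd with tcp restart as the slide says.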
39
OpenServer 6 and OpenSSH
Uses for ssh Dynamic Port Forwarding:
• Dynamic Port forwarding allows forwarding of traffic via a local SOCKS Proxy Server to a remote secure server using ssh(1)
(diagram nodes: Local SOCKS Proxy Server, Secure ssh Server, The Internet)
40
OpenServer 6 and OpenSSH
Setup Dynamic Port Forwarding on OpenServer 6:
• Setup a SOCKS Proxy Server as root using:
  ssh -D 1080 jboland@<fqdn of OSR6 ssh server>
• To configure Mozilla to use the SOCKS proxy:
  Run mozilla
  Select Edit -> Preferences... -> Advanced -> Proxies
  Click the "Manual Proxy Configuration"
  In the SOCKS Host: field put localhost
  In the Port: field put 1080
  Click on OK
41
OpenServer 6 and OpenSSH
Setting up Dynamic Port Forwarding on Windows: Setup a SOCKS Proxy Server using PuTTY as follows:
  Launch PuTTY
  Enter the Host Name of the remote server
  Select Connection -> SSH -> Tunnels
  Enter 1080 in the source port field
  Click on the Dynamic Radio Button
  Click Add
  Click Open
42
OpenServer 6 and OpenSSH
Setting up Dynamic Port Forwarding on Windows: Configure Firefox to use the SOCKS Proxy as follows:
  Launch Firefox
  Select Tools -> Options -> Advanced -> Networking
  Click on Settings
  Check the Manual proxy configuration: radio button
  Enter localhost in the SOCKS Host: field
  Enter 1080 in the source port field
  Click OK
  Click OK
Firefox is now configured to use the SOCKS Proxy
43
OpenServer 6 and OpenSSH
Setting up Dynamic Port Forwarding on Windows: Configure PuTTY to use the SOCKS Proxy as follows:
  Launch PuTTY
  Enter the Host Name of the remote server
  Select Connection -> Proxy
  Check SOCKS 5 as the proxy type
  Enter 1080 for the port
  Click OK
  Click OK
PuTTY is now configured to use the SOCKS Proxy
44
OpenServer 6 and IPsec
What is IPsec: IPsec allows you to:
• Encrypt IP packets between hosts and subnets
• Authenticate IP Packets between hosts and subnets
• Defined in http://www.ietf.org/rfc/rfc2401.txt
• Authentication can be performed using Expanded IPsec headers, keys or certificates
IPsec requirements:
• OpenSSL 0.9.7 or later (check with: openssl version)
• A configured and functioning network connection
45
OpenServer 6 and IPsec
IPsec Terminology:
• Two types of IPsec configuration:
  Transport encrypts IP Data only
  Tunnel encrypts IP Data and IP Headers
• Two types of Authentication protocol:
  Authentication Header (AH) does authentication only and is not recommended
  Encapsulating Security Payload (ESP) does authentication and encryption
• In an IPsec configuration file:
  SAD is the Security Association Database
  SPD is the Security Policy Database
46
OpenServer 6 and IPsec
To enable IPsec in the kernel:
• Edit /etc/conf/pack.d/inet/space.c changing
  int ipsec_enable = 0;
  to
  int ipsec_enable = 1;
• Relink the kernel using:
  /etc/conf/bin/idbuild -M inet
• Reboot the server using:
  shutdown -y -g0 -i6
47
OpenServer 6 and IPsec
Simple OSR6 to OSR6 IPsec configuration: On "sysa" create /etc/inet/sysa.ipsec.conf with:
add <sysa ip> <sysb ip> esp 0x10001 -m transport -E 3des-cbc "thescogp12341234thescogp" ;
add <sysb ip> <sysa ip> esp 0x10002 -m transport -E 3des-cbc "thescogp43214321thescogp" ;
spdadd <sysb ip>[any] <sysa ip>[any] tcp -P in ipsec esp/transport/<sysb ip>-<sysa ip>/use ;
spdadd <sysa ip>[any] <sysb ip>[any] tcp -P out ipsec esp/transport/<sysa ip>-<sysb ip>/use ;
48
OpenServer 6 and IPsec
Simple OSR6 to OSR6 IPsec configuration: On "sysb" create /etc/inet/sysb.ipsec.conf with:
add <sysa ip> <sysb ip> esp 0x10001 -m transport -E 3des-cbc "thescogp12341234thescogp" ;
add <sysb ip> <sysa ip> esp 0x10002 -m transport -E 3des-cbc "thescogp43214321thescogp" ;
spdadd <sysa ip>[any] <sysb ip>[any] tcp -P in ipsec esp/transport/<sysa ip>-<sysb ip>/use ;
spdadd <sysb ip>[any] <sysa ip>[any] tcp -P out ipsec esp/transport/<sysb ip>-<sysa ip>/use ;
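The two configuration files on slides 47 and 48 are almost identical: the SAD ("add") lines, with their SPIs and keys, must be the same on both hosts, and only the SPD ("spdadd") lines differ, with the peer named first in the inbound policy and the local host first in the outbound one. Writing the two files by hand is where a typo in one key or a swapped direction creeps in, and ipseckey gives little help locating it. The script below is an added example, not SCO's code: it generates both files from one set of parameters, checks that a 3des-cbc key in setkey's quoted-string form is exactly 24 characters (192 bits), and verifies that the SAD lines of two files are identical and their SPD lines are mirror images. Addresses are constructed TEST-NET values and the keys are the placeholder strings printed on the slides; a production SA needs random key material, not a memorable string.

```shell
#!/bin/sh
# Added example (not SCO's code): generate the manual-keyed ipsec.conf for
# both hosts from one parameter set and check a pair of files for consistency.

# Print the configuration for one side.
# $1 = sysa|sysb (host the file is for), $2 = sysa ip, $3 = sysb ip,
# $4 = key for sysa->sysb (SPI 0x10001), $5 = key for sysb->sysa (SPI 0x10002)
gen_ipsec_conf() {
    side=$1; a=$2; b=$3; k_ab=$4; k_ba=$5
    if [ "$side" = sysa ]; then me=$a; peer=$b; else me=$b; peer=$a; fi
    cat <<EOF
# generated for $side
add $a $b esp 0x10001 -m transport -E 3des-cbc "$k_ab" ;
add $b $a esp 0x10002 -m transport -E 3des-cbc "$k_ba" ;
spdadd ${peer}[any] ${me}[any] tcp -P in ipsec esp/transport/${peer}-${me}/use ;
spdadd ${me}[any] ${peer}[any] tcp -P out ipsec esp/transport/${me}-${peer}/use ;
EOF
}

# 3des-cbc takes a 192-bit key; in the quoted-string form that is exactly
# 24 characters, and ipseckey rejects other lengths when the file is loaded.
key_len_ok() { [ "${#1}" -eq 24 ]; }

# The SAD lines must be byte-identical in the two files.
sad_consistent() {   # $1 = sysa file, $2 = sysb file
    [ "$(grep '^add ' "$1")" = "$(grep '^add ' "$2")" ]
}

# Each host's inbound policy must equal the peer's outbound policy with only
# the direction word changed.
spd_mirrored() {   # $1 = sysa file, $2 = sysb file
    [ "$(grep -- '-P in ' "$1" | sed 's/-P in /-P out /')" = "$(grep -- '-P out ' "$2")" ] &&
    [ "$(grep -- '-P in ' "$2" | sed 's/-P in /-P out /')" = "$(grep -- '-P out ' "$1")" ]
}

# Constructed addresses (TEST-NET) and the slides' placeholder keys.
SYSA_IP=192.0.2.10
SYSB_IP=192.0.2.20
KEY_AB="thescogp12341234thescogp"
KEY_BA="thescogp43214321thescogp"

out=$(mktemp -d)
key_len_ok "$KEY_AB" && key_len_ok "$KEY_BA" || { echo "key is not 24 characters"; exit 1; }
gen_ipsec_conf sysa "$SYSA_IP" "$SYSB_IP" "$KEY_AB" "$KEY_BA" > "$out/sysa.ipsec.conf"
gen_ipsec_conf sysb "$SYSA_IP" "$SYSB_IP" "$KEY_AB" "$KEY_BA" > "$out/sysb.ipsec.conf"
if sad_consistent "$out/sysa.ipsec.conf" "$out/sysb.ipsec.conf" &&
   spd_mirrored   "$out/sysa.ipsec.conf" "$out/sysb.ipsec.conf"; then
    echo "sysa and sysb files are consistent"
fi
cat "$out/sysa.ipsec.conf"
rm -rf "$out"
```

Copy each generated file to its host as /etc/inet/sysa.ipsec.conf or /etc/inet/sysb.ipsec.conf and load it with ipseckey -f as on slide 49; running sad_consistent on a pair of files that were edited by hand is a quick way to locate a mismatched key before loading them.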
49
OpenServer 6 and IPsec
Loading the IPsec configuration:
• On sysa run setkey(ADM):
  ipseckey -f /etc/inet/sysa.ipsec.conf
• On sysb run setkey(ADM):
  ipseckey -f /etc/inet/sysb.ipsec.conf
• To see the ESP traffic:
  tcpdump host sysa and sysb
• To see the ipsec network statistics run:
  netstat -nsp ipsec
• To remove/flush the SAD and SPD entries use:
  ipseckey -F (SAD)
  ipseckey -FP (SPD)
50
OpenServer 6 and IPsec
Using racoon for automatic key management
• Keys need to be changed to maintain security
• Manual changing of keys is time consuming and prone to error
• racoon(ADM) is a daemon that manages keys (and certificates) on behalf of IPsec
• racoon(ADM) uses the Internet Key Exchange (IKE) protocol to exchange keys securely between hosts
51
OpenServer 6 and IPsec
To configure racoon(ADM):
• On sysa create the file /etc/inet/psk.txt with:
  <sysb ip> <initial pre-shared key>
• Make sure this file has perms 0400:
  chmod 0400 /etc/inet/psk.txt
• On sysa create the file /etc/inet/sysa.ipsec.conf with:
  spdadd <sysb ip>[any] <sysa ip>[any] tcp -P in ipsec esp/tunnel/<sysb ip>-<sysa ip>/require ;
  spdadd <sysa ip>[any] <sysb ip>[any] tcp -P out ipsec esp/tunnel/<sysa ip>-<sysb ip>/require ;
• Perform similar steps on sysb
52
OpenServer 6 and IPsec
To configure racoon(ADM) [contd]: On sysa create the file /etc/inet/racoon.conf with:
path pre_shared_key "/etc/inet/psk.txt" ;
log debug;
remote anonymous
{
  exchange_mode aggressive ;
  my_identifier address <sysa ip> ;
  lifetime time 1 hour ;
  proposal {
    encryption_algorithm 3des;
    hash_algorithm sha1;
    authentication_method pre_shared_key ;
    dh_group 2 ;
  }
  proposal_check obey;
}
53
OpenServer 6 and IPsec
To configure racoon(ADM) [contd]: On sysa create the file /etc/inet/racoon.conf with [contd]:
sainfo anonymous
{
  pfs_group 2;
  lifetime time 10 hour ;
  encryption_algorithm 3des, blowfish;
  authentication_algorithm hmac_sha1, hmac_md5 ;
  compression_algorithm deflate ;
}
Create a similar file on sysb
54
OpenServer 6 and IPsec
To start racoon:
• Permissions need to be changed on /usr/sbin/racoon:
  chmod +x /usr/sbin/racoon
• Start racoon on sysa and sysb using:
  /usr/sbin/racoon &
• Configuration and Startup errors are logged in /var/adm/syslog
• On sysa run setkey(ADM):
  ipseckey -f /etc/inet/sysa.ipsec.conf
• On sysb run setkey(ADM):
  ipseckey -f /etc/inet/sysb.ipsec.conf
55
OpenServer 6 and IPsec
To stop and restart racoon:
• To stop racoon run:
  kill -9 `cat /etc/inet/racoon.pid`
  rm /tmp/.racoon
• Restart using:
  /usr/sbin/racoon &
56
OpenServer 6 and IPF
IP Filter Firewall Package for OpenServer 6.0.0
• For a detailed HOW TO on firewall setup see:
  http://osr600doc.sco.com/en/NET_tcp/ipf-howto.html
• See also: ipf(ADMN), ipfilter(M) and ipnat(ADMN)
• Enable IP Filter as root using:
  mkdev ipf
• Display the current incoming and outgoing rules with:
  ipfstat -io
57
Session Objectives
You should now:
• Understand the ISL differences between OpenServer 6 and OpenServer 5 relating to Networking
• Understand how netconfig(ADM) differs between OpenServer 6 and OpenServer 5
• Be aware of how OpenServer 6 networking starts on system boot
• Know how to enable tcp wrappers on inetd services
• Know how to configure and use ssh(1)
• Be able to configure a simple VPN using IPsec
58
Questions?
Any questions now?
For questions you think about later:
jboland@sco.com