SUSE Linux Enterprise Server Administration (Course 3037)

Upload: shen

Post on 09-Jan-2016

  • SUSE Linux Enterprise Server Administration (Course 3037), Chapter 10: Manage Remote Access

  • Objectives
      - Provide Secure Remote Access with OpenSSH
      - Enable Remote Administration with YaST
      - Configure a Network Installation

  • Provide Secure Remote Access with OpenSSH
      - Objectives
          - Cryptography Basics
          - SSH Features and Architecture
          - How to Configure the SSH Client
          - SSH Client Commands
          - How to Configure the SSH Server
          - SSH Server Commands
          - Public Key Authentication Management

  • Cryptography Basics
      - Symmetric encryption
          - Same key is used for encryption and decryption
          - Key should be protected
          - Helps with high-speed transmission
          - Key length is very important
          - Technologies
              - DES (Data Encryption Standard)
              - 3DES (Triple DES)
              - IDEA
              - Blowfish
              - AES (Advanced Encryption Standard)

  • Cryptography Basics (continued)
      - Asymmetric encryption
          - Symmetric encryption problem
              - Securely transmitting the key
          - Uses two keys (private and public keys)
              - One is used for encryption and the other for decryption
          - Low-speed data transmission
          - Both techniques are often combined
              - Key for symmetric encryption is transmitted over an asymmetrically encrypted channel
          - Techniques
              - RSA, DSA, Diffie-Hellman

  • SSH Features and Architecture
      - SSH features
          - Basic functionality
              - Login from a remote host
              - Interactive or noninteractive command execution on remote hosts
              - Copying files between different network hosts
              - High-performance authentication and cryptographically secured communication on nonsecure networks
              - Automatic and transparent encryption of all communication
              - Complete substitution of r utilities: rlogin, rsh, and rcp
              - Port forwarding
              - Tunneling

  • SSH Features and Architecture (continued)
      - SSH features (continued)
          - Special features
              - Prevent security loopholes through IP, routing, and DNS spoofing
              - You can control the client by using system-wide and user-based configuration files
              - You can transmit any type of binary data between hosts
              - Optional support for compressing data is also available
              - There are up to six procedures available from the client for server authentication

  • SSH Features and Architecture (continued)
      - SSH protocol versions
          - Protocol version 1 (SSH1)
          - Protocol version 2 (SSH2)
      - SSH1 does not ensure the integrity of a connection
          - Insertion attack
      - HMAC (Keyed-Hash Message Authentication Code)
          - Guarantees integrity of a connection

  • SSH Features and Architecture (continued)

  • SSH Features and Architecture (continued)

  • SSH Features and Architecture (continued)

  • SSH Features and Architecture (continued)
      - SSH authentication mechanism configuration
          - Client checks if public host key of the server really belongs to the server
          - SSH currently does not use any directory services
              - Or any certificates
          - Random key pair can be easily created by anyone
          - Client learns server public host key
          - Server side mechanisms to authenticate clients
              - Host-based authentication
                  - Authentication is based on configuration files /etc/hosts.equiv or /etc/shosts.equiv, and/or ~/.rhosts or ~/.shosts

  • SSH Features and Architecture (continued)
      - SSH authentication mechanism configuration (continued)
          - Server side mechanisms to authenticate clients (continued)
              - Host-based RSA authentication
                  - Public keys of clients are saved on server in the files ~/.ssh/known_hosts and /etc/ssh/ssh_known_hosts
              - Public key (RSA/DSA) authentication
                  - User proves knowledge of his private key through a challenge-response procedure
              - Password authentication
                  - Takes place through a UNIX user password
                  - Transfer of the password is encrypted

  • SSH Features and Architecture (continued)
      - SSH authentication mechanism configuration (continued)
          - After successful authentication
              - A work environment is created on the server
              - Initialization routines are processed
          - Parameter X11 Forwarding
              - Determines whether or not graphical output is forwarded by default
          - SSH server configuration file
              - /etc/ssh/sshd_config

  • How to Configure the SSH Client
      - SSH client configuration file
          - /etc/ssh/ssh_config
      - Each user can edit his individual settings
          - In the file ~/.ssh/config
      - StrictHostKeyChecking option
          - Prevents client from simply entering new keys
              - From unknown servers without checking
          - Three values: yes, no, and ask (default)
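
The three StrictHostKeyChecking values in practice, as an added example that is not part of the course material: the shell function below (audit_strict, a hypothetical name) lists each setting in a client configuration file together with the Host block it applies to. The sample configuration and its host names are constructed.

```shell
#!/bin/sh
# Added example: report every StrictHostKeyChecking line in an ssh client
# config, the Host block it belongs to, and what it means for unknown keys.
# audit_strict is a hypothetical helper name.
audit_strict() {
    awk '
        BEGIN { host = "(before any Host line)" }
        /^[ \t]*#/ { next }                    # comment
        /^[ \t]*$/ { next }                    # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)    # accept the Keyword=value form
            split(line, f, /[ \t]+/)
            key = tolower(f[1])                # keywords are case-insensitive
        }
        key == "host" { host = line; sub(/^[^ \t]+[ \t]+/, "", host); next }
        key == "stricthostkeychecking" {
            val = tolower(f[2])
            if (val == "yes")      note = "refuses unknown host keys"
            else if (val == "ask") note = "prompts before adding a key"
            else if (val == "no")  note = "WEAK: adds unknown keys unchecked"
            else                   note = "other value"
            printf "%s\t%s\t%s\n", host, val, note
        }
    ' "$1"
}

# Constructed sample in the style of ~/.ssh/config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# per-user settings
Host sun
    StrictHostKeyChecking yes
Host lab-*
    stricthostkeychecking=no
Host *
    StrictHostKeyChecking ask
EOF
audit_strict "$sample"
rm -f "$sample"
```

Run it against /etc/ssh/ssh_config and ~/.ssh/config; a file with no such line leaves the default, ask, in force.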

  • SSH Client Commands

  • How to Configure the SSH Server
      - Configuration file
          - /etc/ssh/sshd_config

  • How to Configure the SSH Server (continued)

  • SSH Server Commands

  • Public Key Authentication Management
      - Public key authentication process
          - Client informs server of which public key is being used for authentication
          - Server checks to see if the public key is known
          - Server encrypts a random number using the public key and transfers this to the client
          - Client decrypts random number with its private key
          - Client sends the server an MD5 checksum that it has calculated from the number
          - Server also calculates a checksum and, if they are identical, the user has authenticated successfully
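
The steps above replayed locally with openssl, as an added example rather than OpenSSH or course code: the server encrypts a random number, the client answers with an MD5 checksum, and a client holding the wrong private key is rejected. The function names, file names and keys are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: the slide's challenge-response steps replayed with openssl.
# Function and file names are hypothetical, not OpenSSH code.

# new_rsa_keypair PREFIX -> writes PREFIX.key (private) and PREFIX.pub (public)
new_rsa_keypair() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl rsa -in "$1.key" -pubout -out "$1.pub" 2>/dev/null
}

# pubkey_challenge CLIENT_PRIVATE_KEY PUBLIC_KEY_KNOWN_TO_SERVER
# Prints "authenticated" or "rejected".
pubkey_challenge() {
    priv=$1
    pub=$2
    work=$(mktemp -d) || return 1

    # Server: encrypt a random number with the public key it has on file.
    openssl rand -hex 16 > "$work/number"
    openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -in "$work/number" -out "$work/challenge" || { rm -rf "$work"; return 1; }

    # Client: decrypt with the private key and answer with the MD5 checksum
    # only, so neither the number nor the private key crosses the network.
    response=none
    if openssl pkeyutl -decrypt -inkey "$priv" \
        -in "$work/challenge" -out "$work/answer" 2>/dev/null; then
        response=$(openssl dgst -md5 -r "$work/answer" | cut -d' ' -f1)
    fi

    # Server: checksum its own copy of the number and compare.
    expected=$(openssl dgst -md5 -r "$work/number" | cut -d' ' -f1)
    rm -rf "$work"
    if [ "$response" = "$expected" ]; then echo authenticated; else echo rejected; fi
}

# Demonstration with freshly generated (constructed) keys.
keys=$(mktemp -d)
new_rsa_keypair "$keys/geeko"
new_rsa_keypair "$keys/other"
pubkey_challenge "$keys/geeko.key" "$keys/geeko.pub"   # matching pair
pubkey_challenge "$keys/other.key" "$keys/geeko.pub"   # wrong private key
rm -rf "$keys"
```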

  • Public Key Authentication Management (continued)
      - How to create a key pair
          - Use command ssh-keygen
          - A different key is required for SSH1 than for SSH2
              - Use option -t keytype to specify the type of key
          - Keys are stored in the files
              - ~/.ssh/identity (private key)
              - ~/.ssh/identity.pub (public key)
          - Command ssh-keygen -t rsa
              - Generates an RSA key pair
              - Keys are stored in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub

  • Public Key Authentication Management (continued)
      - How to configure and use public key authentication
          - Authentication using RSA or DSA keys
          - Copy public key to the server
              - Append the public key to file ~/.ssh/authorized_keys
              - Example: scp .ssh/id_dsa.pub sun:geeko-pubkey
          - Launch the client to test the keys
              - You can use option -i to enter file name for private key
          - Password is still required when logging in to server
              - Enter password with the command ssh-add
          - You can also use the ssh-agent with a graphical login
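
An added example (not from the course) of the append step on the server, written so that a wrong file or a second run cannot damage ~/.ssh/authorized_keys. install_pubkey is a hypothetical helper and the key line is constructed.

```shell
#!/bin/sh
# Added example: the server-side "append the public key" step.
# install_pubkey PUBKEY_FILE HOME_DIR   (hypothetical helper name)
install_pubkey() {
    pub=$1
    sshdir=$2/.ssh
    auth=$sshdir/authorized_keys

    # Accept exactly one line that starts with a public key type, so a
    # private key copied by mistake is never appended.
    [ -r "$pub" ] && [ "$(grep -c . "$pub")" -eq 1 ] || {
        echo "expected one public key line in $pub" >&2; return 1; }
    key=$(cat "$pub")
    case $key in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pub does not look like a public key" >&2; return 1 ;;
    esac

    # With StrictModes (the default) sshd ignores an authorized_keys file
    # that other users can write to, so set the modes explicitly.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append once; a second run must not duplicate the entry.
    if grep -qxF -- "$key" "$auth"; then
        echo "already installed"
        return 0
    fi
    # Finish a last line that lacks its newline before appending.
    [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ] && echo >> "$auth"
    printf '%s\n' "$key" >> "$auth"
    echo "installed"
}

# Demonstration in a scratch directory with a constructed key line.
demo=$(mktemp -d)
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedKeyBody geeko@client" > "$demo/geeko-pubkey"
install_pubkey "$demo/geeko-pubkey" "$demo/home"
install_pubkey "$demo/geeko-pubkey" "$demo/home"
rm -rf "$demo"
```

On the server from the slide's scp example this would be called as install_pubkey geeko-pubkey "$HOME".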

  • Exercise 10-1: Manage Remote Connections with OpenSSH
      - In this exercise, you do the following:
          - Part I: Use SSH Utilities
          - Part II: Create a Trusted Connection Between Servers

  • Enable Remote Administration with YaST
      - Objectives
          - VNC and YaST Remote Administration
          - How to Configure Your Server for Remote Administration
          - How to Access Your Server for Remote Administration

  • VNC and YaST Remote Administration
      - VNC (virtual network computing)
          - Client-server solution
          - Allows a remote X server to be managed from anywhere on the Internet
      - Set VNC with YaST Remote Administration module
      - Connect to the server using
          - VNC client such as krdc (connect to hostname:5901)
          - VNC connection in Konqueror (vnc://hostname:5901)
          - Java-capable Web browser (http://hostname:5801)
      - Remote Administration is less secure than SSH

  • How to Configure Your Server for Remote Administration
      - Steps
          - Start the YaST Remote Administration module
          - Select Allow Remote Administration; select Finish
          - Close the dialog box by selecting OK
          - Close any open applications; then display a console by pressing Ctrl+Alt+F2
          - Log in as root with the appropriate password
          - Restart the display manager by entering rcxdm restart
          - Log in to the desktop as root or any other local user

  • How to Configure Your Server for Remote Administration (continued)

  • How to Configure Your Server for Remote Administration

  • How to Access Your Server for Remote Administration
      - Access the server from a Web browser
          - Open Web browser; then enter http://hostname:5801
          - Directly access YaST by selecting Administration
          - Enter the root password; then select OK
          - Exit YaST; then close the session by selecting Disconnect

  • How to Access Your Server for Remote Administration (continued)

  • Exercise 10-2: Use Remote Administration
      - In this exercise, you do the following:
          - Part I: Remotely Access a Text-Based Version of YaST
          - Part II: Remotely Access the GUI Version of YaST
          - Part III: Configure Remote Administration with YaST
          - Part IV: Access Your Partner's Server Remotely

  • Configure a Network Installation
      - Objectives
          - How to Prepare for the Installation
          - SUSE Linux Installation Basics
          - How to Configure an Installation Server

  • How to Prepare for the Installation
      - Consider the following:
          - Hardware compatibility
              - Verify that your hardware is compatible with SLES 9 at www.novell.com/partnerguide/section/481.html
          - File system types
          - Partitioning scheme
              - Plan for the appropriate partitions and partition sizes
          - Software package selection
          - Dual-boot system
              - Better to install SUSE Linux Enterprise Server 9 first

  • SUSE Linux Installation Basics
      - SUSE Linux lets you install from a variety of sources
          - Using a YaST GUI interface or a text-based interface
      - The role of Linuxrc
          - Defines installation settings and loads hardware drivers
          - Hands over control to YaST
              - Which starts the actual installation

  • SUSE Linux Installation Basics (continued)

  • SUSE Linux Installation Basics (continued)

  • SUSE Linux Installation Basics (continued)

  • SUSE Linux Installation Basics (continued)
      - Virtual consoles
          - You might need to access a command-line prompt
              - Called a shell prompt in Linux
              - From a virtual console
          - Linux system provides six virtual consoles
          - X Window system is assigned console number 7
          - Switch between virtual consoles by pressing Ctrl+Alt+Fx
          - Return to the X Window system by pressing Ctrl+Alt+F7

  • SUSE Linux Installation Basics (continued)
      - YaST installation log files
          - /var/log/YaST2/y2log
          - View its contents by entering the following: more /var/log/YaST2/y2log
          - View the last few lines of the installation log file: tail /var/log/YaST2/y2log

  • How to Configure an Installation Server
      - Steps
          - Start the YaST Installation Server module
          - Select the server type
          - Deactivate the automatic configuration of server services (conditional)
          - Enter directory where you want to copy the installation files
          - Continue by selecting Next
          - Configure the service type (HTTP or FTP, and NFS)
          - Continue by selecting Next

  • How to Configure an Installation Server (continued)

  • How to Configure an Installation Server (continued)

  • How to Configure an Installation Server (continued)
      - Steps (continued)
          - Configure an installation source by selecting Configure
          - Enter a name for the installation source
          - Select Use ISO Images Instead of CDs (conditional)
          - Select Prompt for additional CDs (conditional)
          - Announce as Installation Service with SLP (optional)
          - Continue by selecting Next
          - Insert the First CD

  • How to Configure an Installation Server (continued)

  • How to Configure an Installation Server (continued)
      - Steps (continued)
          - Continue following the prompts to remove and replace CDs
          - Edit the configured source (optional)
          - Change the server settings (optional)
          - Finalize the configuration by selecting Finish
          - Close the YaST Control Center (optional)

  • How to Start a Remote Installation
      - Steps
          - Insert the boot media and restart your computer
          - With the down-arrow key, scroll to and highlight Installation
          - Press F3; then select the service type (FTP, HTTP, NFS, or SLP)
          - Enter server and full path (conditional)
              - To directory where the installation files are stored
          - Select Installation
          - Follow installation prompts until complete

  • How to Start a Remote Installation (continued)

  • Exercise 10-3: Install SLES 9 from an Installation Server
      - In this exercise you will install SLES 9 from an Installation Server

  • Summary
      - SSH daemon (sshd) provides a secure alternative to telnet, r-tools, and FTP
          - By encrypting traffic
      - scp and sftp commands
          - Copy files between remote hosts using SSH
      - SSH uses a combination of asymmetric and symmetric encryption
      - SSH server configuration file /etc/ssh/sshd_config
      - ssh-keygen and ssh-keyscan commands
          - Generate and view asymmetric SSH keys

  • Summary (continued)
      - Use YaST Remote Administration module
          - To configure a VNC server
      - Before installing SLES, consider:
          - Server role
          - Hardware compatibility
          - Boot, partition, and filesystem configuration
      - Linuxrc
          - Provides a text-based installation program
      - YaST is used to perform a graphical installation

  • Summary (continued)
      - YaST may be used to set up an installation server
          - That hosts the SLES media using the HTTP, FTP, or NFS protocol
