Remote Administration - PowerPoint PPT Presentation

1
CIT 470 Advanced Network and System
Administration
  • Remote Administration

2
Topics
  1. Network Access
  2. SSH
  3. Key-based Authentication
  4. Console Access
  5. X-Windows
  6. VNC and NX
  7. SSH tunneling

3
Network Access
  • Most tasks can be done from the shell.
  • File management.
  • Disk/volume management.
  • Troubleshooting and viewing logs.
  • Installing/removing software.
  • Start/stop network services.
  • Reboot/shutdown.
  • All we need is a way to invoke a shell across the
    network.

4
telnet
  • Ubiquitous network terminal protocol
  • telnet hostname
  • Similar protocols
  • rlogin -l user hostname
  • rsh -l user hostname command
  • Insecure
  • Data, including passwords, sent in the clear.
  • rlogin/rsh use ~/.rhosts for access w/o passwords.

5
ssh
  • Secure Shell
  • Replaces
  • telnet
  • ftp
  • rlogin
  • rsh
  • rcp

6
SSH Security Features
7
SSH Protocols and Products
  • SSH v1
  • Insecure, obsolete.
  • Do not use.
  • SSH v2
  • Current version.
  • OpenSSH
  • SSH Tectia
  • F-secure SSH
  • Putty
  • WinSCP

8
SSH Features
  • Secure login
  • ssh -l user host
  • Secure remote command execution
  • ssh -l user host command
  • Secure file transfer
  • sftp user@host
  • scp file user@host:/tmp/myfile
  • Port forwarding
  • ssh -L 110:localhost:110 mailhost

9
The Problem of Passwords
  1. Good passwords are hard to remember.
  2. Password transferred to remote system.
  3. Automating remote access with passwords is
    difficult.

10
Public Key Cryptography
  • Two keys
  • Private key known only to owner.
  • Public key available to anyone.
  • Applications
  • Confidentiality
  • Sender enciphers using recipient's public key,
  • Receiver deciphers using their private key.
  • Integrity/authentication
  • Sender enciphers using own private key,
  • Recipient deciphers using sender's public key.

11
Key-based Authentication
  • SSH uses public-key authentication
  • Private key stored in your machine.
  • Public key stored on remote machines.
  • Public-key login protocol
  • Client sends server a login request.
  • Server issues a challenge.
  • Client responds with computation based on
    challenge and private key.
  • Server checks response with public key.
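
The two slides above (public-key applications and the challenge-response
login) as one added Go example, not code from the slides or from OpenSSH:
RSA from the standard library does the encrypt/decrypt pair, and the
"encipher with own private key" step is realised as a signature over a
random server challenge. Real SSH signs over more data (the session
identifier among other things); this is the simplified model the slide draws.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Confidentiality (slide 10): anyone may encrypt to the public key,
// only the holder of the private key can decrypt.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Key-based login (slide 11), simplified: the server sends a fresh random
// challenge, the client signs it with its private key, and the server
// verifies the signature with the public key it holds in authorized_keys.
// Neither the private key nor the passphrase ever leaves the client.
func ServerChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

func ClientRespond(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

func ServerVerify(authorized *rsa.PublicKey, challenge, response []byte) bool {
	h := sha256.Sum256(challenge)
	return rsa.VerifyPSS(authorized, crypto.SHA256, h[:], response, nil) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // the id_* key pair; priv.PublicKey is the .pub half
	ct, _ := Encrypt(&priv.PublicKey, []byte("secret"))
	pt, _ := Decrypt(priv, ct)
	fmt.Printf("decrypted: %s\n", pt)
	ch, _ := ServerChallenge()
	resp, _ := ClientRespond(priv, ch)
	fmt.Println("login accepted:", ServerVerify(&priv.PublicKey, ch, resp))
}
```

A response signed for one challenge is useless for any other, which is why
the server must pick a fresh challenge per login attempt.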

12
Using key-based authentication
  • Generate a public/private key pair.
  • ssh-keygen
  • Key files: id_dsa (private key, encrypted with your
    passphrase) and id_dsa.pub (public key)
  • Copy public key to remote host
  • Copy to ~/.ssh/authorized_keys.
  • Login to remote host
  • ssh -l user remote

13
Keys are more secure than Passwords
  1. Need to have two items to login: key file and
    passphrase.
  2. Neither key nor passphrase is sent to remote
    host.
  3. Machine-generated cryptographic keys are
    infeasible to guess, unlike passwords.

14
SSH Agent
  • Problem: you have to enter the passphrase to decrypt
    the key each time you use ssh.
  • Solution: SSH Agent
  • > ssh-agent $SHELL
  • > ssh-add
    Enter passphrase for /home/jw/.ssh/id_dsa:
    Identity added: /home/you/.ssh/id_dsa
    (/home/jw/.ssh/id_dsa)
  • > ssh -l jw host

15
SSH Agent Features
  • Agent support for entire session.
  • Start ssh-agent on initial shell.
  • X: ~/.xsession (Often enabled by default.)
  • Multiple keys
  • ssh-add keyfile
  • ssh-add -l
  • Remove keys
  • ssh-add -d keyfile
  • ssh-add -D

16
Remote Access when Server is Down
  • Problem: No network access to host.
  • Solutions
  • Go to computer room and bring host up.
  • Specialized hardware (network boot / power).
  • Virtual machines.
  • Console servers.

17
Console Servers
  • Console
  • Main input / output device for computer.
  • Historically serial terminal.
  • Typically keyboard/mouse monitor.
  • Server allows access to multiple consoles.
  • Console access: BIOS, bootloader, kernel
  • Eliminates need for keyboards, mice, monitors.
  • Serial line to each machine from server.
  • One user has R/W, other users have R access.

18
Console Hardware
  • Console server solutions
  • Commercial: Cisco, Cyclades, Xyplex
  • Open source: Conserver + serial expander card
  • Hardware issues
  • Connectors: DB-9, DB-25, RJ-45
  • Encoding: 8N1, 7E1
  • Speeds: 9600 to 230k

19
X-Windows
  • Network-based windowing system.
  • Server
  • Handles user input and graphical display.
  • Runs on the machine with display unit.
  • Client
  • Graphical applications are clients.
  • Can run on a different machine than server.
  • Set DISPLAY environment variable.
  • Or use the -display command line option.

20
Window Manager
  • X client that provides features like
  • Move, resize, iconify, and kill windows.
  • Window title bars.
  • Popup menus.
  • Example window managers
  • twm: Tab, primitive early window manager
  • mwm: Motif, found on commercial UNIXes
  • fvwm: Free, fast, very customizable.
  • WindowMaker: NeXT-like, see also AfterStep.

21
TWM Screenshot
22
FVWM Screenshot
23
WindowMaker
24
Desktops
  • CDE
  • Common desktop env for commercial UNIXes.
  • Gnome
  • Standard Linux desktop based on GTK.
  • KDE
  • Windows-like free desktop based on QT.
  • Xfce
  • Lightweight desktop, also based on GTK.

25
X-Windows Security
  • Why do we need security?
  • An evil client can capture/create any X events.
  • Even if you're not using any network clients!
  • Host authentication
  • Limit who can start clients by IP address.
  • Set by the xhost + and xhost - commands.
  • Token authentication
  • Only clients with token can access server.
  • Set by the xauth command.

26
X-Windows Security
  • Tunneling + host authentication.
  • All clients appear to be from localhost.
  • Therefore disable remote clients with xhost -
  • Use the ssh client to tunnel X: ssh -X host
  • Server must have X11Forwarding set to yes.
  • Use echo $DISPLAY to test if X forwarding is on.
  • Note that local users can still attack X session.

27
VNC: Virtual Network Computing
28
Why VNC?
  1. Remote desktop access.
  2. Helpdesk: control a remote desktop.
  3. Persistent desktop.
  4. Use same desktop from multiple clients.
  5. Need Linux access from Windows.
  6. Need Windows access from Linux.

29
What is VNC?
  • Open remote desktop protocol.
  • Many implementations
  • RealVNC: VNC from the original researchers.
  • TightVNC: VNC with high compression.
  • VNCj: Java VNC, can run within a web browser.
  • PalmVNC: VNC for Palm Pilots.
  • UltraVNC: enhanced VNC, only for Windows.

30
Using VNC
  • Start VNC server
  • UNIX: vncserver
  • Win: Start menu > Programs > RealVNC > VNC Server
  • Write down server name and display number.
  • It will look something like unix:31
  • Start VNC client
  • UNIX: vncviewer
  • Win: Start menu > Programs > RealVNC > VNC Viewer
  • Enter server and display to connect to (from step
    2).
  • A VNC remote desktop should appear.

31
Configuring and Troubleshooting
  • On UNIX, VNC stores files under ~/.vnc
  • Configuration: xstartup
  • Indicates which X clients to start with the server.
  • Typically includes the vncconfig application.
  • Configuration: passwd
  • Contains the VNC server session password.
  • Log files: host:display.log
  • Any errors should appear in these logs.

32
Securing VNC
  • VNC does not provide encryption.
  • Use ssh tunneling to encrypt login data
  • ssh -L 5901:remotehost:5901 remotehost
  • vncviewer localhost:1

33
Tunneling
  • Tunneling: Encapsulation of one network protocol
    in another protocol
  • Carrier Protocol: protocol used by the network
    through which the information is travelling
  • Encapsulating Protocol: protocol (GRE, IPsec,
    L2TP) that is wrapped around the original data
  • Passenger Protocol: protocol that carries the
    original data

34
ssh Tunneling
  • SSH can tunnel TCP connections
  • Carrier Protocol: IP
  • Encapsulating Protocol: ssh
  • Passenger Protocol: TCP on a specific port
  • POP-3 forwarding
  • ssh -L 110:pop3host:110 -l user pop3host
  • Uses ssh to login to pop3host as user
  • Creates tunnel from port 110 (leftmost port) on
    localhost to port 110 (rightmost port) of
    pop3host
  • User configures mail client to use localhost as
    POP3 server, then proceeds as normal

35
NX
  • Advantages over VNC
  • Speed: fast enough to use over dialup.
  • Built-in ssh encryption.
  • Disadvantages
  • Immature code: hard to install and set up.
  • GPL client/server for Linux only.
  • Free Windows client, commercial server.
