Unit 419: Network Operating Systems
Remote and Central Management
Outline
Remote Management
– Remote Shell: Telnet, SSH
– Remote Desktop: X Window, VNC, TeamViewer
Central Management
System Management
To manage one system, the system administrator must log in to the system, launch a shell, and run various commands in it.
Several Terms
– Console / Terminal
– Shell
– Remote Shell
Remote Shell
– log in to the system over the network
– after user authentication, a shell is launched for this user
– the shell receives commands over the network and runs them
telnet
– the default tool for remote management in the early days
– telnet vs. TELNET: TELNET is a protocol that provides "a general, bi-directional, eight-bit byte oriented communications facility" (RFC 854)
– telnet is a program that speaks the TELNET protocol over TCP
– everything, including the login name and the password, crosses the network in cleartext; this is why SSH has replaced it for management
The TELNET Protocol
– reference: RFC 854
– runs over a single TCP connection (port 23)
– data and control are carried over the same connection; control sequences are introduced by the IAC byte (255)
– Network Virtual Terminal (NVT): an intermediate representation of a generic terminal that provides a standard language for communicating terminal control functions
Network Virtual Terminal (figure): user terminal <-> NVT <-> TCP ... TCP <-> NVT <-> server process; each side translates its local terminal conventions to and from the NVT
Remote Login with telnet
– the server to be managed must run a telnet server (default port: 23)
– the administrator connects to it with the telnet client:
  telnet ip_or_name_of_the_server
Playing with TELNET
– you can use the telnet program to play with the TELNET protocol
– telnet is a generic TCP client: it sends whatever you type to the TCP socket and prints whatever comes back through it
– useful for testing TCP servers that speak ASCII-based protocols
– many Unix systems used to run simple test servers by default, e.g. echo on port 7 (today these are normally disabled)
telnet hostname port

  > telnet amele-2.cse.unr.edu 7
  Trying 134.197.40.246...
  Connected to amele-2.cse.unr.edu (134.197.40.246).
  Escape character is '^]'.
  Hi mehmet
  Hi mehmet
  stop it
  stop it
  ^]
  telnet> quit
  Connection closed.
What is SSH?
– SSH (Secure Shell) is a protocol for secure remote login and other secure network services over an insecure network
– originally developed in Finland by Tatu Ylönen, who founded SSH Communications Security Corp.
– two families of implementations are available: the commercial version and the open-source OpenSSH (www.openssh.com)
– SSH-2 was specified in a set of Internet drafts that became RFCs 4250-4254 (assigned numbers, architecture, transport, user authentication, connection protocol)
Major SSH components
SSH Transport Layer Protocol
– provides server authentication, confidentiality, and integrity services
– may provide compression too
– runs on top of any reliable transport layer (e.g., TCP)
SSH User Authentication Protocol
– provides client-side user authentication
– runs on top of the SSH Transport Layer Protocol
SSH Connection Protocol
– multiplexes the secure tunnel provided by the SSH Transport Layer and User Authentication Protocols into several logical channels
– these logical channels can be used for a wide range of purposes: secure interactive shell sessions, TCP port forwarding, carrying X11 connections
SSH security features
strong algorithms
– uses well-established strong algorithms for encryption, integrity, key exchange, and public-key management
large key sizes
– encryption algorithms should use keys of at least 128 bits; larger keys are supported too
algorithm negotiation
– encryption, integrity, key exchange, and public-key algorithms are negotiated per connection
– it is easy to switch to another algorithm without modifying the base protocol (this is how the cipher and MAC lists below have been replaced over the years without a new protocol version)
SSH TLP – Overview
client <-> server:
1. TCP connection setup
2. SSH version string exchange
3. SSH key exchange (includes algorithm negotiation)
4. SSH data exchange
5. termination of the TCP connection
Connection setup and version string exchange
TCP connection setup
– the server listens on port 22
– the client initiates the connection
SSH version string exchange
– both sides must send a version string of the form "SSH-protoversion-softwareversion comments" followed by CR LF
– used to indicate the capabilities of an implementation and to trigger compatibility extensions
– the current protocol version is 2.0
– all packets that follow the version string exchange are sent using the Binary Packet Protocol
– both version strings are later bound into the exchange hash, so tampering with them during the exchange is detected
Binary Packet Protocol
– packet length (4 bytes): length of the packet, not including the MAC and the packet length field itself
– padding length (1 byte): length of the random padding
– payload: the useful contents; may be compressed; every implementation must accept uncompressed payloads of up to 32768 bytes (total packet up to 35000 bytes)
– random padding: 4 to 255 bytes; the total length of the packet, not including the MAC, must be a multiple of max(8, cipher block size), even if a stream cipher is used
– MAC: message authentication code, computed over the clear (unencrypted) packet and an implicit sequence number
Layout on the wire: packet length | padding length | payload (may be compressed) | random padding | MAC
Processing order: the payload is compressed first, then everything from the packet length through the padding is encrypted, and the MAC is appended unencrypted
Encryption
– the encryption algorithm is negotiated during the key exchange
– algorithms listed in the original drafts: 3des-cbc (required, 168-bit key), blowfish-cbc (recommended), twofish256-cbc / twofish192-cbc (optional), twofish128-cbc (recommended), aes256-cbc / aes192-cbc (optional), aes128-cbc (recommended), serpent256-cbc / serpent192-cbc / serpent128-cbc (optional), arcfour (optional, RC4), idea-cbc / cast128-cbc (optional)
– in RFC 4253 only aes128-cbc remains RECOMMENDED; 3DES, RC4, Blowfish and CBC mode in general are considered weak today, and OpenSSH defaults to aes*-ctr, aes*-gcm and chacha20-poly1305
– the key and IV are also established during the key exchange
– all packets sent in one direction are considered a single data stream: the IV is carried from the end of one packet to the beginning of the next one
– the encryption algorithm can be different in each direction
</gr_repl>
MAC
– the MAC algorithm and key are negotiated during the key exchange
– algorithms: hmac-sha1 (required; MAC length = key length = 160 bits), hmac-sha1-96 (recommended; MAC length 96 bits, key length 160 bits), hmac-md5 (optional; MAC length = key length = 128 bits), hmac-md5-96 (optional; MAC length 96 bits, key length 128 bits)
– later additions (RFC 6668): hmac-sha2-256 and hmac-sha2-512; OpenSSH also offers encrypt-then-MAC ("-etm") variants and prefers those or an AEAD cipher today
– the MAC algorithms used in each direction can differ
– MAC = mac( key, sequence number | clear packet )
– the sequence number is implicit, not sent with the packet
– it is a 4-byte unsigned integer, initialized to 0 and incremented after each packet, wrapping to 0 after 2^32 packets
– it is never reset, even if keys and algorithms are renegotiated later
– because the sequence number is authenticated but not transmitted, a replayed, dropped or reordered packet fails the MAC check at the receiver
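The framing rules of the Binary Packet Protocol and the MAC computation above, as an added example that is not part of the slides: it builds a packet with the "none" cipher and hmac-sha1 (so the layout stays visible), checks the padding rules on receipt, and shows that a replayed packet fails the MAC because the receiver's implicit sequence number has moved on. The key and payloads are constructed.

```python
# Added example (not from the slides): SSH Binary Packet Protocol framing,
# RFC 4253 §6, with cipher "none" and an hmac-sha1 MAC over seq||clear packet.
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha1().digest_size   # hmac-sha1: 20 bytes

def build_packet(payload: bytes, seq: int, mac_key: bytes, block_size: int = 8) -> bytes:
    bs = max(8, block_size)
    pad_len = bs - (5 + len(payload)) % bs     # 4 length bytes + 1 padding-length byte
    if pad_len < 4:                            # at least 4 bytes of padding are required
        pad_len += bs
    padding = secrets.token_bytes(pad_len)     # random, as the spec requires
    packet_length = 1 + len(payload) + pad_len # excludes the length field and the MAC
    clear = packet_length.to_bytes(4, "big") + bytes([pad_len]) + payload + padding
    mac = hmac.new(mac_key, seq.to_bytes(4, "big") + clear, hashlib.sha1).digest()
    return clear + mac                         # MAC travels unencrypted after the packet

def parse_packet(packet: bytes, seq: int, mac_key: bytes, block_size: int = 8) -> bytes:
    """Verify the MAC with the receiver's own sequence number, then unpack the payload."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    packet_length = int.from_bytes(packet[:4], "big")
    if len(packet) != 4 + packet_length + MAC_LEN:
        raise ValueError("length field does not match the bytes received")
    clear, mac = packet[:4 + packet_length], packet[4 + packet_length:]
    expected = hmac.new(mac_key, seq.to_bytes(4, "big") + clear, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("MAC mismatch: tampered, wrong key, or replayed/out-of-order packet")
    pad_len = clear[4]
    if pad_len < 4 or len(clear) % max(8, block_size) != 0:
        raise ValueError("padding violates the framing rules")
    return clear[5:5 + packet_length - 1 - pad_len]

def replay_demo() -> str:
    """Send two packets, then replay the first: the receiver now expects seq 2."""
    key = secrets.token_bytes(20)              # constructed MAC key
    p0, p1 = build_packet(b"first", 0, key), build_packet(b"second", 1, key)
    assert parse_packet(p0, 0, key) == b"first" and parse_packet(p1, 1, key) == b"second"
    try:
        parse_packet(p0, 2, key)
    except ValueError as exc:
        return str(exc)
    return "replay accepted (should not happen)"

if __name__ == "__main__":
    print(replay_demo())
```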
Key exchange - Overview
client <-> server:
– both sides send SSH_MSG_KEXINIT (algorithm negotiation)
– execution of the selected key exchange protocol
– both sides send SSH_MSG_NEWKEYS
– after sending SSH_MSG_NEWKEYS a side uses the new keys and algorithms for sending; after receiving it, it uses the new keys and algorithms for receiving
Algorithm negotiation
SSH_MSG_KEXINIT contains
– random cookie (16 bytes)
– kex_algorithms (comma-separated list of names)
– server_host_key_algorithms
– encryption_algorithms_client_to_server / encryption_algorithms_server_to_client
– mac_algorithms_client_to_server / mac_algorithms_server_to_client
– compression_algorithms_client_to_server / compression_algorithms_server_to_client
– first_kex_packet_follows (boolean)
algorithm lists
– the server lists the algorithms it supports
– the client lists the algorithms it is willing to accept
– algorithms are listed in order of preference
– selection: the first algorithm on the client's list that is also on the server's list
– both KEXINIT messages are included in the exchange hash, so an attacker who rewrites the lists to force a weak algorithm makes the exchange fail
Deriving keys and IVs
– any key exchange algorithm produces two values: a shared secret K and an exchange hash H
– H from the first key exchange is used as the session ID (it never changes, even after a re-exchange)
– keys and IVs are derived from K and H as follows:
  IV client to server = HASH( K | H | "A" | session ID )
  IV server to client = HASH( K | H | "B" | session ID )
  encryption key client to server = HASH( K | H | "C" | session ID )
  encryption key server to client = HASH( K | H | "D" | session ID )
  MAC key client to server = HASH( K | H | "E" | session ID )
  MAC key server to client = HASH( K | H | "F" | session ID )
– HASH is the hash function specified by the key exchange method (e.g., SHA-1 for diffie-hellman-group1-sha1), and K is encoded as an mpint
– if the required key length is longer than the output of HASH, the output is extended:
  K1 = HASH( K | H | X | session ID )
  K2 = HASH( K | H | K1 )
  K3 = HASH( K | H | K1 | K2 )
  …
  key = K1 | K2 | K3 | …
Diffie-Hellman key exchange
1. client
– generates a random number x and computes e = g^x mod p
– sends e to the server
2. server
– generates a random number y and computes f = g^y mod p
– receives e from the client
– computes K = e^y mod p = g^xy mod p and H = HASH( client version string | server version string | client KEXINIT msg | server KEXINIT msg | server host key Ksrv | e | f | K )
– generates a signature s on H using the private part of the server host key (may involve an additional hash computation on H)
– sends ( Ksrv | f | s ) to the client
3. client
– verifies that Ksrv is really the host key of the server
– computes K = f^x mod p = g^xy mod p and the exchange hash H
– verifies the signature s on H
– both sides should also reject an e or f outside the range 1 < value < p-1, so that a trivial shared secret cannot be forced
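The exchange hash, the Diffie-Hellman step and the key derivation of the two slides above, carried through in one place as an added example that is not part of the slides. Both sides run in one process over the 1024-bit group of diffie-hellman-group1-sha1 (RFC 2409 group 2, far too small for real use today and included only because the text names that method). The version strings, KEXINIT payloads and host-key blob are constructed placeholders, and the server's signature over H (which needs a host-key algorithm outside the standard library) is left out; the example shows that both sides arrive at the same K and H and derives the six keys from them.

```python
# Added example (not from the slides): DH group1 exchange, exchange hash and
# key derivation per RFC 4253 §7.2 and §8, with RFC 4251 string/mpint encoding.
import hashlib
import secrets

P_GROUP1 = int(  # RFC 2409 "Second Oakley Group" prime; too small for real use
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
HASH = hashlib.sha1  # the hash named by diffie-hellman-group1-sha1

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b

def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for n >= 0: two's-complement big-endian, length-prefixed,
    with a leading 0x00 whenever the top bit would otherwise be set."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k) -> bytes:
    """H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K), RFC 4253 §8."""
    h = HASH()
    for part in (ssh_string(v_c), ssh_string(v_s), ssh_string(i_c), ssh_string(i_s),
                 ssh_string(k_s), ssh_mpint(e), ssh_mpint(f), ssh_mpint(k)):
        h.update(part)
    return h.digest()

def derive_key(k: int, h: bytes, letter: bytes, session_id: bytes, length: int) -> bytes:
    """K1 = HASH(K||H||X||session_id); Kn = HASH(K||H||K1||...||Kn-1); key = K1||K2||..."""
    out = HASH(ssh_mpint(k) + h + letter + session_id).digest()
    while len(out) < length:
        out += HASH(ssh_mpint(k) + h + out).digest()
    return out[:length]

def dh_group1_exchange(v_c=b"SSH-2.0-example_client", v_s=b"SSH-2.0-example_server",
                       i_c=b"<client KEXINIT payload>", i_s=b"<server KEXINIT payload>",
                       k_s=b"<server host key blob>"):
    """Both sides of the exchange in one process; all inputs are constructed placeholders."""
    x = secrets.randbelow(P_GROUP1 - 3) + 2            # client secret, 2 <= x <= p-2
    e = pow(G, x, P_GROUP1)
    y = secrets.randbelow(P_GROUP1 - 3) + 2            # server secret
    f = pow(G, y, P_GROUP1)
    for v in (e, f):                                   # reject 1 and p-1 (trivial K)
        if not 1 < v < P_GROUP1 - 1:
            raise ValueError("invalid DH public value")
    k_server = pow(e, y, P_GROUP1)                     # server: K = e^y
    k_client = pow(f, x, P_GROUP1)                     # client: K = f^x
    h_server = exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k_server)
    h_client = exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k_client)
    session_id = h_client                              # H of the first exchange
    keys = {letter: derive_key(k_client, h_client, letter, session_id, 16)
            for letter in (b"A", b"B", b"C", b"D", b"E", b"F")}
    return {"K_client": k_client, "K_server": k_server,
            "H_client": h_client, "H_server": h_server, "keys": keys}

if __name__ == "__main__":
    r = dh_group1_exchange()
    print("shared secrets agree:", r["K_client"] == r["K_server"])
    print("exchange hash:", r["H_client"].hex())
```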
Server authentication
– based on the server's host key Ksrv
– the client must check that Ksrv is really the host key of the server
models
– the client has a local database that associates each host name with the corresponding public host key (e.g., OpenSSH's known_hosts file)
– the host name-to-key association is certified by a trusted CA, and the server provides the necessary certificates or the client obtains them from elsewhere
– check the fingerprint of the key over an external channel (e.g., phone)
– best effort ("trust on first use"):
  • accept the host key without a check when connecting to the server for the first time
  • save the host key in the local database
  • check against the saved key on all future connections to the same server
– the first connection is the weak point of the best-effort model: an attacker in the path at that moment can substitute their own key, so the fingerprint shown on first connection should be verified out of band before it is accepted
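The local-database model as OpenSSH implements it in ~/.ssh/known_hosts, as an added example that is not part of the slides: it computes the SHA-256 fingerprint the user is asked to confirm on first connection, handles hashed host names (HashKnownHosts entries) and @revoked markers, and distinguishes the three outcomes of the check. The key blobs, host names and the fixed salt are constructed; certificate-authority entries and wildcard host patterns are deliberately left unhandled.

```python
# Added example (not from the slides): known_hosts lookup and key fingerprints.
import base64
import hashlib
import hmac

def ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b

# Wire-format public key blobs (RFC 4253 §6.6 layout); the key bytes are made up.
HOST_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
ATTACKER_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))
SALT = bytes(20)   # OpenSSH draws a random 20-byte salt per entry; fixed here for reproducibility

def fingerprint_sha256(key_blob: bytes) -> str:
    """Same form as `ssh-keygen -lf`: base64 of SHA-256 over the blob, '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")

def hash_hostname(hostname: str, salt: bytes) -> str:
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field: str, hostname: str) -> bool:
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|", 3)
        return hmac.compare_digest(hash_hostname(hostname, base64.b64decode(salt_b64)), field)
    return hostname in field.split(",")   # wildcard and '!' negation patterns are not handled

def check_known_hosts(lines, hostname: str, key_type: str, key_blob: bytes) -> str:
    """'match', 'revoked', 'mismatch' (known host, different key: the warning case)
    or 'unknown' (first connection: the trust-on-first-use moment)."""
    seen = False
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or marker == "@cert-authority":
            continue                       # CA entries need certificate handling, not done here
        hosts, ktype, key_b64 = fields[0], fields[1], fields[2]
        if ktype != key_type or not host_matches(hosts, hostname):
            continue
        same_key = hmac.compare_digest(base64.b64decode(key_b64), key_blob)
        if marker == "@revoked":
            if same_key:
                return "revoked"
            continue
        seen = True
        if same_key:
            return "match"
    return "mismatch" if seen else "unknown"

KNOWN_HOSTS = [  # constructed file contents
    "# constructed sample known_hosts",
    hash_hostname("server.example.com", SALT) + " ssh-ed25519 " + base64.b64encode(HOST_KEY).decode(),
    "bastion.example.com,10.0.0.5 ssh-ed25519 " + base64.b64encode(HOST_KEY).decode(),
    "@revoked old.example.com ssh-ed25519 " + base64.b64encode(ATTACKER_KEY).decode(),
]

if __name__ == "__main__":
    print("fingerprint to confirm out of band:", fingerprint_sha256(HOST_KEY))
    for host, key in (("server.example.com", HOST_KEY), ("server.example.com", ATTACKER_KEY),
                      ("new.example.com", HOST_KEY)):
        print(host, "->", check_known_hosts(KNOWN_HOSTS, host, "ssh-ed25519", key))
```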
Key re-exchange
– either party may initiate a key re-exchange by sending an SSH_MSG_KEXINIT packet when not already doing a key exchange
– the re-exchange is processed identically to the initial key exchange, except for the session ID, which remains unchanged
– algorithms may be changed
– keys and IVs are recomputed
– encryption contexts are reset
– it is recommended to change keys after each gigabyte of transmitted data or after each hour of connection time
Service request
– after the key exchange the client requests a service (SSH_MSG_SERVICE_REQUEST)
– services: ssh-userauth, ssh-connection
– when the service starts, it has access to the session ID established during the first key exchange
SSH – User Authentication Protocol
– the protocol assumes that the underlying transport provides integrity and confidentiality (e.g., the SSH Transport Layer Protocol)
– the protocol has access to the session ID
– the server should have a timeout for authentication and disconnect if the authentication has not been accepted within the timeout period (recommended value: 10 minutes)
– the server should limit the number of failed authentication attempts a client may perform in a single session (recommended value: 20 attempts)
– three authentication methods are described here: publickey, password, hostbased (the "none" method exists only to ask the server which methods it accepts)
User authentication overview
USERAUTH_REQUEST
– user name
– service name
– method name
– … method-specific fields …
USERAUTH_FAILURE
– list of authentication methods that can continue
– partial success flag
  • TRUE: the previous request was successful, but further authentication is needed
  • FALSE: the previous request was not successful
USERAUTH_SUCCESS
– authentication is complete; the server starts the requested service
Message flow (client <-> server):
  C -> S: SSH_MSG_USERAUTH_REQUEST
  S -> C: SSH_MSG_USERAUTH_FAILURE (further authentication needed)
  C -> S: SSH_MSG_USERAUTH_REQUEST
  S -> C: SSH_MSG_USERAUTH_FAILURE (further authentication needed)
  …
  C -> S: SSH_MSG_USERAUTH_REQUEST
  S -> C: SSH_MSG_USERAUTH_SUCCESS
The "publickey" method
– all implementations must support this method
– the 2006 RFC text expected that "most local policies will not require authentication with this method in the near future, as users don't have public keys"; in practice the opposite happened, and public-key authentication with password authentication disabled is now the recommended server configuration
– authentication is based on demonstrating knowledge of the private key (the client signs with the private key)
– the server verifies that
  • the public key really belongs to the user specified in the authentication request (e.g., it is listed in that user's authorized_keys file)
  • the signature is correct
The "publickey" method cont'd
SSH_MSG_USERAUTH_REQUEST
– user name
– service name
– "publickey"
– TRUE (a flag set to TRUE)
– public key algorithm name (e.g., ssh-dss, ssh-rsa, ssh-ed25519)
– public key
– signature (computed over the session ID and the data in the request; binding the session ID means the signature cannot be replayed in another session)
the server responds with SSH_MSG_USERAUTH_FAILURE if the request failed or more authentication is needed, or SSH_MSG_USERAUTH_SUCCESS otherwise
The "publickey" method cont'd
using the private key
– involves expensive computations
– may require the user to type a passphrase if the private key is stored in encrypted form on the client machine
to avoid unnecessary processing, the client may first check whether authentication with the public key would be acceptable:
– SSH_MSG_USERAUTH_REQUEST with user name, service name, "publickey", FALSE, public key algorithm name, public key (and no signature)
– if the key is acceptable, the server responds with SSH_MSG_USERAUTH_PK_OK and the client then sends the signed request
The "password" method
– all implementations should support this method
– this method is likely the most widely used
SSH_MSG_USERAUTH_REQUEST
– user name
– service name
– "password"
– FALSE (a flag set to FALSE)
– password (plaintext inside the request; it is protected only by the transport layer encryption, which is why the server must be authenticated before this message is sent)
the server may respond with SSH_MSG_USERAUTH_FAILURE, SSH_MSG_USERAUTH_SUCCESS, or SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
The "password" method cont'd
changing the password
– SSH_MSG_USERAUTH_REQUEST
  • user name
  • service name
  • "password"
  • TRUE
  • old password (plaintext)
  • new password (plaintext)
The "hostbased" method
– authentication is based on the host the user is coming from
– this method is optional
– the client sends a signature generated with the private host key of the client
– the server verifies that
  • the public key really belongs to the host specified in the authentication request
  • the signature is correct
– this trusts the administrator of the client host: anyone with root on that host can use its host key, so the method is mainly useful inside tightly controlled clusters
The "hostbased" method cont'd
SSH_MSG_USERAUTH_REQUEST
– user name
– service name
– "hostbased"
– public key algorithm name
– public key and certificates for the client host
– client host name
– user name on the client host
– signature (computed over the session ID and the data in the request)
SSH – Connection Protocol
provides
– interactive login sessions
– remote execution of commands
– forwarded TCP/IP connections
– forwarded X11 connections
all of these are implemented as "channels"
– all channels are multiplexed into the single encrypted tunnel provided by the SSH Transport Layer Protocol
– channels are identified by channel numbers at both ends of the connection
– the channel numbers for the same channel at the client and server sides may differ: each side uses the peer's number when sending and its own number when receiving
Channel mechanisms
opening a channel
– SSH_MSG_CHANNEL_OPEN
  • channel type
  • sender channel number
  • initial window size
  • maximum packet size
  • … channel-type-specific data …
– SSH_MSG_CHANNEL_OPEN_CONFIRMATION
  • recipient channel number (the sender channel number from the open request)
  • sender channel number
  • initial window size
  • maximum packet size
  • … channel-type-specific data …
– SSH_MSG_CHANNEL_OPEN_FAILURE
  • recipient channel number (the sender channel number from the open request)
  • reason code and additional textual information
Channel mechanisms cont'd
data transfer over a channel
– SSH_MSG_CHANNEL_DATA
  • recipient channel number
  • data (must not exceed the peer's remaining window or its maximum packet size)
– SSH_MSG_CHANNEL_WINDOW_ADJUST
  • recipient channel number
  • bytes to add to the window size
closing a channel
– SSH_MSG_CHANNEL_EOF
  • recipient channel number (sent if the party does not want to send more data)
– SSH_MSG_CHANNEL_CLOSE
  • recipient channel number (the receiving party must respond with an SSH_MSG_CHANNEL_CLOSE; the channel is closed once a party has both sent and received the closing message)
Channel mechanisms cont'd
channel-type-specific requests
– SSH_MSG_CHANNEL_REQUEST
  • recipient channel number
  • request type
  • want-reply flag (TRUE if a reply is needed)
  • … request-type-specific data …
– SSH_MSG_CHANNEL_SUCCESS
  • recipient channel number
– SSH_MSG_CHANNEL_FAILURE
  • recipient channel number
Example: Starting a remote shell
C -> S: SSH_MSG_CHANNEL_OPEN
  • channel type = "session"
  • sender channel number = 5
  • initial window size
  • maximum packet size
S -> C: SSH_MSG_CHANNEL_OPEN_CONFIRMATION
  • recipient channel number = 5
  • sender channel number = 21
  • initial window size
  • maximum packet size
Example: Starting a remote shell cont'd
C -> S: SSH_MSG_CHANNEL_REQUEST
  • recipient channel number = 21
  • request type = "pty-req" (pseudo-terminal request)
  • want-reply flag = TRUE
  • TERM environment variable value (e.g., vt100)
  • terminal width in characters (e.g., 80)
  • terminal height in rows (e.g., 24)
  • …
S -> C: SSH_MSG_CHANNEL_SUCCESS
  • recipient channel number = 5
Example: Starting a remote shell cont'd
C -> S: SSH_MSG_CHANNEL_REQUEST
  • recipient channel number = 21
  • request type = "shell"
  • want-reply flag = TRUE
S -> C: SSH_MSG_CHANNEL_SUCCESS
  • recipient channel number = 5
C <-> S: SSH_MSG_CHANNEL_DATA, SSH_MSG_CHANNEL_WINDOW_ADJUST
  …
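The channel bookkeeping behind the exchange above, as an added example that is not part of the slides: each side keeps its own channel numbers (the client's 5 and the server's 21), refers to the peer's number when sending, and enforces the window and maximum packet size announced by the peer. The window and packet sizes are made deliberately small so the flow-control case is visible; all values are constructed.

```python
# Added example (not from the slides): per-channel state of the SSH
# Connection Protocol (RFC 4254) with window-based flow control.
class ChannelEndpoint:
    def __init__(self, first_local_number, initial_window=32768, max_packet=16384):
        self.next_local = first_local_number
        self.initial_window = initial_window    # how much the peer may send us before we adjust
        self.max_packet = max_packet            # largest CHANNEL_DATA we accept
        self.channels = {}                      # local number -> state

    def _new(self, remote, send_window, max_packet, state):
        n = self.next_local
        self.next_local += 1
        self.channels[n] = {"remote": remote, "send_window": send_window,
                            "recv_window": self.initial_window,
                            "max_packet": max_packet, "state": state}
        return n

    def open_request(self, channel_type="session"):
        n = self._new(None, 0, None, "opening")
        return {"msg": "SSH_MSG_CHANNEL_OPEN", "type": channel_type, "sender": n,
                "window": self.initial_window, "max_packet": self.max_packet}

    def handle_open(self, msg):
        """Peer opened a channel: record its number as 'remote', answer with ours."""
        n = self._new(msg["sender"], msg["window"], msg["max_packet"], "open")
        return {"msg": "SSH_MSG_CHANNEL_OPEN_CONFIRMATION", "recipient": msg["sender"],
                "sender": n, "window": self.initial_window, "max_packet": self.max_packet}

    def handle_confirmation(self, msg):
        ch = self.channels[msg["recipient"]]     # 'recipient' is OUR number
        ch.update(remote=msg["sender"], send_window=msg["window"],
                  max_packet=msg["max_packet"], state="open")

    def send_data(self, local, data):
        ch = self.channels[local]
        if ch["state"] != "open":
            raise RuntimeError("channel not open")
        if len(data) > ch["max_packet"]:
            raise RuntimeError("exceeds the peer's maximum packet size")
        if len(data) > ch["send_window"]:
            raise RuntimeError("peer window exhausted; wait for WINDOW_ADJUST")
        ch["send_window"] -= len(data)
        return {"msg": "SSH_MSG_CHANNEL_DATA", "recipient": ch["remote"], "data": data}

    def handle_data(self, msg):
        ch = self.channels[msg["recipient"]]
        if len(msg["data"]) > ch["recv_window"]:
            raise RuntimeError("peer violated our window")   # a conforming peer never does
        ch["recv_window"] -= len(msg["data"])
        return msg["data"]

    def window_adjust(self, local, nbytes):
        ch = self.channels[local]
        ch["recv_window"] += nbytes
        return {"msg": "SSH_MSG_CHANNEL_WINDOW_ADJUST", "recipient": ch["remote"], "bytes": nbytes}

    def handle_window_adjust(self, msg):
        self.channels[msg["recipient"]]["send_window"] += msg["bytes"]

def remote_shell_session():
    """Open client channel 5 <-> server channel 21, then push data past the window."""
    client = ChannelEndpoint(5)
    server = ChannelEndpoint(21, initial_window=10, max_packet=8)   # small on purpose
    client.handle_confirmation(server.handle_open(client.open_request("session")))
    log = []
    server.handle_data(client.send_data(5, b"ls -l\n"))            # 6 of the 10-byte window used
    try:
        client.send_data(5, b"cat f\n")                             # 6 bytes > 4 remaining
    except RuntimeError as exc:
        log.append(str(exc))
    client.handle_window_adjust(server.window_adjust(21, 10))       # server consumed the data
    server.handle_data(client.send_data(5, b"cat f\n"))             # now allowed
    return {"client": client.channels[5], "server": server.channels[21], "log": log}

if __name__ == "__main__":
    print(remote_shell_session())
```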
openssh server
– free; installation on Debian/Ubuntu: sudo apt-get install openssh-server
– configuration file: /etc/ssh/sshd_config (keywords are case-insensitive, and the first value given for a keyword is the one sshd uses)
– log file: /var/log/auth.log on Debian/Ubuntu, /var/log/secure on Red Hat derivatives, or the systemd journal of the ssh/sshd unit
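A small auditor for sshd_config written as an added example for this page, not a tool from OpenSSH: it parses the global section the way sshd reads it (case-insensitive keywords, first value wins, Match blocks are conditional and are skipped here) and reports the settings a hardened server should state explicitly. The weak and hardened configurations are constructed samples, not taken from any real host.

```python
# Added example (not from the slides): audit the global section of sshd_config.
import re

WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample of a weak file)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
#PubkeyAuthentication yes
PasswordAuthentication no
"""

HARDENED_SSHD_CONFIG = """\
# constructed sample of a hardened file
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
"""

# Values a hardened global section should state explicitly.
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password"},
    "pubkeyauthentication": {"yes"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}

def parse_sshd_config(text):
    """Return {keyword: (first value, line number)} for the global section.
    sshd takes the FIRST value it sees for a keyword, so later duplicates
    are ignored (and silently do nothing, which is itself worth knowing)."""
    first = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":                               # conditional block: stop the global view
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        first.setdefault(key, (value, lineno))
    return first

def audit_sshd_config(text):
    """Return a list of (keyword, value found or None, message) findings."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, allowed in EXPECTED.items():
        if key not in cfg:
            findings.append((key, None, "not set; relying on the compiled-in default"))
            continue
        value, lineno = cfg[key]
        if value.lower() not in allowed:
            findings.append((key, value, "line %d: expected %s" % (lineno, " or ".join(sorted(allowed)))))
    return findings

if __name__ == "__main__":
    for finding in audit_sshd_config(WEAK_SSHD_CONFIG):
        print(finding)
    print("hardened sample findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

The duplicated PasswordAuthentication line in the weak sample is the classic mistake: the later "no" never takes effect because the earlier "yes" was read first.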
Remote Management with SSH
– run a command remotely: ssh name@server "command"
– scp: secure rcp, copies files between Linux computers over SSH
– sftp: secure ftp, an interactive file transfer subsystem running over SSH
Other tools
– ssh-keygen: generates the key pair used to authenticate users with the publickey method; the public key is then added to the user's authorized_keys file on the server
– http://www.debian-administration.org/article/SSH_with_authentication_key_instead_of_password
X Window
– the basis of the GUI for Unix/Linux systems
– free and cross-platform
– a standard for low-level GUI: a protocol to create windows, handle input, draw graphics, ...
– not a window manager
– on the same X Window base, various desktops have been developed for Linux: GNOME, KDE
X Window architecture
– client-server architecture
– separates the user interface from the application: the X client handles all application logic, the X server handles all display output and user input
– a server handles requests from multiple clients, processes data as requested, and returns the results to the clients
– X inverts the conventional web server/client relationship (on the web, the browser is the "client" and the web site is the "server"; in X, the program is the client and the display is the server)
Remote Management with X Window
– the X client and the X server can run on different computers
– the computer used by the administrator runs the X server
– the GUI tools on the computer to be managed run as X clients
– although the tools run on and manage the remote computer, their GUI appears on the computer used by the administrator
– http://www.umbc.edu/hpcf/resources-tara/x-windows-server/
How does X Window-based remote management work?
– the X server and the X client share the X protocol, which describes the GUI primitives of the software
– the X server sends the X client events such as mouse movement (location) and key presses
– the X client runs the application logic and asks the X server to draw the screen
– the volume of network traffic is low, but there are many interactions and many small packets, so the protocol is sensitive to latency
Remote Management with X Window + SSH
– plain X traffic is unauthenticated and unencrypted (TCP port 6000 plus the display number); SSH X11 forwarding carries it through the encrypted connection instead, so the administrator's X server never has to be exposed to the network
– http://www.umbc.edu/hpcf/resources-tara/x-windows-server/
VNC
– a remote desktop sharing protocol; VNC = Virtual Network Computing
– VNC behaves as if it took continuous desktop snapshots
– it uses compression techniques to reduce the required bandwidth, and transfers only the parts of the desktop that have changed
– still, network traffic is heavy
VNC + SSH
– VNC's own authentication and transport are weak, so run the VNC server listening on the loopback interface only and reach it through an SSH tunnel (local port forwarding); with a VNC password on top, this is quick and reasonably secure
– http://wiki.scinethpc.ca/wiki/images/3/36/Ttvnc.pdf
VNC-based Products
RealVNC http://www.realvnc.com/products/vnc/
TeamViewer http://www.teamviewer.com/en/index.aspx
TeamViewer
TeamViewer and NAT
– TeamViewer claims that you can manage computers behind a NAT box
– never use it for this purpose!
– to achieve this, TeamViewer on the managed computer must connect out to a server provided by TeamViewer
– that server acts as a gateway (relay) between you and the computer behind the NAT box
– although SSL can be used to encrypt the data between you and the server (and between the server and the computer behind the NAT box), a relay that terminates the encryption can see your screen the whole time; unless you can verify that the encryption is end-to-end between the two endpoints, assume the relay operator can
Outline
Remote Management
– Remote Shell: Telnet, SSH
– Remote Desktop: X Window, VNC, TeamViewer
Central Management
– Overview of Central Management
– Directory Service and LDAP (Lightweight Directory Access Protocol)
– Windows: Domain Controller
– Linux: Spacewalk, Centrify DirectManage, etc.
Remote vs Central Management
Remote != Central Management
Remote management
– instead of sitting at the console of a computer, the administrator connects to it remotely (through the network) and manages it by executing commands on that computer
Central management
– all management-related data and policy are stored and managed on a central server
– this data and policy is distributed (through the network) to, and used by, many computers
Examples of Central Management?
Examples of Central Management
– DHCP server: IP addresses of multiple computers (the distributed alternative: configure each computer manually)
– DNS server: mapping between domain names and IP addresses (the distributed alternative: edit /etc/hosts on each computer)
– Windows domain controller: user accounts, roaming (portal) desktop, network policy, etc.
– Linux cluster: one file system (installed software, configuration files, etc.) shared by all nodes
What can be managed centrally?
– computers, printers, etc.
– software
– user accounts
– configurations
– policy files
– ...
Benefits of Central Management
– reduces the workload of system administrators
– improves the experience of users: one login for all computers of the same domain, roaming (portal) desktop
– a huge amount of resources can be managed easily and efficiently
– fewer inconsistencies and conflicts, and those that occur can be found and corrected easily
– ...
Weakness of Central Management
– central point of failure: backup servers or a cluster may be used to increase availability
– central point of compromise: once the central server is attacked successfully, all information can be stolen, and every managed computer can be controlled through the policies the server distributes
Common Approach for Central Management
– the central server provides a directory service: the directory is similar to a database and contains all information related to management
– LDAP (Lightweight Directory Access Protocol) is used to access the directory service
– the administrator uses LDAP (possibly through the network) to check and modify the management-related information
– computers use LDAP (through the network) to get the configuration and policy files and apply these rules to themselves
Outline
Remote Management
– Remote Shell: Telnet, SSH
– Remote Desktop: X Window, VNC, TeamViewer
Central Management
– Overview of Central Management
– Directory Service and LDAP (Lightweight Directory Access Protocol)
– Windows: Domain Controller
– Linux: Spacewalk, Centrify DirectManage, etc.
Directories
A directory is a listing of information about objects arranged in some order that gives details about each object.
Common examples are a city telephone directory and a library card catalog.
In computer terms, a directory is a specialized database, also called a data repository, that stores typed and ordered information about objects.
A particular directory might list information about printers (the objects) consisting of typed information such as location (a formatted character string), speed in pages per minute (numeric), print streams supported (for example PostScript or ASCII), and so on.
Directory vs Database
A directory is often described as a database, but it has characteristics that differ from general databases:
– they are accessed much more than they are updated, hence they are optimized for read access
– they are not suited for information that changes rapidly (e.g., the number of jobs in a printer queue)
– many directory services do not support transactions
– directories normally limit the type of information that can be stored
– databases use powerful query languages like SQL, but directories normally use very simple access methods
– hence directories can be optimized to economically provide many applications with rapid access
X.500, DAP, LDAP
• X.500 directory model (OSI)
• DAP is the directory access protocol for it (heavy/impractical)
• LDAP is the simplified strategy (used/practical)
• LDAP comes from work at the University of Michigan, including model implementations; UMICH now refers people to openldap.org
• the LDAPv3 technical specification was defined in RFC 3377, since replaced by RFC 4510 and the RFC 4511-4519 series
Strengths/Limitations
• LDAP is well suited for
– information that is referenced by many entities and applications
– information that needs to be accessed from more than one location (roaming, e.g. by "road warriors"; preference information for web "portals")
– information that is read more often than it is written
• LDAP is not well suited for
– information that changes often (it is not a relational database)
– information that is unstructured (it is not a file system)
LDAP protocol
– a message protocol used by directory clients and servers
– it defines several messages, such as bindRequest and searchRequest
– there are LDAP APIs for C and Java programs
– all modern LDAP servers are based on LDAP version 3
– clients and servers may or may not be on the same machine
Types of directories
– local: nearby, for example information about names, e-mail addresses and so on for a department or a workgroup
– global: spread across the universe of interest, for example information about persons in an entire company
– centralized: there is one directory server at one location; local or remote clients can access it
– distributed: information may be partitioned or replicated
LDAP architecture overview
A typical entry serialized in LDIF:
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 555 6789
telephoneNumber: +1 555 1234
mail: [email protected]
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
Distinguished Names
• each object in the LDAP directory has a DN, e.g.
– uid=jheiss,ou=people,dc=example,dc=com
– cn=users,ou=group,dc=example,dc=com
• notice that the DNS name of the domain is example.com (specified by the dc = domain component entries)
• ou is an organizational unit
• each subdomain could become a subtree in LDAP (engr.example.com, sales.example.com, pre.engr.example.com, support.engr.example.com, etc.)
Sample New York Directory Information Tree
o=NY,c=US
  ou=OFT (likewise ou=TAX, ou=DOH: one branch per agency)
    ou=Groups
      cn=OFT Administrators
      cn=Ethics App Users
      cn=Ethics App Administrators
    ou=People
      uid=bdigman
      uid=jnortrup
      uid=dstrazzeri
    ou=Resources
      cn=1B Floor Postscript Printer
      cn=Conference Room 1B-A
    ou=Applications
      cn=OFT Portal
      cn=Ethics Application
• branched by agency
• agencies in this example have branches containing:
  • groups, which contain people
  • people in the organization
  • resources such as printers and conference rooms
  • applications (where application-specific information could be maintained)
Sample DIT
Sample User Object
dn: uid=jnortrup,ou=People,ou=NYSOFT,o=NY,c=US
uid: jnortrup
cn: Jim Nortrup
cn: James Nortrup
givenname: Jim
givenname: James
sn: Nortrup
mail: jnort@oft.state.ny.us
ou: NYS OFT
telephonenumber: 518-402-2018
facsimiletelephonenumber: 518-457-2019
streetaddress: NYS OFT $ Executive Chamber, State Capitol
usercertificate: X.509 Certificate
• objects contain attributes, e.g., uid (user ID), cn (common name), sn (surname), mail (e-mail address)
• attributes can be multi-valued, e.g., givenname of both James and Jim
• this object contains white-pages information and an X.509 certificate for PKI
ObjectClass
– a commonly used attribute is "objectClass"
– each record represents an object, and the attributes associated with that object are defined according to its objectClass, i.e., by the value of the objectClass attribute
Object Type examples
Examples of objectClass:
– organization (needs a name and address)
– person (needs name, email, phone & address)
– course (needs a CRN, instructor, mascot)
– cookie (needs name, cost & taste index)
Defining ObjectClass types
You can define what attributes are required for objects with a specific value for the objectclass attribute.
You can also define what attributes are allowed.
New records must adhere to these settings!
Multiple Values
Each attribute can have multiple values; for example we could have the following record:
DN: cn=Dave Hollinger, O=RPI, C=US
CN: Dave Hollinger
CN: David Hollinger
Email: [email protected]
Email: [email protected]
Email: [email protected]
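An LDIF reader for entries like the John Doe entry earlier and the multi-valued record above, as an added example that is not part of the slides: it handles repeated attributes, base64 values (the "::" form) and folded continuation lines, and then checks the MUST attributes of each object class against a tiny schema, which is the "new records must adhere to these settings" rule in code. The entries are constructed and the e-mail addresses are placeholders; the MUST sets for person and organization follow RFC 4519, everything else in a real schema would come from the server.

```python
# Added example (not from the slides): LDIF parsing and a required-attribute check.
import base64

SAMPLE_LDIF = """\
# constructed sample
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 555 6789
telephoneNumber: +1 555 1234
mail: john.doe@example.com
manager: cn=Barbara Doe,dc=example,dc=com
description:: Sm9obidzIGVudHJ5
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

dn: cn=Dave Hollinger,o=RPI,c=US
objectClass: person
cn: Dave Hollinger
cn: David Hollinger
mail: dave.hollinger@example.org
mail: hollinger@example.org
mail: dave@example.org
"""

# MUST attributes per object class (person and organization per RFC 4519).
REQUIRED = {"person": {"sn", "cn"}, "organization": {"o"}}

def parse_ldif(text):
    """Return a list of entries: {"dn": str, <attribute, lower-cased>: [values...]}."""
    lines = []                              # unfold: a line starting with one space continues the previous
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():                # a blank line ends the entry
            if current:
                entries.append(current)
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        if value.startswith(":"):           # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        name = name.strip().lower()         # attribute names are case-insensitive
        if name == "dn":
            current = {"dn": value}
        elif current is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries

def missing_required(entry):
    """Attributes the entry's object classes require but the entry does not carry."""
    missing = set()
    for oc in entry.get("objectclass", []):
        for attr in REQUIRED.get(oc.lower(), ()):
            if attr not in entry:
                missing.add(attr)
    return missing

if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"], "missing:", missing_required(entry) or "nothing")
```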
Directory Information Flows
(figure: the o=NY,c=US tree with ou=TAX, ou=NYSOFT, ou=DCJS, l=New York City and ou=DOH, and how it is replicated between the following servers)
• Tax & Finance Master Supplier: holds ou=TAX and replicates it to the NYT Master Supplier
• DOH Legacy System: DOH information in a proprietary format is sent to OFT in Common Directory Interchange Format (CDIF); the CDIF is converted to LDAP and placed in the NYT Master Supplier
• Master Supplier -> Replication Master: the full tree is replicated from the NYT Master Supplier to the Replication Master
• Replication Master -> consumers: the full tree is replicated from the Replication Master to user directories throughout NYT (NYT Replication Consumer) and to each agency's user directory (e.g., Tax & Finance Consumer)
OIDs / Private Enterprise Numbers / IANA.org
• entities have to register at IANA.org (or ANSI) to obtain unique numbers for building LDAP schema entries
• IANA's private enterprise root is 1.3.6.1.4.1: Microsoft uses 1.3.6.1.4.1.311, UAB uses 1.3.6.1.4.1.7341
• www.iana.org/assignments/enterprise-numbers
• companies build hierarchies under their own control beneath these root numbers
Basic Operations
– Bind: authenticate, and specify the LDAP protocol version
– StartTLS: protect the connection with Transport Layer Security (TLS)
– Search: search for and/or retrieve directory entries
– Compare: test whether a named entry contains a given attribute value
– Add a new entry
– Delete an entry
– Modify an entry
– Modify DN: move or rename an entry
– Abandon: abort a previous request
– Extended Operation: generic operation used to define other operations
– Unbind: close the connection (not the inverse of Bind)
Bind
– authenticates the client to the server
– a simple bind sends the user's DN and password in clear text, so the connection should be protected with TLS (StartTLS or LDAPS) before binding; SASL binds can avoid sending the password at all
– the server typically checks the password against the userPassword attribute in the named entry
– Bind also sets the LDAP protocol version; clients should normally use LDAPv3
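What "in clear text" means on the wire, as an added example that is not part of the slides: the BER encoding of an LDAPv3 simple BindRequest (RFC 4511 §4.2) built from scratch, and the few lines a passive observer of an unprotected connection needs to read the DN and password back out of it. The DN and password are constructed values.

```python
# Added example (not from the slides): BER-encoded LDAP simple bind and the
# sniffer's view of it. LDAPMessage ::= SEQUENCE { messageID, protocolOp }.
def ber_length(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|count followed by the count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content

def ber_integer(n: int) -> bytes:
    """Non-negative INTEGER; one extra byte keeps the sign bit clear when needed."""
    return ber_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def ldap_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
    authentication [0] OCTET STRING (simple) }: tags 0x60, 0x02, 0x04, 0x80."""
    bind = ber_integer(3) + ber_tlv(0x04, dn.encode()) + ber_tlv(0x80, password.encode())
    return ber_tlv(0x30, ber_integer(message_id) + ber_tlv(0x60, bind))

def ber_read(buf: bytes, i: int = 0):
    """Return (tag, content, index after this TLV) for the TLV starting at buf[i]."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[i:i + count], "big")
        i += count
    return tag, buf[i:i + length], i + length

def sniff_simple_bind(packet: bytes):
    """What a passive observer of a cleartext LDAP session recovers from one message."""
    tag, msg, _ = ber_read(packet)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, i = ber_read(msg)
    tag, bind, _ = ber_read(msg, i)
    if tag != 0x60:
        return None                      # not a BindRequest
    _, ver, i = ber_read(bind)
    _, name, i = ber_read(bind, i)
    tag, auth, _ = ber_read(bind, i)
    if tag != 0x80:
        return None                      # SASL bind: the credential is not in this field
    return {"messageID": int.from_bytes(mid, "big"), "version": int.from_bytes(ver, "big"),
            "dn": name.decode(), "password": auth.decode()}

if __name__ == "__main__":
    pkt = ldap_simple_bind(1, "cn=admin,dc=example,dc=com", "secret")   # constructed values
    print(pkt.hex())
    print(sniff_simple_bind(pkt))
```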
Start TLS
– establishes Transport Layer Security (the descendant of SSL) on the connection
– that can provide data confidentiality (hiding the data) and/or data integrity protection (protection from tampering)
– during the TLS negotiation the server sends its X.509 certificate to prove its identity; the client must validate it, otherwise the bind password goes to whoever answered the connection
– the client may also send a certificate to prove its identity
– servers also often support the non-standard "LDAPS" ("Secure LDAP", commonly known as "LDAP over SSL") protocol on a separate port (636 instead of 389)
Search and Compare
Parameters:
• baseObject - the DN (Distinguished Name) of the entry at which to start the search
• scope - baseObject (search just the named entry, typically used to read one entry), singleLevel (entries immediately below the base DN), or wholeSubtree (the entire subtree starting at the base DN)
• filter - how to examine each entry in the scope. E.g. (&(objectClass=person)(|(givenName=John)(mail=john*))) - search for persons who either have the given name John or an e-mail address starting with john
• derefAliases - whether and how to follow alias entries (entries which refer to other entries)
• attributes - which attributes to return in result entries
• sizeLimit, timeLimit - maximum number of entries, and maximum search time
• typesOnly - return attribute types only, not attribute values
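The filter above is the part of a Search that applications most often build from user input, which makes its grammar (RFC 4515) worth seeing in code. The following added example, not code from the slides, parses filters such as the slide's, evaluates them against a small constructed in-memory directory, and shows what happens when an unescaped user value is spliced into a filter template versus the same value escaped per RFC 4515. The entries, DNs and the lookup_by_given_name template are constructed for the example; matching is case-insensitive as a simplification of caseIgnoreMatch.

```python
"""RFC 4515 search filters: parse, evaluate, escape.

Added example, not code from the slides. It parses filters such as the one on
the slide, evaluates them against a small constructed in-memory directory, and
shows why user-supplied values must be escaped before they are spliced into a
filter. Matching is case-insensitive, a simplification of caseIgnoreMatch.
"""
import re

_ITEM = re.compile(r"^([A-Za-z0-9][A-Za-z0-9.;-]*)(>=|<=|~=|=)(.*)$")

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)

def _expect(s: str, pos: int, ch: str) -> None:
    if pos >= len(s) or s[pos] != ch:
        raise ValueError("expected %r at offset %d" % (ch, pos))

def _parse(s: str, pos: int):
    _expect(s, pos, "(")
    pos += 1
    c = s[pos:pos + 1]
    if c in ("&", "|"):                       # and / or: a list of sub-filters
        pos, children = pos + 1, []
        while pos < len(s) and s[pos] == "(":
            child, pos = _parse(s, pos)
            children.append(child)
        _expect(s, pos, ")")
        return (c, children), pos + 1
    if c == "!":                              # not: exactly one sub-filter
        child, pos = _parse(s, pos + 1)
        _expect(s, pos, ")")
        return ("!", child), pos + 1
    end = s.find(")", pos)                    # an escaped ')' is '\29', so this is safe
    m = _ITEM.match(s[pos:end]) if end >= 0 else None
    if not m:
        raise ValueError("bad filter item at offset %d" % pos)
    attr, op, value = m.group(1).lower(), m.group(2), m.group(3)
    if op == "=" and value == "*":
        return ("present", attr), end + 1
    if op == "=" and "*" in value:
        return ("substr", attr, [_unescape(p) for p in value.split("*")]), end + 1
    return (op, attr, _unescape(value)), end + 1

def parse_filter(text: str):
    """Parse a filter string into a nested tuple AST; reject trailing data."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected data after filter at offset %d" % pos)
    return node

def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry of the form {attr: [values]}."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    attr = node[1]
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    if kind == "present":
        return bool(values)
    if kind == "substr":                      # initial*any*...*final, anchored at both ends
        pattern = "^" + ".*".join(re.escape(p.lower()) for p in node[2]) + "$"
        return any(re.match(pattern, v, re.S) for v in values)
    if kind == "=":
        return node[2].lower() in values
    raise ValueError("operator %s not implemented in this example" % kind)

# Constructed directory entries (not real people).
DIRECTORY = {
    "uid=jsmith,ou=People,dc=example,dc=com": {
        "objectClass": ["person"], "givenName": ["John"], "sn": ["Smith"], "mail": ["jsmith@example.com"]},
    "uid=jdoe,ou=People,dc=example,dc=com": {
        "objectClass": ["person"], "givenName": ["Jane"], "sn": ["Doe"], "mail": ["john.doe@example.com"]},
    "cn=printers,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["printers"], "member": ["uid=jsmith,ou=People,dc=example,dc=com"]},
}

def search(directory: dict, filter_text: str) -> list:
    """wholeSubtree search over the dict; returns the matching DNs, sorted."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items() if matches(node, entry))

def lookup_by_given_name(directory: dict, user_input: str, escape: bool = True) -> list:
    """An application query built from user input, with or without escaping."""
    value = escape_filter_value(user_input) if escape else user_input
    return search(directory, "(&(givenName=%s)(objectClass=person))" % value)

if __name__ == "__main__":
    print(search(DIRECTORY, "(&(objectClass=person)(|(givenName=John)(mail=john*)))"))
    print(lookup_by_given_name(DIRECTORY, "*)(objectClass=*", escape=False))  # injected: every person
    print(lookup_by_given_name(DIRECTORY, "*)(objectClass=*"))                # escaped: no match
```

The injected input *)(objectClass=* turns the template into (&(givenName=*)(objectClass=*)(objectClass=person)), which matches every person; escaped, the same characters become the literal value \2a\29\28objectClass=\2a and match nothing. Real LDAP libraries ship an equivalent of escape_filter_value; the lesson is that it has to be applied to every value that reaches a filter.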
Update operations
Add, Delete, Modify and Modify DN all require the DN of the entry to change.
Modify takes a list of attributes to modify and the modification to apply to each: delete the attribute or some of its values, add new values, or replace the current values with new ones.
Add also takes the attributes and values that the new entry is to contain.
Modify DN (move/rename entry) takes the new RDN (Relative Distinguished Name), optionally the new parent's DN, and a flag which says whether to delete the value(s) in the entry which match the old RDN. The server may support renaming of entire directory subtrees.
An update operation is atomic: other operations will see either the new entry or the old one, never a half-applied change.
Schemas
The contents of the entries in a subtree is governed by a schema.
The schema defines the attribute types that directory entries can contain. An attribute definition includes a syntax, and most non-binary values in LDAPv3 use UTF-8 string syntax. For example, a "mail" attribute might contain the value "[email protected]". A "jpegPhoto" attribute would contain photograph(s) in binary JPEG/JFIF format. A "member" attribute contains the DNs of other directory entries.
Attribute definitions also include whether the attribute is single-valued or multi-valued, and how to search/compare the attribute (its matching rules).
The schema defines object classes. Each entry must have an objectClass attribute, containing named classes defined in the schema, e.g. a person, organization or domain.
Server administrators can define their own schemas in addition to the standard ones.
Schema Examples
attributetype ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) DESC 'RFC1274: user identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top DESC 'Abstraction of an account with POSIX attributes' MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )
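The two definitions above use the RFC 4512 description syntax, and their OIDs illustrate the earlier point about registered number arcs: the uid attribute lives under the old X.500 pilot arc 0.9.2342, posixAccount under 1.3.6.1.1 (the IANA "directory" arc), and only the SYNTAX OID 1.3.6.1.4.1.1466.115.121.1.15 is a Private Enterprise Number arc (enterprise 1466). The following added example, not code from the slides, parses both definitions, reports the enterprise number of any OID, and runs a simplified schema check over two constructed entries, including the {256} length bound on uid. A real server merges the MUST/MAY sets of every objectClass in the entry and its SUP chain; this example checks one class, and the sample entries are constructed.

```python
"""Parse the slide's two schema definitions and check entries against them.

Added example, not code from the slides. It reads the attributetype and
objectclass definitions quoted on the slide (RFC 4512 description syntax),
reports which IANA Private Enterprise Number an OID falls under, and runs a
simplified schema check over two constructed entries. A real server merges
the MUST/MAY sets of every objectClass in the entry and its SUP chain.
"""
import re

# Definitions copied from the slide.
UID_ATTRIBUTE = ("attributetype ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) "
                 "DESC 'RFC1274: user identifier' EQUALITY caseIgnoreMatch "
                 "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )")
POSIX_ACCOUNT = ("objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top "
                 "DESC 'Abstraction of an account with POSIX attributes' "
                 "MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) "
                 "MAY ( userPassword $ loginShell $ gecos $ description ) )")

IANA_PEN_ARC = "1.3.6.1.4.1"
FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION",
         "ABSTRACT", "STRUCTURAL", "AUXILIARY"}          # keywords that take no value
_TOKEN = re.compile(r"'(?:[^'\\]|\\.)*'|[()$]|[^\s()$']+")

def enterprise_number(oid: str):
    """Private Enterprise Number if the OID lies under 1.3.6.1.4.1, else None."""
    parts, arc = oid.split("."), IANA_PEN_ARC.split(".")
    if len(parts) > len(arc) and parts[:len(arc)] == arc:
        return int(parts[len(arc)])
    return None

def _unquote(token: str) -> str:
    return token[1:-1] if token.startswith("'") else token

def parse_definition(text: str) -> dict:
    """Turn "attributetype ( oid KEY value ... )" into a dict; NAME is always a list."""
    tokens = _TOKEN.findall(text)
    if tokens[1] != "(" or tokens[-1] != ")":
        raise ValueError("definition must be parenthesised")
    spec = {"kind": tokens[0].lower(), "oid": tokens[2]}
    body, i = tokens[3:-1], 0
    while i < len(body):
        key, i = body[i].upper(), i + 1
        if key in FLAGS or i >= len(body):
            spec[key] = True
        elif body[i] == "(":                         # list of names or of attribute types
            j = body.index(")", i)
            spec[key] = [_unquote(t) for t in body[i + 1:j] if t != "$"]
            i = j + 1
        else:
            spec[key], i = _unquote(body[i]), i + 1
    if isinstance(spec.get("NAME"), str):
        spec["NAME"] = [spec["NAME"]]
    return spec

def check_entry(entry: dict, objectclass: dict, attributes: list) -> list:
    """Return schema problems: missing MUST attributes, attributes outside
    MUST/MAY, and values longer than the SYNTAX {len} bound of known attributes."""
    problems = []
    present = {k.lower(): v for k, v in entry.items()}
    must = [a.lower() for a in objectclass.get("MUST", [])]
    allowed = set(must) | {a.lower() for a in objectclass.get("MAY", [])} | {"objectclass"}
    for a in must:
        if a not in present:
            problems.append("missing required attribute %s" % a)
    for a in present:
        if a not in allowed:
            problems.append("attribute %s not allowed by %s" % (a, objectclass["NAME"][0]))
    for spec in attributes:
        m = re.match(r"^([0-9.]+)(?:\{(\d+)\})?$", spec.get("SYNTAX", ""))
        if not (m and m.group(2)):
            continue
        limit = int(m.group(2))
        for alias in spec["NAME"]:
            for v in present.get(alias.lower(), []):
                if len(v) > limit:
                    problems.append("%s value exceeds %d characters" % (alias, limit))
    return problems

# Constructed sample entries (not real accounts).
GOOD_ENTRY = {"objectClass": ["posixAccount"], "cn": ["Alice Example"], "uid": ["alice"],
              "uidNumber": ["10001"], "gidNumber": ["100"], "homeDirectory": ["/home/alice"],
              "loginShell": ["/bin/bash"]}
BAD_ENTRY = {"objectClass": ["posixAccount"], "cn": ["Bob Example"], "uid": ["b" * 300],
             "gidNumber": ["100"], "homeDirectory": ["/home/bob"], "mail": ["bob@example.com"]}

if __name__ == "__main__":
    uid, posix = parse_definition(UID_ATTRIBUTE), parse_definition(POSIX_ACCOUNT)
    print(enterprise_number(uid["SYNTAX"].split("{")[0]))   # 1466
    print(enterprise_number(posix["oid"]))                   # None: 1.3.6.1.1 is not the PEN arc
    print(check_entry(GOOD_ENTRY, posix, [uid]))             # []
    print(check_entry(BAD_ENTRY, posix, [uid]))              # three problems
```

For BAD_ENTRY the check reports the missing uidNumber, the mail attribute that posixAccount does not allow, and a uid longer than the 256 characters its SYNTAX permits; a server that enforces its schema rejects such an Add or Modify before the data reaches its store.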
Variations
A lot of the server operation is left to the implementor or administrator to decide. For example, data storage in the server is not specified: the server may use flat files, databases, or just be a gateway to some other server.
Access control is not standardized, though there has been work on it and there are commonly used models.
Users' passwords may be stored in their entries or elsewhere.
Most parts of LDAP are extensible. Examples: one can define new operations. Controls may modify requests and responses, e.g. to request sorted search results. New search scopes and Bind methods can be defined. Attributes can have options that may modify their semantics.
Supporting vendors
• Apache (through Apache Directory Server)
• Apple (through Open Directory/OpenLDAP)
• AT&T
• Banyan
• Critical Path
• eB2Bcom (through View500)
• Fedora Directory Server
• Hewlett-Packard
• Identyx
• IBM/Lotus
• ISODE (through M-Vault server)
• Microsoft (through Active Directory)
• Netscape (now in Sun Microsystems and Red Hat products)
• Novell (through eDirectory)
• OctetString (through VDE server)
• Oracle (through Oracle Internet Directory)
• Radiant Logic (through RadiantOne Virtual Directory Server)
• Red Hat Directory Server
• Siemens AG (through DirX server)
• SGI and Sun (through the iPlanet and Sun ONE directory servers)
• Symlabs (through Directory Extender)
Outline
Remote Management
Remote Shell: Telnet, SSH
Remote Desktop: X Window, VNC, Teamviewer
Central Management
Overview of Central Management
Directory Service and LDAP (Lightweight Directory Access Protocol)
Windows: Domain Controller
Linux: Spacewalk, Centrify DirectManage, etc.
Windows Domain and Workgroup
A Windows domain is a form of computer network in which all user accounts, computers, printers and other security principals are registered with a central database (called a directory service) located on one or more central computers known as domain controllers.
Windows Workgroup? In a workgroup, by contrast, there is no central database: each computer keeps its own local accounts and security settings, and a user who needs a shared resource needs an account on the computer that hosts it.
Windows Domain Features
User Account Management and User Authentication
take place on the domain controllers. Each person who uses computers within the domain receives a unique user account that can then be granted access to resources anywhere in the domain.
Portal Desktop
Security Policy
Software Management
Active Directory
• Microsoft's directory service
• Uses LDAP as its access protocol
• Uses Kerberos 5 for user authentication
• Uses DNS
– to locate domain controllers: clients look up the domain's DNS service records
– to name and structure the directory: Active Directory domain names are DNS names
• Scalable and available architecture: a domain can be served by several domain controllers that replicate the directory among themselves
Spacewalk
Free & Open Source Systems Management for Linux; the upstream community project of Red Hat Network Satellite
URL: http://spacewalk.redhat.com/
[Screenshot: Spacewalk main window]
Spacewalk Features
Inventory your systems (hardware and software information)
Install and update software on your systems
Collect and distribute your custom software packages into manageable groups
Provision (kickstart) your systems
Manage and deploy configuration files to your systems
Monitor your systems
Provision and start/stop/configure virtual guests
Distribute content across multiple geographical sites in an efficient manner.
Centrify DirectManage
Centralized Management and User Administration of UNIX, Linux, Mac, etc.
An integrated set of tools that centralizes the discovery, management and user administration of UNIX, Linux and Mac systems through integration into Active Directory-based tools and processes.
URL: http://www.centrify.com/directmanage/centralized-management-user-administration-unix-linux-mac.asp
Assignments
Remember to submit assignment 1 as soon as possible
Assignment 2 is available on course website gcc419.weebly.com Deadline: 11:59pm, 25 (SUN), August