Unit 419: Network Operating Systems Remote and Central Management

Source: gcc419.weebly.com/uploads/2/2/6/7/22671654/10_remote... (slide deck, 2019. 9. 8.)



Outline

Remote Management
– Remote Shell: Telnet, SSH
– Remote Desktop: X Window, VNC, TeamViewer

Central Management


System Management

To manage one system, the system administrator must log in to the system, launch a shell, and run commands in it.


Several Terms

– Console
– Terminal
– Shell


Remote Shell

Log in to the system over the network.

After user authentication, a shell is launched for this user.

The shell receives commands over the network and runs them.


telnet

– the default tool for remote management in the early days

telnet vs. TELNET
– TELNET is a protocol that provides “a general, bi-directional, eight-bit byte oriented communications facility” (RFC 854)
– telnet is a program that speaks the TELNET protocol over TCP


The TELNET Protocol

Reference: RFC 854

– TCP connection: data and control travel over the same connection
– Network Virtual Terminal (NVT): an intermediate representation of a generic terminal; it provides a standard language for communicating terminal control functions
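As an added example (not part of the original slides), here is a small RFC 854 input processor in Python: it separates NVT data from the IAC command sequences that carry the control functions on the same TCP stream, and answers every option the peer proposes with a refusal, which is the safe default for a client that only wants a plain NVT session. The sample stream is constructed for the example, not captured from a real server.

```python
"""Minimal TELNET (RFC 854) input processing: split a raw byte stream into
NVT data and IAC command sequences, refusing every option the peer offers.
Added example; the sample stream below is constructed, not captured."""

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def process_telnet(stream: bytes):
    """Return (data, replies, commands).

    data     - NVT user data with IAC escapes removed (IAC IAC -> one 0xFF byte)
    replies  - bytes to send back: WONT for every DO, DONT for every WILL
    commands - (command, option) tuples seen, for logging/inspection
    """
    data, replies, commands = bytearray(), bytearray(), []
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:                      # ordinary NVT data byte
            data.append(b)
            i += 1
            continue
        if i + 1 >= n:                    # truncated IAC at end of buffer: drop it
            break
        cmd = stream[i + 1]
        if cmd == IAC:                    # escaped 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= n:
                break
            opt = stream[i + 2]
            commands.append((cmd, opt))
            if cmd == DO:                 # peer asks us to enable an option: refuse
                replies += bytes([IAC, WONT, opt])
            elif cmd == WILL:             # peer offers to enable an option: refuse
                replies += bytes([IAC, DONT, opt])
            i += 3                        # DONT/WONT need no answer
        elif cmd == SB:                   # subnegotiation: skip to IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break
            commands.append((SB, stream[i + 2] if i + 2 < end else None))
            i = end + 2
        else:                             # two-byte command (NOP, AYT, ...): record it
            commands.append((cmd, None))
            i += 2
    return bytes(data), bytes(replies), commands


# Constructed sample: the server asks for TERMINAL-TYPE (24), offers ECHO (1),
# then sends a prompt containing an escaped 0xFF byte.
SAMPLE = bytes([IAC, DO, 24, IAC, WILL, 1]) + b"login: " + bytes([IAC, IAC]) + b"\r\n"

if __name__ == "__main__":
    d, r, c = process_telnet(SAMPLE)
    print("data   :", d)
    print("replies:", r.hex(" "))
    print("seen   :", c)
```

Refusing every option keeps the session in the baseline NVT; a real client accepts the few options it implements (ECHO, SUPPRESS-GO-AHEAD, NAWS). Nothing here protects the data: the login prompt and the password typed in answer to it cross the network in cleartext.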


Network Virtual Terminal

[Figure: the user's terminal and the server process each talk to a local NVT; the two NVTs exchange TELNET over TCP.]


Remote Login with telnet

The server to be managed must run a telnet server.

Default port: 23

The administrator connects to the server with a telnet client:

telnet ip_or_name_of_the_server

Everything in the session, including the user name and password, crosses the network in cleartext; this is why telnet has been replaced by SSH for remote management.


Playing with TELNET

You can use the telnet program to play with the TELNET protocol.

telnet is a generic TCP client:
– sends whatever you type to the TCP socket
– prints whatever comes back through the TCP socket
– useful for testing TCP servers (ASCII-based protocols)

Some Unix systems have these servers running (historically by default), e.g. echo on port 7.


telnet hostname port

> telnet amele-2.cse.unr.edu 7
Trying 134.197.40.246...
Connected to amele-2.cse.unr.edu (134.197.40.246).
Escape character is '^]'.
Hi mehmet
Hi mehmet
stop it
stop it
^]
telnet> quit
Connection closed.


What is SSH?

SSH – Secure Shell
– SSH is a protocol for secure remote login and other secure network services over an insecure network
– developed by SSH Communications Security Corp., Finland
– two distributions are available: a commercial version and the open-source OpenSSH (www.openssh.com)
– originally specified in a set of Internet drafts; the current specification is RFC 4251–4254


Major SSH components

SSH Transport Layer Protocol
– provides server authentication, confidentiality, and integrity services
– it may provide compression too
– runs on top of any reliable transport layer (e.g., TCP)

SSH User Authentication Protocol
– provides client-side user authentication
– runs on top of the SSH Transport Layer Protocol

SSH Connection Protocol
– multiplexes the secure tunnel provided by the SSH Transport Layer and User Authentication Protocols into several logical channels
– these logical channels can be used for a wide range of purposes:
  • secure interactive shell sessions
  • TCP port forwarding
  • carrying X11 connections


SSH security features

strong algorithms
– uses well established strong algorithms for encryption, integrity, key exchange, and public key management

large key size
– requires encryption to be used with at least 128 bit keys
– supports larger keys too

algorithm negotiation
– encryption, integrity, key exchange, and public key algorithms are negotiated
– it is easy to switch to some other algorithm without modifying the base protocol


SSH TLP (Transport Layer Protocol) – Overview

client ↔ server:
1. TCP connection setup
2. SSH version string exchange
3. SSH key exchange (includes algorithm negotiation)
4. SSH data exchange
5. termination of the TCP connection


Connection setup and version string exchange

TCP connection setup
– the server listens on port 22
– the client initiates the connection

SSH version string exchange
– both sides must send a version string of the following form:
  “SSH-protoversion-softwareversion comments” \CR \LF
– used to indicate the capabilities of an implementation
– triggers compatibility extensions
– current protocol version is 2.0
– all packets that follow the version string exchange are sent using the Binary Packet Protocol

The version strings travel in cleartext, but both are later included in the exchange hash, so a man in the middle that alters them breaks the key exchange.


Binary Packet Protocol

Packet layout (compression is applied to the payload, encryption to everything except the MAC):

  packet length (4) | padding length (1) | payload (may be compressed) | random padding | MAC

– packet length: length of the packet not including the MAC and the packet length field
– padding length: length of the padding
– payload: useful contents; might be compressed; max payload size is 32768
– random padding: 4–255 bytes; the total length of the packet not including the MAC must be a multiple of max(8, cipher block size), even if a stream cipher is used
– MAC: message authentication code, computed over the clear packet and an implicit sequence number


Encryption

the encryption algorithm is negotiated during the key exchange

supported algorithms (RFC 4253)
– 3des-cbc (required) (168 bit key)
– blowfish-cbc (recommended)
– twofish256-cbc (opt) / twofish192-cbc (opt) / twofish128-cbc (recomm)
– aes256-cbc (opt) / aes192-cbc (opt) / aes128-cbc (recomm)
– serpent256-cbc (opt) / serpent192-cbc (opt) / serpent128-cbc (opt)
– arcfour (opt) (RC4)
– idea-cbc (opt) / cast128-cbc (opt)

key and IV are also established during the key exchange

all packets sent in one direction are considered a single data stream
– the IV is passed from the end of one packet to the beginning of the next one

the encryption algorithm can be different in each direction

note: this is the original RFC 4253 list; current implementations prefer AEAD ciphers (aes*-gcm, chacha20-poly1305) or CTR mode and disable the CBC modes and arcfour by default


MAC

MAC algorithm and key are negotiated during the key exchange

supported algorithms (RFC 4253)
– hmac-sha1 (required) [MAC length = key length = 160 bits]
– hmac-sha1-96 (recomm) [MAC length = 96, key length = 160 bits]
– hmac-md5 (opt) [MAC length = key length = 128 bits]
– hmac-md5-96 (opt) [MAC length = 96, key length = 128 bits]

MAC algorithms used in each direction can be different

MAC = mac( key, seq. number | clear packet )
– the sequence number is implicit, not sent with the packet
– the sequence number is represented on 4 bytes
– the sequence number is initialized to 0 and incremented after each packet
– it is never reset (even if keys and algorithms are renegotiated later)

note: hmac-sha2-256 / hmac-sha2-512 (RFC 6668) and their encrypt-then-MAC variants are preferred today; hmac-md5 and the -96 truncations are not in OpenSSH's default MAC list
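The framing rules of the Binary Packet Protocol and the MAC rule above, as one added Python example (not code from the slides or from any SSH implementation): it builds a packet with the padding rule, appends hmac-sha1 computed over the implicit sequence number and the clear packet, and verifies it on receipt. Encryption is left out (cipher "none", so the alignment is max(8, block size) = 8 unless a block size is given) to keep the framing visible; the MAC keys are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

MAC_LEN = 20  # hmac-sha1


def build_packet(payload: bytes, seq: int, mac_key: bytes, block_size: int = 8) -> bytes:
    """Frame `payload` as an SSH binary packet and append hmac-sha1.

    Encryption is omitted (cipher "none"); with a real cipher the bytes before
    the MAC would be encrypted after the MAC is computed (encrypt-and-MAC).
    """
    bs = max(8, block_size)
    # packet_length(4) + padding_length(1) + payload + padding must be a multiple
    # of bs, and there must be at least 4 bytes of padding.
    padding_len = bs - (4 + 1 + len(payload)) % bs
    if padding_len < 4:
        padding_len += bs
    packet_len = 1 + len(payload) + padding_len          # excludes length field and MAC
    clear = struct.pack(">IB", packet_len, padding_len) + payload + os.urandom(padding_len)
    mac = hmac.new(mac_key, struct.pack(">I", seq) + clear, hashlib.sha1).digest()
    return clear + mac


def parse_packet(buf: bytes, seq: int, mac_key: bytes) -> bytes:
    """Check framing and MAC for the packet expected at sequence number `seq`."""
    if len(buf) < 4 + 1 + 4 + MAC_LEN:
        raise ValueError("packet too short")
    clear, mac = buf[:-MAC_LEN], buf[-MAC_LEN:]
    packet_len, padding_len = struct.unpack(">IB", clear[:5])
    if packet_len + 4 != len(clear):
        raise ValueError("packet length does not match buffer")
    if padding_len < 4 or padding_len > packet_len - 1:
        raise ValueError("invalid padding length")
    expected = hmac.new(mac_key, struct.pack(">I", seq) + clear, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):       # constant-time compare
        raise ValueError("MAC mismatch (corrupted, replayed or reordered packet)")
    return clear[5:5 + packet_len - 1 - padding_len]


class Direction:
    """Per-direction state: the 32-bit sequence number survives a rekey."""

    def __init__(self, mac_key: bytes):
        self.mac_key, self.seq = mac_key, 0

    def send(self, payload: bytes) -> bytes:
        pkt = build_packet(payload, self.seq, self.mac_key)
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        return pkt

    def rekey(self, new_mac_key: bytes) -> None:
        self.mac_key = new_mac_key                     # seq is deliberately left alone


if __name__ == "__main__":
    key = b"\x11" * 20                                 # constructed MAC key
    c2s = Direction(key)
    p0, p1 = c2s.send(b"hello"), c2s.send(b"world")
    print(parse_packet(p0, 0, key), parse_packet(p1, 1, key))
    try:
        parse_packet(p0, 1, key)                       # replaying p0 in slot 1 fails
    except ValueError as e:
        print("replay rejected:", e)
```

Because the receiver's own counter is part of the MAC input, a packet that is replayed, dropped or reordered fails verification even though its bytes are intact; that is why the counter must never be reset, including across a key re-exchange.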


Key exchange - Overview

client ↔ server:
1. SSH_MSG_KEXINIT (sent by both sides)
2. execution of the selected key exchange protocol
3. SSH_MSG_NEWKEYS (sent by both sides)

After sending SSH_MSG_NEWKEYS a side uses the new keys and algorithms for sending; after receiving SSH_MSG_NEWKEYS it uses the new keys and algorithms for receiving.


Algorithm negotiation

SSH_MSG_KEXINIT
– kex_algorithms (comma separated list of names)
– server_host_key_algorithms
– encryption_algorithms_client_to_server
– encryption_algorithms_server_to_client
– mac_algorithms_client_to_server
– mac_algorithms_server_to_client
– compression_algorithms_client_to_server
– compression_algorithms_server_to_client
– first_kex_packet_follows (boolean)
– random cookie (16 bytes)

algorithm lists
– the server lists the algorithms it supports
– the client lists the algorithms that it is willing to accept
– algorithms are listed in order of preference
– selection: the first algorithm on the client’s list that is also on the server’s list (for the kex and host key algorithms the chosen pair must additionally be compatible, RFC 4253 §7.1)
– if some category has no common algorithm, the connection is dropped

Both KEXINIT messages are later included in the exchange hash, so a man in the middle cannot quietly strip strong algorithms from a list: the two sides would compute different hashes and the key exchange would fail.
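The negotiation rule above, as an added Python example (not code from the slides or from any SSH implementation): it serialises and parses an SSH_MSG_KEXINIT payload in the RFC 4253 wire order (cookie first, then the name-lists, then the guess flag), picks per category the first client algorithm that the server also lists, and decides whether a guessed first key exchange packet must be ignored. The preference lists are constructed; the server list is simply the client list reversed, which shows that the client's order decides.

```python
import os
import struct

SSH_MSG_KEXINIT = 20
NAME_LISTS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_kexinit(algs: dict, first_kex_packet_follows: bool = False, cookie: bytes = None) -> bytes:
    """Serialise an SSH_MSG_KEXINIT payload (RFC 4253 §7.1 wire order)."""
    body = bytes([SSH_MSG_KEXINIT]) + (cookie or os.urandom(16))
    for name in NAME_LISTS:
        body += _string(",".join(algs.get(name, [])).encode())
    return body + bytes([first_kex_packet_follows]) + struct.pack(">I", 0)   # reserved uint32


def parse_kexinit(msg: bytes) -> dict:
    if msg[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT")
    out, pos = {"cookie": msg[1:17]}, 17
    for name in NAME_LISTS:
        (n,) = struct.unpack(">I", msg[pos:pos + 4])
        raw = msg[pos + 4:pos + 4 + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        pos += 4 + n
    out["first_kex_packet_follows"] = bool(msg[pos])
    return out


def negotiate(client: dict, server: dict) -> dict:
    """Pick, per category, the first client algorithm the server also lists."""
    chosen = {}
    for name in NAME_LISTS[:8]:                  # languages are not required to match
        pick = next((a for a in client[name] if a in server[name]), None)
        if pick is None:
            raise ValueError(f"no common algorithm for {name}: disconnect")
        chosen[name] = pick
    # A guessed first key exchange packet is only valid when both sides' first
    # kex and host key choices coincide; otherwise it must be ignored.
    guess_right = (client["kex_algorithms"][0] == server["kex_algorithms"][0]
                   and client["server_host_key_algorithms"][0]
                   == server["server_host_key_algorithms"][0])
    chosen["ignore_guessed_packet"] = client["first_kex_packet_follows"] and not guess_right
    return chosen


# Constructed preference lists: the client prefers curve25519/ed25519/AES-GCM, the
# server lists the same algorithms in the opposite order.
CLIENT_ALGS = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-256"],
    "encryption_algorithms_client_to_server": ["aes256-gcm@openssh.com", "aes128-ctr"],
    "encryption_algorithms_server_to_client": ["aes256-gcm@openssh.com", "aes128-ctr"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}
SERVER_ALGS = {k: list(reversed(v)) for k, v in CLIENT_ALGS.items()}
LEGACY_SERVER = dict(SERVER_ALGS, encryption_algorithms_client_to_server=["3des-cbc"])


def demo(server_algs: dict = SERVER_ALGS) -> dict:
    c = parse_kexinit(build_kexinit(CLIENT_ALGS, first_kex_packet_follows=True))
    s = parse_kexinit(build_kexinit(server_algs))
    return negotiate(c, s)


if __name__ == "__main__":
    print(demo())
```

With LEGACY_SERVER the only client-to-server cipher on offer is 3des-cbc, which the client does not accept, so negotiate() raises and the connection must be dropped; that is the behaviour you want from a client whose list has been trimmed to modern algorithms.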


Deriving keys and IVs

any key exchange algorithm produces two values
– a shared secret K
– an exchange hash H

H from the first key exchange is used as the session ID

keys and IVs are derived from K and H as follows:
– IV client to server = HASH( K | H | “A” | session ID )
– IV server to client = HASH( K | H | “B” | session ID )
– encryption key client to server = HASH( K | H | “C” | session ID )
– encryption key server to client = HASH( K | H | “D” | session ID )
– MAC key client to server = HASH( K | H | “E” | session ID )
– MAC key server to client = HASH( K | H | “F” | session ID )

where HASH is the hash function specified by the key exchange method (e.g., SHA-1 for diffie-hellman-group1-sha1, SHA-256 for diffie-hellman-group14-sha256 or curve25519-sha256) and K is encoded as an mpint

if the key length is longer than the output of HASH…
– K1 = HASH( K | H | X | session ID )
– K2 = HASH( K | H | K1 )
– K3 = HASH( K | H | K1 | K2 )
– …
– key = K1 | K2 | K3 | …


Diffie-Hellman key exchange

1. client
– the client generates a random number x and computes e = g^x mod p
– the client sends e to the server

2. server
– the server generates a random number y and computes f = g^y mod p
– the server receives e from the client
– it computes K = e^y mod p = g^xy mod p and H = HASH( client version string | server version string | client kex init msg | server kex init msg | server host key Ksrv | e | f | K )
– it generates a signature s on H using the private part of the server host key (may involve additional hash computation on H)
– it sends ( Ksrv | f | s ) to the client

3. client
– the client verifies that Ksrv is really the host key of the server
– the client computes K = f^x mod p = g^xy mod p and the exchange hash H
– the client verifies the signature s on H

note: “group1” is the 1024-bit Oakley group 2 with SHA-1; it is considered too weak today and current implementations default to diffie-hellman-group14/16-sha256 or curve25519-sha256
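The exchange hash H of the Diffie-Hellman slide and the key derivation of the preceding slide, carried through in one added Python example (not code from the slides or from any SSH implementation): both sides compute K and H, the client refuses when its H differs from the server's, and the six keys and IVs are derived with the K1 | K2 | ... extension. The version strings, KEXINIT payloads and host key blob are constructed placeholders; the host-key signature over H is not modelled. The prime is the group 2 / "group1" modulus as transcribed here from RFC 2409 (verify it against the RFC before reusing it, and do not use a 1024-bit group in real systems).

```python
import hashlib
import secrets
import struct

# 1024-bit MODP prime of Oakley group 2, used by diffie-hellman-group1-sha1
# (RFC 4253 §8.1, RFC 2409). Transcribed here; check against the RFC before
# reuse. Far too small for real use today.
P_GROUP1 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def sshstr(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def mpint(n: int) -> bytes:
    """SSH mpint: two's-complement big-endian magnitude with uint32 length prefix."""
    if n == 0:
        return struct.pack(">I", 0)
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:                       # keep positive numbers positive
        b = b"\x00" + b
    return sshstr(b)


def exchange_hash(hash_name, v_c, v_s, i_c, i_s, k_s, e, f, k) -> bytes:
    """H = HASH(V_C | V_S | I_C | I_S | K_S | e | f | K), strings length-prefixed."""
    h = hashlib.new(hash_name)
    for part in (sshstr(v_c), sshstr(v_s), sshstr(i_c), sshstr(i_s), sshstr(k_s),
                 mpint(e), mpint(f), mpint(k)):
        h.update(part)
    return h.digest()


def derive_key(hash_name, k, h, letter: bytes, session_id: bytes, length: int) -> bytes:
    """K1 = HASH(K|H|X|session_id), K2 = HASH(K|H|K1), K3 = HASH(K|H|K1|K2), ..."""
    out = hashlib.new(hash_name, mpint(k) + h + letter + session_id).digest()
    while len(out) < length:
        out += hashlib.new(hash_name, mpint(k) + h + out).digest()
    return out[:length]


def run_dh(hash_name="sha1", p=P_GROUP1, g=G, x=None, y=None, i_s_seen_by_client=None):
    """Run the slide's exchange on both sides; return (K, H, derived keys).

    `i_s_seen_by_client` lets the caller feed the client a tampered server
    KEXINIT to show that the two exchange hashes then diverge.
    """
    v_c, v_s = b"SSH-2.0-client_0.1", b"SSH-2.0-server_0.1"            # constructed
    i_c, i_s = b"<client KEXINIT payload>", b"<server KEXINIT payload>"  # constructed
    k_s = b"<server host key blob>"                                      # constructed
    x = x or secrets.randbelow(p - 2) + 1                                # client secret
    e = pow(g, x, p)
    y = y or secrets.randbelow(p - 2) + 1                                # server secret
    f = pow(g, y, p)
    k_server = pow(e, y, p)
    h_server = exchange_hash(hash_name, v_c, v_s, i_c, i_s, k_s, e, f, k_server)
    # the server would now sign h_server with its host key (not modelled here)
    k_client = pow(f, x, p)
    h_client = exchange_hash(hash_name, v_c, v_s, i_c, i_s_seen_by_client or i_s,
                             k_s, e, f, k_client)
    if h_client != h_server:
        raise ValueError("exchange hash mismatch: the handshake was tampered with")
    session_id = h_client                  # first exchange: H becomes the session ID
    keys = {ch: derive_key(hash_name, k_client, h_client, ch.encode(), session_id, 32)
            for ch in "ABCDEF"}
    return k_client, h_client, keys


if __name__ == "__main__":
    k, h, keys = run_dh()
    print("H =", h.hex())
    for ch, val in keys.items():
        print(ch, val.hex())
```

In the real protocol the client does not see the server's H; it sees the signature s and checks it against its own H, which is how a modified KEXINIT or version string surfaces (the signature no longer verifies). Note that 32-byte keys from a SHA-1 exchange need the K1 | K2 extension, since SHA-1 yields only 20 bytes.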


Server authentication

based on the server’s host key Ksrv

the client must check that Ksrv is really the host key of the server

models
– the client has a local database that associates each host name with the corresponding public host key
– the host name – to – key association is certified by a trusted CA and the server provides the necessary certificates or the client obtains them from elsewhere
– check the fingerprint of the key over an external channel (e.g., phone)
– best effort (“trust on first use”):
  • accept the host key without check when connecting to the server for the first time
  • save the host key in the local database (OpenSSH: ~/.ssh/known_hosts), and
  • check against the saved key on all future connections to the same server

Trust on first use detects a man in the middle only from the second connection on; an attacker present during the first connection goes unnoticed, and a “host key changed” warning on a later connection must be treated as a possible attack, not clicked through.
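The local-database and trust-on-first-use models above, as an added Python example (not code from the slides or from OpenSSH): a small known-hosts store that records a key on first contact, accepts a matching key afterwards, refuses a changed key, and optionally routes a new key through an out-of-band fingerprint confirmation. The fingerprint format follows OpenSSH's SHA256 style; the key blobs are constructed.

```python
import base64
import hashlib


class HostKeyMismatch(Exception):
    """Raised when a server offers a host key different from the one on record."""


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the public key blob, base64, no padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    """Trust-on-first-use host key database, like ~/.ssh/known_hosts.

    `confirm(host, fingerprint) -> bool`, when given, is asked before a new
    key is accepted; that is where an out-of-band fingerprint check belongs.
    """

    def __init__(self, confirm=None):
        self.db = {}
        self.confirm = confirm

    def check(self, host: str, key_blob: bytes) -> str:
        saved = self.db.get(host)
        if saved is None:
            if self.confirm is not None and not self.confirm(host, fingerprint(key_blob)):
                raise HostKeyMismatch(f"{host}: fingerprint not confirmed, refusing to connect")
            self.db[host] = key_blob              # first contact: remember the key
            return "new"
        if saved == key_blob:
            return "ok"
        raise HostKeyMismatch(
            f"{host}: HOST KEY HAS CHANGED. saved {fingerprint(saved)}, "
            f"offered {fingerprint(key_blob)}; possible man-in-the-middle")

    def dump(self) -> str:
        """Serialise as 'host base64key' lines."""
        return "\n".join(f"{h} {base64.b64encode(k).decode()}"
                         for h, k in sorted(self.db.items()))

    @classmethod
    def load(cls, text: str, confirm=None) -> "KnownHosts":
        kh = cls(confirm)
        for line in text.splitlines():
            if line.strip():
                host, b64 = line.split(" ", 1)
                kh.db[host] = base64.b64decode(b64)
        return kh


# Constructed key blobs standing in for real ssh-ed25519 public keys.
KEY_A = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"A" * 32
KEY_B = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"B" * 32

if __name__ == "__main__":
    kh = KnownHosts()
    print(kh.check("server.example", KEY_A), fingerprint(KEY_A))
    print(kh.check("server.example", KEY_A))
    try:
        kh.check("server.example", KEY_B)
    except HostKeyMismatch as err:
        print(err)
```

A confirm callback that prompts the user corresponds to OpenSSH's StrictHostKeyChecking=ask; one that always returns False corresponds to StrictHostKeyChecking=yes, where only keys already on record are accepted. Either way the mismatch case must hard-fail, as it does here.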


Key re-exchange

either party may initiate a key re-exchange
– by sending an SSH_MSG_KEXINIT packet when not already doing a key exchange

key re-exchange is processed identically to the initial key exchange
– except for the session ID, which will remain unchanged

algorithms may be changed

keys and IVs are recomputed

encryption contexts are reset

it is recommended to change keys after each gigabyte of transmitted data or after each hour of connection time


Service request

after key exchange the client requests a service

services
– ssh-userauth
– ssh-connection

when the service starts, it has access to the session ID established during the first key exchange


SSH – User Authentication Protocol

the protocol assumes that the underlying transport protocol provides integrity and confidentiality (e.g., SSH Transport Layer Protocol)

the protocol has access to the session ID

the server should have a timeout for authentication and disconnect if the authentication has not been accepted within the timeout period
– recommended value is 10 minutes

the server should limit the number of failed authentication attempts a client may perform in a single session
– recommended value is 20 attempts

three authentication methods are defined in RFC 4252 (plus the “none” method, which a client uses to learn which methods the server accepts)
– publickey
– password
– hostbased
(keyboard-interactive, RFC 4256, is a common fourth method)


User authentication overview

USERAUTH_REQUEST
– user name
– service name
– method name
– … method specific fields …

USERAUTH_FAILURE
– list of authentication methods that can continue
– partial success flag
  • TRUE: previous request was successful, but further authentication is needed
  • FALSE: previous request was not successful

USERAUTH_SUCCESS
(authentication is complete, the server starts the requested service)

Message flow (client ↔ server):
C → S: SSH_MSG_USERAUTH_REQUEST
S → C: SSH_MSG_USERAUTH_FAILURE (further authentication needed)
C → S: SSH_MSG_USERAUTH_REQUEST
S → C: SSH_MSG_USERAUTH_FAILURE (further authentication needed)
C → S: SSH_MSG_USERAUTH_REQUEST
S → C: SSH_MSG_USERAUTH_SUCCESS
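The server side of the exchange above, as an added Python example (not code from the slides or from any SSH server): a per-session state machine that answers USERAUTH_REQUEST with SUCCESS, FAILURE (with the methods that can continue and the partial-success flag), PK_OK for a signature-less public-key query, or a disconnect when the 20-attempt limit or the 10-minute timeout from the previous slide is hit. Requiring two methods shows the partial-success path. The credential store is constructed, and the public-key signature check over (session ID | request data) is represented by a flag rather than performed.

```python
import hmac
import time


class UserAuthServer:
    """Server-side state for one SSH session's user authentication (RFC 4252 rules)."""

    MAX_ATTEMPTS = 20     # recommended limit on failed attempts per session
    TIMEOUT = 600         # recommended authentication timeout, seconds

    def __init__(self, required_methods, verify, clock=time.monotonic):
        self.required = list(required_methods)   # all must succeed, e.g. ["publickey", "password"]
        self.verify = verify                     # verify(method, user, data) -> bool
        self.clock, self.started = clock, clock()
        self.attempts, self.completed, self.user = 0, set(), None

    def _remaining(self):
        return [m for m in self.required if m not in self.completed]

    def request(self, user, service, method, data=None):
        """Handle one SSH_MSG_USERAUTH_REQUEST; return a tuple modelling the reply:
        ("SUCCESS",), ("FAILURE", methods_that_can_continue, partial_success),
        ("PK_OK", key) or ("DISCONNECT", reason)."""
        data = data or {}
        if self.clock() - self.started > self.TIMEOUT:
            return ("DISCONNECT", "authentication timeout")
        if service != "ssh-connection":
            return ("DISCONNECT", "service not available")
        if self.user != user:                    # user name changed: forget partial progress
            self.user, self.completed = user, set()
        if method == "none":                     # used by clients to learn the method list
            return ("FAILURE", self._remaining(), False)
        self.attempts += 1
        if self.attempts > self.MAX_ATTEMPTS:
            return ("DISCONNECT", "too many authentication failures")
        if method not in self.required:
            return ("FAILURE", self._remaining(), False)
        if method == "publickey" and not data.get("signed"):
            # Query without signature: is this key acceptable at all?
            if self.verify("publickey-query", user, data):
                return ("PK_OK", data["key"])
            return ("FAILURE", self._remaining(), False)
        if self.verify(method, user, data):
            self.completed.add(method)
            if not self._remaining():
                return ("SUCCESS",)
            return ("FAILURE", self._remaining(), True)    # partial success
        return ("FAILURE", self._remaining(), False)


# Constructed credential store. A real server stores password hashes and verifies
# the public-key signature over (session ID | request) with the key; here that
# verification is represented by the "signature_valid" flag.
USERS = {"alice": {"password": "correct horse", "keys": {b"alice-ed25519-blob"}}}


def verify(method, user, data):
    rec = USERS.get(user, {"password": "", "keys": set()})   # same code path for unknown users
    if method == "password":
        return hmac.compare_digest(data.get("password", ""), rec["password"]) and user in USERS
    if method == "publickey-query":
        return data.get("key") in rec["keys"]
    if method == "publickey":
        return data.get("key") in rec["keys"] and data.get("signature_valid", False)
    return False


if __name__ == "__main__":
    srv = UserAuthServer(["publickey", "password"], verify)
    print(srv.request("alice", "ssh-connection", "none"))
    print(srv.request("alice", "ssh-connection", "publickey", {"key": b"alice-ed25519-blob"}))
    print(srv.request("alice", "ssh-connection", "publickey",
                      {"key": b"alice-ed25519-blob", "signed": True, "signature_valid": True}))
    print(srv.request("alice", "ssh-connection", "password", {"password": "correct horse"}))
```

Two details matter for security: a request that changes the user name discards any partial success already earned, and unknown users go through the same verification path as known ones so that the failure response does not reveal which accounts exist.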


The “publickey” method

all implementations must support this method

the RFC, written when few users had key pairs, expected most local policies not to require this method; today it is the standard method for administrative access, and password authentication is commonly disabled

authentication is based on demonstration of the knowledge of the private key (the client signs with the private key)

the server verifies that
– the public key really belongs to the user specified in the authentication request
– the signature is correct


The “publickey” method cont’d

SSH_MSG_USERAUTH_REQUEST
– user name
– service name
– “publickey”
– TRUE (a flag set to TRUE)
– public key algorithm name (e.g., ssh-dss; today ssh-ed25519 or rsa-sha2-256, ssh-dss being disabled by default in OpenSSH since 7.0)
– public key
– signature (computed over the session ID and the data in the request)

the server responds with SSH_MSG_USERAUTH_FAILURE if the request failed or more authentication is needed, or SSH_MSG_USERAUTH_SUCCESS otherwise

because the session ID is part of the signed data, a captured signature cannot be replayed in another session


The “publickey” method cont’d

using the private key
– involves expensive computations
– may require the user to type a password if the private key is stored in encrypted form on the client machine

in order to avoid unnecessary processing, the client may check whether authentication using the public key would be acceptable
– SSH_MSG_USERAUTH_REQUEST
  • user name
  • service name
  • “publickey”
  • FALSE
  • public key algorithm name
  • public key
– if OK then the server responds with SSH_MSG_USERAUTH_PK_OK


The “password” method

all implementations should support this method

this method is likely the most widely used

SSH_MSG_USERAUTH_REQUEST
– user name
– service name
– “password”
– FALSE (a flag set to FALSE)
– password (plaintext inside the encrypted transport: the server sees the actual password, which is why the server must have been authenticated first)

the server may respond with SSH_MSG_USERAUTH_FAILURE, SSH_MSG_USERAUTH_SUCCESS, or SSH_MSG_USERAUTH_PASSWD_CHANGEREQ


The “password” method cont’d

changing the password
– SSH_MSG_USERAUTH_REQUEST
  • user name
  • service name
  • “password”
  • TRUE
  • old password (plaintext)
  • new password (plaintext)


The “hostbased” method

authentication is based on the host where the user is coming from

this method is optional

the client sends a signature that has been generated with the private host key of the client

the server verifies that
– the public key really belongs to the host specified in the authentication request
– the signature is correct


The “hostbased” method cont’d

SSH_MSG_USERAUTH_REQUEST
– user name
– service name
– “hostbased”
– public key algorithm name
– public key and certificates for client host
– client host name
– user name on client host
– signature (computed over the session ID and the data in the request)


SSH – Connection Protocol

provides
– interactive login sessions
– remote execution of commands
– forwarded TCP/IP connections
– forwarded X11 connections

all these applications are implemented as “channels”

all channels are multiplexed into the single encrypted tunnel provided by the SSH Transport Layer Protocol

channels are identified by channel numbers at both ends of the connection

channel numbers for the same channel at the client and server sides may differ


Channel mechanisms

opening a channel
– SSH_MSG_CHANNEL_OPEN
  • channel type
  • sender channel number
  • initial window size
  • maximum packet size
  • … channel type specific data …
– SSH_MSG_CHANNEL_OPEN_CONFIRMATION
  • recipient channel number (sender channel number from the open request)
  • sender channel number
  • initial window size
  • maximum packet size
  • … channel type specific data …
– SSH_MSG_CHANNEL_OPEN_FAILURE
  • recipient channel number (sender channel number from the open request)
  • reason code and additional textual information


Channel mechanisms cont’d

data transfer over a channel
– SSH_MSG_CHANNEL_DATA
  • recipient channel number
  • data
– SSH_MSG_CHANNEL_WINDOW_ADJUST
  • recipient channel number
  • bytes to add to the window size

closing a channel
– SSH_MSG_CHANNEL_EOF
  • recipient channel number
  (sent if the party doesn’t want to send more data)
– SSH_MSG_CHANNEL_CLOSE
  • recipient channel
  (the receiving party must respond with an SSH_MSG_CHANNEL_CLOSE; the channel is closed once the party has both sent and received the closing msg)


Channel mechanisms cont’d

channel type specific requests
– SSH_MSG_CHANNEL_REQUEST
  • recipient channel number
  • request type
  • want reply flag (TRUE if reply is needed)
  • … request type specific data …
– SSH_MSG_CHANNEL_SUCCESS
  • recipient channel
– SSH_MSG_CHANNEL_FAILURE
  • recipient channel


Example: Starting a remote shell

C → S: SSH_MSG_CHANNEL_OPEN
• channel type = “session”
• sender channel number = 5
• initial window size
• maximum packet size

S → C: SSH_MSG_CHANNEL_OPEN_CONFIRMATION
• recipient channel number = 5
• sender channel number = 21
• initial window size
• maximum packet size


Example: Starting a remote shell cont’d

C → S: SSH_MSG_CHANNEL_REQUEST
• recipient channel number = 21
• request type = “pty-req” (pseudo terminal request)
• want reply flag = TRUE
• TERM environment variable value (e.g., vt100)
• terminal width in characters (e.g., 80)
• terminal height in rows (e.g., 24)
• …

S → C: SSH_MSG_CHANNEL_SUCCESS
• recipient channel number = 5


Example: Starting a remote shell cont’d

C → S: SSH_MSG_CHANNEL_REQUEST
• recipient channel number = 21
• request type = “shell”
• want reply flag = TRUE

S → C: SSH_MSG_CHANNEL_SUCCESS
• recipient channel number = 5

C ↔ S: SSH_MSG_CHANNEL_DATA, SSH_MSG_CHANNEL_WINDOW_ADJUST
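The channel mechanisms of the previous slides and the shell example above, replayed in one added Python example (not code from the slides or from any SSH implementation): each side keeps its own channel table (client number 5, server number 21), the server answers requests with the client's number as recipient, and CHANNEL_DATA is bounded by the peer's window and maximum packet size so that the sender must wait for CHANNEL_WINDOW_ADJUST once the window is used up. The server here accepts only "session" channels, refusing e.g. direct-tcpip forwards. The payload is constructed; messages are dicts rather than wire-encoded packets.

```python
class ProtocolError(Exception):
    pass


class ChannelEnd:
    """One endpoint's channel table for the SSH connection protocol.

    Each side numbers its own channels; the peer's number for the same channel
    is kept in the "peer" field, as in the slide (client 5 <-> server 21).
    """

    def __init__(self, first_number, window=32768, max_packet=16384):
        self.next_number = first_number
        self.window, self.max_packet = window, max_packet
        self.channels = {}                 # local channel number -> state dict

    def _new(self, ctype):
        n, self.next_number = self.next_number, self.next_number + 1
        self.channels[n] = {"type": ctype, "peer": None, "send_window": 0, "peer_max": 0,
                            "recv_window": self.window, "received": b""}
        return n

    def _bind(self, local, peer, send_window, peer_max):
        ch = self.channels[local]
        ch["peer"], ch["send_window"], ch["peer_max"] = peer, send_window, peer_max

    # --- opening ---------------------------------------------------------
    def open(self, ctype):
        n = self._new(ctype)
        return {"msg": "CHANNEL_OPEN", "type": ctype, "sender": n,
                "window": self.window, "max_packet": self.max_packet}

    def handle_open(self, m):
        if m["type"] != "session":         # this server refuses e.g. direct-tcpip forwards
            return {"msg": "CHANNEL_OPEN_FAILURE", "recipient": m["sender"],
                    "reason": 1, "text": "administratively prohibited"}
        n = self._new(m["type"])
        self._bind(n, m["sender"], m["window"], m["max_packet"])
        return {"msg": "CHANNEL_OPEN_CONFIRMATION", "recipient": m["sender"], "sender": n,
                "window": self.window, "max_packet": self.max_packet}

    def handle_confirmation(self, m):
        self._bind(m["recipient"], m["sender"], m["window"], m["max_packet"])

    # --- channel requests ------------------------------------------------
    def request(self, local, rtype, **fields):
        return {"msg": "CHANNEL_REQUEST", "recipient": self.channels[local]["peer"],
                "type": rtype, "want_reply": True, **fields}

    def handle_request(self, m):
        ok = m["type"] in ("pty-req", "shell")
        return {"msg": "CHANNEL_SUCCESS" if ok else "CHANNEL_FAILURE",
                "recipient": self.channels[m["recipient"]]["peer"]}

    # --- data and flow control -------------------------------------------
    def send_data(self, local, data):
        """Emit one CHANNEL_DATA limited by the peer's window and max packet size.
        Returns (message or None, remaining data); None means: wait for WINDOW_ADJUST."""
        ch = self.channels[local]
        n = min(len(data), ch["send_window"], ch["peer_max"])
        if n == 0:
            return None, data
        ch["send_window"] -= n
        return {"msg": "CHANNEL_DATA", "recipient": ch["peer"], "data": data[:n]}, data[n:]

    def handle_data(self, m):
        ch = self.channels[m["recipient"]]
        if len(m["data"]) > ch["recv_window"]:
            raise ProtocolError("peer sent more than the advertised window")
        ch["recv_window"] -= len(m["data"])
        ch["received"] += m["data"]

    def window_adjust(self, local, n):
        ch = self.channels[local]
        ch["recv_window"] += n
        return {"msg": "CHANNEL_WINDOW_ADJUST", "recipient": ch["peer"], "bytes": n}

    def handle_window_adjust(self, m):
        self.channels[m["recipient"]]["send_window"] += m["bytes"]


def run_shell_session(payload=b"x" * 40000):
    """Replay the slide's exchange (client channel 5, server channel 21), then push
    `payload` through the channel. Returns (client, server, number of DATA messages)."""
    client, server = ChannelEnd(5), ChannelEnd(21)
    client.handle_confirmation(server.handle_open(client.open("session")))
    for rtype in ("pty-req", "shell"):
        reply = server.handle_request(client.request(5, rtype, term="vt100"))
        assert reply["msg"] == "CHANNEL_SUCCESS" and reply["recipient"] == 5
    count, rest = 0, payload
    while rest:
        m, rest = client.send_data(5, rest)
        if m is None:                      # client's window is empty: the server has
            client.handle_window_adjust(   # consumed its buffer and credits a new window
                server.window_adjust(21, server.window))
            continue
        server.handle_data(m)
        count += 1
    return client, server, count


if __name__ == "__main__":
    c, s, n = run_shell_session()
    print(c.channels[5]["peer"], s.channels[21]["peer"], n, len(s.channels[21]["received"]))
```

The window check in handle_data is the receiver's protection: a peer that ignores the advertised window is violating the protocol, and a real implementation disconnects rather than buffering without bound.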


openssh server

installation (Debian/Ubuntu)

sudo apt-get install openssh-server

configuration file: /etc/ssh/sshd_config

log file: /var/log/auth.log (Debian/Ubuntu; /var/log/secure on Red Hat-style systems)
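What an administrator does with that log file, as an added Python example (not code from the slides or from OpenSSH): it extracts sshd's "Accepted"/"Failed" lines from auth.log, counts attempts per source address, and raises a warning for repeated failures and a critical alert when a login from the same address succeeds after those failures. The log lines are constructed in OpenSSH's format with documentation addresses; the 3-failure threshold is a parameter.

```python
import re
from collections import defaultdict

# sshd's "Accepted"/"Failed" lines, as OpenSSH writes them to auth.log.
AUTH_LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def parse_auth_log(lines):
    """Extract login events from auth.log lines; other sshd lines are ignored."""
    events = []
    for line in lines:
        m = AUTH_LINE.search(line)
        if m:
            events.append({"result": m["result"], "method": m["method"], "user": m["user"],
                           "ip": m["ip"], "invalid_user": m["invalid"] is not None})
    return events


def summarize(events, fail_threshold=3):
    """Per-source-IP counters plus alerts for brute forcing and for a login that
    succeeded after repeated failures from the same address."""
    per_ip = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set(),
                                  "success_after_failures": False})
    for ev in events:                      # events are processed in log order
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        if ev["result"] == "Failed":
            s["failed"] += 1
        else:
            s["accepted"] += 1
            if s["failed"] >= fail_threshold:
                s["success_after_failures"] = True
    alerts = []
    for ip, s in sorted(per_ip.items()):
        if s["success_after_failures"]:
            alerts.append((ip, "CRITICAL", f"login accepted after {s['failed']} failures"))
        elif s["failed"] >= fail_threshold:
            alerts.append((ip, "WARNING",
                           f"{s['failed']} failed attempts against {len(s['users'])} user(s)"))
    return per_ip, alerts


# Constructed sample in OpenSSH's auth.log format (addresses from RFC 5737 ranges).
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:03 host sshd[1235]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:15:05 host sshd[1236]: Accepted publickey for alice from 198.51.100.4 port 40110 ssh2: ED25519 SHA256:constructed
Mar  3 10:15:07 host sshd[1237]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:15:09 host sshd[1238]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:15:10 host sshd[1239]: Connection closed by authenticating user root 192.0.2.9 port 60000 [preauth]
Mar  3 10:15:12 host sshd[1240]: Failed password for invalid user test from 192.0.2.9 port 60001 ssh2
Mar  3 10:16:00 host sshd[1241]: Accepted password for root from 203.0.113.7 port 51030 ssh2
""".splitlines()

if __name__ == "__main__":
    per_ip, alerts = summarize(parse_auth_log(SAMPLE_LOG))
    for ip, level, msg in alerts:
        print(f"{level:8} {ip:15} {msg}")
```

The "accepted after failures" case is the one worth paging on: it is what a successful password guess looks like, and it is also the argument for disabling password authentication in sshd_config (PasswordAuthentication no) and relying on the publickey method.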


Remote Management with SSH

run a command remotely: ssh name@server "command"

scp – secure rcp: copy files between Linux computers

sftp – secure ftp


Other tools

ssh-keygen: generate a key pair for authenticating users through public key

http://www.debian-administration.org/article/SSH_with_authentication_key_instead_of_password


X Window

– the basis of the GUI for Unix/Linux systems
– free and cross-platform
– a standard for low-level GUI: a protocol to create windows, handle input, draw graphics, ...
– not a window manager
– based on the same X Window, various desktops are developed for Linux: GNOME, KDE


X Window architecture


Server-Client Architecture

Separate user interface and application:
– the X client handles all application logic
– the X server handles all display output and user input

A server handles requests from multiple clients, processes data as requested, and returns the results to the clients.

X inverts the conventional web server and client relationship (on the web, the browser is the “client” and the web site is the “server”; in X the program you run is the client and the display in front of you is the server).


Remote Management with X Window

The X client and the X server can run on different computers.

The computer used by the administrator runs the X server.

The GUI tools on the computer to be managed run as X clients.

Although the tools run on, and manage, the computer to be managed, their GUI shows on the computer used by the administrator.

http://www.umbc.edu/hpcf/resources-tara/x-windows-server/


How does X Window-based remote management work?

The X server and the X client both understand the metadata of the software GUI.

The X server sends the X client the events: mouse movement (location), key presses, etc.

The X client runs the application logic and asks the X server to draw the screen.

The network traffic volume is low, but there are many interactions and many small packets, so the protocol is sensitive to latency.

Plain X11 over the network is neither encrypted nor strongly authenticated (xhost-style access control is by host address), so keystrokes and screen contents can be read or injected by anyone on the path; forward X11 through SSH instead.


Remote Management with X Window + SSH

ssh -X (or -Y) opens the SSH connection with X11 forwarding: the remote X clients talk to a proxy display that SSH carries as a channel back to the administrator's X server, so no X11 port has to be exposed on the network.

http://www.umbc.edu/hpcf/resources-tara/x-windows-server/


VNC

– a remote desktop sharing protocol; VNC = Virtual Network Computing
– VNC behaves as if taking continuous desktop snapshots
– it uses compression techniques to reduce the required bandwidth, and transfers only the parts of the desktop that have changed
– still, network traffic is heavy


VNC + SSH

Using VNC with an SSH tunnel and a password is quick and secure. VNC's own protocol sends the screen in the clear and its built-in password authentication is weak (the password is truncated to 8 characters), so bind the VNC server to localhost and reach it only through an SSH port forward.

http://wiki.scinethpc.ca/wiki/images/3/36/Ttvnc.pdf


VNC-based Products

– RealVNC http://www.realvnc.com/products/vnc/
– TeamViewer http://www.teamviewer.com/en/index.aspx


TeamViewer


TeamViewer and NAT

TeamViewer claims that you can manage computers behind a NAT box.

Never use it!!!

To achieve this, TeamViewer on the computer must connect to a server provided by TeamViewer.

That server acts as a gateway (relay) between you and the computer behind the NAT box.

Although SSL can be used to encrypt the data between you and the server (and between the server and the computer behind the NAT box), that protection ends at the server: unless the session is encrypted end to end between the two endpoints, the relay can see your screen the whole time, and you are trusting the vendor's server with it.


Outline

Remote Management Remote Shell: Telnet, SSH Remote Desktop: X Window, VNC, Teamviewer

Central Management Overview of Central Management Directory Service and LDAP (Lightweight Directory

Access Protocol ) Windows: Domain Controller Linux: Spacewalk, Centrify DirectManage, etc.

Page 60

Remote vs Central Management

Remote != Central Management

Remote management: instead of using the console of a computer, the administrator connects to this computer remotely (through the network) and manages it by executing commands on it.

Central management: all management-related data and policy are stored and managed on a central server. These management-related data and policy are then distributed (through the network) to, and used by, many computers.

Page 61

Examples of Central Management ?

Page 62

Examples of Central Management

DHCP Server: IP addresses of multiple computers. The distributed alternative: configure each computer manually.

DNS Server: mapping between domain names and IP addresses. The distributed alternative: edit /etc/hosts on each computer.

Windows Domain Control: user accounts, portal desktop, network policy, etc.

Linux Cluster: one file system (installed software, configuration files, etc.) shared by all nodes.

Page 63

What can be managed centrally?

Computers, printers, etc.
Software
User accounts
Configurations
Policy files
......

Page 64

Benefits of Central Management

Reduces the tasks of system administrators.

Improves the experience of users: login to all computers of the same domain, portal desktop.

A huge amount of resources can be managed easily and efficiently.

Less inconsistency; conflicts can be found and corrected easily.

...

Page 65

Weakness of Central Management

Central point of failure: backup servers or a cluster may be used to increase its availability, but once the central server is attacked successfully, all information can be stolen.

Page 66

Common Approach for Central Management

The central server provides a directory service. The directory is similar to a database; it contains all information related to management.

LDAP (Lightweight Directory Access Protocol) is used to access the directory service.

The administrator uses LDAP (possibly through the network) to check and modify the management-related information.

Computers use LDAP (through the network) to get the configuration and policy files and apply these rules to themselves.

Page 67

Outline

Remote Management
  Remote Shell: Telnet, SSH
  Remote Desktop: X Window, VNC, Teamviewer

Central Management
  Overview of Central Management
  Directory Service and LDAP (Lightweight Directory Access Protocol)
  Windows: Domain Controller
  Linux: Spacewalk, Centrify DirectManage, etc.

Page 68

Directories

A directory is a listing of information about objects arranged in some order that gives details about each object.

Common examples are a city telephone directory and a library card catalog.

In computer terms, a directory is a specialized database, also called a data repository, that stores typed and ordered information about objects.

A particular directory might list information about printers (the objects) consisting of typed information such as location (a formatted character string), speed in pages per minute (numeric), print streams supported (for example PostScript or ASCII), and so on.

Page 69

Directory vs Database

A directory is often described as a database, but it has special characteristics that differ from general databases:

• They are accessed much more than they are updated. Hence they are optimized for read access.
• They are not suited for information that changes rapidly (e.g. the number of jobs in a printer queue).
• Many directory services don't support transactions.
• Directories normally limit the type of information that can be stored.
• Databases use powerful query languages like SQL, but directories normally use very simple access methods. Hence directories can be optimized to economically provide more applications with rapid access.

Page 70

X.500, DAP, LDAP

• X.500 directory model (OSI)
• DAP is the directory access protocol for this (heavy/impractical)
• LDAP is a simplified strategy (used/practical)
• LDAP comes from work at the University of Michigan, including model implementations
  – UMICH now refers people to openldap.org
• LDAP v3 tech spec defined in RFC 3377

Page 71

Strengths/Limitations

• LDAP is well suited for
  – Information that is referenced by many entities and applications
  – Information that needs to be accessed from more than one location
    • Roaming, e.g. by "Road Warriors"
    • Preference information for web "portals"
  – Information that is read more often than it is written

• LDAP is not well suited for
  – Information that changes often (it is not a relational database)
  – Information that is unstructured (it is not a file system)

Page 72

LDAP protocol

A message protocol used by directory clients and servers.

It defines several messages, such as bindRequest and searchRequest.

There is an LDAP API to be used by C and Java programs.

All modern LDAP servers are based on LDAP version 3.

Clients and servers may or may not be on the same machine.

Page 73

Types of directories

Local: means nearby, for example information about names, email addresses and so on for a department or for a workgroup.

Global: something spread across the universe of interest, for example information about persons in an entire company.

Centralized: there is one directory server at one location. Local or remote clients can access it.

Distributed: information may be partitioned or replicated.

Page 74

Directories advantages

Page 75

Directory structure

Page 76

LDAP architecture overview

A typical entry serialized in LDIF:

dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 555 6789
telephoneNumber: +1 555 1234
mail: [email protected]
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
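To show how such an LDIF record maps onto a data structure, here is an added Python example (not code from the slides) that parses the entry above into a dictionary of multi-valued attributes. It handles the LDIF subset the slide uses plus folded continuation lines and base64 ("attr::") values; the mail address is a placeholder because the slide's address is redacted.

```python
"""Minimal LDIF parser for entries like the one on the slide.

Added example, not from the original slides. Handles "attr: value" lines,
multi-valued attributes, folded lines (leading space), base64 values
("attr:: ...") and blank-line separated entries. Attribute names are
case-insensitive in LDAP, so they are lower-cased as dictionary keys.
"""
import base64

# Constructed sample: the slide's entry; the mail value is a placeholder
# because the address on the slide is redacted.
SAMPLE_LDIF = """\
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 555 6789
telephoneNumber: +1 555 1234
mail: john.doe@example.test
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

dn: cn=Barbara Doe,dc=example,dc=com
cn: Barbara Doe
sn: Doe
description:: QSBiYXNlNjQtZW5jb2RlZCB2YWx1ZQ==
objectClass: person
objectClass: top
"""


def parse_ldif(text):
    """Return a list of entries; each entry maps attribute name -> list of values."""
    # LDIF folds long values onto following lines that start with one space.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, current = [], {}
    for line in logical:
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # LDIF comment
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):       # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"][0], "->", entry["objectclass"])
```

Because the parser keeps every attribute as a list, the two telephoneNumber values survive as a multi-valued attribute, which is exactly the property later slides rely on.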

Page 77

Distinguished Names

• Each object in the LDAP directory has a DN
  – uid=jheiss,ou=people,dc=example,dc=com
  – cn=users,ou=group,dc=example,dc=com
• Notice that the DNS name is example.com (specified by DC=Domain Component entries) for the domain
• OU is organizational unit
• Each domain or subdomain could create a tree structure in LDAP (engr.example.com, sales.example.com, pre.engr.example.com, support.engr.example.com, etc)
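As an added example (not from the slides), the Python below splits a DN into its RDN components, rebuilds the DNS name from the dc= components as the slide describes, and tests whether one DN lies under another. It handles backslash-escaped separators but not multi-valued RDNs joined with "+"; all DNs in it are constructed.

```python
"""Parse LDAP distinguished names and derive the DNS domain from dc= parts.

Added example, not from the original slides. Handles backslash escapes
such as "cn=Doe\\, John"; multi-valued RDNs ("+") are not supported.
Attribute types and values are compared case-insensitively, which is
adequate for the DNs on the slide (a real server applies the attribute's
matching rule).
"""


def parse_dn(dn):
    """Return a list of (type, value) pairs, most specific RDN first."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        t, sep, v = rdn.partition("=")
        if not sep or not t.strip():
            raise ValueError("RDN without type=value: %r" % rdn)
        out.append((t.strip().lower(), v.strip()))
    return out


def domain_from_dn(dn):
    """Reassemble the DNS name from the dc= components (e.g. example.com)."""
    return ".".join(v for t, v in parse_dn(dn) if t == "dc")


def dn_under(dn, base):
    """True if dn is base itself or lies somewhere in the subtree below base."""
    d = [(t, v.lower()) for t, v in parse_dn(dn)]
    b = [(t, v.lower()) for t, v in parse_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def depth_below(dn, base):
    """Number of levels dn sits below base, or -1 if it is not under base."""
    if not dn_under(dn, base):
        return -1
    return len(parse_dn(dn)) - len(parse_dn(base))


if __name__ == "__main__":
    for dn in ("uid=jheiss,ou=people,dc=example,dc=com",
               "cn=users,ou=group,dc=engr,dc=example,dc=com"):
        print(dn, "->", domain_from_dn(dn), parse_dn(dn)[0])
```

Note that "dc=engr,dc=example,dc=com" is simply a deeper tree under "dc=example,dc=com", which is how the subdomain layout on the slide comes about.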

Page 78

Sample New York Directory Information Tree (figure; only the labels are recovered from the slide)

o=NY,c=US
  ou=DOH
  ou=OFT
  ou=TAX
  (one agency branch is expanded in the figure; it contains:)
    ou=Groups
      cn=OFT Administrators
      cn=Ethics App Users
      cn=Ethics App Administrators
    ou=People
      uid=bdigman
      uid=jnortrup
      uid=dstrazzeri
    ou=Resources
      cn=1B Floor Postscript Printer
      cn=Conference Room 1B-A
    ou=Applications
      cn=OFT Portal
      cn=Ethics Application

• Branched by agency
• Agencies in this example have branches containing:
  • Groups which contain people
  • People in the organization
  • Resources such as printers and conference rooms
  • Applications (where application-specific info could be maintained)

Sample DIT

Page 79

Sample User Object (figure; labels recovered from the slide)

uid=jnortrup
cn: Jim Nortrup
cn: James Nortrup
givenname: Jim
givenname: James
sn: Nortrup
mail: jnort@oft.state.ny.us
ou: NYSOFT
telephonenumber: 518-402-2018
facsimiletelephonenumber: 518-457-2019
streetaddress: NYSOFT $ Executive Chamber, State Capitol
usercertificate: X.509 Certificate
dn: uid=jnortrup,ou=People,ou=NYSOFT,o=NY,c=US

• Objects contain attributes, e.g.,
  • uid (user ID)
  • cn (common name)
  • sn (surname)
  • mail (e-mail address)
• Attributes can be multi-valued, e.g., givenname of both James and Jim
• This object contains
  • white-pages information
  • X.509 certificate for PKI

Sample User Object

Page 80

ObjectClass

A commonly used attribute is "objectClass".

Each record represents an object, and the attributes associated with that object are defined according to the value of its objectClass attribute.

Page 81

Object Type examples

Examples of objectClass:
  organization (needs a name and address)
  person (needs name, email, phone & address)
  course (needs a CRN, instructor, mascot)
  cookie (needs name, cost & taste index)

Page 82

Defining ObjectClass types

You can define what attributes are required for objects with a specific value for the objectclass attribute.

You can also define what attributes are allowed.

New records must adhere to these settings!

Page 83

Multiple Values

Each attribute can have multiple values; for example we could have the following record:

DN: cn=Dave Hollinger, O=RPI, C=US
CN: Dave Hollinger
CN: David Hollinger
Email: [email protected]
Email: [email protected]
Email: [email protected]

Page 84

Directory Information Flows (figure; only the labels survive)

The figure shows four copies of the o=NY,c=US tree (branches ou=TAX, ou=NYSOFT, ou=DCJS with l=New York City, and ou=DOH) and the replication paths between them:

• Tax & Finance Master Supplier: replication from the Tax & Finance server to the NYT Master Supplier.
• DOH Legacy System: DOH information in a proprietary format is sent to OFT in Common Directory Interchange Format (CDIF); the CDIF is converted to LDAP and placed in the NYT Master Supplier.
• NYT Master Supplier to Replication Master: full tree replicated.
• Replication Master to consumers: full tree replicated to the Tax & Finance Consumer, to the NYT Replication Consumer, to user directories throughout NYT, and to each Agency User Directory.

Page 85

OIDs / Priv Ent Nums / IANA.org

• Entities have to register at IANA.org (or ANSI) to have unique numbers for building LDAP schema entries
• IANA's root is 1.3.6.1.4.1
  – Microsoft uses [1.3.6.1.4.1].311
  – UAB uses [1.3.6.1.4.1].7341
• www.iana.org/assignments/enterprise-numbers
• Companies build hierarchies under their own control beneath these root numbers

Page 86

Basic Operations

Bind - authenticate, and specify the LDAP protocol version.
Start TLS - protect the connection with Transport Layer Security (TLS), to have a more secure connection.
Search - search for and/or retrieve directory entries.
Compare - test if a named entry contains a given attribute value.
Add - add a new entry.
Delete - delete an entry.
Modify - modify an entry.
Modify DN - move or rename an entry.
Abandon - abort a previous request.
Extended Operation - generic operation used to define other operations.
Unbind - close the connection; not the inverse of Bind.

Page 87

Bind

Authenticates the client to the server.

Bind sends the user's DN and password in clear text, so the connection should be protected using Transport Layer Security (TLS).

The server typically checks the password against the userPassword attribute in the named entry.

Bind also sets the LDAP protocol version. Normally clients should use LDAPv3.
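The following added Python example (not from the slides) models the server side of a simple Bind as described above: the candidate password is checked against a userPassword value, stored here in the {SSHA} salted-SHA1 form that OpenLDAP uses rather than in clear text, and the bind is refused on an unprotected connection because the password itself arrives in clear text. The directory contents and the result-code strings are constructed for the example; confidentialityRequired and invalidCredentials are real LDAP result codes.

```python
"""Server-side model of an LDAP simple Bind with hashed userPassword.

Added example, not from the original slides. userPassword is stored as
"{SSHA}" + base64(SHA1(password || salt) || salt), the scheme OpenLDAP uses
(assumption: the server was configured to hash on write). The directory
dict and the TLS flag are constructed stand-ins for a real server state.
"""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return an {SSHA} userPassword value for the given password."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored, candidate):
    """Compare a candidate password with the stored userPassword value.

    {SSHA} values are verified by recomputing the salted digest; a value with
    no scheme prefix is treated as clear text (kept only to show the check,
    storing clear-text passwords is not something to copy).
    """
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, calc)   # constant-time compare
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def simple_bind(directory, dn, password, tls_active):
    """Return the LDAP result for a simple Bind request (constructed model).

    - Without TLS the clear-text credentials are refused with
      confidentialityRequired, as an OpenLDAP server with a
      'security simple_bind=...' requirement would do.
    - An empty password would be an unauthenticated bind (RFC 4513), which
      servers should reject by default; it is treated as invalidCredentials.
    - Unknown DN and wrong password give the same answer, so the response
      does not reveal which DNs exist.
    """
    if not tls_active:
        return "confidentialityRequired"
    if password == "":
        return "invalidCredentials"
    entry = directory.get(dn.lower())
    if entry is None or not entry.get("userpassword"):
        return "invalidCredentials"
    ok = check_password(entry["userpassword"][0], password)
    return "success" if ok else "invalidCredentials"


# Constructed sample directory: one entry with a hashed password
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "userpassword": [ssha_hash("correct horse", salt=b"12345678")],
    },
}

if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=com"
    print(simple_bind(DIRECTORY, dn, "correct horse", tls_active=False))
    print(simple_bind(DIRECTORY, dn, "correct horse", tls_active=True))
```

The two security points of the slide show up as code paths: the TLS check exists because the Bind request carries the password in clear text, and the stored value is a salted hash so that a stolen directory dump does not directly yield passwords.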

Page 88

Start TLS

Establishes Transport Layer Security (the descendant of SSL) on the connection.

That can provide data confidentiality protection (hide the data) and/or data integrity protection (protect from tampering).

During TLS negotiation the server sends its X.509 certificate to prove its identity.

The client may also send a certificate to prove its identity.

Servers also often support the non-standard "LDAPS" ("Secure LDAP", commonly known as "LDAP over SSL") protocol on a separate port.

Page 89

Search and Compare

Parameters:

baseObject - the DN (Distinguished Name) of the entry at which to start the search.

scope - baseObject (search just the named entry, typically used to read one entry), singleLevel (entries immediately below the base DN), or wholeSubtree (the entire subtree starting at the base DN).

filter - how to examine each entry in the scope. E.g. (&(objectClass=person)(|(givenName=John)(mail=john*))) - search for persons who either have given name John or an e-mail address starting with john.

derefAliases - whether and how to follow alias entries (entries which refer to other entries).

attributes - which attributes to return in result entries.

sizeLimit, timeLimit - max number of entries, and max search time.

typesOnly - return attribute types only, not attribute values.
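As an added example (not from the slides), this Python code implements the search parameters described above over a small in-memory directory: it parses filter strings in the syntax of the slide's example, applies baseObject / singleLevel / wholeSubtree scoping and a sizeLimit, and includes the RFC 4515 escaping a defender needs when a user-supplied value is placed into a filter, since an unescaped "*" or ")" from a login form changes what the filter matches. The entries are constructed; DNs are assumed to contain no escaped commas.

```python
"""Evaluate LDAP search filters (RFC 4515 syntax) against in-memory entries.

Added example, not from the original slides. Entries map lower-cased
attribute names to lists of strings; DNs contain no escaped commas.
Supports &, |, !, equality, presence (attr=*) and substring (a*b) filters.
"""
import re

ENTRIES = {   # constructed sample directory
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson", "person"], "uid": ["jdoe"],
        "givenname": ["John"], "sn": ["Doe"], "mail": ["john.doe@example.test"]},
    "uid=jsmith,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson", "person"], "uid": ["jsmith"],
        "givenname": ["Jane"], "sn": ["Smith"], "mail": ["johnny@example.test"]},
    "cn=printer1,ou=resources,dc=example,dc=com": {
        "objectclass": ["device"], "cn": ["printer1"]},
}


def _unescape(text):
    """Turn \\XX hex escapes back into the literal character."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def parse_filter(s):
    """Parse into ('&'|'|'|'!', [children]) or ('=', attr, parts), where parts
    are the unescaped pieces between unescaped '*' (one piece = equality)."""
    pos = 0

    def item():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        op = s[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(s) and s[pos] == "(":
                children.append(item())
            if pos >= len(s) or s[pos] != ")":
                raise ValueError("expected ')' at %d" % pos)
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one filter")
            return (op, children)
        end = s.index(")", pos)
        attr, sep, value = s[pos:end].partition("=")
        if not sep:
            raise ValueError("unsupported filter item %r" % s[pos:end])
        pos = end + 1
        return ("=", attr.strip().lower(), [_unescape(p) for p in value.split("*")])

    tree = item()
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return tree


def _match(parts, value):
    """Case-insensitive match of one asserted value against one stored value."""
    parts, v = [p.lower() for p in parts], value.lower()
    if len(parts) == 1:                                   # equality
        return parts[0] == v
    head, tail, mids = parts[0], parts[-1], parts[1:-1]   # substring
    if not v.startswith(head) or not v[len(head):].endswith(tail):
        return False
    v = v[len(head):len(v) - len(tail)]                   # what the '*'s cover
    for mid in mids:
        found = v.find(mid)
        if found < 0:
            return False
        v = v[found + len(mid):]
    return True


def evaluate(tree, entry):
    op = tree[0]
    if op == "&":
        return all(evaluate(c, entry) for c in tree[1])
    if op == "|":
        return any(evaluate(c, entry) for c in tree[1])
    if op == "!":
        return not evaluate(tree[1][0], entry)
    return any(_match(tree[2], v) for v in entry.get(tree[1], []))


def in_scope(dn, base, scope):
    """baseObject / singleLevel / wholeSubtree test on comma-separated DNs."""
    d = [p.strip().lower() for p in dn.split(",")]
    b = [p.strip().lower() for p in base.split(",")]
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"baseObject": depth == 0, "singleLevel": depth == 1,
            "wholeSubtree": True}[scope]


def search(entries, base, scope, filter_str, size_limit=None):
    """Return the sorted DNs in scope whose entry matches the filter."""
    tree = parse_filter(filter_str)
    hits = sorted(dn for dn, e in entries.items()
                  if in_scope(dn, base, scope) and evaluate(tree, e))
    return hits[:size_limit] if size_limit else hits


def escape_filter_value(value):
    """RFC 4515 escaping for user input: '*', '(', ')', '\\' and NUL become
    \\XX so they are matched literally instead of changing the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)
```

Building filters with escape_filter_value is the defender's counterpart to the slide's filter syntax: "(uid=%s)" % escape_filter_value(user_input) matches only a user whose uid is literally that string, whereas inserting the raw input would let a value of "*" match every entry.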

Page 90

Update operations

Add, Delete, Modify and Modify DN all require the DN of the entry to change.

Modify takes a list of attributes to modify and the modification to apply to each: delete the attribute or some of its values, add new values, or replace the current values with the new ones.

Add operations also carry the attributes and values of the new entry.

Modify DN (move/rename entry) takes the new RDN (Relative Distinguished Name), optionally the new parent's DN, and a flag which says whether to delete the value(s) in the entry which match the old RDN. The server may support renaming of entire directory subtrees.

An update operation is atomic: other operations will see either the new entry or the old one.

Page 91

Schemas

The contents of the entries in a subtree are governed by a schema.

The schema defines the attribute types that directory entries can contain. An attribute definition includes a syntax, and most non-binary values in LDAPv3 use UTF-8 string syntax. For example, a "mail" attribute might contain the value "[email protected]". A "jpegPhoto" attribute would contain photograph(s) in binary JPEG/JFIF format. A "member" attribute contains the DNs of other directory entries.

Attribute definitions also include whether the attribute is single-valued or multi-valued, and how to search/compare the attribute.

The schema defines object classes. Each entry must have an objectClass attribute, containing named classes defined in the schema, e.g. a person, organization or domain.

Server administrators can define their own schemas in addition to the standard ones.

Page 92

Schema Examples

attributetype ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) DESC 'RFC1274: user identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top DESC 'Abstraction of an account with POSIX attributes' MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )
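To make the "required and allowed attributes" rule of the earlier Defining ObjectClass types slide concrete, here is an added Python example (not from the slides) that reads the two schema definitions above and checks entries against them: MUST attributes must be present, anything outside MUST and MAY (following the SUP chain) is rejected, and the {256} bound on the uid syntax is enforced. The definition of the 'top' class is supplied here as the usual core-schema one, and only the NAME, SUP, MUST, MAY and SYNTAX-length parts of the definitions are parsed; the entries are constructed.

```python
"""Validate entries against objectClass MUST/MAY lists parsed from schema text.

Added example, not from the original slides. Parses the slide's posixAccount
objectclass and uid attributetype (only NAME, SUP, MUST, MAY and the SYNTAX
length bound are read); 'top' is supplied as the usual core-schema class.
Entries map lower-cased attribute names to lists of string values.
"""
import re

POSIX_ACCOUNT = ("( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top "
                 "DESC 'Abstraction of an account with POSIX attributes' "
                 "MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) "
                 "MAY ( userPassword $ loginShell $ gecos $ description ) )")
TOP = "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )"   # core schema 'top'
UID_ATTR = ("( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) "
            "DESC 'RFC1274: user identifier' EQUALITY caseIgnoreMatch "
            "SUBSTR caseIgnoreSubstringsMatch "
            "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )")


def _name_list(text, keyword):
    """Names after KEYWORD: either '( a $ b )' or a single bare name."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*)\)|([A-Za-z][A-Za-z0-9-]*))" % keyword, text)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [n.strip().lower() for n in body.split("$") if n.strip()]


def parse_objectclass(defn):
    name = re.search(r"\bNAME\s+'([^']+)'", defn).group(1).lower()
    return {"name": name, "sup": _name_list(defn, "SUP"),
            "must": _name_list(defn, "MUST"), "may": _name_list(defn, "MAY")}


def parse_attributetype(defn):
    """All names of the attribute and the optional {n} length bound."""
    m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", defn)
    names = [n.strip("' ").lower() for n in (m.group(1) or m.group(2)).split()]
    bound = re.search(r"\bSYNTAX\s+[\d.]+\{(\d+)\}", defn)
    return {"names": names, "max_len": int(bound.group(1)) if bound else None}


def build_schema():
    ocs = {oc["name"]: oc for oc in map(parse_objectclass, [TOP, POSIX_ACCOUNT])}
    attrs = {}
    for at in map(parse_attributetype, [UID_ATTR]):
        for n in at["names"]:
            attrs[n] = at
    return {"objectclasses": ocs, "attributes": attrs}


def _effective(schema, classes):
    """Union of MUST and MAY over the classes and their SUP chains."""
    must, may, todo, seen = set(), set(), [c.lower() for c in classes], set()
    while todo:
        c = todo.pop()
        if c in seen:
            continue
        seen.add(c)
        oc = schema["objectclasses"].get(c)
        if oc is None:
            raise ValueError("unknown objectClass %r" % c)
        must |= set(oc["must"])
        may |= set(oc["may"])
        todo += oc["sup"]
    return must, may


def validate_entry(schema, entry):
    """Return a sorted list of problems; an empty list means the entry is valid."""
    classes = entry.get("objectclass", [])
    if not classes:
        return ["entry has no objectClass"]
    must, may = _effective(schema, classes)
    problems = ["missing required attribute %s" % a for a in must if not entry.get(a)]
    for attr, values in entry.items():
        if attr == "dn":                       # the DN is not an attribute
            continue
        if attr not in must and attr not in may:
            problems.append("attribute %s not allowed by objectClass(es)" % attr)
        at = schema["attributes"].get(attr)
        if at and at["max_len"] is not None and any(len(v) > at["max_len"] for v in values):
            problems.append("value of %s exceeds %d characters" % (attr, at["max_len"]))
    return sorted(problems)
```

A server applies the same three checks before accepting an Add or Modify; the example simply makes the rule "new records must adhere to these settings" executable.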

Page 93

Variations

A lot of the server operation is left to the implementor or administrator to decide. For example, data storage in the server is not specified: the server may use flat files, databases, or just be a gateway to some other server.

Access control is not standardized, though there has been work on it and there are commonly used models.

Users' passwords may be stored in their entries or elsewhere.

Most parts of LDAP are extensible. Examples: one can define new operations. Controls may modify requests and responses, e.g. to request sorted search results. New search scopes and Bind methods can be defined. Attributes can have options that may modify their semantics.

Page 94

Supporting vendors

• Apache (through Apache Directory Server)
• Apple (through Open Directory/OpenLDAP)
• AT&T
• Banyan
• Critical Path
• eB2Bcom (through View500)
• Fedora Directory Server
• Hewlett-Packard
• Identyx
• IBM/Lotus
• ISODE (through M-Vault server)
• Microsoft (through Active Directory)
• Netscape (now in Sun Microsystems and Red Hat products)
• Novell (through eDirectory)
• OctetString (through VDE server)
• Oracle (through Oracle Internet Directory)
• Radiant Logic (through RadiantOne Virtual Directory Server)
• Red Hat Directory Server
• Siemens AG (through DirX server)
• SGI and Sun (through the iPlanet and Sun ONE directory servers)
• Symlabs (through Directory Extender)

Page 95

Outline

Remote Management
  Remote Shell: Telnet, SSH
  Remote Desktop: X Window, VNC, Teamviewer

Central Management
  Overview of Central Management
  Directory Service and LDAP (Lightweight Directory Access Protocol)
  Windows: Domain Control
  Linux: Spacewalk, Centrify DirectManage, etc.

Page 96

Windows Domain and Workgroup

A Windows domain is a form of computer network in which all user accounts, computers, printers and other security principals are registered with a central database (called a directory service) located on one central computer, or a cluster of them, known as domain controllers.

Windows Workgroup?

Page 97

Windows Domain Features

User Account Management and User Authentication: these take place on domain controllers. Each person who uses computers within a domain receives a unique user account that can then be assigned access to resources within the domain.

Portal Desktop

Security Policy

Software Management

Page 98

Active Directory

• Microsoft directory services
• Uses LDAP
• Uses Kerberos 5 for user authentication
• Uses DNS
  – locating Domain Controllers
  – building the directory
• Scalable and available architecture

Page 99

Outline

Remote Management
  Remote Shell: Telnet, SSH
  Remote Desktop: X Window, VNC, Teamviewer

Central Management
  Overview of Central Management
  Directory Service and LDAP (Lightweight Directory Access Protocol)
  Windows: Domain Controller
  Linux: Spacewalk, Centrify DirectManage, etc.

Page 100

Spacewalk

Free & Open Source Systems Management
Based on Active Directory Service

URL: http://spacewalk.redhat.com/

Page 101

Spacewalk --- Main Window

Page 102

Spacewalk Features

Inventory your systems (hardware and software information)

Install and update software on your systems

Collect and distribute your custom software packages into manageable groups

Provision (kickstart) your systems

Manage and deploy configuration files to your systems

Monitor your systems

Provision and start/stop/configure virtual guests

Distribute content across multiple geographical sites in an efficient manner.

Page 103

Centrify DirectManage

Centralized Management and User Administration of UNIX, Linux, Mac, etc.

An integrated set of tools that centralize the discovery, management and user administration of UNIX, Linux and Mac systems through integration into Active Directory-based tools and processes.

URL: http://www.centrify.com/directmanage/centralized-management-user-administration-unix-linux-mac.asp

Page 104

Assignments

Remember to submit assignment 1 as soon as possible

[email protected]

Assignment 2 is available on course website gcc419.weebly.com Deadline: 11:59pm, 25 (SUN), August