The Saigon CTT
Chapter 16
Remote Connectivity
Objectives
Explain:
telnet
rsh
ssh
Configure FTP
Telnet
Telnet is used to communicate with a host through the telnet protocol, on default port 23.
It operates on a client/server basis. The client requires an account on the server to log in.
Most telnet servers will not allow you to log in as root, for security reasons. You can log in as a normal user and su to root.
Telnet
telnet is an insecure protocol: the username and password are sent from client to server across the network in clear text.
Why do people still use it? telnet can be used for debugging text-based protocols: HTTP, SMTP and POP.
Relevant File - ~/.telnetrc
When a user has a .telnetrc file in their home directory, telnet will execute the commands listed in this file:
# this is a comment
saigonctt send ayt
DEFAULT environ export USER
Telnet Commands
Command format:
telnet [IP address|host name] [port]
If telnet is executed without options, it starts in command mode with the prompt "telnet>".
You can switch to command mode with "Ctrl-]" after connecting.
Telnet Commands
?, h, help   Lists the commands with a description
<command> ?   More information on a command (argument)
open <IP address>   Opens a connection to the IP address or host name
close = quit   Terminates the connection from the client side
logout   Requests that the server terminate the connection
send   Sends a special character sequence to the server
status   A brief status report of telnet
…
(See man telnet for more commands)
The r Commands
There are 3 programs:
rlogin   Remote login
rsh   Remote shell (executes a command)
rcp   Remote copy
A password is NOT required if the following files are configured:
/etc/hosts.equiv (system-wide)
$HOME/.rhosts (per-user)
(Entry: [+|-] [hostname] [username])
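As an added example (not from the course slides), a small Python checker that evaluates whether entries in this [+|-] [hostname] [username] format grant password-free access, and flags the wildcard entries an administrator should look for when auditing hosts.equiv and ~/.rhosts. The sample entries and the exact matching rules are this example's own assumptions.

```python
"""Evaluate rhosts-style trust entries ([+|-] [hostname] [username]).
Constructed example; rules assumed here: a leading '-' denies, '+' means
"any" host or user, a bare host trusts only the SAME username from that
host, 'host user' trusts that remote user, and hosts.equiv is never
consulted for root (as the slides state)."""
import fnmatch

def parse_entry(line):
    """Return (deny, host_pattern, user_pattern_or_None); None if blank/comment."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    host, user = fields[0], (fields[1] if len(fields) > 1 else None)
    deny = host.startswith("-")
    if deny:
        host, user = host[1:] or "+", user or "+"  # '-host' denies every user on it
    return deny, host, user

def _matches(pattern, value):
    return pattern == "+" or fnmatch.fnmatchcase(value.lower(), pattern.lower())

def trusted(entries, local_user, remote_host, remote_user, hosts_equiv=False):
    """True if remote_user@remote_host gets password-free access to local_user.
    First matching entry wins, so an explicit '-host' can shadow a later '+'."""
    if hosts_equiv and local_user == "root":
        return False
    for line in entries:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        deny, host, user = parsed
        if not _matches(host, remote_host):
            continue
        if not _matches(user if user is not None else local_user, remote_user):
            continue
        return not deny
    return False

def risky_entries(entries):
    """Entries that trust ANY host or ANY user: flag these first in an audit."""
    pairs = ((line, parse_entry(line)) for line in entries)
    return [line.strip() for line, p in pairs if p and not p[0] and "+" in (p[1], p[2])]

SAMPLE_RHOSTS = [  # constructed ~minh/.rhosts
    "saigonctt minh",
    "-badhost",
    "lab*.example.org",
    "+ +",
]
```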
The r Commands
rlogin: similar to telnet
rlogin [-l username] <hostname>
rsh: executes cmd on a remote host
rsh [-l username] <hostname> <cmd>
Shell meta-characters can be used in <cmd>. To have rsh interpret the meta-characters on the remote machine, put quotation marks around them. If they are not quoted, the meta-characters are interpreted on the local machine:
# rsh -l minh saigonctt "cat ~/file" > local_file
# rsh -l minh saigonctt "cat ~/file" ">" remote_file
The r Commands
rcp: copies files between machines
rcp <dir> <remote username>@<hostname>:<dir>
rcp <remote username>@<hostname>:<dir> <dir>
Example:
rcp /home/file minh@saigonctt:/backup
rcp minh@saigonctt:/backup/file /home
rcp -r /etc minh@saigonctt:/backup/etc
rcp -p /etc minh@saigonctt:/backup/etc
Security of r Commands
Security of the r commands centers around the idea of trusted users and hosts, NOT password authentication.
• Trusted hosts are also known as equivalent hosts
• If NO hosts.equiv is present, NO hosts are trusted
• The .rhosts file is used to control access to an individual user account
• It grants or denies password-free access to an individual user account by means of .rhosts
• hosts.equiv does NOT work with the root account, but .rhosts does
SSH – Secure Shell
SSH was originally authored by Tatu Ylonen in Finland as a replacement for telnet, rlogin, rsh and rcp.
Everything SSH sends across the network is encrypted. SSH has become the de facto standard for remote connection.
SSH can handle X connections.
SSH Features
Strong authentication with RSA, SecurID, S/Key, Kerberos and TIS
Secure X11 sessions
Arbitrary TCP/IP ports can be redirected through the encrypted channel in both directions
For X forwarding, ssh listens on port 6010
Optional compression of all data with gzip
Complete replacement for rlogin, rsh, rcp
Components of SSH1
sshd   Server
ssh   Client
scp   Secure copy of files, replaces rcp
ssh-keygen   Creates RSA keys (host key and authentication keys)
ssh-agent   Authentication agent, used to hold RSA keys for authentication
ssh-add   Used to register a new key with the agent
make-ssh-known-hosts   Used to create the /etc/ssh/ssh_known_hosts file
Components of SSH2
sshd2   Server
ssh2   Client
sftp-server2   SFTP server (executed by sshd2)
sftp2   SFTP client (needs ssh2)
scp2   Secure copy of files, replaces rcp
Components of SSH2
ssh-keygen2   The utility for generating keys
ssh-agent2   Authentication agent, used to hold RSA keys for authentication
ssh-add2   Adds an identity to the authentication agent
ssh-askpass2   X11 utility for querying the password
SSH2 Changes
SSH has been 98% rewritten
Supports other key-exchange methods besides RSA: Diffie-Hellman key exchange
Supports DSA and other public key algorithms besides RSA
SSH2 Changes
Newly added feature: sftp, the secure file transfer protocol
More secure, and allows integration into public key infrastructures
Supports "subsystems", platform-independent modules, built-in SOCKS, …
Install SSH1 – from OpenSSH
For legal reasons, SSH is not included by default in Linux. You can download and install it from source code or from OpenSSH.
The OpenSSH suite includes:
• ssh (replaces telnet and rlogin)
• scp (replaces rcp)
• sftp (replaces ftp)
Install SSH1 – from OpenSSH
Server: openssh-server-xxx.rpm
(sshd, sshd_config, sftp-server, ...)
Client: openssh-clients-xxx.rpm
(ssh, ssh_config, sftp, ...)
Additional tools: openssh-xxx.rpm
(scp, ssh-keygen, ...)
Configure SSH1
Configuration files:
Server: /etc/ssh/sshd_config
Client: /etc/ssh/ssh_config
These files contain keyword-value pairs, one per line, with '#' marking a comment. Keywords are case sensitive:
# more /etc/ssh/sshd_config
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
IgnoreRhosts yes
RhostsAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
...
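An added example, not part of the course material: a Python parser for this keyword-value format and an audit that compares the slide's sample sshd_config against a hardening baseline (root login refused, r-command style trust off, key-based rather than password authentication). The POLICY table is this example's own assumption, not an OpenSSH default.

```python
"""Audit an sshd_config (keyword-value pairs, '#' comments) against the
settings the slides describe as weak.  Constructed example; POLICY is this
example's own hardening baseline, not an OpenSSH default."""

POLICY = {  # keyword -> (required value, reason)
    "PermitRootLogin": ("no", "log in as a normal user and su, as with telnet"),
    "RhostsAuthentication": ("no", "host trust is not authentication"),
    "IgnoreRhosts": ("yes", "never honour ~/.rhosts"),
    "PasswordAuthentication": ("no", "rely on RSA key authentication"),
}

def parse_sshd_config(text):
    """Return {keyword: value}.  sshd uses the FIRST value it sees for a keyword,
    so a hardened line added at the end of the file is silently ignored."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            config.setdefault(parts[0], parts[1].strip())
    return config

def audit(config):
    """List (keyword, found, required, reason) for each POLICY violation.
    Keywords are compared case-insensitively so odd capitalisation is not missed."""
    lowered = {k.lower(): v for k, v in config.items()}
    findings = []
    for key, (required, reason) in POLICY.items():
        found = lowered.get(key.lower(), "<unset>")
        if found.lower() != required:
            findings.append((key, found, required, reason))
    return findings

SAMPLE_CONFIG = """\
# constructed sample mirroring the slide
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
IgnoreRhosts yes
RhostsAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
# too late: the first PermitRootLogin value above wins
PermitRootLogin no
"""

if __name__ == "__main__":
    for key, found, required, reason in audit(parse_sshd_config(SAMPLE_CONFIG)):
        print(f"{key}: found {found!r}, required {required!r} ({reason})")
```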
File Transfer - ftp
ftp (file transfer protocol) provides a service for transferring files from/to your computer.
All Linux distributions offer the wu-ftpd program, an ftp daemon developed at Washington University.
wu-ftpd is the most common ftp daemon on the Internet.
FTP – Relevant Files
/etc/ftpaccess
/etc/ftphosts
/etc/ftpusers
/etc/ftpconversions
/etc/ftpaccess
It's the main configuration file:
class all real,guest,anonymous *
email root@localhost
loginfails 5
message /welcome.msg login
message .message cwd=*
compress yes all
tar yes all
chmod no guest,anonymous
delete no anonymous
rename no anonymous
…
/etc/ftphosts
It's used to allow or deny access to certain accounts from various hosts:
allow henry 10.1.2.3
deny fred example.org 10.2.3.*
/etc/ftpusers
It contains the login names of users who are NOT allowed to log in to your system:
root
bin
daemon
adm
lp
news
uucp
…
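An added example covering both /etc/ftphosts and /etc/ftpusers (not code from wu-ftpd or the course): a Python model of the login decision, using the entries shown on the two slides as constructed sample files. The rule semantics it assumes are that ftpusers is an unconditional deny list, a matching ftphosts deny always refuses, and once any allow line exists for a user, one of its host globs must match.

```python
"""Decide whether an ftp login is permitted by /etc/ftpusers and /etc/ftphosts.
Constructed example; the rule semantics assumed here are: ftpusers is an
unconditional deny list; in ftphosts a matching 'deny' always refuses, and
if any 'allow' lines exist for a user, one of their host globs must match."""
import fnmatch

def parse_ftpusers(text):
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}

def parse_ftphosts(text):
    """Return [(action, username, [host globs])] for well-formed lines."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] in ("allow", "deny"):
            rules.append((parts[0], parts[1], parts[2:]))
    return rules

def _host_matches(globs, hostname, address):
    """A glob may name a host (case-insensitive) or an address such as 10.2.3.*."""
    return any(fnmatch.fnmatchcase(hostname.lower(), g.lower())
               or fnmatch.fnmatchcase(address, g) for g in globs)

def ftp_login_allowed(user, hostname, address, ftpusers, ftphosts):
    if user in ftpusers:  # e.g. root, bin, daemon are never allowed in
        return False
    allow_globs = []
    for action, name, globs in ftphosts:
        if name != user:
            continue
        if action == "deny" and _host_matches(globs, hostname, address):
            return False
        if action == "allow":
            allow_globs.extend(globs)
    return _host_matches(allow_globs, hostname, address) if allow_globs else True

# constructed samples using the entries from the slides
FTPUSERS = parse_ftpusers("root\nbin\ndaemon\nadm\nlp\nnews\nuucp\n")
FTPHOSTS = parse_ftphosts("allow henry 10.1.2.3\ndeny fred example.org 10.2.3.*\n")
```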
Proftpd
It's another powerful ftp server, not as popular as wu-ftpd but easier to configure and more secure.
It can run as a stand-alone server or from inetd.
Relevant files:
/usr/sbin/in.proftpd: server daemon
/etc/proftpd.conf: main configuration file
/etc/proftpd.conf
The End