SUSE Linux Enterprise Desktop Administration

1
SUSE Linux Enterprise Desktop Administration

• Chapter 5
• Manage the Network Configuration

2
Objectives

• Objective 1Manage the Network Configuration
  Information from YaST
• Objective 2Test the Network Connection with
  Command-Line Tools
• Objective 3Use SuSEfirewall2
• Objective 4Use Network Manager to Configure the
  Network
• Objective 5Provide Remote Access

3
Objective 1Manage the Network Configuration
Information from YaST

• The YaST module for configuring network cards and
  the network connection
• Can be accessed from the YaST Control Center
• See Figure 5-1
• To activate the network configuration module,
  select Network Devices gt Network Card
• Network setup methods
• User Controlled with Network Manager
• Traditional Method with ifup

4
Figure 5-1 The YaST module for configuring
network cards and the network connection
5
Figure 5-2 List of the detected network cards
6
Objective 1Manage the Network Configuration
Information from YaST (continued)

• Cards are usually autodetected by YaST
• And the correct kernel module is used
• Select the card you want to configure
• Then select Edit (see Figure 5-4)
• If the card is not recognized by YaST, the
  required module must be entered manually
• Use the Manual Network Card Configuration dialog
  to configure (see Figure 5-3)
• Network Configuration
• Kernel Module

7
Figure 5-3 Manual Network Card Configuration
dialog
8
Figure 5-4 Network Address Setup dialog
9
Objective 1Manage the Network Configuration
Information from YaST (continued)

• Network address options
• None Address Setup
• Automatic Address Setup (via DHCP)
• Static Address Setup
• Hostname and Name Server
• Routing
• Advanced
• Hostname and Name Server configuration
• See Figure 5-6

10
Figure 5-6 Hostname and Name Server Configuration
dialog
11
Objective 1Manage the Network Configuration
Information from YaST (continued)

• Routing configuration
• See Figure 5-7
• General configuration options (see Figure 5-8)
• Firewall Zone
• No Zone, All Traffic Blocked
• Internal Zone (Unprotected)
• Demilitarized Zone
• External Zone
• Device Activation
• MTU (Maximum Transfer Unit)

12
Figure 5-7 Routing Configuration dialog
13
Figure 5-8 General tab of the Network Address
Setup dialog
14
Objective 1Manage the Network Configuration
Information from YaST (continued)

• If you selected Wireless as a Device Type for a
  WLAN card
• A dialog appears where you can enter
  WLAN-specific configuration parameters
• WEP keys are entered in a separate dialog after
  selecting WEP Keys
• Verify that the Ethernet card is available in the
  computer using the ip command

15
Exercise 5-1 Manage the Network Configuration
Information from YaST

• In this exercise, change all important
  configuration information into static values
• Use the ip command to find out which IP address
  you are currently using
• Note your current hostname
• Then change the network configuration to a static
  IP address, using the values you found
• Use 10.0.0.254 as the default gateway and also as
  the address of the name server

16
Objective 2Test the Network Connection with
Command-Line Tools

• This objective will cover the following
• View and Change the Network Configuration with ip
• Test Network Connections
• Trace Network Packets

17
View and Change the Network Configuration with ip

• IP address setup
• To display the IP address setup of all
  interfaces, enter ip address show

18
View and Change the Network Configuration with ip
(continued)

• Device attributes
• If you are only interested in the device
  attributes and not in the IP address setup, you
  can enter ip link show

19
View and Change the Network Configuration with ip
(continued)

• Device statistics
• You can use the option -s with the ip command to
  display additional statistics information about
  the devices

20
View and Change the Network Configuration with ip
(continued)

• Routing table
• To view the current routing table, enter ip route
  show
• Assign an IP address to a device
• Delete the IP address from a device

21
View and Change the Network Configuration with ip
(continued)

• Change device attributes
• You can also change device attributes with the ip
  tool
• Basic command
• ip link set device attribute
• Set and delete routes
• Set a route to a different network
• Delete an entry from the routing table

22
Test Network Connections with ping

• Tool ping
• Lets you check network connections between two
  hosts in a simple way
• Sends special network packets to the target
  system and waits for a reply
• Basic syntax ping 10.0.0.10

23
Table 5-1 Options for ping
24
Trace Network Packets with traceroute

• traceroute
• Diagnosis tool primarily used to check the
  routing between different networks
• Sends packets with an increasing TTL value to the
  destination host
• Uses UDP packets, which are called datagrams
• Syntax traceroute hostname

25
Exercise 5-2 Test the Network Configuration

• In this exercise, you view the current network
  configuration with the ip command and test it
  using ping and traceroute
• Use ip to view the current IP address and current
  route
• Use ping to access your own IP address, that of
  the gateway, and that of www.novell.com
• Use traceroute to view the hops an IP packet
  takes to access www.novell.com

26
Objective 3Use SuSEfirewall2

• Packet filtering in Linux is done by the kernel
  and its netfilter framework
• SuSEfirewall2
• Consists of a number of scripts that set rules to
  filter IP packets using the program iptables
• Can be configured using the YaST Firewall module
• An alternative would be to edit the file
  /etc/sysconfig/SuSEfirewall2 with a text editor
• See Figure 5-9

27
Figure 5-9 YaST Firewall module
28
Figure 5-10 Assign desktop system interfaces to
the External Zone
29
Objective 3Use SuSEfirewall2 (continued)

• Allowing SSH services
• See Figure 5-11
• Changes are stored in the file /etc/sysconfig/SuSE
  firewall2

30
Figure 5-11 Allowing SSH service
31
Figure 5-12 Firewall configuration summary
32
Objective 4Use NetworkManager to Configure the
Network

• NetworkManager
• Allows you to change the network configuration
  according to your needs
• Without switching to the root account
• Runs as a root-user system level daemon
• Programs used
• /usr/sbin/NetworkManager
• /usr/sbin/NetworkManagerDispatcher
• NetworkManager will first try a wired and then a
  wireless adapter

33
Objective 4Use NetworkManager to Configure the
Network (continued)

• NetworkManager keeps two lists of wireless
  networks
• A trusted list and a preferred list
• NetworkManager applet
• Shows the current network configuration
• Also allows you to change the configuration
• To connect to a wireless network, select a
  wireless network entry
• Your computer will be disconnected from the wired
  network and connected to the wireless network

34
Figure 5-13 Switching to NetworkManager
35
Objective 4Use NetworkManager to Configure the
Network (continued)
Figure 5-14 NetworkManager applet
36
Objective 5Provide Remote Access

• This objective explains how to
• Use OpenSSH
• Configure VPN Connections
• Use VNC

37
Use OpenSSH

• SSH suite
• Developed to provide secure transmission by
  encrypting the authentication strings
• And all the other data exchanged between the
  hosts
• SUSE Linux Enterprise Desktop 10 installs the
  package OpenSSH by default
• Includes programs such as ssh, scp, and sftp as
  alternatives to Telnet, rlogin, rsh, rcp, and FTP

38
Use OpenSSH (continued)

• Cryptography basics
• Cryptography deals with procedures and techniques
  used to encrypt data
• And prove the authenticity of data
• Symmetric encryption
• DES (Data Encryption Standard)
• Triple DES
• IDEA
• Blowfish
• AES (Advanced Encryption Standard)

39
Use OpenSSH (continued)

• Cryptography basics (continued)
• Asymmetric encryption
• RSA
• DSA
• Diffie Hellman
• SSH features and architecture
• SSH features
• Login from a remote host
• Interactive or noninteractive command execution
  on remote hosts

40
Use OpenSSH (continued)

• SSH features and architecture (continued)
• SSH features (continued)
• File copying between different network hosts
  optional support for compressing data
• Cryptographically secured authentication and
  communication across insecure networks
• Automatic and transparent encryption of all
  communication
• Complete substitution of the r utilities
  rlogin, rsh, and rcp
• Port forwarding
• Tunneling

41
Use OpenSSH (continued)

• SSH features and architecture (continued)
• SSH protocol versions
• Protocol Version 1 (SSH1) (see Figure 5-16)
• Protocol Version 2 (SSH2) (see Figure 5-17)
• SSH authentication mechanism configuration
• SSH server can decrypt the session key generated
  and encrypted by the client only if it also has
  the private key
• Client can check if the public host key of the
  server really belongs to the server
• SSH currently does not use any directory services
  or any certificates for public key management

42
Figure 5-16 SSH Protocol Version 1 (SSH1)
43
Figure 5-17 SSH Protocol Version 2 (SSH2)
44
Use OpenSSH (continued)

• SSH features and architecture (continued)
• SSH authentication mechanism configuration
  (continued)
• The two most important mechanisms
• Public key (RSA/DSA) authentication
• Password authentication
• Configure the SSH server
• See Table 5-3
• Configuration file for the server is
  /etc/ssh/sshd_config

45
Use OpenSSH (continued)
Table 5-3 SSH Server configuration options
46
Use OpenSSH (continued)

• Configure the SSH client
• Edit the file /etc/ssh/ssh_config
• Users can edit their individual settings in the
  file /.ssh/config
• Ensure that only servers are accepted whose keys
  have been previously added to /.ssh/known_hosts
  or /etc/ssh/ssh_known_hosts
• Set the option StrictHostKeyChecking in the
  client configuration file (/.ssh/config) to yes

47
Use OpenSSH (continued)

• SSH-related commands
• See Table 5-4
• Basic syntax for ssh
• ssh options host command
• Basic syntax for scp is
• scp options sourcefile destinationfile
• SSH can also be used to protect unencrypted
  traffic, like POP3, by tunneling it through an
  SSH connection

48
Use OpenSSH (continued)
Table 5-4 SSH-related commands
49
Exercise 5-3 Practice Using OpenSSH

• Perform the following tasks
• Log in to your partners computer as root
• Execute the ps aux command on your partners
  computer without logging in to his or her
  computer
• Copy the /etc/hosts file from your partners
  computer to your /tmp directory
• Copy the /etc/hosts file from your computer to
  the home directory of geeko on your partners
  computer
• Using sftp, copy the /bin/date file from your
  partners computer to /home/geeko/ on your
  computer

50
Use OpenSSH (continued)

• Public key authentication management
• Public key authentication process
• Public key of the user has to be stored on the
  server in the home directory of the user account
  being accessed
• Public keys are stored on the server in the
  file/.ssh/authorized_keys
• The corresponding private key must be stored on
  the client computer
• The secret key should be protected by a passphrase

51
Use OpenSSH (continued)

• Public key authentication management (continued)
• Create a key pair
• Create a key pair with the ssh-keygen command
• A different key is required for SSH1 than for
  SSH2
• The keys are stored in the directory /.ssh
• Configure and use public key authentication
• For authentication using RSA or DSA keys, you
  need to copy the public key to the server
• And then append the public key to the file
  /.ssh/authorized_keys

52
Use OpenSSH (continued)

• Public key authentication management (continued)
• Configure and use public key authentication
  (continued)
• When authentication is done with keys, the
  passphrase is required when logging in to the
  server
• Or when copying with scp
• The ssh-agent can be used to avoid typing this
  passphrase upon each connection
• The ssh-agent serves as a wrapper for any other
  process
• You can also use the ssh-agent with a graphical
  login

53
Exercise 5-4 Perform Public Key Authentication

• Create an ssh-key pair, add the public key to the
  file geeko/.ssh/authorized_keys on your
  partners computer, and note the difference
  between logging in with and without a public key
• Then, use the ssh-agent to cache the private key
  and log in again to your partners machine as
  geeko
• As root, change the SSH server configuration to
  allow only public key authentication
• Restart sshd and, as root, try ssh geeko_at_localhost

54
Configure VPN Connections

• VPN and IPSec basics
• VPN (Virtual Private Network)
• Technology that uses one network infrastructure
  to carry the packets of another network
• A VPN does not necessarily have to encrypt the
  traffic, but encryption is used on most VPNs
• Technologies used to implement VPNs
• IPSec, OpenVPN, L2TP, HTTPS, and SSH

55
Configure VPN Connections (continued)
Figure 5-18 Virtual private network (VPN)
56
Configure VPN Connections (continued)

• Configure VPN connections with NetworkManager
• The NetworkManager applet makes it easy to
  connect to a VPN gateway
• See Figure 5-19
• An assistant guides you through the VPN
  configuration
• See Figure 5-20
• Types of VPN clients
• Novell VPN client, OpenVPN client, and Compatible
  Cisco VPN client (vpnc)
• See Figure 5-21

57
Configure VPN Connections (continued)
Figure 5-19 NetworkManager applet
58
Configure VPN Connections (continued)
Figure 5-20 Create VPN Connection wizard
59
Figure 5-21 Novell VPN client
60
Configure VPN Connections (continued)

• Configure VPN connections with NetworkManager
  (continued)
• GNOME keyring
• Application that allows you to store various
  credentials and protect them with a password
• Advantage of using the GNOME keyring
• You only have to remember one password to unlock
  the encrypted keyring
• Contains various usernames and corresponding
  passwords for different applications

61
Use VNC

• VNC (Virtual Network Computing)
• VNC server software component transmits the
  content of the screen to a remote computer
• Running the VNC viewer software
• Allows someone else to view your desktop
• Allows another user to interact with the mouse
  and keyboard
• Implementations used on SUSE Linux Enterprise
  Desktop 10 are TightVNC and vino
• See Figures 5-24 and 5-25

62
Use VNC (continued)
Figure 5-24 VNC remote desktop preferences
63
Use VNC (continued)
Figure 5-25 User is informed of the connection
request
64
Exercise 5-5 Use VNC

• In this exercise, you will work with a partner
• You start the VNC server using vino-preferences
  and allow your partner to connect to your desktop
  with vncviewer

65
Summary

• The Network Card module of YaST can be used to
  easily manage your network interface
  configuration
• Common IP configuration parameters include an IP
  address, subnet mask, hostname, name server
  (DNS), and WLAN settings for wireless network
  interfaces
• Network interface and IP information is stored in
  the /etc/sysconfig/network directory
• Different IP networks are connected to one
  another via routers

66
Summary (continued)

• After system initialization, you can use the ip
  command to view, configure, and manage your
  network interfaces, IP configuration, and routing
  table
• You can use the Firewall module of YaST to
  configure packet filtering on your network
  interfaces
• NetworkManager can be used to keep track of
  several wired and wireless networks on portable
  or laptop computers
• The SSH daemon (sshd) provides a secure
  alternative to telnet, rlogin, rsh, rcp, and FTP
  by encrypting traffic

67
Summary (continued)

• SSH uses a combination of asymmetric and
  symmetric encryption and supports several
  standard encryption algorithms
• You can configure the SSH type, authentication,
  and encryption types in the SSH server
  configuration file /etc/ssh/sshd_config
• You can generate asymmetric SSH encryption keys
  using the ssh-keygen command and view them using
  the ssh-keyscan command
• You can use the vino-preferences command to
  configure a VNC server