SUSE Linux Enterprise Server Administration Course 3037 - PowerPoint PPT Presentation

Slides: 52
Provided by: facult9
Transcript and Presenter's Notes

1
SUSE Linux Enterprise Server Administration
(Course 3037)
  • Chapter 10
  • Manage Remote Access

2
Objectives
  • Provide Secure Remote Access with OpenSSH
  • Enable Remote Administration with YaST
  • Configure a Network Installation

3
Provide Secure Remote Access with OpenSSH
  • Objectives
  • Cryptography Basics
  • SSH Features and Architecture
  • How to Configure the SSH Client
  • SSH Client Commands
  • How to Configure the SSH Server
  • SSH Server Commands
  • Public Key Authentication Management

4
Cryptography Basics
  • Symmetric encryption
  • Same key is used for encryption and decryption
  • Key should be protected
  • Helps with high-speed transmission
  • Key length is very important
  • Technologies
  • DES (Data Encryption Standard)
  • 3DES (Triple DES)
  • IDEA
  • Blowfish
  • AES (Advanced Encryption Standard)

5
Cryptography Basics (continued)
  • Asymmetric encryption
  • Symmetric encryption problem
  • Securely transmitting the key
  • Uses two keys (private and public keys)
  • One is used for encryption and the other for
    decryption
  • Low-speed data transmission
  • Both techniques are often combined
  • Key for symmetric encryption is transmitted over
    an asymmetrically encrypted channel
  • Techniques
  • RSA, DSA, Diffie-Hellman

6
SSH Features and Architecture
  • SSH features
  • Basic functionality
  • Login from a remote host
  • Interactive or noninteractive command execution
    on remote hosts
  • Copying files between different network hosts
  • High-performance authentication and
    cryptographically secured communication on
    nonsecure networks
  • Automatic and transparent encryption of all
    communication
  • Complete substitution of the r utilities: rlogin,
    rsh, and rcp
  • Port forwarding
  • Tunneling

7
SSH Features and Architecture (continued)
  • SSH features (continued)
  • Special features
  • Prevent security loopholes through IP, routing,
    and DNS spoofing
  • You can control the client by using system-wide
    and user-based configuration files
  • You can transmit any type of binary data between
    hosts
  • Optional support for compressing data is also
    available
  • There are up to six procedures available from the
    client for server authentication

8
SSH Features and Architecture (continued)
  • SSH protocol versions
  • Protocol version 1 (SSH1)
  • Protocol version 2 (SSH2)
  • SSH1 does not ensure the integrity of a
    connection
  • Insertion attack
  • HMAC (Keyed-Hash Message Authentication Code)
  • Guarantees integrity of a connection

9
SSH Features and Architecture (continued)
10
SSH Features and Architecture (continued)
11
SSH Features and Architecture (continued)
12
SSH Features and Architecture (continued)
  • SSH authentication mechanism configuration
  • Client checks if public host key of the server
    really belongs to the server
  • SSH currently does not use any directory services
  • Or any certificates
  • Random key pair can be easily created by anyone
  • Client learns server public host key
  • Server side mechanisms to authenticate clients
  • Host-based authentication
  • Authentication is based on configuration files
    /etc/hosts.equiv or /etc/shosts.equiv, and/or
    ~/.rhosts or ~/.shosts

13
SSH Features and Architecture (continued)
  • SSH authentication mechanism configuration
    (continued)
  • Server side mechanisms to authenticate clients
    (continued)
  • Host-based RSA authentication
  • Public keys of clients are saved on server in the
    files ~/.ssh/known_hosts and
    /etc/ssh/ssh_known_hosts
  • Public key (RSA/DSA) authentication
  • User proves knowledge of his private key through
    a challenge-response procedure
  • Password authentication
  • Takes place through a UNIX user password
  • Transfer of the password is encrypted

14
SSH Features and Architecture (continued)
  • SSH authentication mechanism configuration
    (continued)
  • After successful authentication
  • A work environment is created on the server
  • Initialization routines are processed
  • Parameter X11 Forwarding
  • Determines whether or not graphical output is
    forwarded by default
  • SSH server configuration file
  • /etc/ssh/sshd_config

15
How to Configure the SSH Client
  • SSH client configuration file
  • /etc/ssh/ssh_config
  • Each user can edit his individual settings
  • In the file ~/.ssh/config
  • StrictHostKeyChecking option
  • Prevents client from simply entering new keys
  • From unknown servers without checking
  • Three values: yes, no, and ask (default)
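
Added example (not part of the original slides): a shell function that scans an SSH client configuration file such as /etc/ssh/ssh_config or ~/.ssh/config and reports every Host block where StrictHostKeyChecking is switched off. The function name and the sample host names are made up for this illustration.

```shell
# Added example: report Host blocks in an ssh client config that turn
# host key checking off. Reads the file named in $1, or stdin if none.
audit_strict_hostkey() {
    awk '
        BEGIN { host = "(global)" }
        /^[ \t]*#/ { next }                 # comment line
        /^[ \t]*$/ { next }                 # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]+/)      # keyword ends at whitespace or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))   # keywords are case-insensitive
            val = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == "host") {
                host = val
            } else if (key == "stricthostkeychecking") {
                v = tolower(val)
                # "no" is the value named on the slide; current OpenSSH
                # also accepts "off" and "false" with the same meaning
                if (v == "no" || v == "off" || v == "false")
                    print host ": StrictHostKeyChecking " v
            }
        }
    ' "${1:--}"
}

# Constructed sample config (host names are made up for this example)
audit_strict_hostkey <<'EOF'
# per-user settings
StrictHostKeyChecking ask
Host *.lab.example
    StrictHostKeyChecking no
Host backup
    stricthostkeychecking=yes
EOF
```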

16
SSH Client Commands
17
How to Configure the SSH Server
  • Configuration file
  • /etc/ssh/sshd_config

18
How to Configure the SSH Server (continued)
19
SSH Server Commands
20
Public Key Authentication Management
  • Public key authentication process
  • Client informs server of which public key is
    being used for authentication
  • Server checks to see if the public key is known
  • Server encrypts a random number using the public
    key and transfers this to the client
  • Client decrypts random number with its private
    key
  • Client sends the server an MD5 checksum that it
    has calculated from the number
  • Server also calculates a checksum and, if they
    are identical, the user has authenticated
    successfully

21
Public Key Authentication Management (continued)
  • How to create a key pair
  • Use command ssh-keygen
  • A different key is required for SSH1 than for
    SSH2
  • Use option -t keytype to specify the type of key
  • Keys are stored in the files
  • ~/.ssh/identity (private key)
  • ~/.ssh/identity.pub (public key)
  • Command ssh-keygen -t rsa
  • Generates an RSA key pair
  • Keys are stored in ~/.ssh/id_rsa and
    ~/.ssh/id_rsa.pub

22
Public Key Authentication Management (continued)
  • How to configure and use public key
    authentication
  • Authentication using RSA or DSA keys
  • Copy public key to the server
  • Append the public key to file
    ~/.ssh/authorized_keys
  • Example: scp .ssh/id_dsa.pub sun:geeko-pubkey
  • Launch the client to test the keys
  • You can use option -i to enter file name for
    private key
  • Password is still required when logging in to
    server
  • Enter password with the command ssh-add
  • You can also use the ssh-agent with a graphical
    login
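
Added example (not part of the original slides): the server-side "append the public key" step as a shell function that validates the copied file, sets the directory and file permissions sshd expects, and does not add the same key twice. The function name, the scratch directory and the key material are constructed for this illustration.

```shell
# install_pubkey PUBKEY_FILE [SSH_DIR]
# Appends one public key to SSH_DIR/authorized_keys (default: ~/.ssh).
# Runs in a subshell so the umask change does not leak to the caller.
install_pubkey() (
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    # A public key file is one line: "<type> <base64-data> [comment]"
    read -r ktype kdata rest < "$pub" || true
    case $ktype in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        # Also catches a private key copied by mistake ("-----BEGIN ...")
        *) echo "not a public key file: $pub" >&2; return 1 ;;
    esac
    [ -n "$kdata" ] || { echo "missing key data in $pub" >&2; return 1; }

    umask 077
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Idempotent: skip if this exact key data is already authorized
    if grep -qF -- "$kdata" "$auth"; then
        return 0
    fi
    printf '%s\n' "$ktype $kdata${rest:+ $rest}" >> "$auth"
)

# Constructed demo: a made-up key installed into a scratch directory
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLY geeko@earth' > "$demo/geeko-pubkey"
install_pubkey "$demo/geeko-pubkey" "$demo/.ssh" && cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```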

23
Exercise 10-1: Manage Remote Connections with
OpenSSH
  • In this exercise, you do the following:
  • Part I: Use SSH Utilities
  • Part II: Create a Trusted Connection Between
    Servers

24
Enable Remote Administration with YaST
  • Objectives
  • VNC and YaST Remote Administration
  • How to Configure Your Server for Remote
    Administration
  • How to Access Your Server for Remote
    Administration

25
VNC and YaST Remote Administration
  • VNC (virtual network computing)
  • Client-server solution
  • Allows a remote X server to be managed from
    anywhere on the Internet
  • Set VNC with YaST Remote Administration module
  • Connect to the server using
  • VNC client such as krdc (connect to
    hostname:5901)
  • VNC connection in Konqueror (vnc://hostname:5901)
  • Java-capable Web browser (http://hostname:5801)
  • Remote Administration is less secure than SSH

26
How to Configure Your Server for Remote
Administration
  • Steps
  • Start the YaST Remote Administration module
  • Select Allow Remote Administration, then select
    Finish
  • Close the dialog box by selecting OK
  • Close any open applications, then display a
    console by pressing Ctrl+Alt+F2
  • Log in as root with the appropriate password
  • Restart the display manager by entering rcxdm
    restart
  • Log in to the desktop as root or any other local
    user

27
How to Configure Your Server for Remote
Administration (continued)
28
How to Configure Your Server for Remote
Administration
29
How to Access Your Server for Remote
Administration
  • Access the server from a Web browser
  • Open a Web browser, then enter http://hostname:5801
  • Directly access YaST by selecting Administration
  • Enter the root password then select OK
  • Exit YaST then close the session by selecting
    Disconnect

30
How to Access Your Server for Remote
Administration (continued)
31
Exercise 10-2: Use Remote Administration
  • In this exercise, you do the following:
  • Part I: Remotely Access a Text-Based Version of
    YaST
  • Part II: Remotely Access the GUI Version of YaST
  • Part III: Configure Remote Administration with
    YaST
  • Part IV: Access Your Partner's Server Remotely

32
Configure a Network Installation
  • Objectives
  • How to Prepare for the Installation
  • SUSE Linux Installation Basics
  • How to Configure an Installation Server

33
How to Prepare for the Installation
  • Consider the following
  • Hardware compatibility
  • Verify that your hardware is compatible with SLES
    9 at www.novell.com/partnerguide/section/481.html
  • File system types
  • Partitioning scheme
  • Plan for the appropriate partitions and partition
    sizes
  • Software package selection
  • Dual-boot system
  • Better to install SUSE Linux Enterprise Server 9
    first

34
SUSE Linux Installation Basics
  • SUSE Linux lets you install from a variety of
    sources
  • Using a YaST GUI interface or a text-based
    interface
  • The role of Linuxrc
  • Defines installation settings and loads hardware
    drivers
  • Hands over control to YaST
  • Which starts the actual installation

35
SUSE Linux Installation Basics (continued)
36
SUSE Linux Installation Basics (continued)
37
SUSE Linux Installation Basics (continued)
38
SUSE Linux Installation Basics (continued)
  • Virtual consoles
  • You might need to access a command-line prompt
  • Called a shell prompt in Linux
  • From a virtual console
  • Linux system provides six virtual consoles
  • X Window system is assigned console number 7
  • Switch between virtual consoles by pressing
    Ctrl+Alt+Fx
  • Return to the X Window system by pressing
    Ctrl+Alt+F7

39
SUSE Linux Installation Basics (continued)
  • YaST installation log files
  • /var/log/YaST2/y2log
  • View its contents entering the following
  • more /var/log/YaST2/y2log
  • View the last few lines of the installation log
    file
  • tail /var/log/YaST2/y2log

40
How to Configure an Installation Server
  • Steps
  • Start the YaST Installation Server module
  • Select the server type
  • Deactivate the automatic configuration of server
    services (conditional)
  • Enter directory where you want to copy the
    installation files
  • Continue by selecting Next
  • Configure the service type (HTTP or FTP, and NFS)
  • Continue by selecting Next

41
How to Configure an Installation Server
(continued)
42
How to Configure an Installation Server
(continued)
43
How to Configure an Installation Server
(continued)
  • Steps (continued)
  • Configure an installation source by selecting
    Configure
  • Enter a name for the installation source
  • Select Use ISO Images Instead of CDs
    (conditional)
  • Select Prompt for additional CDs (conditional)
  • Announce as Installation Service with SLP
    (optional)
  • Continue by selecting Next
  • Insert the First CD

44
How to Configure an Installation Server
(continued)
45
How to Configure an Installation Server
(continued)
  • Steps (continued)
  • Continue following the prompts to remove and
    replace CDs
  • Edit the configured source (optional)
  • Change the server settings (optional)
  • Finalize the configuration by selecting Finish
  • Close the YaST Control Center (optional)

46
How to Start a Remote Installation
  • Steps
  • Insert the boot media and restart your computer
  • With the down-arrow key, scroll to and highlight
    Installation
  • Press F3 then select the service type (FTP,
    HTTP, NFS, or SLP)
  • Enter server and full path (conditional)
  • To directory where the installation files are
    stored
  • Select Installation
  • Follow installation prompts until complete

47
How to Start a Remote Installation (continued)
48
Exercise 10-3: Install SLES 9 from an Installation
Server
  • In this exercise you will install SLES 9 from an
    Installation Server

49
Summary
  • SSH daemon (sshd) provides a secure alternative
    to telnet, r-tools, and FTP
  • By encrypting traffic
  • scp and sftp commands
  • Copy files between remote hosts using SSH
  • SSH uses a combination of asymmetric and
    symmetric encryption
  • SSH server configuration file: /etc/ssh/sshd_config
  • ssh-keygen and ssh-keyscan commands
  • Generate and view asymmetric SSH keys

50
Summary (continued)
  • Use YaST Remote Administration module
  • To configure a VNC server
  • Before installing SLES, consider
  • Server role
  • Hardware compatibility
  • Boot, partition, and filesystem configuration
  • Linuxrc
  • Provides a text-based installation program
  • YaST is used to perform a graphical installation

51
Summary (continued)
  • YaST may be used to set up an installation server
  • That hosts the SLES media using the HTTP, FTP, or
    NFS protocol