ch16-remoteaccess
Transcript of ch16-remoteaccess
-
8/9/2019 ch16-remoteaccess
1/28
SAIGONLAB 69-3 Nguyen Thi Nho, P9, Q.TBinh, Tp. HCM LPI 102
SAIGONLAB 83 Nguyễn Thị Nhỏ, P9, Q.Tân Bình, Tp. HCM LPI 102
Chapter 16
Remote Connectivity
Objectives
Explain :
telnet
rsh
ssh
Configure FTP
Telnet
Telnet is used to communicate with a host through the telnet protocol on default port 23.
It operates on a client/server basis. The client requires an account on the server to log in.
Most telnet servers will not allow you to log in as root because of security. You can log in as a normal user and su to root.
Relevant File ~/.telnetrc
When users have a .telnetrc file in their home directories, telnet will execute the commands listed in this file.
# this is a comment
command1
command2
Telnet Commands
Command Format :
telnet [IP address|host name] [port]
If telnet is executed without options, it is started in command mode with the prompt telnet>
You can change to command mode with Ctrl-] after connecting.
Telnet Commands
?, h, help    Lists commands with description
? (arg)       More information on the given command
open          Open connection to the IP address or host name
close = quit  Terminates connection from client
logout        Requests server to terminate the connection
send          Send a special character sequence to the server
status        A brief status report of telnet
( See # man telnet for more commands )
The r Commands
There are 3 programs :
rlogin  Remote login
rsh     Remote shell, executes a command
rcp     Remote copy
Password NOT required if the following files are configured:
/etc/hosts.equiv (system-wide)
$HOME/.rhosts (per-user)
( Entry : [+|-] [hostname] [username] )
The r Commands
rlogin : similar to telnet
rlogin [-l username] host
rsh : executes cmd on remote host
rsh [-l username] host cmd
Shell meta-characters can be used in cmd. To have rsh interpret the meta-characters on the remote machine, put quotation marks around them. If not quoted, metacharacters are interpreted on the local machine :
# rsh -l minh saigonctt cat ~/file > local_file
# rsh -l minh saigonctt cat ~/file ">remote_file"
The r Commands
rcp : copy files between machines
rcp file user@host:path
rcp user@host:path file
Example :
rcp /home/file minh@saigonlab:/backup
rcp minh@saigonlab:/backup/file /home
rcp -r /etc minh@saigonlab:/backup/etc
rcp -rp /etc minh@saigonlab:/backup/etc
Security of r Commands
Security of the r commands centers around the idea of trusted users and hosts, NOT password authentication.
Trusted hosts are also known as equivalent hosts.
If NO hosts.equiv is present, NO hosts are trusted.
The .rhosts file is used to control access to an individual user account:
it grants or denies password-free access to that account.
hosts.equiv does NOT work with the root account, but .rhosts does.
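The trust files above are the whole of r-command security, so an administrator's first check is to read them and see who is trusted without a password. The following script is an added example, not part of the course slides or of any r-command implementation: it parses entries in the [+|-] [hostname] [username] format from the earlier slide and applies a simplified model of the lookup ("+" in a field means any host or any user, a leading "-" refuses trust, and an entry with no user field only trusts a remote user logging into the local account of the same name), then warns about entries that trust too widely. The hosts, users and file contents are constructed for illustration.

```python
"""Audit r-command trust files (/etc/hosts.equiv, ~/.rhosts).

Added example, not part of the course slides.  It parses entries in the
format the slide gives, [+|-] [hostname] [username], and applies a
simplified model of the trust lookup: "+" in the host or user field means
"any", a leading "-" marks an entry that explicitly refuses trust, and an
entry without a user field only trusts a remote user logging into the
local account of the same name.  All hosts, users and file contents below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TrustEntry:
    negate: bool          # True for a "-" entry: explicitly not trusted
    host: str             # hostname, or "+" meaning every host
    user: Optional[str]   # username, "+" meaning every user, None if absent


def parse_entries(text: str) -> List[TrustEntry]:
    """Parse hosts.equiv / .rhosts lines, skipping blanks and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host, negate = fields[0], False
        if host.startswith("-") and len(host) > 1:
            negate, host = True, host[1:]
        user = fields[1] if len(fields) > 1 else None
        entries.append(TrustEntry(negate, host, user))
    return entries


def entry_matches(e: TrustEntry, remote_host: str, remote_user: str,
                  local_user: str) -> bool:
    host_ok = e.host == "+" or e.host.lower() == remote_host.lower()
    if e.user is None:
        user_ok = remote_user == local_user      # same-named account only
    else:
        user_ok = e.user == "+" or e.user == remote_user
    return host_ok and user_ok


def passwordless_login_allowed(entries, remote_host, remote_user, local_user):
    """First matching entry decides; a '-' entry refuses, any other grants."""
    for e in entries:
        if entry_matches(e, remote_host, remote_user, local_user):
            return not e.negate
    return False


def audit(entries: List[TrustEntry]) -> List[str]:
    """Describe entries that extend password-free access too widely."""
    warnings = []
    for e in entries:
        if e.negate:
            continue
        if e.host == "+" and e.user == "+":
            warnings.append("'+ +' trusts every user on every host")
        elif e.host == "+":
            who = e.user or "same-named users"
            warnings.append(f"'+' trusts {who} from every host")
        elif e.user == "+":
            warnings.append(f"every user on {e.host} is trusted")
    return warnings


# Constructed sample of a system-wide hosts.equiv (not a real file).
SAMPLE_HOSTS_EQUIV = """\
# classroom hosts
saigonlab
-badhost
+ minh
"""

# Constructed sample of a per-user .rhosts that trusts the whole world.
SAMPLE_RHOSTS = "+ +\n"

if __name__ == "__main__":
    equiv = parse_entries(SAMPLE_HOSTS_EQUIV)
    for w in audit(equiv) + audit(parse_entries(SAMPLE_RHOSTS)):
        print("WARNING:", w)
    print(passwordless_login_allowed(equiv, "saigonlab", "peter", "peter"))
```

Run against the real files, the audit function is the useful part: a "+ +" line in any ~/.rhosts, or a bare "+" host in /etc/hosts.equiv, means the trust model the slide describes has been switched off for that account or host.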
SSH Secure Shell
SSH was originally authored by Tatu Ylönen in Finland as a replacement for telnet, rlogin, rsh and rcp. Everything SSH sends across the network is encrypted. SSH has become the de-facto standard for remote connection.
SSH can handle X connections.
SSH Features
Strong authentication with RSA, SecurID,S/Key, Kerberos and TIS
Secure X11 sessions
Arbitrary TCP/IP ports can be redirected through the encrypted channel in both directions
Optional compression of all data with gzip
Complete replacement for rlogin, rsh, rcp
Components of SSH1
sshd        Server
ssh         Client
scp         Secure copy files, replaces rcp
ssh-keygen  Creates RSA keys (host key and authentication keys)
ssh-agent   Authentication agent, used to hold RSA keys for authentication
ssh-add     Used to register new key with the agent
make-ssh-known-hosts  Used to create /etc/ssh/ssh_known_hosts file
Components of SSH2
sshd2         Server
ssh2          Client
sftp-server2  SFTP Server (executed by sshd2)
sftp2         SFTP Client (needs ssh2)
scp2          Secure copy files, replaces rcp
Components of SSH2
ssh-keygen2   The utility for generating keys
ssh-agent2    Authentication agent, used to hold RSA keys for authentication
ssh-add2      Add identifier to the authentication agent
ssh-askpass2  X11 utility for querying password
SSH2 Changes
SSH has been 98% rewritten
Supports other key-exchange methods besides RSA : Diffie-Hellman key exchange
Supports DSA and other public key algorithms besides RSA
New added features : sftp, the secure file transfer protocol
SSH2 Changes
More secure and allows integration into public key infrastructures
Supports subsystems, platform-independent modules, built-in SOCKS
Install SSH1 from OpenSSH
Because of legal reasons, SSH is not included by default in Linux. You can download and install it from source code or from OpenSSH.
OpenSSH suite includes :
ssh (replaces telnet and rlogin)
scp (replaces rcp)
sftp (replaces ftp)
Install SSH1 from OpenSSH
Server : openssh-server-xxx.rpm (sshd, sshd_config, sftp-server, ...)
Client : openssh-clients-xxx.rpm (ssh, ssh_config, sftp, ...)
Additional tools : openssh-xxx.rpm (scp, ssh-keygen, ...)
SSH1 Configure
Configuration files :
Server : /etc/ssh/sshd_config
Client : /etc/ssh/ssh_config
These files contain keyword-value pairs, one per line; use # for comments. Keywords are case sensitive :
# more /etc/ssh/sshd_config
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
IgnoreRhosts yes
RhostsAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
...
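The fragment above shows two settings worth questioning on a server that faces a network: PermitRootLogin yes and PasswordAuthentication yes. The script below is an added example, neither the course's nor OpenSSH's own code. It reads the keyword-value format just described (one pair per line, # comments) and rates the keywords the slide shows against values that widen the attack surface; it also stops at a Match block, since settings after it are conditional rather than global, and keeps the first value of a repeated keyword, which is how sshd resolves duplicates. Both config texts are constructed: the first extends the slide's fragment, the second is a hardened version of it.

```python
"""Flag weak settings in an OpenSSH sshd_config.

Added example, not the course's or OpenSSH's own code.  It reads the
keyword-value format described above (one pair per line, '#' comments) and
checks the keywords shown on the slide against values that widen the attack
surface.  The two config texts below are constructed: the first extends the
slide's fragment, the second is a hardened version of it.
"""
from typing import Dict

# Values of the slide's keywords that a reviewer should question.
RISKY_VALUES = {
    "permitrootlogin": {"yes"},         # direct root logins over the network
    "passwordauthentication": {"yes"},  # exposes accounts to password guessing
    "rhostsauthentication": {"yes"},    # r-command style host trust, no password
    "ignorerhosts": {"no"},             # honours users' ~/.rhosts files
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global settings as {lowercased keyword: value}.

    Parsing stops at the first 'Match' line, because everything after it is
    conditional on the matched user/host rather than global.  When a keyword
    is repeated, the first value is kept, which is how sshd resolves duplicates.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        key, value = fields[0], (fields[1] if len(fields) > 1 else "")
        if "=" in key:                      # "Keyword=value" spelling
            key, value = key.split("=", 1)
        key, value = key.lower(), value.lstrip("= ").strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> Dict[str, str]:
    """Rate each slide keyword as 'weak', 'ok' or 'unset' (default applies)."""
    settings = parse_sshd_config(text)
    report = {}
    for key, risky in RISKY_VALUES.items():
        value = settings.get(key)
        if value is None:
            report[key] = "unset"
        elif value.lower() in risky:
            report[key] = "weak"
        else:
            report[key] = "ok"
    return report


# Constructed: the slide's fragment, plus a repeated keyword and a Match block.
SAMPLE_SSHD_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
IgnoreRhosts yes
RhostsAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
# a later duplicate does not override the first value above
PasswordAuthentication no
Match User backup
    # conditional on the user 'backup', so not a global setting
    PasswordAuthentication no
"""

# Constructed: the same server hardened to key-based, non-root logins.
HARDENED_SSHD_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
PermitRootLogin no
IgnoreRhosts yes
RhostsAuthentication no
RSAAuthentication yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("slide", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg))
```

The "unset" result matters as much as "weak": a keyword that is absent takes the server's compiled-in default, so the audit reports it rather than silently assuming a safe value.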
Using SSH
Using ssh is similar to telnet or rlogin.
Here are some examples for a server named smallfry in your /etc/hosts file :
[root@bigboy tmp]# ssh smallfry
[root@bigboy tmp]# ssh -l peter smallfry
[root@bigboy tmp]# ssh -l peter -p 435 smallfry
File Transfer - ftp
ftp (file transfer protocol) provides a service for file transfer from/to your computer.
All Linux distributions offer the wu-ftpd program, which is an ftp daemon developed at Washington University.
wu-ftpd is the most common ftp daemon on the Internet
FTP Relevant Files
/etc/ftpaccess
/etc/ftphosts
/etc/ftpusers
/etc/ftpconversion
/etc/ftpaccess
It is the main configuration file :
class all real,guest,anonymous *
email root@localhost
loginfails 5
message /welcome.msg login
message .message cwd=*
compress yes all
tar yes all
chmod no guest,anonymous
delete no anonymous
rename no anonymous
/etc/ftphosts
It is used to allow or deny access to certain accounts from various hosts.
allow henry 10.1.2.3
deny fred example.org 10.2.3.*
/etc/ftpusers
It contains login names of users who are NOT allowed to log in to your system
root
bin
daemon
adm
lp
mail
news
uucp
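The two files just shown, /etc/ftphosts and /etc/ftpusers, together decide whether a given login is accepted before any password is checked. The script below is an added example, not from the course or from wu-ftpd, that models their documented meaning: a user named in ftpusers is refused; an allow line in ftphosts restricts that user to clients matching one of its patterns; a deny line refuses that user from matching clients. Patterns are shell-style globs matched against the client's hostname or address. The file contents are constructed from the slide's entries.

```python
"""Evaluate an ftp login against wu-ftpd's /etc/ftpusers and /etc/ftphosts.

Added example; it is not from the course or from wu-ftpd.  It models the
documented meaning of the two files: a user named in ftpusers is refused;
an 'allow <user> <pattern>...' line in ftphosts restricts that user to
clients matching one of the patterns; a 'deny <user> <pattern>...' line
refuses that user from matching clients.  Patterns are shell-style globs
matched against the client's hostname or address.  The file contents below
are constructed from the slide's entries.
"""
from fnmatch import fnmatch
from typing import Iterable, List, Set, Tuple

Rule = Tuple[str, str, List[str]]   # (action, user, patterns)


def parse_ftpusers(text: str) -> Set[str]:
    """One login name per line; blank lines and '#' comments are ignored."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def parse_ftphosts(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] not in ("allow", "deny"):
            continue   # malformed or comment line
        rules.append((fields[0], fields[1], fields[2:]))
    return rules


def any_match(patterns: Iterable[str], names: Iterable[str]) -> bool:
    return any(fnmatch(name, pat) for name in names for pat in patterns)


def login_permitted(user: str, client_names: Iterable[str],
                    ftpusers: Set[str], ftphosts: List[Rule]) -> bool:
    """client_names: the client's reverse-DNS name and/or IP address."""
    if user in ftpusers:
        return False
    names = list(client_names)
    allow = [p for act, u, pats in ftphosts if act == "allow" and u == user for p in pats]
    deny = [p for act, u, pats in ftphosts if act == "deny" and u == user for p in pats]
    if allow and not any_match(allow, names):
        return False      # an allow-list exists and the client is not on it
    if any_match(deny, names):
        return False
    return True


# Constructed from the slide: system accounts that must never log in via ftp.
SAMPLE_FTPUSERS = "root\nbin\ndaemon\nadm\nlp\nmail\nnews\nuucp\n"

# Constructed from the slide's two ftphosts entries.
SAMPLE_FTPHOSTS = """\
allow henry 10.1.2.3
deny fred example.org 10.2.3.*
"""

if __name__ == "__main__":
    users, hosts = parse_ftpusers(SAMPLE_FTPUSERS), parse_ftphosts(SAMPLE_FTPHOSTS)
    for who, where in (("root", ["10.1.2.3"]), ("henry", ["10.1.2.3"]),
                       ("henry", ["10.9.9.9"]), ("fred", ["10.2.3.7"]),
                       ("fred", ["ftp.example.net", "10.2.4.1"])):
        print(who, where, login_permitted(who, where, users, hosts))
```

Note that the ftpusers check comes first and is unconditional: the system accounts listed on the slide are refused from every host, which is why that file is the place to put accounts that should never be reachable over ftp at all.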
Proftpd
It is another powerful ftp server, not as popular as wu-ftpd but easier to configure and more secure. It can run as a stand-alone server or from inetd.
Relevant files :
/usr/sbin/in.proftpd : server daemon
/etc/proftpd.conf : main configuration file