HP World 2005 Securing your Unix environment with HP Secure Shell
Steven E Protter
Senior Systems Administrator
I.S.N. Corporation
Secure Shell Presentation Outline 1
• Presenter information
– Qualifications and experience.
– Warning !!
– How he got here.
• What is HP Secure Shell
– Advantages
– Challenges
– Components
Secure Shell Presentation Outline 2
• Where do I get HP Secure Shell
• How do I install HP Secure Shell
• Why should I use HP Secure Shell
Secure Shell Presentation Outline 3
• Step by step for installation and exchange of public keys.
– Downloading the software.
– Installation.
– Exchanging public keys.
• Questions and (hopefully) answers
Getting Started
Qualifications and Experience 1
• 10 years of systems administration work on HP-UX 10.20, 11 and 11i v1
• Actual experience with a disaster involving major loss of data.
• Five years of experience as a Linux administrator
• HP-UX CSA (Can pass a multiple choice examination)
• Two major Unix OS/Hardware conversions.
Qualifications and Experience 2
• 14 ½ Years @ the Jewish United Fund
• Experience as a programmer.
• Systems Analyst
• Software AG and Oracle DBA
• HP-UX Administrator
• Married 10 years to a Russian American
• Recently moved to Israel
Warning! Try this at your shop!
• I do not have complete knowledge on topic
– Nobody can, it's too complex.
– Have made this work in a mixed HP-UX/Linux environment.
• Can only understand Russian accented English.
• This is something you want to try at home.
How Steve Protter Got here
• Found a call for presentations at http://forums.itrc.hp.com
– Sent in two suggestions
– Both were accepted
• Flew from Tel Aviv to Newark, NJ
• Drove from Connecticut to San Francisco
– Made several consulting stops en route
What is HP Secure Shell?
• Hewlett-Packard’s port of OpenSSH
• Open source product
• More information @ http://www.openssh.org
Advantages of HP Secure Shell?
• Hewlett-Packard’s port of OpenSSH
– Some bugs were fixed prior to HP release.
– Released in depot format
– Port ensures smooth operation with HP-UX
– Replaces insecure products such as rsh and remsh
– Session and passwords are encrypted
Challenges of HP Secure Shell?
• Sometimes you have to wait for it.
• The environment is slightly different than what it replaces.
• You cannot completely remove the old protocols and still do Ignite Imaging.
• To be announced.
Secure Shell Components 1
• ssh: Secure Shell
– Replaces rsh, rexec, remsh, telnet
• sftp: Secure file transfer protocol
– Common command set with ftp
– Knows the difference between binary and ascii files
– No mput
– Scriptable
Secure Shell Components 2
• scp: Secure copy
– Replaces rcp
– Can copy large file systems
– Makes my life easier
How to get HP Secure Shell
• Core OS: It is/may be an install option
• Application CD: Released every 6 months
• http://www.hp.com/go/software
How to get HP Secure Shell
• Use sftp to copy it to the HP-9000 server, or use a web browser on the box to download it.
Wed Jun 1 16:37:46 2005:/home/secsh
[8460#] ll
total 16420
-rw-r--r-- 1 root sys 8407040 Jun 1 23:48 T1471AA_A.04.00.000_HP-UX_B.11.11_32+64.depot
Before you install
• Read the installation instructions
– Not because you don’t know how to swinstall.
– Because there may be patch recommendations and other helpful information.
Patches
• 11i version 1 patches
– PAM patch: PHCO_30402
– OS patch: PHCO_26466
swlist -l product | grep PHCO_30402
swlist -l product | grep PHCO_26466
• Why? It may still install but give trouble later.
How to install HP Secure Shell
swinstall -s /home/secsh/T1471AA_A.04.00.000_HP-UX_B.11.11_32+64.depot \*
“The command line is the Systems Administrator’s best friend.”
Steven E Protter
Senior Systems Administrator
ISN Corporation
“Because someday it may be all you have.”
Steven E Protter
Senior Systems Administrator
ISN Corporation
Situations with no GUI tools:
• Single User Mode (hpux -is)
• LM mode (hpux -lm)
Public Key Exchange
• Advantages:
– Ease of administration
– More secure than typing passwords
– You don’t have to remember passwords
– Works over multiple operating systems
Public Key Exchange
• Challenges:
– You may someday boot the wrong system
– If a root password is compromised on one system, root access is granted on all systems with public key exchange.
Public Key Exchange
• Tricks (ways to stay out of trouble):
– Change the prompt to include system name
– Set terminal color in the environment profile
Public Key Exchange: Change prompt
• PS1=
[8476#] echo ${PS1}
Wed Jun 1 16:37:46 2005:$PWD [!#]
In /etc/profile
ENV=/.kshrc
Public Key Exchange: Change prompt
vi /.kshrc
PS1=`date -u +%c`:`echo $LOGNAME@``hostname`' $PWD
[!#] '
Public Key Exchange: Change prompt
• A prompt that lets you know where you are
Thu Jun 2 13:50:10 2005:root@eilat /root/
[1158#]
Public Key Exchange: Generate keys
ssh-keygen -t dsa
Press <ENTER> for the next 3 questions (this accepts the default key file location and leaves the passphrase empty)
This creates a directory called .ssh
cd .ssh
Public Key Exchange
ls -la
-rw------- 1 root sys 668 Jun 2 09:03 id_dsa
-rw-r----- 1 root sys 600 Jun 2 09:03 id_dsa.pub
cat id_dsa.pub (just taking a look)
Public Key Exchange: Home directory permissions
[1168#] env | grep HOME
HOME=/root/
Thu Jun 2 13:50:10 2005:root@eilat /root/.ssh
[1169#] chmod 755 $HOME
Thu Jun 2 13:50:10 2005:root@eilat /root/.ssh
Public Key Exchange: Host setup
ssh hpweb
The authenticity of host 'hpweb (192.168.0.70)' can't be established.
RSA key fingerprint is 97:1d:cb:bf:b3:54:9f:54:12:8f:2f:3a:aa:b9:10:7c.
Are you sure you want to continue connecting (yes/no)?
yes <enter>
Warning: Permanently added 'hpweb,192.168.0.70' (RSA) to the list of known hosts.
Password:
Public Key Exchange: Host setup
cd .ssh
scp -p eilat:/$PWD/id_dsa.pub authorized_keys
<Generate a public key on second host>
cat id_dsa.pub >> authorized_keys
chmod 644 authorized_keys <optional depending on umask>
scp -p authorized_keys eilat:/$PWD
Public Key Exchange: Host setup
ls -la before and after
-rw-r----- 1 root sys 600 Jun 2 09:03 authorized_keys
-rw-r----- 1 root sys 2020 Nov 21 2004 id.dat
-rw------- 1 root sys 668 Apr 26 04:56 id_dsa
-rw-r--r-- 1 root sys 600 Apr 26 04:56 id_dsa.pub
-rw-r--r-- 1 root sys 3339 May 8 00:34 known_hosts
-rw------- 1 root sys 1024 Feb 13 2004 prng_seed
[8494#] cat id_dsa.pub >> authorized_keys
Thu Jun 2 14:20:20 2005:/root/.ssh
-rw-r----- 1 root sys 1200 Jun 2 09:21 authorized_keys
-rw-r----- 1 root sys 2020 Nov 21 2004 id.dat
-rw------- 1 root sys 668 Apr 26 04:56 id_dsa
-rw-r--r-- 1 root sys 600 Apr 26 04:56 id_dsa.pub
-rw-r--r-- 1 root sys 3339 May 8 00:34 known_hosts
-rw------- 1 root sys 1024 Feb 13 2004 prng_seed
Public Key Exchange: Host setup
scp -p authorized_keys eilat:/$PWD
You will be prompted for a password.
Try it again, you should not be prompted for a password.
DONE!
Public Key Exchange: Summary
• Permissions are crucial.
– If prompted for a password when you think you should not be prompted, go back and check permissions
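An added example, not from the original slides: a shell audit of the files this walkthrough touches, applying the rules OpenSSH enforces (sshd's StrictModes rejects a group- or world-writable home directory, .ssh directory or authorized_keys; the ssh client rejects a private key accessible to group or other). The function names and the constructed sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: re-check the permissions the key exchange depends on.
# Assumed rules: OpenSSH StrictModes (server) and the client's private-key
# check. File names follow the slides (id_dsa, authorized_keys).

# Print the 10-character mode string for a path, e.g. drwxr-xr-x
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# True when group or other has write permission on the path.
loose_write() {
    m=$(mode_of "$1")
    [ "$(printf '%s' "$m" | cut -c6)" = "w" ] ||
        [ "$(printf '%s' "$m" | cut -c9)" = "w" ]
}

# True when group or other has any access at all (private keys must not).
open_to_others() {
    [ "$(mode_of "$1" | cut -c5-10)" != "------" ]
}

# audit_ssh_home DIR: print one FAIL line per problem; exit status = count.
audit_ssh_home() {
    home=$1
    problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if loose_write "$p"; then
            echo "FAIL: $p is group/world writable ($(mode_of "$p")); sshd will not use the key"
            problems=$((problems + 1))
        fi
    done
    for k in "$home/.ssh/id_dsa" "$home/.ssh/id_rsa"; do
        [ -f "$k" ] || continue
        if open_to_others "$k"; then
            echo "FAIL: $k is accessible to others ($(mode_of "$k")); ssh will not use it"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample tree using the modes shown on the slides.
make_sample_home() {
    d=$(mktemp -d) || return 1
    mkdir "$d/.ssh"
    : > "$d/.ssh/id_dsa"; : > "$d/.ssh/id_dsa.pub"; : > "$d/.ssh/authorized_keys"
    chmod 755 "$d"; chmod 700 "$d/.ssh"
    chmod 600 "$d/.ssh/id_dsa"; chmod 644 "$d/.ssh/authorized_keys"
    echo "$d"
}

sample=$(make_sample_home)
audit_ssh_home "$sample" && echo "OK: $sample passes"
chmod 775 "$sample"        # a common cause of the unexpected password prompt
audit_ssh_home "$sample" || echo "$? problem(s) found"
rm -rf "$sample"
```

Run `audit_ssh_home "$HOME"` on both hosts of the exchange; a clean result on one side only points to the other side's permissions.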
Questions & (Hopefully) Answers
More Information
• http://forums.itrc.hp.com
• http://docs.hp.com
• http://itrc.hp.com
• http://www.hp.com/go/software