Linux+ Certification Bible.pdf

Chapter 4 Installing Linux 103

Figure 4-10: The Red Hat firewall configuration screen

After the appropriate boxes have been checked, the networking portion of the installation is complete and additional information can be entered.

Additional installation information

2.3 Select appropriate parameters for Linux installation (e.g., language, time zones, keyboard, mouse)

At this point in the installation, the system asks for additional languages to be supported. This simple screen allows an installer to select languages to be supported on the system above and beyond the native language that is selected very early in the installation. After this is completed, the system asks the installer to select the time zone of the system. This screen includes a world map, with a red “X” marking the city selected as the physical location of the system. The map is interactive, so if the city to be designated as the location of the system is illuminated by a yellow dot, the installer should simply point and click and the yellow dot will become a red “X” to denote its selection. If the system clock is going to be set to UTC, or Coordinated Universal Time, then this option may also be selected at this point. After these additional settings are completed, the system moves to user accounts.

104 Part II Installation

Accounts and passwords

2.9 Select appropriate security settings (e.g., Shadow password, root password, umask value, password limitations and password rules)

2.10 Create users and passwords during installation

To enable users to log on to the system, user accounts and passwords must be created during or after installation. The first password and account that should be created is that of the root user. This is the most powerful account on the system and should only be used when other accounts can’t perform the specific task. The root account is the equivalent of Supervisor or Administrator accounts in other network operating systems. Because the root account is the most powerful account on the system, it is especially important to use good password rules when creating it. Because the account name is already known, a weak password will make the system even easier to break into. Therefore, I highly recommend that you create a very secure password for the root account. Creating secure passwords is an art form. The rules about what to do and what not to do are highly detailed. In fact, entire books have been written on the subject of security, so if you are a system administrator and you want to create the absolute best passwords, use the tools at your disposal. To create a fairly safe password, you need to follow just a few of the most important rules, including:

Use letters, numbers, and special characters

Include at least eight total characters

Don’t use words that can be found in the dictionary

Don’t use dates of significance, such as a birthday or anniversary

Use the string in an unrepeated way

An example of a good password is g0-2b8k! — this meets the minimal length and does not have any pattern. Although it may seem hard to remember, it is the only way to create a password that is more secure than abc-123, which has been used on many systems before. User accounts should also employ these password rules, but most users will want to use passwords that are easier to remember. They can do so by substituting numbers for letters. In this way, a user can create the password !pa55-w0rd, which is much more secure than !pass-word. This may not be the best way to create passwords, but it does create memorable and harder-to-break passwords.
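The five rules above, applied to the four passwords this section discusses, as an added example that is not part of the book. The word list, the date patterns and the reading of "unrepeated" (no character three times in a row, no chunk immediately repeated) are assumptions made for illustration.

```python
import re

# Constructed stand-in for a real word list such as /usr/share/dict/words.
WORDS = {"pass", "word", "password", "linux", "admin", "root"}

SPECIAL = re.compile(r"[^A-Za-z0-9]")
# Assumed date shapes: a 19xx/20xx year, or day-month-year style groups.
DATE = re.compile(r"(19|20)\d\d|\d{1,2}[-/.]\d{1,2}[-/.]\d{2,4}")
# Assumed reading of "unrepeated": no character three times in a row,
# and no chunk of two or more characters immediately repeated.
REPEAT = re.compile(r"(.)\1\1|(.{2,})\2")


def violations(pw):
    """Return the list of rules from this section that pw breaks."""
    found = []
    has_all_classes = (re.search(r"[A-Za-z]", pw)
                       and re.search(r"\d", pw)
                       and SPECIAL.search(pw))
    if not has_all_classes:
        found.append("needs letters, numbers and special characters")
    if len(pw) < 8:
        found.append("shorter than eight characters")
    # Literal lookup of each run of letters, as the rule is stated.
    tokens = re.findall(r"[a-z]{3,}", pw.lower())
    if any(t in WORDS for t in tokens):
        found.append("contains a dictionary word")
    if DATE.search(pw):
        found.append("contains a date")
    if REPEAT.search(pw):
        found.append("repeats characters")
    return found


if __name__ == "__main__":
    for candidate in ("g0-2b8k!", "abc-123", "!pass-word", "!pa55-w0rd"):
        print(candidate, violations(candidate) or "ok")
```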

Sometimes the use of password rules ends up defeating the purpose of the passwords in the first place. Be very sure to use password rules that the users can live with. If a rule is too difficult, or if the users have passwords that are difficult to remember, chances are that they will write them down. This leaves the password extremely insecure. A better method of password security is to create difficult-to-break passwords that are easy for the users to remember. For situations that require more security, you may need to seek hardware solutions to provide the level of security that you want to achieve.


Figure 4-11 illustrates the root password and the user creation screen that Red Hat Linux uses during installation; other versions of Linux use a similar GUI screen. This utility creates the root password and perhaps a few user accounts — in order to prevent running as root all the time — and uses the asterisk to hide the passwords from prying eyes. After the passwords have been created, the next screen displays the manner in which they are stored, as shown in Figure 4-12.

Figure 4-11: The Red Hat account configuration screen

Figure 4-12 shows the Enable MD5 Passwords option checked, indicating that MD5 encryption is to be used. MD5-based encryption is used to create a 128-bit “fingerprint” of the input. It is more secure than older versions and is recommended unless you have a specific need for backward compatibility with an older encryption method. More details are available in the Request for Comments: 1321 on MD5, available at www.faqs.org/rfcs/rfc1321.html.

The next item to configure is shadow passwords, which are enabled by default and provide another layer of protection for the created passwords. Shadow passwords, or Shadow Utilities, provide more protection for the system’s authentication files by moving the encrypted passwords (normally found in /etc/passwd) to /etc/shadow, which is readable only by root. This file includes information about password aging, and prompts for passwords to be changed when they are too old. This feature is activated by default and should remain on for the added features and security that it provides for the system.
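An added example (not from the book) of auditing the two files just described: it flags accounts whose hash still sits in /etc/passwd and accounts whose password is past its maximum age. The file contents are constructed samples, and the scheme labels rely on the standard crypt formats ($1$ for MD5-crypt, a bare 13-character string for the older DES crypt).

```python
from datetime import date, timedelta

# Constructed sample data, not taken from any real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
legacy:aaQ9XkLm3bTzE:501:501::/home/legacy:/bin/bash
"""
SHADOW = """\
root:$1$Xy7abcde$0123456789abcdefghijkl:11000:0:90:7:::
alice:$1$Qw3rtyui$abcdefghijklmnopqrstuv:10900:0:60:7:::
"""

EPOCH = date(1970, 1, 1)  # shadow date fields count days from here


def scheme(field):
    """Classify the password field of a passwd or shadow entry."""
    if field in ("", "x") or field[0] in "*!":
        return "none"        # shadowed, empty or locked
    if field.startswith("$1$"):
        return "md5-crypt"   # what "Enable MD5 Passwords" produces
    if len(field) == 13 and "$" not in field:
        return "des-crypt"   # the older, backward-compatible format
    return "other"


def audit(passwd_text, shadow_text, today):
    """Return (account, finding) pairs for both files."""
    findings = []
    for line in passwd_text.splitlines():
        name, pw = line.split(":")[:2]
        kind = scheme(pw)
        if kind != "none":   # hash is readable by every local user
            findings.append((name, "hash in /etc/passwd: " + kind))
    for line in shadow_text.splitlines():
        f = line.split(":")
        name, pw, lastchg, maxdays = f[0], f[1], f[2], f[4]
        if scheme(pw) == "none" or not lastchg or not maxdays:
            continue         # no password set or no aging configured
        due = EPOCH + timedelta(days=int(lastchg) + int(maxdays))
        if due < today:
            findings.append((name, "past maximum age since " + due.isoformat()))
    return findings


if __name__ == "__main__":
    for account, finding in audit(PASSWD, SHADOW, date(2000, 3, 1)):
        print(account, "-", finding)
```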

Figure 4-12: The Red Hat authentication configuration screen

Network Information Service (NIS) is used to log onto a UNIX- or Linux-created domain. NIS is used for support of NFS and controls access to network shares. This does not improve system security, but can be used to improve network security.

Lightweight Directory Access Protocol (LDAP) is a protocol for accessing online directory services and provides directory services in intranet or extranet systems. It can be used to control access to resources on the network in a way similar to NIS, or even DNS.

Kerberos is an authentication method that uses strong encryption. It is used as a network authentication protocol and uses secret-key cryptography to provide the strong encryption. It is used in the client/server environment to provide clients a
