
Chapter 7 Configuring Networking 245

TFTP

The commands used to transfer files between hosts with the Trivial File Transfer Protocol (TFTP) are tftp and utftp. TFTP runs over UDP, so it is the “best effort delivery” way of downloading files. It does not provide all the tools of FTP, but it does provide the following switches and commands:

ascii
binary
connect
get
mode
put
quit
-w or -p          Writes
-r or -g or -o    Reads

A tftp command may look like this:

tftp server1

SNMP

The Simple Network Management Protocol (SNMP) is used to perform network management and to monitor network devices and their functions. Each device or client system running SNMP contains an information database holding specific hardware, software, and diagnostic information that can be relayed to an inquiring host. The service that runs SNMP on your Linux system is snmpd.

The full topic of SNMP is out of the scope of this book, but for the exam, know the purpose of the protocol.

Remote Access

3.15 Configure access rights (e.g., rlogin NIS, FTP, TFTP, SSH, Telnet)

One of the primary uses of Linux is to provide remote access to devices and other systems. A variety of utilities provide remote access; the most common are rlogin, telnet, and SSH. These utilities allow a user on one system to connect to a remote system and perform tasks as if they were physically located at the remote system. These programs must be active on both the local and remote system, which requires a daemon to be running on the server host side. This daemon may be started manually for one-time access or at boot-up to provide remote access on a continual basis. You should realize that providing remote access to a system increases the risk of unauthorized access to that system. To reduce the risk of unsecured remote access, I recommend that you use the most secure access methods as often as possible.

Rlogin

Remote login (rlogin) is a utility that allows an authorized user to log in to other Linux or UNIX machines on a network and perform tasks as if the user were physically located at the remote (often called the host) computer. The rlogin program takes the terminal type description from the local system and uses it on the remote system. For security, rlogin uses the rhosts authorization method, which relies on the combination of the hosts.equiv and .rhosts files to authenticate users. These files list the hosts and users that the local system (the system being accessed) allows to connect via rlogin and SSH. Each entry uses the format hostname [username]. The hostname field may hold an FQDN or address, +@netgroup, or the + wildcard, which allows all hosts. The username field may hold a user name on the remote system, +@netgroup, or the + wildcard, which allows all users, or it may be left empty. To create a connection to a system with rlogin, use the command switches in Table 7-5.

Table 7-5
rlogin Client Switches

Switch    Description and example
-D        This enables socket debugging on the TCP sockets used for communication.
          Example: -D
-E        Used to stop any character from being recognized as an escape character.
          Example: -E
-e        Used to specify the character to be used as the escape character.
          Example: -e character
-l        Used to specify an alternate user name for the remote login.
          Example: -l username
-t        Used to change from the default terminal type, ansi, and use the only other available
          terminal type, dumb.
          Example: -t dumb or ansi
-8        The -8 option allows an eight-bit input data path at all times.
          Example: -8
-K        This turns off all Kerberos authentication if available.
          Example: -K
-L        Used to allow the rlogin session to be run in litout mode; see tty(4) for more information.
          Example: -L
-k        This requests rlogin to obtain tickets for the remote host in realm realm instead of the
          remote host's realm as determined by krb_realmofhost.
          Example: -k
-x        The -x option turns on DES encryption for all data passed via the rlogin session.
          Example: -x

The rlogin command is of little use without the server-side service running on the remote system. To provide this feature, rlogin requires the rlogind daemon, which is the server for rlogin and performs the authentication for connections. The server checks the remote system's source TCP port, and if it isn't in the range 512-1023, the server aborts the connection. Then the server checks the remote system's source address and hostname. After this is completed, authentication takes place. The rlogind daemon is usually located at /usr/sbin/rlogind and is normally started by inetd; in fact, rlogind is started by inetd by default. The inetd daemon listens for connections on the Internet sockets listed in /etc/inetd.conf and initiates the appropriate daemon.

The rlogin command and rlogind daemon are used to provide remote access to a system; however, they have some security issues, as some earlier versions allowed root access by mistake. Also, rlogin can only be used to connect UNIX, UNIX-like, and Microsoft systems.
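The hosts.equiv and .rhosts format described above lends itself to a simple audit: any entry whose host or user field is the + wildcard or a +@netgroup extends trust beyond one named host or user. The following is an added example, not code from the book; the sample file content is constructed, and treating lines that start with # as comments is an assumption.

```python
# Added example (not from the book): audit the rhosts-style trust files described
# above, /etc/hosts.equiv and ~/.rhosts. Entry format: "hostname [username]", where
# hostname is an FQDN/address, +@netgroup or the + wildcard, and the optional username
# is a user name, +@netgroup or +. Lines starting with # are skipped (an assumption).
from typing import List, Optional, Tuple

Entry = Tuple[int, str, Optional[str]]   # (line number, host field, user field or None)


def parse_rhosts(text: str) -> List[Entry]:
    """Parse hosts.equiv/.rhosts content into one entry per non-empty line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        entries.append((n, fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def audit_rhosts(text: str) -> List[str]:
    """Return one finding per entry that extends trust beyond one named host or user."""
    findings = []
    for n, host, user in parse_rhosts(text):
        if host == "+":
            findings.append(f"line {n}: host '+' trusts every host")
        elif host.startswith("+@"):
            findings.append(f"line {n}: trusts every host in netgroup {host[2:]}")
        if user == "+":
            findings.append(f"line {n}: user '+' lets any user from {host} log in")
        elif user and user.startswith("+@"):
            findings.append(f"line {n}: trusts every user in netgroup {user[2:]}")
    return findings


# Constructed sample content; hosts and names are not from any real system.
SAMPLE = """\
# hosts.equiv (constructed)
server1.example.com
server2.example.com alice
+@admins
+ +
"""

if __name__ == "__main__":
    for finding in audit_rhosts(SAMPLE):
        print(finding)
```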

Telnet

Telnet is used to communicate with another host by using the Telnet protocol. Telnet provides a standard method for terminal devices and terminal-oriented processes to interface. Telnet is commonly used for terminal emulation to connect to remote systems, which allows connections to routers, switches, hubs, and printers. However, telnet can also be used for terminal-to-terminal communication.

To telnet to a host, server1 for example, simply enter the command:

telnet server1

You will then connect, and the remote system should display a login prompt for you to authenticate with it.

Telnet requires the telnetd daemon on the remote system to accept connections. The telnetd daemon is started by inetd by default, but telnetd must be enabled in the /etc/inetd.conf file. The inetd daemon listens for telnet connections on port 23. When one is detected, inetd activates the telnetd daemon and passes the traffic on to it.


Telnet can be used to provide remote access to many systems, but it is less secure because telnet sends passwords as clear text.

OpenSSH

The OpenSSH suite includes the secure shell (SSH) program, which replaces rlogin and telnet. The suite also has secure copy (scp), which replaces rcp, and sftp, which replaces ftp. Also included is sshd, which is the server side of the package, and other basic utilities such as ssh-add, ssh-agent, ssh-keygen, and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. OpenSSH is available at www.openssh.com and is a free version of SSH. The following distributions currently support OpenSSH:

OpenBSD
Debian Linux
FreeBSD
Suse Linux
Redhat Linux
Mandrake Linux
BSDi BSD/OS
NetBSD
Computone
Conectiva Linux
Slackware Linux
Stallion
Cygwin
e-smith server and gateway
Engarde Linux

SSH obtains configuration data from the following sources (in this order):

1. Command-line options
2. User's configuration file ($HOME/.ssh/config)
3. System-wide configuration file (/etc/ssh_config)

For each parameter, the first value obtained is used. The SSH client provides connectivity to remote systems and uses the switches shown in Table 7-6.

Table 7-6
SSH Switches

Switches                Description
-a                      Disables forwarding of the authentication agent connection.
-A                      Enables forwarding of the authentication agent connection.
-b bind_address         Specifies the interface to transmit from on machines with multiple
                        interfaces or alias addresses.
-c blowfish|3des        Selects the cipher to use for encrypting the session. 3des is used by
                        default. It is believed to be secure and is presumably more secure than
                        the des cipher.
-c cipher_spec          For protocol version 2, a comma-separated list of ciphers can be
                        specified in order of preference.
-e ch|^ch|none          Sets the escape character for sessions with a pty.
-f                      Requests ssh to go to the background just before command execution.
                        This is useful if ssh is going to ask for passwords or pass-phrases,
                        but the user wants it in the background.
-g                      Allows remote hosts to connect to local forwarded ports.
-i identity_file        Selects the file from which the identity (private key) for RSA or DSA
                        authentication is read. Default is $HOME/.ssh/identity in the user's
                        home directory.
-k                      Disables forwarding of Kerberos tickets and AFS tokens.
-l login_name           Specifies the user to log in as on the remote machine.
-m mac_spec             For protocol version 2, a comma-separated list of MAC (message
                        authentication code) algorithms can be specified in order of preference.
-n                      This must be used when ssh is run in the background. A common trick is
                        to use this to run X11 programs on a remote machine.
-N                      Do not execute a remote command.
-o option               Can be used to give options in the format used in the config file. This
                        is useful for specifying options for which there is no separate
                        command-line flag.
-p port                 Port to connect to on the remote host.
-P                      Use a non-privileged port for outgoing connections. This can be used if
                        your firewall does not permit connections from privileged ports.
-q                      Quiet mode. Causes all warning and diagnostic messages to be suppressed.
                        Only fatal errors are displayed.
-s                      May be used to request invocation of a subsystem on the remote system.
-t                      Force pseudo-tty allocation. This can be used to execute arbitrary
                        screen-based programs on a remote machine, which can be very useful
                        when implementing menu services.
-T                      Disable pseudo-tty allocation.
-v                      Verbose mode. Causes ssh to print debugging messages about its progress.
-x                      Disables X11 forwarding.
-X                      Enables X11 forwarding.
-C                      Requests compression of all data (including stdin, stdout, stderr, and
                        data for forwarded X11 and TCP/IP connections).
-t                      Multiple -t options force tty allocation, even if ssh has no local tty.
-L port:host:hostport   Specifies that the given port on the local host is to be forwarded to
                        the given host and port on the remote side.
-R port:host:hostport   Specifies that the given port on the remote host is to be forwarded to
                        the given host and port on the local side.
-1                      Forces ssh to try protocol version 1 only.
-2                      Forces ssh to try protocol version 2 only.
-4                      Forces ssh to use IPv4 addresses only.
-6                      Forces ssh to use IPv6 addresses only.

A standard SSH command may appear as follows:

ssh [-l login_name] [hostname | user@hostname] [command]
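The precedence rule stated before Table 7-6 (command line, then $HOME/.ssh/config, then /etc/ssh_config, first value wins) decides which settings an ssh invocation actually runs with, which matters when a per-user file quietly overrides a hardened system-wide one. The following is an added example, not code from the book or from OpenSSH: it models that merge over flat "Keyword value" lines and -o options only, the flag-to-keyword mapping and both sample configuration files are constructed assumptions.

```python
# Added example (not from the book or OpenSSH). Resolves effective ssh client settings
# in the order the text gives: command line, then $HOME/.ssh/config, then /etc/ssh_config;
# the first value found wins. Only flat "Keyword value" lines are modelled (no Host blocks).
from typing import Dict, List

FLAG_KEYWORDS = {"-p": "port", "-l": "user", "-i": "identityfile", "-c": "ciphers"}  # assumed map


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines; within one file the first occurrence wins too."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            options.setdefault(key.lower(), value.strip())
    return options


def parse_cli(argv: List[str]) -> Dict[str, str]:
    """Collect '-o Keyword=value' (config-file syntax) and the flags in FLAG_KEYWORDS."""
    options: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        if argv[i] == "-o":
            key, _, value = argv[i + 1].replace("=", " ", 1).partition(" ")
            options.setdefault(key.lower(), value.strip())
            i += 2
        elif argv[i] in FLAG_KEYWORDS:
            options.setdefault(FLAG_KEYWORDS[argv[i]], argv[i + 1])
            i += 2
        else:
            i += 1          # hostname, command, or a flag with no keyword equivalent
    return options


def effective_options(argv: List[str], user_cfg: str, system_cfg: str) -> Dict[str, str]:
    """Merge the three sources in precedence order; setdefault keeps the first value."""
    effective: Dict[str, str] = {}
    for source in (parse_cli(argv), parse_config(user_cfg), parse_config(system_cfg)):
        for key, value in source.items():
            effective.setdefault(key, value)
    return effective


USER_CFG = "Port 2222\nForwardX11 yes\n"   # constructed sample, not from a real system
SYSTEM_CFG = "Port 22\nForwardX11 no\nCiphers 3des\nIdentityFile ~/.ssh/identity\n"
ARGV = ["-l", "alice", "-o", "Ciphers=blowfish", "server1"]

if __name__ == "__main__":
    print(effective_options(ARGV, USER_CFG, SYSTEM_CFG))
```

Run as-is, the user file's Port and ForwardX11 override the system-wide values while the command line wins for Ciphers.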

SSH requires the sshd daemon on the remote system to accept connections. It is normally started at boot from /etc/rc and supports two protocol versions that provide varying levels of security.

SSH protocol version 1: Each host has a host-specific RSA key (normally 1024 bits) used to identify the host. Additionally, when the daemon starts, it generates a server RSA key (normally 768 bits). This key is normally regenerated every hour if it has been used, and is never stored on disk.
