Advanced UNIX System Administration

  • Draft 1.0.0
    Date: 10th August 2007
    Author: jboland@sco.com
    Duration: up to 4 hours, depending on what exactly you want to demo.
    Requirements: an installed OpenServer 6.0.0 system with 2 NICs, an installed OpenServer 6.0.0 system with a single NIC, and a Windows XP system with PuTTY/Anzio to demo ssh and VPN connections.
  • Describe the objectives of the session.
  • Note that IP Filters is just a brief one-slide description of what this feature can do.
  • This slide and the following 4 call out the major differences seen relating to networking during install for someone who is familiar with OpenServer 5.0.7. Stress the last point about OpenServer 6 only listing NICs if one of the nd drivers has detected the card. This leads some 5.0.7 admins to think that the supported NIC set on OpenServer 6 is poor, when this is obviously not the case.
  • This is a screenshot of the 5.0.7 ISL Network Package selection. Note that IPX, SCO Gateway for Netware and Lan Manager Client are in 5.0.7 but not in OpenServer 6.
  • This is the OpenServer 6.0.0 Connectivity package selection screen. Note that Samba, PPP and Kerberos have been added.
  • This is the OpenServer 5.0.7 ISL NIC Selection screen. Note that this ISL allows you to choose a driver for a card that may not be present in the OS.
  • This is the OpenServer 6.0.0 ISL NIC Selection screen that is displayed if and ONLY if the ISL has failed to detect a PCI NIC. All the NICs in the list are old ISA cards that cannot be autodetected.
  • This slide shows the “old” OpenServer 5.0.7 Network Configuration Manager. Differences are discussed on the next slide.
  • This is a list of the major differences of the OpenServer 6 Network Configuration Manager. Stress that one of the big (non) issues that OpenServer 5.x customers have is that they believe NIC support in OpenServer 6 is poor because of the list of cards displayed when it cannot auto-detect. Explain that this is because OpenServer 6 will only list drivers for old ISA cards if it cannot auto-detect a PCI NIC on the system. Note also that no relink or reboot is required, as NIC drivers are dynamically loadable. WAN configuration is no longer GUI based. There is only one PPP in OpenServer 6 and that is Morning Star PPP. For configuration info see: http://osr600doc.sco.com/en/man/html.MST_PPP/contents.MST_PPP.html and TA 126827 “What implementation of PPP is shipped with OpenServer 6.0.0 and how can I configure it?”. NIC failover support is discussed in more detail on Slide 24.
  • Say that if the Board ID of the NIC is changed by the vendor then netconfig will not autodetect the card. It may be possible in such cases to hand edit the bcfg file to add the Board ID of the NIC and retry netconfig.
    DEMO:
    cd /etc/inst/nd/mdi and list the drivers
    pkginfo -l nd
    To find the driver used for net0:
    resmgr | grep net0
    resmgr | grep “<board id of net0>”
    To see what bcfg file maps to the driver use:
    cd /etc/inst/nd/mdi/<driver_name>
    grep <board id> *.bcfg
  • This is a feature new to OpenServer 5 customers. Note that load balancing is not currently supported. Note also that it is not a good idea to implement a primary and backup on a dual port NIC.
    DEMO:
    Verify that the driver you are using supports FAILOVER
    On a server with two NICs run ndstat to show the MAC addresses of net0 and net1
    Failover using netconfig
    Run ndstat again and show how the MAC address has changed
    Show using GUI netconfig that the primary has been marked as failed
    Run ifconfig -a to show the MAC of net0
    Use nd failback net0
  • It can be quite difficult to debug issues with netconfig(ADM) as it uses vtcl, tcl, ndcfg and tcp at different levels. You can turn on tracing as described in this slide but the logs can be difficult to read. I usually try to compare a working log with a broken one to see what's different. Also recommend TA 110131 which has tips on troubleshooting NIC configuration on OpenServer 6.
    DEMO:
    Edit /usr/lib/netcfg/bin/ncfgUI and show how to turn on debug
  • The following 10 slides describe how networking is started on OpenServer 6.0.0. All network start-up is initiated from init(M). Early on during system initialisation (sysinit) kernel sockets are initialised by the initsock utility. initsock reads netconfig(SFF) to initialize the in-kernel socket system's mapping of socket families, types and protocols to device files. slink(ADMN) is used to configure STREAMS. The loopback interface is also initialised early on for other services that may require it. Autopush loads some STREAMS modules. bcheckrc(ADM) will start syslogd(ADM) as well as doing many other things not relevant to this discussion. Don’t modify any of this; it is useful to know when things go wrong.
    DEMO:
    Open up /etc/inittab and discuss the entries
  • The real “meat” of network start-up on OpenServer 6.0.0 is performed by the three entries above and they are discussed in more detail on the following slides.
    DEMO:
    Discuss the entries using vi on /etc/inittab on one of the demo servers.
  • nd(ADM) is used to link configured NICs into the networking stack at start-up. It is also updated by netconfig(ADM) when adding, modifying or removing NICs from the server, but how this is done is beyond the scope of this course.
  • Never under any circumstances try to manually modify /etc/nd as it may result in corruption of the networking stacks and cause netconfig(ADM) to fail. All modifications should be performed using netconfig(ADM). The only exception is if you want to debug an issue with starting or stopping nd.
    DEMO:
    1) vi /etc/nd and show the #cmdtrace entries
    2) Uncomment and show the log that is generated when you stop tcp and then nd (NOTE: this needs to be done on the console)
    3) Recomment the entry before continuing
    4) Run ndstat -i to show entries with nd stopped and started on the console
  • tcp(ADM) is called in two places, once at sysinit by init(M) and once by rc2(ADM) when the system goes multi-user. This slide describes what tcp does at sysinit. Note that /etc/default/tcp is created using the info provided at ISL (domain, gateway etc).
    DEMO:
    cat /etc/default/tcp
    cat /etc/inet/inet.dfl to show TCP kernel params
    netstat -i to show interfaces
    ifconfig -a to show interfaces
    vi /etc/tcp and show what is happening in the script
  • This slide attempts to give a high level view of what networking services are started when you go into single user mode on OpenServer 6.
  • This slide describes what tcp(ADM) additionally does when started by rc2(ADM) when going into multi-user mode. Suggest to the audience that if they don’t need snmp(ADMN) they might want to edit /etc/tcp to stop it from starting by default.
  • When run on going multi-user, tcp issues the familiar messages:
    add net default: gateway xxx.xxx.xxx.xxx
    Starting TCP services: prngd inetd snmpd sshd
    Note that netconfig(ADM) uses tcp stop when modifying TCP configuration or when adding, modifying or deleting NICs. In the unlikely event that there are start-up issues with the tcp script you can debug with a set -x.
    DEMO:
    tcp stop and show that existing connections are not stopped
    Run ifconfig -a
    Show how tcp shutdown does stop all connections
    Run ifconfig -a
  • When the system goes from single user to multi-user mode the rc2(ADM) script is invoked by init(M) to start a number of services including the networking services listed above. Note that these are the services started by a traditional install. These may vary for Improved and High Security. Demo how a service can be disabled by moving it to a name with a lower case start letter. The following two slides describe these services started by rc2 in a little more detail.
    DEMO:
    Show the rc2 entry in /etc/inittab
    vi the /etc/rc2 script and show how it trawls /etc/rc2.d
    vi the log file /usr/adm/rc2.log
    Demo stopping NFS using mv /etc/rc2.d/S87nfs /etc/rc2.d/s87nfs
    shutdown -y -g0 -i6
  • First of two slides describing the network services scripts called by rc2. Note that NIS is dependent on NFS and NFS is dependent on RPC.
  • Mention that even though Samba is not configured, nmbd and smbd are started by default. They can be disabled using mkdev samba, which removes the entries from /etc/rc2.d. You will need to reboot to stop the existing daemons.
    DEMO:
    ls -x /etc/rc2.d/*mbd
    mkdev samba and select deactivate
    ls -x /etc/rc2.d/*mbd
    NOTE: deactivate does not stop SWAT (http://localhost:901). To disable swat see the inetd.conf file.
  • inetd(ADMN) is involved in the starting of many services like telnet, ftp, rlogin etc (but interestingly not ssh). The services started are listed in /etc/inetd.conf and inetd will read /etc/services and /etc/protocol to match the name of the service with aliases, ports and protocol. The next slide describes in more detail the services started by inetd.
    DEMO:
    Show where inetd is started in /etc/tcp
    vi /etc/inetd.conf
    vi /etc/services and /etc/protocol
  • This slide lists the services served by default on a traditional install. The slide also describes how to disable a service by commenting it out of /etc/inetd.conf.
    DEMO:
    vi /etc/inetd.conf
    Comment out one of the telnetd services
    Establish a telnet connection to the server
    cat /etc/inetd.pid
    kill -1 the pid of inetd
    Try to make a new connection to the box via telnet and it will fail, but note that existing connections continue to function
  • This slide and the next one describe the additional networking services that are started when a system goes from single user to multi-user mode.
  • Describe what tcpd is. Explain that they are called tcpwrappers because they wrap around services like rlogind, telnetd etc to give an additional layer of protection.
    DEMO:
    vi /etc/inetd.conf
    Comment out the /etc/telnetd telnetd service
    Uncomment the /etc/tcpd telnetd service
    Save the file
    cat /etc/inetd.pid
    kill -1 the pid of inetd
    In a window do a tail -f on /usr/adm/syslog
    Telnet into the server and you should see a login notification as generated by tcpd
  • Describe how access control is implemented using the hosts.allow and hosts.deny files. Tcpd will always check hosts.allow before hosts.deny and will allow access if a match is made in hosts.allow even though hosts.deny may have an entry of ALL:ALL
  • Pattern matching is described in the hosts_access(SFF) man page. The following slide provides some simple examples and demos
  • The following demo assumes that telnetd is running with a tcp wrapper:
    DEMO:
    vi /etc/hosts.deny and add the line ALL:ALL
    Try to telnet into the server from a client and see that you are prevented from doing so
    Try the following lines in /etc/hosts.allow:
    telnetd: ALL@192.168.1.13
    telnetd: 192.168.1.0/255.255.255.0
    telnetd: .sco.com
    telnetd: .sco.com DENY
    Touch the file /var/log/tcp.access.log
    Add the entry telnetd: ALL : spawn (echo Attempt from %h %a to %d at `date` | tee -a /var/log/tcp.access.log | mail root)
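The hosts.allow/hosts.deny evaluation order the three notes above describe, as an added example (not part of the original notes and not OpenServer or tcp_wrappers code): a Python model of tcpd's decision for a daemon/client pair, run over a constructed pair of rule files based on the demo lines. It assumes the hosts_options(5) syntax for the `: deny` and `: spawn` fields and skips the identd lookup that real tcpd does for the user part of `user@host` patterns, so only `ALL@` can match.

```python
"""Model of tcpd's hosts_access decision: hosts.allow first, then hosts.deny,
then allow by default.  Added example; not OpenServer or tcp_wrappers code."""
import ipaddress

# Constructed sample files modelled on the slide demo: hosts.deny closes everything,
# hosts.allow reopens telnetd for specific clients and logs the .sco.com ones.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
telnetd: ALL@192.168.1.13
telnetd: 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.99
telnetd: .sco.com : spawn (echo Attempt from %h %a to %d at `date` | tee -a /var/log/tcp.access.log | mail root)
ftpd: ALL : deny
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option ...]' lines into tuples.
    Options are split on ':' as well, so (as hosts_options(5) requires) a literal
    colon inside a spawn command would have to be backslash-escaped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        rules.append((fields[0].split(), fields[1].split(), fields[2:]))
    return rules


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _client_matches(pattern, host, addr):
    """Match one client pattern against the connecting host name and address."""
    if "@" in pattern:                      # user@host: real tcpd asks identd for the user
        user_pat, pattern = pattern.split("@", 1)
        if user_pat != "ALL":
            return False                    # no identd in this model, so only ALL@ can match
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                  # any host name without a dot
        return "." not in host
    if pattern.startswith("."):             # domain suffix, e.g. .sco.com
        return host.endswith(pattern)
    if pattern.endswith("."):               # address prefix, e.g. 192.168.
        return addr.startswith(pattern)
    if "/" in pattern:                      # net/mask, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        try:
            network = ipaddress.IPv4Network((net, mask), strict=False)
            return ipaddress.IPv4Address(addr) in network
        except ValueError:
            return False
    return pattern == host or pattern == addr


def _list_matches(patterns, match_one):
    """Evaluate 'list_1 EXCEPT list_2' as hosts_access(5) defines it."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return (_list_matches(patterns[:i], match_one)
                and not _list_matches(patterns[i + 1:], match_one))
    return any(match_one(p) for p in patterns)


def check_access(allow_text, deny_text, daemon, host, addr):
    """Return (verdict, source, options) for a daemon/client pair in tcpd's order."""
    def matches(rule):
        daemons, clients, _ = rule
        return (_list_matches(daemons, lambda p: _daemon_matches(p, daemon))
                and _list_matches(clients, lambda p: _client_matches(p, host, addr)))

    for rule in parse_rules(allow_text):      # first match in hosts.allow wins ...
        if matches(rule):
            keywords = [o.lower() for o in rule[2]]
            return ("deny" if "deny" in keywords else "allow"), "hosts.allow", rule[2]
    for rule in parse_rules(deny_text):       # ... then first match in hosts.deny ...
        if matches(rule):
            keywords = [o.lower() for o in rule[2]]
            return ("allow" if "allow" in keywords else "deny"), "hosts.deny", rule[2]
    return "allow", "default", []             # ... and an unmatched pair is allowed


def expand_spawn(options, daemon, host, addr):
    """Expand %h (host), %a (address) and %d (daemon) in a spawn option, as tcpd
    does before handing the command to /bin/sh.  None if there is no spawn option."""
    for opt in options:
        if opt.lower().startswith("spawn"):
            cmd = opt[len("spawn"):].strip()
            return cmd.replace("%h", host).replace("%a", addr).replace("%d", daemon)
    return None
```

Because hosts.allow is consulted first, the `ALL: ALL` in hosts.deny never applies to a client that matches an allow line, which is exactly why the `EXCEPT` and `: deny` forms exist for carving exceptions out of an allow rule.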
  • This section of the session is a basic introduction to some of the features of ssh. This package is installed by default when you install OpenServer 6.0.0. We will do the demos with ssh but what we do also applies to sftp and scp.
  • When an ssh client connects to a server the server will first try to authenticate using host based authentication. If this fails it will try using RSA/DSA authentication and if this fails it will fall back to using a user name and password. SSH1 is not considered as secure as ssh2 and should be avoided as it is prone to man in the middle (aka insertion) attacks. RSA is also considered more secure than DSA and should be used wherever possible. ssh is also known as slogin(1).
    DEMO:
    Do an ssh from one server or from a Windows PC to the server to demo a keyboard username and password authentication. Might also demo with the -v debug option to see what is going on in the background.
  • This slide describes how to set up Windows to OpenServer 6 RSA authentication.
    DEMO:
    1) Generate your public and private keys (if you don’t already have one) on the PC using a key generator like PuTTY Key Generator
    2) Login to your OpenServer 6.0.0 system and mkdir $HOME/.ssh (if it does not already exist); chmod 700 $HOME/.ssh
    3) Create $HOME/.ssh/authorized_keys and paste the public key from the PC into this file
    4) On the PC modify the SSH configuration to use the private key that was generated in 1) above
    NOTE: You could also generate the key on OpenServer 6 but it makes it a little trickier getting it onto the Windows PC.
  • DEMO:
    Generate your public and private keys (if you don’t already have one) on the client using ssh-keygen -t rsa
    Login to your OpenServer 6.0.0 ssh server and mkdir $HOME/.ssh (if it does not already exist); chmod 700 $HOME/.ssh
    Create $HOME/.ssh/authorized_keys and paste the public key from the client into this file
    From the client box do: ssh <server_name> or ssh <user>@<server_name>
    NOTE: Make sure when you paste the key that it’s a single line and not broken into multiple lines.
  • There are a number of ways to implement host based authentication and this slide and the one that follows describe just one of them.
    DEMO:
    Create $HOME/.shosts with the client machine name and user name that is going to login
    Edit /etc/ssh/sshd_config as root and change/add:
      HostbasedAuthentication yes
      IgnoreUserKnownHosts yes
      IgnoreRhosts yes
    Continue onto the next slide
  • DEMO:
    4) Restart sshd on the server side using tcp restart
    5) On the client you need to enable HostbasedAuthentication and EnableSSHKeysign in /etc/ssh/ssh_config
    6) Now use ssh to login without the need for a password from the client to the server.
  • If you are on an insecure PC, e.g. in an internet café, at SCO Forum etc, and you want to be able to access servers inside your intranet in a safe and secure fashion then dynamic port forwarding can be used to give you that secure access. Discuss the fact that ssh with dynamic port forwarding can be used to create a SOCKS proxy server that is in effect a secure “tunnel” between the SOCKS proxy and the secure server you are connected to. It’s a poor man’s VPN and can be useful in situations where you have no other alternatives. Note also that this will impact performance as all SOCKS traffic goes through the tunnel.
  • This slide describes how to set up the SOCKS proxy using the -D option to ssh. 1080 is the port on which the server will run but this could be any unused port. Note that you need to be root to use reserved ports like 1080. The slide also describes how to configure Mozilla to use the SOCKS proxy to connect via the tunnel to systems behind the remote secure server.
    DEMO:
    To open a dynamic port to the OpenServer 6 box run:
    ssh -D 1080 jboland@yoursshserver.xxx.com
    To prove that you can use the proxy, run Mozilla, configure it to use a SOCKS proxy and then try to access a system on your intranet.
  • This slide describes how to set up a SOCKS proxy server using PuTTY.
    DEMO:
    Launch PuTTY and show how to set up the SOCKS proxy to the port set up in the last slide.
  • This slide describes how to configure Firefox to use SOCKS. For Explorer use: Tools -> Internet Options -> Connections -> LAN Settings, check “Use a proxy server for your LAN” and then click Advanced to specify the SOCKS proxy.
    DEMO:
    Demo the configuration of Firefox (and Explorer if you have time)
    Prove that it’s working by attempting to access a URL on the intranet
  • This slide describes how to configure PuTTY to use SOCKS when trying to access a specified host.
    DEMO:
    Demo the configuration of PuTTY
    Prove that it’s working by attempting to access an IP on your intranet
    Show that without SOCKS you cannot access this IP address
  • Briefly describe what IPsec is.
  • Explain some of the terminology behind IPsec. Note that the SCO doc mentions AH but this should not be used. Use ESP instead. Note that routers between hosts and networks will need to pass ESP packets for IPsec to function.
  • It may be worth having the config files “staged” on the servers to avoid having to load them each time for the demo.
    DEMO:
    Demo enabling IPsec on the two servers in the classroom
    Reboot the servers once the change has been made
  • Describe briefly what these entries do. Note that you may want to have this file pre-staged on both demo servers.
    DEMO:
    Create the file above on sysa, replacing <sysa ip> with the IP address of the server. (Note: use IP addresses to make sure that DNS failures don’t “break” the configuration.)
  • Note that the only change between the files on sysa and sysb is the change of in to out and out to in on the two spadd lines.
    DEMO:
    Add this file to sysb.
  • DEMO:
    Run ipseckey on sysa (Note that you may want to run a tcpdump once you have done this to show a session between sysa and sysb)
    Run ipseckey on sysb
    Run a tcpdump to look at the traffic between the servers. It should all be of type ESP.
    Run netstat to show ipsec stats
    Demo removal of SAD (-F) and SPD (-FP)
  • Describe why you should use racoon.
  • DEMO:
    Configure psk.txt on sysa and sysb
    Make sure the perms on the file are 0400
    Change/create the sysa.ipsec.conf and sysb.ipsec.conf
  • DEMO:
    Create this file on sysa and sysb
    Note that this file is continued on the next slide
  • Note that the perms on /usr/sbin/racoon are wrong on OpenServer. Note also that the log debug ; option does not seem to work.
    DEMO:
    Do a tail -f /var/adm/syslog
    Start racoon and show attendees what is written to syslog on sysa and sysb
    Load in the SPD info using ipseckey
    Use tcpdump host sysa and sysb to show the traffic
    Do an ssh or rlogin between sysa and sysb to show that the traffic is encrypted
    Show also that syslog has a key generated entry
  • Note that stopping racoon requires not only that you kill -9 the process but that you also rm the /tmp/.racoon file. Note also that the log debug ; option does not seem to work.
    DEMO:
    Stop racoon with a kill -9
    Try to restart without removing the /tmp/.racoon file
  • There is no time to cover this topic but it should be mentioned for completeness.
  • Summarise what has been covered in the session.

    1. OpenServer 6 Networking for OpenServer 5 Administrators
       John Boland, SCO Support
    2. Session Objectives
       • At the end of this session you should:
         • Understand the ISL differences between OpenServer 6 and OpenServer 5 relating to networking
         • Be aware of how OpenServer 6 networking starts on system boot
         • Know how to enable tcp wrappers on inetd services
         • Understand how netconfig(ADM) differs between OpenServer 6 and OpenServer 5
         • Know how to configure and use ssh(1)
         • Be able to configure a simple VPN using IPsec
    3. Session Topics
       • The following topics will be covered:
         • OpenServer 6 Installation
         • Network Configuration Manager differences
         • OpenServer 6 Network Start-up
         • Configured Network Services on OpenServer 6
         • tcpd(ADM) aka Tcpwrappers
         • OpenServer 6 and OpenSSH
         • Using IPSec to implement a VPN
         • IP Filters Brief Overview
    4. OpenServer 6 Installation
       • OpenServer 6.0.0 ISL Networking Differences:
         • Samba, PPP and Kerberos installed at ISL
         • IPX/SPX, SCO Gateway for Netware and Lan Manager Client packages obsolete
         • DHCP client configuration at ISL
         • Only drivers for detected Network Cards (NICs) are displayed at ISL
           • Manual list only contains non-autodetectable ISA NIC cards
    5. OpenServer 6 Installation
       • OpenServer 5 Connectivity Package Selection [screenshot]
    6. OpenServer 6 Installation
       • OpenServer 6 Connectivity Package Selection [screenshot]
    7. OpenServer 6 Installation
       • Network Card Selection on OpenServer 5 [screenshot]
    8. OpenServer 6 Installation
       • Network Card Selection on OpenServer 6 [screenshot]
    9. Network Configuration Manager
       • OpenServer 5 Network Configuration Manager: [screenshot]
    10. Network Configuration Manager
       • Network Configuration Manager Differences:
         • No localhost entry
         • Removed the IPX protocol
         • NFS protocol configured by default (if installed)
         • Only auto-detected Network Cards are displayed
         • No relink and reboot required when you add a card
         • Removed WAN configuration
         • Failover support added
    11. Network Configuration Manager
       • Network Interface Card (NIC) Drivers and netconfig(ADM)
         • NIC drivers are stored under
           • /etc/inst/nd/mdi
         • Find out what nd driver package is installed using:
           • pkginfo -l nd
         • Get the latest nd driver package (8.0.6e) at:
           • http://www.sco.com/support/update/download/release.php?rid=281
         • netconfig(ADM) uses PCI Board IDs to recognise cards
         • resmgr | more
           • 18 e1008g 8 6 4 18 4400 443f fcde0000 fcdfffff - - 4 0x8086100E 0x0002 0 2 0
           • 34 net0 8 6 - - - - - - - - - 0x8086100E - - 2 -
         • grep 0x8086100E /etc/inst/nd/mdi/e1008g/*.bcfg
           • /etc/inst/nd/mdi/e1008g/e1008g_100E.bcfg:BOARD_IDS="0x8086100E"
    12. Network Configuration Manager
       • Automatic Network Failover and Backup cards
         • Must have MP2 installed
         • TA 110336: Not all NICs support failover. Check with:
           • grep "FAILOVER=true" /etc/inst/nd/mdi/<your nic driver>/*.bcfg
         • Can manually failover using netconfig(ADM)
         • Automatic failback is not currently supported
         • TA 126686: Cannot manually failback to the primary NIC using netconfig(ADM). Instead you use:
           • nd failback net0
         • Note that while some NICs failover on removal of cable, not all NICs do
    13. Network Configuration Manager
       • Debugging netconfig(ADM):
         • When you run netconfig(ADM) you are running:
           • /usr/lib/netcfg/bin/ncfgUI
         • netconfig(ADM) configuration files are held under
           • /usr/lib/netcfg
         • To trace problems uncomment:
           • #cmdtrace on [ open /tmp/ncfgUI.log a+ ]
         • netconfig(ADM) also uses ndcfg(ADM) to do NIC configuration. The ndcfg log file is found at:
           • /usr/lib/netcfg/tmp/ndcfg.log
         • TA 110131: Troubleshooting NIC Installation
    14. OpenServer 6 Network Start-up
       • /etc/inittab Network Start-up Entries
         • Initialize the socket subsystem in the kernel at sysinit
           • iks0::sysinit:/sbin/initsock -d > /dev/console 2>&1
         • Configure STREAMS at sysinit
           • sl::sysinit:/etc/slink -c /etc/strcf > /dev/console 2>&1
         • Initialise the loopback interface at sysinit
           • loop::sysinit:/usr/sbin/initialize -u lo0 > /dev/console 2>&1
         • Load STREAMS modules
           • ap1::sysinit:/sbin/autopush -f /etc/ap/sco.ap
         • Start syslogd(ADM) to log local & remote messages
           • bchk::sysinit:/sbin/bcheckrc </dev/console >/dev/console 2>&1
    15. OpenServer 6 Network Start-up
       • /etc/inittab Network Start-up Entries [contd]
         • The following entries will be described in greater detail on the slides that follow:
           • lli::sysinit:/etc/nd start < /dev/null > /dev/null 2>&1
           • tcp::sysinit:/etc/tcp start < /dev/null > /dev/null 2>&1
           • ...
           • r2:2:wait:/etc/rc2 1> /dev/console 2>&1 </dev/console
    16. OpenServer 6 Network Start-up
       • Network Adapter Driver Script nd(ADM)
         • /etc/nd is used to start and stop configured NICs
         • It starts the dlpid(ADM) daemon which links each MDI (MAC Driver Interface) driver to the common DLPI (Data Link Provider Interface)
         • The dlpi module is a bit like your OSI Data Link Layer
         • The MDI interface sits between the card and the DLPI
         • /etc/nd is started by an entry in /etc/inittab
           • lli::sysinit:/etc/nd start < /dev/null > /dev/null 2>&1
         • nd(ADM) is updated by netconfig(ADM) when adding or removing NICs
    17. OpenServer 6 Network Start-up
       • nd(ADM) [contd.]
         • Never try to update or modify /etc/nd manually
         • The nd(ADM) man page incorrectly refers to
           • /etc/rc2.d/S35dlpi and
           • /etc/rc0.d/K97dlpi being used to start and stop nd
         • Can debug issues with /etc/nd by uncommenting:
           • #cmdtrace on [ open /tmp/nd.log a+ ]
           • or
           • #cmdtrace on stderr
    18. OpenServer 6 Network Start-up
       • TCP Start/Stop Script tcp(ADMN)
         • /etc/tcp starts and stops TCP
         • When starting in single-user mode (sysinit) it will:
           • Read /etc/default/tcp to get info incl. domain and gateway
           • Call inconfig(ADM) to load default TCP kernel parameters
           • Configure network interfaces with IP addresses using
             • /usr/sbin/initialize -U
           • Start syslogd(ADM) if not already started
           • Set the default route using the gateway entry from /etc/default/tcp
           • Start the STREAMS error logging daemon, strerr(ADM)
           • Start the Pseudo Random Number Generator Daemon prngd(ADM)
    19. OpenServer 6 Networking Start-up
       • Single User Mode start-up: [diagram; nodes: init, initsock, slink, Initialize lo0, autopush, nd start, dlpid, Setup NICs, tcp start, Domain and gateway, initialize netx, route add, Setup TCP Kernel Params, strerr(ADM), prngd(ADM), syslogd]
    20. OpenServer 6 Network Start-up
       • tcp(ADMN) [contd]
         • When starting in multi-user mode (rc2) it will also:
           • Start prngd(ADM) again
           • Start inetd(ADMN), the Internet Super Server daemon
           • Start pppd(ADMN) only if MST PPP is configured (off by default)
           • Start snmpd(ADMN), the snmp agent
           • Start named(ADMN) if a nameserver is config’d (off by default)
           • Start sshd(8), the ssh daemon, and if necessary generate host keys (/etc/ssh/ssh_host*)
           • Start any daemons listed in /etc/default/tcp (off by default)
           • Start ntpd, lpd(ADMN) and aasd(ADMN) if configured (not by default)
    21. OpenServer 6 Network Start-up
       • tcp(ADMN) [contd]
         • Issues the messages:
           • add net default: gateway 192.168.248.1
           • Starting TCP services: prngd inetd snmpd sshd
         • The tcp(ADMN) man page incorrectly refers to ifconfig when it should refer to initialize
         • Existing sessions can continue to function after a
           • tcp stop
         • Existing sessions are stopped by a
           • tcp shutdown
         • Can debug the /etc/tcp shell script by adding
           • set -x
    22. OpenServer 6 Network Start-up
       • Networking services started by rc2(ADM)
         • The /etc/rc2 script is invoked by init(M):
           • r2:2:wait:/etc/rc2 1> /dev/console 2>&1 </dev/console
         • /etc/rc2 messages are logged to
           • /usr/adm/rc2.log
         • Networking services scripts called by rc2 include:
           • S85tcp
           • S86rpc
           • P86sendmail
           • S87nfs
           • S90nis
           • P90apache
           • S95docview
           • S99cups
           • S99nmbd
           • S99smbd
         • Can disable a service as follows:
           • mv /etc/rc2.d/S87nfs /etc/rc2.d/s87nfs
           • shutdown -y -g0 -i6
    23. 23. OpenServer 6 Network Start-up <ul><li>Network services started by traditional rc2(ADM) </li></ul><ul><ul><ul><li>S85tcp </li></ul></ul></ul><ul><ul><ul><ul><li>Symbolic link to /etc/tcp </li></ul></ul></ul></ul><ul><ul><ul><li>S86rpc </li></ul></ul></ul><ul><ul><ul><ul><li>Symbolic link to /etc/rpcinit </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Starts rpcbind(ADMN), rwalld(NADM) and sprayd </li></ul></ul></ul></ul><ul><ul><ul><li>P86sendmail (or MMDF equivalent) </li></ul></ul></ul><ul><ul><ul><ul><li>Starts sendmail(ADMN) </li></ul></ul></ul></ul><ul><ul><ul><li>S87nfs </li></ul></ul></ul><ul><ul><ul><ul><li>Symbolic link to /etc/nfs </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Starts exportfs(NADM), nfsd(NADM), biod(NADM), mountd(NADM), statd(1Mnfs), lockd(NADM), bootparamd(NADM) and pcnfsd(NADM) </li></ul></ul></ul></ul><ul><ul><ul><li>S90nis </li></ul></ul></ul><ul><ul><ul><ul><li>Symbolic link to /etc/nis </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Not configured or started by default </li></ul></ul></ul></ul>
    24. 24. OpenServer 6 Network Startup <ul><li>Network services started by traditional rc2(ADM) </li></ul><ul><ul><ul><li>P90apache </li></ul></ul></ul><ul><ul><ul><ul><li>Starts the apache web server on port 80 </li></ul></ul></ul></ul><ul><ul><ul><li>S95docview </li></ul></ul></ul><ul><ul><ul><ul><li>Starts the OpenServer 6 documentation server on port 8457 </li></ul></ul></ul></ul><ul><ul><ul><li>S99cups </li></ul></ul></ul><ul><ul><ul><ul><li>Starts the CUPS Print server, cupsd(8) </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Remote admin is disabled by default (See TA 126211) </li></ul></ul></ul></ul><ul><ul><ul><li>S99nmbd </li></ul></ul></ul><ul><ul><ul><ul><li>Starts the NetBIOS name service, nmbd(8) </li></ul></ul></ul></ul><ul><ul><ul><li>S99smbd </li></ul></ul></ul><ul><ul><ul><ul><li>Starts the File and Print Server daemon, smbd(8) </li></ul></ul></ul></ul>
    25. OpenServer 6 default Network Services <ul><li>Services controlled by inetd(ADMN) </li></ul><ul><ul><li>inetd is known as a Super Server: it listens on every configured port and spawns the matching daemon only when a connection arrives </li></ul></ul><ul><ul><li>inetd is started by /etc/rc2.d/S85tcp (/etc/tcp) </li></ul></ul><ul><ul><li>inetd configures the services listed in </li></ul></ul><ul><ul><ul><li>/etc/inetd.conf </li></ul></ul></ul><ul><ul><li>inetd reads /etc/services (and /etc/protocols) to get the name, aliases, port and protocol to use for each service </li></ul></ul>
    26. OpenServer 6 default Network Services <ul><li>Services controlled by inetd(ADMN) </li></ul><ul><ul><li>On a traditional install inetd configures services including: </li></ul></ul><ul><ul><ul><li>ftp stream tcp nowait root /etc/ftpd ftpd -a </li></ul></ul></ul><ul><ul><ul><li>telnet stream tcp nowait NOLUID /etc/telnetd telnetd </li></ul></ul></ul><ul><ul><ul><li>shell stream tcp nowait NOLUID /etc/rshd rshd </li></ul></ul></ul><ul><ul><ul><li>login stream tcp nowait NOLUID /etc/rlogind rlogind </li></ul></ul></ul><ul><ul><ul><li>exec stream tcp nowait NOLUID /etc/rexecd rexecd </li></ul></ul></ul><ul><ul><ul><li>pop3 stream tcp nowait root /etc/popper popper </li></ul></ul></ul><ul><ul><ul><li>imap stream tcp nowait root /etc/imapd imapd </li></ul></ul></ul><ul><ul><ul><li>swat stream tcp nowait root /usr/sbin/swat swat </li></ul></ul></ul><ul><ul><li>telnet, shell, login and exec carry passwords and whole sessions in clear text, and rshd/rlogind trust .rhosts; disable them once ssh is in use. popper and imapd also send passwords in the clear unless they are configured for TLS </li></ul></ul><ul><ul><li>Can disable a service by commenting it out </li></ul></ul><ul><ul><ul><li># telnet stream tcp nowait NOLUID /etc/telnetd telnetd </li></ul></ul></ul><ul><ul><li>And then restarting inetd with a SIGHUP </li></ul></ul><ul><ul><ul><li>kill -1 `cat /etc/inetd.pid` </li></ul></ul></ul>
    27. OpenServer 6 Networking Start-up <ul><li>Multi-User Mode start-up: </li></ul>[Diagram: rc2 invokes S85tcp, S86rpc, P86sendmail, S87nfs, S90nis, P90apache, S95docview, S99cups, S99nmbd and S99smbd; the tree also lists the daemons inetd, sshd, named, snmpd, pppd, prngd, lpd, ntpd and aasd]
    28. OpenServer 6 Networking Start-up <ul><li>Multi-User Mode start-up [contd]: </li></ul>[Diagram: inetd spawns rlogind, telnetd, ftpd, pop3, rexec, rshd, imap and swat on demand]
    29. OpenServer 6 and TCPWrappers <ul><li>tcpd(ADM) aka tcpwrappers 7.6 </li></ul><ul><ul><li>Can be used to log and control access to inetd services </li></ul></ul><ul><ul><li>inetd runs tcpd in place of the real daemon; tcpd logs the connection, checks hosts.allow/hosts.deny and only then execs the daemon named in the remaining arguments </li></ul></ul><ul><ul><li>To enable tcpwrappers on telnetd: </li></ul></ul><ul><ul><ul><li>Edit /etc/inetd.conf </li></ul></ul></ul><ul><ul><ul><li>Comment out the entry: </li></ul></ul></ul><ul><ul><ul><ul><li>telnet stream tcp nowait NOLUID /etc/telnetd telnetd </li></ul></ul></ul></ul><ul><ul><ul><li>Uncomment the entry: </li></ul></ul></ul><ul><ul><ul><ul><li># telnet stream tcp nowait NOLUID /etc/tcpd telnetd </li></ul></ul></ul></ul><ul><ul><ul><li>Save the file </li></ul></ul></ul><ul><ul><ul><li>Restart inetd using: </li></ul></ul></ul><ul><ul><ul><ul><li>kill -1 `cat /etc/inetd.pid` </li></ul></ul></ul></ul><ul><ul><li>Telnet to the server and check syslog: </li></ul></ul><ul><ul><ul><li>Jul 11 17:26:14 jrbt5 telnetd[2102]: connect from jrbhp1 </li></ul></ul></ul>
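The two inetd.conf edits of slides 26 and 29 (comment a service out, point a service at /etc/tcpd) are easy to get wrong by hand on a long file. The following is an added example, not OpenServer's or the presenter's code: it applies both edits to a constructed sample inetd.conf, reports what changed, and sends the same SIGHUP as `kill -1`. The sample file, the service sets and the pid-file path are assumptions made for the example.

```python
"""Added example (not OpenServer's own code): the two inetd.conf edits from
slides 26 and 29, applied to a constructed sample, plus the SIGHUP reload.
Field layout: service socket proto wait user server-path argv..."""
import os
import signal

# Constructed sample in inetd.conf format; not a real OpenServer 6 file.
SAMPLE_INETD_CONF = """\
# comment lines and blank lines are preserved
ftp     stream  tcp  nowait  root    /etc/ftpd      ftpd -a
telnet  stream  tcp  nowait  NOLUID  /etc/telnetd   telnetd
shell   stream  tcp  nowait  NOLUID  /etc/rshd      rshd
login   stream  tcp  nowait  NOLUID  /etc/rlogind   rlogind
exec    stream  tcp  nowait  NOLUID  /etc/rexecd    rexecd
pop3    stream  tcp  nowait  root    /etc/popper    popper
imap    stream  tcp  nowait  root    /etc/imapd     imapd
swat    stream  tcp  nowait  root    /usr/sbin/swat swat
"""

# Services whose passwords and sessions cross the wire in clear text.
CLEARTEXT = frozenset({"telnet", "shell", "login", "exec"})


def rewrite_inetd_conf(text, disable=frozenset(), wrap=frozenset(), tcpd="/etc/tcpd"):
    """Return (new_text, changes).

    disable: services to comment out (the slide-26 edit).
    wrap:    services whose server path is replaced by tcpd (the slide-29 edit);
             the argv[0] that follows stays, which is how tcpd knows which
             daemon to exec after the access check. Already-wrapped lines are
             left alone so the function is idempotent.
    """
    out, changes = [], []
    for line in text.splitlines():
        stripped = line.strip()
        fields = stripped.split()
        if not stripped or stripped.startswith("#") or len(fields) < 6:
            out.append(line)
            continue
        svc = fields[0]
        if svc in disable:
            out.append("# " + stripped)
            changes.append(("disabled", svc))
        elif svc in wrap and fields[5] != tcpd:
            fields[5] = tcpd
            out.append("\t".join(fields))
            changes.append(("wrapped", svc))
        else:
            out.append(line)
    return "\n".join(out) + "\n", changes


def active_services(text):
    """Names of services inetd would still listen for."""
    return [l.split()[0] for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def reload_inetd(pidfile="/etc/inetd.pid"):
    """The slide's kill -1 `cat /etc/inetd.pid`; returns False if there is no pid file."""
    try:
        with open(pidfile) as f:
            pid = int(f.read().strip())
    except (OSError, ValueError):
        return False
    os.kill(pid, signal.SIGHUP)
    return True


if __name__ == "__main__":
    new, changes = rewrite_inetd_conf(SAMPLE_INETD_CONF, disable=CLEARTEXT,
                                      wrap={"ftp", "pop3", "imap", "swat"})
    print(new)
    print(changes, active_services(new))
```

Run it against a copy of the real file first and diff the result; only write it back and call `reload_inetd()` once the diff shows exactly the intended lines changed. Running it twice must produce no further changes.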
    30. OpenServer 6 and TCPWrappers <ul><li>Controlling Access using tcpd(ADM) </li></ul><ul><ul><li>hosts_access(SFF) control implemented using: </li></ul></ul><ul><ul><ul><li>/etc/hosts.allow and </li></ul></ul></ul><ul><ul><ul><li>/etc/hosts.deny </li></ul></ul></ul><ul><ul><li>These files contain no rules by default </li></ul></ul><ul><ul><li>Access is controlled as follows (the first matching rule wins): </li></ul></ul><ul><ul><ul><li>Grant access if you match an entry in the /etc/hosts.allow file </li></ul></ul></ul><ul><ul><ul><li>Deny access if you match an entry in the /etc/hosts.deny file </li></ul></ul></ul><ul><ul><ul><li>Otherwise, grant access </li></ul></ul></ul>
    31. OpenServer 6 and TCPWrappers <ul><li>Controlling Access using tcpd(ADM) [contd] </li></ul><ul><ul><li>Entries in hosts.allow and hosts.deny are of the form: </li></ul></ul><ul><ul><ul><li>daemon_list : client_list </li></ul></ul></ul><ul><ul><li>daemon_list is a list of one or more daemon process names or wildcards </li></ul></ul><ul><ul><li>client_list is a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address </li></ul></ul><ul><ul><li>There are two basic options: </li></ul></ul><ul><ul><ul><li>Deny all and add entries to /etc/hosts.allow (Mostly Closed) </li></ul></ul></ul><ul><ul><ul><li>Allow all and add entries to /etc/hosts.deny (Mostly Open) </li></ul></ul></ul>
    32. OpenServer 6 and TCPWrappers <ul><li>Some hosts_access(SFF) examples: </li></ul><ul><ul><li>To deny everything not explicitly allowed (Mostly Closed), in /etc/hosts.deny add: </li></ul></ul><ul><ul><ul><li>ALL: ALL </li></ul></ul></ul><ul><ul><li>To allow everything, leave /etc/hosts.deny empty (it is the hosts.deny rules that block; an empty hosts.allow on its own allows nothing extra) </li></ul></ul><ul><ul><li>To allow exceptions in /etc/hosts.allow add: </li></ul></ul><ul><ul><ul><li>ftpd: .friendly.domain </li></ul></ul></ul><ul><ul><ul><li>telnetd: ALL@192.168.124.1 </li></ul></ul></ul><ul><ul><ul><li>rlogind: 192.168.1.0/255.255.255.0 </li></ul></ul></ul><ul><ul><li>To report on blocked access, in /etc/hosts.deny use (%a is the client address, %h its name from reverse DNS, which should not be trusted on its own, and %d the daemon name): </li></ul></ul><ul><ul><ul><li>ALL : ALL : spawn (echo Attempt from %h %a to %d at `date` | tee -a /var/log/tcp.deny.log | mail jboland@sco.com ) </li></ul></ul></ul>
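Before restarting inetd it is worth dry-running a new hosts.allow/hosts.deny pair against the clients you expect. The following is an added example, not tcpd's code: it models the hosts_access evaluation order from slides 30 to 32 (hosts.allow first, then hosts.deny, then grant) and the client patterns used on slide 32 (ALL, a leading-dot domain, a trailing-dot network prefix, net/mask, user@host). The rule files and client hosts are constructed for the example; option fields such as spawn are ignored.

```python
"""Added example (not tcpd's own code): a model of hosts_access(5) evaluation
for dry-running hosts.allow / hosts.deny rules offline."""
import ipaddress

# Constructed rule sets in the form used on slide 32.
HOSTS_ALLOW = """
ftpd: .friendly.domain
telnetd: ALL@192.168.124.1
rlogind: 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Return [(daemon_list, client_list)]; comments and option fields are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue
        rules.append((parts[0].split(), parts[1].split()))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern against the client's host name and address."""
    if "@" in pattern:            # user@host: the ident user part is not checked here
        pattern = pattern.split("@", 1)[1]
    if pattern == "ALL":
        return True
    if pattern.startswith("."):   # domain suffix, e.g. .friendly.domain
        return host.endswith(pattern)
    if pattern.endswith("."):     # network prefix, e.g. 192.168.
        return addr.startswith(pattern)
    if "/" in pattern:            # net/mask, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(
                f"{net}/{mask}", strict=False)
        except ValueError:
            return False
    return pattern in (host, addr)  # exact host name or address


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rule, daemon, host, addr):
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, host, addr) for c in clients))


def hosts_access(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return (granted, reason) in tcpd's order: allow file, deny file, default grant."""
    for rule in parse_rules(allow):
        if rule_matches(rule, daemon, host, addr):
            return True, "hosts.allow"
    for rule in parse_rules(deny):
        if rule_matches(rule, daemon, host, addr):
            return False, "hosts.deny"
    return True, "default"


if __name__ == "__main__":
    for args in (("ftpd", "box.friendly.domain", "10.0.0.5"),
                 ("telnetd", "pc2", "192.168.124.2"),
                 ("rlogind", "lan1", "192.168.1.77")):
        print(args, "->", hosts_access(*args))
```

The daemon name matched is the process name tcpd was invoked as (telnetd, ftpd, ...), so it must agree with the last fields of the inetd.conf line.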
    33. OpenServer 6 and OpenSSH <ul><li>OpenServer 6 MP2 ships with: </li></ul><ul><ul><li>OpenSSH_4.2p1 </li></ul></ul><ul><ul><li>The package provides: </li></ul></ul><ul><ul><ul><li>ssh(1) (aka slogin(1)) for secure, encrypted login and remote command execution </li></ul></ul></ul><ul><ul><ul><li>scp(1) for secure, encrypted remote copy </li></ul></ul></ul><ul><ul><ul><li>sftp(1) for secure, encrypted file transfer </li></ul></ul></ul><ul><ul><li>Can also be used for, among other things: </li></ul></ul><ul><ul><ul><li>Local Port Forwarding </li></ul></ul></ul><ul><ul><ul><li>Dynamic Port Forwarding </li></ul></ul></ul><ul><ul><ul><li>X11 Forwarding </li></ul></ul></ul>
    34. OpenServer 6 and OpenSSH <ul><li>OpenServer 6 ssh(1) Authentication: </li></ul><ul><ul><li>Host Based Authentication using </li></ul></ul><ul><ul><ul><li>/etc/ssh/shosts.equiv and/or ~/.shosts </li></ul></ul></ul><ul><ul><ul><li>/etc/ssh/ssh_known_hosts and/or ~/.ssh/known_hosts </li></ul></ul></ul><ul><ul><li>RSA/DSA Authentication using: </li></ul></ul><ul><ul><ul><li>~/.ssh/authorized_keys </li></ul></ul></ul><ul><ul><li>Keyboard username and password authentication (the default fallback) </li></ul></ul><ul><ul><li>Avoid SSH protocol 1; it is less secure than protocol 2 (set Protocol 2 in /etc/ssh/sshd_config) </li></ul></ul><ul><ul><li>Prefer RSA to DSA keys where possible </li></ul></ul>
    35. OpenServer 6 and OpenSSH <ul><li>Windows to OpenServer 6.0.0 RSA Authentication: </li></ul><ul><ul><li>Use a key generator on your Windows PC (for example PuTTYgen) to generate your public and private keys and save the keys to a directory on your PC; the public key must be in the one-line OpenSSH authorized_keys format </li></ul></ul><ul><ul><li>On the OpenServer 6 system create the .ssh directory using: </li></ul></ul><ul><ul><ul><ul><li>mkdir $HOME/.ssh </li></ul></ul></ul></ul><ul><ul><ul><ul><li>chmod 700 $HOME/.ssh </li></ul></ul></ul></ul><ul><ul><ul><li>Create $HOME/.ssh/authorized_keys, paste your public key into this file (one key per line) and chmod 600 the file </li></ul></ul></ul><ul><ul><ul><li>sshd (StrictModes, on by default) rejects the key if $HOME, $HOME/.ssh or authorized_keys is group- or world-writable </li></ul></ul></ul><ul><ul><li>On the Windows PC configure your ssh Terminal Emulator to use your private key </li></ul></ul>
    36. OpenServer 6 and OpenSSH <ul><li>OpenServer 6 to OpenServer 6 RSA Authentication: </li></ul><ul><ul><li>On the “client” OpenServer 6 system generate keys using </li></ul></ul><ul><ul><ul><ul><li>ssh-keygen -t rsa </li></ul></ul></ul></ul><ul><ul><li>Give the private key a passphrase; $HOME/.ssh/id_rsa stays on the client and is never copied to the server </li></ul></ul><ul><ul><li>On the “server” OpenServer 6 system create the .ssh directory using: </li></ul></ul><ul><ul><ul><ul><li>mkdir $HOME/.ssh </li></ul></ul></ul></ul><ul><ul><ul><ul><li>chmod 700 $HOME/.ssh </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Create $HOME/.ssh/authorized_keys, paste the $HOME/.ssh/id_rsa.pub public key from the client OpenServer 6 system into this file and chmod 600 the file </li></ul></ul></ul></ul><ul><ul><li>Login from the OpenServer 6 client system using: </li></ul></ul><ul><ul><ul><ul><li>ssh <server_name> or ssh <user>@<server name> </li></ul></ul></ul></ul>
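The mkdir/chmod/paste steps of slides 35 and 36 fail silently when a mode is wrong: sshd just falls back to the password prompt. The following is an added example, not OpenSSH's or the presenter's code: it installs a public key into $HOME/.ssh/authorized_keys with the modes the slides call for, refuses a malformed key line, is safe to run twice, and reproduces the StrictModes write-permission check so the result can be verified before the first login. The sample key (a correctly encoded but toy-sized ssh-rsa blob), the scratch home directory and the comment are constructed for the example.

```python
"""Added example (not OpenSSH's own code): install an authorized key the way
slides 35-36 describe and check the modes sshd's StrictModes enforces."""
import base64
import os
import re
import stat
import tempfile

KEY_LINE = re.compile(r"^(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/=]+)(?:\s+(\S.*))?$")


def _string(b):
    return len(b).to_bytes(4, "big") + b


def _mpint(x):
    # SSH mpint: big-endian, with a leading zero byte when the top bit is set
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return _string(b)


# Constructed sample key: correct wire format, toy-sized modulus, demo only.
SAMPLE_PUBKEY = "ssh-rsa " + base64.b64encode(
    _string(b"ssh-rsa") + _mpint(65537) + _mpint(0xC3B5)).decode() + " demo@example"


def validate_pubkey(line):
    """Return (type, comment) for a well-formed key line, else raise ValueError."""
    m = KEY_LINE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(m.group(2), validate=True)
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n].decode("ascii", "replace") != m.group(1):
        raise ValueError("key type field does not match the key blob")
    return m.group(1), m.group(3) or ""


def install_authorized_key(home, pubkey_line):
    """mkdir 700 $HOME/.ssh, append the key once, chmod 600 authorized_keys."""
    validate_pubkey(pubkey_line)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = open(path).read().splitlines() if os.path.exists(path) else []
    if pubkey_line.strip() not in existing:
        with open(path, "a") as f:
            f.write(pubkey_line.strip() + "\n")
    os.chmod(path, 0o600)
    return path


def strict_modes_ok(home):
    """Mimic StrictModes: home, .ssh and authorized_keys must not be group/world writable."""
    bad = stat.S_IWGRP | stat.S_IWOTH
    for p in (home, os.path.join(home, ".ssh"),
              os.path.join(home, ".ssh", "authorized_keys")):
        if os.stat(p).st_mode & bad:
            return False
    return True


def demo():
    """Run the whole procedure in a scratch home directory and report the checks."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o700)
    path = install_authorized_key(home, SAMPLE_PUBKEY)
    install_authorized_key(home, SAMPLE_PUBKEY)       # second run must not duplicate
    result = {"keys": open(path).read().count("ssh-rsa"),
              "mode": os.stat(path).st_mode & 0o777,
              "strict_ok": strict_modes_ok(home)}
    os.chmod(os.path.join(home, ".ssh"), 0o770)       # group-writable: sshd would refuse it
    result["strict_after_chmod"] = strict_modes_ok(home)
    return result


if __name__ == "__main__":
    print(demo())
```

On the real server pass the user's home directory and the pasted key line; if `strict_modes_ok()` returns False, fix the directory modes before looking anywhere else for why the key is ignored.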
    37. OpenServer 6 and OpenSSH <ul><li>OpenServer 6 ssh(1) Host Based Authentication: </li></ul><ul><ul><li>Host Based Authentication can use </li></ul></ul><ul><ul><ul><li>/etc/ssh/shosts.equiv and/or ~/.shosts </li></ul></ul></ul><ul><ul><ul><li>/etc/ssh/ssh_known_hosts and/or ~/.ssh/known_hosts </li></ul></ul></ul><ul><ul><li>It trusts the client host, not the user: the client host key signs the request, so every user on a trusted host can log in as the named user </li></ul></ul><ul><ul><li>Server Side Configuration: </li></ul></ul><ul><ul><ul><li>Create $HOME/.shosts with </li></ul></ul></ul><ul><ul><ul><ul><li>192.168.1.250 jboland </li></ul></ul></ul></ul><ul><ul><ul><ul><li>jrbosr6.it.sco.com jboland </li></ul></ul></ul></ul><ul><ul><ul><ul><li>jrbosr6 jboland </li></ul></ul></ul></ul><ul><ul><ul><li>Edit /etc/ssh/sshd_config and change/add </li></ul></ul></ul><ul><ul><ul><ul><li>HostbasedAuthentication yes </li></ul></ul></ul></ul><ul><ul><ul><ul><li>IgnoreUserKnownHosts yes </li></ul></ul></ul></ul><ul><ul><ul><ul><li>IgnoreRhosts no </li></ul></ul></ul></ul><ul><ul><ul><li>IgnoreRhosts yes (the default) makes sshd ignore ~/.shosts as well as ~/.rhosts, so with the default the entries above must go in /etc/ssh/shosts.equiv instead </li></ul></ul></ul><ul><ul><ul><li>With IgnoreUserKnownHosts yes the client host's public key must be listed in /etc/ssh/ssh_known_hosts on the server </li></ul></ul></ul>
    38. OpenServer 6 and OpenSSH <ul><li>OpenServer 6 ssh(1) Host Based Authentication: </li></ul><ul><ul><li>Server Side Configuration [contd]: </li></ul></ul><ul><ul><ul><li>Restart sshd using: </li></ul></ul></ul><ul><ul><ul><ul><li>tcp restart </li></ul></ul></ul></ul><ul><ul><li>Client Side Configuration: </li></ul></ul><ul><ul><ul><li>Edit /etc/ssh/ssh_config and change/add </li></ul></ul></ul><ul><ul><ul><ul><li>HostbasedAuthentication yes </li></ul></ul></ul></ul><ul><ul><ul><ul><li>EnableSSHKeysign yes </li></ul></ul></ul></ul><ul><ul><ul><li>ssh-keysign(8) signs with the client's host private key, which only root can read, so it must be installed set-uid root </li></ul></ul></ul><ul><ul><li>From the client login to the server using: </li></ul></ul><ul><ul><ul><li>ssh <server_name> </li></ul></ul></ul><ul><ul><li>To debug use </li></ul></ul><ul><ul><ul><li>ssh -v <server_name> </li></ul></ul></ul>
    39. OpenServer 6 and OpenSSH <ul><li>Uses for ssh Dynamic Port Forwarding: </li></ul><ul><ul><li>Dynamic Port forwarding allows forwarding of traffic via a local SOCKS Proxy Server to a remote secure server using ssh(1) </li></ul></ul>[Diagram: client application -> local SOCKS proxy (ssh -D) -> encrypted ssh session across the Internet -> secure ssh server, which makes the onward connections]
    40. OpenServer 6 and OpenSSH <ul><li>Setup Dynamic Port Forwarding on OpenServer 6: </li></ul><ul><ul><li>Start a local SOCKS proxy (no root needed, 1080 is an unprivileged port) using: </li></ul></ul><ul><ul><ul><li>ssh -D 1080 jboland@<fqdn of OSR6 ssh server> </li></ul></ul></ul><ul><ul><li>The listener binds to localhost only unless a bind_address is given or GatewayPorts is set; keep it that way, the SOCKS port itself has no authentication </li></ul></ul><ul><ul><li>To configure Mozilla to use the SOCKS proxy: </li></ul></ul><ul><ul><ul><li>Run mozilla </li></ul></ul></ul><ul><ul><ul><li>Select Edit -> Preferences… -> Advanced -> Proxies </li></ul></ul></ul><ul><ul><ul><li>Click the “Manual Proxy Configuration” </li></ul></ul></ul><ul><ul><ul><li>In the SOCKS Host: field put </li></ul></ul></ul><ul><ul><ul><ul><li>localhost </li></ul></ul></ul></ul><ul><ul><ul><li>In the Port: field put </li></ul></ul></ul><ul><ul><ul><ul><li>1080 </li></ul></ul></ul></ul><ul><ul><ul><li>Click on OK </li></ul></ul></ul>
    41. OpenServer 6 and OpenSSH <ul><li>Setting up Dynamic Port Forwarding on Windows: </li></ul><ul><ul><li>Setup a SOCKS Proxy Server using PuTTY as follows: </li></ul></ul><ul><ul><ul><li>Launch PuTTY </li></ul></ul></ul><ul><ul><ul><li>Enter the Host Name of the remote server </li></ul></ul></ul><ul><ul><ul><li>Select Connection -> SSH -> Tunnels </li></ul></ul></ul><ul><ul><ul><li>Enter 1080 in the source port field </li></ul></ul></ul><ul><ul><ul><li>Click on the Dynamic Radio Button </li></ul></ul></ul><ul><ul><ul><li>Click Add </li></ul></ul></ul><ul><ul><ul><li>Click Open </li></ul></ul></ul>
    42. OpenServer 6 and OpenSSH <ul><li>Setting up Dynamic Port Forwarding on Windows: </li></ul><ul><ul><li>Configure Firefox to use the SOCKS Proxy as follows: </li></ul></ul><ul><ul><ul><li>Launch Firefox </li></ul></ul></ul><ul><ul><ul><li>Select Tools -> Options -> Advanced -> Network </li></ul></ul></ul><ul><ul><ul><li>Click on Settings </li></ul></ul></ul><ul><ul><ul><li>Check the Manual proxy configuration: radio button </li></ul></ul></ul><ul><ul><ul><li>Enter localhost in the SOCKS Host: field </li></ul></ul></ul><ul><ul><ul><li>Enter 1080 in the Port: field next to it and select SOCKS v5 </li></ul></ul></ul><ul><ul><ul><li>Click OK </li></ul></ul></ul><ul><ul><ul><li>Click OK </li></ul></ul></ul><ul><ul><li>Firefox is now configured to use the SOCKS Proxy </li></ul></ul><ul><ul><li>To have host names resolved at the ssh server end instead of leaking DNS lookups locally, set network.proxy.socks_remote_dns to true in about:config </li></ul></ul>
    43. OpenServer 6 and OpenSSH <ul><li>Setting up Dynamic Port Forwarding on Windows: </li></ul><ul><ul><li>Configure PuTTY to use the SOCKS Proxy as follows: </li></ul></ul><ul><ul><ul><li>Launch PuTTY </li></ul></ul></ul><ul><ul><ul><li>Enter the Host Name of the remote server </li></ul></ul></ul><ul><ul><ul><li>Select Connection -> Proxy </li></ul></ul></ul><ul><ul><ul><li>Check SOCKS 5 as the proxy type </li></ul></ul></ul><ul><ul><ul><li>Enter localhost as the proxy hostname </li></ul></ul></ul><ul><ul><ul><li>Enter 1080 for the port </li></ul></ul></ul><ul><ul><ul><li>Click OK </li></ul></ul></ul><ul><ul><ul><li>Click OK </li></ul></ul></ul><ul><ul><li>PuTTY is now configured to use the SOCKS Proxy </li></ul></ul>
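Slides 39 to 43 configure clients to talk to the ssh -D listener, but never show what crosses that loopback socket. The following is an added example, not OpenSSH's, PuTTY's or the presenter's code: it builds the SOCKS5 greeting and CONNECT request a browser sends to localhost:1080 and parses the reply, including the difference between sending the destination as a host name (resolved at the ssh server end) and as an address resolved locally, which is the DNS-leak behind the Firefox socks_remote_dns setting. The host name, port and reply bytes are constructed for the example; no network connection is made.

```python
"""Added example (not OpenSSH's own code): the SOCKS5 exchange a client performs
against the ssh -D listener, encoded and decoded offline."""
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00          # ssh -D offers no other method; the socket is trusted by locality
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused"}


def greeting():
    """Client hello: version 5, one method offered, 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(host, port, remote_dns=True):
    """CONNECT request. With remote_dns the name travels to the proxy (ATYP 3) and is
    resolved at the ssh server end; otherwise the client resolves it locally first
    and sends an IPv4 address, leaking the lookup to the local resolver."""
    if remote_dns:
        name = host.encode("idna")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        body = bytes([ATYP_IPV4]) + socket.inet_aton(socket.gethostbyname(host))
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_reply(data):
    """Parse the server reply; returns (ok, text, bound_addr, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode(), data[5 + n:]
    else:
        raise ValueError("unsupported address type %d" % atyp)
    port = struct.unpack("!H", rest[:2])[0]
    return rep == 0, REPLY_TEXT.get(rep, "unknown %d" % rep), addr, port


if __name__ == "__main__":
    print(greeting().hex(), connect_request("intranet.example", 80).hex())
    # Constructed reply: success, bound to 0.0.0.0:0 as ssh -D typically answers.
    print(parse_reply(b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"))
```

A reply of "not allowed by ruleset" or "connection refused" comes from the ssh server end, so the remote host's reachability is judged from the server's network, not the client's.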
    44. OpenServer 6 and IPsec <ul><li>What is IPsec: </li></ul><ul><ul><li>IPsec allows you to: </li></ul></ul><ul><ul><ul><li>Encrypt IP packets between hosts and subnets </li></ul></ul></ul><ul><ul><ul><li>Authenticate IP Packets between hosts and subnets </li></ul></ul></ul><ul><ul><ul><li>Defined in http://www.ietf.org/rfc/rfc2401.txt </li></ul></ul></ul><ul><ul><li>Authentication can be performed using Expanded IPsec headers, keys or certificates </li></ul></ul><ul><ul><li>IPsec requirements: </li></ul></ul><ul><ul><ul><li>OpenSSL 0.9.7 or later; check with </li></ul></ul></ul><ul><ul><ul><ul><li>openssl version </li></ul></ul></ul></ul><ul><ul><ul><li>A configured and functioning network connection </li></ul></ul></ul>
    45. OpenServer 6 and IPsec <ul><li>IPsec Terminology: </li></ul><ul><ul><li>Two modes of IPsec configuration: </li></ul></ul><ul><ul><ul><li>Transport protects the IP payload only; the original IP header stays in the clear </li></ul></ul></ul><ul><ul><ul><li>Tunnel protects the whole original packet, data and IP header, inside a new outer IP header </li></ul></ul></ul><ul><ul><li>Two IPsec protocols: </li></ul></ul><ul><ul><ul><li>Authentication Header (AH) does authentication only, no confidentiality, and is not recommended here </li></ul></ul></ul><ul><ul><ul><li>Encapsulating Security Payload (ESP) does authentication and encryption </li></ul></ul></ul><ul><ul><li>In an IPsec configuration file: </li></ul></ul><ul><ul><ul><li>SAD is the Security Association Database (the keys and algorithms for each SPI) </li></ul></ul></ul><ul><ul><ul><li>SPD is the Security Policy Database (which traffic must use which SA) </li></ul></ul></ul>
    46. OpenServer 6 and IPsec <ul><li>To enable IPsec in the kernel: </li></ul><ul><ul><li>Edit </li></ul></ul><ul><ul><ul><li>/etc/conf/pack.d/inet/space.c </li></ul></ul></ul><ul><ul><li>changing </li></ul></ul><ul><ul><ul><li>int ipsec_enable = 0; </li></ul></ul></ul><ul><ul><li>to </li></ul></ul><ul><ul><ul><li>int ipsec_enable = 1; </li></ul></ul></ul><ul><ul><li>Relink the kernel using: </li></ul></ul><ul><ul><ul><li>/etc/conf/bin/idbuild -M inet </li></ul></ul></ul><ul><ul><li>Reboot the server using </li></ul></ul><ul><ul><ul><li>shutdown -y -g0 -i6 </li></ul></ul></ul>
    47. OpenServer 6 and IPsec <ul><li>Simple OSR6 to OSR6 IPsec configuration: </li></ul><ul><ul><li>On “sysa” create /etc/inet/sysa.ipsec.conf with: </li></ul></ul><ul><ul><ul><li>add <sysa ip> <sysb ip> esp 0x10001 </li></ul></ul></ul><ul><ul><ul><ul><li>-m transport </li></ul></ul></ul></ul><ul><ul><ul><ul><li>-E 3des-cbc &quot;thescogp12341234thescogp&quot; ; </li></ul></ul></ul></ul><ul><ul><ul><li>add <sysb ip> <sysa ip> esp 0x10002 </li></ul></ul></ul><ul><ul><ul><ul><li>-m transport </li></ul></ul></ul></ul><ul><ul><ul><ul><li>-E 3des-cbc &quot;thescogp43214321thescogp&quot; ; </li></ul></ul></ul></ul><ul><ul><ul><li>spdadd <sysb ip>[any] <sysa ip>[any] tcp -P in ipsec </li></ul></ul></ul><ul><ul><ul><ul><li>esp/transport/<sysb ip>-<sysa ip>/use ; </li></ul></ul></ul></ul><ul><ul><ul><li>spdadd <sysa ip>[any] <sysb ip>[any] tcp -P out ipsec </li></ul></ul></ul><ul><ul><ul><ul><li>esp/transport/<sysa ip>-<sysb ip>/use ; </li></ul></ul></ul></ul><ul><ul><li>Both hosts load the same two SAs (same SPI and key for each direction); only the policy direction (-P in / -P out) is reversed on sysb </li></ul></ul><ul><ul><li>The ASCII keys shown are for demonstration only: 3des-cbc needs a 192-bit (24-byte) key, so on a real system use 24 random bytes written in hex (0x...) </li></ul></ul><ul><ul><li>The /use policy level still passes clear text when no SA is loaded; /require drops such traffic instead </li></ul></ul>
    48. OpenServer 6 and IPsec <ul><li>Simple OSR6 to OSR6 IPsec configuration: </li></ul><ul><ul><li>On “sysb” create /etc/inet/sysb.ipsec.conf with: </li></ul></ul><ul><ul><ul><li>add <sysa ip> <sysb ip> esp 0x10001 </li></ul></ul></ul><ul><ul><ul><ul><li>-m transport </li></ul></ul></ul></ul><ul><ul><ul><ul><li>-E 3des-cbc &quot;thescogp12341234thescogp&quot; ; </li></ul></ul></ul></ul><ul><ul><ul><li>add <sysb ip> <sysa ip> esp 0x10002 </li></ul></ul></ul><ul><ul><ul><ul><li>-m transport </li></ul></ul></ul></ul><ul><ul><ul><ul><li>-E 3des-cbc &quot;thescogp43214321thescogp&quot; ; </li></ul></ul></ul></ul><ul><ul><ul><li>spdadd <sysa ip>[any] <sysb ip>[any] tcp -P in ipsec </li></ul></ul></ul><ul><ul><ul><ul><li>esp/transport/<sysa ip>-<sysb ip>/use ; </li></ul></ul></ul></ul><ul><ul><ul><li>spdadd <sysb ip>[any] <sysa ip>[any] tcp -P out ipsec </li></ul></ul></ul><ul><ul><ul><ul><li>esp/transport/<sysb ip>-<sysa ip>/use ; </li></ul></ul></ul></ul>
    49. OpenServer 6 and IPsec <ul><li>Loading the IPsec configuration: </li></ul><ul><ul><li>On sysa run setkey(ADM): </li></ul></ul><ul><ul><ul><li>ipseckey -f /etc/inet/sysa.ipsec.conf </li></ul></ul></ul><ul><ul><li>On sysb run setkey(ADM): </li></ul></ul><ul><ul><ul><li>ipseckey -f /etc/inet/sysb.ipsec.conf </li></ul></ul></ul><ul><ul><li>To confirm the traffic really is ESP (IP protocol 50) and not clear text: </li></ul></ul><ul><ul><ul><li>tcpdump host sysa and sysb </li></ul></ul></ul><ul><ul><li>To see the ipsec network statistics run: </li></ul></ul><ul><ul><ul><li>netstat -nsp ipsec </li></ul></ul></ul><ul><ul><li>To remove/flush the SAD and SPD entries use: </li></ul></ul><ul><ul><ul><li>ipseckey -F </li></ul></ul></ul><ul><ul><ul><li>ipseckey -FP </li></ul></ul></ul>
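The two files on slides 47 and 48 differ only in the policy direction, and both carry the same short ASCII keys. The following is an added example, not OpenServer's or the presenter's code: it generates the matching pair of manual-keying files with fresh random 192-bit keys in the hex form setkey accepts, so the SAs are identical on both hosts by construction and only the SPD lines are mirrored. The addresses and SPIs are constructed; the policy level defaults to require (slide 51) rather than use, because manual keys that never rotate should at least not fall back to clear text.

```python
"""Added example (not OpenServer's own code): emit the sysa/sysb manual-keying
files of slides 47-48 with random keys and mirrored policies."""
import os


def new_3des_key():
    """3des-cbc takes a 192-bit key; setkey accepts it as 0x-prefixed hex."""
    return "0x" + os.urandom(24).hex()


def sa_line(src, dst, spi, key, alg="3des-cbc"):
    """One 'add' entry for the SAD; identical on both hosts."""
    return f"add {src} {dst} esp {spi:#x} -m transport -E {alg} {key} ;"


def spd_lines(local, peer, level="require", proto="tcp"):
    """The two policy entries for this host; the direction flips per host, the SAs do not."""
    return "\n".join([
        f"spdadd {peer}[any] {local}[any] {proto} -P in ipsec "
        f"esp/transport/{peer}-{local}/{level} ;",
        f"spdadd {local}[any] {peer}[any] {proto} -P out ipsec "
        f"esp/transport/{local}-{peer}/{level} ;",
    ])


def manual_keying_pair(sysa, sysb, spi_ab=0x10001, spi_ba=0x10002, level="require"):
    """Return {'sysa': text, 'sysb': text}, one per host, sharing the same two SAs."""
    key_ab, key_ba = new_3des_key(), new_3des_key()
    sas = "\n".join([sa_line(sysa, sysb, spi_ab, key_ab),
                     sa_line(sysb, sysa, spi_ba, key_ba)])
    return {
        "sysa": sas + "\n" + spd_lines(sysa, sysb, level) + "\n",
        "sysb": sas + "\n" + spd_lines(sysb, sysa, level) + "\n",
    }


def sa_section(text):
    """The SAD entries of a file, for checking both hosts agree."""
    return [line for line in text.splitlines() if line.startswith("add ")]


if __name__ == "__main__":
    pair = manual_keying_pair("192.0.2.1", "192.0.2.2")   # constructed addresses
    for host, text in pair.items():
        print(f"# /etc/inet/{host}.ipsec.conf\n{text}")
```

Copy each file to its host over an already trusted channel (scp from slide 33, for instance), since the file contains both keys, and keep it mode 0600; anyone who can read it can decrypt the traffic in both directions.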
    50. OpenServer 6 and IPsec <ul><li>Using racoon for automatic key management </li></ul><ul><ul><li>Keys need to be changed to maintain security </li></ul></ul><ul><ul><li>Manual changing of keys is time consuming and prone to error </li></ul></ul><ul><ul><li>racoon(ADM) is a daemon that manages keys (and certificates) on behalf of IPsec </li></ul></ul><ul><ul><li>racoon(ADM) uses the Internet Key Exchange (IKE) protocol to exchange keys securely between hosts </li></ul></ul>
    51. OpenServer 6 and IPsec <ul><li>To configure racoon(ADM): </li></ul><ul><ul><li>On sysa create the file /etc/inet/psk.txt with one line per peer: </li></ul></ul><ul><ul><ul><li><sysb ip> <pre-shared secret> </li></ul></ul></ul><ul><ul><li>The pre-shared key is a secret, not a public value: use a long random string and make sure the file has perms 0400 </li></ul></ul><ul><ul><ul><li>chmod 0400 /etc/inet/psk.txt </li></ul></ul></ul><ul><ul><li>On sysa create the file /etc/inet/sysa.ipsec.conf with only policies (racoon adds the SAs itself): </li></ul></ul><ul><ul><ul><li>spdadd <sysb ip>[any] <sysa ip>[any] tcp -P in ipsec esp/tunnel/<sysb ip>-<sysa ip>/require ; </li></ul></ul></ul><ul><ul><ul><li>spdadd <sysa ip>[any] <sysb ip>[any] tcp -P out ipsec esp/tunnel/<sysa ip>-<sysb ip>/require; </li></ul></ul></ul><ul><ul><li>Perform similar steps on sysb </li></ul></ul>
    52. OpenServer 6 and IPsec <ul><li>To configure racoon(ADM) [contd]: </li></ul><ul><ul><li>On sysa create the file /etc/inet/racoon.conf with: </li></ul></ul><ul><ul><ul><li>path pre_shared_key &quot;/etc/inet/psk.txt&quot; ; </li></ul></ul></ul><ul><ul><ul><li>log debug; </li></ul></ul></ul><ul><ul><ul><li>remote anonymous </li></ul></ul></ul><ul><ul><ul><li>{ </li></ul></ul></ul><ul><ul><ul><li>exchange_mode aggressive ; </li></ul></ul></ul><ul><ul><ul><li>my_identifier address <sysa ip> ; </li></ul></ul></ul><ul><ul><ul><li>lifetime time 1 hour ; </li></ul></ul></ul><ul><ul><ul><li>proposal { </li></ul></ul></ul><ul><ul><ul><li>encryption_algorithm 3des; </li></ul></ul></ul><ul><ul><ul><li>hash_algorithm sha1; </li></ul></ul></ul><ul><ul><ul><li>authentication_method pre_shared_key ; </li></ul></ul></ul><ul><ul><ul><li>dh_group 2 ; </li></ul></ul></ul><ul><ul><ul><li>} </li></ul></ul></ul><ul><ul><ul><li>proposal_check obey; </li></ul></ul></ul><ul><ul><ul><li>} </li></ul></ul></ul><ul><ul><li>exchange_mode aggressive with a pre-shared key sends the identity and the PSK-derived hash before the exchange is encrypted, which exposes the PSK to offline guessing; use exchange_mode main unless a peer has a dynamic address that forces aggressive mode </li></ul></ul><ul><ul><li>log debug is useful while testing but very verbose; lower it once the tunnel works </li></ul></ul>
    53. OpenServer 6 and IPsec <ul><li>To configure racoon(ADM) [contd]: </li></ul><ul><ul><li>On sysa create the file /etc/inet/racoon.conf with: [contd] </li></ul></ul><ul><ul><ul><li>sainfo anonymous </li></ul></ul></ul><ul><ul><ul><li>{ </li></ul></ul></ul><ul><ul><ul><li>pfs_group 2; </li></ul></ul></ul><ul><ul><ul><li>lifetime time 10 hour ; </li></ul></ul></ul><ul><ul><ul><li>encryption_algorithm 3des, blowfish; </li></ul></ul></ul><ul><ul><ul><li>authentication_algorithm hmac_sha1, hmac_md5 ; </li></ul></ul></ul><ul><ul><ul><li>compression_algorithm deflate ; </li></ul></ul></ul><ul><ul><ul><li>} </li></ul></ul></ul><ul><ul><li>Create a similar file on sysb </li></ul></ul>
    54. OpenServer 6 and IPsec <ul><li>To start racoon </li></ul><ul><ul><li>Permissions need to be changed on /usr/sbin/racoon </li></ul></ul><ul><ul><ul><li>chmod +x /usr/sbin/racoon </li></ul></ul></ul><ul><ul><li>Start racoon on sysa and sysb using </li></ul></ul><ul><ul><ul><li>/usr/sbin/racoon & </li></ul></ul></ul><ul><ul><li>Configuration and Startup errors are logged in </li></ul></ul><ul><ul><ul><li>/var/adm/syslog </li></ul></ul></ul><ul><ul><li>Load the policies; racoon negotiates the SAs when the first matching packet is sent. On sysa run setkey(ADM): </li></ul></ul><ul><ul><ul><li>ipseckey -f /etc/inet/sysa.ipsec.conf </li></ul></ul></ul><ul><ul><li>On sysb run setkey(ADM): </li></ul></ul><ul><ul><ul><li>ipseckey -f /etc/inet/sysb.ipsec.conf </li></ul></ul></ul>
    55. OpenServer 6 and IPsec <ul><li>To stop and restart racoon </li></ul><ul><ul><li>To stop racoon run (SIGTERM first, so racoon can clean up; use kill -9 only if it does not exit): </li></ul></ul><ul><ul><ul><li>kill `cat /etc/inet/racoon.pid` </li></ul></ul></ul><ul><ul><ul><li>rm /tmp/.racoon </li></ul></ul></ul><ul><ul><li>Restart using </li></ul></ul><ul><ul><ul><li>/usr/sbin/racoon & </li></ul></ul></ul>
    56. OpenServer 6 and IPF <ul><li>IP Filter Firewall Package for OpenServer 6.0.0 </li></ul><ul><ul><li>For a detailed HOW TO on firewall setup see: </li></ul></ul><ul><ul><ul><li>http://osr600doc.sco.com/en/NET_tcp/ipf-howto.html </li></ul></ul></ul><ul><ul><li>See also: </li></ul></ul><ul><ul><ul><li>ipf(ADMN), ipfilter(M) and ipnat(ADMN) </li></ul></ul></ul><ul><ul><li>Enable IP Filter as root using: </li></ul></ul><ul><ul><ul><li>mkdev ipf </li></ul></ul></ul><ul><ul><li>Display the current incoming and outgoing rules with: </li></ul></ul><ul><ul><ul><li>ipfstat -io </li></ul></ul></ul>
    57. Session Objectives <ul><li>You should now: </li></ul><ul><ul><li>Understand the ISL differences between OpenServer 6 and OpenServer 5 relating to Networking </li></ul></ul><ul><ul><li>Understand how netconfig(ADM) differs between OpenServer 6 and OpenServer 5 </li></ul></ul><ul><ul><li>Be aware of how OpenServer 6 networking starts on system boot </li></ul></ul><ul><ul><li>Know how to enable tcp wrappers on inetd services </li></ul></ul><ul><ul><li>Know how to configure and use ssh(1) </li></ul></ul><ul><ul><li>Be able to configure a simple VPN using IPsec </li></ul></ul>
    58. Questions? <ul><li>Any questions now? </li></ul><ul><li>For questions you think about later: </li></ul><ul><ul><li>[email_address] </li></ul></ul>
