THE SCO GROUP 2007
© The SCO Group, Inc. All Rights Reserved
OpenServer 6 Networking for OpenServer 5 Administrators
John Boland, SCO Support

Advanced UNIX System Administration




Session Objectives

At the end of this session you should:
• Understand the ISL differences between OpenServer 6 and OpenServer 5 relating to networking
• Be aware of how OpenServer 6 networking starts on system boot
• Know how to enable TCP Wrappers on inetd services
• Understand how netconfig(ADM) differs between OpenServer 6 and OpenServer 5
• Know how to configure and use ssh(1)
• Be able to configure a simple VPN using IPsec


Session Topics

The following topics will be covered:
• OpenServer 6 Installation
• Network Configuration Manager differences
• OpenServer 6 Network Start-up
• Configured Network Services on OpenServer 6
• tcpd(ADM) aka TCP Wrappers
• OpenServer 6 and OpenSSH
• Using IPsec to implement a VPN
• IP Filter brief overview


OpenServer 6 Installation

OpenServer 6.0.0 ISL Networking Differences:
• Samba, PPP and Kerberos installed at ISL
• IPX/SPX, SCO Gateway for NetWare and LAN Manager Client packages obsolete
• DHCP client configuration at ISL
• Only drivers for detected Network Cards (NICs) are displayed at ISL
• Manual list only contains non-autodetectable ISA NIC cards


OpenServer 6 Installation

OpenServer 5 Connectivity Package Selection (screenshot)


OpenServer 6 Installation

OpenServer 6 Connectivity Package Selection (screenshot)


OpenServer 6 Installation

Network Card Selection on OpenServer 5 (screenshot)


OpenServer 6 Installation

Network Card Selection on OpenServer 6 (screenshot)


Network Configuration Manager

OpenServer 5 Network Configuration Manager (screenshot)


Network Configuration Manager

Network Configuration Manager Differences:
• No localhost entry
• Removed the IPX protocol
• NFS protocol configured by default (if installed)
• Only auto-detected Network Cards are displayed
• No relink and reboot required when you add a card
• Removed WAN configuration
• Failover support added


Network Configuration Manager

Network Interface Card (NIC) Drivers and netconfig(ADM)
• NIC drivers are stored under /etc/inst/nd/mdi
• Find out what nd driver package is installed using:
    pkginfo -l nd
• Get the latest nd driver package (8.0.6e) at:
    http://www.sco.com/support/update/download/release.php?rid=281
• netconfig(ADM) uses PCI Board IDs to recognise cards:
    resmgr | more
    18 e1008g 8 6 4 18 4400 443f fcde0000 fcdfffff - - 4 0x8086100E 0x0002 0 2 034 net0 8 6 - - - - - - - - - 0x8086100E - - 2 -
    grep 0x8086100E /etc/inst/nd/mdi/e1008g/*.bcfg
    /etc/inst/nd/mdi/e1008g/e1008g_100E.bcfg:BOARD_IDS="0x8086100E"


Network Configuration Manager

Automatic Network Failover and Backup cards
• Must have MP2 installed
• TA 110336: Not all NICs support failover. Check with:
    grep "FAILOVER=true" /etc/inst/nd/mdi/<your nic driver>/*.bcfg
• Can manually failover using netconfig(ADM)
• Automatic failback is not currently supported
• TA 126686: Cannot manually failback to the primary NIC using netconfig(ADM). Instead you use:
    nd failback net0
• Note that while some NICs failover on removal of the cable, not all NICs do


Network Configuration Manager

Debugging netconfig(ADM):
• When you run netconfig(ADM) you are running:
    /usr/lib/netcfg/bin/ncfgUI
• netconfig(ADM) configuration files are held under /usr/lib/netcfg
• To trace problems uncomment:
    #cmdtrace on [ open /tmp/ncfgUI.log a+ ]
• netconfig(ADM) also uses ndcfg(ADM) to do NIC configuration. The ndcfg log file is found at:
    /usr/lib/netcfg/tmp/ndcfg.log
• TA 110131: Troubleshooting NIC Installation


OpenServer 6 Network Start-up

/etc/inittab Network Start-up Entries
• Initialize the socket subsystem in the kernel at sysinit:
    iks0::sysinit:/sbin/initsock -d > /dev/console 2>&1
• Configure STREAMS at sysinit:
    sl::sysinit:/etc/slink -c /etc/strcf > /dev/console 2>&1
• Initialise the loopback interface at sysinit:
    loop::sysinit:/usr/sbin/initialize -u lo0 > /dev/console 2>&1
• Load STREAMS modules:
    ap1::sysinit:/sbin/autopush -f /etc/ap/sco.ap
• Start syslogd(ADM) to log local and remote messages:
    bchk::sysinit:/sbin/bcheckrc </dev/console >/dev/console 2>&1


OpenServer 6 Network Start-up

/etc/inittab Network Start-up Entries [contd]
• The following entries will be described in greater detail on the slides that follow:
    lli::sysinit:/etc/nd start < /dev/null > /dev/null 2>&1
    tcp::sysinit:/etc/tcp start < /dev/null > /dev/null 2>&1
    ...
    r2:2:wait:/etc/rc2 1> /dev/console 2>&1 </dev/console


OpenServer 6 Network Start-up

Network Adapter Driver Script nd(ADM)
• /etc/nd is used to start and stop configured NICs
• It starts the dlpid(ADM) daemon, which links each MDI (MAC Driver Interface) driver to the common DLPI (Data Link Provider Interface)
• The dlpi module is a bit like your OSI Data Link Layer; the MDI interface sits between the card and the DLPI
• /etc/nd is started by this entry in /etc/inittab:
    lli::sysinit:/etc/nd start < /dev/null > /dev/null 2>&1
• nd(ADM) is updated by netconfig(ADM) when adding or removing NICs


OpenServer 6 Network Start-up

nd(ADM) [contd.]
• Never try to update or modify /etc/nd manually
• The nd(ADM) man page incorrectly refers to /etc/rc2.d/S35dlpi and /etc/rc0.d/K97dlpi being used to start and stop nd
• Can debug issues with /etc/nd by uncommenting:
    #cmdtrace on [ open /tmp/nd.log a+ ]
  or
    #cmdtrace on stderr


OpenServer 6 Network Start-up

TCP Start/Stop Script tcp(ADMN)
• /etc/tcp starts and stops TCP
• When starting in single-user mode (sysinit) it will:
  • Read /etc/default/tcp to get info including domain and gateway
  • Call inconfig(ADM) to load default TCP kernel parameters
  • Configure network interfaces with IP addresses using /usr/sbin/initialize -U
  • Start syslogd(ADM) if not already started
  • Set the default route using the gateway entry from /etc/default/tcp
  • Start the STREAMS error logging daemon, strerr(ADM)
  • Start the Pseudo Random Number Generator Daemon, prngd(ADM)


OpenServer 6 Networking Start-up

Single User Mode start-up (flow diagram, recovered as a list in inittab order):
• init
  • initsock
  • slink
  • Initialize lo0
  • autopush
  • syslogd
  • nd start -> dlpid -> Setup NICs
  • tcp start -> Domain and gateway -> Setup TCP Kernel Params -> initialize netx -> route add -> strerr(ADM) -> prngd(ADM)


OpenServer 6 Network Start-up

tcp(ADMN) [contd]
• When starting in multi-user mode (rc2) it will also:
  • Start prngd(ADM) again
  • Start inetd(ADMN), the Internet super server daemon
  • Start pppd(ADMN) only if MST PPP is configured (off by default)
  • Start snmpd(ADMN), the SNMP agent
  • Start named(ADMN) if a nameserver is configured (off by default)
  • Start sshd(8), the ssh daemon, and if necessary generate host keys (/etc/ssh/ssh_host*)
  • Start any daemons listed in /etc/default/tcp (off by default)
  • Start ntpd, lpd(ADMN) and aasd(ADMN) if configured (not by default)


OpenServer 6 Network Start-up

tcp(ADMN) [contd]
• Issues the messages:
    add net default: gateway 192.168.248.1
    Starting TCP services: prngd inetd snmpd sshd
• The tcp(ADMN) man page incorrectly refers to ifconfig when it should refer to initialize
• Existing sessions can continue to function after a tcp stop
• Existing sessions are stopped by a tcp shutdown
• Can debug the /etc/tcp shell script by adding:
    set -x


OpenServer 6 Network Start-up

Networking services started by rc2(ADM)
• The /etc/rc2 script is invoked by init(M):
    r2:2:wait:/etc/rc2 1> /dev/console 2>&1 </dev/console
• /etc/rc2 messages are logged to /usr/adm/rc2.log
• Networking services scripts called by rc2 include:
    S85tcp S86rpc P86sendmail S87nfs S90nis
    P90apache S95docview S99cups S99nmbd S99smbd
• Can disable a service as follows (rc2 only runs /etc/rc2.d entries whose names start with an upper-case S or P, so the lower-case name is skipped at the next boot):
    mv /etc/rc2.d/S87nfs /etc/rc2.d/s87nfs
    shutdown -y -g0 -i6


OpenServer 6 Network Start-up

Network services started by traditional rc2(ADM)
• S85tcp: symbolic link to /etc/tcp
• S86rpc: symbolic link to /etc/rpcinit; starts rpcbind(ADMN), rwalld(NADM) and sprayd
• P86sendmail (or MMDF equivalent): starts sendmail(ADMN)
• S87nfs: symbolic link to /etc/nfs; starts exportfs(NADM), nfsd(NADM), biod(NADM), mountd(NADM), statd(1Mnfs), lockd(NADM), bootparamd(NADM) and pcnfsd(NADM)
• S90nis: symbolic link to /etc/nis; not configured or started by default


OpenServer 6 Network Startup

Network services started by traditional rc2(ADM) [contd]
• P90apache: starts the Apache web server on port 80
• S95docview: starts the OpenServer 6 documentation server on port 8457
• S99cups: starts the CUPS print server, cupsd(8); remote admin is disabled by default (see TA 126211)
• S99nmbd: starts the NetBIOS name service, nmbd(8)
• S99smbd: starts the file and print server daemon, smbd(8)


OpenServer 6 default Network Services

Services controlled by inetd(ADMN)
• inetd is known as a super server
• inetd is started by /etc/rc2.d/S85tcp (/etc/tcp)
• inetd configures the services listed in /etc/inetd.conf
• inetd reads /etc/services (and /etc/protocols) to get the name, aliases, port and protocol to use for each service


OpenServer 6 default Network Services

Services controlled by inetd(ADMN)
• On a traditional install inetd configures services including:
    ftp    stream tcp nowait root   /etc/ftpd      ftpd -a
    telnet stream tcp nowait NOLUID /etc/telnetd   telnetd
    shell  stream tcp nowait NOLUID /etc/rshd      rshd
    login  stream tcp nowait NOLUID /etc/rlogind   rlogind
    exec   stream tcp nowait NOLUID /etc/rexecd    rexecd
    pop3   stream tcp nowait root   /etc/popper    popper
    imap   stream tcp nowait root   /etc/imapd     imapd
    swat   stream tcp nowait root   /usr/sbin/swat swat
• telnet, ftp, the r-services, pop3 and swat all carry passwords in cleartext; disable the ones you do not need and use ssh/scp/sftp instead
• Can disable a service by commenting it out:
    # telnet stream tcp nowait NOLUID /etc/telnetd telnetd
• And then restarting inetd with a SIGHUP:
    kill -1 `cat /etc/inetd.pid`


OpenServer 6 Networking Start-up

Multi-User Mode start-up (flow diagram, recovered as a list):
• rc2
  • S85tcp -> prngd, inetd, snmpd, sshd, named, pppd, lpd, ntpd, aasd
  • S86rpc
  • P86sendmail
  • S87nfs
  • S90nis
  • P90apache
  • S95docview
  • S99cups
  • S99nmbd
  • S99smbd


OpenServer 6 Networking Start-up

Multi-User Mode start-up [contd] (flow diagram, recovered as a list):
• inetd -> ftpd, telnetd, rshd, rlogind, rexecd, pop3, imap, swat


OpenServer 6 and TCPWrappers

tcpd(ADM) aka TCP Wrappers 7.6
• Can be used to log and control access to inetd services
• To enable TCP Wrappers on telnetd:
  • Edit /etc/inetd.conf
  • Comment out the entry:
      telnet stream tcp nowait NOLUID /etc/telnetd telnetd
  • Uncomment the entry:
      # telnet stream tcp nowait NOLUID /etc/tcpd telnetd
  • Save the file
  • Restart inetd using:
      kill -1 `cat /etc/inetd.pid`
  • Telnet to the server and check syslog:
      Jul 11 17:26:14 jrbt5 telnetd[2102]: connect from jrbhp1
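The inetd.conf edits on this slide and on the "Services controlled by inetd" slide are done by hand in the original. The script below is an added example, not SCO code: it audits a copy of inetd.conf for enabled cleartext services, comments a service out, and swaps a service's server path to /etc/tcpd the way the slide does for telnetd. The sample inetd.conf is constructed for the example and written to a temp file; set INETD_CONF=/etc/inetd.conf to run it against a real system, and call reload_inetd afterwards.

```shell
#!/bin/sh
# Added example (not SCO code): audit an inetd.conf, disable a cleartext
# service and route another through tcpd. Works on a copy under a temp dir
# unless INETD_CONF points elsewhere. The sample file is constructed here.
INETD_CONF=${INETD_CONF:-$(mktemp)}
cat > "$INETD_CONF" <<'EOF'
# constructed sample, modelled on the OpenServer 6 defaults
ftp     stream tcp nowait root   /etc/ftpd     ftpd -a
telnet  stream tcp nowait NOLUID /etc/telnetd  telnetd
shell   stream tcp nowait NOLUID /etc/rshd     rshd
login   stream tcp nowait NOLUID /etc/rlogind  rlogind
# telnet  stream tcp nowait NOLUID /etc/tcpd    telnetd
pop3    stream tcp nowait root   /etc/popper   popper
EOF

# Names of services that are active (not commented out), one per line.
enabled_services() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 }' "$INETD_CONF"
}

# Enabled services that hand out credentials in cleartext. Prints nothing
# when none is enabled, so an empty result is the hardening check.
cleartext_services() {
    enabled_services | grep -E '^(ftp|telnet|shell|login|exec|pop3|imap|swat)$' || true
}

# Comment out the active entry for a service; the line stays as a record.
disable_service() {
    sed "s|^$1[[:space:]]|# &|" "$INETD_CONF" > "$INETD_CONF.new" &&
        mv "$INETD_CONF.new" "$INETD_CONF"
}

# Route a service through tcpd: the 6th field (server path) becomes
# /etc/tcpd and the program name stays as the argument, e.g. "/etc/tcpd telnetd".
wrap_service() {
    awk -v svc="$1" '
        $1 == svc && $6 != "/etc/tcpd" { $6 = "/etc/tcpd" }
        { print }' "$INETD_CONF" > "$INETD_CONF.new" &&
        mv "$INETD_CONF.new" "$INETD_CONF"
}

# Server path a service currently resolves to ("" if disabled or absent).
server_of() {
    awk -v svc="$1" '$1 == svc { print $6; exit }' "$INETD_CONF"
}

# Tell a running inetd to re-read its configuration (real system only).
reload_inetd() {
    if [ -r /etc/inetd.pid ]; then kill -1 "$(cat /etc/inetd.pid)"; fi
}
```

A typical run is disable_service shell, disable_service login, wrap_service telnet, then reload_inetd; cleartext_services afterwards lists what is still exposed, which on a real host should be reduced to the services you have consciously decided to keep.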


OpenServer 6 and TCPWrappers

Controlling Access using tcpd(ADM)
• hosts_access(SFF) control is implemented using /etc/hosts.allow and /etc/hosts.deny
• These files contain no rules by default
• Access is controlled as follows:
  • Grant access if you match an entry in the /etc/hosts.allow file
  • Deny access if you match an entry in the /etc/hosts.deny file
  • Otherwise, grant access
• With both files empty every wrapped service is therefore open to every client; wrapping alone only adds the "connect from" log line


OpenServer 6 and TCPWrappers

Controlling Access using tcpd(ADM) [contd]
• Entries in hosts.allow and hosts.deny are of the form:
    daemon_list : client_list
• daemon_list is a list of one or more daemon process names or wildcards
• client_list is a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address
• There are two basic options:
  • Deny all and add entries to /etc/hosts.allow (mostly closed)
  • Allow all and add entries to /etc/hosts.deny (mostly open)


OpenServer 6 and TCPWrappers

Some hosts_access(SFF) examples:
• To deny everything, in /etc/hosts.deny add:
    ALL: ALL
• To allow everything leave /etc/hosts.allow empty
• To allow exceptions in /etc/hosts.allow add:
    ftpd: .friendly.domain
    telnetd: [email protected]
    rlogind: 192.168.1.0/255.255.255.0
• To report on blocked access, in /etc/hosts.deny:
    ALL : ALL : spawn (echo Attempt from %h %a to %d at `date` | tee -a /var/log/tcp.deny.log | mail [email protected] )
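To make the allow-then-deny-then-grant order on the previous slides concrete, here is an added example (not SCO code, and not tcpd itself) that models tcpd's decision in shell over a constructed hosts.allow and hosts.deny in a temp dir. It handles the client patterns used on this slide: ALL, a leading-dot domain suffix, an exact host or address, and a dotted-quad net/mask. It deliberately ignores the shell_command field after a third colon and user@host patterns (which need identd), so it is a model of the rule order, not a replacement for tcpdmatch.

```shell
#!/bin/sh
# Added example (not SCO code): model of the hosts_access(SFF) decision
# order -- a match in hosts.allow grants, else a match in hosts.deny denies,
# else access is granted. Rule files are constructed under a temp dir; on a
# real system they are /etc/hosts.allow and /etc/hosts.deny.
WRAPDIR=${WRAPDIR:-$(mktemp -d)}
cat > "$WRAPDIR/hosts.allow" <<'EOF'
# constructed: the "mostly closed" exceptions
ftpd:    .friendly.domain
rlogind: 192.168.1.0/255.255.255.0
sshd:    ALL
EOF
cat > "$WRAPDIR/hosts.deny" <<'EOF'
ALL: ALL
EOF

# Dotted quad -> 32-bit integer, for the net/mask comparison.
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does one client pattern match the client host name / address?
# Only dotted-quad masks are handled, as on the slide (no /24 prefixes).
client_match() {
    pat=$1 host=$2 addr=$3
    case $pat in
        ALL) return 0 ;;
        .*)  case $host in *"$pat") return 0 ;; esac ;;          # domain suffix
        */*) net=${pat%/*} mask=${pat#*/}
             [ $(( $(ip2int "$addr") & $(ip2int "$mask") )) -eq \
               $(( $(ip2int "$net")  & $(ip2int "$mask") )) ] && return 0 ;;
        *)   [ "$pat" = "$host" ] || [ "$pat" = "$addr" ] && return 0 ;;
    esac
    return 1
}

# Does any rule in the file match daemon + client? Lists are comma separated.
file_match() {
    file=$1 daemon=$2 host=$3 addr=$4
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        dlist=${line%%:*}
        clist=${line#*:}; clist=${clist%%:*}        # drop any shell_command field
        dok=1
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            [ "$d" = ALL ] && dok=0
            [ "$d" = "$daemon" ] && dok=0
        done
        [ $dok -eq 0 ] || continue
        for c in $(printf '%s' "$clist" | tr ',' ' '); do
            client_match "$c" "$host" "$addr" && return 0
        done
    done < "$file"
    return 1
}

# The decision tcpd makes: prints grant or deny, returns 0 or 1 accordingly.
hosts_access() {
    if file_match "$WRAPDIR/hosts.allow" "$1" "$2" "$3"; then echo grant; return 0; fi
    if file_match "$WRAPDIR/hosts.deny"  "$1" "$2" "$3"; then echo deny;  return 1; fi
    echo grant; return 0            # neither file matched: the default is open
}
```

Emptying hosts.deny turns the same hosts.allow into a "mostly open" policy, which is the point of the last bullet on the preceding slide: the allow file never denies anything by itself.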


OpenServer 6 and OpenSSH

OpenServer 6 MP2 ships with OpenSSH_4.2p1. The package provides:
• ssh(1) (aka slogin(1)) for secure, encrypted login and remote command execution
• scp(1) for secure, encrypted remote copy
• sftp(1) for secure, encrypted file transfer
Can also be used for, among other things:
• Local port forwarding
• Dynamic port forwarding
• X11 forwarding


OpenServer 6 and OpenSSH

OpenServer 6 ssh(1) Authentication:
• Host-based authentication using /etc/ssh/shosts.equiv and/or ~/.shosts together with /etc/ssh/ssh_known_hosts and/or ~/.ssh/known_hosts
• RSA/DSA public key authentication using ~/.ssh/authorized_keys
• Keyboard username and password authentication (default fallback)
• Avoid SSH protocol 1, which is less secure than protocol 2: set "Protocol 2" in sshd_config and ssh_config so it cannot be negotiated at all
• Always use RSA rather than DSA keys if possible


OpenServer 6 and OpenSSH

Windows to OpenServer 6.0.0 RSA Authentication:
• Use a key generator on your Windows PC to generate your public and private keys and save the keys to a directory on your PC
• On the OpenServer 6 system create the .ssh directory using:
    mkdir $HOME/.ssh
    chmod 700 $HOME/.ssh
• Create $HOME/.ssh/authorized_keys and paste your public key into this file; make it mode 600, because with the default StrictModes sshd refuses to use a key file that others can write
• On the Windows PC configure your ssh terminal emulator to use your private key


OpenServer 6 and OpenSSH

OpenServer 6 to OpenServer 6 RSA Authentication:
• On the "client" OpenServer 6 system generate keys using:
    ssh-keygen -t rsa
• On the "server" OpenServer 6 system create the .ssh directory using:
    mkdir $HOME/.ssh
    chmod 700 $HOME/.ssh
• Create $HOME/.ssh/authorized_keys (mode 600) and paste the $HOME/.ssh/id_rsa.pub public key from the client OpenServer 6 system into this file
• Login from the OpenServer 6 client system using:
    ssh <server_name>    or    ssh <user>@<server_name>
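The two key-installation slides above describe the same server-side steps by hand. The function below is an added example, not SCO code: it installs a public key into $HOME/.ssh/authorized_keys with the checks a practitioner wants and which the slides skip: the pasted line must look like an OpenSSH public key, the same key is not appended twice, and the home directory, .ssh and authorized_keys get the permissions sshd's StrictModes insists on. The key used in the test is a constructed placeholder, not real key material, and the test runs against a temporary directory standing in for $HOME.

```shell
#!/bin/sh
# Added example (not SCO code): install a public key into
# <home>/.ssh/authorized_keys with format check, dedupe and the
# permissions sshd's StrictModes requires (home not group/world writable,
# .ssh 700, authorized_keys 600).
install_authorized_key() {
    home=$1 key=$2
    # accept only "ssh-rsa <base64> [comment]" / "ssh-dss ..." lines
    printf '%s\n' "$key" | grep -Eq '^ssh-(rsa|dss) [A-Za-z0-9+/]+=* *' || return 2
    [ -d "$home" ] || return 3
    chmod go-w "$home"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    # dedupe on the key material (type + base64), ignoring the comment
    kmat=$(printf '%s' "$key" | awk '{ print $1, $2 }')
    if ! awk -v k="$kmat" '($1 " " $2) == k { found = 1 } END { exit !found }' \
            "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
}

# Number of keys currently authorized for the account whose home is $1.
authorized_key_count() { grep -c '^ssh-' "$1/.ssh/authorized_keys"; }

# Octal mode of a path (GNU stat, with a BSD fallback) so the permission
# checks can be verified after the install.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
```

Usage on the server is install_authorized_key "$HOME" "$(cat id_rsa.pub)" with the id_rsa.pub copied over from the client; a non-zero return means the pasted text was not a key (2) or the home directory does not exist (3), rather than silently writing junk into the file.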


OpenServer 6 and OpenSSH

OpenServer 6 ssh(1) Host Based Authentication:
• Host-based authentication can use /etc/ssh/shosts.equiv and/or ~/.shosts together with /etc/ssh/ssh_known_hosts and/or ~/.ssh/known_hosts
• Server side configuration: create $HOME/.shosts with
    192.168.1.250 jboland
    jrbosr6.it.sco.com jboland
    jrbosr6 jboland
• Edit /etc/ssh/sshd_config and change/add:
    HostbasedAuthentication yes
    IgnoreUserKnownHosts yes
    IgnoreRhosts yes
• Note the interaction between these settings: IgnoreRhosts yes makes sshd ignore ~/.rhosts and ~/.shosts and consult only /etc/ssh/shosts.equiv, so with the settings shown the $HOME/.shosts entries above will not be used; either set IgnoreRhosts no or put the entries in /etc/ssh/shosts.equiv. Likewise IgnoreUserKnownHosts yes means the client's host key must be present in /etc/ssh/ssh_known_hosts on the server, not only in ~/.ssh/known_hosts.


OpenServer 6 and OpenSSH

OpenServer 6 ssh(1) Host Based Authentication: Server Side Configuration [contd]:
• Restart sshd using:
    tcp restart
• Client side configuration: edit /etc/ssh/ssh_config and change/add:
    HostbasedAuthentication yes
    EnableSSHKeysign yes
• From the client login to the server using:
    ssh <server_name>
• To debug use:
    ssh -v <server_name>


OpenServer 6 and OpenSSH

Uses for ssh: Dynamic Port Forwarding
• Dynamic port forwarding allows forwarding of traffic via a local SOCKS proxy server to a remote secure server using ssh(1)
• (Diagram: client application -> Local SOCKS Proxy Server -> encrypted ssh session -> Secure ssh Server -> The Internet)


OpenServer 6 and OpenSSH

Setup Dynamic Port Forwarding on OpenServer 6:
• Set up a SOCKS proxy server using the command below. Root is not needed, since 1080 is an unprivileged port, and by default ssh binds the proxy to the loopback interface only, so other hosts cannot route through it:
    ssh -D 1080 jboland@<fqdn of OSR6 ssh server>
• To configure Mozilla to use the SOCKS proxy:
  • Run mozilla
  • Select Edit -> Preferences... -> Advanced -> Proxies
  • Click "Manual Proxy Configuration"
  • In the SOCKS Host: field put localhost
  • In the Port: field put 1080
  • Click on OK


OpenServer 6 and OpenSSH

Setting up Dynamic Port Forwarding on Windows: set up a SOCKS proxy server using PuTTY as follows:
• Launch PuTTY
• Enter the host name of the remote server
• Select Connection -> SSH -> Tunnels
• Enter 1080 in the Source port field
• Click on the Dynamic radio button
• Click Add
• Click Open


OpenServer 6 and OpenSSH

Setting up Dynamic Port Forwarding on Windows: configure Firefox to use the SOCKS proxy as follows:
• Launch Firefox
• Select Tools -> Options -> Advanced -> Network
• Click on Settings
• Check the "Manual proxy configuration:" radio button
• Enter localhost in the SOCKS Host: field
• Enter 1080 in the Port: field next to it
• Click OK
• Click OK
Firefox is now configured to use the SOCKS proxy


OpenServer 6 and OpenSSH

Setting up Dynamic Port Forwarding on Windows: configure PuTTY to use the SOCKS proxy as follows:
• Launch PuTTY
• Enter the host name of the remote server
• Select Connection -> Proxy
• Check SOCKS 5 as the proxy type
• Enter localhost as the proxy hostname and 1080 for the port
• Click Open
PuTTY is now configured to use the SOCKS proxy


OpenServer 6 and IPsec

What is IPsec: IPsec allows you to:
• Encrypt IP packets between hosts and subnets
• Authenticate IP packets between hosts and subnets
• Defined in http://www.ietf.org/rfc/rfc2401.txt
Authentication can be performed using expanded IPsec headers, keys or certificates
IPsec requirements:
• OpenSSL 0.9.7 or later; check with:
    openssl version
• A configured and functioning network connection


OpenServer 6 and IPsec

IPsec Terminology:
• Two types of IPsec configuration (modes):
  • Transport protects the IP payload only; the original IP header travels in clear
  • Tunnel protects the whole original packet, header included, inside a new outer IP header
• Two types of protocol:
  • Authentication Header (AH) does authentication only, no encryption, and is not recommended here
  • Encapsulating Security Payload (ESP) does encryption and, when an authentication algorithm is configured, authentication as well
• In an IPsec configuration file:
  • SAD is the Security Association Database (the keys and algorithms of each security association)
  • SPD is the Security Policy Database (which traffic must use which security association)


OpenServer 6 and IPsec

To enable IPsec in the kernel:
• Edit /etc/conf/pack.d/inet/space.c changing
    int ipsec_enable = 0;
  to
    int ipsec_enable = 1;
• Relink the kernel using:
    /etc/conf/bin/idbuild -M inet
• Reboot the server using:
    shutdown -y -g0 -i6


OpenServer 6 and IPsec

Simple OSR6 to OSR6 IPsec configuration: on "sysa" create /etc/inet/sysa.ipsec.conf with:
    add <sysa ip> <sysb ip> esp 0x10001 -m transport
        -E 3des-cbc "thescogp12341234thescogp" ;
    add <sysb ip> <sysa ip> esp 0x10002 -m transport
        -E 3des-cbc "thescogp43214321thescogp" ;
    spdadd <sysb ip>[any] <sysa ip>[any] tcp -P in ipsec esp/transport/<sysb ip>-<sysa ip>/use ;
    spdadd <sysa ip>[any] <sysb ip>[any] tcp -P out ipsec esp/transport/<sysa ip>-<sysb ip>/use ;
The two keys shown are placeholders to be replaced by 24 random bytes each (3des-cbc needs a 192-bit key); keep the file mode 600, since anyone who can read it can decrypt the traffic. Note the "use" policy level: if no matching SA is loaded the traffic is still sent in clear; "require" drops it instead.


OpenServer 6 and IPsec

Simple OSR6 to OSR6 IPsec configuration: on "sysb" create /etc/inet/sysb.ipsec.conf with:
    add <sysa ip> <sysb ip> esp 0x10001 -m transport
        -E 3des-cbc "thescogp12341234thescogp" ;
    add <sysb ip> <sysa ip> esp 0x10002 -m transport
        -E 3des-cbc "thescogp43214321thescogp" ;
    spdadd <sysa ip>[any] <sysb ip>[any] tcp -P in ipsec esp/transport/<sysa ip>-<sysb ip>/use ;
    spdadd <sysb ip>[any] <sysa ip>[any] tcp -P out ipsec esp/transport/<sysb ip>-<sysa ip>/use ;
The SA (add) entries are identical on both hosts; only the in/out policy direction is mirrored.


OpenServer 6 and IPsec

Loading the IPsec configuration:
• On sysa run setkey(ADM):
    ipseckey -f /etc/inet/sysa.ipsec.conf
• On sysb run setkey(ADM):
    ipseckey -f /etc/inet/sysb.ipsec.conf
• To see the ESP traffic:
    tcpdump host sysa and sysb
• To see the IPsec network statistics run:
    netstat -nsp ipsec
• To remove/flush the SAD and SPD entries use:
    ipseckey -F
    ipseckey -FP
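The manual-keying files on the three previous slides are written by hand with a fixed, guessable key string. The script below is an added example, not SCO code: it generates both per-host files for the same two-SA transport setup, with a fresh random 192-bit 3DES key per direction drawn from /dev/urandom, the policy level as a parameter so the difference between "use" and "require" is explicit, and mode 600 on the output. It assumes that ipseckey accepts setkey-style keys written as 0x followed by hex digits, as KAME setkey does; the output directory and the two addresses are parameters, and the checker functions at the end are there to verify what was written.

```shell
#!/bin/sh
# Added example (not SCO code): write sysa.ipsec.conf and sysb.ipsec.conf
# for the two-SA transport-mode setup on the slides, with random 3DES keys.
# Assumes ipseckey takes 0x-hex keys like KAME setkey.
rand_hex() { od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'; }   # $1 = bytes

# gen_ipsec_conf <dir> <sysa ip> <sysb ip> [use|require]
# The SAs (add lines) are identical on both hosts; only the in/out policy
# is mirrored. "require" is the default here: with "use", traffic without a
# matching SA still leaves the host in clear.
gen_ipsec_conf() {
    dir=$1 a=$2 b=$3 level=${4:-require}
    case $level in use|require) ;; *) return 2 ;; esac
    ka=0x$(rand_hex 24)                   # 3des-cbc needs a 192-bit key
    kb=0x$(rand_hex 24)                   # a separate key for the reverse SA
    sas="add $a $b esp 0x10001 -m transport -E 3des-cbc $ka ;
add $b $a esp 0x10002 -m transport -E 3des-cbc $kb ;"
    {
        printf '%s\n' "$sas"
        printf '%s\n' "spdadd $b[any] $a[any] tcp -P in ipsec esp/transport/$b-$a/$level ;"
        printf '%s\n' "spdadd $a[any] $b[any] tcp -P out ipsec esp/transport/$a-$b/$level ;"
    } > "$dir/sysa.ipsec.conf"
    {
        printf '%s\n' "$sas"
        printf '%s\n' "spdadd $a[any] $b[any] tcp -P in ipsec esp/transport/$a-$b/$level ;"
        printf '%s\n' "spdadd $b[any] $a[any] tcp -P out ipsec esp/transport/$b-$a/$level ;"
    } > "$dir/sysb.ipsec.conf"
    chmod 600 "$dir"/sys?.ipsec.conf      # the files hold the keys
}

# Checks a reviewer runs on a generated file:
# key_of <file> <spi>      -> the key configured for that SPI
# policy_level <file> <in|out> -> the level (use/require) of that policy
key_of() { awk -v spi="$2" '$1 == "add" && $5 == spi { print $10 }' "$1"; }
policy_level() {
    awk -v d="$2" '$1 == "spdadd" && $6 == d { n = split($8, p, "/"); print p[n] }' "$1"
}
```

Run gen_ipsec_conf /etc/inet <sysa ip> <sysb ip> on one host, copy the other host's file across by a channel you already trust (scp over the ssh setup earlier in this session), and load each with ipseckey -f as on the slide; the keys must match on both ends, which key_of lets you confirm before debugging anything else.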


OpenServer 6 and IPsec

Using racoon for automatic key management
• Keys need to be changed to maintain security
• Manual changing of keys is time consuming and prone to error
• racoon(ADM) is a daemon that manages keys (and certificates) on behalf of IPsec
• racoon(ADM) uses the Internet Key Exchange (IKE) protocol to negotiate keys securely between hosts


OpenServer 6 and IPsec

To configure racoon(ADM):
• On sysa create the file /etc/inet/psk.txt with:
    <sysb ip> <pre-shared key>
  The pre-shared key is a secret known only to sysa and sysb; make it long and random, not a word.
• Make sure this file has perms 0400:
    chmod 0400 /etc/inet/psk.txt
• On sysa create the file /etc/inet/sysa.ipsec.conf with:
    spdadd <sysb ip>[any] <sysa ip>[any] tcp -P in ipsec esp/tunnel/<sysb ip>-<sysa ip>/require ;
    spdadd <sysa ip>[any] <sysb ip>[any] tcp -P out ipsec esp/tunnel/<sysa ip>-<sysb ip>/require ;
  With racoon there are no manual add lines: the SAs are negotiated on demand when a policy first matches traffic.
• Perform similar steps on sysb (its psk.txt lists <sysa ip> with the same key, and the spdadd directions are mirrored)


OpenServer 6 and IPsec

To configure racoon(ADM) [contd]: on sysa create the file /etc/inet/racoon.conf with:
    path pre_shared_key "/etc/inet/psk.txt" ;
    log debug;
    remote anonymous
    {
        exchange_mode aggressive ;
        my_identifier address <sysa ip> ;
        lifetime time 1 hour ;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key ;
            dh_group 2 ;
        }
        proposal_check obey;
    }
Note on exchange_mode: aggressive mode with a pre-shared key sends the PSK-derived hash in the clear, so a captured negotiation can be attacked offline with a word list. Both ends have fixed addresses here, so main mode (exchange_mode main) works and avoids that exposure. Turn "log debug" down once the tunnel is up.


OpenServer 6 and IPsec

To configure racoon(ADM) [contd]: /etc/inet/racoon.conf on sysa [contd]:
    sainfo anonymous
    {
        pfs_group 2;
        lifetime time 10 hour ;
        encryption_algorithm 3des, blowfish;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
    }
Create a similar file on sysb (with my_identifier address <sysb ip>)


OpenServer 6 and IPsec

To start racoon:
• Permissions need to be changed on /usr/sbin/racoon:
    chmod +x /usr/sbin/racoon
• Start racoon on sysa and sysb using:
    /usr/sbin/racoon &
• Configuration and start-up errors are logged in /var/adm/syslog
• On sysa run setkey(ADM):
    ipseckey -f /etc/inet/sysa.ipsec.conf
• On sysb run setkey(ADM):
    ipseckey -f /etc/inet/sysb.ipsec.conf


OpenServer 6 and IPsec

To stop and restart racoon:
• To stop racoon run:
    kill -9 `cat /etc/inet/racoon.pid`
    rm /tmp/.racoon
• Restart using:
    /usr/sbin/racoon &


OpenServer 6 and IPF

IP Filter Firewall Package for OpenServer 6.0.0
• For a detailed HOW TO on firewall setup see:
    http://osr600doc.sco.com/en/NET_tcp/ipf-howto.html
• See also: ipf(ADMN), ipfilter(M) and ipnat(ADMN)
• Enable IP Filter as root using:
    mkdev ipf
• Display the current incoming and outgoing rules with:
    ipfstat -io


Session Objectives

You should now:
• Understand the ISL differences between OpenServer 6 and OpenServer 5 relating to networking
• Understand how netconfig(ADM) differs between OpenServer 6 and OpenServer 5
• Be aware of how OpenServer 6 networking starts on system boot
• Know how to enable TCP Wrappers on inetd services
• Know how to configure and use ssh(1)
• Be able to configure a simple VPN using IPsec


Questions?

Any questions now?

For questions you think about later:

[email protected]