
Steve's RHCE Study Guide



4. Boot Loaders

4.1 Concepts

1. Invocation

Invocation of the boot loader usually occurs in one of two ways:

o BIOS loads the first stage boot loader from the drive's MBR.

o BIOS loads another boot loader which then loads the first stage boot loader from a partition's boot sector.

The first stage boot loader is also known as the Initial Program Loader (IPL). It must be less than 512 bytes in size, so it is fairly limited. Its primary job is to load a more functional boot loader (a.k.a. the second stage boot loader).

2. Configuration

There are two different ways to configure a boot loader:

o Install the first stage of the boot loader on the MBR. It can then be configured to pass control to any desired operating system.

o Install the first stage of the boot loader in the boot sector of a partition. Another boot loader is then installed on the MBR. This other boot loader must be configured to pass control to the Linux boot loader.

4.2 Lilo

1. Configuration File

o /etc/lilo.conf

Sample File:

prompt                          # Present lilo prompt so user can interact with lilo
timeout=50                      # Timeout in milliseconds to wait for user interaction
default=linux                   # Default image to boot
boot=/dev/hda6                  # Specifies boot device (Location to install primary boot loader)
                                # To install in the MBR, specify /dev/hda
map=/boot/map                   # Location of map file
install=/boot/boot.b            # Location of Second stage boot loader
password=some_passwd            # A password required to boot
restricted                      # Password only required if options are entered at boot prompt
message=/boot/message           # Text message or splash screen (PCX) that will be displayed at boot time.
linear

# Image definition
image=/boot/vmlinuz-2.4.7-10    # Specifies location of the virtual memory compressed kernel
    label=linux
    initrd=/boot/initrd-2.4.7-10.img   # Initial RAM Disk
    read-only
    root=/dev/hda9              # Location of root file system

other=/dev/hda1                 # Image definition optional
    label=windows

See lilo.conf man page for an example.

2. Command Line Options

o -t - Test lilo configuration, but don't actually install.

o -v - Verbose

3. Boot Time arguments

Command line options can be entered at the boot prompt by appending it to the image that you are booting. For example:

linux root=/dev/hda5 mem=128M 1


Tells lilo to boot the kernel with a label of "linux" into runlevel 1 using /dev/hda5 as the root filesystem. It also states the machine has 128 MB of RAM.

If lilo has been password protected, you will be required to enter the password before booting.

4. Errors

The 'LILO' prompt itself can be used to help diagnose boot related errors. The number of letters presented at the LILO prompt can indicate the success or failure of the boot loader.

o L = First stage boot loaded and started. Usually indicates disk problems or invalid options in /etc/lilo.conf.

o LI = Second stage boot loaded from /boot, but /etc/lilo.conf has invalid parameters or /boot/boot.b was moved without re-running /sbin/lilo.

o LIL = Second stage loader started, but the descriptor table can't be loaded due to a bad disk or invalid parms in /etc/lilo.conf.

o LIL? = Second stage loaded at an incorrect address because of invalid parms in /etc/lilo.conf or /boot/boot.b was moved without re-running /sbin/lilo.

o LIL- = Descriptor table is corrupt. Caused by invalid parms in /etc/lilo.conf or /boot/boot.b was moved without re-running /sbin/lilo.

o LILO = All of LILO loaded correctly.

5. Limitations

o Must be installed on the 1st or 2nd IDE drive.

o Limited by BIOS (uses BIOS to load kernel off of disk).

o Must re-run /sbin/lilo every time you change your configuration.

6. Fixing a corrupt MBR

Use lilo to fix:

/sbin/lilo

7. Uninstalling LILO


When LILO overwrites an existing boot sector, it saves a copy of the original boot sector in /boot. The name of the original boot sector will be boot.MMmm where 'MM' is the major device number and 'mm' is the minor device number. So, the original boot sector from /dev/hda will be /boot/boot.0300.

To restore the original boot sector, use the dd command:

dd if=/boot/boot.0300 of=/dev/hda bs=446 count=1

The original boot sector is actually 512 bytes in length, but the remaining bytes after 446 are part of the partition table and we don't want to overwrite that in case it's changed.
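To make the 446-byte boundary concrete, here is an added example (not from the study guide) that replays the dd restore on constructed 512-byte sector images in a temporary directory instead of /dev/hda. The file names boot.0300 and mbr.img inside that directory are stand-ins, and conv=notrunc is added only because the target here is a regular file rather than a block device.

```shell
#!/bin/sh
# Added example, not from the study guide. Replays the restore from above on
# constructed 512-byte sector images rather than /dev/hda, then checks that
# only the 446-byte code area changed while the 64-byte partition table and
# the 0x55 0xAA boot signature (bytes 446-511) were left untouched.

# make_sector FILE CODE_CHAR TABLE_CHAR
# Builds a fake sector: 446 bytes of CODE_CHAR as boot code, a 64-byte fake
# partition table filled with TABLE_CHAR, and the two-byte 0x55AA signature.
make_sector() {
    {
        dd if=/dev/zero bs=446 count=1 2>/dev/null | tr '\000' "$2"
        dd if=/dev/zero bs=64 count=1 2>/dev/null | tr '\000' "$3"
        printf '\125\252'          # 0x55 0xAA written as octal escapes
    } > "$1"
}

# restore_boot_code SAVED TARGET
# The guide's command plus conv=notrunc: on a regular file dd would otherwise
# truncate TARGET to 446 bytes. A block device cannot be truncated, which is
# why the original command does not need the option.
restore_boot_code() {
    dd if="$1" of="$2" bs=446 count=1 conv=notrunc 2>/dev/null
}

# hex_range FILE OFFSET LENGTH -> lowercase hex string of that byte range
hex_range() {
    tail -c +"$(( $2 + 1 ))" "$1" | head -c "$3" | od -An -tx1 | tr -d ' \n'
}

# verify_restore: runs the scenario and prints "ok" when the restore behaved as
# the text describes; otherwise prints the check that failed.
verify_restore() {
    dir=$(mktemp -d)
    saved="$dir/boot.0300"        # what LILO saved before it overwrote the MBR
    mbr="$dir/mbr.img"            # the current boot sector, with a newer table
    make_sector "$saved" O P
    make_sector "$mbr"   L Q
    table_before=$(hex_range "$mbr" 446 66)

    restore_boot_code "$saved" "$mbr"

    result=ok
    [ "$(wc -c < "$mbr")" -eq 512 ]                     || result="size changed"
    [ "$(hex_range "$mbr" 0 446)" = "$(hex_range "$saved" 0 446)" ] \
                                                       || result="code area not restored"
    [ "$(hex_range "$mbr" 446 66)" = "$table_before" ] || result="partition table clobbered"
    [ "$(hex_range "$mbr" 510 2)" = "55aa" ]           || result="signature lost"
    rm -rf "$dir"
    echo "$result"
}

verify_restore
```

Drop conv=notrunc from the restore and the size check fails, which is exactly what would have happened to the partition table had the count been 512 instead of 446.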

8. Initial RAM Disk

o Need: Allows necessary drivers to be loaded at boot time that aren't compiled directly into the kernel.

o Creation: Use mkinitrd to create the initial RAM disk:

o mkinitrd /boot/initrd-2.4.7-10 2.4.7-10

o Setup: Specify in /etc/lilo.conf file as shown above.

4.3 Grub

1. Features

o Command line interface available at boot prompt.

o Can boot from multiple file systems including ext2/3, Reiserfs, FAT, minix, and FFS

o Password protection using MD5

o Changes to configuration file take effect immediately. Don't have to re-install MBR.

2. Configuration File

o /boot/grub/grub.conf

Sample Configuration:

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/hdb5
# initrd /initrd-version.img
#boot=/dev/hdb
default=0                               # Default to First definition for booting
timeout=10                              # Time in seconds to wait for user interaction
splashimage=(hd1,0)/grub/splash.xpm.gz  # Splash Screen
password --md5 $1$簋饋菎$Z..............  # Password protection

title Red Hat Linux (2.4.17)            # First definition
    root (hd1,0)
    kernel /vmlinuz-2.4.17 ro root=/dev/hdb5

title Red Hat Linux (2.4.17pre2-pk)     # Second definition
    root (hd1,0)
    kernel /vmlinuz-2.4.17pre2-pk ro root=/dev/hdb5

title Red Hat Linux (2.4.17pre2)
    root (hd1,0)
    kernel /vmlinuz-2.4.17pre2 ro root=/dev/hdb5

title Windows 98SE
    rootnoverify (hd0,0)
    makeactive
    chainloader +1

3. Boot Time arguments

In order to pass arguments to the image being booted, you must enter menu editing mode, or enter the grub command line. If GRUB has been password protected, you'll need to enter 'p' followed by your password first.

To enter menu editing mode, select an entry and press 'e'. This will allow you to modify an existing boot setup and pass options to the kernel as well as init.


The GRUB command line allows you to create boot commands that don't exist in your grub.conf file. You can also run diagnostic tests and view the contents of files on your file systems.

4. Device Names according to Grub

o (fd0) - First floppy drive detected by BIOS

o (hd0) - First hard drive detected by BIOS (SCSI or IDE)

o (hd1,3) - Fourth partition on the 2nd hard drive detected by the BIOS

5. Fixing a corrupt MBR

Use grub-install to fix:

/sbin/grub-install /dev/hda

6. Multi-disk scenario

In this situation, we have a nameless OS installed on /dev/hda and Linux installed on /dev/hdb. We need to set up grub to boot both OSes. This involves installing the first stage of grub on the MBR of /dev/hda and the second stage of grub on the /boot partition of /dev/hdb. We will use the grub configuration file listed above. This scenario assumes you either have a working system or are running in rescue mode chroot'd to /mnt/sysimage.

o Launch a grub shell:

/sbin/grub

Note: The remaining steps will be performed from within the "grub shell".

o Set the root device:

root (hd1,0)

o Specify where to install various boot stages:

install (hd1,0)/grub/stage1 d (hd0) (hd1,0)/grub/stage2 p (hd1,0)/grub/grub.conf

The above command line can be broken down as follows:

install <stage-1> d <install-disk> <stage-2> p <config file>


4.4 DOS Based

1. Loadlin - Capable of booting multiple OSes

2. Syslinux - Used by RH installation program.


5. Boot up

5.1 Steps

1. BIOS loads first stage boot loader from the first sector of available disks (floppy, hard drive, cd-rom, etc.)

2. First stage boot loader then loads the second stage boot loader.

3. Second stage boot loader allows user to choose what kernel to boot.

4. Chosen kernel then booted and devices are initialized.

5. Kernel then executes init process.

6. Init starts services according to /etc/inittab:

o rc.sysinit - System initialization scripts

1. Mounts /proc.

2. Configures Kernel parameters (via sysctl)

3. Configures system clock.

4. Sets host name.

5. Initialize USB and HID devices.

6. Configure PnP.

7. Determines module dependencies.

8. Setup any RAID devices.

9. Performs file system checks if needed.


10. Mounts file systems.

11. Starts user quotas.

12. Enable process accounting.

13. Starts swap.

14. Initialize serial ports.

15. Dump boot messages to /var/log/dmesg

16. Much more....

o rc - Configures services based on runlevel

1. Stop services that begin with "K" in /etc/rcX.d where X is the runlevel.

2. Start services that begin with "S" in /etc/rcX.d where X is the runlevel.

o rc.local - Configures any system specific information (deprecated).

o Other, runlevel specific services started according to /etc/inittab.

1. mingetty (except for runlevel 1).

2. xdm (runlevel 5).

5.2 /etc/inittab

This file contains information needed by init to configure the system. Entries in the file have a specific format:

id:runlevel:style:command to run

1. id - A 1-4 character field that creates a unique identifier for the entry.

2. runlevel - Specifies the runlevel(s) that the entry applies to.

3. style - Specifies how the command is executed.

o respawn - Process is restarted if it ever dies.

o wait - Process is started once when the specified runlevel is entered. Init will wait for it to finish before proceeding.


o once - Process will be executed once when the specified runlevel is entered.

o boot - Process will be executed during system boot (runlevel field is ignored).

o bootwait - Same as boot, except init will wait for it to complete before continuing.

o initdefault - Specifies default run level (command field ignored).

o sysinit - Process executed during boot before any boot or bootwait entries.

o powerwait - Process executed when power goes down. Init waits for it to complete.

o powerfail - Same as powerwait, except init doesn't wait for it to complete.

o powerokwait - Executed when power is restored. Init waits for it to complete.

o powerfailnow - Executed when battery on UPS is almost dead.

o ctrlaltdel - Process executed when init receives SIGINT signal (CTRL+ALT+DEL was pressed).

4. command - Specifies process to execute.

5.3 Viewing boot up information

1. Boot information displayed during boot up is stored in /var/log/dmesg.

2. Use 'dmesg' command to view.

5.4 Run Levels

0 - Halt (Don't set default runlevel to this!)
1 - Single User mode
2 - Multi-user mode without NFS
3 - Full multi-user mode
4 - Unused
5 - X11 (with networking)
6 - Reboot (Don't set default runlevel to this!)
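As an added example that is not part of the study guide, the following script checks a constructed inittab against the entry format from 5.2 and the runlevel advice above. The sample entries and the audit_inittab and finding_count names are made up here; the sample deliberately contains four problems.

```shell
#!/bin/sh
# Added example, not from the study guide. Audits an inittab against the entry
# format in 5.2 and the runlevel advice in 5.4. The sample file is constructed
# here and deliberately contains four problems; run audit_inittab /etc/inittab
# to check a real one.

SAMPLE_INITTAB=$(mktemp)
cat > "$SAMPLE_INITTAB" <<'EOF'
# constructed sample, loosely modelled on a Red Hat 7.x inittab
id:6:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
1:2345:respawn:/sbin/mingetty tty2
x:5:respawn:/etc/X11/prefdm -nodaemon
toolong:3:once:/bin/true
bad:3:sometimes:/bin/true
EOF

# audit_inittab FILE
# Prints one line per finding and nothing when the file passes. Checks: four
# colon-separated fields, a 1-4 character unique id, a known action, exactly
# one initdefault, and an initdefault that is not runlevel 0 or 6.
audit_inittab() {
    awk -F: '
        BEGIN {
            # the actions listed in 5.2, plus ondemand/kbrequest/off, which
            # sysvinit also accepts
            split("respawn wait once boot bootwait initdefault sysinit powerwait powerfail powerokwait powerfailnow ctrlaltdel ondemand kbrequest off", a, " ")
            for (i in a) valid[a[i]] = 1
            defaults = 0
        }
        /^[[:space:]]*(#|$)/ { next }             # skip comments and blank lines
        {
            id = $1; levels = $2; action = $3
            if (NF < 4)
                printf "line %d: expected id:runlevel:action:command\n", NR
            if (length(id) < 1 || length(id) > 4)
                printf "line %d: id \"%s\" is not 1-4 characters\n", NR, id
            if (id in seen)
                printf "line %d: duplicate id \"%s\" (first used on line %d)\n", NR, id, seen[id]
            else
                seen[id] = NR
            if (!(action in valid))
                printf "line %d: unknown action \"%s\"\n", NR, action
            if (action == "initdefault") {
                defaults++
                if (levels ~ /[06]/)
                    printf "line %d: initdefault is runlevel %s; the system would halt or reboot as soon as it boots\n", NR, levels
            }
        }
        END {
            if (defaults != 1)
                printf "expected exactly one initdefault entry, found %d\n", defaults
        }' "$1"
}

# finding_count FILE -> number of findings, convenient for scripting
finding_count() {
    audit_inittab "$1" | wc -l | tr -d ' '
}

audit_inittab "$SAMPLE_INITTAB"
```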

5.5 Default Run Levels


1. Workstation/Laptop = 5

2. Server = 3

3. Custom with X = 5

4. Custom w/o X = 3


6. Service Management

6.1 Types of services

1. System V services

o Managed by System V init scripts

o Scripts are stored in /etc/init.d

2. xinetd services

o Services started by the xinetd daemon.

o xinetd service control files located in /etc/xinetd.d

o Defaults for xinetd set in /etc/xinetd.conf

o xinetd itself is a System V service.

3. init services

o Configured in /etc/inittab.

o Provides respawn capability if service dies.

6.2 Management tools

1. System V services

o service - Start/Stop services (CLI).

Example: To restart Apache:

service httpd stop


service httpd start

or

service httpd restart

o chkconfig - Configure services by runlevel (CLI). Doesn't affect currently running services. Defaults to runlevels 3,4, and 5 if none specified.

To enable Apache on runlevels 3, 4, and 5:

chkconfig httpd on # If runlevels aren't specified, default is 345

To enable Apache only on runlevels 3 & 5:

chkconfig --level 35 httpd on

o ntsysv - Configure services by runlevel (TUI).

Default is to configure current run level. Use "--level" option to specify a different runlevel.

o tksysv - Configure services by runlevel (GUI) (Deprecated).

2. xinetd services

o chkconfig - Configures running services. Takes effect immediately on xinetd services.

To start vsftp: chkconfig vsftp on

o Edit the service configuration file in /etc/xinetd.d/ directly. To enable, specify "disable = no". To disable, specify "disable = yes". After changing the file, xinetd must either be given a USR2 signal so it re-reads its configuration file or be restarted:

killall -USR2 xinetd

3. init services

The only way to modify init based services is to edit /etc/inittab. After modifying the file, activate the changes by executing "init q".


7. User & Group Administration

7.1 Adding Users

1. useradd

o Command line interface

o If not specified, defaults in /etc/default/useradd and /etc/login.defs are used.

o Defaults:

1. userid - lowest unused value >= UID_MIN in /etc/login.defs.

2. home directory - /home/<username>.

3. primary group - a group with the same name as the username.

4. shell - /bin/bash.

o Options:

o -u - userid
o -g - primary group
o -s - shell
o -d - home directory
o -c - comment (Commonly used to specify full name)
o -m - make the home directory if it doesn't already exist
o -M - don't create the user's home directory regardless of the defaults
o -G - a list of supplementary groups that the user will belong to (separate with commas)
o -n - don't create a group with the same name as the user
o -r - create a system account (uid < UID_MIN in /etc/login.defs)
o -D - displays defaults if no other options are given
o -b - change default home (when used with -D)
o -g - change default group (when used with -D)
o -s - change default shell (when used with -D)


o Copies the contents of /etc/skel into user's home directory to setup the default user environment.

o Can specify a password with useradd using the -p option, but recommend using /usr/bin/passwd to set the user's password.

o Example - To add user "steve" using all of the defaults and set his password, type:

useradd steve
passwd steve

o Login names can contain alphanumeric, -, and _. Maximum length is 256.

2. redhat-config-users

o GUI

o Uses same defaults as useradd.

o Can specify password.

7.2 Modifying Users

1. usermod

o Command line interface.

o Options: Similar as useradd above.

o Example - To change steve's shell to /bin/ksh, type:

usermod -s /bin/ksh steve

2. redhat-config-users

7.3 Deleting Users

1. userdel

o Command line interface.

o Options.

-r - removes the user's home directory and mail spool.


o Example - To remove user steve, his home directory, and his mail spool, type:

userdel -r steve

2. redhat-config-users

7.4 Adding Groups

1. groupadd

o Command line interface

o If not specified, defaults in /etc/login.defs are used.

o Defaults:

1. groupid - lowest unused value >= GID_MIN in /etc/login.defs.

o Options:

o -g - groupid
o -r - create a system group (gid < GID_MIN in /etc/login.defs)
o -f - exit with an error if group already exists

o Example - To add a group called "jedi" using the defaults, type:

groupadd jedi

2. redhat-config-users

7.5 Modifying Groups

1. groupmod

o Command line interface

o Options:

o -g - new groupid
o -n - new group name

o Example - To change the name of group "jedi" to "Jedi", type:

groupmod -n Jedi jedi


2. redhat-config-users

7.6 Deleting Groups

1. groupdel

o Command line interface

o Options: None

o Example - To remove group "Jedi", type:

groupdel Jedi

2. redhat-config-users

7.7 User environment configuration

1. Global

o /etc/profile

1. System wide environment setup for Bourne type shells (ksh, sh, bash, etc.)

2. Executed only for login shells.

3. Executes /etc/profile.d/*.sh

o /etc/bashrc

1. System wide functions and aliases for Bourne type shells (ksh, sh, bash, etc.)

2. Executed for all shell invocations.

o /etc/csh.login

1. System wide environment setup for C type shells (ksh, sh, bash, etc.)

2. Executed only for login shells.

3. Executes /etc/profile.d/*.csh

o /etc/csh.cshrc


1. System wide functions and aliases for C type shells (ksh, sh, bash, etc.)

2. Executed for all shell invocations.

2. Per User

Each user's home directory may contain several environment configuration files.

o .bashrc - Same as /etc/bashrc above.

o .bash_profile - same as /etc/profile above.

o .bash_logout - executed when the user logs out.

o .kde, .kderc - KDE configuration information.

o Desktop - GNOME configuration information.

o .xinitrc - Starts various X clients (not used in RH by default, see .Xclients instead).

o .Xclients - Executes .Xclients-default

o .Xclients-default - Starts the specified window manager

3. /etc/skel

This directory contains all of the default setup files that get copied to a users home directory when they are created.

7.8 User Private Groups

Red Hat uses the user private groups scheme. With this scheme, each user has their own primary group in which they are the sole member. This allows for a default umask of 002.

7.9 Shadow file

With traditional unix, user passwords were stored in the /etc/passwd file. Because this file has to be world readable in order for the system to function properly, it allowed everyone on the system to view the encrypted version of everyone's password. The shadow file fixes this problem. The user's encrypted password is now stored in the /etc/shadow file which is only readable by root.

7.10 Communicating with users

1. Determining who is Logged In

o users - Uses /var/run/utmp by default to determine who is logged in. Can specify another file to use such as /var/log/wtmp.

o w - Uses /var/run/utmp to report who is logged in. Also displays if the user is idle and the last command executed by the user.

o who - Uses /var/run/utmp by default to determine who is logged in. Can specify another file to use such as /var/log/wtmp. Also shows the tty the user is logged into, and the time he/she logged in.

2. User Related Commands

o tty - Displays the terminal that the tty command was executed on.

o wall - Sends a message to all users that are logged in locally.

o write - Creates a half-duplex communications with another user.

o mesg - Used to enable/disable incoming messages from other users. When disabled, it prevents other users from using the "write" command to talk to you.

7.11 User & Group Quotas

1. Overview

o Allow limitations to be set on the number of files and disk space used.

o Configured by user and/or group.

o ext2, ext3, and reiser file systems only (reiser supported as of RH 7.1).

o Kernel must be compiled with quota support (CONFIG_QUOTA=y).

o Enabled at boot time by rc.sysinit for any file system that has usrquota or grpquota listed in its options field.

o Quota information maintained by kernel while system is running.


2. File System Configuration

o /etc/fstab

Must set usrquota/grpquota options in /etc/fstab. For example, to enable user and group quotas on /home:

LABEL=/home /home ext3 defaults 1 2

should be changed to:

LABEL=/home /home ext3 defaults,usrquota,grpquota 1 2

o aquota.user & aquota.group

1. Exist in the root of each file system in which quotas are configured.

2. Store quota information.

3. Create with quotacheck:

quotacheck -vug /home

or

quotacheck -avug

To check all file systems that have quotas enabled in /etc/fstab.

quotacheck checks the current quota information for all users. It must be run to collect initial quota information.

Options:

-a - scan all file systems with quotas enabled in /etc/fstab
-v - verbose
-g - scan for group quotas
-u - scan for user quotas

3. Modifying quotas

edquota is used to modify user and group quotas.

o Users


edquota -u steve

Displays quota information for user steve in a text editor for editing. All file systems with quotas enabled are shown. Inode and block information can be changed.

o Groups

edquota -g users

Same as above only for group users instead.

o Prototypes

Once a user's quota has been configured, he/she can be used as a prototype for other users. For example, to use steve's quotas as a prototype for other users, type:

edquota -p steve luke darth yoda

This will copy steve's quota settings to luke, darth and yoda.

4. Enabling/Disabling Quotas

o To enable:

quotaon -ug /home

for a specific file system, or

quotaon -aug

for all file systems with quotas enabled in /etc/fstab

o To disable:

Same as quotaon, only use quotaoff instead.

5. Limits

o Soft

Maximum amount of space or files user/group can use.

o Hard


Only used if grace periods are in effect, otherwise they are ignored and soft limits are used to enforce file system limits.

o Grace Periods

If used, users may exceed their soft limits up to their hard limits for a period of days specified by the grace period. After the grace period expires, the user can no longer exceed their soft limit.

Grace periods are set using edquota -t.

6. Reporting

To report quota information, use repquota:

repquota -a
repquota -u /
repquota -u steve

The first line shows quota information for all users and groups for all file systems. The second line shows user quota information for the / file system. The third line shows quota information for user steve on all file systems.

7. Quota Conversion

Changes were made to quotas in RH 7.1. To convert older quotas from pre RH 7.1, use convertquota:

convertquota -ug /home

Converts old quotas in the /home file system to the new quotas. Note that the old quotas used quota.user and quota.group instead of aquota.user and aquota.group.

8. Quotas over NFS

Since NFS maps remote users to local users, set the quotas on the local users that you plan to map the remote users to.


8. Network Administration


8.1 Utilities

1. ifconfig

ifconfig is used to configure network interfaces.

Example:

ifconfig eth0 192.168.1.10 netmask 255.255.255.0 up

This configures interface eth0 with an IP of 192.168.1.10/255.255.255.0. Note that "up" is assumed if left off. A default network mask will also be determined by the IP if it is not specified.

2. route

route is used to configure routing information.

Example:

route add -net 10.20.30.40 netmask 255.255.255.248 eth0
route add -net 10.20.30.48 netmask 255.255.255.248 gw 10.20.30.41

The first line states that the route to network 10.20.30.40/255.255.255.248 is through our local interface eth0. The second line states that the route to network 10.20.30.48/255.255.255.248 is through gateway 10.20.30.41

3. arp

arp is used to administer the arp cache. It can view, add, and delete entries in the cache.

o View arp cache:

arp

This will display something like:

Address          HWtype  HWaddress          Flags Mask  Iface
192.168.1.1      ether   00:60:08:27:CE:A2  C           eth0
192.168.1.12     ether   00:80:5F:01:74:13  C           eth0
192.168.1.15     ether   00:60:08:27:CE:B2  CM          eth0
192.168.1.20     ether   00:A0:CC:25:9F:4C  C           eth0


The "C" flag means it's a complete entry. The "M" flag indicates it's an entry added manually and it is permanent.

o Add an entry:

arp -s 192.168.33.15 00:60:08:27:CE:B2

o Delete an entry:

arp -d 192.168.33.15

4. ping

ping is used to troubleshoot network/host connectivity. It uses ICMP echo request and echo reply to test the connectivity. If a host doesn't respond, it could be for any number of reasons:

o The remote host is down.

o The remote host is filtering ICMP packets.

o Some point in the network in-between the two hosts is down.

o A device in-between the two hosts is filtering ICMP packets.

Examples:

ping 192.168.1.12
ping -b 192.168.1.0

The first line pings a single host, 192.168.1.12. The second line performs a broadcast ping to all hosts on the 192.168.1.0 network.

5. traceroute

traceroute is also used to test network/host connectivity. However, it displays each hop along the way from the source to the destination. It can help you determine if the problem is with the remote host itself, or some point in-between the hosts.

Example:

traceroute 192.168.10.100


This will print a line for each hop in-between the local and remote host (192.168.10.100) as well as a line for the final destination up to a maximum of 30 hops.

6. netstat

netstat provides a lot of useful information, including:

o Routing tables.

o Interface statistics (dropped packets, buffer overruns, etc.)

o Network connections.

o Multicast memberships.

Examples:

netstat -i      # Display interface statistics
netstat -lpe    # Display all listening sockets and the programs that own them
netstat -r      # Display routing information
netstat -ape    # Show all listening and non-listening sockets

7. netconfig

o TUI based.

o Used to configure network interface.

o Used by text based installation methods.

8. redhat-config-network

This is a GUI administration tool that allows you to configure several aspects of your networking: interfaces, boot protocols, host resolution, routing, and more.

9. ifup / ifdown

These shell script wrappers allow you to bring an interface up and take it down. They use the configuration information in the /etc/sysconfig directory to configure the interface specified.

For example, to bring up interface eth0, simply type:

ifup eth0


8.2 Configuring Interfaces

1. Configuration files

The configuration files for network interfaces all reside in /etc/sysconfig. For a complete description of these configuration files, see /usr/share/doc/initscripts-X.XX/sysconfig.txt where X.XX is the version of initscripts that you have installed.

o network

Options:

NETWORKING=yes
HOSTNAME=localhost.localdomain

The first option enables networking, and the second sets the host name. A default gateway can also be specified here using the "GATEWAY=" option, but it is usually specified in the "ifcfg-<device>" scripts for devices now.

o network-scripts/ifcfg-<device>

This contains the configuration options for a single interface.

1. For a device that uses DHCP, it may look like:

DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes                  # Start at boot up?
IPXPRIMARY_802_2="no"
IPXACTIVE_802_2="no"
IPXPRIMARY_802_3="no"
IPXACTIVE_802_3="no"
IPXPRIMARY_ETHERII="no"
IPXACTIVE_ETHERII="no"
IPXPRIMARY_SNAP="no"
IPXACTIVE_SNAP="no"
TYPE=Ethernet
USERCTL=no                  # Allow users to control this interface?
NETWORK=192.168.33.0
BROADCAST=192.168.33.255
PEERDNS=no                  # Should we modify /etc/resolv.conf if using DHCP or BOOTP?

Most of the items above should be self explanatory. The only required options for a client using DHCP are "DEVICE" and "BOOTPROTO".

2. For a device using a statically assigned IP, it will look similar to this:

DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes                  # Start at boot up?
IPXPRIMARY_802_2="no"
IPXACTIVE_802_2="no"
IPXPRIMARY_802_3="no"
IPXACTIVE_802_3="no"
IPXPRIMARY_ETHERII="no"
IPXACTIVE_ETHERII="no"
IPXPRIMARY_SNAP="no"
IPXACTIVE_SNAP="no"
TYPE=Ethernet
USERCTL=no                  # Allow users to control this interface?
NETWORK=192.168.33.0
BROADCAST=192.168.33.255
PEERDNS=no                  # Should we modify /etc/resolv.conf if using msdns?
IPADDR=192.168.33.50
GATEWAY=192.168.33.1        # Default Gateway
NETMASK=255.255.255.0

The only required options are "DEVICE" and "IPADDR". Most of the other options can be derived from the IPADDR if your network is configured based on network classes. If you aren't subnetting on an octet, a netmask is required.
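An added example (not from the study guide) that carries out that derivation: the classful default mask implied by an IPADDR, the NETWORK and BROADCAST values that follow from IPADDR and NETMASK, and a consistency check over two constructed ifcfg-eth0 fragments, one of which subnets with a /29 mask while keeping class C NETWORK/BROADCAST lines. All function names are made up here.

```shell
#!/bin/sh
# Added example, not from the study guide. Works through the derivation the
# text relies on: the classful default netmask implied by IPADDR when NETMASK
# is absent, and the NETWORK and BROADCAST values that follow from IPADDR and
# the mask, so an ifcfg-<device> file can be checked for internal consistency.
# Addresses are assumed to be plain dotted quads without leading zeros.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# classful_mask IP -> the class A, B or C default mask chosen by the first octet
classful_mask() {
    first=${1%%.*}
    if   [ "$first" -lt 128 ]; then echo 255.0.0.0
    elif [ "$first" -lt 192 ]; then echo 255.255.0.0
    else                             echo 255.255.255.0
    fi
}

# network_of IP MASK -> network address (IP AND MASK)
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# broadcast_of IP MASK -> broadcast address (IP OR NOT MASK)
broadcast_of() {
    int_to_ip $(( $(ip_to_int "$1") | (~$(ip_to_int "$2") & 4294967295) ))
}

# check_ifcfg FILE
# Reads IPADDR/NETMASK/NETWORK/BROADCAST from an ifcfg file, falls back to the
# classful mask when NETMASK is missing, and prints one line for every NETWORK
# or BROADCAST value that disagrees with what IPADDR and the mask imply.
check_ifcfg() {
    ipaddr=$(sed -n 's/^IPADDR=//p' "$1")
    netmask=$(sed -n 's/^NETMASK=//p' "$1")
    network=$(sed -n 's/^NETWORK=//p' "$1")
    broadcast=$(sed -n 's/^BROADCAST=//p' "$1")
    [ -n "$netmask" ] || netmask=$(classful_mask "$ipaddr")
    want_net=$(network_of "$ipaddr" "$netmask")
    want_bc=$(broadcast_of "$ipaddr" "$netmask")
    [ -z "$network" ]   || [ "$network" = "$want_net" ] || \
        echo "NETWORK=$network but IPADDR/NETMASK give $want_net"
    [ -z "$broadcast" ] || [ "$broadcast" = "$want_bc" ] || \
        echo "BROADCAST=$broadcast but IPADDR/NETMASK give $want_bc"
}

# Two constructed ifcfg-eth0 fragments. The first omits NETMASK and is
# consistent under the classful default; the second keeps the class C
# NETWORK/BROADCAST lines but subnets with a /29 mask, the case the text
# warns about.
OK_IFCFG=$(mktemp)
cat > "$OK_IFCFG" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.33.50
NETWORK=192.168.33.0
BROADCAST=192.168.33.255
GATEWAY=192.168.33.1
EOF

BAD_IFCFG=$(mktemp)
cat > "$BAD_IFCFG" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.33.50
NETMASK=255.255.255.248
NETWORK=192.168.33.0
BROADCAST=192.168.33.255
EOF

echo "consistent file:";   check_ifcfg "$OK_IFCFG"
echo "inconsistent file:"; check_ifcfg "$BAD_IFCFG"
```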

2. Manual Configuration

One way to configure an interface is to edit the above files directly with a text editor. After you are done editing them, execute an "ifdown" followed by an "ifup". This should reset your interfaces to the new values you've specified.

3. GUI Configuration

You can also use the "redhat-config-network" tool to configure your interfaces.

8.3 Configuring Routes

1. Configuration files

The configuration files for routing are also located under /etc/sysconfig.

o static-routes

This file contains static routing information that should be added to the routing tables when interfaces are brought up. It has the following format:

<device> host|net <arguments to route command>

For example:

eth0 net 10.20.30.0 netmask 255.0.0.0 gw 192.168.1.50

Adds a route to network 10.20.30.0/255.0.0.0 using the gateway at 192.168.1.50 to device eth0.

o network-scripts/ifcfg-<device>

For devices with static IPs, this file is typically used to specify the default gateway for the device (see Interface Configuration above).

2. Manual Configuration

Same as "Interface Manual Configuration" above.

3. GUI Configuration

Same as "Interface GUI Configuration" above.

8.4 Host Resolution


1. DNS

Host names can be resolved using DNS or through a local lookup file /etc/hosts. By default, /etc/hosts is consulted before performing a DNS lookup. However, the resolution order can be changed by modifying /etc/nsswitch.conf.

o /etc/hosts format:

IP address      Host Name                  Aliases

Example:

127.0.0.1       localhost
192.168.1.1     gateway.somedomain.com     gateway gate gw
192.168.1.20    somehost.somedomain.com    somehost some
192.168.1.25    otherhost.somedomain.com   otherhost

o /etc/resolv.conf

This contains the ip addresses of up to 3 DNS servers that will be consulted when trying to perform host name lookups.

Format:

nameserver 192.168.1.2
nameserver 192.168.1.3
domain somedomain.com
search somedomain.com otherdomain.com

The "domain" option specifies the local domain. If a host lookup is performed and a FQDN isn't specified, this domain is appended to the host name to create the FQDN. The "search" option specifies the order in which the domains should be queried if a host lookup is requested without specifying a FQDN. The "domain" and "search" options are mutually exclusive. If both are specified, the last one given is used.
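The rules just described, worked through as an added example (not from the study guide) over a constructed resolv.conf that also carries two extra nameserver lines. The function names are made up here; the dot-counting rule in lookup_candidates is the resolver's default ndots:1 behaviour, which the text does not cover.

```shell
#!/bin/sh
# Added example, not from the study guide. Applies the resolv.conf rules given
# in the text to a constructed file: only the first three nameserver lines are
# used, "domain" and "search" are mutually exclusive with the last one given
# winning, and an unqualified name is expanded with the resulting search list.

SAMPLE_RESOLV=$(mktemp)
cat > "$SAMPLE_RESOLV" <<'EOF'
# constructed sample: the format from above plus two extra nameserver lines
nameserver 192.168.1.2
nameserver 192.168.1.3
domain somedomain.com
search somedomain.com otherdomain.com
nameserver 192.168.1.4
nameserver 192.168.1.5
EOF

# effective_nameservers FILE -> the servers the resolver will actually query,
# one per line; the fourth and later nameserver lines are silently ignored.
effective_nameservers() {
    awk '$1 == "nameserver" && n < 3 { print $2; n++ }' "$1"
}

# effective_search FILE -> the search list after "last one wins" between
# domain and search; a bare domain line yields a one-entry list.
effective_search() {
    awk '$1 == "domain" { list = $2 }
         $1 == "search" { list = $2; for (i = 3; i <= NF; i++) list = list " " $i }
         END { print list }' "$1"
}

# lookup_candidates FILE NAME -> the names tried for NAME, in order.
# A name containing a dot is treated as already qualified and tried as given
# (the resolver default of ndots:1, not covered by the text); a bare host
# name gets each search domain appended in list order.
lookup_candidates() {
    case $2 in
        *.*) echo "$2" ;;
        *)   for d in $(effective_search "$1"); do echo "$2.$d"; done ;;
    esac
}

echo "nameservers:"; effective_nameservers "$SAMPLE_RESOLV"
echo "search list: $(effective_search "$SAMPLE_RESOLV")"
echo "lookups for somehost:"; lookup_candidates "$SAMPLE_RESOLV" somehost
```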

2. NIS

COMPLETE ME!

3. LDAP


COMPLETE ME!


9. Other System Administration

9.1 Date/Time

1. redhat-config-time

o a.k.a redhat-config-date, dateconfig

o GUI based.

o Set system time/date.

o Select timezone.

o Enable Network Time Protocol (NTP).

o Set whether hardware clock is set to UTC.

2. timeconfig

o TUI based.

o Select timezone.

o Set whether hardware clock is set to UTC.

3. date

o CLI based.

o Set system date/time.

4. hwclock

o Used to query/set hardware clock.

o Can sync the hardware clock to the system clock and vice-versa.

o Hardware clock used at boot up to set system clock, then never used again during normal operation.

o Hardware clock is synced to the system clock at shutdown.


9.2 Keyboard

1. kbdconfig

o TUI based.

o Sets the default keyboard map.

o Value stored in /etc/sysconfig/keyboard (KEYTABLE="us").

2. kbdrate

Sets keyboard repeat rate and delay:

kbdrate -r30 -d0

Sets the repeat rate to 30 characters per second (the max) and a repeat delay of 250 ms (lowest possible).

9.3 Mouse

1. mouseconfig

o Configures file links and modifies configuration files necessary to use a mouse.

o TUI or CLI

o Modifies X Configuration file

o CLI Options:

--modifyx       # Modify X configuration file
--device <dev>  # Specify device to use for mouse
--noprobe       # No automatic probing is done
--emulthree     # Enable 3 button emulation
--kickstart     # Forces mouseconfig to run in non-interactive mode and probe for as much information about the mouse as possible

2. Xconfigurator

See section on X for more information.

9.4 Sound


1. sndconfig

o TUI based.

o Options:

--noprobe       # Prevent probing of PnP cards
--noautoconfig  # Allow user to choose settings for card

9.5 RH System configuration files

RH stores many sys config files under /etc/sysconfig:

Note: The following is taken from the sysconfig.txt file provided in Red Hat's initscripts (version 6.40) package. Obsolete options have been removed.

/etc/sysconfig/authconfig used by authconfig to store information about the system's user information and authentication setup; changes made to this file have no effect until the next time authconfig is run

USEHESIOD=no
  Whether or not the hesiod naming service is in use. If not set, authconfig examines the passwd setting in /etc/nsswitch.conf.

USELDAP=no
  Whether or not LDAP is used as a naming service. If not set, authconfig examines the passwd setting in /etc/nsswitch.conf.

USENIS=no
  Whether or not NIS is in use. If not set, authconfig examines the passwd setting in /etc/nsswitch.conf.

USEKERBEROS=no
  Whether or not Kerberos is in use. If not set, authconfig examines the settings in /etc/pam.d/system-auth.

USELDAPAUTH=no
  Whether or not LDAP is being used for authentication. If not set, authconfig examines the settings in /etc/pam.d/system-auth. Note that this option is separate from USELDAP, and that neither implies the other.

USEMD5=no
  Whether or not MD5-based hashing should be used when setting passwords. If not set, authconfig examines the settings in /etc/pam.d/system-auth. This option affects authentication using both local files and LDAP.

USESHADOW=no
  Whether or not shadow passwords are in use. If not set, authconfig checks for the existence of /etc/shadow.

USESMBAUTH=no
  Whether or not SMB authentication is in use. If not set, authconfig examines the settings in /etc/pam.d/system-auth.

/etc/sysconfig/autofsck does not normally exist; if it does, it can influence a choice whether or not to fsck after a crash

AUTOFSCK_TIMEOUT=5
  Number of seconds to wait for console user to make a choice

AUTOFSCK_DEF_CHECK=no
  If the user does not respond, choose whether or not to fsck

/etc/sysconfig/clock:

UTC=true
  indicates that the clock is set to UTC; anything else indicates that it is set to local time

ARC=true
  on alpha only indicates the ARC console's 42-year time offset is in effect; otherwise the normal Unix epoch is assumed

ZONE="filename"
  indicates the zone file under /usr/share/zoneinfo that /etc/localtime is a copy of, for example: ZONE="US/Eastern"

/etc/sysconfig/desktop:

DESKTOP=GNOME|KDE|AnotherLevel
  This determines the display manager started by /etc/X11/prefdm

/etc/sysconfig/init:

BOOTUP=<some boot up mode>
  BOOTUP=color means new (as of RH6.0) boot display. BOOTUP=verbose means old style display. Anything else means new display, but without ANSI-formatting

LOGLEVEL=<a number>
  Sets the initial console logging level for the kernel. The default is 7. 8 means everything (including debugging); 1 means nothing except kernel panics. syslogd will override this once it starts.

RES_COL=<a number>
  Column of the screen to start status labels at. Defaults to 60

MOVE_TO_COL=<a command>
  A command to move the cursor to $RES_COL. Defaults to nasty ANSI sequences output by echo -e.

SETCOLOR_SUCCESS=<a command>
  A command to set the color to a color indicating success. Defaults to nasty ANSI sequences output by echo -e setting the color to green.

SETCOLOR_FAILURE=<a command>
  A command to set the color to a color indicating failure. Defaults to nasty ANSI sequences output by echo -e setting the color to red.

SETCOLOR_WARNING=<a command>
  A command to set the color to a color indicating warning. Defaults to nasty ANSI sequences output by echo -e setting the color to yellow.

SETCOLOR_NORMAL=<a command>
  A command to set the color to 'normal'. Defaults to nasty ANSI sequences output by echo -e.

PROMPT=yes|no
  Set to 'no' to disable the key check for interactive mode.

/etc/sysconfig/keyboard:

KEYTABLE=<keytable file>
  for example: KEYTABLE="/usr/lib/kbd/keytables/us.map"

If you dump a keymap (using 'dumpkeys') to /etc/sysconfig/console/default.kmap it will be loaded on bootup before file systems are mounted/checked. This could be useful if you need to emergency type the root password. This has to be a dumped keymap, as opposed to copying the shipped keymap files, as the shipped files include other maps from the /usr/lib/kbd/keytables directory.

KEYBOARDTYPE=sun|pc
  on SPARC only, sun means a sun keyboard is attached on /dev/kbd, pc means a PS/2 keyboard is on ps/2 port.

/etc/sysconfig/mouse:

MOUSETYPE=microsoft|mouseman|mousesystems|ps/2|msbm|logibm|atibm|logitech|mmseries|mmhittab

XEMU3=yes|no
  (emulate three buttons with two buttons whenever necessary, most notably in X)

DEVICE=<a device node>
  (the device of the mouse)

In addition, /dev/mouse points to the mouse device.

/etc/sysconfig/network:

NETWORKING=yes|no
HOSTNAME=<fqdn by default, but whatever hostname you want>
GATEWAY=<gateway IP>
GATEWAYDEV=<gateway device> (e.g. eth0)
NISDOMAIN=<nis domain name>
IPX=yes|no
IPXAUTOPRIMARY=on|off (note, that MUST be on|off, not yes|no)
IPXAUTOFRAME=on|off (again, not yes|no)
IPXINTERNALNETNUM=<netnum>
IPXINTERNALNODENUM=<nodenum>

NETWORKING_IPV6=yes|no
  Enable or disable global IPv6 initialization

IPV6FORWARDING=yes|no
  Enable or disable global forwarding of incoming IPv6 packets on all interfaces. Note: Actual packet forwarding cannot be controlled per-device.

IPV6INIT=yes|no
  Enable or disable IPv6 configuration for all interfaces. Use with caution!

IPV6_AUTOCONF=yes|no
  Sets the default for device-based autoconfiguration. Default: yes if IPV6FORWARDING=no, no if IPV6FORWARDING=yes

IPV6_ROUTER=yes|no
  Sets the default for device-based Host/Router behaviour. Default: yes if IPV6FORWARDING=yes, no if IPV6FORWARDING=no

IPV6_AUTOTUNNEL=yes|no
  Controls automatic IPv6 tunneling.

IPV6_TUNNELMODE=IP|NBMA [OPTIONAL: IP by default]
  Mode of tunnel setup. IP: separate tunnel device mode (now recommended). NBMA: NBMA-styled tunnel mode (now mostly obsolete)


All IPv6 options can be overridden in interface-specific configuration.

All the IPX stuff is optional, and should default to off.

/etc/sysconfig/static-routes: Contains lines of the form:

<device> host|net <arguments to route command>

<device> may be a device name to have the route brought up and down with the device, or "any" to have the correct devices calculated at run time.

For example:

eth0 host 192.168.2.2 eth0

adds a host route through eth0 to 192.168.2.2, while

any net 192.168.2.0 netmask 255.255.255.0 ppp0

adds a network route to the 192.168.2.0 network through ppp0.

/etc/sysconfig/static-routes-ipv6: Contains lines of the form:

<device> ipv6network ipv6gateway <tunneldevice> ipv6network

<device> must be a device name to have the route brought up and down with the device

For example:

eth0 fec0:0:0:2::/64 fec0:0:0:1:0:0:0:20

adds a route for IPv6 network fec0:0:0:2::/64 through fec0:0:0:1:0:0:0:20

eth0 2000::/3 3ffe:400:100:f101::1
eth0 3ffe::/16 3ffe:400:100:f101::1

so-called "default" route for clients

sit1 2000::/3
sit1 3ffe::/16

adds routes through virtual tunnel sit1

/etc/sysconfig/routed:

SILENT=yes|no
EXPORT_GATEWAY=yes|no

/etc/sysconfig/rawdevices: This is used for setting up raw device to block device mappings. It has the format:

<rawdev> <major> <minor>
<rawdev> <blockdev>

For example:

/dev/raw/raw1 /dev/sda1
/dev/raw/raw2 8 5

/etc/sysconfig/pcmcia:

PCMCIA=yes|no
PCIC=i82365|tcic
PCIC_OPTS=<socket driver (i82365 or tcic) timing parameters>
CORE_OPTS=<pcmcia_core options>
CARDMGR_OPTS=<cardmgr options>

/etc/sysconfig/amd:

ADIR=/.automount (normally never changed)
MOUNTPTS='/net /etc/amd.conf' (standard automount stuff)
AMDOPTS= (extra options for AMD)

/etc/sysconfig/tape:

DEV=/dev/nst0
  Tape device. Use the non-rewinding one for these scripts.

For SCSI tapes this is /dev/nst#, where # is the number of the tape drive you want to use. If you only have one then use nst0.

For IDE tapes you use /dev/ht#, where # is the number of the tape drive you want to use (usually ht0).

For floppy tape drives use /dev/ftape.

ADMIN=root Person to mail to if the backup fails for any reason

SLEEP=5
  Time to sleep between tape operations. Some drives need a bit more than others, but 5 seems to work for 8mm, 4mm, and DLT

BLOCKSIZE=32768 This worked fine for 8mm, then 4mm, and now DLT. An optimal setting is probably however much data your drive writes at one time.

SHORTDATE=$(date +%y:%m:%d:%H:%M) A short date string, used in backup log filenames.

DAY=$(date +log-%y:%m:%d) This is used for the log file directory.

DATE=$(date) Regular date string, used in log files.

LOGROOT=/var/log/backup Root of the logging directory

LIST=$LOGROOT/incremental-list This is the file name the incremental backup will use to store the incremental list. It will be $LIST-{some number}.

DOTCOUNT=$LOGROOT/.count For counting as you go to know which incremental list to use

COUNTER=$LOGROOT/counter-file For rewinding when done...might not use.

BACKUPTAB=/etc/backuptab
  The file in which we keep our list of backup(s) we want to make.

/etc/sysconfig/sendmail:

DAEMON=yes|no
  yes implies -bd (i.e., listen on port 25 for new mail)

QUEUE=1h
  given to sendmail as -q$QUEUE. The -q option is not given to sendmail if /etc/sysconfig/sendmail exists and QUEUE is empty or undefined.

/etc/sysconfig/i18n:

LANG= set locale for all categories, can be any two letter ISO language code
LC_CTYPE= localedata configuration for classification and conversion of characters
LC_COLLATE= localedata configuration for collation (sort order) of strings
LC_MESSAGES= localedata configuration for translation of yes and no messages
LC_NUMERIC= localedata configuration for non-monetary numeric data
LC_MONETARY= localedata configuration for monetary data
LC_TIME= localedata configuration for date and time
LC_ALL= localedata configuration overriding all of the above
LANGUAGE= can be a : separated list of ISO language codes
LINGUAS= can be a ' ' separated list of ISO language codes

The above variables are used in /etc/profile.d/lang.sh.

SYSFONT= any font that is legal when used as /usr/bin/consolechars -f $SYSFONT ... (See console-tools package for consolechars command)

UNIMAP= any SFM (screen font map, formerly called Unicode mapping table - see consolechars(8)) /usr/bin/consolechars -f $SYSFONT --sfm $UNIMAP

SYSFONTACM= any ACM (application charset map - see consolechars(8)) /usr/bin/consolechars -f $SYSFONT --acm $SYSFONTACM

The above is used by the /sbin/setsysfont command (which is run by rc.sysinit at boot time.)

/etc/sysconfig/harddisks
/etc/sysconfig/harddiskhd[a-h] (for specific devices)
  These options are used to tune (E)IDE hard drives - read the hdparm man page for more information

USE_DMA=1
  Set this to 1 to enable DMA. This might cause some data corruption on certain chipset / hard drive combinations. USE WITH CAUTION AND BACKUP. This is used with the "-d" option

MULTIPLE_IO=16 Multiple sector I/O. a feature of most modern IDE hard drives, permitting the transfer of multiple sectors per I/O interrupt, rather than the usual one sector per interrupt. When this feature is enabled, it typically reduces operating system overhead for disk I/O by 30-50%. On many systems, it also provides increased data throughput of anywhere from 5% to 50%. Some drives, however (most notably the WD Caviar series), seem to run slower with multiple mode enabled. Under rare circumstances, such failures can result in massive filesystem corruption. USE WITH CAUTION AND BACKUP. This is the sector count for multiple sector I/O - the "-m" option

EIDE_32BIT=3 (E)IDE 32-bit I/O support (to interface card). USE WITH CAUTION.

LOOKAHEAD=1 Enable drive read-lookahead (safe)

EXTRA_PARAMS=<anything>
  Add any extra parameters you want to pass to hdparm here.

/etc/sysconfig/network-scripts/ifup:
/etc/sysconfig/network-scripts/ifdown:
  Symlinks to /sbin/ifup and /sbin/ifdown, respectively. These are the only two scripts "in" this directory that should be called directly; these two scripts call all the other scripts as needed. These symlinks are here for legacy purposes only -- they'll probably be removed in future versions, so only /sbin/ifup and /sbin/ifdown should currently be used.

  These scripts take one argument normally: the name of the device (e.g. eth0). They are called with a second argument of "boot" during the boot sequence so that devices that are not meant to be brought up on boot (ONBOOT=no, see below) can be ignored at that time.

/etc/sysconfig/network-scripts/init.ipv6-global:
  Not really a public file. Contains different basic settings that are set from /etc/rc.d/init.d/network at different stages of network initialization.

/etc/sysconfig/network-scripts/network-functions:
  Not really a public file. Contains functions which the scripts use for bringing interfaces up and down. In particular, it contains most of the code for handling alternative interface configurations and interface change notification through netreport.

/etc/sysconfig/network-scripts/network-functions-ipv6:
  Not really a public file. Contains functions which the scripts use for bringing IPv6 on interfaces up and down, like addresses, routes, forwarding handling and static or automatic tunneling.

/etc/sysconfig/network-scripts/ifcfg-<interface-name> and
/etc/sysconfig/network-scripts/ifcfg-<interface-name>:<alias-name>:
  The first defines an interface, and the second contains only the parts of the definition that are different in an "alias" (or alternative) interface. For example, the network numbers might be different, but everything else might be the same, so only the network numbers would be in the alias file, but all the device information would be in the base ifcfg file.

The items that can be defined in an ifcfg file depend on the interface type. The really obvious ones I'm not going to bother to define; you can figure out what "IPADDR" is, I think... :-)

Base items:

NAME=<friendly name for users to see>
  Most important for PPP. Only used in front ends.
DEVICE=<name of physical device (except dynamically-allocated PPP devices where it is the "logical name")>
IPADDR=
NETMASK=
GATEWAY=
ONBOOT=yes|no
USERCTL=yes|no
BOOTPROTO=none|bootp|dhcp
MTU=
PEERDNS=yes|no
  modify /etc/resolv.conf if peer uses msdns extension (PPP only) or DNS{1,2} are set, or if using pump or dhcpcd. default to "yes".
DNS{1,2}=<ipaddress>
  provide DNS addresses that are dropped into the resolv.conf file if PEERDNS is not set to "no".
FIREWALL_MODS=yes|no
  modify firewall to attempt to allow DNS through. Defaults to 'yes'.

If BOOTPROTO is not "none", then the only other item that must be set is the DEVICE item; all the rest will be determined by the boot protocol. No "dummy" entries need to be created.

Base items being deprecated:

NETWORK=<will be calculated automatically with ifcalc>
BROADCAST=<will be calculated automatically with ifcalc>

IPv6-only items for real interfaces:

IPV6INIT=yes|no
  Enable or disable IPv6 configuration for this interface
IPV6FORWARDING=yes|no
  Enable or disable global forwarding of incoming IPv6 packets. Note! Obsolete in interface specification.
IPV6ADDR=<ipv6address>/<prefixlength>
  specify primary static IPv6 address here. Example: IPV6ADDR="3ffe:400:100:f101::1/64"
IPV6ADDR_SECONDARIES=<list of ipv6 addresses>
  a list of secondary IPv6 addresses (perhaps useful for virtual hosting). Example: IPV6ADDR_SECONDARIES="3ffe:400:100:f101::10/64 3ffe:400:100:f101::11/64"
IPV6_MTU="<MTU of link>" [optional]
  Note: Must be greater or equal to 1280. Optional, dedicated MTU of this link. Example: IPV6_MTU="1280"

Special configuration options for multi-homed hosts etc.

IPV6_ROUTER=yes|no: controls IPv6 autoconfiguration
IPV6_AUTOCONF=yes|no: controls IPv6 autoconfiguration

defaults:
  global IPV6FORWARDING=yes: IPV6_AUTOCONF=no, IPV6_ROUTER=yes
  global IPV6FORWARDING=no: IPV6_AUTOCONF=yes

Optional settings for a 6to4 tunnel

IPV6TO4INIT=yes|no
  Enable or disable 6to4 tunneling setup
IPV6TO4_RELAY=<ipv4address>
  IPv4 address of the remote 6to4 relay
IPV6TO4_IPV4ADDR=<ipv6address> [OPTIONAL]
  overwrite local IPv4 address which is accessible from the Internet (optional, in case of NAT or other special scenarios)
IPV6TO4_ROUTING=<LAN-routing-setup-tokens> [OPTIONAL]
  a list of routing tokens to setup proper IPv6 routes on the LAN. Example: IPV6TO4_ROUTING="eth0-:f101::0/64 eth1-:f102::0/64" Will create one route per eth0 and eth1, taking given SLA
IPV6TO4_CONTROL_RADVD=yes|no [OPTIONAL]
  Enable signalling radvd that the 6to4 prefix has been changed
IPV6TO4_RADVD_PIDFILE=<path-to-pid-file> [OPTIONAL]
  location of PID file to get PID for sending signal. default is "/var/run/radvd/radvd.pid". Example: IPV6TO4_RADVD_PIDFILE="/some/other/location/radvd.pid"

IPv6-only items for automatic tunnel interface:

Virtual interface name: sit0
IPV6INIT=yes|no
  Enable or disable IPv6 configuration for this interface. Obsolete now, see IPV6_AUTOTUNNEL in /etc/sysconfig/network

IPv6-only items for static unnumbered tunnel interface:

Virtual interface name: sit1..
IPV6INIT=yes|no
  Enable or disable IPv6 configuration for this interface
IPV6TUNNELIPV4=<ipv4 address of foreign tunnel endpoint>
  specify IPv4 address of a foreign IPv6-in-IPv4 tunnel endpoint. Example: IPV6TUNNELIPV4="195.226.187.50"
IPV6ADDR=<ipv6address>/<prefixlength> [OPTIONAL]
  local IPv6 address of a numbered tunnel


Ethernet-only items:

{IPXNETNUM,IPXPRIMARY,IPXACTIVE}_{802_2,802_3,ETHERII,SNAP}
  configuration matrix for IPX. Only used if IPX is active. Managed from /etc/sysconfig/network-scripts/ifup-ipx
ARP=yes|no
  (adds 'arp' flag to ifconfig, for use with the ethertap device)

Deprecated:
PROMISC=yes|no (enable or disable promiscuous mode)
ALLMULTI=yes|no (enable or disable all-multicast mode)

To properly set these, use the packet socket interface.

PPP/SLIP items:

PERSIST=yes|no
MODEMPORT=<device, say /dev/modem>
LINESPEED=<speed, say 115200>
DEFABORT=yes|no
  (tells netcfg whether or not to put default abort strings in when creating/editing the chat script and/or dip script for this interface) (meaningless with WVDIALSECT)

PPP-specific items

WVDIALSECT=<list of sections from wvdial.conf to use>
  If this variable is set, then the chat script (if it exists) is ignored, and wvdial is used to open the PPP connection.
DEFROUTE=yes|no
  (set this interface as default route? yes is default)
DEBUG=yes|no
  (defaults to yes) turns on/off pppd and chat (if used) debugging.
ESCAPECHARS=yes|no
  (simplified interface here doesn't let people specify which characters to escape; almost everyone can use asyncmap 00000000 anyway, and they can set PPPOPTIONS to asyncmap foobar if they want to set options perfectly)
HARDFLOWCTL=yes|no
  (yes implies "modem crtscts" options)
PPPOPTIONS=<arbitrary option string; is placed last on the command line, so it can override other options like asyncmap that were specified differently>
PAPNAME=<"name $PAPNAME" on pppd command line>
  (note that the "remotename" option is always specified as the logical ppp device name, like "ppp0" (which might perhaps be the physical device ppp1 if some other ppp device was brought up earlier...), which makes it easy to manage pap/chap files -- name/password pairs are associated with the logical ppp device name so that they can be managed together.
REMIP=<remote ip address, normally unspecified>
MTU=
MRU=
DISCONNECTTIMEOUT=<number of seconds, default currently 5>
  (time to wait before re-establishing the connection after a successfully-connected session terminates before attempting to establish a new connection.)
RETRYTIMEOUT=<number of seconds, default currently 60>
  (time to wait before re-attempting to establish a connection after a previous attempt fails.)
RETRYCONNECT=yes|no
  (defaults to yes) If this is yes, then we will re-run pppd if it exits with a "connect script failed" status. Otherwise, only one attempt is made to bring up the connection. Note that some connect scripts (for example, wvdial) might do their own retries (such as BUSY or NO DIALTONE conditions).
MAXFAIL=<number>
  If this is set, this will cause ppp-watch to exit after the specified number of attempts.
DEMAND=yes|no
  Switches on demand-dialing mode using pppd's "demand" option.
IDLETIMEOUT=600
  The amount of time the link needs to be inactive before pppd will bring it down automatically.
BOOTTIMEOUT=30
  The amount of time to wait at boot before giving up on the connection.

IPPP-specific items (ISDN)

PROVIDER=<ProviderName>
USER=<Login>
PASSWORD=<Password>
ENCAP=[syncppp|]
DIALMODE=[manual|auto]
SECURE=off|on
MSN=<>
PHONE_IN=<Callback.Number>
AREACODE=<>
REGIONCODE=<>
PHONE_OUT=<PhoneNumber>
BUNDLING=off|on
HUPTIMEOUT=<number>
DNS1=<PrimaryDNS>
DNS2=<SecondaryDNS>
DOMAIN=""
LAYER=[HDLC|]
CALLBACK=off|on
CHARGEHUP=<number>
CHARGEINT=<number>
CBHUP=<number>
CBDELAY=<number>
DIALMAX=<number>
AUTH=[+pap] [-chap]
IHUP=<>
DELDEFAULTROUTE=[enabled|disabled]
CBCP=off|on
VJ=off|on
VJCCOMP=off|on
AC=off|on
PC=off|on
BSDCOMP=off|on
CCP=off|on
SLAVE_DEVICE=ippp[0-9]

ippp0 items being deprecated:

BOOT=[on|off] will be converted to ONBOOT=[yes|no] by netconf
LOCAL_IP= will be converted to IPADDR by netconf
REMOTE_IP= will be converted to GATEWAY by netconf

/etc/sysconfig/network-scripts/chat-<interface-name>:
  chat script for PPP or SLIP connection intended to establish the connection. For SLIP devices, a DIP script is written from the chat script; for PPP devices, the chat script is used directly.

/etc/sysconfig/network-scripts/dip-<interface-name>
  A write-only script created from the chat script by netcfg. Do not modify this. In the future, this file may disappear by default and be created on-the-fly from the chat script if it does not exist.

/etc/sysconfig/network-scripts/ifup-post
  Called when any network device EXCEPT a SLIP device comes up. Calls /etc/sysconfig/network-scripts/ifup-routes to bring up static routes that depend on that device. Calls /etc/sysconfig/network-scripts/ifup-aliases to bring up aliases for that device. Sets the hostname if it is not already set and a hostname can be found for the IP for that device. Sends SIGIO to any programs that have requested notification of network events.

  Could be extended to fix up nameservice configuration, call arbitrary scripts, etc, as needed.

/etc/sysconfig/network-scripts/ifup-routes
  Set up static routes for a device.

/etc/sysconfig/network-scripts/ifup-aliases
  Bring up aliases for a device.

/etc/sysconfig/network-scripts/ifdhcpc-done
  Called by dhcpcd once dhcp configuration is complete; sets up /etc/resolv.conf from the version dhcpcd dropped in /etc/dhcpc/resolv.conf

9.6 File System Administration

1. Monitor Usage

o df - Report disk usage by file system.

df -k    # Show disk usage by file system in KB
df -h    # Show disk usage by file system in the largest unit possible

o du - Report disk usage.

du /etc                  # Report the number of KB used in /etc and all of its subdirectories by file
du -s /etc               # Report the total number of KB used in /etc and all of its subdirectories
du /etc | sort -n -r     # Display disk usage by directory in /etc and sort from largest to smallest
du -a /etc | sort -n -r  # Same as before, only list each file and directory in the report

2. Cleanup Unused Files

tmpwatch - Run by cron daily to clean out temporary directories (e.g. /tmp & /var/tmp). The default installation deletes all files older than 10 days.

3. File System Corruption

e2fsck must be run on non-journaled file systems if they are not unmounted cleanly. This fixes any metadata that is not in the proper state:

e2fsck /dev/hda1

By default, a backup copy of the superblock is stored every 8192 blocks. If the primary superblock is corrupt, e2fsck will fail unless you specify an alternate superblock to use:

e2fsck -b 8193 /dev/hda1

4. Journaled File Systems

o Journaled file systems write critical information about file system operations to a journal before actually modifying files. In the event of an unclean shutdown, the file system can be recovered more quickly by reading the journal instead of performing fsck.

o 3 Journaling Options available in ext3

1. data=ordered - This is the default mode. Only meta data is journaled.

2. data=journal - Metadata and data are journaled.

3. data=writeback - Not as good as "data=ordered", but allows for a quicker fsck than standard ext2.

o Converting from ext2 to ext3

Because of their close relation, it is fairly simple to upgrade from ext2 to ext3:

1. Modify file system type in /etc/fstab

2. Create the journal:

tune2fs -j /dev/hda1

3. Verify that ext2 is either compiled into the kernel or create an initial ramdisk so it can be loaded as a module at boot time.

4. Verify that the file systems are indeed mounted as ext3 by checking /proc/mounts.

5. Monitor Permissions

o Keep a close watch on SUID and SGID files:

find / -perm +6000                 # Find all files that are either setuid or setgid
find / -perm -2000 -o -perm -4000  # Same thing

o Find files that don't have an owner or a group:

find / -nouser -o -nogroup

o Find all files and directories that are world writable:

find / \( -type f -o -type d \) -a -perm -0002
find / \( -type f -o -type d \) -a -perm -2     # Same thing as above

o Tripwire

1. Provides a fingerprint of critical files.

2. Tripwire can monitor all of the following:

File Size

atime (Last Access Time)

mtime (Last Modification Time)

ctime (Timestamp on Inode)

User

Group


Permissions

3. Configuration

Edit twcfg.txt and twpol.txt in order to define the policy for your system.

Run /etc/tripwire/twinstall.sh

Execute tripwire --init to create the initial database (stored in /var/lib/tripwire/<hostname>.twd).

To check the system against the database, run tripwire --check

To view an integrity check report, run twprint -m -r --twrfile <report_file>

To update the tripwire database according to the previously run report, run tripwire --update --twrfile <report_file>
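The permission checks and the Tripwire workflow above share one idea: record what the privileged files on a host look like, then compare. The following is an added example, not code from this guide or from Tripwire: it lists the same classes of files the find commands above look for (setuid, setgid, world-writable), takes a minimal fingerprint of each (mode, owner, group, size, sha256), and diffs a saved baseline against the current state. It assumes GNU find, stat and sha256sum (a Linux host); the directory argument is a placeholder, and on a real system you would run it against "/". Note that current GNU find spells the "+6000" form above as "-perm /6000"; the example uses the "-perm -mode" form, which is unchanged.

```shell
#!/bin/sh
# Added example, not from the guide: a baseline-and-compare check for the
# privileged files the guide's find commands look for (setuid, setgid,
# world-writable), with a minimal Tripwire-style fingerprint (mode, owner,
# group, size, sha256). Assumptions: GNU find/stat/sha256sum (a Linux host);
# the directory argument is a placeholder (use "/" on a real system).

# privileged_files DIR: setuid, setgid or world-writable files and directories
# below DIR, one per line, sorted so two runs can be compared.
privileged_files() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -4000 -o -perm -2000 -o -perm -0002 \) -print 2>/dev/null | sort
}

# fingerprint DIR: "mode owner group size sha256 path" for each privileged
# file; directories get "-" instead of a hash since they have no content.
fingerprint() {
    privileged_files "$1" | while IFS= read -r p; do
        if [ -f "$p" ]; then
            sum=$(sha256sum "$p" | cut -d' ' -f1)
        else
            sum=-
        fi
        # stat -c is GNU coreutils syntax (assumption: Linux host)
        printf '%s %s %s\n' "$(stat -c '%a %U %G %s' "$p")" "$sum" "$p"
    done
}

# compare_baseline BASELINE_FILE DIR: lines prefixed "- " were in the baseline
# but are gone or changed; "+ " lines are new or changed. A file whose mode,
# owner or content changed therefore shows up as one "- " and one "+ " line.
compare_baseline() {
    bsorted=$(mktemp); csorted=$(mktemp)
    sort "$1" > "$bsorted"
    fingerprint "$2" | sort > "$csorted"
    comm -23 "$bsorted" "$csorted" | sed 's/^/- /'
    comm -13 "$bsorted" "$csorted" | sed 's/^/+ /'
    rm -f "$bsorted" "$csorted"
}
```

Take the baseline right after installation (fingerprint / > somewhere.baseline), keep a copy of it where a compromised host cannot rewrite it, and run compare_baseline from cron; a new setuid binary, a changed hash on an existing one, or a directory that became world-writable all surface as "+ " lines.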

9.7 System Logging

klogd handles kernel messages and syslogd handles messages sent from other sources such as system daemons.

1. Configuration

o /etc/syslog.conf - Primary Configuration file.

o Standard RH configuration creates these log files:

1. /var/log/secure - Logs authentication messages (e.g. xinetd services, failed ssh logins).

2. /var/log/xferlog - Logs FTP transactions.

3. /var/log/maillog - Logs mail transactions (SMTP, POP3, IMAP, etc.)

4. /var/log/messages - Logs most other system messages. This information usually includes:

Date and time of the message logged.

Name of the program or daemon that wrote the message.


The action or event that occurred.

The name of the host that this occurred on.

o /etc/syslog.conf - Primary Configuration file.

1. Format

# There must be at least one TAB separating the two entries below:
facility.priority    log location

2. Facilities

o authpriv - Security & authorization messages

o cron - clock daemons such as crond and atd

o daemon - other daemon messages

o kern - Kernel messages

o lpr - Printing related messages

o mail - Mail system messages

o news - News system messages

o syslog - Syslog messages

o user - Generic user level messages

o local[0-7] - Facilities reserved for local use

3. Priorities

o debug - Debugging information

o info - Informational messages

o notice - A normal condition occurred that should be noticed

o warning - Warning messages

o err - An error occurred

o crit - A critical error occurred

o alert - An error occurred that requires immediate attention

o emerg - Usually indicates a service (or the system) is no longer available

4. Example Configuration

mail.info        /var/log/mail    # Log all mail messages of priority info or greater
daemon.=emerg    /var/log/emerg   # Log all daemon messages with a priority of emergency
lpr.=!notice     /var/log/lpr     # Log all lpr messages where the priority isn't of notice level
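To make the selector rules concrete, here is an added example (not from this guide or from sysklogd itself) that models how syslogd decides where a message goes. It implements the rules stated above: a bare priority selects that priority and everything more severe, "=" selects exactly one priority, "!" negates (the example accepts "=" and "!" in either order), "none" drops a facility, and on a line with several ";"-separated selectors a later selector for the same facility overrides an earlier one (a simplification of the real per-facility bitmask). The syslog.conf excerpt it reads is constructed, with the three lines above plus two typical Red Hat ones; the functions pri_num, facility_in_list, priority_selected, selector_matches and syslog_destinations are the example's own.

```shell
#!/bin/sh
# Added example, not from the guide: a model of how syslogd matches a message's
# facility and priority against syslog.conf selectors. The configuration below
# is constructed; semantics follow traditional sysklogd (see lead-in).

SYSLOG_CONF_SAMPLE=$(printf '# constructed syslog.conf excerpt; selector and action are TAB-separated\nmail.info\t/var/log/mail\ndaemon.=emerg\t/var/log/emerg\nlpr.=!notice\t/var/log/lpr\n*.info;mail.none\t/var/log/messages\nauthpriv.*\t/var/log/secure\n')

# pri_num NAME: numeric severity, 0 = emerg (most severe) .. 7 = debug; -1 if unknown
pri_num() {
    case $1 in
        emerg|panic) echo 0 ;;  alert) echo 1 ;;  crit) echo 2 ;;  err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;;  debug) echo 7 ;;
        *) echo -1 ;;
    esac
}

# facility_in_list LIST FACILITY: LIST is "*" or a comma-separated facility list
facility_in_list() {
    if [ "$1" = "*" ]; then return 0; fi
    fl=$1
    while [ -n "$fl" ]; do
        f=${fl%%,*}
        case $fl in *,*) fl=${fl#*,} ;; *) fl='' ;; esac
        if [ "$f" = "$2" ]; then return 0; fi
    done
    return 1
}

# priority_selected SPEC PRIORITY: does the priority part of a selector accept PRIORITY?
priority_selected() {
    spec=$1; have=$(pri_num "$2"); exact=0; negate=0
    while :; do
        case $spec in
            "="*) exact=1;  spec=${spec#"="} ;;
            "!"*) negate=1; spec=${spec#"!"} ;;
            *) break ;;
        esac
    done
    if [ "$spec" = "*" ]; then spec=debug; fi      # "*" = every priority
    if [ "$spec" = none ]; then return 1; fi        # "none" = nothing from this facility
    want=$(pri_num "$spec")
    if [ "$want" -lt 0 ] || [ "$have" -lt 0 ]; then return 1; fi
    if [ "$exact" -eq 1 ]; then
        if [ "$have" -eq "$want" ]; then m=0; else m=1; fi
    else
        if [ "$have" -le "$want" ]; then m=0; else m=1; fi   # this priority or more severe
    fi
    if [ "$negate" -eq 1 ]; then [ "$m" -ne 0 ]; else [ "$m" -eq 0 ]; fi
}

# selector_matches SELECTOR FACILITY PRIORITY, e.g. selector_matches mail.info mail err
selector_matches() {
    case $1 in *.*) ;; *) return 1 ;; esac
    facility_in_list "${1%.*}" "$2" && priority_selected "${1##*.}" "$3"
}

# syslog_destinations FACILITY PRIORITY: print the action of every line in
# SYSLOG_CONF_SAMPLE that would receive such a message, in file order.
syslog_destinations() {
    fac=$1; pri=$2
    printf '%s\n' "$SYSLOG_CONF_SAMPLE" | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        sels=$(printf '%s\n' "$line" | awk '{ print $1 }')
        action=$(printf '%s\n' "$line" | awk '{ print $2 }')
        state=1; todo=$sels
        while [ -n "$todo" ]; do
            sel=${todo%%";"*}
            case $todo in *";"*) todo=${todo#*";"} ;; *) todo='' ;; esac
            case $sel in *.*) ;; *) continue ;; esac
            if facility_in_list "${sel%.*}" "$fac"; then
                if priority_selected "${sel##*.}" "$pri"; then state=0; else state=1; fi
            fi
        done
        if [ "$state" -eq 0 ]; then printf '%s\n' "$action"; fi
    done
}
```

Running syslog_destinations against a configuration before deploying it answers the question that matters for detection: does a failed-login message (authpriv.notice, say) actually reach a file you monitor, and does the "mail.none" exclusion on the messages line drop more than you intended.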

2. Log Rotation

o Log rotation is handled by /usr/sbin/logrotate which is part of the logrotate package.

o logrotate is executed daily by cron to check if any logs need rotating.

o Basic setup and log rotation of the default system logs are configured in /etc/logrotate.conf.

o Additional, package related, log rotation scripts are placed in /etc/logrotate.d.

3. Logwatch

o Runs daily.

o Primary configuration file is /etc/log.d/conf/logwatch.conf.

o Creates a daily report that is e-mailed to the user specified (root by default).

4. Other System Logging

o /var/run/utmp - This file must always exist. It contains information about currently running processes. Used by many system utilities (e.g. who, w). You can prevent users from viewing who else is on the machine by removing permissions to this file.

o /var/log/wtmp - This file stores information about logins and logouts. It is used by init and login. To view information in this file, use the last command.

5. Process Control


o Nice Value - Affects the priority of a job. Can be altered using the nice/renice commands.

1. nice - Can be used when launching a process to alter its priority.

2. renice - Can be used on existing processes to alter their priority.

3. Examples:

nice +10 find / -name xyz   # Give find command a lower priority than normal
renice -10 `pidof X`        # Give X server a higher priority

o Jobs - Jobs executed at the shell prompt normally run in the foreground. This prevents you from executing other commands from the same shell until the command returns. You can force jobs to run in the background by placing an "&" after the command.

Background jobs will not be terminated when a user logs out. However, any output from a background process that has not been redirected will be lost.

tar zxvf linux-2.2.20.tar.gz &
tar zxvf linux-2.2.20-ow2.tar.gz &
top

The two 'tar' commands will execute in the background and 'top' will be executed in the foreground.

Job Control Commands:

1. fg - Bring a specified background job into the foreground.

fg %1    # Bring background job number 1 into the foreground

2. bg - Start a stopped background job.

bg %7    # Causes background job number 7 to resume execution

3. jobs - List background jobs.

4. kill - You can also use job numbers with the kill command instead of process ids.

kill %4    # Kill background job number 4

9.8 Creating a Swap File

If you don't have a partition free to allocate additional swap space, you can create a swapfile on an existing file system.

The following example creates and enables a 16 MB swapfile called /var/swapfile:

   dd if=/dev/zero of=/var/swapfile bs=1024 count=16384
   mkswap /var/swapfile
   swapon /var/swapfile

10. Package Management with RPM

10.1 Installation

   -i              # Install a package.
   -U              # Upgrade existing package or install if it doesn't already exist.
   -e              # Remove a package.
   -F              # Freshen. Only upgrade package if it's already installed.
   -v              # Print verbose information
   -h              # Use a hash mark (#) to indicate progress
   --nodeps        # Don't perform a dependency check when installing or upgrading a package
   --replacefiles  # Install package even if it overwrites existing files
   --replacepkgs   # Install package even if it's already installed
   --oldpackage    # Install package even if it's older than the one installed
   --force         # Combination of --replacefiles, --replacepkgs, and --oldpackage

Examples:

   rpm -ivh groff-1.17.1-3.i386.rpm    # Install groff from local file system
   rpm -Uvh groff-1.17.2-3.i386.rpm    # Upgrade groff from local file system
   rpm -e groff                        # Remove groff

   # Install groff from anonymous ftp server
   rpm -ivh ftp://somehost.com/rpms/groff-1.17.1-3.i386.rpm

   # Install groff from non-anonymous ftp server
   rpm -ivh ftp://<user>:<password>@somehost.com/rpms/groff-1.17.1-3.i386.rpm

10.2 Verification

   --checksig <package>   # Verify md5 and gpg signatures.
   -K <package>           # Same as --checksig.
   --nogpg                # Don't verify gpg signature (must be used with --checksig).
   -V <package>           # Verify installed files against package info and report changes.
   -Va                    # Verify all packages

10.3 Query

   -q <package>           # Returns package version.
   -qf <file>             # Returns name of package that owns file.
   -ql <package>          # Returns list of files owned by package.
   -qi <package>          # Returns package info.
   -qpi <package>         # Returns info of uninstalled package
   -qpl <package>         # Returns list of files in an uninstalled package

10.4 Source RPMs

Source RPMS install their contents into /usr/src/redhat. They contain everything necessary to build a binary package from the source (source code, init scripts, config files, man pages, documentation, etc.)

/usr/src/redhat:

SOURCES - Contains source code and patches necessary to build rpm.

BUILD - A work directory used to build the rpm.

SPECS - Holds the spec files which describe how to build the rpm.

SRPMS - Stores the completed source RPM after it's built.

RPMS - Stores the completed binary RPM after it's built.

10.5 Spec Files

The RPM spec file contains the necessary instructions required to build an RPM. It contains many sections:

   Preamble                    # Contains package information
   Prep                        # Prepares source code for building (unpacking, patching, etc.)
   Build                       # Steps taken to build source
   Install                     # Commands used to install package
   Install & Uninstall Scripts # Scripts that install/uninstall package from a system
   Verify                      # Extra verification steps to take when verifying packages
   Clean                       # Cleanup script
   File List                   # List of files in the package

10.6 Build Options

   -bp   # Only execute prep stage
   -bl   # Verify all files exist
   -bc   # Execute only the build stage
   -bi   # Execute only the install section
   -bs   # Only build SRPM
   -ba   # Build binary and source RPMs
   -bb   # Build binary RPM only

11. PCMCIA

11.1 Support

PCMCIA support is currently included in the kernel, but it's better supported by the kernel modules located at http://pcmcia-cs.sourceforge.net

11.2 Device Management

1. cardmgr

o Monitors PCMCIA sockets for card insertion and removal.

o Looks up cards in database when inserted and loads appropriate kernel module.


o Can execute preconfigured commands upon insertion or removal.

o Unloads kernel module upon removal.

2. cardctl

o Monitor and control PCMCIA sockets.

o Non-root users can only view information about sockets.

o Commands:

1. status - Display socket status.

2. config - Display socket configuration (includes power settings, IRQs, ioports).

3. ident - Display card identification.

4. suspend - Shutdown and disable power for socket.

5. resume - Restore power to socket and re-configure for use.

6. reset - Send reset signal to device.

7. eject - Notifies all drivers that this card will be ejected and then cuts power.

8. insert - Notify all drivers that a card has just been inserted.

9. scheme - Display scheme if none is specified, otherwise reconfigure PCMCIA to the new scheme specified.

3. PCMCIA drivers

o Automatically loads devices and configures ioports to nonconflicting values.

o Can specify ioports not to use in /etc/pcmcia/config.opts

o Can view loaded cards in /var/lib/pcmcia/stab.


12. RAID

12.1 Overview

Stands for Redundant Array of Inexpensive Disks or Redundant Array of Independent Disks. It uses multiple disks to increase performance and/or reduce the chances of data loss due to hardware failure.

12.2 Supported Versions

1. Striping (RAID 0)

o No Redundancy

o Fastest read/write performance.

o Requires 2 or more disks.

2. Mirroring (RAID 1)

o Requires 2 or more disks.

o Fast read performance.

o Requires 2x actual storage size requirements.

3. Data and Parity Striping (RAID 5)

o Requires 3 or more disks.

o More efficient use of disk space than RAID 1.

12.3 Partition Type

Set partition type to 0xFD for auto detection of RAID devices (use option 't' in fdisk).

12.4 Configuration File ( /etc/raidtab )

See raidtab man page for an example.

Sample file:

   ### RAID 1
   raiddev /dev/md0
   raid-level 1                # Mirroring
   nr-raid-disks 3             # Number of disks to use
   nr-spare-disks 1            # Hot standby in case another fails
   persistent-superblock 1     # Required for auto detection
   chunk-size 32               # In KB

   device /dev/hda3
   raid-disk 0
   device /dev/hdb3
   raid-disk 1
   device /dev/hde5
   raid-disk 2
   device /dev/hdc4
   spare-disk 0

   ### RAID 5
   raiddev /dev/md1
   raid-level 5                # Data and parity striping
   nr-raid-disks 3             # Number of disks to use
   nr-spare-disks 1            # Hot standby in case another fails
   persistent-superblock 1     # Required for auto detection
   chunk-size 32               # In KB
   parity-algorithm right-symmetric

   device /dev/sda1
   raid-disk 0
   device /dev/sdb3
   raid-disk 1
   device /dev/sdc5
   raid-disk 2
   device /dev/sdd4
   spare-disk 0

12.5 Initializing RAID devices

   mkraid /dev/md0
   mkraid /dev/md1

NOTE: mkraid also causes necessary RAID modules to be loaded by kernel as if raidstart had been executed.

12.6 Formatting RAID devices

   mke2fs -b 4096 -R stride=8 /dev/md0
   mke2fs -b 4096 -R stride=8 /dev/md1

"-R" is used to set RAID related options for the file system. Stride is the number of blocks per chunk. In the previous examples we are using a 32K chunk size with a 4K block size, so stride has to be 8 (4K * 8 = 32K).

12.7 RAID 5 parity options

Specify parity algorithm with the "parity-algorithm" option in /etc/raidtab. Possible values are:

1. left-asymmetric

2. right-asymmetric

3. left-symmetric

4. right-symmetric

Left-symmetric offers the maximum performance on typical disks with rotating platters.

12.8 Auto detection of RAID arrays

Requires:

1. Partition type must be set to 0xFD.

2. Auto detection must be turned on in kernel.

3. Must specify "persistent-superblock 1" in /etc/raidtab.

13. Advanced Power Management (APM)

13.1 Overview

1. Monitor and control system battery on laptops.

2. Can be used on workstations to implement "standby" and "suspend" power modes.

13.2 Viewing power status

1. /proc/apm

2. apm

o With no options, reports power status.

o -s - Put machine in suspend mode.

o -S - Put machine in standby mode.

13.3 Options

Specified in /etc/sysconfig/apmd

14. Kernel

14.1 Types

1. Monolithic

o Drivers compiled into kernel directly.

o Uses more memory because unused drivers take up space.

o Generally slows system down due to memory usage.

o However, communicates with hardware faster.

2. Modular

o Drivers are compiled as modules.

o Uses less memory since only necessary drivers can be loaded.

o More flexible because more drivers can be compiled as modules.

14.2 Modules

1. Overview

o Auto loaded by kmod (a kernel thread).

o Module options specified in /etc/modules.conf

o Entries in /etc/modules.conf:

   install <module> <command>     # Specify command to use to install modules (default: insmod)
   remove <module> <command>      # Specify command to use to remove modules (default: rmmod)
   alias eth0 tulip               # Creates an alias for the tulip module
   options tulip irq=9            # Pass IRQ that device is using to module
   pre-install tulip <command>    # Execute <command> before loading the tulip module
   post-install tulip <command>   # Execute <command> after loading the tulip module
   pre-remove tulip <command>     # Execute <command> before removing the tulip module
   post-remove tulip <command>    # Execute <command> after removing the tulip module

2. Dependencies

depmod -a - Build dependencies for all modules

3. Managing

o Viewing

   lsmod
   cat /proc/modules

o Loading

   modprobe tulip          # Load a single module
   modprobe -t net \*      # Load all modules in "net" category
   modprobe \*             # Load all modules

o Unloading

   modprobe -r 3c503       # Unload 3c503 module
   rmmod -r 3c503          # Unload 3c503 module and all of its dependencies

14.3 Installing From Source

1. Required Packages

o kernel-headers

o kernel-source

o dev86

o make

o glibc-devel

o cpp

o ncurses (For "make menuconfig")

o ncurses-devel (For "make menuconfig")

o binutils

o gcc

NOTE: A working X installation is required if you wish to use "make xconfig".

2. Installation steps

   1. cd /usr/src
   2. bzcat linux-2.4.17.tar.bz | tar xvf -
   3. cd linux
   4. make config | make menuconfig | make xconfig
   5. make dep
   6. make clean
   7. make bzImage
   8. make modules                                    (if modular kernel)
   9. make modules_install                            (if modular kernel)
   10. cp System.map /boot/System.map-2.4.17
   11. cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.17
   12. cp .config /boot/config-2.4.17
   13. mkinitrd /boot/initrd-<version> <kernel version>   # Depending on kernel configuration
   14. Update LILO or GRUB
   15. Reboot into new kernel

3. new-kernel-pkg

New to RH 7.2 is a script called "new-kernel-pkg". This script performs several of the necessary kernel installation steps such as building module dependencies, creating an initial ramdisk, and updating the grub configuration.

For example, to install kernel 2.4.18, build module dependencies, and create an initial ramdisk, execute the following command:

   new-kernel-pkg --install --depmod --mkinitrd 2.4.18

NOTE: If you are using lilo, you will have to manually update its configuration file.

14.4 Installing from RPM

1. Required Packages

o kernel

o kernel-pcmcia-cs (for laptops)

2. Packages that may need to be upgraded

o mkinitrd

o SysVinit

o initscripts

3. Optional Packages

o kernel-headers

o kernel-source

o kernel-doc

o kernel-debug

4. Install Steps

   1. rpm -Uvh mkinitrd-<version>.rpm                    # If necessary
   2. rpm -Uvh SysVinit-<version>.rpm                    # If necessary
   3. rpm -Uvh initscripts-<version>.rpm                 # If necessary
   4. rpm -Uvh kernel-headers-<version>.rpm              # Optional
   5. rpm -Uvh kernel-source-<version>.rpm               # Optional
   6. rpm -ivh kernel-<version>.rpm --force
   7. rpm -ivh kernel-pcmcia-cs-<version>.rpm --force    # For laptops
   8. mkinitrd /boot/initrd-<version> <kernel version>   # Depending on kernel configuration
   9. Update LILO or GRUB
   10. Reboot into new kernel

NOTE: It is recommended that you install and not upgrade the kernel and kernel-pcmcia-cs packages. That way if the new kernel doesn't work, you can boot into a previous kernel that does.

14.5 Adding a module to an already compiled kernel

For those times where you need to add a new driver to a modular kernel, you can just compile the needed module and install it without recompiling the entire kernel. Just follow these steps:

   cd /usr/src/linux
   make config | make menuconfig | make xconfig    (Choose the driver as a module)
   make dep
   make modules
   make modules_install
   depmod -a

You should now be able to use the new module.

15. PAM

15.1 Files

1. Configuration files located in /etc/pam.d.

2. Separate configuration file for each service that uses pam.


3. Modules located in /lib/security.

15.2 Module Types

1. auth

Prompts for user identification.

2. account

Account based restrictions (time of day, tty, host, etc.) a.k.a. login restrictions.

3. session

Session oriented limits (file sizes, # of processes, etc.) and tasks performed before/after the user logs in.

4. password

Password management (updating).

15.3 Module Control Flags

1. required

This test must pass in order for the overall check to succeed. The remaining tests are still performed even if this one fails.

2. requisite

This test must pass in order for the overall check to succeed. However, unlike 'required', no other tests are performed if this one fails.

3. sufficient

This test doesn't have to pass for the overall check to succeed. However, if it does pass, it grants immediate access. If it fails, the remaining tests are still performed as with 'required'.

4. optional

This test has no effect on the overall check.

15.4 Custom PAM Example

This example limits who can use SSH based on a list of users.

1. In /etc/pam.d/sshd, add the following line:

   auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/sshd_users

The above will allow a user to login via sshd if they are listed in the /etc/sshd_users file. The options specified have the following meanings:

o onerr=fail - If an error occurs (file specified isn't found, or an improperly formatted entry is found in the file), fail this test. This will deny the user access via sshd. The other possible option for "onerr" is "succeed".

o item=user - This states that we are testing or verifying the user's login name.

o sense=allow - This means that if the user is found in the file specified, this test succeeds. This will allow the user access if all other PAM tests succeed as well. The other possible option for "sense" is "deny".

o file=/etc/sshd_users - This specifies the file that will contain the list of users (one per line) that are allowed to access sshd.
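The control-flag semantics of section 15.3 and the pam_listfile options of section 15.4 are easiest to see in a small simulation. The following is an added example written for this guide; it is a toy model, not Linux-PAM's code. Modules are plain functions of a login context, the `entries` list plays the role of the file= list, and the second module in `sshd_allows` is a constructed stand-in for a password check rather than pam_unix.

```python
# Toy model of PAM control flags (section 15.3) and pam_listfile options
# (section 15.4). Added illustration, not Linux-PAM's own code.
from typing import Callable, Dict, List, Optional, Tuple

# A module is modelled as a function of the login context that returns
# True (success) or False (failure). Context keys used here: "user".
Module = Callable[[Dict[str, str]], bool]


def pam_listfile(onerr: str, item: str, sense: str,
                 entries: Optional[List[str]]) -> Module:
    """Constructed stand-in for pam_listfile.so.

    `entries` is the content of the file= list (one name per line);
    None simulates a missing or unreadable file so that onerr= applies.
    """
    if onerr not in ("fail", "succeed") or sense not in ("allow", "deny"):
        raise ValueError("bad pam_listfile option")

    def check(ctx: Dict[str, str]) -> bool:
        if entries is None:                 # file error: onerr decides
            return onerr == "succeed"
        found = ctx.get(item) in entries
        return found if sense == "allow" else not found
    return check


def run_stack(stack: List[Tuple[str, Module]], ctx: Dict[str, str]) -> bool:
    """Evaluate one management group (e.g. auth) per section 15.3.

    required   - a failure fails the group, but later modules still run
    requisite  - a failure fails the group immediately
    sufficient - a success ends the group successfully unless an earlier
                 required module already failed; a failure is ignored
    optional   - the result does not affect the outcome
    """
    required_failed = False
    for flag, module in stack:
        ok = module(ctx)
        if flag == "required":
            required_failed = required_failed or not ok
        elif flag == "requisite":
            if not ok:
                return False
        elif flag == "sufficient":
            if ok and not required_failed:
                return True
        elif flag != "optional":
            raise ValueError(f"unknown control flag {flag!r}")
    return not required_failed


def sshd_allows(user: str, sshd_users: Optional[List[str]],
                password_ok: bool) -> bool:
    """The /etc/pam.d/sshd line from section 15.4 followed by a password
    check (constructed stand-in for the usual pam_unix module)."""
    stack: List[Tuple[str, Module]] = [
        ("required", pam_listfile(onerr="fail", item="user", sense="allow",
                                  entries=sshd_users)),
        ("required", lambda ctx: password_ok),
    ]
    return run_stack(stack, {"user": user})
```

Because the listfile module is `required`, a user who is not listed still has the password module run against them (the failure is only reported at the end), which is the behaviour that keeps an attacker from learning which names are in /etc/sshd_users from timing alone; with `requisite` the stack would stop early.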

15.5 Time Based Restrictions

These examples will limit the login times of certain users. See /etc/security/time.conf for more information/examples. In order to place time restrictions on user logins, the following must be placed in /etc/pam.d/login:

   account required /lib/security/pam_time.so

The remaining lines should be placed in /etc/security/time.conf.

1. Only allow user steve to login on weekdays between 7 am and 5 pm.

   login;*;steve;Wd0700-1700

2. Allow users Bilbo & Frodo to login on all days between 8 am and 5 pm except for Sunday.

   login;*;bilbo|frodo;AlSu0800-1700

If a day is specified more than once, it is unset. So in the above example, Sunday is specified twice (Al = All days, Su = Sunday). This causes it to be unset, so this rule applies to all days except Sunday.
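The day/time field of a time.conf rule is compact enough that it is worth checking a rule mechanically before relying on it. The following added example (written for this guide, not pam_time's code) parses the two rules above and evaluates them for a given timestamp, including the "listed twice means unset" toggle. One caveat a practitioner should know: in pam_time's time.conf the two-letter codes are Wk for working days (Mo-Fr) and Wd for the weekend (Sa, Su), so a rule written with Wd covers Saturday and Sunday; the assertions show what the "Wd0700-1700" rule actually expands to. The end-of-window comparison being inclusive is an assumption of this model.

```python
# Toy parser/evaluator for /etc/security/time.conf rules (section 15.5).
# Added illustration, not pam_time's own code.
import re
from datetime import datetime
from typing import Dict, List, Tuple

DAY_BITS: Dict[str, int] = {
    "Su": 1, "Mo": 2, "Tu": 4, "We": 8, "Th": 16, "Fr": 32, "Sa": 64,
}
DAY_BITS["Wk"] = 2 | 4 | 8 | 16 | 32     # working days Mo-Fr
DAY_BITS["Wd"] = 64 | 1                  # weekend Sa, Su
DAY_BITS["Al"] = 0x7F                    # all seven days


def _hhmm(text: str) -> int:
    hour, minute = int(text[:2]), int(text[2:])
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"bad time {text!r}")
    return hour * 60 + minute


def parse_time_spec(spec: str) -> Tuple[int, int, int]:
    """'AlSu0800-1700' -> (day bitmask, start minute, end minute)."""
    m = re.fullmatch(r"((?:[A-Z][a-z])+)(\d{4})-(\d{4})", spec)
    if not m:
        raise ValueError(f"unsupported time spec {spec!r}")
    days, start, end = m.groups()
    mask = 0
    for code in re.findall(r"[A-Z][a-z]", days):
        if code not in DAY_BITS:
            raise ValueError(f"unknown day code {code!r}")
        mask ^= DAY_BITS[code]   # a day listed twice toggles off (AlSu = all but Sunday)
    return mask, _hhmm(start), _hhmm(end)


def parse_rule(line: str) -> dict:
    """'login;*;bilbo|frodo;AlSu0800-1700' -> rule dictionary."""
    services, ttys, users, times = [f.strip() for f in line.split(";")]
    return {"services": services.split("|"), "ttys": ttys.split("|"),
            "users": users.split("|"), "time": parse_time_spec(times)}


def _field_matches(values: List[str], value: str) -> bool:
    return "*" in values or value in values


def rule_permits(rule: dict, service: str, tty: str, user: str,
                 when: datetime) -> bool:
    """True if the rule does not apply, or applies and `when` is in its window."""
    if not (_field_matches(rule["services"], service)
            and _field_matches(rule["ttys"], tty)
            and _field_matches(rule["users"], user)):
        return True
    mask, start, end = rule["time"]
    day_bit = 1 << ((when.weekday() + 1) % 7)   # Python Monday=0 -> Su bit 0, Mo bit 1, ...
    minute = when.hour * 60 + when.minute
    return bool(mask & day_bit) and start <= minute <= end   # inclusive end: assumption


def login_permitted(conf: str, service: str, tty: str, user: str,
                    when_iso: str) -> bool:
    """Apply every rule in a time.conf text; all applicable rules must permit."""
    when = datetime.fromisoformat(when_iso)
    rules = [parse_rule(l) for l in conf.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return all(rule_permits(r, service, tty, user, when) for r in rules)


# Constructed sample: the two rules from section 15.5.
TIME_CONF = """\
login;*;steve;Wd0700-1700
login;*;bilbo|frodo;AlSu0800-1700
"""
```

Users and services no rule mentions are left alone, which is why a deny-by-default policy needs an explicit catch-all rule rather than relying on the absence of a match.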

15.6 Access Based Restrictions

/etc/security/access.conf can be used to restrict access by terminal or host. The following must be placed in /etc/pam.d/login in order for these examples to work:

   account required /lib/security/pam_access.so

1. Deny steve login access on all terminals except for tty1:

   -:steve:ALL EXCEPT tty1

2. Users in the group jedi are only allowed to login from a local terminal:

   -:jedi:ALL EXCEPT LOCAL

3. Allow user gandalf to only login from a trusted server:

   -:gandalf:ALL EXCEPT trusted.somedomain.com
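How the three rules above combine is worth tracing once: pam_access takes the first rule whose user list and origin list both match, and grants access when no rule matches. The following added example (written for this guide, a simplified model rather than pam_access's code) parses the rules, resolves group names through a constructed membership table, and handles ALL, LOCAL, domain suffixes and "ALL EXCEPT" lists.

```python
# Simplified model of /etc/security/access.conf matching (section 15.6).
# Added illustration, not pam_access's own code.
from typing import Callable, Dict, List, Tuple

Rule = Tuple[str, List[str], List[str]]   # (permission, users, origins)


def parse_access_conf(text: str) -> List[Rule]:
    """Parse 'permission:users:origins' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = [f.strip() for f in line.split(":", 2)]
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in {raw!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules


def _list_matches(items: List[str], value: str,
                  one: Callable[[str, str], bool]) -> bool:
    """'ALL EXCEPT x y' matches when the left part matches and the right does not."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return (_list_matches(items[:i], value, one)
                and not _list_matches(items[i + 1:], value, one))
    return any(one(item, value) for item in items)


def _user_matches(item: str, user: str, groups: Dict[str, List[str]]) -> bool:
    return item == "ALL" or item == user or user in groups.get(item, ())


def _origin_matches(item: str, origin: str) -> bool:
    if item == "ALL":
        return True
    if item == "LOCAL":              # tty names and unqualified host names have no dot
        return "." not in origin
    if item.startswith("."):         # domain suffix such as .somedomain.com
        return origin.endswith(item)
    return item == origin


def access_allowed(rules: List[Rule], user: str, origin: str,
                   groups: Dict[str, List[str]]) -> bool:
    """First matching rule decides; with no matching rule, access is granted."""
    for perm, users, origins in rules:
        if (_list_matches(users, user, lambda it, v: _user_matches(it, v, groups))
                and _list_matches(origins, origin, _origin_matches)):
            return perm == "+"
    return True


# Constructed sample: the three rules from section 15.6 and a made-up group.
ACCESS_CONF = """\
-:steve:ALL EXCEPT tty1
-:jedi:ALL EXCEPT LOCAL
-:gandalf:ALL EXCEPT trusted.somedomain.com
"""
GROUPS = {"jedi": ["luke", "yoda"]}
RULES = parse_access_conf(ACCESS_CONF)
```

The default-grant behaviour is visible in the last assertion: a user no rule names is admitted from anywhere, so a file that is meant to be restrictive should end with a catch-all deny such as `-:ALL:ALL`.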


16. Cron & At

16.1 Overview

1. Cron & at provide a way to schedule tasks.

2. Packages

o vixie-cron - Provides crond daemon and crontab editing utilities.

o crontabs - Provides default root crontab files.

o at - Provides atd daemon and command line utilities.

16.2 Crontab Files

User or system defined files that contain a command to execute and the time to execute it. Crond wakes every minute to see if any crontab files have changed and re-reads them if they have.

1. User crontabs


o Stored as /var/spool/cron/<user>

o View with: crontab -l

o Edit with: crontab -e

o Edit a specific user's crontab (root only): crontab -u <user> -e

2. System crontabs

o /etc/crontab

Crontab file that configures when scripts in cron.hourly, cron.daily, cron.weekly, and cron.monthly are executed.

o /etc/cron.d

This directory contains actual crontab files that are configured just like user crontab files.

o /etc/cron.hourly

Scripts in this directory are executed on the first minute of every new hour.

o /etc/cron.daily

Scripts in this directory are executed at 4:02 AM every day.

o /etc/cron.weekly

Scripts in this directory are executed at 4:22 AM every Sunday.

o /etc/cron.monthly

Scripts in this directory are executed at 4:42 AM on the first day of the month.

3. Crontab Format

   <minute> <hour> <day of month> <month> <day of week> <command to execute>

   Valid values:

   Minute       - 0-59
   Hour         - 0-23
   Day of Month - 1-31
   Month        - 1-12 *or* Jan, Feb, Apr, etc.
   Day of Week  - 0-7 (0 or 7 = Sunday) *or* Sun, Mon, Tue, Wed, Thu, Fri, Sat

   Can specify comma separated lists and ranges for each parameter but only in a numeric format (e.g. 1-5 is ok for day of week, but not Mon-Fri).

   # To execute foo every 5 minutes.
   0,5,10,15,20,25,30,35,40,45,50,55 * * * * foo
   # - OR -
   */5 * * * * foo
   # Executes bar during the bottom of every hour
   # during working hours on week days.
   30 8-17 * * 1-5 bar
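A crontab entry that is syntactically wrong (a reversed range such as 8-5, a name inside a range) is rejected by crond when the file is installed, so it is useful to be able to expand and check the five time fields by hand. The following added example (written for this guide, not vixie-cron's code) expands lists, ranges, `*/step` forms and single month/day names into value sets, and reports whether an entry would fire at a given minute; it follows Vixie cron's rule that when both the day-of-month and day-of-week fields are restricted, a match on either one suffices. `crontab_line_is_valid` is a convenience helper added here.

```python
# Parser and matcher for the five crontab time fields (section 16.2).
# Added illustration, not vixie-cron's own code.
from datetime import datetime
from typing import Dict, List, Optional, Set

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
DAYS = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]
# (low, high, names allowed in the field, value of the first name)
FIELDS = [(0, 59, None, 0), (0, 23, None, 0), (1, 31, None, 0),
          (1, 12, MONTHS, 1), (0, 7, DAYS, 0)]


def _value(token: str, low: int, high: int, names: Optional[List[str]],
           first: int, allow_name: bool) -> int:
    if token.isdigit():
        n = int(token)
    elif names and allow_name and token.lower() in names:
        n = names.index(token.lower()) + first
    else:
        raise ValueError(f"bad value {token!r}")
    if not low <= n <= high:
        raise ValueError(f"{token!r} outside {low}-{high}")
    return n


def expand_field(spec: str, low: int, high: int,
                 names: Optional[List[str]] = None, first: int = 0) -> Set[int]:
    """Expand one field ('*/5', '8-17', '1,15', 'Jan,Mar') into the set of
    integers it covers. Names may only be used singly, never in ranges."""
    values: Set[int] = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            if not step_text.isdigit() or int(step_text) < 1:
                raise ValueError(f"bad step in {spec!r}")
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            a, b = part.split("-", 1)
            start = _value(a, low, high, names, first, False)
            end = _value(b, low, high, names, first, False)
            if start > end:
                raise ValueError(f"reversed range {part!r}")   # e.g. 8-5
        else:
            if step != 1:
                raise ValueError(f"step needs a range or '*' in {spec!r}")
            start = end = _value(part, low, high, names, first, True)
        values.update(range(start, end + 1, step))
    return values


def parse_crontab_line(line: str) -> Dict:
    parts = line.split(None, 5)
    if len(parts) != 6:
        raise ValueError("need 5 time fields and a command")
    sets = [expand_field(p, lo, hi, names, first)
            for p, (lo, hi, names, first) in zip(parts, FIELDS)]
    dow = {0 if v == 7 else v for v in sets[4]}        # 0 and 7 are both Sunday
    return {"minute": sets[0], "hour": sets[1], "dom": sets[2],
            "month": sets[3], "dow": dow,
            "dom_restricted": not parts[2].startswith("*"),
            "dow_restricted": not parts[4].startswith("*"),
            "command": parts[5]}


def crontab_line_is_valid(line: str) -> bool:
    try:
        parse_crontab_line(line)
        return True
    except ValueError:
        return False


def entry_matches(entry: Dict, when_iso: str) -> bool:
    """Would this entry fire at the given minute (ISO 8601 timestamp)?"""
    when = datetime.fromisoformat(when_iso)
    dom_ok = when.day in entry["dom"]
    dow_ok = (when.weekday() + 1) % 7 in entry["dow"]   # Python Monday=0 -> cron Sunday=0
    if entry["dom_restricted"] and entry["dow_restricted"]:
        day_ok = dom_ok or dow_ok        # Vixie cron: either restricted day field may match
    else:
        day_ok = dom_ok and dow_ok
    return (when.minute in entry["minute"] and when.hour in entry["hour"]
            and when.month in entry["month"] and day_ok)
```

The command field is kept as-is; anything after the fifth time field, including spaces, belongs to the command.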

16.3 At Jobs

1. "at" jobs are configured from the command prompt. No crontab style files.

2. At uses the existing environment that the "at" command was executed in to run the specified command(s) at the indicated time. This typically makes at jobs easier/quicker to setup than crontab jobs because the environment is already configured for the job.

3. Examples

   at 8:00 am March 12      # Execute specified commands at 8:00 am on March 12th
   at now +3 hours          # Execute specified commands 3 hours from now
   at 9:30 pm -f ~/cmds     # Execute commands in the ~/cmds file at 9:30 pm

After specifying a time, the user is prompted for the commands to execute unless the "-f" option is used to specify a file containing the commands to execute.

4. Managing At Jobs

o atq - List pending jobs for a user.

o atrm - Delete pending jobs.

   atrm 1     # Remove job number 1 from pending queue

o batch - Execute specified command when system load levels are low enough to permit it.

16.4 Access Control

1. /etc/cron.allow

If it exists, a user must be listed in this file in order to use crontab.

2. /etc/cron.deny

If it exists, a user must not be listed in this file in order to use crontab.

3. /etc/at.allow

Same as cron.allow, only for "at".

4. /etc/at.deny

Same as cron.deny, only for "at".

17. Sendmail

17.1 Packages

1. sendmail

Contains the actual binaries and configuration files.

2. sendmail-cf

This package is required if you ever want to reconfigure sendmail.

3. sendmail-doc

Contains documentation about sendmail.

Examples for the various configuration files are provided in /usr/share/doc/sendmail/README.cf.

17.2 Configuration Files


1. /etc/sendmail.cf

o Primary configuration file for sendmail.

o It's recommended that you don't edit this file by hand.

o Edit /etc/mail/sendmail.mc instead and regenerate /etc/sendmail.cf from it.

o To regenerate it:

   mv /etc/sendmail.cf /etc/sendmail.cf.old
   m4 /etc/mail/sendmail.mc > /etc/sendmail.cf

2. /etc/mail/sendmail.mc

o Used to generate /etc/sendmail.cf (see above).

o Easier to configure than /etc/sendmail.cf

o Default Redhat /etc/mail/sendmail.mc:

   divert(-1)
   dnl This is the sendmail macro config file. If you make changes to this file,
   dnl you need the sendmail-cf rpm installed and then have to generate a
   dnl new /etc/sendmail.cf by running the following command:
   dnl
   dnl        m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
   dnl
   include(`/usr/share/sendmail-cf/m4/cf.m4')
   VERSIONID(`linux setup for Red Hat Linux')dnl
   OSTYPE(`linux')
   define(`confDEF_USER_ID',``8:12'')dnl
   undefine(`UUCP_RELAY')dnl
   undefine(`BITNET_RELAY')dnl
   define(`confAUTO_REBUILD')dnl
   define(`confTO_CONNECT', `1m')dnl
   define(`confTRY_NULL_MX_LIST',true)dnl
   define(`confDONT_PROBE_INTERFACES',true)dnl
   define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
   define(`ALIAS_FILE', `/etc/aliases')dnl
   dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
   define(`UUCP_MAILER_MAX', `2000000')dnl
   define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
   define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
   define(`confAUTH_OPTIONS', `A')dnl
   dnl TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
   dnl define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
   dnl define(`confTO_QUEUEWARN', `4h')dnl
   dnl define(`confTO_QUEUERETURN', `5d')dnl
   dnl define(`confQUEUE_LA', `12')dnl
   dnl define(`confREFUSE_LA', `18')dnl
   dnl FEATURE(delay_checks)dnl
   FEATURE(`no_default_msa',`dnl')dnl
   FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
   FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
   FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
   FEATURE(redirect)dnl
   FEATURE(always_add_domain)dnl
   FEATURE(use_cw_file)dnl
   FEATURE(use_ct_file)dnl
   FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
   FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
   FEATURE(`blacklist_recipients')dnl
   EXPOSED_USER(`root')dnl
   dnl This changes sendmail to only listen on the loopback device 127.0.0.1
   dnl and not on any other network devices. Comment this out if you want
   dnl to accept email over the network.
   DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
   dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
   dnl a kernel patch
   dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
   dnl We strongly recommend to comment this one out if you want to protect
   dnl yourself from spam. However, the laptop and users on computers that do
   dnl not have 24x7 DNS do need this.
   FEATURE(`accept_unresolvable_domains')dnl
   dnl FEATURE(`relay_based_on_MX')dnl
   MAILER(smtp)dnl
   MAILER(procmail)dnl
   Cwlocalhost.localdomain

o sendmail.mc options:

   define(`confDEF_USER_ID',``8:12'')dnl      # Specifies user (8) and group (12) to run sendmail as
   OSTYPE(`linux')                            # Imports OS specific information
   undefine(`UUCP_RELAY')dnl                  # Disable UUCP relaying
   undefine(`BITNET_RELAY')dnl                # Disable bitnet relaying
   define(`confAUTO_REBUILD')dnl              # Rebuild /etc/aliases automatically
   define(`confTO_CONNECT', `1m')dnl          # Set time limit for SMTP connections to 1 minute
   define(`confTRY_NULL_MX_LIST',true)dnl     # If no mx record exists, contact host directly
   define(`confDONT_PROBE_INTERFACES',true)dnl # ????
   define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl   # Specify location of procmail
   FEATURE(`smrsh',`/usr/sbin/smrsh')dnl      # Specify location of sendmail restricted shell

   ### Enable virtusertable, mailertable, and access and specify their locations:
   ###
   FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
   FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
   FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl

   FEATURE(redirect)dnl                       # ???
   FEATURE(always_add_domain)dnl              # Append local hostname to locally delivered e-mail
   FEATURE(use_cw_file)dnl                    # Read aliases to use from /etc/mail/local-host-names
   FEATURE(local_procmail)dnl                 # Use procmail as the local MDA

   FEATURE(`blacklist_recipients')dnl         # Allows e-mail to be blocked based on destination
   FEATURE(`accept_unresolvable_domains')dnl  # Accept e-mail even if the reverse lookup of
                                              # the sender's domain doesn't work
   FEATURE(`rbl')dnl                          # Implements Realtime Blackhole List to fight spam.
   FEATURE(`relay_based_on_MX')dnl            # Automatically allow relaying if sendmail server
                                              # is listed as the target domain's MX record.
                                              # This appears to only work if the hostname is set
                                              # to the same value as the MX record.
   FEATURE(domaintable)dnl                    # Enable use of domaintable
   FEATURE(mailertable)dnl                    # Enable use of mailertable

   ### The following sets a "smart host" that all of your mail will be relayed through.
   define(`SMART_HOST',`mail.yourdomain.com')dnl

   ### The following line tells sendmail to only listen on the localhost interface.
   DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

   ### The following 3 allow a host to masquerade as another host. Useful for hiding
   ### internal machine names from the outside world. Note that any user specified in
   ### an "EXPOSED_USER" (e.g. root), will not have their e-mail address masqueraded.
   MASQUERADE_AS(`yourdomain.net')dnl         # Specifies domain to use in FROM and envelope addresses.
   FEATURE(allmasquerade)dnl                  # Turn on masquerading for all e-mail
   FEATURE(masquerade_envelope)dnl            # Masquerade the envelope address also

3. /etc/aliases (& /etc/aliases.db)

o Contains aliases for e-mail addresses. For example, it allows you to send mail destined for user 'daemon' to 'root'.

o Only local names may be aliased.

o Example /etc/aliases:

   daemon: root               # Messages sent to user daemon are redirected to root
   root: steve                # Messages sent to root are redirected to steve
   webmaster: steve bob sue   # Messages sent to webmaster are redirected to steve, bob and sue
   [email protected]: bob         # This entry is invalid unless the local host name is foo.com
                              # or foo.com is listed in /etc/mail/local-host-names

o After editing /etc/aliases, you must regenerate /etc/aliases.db with the newaliases command.

4. /etc/mail/access (& /etc/mail/access.db)

o Controls which hosts are allowed to use sendmail.

o Example /etc/mail/access:

   localhost.localdomain   RELAY     #
   localhost               RELAY     ### These 3 permit the localhost to relay
   127.0.0.1               RELAY     #

   10.22                   REJECT    # Reject mail from any host with an IP that starts with 10.22
   nobody@                 REJECT    # Rejects any mail addressed to user 'nobody' regardless
                                     # of the domain it's sent to.
   foo.com                 OK        # Accept mail from foo.com (not for relaying) even
                                     # if other rules might reject it
   bar.com                 REJECT    # Reject all mail from bar.com and send message to sender
   foobar.com              DISCARD   # Like REJECT, except sender doesn't receive a message

   # The following sends the specified RFC error code back to the sender along with the
   # message specified after it.
   someone.com             550 We don't accept your mail.
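The entries above only make sense once you know how sendmail walks the map: a connecting host is looked up under its full name and then each parent domain, an IP address under progressively shorter dotted prefixes (which is why "10.22" covers a whole /16), and an address under the full address, the "user@" form and the domain. The following added example (written for this guide; a simplified model of that lookup order, not sendmail's code) parses the sample file and reports the action each lookup would select. The relative order in which the address forms are tried is an assumption of this model.

```python
# Simplified model of how sendmail consults the access map (section 17.2, item 4).
# Added illustration, not sendmail's own code.
from typing import Dict, List, Optional


def parse_access(text: str) -> Dict[str, str]:
    """Parse /etc/mail/access lines into key -> value. The value is everything
    after the first whitespace, so '550 We don't accept your mail.' survives
    intact; '#' starts a comment."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if not value:
            raise ValueError(f"missing value in {raw!r}")
        table[key] = value
    return table


def _host_candidates(host: str) -> List[str]:
    """'mail.bar.com' -> ['mail.bar.com', 'bar.com', 'com'];
    an IPv4 address is shortened from the right: '10.22.3.4' -> ['10.22.3.4',
    '10.22.3', '10.22', '10']."""
    labels = host.split(".")
    if labels and all(l.isdigit() for l in labels):
        return [".".join(labels[:i]) for i in range(len(labels), 0, -1)]
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookup_host(db: Dict[str, str], host: str) -> Optional[str]:
    """Most specific entry for a connecting host name or IP address."""
    for key in _host_candidates(host):
        if key in db:
            return db[key]
    return None


def lookup_address(db: Dict[str, str], address: str) -> Optional[str]:
    """Entry for a sender/recipient address: full address, then 'user@',
    then the domain and its parents (order assumed by this model)."""
    local, _, domain = address.partition("@")
    candidates = [address, local + "@"] + (_host_candidates(domain) if domain else [])
    for key in candidates:
        if key in db:
            return db[key]
    return None


def action(value: Optional[str]) -> str:
    """Translate a map value into the outcome the guide describes."""
    if value is None:
        return "accept"                       # no entry: normal processing
    if value in ("OK", "RELAY", "REJECT", "DISCARD"):
        return value
    if value[:3].isdigit():
        return "reject with " + value         # explicit SMTP reply code and text
    raise ValueError(f"unknown access value {value!r}")


# Constructed sample: the entries from the guide's example file.
ACCESS_FILE = """\
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
10.22                   REJECT
nobody@                 REJECT
foo.com                 OK
bar.com                 REJECT
foobar.com              DISCARD
someone.com             550 We don't accept your mail.
"""
ACCESS_DB = parse_access(ACCESS_FILE)
```

Note that "OK" only means the entry overrides other rejection rules for that host; it does not grant relaying, which is why the localhost lines use RELAY instead.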


o After editing /etc/mail/access, you must regenerate /etc/mail/access.db by going into /etc/mail and typing make.

5. /etc/mail/mailertable (& /etc/mail/mailertable.db)

o Useful for overriding DNS or if DNS isn't available.

o Allows you to perform domain translation.

o Can specify the deliver agent.

o Example /etc/mail/mailertable:

   foo.net      smtp:bar.net           # Forward mail addressed to foo.net to bar.net
   foobar.net   smtp:[192.168.1.20]    # Forward mail addressed to foobar.net to the host at 192.168.1.20

o Regenerate /etc/mail/mailertable.db by going to /etc/mail and typing make.

6. /etc/mail/virtusertable (& /etc/mail/virtusertable.db)

o Allows you to map multiple virtual domains and users to other addresses.

o Example /etc/mail/virtusertable:

   [email protected]    steve               # Mail sent to [email protected] is redirected to local user steve
   [email protected]    [email protected]     # Mail sent to [email protected] is redirected to [email protected]

   @somedomain.com      [email protected]     # Mail addressed to _any_ user at somedomain.com is redirected
                                            # to [email protected]
   @foobar.com          %[email protected]    # Mail addressed to a user at foobar.com is redirected to the same
                                            # user at barr.com.

o Regenerate /etc/mail/virtusertable.db by going to /etc/mail and typing make.

7. /etc/mail/domaintable (& /etc/mail/domaintable.db)

o Allows an old domain to be mapped to a new one.

o Example /etc/mail/domaintable:

   NEED TO FIND MORE INFO ABOUT domaintable

o Regenerate /etc/mail/domaintable.db by going to /etc/mail and typing make.

8. /etc/mail/local-host-names

o This file must contain the sendmail server's machine name and any aliases. Sendmail must be restarted after changing this file in order for it to take effect.

o Example:

   foo.com
   bar.com
   foobar.com

Specifies that foo.com, bar.com, and foobar.com are all local domains.

9. /usr/share/sendmail-cf/cf/

Contains various sample configuration files for sendmail.

10. /etc/mail/helpfile

This file contains the help information that is displayed when someone uses the SMTP "help" command during an SMTP session.

11. /etc/mail/statistics

Stores statistics about processed mail.

17.3 A Simple Client Configuration

1. Configures client machines to send mail to a central smart host.

2. Masquerades their mail domain as the mail domain of the smart host.

3. Example:

Host workstation.somedomain.com needs to be able to send mail to the outside world. However, we want mail coming from workstation.somedomain.com to have a from address of [email protected], not [email protected].


The central mail hub for the somedomain.com is mail.somedomain.com.

Make these changes in /etc/sendmail.cf on workstation.somedomain.com.

o The DR line specifies sendmail's forwarding agent for unqualified domain names. Change it to:

   DRmail.somedomain.com

o The DH line specifies which host all local e-mail traffic should be forwarded to. Change it to:

   DHmail.somedomain.com

o The DS line specifies the smart relay host. Change it to:

   DSmail.somedomain.com

o The DM line specifies what the client should masquerade as. Change it to:

   DMsomedomain.com

The smart host mail.somedomain.com will also need to be configured to allow relaying from subnets that the client machines exist on.

17.4 Debugging Sendmail

1. mail -v <user>

Shows information about message delivery while it's being processed.

2. debug mode

To enable debug mode, run sendmail with the "-d" option and specify a debug # after it.

3. Display Queue Contents

Type: mailq or sendmail -bp

4. Running the Queue


Type: sendmail -q

5. Hostname Problems

In order to make sure sendmail is identifying the hostname of your machine correctly, type: sendmail -d0 < /dev/null

If sendmail thinks your hostname is localhost, check to see if /etc/hosts is configured correctly. Try removing all hostnames except for localhost and try again.

18. Apache

18.1 Defaults

1. Configuration File: /etc/httpd/conf/httpd.conf

2. Server root: /etc/httpd

3. Document root: /var/www/html

4. Logging location: /var/log/httpd

5. User: apache

6. Group: apache

7. Ports: 80 TCP (HTTP) and 443 TCP (HTTPS)

8. Modules stored in /etc/httpd/modules

9. MinSpareServers 5

10. MaxSpareServers 10

11. StartServers 8

12. MaxClients 150

13. MaxRequestsPerChild 1000

14. Default Pages Served


Whenever a URL is requested that ends in a directory and not a file, a default file within the directory will be loaded. The DirectoryIndex directive is used to specify what this default file or files will be.

DirectoryIndex index.html index.htm index.shtml index.php index.php4 index.php3 index.cgi

With the above configuration, if a user requests http://www.somedomain.com/, Apache searches its document root for the files named in the DirectoryIndex directive, in the order in which they appear: first index.html, then index.htm, then index.shtml and so on. The first one found is served.

18.2 Resource Control 1. MinSpareServers

Minimum # of idle server processes that must be available to handle incoming requests.

2. MaxSpareServers

Maximum # of idle server processes that wait for client connections.

3. StartServers

Initial # of servers to start when Apache is started.

4. MaxClients

Maximum # of clients that can be served at once. This effectively limits the maximum number of httpd processes started since it requires 1 process per client.

5. MaxRequestsPerChild

Maximum # of requests to handle per child. After this number is attained, the child is killed and a new child process is spawned to replace it. This is used to help prevent memory leaks from eating up system resources.


18.3 Logging 1. Error Log

Use ErrorLog directive to specify. For example:

ErrorLog /var/log/httpd/error_log

2. Access Log

No AccessLog directive. Instead use the CustomLog directive.

CustomLog /var/log/httpd/access_log combined

"combined" is a previously defined log format (defined with LogFormat directive).

"common" is another previously defined log format that logs less information than "combined".

18.4 User Web Space 1. Specify name of user www directory with UserDir directive:

UserDir public_html

2. User must create a "public_html" directory in their home directory.

3. Anything placed in the public_html directory can be accessed through the web if permissions allow Apache to access it (the home directory and public_html need execute permission for the apache user, the files read permission). Disable the feature for accounts that should never publish anything, e.g. UserDir disabled root.

4. In order to visit a user's "public_html" directory, specify ~user after the base URL:

http://www.somedomain.com/~steve/

18.5 Access Restrictions 1. Provides directory and file level access control.

2. Are recursively applied to directories underneath the directory specified unless overridden.

3. / should be configured to be VERY restrictive. Then, start configuring directories from the document root on down.


4. If "AllowOverride" is specified for a directory in the httpd.conf file, then permissions can be overridden by placing a .htaccess file in the directory. Permissions are then specified in the .htaccess file.

5. AllowOverride Options:

o None

Nothing can be overridden.

o AuthConfig

Allows use of user/group authorization directives (AuthName, AuthUserFile, AuthGroupFile, Require).

o FileInfo

Allows use of directives controlling document types.

o Indexes

Allows use of directives that control directory indexes.

o Limit

Allows use of directives that control access based on browser, hostname, and network (Order, Allow, Deny).

o Options

Allows use of directives controlling directory features (Options, XBitHack).

6. Access Control Setup

o order

1. allow,deny

allow acls processed before deny acls. Default deny - hosts not explicitly allowed are denied.

2. deny,allow

deny acls processed before allow acls. Default allow - hosts not explicitly denied are allowed.

3. mutual-failure

Only hosts that appear in an allow acl and not in a deny acl are allowed. This has the same effect as allow,deny, which is the form to prefer.


o allow from

Specifies which hosts should be allowed access.

o deny from

Specifies which hosts should be denied access.

o Examples

# In this case, no one would be granted access,
# because denys are processed after allows.
<Directory /var/www/html>
    order allow,deny
    allow from 199.151.220
    deny from All
</Directory>

# In this case, only those hosts in the
# 199.151.220.0/24 network will be allowed in.
<Directory /var/www/html>
    order deny,allow
    allow from 199.151.220
    deny from All
</Directory>
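The following is an added example, not code from the guide or from Apache: a small model of how mod_access evaluates Order, Allow from and Deny from, so that blocks like the two above can be checked for the "nobody gets in" mistake without restarting the server. It assumes address-only patterns (all, a full IPv4 address, a partial dotted prefix such as 199.151.220, and CIDR); hostname patterns, which depend on reverse DNS, are not modelled, and the function names are my own.

```python
import ipaddress


def host_matches(pattern, client_ip):
    """Match one Allow/Deny argument against a client address.

    Assumed pattern forms: "all", a full IPv4 address, a partial dotted
    prefix such as "199.151.220" (matches on octet boundaries) and CIDR
    "a.b.c.d/n". Hostname patterns (reverse DNS) are not modelled.
    """
    pattern = pattern.strip().lower()
    if pattern == "all":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if len(octets) < 4 and all(o.isdigit() for o in octets):
        return client_ip.split(".")[: len(octets)] == octets
    return addr == ipaddress.ip_address(pattern)


def parse_directory_block(text):
    """Pull Order, Allow from and Deny from out of a <Directory> block.

    Returns (order, allow_patterns, deny_patterns). Apache's default Order
    is Deny,Allow, which is what a block without an Order line gets.
    """
    order, allow, deny = "deny,allow", [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        words = line.split()
        key = words[0].lower()
        if key == "order" and len(words) == 2:
            order = words[1].lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    return order, allow, deny


def access_decision(order, allow, deny, client_ip):
    """Apply mod_access's evaluation orders; True means the client gets in."""
    allowed = any(host_matches(p, client_ip) for p in allow)
    denied = any(host_matches(p, client_ip) for p in deny)
    if order in ("allow,deny", "mutual-failure"):
        # Must match an Allow and must not match any Deny; unmatched hosts are denied.
        return allowed and not denied
    if order == "deny,allow":
        # A Deny match is overridden by an Allow match; unmatched hosts are allowed.
        return allowed or not denied
    raise ValueError(f"unknown Order value: {order}")


def client_allowed(block, client_ip):
    """Convenience wrapper: decision for one client against one <Directory> block."""
    return access_decision(*parse_directory_block(block), client_ip)


# The two blocks from the guide, as constructed test input.
BROKEN_BLOCK = """
<Directory /var/www/html>
    order allow,deny
    allow from 199.151.220
    deny from all
</Directory>
"""

WORKING_BLOCK = """
<Directory /var/www/html>
    order deny,allow
    allow from 199.151.220
    deny from all
</Directory>
"""

if __name__ == "__main__":
    for name, block in (("allow,deny", BROKEN_BLOCK), ("deny,allow", WORKING_BLOCK)):
        for ip in ("199.151.220.7", "10.0.0.1"):
            verdict = "allowed" if client_allowed(block, ip) else "denied"
            print(f"{name:12} {ip:15} -> {verdict}")
```

Running it prints that the allow,deny block denies even 199.151.220.7, while the deny,allow block admits it and turns 10.0.0.1 away. Apache 2.4 dropped Order/Allow/Deny in favour of Require ip 199.151.220 (default deny), which avoids the trap entirely.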

18.6 Authentication 1. User/password database

o Use AuthUserFile directive to specify a password file. Can be used in a <Directory> directive or in an .htaccess file (if "AllowOverride AuthConfig" is specified for the directory).

o Create the password file and add user "steve" to it:

htpasswd -c /var/www/userpasswd steve

Only use the "-c" option when you create the file. After that, leave it off. Otherwise you will wipe out your existing password file. Keep the file outside the document root (as /var/www/userpasswd is, /var/www/html being the document root) so it can never be fetched over the web.

2. Authentication Type

Specify an AuthType (Basic or Digest). Basic sends the username and password base64-encoded with every request, which is as good as cleartext, so use it only over HTTPS (see 18.9).


3. Realm

Specify a realm using AuthName.

4. Authentication Requirements

Specify authentication requirements using the require directive.

5. Example .htaccess file

AuthName "My Realm"
AuthType Basic
AuthUserFile /var/www/passwd
require valid-user

The above example allows any valid user ("valid-user" must be in all lower case) to access this directory. Valid meaning that the user is defined in /var/www/passwd.

If only certain users are allowed to access this directory, you can specify them instead of "valid-user":

require user bob sue steve

In this case, only users bob, sue, and steve will be allowed to access this directory (they must still exist in the AuthUserFile).

18.7 CGI 1. Defining a directory for CGI scripts

o ScriptAlias

ScriptAlias /cgi-bin/ /var/www/cgi-bin/

Don't forget the trailing "/" on both parameters.

This specifies that the /var/www/cgi-bin can contain cgi scripts and it can be reached when a user accesses the web address and appends /cgi-bin/ to the base URL. For example:

http://www.somehost.com/cgi-bin/cgi-test

Would cause the cgi script called cgi-test to be executed if it exists in the /var/www/cgi-bin directory.

o ExecCGI


A directory can also be specified as containing cgi scripts by specifying Options ExecCGI within a <Directory> directive or an .htaccess file.

o Sample CGI scripts can be found in /usr/share/doc/apache-X.X.XX/cgi-bin.
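As an added example (not part of the guide), here is a parser for the "common" and "combined" access_log formats described in 18.3, with the three checks a practitioner would run over it: repeated 401 responses from one host (password guessing against the AuthUserFile-protected directories of 18.6), 404s under the ScriptAlias path (CGI scanners probing for scripts, 18.7), and hosts walking ~user directories (UserDir enumeration, 18.4). The log lines are constructed sample input and the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Common format is the same line without the two trailing quoted fields,
# so those two fields are optional in the pattern.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)


def parse_line(line):
    """Fields of one access_log line as a dict, or None if it is not common/combined format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split()          # "GET /path HTTP/1.0"
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    entry["status"] = int(entry["status"])
    return entry


def parse_log(text):
    """Parse every well-formed line; malformed lines are skipped."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def auth_failures(entries, threshold=3):
    """Hosts with at least `threshold` 401s: password guessing against a protected tree."""
    hits = Counter(e["host"] for e in entries if e["status"] == 401)
    return {h: n for h, n in hits.items() if n >= threshold}


def cgi_probes(entries):
    """Hosts requesting scripts that do not exist under the ScriptAlias path."""
    return dict(Counter(e["host"] for e in entries
                        if e["path"].startswith("/cgi-bin/") and e["status"] == 404))


def userdir_probes(entries):
    """Hosts walking /~user/ URLs; the value is how many distinct account names each tried."""
    tried = defaultdict(set)
    for e in entries:
        m = re.match(r"/~([^/?]+)", e["path"])
        if m:
            tried[e["host"]].add(m.group(1))
    return {h: len(users) for h, users in tried.items()}


# Constructed sample log: three guesses then a success from one host, a scanner from
# another, and a final line in common format to show the parser accepts both.
SAMPLE_LOG = """\
192.168.1.77 - - [12/Jan/2002:10:15:01 -0500] "GET /private/ HTTP/1.0" 401 401 "-" "Mozilla/4.0"
192.168.1.77 - - [12/Jan/2002:10:15:02 -0500] "GET /private/ HTTP/1.0" 401 401 "-" "Mozilla/4.0"
192.168.1.77 - - [12/Jan/2002:10:15:03 -0500] "GET /private/ HTTP/1.0" 401 401 "-" "Mozilla/4.0"
192.168.1.77 - bob [12/Jan/2002:10:15:04 -0500] "GET /private/ HTTP/1.0" 200 1532 "-" "Mozilla/4.0"
10.9.8.7 - - [12/Jan/2002:10:16:00 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 404 276 "-" "scanner/1.0"
10.9.8.7 - - [12/Jan/2002:10:16:01 -0500] "GET /cgi-bin/printenv HTTP/1.0" 404 276 "-" "scanner/1.0"
10.9.8.7 - - [12/Jan/2002:10:16:02 -0500] "GET /~root/ HTTP/1.0" 403 280 "-" "scanner/1.0"
10.9.8.7 - - [12/Jan/2002:10:16:03 -0500] "GET /~steve/ HTTP/1.0" 200 512 "-" "scanner/1.0"
192.168.1.5 - - [12/Jan/2002:10:17:00 -0500] "GET /index.html HTTP/1.0" 200 1024
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("parsed lines:", len(entries))
    print("auth failures:", auth_failures(entries))
    print("cgi probes:", cgi_probes(entries))
    print("userdir probes:", userdir_probes(entries))
```

On the sample it reports 192.168.1.77 for three 401s before the successful login as bob, and 10.9.8.7 for both the CGI probes and two ~user names tried. Run it against /var/log/httpd/access_log with parse_log(open(path).read()) in place of the sample.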

18.8 Virtual Hosts 1. IP Based

o Requires host to have a separate IP for each virtual host.

o Use <VirtualHost> directive to specify.

o Must at least specify ServerName.

o Recommend specifying a separate document root, error log, and script alias for each virtual host. Grant Options sparingly per host: Indexes publishes directory listings wherever there is no index file, and Includes enables server-side includes, including #exec (use IncludesNOEXEC if you need SSI without it).

o Example:

<VirtualHost 192.168.1.10>
    ServerName www.somedomain.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/www.somedomain.com/html
    ScriptAlias /cgi-bin/ /var/www/www.somedomain.com/cgi-bin/
    ErrorLog /var/log/httpd/www.somedomain.com/error_log
    CustomLog /var/log/httpd/www.somedomain.com/access_log combined
    <Directory /var/www/www.somedomain.com/html>
        Options Indexes Includes
        order deny,allow
        Allow from All
    </Directory>
</VirtualHost>

2. Name Based

o Very similar to IP based.

o Must specify IP to use for virtual hosting with the NameVirtualHost directive. All further <VirtualHost> directives that reference the IP specified by NameVirtualHost automatically become a named based virtual host.


o The first virtual host becomes the default host.

o ServerAlias allows you to specify an alternate name for a name based virtual host.

o Example:

NameVirtualHost 192.168.1.11

<VirtualHost 192.168.1.11>
    ServerName www.someotherdomain.com
    ServerAlias www1.someotherdomain.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/www.someotherdomain.com/html
    ScriptAlias /cgi-bin/ /var/www/www.someotherdomain.com/cgi-bin/
    ErrorLog /var/log/httpd/www.someotherdomain.com/error_log
    CustomLog /var/log/httpd/www.someotherdomain.com/access_log combined
    <Directory /var/www/www.someotherdomain.com/html>
        Options Indexes Includes
        order deny,allow
        Allow from All
    </Directory>
</VirtualHost>

3. Troubleshooting

o If accessing any of the defined named based virtual hosts always causes the default virtual host to be viewed, verify that the names specified for each virtual host (ServerName) are correct.

o To view virtual host settings, type:

httpd -S

18.9 SSL 1. mod_ssl

Apache module that provides HTTPS (SSL/TLS) on port 443.

2. Encryption Configuration

o Certificate stored in /etc/httpd/conf/ssl.crt/server.crt

o Private key stored in /etc/httpd/conf/ssl.key/server.key. It must be owned by root and readable by root only (mode 0600); anyone who can read it can impersonate the server.


o Certificate/Key Generation

1. Use openssl

2. RH provided Makefile at /usr/share/ssl/certs/Makefile:

make testcert - Self-signed certificate

make certreq - Certificate signing request (CSR) to get a certificate authority signed certificate.


19. BIND

19.1 Overview 1. BIND 9

2. Resolves hostnames to IP addresses(forward lookup).

3. Resolves IP addresses to hostnames(reverse lookup).

4. Provides e-mail routing information.

5. Packages

o bind - Primary package. Provides binaries, documentation, configs, etc.

o bind-utils - Tools used to query DNS servers.

o bindconf - Contains tools to configure a DNS server.

o caching-nameserver - Includes necessary configuration files to make BIND a caching only nameserver.

Important files provided by caching-nameserver:

/var/named/localhost.zone   # Forward zone for localhost
/var/named/named.ca         # "Hints" file. Contains root servers
/var/named/named.local      # Reverse zone for localhost

o openssl - Needed for some of BIND's security features.

6. Ports


o 53 UDP - DNS queries

o 53 TCP - Zone transfers and DNS queries > 512 bytes.

7. redhat-config-bindconf

GUI configuration utility provided by bindconf package.

19.2 Configuration Files 1. /etc/named.conf

o Specifies zones, options, and access controls.

o SEMI-COLON placement is critical!

o Sample named.conf

options {
    directory "/var/named";                 // Working directory of server
    allow-query { any; };                   // Specify which hosts are allowed to query this server
    allow-transfer { 192.168.1.0/24; };     // Specify hosts that are allowed to receive zone
                                            // transfers from this server
    recursion yes;                          // Enable recursive queries
    allow-recursion { 192.168.1.0/24; };    // Specify which hosts can perform recursive queries.
    version "Surely you must be joking";    // Set version reported by ndc and when querying
                                            // version.bind in the chaos class
};

// The following controls who can access this server using rndc.
// Bind to 127.0.0.1 and allow only localhost access.
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {                   // Hints file containing root servers
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

zone "xyz.com" IN {             // Forward lookup zone for xyz.com
    type master;                // This is a master zone
    file "db.xyz.com";          // Zone information stored in /var/named/db.xyz.com
    allow-update { none; };
};

zone "zyx.com" IN {             // Forward lookup zone for zyx.com
    type master;                // This is a master zone
    file "db.zyx.com";          // Zone information stored in /var/named/db.zyx.com
    allow-update { none; };
};

zone "somedomain.com" IN {      // Forward lookup zone for somedomain.com
    type slave;                 // This is a slave zone
    masters { 192.168.1.50; };  // Required for a slave zone: the server to transfer it from
    file "db.somedomain.com";   // Optional for slave zones. If set, a copy of the zone
                                // information is kept locally on disk under /var/named.
};

include "/etc/rndc.key";        // Private key used for secure remote administration


See the end of the named.conf man page for more configuration examples.

SECURITY NOTE:

If the following options are left unspecified, they default to allowing access from all hosts:

allow-query
allow-transfer
allow-recursion

An open allow-transfer hands your complete zone to anyone who asks (check from an outside host with dig @yourserver somedomain.com axfr; it should be refused), and an open allow-recursion makes the server a public recursive resolver that can be abused for cache poisoning and reflection attacks. The version string only hides the banner; it is no substitute for running a patched BIND.

2. /etc/nsswitch.conf

o Not part of BIND, but must be setup correctly in order for local processes to use BIND for host resolution.

o Specifies the order in which resources are queried in order to resolve hostnames, IP addresses, etc.

o Partial example:

hosts:     files dns
networks:  files
protocols: files nisplus

The "hosts" line specifies that we should first check our local files (e.g. /etc/hosts) for hostname resolution before consulting DNS services. The "networks" line states that only our local files (e.g. /etc/networks) should be consulted for network information. The "protocols" line says we should first consult our local files (e.g. /etc/protocols) for protocol information, and then consult nisplus services if it isn't found in our local files.

3. /etc/hosts

o Not part of BIND, but must be setup correctly in order for host resolution to work.

o See host resolution above.

4. /etc/resolv.conf

o Not part of BIND, but must be setup correctly in order for host resolution to work.

o See host resolution above.


19.3 Caching Only Name Servers 1. Not authoritative for any zone.

2. Uses DNS root servers or another name server known as a forwarder to resolve DNS queries.

3. To create a forwarding name server, put the following line in the "options" section of the /etc/named.conf file:

forwarders { 192.168.1.20; };

4. If you want BIND to use only its forwarders to resolve hosts and never the root name servers, also put the following line in the "options" section:

forward only;

The "forwarders" option specifies which DNS server or servers queries should be forwarded to for resolution. A caching server still needs allow-query and allow-recursion restricted to your own networks (see the security note in 19.2), otherwise it is an open resolver.

19.4 Zones 1. Overview

o Specified in /etc/named.conf.

o No trailing "." on FQDN.

o "IN" after zone name is optional (see sample named.conf above for example).

2. Master Zones

o DNS server is authoritative for that zone.

o All domains must have one.

o Example:

zone "somedomain.com" {
    type master;
    file "db.somedomain.com";
    allow-transfer { 192.168.3.4; };
};

3. Slave Zones


o Provides backup service to "masters".

o Example:

zone "somedomain.com" {
    type slave;
    masters { 192.168.1.50; };
    file "db.somedomain.com";
};

o masters - Specifies the DNS server that is the "master" of this domain.

o file - Not required for slave. If specified, indicates the name of the local file where the zone information is kept.

o When a slave server starts, it checks the serial number for the zone on the master. If it's been updated, the slave performs a zone transfer to get the latest information. If it hasn't, and the slave has the zone on disk (i.e. the file directive was used), it loads the information directly from disk, reducing network traffic.

o Slaves must be given permission to perform zone transfers by the master server. In /etc/named.conf:

options {
    ...
    allow-transfer { 192.168.1.45; };
    ...
};

Or you can specify the "allow-transfer" directive on a per zone basis as shown above.

4. Reverse Lookup Zones

o Used to resolve IP to hostname.

o Special domain .in-addr.arpa is used.

o Zone name is created by reversing the octets in the network portion of the IP address and appending .in-addr.arpa to it.

For example, to provide reverse lookups for all hosts in the IP range 192.168.1.0/24, use the following zone name:


1.168.192.in-addr.arpa

o Example:

zone "1.168.192.in-addr.arpa" {
    type master;
    file "db.1.168.192.in-addr.arpa";
};

zone "0.0.127.in-addr.arpa" {    # Loopback zone
    type master;                 # Should NEVER be a slave
    file "db.0.0.127.in-addr.arpa";
};

5. Root Zone

o Special zone that specifies the root servers.

o Zone type is "hint".

o Example:

zone "." {
    type hint;
    file "named.ca";    # Contains root DNS servers
};

o Used when a query isn't resolvable by any of the other configured zones.

o Update root servers from ftp://rs.internic.net/domain/named.ca or use dig (with no query name, dig asks the server for the NS records of ".") and redirect its output into /var/named/named.ca:

dig @<rootserver>
dig @a.root-servers.net

6. Zone Delegation

o Divides up a larger domain into smaller, more manageable domains.

o For example, support.somedomain.com and development.somedomain.com can be delegated to someone else's control to ease the management of the somedomain.com domain.

o Example. In the zone file for somedomain.com, put the following entries:


support.somedomain.com.      IN NS ns.support.somedomain.com.
ns.support                   IN A  192.168.44.10

development.somedomain.com.  IN NS ns.development.somedomain.com.
ns.development               IN A  192.168.45.10

(Note the trailing "." on the delegated names; without it the origin would be appended a second time.)

o Both the NS and A records are required in order to delegate a zone.

o These are known as "glue" records that help queries go from one name server to another.

19.5 Resource Records 1. Format

2. Syntax:

[domain/@] [ttl] [class] <type> <rdata> [comment]

o domain/@ - Optional. If left blank, defaults to the same value as the last resource record. @ represents the domain name specified in /etc/named.conf for the zone. Otherwise, any name specified will have the domain appended to it unless it ends in a ".".

o ttl - Optional. Time-to-Live. Defaults to the value specified by the $TTL directive if left unspecified. Specifies how long the record can be cached.

o class - Optional. If left unspecified, defaults to IN (Internet).

o type - Specifies the type of RR.

o rdata - Specifies RR related data.

o comment - Comments about the RR.

3. Character Restrictions

Hostnames can only consist of A-Z (case insensitive), 0-9, and -.

4. Start of Authority (SOA)

o Every zone must have one and only one.

o Preamble of the zone file.

o Example:

@ 1D IN SOA ns root (
        2002011201 ; serial
        3H         ; refresh
        15M        ; retry
        1W         ; expire
        1D )       ; minimum

@ 1D IN SOA ns.somedomain.com. root.somedomain.com. (
        2002011201 ; serial
        3H         ; refresh
        15M        ; retry
        1W         ; expire
        1D )       ; minimum

Both of the above sample SOA RRs are identical when the $ORIGIN is somedomain.com. The name server specified in the SOA record must be a machine with an A record; you cannot use a name defined by a CNAME record in the SOA record. The second field is the zone contact's mailbox with the "@" replaced by a "." (root.somedomain.com. means root@somedomain.com).

Component Definitions:

1. serial - Used for version control. Every time an update is made to the zone, the serial number must be updated so the slave zones know there has been an update.

2. refresh - How often the slave servers should check the serial number on the master for changes.

3. retry - Amount of time a slave should wait before attempting another "refresh" after a previous refresh has failed.

4. expire - How long a slave should use it's DNS information without a refresh from the master.

5. minimum - How long a server should cache negative hits (e.g. no such domain/host).

Values for the above entries can be specified in seconds (default), minutes (M), hours (H), days (D), and weeks (W). The unit letter is accepted in either case, and there can't be a space between the number and the unit.

86400 = 24H = 1D


5. Name Server (NS)

o Every zone must have at least the master name server specified.

o A FQDN must be used for NS resource records.

o Example:

@               IN NS ns1.somewhere.com.
somewhere.com.  IN NS ns2.somewhere.com.
                IN NS ns3.somewhere.com.

All 3 lines refer to the same domain. The @ in the first line refers to the origin (specified by the zone directive in /etc/named.conf). The second line explicitly states the domain (notice the trailing "."). The third line doesn't specify the domain or an @, so it defaults to the owner of the RR above it.

6. Address (A)

o Maps a hostname to an IP address.

o Used by forward lookups.

o Example:

ns1.somewhere.com. IN A 192.168.20.10  ; FQDN specified. Notice trailing "."
ns2                IN A 192.168.20.11  ; FQDN isn't required. In the last 4 lines,
ns3                IN A 192.168.20.12  ; somewhere.com. is appended to ns2, ns3,
www                IN A 192.168.20.15  ; www, and mail
mail               IN A 192.168.20.20

7. Canonical Name (CNAME)

o Provides an "alias" or alternate name for an existing host.

o A CNAME record should never be referred to by another CNAME record, an MX record, or an SOA record.

o Example:

pop  IN CNAME mail
imap IN CNAME mail


In this case, both pop and imap refer to the "mail" address (A) record in the previous example.

8. Pointer (PTR)

o Maps an IP address to hostname.

o Used in "in-addr.arpa" zones.

o Example (assume a zone of 1.168.192.in-addr.arpa):

10                         IN PTR ns1.somewhere.com.
11                         IN PTR ns2.somewhere.com.
12                         IN PTR ns3.somewhere.com.
15.1.168.192.in-addr.arpa. IN PTR www.somewhere.com.
20                         IN PTR mail.somewhere.com.

Again, if a FQDN isn't specified, the domain is appended to the entry.

9. Mail Exchange (MX)

o Define a mail exchange for a zone.

o Requires a priority be specified right after the "MX" but before the hostname. The lower the number, the higher the priority.

o Used by MTAs to deliver mail to the zone.

o Should not be used in reverse lookup zones.

o Example:

@              IN MX 5  mail.somewhere.com.   ; Highest priority
somewhere.com. IN MX 10 mail2.somewhere.com.
               IN MX 15 mail3.somewhere.com.  ; Lowest priority

10. Host Information (HINFO)

o Provides information about your host.

o Generally not a good idea to give out any host information due to security concerns.

o Should not be used in reverse lookup zones.

o Example:


mail IN HINFO i686 Linux-2.4.18
www  IN HINFO i686 Linux-2.4.17-pre2

19.6 Zone Files 1. Generally located in /var/named.

2. Must begin with a Start Of Authority (SOA) resource record.

3. Contain other resource records.

4. $TTL directive must be specified.

5. Always specify the last "." for a FQDN.

6. Example Forward Zone File:

$TTL 86400
$ORIGIN xyz.com.   ; If not specified, it's taken from named.conf

; ns1 is a nameserver for the domain. root is the
; e-mail address of the owner of the domain. The domain
; is appended to each of these values since they don't
; end with a period. (e.g. they become ns1.xyz.com
; and root.xyz.com)
@ 1D IN SOA ns1 root (
        2002011901 ; serial
        3H         ; refresh
        15M        ; retry
        1W         ; expire
        1D )       ; minimum

; These two lines specify the same domain.
; @ means take it from the $ORIGIN or the zone
; specified in named.conf
@         IN NS ns1.xyz.com.
xyz.com.  IN NS ns2.xyz.com.

ns1       IN A 192.168.1.20
ns2       IN A 192.168.1.21
www       IN A 192.168.1.22
kashyyyk  IN CNAME www
coruscant IN CNAME kashyyyk    ; BAD IDEA!! (a CNAME chained to a CNAME)

www1.xyz.com. IN A 192.168.1.23
endor         IN CNAME www1

mail        IN A 192.168.1.24
backup-mail IN A 192.168.1.25

@         IN MX 5  mail          ; Both lines reference
xyz.com.  IN MX 20 backup-mail   ; the same domain

support.xyz.com. IN NS ns.support.xyz.com.   ; Zone delegation
ns.support       IN A  192.168.2.20

development.xyz.com.    IN NS ns.development.xyz.com.   ; Zone delegation
ns.development.xyz.com. IN A  192.168.3.20

(Zone files use ";" for comments; "#" is not a comment character there.)

7. Example Reverse Zone File:

$TTL 86400
$ORIGIN 1.168.192.in-addr.arpa.

@ 1D IN SOA ns1.xyz.com. root.xyz.com. (
        2002011901 ; serial
        3H         ; refresh
        15M        ; retry
        1W         ; expire
        1D )       ; minimum

; These two lines specify the same domain.
; @ means take it from the $ORIGIN or the zone specified in named.conf
@                          IN NS ns1.xyz.com.
1.168.192.in-addr.arpa.    IN NS ns2.xyz.com.

20                         IN PTR ns1.xyz.com.    ; Domain appended to 20
21.1.168.192.in-addr.arpa. IN PTR ns2.xyz.com.    ; Domain not appended (ends with a ".")
22                         IN PTR www.xyz.com.
23.1.168.192.in-addr.arpa. IN PTR www1.xyz.com.
24                         IN PTR mail.xyz.com.
25                         IN PTR backup-mail.xyz.com.


20. DHCP

20.1 Overview 1. Provides dynamic configuration and network information to hosts.

o IP address.

o DNS servers.

o Netbios name servers.

o Gateways.

o Domain name.

2. Only one DHCP server per network segment.

3. Uses broadcast packets to retrieve information.

4. Superset of bootp.

5. Can answer requests from bootp clients.

6. Packages

o Server - dhcp package (the daemon is dhcpd).

o Client - dhcpcd or pump.

7. Ports

o Server - UDP 67 (bootps)

o Client - UDP 68 (bootpc)

20.2 Server Configuration


1. /etc/dhcpd.conf

Don't forget the trailing semi-colons.

Example:

# Global Options (can also be specified for a specific subnet)
option nis-domain "secret_nis_domain";                   # Set NIS domain
option domain-name "somedomain.com";                     # Domain name assigned to client
option domain-name-servers 192.168.1.20, 192.168.1.21;   # DNS servers for domain
option netbios-name-servers 192.168.1.19;                # WINS server

# Specifies host that the initial boot file should be loaded from
next-server boot-server;

default-lease-time 600;   # Lease time used unless client requests otherwise.
max-lease-time 7200;      # Maximum lease time that will be given

# At least one subnet block is required.
# It must correspond with a configured interface.
subnet 192.168.1.0 netmask 255.255.255.0 {
    # Definitions in block only apply to this subnet

    # Default gateway
    option routers 192.168.1.1;

    # Range of IPs to use for dynamic configuration
    range 192.168.1.100 192.168.1.200;

    # Static configuration - The host with the stated MAC address will
    # always receive the IP address stated below.
    host enterprise {
        hardware ethernet 00:0a:cc:3a:1c:42;
        fixed-address 192.168.1.11;
    }
}

An example dhcpd.conf file is available at/usr/share/doc/dhcp-2.0p15/dhcpd.conf.sample

2. /var/lib/dhcp/dhcpd.leases

Stores information about leased IP addresses. It must exist in order for dhcp to start! If it doesn't exist, type: touch /var/lib/dhcp/dhcpd.leases

20.3 Client Configuration 1. dhcpcd

o Default client.

o Used by "ifup" to configure interface.

o Stores information in /etc/dhcpc.

o Common usage:

/sbin/dhcpcd -n -H eth0

-H   = Force dhcpcd to set the hostname of the host to the hostname option supplied by the DHCP server.
-n   = If dhcpcd is already running, send it an ALRM signal to cause it to attempt to renew its lease.
eth0 = Interface to configure.

2. pump

o Only used if dhcpcd isn't found.

o Used by "ifup" to configure interface.

o Common usage:

/sbin/pump --lookup-hostname -i eth0

--lookup-hostname = Get hostname and domain name from DNS
-i                = Specifies interface to configure



21. X Window System

21.1 Pieces 1. X Server

The X-server is responsible for managing resources for X-clients. These resources typically include the screen, keyboard, and mouse. The X server runs on the machine that the user interacts with. It passes user input back to the X-clients and outputs information from the X-clients back to the user via the screen.

2. X Clients

X-clients connect to the X-server in order to use its resources. X-clients can be run locally on the same machine as the X-server or remotely (in which case they connect to the user's X-server over the network).

3. X Protocol

X-clients and X-servers communicate using this protocol.

21.2 Configuration Tools 1. Xconfigurator

o TUI based.

o Primary configuration tool used on RH machines.

o Automatically probes video card for necessary configuration information.

o If probe fails, use "SuperProbe" to determine video card.

o Recommended configuration tool.

o Use "--expert" option in order to override probed values.

2. xf86config

o Character based.


o Xconfigurator recommended over this for exam.

3. SuperProbe

o Part of XFree86.

o Can be used to determine video card if Xconfigurator fails.

o May freeze system when probing.

21.3 Configuration Recommendations 1. Choose "No Clockchip Setting"

2. Select multiple video modes in case one doesn't work

3. If your card is unsupported, choose the generic SVGA or VGA support.

21.4 Hardware Support 1. Websites

o RH Hardware Compatibility Lists - http://www.redhat.com/corp/support/hardware/index.html

o XFree 3.X - http://www.XFree86.org/cardlist.html

o XFree 4.X - http://www.XFree86.org/4.1.0/Status.html

o Laptops - http://linux-laptop.net

21.5 Files 1. X Configuration

o Default font path - /usr/X11R6/lib/X11/fonts

o User configuration files

1. ~/.xinitrc - Starts specified xclients in background and then execs a window manager (e.g. exec startkde).

2. ~/.Xclients - execs .Xclients-default. Created by switchdesk.

3. ~/.Xclients-default - Starts desktop environment (e.g. exec startkde or exec wmaker). This is used to override the default desktop environment specified in /etc/sysconfig/desktop. This file is created by switchdesk.

4. ~/.xsession - Used by display managers (e.g. xdm,kdm,gdm).

5. ~/.Xresources - X resource (application default) settings, loaded with xrdb -merge at startup.

6. ~/.Xkbmap - Keyboard map name, loaded with setxkbmap at startup.

7. ~/.Xmodmap - Key and modifier remappings, loaded with xmodmap at startup.

o System configuration files

1. /etc/X11/<window manager>/ - Window manager specific files.

2. /etc/X11/XF86Config-4 - XFree 4.X primary configuration file.

3. /etc/X11/XF86Config - XFree 3.X primary configuration file.

4. /etc/X11/xinit/xinitrc - Same purpose as .xinitrc in users $HOME. Only used if .xinitrc doesn't exist.

5. /etc/X11/xinit/xinitrc.d/ - Contains additional init scripts for X startup. Executed by /etc/X11/xinit/xinitrc

6. /etc/X11/xdm/Xsession - Session configuration. Executed by display manager (e.g. xdm, kdm, gdm).

7. /etc/X11/xdm/xdm-config - Configuration file for xdm.

o /etc/X11/

1. applnk/ - Directory structure for menu items.

2. fs/ - Built-in font server configuration.

3. <window manager>/ - Window manager specific files.

4. gdm/ - Configuration files for gdm display manager.

5. xdm/ - Configuration files for xdm display manager.

6. xinit/ - Configuration files needed for X startup & initialization.

o /usr/X11R6/

1. bin/ - X binaries

2. lib/


modules/ - X server extensions/modules.

xscreensaver/ - Screen saver programs.

X11/fonts/ - Default font path.

X11/app-defaults/ - Application defaults.

X11/locale/ - Locale information.

X11/xkb/ - X related keyboard information.

2. /etc/X11/X

o XFree 4.X

/etc/X11/X is a symlink to /usr/X11R6/bin/XFree86

o XFree 3.X

/etc/X11/X is a symlink to the actual X server.

3. Common X Client Options

-display server:0.0
-geometry 100x100+10+20   # A box 100x100 pixels that is 10 pixels from
                          # the left and 20 from the top of the screen
-font font_name
-background color
-foreground color
-title string
-bordercolor color
-borderwidth pixels

21.6 Window Managers 1. A special type of x-client.

2. Controls how other x-clients appear.

3. Causes all x-clients to display with common features (title bar, minimize & maximize buttons, etc.)

4. Basically controls look & feel of window session.

5. Common Window Managers:


o fvwm - Can be configured to emulate other windowing environments(e.g. Windows 95, Motif).

o WindowMaker - Resembles NEXTSTEP.

o Enlightenment - Previous default window manager for GNOME.

o Sawfish - Current default window manager for GNOME.

6. Configuration files stored in /etc/X11/<window manager>/

21.7 Desktop Environments 1. Provide more features than a window manager.

2. A window manager is one part of the desktop environment.

3. Attempts to create a consistent environment for all applications.

4. Common Desktop Environments:

o KDE - K Desktop Environment (QT based)

o GNOME - GNU Network Object Model Environment (GTK based)

21.8 Display Managers 1. X-client.

2. Handles authentication.

3. Examples: xdm, gdm, kdm.

4. To change, edit /etc/X11/prefdm

21.9 Session Managers 1. Executes display managers:

o xdm - /usr/bin/xsession

o kdm - /usr/bin/kwm

o gdm - /usr/bin/gnome-session

2. Doesn't execute ~/.xinitrc


3. Will execute ~/.xsession if it exists, otherwise ~/.Xclients is executed.

21.10 Starting X 1. startx

o /usr/X11R6/bin/startx

Basic Operation:

if exists (~/.xinitrc)
    client = ~/.xinitrc
else
    client = /etc/X11/xinit/xinitrc

if exists (~/.xserverrc)
    server = ~/.xserverrc
else
    server = /etc/X11/xinit/xserverrc

# Authorization setup
xauth add $display_name . $magic_cookie

xinit $client -- $server    # If $server isn't specified, xinit defaults to X :0

o /etc/X11/xinit/xinitrc

if exists (/etc/X11/Xresources)
    xrdb -merge /etc/X11/Xresources
if exists (~/.Xresources)
    xrdb -merge ~/.Xresources

if exists (/etc/X11/Xkbmap)
    setxkbmap `cat /etc/X11/Xkbmap`
if exists (~/.Xkbmap)
    setxkbmap `cat ~/.Xkbmap`

if exists (/etc/X11/Xmodmap)
    xmodmap /etc/X11/Xmodmap
if exists (~/.Xmodmap)
    xmodmap ~/.Xmodmap

execute any scripts in /etc/X11/xinit/xinitrc.d/

if exists (~/.Xclients)
    exec ~/.Xclients
else if exists (/etc/X11/xinit/Xclients)
    exec /etc/X11/xinit/Xclients
else
    exec fvwm2

2. xdm (Display Manager)

o /etc/X11/xdm/xsession

Basic Operation:

    execute any scripts in /etc/X11/xinit/xinitrc.d/

    if exists (~/.xsession)
        exec ~/.xsession
    else if exists (~/.Xclients)
        exec ~/.Xclients
    else if exists (/etc/X11/xinit/Xclients)
        exec /etc/X11/xinit/Xclients
    else
        exec xsm

21.11 Remote Display of X Applications

1. Security

xhost controls access to the local X server. Access information is stored in ~/.Xauthority.

Format of xhost command: xhost [+|-]name

Where name is in the format family:name. Family can be one of the following: inet (default), dnet, nis, krb, local.

    xhost +                    # Grant access from everywhere
    xhost -                    # Revoke access from everywhere
    xhost +server.domain.com   # Grant access from server.domain.com
    xhost -server.domain.com   # Revoke access from server.domain.com
    xhost +local:bob           # Allow local user bob access
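As an added example (not from the study guide), the following shell functions parse xhost arguments in the [+|-]family:name form described above and audit a session-script fragment for the grants it performs. The script text, the HIGH/MED/low labels and the function names are this example's own; the family default (inet when none is given) follows the list above.

```shell
# Added example, not from the study guide: parse xhost arguments in the
# [+|-]family:name form and audit a session script for display access grants.

XSESSION_SAMPLE='# constructed ~/.xsession fragment
xhost +                    # opens the display to every host
xhost +server.domain.com   # every user on that host
xhost +local:bob           # only local user bob
xhost -                    # revokes access from everywhere
exec fvwm2
'

# xhost_classify ARG -> "grant-all", "revoke-all", or "<grant|revoke> <family> <name>"
xhost_classify() {
    case $1 in
        +)  echo grant-all;  return ;;
        -)  echo revoke-all; return ;;
        +*) action=grant;  spec=${1#+} ;;
        -*) action=revoke; spec=${1#-} ;;
        *)  action=grant;  spec=$1 ;;     # "xhost name" means the same as "xhost +name"
    esac
    case $spec in
        *:*) family=${spec%%:*}; name=${spec#*:} ;;
        *)   family=inet;        name=$spec ;;   # inet is the default family
    esac
    echo "$action $family $name"
}

# xhost_audit [SCRIPT_TEXT] -> one line per grant, tagged by how much it exposes
xhost_audit() {
    printf '%s\n' "${1:-$XSESSION_SAMPLE}" | while read -r cmd rest; do
        [ "$cmd" = xhost ] || continue
        for arg in $rest; do
            case $arg in '#'*) break ;; esac      # rest of the line is a comment
            verdict=$(xhost_classify "$arg")
            case $verdict in
                grant-all)       echo "HIGH xhost $arg: any host may connect to the display" ;;
                "grant local "*) echo "low  xhost $arg: a single local user" ;;
                grant*)          echo "MED  xhost $arg: every user on ${verdict#grant * }" ;;
            esac
        done
    done
}

xhost_audit    # audits the constructed sample when the script is run directly
```

Run against a real ~/.xsession or ~/.Xclients, any HIGH line is a display that every host on the network may connect to; the SSH X forwarding described further down avoids the need for xhost entirely.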

2. Specifying a different display

Two ways to specify a display:

o Per client:

xterm -display server.domain.com:0.0

o For all clients:

export DISPLAY=server.domain.com:0.0

"DISPLAY" used by xclients to determine where to send output.

3. Putting it all together

To allow remote.xyz.com to display clients on local.xyz.com, perform the following steps:

o On local.xyz.com:

xhost +remote.xyz.com

o On remote.xyz.com:

    export DISPLAY=local.xyz.com:0.0
    xterm

4. SSH

If X-Forwarding is enabled, SSH automatically configures everything for you so that you can display X-clients from the remote host on your local host.

21.12 Troubleshooting X

1. Startup Problems

o X starts, but window manager doesn't.

1. Check .xinitrc file to see if the window manager is exec'd at the end.

2. Check to see if window manager files are readable by user.

3. Try renaming user's window manager configuration files and restart X.

o X won't start.

1. Save existing XF86Config file and use Xconfigurator to build a new one.

2. Verify the selected video card and its attributes with SuperProbe.

2. Mouse Problems

o Check the physical connection.

o Run mouseconfig.

o If it doesn't work in X or gpm, it's probably a problem with the mouse itself.

3. Can't login to Display Manager

o Verify that the user can log in successfully from a virtual terminal.

o Try a different window manager.

o Rename the user's window manager configuration files and try again.

4. Display Alignment is off

o Try adjusting monitor settings.

o Use xvidtune to adjust mode lines in the XF86Config file.


22. FTP

22.1 Packages.


1. anonftp

o Not an ftp server.

o Required to setup anonymous ftp.

o Sets up the chroot'd env for anonymous ftp in /var/ftp.

o /var/ftp/bin

o /var/ftp/etc

o /var/ftp/lib

o /var/ftp/pub

o Cannot work stand-alone; requires wu-ftpd.

2. wu-ftpd

o Actual FTP server software.

o Configuration files.

o xinetd configuration file.

o Documentation.

22.2 Configuration files

1. /etc/ftpaccess

Primary configuration file.

2. /etc/ftpusers

List of users that are not allowed to use ftp. This file is deprecated in RH 7.X. Use deny-uid/deny-gid in /etc/ftpaccess instead.

3. /etc/ftphosts

Access restrictions by user/host. The last rule that matches wins. For example, to deny access to steve from everywhere but 192.168.1.0/24, add the following entries:

    deny steve *
    allow steve 192.168.1.0/24
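The last-match-wins rule is easy to get backwards, so here is an added example (not from the study guide) that models the evaluation for entries of the shape shown above: a constructed rule set is scanned top to bottom and the final matching rule decides. It covers only the syntax this page uses (a user name or *, and an address given as a single IPv4 address, a network with a prefix length, or *). Treating "no matching rule" as allow is this model's assumption, as are the function names.

```shell
# Added example, not from the study guide: a model of /etc/ftphosts evaluation
# in which the last matching rule wins. The rules are constructed sample text.

FTPHOSTS_SAMPLE='# constructed sample, same shape as /etc/ftphosts
deny  steve *
allow steve 192.168.1.0/24
deny  *     10.0.0.5
'

# ip_to_int a.b.c.d -> the address as a decimal integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# addr_match PATTERN ADDR -> exit 0 when ADDR is covered by PATTERN
# PATTERN is "*", a single IPv4 address, or network/prefix-length.
addr_match() {
    case $1 in
        '*') return 0 ;;
        */*)
            net=${1%/*}; bits=${1#*/}
            mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
            [ $(( $(ip_to_int "$2") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# ftphosts_decide USER ADDR [RULES] -> prints "allow" or "deny"
# Every rule is read in file order; the last one matching both the user and the
# address decides. With no matching rule this model answers allow (assumption).
ftphosts_decide() {
    user=$1; addr=$2; verdict=allow
    while read -r action ruser rpat; do
        case $action in ''|'#'*) continue ;; esac          # blank or comment line
        { [ "$ruser" = '*' ] || [ "$ruser" = "$user" ]; } || continue
        addr_match "$rpat" "$addr" || continue
        verdict=$action
    done <<EOF
${3:-$FTPHOSTS_SAMPLE}
EOF
    echo "$verdict"
}

ftphosts_decide steve 192.168.1.77    # allow: the /24 rule is the last match
ftphosts_decide steve 172.16.0.9      # deny:  only "deny steve *" matches
```

Swapping the two steve lines in the sample would leave steve denied everywhere, since "deny steve *" would then be the last match for every address; that ordering sensitivity is the point of the page's note.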

4. /etc/ftpconversions


Specify file conversions that are to be performed by the ftp server. It's commonly used to automatically compress and/or decompress files on the fly for transfer.

5. /etc/ftpgroups

FINISH ME

6. /etc/xinetd.d/wu-ftpd

xinetd configuration file for wu-ftpd.

7. /etc/pam.d/ftp

PAM configuration file for ftp.

22.3 Operation

1. Started by xinetd.

2. Ports: 21 TCP and 20 TCP.

3. Starts as user root, then switches according to login type:

o anonymous: Switches to user ftp.

o user: Switches to the user logging in.

o guest: Switches to user logging in.

22.4 Types of User Accounts

1. Anonymous

o Easy to set up (automatically configured when anonftp is installed).

o User uses "anonymous" for login and their e-mail address for a password.

o User is chroot'd to /var/ftp by default.

o Cannot upload files by default.

2. Real

o Also easy to set up. Works by default.

o Users use their system logins and passwords to gain access.


o Start out in the user's home directory.

o User has full access to system.

o Can upload files to any directory where the unix file permissions permit it.

o Can be dangerous to use.

3. Guest

o Requires setup.

o Users use their system logins and passwords to gain access.

o Users are chroot'd to a directory, typically their home directory.

o User only has access to the directories within the chroot'd environment.

o User can upload files if unix file permissions permit it.

o Much safer to use than "Real" user accounts.

22.5 Setting up Guest Users

In this example, we will configure user steve as a guest user.

1. Put /bin/false in /etc/shells so it's recognized as a valid shell by the ftp server.

2. Change steve's shell to /bin/false (use chsh or edit /etc/passwd directly). This prevents the user from logging in via normal means (telnet, ssh, etc.).

3. Edit /etc/passwd and append "/./" (without quotes) to the end of steve's home directory.

Change:

steve:x:500:500::/home/steve:/bin/false

To:

steve:x:500:500::/home/steve/./:/bin/false

4. Set up the guest user's home directory so it works as a chroot'd env:

    cp -a /var/ftp/bin ~steve
    cp -a /var/ftp/etc ~steve
    cp -a /var/ftp/lib ~steve
    chmod 0750 ~steve

Note that anonftp must be installed in order for the above steps to work.

5. Create the guestgroup specified in /etc/ftpaccess (default is ftpchroot) as a system group.

    groupadd -r ftpchroot

6. Edit /etc/group and add user steve to the ftpchroot group.

7. Try to ftp to the server as user steve and see if it worked.

22.6 Anonymous Upload

1. Look for "upload" under the "Permission Capabilities" section in the ftpaccess man page for more information.

2. Create and configure the upload directory:

    mkdir /var/ftp/incoming
    chown root.root /var/ftp/incoming
    chmod 3773 /var/ftp/incoming   # Set sticky and setgid bits so no one can
                                   # overwrite existing files and all files are
                                   # created with the same group as the directory.

3. Add the following entry to /etc/ftpaccess:

    upload /var/ftp /incoming yes root root 0400 nodirs

This states that any user whose home directory is /var/ftp (e.g. anonymous users) may upload into the incoming directory, but may not create directories there. Uploaded files are given owner root, group root and permissions 0400, so anonymous ftp users can't read them back.

22.7 Virtual Hosts

1. Several domains can be hosted by a single ftp server.

2. Requires an IP per domain. Use separate interfaces or IP aliasing (preferred) on a single interface.

3. Configure /etc/ftpaccess:

    virtual 192.168.1.10 root    /var/virtualftp/somedomain.com
    virtual 192.168.1.10 banner  /var/virtualftp/somedomain.com/banner.msg
    virtual 192.168.1.10 logfile /var/log/virtualftp/somedomain.com/xferlog
    virtual 192.168.1.10 allow   *

Note: The above directories will need to be created if they don't already exist.

The "root" option specifies the root path for the virtual ftp server. The "banner" option specifies the location of the file containing the banner message that is displayed at login. The "logfile" option specifies where transfers should be logged. The "allow" option allows all users to log in to the virtual ftp server. You could also specify specific users to allow.

The above configuration causes anonymous users to be chroot'd to the "root" of the virtual server. Real users are still placed in their home directory at login. It is recommended that guest users be configured for the virtual domain that chroot to the virtual server's "root".

To disable anonymous ftp to the virtual server, specify:

    virtual 192.168.1.10 allow private


23. Print Services

23.1 Overview

1. Packages

LPRng is the only package required to actually print. The other packages provide printer drivers and utilities to ease printer configuration.

o LPRng - Provides binaries, configuration files, documentation.

o Omni - Printer drivers.

o Omni-foomatic - Meta information about print drivers.

o printconf - GUI/TUI based printer configuration utility.

o ghostscript - A postscript interpreter.

o ghostscript-fonts - Fonts for ghostscript.

o gv - A user interface to ghostscript.


2. Uses TCP port 515

23.2 Configuration Files

1. /etc/printcap

This file is auto generated by the printconf utilities. Any changes made to this file by hand will be lost. The first printer defined in this file is the default printer.

2. /etc/printcap.local

If you need to make changes to /etc/printcap by hand, put them in here instead. These custom changes will be included in /etc/printcap when it is regenerated.

3. /etc/lpd.conf

Configuration file for the LPRng printer spooler system.

4. /etc/lpd.perms

Permissions control file for LPRng printer spooler system.

23.3 Utilities

1. printconf-gui/printconf-tui

Primary method of configuring printers.

2. lpc

Used to administer printing services.

o Disable/enable printers.

    lpc start bj200    # Start a single printer
    lpc stop bj200     # Stop a single printer
    lpc start all      # Start all printers

o Disable/enable spooling queues.

    lpc enable bj200   # Enable print spool for a single printer
    lpc disable bj200  # Disable print spool for a single printer
    lpc enable all     # Enable all print spools

o Modify job priorities.

    lpc topq bj200 101 # Move job 101 to the top of the print queue

o View status of printers and queues.

    lpc status all     # Display the daemon and queue status for all printers

o Hold/release print jobs.

    lpc hold bj200 8     # Hold job 8 for printer bj200 from printing
    lpc release bj200 8  # Release job 8 for printing on bj200

o Move jobs to another printer.

    lpc move bj200 8 hp697c  # Move job 8 from bj200 to hp697c
    lpc move bj200 hp697c    # Move all jobs on bj200 to hp697c

o Redirect jobs to another printer.

    lpc redirect bj200 hp697c      # Redirect all jobs sent to bj200 to hp697c
    lpc redirect bj200 hp697c off  # Turn off redirection

o Reprint a job.

    lpc redo bj200 7   # Reprint job 7 on printer bj200

3. lpr

Used to send print requests to a printer.

    lpr /etc/hosts                         # Print file to default printer
    cat /var/log/messages | lpr -P hp697c  # Print standard in to hp697c

4. lpq

Display information about and administer print queues.

    lpq          # Display queue information for default printer
    lpq -Php420  # Display queue information for hp420 printer

5. lprm

Remove print jobs from a print queue.

    lprm                # Remove last job submitted
    lprm -Pbj200 12     # Remove job 12 from print queue bj200
    lprm -Pbj200 steve  # Remove all of steve's jobs from print queue bj200
    lprm -a all         # Remove all jobs in all print queues
    lprm -a steve       # Remove all of steve's print jobs in all print queues

6. checkpc

Checks the /etc/printcap file for problems and verifies devices assigned to printers.

23.4 Remote Printing Requirements

1. Remote LPD

o IP address of remote print server.

o Name of queue on remote print server.

2. Samba

o NetBIOS name or IP address of the Samba server.

o Name of shared print service. This must include the server name (e.g. //server1/bj200ex not bj200ex)

o Print filter for remote printer installed locally.

o User name to connect to the print share with (usually nobody or guest).

o The password for the user if required.

o The workgroup name of the Samba server providing the print service.

3. Novell

o ncpfs package installed.

o server name/ip.

o printer name.

o valid username and password.


24. NFS

24.1 Overview

1. File sharing service.

2. RPC based service, so it requires Portmap.

3. Packages:

o nfs-utils

Provides:

1. nfsd - Provides userland portion of NFS service.

2. lockd - NFS lock manager (kernel module)

3. rpciod -

4. rpc.mountd - Provides mounting services.

5. rpc.rquotad - Returns quota information.

6. rpc.statd - Used by lockd to recover locks after a server crash.

o portmap

Provides portmap program. Portmap maps calls made by other hosts to the correct RPC service. Because portmap is compiled with tcp wrappers support (libwrap), those that need to access portmap must be given access via /etc/hosts.allow and/or /etc/hosts.deny.

4. Ports

o TCP/UDP 111 - portmap

o UDP 2049 - nfsd

o The other NFS related services vary in the port numbers they use. Clients contact portmap to find out the port number the other RPC services use.

5. Required Services

Listed in startup order:


o NFS Server

1. portmap

2. nfs

o NFS Client

1. portmap

2. nfslock

24.2 Configuration

1. /etc/exports

o NFS server configuration file.

o Format:

    <directory> <host or network>(options) <host or network>(options) ...

It is critical that there not be any spaces between the host/network and its options.

o Example:

    # Allow all hosts in the somewhere.com domain to mount /var/ftp/pub read-only
    /var/ftp/pub *.somewhere.com(ro)

    # Allow all hosts to mount /var/www/html read-only and allow certain hosts
    # to mount it read-write
    /var/www/html *(ro) 192.168.1.0/255.255.255.0(rw) 192.168.2.10(rw)

    # Allow certain hosts to mount /usr read-only and another read-write as root
    /usr 172.16.0.0/255.255.0.0(ro) 172.16.1.10(rw,no_root_squash)

    # Allow access to /usr/local by everyone, but only as the anonymous user
    /usr/local *(ro,all_squash,anonuid=100,anongid=100)

o Restrictions

1. Root can't mount an nfs share as root unless no_root_squash is used. Normally when root mounts a share, NFS maps root to the local user nobody.

2. You can't export a directory that is a parent or child of another exported directory within the same file system.

e.g. You can't export both /usr and /usr/local unless /usr/local is a separate file system.

o Common Export Options

o no_root_squash - Remote hosts can access local shares as root (Dangerous!)

o ro - Read-only

o rw - Read/Write

o sync - All file system writes must be committed to disk before the request can be completed.

o all_squash - All remote users are mapped to a local anonymous user.

o anonuid - Specify the uid to use for anonymous access.

o anongid - Specify the gid to use for anonymous access.
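Added example (not part of the study guide), serving both the "no spaces" warning in the Format item and the option list above: an awk-based lint for /etc/exports text. It catches the whitespace mistake (a space before the parenthesised options makes those options apply to every host, while the named host falls back to the defaults) and flags the options the list marks as dangerous: no_root_squash granted to a wildcard or to a whole network, and rw granted to *. The sample exports text and the function name are constructed for this example.

```shell
# Added example, not from the study guide: lint /etc/exports text for the
# mistakes this section warns about. Input is constructed sample text so it
# runs offline; pass real file contents as the first argument to check them.

EXPORTS_SAMPLE='# constructed sample exports file
/var/ftp/pub  *.somewhere.com(ro)
/var/www/html *(ro) 192.168.1.0/255.255.255.0(rw) 192.168.2.10(rw)
/usr          172.16.0.0/255.255.0.0(ro) 172.16.1.10(rw,no_root_squash)
/srv/backup   backup.somewhere.com (rw,no_root_squash)
/home         *(rw,no_root_squash)
'

# exports_lint [TEXT] -> one finding per line: "<line> <path> <what is wrong>"
# Prints nothing when the text is clean. Paths containing spaces are not handled.
exports_lint() {
    printf '%s\n' "${1:-$EXPORTS_SAMPLE}" | awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            tok = $i
            # A token that is only "(options)" means the preceding host was
            # separated from its options by whitespace: the options now apply
            # to "*" (every host) and that host gets the default options.
            if (tok ~ /^\(/) {
                print NR, path, "space before " tok ": these options apply to every host (*)"
                continue
            }
            host = tok; opts = ""
            if (match(tok, /\(.*\)$/)) {
                host = substr(tok, 1, RSTART - 1)
                opts = substr(tok, RSTART + 1, RLENGTH - 2)
            }
            wide = (index(host, "*") || index(host, "?") || index(host, "/"))
            if (opts ~ /(^|,)no_root_squash(,|$)/ && wide)
                print NR, path, "no_root_squash granted to " host " (not a single host)"
            if (host == "*" && opts ~ /(^|,)rw(,|$)/)
                print NR, path, "rw exported to every host"
        }
    }'
}

exports_lint    # runs against the constructed sample when executed directly
```

On the sample, the page's own four entries pass, the /srv/backup line is reported for the stray space, and /home is reported twice. To check a live file: exports_lint "$(cat /etc/exports)".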

2. /etc/fstab

o Used for NFS client configuration

o Example:

    server:/usr /usr nfs user,soft,intr,rsize=8192,wsize=8192 0 0

o Common NFS related mount options

o soft - Processes return with an error on a failed I/O attempt

o hard - If a process tries to access an unavailable share, it will hang until data is retrieved.

o intr - Allows NFS requests to be interrupted or killed if the server is unreachable

o nolock - Disable file locking in order to work with older NFS servers

o rsize - Sets the number of bytes NFS reads from a share at one time (default 1024)

o wsize - Sets the number of bytes NFS writes to a share at one time (default 1024)

* Setting rsize and wsize to 8192 greatly increases performance.

24.3 Auto Mounting NFS shares

1. Requires autofs package to be installed.

2. Create entry in /etc/auto.misc for the NFS share:

    ftp -fstype=nfs,intr,soft 192.168.1.20:/var/pub/ftp

If the default autofs setup is used, whenever someone accesses /misc/ftp, the remote NFS share on 192.168.1.20 will be automatically mounted. The options specified in the /etc/auto.misc have the same meaning as when they are used in /etc/fstab.

24.4 NFS Utilities

1. exportfs

o Used to maintain the table of exported file systems.

o Example Usage:

    exportfs -r    # Refresh the share listing after modifying /etc/exports.
                   # This MUST be done in order for your changes to take effect.
    exportfs -v    # Display a list of shared directories
    exportfs -a    # Exports all shares listed in /etc/exports

    # To export a filesystem not in /etc/exports
    exportfs 192.168.1.0/255.255.255.0:/tmp

    # Unexport a filesystem
    exportfs -u 192.168.1.0/255.255.255.0:/tmp

2. showmount

o Show mount information for an NFS server.

o Does not require that any local NFS services be running in order to use it.

o Example Usage:

    showmount -e 192.168.1.67   # Shows available shares on host 192.168.1.67
    showmount -a 192.168.1.67   # Shows the clients connected to host 192.168.1.67
                                # and the shares they have mounted.

3. rpcinfo

o Reports RPC information.

o Can determine if RPC services are running on a host.

o Example Usage:

    rpcinfo -p 192.168.1.77   # Display list of RPC services running on 192.168.1.77


25. Network Information Service (NIS)

25.1 Overview

1. Central information database

2. Can provide user, group, name resolution, home directory, and authentication information.

3. Packages

o ypserv - Provides the ypserv and yppasswdd daemons. ypserv provides the NIS service and yppasswdd allows the user to change their password and possibly their shell and GECOS information (see below).


o ypbind - Provides ypbind daemon that is used by clients to connect to an NIS server.

o yp-tools - Provides various NIS client programs.

o portmap - Not part of NIS, but is required for it to work.

4. Ports

Assigned by portmap.

5. Supported NIS Versions

ypbind supports version 1 through 3.

ypserv supports versions 1 & 2.

6. Topology

o Flat namespace. No sub-domains are allowed.

o Only one master per domain.

o Multiple slave servers are allowed. This provides fault tolerance and load sharing.

7. Limitations

o Low Security - Designed when networks could be trusted (e.g. No sniffers installed, no one tries to bypass the service).

o Low Scalability - Replication of data between servers isn't very efficient. NIS has a flat name space that can't be delegated out by subdomain to help ease administration. This limits the use of NIS in larger networks.

o Only runs on *nix - Limited use in heterogeneous environments.

25.2 NIS Client Info

1. Startup

o Two options for finding NIS server:

1. Broadcast

ypbind contacts its NIS server by sending a broadcast message. This can be a security risk since a rogue NIS server could answer all NIS broadcasts in order to collect authentication information.

2. /etc/yp.conf

NIS servers for the client's domain can be listed in this file. This is more secure since clients contact the NIS server directly instead of broadcasting. This file is modified by authconfig when you select NIS authentication.

2. Configuration

o Use authconfig to configure the client machine to use NIS. You must specify the following:

1. The domain the client will belong to.

2. An NIS domain server (master or slave).

authconfig automatically starts the ypbind daemon for you.

o Configure /etc/nsswitch.conf.

Make sure that "nis" is listed for any information that will be stored in NIS. For example:

    passwd: files nis      # Check for users in the local system file first, then NIS
    shadow: files nis      # Same as above, only for the users' passwords
    hosts:  files nis dns  # Check the local files, then NIS, then DNS for host information

The order specified is important. For example, if user steve is defined in both the system files and the NIS map and we have the same setup as the nsswitch.conf file above, the information about user steve (passwd, GECOS, etc.) will be retrieved from the local system files and not from the NIS map.

To change this, we would need to reverse the order listed above for the passwd and shadow entries so that "nis" comes before "files".
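Added example (not from the study guide) of the lookup order just described: constructed stand-ins for /etc/passwd and the NIS passwd map are embedded as text, and nss_getpwnam consults them in the order the passwd: line of a constructed nsswitch.conf gives, stopping at the first source that knows the user. Reversing the order, as the paragraph suggests, changes which record wins. Real glibc NSS also honours status actions such as [NOTFOUND=return], which this model leaves out; the function and variable names are this example's own.

```shell
# Added example, not from the study guide: a model of the lookup order that a
# "passwd: files nis" line produces. The passwd sources are constructed text
# standing in for /etc/passwd and the NIS passwd map.

NSSWITCH_SAMPLE='passwd: files nis
shadow: files nis
hosts:  files nis dns
'
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
steve:x:500:500:Steve (local):/home/steve:/bin/bash
'
NIS_PASSWD='steve:x:1500:1500:Steve (NIS):/nfs/home/steve:/bin/tcsh
alice:x:1501:1501:Alice:/nfs/home/alice:/bin/bash
'

# nss_order DATABASE [NSSWITCH_TEXT] -> the sources listed for DATABASE, in order
nss_order() {
    printf '%s\n' "${2:-$NSSWITCH_SAMPLE}" |
        awk -v db="$1" '$1 == (db ":") { $1 = ""; print; exit }' | sed 's/^ *//'
}

# source_lookup SOURCE USER -> that source's passwd line for USER (exit 1 if absent)
source_lookup() {
    case $1 in
        files) data=$LOCAL_PASSWD ;;
        nis)   data=$NIS_PASSWD ;;
        *)     return 1 ;;      # dns, ldap, ... carry no passwd data in this model
    esac
    printf '%s\n' "$data" | grep "^$2:"
}

# nss_getpwnam USER [NSSWITCH_TEXT] -> "SOURCE passwd-line" from the first source
# that has the user, or exit 1 when none does.
nss_getpwnam() {
    for src in $(nss_order passwd "$2"); do
        if line=$(source_lookup "$src" "$1"); then
            echo "$src $line"
            return 0
        fi
    done
    return 1
}

nss_getpwnam steve                          # files win with the sample order
nss_getpwnam steve 'passwd: nis files'      # reversed order: the NIS record wins
```

The first call returns steve's local record (uid 500) even though NIS also defines him; only with "nis" listed first does the NIS record (uid 1500) come back. A user that exists only in NIS, such as alice here, is found either way.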

3. Client Side Tools


o ypwhich - Determines which master or slave NIS server the client is using.

o ypcat - Used to print keys in an NIS map. For example, to print information in the passwd file:

    ypcat passwd

o ypchfn - Change your GECOS information in NIS.

yppasswdd must be started with "-e chfn" in order for users to be able to change their GECOS information.

o ypchsh - Change your login shell in NIS.

yppasswdd must be started with "-e chsh" in order for users to be able to change their login shell.

o yppasswd - Change your NIS password.

o yppush - Used to copy NIS information from masters to slaves. Called automatically if "NOPUSH=false" in the /var/yp/Makefile.

o ypmatch - Used to print the value of one or more keys in an NIS map.

For example, to print the entry for user steve in the passwd file:

    ypmatch steve passwd

25.3 NIS Server

1. Configuration

o Specify your domain in /etc/sysconfig/network by inserting the following line:

    NISDOMAIN=somedomain

This will set your domain name at bootup. To set it now, use the domainname command:

domainname somedomain

SECURITY NOTE: The domain specified should not be the same as your DNS domain. NIS domains should be kept secret in order to improve security. If an NIS domain is known and the NIS server can be reached, any client can connect to the domain.

o Master Servers

1. Make sure the host name has been changed to something other than localhost.localdomain. This can cause problems for slave servers if it's not changed.

2. Specify the networks that are allowed to connect to the NIS server in /var/yp/securenets.

3. Change /var/yp/Makefile to fit your needs. This file includes a list of possible information that NIS can store.

A few options:

    NOPUSH=true        # Set to false if you have slave servers
    MERGE_PASSWD=true  # Should we merge the shadow file with the password file?
    MERGE_GROUP=true   # Should we merge the gshadow file with the group file?
    MINUID=500         # Lowest uid to include in the NIS map
    MINGID=500         # Lowest gid to include in the NIS map

4. Start portmap and ypserv:

    service portmap start
    service ypserv start

5. Create the NIS map:

    /usr/lib/yp/ypinit -m

You may receive the following message:

Could not read ypservers map: 3 Can't bind to server which serves this domain

This does not appear to be a critical error. The NIS map is still created.


If you only want to include login and group information in your NIS map, you could use the following instead of ypinit:

    make passwd shadow group

Any time you change information on the master server that affects the NIS map, you must re-run the "make" command. User passwords are the exception to this rule. They are updated automatically.

o Slave Servers

1. Put an entry in /etc/hosts for the master NIS server.

2. All names of the slave servers must be specified in the /var/yp/ypservers file on the master server.

3. Start portmap and ypserv:

    service portmap start
    service ypserv start

4. Execute ypinit:

    /usr/lib/yp/ypinit -s <masterserver>

If specifying the IP address of the master server doesn't work, specify the hostname (from /etc/hosts) of the master server instead.

You may see the following message several times:

    Trying ypxfrd ... not running

Everything still appears to transfer ok from the master server.

2. Replication

o yppush is automatically called whenever the master server's databases are updated. yppush transfers the NIS map from the master to the slaves. In order for replication to work, ypbind must be running on the master server.

o ypxfr is similar to yppush except that it transfers the NIS map from the NIS server to the localhost. It is usually invoked by ypinit or ypserv.


3. Debugging

o Check NIS using rpcinfo:

    rpcinfo -p localhost

o Verify portmap is running.

25.4 Using Automounter to Automount User Home Directories

1. First, add the following line to /etc/auto.master:

    /home /etc/auto.home --timeout 60

2. Then, create the /etc/auto.home file with the following contents:

    * -rw,soft,intr 192.168.1.20:/home/&

In this case, 192.168.1.20 is the IP address of the NFS server.

3. Unmount /home on the client machine if it is a separate partition.

4. Restart autofs.

5. On the NFS server, put the following line in /etc/exports:

    /home 192.168.1.0(rw)

6. Start (or restart) NFS on the NIS server.


26. LDAP

26.1 Overview

1. Distributed directory service.

2. Plaintext is used by default, but can be configured to use TLS.

3. Packages

o openldap - Contains configuration files, libraries, and documentation needed for OpenLDAP to function.


o openldap-servers - Contains the slapd LDAP daemon and the slurpd replication daemon as well as several migration scripts.

o openldap-clients - Contains client programs needed for accessing and modifying openldap directories.

o nss_ldap - Contains two LDAP access clients, nss_ldap and pam_ldap.

o gq - Provides GUI LDAP client gq.

4. Ports

o slapd - TCP 389

o slurpd - ???

5. Terminology

o Distinguished Name (DN) - Used to reference a specific entry in the directory service. Example DN:

    uid=steve, ou=People, dc=somedomain, dc=com

o BaseDN - A server is responsible for all DNs that are within its BaseDN. Example BaseDN:

    dc=somedomain, dc=com

26.2 LDAP Server

1. slapd

o Stand-alone LDAP Daemon.

o Migration

1. Scripts to migrate existing system data to an LDAP server stored in /usr/share/openldap/migration.

2. migrate_common.ph - Contains common header information needed by migration scripts. Need to modify:

$DEFAULT_MAIL_DOMAIN

$DEFAULT_BASE

3. After changing defaults, modify /etc/openldap/slapd.conf (see below) and then run the appropriate migration script. For example:

migrate_all_offline.sh - Migrates traditional UNIX flat files.

NOTE: Starting with RH 7.1, protocols and services were added that contain a + in their name. These must be commented out of /etc/protocols and /etc/services because they cause trouble with the migration scripts.

migrate_all_nis_offline.sh - Migrates information from existing NIS services.

See /usr/share/openldap/migration/README for an explanation of the various migration scripts.

4. Change the ownership of the ldap database files so slapd can access them:

    chown -R ldap:ldap /var/lib/ldap

o Configuration

1. Edit /etc/openldap/slapd.conf and specify the following:

suffix - The BaseDN

rootdn - The DN for the administrator

rootpw - The password for the administrator

2. Access

Default setup gives rootdn read/write access and read-only to all others.

Highly Configurable.

Compare, search, read, and write access can be configured for each entry.

26.3 LDAP Clients

1. Command Line

o Configured in /etc/openldap/ldap.conf.

1. Specify which server to bind to.

2. Specify the BaseDN to use.

3. Client utilities usually let you override these defaults.

o Utilities include:

1. ldapadd - Add directory entries.

2. ldapdelete - Delete directory entries.

3. ldapmodify - Modify directory entries.

4. ldappasswd - Change password of an entry.

5. ldapsearch - Searches directory entries.

2. GUI

o gq - Allows user to browse, search, modify, and display directory entries.

26.4 Using LDAP with NSS

1. Requires nss_ldap RPM.

2. Configuration

o /etc/nsswitch.conf - Add "ldap" to the search order of the entries that will be provided by LDAP.

o /etc/ldap.conf - Configuration file for nss ldap. Note that this is different from the client configuration file /etc/openldap/ldap.conf.

Common Entries:

    host 192.168.1.5                  # LDAP server
    base dc=xyz,dc=com                # Base DN of database
    binddn cn=binduser,dc=xyz,dc=com  # DN to bind to the server with. Default is anonymous access.
    bindpw super_secret               # Password for user to bind with
    rootbinddn cn=root,dc=xyz,dc=com  # DN to bind to the server with when the unix uid is 0.
                                      # Password is stored in /etc/ldap.secret in plaintext (mode 600)
    ssl                               # Use TLS instead of plaintext communication

The rootbinddn is the DN used to attach to the LDAP database when the userid = 0. It must be set to a DN with proper permissions (typically the rootdn specified in /etc/openldap/slapd.conf) in order for root to update user accounts using command line utilities like passwd, chsh, etc.

o /etc/pam.d/system-auth - PAM configuration file used for system authentication. This is configured by authconfig.

3. Troubleshooting

If, as root, you attempt to change the password of a user stored in the ldap database and you receive an error about the user being "Unknown", verify the password in /etc/ldap.secret is correct. It must be in plain text. When the password is incorrect, root can't bind to the LDAP database and therefore won't be able to find the user.
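Added example (not from the study guide): a check for the rootbinddn password file described above, run here against a temporary file standing in for /etc/ldap.secret. It verifies that the file exists, is mode 600 as the configuration notes require, and holds exactly one line with no whitespace, because a trailing space or an extra blank line becomes part of the bind password and produces the failed-bind symptom this troubleshooting item describes. The function name is this example's own; it relies only on ls, grep and the shell.

```shell
# Added example, not from the study guide: sanity-check a rootbinddn password
# file such as /etc/ldap.secret before blaming the directory server.

# check_secret_file PATH -> "ok: PATH" and exit 0, or a reason and exit 1
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # Owner read/write only; anything wider leaks the bind password.
    perms=$(ls -ld "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "permissions $perms (want -rw-------): $f"; return 1; }
    # Exactly one line: a second (even empty) line is read as part of the password.
    count=$(grep -c '' "$f")
    [ "$count" -eq 1 ] || { echo "expected one line, found $count: $f"; return 1; }
    # No spaces or tabs: "super_secret " is not the same password as "super_secret".
    if grep -q '[[:space:]]' "$f"; then
        echo "whitespace in the password line: $f"; return 1
    fi
    echo "ok: $f"
}

# Demonstration on a constructed temporary file, not a real /etc/ldap.secret.
demo_secret_check() {
    t=$(mktemp) || return 1
    printf 'super_secret\n' > "$t"; chmod 600 "$t"
    check_secret_file "$t" || true            # ok
    chmod 644 "$t"
    check_secret_file "$t" || true            # permissions complaint
    chmod 600 "$t"; printf 'super_secret \n' > "$t"
    check_secret_file "$t" || true            # trailing space caught
    rm -f "$t"
}

demo_secret_check
```

When the check passes and root still cannot bind, the remaining suspects are the rootbinddn value itself and the rootpw in /etc/openldap/slapd.conf, which the note above says the DN must correspond to.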


27. Samba

27.1 Overview

Samba provides SMB/CIFS services to clients. The smbd daemon performs authentication, authorization, file, and print sharing services. The nmbd daemon can act as a netbios name server as well as a WINS server.

1. Packages

o samba-common

Contains files needed by both the client and server parts of Samba.

o samba-client

Contains the client side files.

o samba


Contains the server side files.

o samba-swat

A web based administration tool.

2. Ports

o smbd

TCP port 139.

o nmbd

UDP ports 137 & 138

27.2 Configuration

1. /etc/samba/smb.conf

o All configuration is done via editing this file.

o Similar in format to a Windows .ini file.

o Sections

1. global

Contains all server wide or generic settings.

2. homes

Used to grant users access to their home directories.

3. printers

Used to configure printer resources/services.

2. Global Configuration

o User/Password Options

1. Encrypted Passwords

To enable encrypted passwords, the following two lines must be uncommented:

    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd


To create the password file, simply add a user:

    smbpasswd -a steve

OR

    smbadduser steve:steve   # <unix user>:<nt user>
    smbpasswd -u steve

The user must exist in the system password files before being added to the smbpasswd file. The file created will be the password file specified by the smb passwd file option in /etc/samba/smb.conf.

2. username level

Helps Samba determine what the unix user name is. By default it tries all lower case characters. This number specifies how many uppercase combinations should be tried. The larger the number, the longer it can take to authenticate, but the better chance you'll have success.

3. password level

Same as username level only for the password.

4. Syncing with Unix passwords

If you want the unix password changed every time the Samba password is changed, you must specify the following:

    unix password sync = Yes

    # unix utility to use
    passwd program = /usr/bin/passwd %u

    # chat string
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*au$


o workgroup

The workgroup option specifies the name of the windows workgroup or NT domain name that the Samba Server will belong to.

o netbios name

The netbios name option specifies what the Samba server will advertise as its NetBIOS name. By default, this is the same as the first part of the host's FQDN.

o Restricting Hosts

The hosts allow option lets you specify which hosts are allowed to use the Samba service:

   hosts allow = 192.168.1. 192.168.2. 192.168.3.20

This allows all hosts in the 192.168.1.0/24 and 192.168.2.0/24 networks and the single host 192.168.3.20 to access the Samba services.

o Printer Options

   printcap name = /etc/printcap     # Specify printer definition file
   load printers = yes               # Make all defined printers available to users
   printing = lprng                  # Specifies printing system used

o guest account

The account used for access permissions when connecting to shares that allow guest access. Make sure to add this account to /etc/passwd. If it isn't specified, user "nobody" is used.

o WINS support

Samba can act as a WINS client, or a WINS server, but not both. As a WINS client it will look up NetBIOS names using another WINS server. As a WINS server, it will provide the NetBIOS name to IP conversion for other clients.

To make Samba a WINS client:

   wins server = 192.168.1.5

To make Samba a WINS server:

   wins support = yes
   name resolve order = wins lmhosts host bcast

The second option is required and defaults to "host lmhosts wins bcast". It specifies the order in which the various sources are consulted for NetBIOS name resolution.

1. host - Perform the standard host name to IP resolution using /etc/hosts, NIS, and DNS.

2. lmhosts - Use the name/IP address mappings specified in the lmhosts file. By default, the lmhosts file is /etc/samba/lmhosts. Example:

   127.0.0.1     localhost
   192.168.1.5   endor

3. wins - Query the host specified in the wins server option to resolve the IP address.

4. bcast - Use a NetBIOS broadcast to resolve the IP address. This only works for hosts connected to the local network.

o Authentication Methods

Specify the authentication method with the security option. Possible values are:

1. user - Authenticate by user using the smbpasswd file. The user must be defined on the Unix system. This is the default.

2. share - User authenticates against each individual share.

3. server - Samba validates the user using the server specified by the password server parameter. The user must still be defined on the unix system.

4. domain - Samba validates the user using the PDC or BDC as a normal NT server would. The Samba server must first be added as a valid machine to the PDC. The user must still be defined on the unix system.

o Logging Options

   log file = /var/log/samba/%m.log
   max log size = 0

The first option specifies that a separate log will be kept for each machine (%m) that connects to the server. The second option specifies a size limit for the log file (zero = unlimited).

o Browser Options

   local master = yes       # Allow Samba to participate in master browser elections
   os level = 35            # The higher the level, the better chance of winning the election
   preferred master = yes   # Causes Samba to force an election upon startup
   domain master = yes      # Allows Samba to collate browse lists between subnets

o Domain Options

   domain logons = yes      # Causes Samba to become a domain logon server for Windows 95 machines.

3. Common Share Options

o public

Share can be accessed by the "guest" account.

o browseable

Makes the share visible in browse lists.

o writable

Allows users to write to the share.

o printable

Specifies the share/resource as a printer, not a disk.

o group

Specifies the UNIX group that will be assigned as the default primary group for all users connecting to the share.

o valid users

Specifies the users that are allowed to connect to the share.

o create mode/create mask

Specifies the unix file permission bits that will always be set on any file created in this directory by Samba.

o directory mode

Same as 'create mode' only for directories.

o write list

A list of users and/or groups that will be given write access to the share if the 'writable' option is set to "no".

o path

Specifies the location of the share within the unix file system.

o only guest/guest only

If set to yes, then only guest connections to the share are permitted.

o guest ok/public

This permits the guest account to access this share.

o Special shares

Some shares have special meaning to Samba when defined; these are:

1. [printers]

Printable share that includes all system defined printers.

2. [homes]

Sets up each user's home directory as a file share that is accessible only by that user.

3. [netlogon]

Specifies the netlogon directory for domain logons.

4. Example Shares

o File share for research dept.

   [research]
   comment = Research Dept.
   path = /var/research      # Location of share on file system
   public = yes              # Guest account may access it (same as 'guest ok')
   writable = yes            # Authenticated users can write to it
   printable = no

o Printer share configuration

   [printers]                # Special share that defines all printers
   comment = All printers
   path = /var/spool/samba   # Location of spooling directory for print jobs
   browseable = no           # Does not show up in browse lists
   guest ok = no             # Guest user is not allowed to connect to this share
   printable = yes           # A printer share

o File share for accounting dept.

   [accounting]
   comment = Accounting
   path = /usr/local/shares/accounting
   valid users = @accounting     # Only users in the unix group 'accounting' can access the share
   public = no
   write list = bob sue steve    # Only users bob, sue, and steve can write to this share

o Home directory shares

   [homes]
   comment = Home Directories
   browseable = yes
   writable = yes
   valid users = %S
   create mode = 0664
   directory mode = 0775
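The global and share options above (hosts allow, encrypt passwords, security, public/guest ok, writable) are where most smb.conf exposure comes from, and testparm only checks syntax. The following is an added example, not code from this guide or the Samba project: a small parser for the smb.conf layout shown above and an audit that flags those settings, run over a constructed weak configuration and the same server hardened as this chapter recommends.

```python
"""Audit the security-relevant settings of an smb.conf.

Added example, not part of the original guide or of the Samba project. It
parses [section] headers and "option = value" lines (whole-line comments start
with # or ;) and flags: cleartext SMB passwords, a missing 'hosts allow',
share-level security, and shares that are both guest-accessible and writable.
The two configs below are constructed; the option names are real smb.conf ones.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: weak in several places on purpose.
WEAK_SMB_CONF = """\
[global]
   workgroup = MYGROUP
   security = share
   encrypt passwords = no

[research]
   path = /var/research
   public = yes
   writable = yes

[accounting]
   path = /usr/local/shares/accounting
   valid users = @accounting
   public = no
   write list = bob sue steve
"""

# The same server after applying the settings this chapter recommends.
HARDENED_SMB_CONF = """\
[global]
   workgroup = MYGROUP
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   hosts allow = 192.168.1. 192.168.2. 192.168.3.20

[research]
   path = /var/research
   public = no
   writable = yes
   valid users = @research
"""

_TRUE = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {option: value}}. Option names are lower-cased with
    internal whitespace collapsed, which is how Samba compares them."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def _is_true(opts: Dict[str, str], *names: str, default: bool = False) -> bool:
    """Look up the first present option among synonyms (e.g. public / guest ok)."""
    for name in names:
        if name in opts:
            return opts[name].lower() in _TRUE
    return default


def _is_writable(opts: Dict[str, str]) -> bool:
    if "writable" in opts or "writeable" in opts:
        return _is_true(opts, "writable", "writeable")
    return not _is_true(opts, "read only", default=True)   # Samba default: read only


def audit_smb_conf(text: str) -> List[Tuple[str, str]]:
    """Return (section, finding) pairs; an empty list means nothing was flagged."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings: List[Tuple[str, str]] = []
    if not _is_true(g, "encrypt passwords"):
        findings.append(("global", "encrypt passwords is not 'yes': passwords cross the wire in cleartext"))
    if "hosts allow" not in g:
        findings.append(("global", "no 'hosts allow': every host that reaches TCP 139 may try to connect"))
    if g.get("security", "user").lower() == "share":
        findings.append(("global", "security = share: per-share passwords, no per-user accountability"))
    for name, opts in conf.items():
        if name == "global":
            continue
        if _is_true(opts, "guest ok", "public") and _is_writable(opts):
            findings.append((name, "guest-accessible and writable: anonymous users can change files"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(conf) or "no findings")
```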

27.3 Utilities

1. testparm

o Check for errors in smb.conf.

o Test security settings for a particular host:

   testparm /etc/samba/smb.conf 192.168.1.20

This would return the resources available to the host at 192.168.1.20.

2. testprns

Determines whether a printer is valid for use through smbd.

   testprns <printer> /etc/printcap

3. smbclient

Provides command line ftp-style retrieval of files from SMB/CIFS shares.

   smbclient -L 192.168.1.10              # List accessible shares on host 192.168.1.10
   smbclient //192.168.1.10/homes         # Connect to user home directory
   smbclient -U steve //somehost/homes    # Connect to homes share as user steve

4. nmblookup

Provides hostname and IP resolution for NetBIOS.

   nmblookup -U server -R 'endor'    # Look up host 'endor' using unicast to query WINS server 'server'
                                     # and set the recursion flag on (-R)
   nmblookup \*                      # List all machines

5. smbmount

Used to mount SMB/CIFS shares on a local system.

   # Mount share research from server endor onto mount point /mnt/smb/endor as user steve
   smbmount //endor/research /mnt/smb/endor -o username=steve

Samba mounts can be performed automatically at boot up by putting them in the /etc/fstab file.

   //endor/research /mnt/smb/endor smbfs defaults,credentials=/etc/smb/endor.research 0 0

The credentials option specifies the file that contains the username/password pair to use. Make sure this file is adequately protected (owned by root and readable by root only). The credentials file should contain:

   username = steve
   password = mypassword

27.4 Disabling Encrypted Passwords on Windows Clients

1. Windows 95 OSR2+ and Windows 98

Using the registry editor (regedit), go to:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP

Add a DWORD value with the name EnablePlaintextPassword. Set its value to 0x01.

2. Windows NT

Using the registry editor (regedit), go to:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rdr\Parameters

Add a DWORD value like above.

27.5 Configuring Samba as a Primary Domain Controller

1. Make sure Samba is the only PDC on the network.

2. Make sure there is a WINS server on the network (NT or Samba).

3. Make sure Samba is set to use "user" level security.

4. Set the following options in the [global] section of your smb.conf file:

   [global]
   workgroup = MYGROUP
   domain logons = yes
   security = user
   os level = 34
   local master = yes
   preferred master = yes
   domain master = yes

   [netlogon]
   comment = Domain Logon Service
   path = /var/samba/logon
   public = no
   writeable = no
   browsable = no

5. NT Clients

If you have NT clients on your network, you must also add the following option:

   encrypt passwords = yes

NT clients also require a trust account. Trust accounts allow the machine to log in to the PDC and become a member of the domain. Use the following steps to set up a trust account on the Samba server for the NT client:

o Add a Unix system account for the machine. The logon name always ends in a "$". Your /etc/passwd entry should look similar to:

   endor$:x:1000:1000:Trust Account:/dev/null:/dev/null

Place an * in the password field of the /etc/shadow file to prevent anyone from logging into the Unix server with this account.

o Add the encrypted password for the machine:

   smbpasswd -a -m endor

The "-m" specifies that it is a machine trust account. The default password will be set to the NetBIOS name of the machine. The NT client should log into the PDC as soon as possible so it can change the default password.

27.6 Default Red Hat smb.conf

This is the default smb.conf that comes with RH 7.2.

   # This is the main Samba configuration file. You should read the
   # smb.conf(5) manual page in order to understand the options listed
   # here. Samba has a huge number of configurable options (perhaps too
   # many!) most of which are not shown in this example
   #
   # Any line which starts with a ; (semi-colon) or a # (hash)
   # is a comment and is ignored. In this example we will use a #
   # for commentry and a ; for parts of the config file that you
   # may wish to enable
   #
   # NOTE: Whenever you modify this file you should run the command "testparm"
   # to check that you have not made any basic syntactic errors.
   #
   #======================= Global Settings =====================================
   [global]

   # workgroup = NT-Domain-Name or Workgroup-Name
      workgroup = MYGROUP

   # server string is the equivalent of the NT Description field
      server string = Samba Server

   # This option is important for security. It allows you to restrict
   # connections to machines which are on your local network. The
   # following example restricts access to two C class networks and
   # the "loopback" interface. For more examples of the syntax see
   # the smb.conf man page
   ;   hosts allow = 192.168.1. 192.168.2. 127.

   # if you want to automatically load your printer list rather
   # than setting them up individually then you'll need this
      printcap name = /etc/printcap
      load printers = yes

   # It should not be necessary to spell out the print system type unless
   # yours is non-standard. Currently supported print systems include:
   # bsd, sysv, plp, lprng, aix, hpux, qnx
      printing = lprng

   # Uncomment this if you want a guest account, you must add this to /etc/passwd
   # otherwise the user "nobody" is used
   ;  guest account = pcguest

   # this tells Samba to use a separate log file for each machine
   # that connects
      log file = /var/log/samba/%m.log

   # Put a capping on the size of the log files (in Kb).
      max log size = 0

   # Security mode. Most people will want user level security. See
   # security_level.txt for details.
      security = user

   # Use password server option only with security = server
   # The argument list may include:
   #   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
   # or to auto-locate the domain controller/s
   #   password server = *
   ;   password server = <NT-Server-Name>

   # Password Level allows matching of _n_ characters of the password for
   # all combinations of upper and lower case.
   ;  password level = 8
   ;  username level = 8

   # You may wish to use password encryption. Please read
   # ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
   # Do not enable this option unless you have read those documents
      encrypt passwords = yes
      smb passwd file = /etc/samba/smbpasswd

   # The following is needed to keep smbclient from spouting spurious errors
   # when Samba is built with support for SSL.
   ;   ssl CA certFile = /usr/share/ssl/certs/ca-bundle.crt

   # The following are needed to allow password changing from Windows to
   # update the Linux system password also.
   # NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
   # NOTE2: You do NOT need these to allow workstations to change only
   #        the encrypted SMB passwords. They allow the Unix password
   #        to be kept in sync with the SMB password.
   ;  unix password sync = Yes
   ;  passwd program = /usr/bin/passwd %u
   ;  passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

   # Unix users can map to different SMB User names
   ;  username map = /etc/samba/smbusers

   # Using the following line enables you to customise your configuration
   # on a per machine basis. The %m gets replaced with the netbios name
   # of the machine that is connecting
   ;   include = /etc/samba/smb.conf.%m

   # This parameter will control whether or not Samba should obey PAM's
   # account and session management directives. The default behavior is
   # to use PAM for clear text authentication only and to ignore any
   # account or session management. Note that Samba always ignores PAM
   # for authentication in the case of encrypt passwords = yes
   ;  obey pam restrictions = yes

   # Most people will find that this option gives better performance.
   # See speed.txt and the manual pages for details
      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   # Configure Samba to use multiple interfaces
   # If you have multiple network interfaces then you must list them
   # here. See the man page for details.
   ;   interfaces = 192.168.12.2/24 192.168.13.2/24

   # Configure remote browse list synchronisation here
   #  request announcement to, or browse list sync from:
   #       a specific host or from / to a whole subnet (see below)
   ;   remote browse sync = 192.168.3.25 192.168.5.255
   # Cause this host to announce itself to local subnets here
   ;   remote announce = 192.168.1.255 192.168.2.44

   # Browser Control Options:
   # set local master to no if you don't want Samba to become a master
   # browser on your network. Otherwise the normal election rules apply
   ;   local master = no

   # OS Level determines the precedence of this server in master browser
   # elections. The default value should be reasonable
   ;   os level = 33

   # Domain Master specifies Samba to be the Domain Master Browser. This
   # allows Samba to collate browse lists between subnets. Don't use this
   # if you already have a Windows NT domain controller doing this job
   ;   domain master = yes

   # Preferred Master causes Samba to force a local browser election on startup
   # and gives it a slightly higher chance of winning the election
   ;   preferred master = yes

   # Enable this if you want Samba to be a domain logon server for
   # Windows95 workstations.
   ;   domain logons = yes

   # if you enable domain logons then you may want a per-machine or
   # per user logon script
   # run a specific logon batch file per workstation (machine)
   ;   logon script = %m.bat
   # run a specific logon batch file per username
   ;   logon script = %U.bat

   # Where to store roving profiles (only for Win95 and WinNT)
   #        %L substitutes for this servers netbios name, %U is username
   #        You must uncomment the [Profiles] share below
   ;   logon path = \\%L\Profiles\%U

   # Windows Internet Name Serving Support Section:
   # WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
   ;   wins support = yes

   # WINS Server - Tells the NMBD components of Samba to be a WINS Client
   #       Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
   ;   wins server = w.x.y.z

   # WINS Proxy - Tells Samba to answer name resolution queries on
   # behalf of a non WINS capable client, for this to work there must be
   # at least one WINS Server on the network. The default is NO.
   ;   wins proxy = yes

   # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
   # via DNS nslookups. The built-in default for versions 1.9.17 is yes,
   # this has been changed in version 1.9.18 to no.
      dns proxy = no

   # Case Preservation can be handy - system default is _no_
   # NOTE: These can be set on a per share basis
   ;  preserve case = no
   ;  short preserve case = no
   # Default case is normally upper case for all DOS files
   ;  default case = lower
   # Be very careful with case sensitivity - it can break things!
   ;  case sensitive = no

   #============================ Share Definitions ==============================
   [homes]
      comment = Home Directories
      browseable = no
      writable = yes
      valid users = %S
      create mode = 0664
      directory mode = 0775
   # If you want users samba doesn't recognize to be mapped to a guest user
   ; map to guest = bad user

   # Un-comment the following and create the netlogon directory for Domain Logons
   ; [netlogon]
   ;   comment = Network Logon Service
   ;   path = /usr/local/samba/lib/netlogon
   ;   guest ok = yes
   ;   writable = no
   ;   share modes = no

   # Un-comment the following to provide a specific roving profile share
   # the default is to use the user's home directory
   ;[Profiles]
   ;    path = /usr/local/samba/profiles
   ;    browseable = no
   ;    guest ok = yes

   # NOTE: If you have a BSD-style print system there is no need to
   # specifically define each individual printer
   [printers]
      comment = All Printers
      path = /var/spool/samba
      browseable = no
   # Set public = yes to allow user 'guest account' to print
      guest ok = no
      writable = no
      printable = yes

   # This one is useful for people to share files
   ;[tmp]
   ;   comment = Temporary file space
   ;   path = /tmp
   ;   read only = no
   ;   public = yes

   # A publicly accessible directory, but read only, except for people in
   # the "staff" group
   ;[public]
   ;   comment = Public Stuff
   ;   path = /home/samba
   ;   public = yes
   ;   writable = yes
   ;   printable = no
   ;   write list = @staff

   # Other examples.
   #
   # A private printer, usable only by fred. Spool data will be placed in fred's
   # home directory. Note that fred must have write access to the spool directory,
   # wherever it is.
   ;[fredsprn]
   ;   comment = Fred's Printer
   ;   valid users = fred
   ;   path = /home/fred
   ;   printer = freds_printer
   ;   public = no
   ;   writable = no
   ;   printable = yes

   # A private directory, usable only by fred. Note that fred requires write
   # access to the directory.
   ;[fredsdir]
   ;   comment = Fred's Service
   ;   path = /usr/somewhere/private
   ;   valid users = fred
   ;   public = no
   ;   writable = yes
   ;   printable = no

   # a service which has a different directory for each machine that connects
   # this allows you to tailor configurations to incoming machines. You could
   # also use the %U option to tailor it by user name.
   # The %m gets replaced with the machine name that is connecting.
   ;[pchome]
   ;  comment = PC Directories
   ;  path = /usr/local/pc/%m
   ;  public = no
   ;  writable = yes

   # A publicly accessible directory, read/write to all users. Note that all files
   # created in the directory by users will be owned by the default user, so
   # any user with access can delete any other user's files. Obviously this
   # directory must be writable by the default user. Another user could of course
   # be specified, in which case all files would be owned by that user instead.
   ;[public]
   ;   path = /usr/somewhere/else/public
   ;   public = yes
   ;   only guest = yes
   ;   writable = yes
   ;   printable = no

   # The following two entries demonstrate how to share a directory so that two
   # users can place files there that will be owned by the specific users. In this
   # setup, the directory should be writable by both users and should have the
   # sticky bit set on it to prevent abuse. Obviously this could be extended to
   # as many users as required.
   ;[myshare]
   ;   comment = Mary's and Fred's stuff
   ;   path = /usr/somewhere/shared
   ;   valid users = mary fred
   ;   public = no
   ;   writable = yes
   ;   printable = no
   ;   create mask = 0765

28. Squid

28.1 Overview

1. HTTP and FTP caching proxy server.

2. Conforms to Harvest Cache architecture.

3. Uses Inter-Cache Protocol (ICP) to communicate with other cache servers.

4. Only recognizes HTTP on the client side, but will use both FTP and HTTP on the server side.

5. Required Packages: squid

6. Ports

o Clients connect to TCP port 3128 by default.

o Default port can be changed.

o For accelerator mode, clients will typically connect to TCP port 80.

28.2 Configuration

1. /etc/squid/squid.conf

o Primary configuration file.

o Parent/sibling caches - Squid can be configured to check other caches for a request before fetching a new object.

Configuration example:

   #                                      Proxy  ICP
   # Host Name                  Type      Port   Port
   cache_peer parentcache.xyz.com  parent   3128   3130
   cache_peer childcache1.xyz.com  sibling  3128   3130
   cache_peer childcache2.xyz.com  sibling  3128   3130

o Access Control Lists - Squid has very extensive ACLs for controlling access.

o See /etc/squid/squid.conf for further configuration examples. It is very well documented.

o Cache initialization.

The cache is located at /var/spool/squid. If it hasn't been created, the startup script will automatically create it when squid is started.

28.3 Client Program (/usr/sbin/client)

1. FINISH ME!

29. INND

29.1 Overview

1. Provides Network News Transport Protocol (NNTP) service.

2. Major newsgroups include: alt, comp, gnu, misc, news, rec, sci, soc, and talk.

3. Newsgroups configured in a hierarchical fashion.

4. Package: inn

5. Port: TCP 119.

29.2 Configuration

1. /etc/news/

Location of configuration files. A minimal leafnode setup requires that you modify the following files:

o inn.conf

Set the following options. The defaults for the remaining options should be fine.

   organization: MyOrganization
   domain: mydomain.com
   server: news.mydomain.com

o incoming.conf

Place your ISP's news server information in here.

   # Peer definition
   # MyISP.com (800) 555-1212 [email protected]
   myisp.com {
       hostname: news.myisp.com
   }

o newsfeeds

If you want to post articles, you need to modify newsfeeds.

   news.myisp.com:comp.*,!comp.sources.*,comp.sources.unix/!foo:Tf,Wnm:news.myisp.com

The colon is the field delimiter used above. The format of the above line is:

sitename[/exclude,exclude,...]:pattern,pattern,...[/distrib,distrib,..]:flag,flag,...:param

Options:

1. sitename - Names the site to which this feed relates. It can be called anything you want and does not have to be the domain name of the site.

2. pattern - Indicates which newsgroups are to be sent to this site. The default is to send all groups (leave it blank if that's what you want). The above example will cause all "comp" groups to be sent, but not any group under "comp.sources" except for "comp.sources.unix".

3. distribution - If specified, and an article has a "Distribution" header, it is checked against this value. If the distribution specified matches the distribution header in the article, it is sent. However, if the distribution specified starts with an exclamation point, and the distribution header in the article matches, it is not sent. In the above example, any article with a distribution header containing "foo" will not be sent.

4. flag - Specifies various options about the newsfeed. The above options specify that this is a file feed type (Tf), and that only the article's "token" and "message-id" (Wnm) should be written.

5. param - Meaning varies depending on the feed type. When the feed type is "file" as in the example above, it specifies the file to write an entry to when an article is received. If not an absolute path, it is relative to the "pathoutgoing" option in inn.conf.
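The pattern field above is evaluated as a wildmat list, where the last matching pattern decides and a leading "!" negates. The following is an added example, not code from this guide or from INN, that parses the example newsfeeds line into its fields and reproduces that decision for a few groups; the distribution rule follows newsfeeds(5) as this example reads it (a list made only of negations admits any distribution that none of them match).

```python
"""Decide which newsgroups an INN newsfeeds entry would feed.

Added example, not part of the original guide or of INN. It parses the field
layout sitename[/exclude,...]:pattern,...[/distrib,...]:flag,...:param and
applies the wildmat rule that the LAST matching pattern decides, with "!"
negating a pattern. Only the "*", "?" and "[...]" wildcards are handled.
"""
import fnmatch
from typing import Dict, List

# Constructed from the example line on this page.
NEWSFEEDS_LINE = (
    "news.myisp.com:comp.*,!comp.sources.*,comp.sources.unix/!foo:Tf,Wnm:news.myisp.com"
)


def _csv(field: str) -> List[str]:
    return [item for item in field.split(",") if item]


def parse_newsfeeds_entry(line: str) -> Dict[str, object]:
    """Split one newsfeeds line into its four colon-separated fields."""
    site_field, pattern_field, flag_field, param = (line.split(":", 3) + [""] * 4)[:4]
    site, _, excludes = site_field.partition("/")
    patterns, _, distribs = pattern_field.partition("/")
    return {
        "site": site,
        "excludes": _csv(excludes),   # sites whose articles must not be fed back
        "patterns": _csv(patterns),
        "distribs": _csv(distribs),
        "flags": _csv(flag_field),
        "param": param,
    }


def wildmat_accepts(patterns: List[str], name: str) -> bool:
    """Last matching pattern wins; "!" patterns reject, others accept.
    A list consisting only of negations admits names nothing matches."""
    accepted = bool(patterns) and all(p.startswith("!") for p in patterns)
    for pat in patterns:
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(name, pat[1:] if negated else pat):
            accepted = not negated
    return accepted


def feeds_article(entry: Dict[str, object], group: str,
                  distribution: str = None, path=()) -> bool:
    """Would this feed receive an article posted to `group`?

    `distribution` is the article's Distribution header (None if absent) and
    `path` the sites already listed in its Path header."""
    if any(site in entry["excludes"] for site in path):
        return False
    if not wildmat_accepts(entry["patterns"], group):
        return False
    if distribution is not None and entry["distribs"]:
        return wildmat_accepts(entry["distribs"], distribution)
    return True
```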

o readers.conf - Edit this file if you want to allow readers on other computers.

o motd.news - If you allow readers, it is a good idea to put a banner in this file that relays your usage policies to your readers.

2. Run inncheck to correct any permissions problems and catch any configuration file errors.

3. Run makehistory to initialize the INN history database.

4. Run makedbz to rebuild the dbz database files.

29.3 Troubleshooting

1. innd won't start

o Use inncheck.

o Check logs under /var/log/news.

2. Readers can't read

o Verify that the reader is allowed access by checking nnrp.access.

o Make sure innd is running.

o Check logs under /var/log/news.

o telnet to port 119 and see if a banner comes up.

3. Posters can't post

o Confirm poster is allowed to post by checking nnrp.access.

o Check logs under /var/log/news.

o telnet to port 119 and see if a banner comes up with (posting allowed).

30. NTP

30.1 Overview

1. Network Time Protocol

o Uses a distributed hierarchy to synchronize time to UTC (Universal Coordinated Time).

o Each server is at a certain stratum. The lower the stratum, the closer it is to an external source of UTC.

o Stratum 1 servers have direct access to an external UTC source. (e.g. a radio clock synchronized to time signal broadcasts).

o A stratum 2 server gets its time from a stratum 1 server. A stratum 3 gets it from a stratum 2, and so on.

o To avoid synchronization problems, the maximum number of strata is 15.

o Ideally, NTP likes to have at least 3 sources of time available to synchronize to.

o NTP never runs a system clock backwards, but can slow it down if it's running too fast.

o When NTP is first started, it starts to compute the frequency of the clock on the computer it's running on. It usually takes a day or so for NTP to determine the error or "drift" of the local clock. This "drift" is stored in a local file so it doesn't have to be recomputed if NTP is restarted.

2. Packages

ntp

3. Port

UDP 123

30.2 Configuration

1. /etc/ntp.conf

o Primary configuration file.

o Example:

   server rackety.udel.edu
   server umd1.umd.edu
   server lilben.tn.cornell.edu

   driftfile /etc/ntp/drift

The "server" keyword is used to indicate the servers that should be used to synchronize to UTC. This host can receive synchronization from one of the listed servers, but cannot provide it to them.

The "driftfile" directive indicates the file that contains the current value of the frequency error of the clock on the computer.

31. PPP

31.1 Overview

1. Point-to-Point Protocol.

2. Typically used by dial-up users.

3. Packages

o ppp - Provides the pppd daemon and other tools necessary to set up a PPP client or server.

o rp-pppoe - Required for ADSL connections that run PPP over Ethernet.

o wvdial - wvdial is an easy to use ppp client configuration tool.

o mgetty - Needed for a pppd server to listen on a serial port.

31.2 Client Configuration

1. Use wvdial to configure the client.

2. wvdial automatically detects and configures your modem.

3. Configuration Steps:

o As root, execute:

   /usr/bin/wvdialconf /etc/wvdial.conf

This creates the configuration file for wvdial based on your modem.

o Edit /etc/wvdial.conf and specify the phone number, login name, and password that's needed to login to your ISP. Uncomment the 3 lines that already exist for this purpose and fill in the necessary information.

4. Connecting to your ISP

To connect to your ISP, all you need to do is execute /usr/bin/wvdial

31.3 Server Configuration

1. General pppd configuration options are placed in /etc/ppp/*.

2. Configure mgetty to listen on your serial port. In /etc/inittab put an entry similar to the following:

   ppp0:35:respawn:/sbin/mgetty ttyS0

This tells mgetty to listen on serial port /dev/ttyS0.

3. Then, you must tell mgetty to perform automatic PPP negotiation. Put the following line in /etc/mgetty+sendfax/login.conf:

   /AutoPPP/ - - /usr/sbin/pppd auth -chap +pap login

32. OpenSSH

32.1 Overview

1. Replaces insecure network communication applications.

2. Can authenticate via user and/or token.

3. Can tunnel insecure protocols through an encrypted tunnel.

4. Packages

o openssh - Provides core components for both openssh-server and openssh-clients.

o openssh-server - Contains sshd, the secure shell daemon.

o openssh-clients - Includes ssh, slogin, ssh-agent, ssh-add, sftp.

o openssh-askpass - Provides X11 based pass phrase dialog.

o openssh-askpass-gnome - A GNOME specific X11 based pass phrase dialog.

o openssl - Provides cryptographic libraries.

5. Ports

o sshd - TCP 22

32.2 Configuration

1. /etc/ssh/

o Client and Server configurations stored here.

o Server Related Files

1. sshd_config - Primary server configuration file.

Sample options (sshd_config accepts comments only on lines of their own, so each annotation is placed above the option it describes):

   # Port to bind to
   Port 22
   # Protocol versions and order to use them in.
   Protocol 2,1
   # Bind to all addresses.
   #ListenAddress 0.0.0.0
   # Bind to a specific interface.
   ListenAddress 192.168.1.20
   # Specify host key files
   HostKey /etc/ssh/ssh_host_key
   HostKey /etc/ssh/ssh_host_rsa_key
   HostKey /etc/ssh/ssh_host_dsa_key
   # Size of server key for SSHv1 protocol
   ServerKeyBits 768
   LoginGraceTime 600
   # How often the server key is regenerated in SSHv1 protocol
   KeyRegenerationInterval 3600
   # Don't allow root to login directly
   PermitRootLogin no
   # Ignore .rhosts files
   IgnoreRhosts yes
   # Ignore user's known_hosts files.
   IgnoreUserKnownHosts yes
   # Tells sshd to check file modes and ownership of user files before allowing login
   StrictModes yes
   # Permit X11 Forwarding
   X11Forwarding yes
   # Specifies which display to use when forwarding
   X11DisplayOffset 10

   # Enable secure ftp
   Subsystem sftp /usr/libexec/openssh/sftp-server

2. ssh_known_hosts - Contains a list of hostnames and their associated public key.

3. ssh_host_key & ssh_host_key.pub - Private/Public RSA key-pair for SSHv1 protocol.

4. ssh_host_rsa_key & ssh_host_rsa_key.pub - Private/Public RSA key-pair for SSHv2 protocol.

5. ssh_host_dsa_key & ssh_host_dsa_key.pub - Private/Public DSA key-pair for SSHv2 protocol.

o Client Related File(s)

1. ssh_config - Client configuration file.

Default configuration:

   # Site-wide defaults for various options

   # Host *
   #   ForwardAgent no
   #   ForwardX11 no
   #   RhostsAuthentication no
   #   RhostsRSAAuthentication yes
   #   RSAAuthentication yes
   #   PasswordAuthentication yes
   #   FallBackToRsh no
   #   UseRsh no
   #   BatchMode no
   #   CheckHostIP yes
   #   StrictHostKeyChecking yes
   #   IdentityFile ~/.ssh/identity
   #   IdentityFile ~/.ssh/id_dsa
   #   IdentityFile ~/.ssh/id_rsa
   #   Port 22
   #   Protocol 2,1
   #   Cipher blowfish
   #   EscapeChar ~

32.3 Client Usage

1. ssh

   ssh 192.168.1.25              # Login to host 192.168.1.25 via ssh as the local user initiating the session
   ssh server.xyz.com            # Login to host server.xyz.com
   ssh [email protected]         # Login to host 192.168.1.25 as user steve
   ssh 192.168.1.25 ls -la       # Execute 'ls -la' on host 192.168.1.25

2. scp - Secure Copy

   scp essay [email protected]:school_dir       # Copy local file 'essay' to directory school_dir
                                                  # in steve's home directory on the remote host
   scp essay [email protected]:english_paper    # Copy local file 'essay' to the remote host and rename
                                                  # it to 'english_paper' on the remote host
   scp -r ~/docs [email protected]              # Copy the local directory docs and all of its
                                                  # contents to the remote host

3. sftp - Secure ftp

   sftp [email protected]        # Logs into host 192.168.1.25 as user steve and provides an
                                  # ftp like session.
   sftp -C [email protected]     # Same as above, only enables compression too.

32.4 Authentication Methods Supported by sshd

1. password - Sent securely through the encrypted tunnel.

2. Public Key - Put the public key in ~/.ssh/authorized_keys on the remote host. The private key is then used to authenticate the user with the remote host.

3. Kerberos

4. s/key

5. SecureID

32.5 ssh-agent usage

      eval `ssh-agent`
      ssh-add

32.6 Keys

1. Generate with ssh-keygen.

      ssh-keygen -b 1024            # Generate 1024 bit RSA key for SSHv1 protocol
      ssh-keygen -t dsa -b 1024     # Generate a 1024 bit DSA key for SSHv2 protocol
      ssh-keygen -t rsa -b 1024     # Generate a 1024 bit RSA key for SSHv2 protocol

2. Key Location:

o RSA (SSHv1 protocol) - ~/.ssh/identity and ~/.ssh/identity.pub

o RSA (SSHv2 protocol) - ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub

o DSA (SSHv2 protocol) - ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub


33. Security

33.1 TCP Wrappers

1. Provides host based security.

2. Configuration files: /etc/hosts.allow & /etc/hosts.deny.

o hosts.allow is checked first. If access isn't explicitly permitted, then hosts.deny is checked. If access isn't explicitly denied, then access is granted.

o Configuration File Format:

      <service_list>:<client_list> [:options]

o Special keywords

  1. ALL - Can be used to represent all clients and/or all services. For example, to deny access to every service from all clients, place the following in /etc/hosts.deny

        ALL:ALL

  2. EXCEPT - Can be used with ALL to provide exceptions. For example, to deny access to all services except sshd and vsftp from all clients, place the following in /etc/hosts.deny

        ALL EXCEPT sshd, vsftp:ALL

     (The exceptions go in one comma-separated list after a single EXCEPT. Chained EXCEPT operators nest from the right, so "ALL EXCEPT sshd EXCEPT vsftp" reads as ALL EXCEPT (sshd EXCEPT vsftp) and would still deny vsftp.)

  3. LOCAL - Can be used to represent all hosts without a dot in their name.

  4. UNKNOWN - All hosts or users that can't be looked up.

  5. KNOWN - All hosts or users that can be resolved.

  6. PARANOID - All hosts where the forward and reverse lookups do not match.

3. tcpd

o The tcpd program checks permissions and launches the specified service if access is permitted.

o tcpd is typically used with inetd type services.

4. libwrap

o Programs compiled against libwrap can use tcp wrappers configuration files for determining access without having to use the 'tcpd' program.

o Many programs in Red Hat Linux are compiled against libwrap. These include:

     o sendmail
     o slapd
     o sshd
     o stunnel
     o tcpd
     o xinetd        # This includes all services executed by xinetd
     o gdm
     o gnome-session
     o ORBit
     o portmap

5. Options

   o Can be used to execute a command when a rule match occurs. For example, to e-mail root a warning message every time someone tries to telnet in from cracker.org, put the following in /etc/hosts.deny:

        in.telnetd: .cracker.org : spawn echo \
            "login attempt from %c to %s" | \
            mail -s "Telnet login warning" root

   o Variable replacements:

        %c - client information (user@host)
        %s - service information (service@host)
        %h - client's hostname or IP address if hostname is unavailable
        %p - The server process id

   o See hosts_options man page for more information.

6. Example Setup

   o /etc/hosts.allow

        # Allow all clients in the 192.168.1.0/24 network and the client at 63.21.45.2 access
        # to sshd and imapd.
        sshd, imapd:192.168.1. 63.21.45.2

        # For a multi-homed host, you can specify the interface. This allows all hosts
        # in the 192.168.1.0/24 to access in.ftpd, but only if it's through the 192.168.1.10 interface.
        in.ftpd@192.168.1.10:192.168.1.

        # Allow access to pop3d by all hosts in the somedomain.com domain.
        pop3d:.somedomain.com

        # Another way to specify network netmasks
        vsftp:192.168.1.0/255.255.255.0

        # Allow access to telnet from the 'research' network (specified in /etc/networks or NIS)
        in.telnetd:@research

   o /etc/hosts.deny

        # Deny access to all services that aren't explicitly permitted in /etc/hosts.allow
        ALL:ALL
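As an added example (not from the study guide), a small Python evaluator of the lookup order and pattern forms described in this section, run over constructed hosts.allow/hosts.deny contents that mirror the setup above; it also shows how chained EXCEPT operators nest. The Client class, the sample addresses, the unresolved NIS netgroup and the ignored option field are assumptions of the example.

```python
"""Toy evaluator for TCP Wrappers access control (hosts.allow / hosts.deny).

Added example, not from the study guide. It follows the lookup order the
guide gives (hosts.allow first, then hosts.deny, otherwise allow) and the
pattern forms of hosts_access(5). Rule options after a second ':' are
ignored and NIS netgroups (@name) are not resolved here (assumption).
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Client:
    ip: str
    hostname: str = ""       # "" means the reverse lookup failed (UNKNOWN)
    mismatch: bool = False   # forward and reverse lookups disagree (PARANOID)


# Constructed sample files that mirror the guide's example setup.
HOSTS_ALLOW = """
sshd, imapd : 192.168.1. 63.21.45.2
in.ftpd@192.168.1.10 : 192.168.1.
pop3d : .somedomain.com
vsftp : 192.168.1.0/255.255.255.0
in.telnetd : @research
"""
HOSTS_DENY = "ALL : ALL\n"


def _tokens(text):
    return [t for t in re.split(r"[\s,]+", text.strip()) if t]


def _match_list(expr, matcher):
    """Match a list, nesting EXCEPT from the right: a EXCEPT b EXCEPT c
    means a EXCEPT (b EXCEPT c), as hosts_access(5) specifies."""
    parts = re.split(r"\bEXCEPT\b", expr, maxsplit=1)
    matched = any(matcher(tok) for tok in _tokens(parts[0]))
    if len(parts) == 1:
        return matched
    return matched and not _match_list(parts[1], matcher)


def _client_matches(tok, c):
    if tok == "ALL":
        return True
    if tok == "LOCAL":                   # hostname without a dot
        return bool(c.hostname) and "." not in c.hostname
    if tok == "KNOWN":
        return bool(c.hostname) and not c.mismatch
    if tok == "UNKNOWN":
        return not c.hostname
    if tok == "PARANOID":
        return c.mismatch
    if tok.startswith("@"):              # NIS netgroup: not modelled
        return False
    if tok.startswith("."):              # domain suffix, e.g. .somedomain.com
        return c.hostname.endswith(tok)
    if tok.endswith("."):                # network prefix, e.g. 192.168.1.
        return c.ip.startswith(tok)
    if "/" in tok:                       # net/mask or CIDR
        return ipaddress.ip_address(c.ip) in ipaddress.ip_network(tok, strict=False)
    return tok in (c.ip, c.hostname)     # exact host or address


def _daemon_matches(tok, daemon, server_ip):
    if tok == "ALL":
        return True
    if "@" in tok:                       # daemon@interface form
        name, host = tok.split("@", 1)
        return name == daemon and host == server_ip
    return tok == daemon


def _file_matches(text, daemon, client, server_ip):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split(":")
        if len(fields) < 2:
            continue                     # blank, comment or malformed line
        if _match_list(fields[0], lambda t: _daemon_matches(t, daemon, server_ip)) \
                and _match_list(fields[1], lambda t: _client_matches(t, client)):
            return True
    return False


def access_allowed(allow, deny, daemon, client, server_ip="192.168.1.10"):
    """Decide as tcpd/libwrap would: allow file, then deny file, else allow."""
    if _file_matches(allow, daemon, client, server_ip):
        return True
    if _file_matches(deny, daemon, client, server_ip):
        return False
    return True


if __name__ == "__main__":
    for daemon, client in [("sshd", Client("192.168.1.50", "ws50")),
                           ("sshd", Client("10.0.0.5")),
                           ("pop3d", Client("203.0.113.7", "mail.somedomain.com")),
                           ("in.telnetd", Client("192.168.1.50", "ws50"))]:
        print(daemon, client.ip, "allowed" if
              access_allowed(HOSTS_ALLOW, HOSTS_DENY, daemon, client) else "denied")
```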

33.2 xinetd based security

1. Overview

   o xinetd has its own host based access controls built-in.

   o TCP Wrappers are checked first. If TCP Wrappers permits access, then xinetd's access controls are checked.

   o Provides some additional restrictions that TCP Wrappers don't provide: time, max # of instances, and number of instances per source allowed.

2. Access Controls

   o only_from - Specifies which hosts are allowed to access this service.

        only_from = 192.168.1.0/24

   o no_access - Specifically deny a host or hosts.

        no_access = 192.168.1.20

     NOTE: If both only_from and no_access are specified, the one that is more specific wins. In this case no_access wins because it specifies a specific host within the 192.168.1.0/24 network.

   o access_times - Specifies a time period where access is allowed.

        access_times = 07:30-17:30

   o instances - Specifies the maximum number of instances of this service that may be launched.

        instances = 100

   o per_source - Specifies the maximum number of instances that can be initiated per IP address.

        per_source = 3

33.3 IPCHAINS

1. Overview

   o Ipchains is the packet filter provided in the 2.2 kernels.

   o Also supported by 2.4 kernels with the ipchains compatibility module.

   o Format:

        ipchains [action] [chain] [options] [target]
        ipchains -A input -i eth0 -p tcp -s 192.168.1.20 -d 0.0.0.0/0 -j ACCEPT

2. Capabilities

   o Actions

        -A = Append rule to end of chain
        -I = Insert rule at beginning of chain
        -D = Delete existing rule in chain
        -N = Create new chain
        -X = Delete a chain (user defined only)
        -P = Set default policy for chain (ACCEPT, DENY, or REJECT)
        -F = Flush all rules in a chain
        -L = List existing rules (can specify a specific chain)

   o Chains - 3 Built-in chains. Names in lower case.

        input   - All packets that come into the interface pass through this chain. Even packets that
                  are being routed to another interface pass through this chain.
        forward - All packets that come in one interface and leave on another pass through this chain.
        output  - All packets leaving an interface pass through this chain. Even packets that are
                  being routed from another interface pass through this chain.

   o Options

        -i = Interface (eth0, eth1, lo)
        -p = Protocol (udp, tcp, icmp, or the protocol number)
        -s = Source address of packet (192.168.1.20, 192.168.1.0/24, etc.)
             Can also include the source port for tcp/udp (192.168.1.20 80)
        -d = Same as -s, only for the destination address
        -y = Matches a packet that has only the SYN flag set (First step in TCP handshake)
        -l = Log the packet
        --source-port = Specify a source port without a source address
        --destination-port = Specify a destination port without a destination address

   o Targets

        DENY    = Drop packet without sending any sort of response to the source
        REJECT  = Drop packet, but send the source an ICMP error message
        ACCEPT  = Accept the packet
        <CHAIN> = Specify a user defined chain to jump to for further processing

3. Examples

      # Set the default Policies to DENY
      ipchains -P input DENY
      ipchains -P output DENY
      ipchains -P forward DENY

      # Allow all incoming tcp connections on interface eth0 to port 80 (www)
      ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 1024: --destination-port 80 -j ACCEPT

      # We must also allow packets back out in order for the connection to work
      ipchains -A output -i eth0 -p tcp --source-port 80 -d 0.0.0.0/0 1024: -j ACCEPT

      # Allow outgoing connections to other web servers
      ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0/0 80 -j ACCEPT
      ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0/0 81 -j ACCEPT
      ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0/0 443 -j ACCEPT

      # We must now allow TCP packets back in on ports >= 1024 to complete the connection. However,
      # we don't want to allow any packet through with the SYN flag set since that would indicate
      # someone is trying to make a connection to us.
      ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0/0 80 --destination-port 1024: -j ACCEPT
      ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0/0 81 --destination-port 1024: -j ACCEPT
      ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0/0 443 --destination-port 1024: -j ACCEPT

      # Allow external access to our DNS services.
      ipchains -A input -i eth0 -p udp --destination-port 53 -j ACCEPT
      ipchains -A output -i eth0 -p udp --source-port 53 -j ACCEPT

      # If you leave out a source (-s) or destination (-d) address it's like specifying
      # 0.0.0.0/0 (any address) for it. A bare address with no mask means a single host (/32).

      #
      # MASQUERADING
      #
      # In these examples, eth0 is the external interface on the firewall, and eth1 is the
      # internal interface.

      # Set Masquerade Timeouts
      # Set a 2 hour (7200 sec) time out for TCP session timeouts
      # Set a 15 second timeout for TCP/IP traffic after a FIN is received
      # Set a 3 minute (180 sec) time out for UDP traffic
      /sbin/ipchains -M -S 7200 15 180

      # Set up the Masquerading
      # Remember that the default policy is set to DENY above. Otherwise we would set it here.
      /sbin/ipchains -A forward -i eth0 -s $INTERNAL_LAN -j MASQ
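As an added example that is not part of the guide, a Python model of the input chain from the listing above: the first matching rule decides, otherwise the chain's default policy applies, and '! -y' lets reply packets in while refusing anything that is only a SYN. The Packet and Rule classes and the sample addresses are assumptions; logging, masquerading and user-defined chains are not modelled.

```python
"""Model of ipchains first-match evaluation for the guide's input chain.

Added example, not from the study guide. A packet walks the chain in order;
the first rule whose interface, protocol, addresses, ports and SYN test all
match decides, otherwise the chain's default policy applies. -l, jumps to
user chains and masquerading are not modelled (assumption).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False       # True when only the SYN flag is set (what -y tests)


@dataclass
class Rule:
    target: str                          # ACCEPT, DENY or REJECT
    iface: Optional[str] = None          # -i
    proto: Optional[str] = None          # -p
    src: str = "0.0.0.0/0"               # -s (a bare address means /32)
    sport: Optional[str] = None          # "80", "1024:" or "1024:65535"
    dst: str = "0.0.0.0/0"               # -d
    dport: Optional[str] = None
    syn: Optional[bool] = None           # True for -y, False for '! -y', None for either


def _port_ok(spec, port):
    if spec is None:
        return True
    lo, sep, hi = spec.partition(":")
    if not sep:
        return port == int(spec)
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)


def _addr_ok(spec, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and _addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)
            and (rule.syn is None or rule.syn == pkt.syn_only))


def verdict(chain, policy, pkt):
    """First matching rule decides; the default policy (-P) catches the rest."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


# The guide's input chain, rule by rule (comments quote the ipchains form).
INPUT_CHAIN = [
    # ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 1024: --destination-port 80 -j ACCEPT
    Rule("ACCEPT", iface="eth0", proto="tcp", sport="1024:", dport="80"),
    # ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0/0 <port> --destination-port 1024: -j ACCEPT
    Rule("ACCEPT", iface="eth0", proto="tcp", sport="80", dport="1024:", syn=False),
    Rule("ACCEPT", iface="eth0", proto="tcp", sport="81", dport="1024:", syn=False),
    Rule("ACCEPT", iface="eth0", proto="tcp", sport="443", dport="1024:", syn=False),
    # ipchains -A input -i eth0 -p udp --destination-port 53 -j ACCEPT
    Rule("ACCEPT", iface="eth0", proto="udp", dport="53"),
]
INPUT_POLICY = "DENY"                    # ipchains -P input DENY


def input_verdict(pkt):
    return verdict(INPUT_CHAIN, INPUT_POLICY, pkt)


if __name__ == "__main__":
    # Constructed packets: 203.0.113.9 is a documentation address, 192.0.2.1 is "us".
    samples = [
        ("new connection to our web server",
         Packet("eth0", "tcp", "203.0.113.9", 40000, "192.0.2.1", 80, True)),
        ("SYN from port 80 to one of our high ports",
         Packet("eth0", "tcp", "203.0.113.9", 80, "192.0.2.1", 5000, True)),
        ("reply from a web server we contacted",
         Packet("eth0", "tcp", "203.0.113.9", 80, "192.0.2.1", 5000)),
        ("DNS query", Packet("eth0", "udp", "203.0.113.9", 5353, "192.0.2.1", 53)),
    ]
    for label, pkt in samples:
        print(f"{label}: {input_verdict(pkt)}")
```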

33.4 IPTABLES (Netfilter)

1. Overview

   o 2.4 kernels only.

   o Many benefits over ipchains:

     1. Connection Tracking.

     2. Rate Limiting.

     3. Support for true NAT.

     4. Many more filtering options: All TCP flags, MAC addresses, user, etc.

     5. Improved logging.

   o Format

        iptables [table] [action] [chain] [options] [target]
        iptables -t filter -A INPUT -m state --state NEW -p tcp -s 192.168.1.0/24 -j ACCEPT

2. Capabilities

   o Table - Specifies which table the chain applies to: nat, filter, or mangle.

   o Action - See IPCHAINS actions above.

   o Chains - 5 Built-in chains. Names capitalized unlike IPCHAINS.

        # Filter Table:
        INPUT       - All packets entering an interface that are destined for a local process use this
                      chain. Note that packets that are being routed from one interface to another
                      do NOT go through this chain as is the case with IPCHAINS.
        FORWARD     - Only packets routed from one interface to another pass through this chain.
        OUTPUT      - All packets leaving an interface that originated from a local process use this
                      chain. Note that packets that are being routed from one interface to another
                      do NOT go through this chain as is the case with IPCHAINS.

        # Nat Table:
        PREROUTING  - Rules in this chain occur before it is determined whether the packet will
                      use the INPUT or FORWARD chain. Destination NAT (DNAT) is configured
                      using this chain.
        POSTROUTING - Rules in this chain occur after the OUTPUT and FORWARD chains. Source NAT
                      (SNAT) is configured using this chain.

   o Options

        -i = Input interface (eth0, eth1, lo)
        -o = Output interface (eth0, eth1, lo)
        -p = Protocol (udp, tcp, icmp, or the protocol number)
        -s = Source address of packet (192.168.1.20, 192.168.1.0/24, etc.)
        -d = Same as -s, only for the destination address
        -m = Specify an extension module to load (e.g. -m state). This must be the first option
             specified if it is used
        --sport = Source port
        --dport = Destination port

   o Targets

        # 3 Default Targets
        DROP    = DROP the packet without returning an indication that it was dropped to the source
        ACCEPT  = Accept the packet
        <CHAIN> = A user defined chain

        # Additional Targets provided by modules:
        LOG    = Log the packet
        REJECT = Reject the packet and send the source a user defined response (defaults to an icmp
                 error message)

   o Connection Tracking

     1. Requires state module (-m state).

     2. Packet STATES:

           NEW         = A new connection
           ESTABLISHED = Packet is part of an existing connection
           RELATED     = Packet is related to an existing connection (e.g. ICMP error messages)
           INVALID     = Packet doesn't belong to any other connection

     3. Tracking FTP Connections:

        Because of the nature of the FTP protocol, tracking ftp connections requires a special kernel module: ip_conntrack_ftp. If you wish to use NAT with ftp connection tracking, you must also load the ip_nat_ftp kernel module.

3. Examples

      # Set the default Policies to DROP (iptables has no DENY target; DROP is its equivalent)
      iptables -P INPUT DROP
      iptables -P OUTPUT DROP
      iptables -P FORWARD DROP

      # Allow all incoming tcp connections on interface eth0 to port 80 (www)
      iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024: --dport 80 -j ACCEPT

      # We must also allow packets back out in order for the connection to work since we aren't
      # using connection tracking
      iptables -A OUTPUT -o eth0 -p tcp --sport 80 -d 0.0.0.0/0 --dport 1024: -j ACCEPT

      # Allow outgoing connections to all ports, and use connection tracking so
      # we don't have to create rules to allow us to receive the packets coming back.
      iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED \
          -o eth0 -p tcp --sport 1024: -j ACCEPT
      iptables -A INPUT -m state --state ESTABLISHED,RELATED \
          -i eth0 -p tcp --dport 1024: -j ACCEPT

      # Allow external access to our DNS services, and keep state on the connection.
      iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED \
          -i eth0 -p udp --dport 53 -j ACCEPT
      iptables -A OUTPUT -m state --state ESTABLISHED,RELATED \
          -o eth0 -p udp --sport 53 -j ACCEPT

      # Redirect all incoming traffic that hits port 8080 to port 80 on a web server
      # in our internal LAN
      iptables -t nat -A PREROUTING \
          -p tcp -i eth0 --dport 8080 \
          -j DNAT --to 192.168.1.10:80

      # Source NAT
      iptables -t nat -A POSTROUTING \
          -o eth0 -s 192.168.1.0/24 \
          -j SNAT --to-source $EXTERNAL_IP_ADDRESS

      # Allow ICMP echo requests, but limit them to 1 per second. A burst of 3 will allow
      # a burst of up to 3 ICMP packets before the rate limiting kicks in.
      iptables -A INPUT -i eth0 -p icmp --icmp-type 8 \
          -m state --state NEW,ESTABLISHED \
          -m limit --limit 1/s --limit-burst 3 \
          -j ACCEPT

      iptables -A OUTPUT -o eth0 -p icmp -m state --state ESTABLISHED -j ACCEPT


34. Process Accounting

34.1 Overview


1. Keeps track of user processes.

2. Originally intended as a way to keep track of resources in order to bill departments/users for their usage.

3. Packages

psacct

34.2 Turning On/Off

1. Enabling - Use accton command and specify the file for storing the accounting information.

      /sbin/accton /var/log/pacct

2. Disabling - Use accton command without specifying a file.

      /sbin/accton

34.3 Viewing Information

1. ac - The 'ac' command is used to print out a report of connection times.

   Examples:

      ac              # Print total connection time.
      ac -dp          # Give daily (-d) connection totals by person (-p)
      ac --complain   # Print out any problems in wtmp file (time-warps, missing records, etc.)

2. sa - The 'sa' command is used to summarize accounting information.

   Examples:

      sa      # Print information about all commands in the process accounting file
      sa -u   # Print command information by user

3. lastcomm - Displays which commands have been executed.

   Examples:

      lastcomm      # Display all commands executed on system
      lastcomm rm   # Display information about all invocations of the 'rm' command


35. Kickstart

35.1 Overview

1. Kickstart provides a way to do automated installations.

2. The Kickstart configuration file (ks.cfg) answers all the questions that are asked during an interactive install.

3. Allows you to automate most of the installation, including the following:

o Language Selection

o Mouse Configuration

o Keyboard Selection/Configuration

o Boot Loader Installation

o Disk Partitioning

o Network Configuration

o Authentication (NIS, LDAP, Kerberos, Samba, and Hesiod)

o Firewall Configuration

o X Window System Configuration

o Package Selection

4. Packages

o mkkickstart - This package provides utilities that will create a kickstart file based on the current machine's configuration.

o ksconfig - Provides a graphical interface for creating kickstart files.

35.2 Creating a Kickstart File

1. Manual

   Copy the sample.ks kickstart file from the RH-DOCS directory on the documentation CD and modify it to meet your requirements.

   Be careful when editing it because the sections must remain in order. The order is:

o Command Section

o %package Section

o %pre & %post Sections

2. mkkickstart

Use the mkkickstart utility to create a kickstart configuration file based on the current system's configuration.

3. ksconfig

Use the GUI tool ksconfig to create a kickstart file.

35.3 Kickstart Installation Types

1. Network

o Requires a DHCP/BOOTP server.

o ks.cfg file must be accessible from NFS, FTP, HTTP, or Samba (although I've only been able to get it to work when the ks.cfg file is on NFS).

o Can install from NFS, FTP, HTTP, & Samba.

2. Local

o ks.cfg file must be put on a floppy boot disk.

o Can install from a local CD-ROM or a local hard drive.

35.4 Kickstart Installation

1. Boot with a boot floppy. For a local kickstart installation, the ks.cfg must be located in the root of the boot disk.

2. When the SYSLINUX installation screen comes up, specify one of the following options:

   o ks=floppy - If ks.cfg is located on the floppy.

   o ks=hd:fd0/ks.cfg - Same as ks=floppy above.

   o ks=floppy dd - When ks.cfg is located on the floppy and you need a driver disk.

   o ks=nfs:<server>:/path - ks.cfg file is on an NFS server.

   o ks=http:<server>:/path - ks.cfg file is on an HTTP server.

   o ks=ftp:<server>:/path - ks.cfg file is on an FTP server.

35.5 Additional Network Installation Info

1. When specifying "linux ks" at the installation prompt:

   o The ks.cfg file must be available via NFS.

   o By default, it is assumed that the ks.cfg file will be on the same server as the DHCP/BOOTP server. To specify a different server for the ks.cfg file, specify the following in the /etc/dhcpd.conf file (dhcpd statements end with a semicolon):

        filename "/path/to/ks.cfg";
        next-server <hostname or IP>;

If the path specified in the "filename" clause ends with a "/", then the file that is looked for is: "/specified/path/<IP>-kickstart" where <IP> is the IP address of the machine making the request.

Note that the path specified in the "filename" clause must be the full path to the file and not the relative path from the NFS export. Kickstart will automatically try to mount the NFS export based on the path's name. In the above example, it would first try to mount "/path", then if that failed, "/path/to".

2. If you don't wish to use DHCP to specify the location of the kickstart file, you can specify one of the options listed above to point to the location of the ks.cfg file.

3. To install from NFS, the following directive must be used in the ks.cfg file right after the "install" directive:

      nfs --server <server> --dir <dir>

4. To install from HTTP or FTP, the following directive must be used in the ks.cfg file right after the "install" directive:

      url --url http://<server>/path
      url --url ftp://<server>/path

36. Procmail

36.1 Overview

1. Mail processor.

2. Can be invoked via the .forward file, or directly by sendmail.

3. User configuration file is $HOME/.procmailrc.

4. Package: procmail

36.2 Configuration File Syntax

1. Format:

      :0 [flags] [ : [locallockfile] ]
      <zero or more conditions (one per line)>
      <exactly one action line>

2. Flags

   See procmailrc(5) man page for a description of the flags.

3. Special characters

o :

Indicates the start of a recipe. Commonly used with a zero following it. In the old days, the zero was replaced with the number of conditions that follow.

o *

Indicates the start of a condition.

o !

When used in a condition, it means to invert the condition. When used in an action line, it means to forward the mail to the addresses that follow.


o Pipe (|)

Starts the program specified after it when used in the action line.

o { }

When followed by at least one space, tab, or newline, it marks the beginning of a nesting block for the action line.

36.3 Example .procmailrc

      # Conditions (comments are not allowed on condition lines themselves,
      # so they are kept on separate lines here)
      :0
      * ^From.*bob
      * ^Subject:.*Computers
      {
        # "c" flag means create a carbon copy
        # Action - Forward to steve and keep a local copy
        :0 c
        ! steve@<domain>

        :0
        COMPUTERS
      }

This will forward mail from bob about computers to steve and also keep a local copy in the COMPUTERS folder.

37. IMAP & POP

37.1 Overview

1. Package

o imap

1. The imap package includes the POP daemon also.

2. Provides POP2, POP3, and POP3s (POP3 over SSL) service.

3. Provides IMAP and IMAPs (IMAP over SSL) service.

2. Ports

o POP2 - TCP 109


o POP3 - TCP 110

o POP3S (over SSL) - TCP 995

o IMAP - TCP 143

o IMAPS (over SSL) - TCP 993

37.2 Setup

1. Executed by xinetd.

2. Simply install the imap package and enable service(s) in xinetd.

38. Encryption (GPG & OpenSSL)

38.1 Overview

1. Why use it?

o Prevent password and data sniffing.

o Maintain integrity of data.

o Prevents authentication manipulation.

2. Packages

o OpenSSL - Provides cryptographic libraries used by other programs which communicate via the network.

o gnupg - Used to insure integrity and encrypt files (e.g. data, e-mail, etc.)

o OpenSSH - A secure replacement for ftp, telnet, rsh, rlogin, etc. Covered elsewhere.

o stunnel - Provides network encryption services for those applications which don't already have it. Covered elsewhere.

38.2 Encryption Types and Requirements


1. Random Numbers

o In order for encryption to be effective, it needs a good source of entropy to create random numbers.

o Entropy is usually created based on several things. For example: keyboard events, mouse events, and block device interrupts.

o The Linux Kernel provides 2 sources of entropy:

1. /dev/random - Best source of entropy. If the entropy pool runs out, it blocks until more entropy is gathered.

2. /dev/urandom - Uses entropy pool until it's exhausted, and then falls back to pseudorandom generation.

2. One-Way Hashes

o One-way hashes take input of any length and create a fixed length output string known as a fingerprint.

o If any part of the input data changes, it will create a different fingerprint.

o "One-way" means you can't recreate the original data from the fingerprint.

o Examples include: md5, rmd160, sha, sha1, haval, and crc-32.

3. Symmetric Encryption

o The same key is used to both encrypt and decrypt the data.

o Examples of symmetric algorithms: DES, 3DES, Blowfish, RC2, RC4, RC5, and AES.

o Utilities that use symmetric encryption: passwd (traditional unix), gpg, and openssl.

o Minimum recommended key size: 128 bits.

4. Asymmetric Encryption

o a.k.a. Public Key Encryption

o One key is used to encrypt and another key is used to decrypt.

o Standard Operation

1. Recipient generates a private/public key pair: S & P.


2. The Recipient then publishes public key P and keeps private key S a secret.

3. Sender uses Recipient's public key P to encrypt a message for the Recipient.

4. Recipient uses private key S to decrypt the message from the sender.

o Digital Signatures

1. Provide a way to verify authenticity.

2. Sender encrypts message with private key S.

3. Recipient then decrypts message with Sender's public key P. As long as the sender's private key S hasn't been compromised, this guarantees that it's from the Sender.

4. Detached Signatures

Similar to above operation, only Sender creates a one-way hash of the message and encrypts the one-way hash instead. The encrypted one-way hash is known as the "detached signature".

The Recipient then uses the Sender's public key P to decrypt the detached signature.

The Recipient then performs their own one-way hash on the message and compares it to the one-way hash sent by the Sender. If the two match, it guarantees the document hasn't been tampered with.

o Combining Standard Operation with Digital Signatures

1. This can be used so that only the Recipient can decrypt a message, while at the same time verifying that it was sent by the Sender.

2. Process:

Sender encrypts the message with the Sender's private key S.

Sender then encrypts the message with the Recipients public key P.


The Recipient will then decrypt the message with the Recipient's private key S.

The Recipient then decrypts the message with the Sender's public key P.

5. Digital Certificates

o Commonly used by on-line merchants (as well as others) to verify their identity to someone else, typically a customer.

o Issued by a certificate authority (CA).

o Standard Certificate Format is X.509, and consists of the following information:

1. Country

2. Province or State

3. Organization Name

4. Common Name

5. E-mail

o Certificate Creation Process

1. The merchant generates a private/public key pair.

2. The merchant must then prove their identity to a CA and provide their public key to the CA.

3. The CA then creates a one-way hash of the following information:

The CA's identity.

The merchant's identity.

The merchant's public key.

Period of validity.

4. The one-way hash is then encrypted with the CA's private key creating a detached digital signature.

5. The digital certificate is made up of the combined information above and the detached digital signature.


6. The CA then issues this to the merchant.
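To make the detached-signature steps (item 4 above) and the certificate creation process (item 5) concrete, here is an added Python example that is not part of the guide or of any CA software: textbook RSA carries a SHA-256 fingerprint as the detached signature, and a CA signs the hash of issuer, subject, subject key and validity period to form the certificate. The keys built from publicly known Mersenne primes, the CA and merchant names and the canonical JSON encoding are assumptions; the scheme has no padding and is for illustration only.

```python
"""Toy RSA detached signatures and certificate issuance.

Added example, not from the study guide. Textbook RSA without padding, with
keys built from publicly known Mersenne primes (constructed, never for real
use): enough to show the data flow of a detached signature and of a
CA-issued certificate exactly as the guide describes them.
"""
import hashlib
import json

E = 65537


def make_keypair(p, q):
    """Return (public, private) as (n, e) and (n, d) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


# Constructed keys: 2^k - 1 is a Mersenne prime for k = 127, 521, 607, 1279.
CA_PUB, CA_PRIV = make_keypair((1 << 521) - 1, (1 << 127) - 1)
MERCHANT_PUB, MERCHANT_PRIV = make_keypair((1 << 607) - 1, (1 << 1279) - 1)


def fingerprint(data: bytes) -> int:
    """One-way hash of the message as an integer (256 bits, smaller than every n above)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_detached(private, data: bytes) -> int:
    """Sender: encrypt the fingerprint with private key S; the result is the detached signature."""
    n, d = private
    return pow(fingerprint(data), d, n)


def verify_detached(public, data: bytes, signature: int) -> bool:
    """Recipient: decrypt with public key P and compare with a freshly computed fingerprint."""
    n, e = public
    return pow(signature, e, n) == fingerprint(data)


def _encode(body: dict) -> bytes:
    # Canonical encoding so issuer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private, ca_name, subject, subject_public, not_before, not_after):
    """CA: hash its identity, the merchant's identity and key, and the validity period,
    sign that hash, and bundle the information with the detached signature."""
    body = {
        "issuer": ca_name,
        "subject": subject,
        "subject_key": list(subject_public),
        "not_before": not_before,
        "not_after": not_after,
    }
    return {"body": body, "signature": sign_detached(ca_private, _encode(body))}


def verify_certificate(ca_public, cert) -> bool:
    """Anyone holding the CA's public key can check the certificate was not altered."""
    return verify_detached(ca_public, _encode(cert["body"]), cert["signature"])


def verify_with_certificate(ca_public, cert, data: bytes, signature: int) -> bool:
    """Customer: trust the CA, validate the certificate, then take the merchant's
    public key from it and check the merchant's detached signature on the data."""
    if not verify_certificate(ca_public, cert):
        return False
    n, e = cert["body"]["subject_key"]
    return verify_detached((n, e), data, signature)


if __name__ == "__main__":
    cert = issue_certificate(CA_PRIV, "Example Root CA", "shop.example",
                             MERCHANT_PUB, "2002-04-19", "2003-04-19")
    order = b"constructed purchase order"          # constructed sample message
    sig = sign_detached(MERCHANT_PRIV, order)
    print("certificate valid:", verify_certificate(CA_PUB, cert))
    print("order signed by certified merchant:", verify_with_certificate(CA_PUB, cert, order, sig))
    print("tampered order:", verify_with_certificate(CA_PUB, cert, order + b"!", sig))
```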

38.3 Using GPG

1. Key Generation

      gpg             # Initialize GPG for this user (e.g. create ~/.gnupg). Only have to run once.
      gpg --gen-key   # Start key generation process. Follow prompts.

2. Viewing Keys

      gpg --list-keys          # View public keys
      gpg --list-secret-keys   # View private keys

3. Exporting Public Keys

      gpg --export <name of key owner>           # Exports key in binary format
      gpg --export --armor <name of key owner>   # Export in a usable, ASCII format

4. Importing Public Keys

      gpg --import /path/to/public/key/file

5. Encrypting a Message

      gpg --encrypt --armor --recipient <recipient> message_file   # Creates encrypted message in
                                                                   # an ASCII format

6. Decrypting a Message

      gpg encrypted_message_file

   You will be prompted for the filename to use for the output of the decryption process.

7. Encrypting with a Symmetric Key

      gpg --symmetric --armor message_file

8. Signing and Encrypting a Message

      gpg --sign --encrypt --armor --recipient <recipient> message_file

9. Creating a Detached Signature

      gpg --detach-sign --armor message_file       # Sender
      gpg --verify message_file.asc message_file   # Recipient

10. Signing Another's Public Key

   Alice is going to sign Bob's key.

      # First, Alice must do:
      gpg --sign-key bob
      gpg --export --armor bob > bob.key

      # Then, Bob must do:
      gpg --import bob.key

38.4 Using OpenSSL

1. Generating a Certificate & Key in the PEM Format

   o Long Way

        openssl req -new -newkey rsa:1024 -nodes -x509 -keyout ~/key -out ~/cert
        echo >> ~/key
        cat ~/cert >> ~/key
        echo >> ~/key
        mv ~/key /usr/share/ssl/certs/give_me_a_name.pem
        rm ~/cert

   o Short Way

        cd /usr/share/ssl/certs
        make give_me_a_name.pem

39. stunnel

39.1 Overview

1. Provides encryption services for applications without modifying the application.

2. Uses public key encryption.

3. Packages

stunnel

39.2 Configuration

1. Create stunnel.pem

      # Generate private key and certificate
      openssl req -new -newkey rsa:1024 -nodes -x509 -keyout /tmp/key -out /tmp/cert

      # Create stunnel.pem
      echo >> /tmp/key
      cat /tmp/cert >> /tmp/key
      echo >> /tmp/key
      rm /tmp/cert
      mv /tmp/key /usr/share/ssl/certs/stunnel.pem
      chmod 600 /usr/share/ssl/certs/stunnel.pem

   -OR-

      cd /usr/share/ssl/certs
      make stunnel.pem

2. Sample IMAPS Configuration

      stunnel -d 192.168.1.20:993 -r localhost:143

This starts stunnel in daemon mode (-d) and causes it to listen on port 993 of interface 192.168.1.20. Incoming connections received on port 993 are then redirected to port 143.

libwrap NOTE: Because stunnel uses libwrap, you need to configure access via /etc/hosts.allow and /etc/hosts.deny. When stunnel starts, it will write the name of the service to /var/log/messages that it will be checking for via tcp wrappers. For example, the above stunnel configuration created the following log entry:

      stunnel[1128]: Using 'localhost.143' as tcpwrapper service name

You will need to use "localhost.143" as the service name in /etc/hosts.allow and /etc/hosts.deny.


40. Fetchmail Made Simple (really simple)

40.1 ~/.fetchmailrc

1. Create a .fetchmailrc file in your home directory similar to the following:

      poll pop3.somedomain.com with protocol pop3:
          user steve there is user gandalf here
          password "super_secret"

The first line says that pop3.somedomain.com hosts our pop3 account and that we will contact it using the pop3 protocol. The second line states that the user account on the pop3 server is steve and our local account is gandalf. The last line contains our password for the pop3 account.

5. Secure the .fetchmailrc file:

6. chmod 0600 ~/.fetchmailrc

7. Then retrieve your mail by typing:

8. fetchmail

Use the "-v" option to cause fetchmail to be more verbose during mail retrieval.

See "CONFIGURATION EXAMPLES" in the fetchmail man page.


41. Copyright & Disclaimer

41.1 General Disclaimer

First off, I was not an RHCE when I originally created this document. I did pass the RHCE exam on April 19th of 2002. I created this guide to help myself study for the exam. While the information in this document is correct to the best of my knowledge, I DO NOT guarantee the accuracy of ANY of the information contained in this document. This information comes without any warranty of any kind, implied or otherwise. I am not responsible for any damage that may be caused by using the information in this document whether the damage is to your computer, your brain, or anything else. In short, USE AT YOUR OWN RISK. You have been warned.

The amount of detail per topic varies greatly for many reasons, some of which include:

My personal familiarity and comfort level with the topic.

How relevant I personally feel it will be on the exam.

In other words, just because I cover something in great detail doesn't mean it will be on the test. Likewise, if I cover a topic briefly, it doesn't mean that it won't be covered in detail on the exam. In short, only you know what areas you need to improve in, and there is no way to be certain what will be asked on the exam.

This document will in no way prepare you for the RHCE exam by itself. You need a lot of hands on experience. I recommend taking some of Red Hat's excellent training courses. If you live in or near Denver, consider yourself lucky. The instructor there is excellent in my opinion.

All network addresses, hostnames, and domain names used in this document were made up. I attempted to pick names that no one would actually use. Where possible, I stayed within those IP addresses reserved for internal use.

Since I have now taken the exam, I will not be making any updates to this study guide except to correct errors. If you find an error in any of the information provided in this study guide, please report it to me per the instructions at the top of this document.

41.2 Why am I sharing this document?

I think it will help the Linux movement by having more certified technical people in the job market that can support Linux. While it is true that a certification is not the only measure of technical expertise, I believe it is important that there be a large group of certified individuals available to help push Linux into areas where it isn't currently a major player (e.g. the desktop). So, if this document helps even one other person attain their RHCE, then I think it was worth sharing it.


41.3 Copyright

This document is copyright (c) 2002 Steve Bremer. I've gathered this information from various sources including but not limited to:

1. The Manuals that come with Red Hat Linux.

2. Red Hat Certified Engineer Linux Study Guide 2nd Edition from Global Knowledge (with the aid of Syngress Media, Inc. and Osborne McGraw-Hill)

3. Materials provided by Red Hat in their excellent training courses that I've taken.

4. Documentation provided within Red Hat's packages.

5. Man pages.

6. Various web sites.

I've always tried to give credit where credit is due if I've copied anything directly out of one of the above mentioned documents. If you noticed any place where I've failed to do so, please contact me via e-mail.
