SUSE Linux Enterprise Desktop Administration Chapter 5 Manage the Network Configuration

Objectives

• Objective 1—Manage the Network Configuration Information from YaST

• Objective 2—Test the Network Connection with Command-Line Tools

• Objective 3—Use SuSEfirewall2

• Objective 4—Use Network Manager to Configure the Network

• Objective 5—Provide Remote Access

Objective 1—Manage the Network Configuration Information from YaST

• The YaST module for configuring network cards and the network connection
  – Can be accessed from the YaST Control Center
  – See Figure 5-1

• To activate the network configuration module, select Network Devices > Network Card

• Network setup methods:
  – User Controlled with Network Manager
  – Traditional Method with ifup

Figure 5-1 The YaST module for configuring network cards and the network connection

Figure 5-2 List of the detected network cards

Objective 1—Manage the Network Configuration Information from YaST (continued)

• Cards are usually autodetected by YaST
  – And the correct kernel module is used

• Select the card you want to configure
  – Then select Edit (see Figure 5-4)

• If the card is not recognized by YaST, the required module must be entered manually

• Use the Manual Network Card Configuration dialog (see Figure 5-3) to configure:
  – Network Configuration
  – Kernel Module

Figure 5-3 Manual Network Card Configuration dialog

Figure 5-4 Network Address Setup dialog

Objective 1—Manage the Network Configuration Information from YaST (continued)

• Network address options
  – None Address Setup
  – Automatic Address Setup (via DHCP)
  – Static Address Setup
  – Hostname and Name Server
  – Routing
  – Advanced

• Hostname and Name Server configuration
  – See Figure 5-6

Figure 5-6 Hostname and Name Server Configuration dialog

Objective 1—Manage the Network Configuration Information from YaST (continued)

• Routing configuration
  – See Figure 5-7

• General configuration options (see Figure 5-8)
  – Firewall Zone
    • No Zone, All Traffic Blocked
    • Internal Zone (Unprotected)
    • Demilitarized Zone
    • External Zone
  – Device Activation
  – MTU (Maximum Transfer Unit)

Figure 5-7 Routing Configuration dialog

Figure 5-8 General tab of the Network Address Setup dialog

Objective 1—Manage the Network Configuration Information from YaST (continued)

• If you selected Wireless as a Device Type for a WLAN card
  – A dialog appears where you can enter WLAN-specific configuration parameters
  – WEP keys are entered in a separate dialog after selecting WEP Keys

• Verify that the Ethernet card is available in the computer using the ip command

Exercise 5-1: Manage the Network Configuration Information from YaST

• In this exercise, change all important configuration information into static values

• Use the ip command to find out which IP address you are currently using
  – Note your current hostname
  – Then change the network configuration to a static IP address, using the values you found
  – Use 10.0.0.254 as the default gateway and also as the address of the name server

Objective 2—Test the Network Connection with Command-Line Tools

• This objective will cover the following:
  – View and Change the Network Configuration with ip
  – Test Network Connections
  – Trace Network Packets

View and Change the Network Configuration with ip

• IP address setup
  – To display the IP address setup of all interfaces, enter ip address show

View and Change the Network Configuration with ip (continued)

• Device attributes
  – If you are only interested in the device attributes and not in the IP address setup, you can enter ip link show

View and Change the Network Configuration with ip (continued)

• Device statistics
  – You can use the option -s with the ip command to display additional statistics information about the devices

View and Change the Network Configuration with ip (continued)

• Routing table
  – To view the current routing table, enter ip route show

• Assign an IP address to a device

• Delete the IP address from a device

View and Change the Network Configuration with ip (continued)

• Change device attributes
  – You can also change device attributes with the ip tool
  – Basic command: ip link set device attribute

• Set and delete routes
  – Set a route to a different network
  – Delete an entry from the routing table

Test Network Connections with ping

• Tool ping
  – Lets you check network connections between two hosts in a simple way
  – Sends special network packets to the target system and waits for a reply
  – Basic syntax: ping 10.0.0.10

Table 5-1 Options for ping

Trace Network Packets with traceroute

• traceroute
  – Diagnosis tool primarily used to check the routing between different networks
  – Sends packets with an increasing TTL value to the destination host
  – Uses UDP packets, which are called datagrams

• Syntax: traceroute hostname

Exercise 5-2: Test the Network Configuration

• In this exercise, you view the current network configuration with the ip command and test it using ping and traceroute

• Use ip to view the current IP address and current route
  – Use ping to access your own IP address, that of the gateway, and that of www.novell.com

• Use traceroute to view the hops an IP packet takes to access www.novell.com

Objective 3—Use SuSEfirewall2

• Packet filtering in Linux is done by the kernel and its netfilter framework

• SuSEfirewall2
  – Consists of a number of scripts that set rules to filter IP packets using the program iptables
  – Can be configured using the YaST Firewall module
    • An alternative would be to edit the file /etc/sysconfig/SuSEfirewall2 with a text editor
  – See Figure 5-9

Figure 5-9 YaST Firewall module

Figure 5-10 Assign desktop system interfaces to the External Zone

Objective 3—Use SuSEfirewall2 (continued)

• Allowing SSH services
  – See Figure 5-11

• Changes are stored in the file /etc/sysconfig/SuSEfirewall2

Figure 5-11 Allowing SSH service

Figure 5-12 Firewall configuration summary

Objective 4—Use NetworkManager to Configure the Network

• NetworkManager
  – Allows you to change the network configuration according to your needs
    • Without switching to the root account
  – Runs as a root-user system level daemon

• Programs used
  – /usr/sbin/NetworkManager
  – /usr/sbin/NetworkManagerDispatcher

• NetworkManager will first try a wired and then a wireless adapter

Objective 4—Use NetworkManager to Configure the Network (continued)

• NetworkManager keeps two lists of wireless networks:
  – A trusted list and a preferred list

• NetworkManager applet
  – Shows the current network configuration
  – Also allows you to change the configuration

• To connect to a wireless network, select a wireless network entry
  – Your computer will be disconnected from the wired network and connected to the wireless network

Figure 5-13 Switching to NetworkManager

Figure 5-14 NetworkManager applet

Objective 5—Provide Remote Access

• This objective explains how to:
  – Use OpenSSH
  – Configure VPN Connections
  – Use VNC

Use OpenSSH

• SSH suite
  – Developed to provide secure transmission by encrypting the authentication strings
    • And all the other data exchanged between the hosts

• SUSE Linux Enterprise Desktop 10 installs the package OpenSSH by default
  – Includes programs such as ssh, scp, and sftp as alternatives to Telnet, rlogin, rsh, rcp, and FTP

Use OpenSSH (continued)

• Cryptography basics
  – Cryptography deals with procedures and techniques used to encrypt data
    • And prove the authenticity of data
  – Symmetric encryption
    • DES (Data Encryption Standard)
    • Triple DES
    • IDEA
    • Blowfish
    • AES (Advanced Encryption Standard)

Use OpenSSH (continued)

• Cryptography basics (continued)
  – Asymmetric encryption
    • RSA
    • DSA
    • Diffie Hellman

• SSH features and architecture
  – SSH features
    • Login from a remote host
    • Interactive or noninteractive command execution on remote hosts

Use OpenSSH (continued)

• SSH features and architecture (continued)
  – SSH features (continued)
    • File copying between different network hosts; optional support for compressing data
    • Cryptographically secured authentication and communication across insecure networks
    • Automatic and transparent encryption of all communication
    • Complete substitution of the "r" utilities: rlogin, rsh, and rcp
    • Port forwarding
    • Tunneling

Use OpenSSH (continued)

• SSH features and architecture (continued)
  – SSH protocol versions
    • Protocol Version 1 (SSH1) (see Figure 5-16)
    • Protocol Version 2 (SSH2) (see Figure 5-17)
  – SSH authentication mechanism configuration
    • SSH server can decrypt the session key generated and encrypted by the client only if it also has the private key
    • Client can check if the public host key of the server really belongs to the server
    • SSH currently does not use any directory services or any certificates for public key management

Figure 5-16 SSH Protocol Version 1 (SSH1)

Figure 5-17 SSH Protocol Version 2 (SSH2)

Use OpenSSH (continued)

• SSH features and architecture (continued)
  – SSH authentication mechanism configuration (continued)
    • The two most important mechanisms
      – Public key (RSA/DSA) authentication
      – Password authentication

• Configure the SSH server
  – See Table 5-3
  – Configuration file for the server is /etc/ssh/sshd_config

Table 5-3 SSH Server configuration options

Use OpenSSH (continued)

• Configure the SSH client
  – Edit the file /etc/ssh/ssh_config
  – Users can edit their individual settings in the file ~/.ssh/config
  – Ensure that only servers are accepted whose keys have been previously added to ~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts
    • Set the option StrictHostKeyChecking in the client configuration file (~/.ssh/config) to yes

Use OpenSSH (continued)

• SSH-related commands
  – See Table 5-4
  – Basic syntax for ssh:
    • ssh options host command
  – Basic syntax for scp is:
    • scp options sourcefile destinationfile
  – SSH can also be used to protect unencrypted traffic, like POP3, by tunneling it through an SSH connection

Table 5-4 SSH-related commands

Exercise 5-3: Practice Using OpenSSH

• Perform the following tasks:
  – Log in to your partner’s computer as root
  – Execute the ps aux command on your partner’s computer without logging in to his or her computer
  – Copy the /etc/hosts file from your partner’s computer to your /tmp directory
  – Copy the /etc/hosts file from your computer to the home directory of geeko on your partner’s computer
  – Using sftp, copy the /bin/date file from your partner’s computer to /home/geeko/ on your computer

Use OpenSSH (continued)

• Public key authentication management
  – Public key authentication process
    • Public key of the user has to be stored on the server in the home directory of the user account being accessed
    • Public keys are stored on the server in the file ~/.ssh/authorized_keys
    • The corresponding private key must be stored on the client computer
    • The secret key should be protected by a passphrase

Use OpenSSH (continued)

• Public key authentication management (continued)
  – Create a key pair
    • Create a key pair with the ssh-keygen command
    • A different key is required for SSH1 than for SSH2
    • The keys are stored in the directory ~/.ssh
  – Configure and use public key authentication
    • For authentication using RSA or DSA keys, you need to copy the public key to the server
      – And then append the public key to the file ~/.ssh/authorized_keys
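
The append step above, as an added shell example that is not part of the original slides: it installs one public key line into a user's ~/.ssh/authorized_keys without duplicating it and sets the directory and file modes that sshd's StrictModes check accepts. The function names install_pubkey and demo_install and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example. install_pubkey HOME_DIR KEY_LINE
# Appends KEY_LINE ("type base64 [comment]") to HOME_DIR/.ssh/authorized_keys
# once, with modes that pass sshd's StrictModes check (no group/other access).
# Assumption: plain key lines only; lines with leading options are rejected.
# The body runs in a subshell "( )" so umask and exit stay local to the call.
install_pubkey() (
    home_dir=$1
    key_line=$2
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys
    nl='
'
    # One key per call: an embedded newline could smuggle in a second key.
    case $key_line in
        *"$nl"*) echo "not a public key line: contains a newline" >&2; exit 2 ;;
    esac

    # Split off the key type and the base64 blob.
    ktype=${key_line%% *}
    rest=${key_line#* }
    kblob=${rest%% *}

    # Refuse anything that is not a public key line, for example a private
    # key block pasted by mistake.
    case $ktype in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "not a public key line: unknown type" >&2; exit 2 ;;
    esac
    case $kblob in
        ''|*[!A-Za-z0-9+/=]*) echo "not a public key line: bad key data" >&2; exit 2 ;;
    esac

    umask 077
    mkdir -p "$ssh_dir" || exit 1
    chmod 700 "$ssh_dir" || exit 1
    touch "$auth_file" && chmod 600 "$auth_file" || exit 1

    # Idempotent: match on type and blob so a changed comment adds nothing.
    if grep -qF -- "$ktype $kblob" "$auth_file"; then
        exit 0
    fi
    # If the last existing line lacks a newline, add one so keys do not merge.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
)

# Constructed demonstration in a scratch directory (not a real home directory).
demo_install() {
    scratch=$(mktemp -d) || return 1
    # Constructed value, not a real key.
    key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCONSTRUCTED geeko@client'
    install_pubkey "$scratch" "$key"
    install_pubkey "$scratch" "$key"      # second call changes nothing
    ls -ld "$scratch/.ssh" "$scratch/.ssh/authorized_keys"
    count=$(grep -c . "$scratch/.ssh/authorized_keys")
    rm -rf "$scratch"
    echo "$count"
}
demo_install
```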

Use OpenSSH (continued)

• Public key authentication management (continued)
  – Configure and use public key authentication (continued)
    • When authentication is done with keys, the passphrase is required when logging in to the server
      – Or when copying with scp
    • The ssh-agent can be used to avoid typing this passphrase upon each connection
    • The ssh-agent serves as a wrapper for any other process
    • You can also use the ssh-agent with a graphical login

Exercise 5-4: Perform Public Key Authentication

• Create an ssh-key pair, add the public key to the file ~geeko/.ssh/authorized_keys on your partner’s computer, and note the difference between logging in with and without a public key

• Then, use the ssh-agent to cache the private key and log in again to your partner’s machine as geeko

• As root, change the SSH server configuration to allow only public key authentication

• Restart sshd and, as root, try ssh geeko@localhost
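
One way to check the result of the server-side step in this exercise (added example, not from the original slides): the script reads an sshd_config-style file, applies sshd's first-value-wins rule, and reports anything that still permits password logins. The function names and the sample file are constructed; the defaults passed in are upstream OpenSSH's and a distribution may ship different ones; Include files are not followed.

```shell
#!/bin/sh
# Added example: does an sshd_config-style file permit only public key logins?

# sshd_effective FILE KEYWORDS DEFAULT
# Prints the value sshd takes from the global section of FILE (the part before
# any Match line). sshd keeps the first value it reads for a keyword, and
# keywords are case-insensitive. KEYWORDS is a comma-separated list of aliases.
sshd_effective() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN {
            cnt = split(tolower(want), names, ",")
            for (i = 1; i <= cnt; i++) wanted[names[i]] = 1
        }
        /^[ \t]*#/ { next }               # comment line
        /^[ \t]*$/ { next }               # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            pos = match(line, /[ \t=]/)   # keyword ends at whitespace or "="
            if (pos == 0) next
            key = tolower(substr(line, 1, pos - 1))
            val = substr(line, pos)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit      # conditional sections start here
            if (key in wanted) { print tolower(val); found = 1; exit }
        }
        END { if (!found) print dflt }
    ' "$1"
}

# match_reenables_passwords FILE
# Succeeds when a Match block sets PasswordAuthentication yes.
match_reenables_passwords() {
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^match[ \t]/ { in_match = 1; next }
        in_match && line ~ /^passwordauthentication[ \t=]+yes[ \t]*$/ { hit = 1 }
        END { exit(hit ? 0 : 1) }
    ' "$1"
}

# pubkey_only FILE
# Prints one finding per problem and returns 0 only if none was found.
# The defaults passed below are upstream OpenSSH's (an assumption for any
# given distribution). Newer OpenSSH names the challenge-response keyword
# KbdInteractiveAuthentication, so both spellings are checked.
pubkey_only() {
    findings=0
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = yes ] ||
        { echo "PubkeyAuthentication is off"; findings=1; }
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ] ||
        { echo "PasswordAuthentication is on (set or by default)"; findings=1; }
    [ "$(sshd_effective "$1" \
        ChallengeResponseAuthentication,KbdInteractiveAuthentication yes)" = no ] ||
        { echo "challenge-response is on; with PAM it can still take passwords"; findings=1; }
    if match_reenables_passwords "$1"; then
        echo "a Match block sets PasswordAuthentication yes"; findings=1
    fi
    return "$findings"
}

# Constructed sample: the first PasswordAuthentication line wins, and
# challenge-response is left at its default.
demo_audit() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# constructed sshd_config fragment
passwordauthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
    pubkey_only "$sample"; result=$?
    rm -f "$sample"
    return "$result"
}
demo_audit || echo "=> not restricted to public keys"
```

Run pubkey_only against a copy of /etc/ssh/sshd_config before restarting sshd; a non-zero return means a password-based method is still reachable.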

Configure VPN Connections

• VPN and IPSec basics
  – VPN (Virtual Private Network)
    • Technology that uses one network infrastructure to carry the packets of another network
  – A VPN does not necessarily have to encrypt the traffic, but encryption is used on most VPNs
  – Technologies used to implement VPNs
    • IPSec, OpenVPN, L2TP, HTTPS, and SSH

Figure 5-18 Virtual private network (VPN)

Configure VPN Connections (continued)

• Configure VPN connections with NetworkManager
  – The NetworkManager applet makes it easy to connect to a VPN gateway
    • See Figure 5-19
  – An assistant guides you through the VPN configuration
    • See Figure 5-20
  – Types of VPN clients
    • Novell VPN client, OpenVPN client, and Compatible Cisco VPN client (vpnc)
    • See Figure 5-21

Figure 5-19 NetworkManager applet

Figure 5-20 Create VPN Connection wizard

Figure 5-21 Novell VPN client

Configure VPN Connections (continued)

• Configure VPN connections with NetworkManager (continued)
  – GNOME keyring
    • Application that allows you to store various credentials and protect them with a password
  – Advantage of using the GNOME keyring
    • You only have to remember one password to unlock the encrypted keyring
  – Contains various usernames and corresponding passwords for different applications

Use VNC

• VNC (Virtual Network Computing)
  – VNC server software component transmits the content of the screen to a remote computer
    • Running the VNC viewer software
  – Allows someone else to view your desktop
  – Allows another user to interact with the mouse and keyboard
  – Implementations used on SUSE Linux Enterprise Desktop 10 are TightVNC and vino
  – See Figures 5-24 and 5-25

Figure 5-24 VNC remote desktop preferences

Figure 5-25 User is informed of the connection request

Exercise 5-5: Use VNC

• In this exercise, you will work with a partner

• You start the VNC server using vino-preferences and allow your partner to connect to your desktop with vncviewer

Summary

• The Network Card module of YaST can be used to easily manage your network interface configuration

• Common IP configuration parameters include an IP address, subnet mask, hostname, name server (DNS), and WLAN settings for wireless network interfaces

• Network interface and IP information is stored in the /etc/sysconfig/network directory

• Different IP networks are connected to one another via routers

Summary (continued)

• After system initialization, you can use the ip command to view, configure, and manage your network interfaces, IP configuration, and routing table

• You can use the Firewall module of YaST to configure packet filtering on your network interfaces

• NetworkManager can be used to keep track of several wired and wireless networks on portable or laptop computers

• The SSH daemon (sshd) provides a secure alternative to telnet, rlogin, rsh, rcp, and FTP by encrypting traffic

Summary (continued)

• SSH uses a combination of asymmetric and symmetric encryption and supports several standard encryption algorithms

• You can configure the SSH type, authentication, and encryption types in the SSH server configuration file /etc/ssh/sshd_config

• You can generate asymmetric SSH encryption keys using the ssh-keygen command and view them using the ssh-keyscan command

• You can use the vino-preferences command to configure a VNC server
