Linux SSH and Samba Notes
Chapter 21 Linux Administration: A Beginners Guide
Secure Shell (SSH)
SSH Basics (Page 479)
Linux supports remote login access through several different servers including Telnet, VNC and even X. They all transfer data over the network in unencrypted form. SSH encrypts the password exchange and all subsequent data transfers. SSH provides file transfer features & the ability to tunnel other network protocols Several SSH servers are available, the most popular is the OpenSSH server OpenSSH can be launched using a super script or with a SysV startup script (preferred) Configuring Basic SSH Features (page 486) The main configuration file for the OpenSSH server is /etc/ssh/sshd_config (page 490) The default settings work for most systems. You might want to check or modify: Protocol Level: Version 2.0 is preferred due to known vulnerabilities in earlier versions. Permit_Root_Login: The default is yes, but this is a security risk. X11_Forwarding: (X tunneling features) The default is no If you make changes to the configuration file, be sure to restart the server.
SSH Keys (Page 480)
SSH uses a security system that involves two keys: a Private Key and Public Key All parties that engage in an SSH communication have their own keys. These keys are mathematically linked so that data encrypted with a Public Key may only be decrypted with the matching Private Key. On the server, there are normally 4 to 6 keys and they are stored in /etc/ssh If keys are not present, you can generate them with the ssh-keygen command On the client, keys are stored in the ~/.ssh/known_hosts file. You can pre-populate this file on the client to prevent security warnings. Some good references are listed on page 483 if you want to delve further into encryption.
SSH Clients (Page 485)
There are several clients available for use with SSH.
PuTTY is one of the oldest and most popular SSH Clients for Win32 platforms. It is free and can be downloaded at http://www.chiark.greenend.org.uk/~sgtatham/putty/
OpenSSH for Mac OS X
MindTerm This program supports V1 and 2 of SSH. Written in java it works on many UNIX platforms. http://www.cryptzone.com/products/agmindterm/
FreeSSH for Windows http://www.freessh.org/ keeps track of programs both free and commercial for SSH clients and implementations.
SecureCRT for windows. Commercial product. http://www.vandyke.com/products/securecrt/index.html
Secure Copy (SCP) via SSH (page 495)
SSH includes a file-copying command: scp It works like cp but you must specify the target computer You must use a colon at the end of this command to prevent renaming the file
Secure FTP (SFTP) (page 495)
Secure FTP is a subsystem of the ssh daemon. You can access the secure FTP server by using the sftp command line tool.
Configuring Logins without Passwords
SSH can be configured to allow logins without passing a password A security risk is if someone gains access to your account on the client, then they have your access to the server. To do this, you must generate a special key pair on the client, transfer the Public Key to the server, and place it in the ~/.ssh/authorized_keys file.
Setting Up SSH Port Tunnels (page 491)
SSH has the ability to encrypt other protocols and thus protect them in transit On the server side, must make sure that the /etc/ssh/sshd_config file has the option AllowTCPForwarding set to yes On the client side, you must establish a special SSH connection using the -N, -f, and the -L options.
Chapter 24 Linux Administration: A Beginners Guide
SAMBA
Samba Basics (page 548)
Samba is a suite of applications for allowing UINX based systems to operate with Windows based operating systems. Samba provides file and print sharing services to Windows clients. It does this through the use of native Microsoft networking protocols SMB/CIFS. Samba has been ported to many number of platforms including most variants of UNIX and several non-unix environments.
Samba Mechanics (page 548)
The Linux password and login mechanism is different from Windows PDC (Primary Domain Controller) model and the Windows Active Directory model. It is important for system administrators to keep passwords and logins consistent across both platforms. Relative to Samba there are several options for handling username and password issuers.
Some of these are:
The Linux Pluggable Authentication Modules (PAM). Allows you to authenticate users against the PDC. This means you will have 2 users lists, one local and one on the PDC but users only need to remember one.
Samba as PDC Allows you to keep all logins and passwords on the Linux system while all your windows systems authenticate with Samba. Roll your own solution using Perl Allows for the use of your own custom script. This can be done with WinPerl and Perl modules that allow changes to the Security Access manager (SAM) to update PDC’s password list. Encrypted Passwords
Windows uses encrypted passwords when communicating with the PDC and any server requiring authentication (including Linux and Samba). The encryption algorithm used by windows is different from UNIX so it is therefore not compatible.
Your choices in dealing with this are:
1. Edit the registry on windows clients to disable the use of encrypted passwords. (As of v3 of Samba, this is no longer necessary) 2. Configure Samba to use encrypted passwords.
Samba Daemons
The Samba code is actually composed of several components. The book examines three.
1. SMBD – handles the actual sharing of file systems and printer services 2. NMBD – is responsible for handling NETBIOS name service requests 3. WINBINDD – can be used to query native Windows servers for user and group information that can then be used on purely Linux/UNIX platforms
Installing and Running Samba
Can be installed using yum, apt-get, or can be done via source. Once installed Samba can be configured thru the command line. It can also be configured with Webmin using its GUI interface.