
Wrestling with Alligators: putting OS X in an open access lab (or “The Joy of X”)



Presentation Transcript


  1. Wrestling with Alligators: putting OS X in an open access lab (or “The Joy of X”) Wrestling Alligators @ SIGUCCS 2003

  2. What is OS X? UNIX
     • Command line interface, something that was entirely absent in all previous versions of the Macintosh OS.
     • NeXTSTEP lineage.
     • FreeBSD and System V (from Bell Labs) and Berkeley Labs.
     • Long historical root.
     • Open Source.
     • Huge library of well-tested software available for use.
     • Accompanying security issues as they arise.

  3. Major departure from the pre-X operating system (OS 9)
     • Command line interface is a key distinguishing characteristic.
     • “Aqua” design theme is very different.
     • Graphics are a way to manage a command line series of actions.
     • Start with the Terminal program (/Applications/Utilities).
     • Try: man -k netinfo

  4. The Toolkit
     • One machine as master.
     • FireWire strongly preferred.
     • Build your master image in layers.

  5. The Toolkit
     • One machine as clone.
     • A second, identical piece of hardware is ideal.
     • “Crash and burn” insurance.
     • Your sandbox for experimentation.

  6. The Toolkit
     • Carbon Copy Cloner
       • From Mike Bombich (www.bombich.com).
       • Interface to asr (Apple Software Restore) and ditto.
       • Takes a complete “snapshot” of the hard drive to back up.
       • Creates an image file (suffix .img).
       • Tool of choice for the production of your master image file.

  7. The Toolkit
     • NetRestore
       • From Mike Bombich (www.bombich.com).
       • Restoration of a complete hard drive image.
       • Source image can be on a:
         • local partition
         • FireWire drive
         • CD
         • Network
       • Really fast.
       • Post-processing possible.

  8. The Toolkit
     • FireWire drive
       • Without any external drive options at all, you are likely to face an uphill battle.

  9. Security
     • Different from the past
       • Almost the centerpiece of the process.
       • Before OS X, the Macintosh was a low security risk.
       • UNIX has long been a domain for experimentation.
       • It will only take one episode of serious abuse to create the potential for major problems.

  10. Security
     • Why it matters
       • It is easy to set up an Apache web server.
       • It is easy to configure ssh and allow anyone in.
       • It is easy to set up packet “sniffers”.
       • Instructions for doing these things are found on the Wild, Wild Web!
       • Setting up remote machines to launch a Denial of Service attack is possible.

  11. Security
     • Open Firmware
       • Not new with OS X.
       • Access certain kinds of parameters at boot time.
       • Similar to the older parameter RAM.
       • Platform independent.
       • Developed by Sun Microsystems.

  12. Security
     • Open Firmware
       • What can you do with Open Firmware?
         • Boot from a CD.
         • Set or reset the root password.
           • Easy to protect against this condition using the setenv and security-mode commands.
         • Interface is command-line.
           • Get acquainted with the CLI.
         • Set the boot-device.
         • Read files on the main disk, establish limited networking services and change disk information.

  13. Security
     • Open Firmware
       • Access: hold down the Command-Option-O-F keys. The command line interface will appear.
       • Set any options & the password.
       • One final note: once you have entered a password, do not forget it!

  14. Security
     • Single User mode
       • Allows a system administrator access to an ailing machine.
       • Once booted into single user mode, the root account is automatically logged in and does not require a password.
       • Simple process to check the disk and mount the entire file system as read-write.
       • Hard to protect yourself once the user has booted to single user mode.
       • Prevent it from happening at all by enabling command security and setting a password.

  15. Security
     • A brief detour…
       • Let’s boot into single user mode…
       • Reboot.
       • Hold down the Command-S key.
       • Notice the instructions…
       • Running SystemStarter enables netinfo.

  16. Security
     • Root
       • Superuser and root may be new.
       • The root user, or superuser, is a special UNIX account.
       • This user can do anything – absolutely anything – to a system.
       • By default, OS X ships with the root account disabled.
       • You might have to enable it.
       • There is a good alternative.

  17. Security
     • Root
       • Former advocate of enabling root with a good password.
       • Now: leave the root account disabled.
       • Use a combination of methods:
         • sudo

  18. Security
     • Root
       • sudo allows one to act as root (sudo translates to “superuser do”).
       • Very configurable.
         • Allow only certain programs to be used by certain users.
       • Any local administrative account can use sudo.
         • You can simply type: sudo sh
       • Single-user mode still works with root disabled.

  19. Security
     • Local accounts
       • No more local accounts.
       • ssh and sudo only.

  20. Security
     • Local accounts
       • Your users cannot be administrators.
       • Be certain that your regular users are never administrative users.
       • With a network based authentication method you are all set.
       • No user that logs in via most properly configured methods will be anything except a non-administrative user.
       • Why does this whole administrative user thing even matter?
         • Installation of software requires an administrative username and password.

  21. Security
     • Why Classic mode should go away
       • Add-on to OS X.
       • Runs older “legacy” applications.
       • If you offer this, you have extra work.
       • Potentially serious security issues:
         • Boot into OS 9, destroy OS X.
         • FWSucker.
         • crack /etc/passwd.
       • Adds a layer of complexity and instability for the user.

  22. Configuration
     • Open Firmware
       • Boot the machine – hold down the Command-Option-O-F keys.
       • The command line interface appears:

  23. Configuration
     • Open Firmware
       • Now, set the password:
       • Press enter after typing in a command. The system response is usually the terse ‘ok’.
       • Find a way to remember this password!

  24. Configuration
     • Open Firmware
       • Finally, set the security mode level:
       • Then reboot the machine:
       • Open Firmware is now secure. (At this point, you can leave it open as you prepare the master image…)

  25. Configuration
     • Next we tackle Authentication.

  26. Authentication
     • Several methods available.
     • By default, OS X uses locally based methods.

  27. Authentication
     • Local or network?
       • Always open for access to the password file.
       • If all local accounts are disabled, this is a moot point.
       • With all local accounts disabled, though, we face an entirely different problem. How do we log in as an administrator in order to install software? There are several aspects to this question.

  28. Authentication
     • Local or network?
       • Software installations
         • Application installations get complex.
         • Use the sudo facility.
         • Non-local user can become root.
       • With enabled local accounts /etc/passwd looks like this:
         root:DWa.RtYYiKLw:0:0::0:0:System Administrator:/var/root:/bin/tcsh
       • A “state change” can be done several different ways.

  29. Authentication
     • Local or network?
       • Log in as the sudo user, become root.
       • Issue the password change: passwd root
       • Now, you can perform many system-level tasks.
       • Installations possible.
       • You have to change this back to a disabled state.

  30. Authentication
     • Local or network?
       • Use the netinfo database to enable a disabled account.
       • Not simple to disable it. You cannot use vi and edit /etc/passwd.
       • Reload using the niload command.

  31. Authentication
     • Local or network?
       • Create a text file of /etc/passwd:
         nidump passwd . > /Users/apple/open_password_file
       • Make a copy to edit:
         cp open_password_file closed_password_file
         vi closed_password_file
       • Change all password fields to a simple asterisk.

  32. Authentication
     • Local or network?
       • Now it might look like this:
         nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
         root:*:0:0::0:0:System Administrator:/var/root:/bin/tcsh
         daemon:*:1:1::0:0:System Services:/var/root:/dev/null
         unknown:*:99:99::0:0:Unknown User:/dev/null:/dev/null
         smmsp:*:25:25::0:0:Sendmail User:/private/etc/mail:/dev/null
         www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/dev/null
         mysql:*:74:74::0:0:MySQL Server:/dev/null:/dev/null
         sshd:*:75:75::0:0:sshd Privilege separation:/var/empty:/dev/null
         admin:*:501:20::0:0:Administrator:/Users/admin:/bin/tcsh
         customer:*:502:20::0:0:CIT Computer Lab User:/Users/customer:/bin/tcsh

  33. Authentication
     • Local or network?
       • Now we have two password files – enabled & disabled.
       • Reload a file:
         niload -d passwd . < /Users/admin/closed_password_file
       • All the local accounts are disabled.
       • Move modified password files off of the local drive!
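The two hardening steps covered so far, Open Firmware command security and the closed password file, are easy to get wrong on a cloned image, so here is an added shell audit for them (example code, not from the talk or its tools). It assumes nvram(8) and nidump(8) exist on the lab Mac; the functions read those tools' output from stdin, so the demonstration below runs on constructed passwd lines.

```sh
#!/bin/sh
# Added example, not from the presentation: audit two of the lab-hardening
# steps it describes, Open Firmware command security and disabled local
# accounts. Assumes nvram(8) and nidump(8) on the lab Mac; the functions read
# their output from stdin, so they can be exercised on constructed text.

# Reads `nvram security-mode` output and succeeds when Open Firmware demands
# the password for boot-time commands (the talk sets this at the Open
# Firmware prompt with `password`, then `setenv security-mode command`).
check_security_mode() {
    mode=$(awk '$1 == "security-mode" { print $2 }')
    [ "$mode" = "command" ] || [ "$mode" = "full" ]
}

# Reads nidump-format passwd lines and prints each account whose password
# field is anything but "*", i.e. an account that still accepts a local login.
list_enabled_accounts() {
    awk -F: 'NF >= 2 && $1 !~ /^#/ && $2 != "*" { print $1 }'
}

# Reads passwd lines and writes them back with the password field replaced by
# "*": the same edit the talk makes by hand in vi to produce the
# closed_password_file it reloads with `niload -d passwd .`.
disable_accounts() {
    awk -F: 'BEGIN { OFS = ":" } NF >= 2 { $2 = "*" } { print }'
}

# Constructed sample in the shape of the talk's dump; the customer hash is
# made up, root's is the one shown on the slide.
SAMPLE_PASSWD='root:DWa.RtYYiKLw:0:0::0:0:System Administrator:/var/root:/bin/tcsh
admin:*:501:20::0:0:Administrator:/Users/admin:/bin/tcsh
customer:MadeUpHash01:502:20::0:0:CIT Computer Lab User:/Users/customer:/bin/tcsh'

# On the lab machine itself the checks are driven by the real tools:
#   nvram security-mode | check_security_mode || echo "Open Firmware not locked"
#   nidump passwd . | list_enabled_accounts
# Here they run against the constructed sample instead.
printf '%s\n' "$SAMPLE_PASSWD" | list_enabled_accounts                      # root, customer
printf '%s\n' "$SAMPLE_PASSWD" | disable_accounts | list_enabled_accounts   # prints nothing
```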

  34. Authentication
     • Next we configure our remote authentication method, LDAP.

  35. Authentication
     • LDAP v3
       • 10.2.x only.
       • Security is better.
         • Passes encrypted passwords.
         • Kerberos no longer required.
         • Do not install MIT Kerberos on 10.2.x systems!
         • SSL support.
       • LDAP data may (still) need “massaging”.
         • This can be a critical concern.

  36. Authentication
     • LDAP v3
       • Steps to authentication using SSL:
         • Configure Directory Access on the local machine.
         • Create the dummy account.
         • Add the certificate to the local machine.
         • Edit the ldap.conf file to make the local system aware of the certificates.
         • Configure Authentication on the client.

  37. Authentication
     • LDAP v3
       • Required attributes (direct from the Apple systems engineer!):
         • uniqid = User’s Short Name (for us this is netid)
         • uid = UID Number (we made this the same for everyone)
         • homeDirectory = Home Directory Path (we made this the same for everyone too!)
       • Useful attributes:
         • cn = Common Name
         • gid = GID Number (we made this the same for everyone too)

  38. Authentication
     • LDAP v3
       • Configure Directory Access

  39. Authentication
     • LDAP v3
       • Configure Directory Access

  40. Authentication
     • LDAP v3
       • Configure Directory Access
         • Default Attribute Types contains only RecordName, which is set to the value cn as an LDAP server attribute.
         • Users contains only those record types and attributes we use.

  41. Authentication
     • LDAP v3
       • Configure Directory Access
         • RecordName is set to netid for our installation.

  42. Authentication
     • LDAP v3
       • Configure Directory Access
         • RealName is the actual name of the user, a.k.a. Common Name or cn.

  43. Authentication
     • LDAP v3
       • Configure Directory Access
         • UniqueID was one of our custom additions and was the critical part to get a valid local UID.

  44. Authentication
     • LDAP v3
       • Configure Directory Access
         • PrimaryGroupID was another one of our custom additions but was not a critical part (at this point!).

  45. Authentication
     • LDAP v3
       • Configure Directory Access
         • NFSHomeDirectory was the third of our custom additions and was also a critical part to get a valid local home directory.

  46. Authentication
     • LDAP v3
       • Configure Directory Access
         • Setting connection variables:
           • Reducing the default time out values improves performance.
           • You can test without SSL to get things going if you need to… (in which case you do not need the CA on the client).

  47. Authentication
     • LDAP v3
       • Create the “dummy” account
         • This provides the correct local home directory, group and/or user id…
         • Be careful here: the numbering has to match your LDAP data!
         • Use the account manager:
           • ‘Computer Lab User’ (long name)
           • ‘customer’ as short name
           • Name can be anything.
           • This matches our specification for UID/GID.
         • Notice that in the /Users section, we now have:
           drwxr-xr-x 13 50220 442 Dec 30 16:14 customer

  48. Authentication
     • LDAP v3
       • Update the client for LDAP and SSL
         • The certificates must be in the correct place on the local systems: /System/Library/OpenSSL
           mv ~/ca-bundle.crt /System/Library/OpenSSL/certs
         • You can test this from the command line (Terminal):
           openssl s_client -connect ldap.uvm.edu:636 -showcerts

  49. Authentication
     • LDAP v3
       • Edit /etc/openldap/openldap.conf to reflect the newly created server & certificate locations:
         HOST ldap.uvm.edu
         BASE dc=uvm,dc=edu
         TLS_CACERT /System/Library/OpenSSL/certs/ca-bundle.crt

  50. Authentication
     • LDAP v3:
       • The final ldap.conf file looks about like this:
         # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt
         # LDAP Defaults
         # See ldap.conf(5) for details
         # This file should be world readable but not world writable.
         #BASE dc=example, dc=com
         #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
         #SIZELIMIT 12
         #TIMELIMIT 15
         #DEREF never
         HOST ldap.uvm.edu
         BASE dc=uvm,dc=edu
         TLS_CACERT /System/Library/OpenSSL/certs/ca-bundle.crt
