
Administração de Sistemas (ASIST)



  1. Administração de Sistemas (ASIST) – TP 4 (English version) – LINUX Administration

  2. “Scripts”

  A script is a small interpreted program contained in a plain text file that can be executed directly by the operating system.

  In other (non-UNIX) operating systems the last part of the file name (the extension) has a special meaning: it represents the file's content type, and for a script it indicates the language used and therefore the interpreter that should be invoked.

  In LINUX/UNIX the first bytes of the file content (the “magic number”) are used to classify the file; the file's name and extension are meaningless. For text files that are scripts, the first line identifies the file as such and also names the interpreter program to be used. The execute permission must be set on the file for the system to be able to run it.

  3. “Shebang”

  The “shebang” (from “hash” + “bang”) is the sequence “#!” in the first column of the first line of a Unix script. The characters “#!”, 0x2321 in hexadecimal, are the “magic number” for scripts. The rest of the first line, after the “shebang”, identifies the interpreter to be used when running the script:

      #!/usr/bin/perl
      #!/usr/bin/python
      #!/bin/bash
      #!/bin/sh
      #!/usr/bin/php
      #!/bin/csh

  Since most interpreted languages treat every line starting with “#” as a comment, the “shebang” line is ignored by the interpreter program itself.
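  The following shell script is an added example, not part of the original slides. It checks files the way the kernel does (by the two-byte magic number 0x23 0x21, not by the extension), extracts the interpreter named after “#!”, and checks the execute bit. The helper names (magic_hex, is_script, interpreter_of, runnable) and the two sample files created in a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the slides: show that Linux recognises a script by
# its first two bytes ("#!" = 0x23 0x21), not by the file name, and that the
# execute bit must be set before the kernel will run it. The sample files are
# created here, in a temporary directory, purely for the demonstration.
set -u

# magic_hex FILE: the first two bytes of FILE as hex digits ("2321" for a script)
magic_hex() { head -c 2 "$1" | od -An -tx1 | tr -d ' \n'; }

# is_script FILE: success when FILE starts with the shebang magic number
is_script() { [ "$(magic_hex "$1")" = "2321" ]; }

# interpreter_of FILE: the interpreter (plus optional argument) named after "#!"
interpreter_of() {
  is_script "$1" || return 1
  head -n 1 "$1" | sed 's/^#![[:space:]]*//'
}

# runnable FILE: what the kernel needs to execute it: shebang present and x bit set
runnable() { is_script "$1" && [ -x "$1" ]; }

# Stand-alone run: a script with a misleading ".txt" extension still runs,
# while a file named ".sh" without a shebang is just text.
work=$(mktemp -d)
printf '#!/bin/sh\necho hello from a script\n' > "$work/hello.txt"
printf 'echo this has no shebang\n'           > "$work/plain.sh"
chmod +x "$work/hello.txt"

for f in "$work/hello.txt" "$work/plain.sh"; do
  printf '%s: magic=%s interpreter=%s runnable=%s\n' "$f" "$(magic_hex "$f")" \
    "$(interpreter_of "$f" || echo none)" "$(runnable "$f" && echo yes || echo no)"
done
"$work/hello.txt"          # executed by /bin/sh despite the .txt name
rm -rf "$work"
```

  Running it prints “2321” and the interpreter “/bin/sh” for hello.txt, and “none” for plain.sh even though its name ends in “.sh”; the last line shows the kernel honouring the shebang rather than the extension.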

  4. “Shell Scripts”

  The main objective of the programs known as shells is to provide a means of interacting with the system through text commands. Shell commands can be gathered as a sequence in a text file, creating a shell script. To take full advantage of shell scripts, several appropriate commands are provided, such as flow control based on decisions and repetition structures.

  Shell scripts are an important tool for the system administrator: they can be used in many management tasks and are always available, since all that is required is a text editor. Many prefer the C shell because of its resemblance to the C programming language. All Linux systems have both the standard shell (sh/bash) and the C shell (csh/tcsh) available, so the choice is largely personal. On the other hand, the scripts that manage most Linux distributions are written for the standard shell. Other languages like PERL and PYTHON are much more powerful, with large software libraries included, but they require some learning.

  5. “Shell Scripts” – simple sample in BASH

  At DEI, user passwords can be changed only in the Windows environment. To make it possible for users to change their password by calling the standard “passwd” command on the Linux system, that command was replaced by a script:

      -bash-3.00$ cat /usr/bin/passwd
      #!/bin/bash
      echo -e "\n\n\n"
      echo "Alteração de password geral do utilizador `id -nu` no DEI"
      echo -e "\n"
      # look for the smbpasswd binary in the usual install locations
      SMBPASSWD=""
      for LOC in /usr/local/samba/bin /usr/local/bin /usr/bin ; do
        if [ -x ${LOC}/smbpasswd ]; then
          SMBPASSWD=${LOC}/smbpasswd
          break;
        fi
      done
      ########################
      # no smbpasswd found: report the installation problem and stop
      if [ -z "${SMBPASSWD}" ]; then
        echo "Existe um problema na instalação desta máquina"
        echo "é favor contactar os administradores de rede"
        exit 1
      fi
      # change the password on the remote SMB server "mafalda2"
      ${SMBPASSWD} -r mafalda2
      ########################

  6. Scheduled execution – the CRON service

  Being able to schedule the execution of certain commands, for instance scripts, at a given hour and date is very useful for administrative tasks that must be performed periodically, possibly at idle hours, for instance creating backups. In Linux the CRON (crond) service is widely used for this purpose; /etc/crontab is its main configuration file.

  Command lines in the configuration file follow the form (SPC stands for whitespace):

      Hour/Date SPC User SPC Command and arguments

  The Hour/Date part consists of five fields:

      Minute   SPC  Hour     SPC  Day of month  SPC  Month    SPC  Day of week
      0 to 59       0 to 23       1 to 31            1 to 12       0 to 7

  Numerical values for the day of the month and the day of the week may be replaced by names. In the day of the week field both 0 and 7 mean Sunday. Date/hour values may be given as a single value, a range, or a comma-separated list of values. The “*” symbol stands for all possible values of that field.

  7. The CRON service – “/etc/crontab” sample

      */5 * * * *   root /usr/bin/mrtg /etc/mrtg/mrtg.cfg
      5,35 * * * *  root /etc/LinuxHealth >/dev/null 2>&1 &
      45 2 * 8 6    root /root/make-backup >/dev/null 2>&1 &

  Value ranges may have a step attached: in the sample above, “*/5” (“0-59/5”) in the minute specification means the range 0-59 in steps of 5 minutes, so it is equivalent to “0,5,10,15,20,25,30,35,40,45,50,55”.

  The “/etc/crontab” file is meant for the administrator only; however, the crond service is available to other users too. For that purpose each user may have a personal cron configuration file (under /var/spool/cron/); to edit that file a user should run the command “crontab -e”. The user's file format is similar to “/etc/crontab”, except that no username is specified before the command. Access to the crond service by users can be controlled by the administrator using the files /etc/cron.allow and /etc/cron.deny.
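  The script below is an added example, not part of the original slides and not the cron implementation. It expands crontab time fields exactly as slides 6 and 7 describe them (single value, range, comma list, “*”, and “/step”) and then decides whether a five-field specification matches a given moment, so the three sample lines above can be checked by hand. The function names (expand_field, field_has, cron_matches) and the test moment are constructed; it goes one step beyond the slides in one respect, labelled in the comments: like Vixie cron it treats day-of-month and day-of-week as alternatives when both are restricted.

```shell
#!/bin/sh
# Added example, not from the slides: expand crontab time fields (single value,
# range, list, "*", "/step") and test whether a 5-field specification matches a
# given moment. Fields must be numeric (month and weekday names are not handled
# here); weekday 7 is folded to 0 (Sunday). Globbing is switched off because
# "*" is a literal cron symbol in this script.
set -fu

# expand_field SPEC LOW HIGH: print every value in LOW..HIGH that SPEC covers
expand_field() {
  spec=$1 low=$2 high=$3 out=""
  for item in $(printf '%s' "$spec" | tr ',' ' '); do            # comma list
    step=1
    case $item in */*) step=${item#*/}; item=${item%/*} ;; esac  # "/step"
    case $item in
      '*') first=$low; last=$high ;;                   # whole range
      *-*) first=${item%-*}; last=${item#*-} ;;        # "a-b"
      *)   first=$item; last=$item ;;                  # single value
    esac
    v=$first
    while [ "$v" -le "$last" ]; do out="$out $v"; v=$((v + step)); done
  done
  printf '%s\n' "${out# }"
}

# field_has SPEC LOW HIGH VALUE: success when VALUE is one of SPEC's values
field_has() {
  for v in $(expand_field "$1" "$2" "$3"); do
    [ "$v" -eq "$4" ] && return 0
  done
  return 1
}

# cron_matches "MIN HOUR DOM MON DOW" minute hour dom month dow
# As in Vixie cron: when both day-of-month and day-of-week are restricted
# (neither is a bare "*"), the entry fires when either of them matches.
cron_matches() {
  spec=$1 m=$2 h=$3 d=$4 mo=$5 w=$6
  [ "$w" -eq 7 ] && w=0                 # both 0 and 7 mean Sunday
  set -- $spec
  [ $# -eq 5 ] || return 2              # malformed entry
  field_has "$1" 0 59 "$m"  || return 1
  field_has "$2" 0 23 "$h"  || return 1
  field_has "$4" 1 12 "$mo" || return 1
  dom_ok=0 dow_ok=0
  field_has "$3" 1 31 "$d" && dom_ok=1
  { field_has "$5" 0 7 "$w" || { [ "$w" -eq 0 ] && field_has "$5" 0 7 7; }; } && dow_ok=1
  if [ "$3" != '*' ] && [ "$5" != '*' ]; then
    [ "$dom_ok" -eq 1 ] || [ "$dow_ok" -eq 1 ]
  else
    [ "$dom_ok" -eq 1 ] && [ "$dow_ok" -eq 1 ]
  fi
}

# Stand-alone run: the three /etc/crontab entries from the slide, each tested
# against a constructed moment, Saturday 11 August 2007 at 02:45
for entry in '*/5 * * * *' '5,35 * * * *' '45 2 * 8 6'; do
  if cron_matches "$entry" 45 2 11 8 6; then r=fires; else r=skips; fi
  printf '%-15s -> %s (minutes: %s)\n' "$entry" "$r" "$(expand_field "${entry%% *}" 0 59)"
done
```

  For the constructed moment the first and third entries fire and the second skips, since 45 is not in “5,35”; the minute column printed for “*/5” is the twelve-value list the slide gives as its expansion.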

  8. Network security

  In a network environment, controlling who has access to the data flowing on the network is very hard. One way to increase security is to encrypt the data.

  Traditional symmetric cryptography requires a secret pre-shared key (PSK); the process of sharing this secret key is the critical point. Public key cryptography solves the PSK problem by using two different keys, one (public) for ciphering and another (private) for deciphering. Because the ciphering key is public, key distribution is not a problem.

  [Figure: symmetric cryptography, A and B cipher and decipher data with the same secret key; public key cryptography, data sent to B is ciphered with B's public key and deciphered with B's private key, and data sent to A is ciphered with A's public key and deciphered with A's private key.]

  9. Authentication in the network

  Traffic confidentiality is pointless if we are not absolutely sure who we are talking to. The authentication process handles this problem, and authentication is closely tied to cryptography.

  Symmetric cryptography: authentication is assured because both ends hold a secret key nobody else knows; in fact the authentication problem was already addressed earlier, during secret key distribution. There are two main techniques for secret key distribution: use public key cryptography, or use a prior secret known to both ends, for instance the user's password.

  Public key cryptography: because the key used for ciphering is public, its use authenticates nothing; anyone can use the public key. However, the private key is known only to its owner, so only the owner of a public key will ever be able to decipher data ciphered with that key. That can be used to grant authenticity, as long as the authenticity of the public key itself can also be guaranteed.

  10. Public key certificates

  Public key cryptography makes key distribution very simple; however, due to the public nature of the key, its authentication value is lost. Because private keys are secret they can be used as an authentication factor, but to achieve that the authenticity of the public key must be guaranteed. Public key certificates do exactly that.

  A public key certificate contains the identification of the public key owner (Subject), the identification of the certification authority (Issuer) and the public key itself. The certificate is then signed by the certificate issuer (the certification authority).

  [Figure: certificate layout: version number, expiration date, ...; certificate issuer identification; public key owner identification; public key; digital signature, produced with the private key of the certificate issuer.]

  A certificate is accepted based on the trust we have in the certificate issuer, on the public key owner identification and on the expiration date.

  11. Sample – Public key certificate

      [root@server ~]# openssl x509 -in /etc/cert/redecert.pem -text
      Certificate:
          Data:
              Version: 1 (0x0)
              Serial Number: 2 (0x2)
              Signature Algorithm: md5WithRSAEncryption
              Issuer: C=PT, ST=PORTO, L=PORTO, O=DEI.ISEP, OU=DEI, CN=DEICA/emailAddress=dei@dei.isep.ipp.pt
              Validity
                  Not Before: Jun 20 11:37:28 2007 GMT
                  Not After : Jun 17 11:37:28 2017 GMT
              Subject: C=PT, ST=PORTO, L=PORTO, O=DEI.ISEP, OU=DEI, CN=rede.dei.isep.ipp.pt/emailAddress=dei@dei.isep.ipp.pt
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                  RSA Public Key: (1024 bit)
                      Modulus (1024 bit):
                          00:cc:38:e2:e6:5d:ff:43:6d:ff:43:12:94:03:db:
                          8f:5c:28:61:1a:61:0d:d5:5e:04:dd:20:a9:d8:99:
                          0c:53:e3:c6:23:b0:6c:4d:fe:6b:9e:b8:00:ea:23:
                          1d:55:fa:e7:9a:9b:1b:fa:ef:e0:0d:2c:e0:e1:43:
                          31:2d:b1:37:b5:27:68:01:e0:3d:d8:bf:96:15:bb:
                          25:31:ec:6c:38:5e:2f:17:4c:b5:14:5e:8c:de:1b:
                          14:20:b9:9c:fb:fe:41:5e:ea:68:17:ab:50:a7:9f:
                          6d:93:b3:30:0f:c2:09:2b:7b:43:a4:06:1b:2a:e8:
                          d2:e5:ca:ff:71:e1:69:9c:fb
                      Exponent: 65537 (0x10001)
          Signature Algorithm: md5WithRSAEncryption
              97:e9:b2:9d:f1:ca:16:37:43:21:3a:11:61:03:d7:4b:de:f9:
              06:f9:ee:02:4e:6e:08:25:bc:e3:98:e8:1d:bf:9f:43:5b:cb:
              6c:20:d0:6e:7c:d2:53:f2:29:3b:f9:6e:aa:c3:e0:ab:f8:8f:
              06:83:95:9f:dc:a8:94:bb:a8:50:67:34:de:64:0a:02:29:f0:
              1b:1d:f1:bc:51:09:37:f9:15:23:14:5d:b6:98:85:86:d4:37:
              ff:58:d0:74:24:2f:0d:da:d9:c4:02:89:7f:e6:6c:98:c3:f0:
              8e:42:77:45:3d:a1:ae:a2:8c:20:83:83:c5:2b:cc:58:7c:d7:
              2f:06:32:c6:fa:95:b3:de:5f:48:76:54:08:7a:df:b1:58:a8:
              8d:d9:74:94:57:c1:57:5b:79:32:f1:71:02:77:bb:6f:2a:9f:
              42:94:ef:37:d1:03:da:db:9f:b6:11:8a:4b:d4:e4:34:48:86:
              a0:e3:ce:9e:a3:f4:97:86:37:e1:b9:d4:af:de:a8:e9:ce:2a:
              70:aa:8f:c5:90:d9:71:48:a8:9b:8b:f0:2e:6c:42:7e:c3:bf:
              b6:8e:80:79:2f:ed:81:cb:3a:01:69:ce:c0:e8:9f:fe:ce:0a:
              bf:08:89:4b:68:d0:d5:9b:78:9a:e6:e5:19:92:6c:93:7f:c5:
              a0:89:f9:45

  12. Self-signed certificates

  A self-signed certificate is issued by the public key owner itself. It has no value for authentication purposes because it is not signed by a trusted entity. This kind of certificate must be installed manually; by doing so we are implicitly trusting the issuer, and the issuer of this certificate becomes a root certification authority as far as we are concerned (ROOT CA).

  As the name says, a ROOT CA is the starting point of a trusted certification tree. The ROOT CA certificate is self-signed, and we trust the issuer by manually installing it. Once such a root certificate is accepted and installed, any certificate issued by any member of the tree is trusted, so no questions will be asked when such certificates are presented to the application.

  13. “openssl” command (LINUX)

  OpenSSL is a library of security-related functions; among others it supports the SSLv2, SSLv3 and TLSv1 standards. The “openssl” command is a front end to the library, shipped with it. Among other functions, the “openssl” command can be used to manage public keys and public key certificates.

  “openssl req …” – the main goal of the “req” command is generating a public/private key pair and the public key certificate request. The request should be sent to the certification authority for certification; in reply a new certificate will be issued. The command can also be used to create the keys and a self-signed certificate, for instance:

      openssl req -nodes -x509 -keyout ttt.key -out ttt.crt -days 3650 -newkey rsa:1024

  “openssl x509 …” – used in certificate management, for instance receiving certification requests and issuing certificates. For some commands, as for instance certificate management, the configuration file “openssl.cnf” may be required.
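  The script below is an added example, not part of the original slides and not DEI's own procedure. It walks through slides 10 to 13 with the “openssl” command: a self-signed ROOT CA made with “openssl req -x509”, a key pair and certificate request made with “openssl req”, the certificate issued from that request with “openssl x509 -req”, and finally “openssl verify” to show that the issued certificate is accepted only when our root is supplied as trust anchor. All names (“Example Lab”, server.example.test) and the helper functions (build_pki, chain_ok, trusted_by_default, subject_of) are constructed for the demonstration; the key size is 2048 bits rather than the slide's 1024, since current OpenSSL builds reject the smaller size at their default security level.

```shell
#!/bin/sh
# Added example, not from the slides: a throwaway root CA, a server key pair and
# certificate request, the certificate issued from that request, and chain
# verification. Every name below is made up; all files are written to the
# directory given as argument, so nothing touches the system trust store.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

# build_pki DIR: create ca.key/ca.crt (self-signed root), server.key/server.csr
# (request) and server.crt (issued by the root) inside DIR
build_pki() {
  dir=$1
  mkdir -p "$dir"
  # 1. Root CA: key + self-signed certificate (the "ROOT CA" of slide 12)
  openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
    -subj "/C=PT/O=Example Lab/CN=Example Lab Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server: key + certificate signing request (what "openssl req" is for)
  openssl req -nodes -newkey rsa:2048 \
    -subj "/C=PT/O=Example Lab/CN=server.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # 3. The CA signs the request, producing the server certificate
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.crt" 2>/dev/null
}

# chain_ok DIR: does server.crt verify with ca.crt as the trust anchor?
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; }

# trusted_by_default DIR: does server.crt verify against the system store alone?
# It should not: nobody installed our private root CA there (slide 12).
trusted_by_default() { openssl verify "$1/server.crt" >/dev/null 2>&1; }

# subject_of CERT: the Subject line, as in the "-text" output of slide 11
subject_of() { openssl x509 -in "$1" -noout -subject; }

# Stand-alone run: build everything in a temporary directory and report
work=$(mktemp -d)
build_pki "$work"
subject_of "$work/server.crt"
openssl x509 -in "$work/server.crt" -noout -issuer -dates
if chain_ok "$work"; then echo "server.crt verifies against ca.crt"; fi
if trusted_by_default "$work"; then echo "unexpectedly trusted by the system store"; fi
rm -rf "$work"
```

  The “openssl x509 -in … -text” form from slide 11 can be run on any of the generated files to inspect Issuer, Subject and Validity; the two verify calls make the point of slide 12 concrete, since the same server certificate is accepted with “-CAfile ca.crt” and rejected without it.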

  14. SAMBA administration

  The SAMBA open source project has for some time now been developing a free software set for Linux aimed at its integration in Windows networks.

  • The SAMBA server system (the “smbd” and “nmbd” services) implements all the main functions of a native Windows server on a Linux host.
  • SAMBA also includes several options for integration from the client point of view:
    • The “smbclient” / “rpcclient” / “net” / … commands make it possible to access Windows server resources from Linux machines, and even to manage Windows servers.
    • SMBFS/CIFS Linux kernel support allows the full integration of Windows shared folders in the Linux file system (mount).
    • The “winbindd” service gives the “libnss_winbind” and “pam_winbind” modules access to the Windows servers' user database. Windows (native or not) users then become valid users in the Linux system.

  15. SAMBA Servers

  • Transforming a Linux server into a Windows server is not a simple task. The underlying systems are very different: some concepts do not exist in both systems, others use different formats, and conversions and equivalencies are required:
  • File system objects – POSIX ACL / NTFS ACL
    • The POSIX ACL is very static and limited when compared with NTFS ACLs; as a consequence, any NTFS ACL presented by the Samba server will reflect those limitations.
  • Users and groups – LINUX user or group / WINDOWS user or group
    • Windows users and groups are both identified by an SID (Security Identifier); Linux users are identified by a UID and groups by a GID. The formats of these identifiers are very different: 16-bit numbers in Linux and much longer identifiers in Windows. Also, much Windows user account data does not fit in the Linux system, for instance the “ROAMING PROFILE” and the user PASSWORD, which is ciphered in two different ways.

  16. SAMBA servers – users

  • Windows user accounts hold critical data that is unavailable in Linux user accounts, among others the SID and the ciphered password.
  • There are several ways to handle a problem like this:
    • Develop an equivalency system. For instance, “SID=SID-DOMINIO-(1000+2*UID)” was used in the early SAMBA versions.
    • Create a parallel user database to complement the standard Unix database. For instance, before Samba 3.0 the only option to store the Windows ciphered passwords was the /etc/smbpasswd file.
    • Arrange for a user database system capable of storing all the user data required by both systems.
  • The current SAMBA server implementation is able to access user accounts in a wide range of databases; if those databases are also supported by Linux through NSS/PAM modules, then all user data is stored in the same place. One widely used configuration nowadays uses LDAP servers for this purpose.

  17. “winbindd” + “libnss_winbind” + “pam_winbind”

  The Winbind service is one of the most recent features of SAMBA. The service process “winbindd” receives requests from the local modules “libnss_winbind” and “pam_winbind” and keeps in touch with a Windows PDC server (most often a native one) to use its services.

  [Figure: WINDOWS SERVER (PDC) <-> winbindd <-> nss_winbind / pam_winbind, the latter three running on the LINUX SYSTEM.]

  The Winbind service manages an equivalency database between Windows SIDs and Linux UIDs and GIDs. When a valid Windows user tries to log in to the Linux system, Winbind checks whether the user already exists; if not, the user is created immediately. Winbind is required to generate some values unavailable in Windows accounts, for instance the HOME directory and the user SHELL. For this purpose templates like “/home/%U” for HOME can be used.
