
OpenServer 6 Networking for OpenServer 5 Administrators John Boland SCO Support


Presentation Transcript


  1. OpenServer 6 Networking for OpenServer 5 Administrators. John Boland, SCO Support

  2. Session Objectives. At the end of this session you should:
     - Understand the ISL differences between OpenServer 6 and OpenServer 5 relating to networking
     - Be aware of how OpenServer 6 networking starts on system boot
     - Know how to enable tcp wrappers on inetd services
     - Understand how netconfig(ADM) differs between OpenServer 6 and OpenServer 5
     - Know how to configure and use ssh(1)
     - Be able to configure a simple VPN using IPsec

  3. Session Topics. The following topics will be covered:
     - OpenServer 6 Installation
     - Network Configuration Manager differences
     - OpenServer 6 Network Start-up
     - Configured Network Services on OpenServer 6
     - tcpd(ADM) aka Tcpwrappers
     - OpenServer 6 and OpenSSH
     - Using IPsec to implement a VPN
     - IP Filters: brief overview

  4. OpenServer 6 Installation - OpenServer 6.0.0 ISL Networking Differences:
     - Samba, PPP and Kerberos installed at ISL
     - IPX/SPX, SCO Gateway for Netware and LAN Manager Client packages obsolete
     - DHCP client configuration at ISL
     - Only drivers for detected Network Cards (NICs) are displayed at ISL
     - Manual list only contains non-auto-detectable ISA NIC cards

  5. OpenServer 5 Connectivity Package Selection OpenServer 6 Installation

  6. OpenServer 6 Connectivity Package Selection OpenServer 6 Installation

  7. Network Card Selection on OpenServer 5 OpenServer 6 Installation

  8. Network Card Selection on OpenServer 6 OpenServer 6 Installation

  9. OpenServer 5 Network Configuration Manager: Network Configuration Manager

  10. Network Configuration Manager - Differences:
     - No localhost entry
     - Removed the IPX protocol
     - NFS protocol configured by default (if installed)
     - Only auto-detected Network Cards are displayed
     - No relink and reboot required when you add a card
     - Removed WAN configuration
     - Failover support added

  11. Network Configuration Manager - Network Interface Card (NIC) Drivers and netconfig(ADM):
     - NIC drivers are stored under /etc/inst/nd/mdi
     - Find out what nd driver package is installed using:
         pkginfo -l nd
     - Get the latest nd driver package (8.0.6e) at:
         http://www.sco.com/support/update/download/release.php?rid=281
     - netconfig(ADM) uses PCI Board IDs to recognise cards:
         resmgr | more
         18 e1008g 8 6 4 18 4400 443f fcde0000 fcdfffff - - 4 0x8086100E 0x0002 0 2 0
         34 net0 8 6 - - - - - - - - - 0x8086100E - - 2 -
         grep 0x8086100E /etc/inst/nd/mdi/e1008g/*.bcfg
         /etc/inst/nd/mdi/e1008g/e1008g_100E.bcfg:BOARD_IDS="0x8086100E"

  12. Network Configuration Manager - Automatic Network Failover and Backup cards:
     - Must have MP2 installed
     - TA 110336: Not all NICs support failover. Check with:
         grep "FAILOVER=true" /etc/inst/nd/mdi/<your nic driver>/*.bcfg
     - Can manually failover using netconfig(ADM)
     - Automatic failback is not currently supported
     - TA 126686: Cannot manually failback to the primary NIC using netconfig(ADM). Instead you use:
         nd failback net0
     - Note that while some NICs failover on removal of cable, not all NICs do

  13. Network Configuration Manager - Debugging netconfig(ADM):
     - When you run netconfig(ADM) you are running: /usr/lib/netcfg/bin/ncfgUI
     - netconfig(ADM) configuration files are held under /usr/lib/netcfg
     - To trace problems uncomment:
         #cmdtrace on [ open /tmp/ncfgUI.log a+ ]
     - netconfig(ADM) also uses ndcfg(ADM) to do NIC configuration. The ndcfg log file is found at:
         /usr/lib/netcfg/tmp/ndcfg.log
     - TA 110131: Troubleshooting NIC Installation

  14. OpenServer 6 Network Start-up - /etc/inittab Network Start-up Entries:
     - Initialize the socket subsystem in the kernel at sysinit:
         iks0::sysinit:/sbin/initsock -d > /dev/console 2>&1
     - Configure STREAMS at sysinit:
         sl::sysinit:/etc/slink -c /etc/strcf > /dev/console 2>&1
     - Initialise the loopback interface at sysinit:
         loop::sysinit:/usr/sbin/initialize -u lo0 > /dev/console 2>&1
     - Load STREAMS modules:
         ap1::sysinit:/sbin/autopush -f /etc/ap/sco.ap
     - Start syslogd(ADM) to log local and remote messages:
         bchk::sysinit:/sbin/bcheckrc </dev/console >/dev/console 2>&1

  15. OpenServer 6 Network Start-up - /etc/inittab Network Start-up Entries [contd]. The following entries will be described in greater detail on the slides that follow:
         lli::sysinit:/etc/nd start < /dev/null > /dev/null 2>&1
         tcp::sysinit:/etc/tcp start < /dev/null > /dev/null 2>&1
         ...
         r2:2:wait:/etc/rc2 1> /dev/console 2>&1 </dev/console

  16. OpenServer 6 Network Start-up - Network Adapter Driver Script nd(ADM):
     - /etc/nd is used to start and stop configured NICs
     - It starts the dlpid(ADM) daemon which links each MDI (MAC Driver Interface) driver to the common DLPI (Data Link Provider Interface)
     - The dlpi module is a bit like your OSI Data Link Layer
     - The MDI interface sits between the card and the DLPI
     - /etc/nd is started by this entry in /etc/inittab:
         lli::sysinit:/etc/nd start < /dev/null > /dev/null 2>&1
     - nd(ADM) is updated by netconfig(ADM) when adding or removing NICs

  17. OpenServer 6 Network Start-up - nd(ADM) [contd.]:
     - Never try to update or modify /etc/nd manually
     - The nd(ADM) man page incorrectly refers to /etc/rc2.d/S35dlpi and /etc/rc0.d/K97dlpi being used to start and stop nd
     - Can debug issues with /etc/nd by uncommenting:
         #cmdtrace on [ open /tmp/nd.log a+ ]
       or
         #cmdtrace on stderr

  18. OpenServer 6 Network Start-up - TCP Start/Stop Script tcp(ADMN). /etc/tcp starts and stops TCP. When starting in single-user mode (sysinit) it will:
     - Read /etc/default/tcp to get info incl. domain and gateway
     - Call inconfig(ADM) to load default TCP kernel parameters
     - Configure network interfaces with IP addresses using /usr/sbin/initialize -U
     - Start syslogd(ADM) if not already started
     - Set the default route using the gateway entry from /etc/default/tcp
     - Start the STREAMS error logging daemon, strerr(ADM)
     - Start the Pseudo Random Number Generator Daemon, prngd(ADM)

  19. OpenServer 6 Networking Start-up - Single User Mode start-up (diagram):
         init -> initsock -> slink -> initialize lo0 -> autopush -> nd start -> tcp start
         nd start: dlpid, set up NICs
         tcp start: domain and gateway, set up TCP kernel params, initialize netx, route add, syslogd, strerr(ADM), prngd(ADM)

  20. OpenServer 6 Network Start-up - tcp(ADMN) [contd]. When starting in multi-user mode (rc2) it will also:
     - Start prngd(ADM) again
     - Start inetd(ADMN), the Internet Super Server daemon
     - Start pppd(ADMN) only if MST PPP is configured (off by default)
     - Start snmpd(ADMN), the snmp agent
     - Start named(ADMN) if a nameserver is configured (off by default)
     - Start sshd(8), the ssh daemon, and if necessary generate host keys (/etc/ssh/ssh_host*)
     - Start any daemons listed in /etc/default/tcp (off by default)
     - Start ntpd, lpd(ADMN) and aasd(ADMN) if configured (not by default)

  21. OpenServer 6 Network Start-up - tcp(ADMN) [contd]:
     - Issues the messages:
         add net default: gateway 192.168.248.1
         Starting TCP services: prngd inetd snmpd sshd
     - The tcp(ADMN) man page incorrectly refers to ifconfig when it should refer to initialize
     - Existing sessions can continue to function after a tcp stop
     - Existing sessions are stopped by a tcp shutdown
     - Can debug the /etc/tcp shell script by adding set -x

  22. OpenServer 6 Network Start-up - Networking services started by rc2(ADM):
     - The /etc/rc2 script is invoked by init(M):
         r2:2:wait:/etc/rc2 1> /dev/console 2>&1 </dev/console
     - /etc/rc2 messages are logged to /usr/adm/rc2.log
     - Networking services scripts called by rc2 include: S85tcp, S86rpc, P86sendmail, S87nfs, S90nis, P90apache, S95docview, S99cups, S99nmbd, S99smbd
     - Can disable a service as follows (rc2 only runs scripts whose names start with an upper-case letter):
         mv /etc/rc2.d/S87nfs /etc/rc2.d/s87nfs
         shutdown -y -g0 -i6

  23. OpenServer 6 Network Start-up - Network services started by traditional rc2(ADM):
     - S85tcp: symbolic link to /etc/tcp
     - S86rpc: symbolic link to /etc/rpcinit; starts rpcbind(ADMN), rwalld(NADM) and sprayd
     - P86sendmail (or MMDF equivalent): starts sendmail(ADMN)
     - S87nfs: symbolic link to /etc/nfs; starts exportfs(NADM), nfsd(NADM), biod(NADM), mountd(NADM), statd(1Mnfs), lockd(NADM), bootparamd(NADM) and pcnfsd(NADM)
     - S90nis: symbolic link to /etc/nis; not configured or started by default

  24. OpenServer 6 Network Start-up - Network services started by traditional rc2(ADM) [contd]:
     - P90apache: starts the Apache web server on port 80
     - S95docview: starts the OpenServer 6 documentation server on port 8457
     - S99cups: starts the CUPS print server, cupsd(8); remote admin is disabled by default (see TA 126211)
     - S99nmbd: starts the NetBIOS name service, nmbd(8)
     - S99smbd: starts the file and print server daemon, smbd(8)

  25. OpenServer 6 default Network Services - Services controlled by inetd(ADMN):
     - inetd is known as a Super Server
     - inetd is started by /etc/rc2.d/S85tcp (/etc/tcp)
     - inetd configures the services listed in /etc/inetd.conf
     - inetd reads /etc/services (and /etc/protocol) to get the name, aliases, port and protocol to use for each service

  26. OpenServer 6 default Network Services - Services controlled by inetd(ADMN). On a traditional install inetd configures services including:
         ftp    stream tcp nowait root   /etc/ftpd      ftpd -a
         telnet stream tcp nowait NOLUID /etc/telnetd   telnetd
         shell  stream tcp nowait NOLUID /etc/rshd      rshd
         login  stream tcp nowait NOLUID /etc/rlogind   rlogind
         exec   stream tcp nowait NOLUID /etc/rexecd    rexecd
         pop3   stream tcp nowait root   /etc/popper    popper
         imap   stream tcp nowait root   /etc/imapd     imapd
         swat   stream tcp nowait root   /usr/sbin/swat swat
     - Can disable a service by commenting it out:
         # telnet stream tcp nowait NOLUID /etc/telnetd telnetd
       and then restarting inetd with a SIGHUP:
         kill -1 `cat /etc/inetd.pid`

  27. OpenServer 6 Networking Start-up - Multi-User Mode start-up (diagram):
         rc2 -> S85tcp (prngd, snmpd, sshd, named, pppd, inetd, aasd, lpd, ntpd), S86rpc, P86sendmail, S87nfs, S90nis, P90apache, S95docview, S99cups, S99nmbd, S99smbd

  28. OpenServer 6 Networking Start-up - Multi-User Mode start-up [contd] (diagram):
         inetd -> ftpd, telnetd, rlogind, rshd, rexec, pop3, imap, swat

  29. OpenServer 6 and TCPWrappers - tcpd(ADM) aka tcpwrappers 7.6. Can be used to log and control access to inetd services. To enable tcpwrappers on telnetd:
     - Edit /etc/inetd.conf
     - Comment out the entry:
         telnet stream tcp nowait NOLUID /etc/telnetd telnetd
     - Uncomment the entry:
         # telnet stream tcp nowait NOLUID /etc/tcpd telnetd
     - Save the file
     - Restart inetd using:
         kill -1 `cat /etc/inetd.pid`
     - Telnet to the server and check syslog:
         Jul 11 17:26:14 jrbt5 telnetd[2102]: connect from jrbhp1
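An added example (not from the slides or SCO) that audits an inetd.conf of the kind shown on slides 26 and 29: it reports which active services are launched through /etc/tcpd and which still run unwrapped. The sample file content is constructed from those slides; the CLEARTEXT set is an assumption about which services carry credentials in the clear.

```python
"""Audit an OpenServer-style /etc/inetd.conf for tcpd (tcpwrappers) coverage."""

# Constructed sample: slide 26 entries, with telnet switched to tcpd as on slide 29.
SAMPLE_INETD_CONF = """\
ftp     stream  tcp  nowait  root    /etc/ftpd      ftpd -a
# telnet stream  tcp  nowait  NOLUID  /etc/telnetd   telnetd
telnet  stream  tcp  nowait  NOLUID  /etc/tcpd      telnetd
shell   stream  tcp  nowait  NOLUID  /etc/rshd      rshd
login   stream  tcp  nowait  NOLUID  /etc/rlogind   rlogind
exec    stream  tcp  nowait  NOLUID  /etc/rexecd    rexecd
pop3    stream  tcp  nowait  root    /etc/popper    popper
imap    stream  tcp  nowait  root    /etc/imapd     imapd
swat    stream  tcp  nowait  root    /usr/sbin/swat swat
"""

# Assumption: these services send passwords in the clear, so unwrapped
# instances deserve the most attention (wrap them, or disable them).
CLEARTEXT = {"telnet", "shell", "login", "exec", "pop3", "imap", "ftp"}

def parse_inetd_conf(text):
    """Return the active entries as dicts; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Field order: service socket proto wait user server [args...]
        fields = line.split(None, 6)
        if len(fields) < 6:
            continue  # malformed line: ignore rather than guess
        entries.append({
            "service": fields[0], "socket": fields[1], "proto": fields[2],
            "wait": fields[3], "user": fields[4], "server": fields[5],
            "args": fields[6] if len(fields) == 7 else "",
            # With tcpd the server field is the wrapper; the real daemon is the first arg.
            "wrapped": fields[5].endswith("/tcpd"),
        })
    return entries

def audit(text):
    """Map each active service name to 'wrapped', 'unwrapped' or 'unwrapped-cleartext'."""
    report = {}
    for e in parse_inetd_conf(text):
        if e["wrapped"]:
            report[e["service"]] = "wrapped"
        elif e["service"] in CLEARTEXT:
            report[e["service"]] = "unwrapped-cleartext"
        else:
            report[e["service"]] = "unwrapped"
    return report

if __name__ == "__main__":
    for svc, status in sorted(audit(SAMPLE_INETD_CONF).items()):
        print(f"{svc:8s} {status}")
```

To run it against a live system, read /etc/inetd.conf into `audit()` instead of the constructed sample.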

  30. OpenServer 6 and TCPWrappers - Controlling Access using tcpd(ADM):
     - hosts_access(SFF) control is implemented using /etc/hosts.allow and /etc/hosts.deny
     - These files contain no rules by default
     - Access is controlled as follows:
         1. Grant access if you match an entry in the /etc/hosts.allow file
         2. Deny access if you match an entry in the /etc/hosts.deny file
         3. Otherwise, grant access

  31. OpenServer 6 and TCPWrappers - Controlling Access using tcpd(ADM) [contd]:
     - Entries in hosts.allow and hosts.deny are of the form:
         daemon_list : client_list
     - daemon_list is a list of one or more daemon process names or wildcards
     - client_list is a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address
     - There are two basic options:
         - Deny all and add entries to /etc/hosts.allow (Mostly Closed)
         - Allow all and add entries to /etc/hosts.deny (Mostly Open)

  32. OpenServer 6 and TCPWrappers - Some hosts_access(SFF) examples:
     - To deny everything, in /etc/hosts.deny add:
         ALL: ALL
     - To allow everything leave /etc/hosts.allow empty
     - To allow exceptions in /etc/hosts.allow add:
         ftpd: .friendly.domain
         telnetd: ALL@192.168.124.1
         rlogind: 192.168.1.0/255.255.255.0
     - To report on blocked access:
         ALL :ALL : spawn (echo Attempt from %h %a to %d at `date` | tee -a /var/log/tcp.deny.log |mail jboland@sco.com )

  33. OpenServer 6 and OpenSSH - OpenServer 6 MP2 ships with OpenSSH_4.2p1. The package provides:
     - ssh(1) (aka slogin(1)) for secure, encrypted login and remote command execution
     - scp(1) for secure, encrypted remote copy
     - sftp(1) for secure, encrypted file transfer
     Can also be used for, among other things:
     - Local Port Forwarding
     - Dynamic Port Forwarding
     - X11 Forwarding

  34. OpenServer 6 and OpenSSH - OpenServer 6 ssh(1) Authentication:
     - Host Based Authentication using /etc/ssh/shosts.equiv and/or ~/.shosts, and /etc/ssh/ssh_known_hosts and/or ~/.ssh/known_hosts
     - RSA/DSA Authentication using ~/.ssh/authorized_keys
     - Keyboard username and password authentication (default fallback)
     - Try to avoid using SSH 1 as it is less secure than SSH 2
     - Always use RSA and not DSA if possible

  35. OpenServer 6 and OpenSSH - Windows to OpenServer 6.0.0 RSA Authentication:
     - Use a key generator on your Windows PC to generate your public and private keys and save the keys to a directory on your PC
     - On the OpenServer 6 system create the .ssh directory using:
         mkdir $HOME/.ssh
         chmod 700 $HOME/.ssh
     - Create $HOME/.ssh/authorized_keys and paste your public key into this file
     - On the Windows PC configure your ssh terminal emulator to use your private key

  36. OpenServer 6 and OpenSSH - OpenServer 6 to OpenServer 6 RSA Authentication:
     - On the "client" OpenServer 6 system generate keys using:
         ssh-keygen -t rsa
     - On the "server" OpenServer 6 system create the .ssh directory using:
         mkdir $HOME/.ssh
         chmod 700 $HOME/.ssh
     - Create $HOME/.ssh/authorized_keys and paste the $HOME/.ssh/id_rsa.pub public key from the client OpenServer 6 system into this file
     - Login from the OpenServer 6 client system using:
         ssh <server_name>
       or
         ssh <user>@<server name>

  37. OpenServer 6 and OpenSSH - OpenServer 6 ssh(1) Host Based Authentication. Host Based Authentication can use /etc/ssh/shosts.equiv and/or ~/.shosts, and /etc/ssh/ssh_known_hosts and/or ~/.ssh/known_hosts. Server side configuration:
     - Create $HOME/.shosts with:
         192.168.1.250 jboland
         jrbosr6.it.sco.com jboland
         jrbosr6 jboland
     - Edit /etc/ssh/sshd_config and change/add:
         HostbasedAuthentication yes
         IgnoreUserKnownHosts yes
         IgnoreRhosts yes

  38. OpenServer 6 and OpenSSH - OpenServer 6 ssh(1) Host Based Authentication [contd]:
     - Server side configuration [contd]: restart sshd using:
         tcp restart
     - Client side configuration: edit /etc/ssh/ssh_config and change/add:
         HostbasedAuthentication yes
         EnableSSHKeysign yes
     - From the client login to the server using:
         ssh <server_name>
     - To debug use:
         ssh -v <server_name>

  39. OpenServer 6 and OpenSSH - Uses for ssh: Dynamic Port Forwarding. Dynamic port forwarding allows forwarding of traffic via a local SOCKS proxy server to a remote secure server using ssh(1). (Diagram: Local SOCKS Proxy Server -> The Internet -> Secure ssh Server)

  40. OpenServer 6 and OpenSSH - Setup Dynamic Port Forwarding on OpenServer 6:
     - Set up a SOCKS proxy server as root using:
         ssh -D 1080 jboland@<fqdn of OSR6 ssh server>
     - To configure Mozilla to use the SOCKS proxy:
         - Run mozilla
         - Select Edit -> Preferences... -> Advanced -> Proxies
         - Click "Manual Proxy Configuration"
         - In the SOCKS Host: field put localhost
         - In the Port: field put 1080
         - Click on OK

  41. OpenServer 6 and OpenSSH - Setting up Dynamic Port Forwarding on Windows. Set up a SOCKS proxy server using PuTTY as follows:
     - Launch PuTTY
     - Enter the Host Name of the remote server
     - Select Connection -> SSH -> Tunnels
     - Enter 1080 in the source port field
     - Click on the Dynamic radio button
     - Click Add
     - Click Open

  42. OpenServer 6 and OpenSSH - Setting up Dynamic Port Forwarding on Windows [contd]. Configure Firefox to use the SOCKS proxy as follows:
     - Launch Firefox
     - Select Tools -> Options -> Advanced -> Networking
     - Click on Settings
     - Check the "Manual proxy configuration:" radio button
     - Enter localhost in the SOCKS Host: field
     - Enter 1080 in the port field
     - Click OK, then click OK again
     Firefox is now configured to use the SOCKS proxy.

  43. OpenServer 6 and OpenSSH - Setting up Dynamic Port Forwarding on Windows [contd]. Configure PuTTY to use the SOCKS proxy as follows:
     - Launch PuTTY
     - Enter the Host Name of the remote server
     - Select Connection -> Proxy
     - Check SOCKS 5 as the proxy type
     - Enter 1080 for the port
     - Click OK, then click OK again
     PuTTY is now configured to use the SOCKS proxy.

  44. OpenServer 6 and IPsec - What is IPsec. IPsec allows you to:
     - Encrypt IP packets between hosts and subnets
     - Authenticate IP packets between hosts and subnets
     - Defined in http://www.ietf.org/rfc/rfc2401.txt
     - Authentication can be performed using expanded IPsec headers, keys or certificates
     IPsec requirements:
     - OpenSSL 0.9.7 or later (check with: openssl version)
     - A configured and functioning network connection

  45. OpenServer 6 and IPsec - IPsec Terminology:
     - Two types of IPsec configuration:
         - Transport encrypts IP data only
         - Tunnel encrypts IP data and IP headers
     - Two types of authentication protocol:
         - Authentication Header (AH) does authentication only and is not recommended
         - Encapsulating Security Payload (ESP) does authentication and encryption
     - In an IPsec configuration file:
         - SAD is the Security Association Database
         - SPD is the Security Policy Database

  46. OpenServer 6 and IPsec - To enable IPsec in the kernel:
     - Edit /etc/conf/pack.d/inet/space.c changing
         int ipsec_enable = 0;
       to
         int ipsec_enable = 1;
     - Relink the kernel using:
         /etc/conf/bin/idbuild -M inet
     - Reboot the server using:
         shutdown -y -g0 -i6

  47. OpenServer 6 and IPsec - Simple OSR6 to OSR6 IPsec configuration. On "sysa" create /etc/inet/sysa.ipsec.conf with:
         add <sysa ip> <sysb ip> esp 0x10001 -m transport -E 3des-cbc "thescogp12341234thescogp" ;
         add <sysb ip> <sysa ip> esp 0x10002 -m transport -E 3des-cbc "thescogp43214321thescogp" ;
         spdadd <sysb ip>[any] <sysa ip>[any] tcp -P in ipsec esp/transport/<sysb ip>-<sysa ip>/use ;
         spdadd <sysa ip>[any] <sysb ip>[any] tcp -P out ipsec esp/transport/<sysa ip>-<sysb ip>/use ;

  48. OpenServer 6 and IPsec - Simple OSR6 to OSR6 IPsec configuration [contd]. On "sysb" create /etc/inet/sysb.ipsec.conf with:
         add <sysa ip> <sysb ip> esp 0x10001 -m transport -E 3des-cbc "thescogp12341234thescogp" ;
         add <sysb ip> <sysa ip> esp 0x10002 -m transport -E 3des-cbc "thescogp43214321thescogp" ;
         spdadd <sysa ip>[any] <sysb ip>[any] tcp -P in ipsec esp/transport/<sysa ip>-<sysb ip>/use ;
         spdadd <sysb ip>[any] <sysa ip>[any] tcp -P out ipsec esp/transport/<sysb ip>-<sysa ip>/use ;

  49. OpenServer 6 and IPsec - Loading the IPsec configuration:
     - On sysa run setkey(ADM):
         ipseckey -f /etc/inet/sysa.ipsec.conf
     - On sysb run setkey(ADM):
         ipseckey -f /etc/inet/sysb.ipsec.conf
     - To see the ESP traffic:
         tcpdump host sysa and sysb
     - To see the ipsec network statistics run:
         netstat -nsp ipsec
     - To remove/flush the SAD and SPD entries use:
         ipseckey -F
         ipseckey -FP
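An added example (not an SCO tool) for the manual-keying setup on slides 47 to 49: it writes the mirrored sysa/sysb configuration with freshly generated 3DES keys instead of the fixed strings on the slides, then checks that the two files agree, since a mismatched SPI, key or policy direction on one side is the usual reason such a tunnel silently carries nothing. Hex-form keys (`0x...`) and the file names are assumptions.

```python
"""Build and cross-check a mirrored ipseckey/setkey manual-keying config pair."""
import secrets

def gen_3des_key():
    """3des-cbc takes a 192-bit key; it is written as 0x<48 hex digits>."""
    return "0x" + secrets.token_hex(24)

def build_confs(sysa, sysb, key_ab=None, key_ba=None):
    """Return {'sysa': text, 'sysb': text}. The SAs (add lines) are identical on
    both hosts; only the in/out direction of the policies is swapped."""
    key_ab = key_ab or gen_3des_key()
    key_ba = key_ba or gen_3des_key()
    sas = (f"add {sysa} {sysb} esp 0x10001 -m transport -E 3des-cbc {key_ab} ;\n"
           f"add {sysb} {sysa} esp 0x10002 -m transport -E 3des-cbc {key_ba} ;\n")
    def policy(local, peer):
        return (f"spdadd {peer}[any] {local}[any] tcp -P in ipsec esp/transport/{peer}-{local}/use ;\n"
                f"spdadd {local}[any] {peer}[any] tcp -P out ipsec esp/transport/{local}-{peer}/use ;\n")
    return {"sysa": sas + policy(sysa, sysb), "sysb": sas + policy(sysb, sysa)}

def parse(text):
    """Return (sas, spd): sas maps (src, dst) -> (spi, key); spd maps (src, dst) -> 'in'/'out'."""
    sas, spd = {}, {}
    for stmt in text.split(";"):            # statements are ';' terminated
        f = stmt.split()
        if not f:
            continue
        if f[0] == "add":
            sas[(f[1], f[2])] = (f[4], f[-1])
        elif f[0] == "spdadd":
            src, dst = f[1].split("[")[0], f[2].split("[")[0]
            spd[(src, dst)] = f[f.index("-P") + 1]
    return sas, spd

def check_pair(conf_a, conf_b):
    """Return a list of problems; an empty list means the two hosts agree."""
    sas_a, spd_a = parse(conf_a)
    sas_b, spd_b = parse(conf_b)
    problems = []
    if sas_a != sas_b:
        problems.append("SA (SPI/key) entries differ between hosts")
    for flow, direction in spd_a.items():
        if flow not in spd_b:
            problems.append(f"policy for {flow} missing on peer")
        elif spd_b[flow] == direction:
            problems.append(f"policy for {flow} has the same direction on both hosts")
    return problems

if __name__ == "__main__":
    # Constructed documentation addresses; substitute the real sysa/sysb IPs.
    confs = build_confs("192.0.2.1", "192.0.2.2")
    for host, text in confs.items():
        with open(f"{host}.ipsec.conf", "w") as fh:   # load with: ipseckey -f <file>
            fh.write(text)
    print(check_pair(confs["sysa"], confs["sysb"]) or "configs agree")
```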

  50. OpenServer 6 and IPsec - Using racoon for automatic key management:
     - Keys need to be changed to maintain security
     - Manual changing of keys is time consuming and prone to error
     - racoon(ADM) is a daemon that manages keys (and certificates) on behalf of IPsec
     - racoon(ADM) uses the Internet Key Exchange (IKE) protocol to exchange keys securely between hosts
