PART VI Chapter 19: Secure Shell and Kerberos 421

A variety of options is available to enable you to configure your connection. Most options have corresponding configuration options that can be set in the configuration file. For example, with the -c option, you can designate which encryption method you want to use, for instance, idea, des, blowfish, or arcfour. With the -i option, you can select a particular private key to use. The -C option enables you to have transmissions compressed at specified levels. (See the ssh man page for a complete list of options.)

scp

You use scp to copy files from one host to another on a network. Designed to replace rcp, scp uses ssh to transfer data and employs the same authentication and encryption methods. If authentication requires it, scp requests a password or passphrase. The scp program operates much like rcp. Directories and files on remote hosts are specified using the username and the host address before the filename or directory. The username specifies the remote user account that scp is accessing, and the host is the remote system where that account is located. You separate the user from the host address with an @, and you separate the host address from the file or directory name with a colon. The following example copies the file party from a user's current directory to the user aleina's birthday directory, located on the rabbit.mytrek.com host:

scp party aleina@rabbit.mytrek.com:/birthday/party

Of particular interest is the -r (recursive) option, which enables you to copy whole directories. (See the scp man page for a complete list of options.) In the next example, the user copies the entire reports directory to the user justin's projects directory:

scp -r reports justin@rabbit.mytrek.com:/projects

In the next example, the user george copies the mydoc1 file from the user cecelia's home directory:

[george@turtle george]$ scp cecelia@turtle.mytrek.com:mydoc1 .
cecelia@turtle.mytrek.com's password:
mydoc1      0% |                             |     0 : ETA
mydoc1    100% |*****************************|    17 00:00
[george@turtle george]$

From a Windows system, you can also use scp clients such as winscp, which will interact with Linux scp-enabled systems.

sftp and sftp-server

With sftp, you can transfer FTP files secured by encryption. The sftp program uses the same commands as ftp. This client, which works only with SSH2, operates much like ftp, with many of the same commands. Use sftp instead of ftp to invoke the sftp client:

sftp releases.ubuntu.com

To use the sftp client to connect to an FTP server, that server needs to be operating the sftp-server application. The SSH server invokes sftp-server to provide encrypted FTP transmissions to those using the sftp client. The sftp-server and client use the SSH File Transfer Protocol (SFTP) to perform FTP operations securely.

Port Forwarding (Tunneling)

If, for some reason, you can connect to a secure host only by going through an insecure host, ssh provides a feature called port forwarding, which lets you secure the insecure segment of your connection. This involves simply specifying the port at which the insecure host is to connect to the secure one. This sets up a direct connection between the local host and the remote host, through the intermediary insecure host. Encrypted data is passed through directly. This process is referred to as tunneling, creating a secure tunnel of encrypted data through connected servers.

You can set up port forwarding to a port on the remote system or to one on your local system. To forward a port on the remote system to a port on your local system, use ssh with the -R option, followed by an argument holding the local port, the remote host address, and the remote port to be forwarded, each separated from the next by a colon. This works by allocating a socket to listen to the port on the remote side.
Whenever a connection is made to this port, the connection is forwarded over the secure channel and a connection is made to a remote port from the local machine. In the following example, port 22 on the local system is connected to port 23 on the rabbit.mytrek.com remote system:

ssh -R 22:rabbit.mytrek.com:23

To forward a port on your local system to a port on a remote system, use the ssh -L command, followed by an argument holding the local port, the remote host address, and the remote port to be forwarded, each separated from the next by a colon. A socket is allocated to listen to the port on the local side. Whenever a connection is made to this port, the connection is forwarded over the secure channel and a connection is made to the remote port on the remote machine. In the following example, port 22 on the local system is connected to port 23 on the rabbit.mytrek.com remote system:

ssh -L 22:rabbit.mytrek.com:23

You can use the LocalForward and RemoteForward options in your .ssh/config file to set up port forwarding for particular hosts or to specify a default for all hosts to which you connect.

SSH Configuration

The SSH configuration file for each user is the user's .ssh/config file. The /etc/ssh/ssh_config file is used to set sitewide defaults. In the configuration file, you can set various options, as listed in the ssh_config man page. The configuration file is designed to specify options for different remote hosts to which you might connect. It is organized into segments, where each segment begins with the keyword HOST, followed by the IP address of the host. The following lines hold the options you have set for that host. A segment ends at the next HOST entry. Of particular interest are the User and Cipher options. Use the User option to specify the names of users on the remote system who are allowed access. With the Cipher option, you can select which encryption method to use for a particular host.
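Because ssh keeps the first value it obtains for each option, a host-specific Host block that comes after a catch-all block loses for every option the catch-all already set. The following Python script is an added example, not from the book or from OpenSSH, that models that matching rule for the two Host blocks this section goes on to show. The config text, host names and option values are constructed samples; `shadowed_options` flags options that can never take effect because an earlier Host * block already set them, which is the mistake the ordering advice guards against.

```python
"""Resolver for OpenSSH client config host matching (added example, not OpenSSH code).

ssh reads ~/.ssh/config top to bottom, a host matches every Host block whose
pattern fits it, and the FIRST value obtained for an option is the one used.
The functions below model that rule so you can see which options are in effect
for a host and which ones are dead because a catch-all 'Host *' came first.
"""
import fnmatch  # '*' and '?' behave the same way as in ssh_config patterns

# Constructed sample built from the two blocks shown in the text.
SAMPLE_CONFIG = """\
Host turtle.mytrek.com
    User larisa
    Compression no
    Cipher blowfish

Host *
    FallBackToRsh yes
    KeepAlive no
    Cipher idea
"""

# Same blocks in the wrong order: the catch-all comes first.
MISORDERED_CONFIG = """\
Host *
    FallBackToRsh yes
    KeepAlive no
    Cipher idea

Host turtle.mytrek.com
    User larisa
    Compression no
    Cipher blowfish
"""


def parse_config(text):
    """Return [(patterns, {option: value}), ...] in file order.

    Keywords are case-insensitive, so they are lower-cased; options that
    precede the first Host line apply to every host.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)  # a repeated key inside one block also loses
    if options:
        blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host):
    """True if host matches the block; a '!pattern' entry that matches vetoes the block."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def effective_options(text, host):
    """Options ssh would apply to host: first value obtained wins, later ones are ignored."""
    result = {}
    for patterns, options in parse_config(text):
        if host_matches(patterns, host):
            for key, value in options.items():
                result.setdefault(key, value)
    return result


def shadowed_options(text):
    """(host pattern, option) pairs that never take effect because a 'Host *' block
    earlier in the file already set that option for every host."""
    shadowed, global_keys = [], set()
    for patterns, options in parse_config(text):
        if "*" in patterns:
            global_keys.update(options)
            continue
        shadowed.extend((" ".join(patterns), key) for key in options if key in global_keys)
    return shadowed


if __name__ == "__main__":
    for name, cfg in (("ordered", SAMPLE_CONFIG), ("misordered", MISORDERED_CONFIG)):
        print(name, "turtle.mytrek.com ->", effective_options(cfg, "turtle.mytrek.com"))
        print(name, "shadowed:", shadowed_options(cfg))
```

With the blocks in the order the chapter shows, turtle.mytrek.com gets Cipher blowfish and inherits FallBackToRsh and KeepAlive from Host *; with the order reversed, the Cipher line in the turtle block is dead and the host silently gets idea.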
Encryption methods include IDEA, DES (standard), triple-DES (3DES), Blowfish (128 bit), Arcfour (RSA's RC4), and Twofish. The following example allows access from larisa at turtle.mytrek.com and uses Blowfish encryption for transmissions:

Host turtle.mytrek.com
    User larisa
    Compression no
    Cipher blowfish

To specify global options that apply to any host to which you connect, create a HOST entry with the asterisk as its host: Host *. This entry must be placed at the end of the configuration file because an option takes the first value set for it. Any subsequent entries for an option are ignored. Because a host matches on both its own entry and the global one, its specific entry should come before the global entry. The asterisk (*) and the question mark (?) are both wildcard matching operators that enable you to specify a group of hosts with the same suffix or prefix. Here's an example:

Host *
    FallBackToRsh yes
    KeepAlive no
    Cipher idea

Kerberos

User authentication can further be controlled for certain services by Kerberos servers. Kerberos authentication provides another level of security whereby individual services can be protected, allowing use of a service only to users who are cleared for access. The name Kerberos comes from Greek mythology and is the name of the three-headed watchdog for Hades. Kerberos is a network authentication protocol that provides encrypted authentication to connections between a client and a server. As an authentication protocol, Kerberos requires a client to prove its identity using encryption methods before it can access a server. Once authenticated, the client and server can conduct all communications using encryption. While firewalls protect only from outside attacks, Kerberos is designed to protect from attacks inside the network as well. Users already within a network could try to break into local servers.
To prevent this, Kerberos places protection around the servers themselves, rather than around an entire network or a computer. A free version is available from the Massachusetts Institute of Technology at http://web.mit.edu/kerberos under the MIT Public License, which is similar to the GNU Public License. Be sure to check the MIT site for recent upgrades and detailed documentation, including FAQs, manuals, and tutorials.

Ubuntu installs the Kerberos support libraries by default. You can install the Kerberos server and several Kerberos clients using the krb5 packages. The server is krb5-server, which will also select the kdc server. The krb5-clients package includes the Kerberos-secured replacements for RSH, RCP, telnet, and the FTP client. Selecting krb5-server or krb5-clients will install needed support packages, including krb5-config, the configuration files for Kerberos on Ubuntu. Tools you need to communicate with the server, such as kadmin, are included in the krb5-user package. Detailed configuration documentation is in the krb5-doc package. Kerberos-secured servers are also available for FTP, telnet, and RSH. All the Kerberos packages, except for the configuration and documentation packages, are in the universe repository.

TIP The Kerberos V5 package includes its own versions of network tools such as telnet, RCP, FTP, and RSH. These provide secure authenticated access by remote users. The tools operate in the same way as their original counterparts. The package also contains a Kerberos version of the su administrative login command, ksu.

Kerberos Servers

The key to Kerberos is a Kerberos server through which all requests for any server services are channeled. The Kerberos server then authenticates a client, identifying the client and validating the client's right to use a particular server. The server maintains a database of authorized users.
Kerberos then issues the client an encrypted ticket that the client can use to gain access to the server. For example, if a user needs to check her e-mail, a request for use of the mail server is sent to the Kerberos server, which then authenticates the user and issues a ticket that is used to access the mail server. Without a Kerberos-issued ticket, no one can access any of the servers. Originally, this process required that users undergo a separate authentication procedure for each server to which they wanted access. However, users now need to perform only an initial authentication that is valid for all servers.

This process involves the use of two servers: an authentication server (AS) and a ticket-granting server (TGS). Together they make up what is known as the key distribution center (KDC). In effect, they distribute keys used to unlock access to services. The authentication server first validates a user's identity. The AS issues a ticket called the ticket-granting ticket (TGT) that allows the user to access the TGS. The TGS then issues the user another ticket to access a service. This way, the user never has any direct access of any kind to a server during the authentication process.

The process is somewhat more complex than described. An authenticator using information such as the current time, a checksum, and an optional encryption key is sent along with the ticket and is decrypted with the session key. This authenticator is used by a service to verify a user's identity.

NOTE You can view your list of current tickets with the klist command.

Authentication Process

The AS validates a user with information in its user database. Each user needs to be registered in the AS database. The database will include a user password and other user information. To access the AS, the user provides a username and password. The password is used to generate a user key with which communication between the AS and the user is encrypted.
The user will have his own copy of the user key with which to decrypt communications. The authentication process is illustrated in Figure 19-2. Accessing a service with Kerberos involves the following steps:

1. The user must be validated by the AS and granted access to the TGS with a ticket access key. You do this by issuing the kinit command, which will ask you to enter your Kerberos username and then send it on to the AS (the Kerberos username is usually the same as your username):

   kinit

2. The AS generates a TGT with which to access the TGS. This ticket will include a session key that will be used to let you access the TGS. The TGT is sent back to you encrypted with your user key (password).

3. The kinit program then prompts you to enter your Kerberos password, which it uses to decrypt the TGT. You can manage your Kerberos password with the kpasswd command.

4. Now you can use a client program, such as a mail client, to access a server, such as the mail server. When you do so, the TGT accesses the TGS, which then generates a ticket for accessing the mail server. The TGS generates a new session key for use with just the mail server. This is provided in the ticket sent to you for accessing the mail server. In effect, a TGT session key is used for accessing the TGS, and a mail session key is used for accessing the mail server. The ticket for the mail server is sent to you encrypted with the TGS session key.

5. The client then uses the mail ticket received from the TGS to access the mail server.

6. If you want to use another service such as FTP, when your FTP client sends a request to the TGS for a ticket, the TGS will automatically obtain authorization from the AS and issue an FTP ticket with an FTP session key.

This kind of support remains in effect for a limited period of time, usually several hours, after which you again have to use kinit to undergo the authentication process and access the TGS.
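The six steps above can be followed end to end in code. The following Python script is an added example, not the book's text or MIT Kerberos code: it models the AS, the TGS and one mail service in a single process, using a throwaway encrypt-then-MAC routine built from hashlib and hmac so it runs offline (real Kerberos uses AES-based enctypes and a different string-to-key function). The realm MYTREK.COM, the principals larisa and imap/turtle.mytrek.com, the password and the lifetime values are constructed. The checks every verifier performs, ticket expiry, authenticator freshness against the timestamp the text mentions, and rejection of a replayed authenticator, are what make the session key and the ticket worth more than a password sent over the wire.

```python
"""Toy model of the Kerberos AS -> TGS -> service exchange (added example, not MIT Kerberos code).
It follows the text's steps: kinit obtains a TGT sealed for the TGS, the TGS trades TGT plus
authenticator for a service ticket carrying a new session key, and the service checks both.
The cipher is a throwaway SHA-256 keystream with an HMAC tag so the block runs offline;
real Kerberos uses AES enctypes and a different string-to-key function."""
import hashlib, hmac, json, os, time

LIFETIME = 8 * 3600   # tickets stay valid for several hours, as in the text
CLOCK_SKEW = 300      # authenticators older than five minutes are rejected

def derive_key(password, salt):
    # Toy string-to-key; AS and client both derive the user key from the password.
    return hashlib.sha256(salt.encode() + password.encode()).digest()

def _xor(key, nonce, data):
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, obj):
    # Encrypt-then-MAC a JSON object under key (toy construction, not for real use).
    nonce = os.urandom(16)
    body = nonce + _xor(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_sealed(key, blob):
    # Verify the tag and decrypt; a wrong key (wrong password) fails here.
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(_xor(key, body[:16], body[16:]))

def verify_ticket(ticket_key, ticket_blob, auth_blob, seen, now):
    # Used by TGS and services alike: genuine unexpired ticket, authenticator sealed with
    # the ticket's session key, fresh, and not a replay of one already accepted.
    ticket = open_sealed(ticket_key, ticket_blob)
    if now > ticket["expires"]:
        raise ValueError("ticket expired; run kinit again")
    auth = open_sealed(bytes.fromhex(ticket["key"]), auth_blob)
    if auth["client"] != ticket["client"] or abs(now - auth["time"]) > CLOCK_SKEW:
        raise ValueError("authenticator does not match ticket or is stale")
    if auth_blob in seen:
        raise ValueError("replayed authenticator")
    seen.add(auth_blob)
    return ticket

class KDC:
    """Authentication server (AS) and ticket-granting server (TGS) over one principal database."""
    def __init__(self, realm):
        self.realm, self.seen = realm, set()
        self.keys = {"krbtgt/" + realm: os.urandom(32)}   # the TGS's own key
    def add_principal(self, name, password=None):
        self.keys[name] = derive_key(password, self.realm + name) if password else os.urandom(32)
    def as_exchange(self, client, now):
        # Step 2: TGT sealed for the TGS, wrapped in a reply only the user key can open.
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt/" + self.realm],
                   {"client": client, "key": session, "expires": now + LIFETIME})
        return seal(self.keys[client], {"key": session, "tgt": tgt.hex()})
    def tgs_exchange(self, tgt_blob, auth_blob, service, now):
        # Step 4: verify TGT and authenticator, then issue a service ticket with a new session key.
        tgt = verify_ticket(self.keys["krbtgt/" + self.realm], tgt_blob, auth_blob, self.seen, now)
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": tgt["client"], "key": svc_key, "expires": tgt["expires"]})
        return seal(bytes.fromhex(tgt["key"]), {"key": svc_key, "ticket": ticket.hex()})

class Client:
    def __init__(self, name, kdc):
        self.name, self.kdc, self.creds = name, kdc, {}   # creds is what klist would list
    def authenticator(self, session_key, now):
        return seal(session_key, {"client": self.name, "time": now})
    def kinit(self, password, now):
        # Steps 1-3: ask the AS for a TGT and open the reply with the password-derived key.
        reply = open_sealed(derive_key(password, self.kdc.realm + self.name),
                            self.kdc.as_exchange(self.name, now))
        self.creds["krbtgt/" + self.kdc.realm] = (bytes.fromhex(reply["tgt"]), bytes.fromhex(reply["key"]))
    def get_ticket(self, service, now):
        # Steps 4 and 6: present the TGT plus a fresh authenticator to the TGS for any service.
        tgt, key = self.creds["krbtgt/" + self.kdc.realm]
        reply = open_sealed(key, self.kdc.tgs_exchange(tgt, self.authenticator(key, now), service, now))
        self.creds[service] = (bytes.fromhex(reply["ticket"]), bytes.fromhex(reply["key"]))
        return self.creds[service]

def service_accept(service_key, seen, ticket_blob, auth_blob, now):
    # Step 5: the service learns who the client is without ever seeing a password.
    return verify_ticket(service_key, ticket_blob, auth_blob, seen, now)["client"]

def demo(password="correct horse", now=None):
    # Full run for user larisa against a mail service; returns the authenticated client name.
    now = time.time() if now is None else now
    kdc = KDC("MYTREK.COM")
    kdc.add_principal("larisa", "correct horse")
    kdc.add_principal("imap/turtle.mytrek.com")            # service principal with a random key
    larisa = Client("larisa", kdc)
    larisa.kinit(password, now)                             # wrong password raises ValueError
    ticket, key = larisa.get_ticket("imap/turtle.mytrek.com", now)
    return service_accept(kdc.keys["imap/turtle.mytrek.com"], set(), ticket, larisa.authenticator(key, now), now)

if __name__ == "__main__":
    print("mail server authenticated:", demo())
```

Note what the service never receives: the user's password or user key. It holds only its own key, and the only thing it can decrypt is a ticket the TGS sealed for it, which is why compromising one service does not yield credentials for the others.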
You can manually destroy any tickets you have with the kdestroy command.

NOTE With Kerberos V5, a Kerberos login utility is provided whereby users are automatically granted TGTs when they log in normally. This avoids the need to use kinit to obtain a TGT manually.

FIGURE 19-2 Kerberos authentication

Kerberized Services

Setting up a particular service to use Kerberos (known as Kerberizing) can be a complicated process. A Kerberized service needs to check the user's identity and credentials, check for a ticket for the service, and if one is not present, obtain one. Once Kerberized services are set up, their use is nearly transparent to the user. Tickets are automatically issued and authentication carried out without any extra effort by the user. The /etc/services file should contain a listing of specific Kerberized services. These are services such as kpasswd, kshell, and klogin that provide Kerberos password, superuser access, and login services.

Kerberos also provides its own Kerberized network tools for ftp, rsh, rcp, and rlogin. These are located in /usr/bin and use the same names as the original network tools with the prefix krb5-, as in krb5-ftp for the command line FTP client. The /usr/bin/ftp entry becomes a link to the /etc/alternatives/ftp item, which in turn is a link to /usr/bin/krb5-ftp. The rsh, rcp, and rlogin commands have the same kind of links. The telnet command will link to /usr/bin/telnet.krb5.

Kerberos Servers and Clients

Installing and configuring a Kerberos server is a complex process. Carefully check the documentation for installing the current versions. Some of the key areas are listed here. In the Kerberos configuration file, krb5.conf, you can set such features as the encryption method used and the database name. When installing Kerberos, be sure to follow the instructions carefully for providing administrative access.
You can start, stop, and restart the Kerberos server with the krb5-admin-server and the krb5-kdc scripts in the /etc/init.d directory. You will need to configure the server for your network, along with clients for each host (the krb5-server package for servers and krb5-clients for clients). To configure your server, you first specify your Kerberos realm and domain. You then create a database with the kdb5_util command and the create option:

kdb5_util create -s

You will be prompted to enter a master key. You then need to add a local principal, a local user with full administrative access from the host on which the server runs. Start the kadmin.local tool and use the addprincipal command to add the local principal. You can then start the krb5-admin-server and krb5-kdc scripts.

On each client host, use the kadmin tool with the addprincipal command to add a principal for the host. Also add a host principal for each host on your network with a host/ qualifier, as in host/rabbit.mytrek.com. You can use the -randkey option to specify a random key. Then save local copies of the host keys, using the ktadd command to save them in the /etc/krb5.keytab file. Each host needs to also have the same /etc/krb5.conf configuration file on its system, specifying the Kerberos server and the kdc host.

NOTE When you configure Kerberos with the authentication tool, you will be able to enter the realm, KDC server, and Kerberos server. Default entries will be displayed using the domain example.com. Be sure to specify the realm in uppercase letters. A new entry for your realm will be made in the realms segment of /etc/krb5.conf, listing the kdc and server entries you made.

CHAPTER 20
Firewalls

Most systems currently connected to the Internet are open to attempts by outside users to gain unauthorized access.
Outside users can try to gain access directly by setting up an illegal connection, by intercepting valid communications from users remotely connected to the system, or by pretending to be valid users. Firewalls, encryption, and authentication procedures can be used to protect against such attacks. A firewall prevents any direct unauthorized attempts at access, encryption protects transmissions from authorized remote users, and authentication verifies that a user requesting access has the right to do so.

The current Linux kernel incorporates support for firewalls using the netfilter (iptables) packet filtering package. To implement a firewall, you simply provide a series of rules to govern what kind of access you want to allow on your system. If that system is also a gateway for a private network, the system's firewall capability can effectively help protect the network from outside attacks.

Like all Linux systems, Ubuntu implements its firewall using iptables. However, you can choose from several different popular firewall management tools. Ubuntu now provides its own firewall management tool called the Uncomplicated Firewall (ufw). iptables and ufw are in the Ubuntu main repository, and all other firewall tools are in the universe repository. You can also choose to use other popular management tools such as Firestarter or Firewall Builder (fwbuilder). Firestarter provides a desktop interface, whereas ufw is command line only. Both ufw and Firestarter are covered in this chapter, along with the underlying iptables firewall application. Search Synaptic for firewall to see a more complete listing. Firewall tools are listed in Table 20-1.

Uncomplicated Firewall

The Uncomplicated Firewall, ufw, is now the official firewall application for Ubuntu. It provides a simple firewall that can be managed with a few command line operations. Like all firewall applications, ufw uses iptables to define rules and run the firewall.
The ufw application is a management interface for iptables. Default iptables rules are kept in before and after files, with added rules in user files. The iptables rule files are held in the /etc/ufw directory. Firewall configuration for certain packages will be placed in the /usr/share/ufw.d directory. The ufw firewall is started up at boot using the /etc/init.d/ufw script.

Copyright © 2009 by The McGraw-Hill Companies.

iptables firewall rules are set up using ufw commands entered on a command line in a terminal window. Most users may only need to use ufw commands to allow or deny access by services like the Web server or Samba server. To check the current firewall status, listing those services allowed or blocked, use the status command:

sudo ufw status

If the firewall is not enabled, you will first have to enable it with the enable command:

sudo ufw enable

You can restart the firewall, reloading your rules, using the /etc/init.d/ufw restart command:

sudo /etc/init.d/ufw restart

You can then add rules using the allow and deny commands and their options, as listed in Table 20-2. To allow a service, use the allow command and the service name, that is, the name for the service listed in the /etc/services file. The following command allows the ftp service:

sudo ufw allow ftp

If the service you want is not listed in /etc/services, and you know the port and protocol it uses, you can specify the port and protocol directly.
For example, the Samba service uses port 137 and protocol TCP:

sudo ufw allow 137/tcp

The status operation will then show what services are allowed:

sudo ufw status
To              Action  From
21:tcp          ALLOW   Anywhere
21:udp          ALLOW   Anywhere
137:tcp         ALLOW   Anywhere

TABLE 20-1 Ubuntu Firewall Configuration Tools

Firewall          Description
iptables          netfilter, NAT, and mangle: netfilter.org (main repository)
ufw               Uncomplicated Firewall: https://wiki.ubuntu.com/UbuntuFirewall (Ubuntu main repository); also see the Ubuntu Server Guide at http://doc.ubuntu.com
Firestarter       Firestarter firewall configuration tool: www.fs-security.com (universe repository)
Firewall Builder  Firewall configuration tool that allows for more complex configuration: www.fwbuilder.org (universe repository)
gnome-lokkit      Basic firewall configuration (universe repository)
Shorewall         Shoreline firewall: www.shorewall.net (universe repository)
Guarddog          KDE firewall configuration tool: www.simonzone.com/software/guarddog (universe repository)

To remove a rule, prefix it with the delete command:

sudo ufw delete allow 137/tcp

More detailed rules can be specified using the address, port, and protocol commands. These are similar to the actual iptables commands. Packets to and from particular networks, hosts, and ports can be controlled. The following denies SSH access (port 22) from host 192.168.03:

sudo ufw deny proto tcp from 192.168.03 to any port 22

The rules you add are placed in the /var/lib/ufw/user.rules file as iptables rules. ufw is just a front end for iptables-restore, which will read this file and set up the firewall using iptables commands. ufw will also have iptables-restore read the before.rules and after.rules files in the /etc/ufw directory. These files are considered administrative files that include required supporting rules for your iptables firewall. Administrators can add their own iptables rules to these files for system-specific features such as IP masquerading.
NOTE The Ubuntu Server Guide (http://doc.ubuntu.com) shows how to implement IP masquerading on ufw.

TABLE 20-2 ufw Firewall Operations

Command                      Description
enable, disable              Turn the firewall on or off
status                       Display status along with services allowed or denied
logging on, logging off      Turn logging on or off
default allow, default deny  Set the default policy; allow is open, deny is restrictive
allow service                Allow access by a service; services are defined in /etc/services, which specifies the ports for that service
allow port-number/protocol   Allow access on a particular port using the specified protocol; the protocol is optional
deny service                 Deny access by a service
delete rule                  Delete an installed rule; use allow or deny and include the rule specifics
proto protocol               Specify the protocol in an allow or deny rule
from address                 Specify the source address in an allow or deny rule
to address                   Specify the destination address in an allow or deny rule
port port                    Specify the port in an allow or deny rule for from and to address operations

The before.rules file will specify a table with the * symbol, as in *filter for the netfilter table. For the NAT table, you would use *nat. At the end of each table segment, a COMMIT command is needed to instruct ufw to apply the rules. Rules use -A for allow and -D for deny, assuming the iptables command. The following would implement IP forwarding when placed at the end of the before.rules file (see the Ubuntu firewall server documentation). This particular rule works on the first Ethernet device (eth0) for a local network (192.168.0.0/24):

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these NAT table rules won't be processed
COMMIT

Default settings for ufw are placed in /etc/defaults/ufw. Here you will find the default INPUT, OUTPUT, and FORWARD policies.
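Because ufw hands before.rules, user.rules and after.rules to iptables-restore, a table segment without its COMMIT line or a stray line outside any *table header means a whole table of rules silently never loads. The following Python script is an added example, not ufw's code, that parses a file in that format and reports those problems; the sample rules are constructed from the nat fragment above with a minimal filter table placed in front of it. Two facts it relies on: in iptables syntax, -A appends a rule to a chain and -D deletes one, and whether a packet is accepted or dropped is decided by the rule's -j target, which is what the checker reads; and a MASQUERADE rule only helps if forwarded packets are accepted, either by a FORWARD policy of ACCEPT or by explicit ACCEPT rules in the FORWARD chain, which is the requirement the ufw default-policy discussion turns on.

```python
"""Checker for iptables-restore style rule files such as ufw's before.rules (added example, not
part of ufw). It parses *table headers, :CHAIN POLICY [packets:bytes] lines, -A/-I/-D rules and
COMMIT, then reports a table segment that is never committed, lines outside any table, and a
MASQUERADE rule in the nat table while the filter table's FORWARD policy still drops everything."""
import shlex

# Constructed sample modelled on the nat fragment shown in the text, with a filter table in front.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these NAT table rules won't be processed
COMMIT
"""

def parse_rules(text):
    """Return ({table: {"policies": {chain: policy}, "rules": [...], "committed": bool}}, problems)."""
    tables, problems, current = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:].strip()
            tables[current] = {"policies": {}, "rules": [], "committed": False}
        elif current is None:
            problems.append(f"line {n}: '{line}' is outside any *table segment")
        elif line == "COMMIT":
            tables[current]["committed"] = True
            current = None                      # anything after COMMIT needs a new *table header
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy   # '-' marks a user-defined chain, no policy
        elif line.split()[0] in ("-A", "-I", "-D"):
            tokens = shlex.split(line)
            target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
            tables[current]["rules"].append({"op": tokens[0], "chain": tokens[1],
                                             "target": target, "args": tokens[2:]})
        else:
            problems.append(f"line {n}: unrecognised line '{line}'")
    for name, table in tables.items():
        if not table["committed"]:
            problems.append(f"table {name}: no COMMIT line, so its rules would never be loaded")
    return tables, problems

def masquerade_warnings(tables):
    """Heuristic: masquerading only works if forwarded packets are accepted somewhere."""
    nat = tables.get("nat", {"rules": []})
    if not any(r["target"] == "MASQUERADE" for r in nat["rules"]):
        return []
    filt = tables.get("filter", {"policies": {}, "rules": []})
    accepts = any(r["chain"] == "FORWARD" and r["target"] == "ACCEPT" for r in filt["rules"])
    if filt["policies"].get("FORWARD") == "DROP" and not accepts:
        return ["nat MASQUERADE present but filter FORWARD policy is DROP with no ACCEPT rule; "
                "set the forward policy to ACCEPT or add explicit FORWARD rules"]
    return []

def check_rules(text):
    """One-call wrapper: every problem and warning for a rules file, empty list if clean."""
    tables, problems = parse_rules(text)
    return problems + masquerade_warnings(tables)

if __name__ == "__main__":
    for msg in check_rules(SAMPLE_RULES) or ["no problems found"]:
        print(msg)
```

Run as is, the sample produces the FORWARD warning, since the constructed filter table drops forwarded packets; changing that policy to ACCEPT, or removing the final COMMIT, shows the other two outcomes.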
A default deny command will set the default INPUT to DROP and OUTPUT to ACCEPT, whereas default allow will set both INPUT and OUTPUT defaults to ACCEPT. FORWARD will be set to DROP. To allow IP masquerading, FORWARD would have to be set to ACCEPT. Any user rules you have set up would not be affected. You would have to change these manually.

Firestarter

As on all Linux systems, firewalls are implemented using iptables. Setting up the iptables rules can become very complicated, so firewall configuration tools can be used to set up your firewall, with most rules being automatically generated for you. Ubuntu provides the Firestarter firewall configuration tool for this purpose. To access Firestarter, choose System | Administration | Firewall. Much of the configuration is automatic. If you are using a local home or work network, you may have to add rules for services such as Samba Windows network access or the network address of your local network.

The first time you start up Firestarter, the Firewall Wizard will prompt you for your network device and Internet connection sharing information. After the Welcome screen, the Network Device Setup window lets you select your network device, such as an Ethernet device or a modem, as well as whether to use DHCP (Dynamic Host Configuration Protocol) to detect your address information (Figure 20-1).

The Internet Connection Sharing Setup window is rarely used. You can probably skip it. It is used only for local networks on which your computer is used as a gateway through which other computers can access the Internet. A second Ethernet device is usually connected to the local network as well as a local DHCP server controlling local network addressing. Most Internet gateways are now handled by dedicated routers, rather than computers.

Firestarter starts with a window titled with your computer name, with three tabs: Status, Events, and Policy (Figure 20-2). The toolbar entries will change with each tab you select.
The Status tab lets you start and stop your firewall using the Stop/Start Firewall button in the toolbar. Its status is shown as a play or stop icon in the Status area of the Status tab. The Events area of this tab shows inbound and outbound traffic, and the Network area lists your [...]