LPI Linux Certification in a Nutshell Part 43

On the ExamYou may be asked to provide the proper syntax for making sure ssh-agent ssh-agent is running (which is is running (which is eval 'ssh-agent' eval 'ssh-agent'). Also be ready to show how to use ssh-add ssh-add after the user has generated a key. after the user has generated a key.

Other SSH Tricks OpenSSH respects TCP wrapper configurations, described in Chapter23 Chapter23.

sshd, like the Linux login login program, denies logins when the file program, denies logins when the file /etc/nologin /etc/nologin exists. When remotely maintaining hosts in a way that may disrupt user activities, you should create this file with a helpful explanation of what is happening. This will stop all nonroot logins by any method, so you can do your maintenance undisturbed. The file is usually created by the exists. When remotely maintaining hosts in a way that may disrupt user activities, you should create this file with a helpful explanation of what is happening. This will stop all nonroot logins by any method, so you can do your maintenance undisturbed. The file is usually created by the shutdown shutdown command as well, to keep users from logging in while the machine is shutting down. The file is removed after a complete boot: command as well, to keep users from logging in while the machine is shutting down. The file is removed after a complete boot: #cat>/etc/nologin If there is any reason to suspect that your maintenance work can disconnect you or break the login mechanism, you should keep multiple login sessions open while doing the work. Test logging in again before closing them. Otherwise, doing a tiny PAM change that breaks all authentication could force you to reboot the machine into single-user mode to recover.

Consider scheduling an at at or or cron cron job to remove job to remove /etc/nologin /etc/nologin at a particular time, in the event you log yourself out. Such a job can be handy when restarting at a particular time, in the event you log yourself out. Such a job can be handy when restarting sshd sshd from a remote location as well. from a remote location as well.

SSH Port Forwarding ssh has the ability to forward arbitrary IP-based protocols. The syntax is given next. has the ability to forward arbitrary IP-based protocols. The syntax is given next.

Name ssh-keygen Syntax ssh-keygen[-bbits]-ttype ssh-keygen-p[-ttype]

ssh-keygen-q-trsa1-f/etc/ssh/ssh_host_key-C''-N''

ssh-keygen-q-trsa-f/etc/ssh/ssh_host_rsa_key-C''-N''

ssh-keygen-q-tdsa-f/etc/ssh/ssh_host_dsa_key-C''-N''

Description ssh-keygen generates keys to identify hosts or users in the SSH protocol, versions 1 and 2. generates keys to identify hosts or users in the SSH protocol, versions 1 and 2.

The first form creates a key. For version 1 of the protocol, the type should be rsa1 rsa1. For version 2, it can be either rsa rsa or or dsa dsa. The -b -b option sets the number of bits in the keys: 512 is the minimum, and 1024 bits is the default. In general, you can use as many bits as you like. During key generation, you will be asked to give a pa.s.sphrase. A pa.s.sphrase is different from a pa.s.sword in that it is a phrase, not simply a word, and is expected to be long. If a key pair has a pa.s.sphrase a.s.sociated with it, you will be expected to provide that pa.s.sphrase interactively every time you need to access that key pair. If this is undesirable (for example, if you have unattended processes accessing the key pair), you don't want to provide a pa.s.sphrase. option sets the number of bits in the keys: 512 is the minimum, and 1024 bits is the default. In general, you can use as many bits as you like. During key generation, you will be asked to give a pa.s.sphrase. A pa.s.sphrase is different from a pa.s.sword in that it is a phrase, not simply a word, and is expected to be long. If a key pair has a pa.s.sphrase a.s.sociated with it, you will be expected to provide that pa.s.sphrase interactively every time you need to access that key pair. If this is undesirable (for example, if you have unattended processes accessing the key pair), you don't want to provide a pa.s.sphrase.

The second form is used to change your pa.s.sphrase.

The three last forms are used to generate the three different kinds of host keys. The first is for version 1 of the protocol; the two others are for version 2. The -f -f option sets the output filename; if you omit the option, you will be prompted for the name. The option sets the output filename; if you omit the option, you will be prompted for the name. The -C -C option sets a comment on the key, and option sets a comment on the key, and -N -N sets the pa.s.sphrase. sets the pa.s.sphrase.

Example Generate a private key and then change its pa.s.sphrase: $ssh-keygen-tdsa-b2048 Generatingpublic/privatedsakeypair.Enterfileinwhichtosavethekey (/home/janl/.ssh/id_dsa): Createddirectory'/home/janl/.ssh'.Enterpa.s.sphrase (emptyfornopa.s.sphrase):pa.s.sphrase Entersamepa.s.sphraseagain:pa.s.sphrase Youridentificationhasbeensavedin/home/janl/.ssh/id_dsa.

Yourpublickeyhasbeensavedin/home/janl/.ssh/id_dsa.pub.

Thekeyfingerprintis: c2:be:20:4a:17:2e:3f:b2:73:46:5c:00:ef:38:ca:[email protected] $ssh-keygen-p-tdsa Enterfileinwhichthekeyis(/home/janl/.ssh/id_dsa): Enteroldpa.s.sphrase:pa.s.sphrase Keyhascomment'/home/janl/.ssh/id_dsa'

Enternewpa.s.sphrase(emptyfornopa.s.sphrase):pa.s.sphrase Entersamepa.s.sphraseagain:pa.s.sphrase Youridentificationhasbeensavedwiththenewpa.s.sphrase.

Name ssh -R|L Syntax ssh-R|Lport:host:host_port[user@]hostname[command]

Description When the main option is -L -L, ssh ssh redirects traffic from the local port redirects traffic from the local port port port to the remote machine and port given by to the remote machine and port given by host:host_port host:host_port. The host host is resolved by the resolver on the host you connect to. For security reasons, it binds only to the localhost address, not to any ethernet or other interfaces you may have. is resolved by the resolver on the host you connect to. For security reasons, it binds only to the localhost address, not to any ethernet or other interfaces you may have.

When a program connects to the localhost port, the connection is forwarded to the remote side. A very useful application for this is to forward local ports to your company's mail server so you can send email as if you were at the office. All you have to do then is configure your email client to connect to the right port on localhost localhost. This is shown by the example in the following section.

When using -R -R, the reverse happens. The port port port of the remote host's localhost interface is bound to the local machine, and connections to it will be forwarded to the local machine given by port of the remote host's localhost interface is bound to the local machine, and connections to it will be forwarded to the local machine given by host:host_port host:host_port.

Example Log into login.example.com login.example.com. Then, forward connections that come into localhost port 2525 to port 25 on mail.example.com mail.example.com, which would otherwise reject relaying for you. The reason for binding to port 2525 is that you need to be root root to bind to port 25: to bind to port 25: $ssh-L2525:mail.example.com:25login.example.com

Configuring OpenSSH This section explains how to acquire, compile, install, and configure OpenSSH for Linux, so that you can use it in place of telnet telnet, rsh rsh, and rlogin rlogin.

In the unlikely event that your Linux distribution does not include OpenSSH, it is available at http://www.openssh.com/portable.html and at many mirror sites around the world. It is a simple matter to compile and install OpenSSH if you have and at many mirror sites around the world. It is a simple matter to compile and install OpenSSH if you have gcc gcc, make make, and the necessary libraries and header files installed. The OpenSSH build uses autoconf autoconf (the usual (the usual configure configure, make make, and so on) like most other free software/open source projects.

To enable login from remote systems using OpenSSH, you must start sshd sshd, which may be done simply by issuing the following command: #sshd Note that you do not need to put this command in the background, as it handles this detail itself. Once the sshd sshd daemon is running, you may connect from another SSH-equipped system: daemon is running, you may connect from another SSH-equipped system: #sshmysecurehost The default configuration should be adequate for basic use of SSH.

On the ExamSSH is an involved and highly configurable piece of software, and detailed knowledge of its setup is not required. However, SSH is an important part of the security landscape. Be aware that all communications using SSH are encrypted using public/private key encryption, which means that plain-text pa.s.swords are not exposed by SSH and are therefore unlikely to be compromised.

Configuring and Using GNU Privacy Guard (GPG) This book isn't the place for a full GPG tutorial. However, the LPI 102 exam requires you to understand how to use the standard GPG command to: Generate a key pair Import (i.e., add) a public key to a GPG keyring Sign keys List keys Export both a public and private key Encrypt and decrypt a file You will also be expected to troubleshoot a standard implementation, which means that you'll need to understand the files in the ~/.gnupg/ ~/.gnupg/ directory. directory.

Generating a Key Pair Following is an example of the sequence necessary for generating a key pair in GPG: $gpg--gen-key pg(GnuPG)1.2.1;Copyright(C)2008FreeSoftwareFoundation,Inc.

ThisprogramcomeswithABSOLUTELYNOWARRANTY.

Thisisfreesoftware:youarefreetochangeandredistributeit.

ThereisNOWARRANTY,totheextentpermittedbylaw.

gpg:keyring'/home/james/.gnupg/secring.gpg'created gpg:keyring'/home/james/.gnupg/pubring.gpg'created Pleaseselectwhatkindofkeyyouwant: (1)DSAandElGamal(default) (2)DSA(signonly) (5)RSA(signonly) Yourselection?5 Whatkeysizedoyouwant?(1024)2048 Requestedkeysizeis2048bits Pleasespecifyhowlongthekeyshouldbevalid.

0=keydoesnotexpire =keyexpiresinndays w=keyexpiresinnweeks m=keyexpiresinnmonths y=keyexpiresinnyears Keyisvalidfor?(0)3y KeyexpiresatFriSep1800:23:002009CET Isthiscorrect(y/n)?y

YouneedaUser-IDtoidentifyyourkey;thesoftwareconstructstheuserid fromRealName,CommentandEmailAddressinthisform: "JamesStanger(JamesStanger)"

Realname:JamesStanger Emailaddress:[email protected] Comment: YouselectedthisUSER-ID: "JamesStanger"

Change(N)ame,(C)omment,(E)mailor(O)kay/(Q)uit?o YouneedaPa.s.sphrasetoprotectyoursecretkey.

Enterpa.s.sphrase: Repeatpa.s.sphrase:

Weneedtogeneratealotofrandombytes.Itisagoodideatoperform someotheraction(typeonthekeyboard,movethemouse,utilizethe disks)duringtheprimegeneration;thisgivestherandomnumber generatorabetterchancetogainenoughentropy.

..+++++ +++++ publicandsecretkeycreatedandsigned.

keymarkedasultimatelytrusted.

pub2048R/97DAFDB22004-01-12JamesStanger Keyfingerprint=85B20933AC51430B3A38D67334379CAC97DAFDB2

Notethatthiskeycannotbeusedforencryption.Youmaywanttouse thecommand"--edit-key"togenerateasecondarykeyforthispurpose.

Notice that you have several options when you first issue the gpg --gen-key gpg --gen-key command: command: DSA and ElGamal A DSA key pair is created for making signatures to sign files, and an ElGamal key pair is created to encrypt files.

DSA sign only A faster method, but only creates a key pair that can sign files.

RSA sign only Same as option 2 but uses RSA encryption instead of DSA.On the ExamYou will only need to know about option 1, DSA and ElGamal. You will not be expected to know how to use GPG with email applications, such as Mozilla Thunderbird.

Importing a Public Key to a GPG Keyring The GPG public key repository is called a "keyring." The keyring contains your private key (or multiple private keys), plus all of the public keys of individuals you wish to communicate with. To add a public key to your keyring, you generally obtain a text file that contains the public key. If, for example, the file were named andy_oram_oreilly.asc andy_oram_oreilly.asc, you would issue the following command: $gpg--importandy_oram_oreilly.asc Signing Keys Before you can safely use an imported key, you need to sign it. To do so, issue the following command from your terminal: $gpg--edit-keyusername If, for example, you wished to sign the key within the andy_oram_oreilly.asc andy_oram_oreilly.asc file, you would need to obtain the username of that key. Let's a.s.sume that the username is file, you would need to obtain the username of that key. Let's a.s.sume that the username is Andyo Andyo. You would then issue the following command: $gpg--edit-key"Andyo"

You will then be asked if you wish to really sign the key. As your reply, you need to provide the pa.s.sword for your private key. Once you do this, GPG will sign the key you have just imported.

Listing Keys Once you have imported keys, you can then list all of them by using the --list-keys --list-keys option: option: $gpg--list-keys This command lists both your private key (you usually have only one, but you can have as many as you like) as well as the public keys you have imported. An example of output from the command on a keyring that contains keys for James Stanger and Andy Oram would appear as follows: /home/james/.gnupg/pubring.gpg --------------------------------------- pub2048g/CC7877gh2009-09-11James(Stanger) sub2048g/89G5B4KM2009-09-11

pub2048D/4g37NJ272009-12-09Andyo(Oram)

If you wish to list just the private keys, or what GPG calls "secret keys," use the --list-secret-keys --list-secret-keys option. To list just the public keys, use the option. To list just the public keys, use the --list-public-keys --list-public-keys option. option.

Export both a Public and Private Key Exporting your private key is useful because you will want to create a backup should your system somehow become unavailable or experience a problem. To create a backup of all keys to a single file, issue the following command: $gpg--export-ogpg_backup_file If, for example, your username were James Stanger, the following command would export only your private key to a file named private.key private.key: $gpg--export-secret-key-a"JamesStanger"-oprivate.key To export your public key, you would issue the following command: $gpg--export-public-key-a"JamesStanger"-ostanger.pub Encrypting a File Now suppose that you wish to encrypt a file named chapter24.odt chapter24.odt so that only the user named Andy Oram can use it. You would issue the following command: so that only the user named Andy Oram can use it. You would issue the following command: $gpg-e-u"JamesStanger"-r"AndyOram"chapter24.odt The resulting file would be called chapter24.odt.gpg chapter24.odt.gpg.

Once Andy receives this file, he would issue the following command: $gpg-dchapter24.odt.gpg He would then be able to read the file using OpenOffice.

Troubleshooting Files in the ~/.gnupg/ Directory The LPI exam also expects you to identify the files in the ~/.gnupg ~/.gnupg directory, mainly because you may need to troubleshoot an installation or obtain a private key. Following is a listing of the files found in a typical GPG implementation, regardless of Linux distribution: directory, mainly because you may need to troubleshoot an installation or obtain a private key. Following is a listing of the files found in a typical GPG implementation, regardless of Linux distribution: gpg.conf Allows you to create default settings for GPG, including a preferred key server. A key server contains the public keys of any user who wishes to upload her keys.

pubring.gpg Contains the public keys that you have imported.

random_seed A text file containing settings that enable GPG to create random numbers more quickly and easily.

secring.gpg Contains the private key that determines your ident.i.ty.

trustdb.gpg The trust database, which contains the information concerning the trust values you have a.s.signed to various public keys. A user may set variable levels of trust to public keys in his key ring. More information on trust can be found in the GPG doc.u.mentation.On the ExamMake sure that you understand how to import a public key and export both public and private keys.

Chapter25.Exam 102 Review Questions and Exercises

This chapter presents review questions to highlight important concepts and hands-on exercises that you can use to gain experience with the Topics covered on the LPI Exam 102. The exercises can be particularly useful if you're not accustomed to more advanced Linux administration, and they should help you better prepare for the exam. To complete the exercises, you need a working Linux system that is not in production use. You might also find it useful to have a pen and paper handy to write down your responses as you work your way through the review questions and exercises.

Sh.e.l.ls, Scripting, and Data Management (Topic 105) Review Questions 1. Why is it dangerous to have "." (the current working directory) in your $PATH variable?

2. What characteristic of a bash bash variable changes when the variable is exported? variable changes when the variable is exported?

3. What configuration files will bash bash read when a sh.e.l.l is started? read when a sh.e.l.l is started?

4. Describe the concept of sh.e.l.l aliases.

5. When is a sh.e.l.l function more suitable than a sh.e.l.l alias?

6. Describe the function of /etc/profile /etc/profile.

7. What must the author of a new script file do to the file's mode in order to make it executable?

8. How does the sh.e.l.l determine what interpreter to execute when starting a script?

9. How can a sh.e.l.l script use return values of the commands it executes?

10. What are some common open source databases available on Linux systems?

11. Describe the common MySQL datatypes and when they are appropriate to use.

12. What is the difference between a join and a left join in a SQL query?

Exercises 1. Using bash bash, enter the export export command and the command and the set set command. Which set of variables is a subset of the other? What is the difference between the variables reported by command. Which set of variables is a subset of the other? What is the difference between the variables reported by export export and those reported by and those reported by set set? Finally, enter which export which export. Where is the export export command located? command located?

2. Examine /etc/profile /etc/profile. How is the default umask umask set? What customizations are done in the file for system users? set? What customizations are done in the file for system users?

3. Create a simple bash bash script using the script using the #!/bin/bash #!/bin/bash syntax, set the executable mode bits, and execute the sh.e.l.l. If it runs correctly, add errors to see the diagnostic messages. Have the script report both exported and nonexported variables. Verify that the nonexported variables do not survive the startup of the new sh.e.l.l. syntax, set the executable mode bits, and execute the sh.e.l.l. If it runs correctly, add errors to see the diagnostic messages. Have the script report both exported and nonexported variables. Verify that the nonexported variables do not survive the startup of the new sh.e.l.l.

4. Create some bash aliases in your current sh.e.l.l. Start a new sh.e.l.l by running the command bash bash in your current sh.e.l.l. Do your aliases work in this child sh.e.l.l? Why or why not? in your current sh.e.l.l. Do your aliases work in this child sh.e.l.l? Why or why not?

5. Create a MySQL table structure that could be used to store the fields in the file /etc/pa.s.swd /etc/pa.s.swd. Write a sh.e.l.l script to pa.r.s.e this file, one line at a time, and call the mysql mysql command-line program to insert the users defined in command-line program to insert the users defined in /etc/pa.s.swd /etc/pa.s.swd into your table. Once this is complete, write a SQL query to list all usernames that have a sh.e.l.l of into your table. Once this is complete, write a SQL query to list all usernames that have a sh.e.l.l of /bin/bash /bin/bash.

The X Window System (Topic 106) Review questions 1. What is the main X Windows configuration file?

2. What are the troubleshooting steps you need to take when X Windows won't start?

3. How can you switch between desktop environments (for example, running KDE instead of Gnome)?

4. What are some common functions that can be used to a.s.sist visually impaired users with using X Windows?

5. What file would you edit to make an application run every time you log into X Windows?

Exercises 1. Boot your system into runlevel 3. Log in as root and type the command /usr/bin/startx /usr/bin/startx. Exit X Windows and examine the logfile /var/log/Xorg.0.log /var/log/Xorg.0.log. What specific things does this file tell you about your graphical environment? From this file, can you determine what video card you have and what resolutions it supports?

2. Exit X Windows and use the /sbin/init /sbin/init command to change your system to runlevel 5. Once X Windows starts, hit the key combination Ctrl-Alt-backs.p.a.ce. What happens to X Windows? Why does this happen? command to change your system to runlevel 5. Once X Windows starts, hit the key combination Ctrl-Alt-backs.p.a.ce. What happens to X Windows? Why does this happen?