April 18, 2019

Remote Administration of Linux Systems - page 2

Introducing Remote Administration

  • August 27, 2002
  • By Alexander Prohorenko

The text console is the most useful tool for system administration of Linux. It places little demand on communication bandwidth, and from the user's point of view it behaves exactly the same for remote and local administration tasks.

For remote administration we can use serial COM ports or modem and network (TCP/IP) connections.

For a connection via serial port we will use the mgetty package. The configuration files for mgetty are located in /etc/mgetty+sendfax. To perform a standard setup, follow these steps:

  1. In the file mgetty.config, we need to add a description of the serial port:
    port ttyS0
    speed 115200
    data-only y
    init-chat "" ATZ OK ATL1M1 OK

    • port ttyS0 - The device name (port name) to which we will connect the modem
    • speed 115200 - Port speed. It depends on hardware properties
    • data-only y - Tells mgetty that the modem will handle only data, not voice functions
    • init-chat "" ATZ OK ATL1M1 OK - Redefines the initialization parameters in request-answer format, where the answer indicates the ability to receive commands; for modems it is just an empty line
  2. In the file login.config, we need to check that the following line exists (it is usually set by default):
    -       -       /bin/login @
  3. In /etc/inittab we will append a record like this one:
    S0:345:respawn:/sbin/mgetty /dev/ttyS0
  4. Re-load all the configuration from this file by typing
    init q

It goes without saying that the modem needs to be connected to the PC and phone line and should be powered up at this moment.

Now, if anyone calls with any terminal software tool to the modem's telephone number, that user will see the login prompt on his display and a password prompt--just like the one we have on our local console.

If we need to work in text mode via TCP/IP, we can use telnet, rsh (Remote SHell), or ssh (Secure SHell). I strongly do not recommend telnet and rsh, as they are unprotected from illegal access or any hack attempts. ssh uses encryption during send/receive operations as well as digital signatures (certificates) to keep things much safer.

It is very important to note, however, that even with ssh, you should use only the latest versions available on your distributor's site, and check the digital signature and checksum of the ssh package before installation.

ssh consists of two parts: server (daemon) and client. The configuration files are located in the /etc/ssh directory. We also have the local system keys there.

Let's configure the server part first. We will take a look at the simplest and not very "paranoid" variant--allowing any hostname and password authentication, using any known encryption methods. For that, we need to follow these steps:

  1. In the file /etc/ssh/sshd_config,
    • Disallow log in for root user (security condition):
      PermitRootLogin no
    • Allow password authentication
      PasswordAuthentication yes
    • Disallow "empty" passwords. In this case a user without a password can not login to the system
      PermitEmptyPasswords no
  2. Allow access in the tcp_wrappers configuration section of /etc/hosts.allow
    sshd: ALL

    Instead of ALL (all hostnames) we can write a more detailed rule, for example:

    sshd: 10.0. 

    This means that access is allowed only for localhost, network, and hostname

  3. To start up the server
    service sshd start
    sshd started:                                          [  OK  ]

    and let's set up the server to start automatically when the system reboots

    chkconfig sshd on
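
To confirm which values sshd will actually use for the three directives above, the following added example (not part of the original article) reads the global section of a config file and applies sshd's rule that the first occurrence of a keyword wins. The function names and the sample file are constructed for illustration, and lines after a Match keyword are ignored by assumption.

```shell
#!/bin/sh
# Added example: audit the three sshd_config directives set in the article.

# Print the effective global value of KEYWORD in FILE, or "unset".
# sshd keywords are case-insensitive and the first occurrence wins.
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset"; found = 0 }
        /^[ \t]*#/ { next }                      # skip comment lines
        { sub(/=/, " ") }                        # accept "Keyword=value" too
        tolower($1) == "match" { exit }          # assumption: global section only
        tolower($1) == want && !found { val = tolower($2); found = 1 }
        END { print val }
    ' "$1"
}

# Compare FILE against the values the article sets; return 1 on any mismatch.
audit_sshd() {
    rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:yes PermitEmptyPasswords:no; do
        key=${pair%%:*}
        expected=${pair#*:}
        actual=$(sshd_effective "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "ok     $key $actual"
        else
            echo "CHECK  $key is '$actual', article sets '$expected'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a "PermitRootLogin no" appended after an earlier "yes"
# has no effect, and the commented-out PermitEmptyPasswords line sets nothing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
PermitRootLogin no
EOF
audit_sshd "$sample" || echo "review the lines marked CHECK"
rm -f "$sample"
```

A keyword reported as "unset" falls back to the default compiled into the installed sshd, so set it explicitly when the value matters.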

Now the server part is ready. Let's try to connect to it. On a workstation we can type:

ssh -l username host.com

where username is a login name of an existing user on the server and host.com is the name or an IP address of the server.

On the first connection, ssh will display a warning that the host is unknown and will give us the fingerprint of the received key.

    The authenticity of host 'host.com (' can't be established.
    RSA key fingerprint is 2f:75:e7:8e:35:37:cf:17:c4:5d:ac:54:1f:ff:6f:9b.
    Are you sure you want to continue connecting (yes/no)?

We need to answer yes. We will never see this message again (provided the key is not changed). Now, we will be prompted to enter a password, which will complete this operation.

We can also use RSA key authentication instead of password authentication. For this purpose, we need to create keys with the ssh-keygen utility (on the client PC):

    ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/user/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/user/.ssh/id_rsa.
    Your public key has been saved in /home/user/.ssh/id_rsa.pub.
    The key fingerprint is:
    3d:9a:35:65:c4:36:11:8c:0a:43:28:e4:26:4f:19:59 user@host.com

We need to add the contents of the id_rsa.pub file to the /home/user/.ssh/authorized_keys file on the server.

After all these operations and steps are completed, we can connect to the server without entering a password, which is very useful when creating certain kinds of scripts.
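
The step of adding id_rsa.pub to authorized_keys, shown as an added example that is not part of the original article: it appends the key only once and sets owner-only permissions, because sshd's StrictModes check refuses key files that other users could write to. The function name, the temporary directory and the dummy key line are constructed for illustration.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys with safe modes.

# install_pubkey PUBKEY_FILE TARGET_HOME
# Prints "added", "present" or "refused"; runs in a subshell so umask is local.
install_pubkey() (
    pub=$1
    sshdir=$2/.ssh
    auth=$sshdir/authorized_keys
    # Refuse anything that is not one line of "type base64 [comment]",
    # which also catches a private key file passed by mistake.
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo refused; exit 1; }
    grep -Eq '^ssh-[a-z0-9-]+ [A-Za-z0-9+/=]+( .*)?$' "$pub" ||
        { echo refused; exit 1; }
    umask 077
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || exit 1
    touch "$auth" && chmod 600 "$auth" || exit 1
    if grep -qxF -- "$(cat "$pub")" "$auth"; then
        echo present                 # already authorised, do not duplicate
    else
        cat "$pub" >> "$auth"
        echo added
    fi
)

# Constructed sample data: a throwaway home directory and a dummy key line
# (not a usable key) standing in for the client's id_rsa.pub.
demo_home=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedSAMPLE user@host.com' \
    > "$demo_home/id_rsa.pub"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"   # first run appends
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"   # second run is a no-op
ls -l "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```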
