BD350 HW 4

Linux Administration

Due: Friday, November 17th, 2006, before beginning of class

Name: ___________________________________

Score:  _____ / 45

INSTRUCTIONS:

Perform the following tasks in the order described below. 

Account Creation

0.   (2 pts) Send all pieces of information that you are requested to e-mail in a single message to me once you have completed the whole assignment.  I DO NOT want multiple e-mails with separate answers for different questions.

1.   (2 pts) Login to the server 10.10.103.249 using your lastname for your username and “Bd350!” as your password and change your password.  Then you can log out of this server as you won’t be using it for a while.

 

2.   (2 pts) Login to your personal Linux instance as “root” and change your password if you have not done so already.  (Look at the CERN site for info on good passwords.)  E-mail this password to me.

 

3.   (2 pts) Create a user account for the TA that does NOT have root privileges (this will be the default) and give it a good password.  The name of this account should be exactly “osricw” without quotes.  Look in the man pages for useradd, passwd, and perhaps userdel, for help on creating accounts.  Make sure that the home directory gets created and the comment field gets set.  E-mail this password to me.

 

 

VNC

 

4.   (5 pts) Start the VNC server program on your Linux instance as described below.  Make sure you leave this running after you are finished, so I can test it without having to start it myself.  E-mail me the password you use when starting this up, as well as the vncserver session number, i.e. 1, 2, 3, etc.  You only need to leave one session running.

             

Starting the VNC server

VNC is a graphical windows manager that you use to enhance your Linux instance's environment.  The VNC server is already installed on your instance.  Log in as a normal user (not root) and start the VNC server.

 

To start up VNC server, type:

            % vncserver   :1

*The :1 signifies the session number.  You can use whatever you want but remember that the session will listen on port 5900 plus the session number.  So, if you start vncserver with :1, it will listen on port 5901; if you start vncserver with :2, it will listen on port 5902.

*The program will prompt you for a password.  This is the password you will use for authentication to connect to your vncserver.  Make it a secure password (long enough, complex enough).  If you want to change the VNC password used, you may change it with vncpasswd.  All VNC servers created by a user will use the same password.

*To test that the vncserver is running, do a “ps faux” and see if the Xvnc process has started.

 

Connect to the vncserver

To connect to the vncserver on your host you will have to use a vncviewer program.  (Your host is the PC from which you are SSH'ing to your Linux instance.  You will download the VNC viewer program to your U: drive on your local PC - if you are doing this in the CoB lab - and run it from there.  When you run VNC viewer, you will have it connect to your Linux instance.)  The binary for the Windows(c) version is located at this address: http://www.tightvnc.com/download.html

*Make sure you download the VIEWER program only!!  It does not require an installation process, only extracting the binary file and running it.

*Remember that accessing your instance (even with VNC) must be done from on campus – either in the CoB lab or via elab.
*The file name for x86 machines running Windows is “tightvnc-1.2.9_x86_viewer.zip”

*Extract the zip file and run the executable it provides.  Once it is running you can use the viewer (client) to connect to the server on your Linux instance.  It will ask for the server name/IP that you want to connect to, as well as a password.

*The proper syntax for the server name (if your machine is 103.249) is as follows:

                        yourInstanceIP:sessionNumber

For example: 10.10.103.249:1

*Use the password that you previously made for the vncserver.

 

Shutting down the server

Since the vncserver program can take up considerable system resources, it is wise to shut it down when not in use.  (However, leave at least one server running to be graded!)  To shut down a vnc session, issue the following command:

            % vncserver -kill :1

            *This will shut down vncserver number 1.

* kde is the default manager.  It is very simple.  If you would like to use another manager such as twm, gnome, or windowmaker it is up to you to install it.  To make vncserver use one of those you will have to edit the ~/.vnc/xstartup file, comment out the line that starts up kde6, and put in the proper one for your manager.  For example, for windowmaker it would be “exec wmaker”.  Remember that since the s-390 architecture is different from x86 you will have to either build from the source or get packages that are built for the s-390.

 

 

SSH

 

5.   (5 pts) Log in to your personal Linux instance as your normal (not-root) user.

Create a Key Pair

Now you will create a public/private key pair for your user.

            * Use the command ssh-keygen with the -t option to specify a dsa key.

                        #ssh-keygen -t dsa

            *Use the default directory for the key.

            *Create a passphrase if you wish, but it is not necessary for the key to function.  (And a passphrase will require you to enter it every time you use the keys, so for our purposes you probably don’t want to create one.)

 

Distribute your public key

You should now have 2 keys in your $HOME/.ssh directory: id_dsa and id_dsa.pub.  Using the scp command, copy only your PUBLIC key to the YourRemoteHomeDirectory/.ssh directory on 10.10.103.249.  (YourRemoteHomeDirectory is your home directory on 10.10.103.249.)  Use man scp for more information.

                        #scp YourLocalHomeDirectory/.ssh/id_dsa.pub yourUserName@10.10.103.249:.ssh/id_dsa.pub

                                    -YourLocalHomeDirectory is your home directory on your individual Linux instance.

                                    -note the “:” and the “.” after the host address

                                    -note that if .ssh does not exist in your home directory on 103.249 you will need to create it before carrying out this command.

                        *While in your .ssh directory on 10.10.103.249, copy your public key to the authorized_keys2 file. You may have to create this file.

                                    #cat id_dsa.pub >>authorized_keys2

                        *You may have to give yourself permission to alter this file.

 

Use the key to authenticate

From your personal Linux instance, ssh into 10.10.103.249.  Your instance will automatically present its private key to the 103.249 machine, which will verify it against the public key you copied there – this process should mean you do not need to enter a password.  If you are prompted for a password, something isn’t set up correctly – check and make sure you’ve set up all your keys correctly.
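An added check, not part of the assignment, for the "still asked for a password" case: it inspects the remote .ssh directory the way sshd's StrictModes option does (directory not writable by group or others, an authorized_keys or authorized_keys2 file present and containing the copied key). It assumes a POSIX shell with GNU or BSD stat and takes the directory and the public key file as arguments.

```shell
#!/bin/sh
# Added example (not from the assignment): check a remote .ssh directory the way
# sshd's StrictModes does before it will accept a public key, so a "still asks
# for a password" failure can be diagnosed.  Assumptions: POSIX sh with GNU or
# BSD stat; DIR and PUBKEY are passed in rather than hard-coded.

# perm_of PATH: print the octal permission bits (GNU stat first, BSD fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_dir DIR PUBKEY: 0 if DIR would be accepted by sshd and PUBKEY is
# authorized there, 1 otherwise (each problem found is printed).
check_ssh_dir() {
    dir=$1; pub=$2; rc=0
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    [ -f "$pub" ] || { echo "missing public key file: $pub"; return 1; }
    # sshd ignores keys when .ssh is writable by group or others.
    mode=$(perm_of "$dir")
    case "$mode" in
        700) ;;
        *) echo "bad mode on $dir: $mode (want 700)"; rc=1 ;;
    esac
    found=0
    for f in "$dir/authorized_keys" "$dir/authorized_keys2"; do
        [ -f "$f" ] || continue
        found=1
        mode=$(perm_of "$f")
        case "$mode" in
            600|644) ;;
            *) echo "bad mode on $f: $mode (want 600)"; rc=1 ;;
        esac
        # The key copied with scp must appear as a whole line (-x) in the file.
        if ! grep -qxF "$(cat "$pub")" "$f"; then
            echo "key from $pub is not in $f"; rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no authorized_keys or authorized_keys2 in $dir"; rc=1
    fi
    return "$rc"
}
```

Run it on 10.10.103.249 as `check_ssh_dir ~/.ssh id_dsa.pub` after copying the key over; a silent exit status 0 means the layout is what sshd expects.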

 

 

SAMBA

Samba - Tunneling, Software Installation from Source Files and RPMs, Patching, and Integrating Windows and Linux Systems via Samba

 

In this section you will download, install, and use Samba, in the process using port-forwarding to get the required software to your Linux instance from the Internet.  Another aspect of this assignment is learning how to install software on Linux systems.  There are three main ways you install Linux software: 1) from source files, 2) from RPM (Redhat Package Manager) files, and 3) as binary files.  You will do all three of these in this assignment.

 

6.   (2 pts) Create a second user account for yourself that does NOT have root privileges and give it a good password.  The name of this account should be "sambauser" and will be used to test / use Samba.  Make this all lowercase.  (For some reason Windows does not seem to distinguish between upper- and lower-case usernames, and this can lead to problems in using Samba...)  E-mail this password to me.

7.  (15 pts) Download samba 3.0.23c to your instance using port-forwarding and put it in /usr/local/src/samba, as described below.  (This includes numerous steps, including making a subdirectory for the samba source files, editing the /etc/profile.local PATH statements, etc., and updating inetd.conf to listen for and respond to SWAT connection requests.)

 

SSH tunneling / Samba How-To for the CSU network:

This section is meant to demonstrate how to download a software package onto a Linux instance (which has no direct Internet access because its IP address is not externally routable).  Then it will show how to install the package properly.  For this assignment we will be using samba 3.0.23c.

Samba will be downloaded through an SSH tunnel that goes from your Linux instance to the host on the Internet where samba is located.  Then it will be installed from source files.

 

Finding the package:

Before we may install the package we must know the exact download location of the package we want to install.

If you go to www.samba.org and proceed to download, you may easily find this location.  The full path of the samba package is:

http://hostopia.samba.org/samba/ftp/samba-3.0.23c.tar.gz or, if that link no longer works (a newer version may have replaced it):

http://us1.samba.org/samba/ftp/old-versions/samba-3.0.23c.tar.gz

*Notice that the last portion of the link is the actual package: samba-3.0.23c.tar.gz.  This path name is what we will use to get the package onto our Linux instance.

 

Setting up the tunnel:

We want to be able to make all requests for our localhost on a specified port go out to hostopia.samba.org.  (hostopia.samba.org is the site from which we will download Samba, as described above.)  We have no direct, routable, Internet access, but holly.colostate.edu (or lamar, or simla, etc.) does.  (And you automatically have an account on holly, or lamar, or simla, or another of CSU's UNIX machines.)  We can use an SSH tunnel to forward our requests to us1.samba.org, with holly doing the forwarding.  An example of how to do this is as follows:

-SSH to your given linux instance

-setup the tunnel with this command

# ssh -L 7001:hostopia.samba.org:80 username@holly.colostate.edu

The command explained:

The # sign is the Linux prompt.  (So don't type this as part of the command!)  The command is telling the computer to do this: forward all requests for localhost port 7001 to hostopia.samba.org port 80, using holly.colostate.edu as the intermediary.  The username portion is the login name you would typically use to log into holly.  We do this because our Linux instance can talk to holly (both are inside the CSU network) and holly has access to the outside world, while our instance does not have access to the outside world.

**The tunnel will only stay up as long as this session is logged in.  To be able to run more commands you must either run it in the background or start a new SSH session.  For this assignment we will open up a new SSH session.

 

Your Tunnel is established, now we will use it to get the Samba software.

SSH into your Linux instance under a new session, making sure the other session is still connected.  (The other session should have your port-forwarding command still active.)   You can verify this after logging in the second time by using the "ps aux" command and looking for the tunneling ssh command you issued above.

We can now get the samba package with this line:

            # wget http://localhost:7001/samba/ftp/samba-3.0.23c.tar.gz

Compare this line's path to the package with the regular path to the package:

http://hostopia.samba.org/samba/ftp/samba-3.0.23c.tar.gz

The command explained:

wget is a simple retrieval tool.  If we had direct Internet access then we could simply wget to the normal path.  But since we don’t, we have to use the tunnel. We have to change the host and port parameters in the link to reflect what we changed with setting up the tunnel.  So instead of using hostopia.samba.org, we used localhost.  Instead of sticking to default port 80, we use port 7001 (which is what we specified in the tunnel). 

The command should go through some authentication and then download the file.  It will be saved in the directory you are in when you run wget.  If you do not succeed, re-check how you set up the tunnel and make sure you type the wget command correctly.  After you have the tar.gz file, you may close your tunnel by exiting out of your holly connection.
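An added helper, not part of the assignment, that does the same job as the two-session procedure above but keeps the tunnel in the background with ssh -f -N, waits until the local port is actually listening, fetches the file and then closes the tunnel. It assumes ssh, wget, netstat and pkill are available; the gateway, port and URL values are the assignment's, the function names are made up here.

```shell
#!/bin/sh
# Added example (not part of the assignment): keep the holly tunnel in the
# background with "ssh -f -N" instead of a second SSH session, wait until the
# local port is listening, fetch one file through it, then close the tunnel.
# Assumptions: ssh, wget, netstat and pkill are on the PATH; the gateway and
# URL values are the assignment's, the helper names are made up here.

# tunnel_target URL: print "host:port" that the far end of the tunnel must reach.
tunnel_target() {
    hostport=${1#http://}
    hostport=${hostport%%/*}
    case "$hostport" in
        *:*) echo "$hostport" ;;
        *)   echo "$hostport:80" ;;    # plain http: default port 80
    esac
}

# local_url URL LOCALPORT: the same URL re-pointed at localhost:LOCALPORT,
# which is the rewrite explained above for the wget command.
local_url() {
    path=${1#http://}
    path=${path#*/}                  # drop host[:port], keep the path
    echo "http://localhost:$2/$path"
}

# fetch_via_tunnel URL LOCALPORT USER@GATEWAY
fetch_via_tunnel() {
    url=$1; lport=$2; gateway=$3
    # -N runs no remote command; -f backgrounds ssh once you have logged in.
    ssh -f -N -L "$lport:$(tunnel_target "$url")" "$gateway" || return 1
    # Do not start wget until the local end of the tunnel is really listening.
    tries=0
    until netstat -tln 2>/dev/null | grep -q ":$lport "; do
        tries=$((tries + 1))
        if [ "$tries" -ge 20 ]; then
            echo "tunnel on port $lport never came up"; return 1
        fi
        sleep 1
    done
    wget "$(local_url "$url" "$lport")"
    status=$?
    # Close only the ssh that owns this tunnel, not every ssh of this user.
    pkill -f "ssh -f -N -L $lport:" 2>/dev/null
    return "$status"
}

# Usage (interactive, prompts for the holly password):
#   fetch_via_tunnel http://hostopia.samba.org/samba/ftp/samba-3.0.23c.tar.gz \
#       7001 username@holly.colostate.edu
```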

 

We now have the Samba software, now how do we install it?

This is an installation from source files; you must be root to install Samba!

 

VNC to your instance:

From your local computer (home machine, Elab, or COB lab, etc), VNC to your instance.  Since you will be logged in as a normal user, and will need to be root to install Samba, su to root from your normal account within the VNC session.

Using VNC to compile and install a program (or any other lengthy task) is generally a good idea.  If your network connection goes down, the VNC server is still running and you can log back into your instance without the program build failing.

 

Move the samba file to a proper location to install it:

# mv samba-3.0.23c.tar.gz /usr/local/src/samba

*In order to do this, you will need to first create a "samba" directory beneath /usr/local/src.

*You may have downloaded the file directly into this directory.  If so, you don't need to move it now.  :)

 

Change to the /usr/local/src/samba directory to see if the command was successful:

                        An ls listing should show that samba-3.0.23c.tar.gz is there.

 

Unpack the source:

                        #  tar -zxvf samba-3.0.23c.tar.gz

                        *The -j flag replaces the -z flag if it is a *.bz2 file instead of a *.gz file.  x is extract, v is verbose, f is file.

                        *The extraction from the tar command will create a new subdirectory called samba-3.0.23c.

 

Change to the new directory created by un-tar’ing the samba-3.0.23c.tar.gz file:

                        #  cd samba-3.0.23c

*Please read the installation info (README) for further installation instructions/options.  A simple installation will be performed next:

 

Change to the source directory:

                        # cd source

                        *You should now be in /usr/local/src/samba/samba-3.0.23c/source.

 

Do the following set of commands to configure and build the binaries:

                        # ./configure

                        #  make -s

                                    -the s flag will use the silent option for the make command, and print less output to the screen.  Omit this flag if you want to see more output from the make command.

                        # make install

                        # make clean

*The make process can take considerable time, go make a sandwich and watch some TV.  :-)

 

Now remove unneeded installation files:

            # cd /usr/local/src/

            # rm -rf /usr/local/src/samba

                        Be careful when using the rm command with the -rf flag!  It will recursively delete files in a directory, and with root access, you can cause considerable damage to your system!

 

Set the path so binaries can be run from other working directories:

The new binaries will be /usr/local/samba/bin and /usr/local/samba/sbin.

You must now setup the proper PATH statement so you can execute these binaries without typing the full path.  Put these lines in /etc/profile.local. You will have to create this file.

            PATH=/usr/local/samba/bin:$PATH

            MANPATH=/usr/local/samba/man:$MANPATH

            */etc/profile.local may not exist until you create this file.  If so, make sure you set its permissions to 755 after creating it.

            *Type “source /etc/profile.local” (without the quotes) or re-login to have the changes take effect.

 

 

Get Samba Running

 

The easiest way to get a proper samba configuration file and start the samba server is through SWAT (samba web administration tool). 

Start swat from inetd.  To do this you must edit the /etc/inetd.conf file.  There is a SWAT line in there already.  Copy this line (so that you can go back to the original if you do something wrong), uncomment the copied line, and make sure that it points to the correct path.  (It must give the complete path to and including the swat binary filename.)  It does not by default.  You will need to look around the /usr/local/samba directory to find the swat binary file.  After the line has been added, you must save the inetd.conf file and restart inetd for the changes to take effect.

 

To restart inetd, do the following:

            # ps faux | grep inetd

Look for the PID of the inetd process.

 

When you have found the PID corresponding to the inetd process restart it by doing the following:

            # kill -HUP PID

PID represents the PID you located from the ps faux command.

 

Test if the server is running

            # netstat -tupan

Look for the port 901.  (That is the port SWAT listens on.)  If it is listening then SWAT is working.
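An added example, not from the assignment, of the inetd.conf edit described above: it keeps the commented SWAT line as the backup copy, inserts an active copy pointing at the swat binary right after it, and provides the HUP and port-901 checks. The binary path /usr/local/samba/sbin/swat is an assumption about where the source build put it (override it with SWAT_BIN), and the inetd.conf line used in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the assignment): the inetd.conf edit described above.
# The commented SWAT line is kept as the backup copy, an active line pointing
# at the swat binary is inserted right after it, and the HUP / port-901 checks
# follow.  Assumptions: the source build put swat at /usr/local/samba/sbin/swat
# (override with SWAT_BIN) and inetd.conf uses the classic one-line-per-service
# layout; the sample line used for testing is constructed.

SWAT_BIN=${SWAT_BIN:-/usr/local/samba/sbin/swat}

# enable_swat CONF: make the swat entry active.  Prints the active line.
# Returns 1 if CONF has no swat line at all; re-running never duplicates lines.
enable_swat() {
    conf=$1
    if grep -q '^swat[[:space:]]' "$conf"; then
        grep '^swat[[:space:]]' "$conf"      # already enabled, nothing to do
        return 0
    fi
    tmpl=$(grep -m1 '^#[[:space:]]*swat[[:space:]]' "$conf") || return 1
    # Drop the comment marker and replace the server-path field (the token
    # ending in "/swat") with the real location of the binary.
    active=$(printf '%s\n' "$tmpl" | sed -e 's/^#[[:space:]]*//' \
        -e "s#[^[:space:]]*/swat\([[:space:]]\)#$SWAT_BIN\1#")
    tmp="$conf.tmp.$$"
    awk -v tmpl="$tmpl" -v act="$active" '
        { print }
        !added && $0 == tmpl { print act; added = 1 }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
    printf '%s\n' "$active"
}

# reload_inetd: inetd re-reads inetd.conf on SIGHUP (same as kill -HUP PID).
reload_inetd() {
    pid=$(pidof inetd 2>/dev/null) || return 1
    kill -HUP "$pid"
}

# swat_listening: 0 when something is listening on TCP port 901.
swat_listening() {
    netstat -tln 2>/dev/null | grep -q ':901 '
}
```

As root: `enable_swat /etc/inetd.conf && reload_inetd && swat_listening && echo "SWAT is up"`.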

 

 

Access SWAT

Point a web browser in the lab to your Linux instance on port 901:

            Ex:  http://10.10.103.214:901

*NOTE: 10.10.103.214 is not YOUR instance, so you will need to specify the IP number for the instance you have been given.  You will also have to log in with your Linux root account to be able to start and stop the samba daemon.

SWAT is where you create and configure the samba share, make sure smbd is running, and create the samba user. 

*Create a SHARE named “sambashare” and configure it (path, writable, browseable)

*Start the samba daemon (smbd)

*Create and enable the sambauser.  In order to create a SWAT sambauser, there must be a Linux account by the same name that already exists – you should have created that account already in a previous part of this assignment.  (Be sure to COMMIT changes on screens that have a COMMIT option!)

*Then, from your PC, map a drive to this share.  From the “Map network drive” window, enter your Linux instance IP and your Samba share name, and indicate that you will log in with a different user (not your CoB user account).  For instance, when I log into 10.10.103.214 to test Samba, I use “\\10.10.103.214\sambashare” and tell it to log me in as user “sambauser” (with the password I set using SWAT)

*Once you have mapped to this share, create a new folder called Samba, and put a text file called MyLinuxInstance.txt in this folder.  In this file put your name and your Linux instance's IP number.

*E-mail me the sambauser password, otherwise I’ll not be able to test to see that this works…  :)

*You can use SWAT on the Linux instance from home/outside CSU by tunneling in through holly, lamar, etc., from the outside. (This document does not describe the exact details for doing this, although you may be able to apply what you have learned up to now to get it done.)

That’s all there is to it.  If it doesn’t work…. Go back and make sure you are following the directions correctly and completely.  :)

 

8.      (5 pts) Apache webserver: The apache webserver is installed on the instances.  When it is running you will see it as a process named httpd.  (It is not running by default on your Linux instance.)  It can be started (among other ways) with the init scripts that are in /etc/init.d/rc3.d. Figure out how to make apache start upon boot up of the instance.  (You'll need to create a link / script similar to the other rc3.d links / scripts.)  Find apache's document root (the default directory it looks in to load the system's web page), rename the page, and insert your own default page. Any rudimentary page (keep it civil please) will suffice.

9.      (5 pts) Set up sudo for your account
Sudo is a program that will let you run one specific command as though you were root.  This can be very useful for administrating a system – if you only log in using a limited account and only invoke sudo with care and forethought; it’s much less likely that accidents will happen.  Also, sudo logs all activity that is performed, who performed it, and when – which can establish accountability for multiple administrators working on one machine.  (For more information see the man page, or check wikipedia - http://en.wikipedia.org/wiki/Sudo)
The sudo configuration file is only editable by root.
By default, the sudo configuration file can only be edited with vi.  If you’re not comfortable with vi, type export EDITOR=pico   (Or substitute pico with whichever editor you prefer.  Note: “EDITOR” must be in all caps.)
The sudo configuration file is always encrypted by the system to prevent hacking.  To edit the file, you must use the specific command visudo.
This will present you with the editor of your choice editing an unencrypted temporary version of the configuration file.  At the bottom of the file, add a new line of the form:
username         ALL=(ALL)     ALL
This line will specify that “username” has permission to run any and all commands with root privileges.  Substitute “username” with your limited user account.
Save and close the file.  Then log out of root and log in using your limited account.
You can use sudo by typing   sudo <command>.  To test that it works, try any command, e.g.  sudo ls
When it prompts you for a password, enter the password for your limited user account.  Sudo will then execute the program you specified with root privileges.
You can become root this way without knowing the root password.  E.g.  sudo su -  (note the dash at the end)  will prompt you for your password and then give you a full root login.
After you’ve used sudo once you won’t have to enter your password again for 5 minutes.  :)  If you truly hate entering your password, this safeguard can be disabled (see the man page.)
Now that you can perform anything as root, it should be unnecessary to log in with the true root account. It is safer (and many say wiser) to do all administration from a limited account in this manner.
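An added example (not from the assignment) of using the activity log that sudo keeps for accountability: it extracts who ran what as root, counts refused attempts, and flags users who turned sudo into a full root shell as with "sudo su -" above. The log lines are constructed in sudo's default syslog line format; the function names are made up here.

```shell
#!/bin/sh
# Added example (not part of the assignment): turn the accountability trail
# that sudo writes to syslog into a short report.  Assumptions: sudo logs
# through syslog in its default line format; the log lines below are
# constructed for illustration, not captured from a real instance.

# sample_sudo_log FILE: write constructed syslog lines into FILE.
sample_sudo_log() {
    cat > "$1" <<'EOF'
Nov 17 09:58:01 instance sudo:   osricw : TTY=pts/0 ; PWD=/home/osricw ; USER=root ; COMMAND=/bin/ls
Nov 17 09:58:40 instance sudo:   osricw : TTY=pts/0 ; PWD=/home/osricw ; USER=root ; COMMAND=/bin/su -
Nov 17 10:01:13 instance sudo: sambauser : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/sambauser ; USER=root ; COMMAND=/bin/ls
Nov 17 10:02:55 instance sudo:   osricw : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/osricw ; USER=root ; COMMAND=/usr/sbin/ethereal
Nov 17 10:05:09 instance sudo:   osricw : TTY=pts/0 ; PWD=/home/osricw ; USER=root ; COMMAND=/usr/sbin/ethereal
EOF
}

# sudo_commands LOG: one "user command" line per sudo invocation that ran.
sudo_commands() {
    grep 'sudo:' "$1" | grep ' COMMAND=' |
    grep -v -e 'NOT in sudoers' -e 'incorrect password attempt' |
    sed -n 's/.*sudo:[[:space:]]*\([^ ]*\) :.* COMMAND=\(.*\)$/\1 \2/p'
}

# sudo_denied LOG: how many attempts sudo refused (not in sudoers, or too
# many wrong passwords); these are the lines to read first.
sudo_denied() {
    grep -c -e 'NOT in sudoers' -e 'incorrect password attempt' "$1" || true
}

# root_shells LOG: users who turned sudo into a full root shell, for example
# with "sudo su -" as described in the assignment.
root_shells() {
    sudo_commands "$1" | awk '$2 ~ /\/(su|sh|bash)$/ { print $1 }' | sort -u
}

# Demonstration on the constructed sample (use /var/log/messages for real data).
demo_log=$(mktemp)
sample_sudo_log "$demo_log"
echo "commands run through sudo:"; sudo_commands "$demo_log"
echo "denied attempts: $(sudo_denied "$demo_log")"
echo "root shells obtained by: $(root_shells "$demo_log")"
rm -f "$demo_log"
```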

10.  (5 pts) Install Ethereal
-         Ethereal will be installed from an RPM file.
-         Use the SCP command from your instance to get the RPM files for ethereal.  You can find these on 10.10.103.249 in /share/HW4/.  The two files are ethereal-0.9.6-32.s390.rpm and libpcap-0.7.1-38.s390.rpm

-         Hint: Use *.rpm to get both the rpm files in the directory.  There are only 2, and both are needed.

-         Put these rpm files in a directory on your linux instance called /usr/local/src/ethereal.  (You'll need to create this directory as the root user.)

-         Once you have the RPM’s you may install them using the rpm command.  (You will need to read the man page for the proper flag for the rpm command, and you will need to be logged in as root during the install process.)

-         Hint: install both RPM’s from one line with one command.

-         When you have installed the RPM’s get into a VNC session (one should still be running!), open a new KDM Konsole, and run ethereal via sudo (type sudo ethereal from the command prompt).  (You should have started the vncserver and now attempt to connect to it, as your normal user, not as root.)    You can find the Konsole start-up icon at the very bottom of your window - you may have to scroll the window down to see it - with the monitor and shell icon.  Click on the icon and wait for the window to open.  Close the "help" window.

-         Once you are sure that Ethereal and the other RPM installed successfully, remove the /usr/local/src/ethereal directory as well as both the RPM files you downloaded.

11.  (5 pts)   Log FTP Packets
-         If you have not already done so, open a new KDM Konsole in your VNC session, run Ethereal via sudo.  (See above.)
-         In Ethereal, click the Capture menu, uncheck Promiscuous Mode, then start. 
-         Make sure the interface selected is ANY, and uncheck the “Capture packets in promiscuous mode”
-         From a Konsole window, ftp to simla.colostate.edu, and enter your webct username and password.
-         After you have logged in with ftp, go back to Ethereal and stop capturing packets.
-         In the Filter text box at the bottom of Ethereal, we want to filter out all packets that are not ftp related.
·        tcp.port == 21
·        *This will grab all control packets for ftp.
·        http://www.ethereal.com/docs/man-pages/ethereal-filter.4.html has additional information about filters for Ethereal.
-         Look through these packets, and see if you find anything interesting/disturbing/insecure.  Email me a paragraph explaining what you found.
·        *If you have more than ~40 packets or so, go back and make sure you have all the settings correct.