
Lecture 08: Networking services: there's no place like 127.0.0.1 - PowerPoint PPT Presentation



  1. Lecture 08: Networking services: there's no place like 127.0.0.1
     Hands-on Unix system administration DeCal, 2012-10-15

  2. DNS
     ❖ About DNS
     ❖ Common DNS records
     ❖ Other DNS records

  3. About DNS
     ● Domain Name Service
     ● Internet's /etc/hosts file
     ● DNS client software (e.g., web browser) automatically asks DNS server for records
       ✦ requests passed between servers
     ● see also host, dig

  4. Common DNS records
     ● A: IPv4 address
     ● AAAA: IPv6 address
     ● CNAME: an alias for another record (Canonical Name)
     ● MX: mail server(s) for a domain (Mail Exchanger)
     ● PTR: reverse A record (Pointer)

  5. Other DNS records
     ● SRV: service
     ● TXT: text

  6. Networking
     ❖ Too many TLAs
     ❖ TCP
     ❖ UDP
     ❖ NATs
     ❖ Port forwarding
     ❖ HTTP
     ❖ NFS

  7. Too many TLAs
     ● OSI reference model, we focus on application layer
     ● transport protocols: TCP, UDP
     ● ports numbered between 1 and 65535 (unsigned 16 bit integer)
     ● ports below 1024 (e.g., 22/tcp – SSH, 80/tcp – HTTP) require root access on Unix

  8. TCP
     ● Transmission Control Protocol
     ● reliable, more overhead, stateful
     ● most network services use TCP (HTTP, SMTP, SSH, etc.)
       ✦ some may use both TCP and UDP

  9. UDP
     ● User Datagram Protocol
     ● unreliable, simple ("fast"), stateless
     ● often used by DNS, DHCP, TFTP, VoIP, streaming media, etc.
       ✦ DNS uses TCP, however, for larger responses
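The query-and-reply mechanics of slides 3 to 5 and the TCP fallback of slide 9, as an added Python example that is not part of the lecture: it builds a wire-format query for one of the record types named above and reads the reply header, where the TC (truncated) bit tells a client to repeat the question over TCP. The sample replies are constructed for the demo, not captured from a real server.

```python
import struct

# Record type codes for the types named on the slides (RFC 1035, 2782, 3596)
RECORD_TYPES = {"A": 1, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33}
CLASS_IN = 1

def encode_name(name):
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, rtype, txid=0x1234):
    """12-byte header (flags 0x0100 = recursion desired) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", RECORD_TYPES[rtype], CLASS_IN)

def parse_header(msg):
    """Pull out the header fields a resolver checks before trusting an answer."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "truncated": bool(flags & 0x0200),    # TC bit: reply did not fit in one UDP datagram
        "rcode": flags & 0x000F,              # 0 = no error, 3 = NXDOMAIN
        "answers": an,
    }

def needs_tcp_retry(query, reply):
    """True when a UDP reply matches our transaction id but was truncated (TC=1)."""
    q, r = parse_header(query), parse_header(reply)
    return r["is_response"] and r["id"] == q["id"] and r["truncated"]

# Constructed sample messages (header + echoed question, no answer records) for the demo
QUERY = build_query("example.com", "MX")
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]  # QR,RD,RA,TC set
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + QUERY[12:]   # QR,RD,RA set
```

A resolver that ignores the TC bit silently works from a partial answer; checking the transaction id as well guards against stray replies that do not belong to the question asked.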

  10. NATs
     ● Network Address Translation
     ● accomplished by home/office router
       ✦ rewrite packets for many computers to use one public IP address (Source NAT, IP Masquerading)
       ✦ private IP addresses: 192.168.0.0–192.168.255.255, 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255

  11. Port forwarding
     ● also called Destination NAT (DNAT)
     ● forward a public IP addressed port to an internal IP addressed port
     ● required to access services behind a Source NAT
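Source NAT (slide 10) and port forwarding (slide 11) side by side, as an added Python example that is not part of the lecture: a toy router with one public address masquerades outbound flows from the private ranges listed above and only lets an inbound packet through when it matches a flow a private host started or an explicit DNAT rule. The router class, its port-allocation scheme and all addresses are constructed for the demo.

```python
import ipaddress

# The three private (RFC 1918) ranges listed on the NAT slide
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

def is_private(addr):
    """True for addresses a router would masquerade rather than route as-is."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in PRIVATE_NETS)

class NatRouter:
    """Toy home router: one public address shared by many private hosts."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port   # next public port to hand out for a new flow
        self.snat = {}       # (private ip, private port) -> public port
        self.snat_rev = {}   # public port -> (private ip, private port)
        self.dnat = {}       # public port -> (private ip, private port), i.e. port forwarding

    def forward_port(self, public_port, private_ip, private_port):
        """Destination NAT rule: expose an internal service on the public address."""
        if not is_private(private_ip):
            raise ValueError("port forwarding targets a host on the private side")
        self.dnat[public_port] = (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Source NAT (masquerading): rewrite the source to the public address/port."""
        if not is_private(src_ip):
            raise ValueError("only private hosts are masqueraded")
        key = (src_ip, src_port)
        if key not in self.snat:          # first packet of a flow: allocate a public port
            self.snat[key] = self.next_port
            self.snat_rev[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.snat[key], dst_ip, dst_port)

    def inbound(self, dst_port):
        """Where a packet arriving at the public address goes, or None if it is dropped."""
        if dst_port in self.snat_rev:     # reply to a flow a private host started
            return self.snat_rev[dst_port]
        if dst_port in self.dnat:         # explicitly forwarded port
            return self.dnat[dst_port]
        return None                       # no state and no rule: unreachable behind SNAT
```

The None case is why an internal service is invisible from outside until someone adds a forwarding rule, and also why every forwarding rule is a deliberate hole in that default.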

  12. HTTP
     ● Hyper-Text Transfer Protocol
     ● simple, text-based protocol
       ✦ basic web server can be implemented in a 25-line bash script with netcat
     ● popular servers: Apache, IIS, lighttpd, nginx

  13. NFS
     ● Network File System
     ● mounts can be defined in /etc/fstab
     ● usually need to be root to mount

  14. SSH
     ❖ About SSH
     ❖ SSH public-private keys
     ❖ Public-private keys
     ❖ Symmetric keys
     ❖ PAM

  15. About SSH
     ● Secure SHell
     ● different authentication mechanisms: PAM, public key, GSSAPI (Kerberos)
     ● remote encrypted terminal/console on remote machine
     ● other features: port forwarding, X forwarding, file transfer, can be combined with other protocols

  16. SSH public-private keys
     ● alternative to password-based authentication
       ✦ uses public/private key cryptography
     ● SSH agent caches key in memory
     ● SSH forwarding forwards key challenges

  17. Public-private keys
     ● public key: everyone can see lock
     ● private key: one person has key
     ● encrypt with public key, decrypt with private key
     ● sign with private key, verify with public key
     ● ciphers: RSA, DSA
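The four operations on this slide carried through with RSA, as an added Python example that is not part of the lecture: a keypair built from two tiny primes shows that encrypting with the public key is undone only by the private key, and that a signature made with the private key checks out with the public key until a single bit of it changes. The primes, exponents and hash-reduction step are constructed for the demo; real keys use moduli of 2048 bits or more and a proper padding scheme.

```python
import hashlib

# Toy RSA keypair from two tiny primes, constructed purely to illustrate the slide
P, Q = 61, 53
N = P * Q                   # public modulus, 3233
PHI = (P - 1) * (Q - 1)     # 3120
E = 17                      # public exponent
D = pow(E, -1, PHI)         # private exponent, the modular inverse of E (2753)

PUBLIC_KEY = (N, E)    # the lock: everyone may see it
PRIVATE_KEY = (N, D)   # the key: one person holds it

def encrypt(public_key, m):
    """Anyone can encrypt to the key owner; m must be a number smaller than N."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be in 0..N-1 (real RSA pads first)")
    return pow(m, e, n)

def decrypt(private_key, c):
    """Only the private key undoes encrypt()."""
    n, d = private_key
    return pow(c, d, n)

def _digest(message, n):
    # Sign a hash of the message rather than the message; reduced mod N only for the toy size
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message):
    """Only the private key can produce a signature that verify() accepts."""
    n, d = private_key
    return pow(_digest(message, n), d, n)

def verify(public_key, message, signature):
    """Anyone can check a signature with the public key; a changed signature fails."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)
```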

  18. Symmetric keys
     ● one shared key
     ● advantage: speed, security
     ● disadvantage: often impractical to verify, especially against man-in-the-middle attacks
     ● ciphers: AES, 3DES, blowfish, arcfour

  19. PAM
     ● Pluggable Authentication Modules
     ● API for authentication commonly used on Unix
     ● pam_unix: /etc/shadow password hashes

  20. Network users
     ❖ LDAP
     ❖ Kerberos

  21. LDAP
     ● Lightweight Directory Access Protocol
     ● distributed directory information service, like phone book
     ● arranged as records with attributes
     ● often used to populate user accounts across a network
     ● CalNet is an LDAP directory

  22. Kerberos
     ● trusted third party provides mutual authentication between machines and users
     ● arranged as principals which can be fetched as tickets to authenticate
     ● CalNet is also a Kerberos realm
