Control+Alt+F1 through Control+Alt+F6. By extension, the terms “console” and “terminal” can also refer to a terminal emulator in a graphical X11 session (such as xterm, gnome-terminal or konsole).
9.2. Remote Login

It is essential for an administrator to be able to connect to a computer remotely. Servers, confined in their own room, are rarely equipped with permanent keyboards and monitors — but they are connected to the network.

BACK TO BASICS Client, server

A system where several processes communicate with each other is often described with the “client/server” metaphor. The server is the program that takes requests coming from a client and executes them. It is the client that controls operations; the server doesn't take any initiative of its own.

9.2.1. Secure Remote Login: SSH

The SSH (Secure SHell) protocol was designed with security and reliability in mind. Connections using SSH are secure: the partner is authenticated and all data exchanges are encrypted.

CULTURE Telnet and RSH are obsolete

Before SSH, Telnet and RSH were the main tools used to login remotely. They are now largely obsolete and should no longer be used even if Debian still provides them.

VOCABULARY Authentication, encryption

When you need to give a client the ability to conduct or trigger actions on a server, security is important. You must ensure the identity of the client; this is authentication. This identity usually consists of a password that must be kept secret, or any other client could get the password. This is the purpose of encryption, which is a form of encoding that allows two systems to communicate confidential information on a public channel while protecting it from being readable to others. Authentication and encryption are often mentioned together, both because they are frequently used together, and because they are usually implemented with similar mathematical concepts.

SSH also offers two file transfer services. scp is a command line tool that can be used like cp, except that any path to another machine is prefixed with the machine's name, followed by a colon.

$ scp file machine:/tmp/

sftp is an interactive command, similar to ftp.
In a single session, sftp can transfer several files, and it is possible to manipulate remote files with it (delete, rename, change permissions, etc.).

Debian uses OpenSSH, a free version of SSH maintained by the OpenBSD project (a free operating system based on the BSD kernel, focused on security) and a fork of the original SSH software developed by the SSH Communications Security Corp company, of Finland. This company initially developed SSH as free software, but eventually decided to continue its development under a proprietary license. The OpenBSD project then created OpenSSH to maintain a free version of SSH.

BACK TO BASICS Fork

A “fork”, in the software field, means a new project that starts as a clone of an existing project, and that will compete with it. From there on, both software will usually quickly diverge in terms of new developments. A fork is often the result of disagreements within the development team. The option to fork a project is a direct result of the very nature of free software; a fork is a healthy event when it enables the continuation of a project as free software (for example in case of license changes). A fork arising from technical or personal disagreements is often a waste of human resources; another resolution would be preferable. Mergers of two projects that previously went through a prior fork are not unheard of.

OpenSSH is split into two packages: the client part is in the openssh-client package, and the server is in the openssh-server package. The ssh meta-package depends on both parts and facilitates installation of both (apt install ssh).

9.2.1.1. Key-Based Authentication

Each time someone logs in over SSH, the remote server asks for a password to authenticate the user. This can be problematic if you want to automate a connection, or if you use a tool that requires frequent connections over SSH. This is why SSH offers a key-based authentication system.

The user generates a key pair on the client machine with ssh-keygen -t rsa; the public key is stored in ~/.ssh/id_rsa.pub, while the corresponding private key is stored in ~/.ssh/id_rsa. The user then uses ssh-copy-id server to add their public key to the ~/.ssh/authorized_keys file on the server. If the private key was not protected with a “passphrase” at the time of its creation, all subsequent logins on the server will work without a password. Otherwise, the private key must be decrypted each time by entering the passphrase. Fortunately, ssh-agent allows us to keep private keys in memory to not have to regularly re-enter the password.
For this, you simply use ssh-add (once per work session) provided that the session is already associated with a functional instance of ssh-agent. Debian activates it by default in graphical sessions, but this can be deactivated by changing /etc/X11/Xsession.options. For a console session, you can manually start it with eval $(ssh-agent).

SECURITY Protection of the private key

Whoever has the private key can login on the account thus configured. This is why access to the private key is protected by a “passphrase”. Someone who acquires a copy of a private key file (for example, ~/.ssh/id_rsa) still has to know this phrase in order to be able to use it. This additional protection is not, however, impregnable, and if you think that this file has been compromised, it is best to disable that key on the computers in which it has been installed (by removing it from the authorized_keys files) and replacing it with a newly generated key.

CULTURE OpenSSL flaw in Debian Etch

The OpenSSL library, as initially provided in Debian Etch, had a serious problem in its random number generator (RNG). Indeed, the Debian maintainer had made a change so that applications using it would no longer generate warnings when analyzed by memory testing tools like valgrind. Unfortunately, this change also meant that the RNG was employing only one source of entropy corresponding to the process number (PID), whose 32,000 possible values do not offer enough randomness.

→ http://www.debian.org/security/2008/dsa-1571

Specifically, whenever OpenSSL was used to generate a key, it always produced a key within a known set of hundreds of thousands of keys (32,000 multiplied by a small number of key lengths). This affected SSH keys, SSL keys, and X.509 certificates used by numerous applications, such as OpenVPN. A cracker had only to try all of the keys to gain unauthorized access.

To reduce the impact of the problem, the SSH daemon was modified to refuse problematic keys that are listed in the openssh-blacklist and openssh-blacklist-extra packages. Additionally, the ssh-vulnkey command allows identification of possibly compromised keys in the system.

A more thorough analysis of this incident brings to light that it is the result of multiple (small) problems, both within the OpenSSL project and with the Debian package maintainer. A widely used library like OpenSSL should — without modifications — not generate warnings when tested by valgrind. Furthermore, the code (especially the parts as sensitive as the RNG) should be better commented to prevent such errors. On Debian's side, the maintainer wanted to validate the modifications with the OpenSSL developers, but simply explained the modifications without providing the corresponding patch to review and failed to mention his role within Debian. Finally, the maintenance choices were sub-optimal: the changes made to the original code were not clearly documented; all the modifications were effectively stored in a Subversion repository, but they ended up all lumped into one single patch during creation of the source package. It is difficult under such conditions to find the corrective measures to prevent such incidents from recurring.
The lesson to be learned here is that every divergence Debian introduces to upstream software must be justified, documented, submitted to the upstream project when possible, and widely publicized. It is from this perspective that the new source package format (“3.0 (quilt)”) and the Debian sources webservice were developed.

→ http://sources.debian.net

9.2.1.2. Using Remote X11 Applications

The SSH protocol allows forwarding of graphical data (“X11” session, from the name of the most widespread graphical system in Unix); the server then keeps a dedicated channel for those data. Specifically, a graphical program executed remotely can be displayed on the X.org server of the local screen, and the whole session (input and display) will be secure. Since this feature allows remote applications to interfere with the local system, it is disabled by default. You can enable it by specifying X11Forwarding yes in the server configuration file (/etc/ssh/sshd_config). Finally, the user must also request it by adding the -X option to the ssh command-line.

9.2.1.3. Creating Encrypted Tunnels with Port Forwarding

Its -R and -L options allow ssh to create “encrypted tunnels” between two machines, securely forwarding a local TCP port (see sidebar BACK TO BASICS TCP/UDP) to a remote machine or vice versa.

VOCABULARY Tunnel

The Internet, and most LANs that are connected to it, operate in packet mode and not in connected mode, meaning that a packet issued from one computer to another is going to be stopped at several intermediary routers to find its way to its destination. You can still simulate a connected operation where the stream is encapsulated in normal IP packets. These packets follow their usual route, but the stream is reconstructed unchanged at the destination. We call this a “tunnel”, analogous to a road tunnel in which vehicles drive directly from the entrance (input) to the exit (output) without encountering any intersections, as opposed to a path on the surface that would involve intersections and changing direction.

You can use this opportunity to add encryption to the tunnel: the stream that flows through it is then unrecognizable from the outside, but it is returned in decrypted form at the exit of the tunnel.

ssh -L 8000:server:25 intermediary establishes an SSH session with the intermediary host and listens to local port 8000 (see Figure 9.3, “Forwarding a local port with SSH”). For any connection established on this port, ssh will initiate a connection from the intermediary computer to port 25 on the server, and will bind both connections together.

ssh -R 8000:server:25 intermediary also establishes an SSH session to the intermediary computer, but it is on this machine that ssh listens to port 8000 (see Figure 9.4, “Forwarding a remote port with SSH”). Any connection established on this port will cause ssh to open a connection from the local machine on to port 25 of the server, and to bind both connections together.

In both cases, connections are made to port 25 on the server host, which pass through the SSH tunnel established between the local machine and the intermediary machine. In the first case, the entrance to the tunnel is local port 8000, and the data move towards the intermediary machine before being directed to the server on the “public” network. In the second case, the input and output in the tunnel are reversed; the entrance is port 8000 on the intermediary machine, the output is on the local host, and the data are then directed to the server. In practice, the server is usually either the local machine or the intermediary. That way SSH secures the connection from one end to the other.

Figure 9.3. Forwarding a local port with SSH

Figure 9.4. Forwarding a remote port with SSH
9.2.2. Using Remote Graphical Desktops

VNC (Virtual Network Computing) allows remote access to graphical desktops. This tool is mostly used for technical assistance; the administrator can see the errors that the user is facing, and show them the correct course of action without having to stand by them.

First, the user must authorize sharing their session. The GNOME graphical desktop environment in Jessie includes that option in its configuration panel (contrary to previous versions of Debian, where the user had to install and run vino). KDE still requires using krfb to allow sharing an existing session over VNC. For other graphical desktop environments, the x11vnc command (from the Debian package of the same name) serves the same purpose; you can make it available to the user with an explicit icon.

When the graphical session is made available by VNC, the administrator must connect to it with a VNC client. GNOME has vinagre and remmina for that, while KDE includes krdc (in the menu at K → Internet → Remote Desktop Client). There are other VNC clients that use the command line, such as xvnc4viewer in the Debian package of the same name. Once connected, the administrator can see what is going on, work on the machine remotely, and show the user how to proceed.

SECURITY VNC over SSH

If you want to connect by VNC, and you don't want your data sent in clear text on the network, it is possible to encapsulate the data in an SSH tunnel (see Section 9.2.1.3, “Creating Encrypted Tunnels with Port Forwarding”). You simply have to know that VNC uses port 5900 by default for the first screen (called “localhost:0”), 5901 for the second (called “localhost:1”), etc.

The ssh -L localhost:5901:localhost:5900 -N -T machine command creates a tunnel between local port 5901 in the localhost interface and port 5900 of the machine host. The first “localhost” restricts SSH to listening to only that interface on the local machine. The second “localhost” indicates the interface on the remote machine which will receive the network traffic entering in “localhost:5901”. Thus vncviewer localhost:1 will connect the VNC client to the remote screen, even though you indicate the name of the local machine.

When the VNC session is closed, remember to close the tunnel by also quitting the corresponding SSH session.

BACK TO BASICS Display manager

gdm3, kdm, lightdm, and xdm are Display Managers. They take control of the graphical interface shortly after boot in order to provide the user a login screen. Once the user has logged in, they execute the programs needed to start a graphical work session.

VNC also works for mobile users, or company executives, who occasionally need to login from their home to access a remote desktop similar to the one they use at work. The configuration of such a service is more complicated: you first install the vnc4server package, change the configuration of the display manager to accept XDMCP Query requests (for gdm3, this can be done by adding Enable=true in the “xdmcp” section of /etc/gdm3/daemon.conf), and finally, start the VNC server with inetd so that a session is automatically started when a user tries to login. For example, you may add this line to /etc/inetd.conf:

5950 stream tcp nowait nobody.tty /usr/bin/Xvnc Xvnc -inetd -query localhost -once -geometry 1024x768 -depth 16 securitytypes=none

Redirecting incoming connections to the display manager solves the problem of authentication, because only users with local accounts will pass the gdm3 login screen (or equivalent kdm, xdm, etc.). As this operation allows multiple simultaneous logins without any problem (provided the server is powerful enough), it can even be used to provide complete desktops for mobile users (or for less powerful desktop systems, configured as thin clients). Users simply login to the server's screen with vncviewer server:50, because the port used is 5950.
9.3. Managing Rights

Linux is definitely a multi-user system, so it is necessary to provide a permission system to control the set of authorized operations on files and directories, which includes all the system resources and devices (on a Unix system, any device is represented by a file or directory). This principle is common to all Unix systems, but a reminder is always useful, especially as there are some interesting and relatively unknown advanced uses.

Each file or directory has specific permissions for three categories of users: its owner (symbolized by u as in “user”); its owner group (symbolized by g as in “group”), representing all the members of the group; the others (symbolized by o as in “other”).

Three types of rights can be combined: reading (symbolized by r as in “read”); writing (or modifying, symbolized by w as in “write”); executing (symbolized by x as in “eXecute”).

In the case of a file, these rights are easily understood: read access allows reading the content (including copying), write access allows changing it, and execute access allows you to run it (which will only work if it is a program).

SECURITY setuid and setgid executables

Two particular rights are relevant to executable files: setuid and setgid (symbolized with the letter “s”). Note that we frequently speak of “bit”, since each of these boolean values can be represented by a 0 or a 1. These two rights allow any user to execute the program with the rights of the owner or the group, respectively. This mechanism grants access to features requiring higher level permissions than those you would usually have.

Since a setuid root program is systematically run under the super-user identity, it is very important to ensure it is secure and reliable. Indeed, a user who would manage to subvert it to call a command of their choice could then impersonate the root user and have all rights on the system.

A directory is handled differently. Read access gives the right to consult the list of its entries (files and directories), write access allows creating or deleting files, and execute access allows crossing through it (especially to go there with the cd command). Being able to cross through a directory without being able to read it gives permission to access the entries therein that are known by name, but not to find them if you do not know their existence or their exact name.

SECURITY setgid directory and sticky bit

The setgid bit also applies to directories. Any newly-created item in such directories is automatically assigned the owner group of the parent directory, instead of inheriting the creator's main group as usual. This setup avoids the user having to change its main group (with the newgrp command) when working in a file tree shared between several users of the same dedicated group.
The “sticky” bit (symbolized by the letter “t”) is a permission that is only useful in directories. It is especially used for temporary directories where everybody has write access (such as /tmp/): it restricts deletion of files so that only their owner (or the owner of the parent directory) can do it. Lacking this, everyone could delete other users' files in /tmp/.

Three commands control the permissions associated with a file: chown user file changes the owner of the file; chgrp group file alters the owner group; chmod rights file changes the permissions for the file.

There are two ways of presenting rights. Among them, the symbolic representation is probably the easiest to understand and remember. It involves the letter symbols mentioned above. You can define rights for each category of users (u / g / o), by setting them explicitly (with =), by adding (+), or subtracting (-). Thus the u=rwx,g+rw,o-r formula gives the owner read, write, and execute rights, adds read and write rights for the owner group, and removes read rights for other users. Rights not altered by the addition or subtraction in such a command remain unmodified. The letter a, for “all”, covers all three categories of users, so that a=rx grants all three categories the same rights (read and execute, but not write).

The (octal) numeric representation associates each right with a value: 4 for read, 2 for write, and 1 for execute. We associate each combination of rights with the sum of the figures. Each value is then assigned to different categories of users by putting them end to end in the usual order (owner, group, others). For instance, the chmod 754 file command will set the following rights: read, write and execute for the owner (since 7 = 4 + 2 + 1); read and execute for the group (since 5 = 4 + 1); read-only for others. The 0 means no rights; thus chmod 600 file allows for read/write rights for the owner, and no rights for anyone else. The most frequent right combinations are 755 for executable files and directories, and 644 for data files.

To represent special rights, you can prefix a fourth digit to this number according to the same principle, where the setuid, setgid and sticky bits are 4, 2 and 1, respectively. chmod 4754 will associate the setuid bit with the previously described rights.

Note that the use of octal notation only allows to set all the rights at once on a file; you cannot use it to simply add a new right, such as read access for the group owner, since you must take into account the existing rights and compute the new corresponding numerical value.

TIP Recursive operation

Sometimes we have to change rights for an entire file tree. All the commands above have a -R option to operate recursively in sub-directories.

The distinction between directories and files sometimes causes problems with recursive operations. That is why the “X” letter has been introduced in the symbolic representation of rights. It represents a right to execute which applies only to directories (and not to files lacking this right). Thus, chmod -R a+X directory will only add execute rights for all categories of users (a) for all of the sub-directories and files for which at least one category of user (even if their sole owner) already has execute rights.
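As an added worked example (not code from the handbook), the following Python model evaluates the symbolic notation described above, including the special bits and the conditional X right, against a starting mode and prints the four-digit octal result, so the two notations can be compared directly. It simplifies GNU chmod in one respect: = replaces only the rwx bits of the named categories, and the setuid, setgid and sticky bits change only when s or t is named explicitly.

```python
import stat

# Added model of chmod's symbolic notation (not the handbook's code).
# Simplification vs. GNU chmod: "=" replaces only the rwx bits of the
# named categories; setuid/setgid/sticky change only when s or t is named.
_WHO = {"u": 0o700, "g": 0o070, "o": 0o007}        # rwx bits of each category
_PERM = {"r": 0o444, "w": 0o222, "x": 0o111}        # one right, all categories
_SPECIAL = {"u": stat.S_ISUID, "g": stat.S_ISGID}   # setuid (4000), setgid (2000)


def apply_symbolic(expr, mode, is_dir=False):
    """Apply an expression such as "u=rwx,g+rw,o-r" to mode; return the new mode."""
    for clause in expr.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = clause[:i] or "a"                     # "+t" means "a+t"
        if "a" in who:
            who = "ugo"
        if i >= len(clause) or clause[i] not in "=+-":
            raise ValueError("bad clause: %r" % clause)
        op, perms = clause[i], clause[i + 1:]
        who_mask = 0
        for w in who:
            who_mask |= _WHO[w]
        bits = 0
        for p in perms:
            if p in _PERM:
                bits |= _PERM[p] & who_mask
            elif p == "X":
                # Conditional execute: always for a directory, for a file only if
                # some category already has x (this is what makes -R a+X safe).
                if is_dir or mode & 0o111:
                    bits |= 0o111 & who_mask
            elif p == "s":
                bits |= sum(_SPECIAL[w] for w in who if w in _SPECIAL)
            elif p == "t":
                bits |= stat.S_ISVTX                # sticky bit (1000)
            else:
                raise ValueError("unknown right: %r" % p)
        if op == "=":
            mode = (mode & ~who_mask) | bits        # set exactly these rights
        elif op == "+":
            mode |= bits                            # add rights
        else:
            mode &= ~bits                           # subtract rights
    return mode & 0o7777


def octal(mode):
    """Four-digit octal form, special digit first: 0o4755 -> "4755"."""
    return "%04o" % (mode & 0o7777)


if __name__ == "__main__":
    # The formulas from the text, applied to a typical 644 data file
    print(octal(apply_symbolic("u=rwx,g+rw,o-r", 0o644)))   # 0760
    print(octal(apply_symbolic("a=rx", 0o644)))              # 0555
    # a+X leaves a data file alone but lets everyone cross a directory
    print(octal(apply_symbolic("a+X", 0o644)))               # 0644
    print(octal(apply_symbolic("a+X", 0o700, is_dir=True)))  # 0711
    # Special bits: setuid on a 755 program, sticky on a world-writable dir
    print(octal(apply_symbolic("u+s", 0o755)))               # 4755
    print(octal(apply_symbolic("+t", 0o777, is_dir=True)))   # 1777
```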
TIP Changing the user and group

Frequently you want to change the group of a file at the same time that you change the owner. The chown command has a special syntax for that: chown user:group