Chapter 8 (Linux)


Run the following command to create the Kerberos database:

# kdb5_util create

On Ubuntu systems, an IPSec host-to-host connection begins in the /etc/ipsectools.conf file. The script shown here is based on the setkey -f command, on a host with IP address 192.168.0.100. This file creates a security policy database (SPD) for a host connection from IP address 192.168.0.100 to 10.0.0.100. It flushes any previous regular and SPD policies:

#!/usr/sbin/setkey -f
flush;
spdflush;

The following command takes the contents of user Michael's home directory recursively (with all subdirectories) and sends it to the remote system named backup.example.org in the /backups/ subdirectory:

$ rsync -e ssh -aHz /home/michael backup.example.org:/backups/

If you want to log in remotely with X11 forwarding, use ssh's ___ switch

-X

For regular NFS shares, the standard configuration includes domain names or IP addresses along with mount options. For example, the following directive is a typical regular NFS share directive:

/backups 192.168.0.0/255.255.255.0(rw,sync)

If the packages for NFSv4 are installed, you can set up a share similar to the following, which authenticates shares to clients specifically assigned by the Kerberos server:

/backups gss/krb5i(sync,rw)

Shared NFS directories are configured in the ____ file

/etc/exports

When installed on an Ubuntu system, configuration options are commented into a number of files in the ____ directory. On some other systems, you'll find these files in the ____ directory

/etc/freeradius/, /etc/raddb/

Any changes made to ____ should be matched with changes either to the Domain Name System (DNS) database or the /etc/hosts files for each applicable system

/etc/krb5.conf

Red Hat systems specifically cite /etc/vsftpd/ftpusers in the associated pluggable authentication module (PAM) configuration file, ____

/etc/pam.d/vsftpd

The Samba user password database is separate from the Linux password database, and is stored in files in the ____ directory

/etc/samba/

If you forget that database password, you'll have to delete the files in the ____ or ____ directories (depending on distribution) before re-creating the database by rerunning this command (# kdb5_util create)

/var/lib/krb5kdc/, /var/kerberos/krb5kdc/

What steps must you take to create a Kerberos ticket for a system?

1. Access the kadmin: prompt with administrative privileges with the kadmin command. For the Kerberos administrative key created earlier, you'd access the kadmin: prompt with the following command:
   # kadmin michael/[email protected]
2. Add a random NFS key for the client system with the following command. If your domain and realms are different, change the command accordingly.
   kadmin: addprinc -randkey nfs/[email protected]
3. Enter the next command to add this ticket to the keytab for the local server:
   kadmin: xst nfs/[email protected]

This section includes many of the same directives as the "Standalone Server Options" section. In this [global] part of the file, directives should be used only once. Three options are noted in this section for the security directive:

1. Domain
2. Server
3. Ads

Different port and protocol numbers are used for IPSec connections. Assuming a firewall is configured on each network, you'll have to make sure these ports and protocols are open on the respective networks:

1. Encapsulating Security Payload (ESP) protocol
2. Authentication Header (AH) protocol
3. Internet Key Exchange (IKE) protocol
4. Network Address Translation (NAT) traversal protocol

RADIUS can work with a variety of such databases, including:

1. LDAP
2. Network Information Service (NIS)
3. Microsoft's Active Directory
4. Novell's eDirectory
5. Local shadow password suite

With its archive features, the rsync command can back up more than just the information in regular files. It can preserve more, including the following:

1. Ownership by users and groups
2. Last file-access times
3. Permissions
4. Symbolic links between files

RADIUS authentication uses systems such as?

1. Password Authentication Protocol (PAP)
2. Challenge-Handshake Authentication Protocol (CHAP)
3. Extensible Authentication Protocol (EAP)

Standard e-mail clients connect to servers using three major protocols:

1. SMTP
2. POP3
3. IMAP4

The relevant directives regarding the Master Browser are as follows:

1. domain master
2. local master
3. os level
4. preferred master

Two other configuration files are directly used for the vsftp service, which can help prevent malicious users from using privileges at least on the vsftp server:

1. ftpusers
2. user_list

If the NetBIOS name does not exist, the WINS server defaults to the hostname of the system. The basic directives in this section are straightforward:

1. wins support
2. wins server
3. wins proxy
4. dns proxy

What is the standard SSH port number?

22

What is the ticket-granting ticket (TGT)?

A pass that assures other servers that you have been authenticated

What is a Master Browser?

A system assigned to maintain a database of NetBIOS names and their services, such as domain or workgroup membership.

Generally, secure FTP servers do not allow connections based on the ____, as that can lead to denial of service (DoS) attacks

American Standard Code for Information Interchange (ASCII)

If you've set up a Kerberos server, you can change some of these default Kerberos options for Kerberos or regular passwords. Methods to do so include Kerberos tickets or ____ tokens

Andrew Filesystem (AFS)

The ____ uses protocol 51. AH traffic can be allowed through an iptables firewall with a -p 51 -j ACCEPT switch

Authentication Header (AH) protocol

The ____ directive specifies the location of authorized SSH keys in each user's home directory

AuthorizedKeysFile

A ____ is a backup for a PDC on a Microsoft Windows NT domain.

Backup Domain Controller (BDC)

If login banners are used to transmit corporate or organizational policies for remote users, you'll want to activate the following directive and enter those policies in the /etc/issue.net file:

Banner /etc/issue.net

If you use Kerberos for network authentication, why does it require the installation of Kerberos software on both the client and server?

Because services such as telnet that normally send usernames and passwords in cleartext will not be protected if it is not installed on both

If you need SSH connections over a telephone modem, you may consider activating this option. However, there are interaction problems with PAMs:

ChallengeResponseAuthentication no

By default, a Samba server shares printers configured using the ____ over the Windows network

Common Unix Printing System (CUPS)

On Red Hat systems, IPSec host-to-host connections are configured in two files in the /etc/sysconfig/network-scripts/ directory. One is ifcfg-host, where host is the name of the host-to-host device. The configuration is simple, including just four directives:

DST=192.168.122.127
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK

The ____ uses protocol 50. ESP traffic can be allowed through an iptables firewall with a -p 50 -j ACCEPT switch

Encapsulating Security Payload (ESP) protocol

What happens if either the ftpusers or user_list file is compromised?

He or she may be able to obtain limited administrative privileges (or more) through them

The following HostKey directives specify Digital Signature Algorithm (DSA) and Rivest Shamir Adleman (RSA) host key files that can be used to help verify the integrity of the host server. SSH won't work unless permissions on these files are limited to the root administrative user:

HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key

Generally, you want to retain user-based authentication. To that end, the following host-based authentication option is disabled by default and should remain that way:

HostbasedAuthentication no
IgnoreRhosts yes

You need to retain the following default option to avoid malicious users who substitute their systems for known systems:

IgnoreUserKnownHosts no

The ____ uses the User Datagram Protocol (UDP) over port 500. IKE traffic can be allowed through an iptables firewall with a -p udp --dport 500 -j ACCEPT switch

Internet Key Exchange (IKE) protocol

Also an Application Layer e-mail protocol, ____ supports client access to remote servers

Internet Message Access Protocol version 4 (IMAP4)

____ is a set of extensions to IP that were developed as part of IPv6 but can be implemented along with IPv4 to allow encryption between two hosts

Internet Protocol Security (IPSec)

What is the key distribution center (KDC) used for?

It is used to distribute cryptographic keys to avoid some of the challenges associated with key exchange

How does IPSec work?

It works at both ends of a connection, tunneling communications through protocols 50 and 51. In tunneling mode, it is a form of virtual private networking

____ is used for authentication across multiple systems.

Kerberos

A ____ is an identity associated with Kerberos tickets. It includes the user, the Kerberos administrator, and the realm

Kerberos principal

A ____ is the proof on one system that verifies the identity of a second system

Kerberos ticket

If coupled with appropriate configuration options in the /etc/exports file, ____ can be used to limit access to authorized clients.

Kerberos tickets

How was the issue with versions of NFS prior to version 4 addressed?

Kerberos—which can at least authenticate client systems. So a malicious user with a portable system won't be able to connect to your NFS shares. Of course, this assumes that the malicious user hasn't found another way to break into a client that already has an NFS-based Kerberos ticket

Why is FTP not generally considered a good option for file transfer?

Lack of encryption

The ListenAddress directive can limit the networks configured for SSH. For example, the following directive looks for and listens to network cards with the noted IP address:

ListenAddress 192.168.10.1

The ____ directive disconnects if a login hasn't happened in the noted time

LoginGraceTime

The ____ directive limits the number of login attempts per connection

MaxAuthTries

A NetBIOS name is commonly assigned on...

Microsoft-style networks and is associated with the Session Layer of the OSI Reference Model of networking

The ____ uses the TCP and UDP over port 4500. NAT traffic can be allowed through an iptables firewall with -p tcp --dport 4500 -j ACCEPT and -p udp --dport 4500 -j ACCEPT switches

Network Address Translation (NAT) traversal protocol

The netbios name directive is associated with the ____ name of a system

Network Basic Input/Output System (NetBIOS)

____ service ensures that all of your systems are synchronized to a single time source, which is crucial for Kerberos because it is very time sensitive

Network Time Protocol (NTP)

After you've set up passphrases, you can change this to no to disable cleartext tunneled passwords:

PasswordAuthentication yes

When passwords are used, they should not be empty, so ensure this directive looks like this:

PermitEmptyPasswords no

The ___ directive should almost always be set to no to minimize the risk of a malicious user decrypting an administrative password sent over a network

PermitRootLogin

Another Application Layer e-mail protocol, ____ supports e-mail client downloads of incoming messages

Post Office Protocol version 3 (POP3)

A ____ is a master server on a Microsoft Windows NT domain that controls and can grant access to a number of computer resources based on the usernames and passwords in its database

Primary Domain Controller (PDC)

Kerberos was developed at the Massachusetts Institute of Technology (MIT) as part of ____, a distributed computing environment still in use at MIT.

Project Athena

To ensure that no one attempts to exploit a vulnerability with SSH version 1, you will need to be explicit about using only version 2 of the protocol. Therefore, most sshd_config files limit access to SSH version 2 with the following directive:

Protocol 2

If you have to administer connections from telephone modems, the standard used is the ____

Remote Authentication Dial In User Service (RADIUS)

Because SSH version 1 has known security weaknesses, most administrators encourage the use of ____

SSH version 2

____ can be used to securely manage domain-based networks

Samba

____ is the Linux implementation of Microsoft's Server Message Block protocol

Samba

____ provides additional protection for vsftp. Directories shared using FTP servers should be labeled with the public_content_t type. If you want to configure a directory for uploads, you'll need to configure that directory with the public_content_rw_t type. The same options work for directories associated with rsync servers

Security Enhanced Linux (SELinux)

An Application Layer e-mail protocol, the ____ is used primarily for outgoing messages from clients

Simple Mail Transfer Protocol (SMTP)

The ____ directive keeps users from setting world-writable files over an SSH connection

StrictModes

One of the values of the SSH server configuration file is its ability to encrypt FTP connections. The following directive supports connections to user home directories with the sftp command:

Subsystem sftp /usr/libexec/openssh/sftp-server

____ determines where logging information is stored. It's normally set to AUTH or AUTHPRIV. The log file for AUTH or AUTHPRIV messages is normally defined in the /etc/syslog.conf file.

SyslogFacility

Explain the following command: $ rsync -e ssh -aHz /home/michael backup.example.org:/backups/

The -e ssh tunnels the backup packets over an SSH connection. If you haven't yet connected to the noted remote system, the remote SSH server prompts for a password or sends a message to verify the passphrase described earlier in this chapter. The -a transmits the files in archive mode. The -H includes hard-linked files in the archive. The -z compresses the data being transmitted, speeding the backup

What is the difference between the Kerberos Realm and the associated uniform resource identifiers (URIs)?

The difference is that if the Kerberos realm on the local network is EXAMPLE.ORG, the domain is example.org. The Kerberos realm is typically the name of the domain for the LAN or enterprise network, in uppercase letters. It's an administrative concept that collects systems together for management and authentication purposes. Every system would belong to a specific Kerberos realm

Explain this:
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/michael/.ssh/id_rsa):

The example in this section sets up an SSH passphrase for logins from a client to a remote server. It starts with the ssh-keygen command, which leads to the messages that follow. Unless you're creating a key for the root administrative user (which is not recommended), these commands should be run from a regular user account. The noted file is the location of the RSA private key. Most users will accept the default location, at which point the next message prompts them for a passphrase

Explain this command: ktutil: addent -password -p [email protected] -k 1 -e rc4-hmac

The addent command at the ktutil prompt adds [email protected] as a Kerberos principal with the -p switch, a unique identity to which a Kerberos server can assign tickets. The -k 1 specifies key version number 1. The -e rc4-hmac specifies an encryption scheme, created by Ron Rivest. The rc4 stands for Ron's code, version 4. (Ron is a reference to Ron Rivest, one of the developers of the RSA algorithm for public key cryptography.) It's associated with the hash-based message authentication code (hmac)

Explain these options:
kdc_timesync = 1
forwardable = true
proxiable = true

The kdc_timesync option keeps the Kerberos server running if there's a temporary problem with the connection to the NTP server. The next two options can help cache and forward Kerberos keys if there's a problem with one of multiple Kerberos servers

Explain the different levels of NTP servers

The lower the number, the closer you are to the atomic clock managed by the National Institute of Standards and Technology. A Stratum 2 server is a second-tier NTP server

Why is FTP still used today?

There are so many legacy processes and applications that use it

Why are passphrases more secure than passwords?

They use private/public key pairs with some large number of bits, typically 1,024 or more. The key pairs are associated with a passphrase

Explain Domain

This assumes the local system has been added to an NT domain. It refers authentication requests to another server

Explain WINS server

This configures a pointer to a running WINS server

Explain Domain Master

This determines whether the local system forces an election for the domain

Explain Preferred Master

This determines whether the local system forces an election for the local network

Explain Local Master

This determines whether the system puts itself up for election

Explain WINS support

This enables a WINS server on the local system.

Explain this command: /backups 192.168.0.0/255.255.255.0(rw,sync)

This is a straightforward share of the /backups/ directory with the systems on the noted IP network address and subnet mask. The rw and sync mean that the share is read-write and reads and writes are done synchronously. Other options are shown in the man pages for the mount command and /etc/exports file

Explain WINS proxy

This redirects WINS requests to a system specified by wins server

Explain OS level

This sets the advertising level for browsing elections. It may be set between 0 and 255

Explain Ads

This sets the local system as a domain member in an Active Directory domain

Explain DNS proxy

This supports NetBIOS name resolution via DNS

Explain Server

This works if the local system has not been added to an NT domain, if a local smbpasswd database is available. It is vulnerable to man-in-the-middle attacks

What is NFS frequently used for?

To share the /home/ directory from a central server

SSL has been superseded by ____

Transport Layer Security (TLS)

The Network File System (NFS) service can be mounted as if it were a local system (T/F)

True

The value given to most Samba directives can be uppercase or lowercase. For example, security = USER works as well as security = user (T/F)

True

Versions of NFS prior to version 4 (NFSv4) may have been more susceptible to unauthorized users gaining access to systems (T/F)

True

In a similar fashion, a Telnet client attempt to connect to a Kerberos-enabled Telnet server works only when appropriate Kerberos server and client options are configured as described earlier in this chapter. Without those settings, a user who attempts to connect to a Kerberos-enabled Telnet server will get the following message before he or she can enter a username or password:

Unencrypted connection refused. Goodbye. Connection closed by foreign host.

Name resolution on Microsoft networks is based on the status of ____ servers and DNS servers

Windows Internet Name Service (WINS)

If you need GUI-based tools, the next directive can be especially valuable. ____ is the name of a protocol associated with the Linux X Window system. It allows you to start and use GUI tools remotely

X11

How can you address the issue of people not wanting to use SSH and want to use Telnet?

You can address this issue on both the client and server. On the client, you can delete or move the commands associated with regular Telnet clients. You could create links between the expected client commands in their expected directory locations and the actual SSL or Kerberos-enabled client commands. For example, the following commands create soft links between the standard Telnet client command and the more secure options described in this section:

# ln -s /usr/bin/telnet-ssl /usr/bin/telnet
# ln -s /usr/kerberos/bin/telnet /usr/bin/telnet

You can also make sure the Telnet server accepts only those connections for which it was designed. The SSL version of Telnet is configured in the internet super server configuration file, /etc/inetd.conf. In that file, you can add the -z secure switch, which accepts only secure connections. If a remote user tries to connect with a regular Telnet client, that person will see the following message before he or she can enter a username or password:

telnetd: [SSL required - connection rejected].
Connection closed by foreign host.

On older systems, what should you do in the directive to mitigate the Kerberos version 4 issues?

You should make sure the following directives are set to false:
krb4_convert = false
krb4_get_tickets = false

A WINS server contains...

a database of NetBIOS names and IP addresses

Nonprivileged users do not have...

administrative permissions that would be found with a superuser, root, or administrative account

The following directive sets up a specific directory for anonymous access to the vsftp server:

anon_root = /secure

An ____ with all such original information can form the basis for a gold baseline

archive rsync-based backup

RADIUS is designed to provide...

authentication, authorization, and accounting for remote users who want to connect to a network service

On a Microsoft network, the ____ collects the domain or workgroup name of every system on the network. But only one system can be a browser at a time on a LAN

browser

One option for uploads is to change the ownership of such files to a specific user, such as nobody or another user configured with minimal privileges. That can reduce the risk of an uploaded script or binary file that otherwise affects the security of the FTP server. Of course, this assumes user nobody is properly configured in the shadow password suite (or other user database) with appropriate minimal privileges:

chown_uploads = yes
chown_username = nobody

One of the risks associated with the rsync command is that it normally transmits data in ____

cleartext

The best passphrases are ____, with uppercase and lowercase characters, numbers, and punctuation

complete sentences

Before NFSv4, there was no user based authentication. As such, a user with a system on the local network could...

connect to NFS directories shared with that network. If that NFS share included a user home directory, all the user needed to do was to set up a client system with the appropriate username and ID number on the local client system. He could then get full access to the other user's home directory files through the remote share

Frequently, administrators like you are responsible for transmitting corporate or organizational policies regarding the use of services like vsftp. If the following directive is enabled, vsftp looks for a hidden .message file in each accessible directory unless overridden by a message_file directive:

dirmessage_enable = yes

IPSec relies on ____ to hide communications over public networks

encapsulation

One of the benefits of SSH is ____

encryption

Related to Kerberos tickets is the ____

generic security services application programming interface (GSSAPI)

The guest ok access can be set to no to prevent users from changing others' scripts. The writable and share modes options shown also limit access to the administrative user:

guest ok = no
writable = no
share modes = no

If the netbios name value is not assigned, the system ____ is used

hostname

If you are configuring a PDC, pay attention to the [netlogon] and [profiles] stanzas in the "Shares Definitions" section of the smb.conf configuration file. These stanzas determine...

how logon information is shared by user

A couple of additional options can work sort of like screensavers. The following options end the connection if no commands or additional file transfer bits are detected in the given number of seconds. Some administrators may prefer to reduce the value of the idle_session_timeout directive:

idle_session_timeout = 600
data_connection_timeout = 120

The interfaces and hosts allow directives can limit access to the Samba server in two ways. The examples shown here limit the interfaces and addresses to which Samba listens. The hosts allow directive can be revised to limit access to a domain or even individual hostnames:

interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
hosts allow = 127. 192.168.12. 192.168.13.

The ____ and ____ allow directives can limit access to the Samba server

interfaces, hosts

Unless otherwise configured, vsftp is actually run as an ____

internet super server service

Policies can be created as defined in the man page for the ____ command

kadmin

To implement it for use with Kerberos, you need to copy it to the /etc/ directory. Now that users have been set up, the next step is to set up keys to connect the local Kerberos server system with desired clients. You can create such keys with the kadmin.local command, which opens a kadmin.local: prompt. The following command sets a random key for a host with the noted fully qualified domain name (FQDN):

kadmin.local: addprinc -randkey host/ubuntuserver.example.org

Kerberos goes beyond basic authentication using a concept known as a ____ to verify the credentials of a user before allowing access to various network services

key distribution center (KDC)

When the basic database is available in the appropriate directory, it's time to set up ____ files, which are pairs of Kerberos principals and clients

keytab

Kerberos version 4 is known to have security issues. Nevertheless, older releases of Kerberos version 5 software enable access using version 4 tickets, courtesy of the ____ command.

krb524init

Once configured on the NFSv4 server, users on Kerberos-authorized client systems will be able to connect to the share. Such users would either need root administrative privileges or require appropriate configuration changes to the /etc/fstab file. These changes should include the ____ option.

krb5i

After keytab files have been created for all desired users, the next step is to merge keytab files into the /etc/krb5.keytab file. First, the following commands read keytab files for users michael and donna into local memory:

ktutil: read_kt michael.keytab
ktutil: read_kt donna.keytab

The keys can then be written to a local keytab file. The following commands write it to the michael.keytab file in the local directory:

ktutil: wkt michael.keytab

Then the following command writes those keytab files to the krb5.keytab file in the local directory:

ktutil: write_kt krb5.keytab

It's safer to run vsftp as its own service, with its own control script in the /etc/init.d/ directory. Both Ubuntu and Red Hat versions of vsftp make this possible with the following directive:

listen = yes

If the vsftp server is to work on an Internet Protocol version 6 (IPv6) network, you could configure the following alternative directive. Just be aware that vsftp won't work with both versions of the listen directive:

listen_ipv6 = yes

The following options load CUPS printers and configure raw data for processing by Microsoft printer drivers:

load printers = yes
cups options = raw

If the objective is to keep systems on a local area network (LAN) in sync with each other, it may be best to configure an NTP server on a ____

local network

It may be helpful to set up logs by different machines. The following directives would set up log files by NetBIOS name or IP address. The max log size directive sets a limit on log files, in kilobytes.

log file = /var/log/samba/%m.log
max log size = 50

Profiles can be enabled with the logon path directive. For example, the following directive specifies a shared profile/ directory on some server named authentication. The %U means user profile information is stored in a subdirectory named for the user:

logon path = \\authentication\profile\%U

Local Samba servers can be configured to send and receive login information from Microsoft systems. To that end a Samba-enabled Linux system can be configured as if it were a Microsoft client. Login scripts can be configured for machines and users with the logon script directive:

logon script = %m.bat
logon script = %u.bat

The browser control options include directives that drive which system is assigned as the ____ on a Microsoft network

master browser

The most secure systems start from a...

minimal installation with an absolute minimum of services

Generally, NFS directories should rarely if ever be exported with the ____ option, as that would allow root administrative access to the shared directory

no_root_squash

A ____ is an account with standard end-user operating system permissions

nonprivileged user

If you want to specifically set a nonprivileged user, the following directive can help:

nopriv_user = nobody

Running fewer services on a system requires a reduced amount of resources. Fewer running services also means there are...

not as many ways for attackers or malicious users to compromise or misuse the resources on the system

Alternatively, if you want to use an LDAP database, set ____

passdb backend = ldapsam

Because the domain, server, and ads options require access to some other system for authentication, they won't work without the ____ directive to point to the FQDN or IP address of that server

password server

The [profiles] stanza is used to allow users to log on from different workstations. The profiles in the noted path directory allow users with Microsoft clients to have the same look and feel on each workstation. Profiles may be stored in username-specific subdirectories, as defined by the path:

path = /home/samba/profiles/%U

If you want to configure a Windows NT-style PDC, pay attention to the security directive described earlier. It works with the [netlogon] and [profiles] stanzas in the "Share Definitions" section of the smb.conf configuration file. The [netlogon] stanza is for storage of user-specific Microsoft logon scripts. The path directive determines the directory where those scripts are stored. It's associated with the username, based on the logon script directive described earlier:

path = /var/lib/samba/netlogon

In addition to using SSH to configure interactive username/password connections, you may also automate the SSH connection process through the use of ____

public/private key pairs

IPSec encryption depends on the IKE service, sometimes known as ____

racoon

The next three directives allow users to change profiles and write those changes. To set up standard profiles, you may choose to set read only = yes:

read only = no
create mask = 0600
directory mask = 0700

If you've set up a Kerberos server with an Active Directory, use the ____ directive to specify the name of the Kerberos realm

realm

The ____ command is frequently used for backups

rsync

To generate a Samba configuration for a server that will act as an Active Directory server, you can run the ____. It will step you through all of the settings by asking questions

samba-tool

The ____ command will create the smb configuration file for you

samba-tool domain provision

If the objective is to keep systems on remote networks in sync, it may make more sense to configure connections to the...

same remote NTP servers, or perhaps two NTP servers equally distant from the target networks.

Several SSH client commands are made available when the SSH client package is installed. These commands include ____ for secure copying

scp

Why is the scp command better than using FTP?

scp is encrypted. No credentials are passed in the clear over the network.

The scp command can copy a file over an SSH connection. If you run a command like the following, expect to be prompted for the noted user's password or passphrase on the remote system:

scp localfile [email protected]:/backups/

Security-conscious professionals should almost never set ____, as that allows access to shared directories for users without accounts

security = share

Security-conscious professionals should almost never set security = share, as that allows access to shared directories for users without accounts. All they need is the password for the shared directory. So for a standalone server, a PDC, or a BDC, you want to set up the following directives:

security = user
passdb backend = smbpasswd

The IMAP4 and POP3 protocols ____ e-mail to clients

serve

Once installed, NTP services are easy to configure. The default versions of NTP installed for both Red Hat and Ubuntu systems include a server directive with the URL of an associated NTP server. Examples include the following:

server 0.rhel.pool.ntp.org
server ntp.ubuntu.com

Anonymous FTP connections are not allowed with the ____ command

sftp

Several SSH client commands are made available when the SSH client package is installed. These commands include ____ for encrypted connections to FTP servers

sftp

Several SSH client commands are made available when the SSH client package is installed. These commands include ____ for client connections

ssh

The most straightforward way to log into a remote system is with the ____ command

ssh user@hostname

The standard SSH server configuration file is ____, in the /etc/ssh/ directory

sshd_config

The Samba user password database is separate from the Linux password database, and is stored in files in the /etc/samba/ directory. In the configuration shown, it's stored in the smbpasswd file. If set to ____, user-account information is stored in the passdb.tdb file.

tdbsam

The smbpasswd and ____ options allow administrators to set up or change user passwords with the smbpasswd command

tdbsam

The most straightforward way to log into a remote system is with the ssh user@hostname command. If no username is specified, the ssh command assumes...

the current user account on the local system also applies on the remote system

The list of users in the ftpusers and user_list files are based on...

the default set of service users. In other words, it includes users with user IDs (UIDs) below 100, 500, or 1000, depending on the distribution

The Kerberos server that grants TGTs is known as a ____, which works hand in hand with the KDC. The configuration that follows sets up both functions on a single system.

ticket-granting server (TGS)

When verified, the KDC issues a ____, a sort of time-limited super-ticket that supports access to other systems without additional authentication

ticket-granting ticket (TGT)

The SMTP protocol ____ e-mail from clients

transmits

While many FTP server options are available, ____ is the server used by Red Hat, SUSE, Debian, and even the developers of the Linux kernel.

vsftp

The standard vsftp configuration file is ____

vsftpd.conf

Samba uses the ____ directive to specify the name of the network of the noted group of computers

workgroup

As shown here, the workgroup directive is normally coupled with the server string and netbios name directives. The example shown returns Samba Server Version followed by the version number of the Samba server, as specified by the %v. It's shown as a comment in a Microsoft My Network Places window or in the output of a Microsoft net view or a Samba smbclient -L command:

workgroup = bigdomain
server string = Samba Server Version %v
netbios name = trivialinfo

Given the popularity of many anonymous FTP services, logging information about uploads and downloads may be useful. It's activated with the xferlog_enable directive:

xferlog_enable = yes
