Chapter 8 (Linux)
Run the following command to create the Kerberos database:
# kdb5_util create
On Ubuntu systems, an IPSec host-to-host connection begins in the /etc/ipsec-tools.conf file. The script shown here is based on the setkey -f command, on a host with IP address 192.168.0.100. This file creates security policy database (SPD) entries for a host-to-host connection from IP address 192.168.0.100 to 10.0.0.100. It first flushes any previous security association database (SAD) entries (flush) and SPD policies (spdflush):
#!/usr/sbin/setkey -f
flush;
spdflush;
The following command takes the contents of user Michael's home directory recursively (with all subdirectories) and sends it to the remote system named backup.example.org in the /backups/ subdirectory:
$ rsync -e ssh -aHz /home/michael backup.example.org:/backups/
If you want to log in remotely with X11 forwarding, use ssh's ___ switch
-X
For regular NFS shares, the standard configuration includes domain names or IP addresses along with mount options. For example, the following directive is a typical regular NFS share directive:
/backups 192.168.0.0/255.255.255.0(rw,sync)
If the packages for NFSv4 are installed, you can set up a share similar to the following, which grants access only to clients that hold a ticket from the Kerberos server. The gss/krb5i client form is the older syntax; current exports files put a sec=krb5i option on a normal client entry instead:
/backups gss/krb5i(sync,rw)
Shared NFS directories are configured in the ____ file
/etc/exports
When installed on an Ubuntu system, configuration options are commented into a number of files in the ____ directory. On some other systems, you'll find these files in the ____ directory
/etc/freeradius/, /etc/raddb/
Any changes made to ____ should be matched with changes either to the Domain Name System (DNS) database or the /etc/hosts files for each applicable system
/etc/krb5.conf
Red Hat systems specifically cite /etc/vsftpd/ftpusers in the associated pluggable authentication module (PAM) configuration file, ____
/etc/pam.d/vsftpd
The Samba user password database is separate from the Linux password database, and is stored in files in the ____ directory
/etc/samba/
If you forget that database password, you'll have to delete the files in the ____ or ____ directories (depending on distribution) before re-creating the database by rerunning this command (# kdb5_util create)
/var/lib/krb5kdc/, /var/kerberos/krb5kdc/
What steps must you take to create a Kerberos ticket for a system?
1. Access the kadmin: prompt with administrative privileges with the kadmin command. For the Kerberos administrative key created earlier, you'd access the kadmin: prompt with the following command:
# kadmin michael/[email protected]
2. Add a random NFS key for the client system with the following command. If your domain and realms are different, change the command accordingly:
kadmin: addprinc -randkey nfs/[email protected]
3. Enter the next command to add this key to the keytab for the local server (xst is an alias for ktadd):
kadmin: xst nfs/[email protected]
This section includes many of the same directives as the "Standalone Server Options" section. In this [global] part of the file, directives should be used only once. Three options are noted in this section for the security directive:
1. Domain 2. Server 3. Ads
Different port and protocol numbers are used for IPSec connections. Assuming a firewall is configured on each network, you'll have to make sure these ports and protocols are open on the respective networks:
1. Encapsulating Security Payload (ESP) protocol 2. Authentication Header (AH) protocol 3. Internet Key Exchange (IKE) protocol 4. Network Address Translation (NAT) traversal protocol
RADIUS can work with a variety of such databases, including:
1. LDAP 2. Network Information Service (NIS) 3. Microsoft's Active directory 4. Novell's eDirectory 5. Local shadow password suite
With its archive features (the -a switch), the rsync command can back up more than just the contents of regular files. It also preserves the following:
1. Ownership by users and groups 2. Modification times 3. Permissions 4. Symbolic links between files
RADIUS authentication uses systems such as?
1. Password Authentication Protocol (PAP) 2. Challenge-Handshake Authentication Protocol (CHAP) 3. Extensible Authentication Protocol (EAP)
Standard e-mail clients connect to servers using three major protocols:
1. SMTP 2. POP3 3. IMAP4
The relevant directives regarding the Master Browser are as follows:
1. domain master 2. local master 3. os level 4. preferred master
Two other configuration files are directly used for the vsftp service, which can help prevent malicious users from using privileges at least on the vsftp server:
1. ftpusers 2. user_list
If the netbios name directive is not set, Samba defaults to the hostname of the system. The basic WINS directives in this section are straightforward:
1. wins support 2. wins server 3. wins proxy 4. dns proxy
What is the standard SSH port number?
22
What is the ticket-granting ticket (TGT)?
A pass that assures other servers that you have been authenticated
What is a Master Browser?
A system assigned to maintain a database of NetBIOS names and their services, such as domain or workgroup membership.
Generally, secure FTP servers do not allow ____ mode transfers, as they can lead to denial of service (DoS) attacks (in vsftp, ascii_upload_enable and ascii_download_enable stay at NO; otherwise the server has to convert line endings on every read, so a SIZE request on a large file in that mode can tie up the server)
American Standard Code for Information Interchange (ASCII)
If you've set up a Kerberos server, you can change some of these default Kerberos options for Kerberos or regular passwords. Methods to do so include Kerberos tickets or ____ tokens
Andrew Filesystem (AFS)
The ____ uses protocol 51. AH traffic can be allowed through an iptables firewall with a -p 51 -j ACCEPT switch
Authentication Header (AH) protocol
The ____ directive specifies the location of authorized SSH keys in each user's home directory
AuthorizedKeysFile
A ____ is a backup for a PDC on a Microsoft Windows NT domain.
Backup Domain Controller (BDC)
If login banners are used to transmit corporate or organizational policies for remote users, you'll want to activate the following directive and enter those policies in the /etc/issue.net file:
Banner /etc/issue.net
If you use Kerberos for network authentication, why does it require the installation of Kerberos software on both the client and the server?
Because services such as telnet, which normally send usernames and passwords in cleartext, are protected only when Kerberos is installed and configured on both ends
If you need SSH connections over a telephone modem, you may consider activating this option (setting it to yes). Be aware, however, that it interacts with PAM. In OpenSSH 8.7 and later the directive is named KbdInteractiveAuthentication, and ChallengeResponseAuthentication remains only as a deprecated alias:
ChallengeResponseAuthentication no
By default, a Samba server shares printers configured using the ____ over the Windows network
Common Unix Printing System (CUPS)
On Red Hat systems, IPSec host-to-host connections are configured in two files in the /etc/sysconfig/network-scripts/ directory. One is ifcfg-host, where host is the name of the host-to-host device. The configuration is simple, including just four directives:
DST=192.168.122.127
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
The ____ uses protocol 50. ESP traffic can be allowed through an iptables firewall with a -p 50 -j ACCEPT switch
Encapsulating Security Payload (ESP) protocol
What happens if either the ftpusers or user_list file is compromised?
A malicious user may be able to obtain limited administrative privileges (or more) through them, since those files decide which accounts are refused FTP logins
The following HostKey directives specify Digital Signature Algorithm (DSA) and Rivest Shamir Adleman (RSA) host key files, which clients use to verify the identity of the server. sshd refuses to use a private key file whose permissions are not limited to the root administrative user. DSA host keys have been disabled by default since OpenSSH 7.0; current installations use RSA, ECDSA and Ed25519 host keys (ssh_host_ecdsa_key, ssh_host_ed25519_key) instead:
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
Generally, you want to retain user-based authentication. To that end, the following host-based authentication option is disabled by default and should remain that way:
HostbasedAuthentication no
IgnoreRhosts yes
You need to retain the following default option to avoid malicious users who substitute their systems for known systems:
IgnoreUserKnownHosts no
The ____ uses the User Datagram Protocol (UDP) over port 500. IKE traffic can be allowed through an iptables firewall with a -p udp --dport 500 -j ACCEPT switch
Internet Key Exchange (IKE) protocol
Also an Application Layer e-mail protocol, ____ supports client access to remote servers
Internet Message Access Protocol version 4 (IMAP4)
____ is a set of extensions to IP that were developed as part of IPv6 but can be implemented along with IPv4 to allow encryption between two hosts
Internet Protocol Security (IPSec)
What is the key distribution center (KDC) used for?
It is used to distribute cryptographic keys to avoid some of the challenges associated with key exchange
How does IPSec work?
It works at both ends of a connection, tunneling communications through protocols 50 and 51. In tunneling mode, it is a form of virtual private networking
____ is used for authentication across multiple systems.
Kerberos
A ____ is an identity associated with Kerberos tickets. It is written primary/instance@REALM: the primary is a username or a service name (such as nfs or host), the optional instance qualifies it (admin for an administrator, or a fully qualified hostname for a service), and the realm names the Kerberos realm
Kerberos principal
A ____ is the proof on one system that verifies the identity of a second system
Kerberos ticket
If coupled with appropriate configuration options in the /etc/exports file, ____ can be used to limit access to authorized clients.
Kerberos tickets
How does NFSv4 address the weakness of versions of NFS prior to version 4?
With Kerberos, which can at least authenticate client systems. So a malicious user with a portable system won't be able to connect to your NFS shares. Of course, this assumes that the malicious user hasn't found another way to break into a client that already holds an NFS-related Kerberos ticket
Why is FTP not generally considered a good option for file transfer?
Lack of encryption
The ListenAddress directive can limit the networks configured for SSH. For example, the following directive looks for and listens to network cards with the noted IP address:
ListenAddress 192.168.10.1
____ directive disconnects if a login hasn't happened in the noted time
LoginGraceTime
The ____ directive limits the number of login attempts per connection
MaxAuthTries
A NetBIOS name is commonly assigned on...
Microsoft-style networks and is associated with the Session Layer of the OSI Reference Model of networking
The ____ uses UDP over port 4500 (RFC 3948); there is no TCP variant. NAT-T traffic can be allowed through an iptables firewall with a -p udp --dport 4500 -j ACCEPT switch
Network Address Translation (NAT) traversal protocol
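The following added example (not code from the original chapter) checks an iptables-save dump for the four IPsec allow rules listed in the ESP, AH, IKE and NAT traversal cards above, prints the components that are missing for one peer, and emits the corrected rule set. The peer address 10.0.0.100 and the sample dump are constructed for the example; the dump deliberately opens port 4500 on TCP instead of UDP so that the check catches that mistake.

```shell
#!/bin/sh
# Added example, not from the original chapter: check a saved iptables ruleset
# (iptables-save format) for the four IPsec allow rules, for one peer, and
# emit the corrected rules. Peer address and sample dump are constructed.

# Regex fragment that identifies an allow rule for one IPsec component.
# ESP is IP protocol 50, AH is 51, IKE is UDP 500, NAT-T is UDP 4500
# (RFC 3948; there is no TCP variant, so "-p tcp --dport 4500" is a bug).
ipsec_rule_pattern() {
    case "$1" in
        esp)   echo '-p (esp|50) ' ;;
        ah)    echo '-p (ah|51) ' ;;
        ike)   echo '-p udp .*--dport 500 ' ;;
        nat-t) echo '-p udp .*--dport 4500 ' ;;
        *)     echo "unknown component: $1" >&2; return 1 ;;
    esac
}

# Print, one per line, the components (esp ah ike nat-t) that have no INPUT
# ACCEPT rule for PEER in the iptables-save file RULES. Always returns 0.
ipsec_firewall_gaps() {
    local peer_re rules name pat
    peer_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    rules="$2"
    for name in esp ah ike nat-t; do
        pat=$(ipsec_rule_pattern "$name")
        if ! grep -E "^-A INPUT .*-s ${peer_re}(/32)? .*${pat}.*-j ACCEPT$" "$rules" >/dev/null; then
            echo "$name"
        fi
    done
    return 0
}

# Emit the complete allow set for PEER in iptables-save format. Load it with
# "iptables-restore -n" or prefix each line with "iptables" to apply it live.
ipsec_allow_rules() {
    local peer="$1"
    printf '%s\n' "-A INPUT -s $peer/32 -p esp -j ACCEPT"
    printf '%s\n' "-A INPUT -s $peer/32 -p ah -j ACCEPT"
    printf '%s\n' "-A INPUT -s $peer/32 -p udp -m udp --dport 500 -j ACCEPT"
    printf '%s\n' "-A INPUT -s $peer/32 -p udp -m udp --dport 4500 -j ACCEPT"
}

# Constructed sample dump: ESP and IKE are allowed, AH is missing, and NAT-T
# was mistakenly opened on TCP instead of UDP.
make_sample_iptables_dump() {
    local f
    f=$(mktemp)
    cat >"$f" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.100/32 -p esp -j ACCEPT
-A INPUT -s 10.0.0.100/32 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -s 10.0.0.100/32 -p tcp -m tcp --dport 4500 -j ACCEPT
COMMIT
EOF
    echo "$f"
}

# Stand-alone run: report the gaps for peer 10.0.0.100, then print the fix.
dump=$(make_sample_iptables_dump)
echo "missing IPsec allow rules for 10.0.0.100:"
ipsec_firewall_gaps 10.0.0.100 "$dump"
echo "corrected rule set:"
ipsec_allow_rules 10.0.0.100
rm -f "$dump"
```

On a real system feed the check with the output of `iptables-save`; the same rules are needed in the OUTPUT direction (or a RELATED,ESTABLISHED rule) for the local host to answer, and a tunnel-mode gateway also needs FORWARD rules for the protected subnets.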
The netbios name directive is associated with the ____ name of a system
Network Basic Input/Output System (NetBIOS)
____ service ensures that all of your systems are synchronized to a single time source, which is crucial for Kerberos because it is very time sensitive
Network Time Protocol (NTP)
After you've set up passphrases, you can change this to no to disable cleartext tunneled passwords:
PasswordAuthentication yes
When passwords are used, they should not be empty, so ensure this directive looks like this:
PermitEmptyPasswords no
The ___ directive should almost always be set to no, so that a malicious user cannot target the root account directly (the username always exists, and a guessed or stolen root password would give immediate full control). Administrators log in as a regular user and escalate with su or sudo instead. The OpenSSH default since 7.0 is prohibit-password, which still allows key-based root logins; no disables remote root logins entirely
PermitRootLogin
Another Application Layer e-mail protocol, ____ supports e-mail client downloads of incoming messages
Post Office Protocol version 3 (POP3)
A ____ is a master server on a Microsoft Windows NT domain that controls and can grant access to a number of computer resources based on the usernames and passwords in its database
Primary Domain Controller (PDC)
Kerberos was developed at the Massachusetts Institute of Technology (MIT) as part of ____, a distributed computing environment still in use at MIT.
Project Athena
To ensure that no one can exploit the weaknesses of SSH protocol version 1, be explicit about using only version 2 of the protocol. Older sshd_config files therefore limit access to SSH version 2 with the following directive. OpenSSH 7.6 and later no longer support version 1 at all and treat the directive as deprecated (it is logged and ignored):
Protocol 2
If you have to administer connections from telephone modems, the standard used is the ____
Remote Authentication Dial In User Service (RADIUS)
Because SSH version 1 has known security weaknesses, most administrators encourage the use of ____
SSH version 2
____ can be used to securely manage domain-based networks
Samba
____ is the Linux implementation of Microsoft's Server Message Block protocol
Samba
____ provides additional protection for vsftp. Directories shared using FTP servers should be labeled with the public_content_t type. If you want to configure a directory for uploads, you'll need to configure that directory with the public_content_rw_t type. The same options work for directories associated with rsync servers
Security Enhanced Linux (SELinux)
An Application Layer e-mail protocol, the ____ is used primarily for outgoing messages from clients
Simple Mail Transfer Protocol (SMTP)
The ____ directive makes sshd check that a user's home directory, .ssh directory and key files are not group- or world-writable before accepting key-based logins, so a user cannot be impersonated by someone who can write to those files
StrictModes
One of the values of the SSH server configuration file is its ability to provide encrypted file transfer. The following directive enables the SFTP subsystem, an SSH-native file transfer protocol (not FTP wrapped in SSH) used by the sftp command for connections to user home directories. On Debian and Ubuntu the helper lives at /usr/lib/openssh/sftp-server:
Subsystem sftp /usr/libexec/openssh/sftp-server
____ determines where logging information is stored. It's normally set to AUTH or AUTHPRIV. The log file for AUTH or AUTHPRIV messages is normally defined in the /etc/syslog.conf file (or /etc/rsyslog.conf on systems that use rsyslog).
SyslogFacility
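As an added example (not code from the original chapter), the following script audits an sshd_config against the directives discussed in the cards above (PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords, HostbasedAuthentication, IgnoreRhosts, StrictModes) and checks that a host key file is not group- or world-readable. The list of expected values and the sample sshd_config are constructed assumptions. It reproduces sshd's first-occurrence-wins parsing, which matters in practice: a hardening line appended to the end of a file that already sets the same directive has no effect.

```shell
#!/bin/sh
# Added example, not from the original chapter: audit an sshd_config against
# the hardening directives discussed above, and check HostKey permissions.
# The expected values and the sample sshd_config are constructed.

# Directive/value pairs this audit expects. "Protocol 2" is left out on
# purpose: OpenSSH removed SSH-1 in 7.6, so the directive is obsolete now.
sshd_expected() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
StrictModes yes
EOF
}

# Print the effective value of directive KEY in FILE. sshd keywords are
# case-insensitive and the FIRST occurrence wins; later duplicates are
# ignored, and anything after a Match block is conditional, so stop there.
sshd_value() {
    local file="$1" key
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"       { exit }
        tolower($1) == key           { print $2; exit }
    ' "$file"
}

# Emit one line per deviation: "KEY expected=X actual=Y" (actual=unset when
# the directive is absent, meaning the compiled-in default applies).
# Always returns 0 so the caller decides whether a finding is fatal.
audit_sshd_config() {
    local file="$1" key want got
    sshd_expected | while read -r key want; do
        got=$(sshd_value "$file" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$got" ]; then got=unset; fi
        if [ "$got" != "$want" ]; then
            echo "$key expected=$want actual=$got"
        fi
    done
    return 0
}

# sshd refuses to load a HostKey (and, with StrictModes, a user's key files)
# that is group- or world-accessible. Portable check via ls: the six group
# and other permission characters must all be "-". Returns 0 when safe.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: root login allowed, and a duplicated
# PasswordAuthentication whose first (weak) value wins. The Match block
# must not affect the global audit.
make_sample_sshd_config() {
    local f
    f=$(mktemp)
    cat >"$f" <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
ListenAddress 192.168.10.1
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
StrictModes yes
Banner /etc/issue.net
Match User backup
    PermitRootLogin no
EOF
    echo "$f"
}

# Stand-alone run: audit the sample and check a sample key file's mode.
cfg=$(make_sample_sshd_config)
audit_sshd_config "$cfg"
key=$(mktemp)
chmod 600 "$key"
if key_perms_ok "$key"; then echo "$key: host key permissions OK"; fi
rm -f "$cfg" "$key"
```

On a live server, `sshd -T` prints the effective configuration after defaults and Match blocks are applied and is the authoritative answer; this script is for reviewing a file before it is deployed.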
Explain the following command: $ rsync -e ssh -aHz /home/michael backup.example.org:/backups/
The -e ssh tunnels the backup over an SSH connection. On the first connection to the noted remote system, ssh asks you to confirm the remote host key; after that, the remote SSH server prompts for a password or for the passphrase of the key described earlier in this chapter. The -a transmits the files in archive mode. The -H preserves hard links between files in the archive. The -z compresses the data being transmitted, speeding the backup
What is the difference between the Kerberos realm and the associated DNS domain name?
If the Kerberos realm on the local network is EXAMPLE.ORG, the DNS domain is example.org. The Kerberos realm is typically the name of the domain for the LAN or enterprise network, in uppercase letters (realm names are case sensitive, so the uppercase form matters). It's an administrative concept that collects systems together for management and authentication purposes. Every system belongs to a specific Kerberos realm
Explain this:
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/michael/.ssh/id_rsa):
The example in this section sets up an SSH key pair with a passphrase for logins from a client to a remote server. It starts with the ssh-keygen command, which leads to the messages that follow. Unless you're creating a key for the root administrative user (which is not recommended), these commands should be run from a regular user account. The noted file is the location of the RSA private key; the matching public key is written next to it as id_rsa.pub. (On OpenSSH 9.5 and later, ssh-keygen without -t generates an Ed25519 key pair, id_ed25519, by default.) Most users accept the default location, at which point the next message prompts them for a passphrase
Explain this command:
ktutil: addent -password -p [email protected] -k 1 -e rc4-hmac
The addent command at the ktutil prompt adds a keytab entry for [email protected], identified with the -p switch, a Kerberos principal (a unique identity to which a Kerberos server can assign tickets). The -password switch means ktutil derives the key from a password you type at the prompt. The -k 1 specifies key version number 1. The -e rc4-hmac specifies the encryption type: the RC4 stream cipher created by Ron Rivest (rc4 stands for Ron's Code, version 4; Rivest is one of the developers of the RSA algorithm for public key cryptography), combined with a hash-based message authentication code (hmac). RC4-HMAC is deprecated for Kerberos (RFC 8429) and should be replaced with an AES type such as aes256-cts-hmac-sha1-96 wherever the KDC and clients support it
Explain these options:
kdc_timesync = 1
forwardable = true
proxiable = true
The kdc_timesync option tells the Kerberos client library to record the difference between the local clock and the time returned by the KDC and to correct for it in later requests, so authentication keeps working despite moderate clock skew (it does not replace NTP). The next two options request tickets that can be forwarded or proxied to another host, so that, for example, a user who logs in to one Kerberized server can use that ticket from there to reach a second service without authenticating again
Explain the different levels of NTP servers
NTP servers are arranged in strata. Stratum 0 is a reference clock (an atomic clock or a GPS receiver); a Stratum 1 server is directly attached to one, a Stratum 2 server synchronizes to a Stratum 1 server, and so on. The lower the number, the closer you are to the reference clock. Public Stratum 1 servers are run by organizations such as the National Institute of Standards and Technology
Why is FTP still used today?
There are so many legacy processes and applications that use it
Why are passphrases more secure than passwords?
They use private/public key pairs of a large size, typically 2,048 bits or more for RSA (1,024-bit RSA keys are no longer considered adequate) or an Ed25519 key. The private key is protected by the passphrase, so an attacker needs both the key file and the passphrase, and the passphrase itself never crosses the network
Explain Domain
This assumes the local system has been added to an NT domain. It refers authentication requests to another server
Explain WINS server
This configures a pointer to a running WINS server
Explain Domain Master
This determines whether the local system forces an election for the domain
Explain Preferred Master
This determines whether the local system forces an election for the local network
Explain Local Master
This determines whether the system puts itself up for election
Explain WINS support
This enables a WINS server on the local system.
Explain this command: /backups 192.168.0.0/255.255.255.0(rw,sync)
This is a straightforward share of the /backups/ directory with the systems on the noted IP network address and subnet mask. The rw and sync mean that the share is read-write and reads and writes are done synchronously. Other options are shown in the man pages for the mount command and /etc/exports file
Explain WINS proxy
This redirects WINS requests to a system specified by wins server
Explain OS level
This sets the advertising level for browsing elections. It may be set between 0 and 255
Explain Ads
This sets the local system as a domain member in an Active Directory domain
Explain DNS proxy
This supports NetBIOS name resolution via DNS
Explain Server
This works if the local system has not been added to an NT domain, if a local smbpasswd database is available. It is vulnerable to man-in-the-middle attacks
What is NFS frequently used for?
To share the /home/ directory from a central server
SSL has been superseded by ____
Transport Layer Security (TLS)
A Network File System (NFS) share can be mounted as if it were a local filesystem (T/F)
True
The value given to most Samba directives can be uppercase or lowercase. For example, security = USER works as well as security = user (T/F)
True
Versions of NFS prior to version 4 (NFSv4) may have been more susceptible to unauthorized users gaining access to systems (T/F)
True
In a similar fashion, a Telnet client attempt to connect to a Kerberos-enabled Telnet server works only when appropriate Kerberos server and client options are configured as described earlier in this chapter. Without those settings, a user who attempts to connect to a Kerberos-enabled Telnet server will get the following message before he or she can enter a username or password:
Unencrypted connection refused. Goodbye.
Connection closed by foreign host.
Name resolution on Microsoft networks is based on the status of ____ servers and DNS servers
Windows Internet Name Service (WINS)
If you need GUI-based tools, the next directive can be especially valuable. ____ is the name of a protocol associated with the Linux X Window system. It allows you to start and use GUI tools remotely
X11
How can you address the issue of people who do not want to use SSH and want to use Telnet instead?
You can address this issue on both the client and the server. On the client, you can delete or move the commands associated with regular Telnet clients. You can then create links from the expected client command locations to the actual SSL- or Kerberos-enabled client commands. For example, one of the following commands (depending on which secure client is installed) creates a soft link from the standard Telnet client path to the more secure option described in this section:
# ln -s /usr/bin/telnet-ssl /usr/bin/telnet
# ln -s /usr/kerberos/bin/telnet /usr/bin/telnet
You can also make sure the Telnet server accepts only those connections for which it was designed. The SSL version of Telnet is configured in the internet super server configuration file, /etc/inetd.conf. In that file, you can add the -z secure switch, which accepts only secure connections. If a remote user tries to connect with a regular Telnet client, that person will see the following message before he or she can enter a username or password:
telnetd: [SSL required - connection rejected].
Connection closed by foreign host.
On older systems, what should you do in the directive to mitigate the Kerberos version 4 issues?
You should make sure the following directives are set to false: krb4_convert = false krb4_get_tickets = false
A WINS server contains...
a database of NetBIOS names and IP addresses
Nonprivileged users do not have...
administrative permissions that would be found with a superuser, root, or administrative account
The following directive sets up a specific directory for anonymous access to the vsftp server:
anon_root = /secure
An ____ with all such original information can form the basis for a gold baseline
archive rsync-based backup
RADIUS is designed to provide...
authentication, authorization, and accounting for remote users who want to connect to a network service
On a Microsoft network, the ____ collects the domain or workgroup name of every system on the network. But only one system can be a browser at a time on a LAN
browser
One option for uploads is to change the ownership of such files to a specific user, such as nobody or another user configured with minimal privileges. That can reduce the risk of an uploaded script or binary file that otherwise affects the security of the FTP server. Of course, this assumes user nobody is properly configured in the shadow password suite (or other user database) with appropriate minimal privileges:
chown_uploads = yes
chown_username = nobody
One of the risks associated with the rsync command is that it normally transmits data in ____
cleartext
The best passphrases are ____, with uppercase and lowercase characters, numbers, and punctuation
complete sentences
Before NFSv4, there was no user based authentication. As such, a user with a system on the local network could...
connect to NFS directories shared with that network. If that NFS share included a user home directory, all the user needed to do was to set up a client system with the appropriate username and ID number on the local client system. He could then get full access to the other user's home directory files through the remote share
Frequently, administrators like you are responsible for transmitting corporate or organizational policies regarding the use of services like vsftp. If the following directive is enabled, vsftp looks for a hidden .message file in each accessible directory unless overridden by a message_file directive:
dirmessage_enable = yes
IPSec relies on ____ to hide communications over public networks
encapsulation
One of the benefits of SSH is ____
encryption
Related to Kerberos tickets is the ____
generic security services application programming interface (GSSAPI)
The guest ok access can be set to no to prevent users from changing others' scripts. The writable and share modes options shown also limit access to the administrative user:
guest ok = no
writable = no
share modes = no
If the netbios name value is not assigned, the system ____ is used
hostname
If you are configuring a PDC, pay attention to the [netlogon] and [profiles] stanzas in the "Shares Definitions" section of the smb.conf configuration file. These stanzas determine...
how logon information is shared by user
A couple of additional options can work sort of like screensavers. The following options end the connection if no commands or additional file transfer bits are detected in the given number of seconds. Some administrators may prefer to reduce the value of the idle_session_timeout directive:
idle_session_timeout = 600
data_connection_timeout = 120
The interfaces and hosts allow directives can limit access to the Samba server in two ways. The examples shown here limit the interfaces and addresses to which Samba listens. The hosts allow directive can be revised to limit access to a domain or even individual hostnames:
interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
hosts allow = 127. 192.168.12. 192.168.13.
The ____ and ____ allow directives can limit access to the Samba server
interfaces, hosts
Unless otherwise configured, vsftp is actually run as an ____
internet super server service
Policies can be created as defined in the man page for the ____ command
kadmin
To implement it for use with Kerberos, you need to copy it to the /etc/ directory. Now that users have been set up, the next step is to set up keys to connect the local Kerberos server system with desired clients. You can create such keys with the kadmin.local command, which opens a kadmin.local: prompt. The following command sets a random key for a host with the noted fully qualified domain name (FQDN):
kadmin.local: addprinc -randkey host/ubuntuserver.example.org
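As an added example (not code from the original chapter), the following functions parse a principal name into its primary, instance and realm, and check that a service principal like the one created above uses a fully qualified hostname and a realm that matches the upper-cased DNS domain, the naming convention described in the realm card. The principals used are constructed for the example, and the domain-to-realm rule is the usual convention (what a default domain_realm mapping produces) rather than a Kerberos requirement.

```shell
#!/bin/sh
# Added example, not from the original chapter: parse Kerberos principals of
# the form primary/instance@REALM and sanity-check service principals before
# running addprinc. All principals below are constructed for the example.

# Print "primary instance realm" for PRINCIPAL, using "-" for a missing
# instance or realm. Returns 1 when the primary is empty.
krb_principal_parse() {
    local p="$1" primary instance realm
    case "$p" in
        *@*) realm="${p##*@}"; p="${p%@*}" ;;
        *)   realm="-" ;;
    esac
    case "$p" in
        */*) primary="${p%%/*}"; instance="${p#*/}" ;;
        *)   primary="$p"; instance="-" ;;
    esac
    [ -n "$primary" ] || return 1
    echo "$primary ${instance:--} ${realm:--}"
}

# Realm that the conventional domain_realm mapping derives for FQDN: the DNS
# domain (everything after the first label), in upper case. Assumption: one
# realm per DNS domain, which is the common layout, not a Kerberos rule.
krb_realm_for_fqdn() {
    printf '%s' "${1#*.}" | tr 'a-z' 'A-Z'
}

# Check a service principal such as nfs/client.example.org@EXAMPLE.ORG.
# Prints a reason and returns 1 on the first problem found, else prints ok.
krb_service_principal_check() {
    local parts primary instance realm want
    parts=$(krb_principal_parse "$1") || { echo "empty primary"; return 1; }
    set -- $parts
    primary="$1"; instance="$2"; realm="$3"
    if [ "$instance" = "-" ]; then
        echo "no instance: a service principal needs service/hostname"; return 1
    fi
    case "$instance" in
        *.*) ;;
        *) echo "instance '$instance' is not a fully qualified hostname"; return 1 ;;
    esac
    if [ "$realm" = "-" ]; then
        echo "no realm given; the default_realm from krb5.conf would apply"; return 1
    fi
    want=$(krb_realm_for_fqdn "$instance")
    if [ "$realm" != "$want" ]; then
        echo "realm $realm does not match the host's domain realm $want"; return 1
    fi
    echo "ok"
}

# Stand-alone run over constructed principals. The last one is the admin
# principal from the chapter, not a service principal, so it fails the
# FQDN rule as expected.
for p in 'nfs/client.example.org@EXAMPLE.ORG' 'host/ubuntuserver@EXAMPLE.ORG' \
         'nfs/client.example.org@EXAMPLE.COM' 'michael/admin@EXAMPLE.ORG'; do
    printf '%-40s %s\n' "$p" "$(krb_service_principal_check "$p" || true)"
done
```

Run this before addprinc: kadmin happily creates a principal whose instance is a short hostname, but clients that resolve the server's FQDN will ask the KDC for a different name and the keytab entry will never match.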
Kerberos goes beyond basic authentication using a concept known as a ____ to verify the credentials of a user before allowing access to various network services
key distribution center (KDC)
When the basic database is available in the appropriate directory, it's time to set up ____ files, which hold pairs of Kerberos principals and their secret keys so that a service can authenticate without a password prompt
keytab
Kerberos version 4 is known to have security issues. Nevertheless, older releases of Kerberos version 5 software enable access using version 4 tickets, courtesy of the ____ command.
krb524init
Once configured on the NFSv4 server, users on Kerberos-authorized client systems will be able to connect to the share. Such users would either need root administrative privileges or require appropriate configuration changes to the /etc/fstab file. These changes should include the sec= mount option set to ____.
krb5i
After keytab files have been created for all desired users, the next step is to merge keytab files into the /etc/krb5.keytab file. First, the following commands read keytab files for users michael and donna into local memory:
ktutil: read_kt michael.keytab ktutil: read_kt donna.keytab
The keys can then be written to a local keytab file. The following commands write it to the michael.keytab file in the local directory:
ktutil: wkt michael.keytab
Then the following command writes those keytab files to the krb5.keytab file in the local directory:
ktutil: write_kt krb5.keytab
It's safer to run vsftp as its own service, with its own control script in the /etc/init.d/ directory. Both Ubuntu and Red Hat versions of vsftp make this possible with the following directive:
listen = yes
If the vsftp server is to work on an Internet Protocol version 6 (IPv6) network, you could configure the following alternative directive. Just be aware that vsftp won't work with both versions of the listen directive:
listen_ipv6 = yes
The following options load CUPS printers and configure raw data for processing by Microsoft printer drivers:
load printers = yes
cups options = raw
If the objective is to keep systems on a local area network (LAN) in sync with each other, it may be best to configure an NTP server on a ____
local network
It may be helpful to set up logs by different machines. The following directives would set up log files by NetBIOS name or IP address. The max log size directive sets a limit on log files, in kilobytes.
log file = /var/log/samba/%m.log
max log size = 50
Profiles can be enabled with the logon path directive. For example, the following directive specifies a shared profile/ directory on some server named authentication. The %U means user profile information is stored in a subdirectory named for the user:
logon path = \\authentication\profile\%U
Local Samba servers can be configured to send and receive login information from Microsoft systems. To that end a Samba-enabled Linux system can be configured as if it were a Microsoft client. Login scripts can be configured for machines and users with the logon script directive:
logon script = %m.bat
logon script = %u.bat
The browser control options include directives that drive which system is assigned as the ____ on a Microsoft network
master browser
The most secure systems start from a...
minimal installation with an absolute minimum of services
Generally, NFS directories should rarely if ever be exported with the ____ option, as that would allow root administrative access to the shared directory
no_root_squash
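As an added example (not code from the original chapter), this script scans an /etc/exports file for the settings the NFS cards above warn about: exports open to any host, no_root_squash, insecure, and shares that rely on client-address trust instead of Kerberos (a sec=krb5* option or the older gss/krb5* client form). The sample exports file is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original chapter: flag risky /etc/exports
# entries. The sample exports file is constructed for this example.

# Print one finding per line as "PATH CLIENT: MESSAGE". Always returns 0.
exports_findings() {
    local file="$1" line path spec client opts
    # Strip comments and blank lines, then split each export into its path
    # and its client(options) entries. set -f stops "*" from globbing.
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" | while read -r line; do
        set -f
        set -- $line
        path="$1"
        shift
        if [ $# -eq 0 ]; then
            echo "$path (none): no client list, which exportfs treats as an export to any host"
        fi
        for spec in "$@"; do
            case "$spec" in
                *\(*\)) client="${spec%%(*}"; opts="${spec#*(}"; opts="${opts%)}" ;;
                *)      client="$spec"; opts="" ;;
            esac
            case "$client" in
                '*') echo "$path $client: exported to any host" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$path $client: no_root_squash gives remote root full access" ;;
            esac
            case ",$opts," in
                *,insecure,*) echo "$path $client: insecure accepts requests from unprivileged source ports" ;;
            esac
            # sec=krb5/krb5i/krb5p (or the older gss/krb5* client form) means
            # clients must hold a Kerberos ticket; anything else trusts the
            # client's IP address, which any host on that network can claim.
            case ",$opts,/$client" in
                *,sec=krb5*|*/gss/krb5*) ;;
                *) echo "$path $client: no Kerberos security, trust is by client address only" ;;
            esac
        done
    done
    return 0
}

# Constructed sample /etc/exports mixing safe and unsafe entries.
make_sample_exports() {
    local f
    f=$(mktemp)
    cat >"$f" <<'EOF'
# sample /etc/exports (constructed for this example)
/backups   192.168.0.0/255.255.255.0(rw,sync)
/home      *(rw,no_root_squash)
/srv/nfs4  192.168.0.0/24(rw,sync,sec=krb5i)
/backups   gss/krb5i(sync,rw)
/pub       192.168.0.0/24(ro,sync) 10.0.0.0/8(rw,insecure)
/export
EOF
    echo "$f"
}

# Stand-alone run: print findings for the sample.
f=$(make_sample_exports)
exports_findings "$f"
rm -f "$f"
```

The "no Kerberos security" finding is informational on networks that are physically controlled; the other three are the ones that let a user who controls any machine on the exported network read or take over the share.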
A ____ is an account with standard end-user operating system permissions
nonprivileged user
If you want to specifically set a nonprivileged user, the following directive can help:
nopriv_user = nobody
Running fewer services on a system requires a reduced amount of resources. Fewer running services also means there are...
not as many ways for attackers or malicious users to compromise or misuse the resources on the system
Alternatively, if you want to use an LDAP database, set ____
passdb backend = ldapsam
Because the domain, server, and ads options require access to some other system for authentication, they won't work without the ____ directive to point to the FQDN or IP address of that server
password server
The [profiles] stanza is used to allow users to log on from different workstations. The profiles in the noted path directory allow users with Microsoft clients to have the same look and feel on each workstation. Profiles may be stored in username-specific subdirectories, as defined by the path:
path = /home/samba/profiles/%U
If you want to configure a Windows NT-style PDC, pay attention to the security directive described earlier. It works with the [netlogon] and [profiles] stanzas in the "Share Definitions" section of the smb.conf configuration file. The [netlogon] stanza is for storage of user-specific Microsoft logon scripts. The path directive determines the directory where those scripts are stored. It's associated with the username, based on the logon script directive described earlier:
path = /var/lib/samba/netlogon
In addition to using SSH to configure interactive username/password connections, you may also automate the SSH connection process through the use of ____
public/private key pairs
IPSec key negotiation depends on an IKE daemon, which on ipsec-tools systems is ____
racoon
The next three directives allow users to change profiles and write those changes. To set up standard profiles, you may choose to set read only = yes:
read only = no
create mask = 0600
directory mask = 0700
If you've set up a Kerberos server with an Active Directory, use the ____ directive to specify the name of the Kerberos realm
realm
The ____ command is frequently used for backups
rsync
To generate a Samba configuration for a server that will act as an Active Directory server, you can run the ____. It will step you through all of the settings by asking questions
samba-tool
The ____ command will create the smb configuration file for you
samba-tool domain provision
If the objective is to keep systems on remote networks in sync, it may make more sense to configure connections to the...
same remote NTP servers, or perhaps two NTP servers equally distant from the target networks.
Several SSH client commands are made available when the SSH client package is installed. These commands include ____ for secure copying
scp
Why is the scp command better than using FTP?
scp is encrypted. No credentials are passed in the clear over the network.
The scp command can copy a file over an SSH connection. If you run a command like the following, expect to be prompted for the noted user's password or passphrase on the remote system:
scp localfile [email protected]:/backups/
Security-conscious professionals should almost never set ____, as that allows access to shared directories for users without accounts
security = share
Security-conscious professionals should almost never set security = share, as that allows access to shared directories for users without accounts. All they need is the password for the shared directory. So for a standalone server, a PDC, or a BDC, you want to set up the following directives:
security = user
passdb backend = smbpasswd
The IMAP4 and POP3 protocols ____ e-mail to clients
serve
Once installed, NTP services are easy to configure. The default versions of NTP installed for both Red Hat and Ubuntu systems include a server directive with the hostname of an associated NTP server. Examples include the following:
server 0.rhel.pool.ntp.org
server ntp.ubuntu.com
Anonymous FTP connections are not allowed with the ____ command
sftp
Several SSH client commands are made available when the SSH client package is installed. These commands include ____ for encrypted, FTP-style file transfers to SSH servers that enable the sftp subsystem
sftp
Several SSH client commands are made available when the SSH client package is installed. These commands include ____ for client connections
ssh
The most straightforward way to log into a remote system is with the ____ command
ssh user@hostname
The standard SSH server configuration file is ____, in the /etc/ssh/ directory
sshd_config
The Samba user password database is separate from the Linux password database, and is stored in files in the /etc/samba/ directory. In the configuration shown, it's stored in the smbpasswd file. If set to ____, user-account information is stored in the passdb.tdb file.
tdbsam
The smbpasswd and ____ options allow administrators to set up or change user passwords with the smbpasswd command
tdbsam
The most straightforward way to log into a remote system is with the ssh user@hostname command. If no username is specified, the ssh command assumes...
the current user account on the local system also applies on the remote system
The list of users in the ftpusers and user_list files are based on...
the default set of service users. In other words, it includes users with user IDs (UIDs) below 100, 500, or 1000, depending on the distribution
The Kerberos server that grants TGTs is known as a ____, which works hand in hand with the KDC. The configuration that follows sets up both functions on a single system.
ticket-granting server (TGS)
When verified, the KDC issues a ____, a sort of time-limited super-ticket that supports access to other systems without additional authentication
ticket-granting ticket (TGT)
The SMTP protocol ____ e-mail from clients
transmits
While many FTP server options are available, ____ is the server used by Red Hat, SUSE, Debian, and even the developers of the Linux kernel.
vsftp
The standard vsftp configuration file is ____
vsftpd.conf
Samba uses the ____ directive to specify the name of the network of the noted group of computers
workgroup
As shown here, the workgroup directive is normally coupled with the server string and netbios name directives. The example shown returns Samba Server Version followed by the version number of the Samba server, as specified by the %v. It's shown as a comment in a Microsoft My Network Places window or in the output of a Microsoft net view or a Samba smbclient -L command:
workgroup = bigdomain
server string = Samba Server Version %v
netbios name = trivialinfo
Given the popularity of many anonymous FTP services, logging information about uploads and downloads may be useful. It's activated with the xferlog_enable directive:
xferlog_enable = yes