linuxbuddies.com » Core Linux

How Kerberos Works

Eldo — Thu, 10 Sep 2009 08:41:05 +0000

As we know the kerberos authentication method is the most secure network authentication method ever build. In normal method the password is sent accross the network, which is vulnerable but in kerberos method no password is sent accross the network.

The Steps included in kerberos authentication

users enters his user name and password to login program, in kerberos each user have his own principal. Login program converts the username to his principal and request the KDC (key distrubtion centre) for TGT (ticket granding ticket) for this principal. KDC then check his database if the principal is there KDC create two secret keys. One key is encrypted with the password for the principal stored in his database and is sent back to the login program.

Login program tries to decrypt the packet received from KDC using the password entered by the user, if is possible to decrypt the user is authenticated.

User (username + password) —> Login Program

KDC (create two secret keys ) ———–> S1 & S2

KDC (encrypt the S1 with password associated with principal ) ———–> Login program

Add Internet Users

Eldo — Thu, 10 Sep 2009 07:55:01 +0000

We usally configure the proxy server to share the internet over the internal network, users inside the network can access the internet through the proxy server. All the logs of the internet usage are stored in proxy server logs files, but there is a problem in this condition. we cannot track the usage of internet by user wise and also there is no authentication method used in this. To over this situation we can use the authentication method inbuilt in the proxy server ( Squid), by this method all users in the network will got a username and password for accessing the interwork and admins are able to track the usage by userwise.

Configration changes in the squid.conf file

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/sqpasswd
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

create user and password for squid access

htpasswd -cm /etc/squid/sqpasswd eldo

Enter the password for eldo inorder to get internet access

We can sarg package for Squid Analysis Report Generator, sarg will make HTML report page

Dhcp Server Provides Multiple Range of Ips

Eldo — Thu, 10 Sep 2009 07:17:11 +0000

In some areas they are different networks in the same building, we need a DHCP server to provide Ip address for the computers in this different networks. It is possible to configure DHCP server with multiple range of ip address.

Configuration Example

In the working example configuration shown below, the DHCP server host is only connected to the 192.168.0.0/24 IP subnet. DHCP clients in the ethernet network segment using a 192.168.2.0/24 IP subnet will be served IP configuration leases in the 192.168.2.100 – 192.168.2.200 range because the requests are relayed by the 192.168.2.1 DHCP Relay Agent (this DHCP Relay is assumed to already be present on the 192.168.2.0/24 subnet and configured to relay DHCP messages for this DHCP server).

Most significantly, a host previously connected to the 192.168.0.0/24 network, but later moved to the 192.168.2.0/24 network segment, will be forced to obtain a new IP configuration lease in the 192.168.2.100 – 192.168.2.200 range, so that it can function correctly on this separate network and IP subnet.

Example /etc/dhcpd.conf

ddns-update-style none;

default-lease-time 3600;

max-lease-time 7200;

authoritative;

log-facility local5;

subnet 192.168.0.0 netmask 255.255.255.0 {

range 192.168.0.100 192.168.0.200;

option domain-name-servers 192.168.0.2;

option routers 192.168.0.1;

}

subnet 192.168.2.0 netmask 255.255.255.0 {

range 192.168.2.100 192.168.2.200;

option domain-name-servers 192.168.2.2;

option routers 192.168.2.1;

}

Configure the DHCP Relay Agent

The DHCP Relay Agent (dhcrelay) allows for the relay of DHCP and BOOTP requests from a subnet with no DHCP server on it to one or more DHCP servers on other subnets.

When a DHCP client requests information, the DHCP Relay Agent forwards the request to the list of DHCP servers specified when the DHCP Relay Agent is started. When a DHCP server returns a reply, the reply is broadcast or unicast on the network that sent the original request.

The DHCP Relay Agent listens for DHCP requests on all interfaces unless the interfaces are specified in /etc/sysconfig/dhcrelay with the INTERFACES directive.

To start the DHCP Relay Agent, use the command service dhcrelay start

The DHCP Relay Agent (dhcrelay) allows for the relay of DHCP and BOOTP requests from a subnet with no DHCP server on it to one or more DHCP servers on other subnets.

When a DHCP client requests information, the DHCP Relay Agent forwards the request to the list of DHCP servers specified when the DHCP Relay Agent is started. When a DHCP server returns a reply, the reply is broadcast or unicast on the network that sent the original request.

The DHCP Relay Agent listens for DHCP requests on all interfaces unless the interfaces are specified in /etc/sysconfig/dhcrelay with the INTERFACES directive.

Types of Aliases Can Used on mail service

Eldo — Thu, 10 Sep 2009 06:45:11 +0000

In mail service we can use alias function to forward the mails coming to a mail id to a another mail address, In some cases the destination mail address may be one for more. Basically they are 5 different types of alias methods which can be used to forward the mails.

The 5 types are

1. one to one

2. one to many

3. Include function

4. File function

5. Pipe Function

One to One

This is the common forward method used in the mail service, in this method mail coming to user inbox is forward to a another user.

Ex: If we need to forward a user mail to another user

eldo@linuxbuddies.com: riyesh@linuxbuddies.com

By adding this entry in /etc/aliases the mail coming to eldo is forwarded to riyesh

One to Many

In the previous method we seen that the incoming mail is forwarded to a another single mail id, some cases we need to add more users id at the receivers area.

Ex: If Eldo and Riyesh were in the admin group, and they also need the mails coming to the admin@linuxbuddies.com in that situation we can use the followwing entry in /etc/aliases

admin@linuxbuddies.com: eldo@linuxbuddies.com, riyesh@linuxbuddies.com

Include Function

Using the one to many method we can add multiple mail id’s at the destination area, but there areas this method are not recommended in areas like mailing list, if they are ten thousand users in receivers section we cannot one to many function because it is diffcult to manage that number of users. In include function we include a file which contains the users

Ex: If maillinglist@linuxbuddies.com contains users like eldo,riyesh,arun,philip……………………

For this need create a file

vi /etc/postfix/maillinglist then add mail id’s in that file, one id per line

then add the entry in /etc/aliases

maillinglist@linuxbuddies.com: :include: /etc/postfix/maillinglist

File Function

In all mail systems we make particular mail id to capture the abuse mails, if we need to store the mails coming to abuse mail id. In that case we can use the file function, by this method the mails coming for the abuse id is appened to a file and can be used for later reference in need.

Ex: create a file /var/log/abusemaillog

make the following entry in /etc/aliases

abuse@linuxbuddies.com: /var/log/abusemaillog

Pipes Function

They are situations that we need to run a script in server only on particular times, for that we can use pipe function for that. We need to create a particular mail id for that, when ever a mail for id comes the script will get executed. We can use perl or shell script for this.

Ex: If there is alert program on the server, when ever a mail for alert@linuxbuddies.com comes the alert binary get executed.

for this need, add like this on /etc/aliases

alert@linuxbuddies.com: |/usr/local/bin/alert

Venue Details:

Survey #13/1, KB halli ,

Varthur Hoobli,

Outer ring road,

Marathahalli

Bangalore – 87