CompTIA Linux+ XK0-005 – Unit 14 – FTP and Email Services part 2

  1. SSH Daemon Configuration

Now OpenSSH, as we talked about, as one of your options with SSH, does have daemon services, or configuration capability, to make a server on your machine. Now, one of the nice things about SSH daemons is that you can use those secure connections to help you with other types of nonsecure communication. As an example, there is an option called X11 forwarding. Now, this is a system that enables you to securely transmit information that normally would have been unsecure, information like being able to look at remote windows and screens on a remote computer across the network.

In other words, the X Window System allows you to have that remote access, but everything going back and forth is completely open to any hacker or anybody that intercepts that information, and they could use that information against you. There may be nonsecure applications that need your usernames and passwords or passphrases. SSH has a feature called agent forwarding, which will cache your information, create an SSH connection to the target server, and supply your credentials securely over that connection so that you can get into that otherwise insecure application that you’re trying to open up. And another option is called port forwarding. Now, what port forwarding does is basically create an SSH tunnel.

In other words, let’s say you’re wanting to check email and you need to use port 110; well, port 110 is not secure. So what happens is we take your traffic, encrypt it and wrap it up into an SSH session, send it through the secure SSH connection, and when it comes out on the other side, it gets unwrapped and then sent on to the correct port, port 110. So all that back and forth is done in a secure tunnel. So those are just some options you have to help secure not just the type of traffic we’re talking about, perhaps with FTP, but really almost any other type of traffic that you want to make sure you aren’t giving away secrets with, applications like email and remote access.
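The three forwarding features just described are each controlled by a directive in the server’s sshd_config, and an administrator usually wants to know which of them are actually on. The script below is an added example, not part of the course material: it reports the effective value of the three OpenSSH directives (X11Forwarding, AllowAgentForwarding, AllowTcpForwarding) using their documented defaults, and it respects sshd’s rule that the first occurrence of a directive wins and that settings inside a Match block only apply to matched connections. The sample sshd_config it checks is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the course): report the effective state of the
# sshd forwarding features. Assumes the OpenSSH directive names and their
# documented defaults:
#   X11Forwarding        default no
#   AllowAgentForwarding default yes
#   AllowTcpForwarding   default yes
# sshd honours the FIRST occurrence of a directive; anything after a Match
# line applies only to connections that match, so we stop reading there.

# forwarding_setting FILE DIRECTIVE DEFAULT -> prints the effective value
forwarding_setting() {
    file=$1 directive=$2 default=$3
    value=$(awk -v d="$directive" '
        { sub(/#.*/, "") }                         # strip comments
        NF >= 1 && tolower($1) == "match" { exit } # conditional section starts
        NF >= 2 && tolower($1) == tolower(d) { print tolower($2); exit }
    ' "$file")
    printf '%s\n' "${value:-$default}"
}

# audit_forwarding FILE -> prints "Directive value" for each feature
audit_forwarding() {
    for spec in "X11Forwarding:no" "AllowAgentForwarding:yes" "AllowTcpForwarding:yes"; do
        directive=${spec%%:*} default=${spec#*:}
        printf '%-22s %s\n' "$directive" \
            "$(forwarding_setting "$1" "$directive" "$default")"
    done
}

# count_enabled_forwarding FILE -> prints how many of the three are enabled
count_enabled_forwarding() {
    audit_forwarding "$1" | awk '$2 != "no" { n++ } END { print n + 0 }'
}

# write_sample_config FILE -> constructed sample sshd_config for the demo:
# X11 forwarding turned on, agent forwarding explicitly off, TCP forwarding
# left at its default (yes) because the line that would disable it is
# commented out, plus a Match block that must not affect the global result.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
X11Forwarding yes
AllowAgentForwarding no
# AllowTcpForwarding no   <- commented out, so the default (yes) applies
Match User backup
    AllowTcpForwarding no
EOF
}
```

Run `write_sample_config /tmp/sshd_config.sample; audit_forwarding /tmp/sshd_config.sample` to see the report; point `audit_forwarding` at the real /etc/ssh/sshd_config to check your own server.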

  2. Key Generation B

Other programs like PGP could create their own key files so that you could actually go through the process of creating your own for free, and you would exchange them back and forth without having a third party around. And it’s so hard because there’s so much I want to tell you about this, but that’s another whole encryption course. But anyway, the idea is that we have to have a pair of keys. So what it’s coming down to is that to do public key encryption, to do what we call asymmetric, you would either have to pay for the service through RSA or generate your own. Now, generating your own is fine. The only issue we have is that I cannot really verify that you are authentically who you say you are. Here’s an example.

If I go to my online bank and they send me a public key (we’ll talk about why they would do that), how do I know it really is the bank and not somebody pretending to be the bank? And the answer is, if it’s self generated, you don’t know. But if you use RSA or public key encryption where you have what we call a trusted third party, these things created by a certificate authority, then not only do you send me the public key, but that entire certificate can be verified, so I know whether you’re legitimately who you say you are or somebody else pretending. So those are some issues that I thought I’d bring up to think about with key generation. Now, for the most part, you’re probably going to have your systems automatically create their own keys. And so you have commands like ssh-keygen, or keygen itself, which is creating what we often call a self signed key. And remember, it is an actual pair of keys, public and private. Bye.

  3. Key Generation

Now, in order to use SSH, we do have to go through a key generation process. Now, key generation comes in two forms, and there’s actually two deals: we have to work with symmetric keys and asymmetric keys. Now, very quickly, as a quick encryption review, a symmetric key is a type of encryption algorithm that says the key that I use to encrypt data will be the same key that decrypts it. In other words, for you and me to have a secure communication, we both need the same key. Well, one of the problems is if I try to connect, let’s say, to my bank and I want that secure connection, well, my bank is going to say, well, we need to have the same key. How do we exchange it? It’s not that my bank called me last month and told me to type this key in, which, by the way, I guess they could do that. But that kind of key management is rough. We want to keep changing those keys. So we had to find another way to exchange those, what we call session keys, symmetric keys.

Another way of doing it was this thing called public key encryption. Now, public key encryption is based on an asymmetric algorithm that says every cryptosystem or algorithm has two keys. One we call a public key, one we call a private key. Now, the goal of this system is that whichever key you use first, public or private, to encrypt a message, you have to use the other key to decrypt it. So you have to have two keys.

Now, the nice thing about this is that it is secure so long as people keep their private key private, and we can utilize the public key to help us in the exchange of those session keys. Now, there are other methods of coming up with these pairs of keys. A company that is now owned by EMC, originally called RSA, allowed us to have a public key/private key system. It also provided an architecture for creating certificates through the public key infrastructure. It was really a great little thing that we had going on there. We still have it, but it wasn’t free. A lot of people like free. So Diffie-Hellman is another option that we really aren’t going to talk about so much, but it’s another method of doing this secure exchange. We also had DSA keys, but again, the idea was that it was key pairs.

  4. Public Key Encryption

Now, the goal of public key encryption, as I said, was that whichever key I use to encrypt a message, I have to have the other key to decrypt it. Now, I’m not going to take you through all of the options of public key encryption, but I want to take you through the option that describes the secure shell, or, if you went into the web pages, the Secure Sockets Layer. They both operate the same way. So here was the original problem. SSH, or SSL, uses a symmetric encryption key for the bulk amount of data that they want to secure. The weakness is that you and I need to have the same key. So here’s the catch-22.

How do we exchange the key securely when we can’t set up secure communications, because we don’t have the same key? You can see the logical circle I’m in. So what we use is public key encryption to facilitate the symmetric key exchange. And here’s what happens. I’m going to use the example of a bank. I connect to my bank and I request a secure session. The bank will send me their public key, and I will use their public key: I will generate my own symmetric session key and I will encrypt it with the bank’s public key. Now, when I’m sending them the session key, anybody that tries to intercept it will have an encrypted bit of information but not actually have the key.

Who can decrypt it? Well, only the person with the private key, the bank. Remember, I used the bank’s public key to encrypt my symmetric key, and then I sent that encrypted symmetric key back to the bank. They used their private key to unlock it. Now we both have the same key, and now we can create a secure communication. SSH and SSL run in that same fashion. Now, some people would say, well, hey, this public key/private key thing sounds pretty cool, why don’t we just use that? Well, for bulk amounts of data, as we would have in a typical session or file transfer, it would be very difficult to use public and private keys for encryption, because it uses a lot of horsepower on the CPU to do this.

In other words, things would just come to a crawl and the CPU would be overworked trying to maintain this. Also, when you consider the length of a public key/private key, those keys are like 1024 bits or longer. That’s a huge key. But believe it or not, a 128-bit symmetric key is more secure and harder to break than that 1024-bit key. In other words, symmetric keys and symmetric encryption are not only faster, but actually more secure, given keys of the same length. So it’s a better choice all the way around. We still use public key encryption, and one of the ways we use it is to help facilitate that symmetric key exchange.
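The bank exchange described in this section can be walked through on the command line. The script below is an added example, not part of the course material, and uses the openssl command-line tool: the bank’s RSA key pair protects only a freshly generated 128-bit session key, and the bulk message is then encrypted with AES-128 under that session key. The file names (bank_priv.pem, session.key, message.txt) and the message text are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the course): the bank exchange from the text,
# carried out with the openssl CLI (assumes OpenSSL 1.1.1 or newer).
# RSA protects only the short session key; AES-128 protects the bulk data.

# make_keypair DIR -> the "bank" creates bank_priv.pem and bank_pub.pem
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/bank_priv.pem" 2>/dev/null &&
    openssl pkey -in "$1/bank_priv.pem" -pubout -out "$1/bank_pub.pem"
}

# client_side DIR -> the client generates a 128-bit session key, encrypts it
# to the bank's public key, then encrypts the bulk message with that key
client_side() {
    openssl rand -hex 16 > "$1/session.key" &&
    openssl pkeyutl -encrypt -pubin -inkey "$1/bank_pub.pem" \
        -in "$1/session.key" -out "$1/session.key.enc" &&
    printf 'constructed sample transaction data\n' > "$1/message.txt" &&
    openssl enc -aes-128-cbc -pbkdf2 -pass "file:$1/session.key" \
        -in "$1/message.txt" -out "$1/message.enc"
}

# bank_side DIR -> only the private key holder can recover the session key;
# the bank then decrypts the bulk message and prints the plaintext
bank_side() {
    openssl pkeyutl -decrypt -inkey "$1/bank_priv.pem" \
        -in "$1/session.key.enc" -out "$1/session.key.recovered" &&
    openssl enc -d -aes-128-cbc -pbkdf2 \
        -pass "file:$1/session.key.recovered" -in "$1/message.enc"
}

# hybrid_exchange -> runs the whole exchange in a temp dir, prints what the
# bank recovered, returns 0 only if it matches the client's original message
hybrid_exchange() {
    dir=$(mktemp -d) || return 1
    make_keypair "$dir" && client_side "$dir" || { rm -rf "$dir"; return 1; }
    recovered=$(bank_side "$dir")
    original=$(cat "$dir/message.txt")
    # session.key.enc is what an eavesdropper sees: useless without bank_priv.pem
    rm -rf "$dir"
    printf '%s\n' "$recovered"
    [ "$recovered" = "$original" ]
}
```

Call `hybrid_exchange` to run the demo; it prints the recovered message and exits non-zero if the round trip failed.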

  5. Demo – Installing and Configuring the SSH Daemon

Well, here I am back at the Synaptic package manager, and we’re going to search for SSH and install the OpenSSH server so we can be a server and supply secure connections to those who are connecting to us. You might notice the OpenSSH client was already installed, so we’re actually going to be a client and server to ourselves, and we’ll wait till that package gets installed and then we’ll take a look at the keys. Now remember that this type of connectivity requires a set of keys to exchange what we call the symmetric key, or the session key, between us. And we’ll look at the terminal to take a look at some of those options. Let me get in here as root just to make my life a little easier. We’ll clear everything out, and we’re going to cat the SSH host RSA key file, the .pub one, and hopefully get the whole thing out there.

And that’s showing you, not that you can read it, but that is basically our public key. Now that’s the key that we would exchange with anybody who’s connecting to us, so they can send us the session key encrypted. And of course, if we did that, then we also need to be able to look at the private key. For the private key, we take the .pub off of there and we have our private key. Now the private key needs to be very secure, because that is the one part of these secure communications that is most apt to be broken: people getting the private key, and then everything is lost.

Now, if you want, you can create your own key pairs. This is also something you can purchase from commercial entities rather than create your own. We’ll use the ssh-keygen program. And the problem with doing this, though, is if you create your own key pair, there’s no third party certificate authority that can verify who you are. All right, so from here we’re going to take the default for where to save the keys, and we’re going to put in a passphrase (passphrase one, two, three), and again, passphrase one, two, three. And there we go. We have some random art, but we have a key that’s been created.

And again, that’s just one of those nice little things, that we can go out there and create these keys and then have them available for us to hand out. All right, so just like that, we’ve done most of what we would want to do to look at creating our own keys, doing a bunch of other options, looking at the keys that we have, and hopefully keeping them safe. And the next thing that we’ll do is create an active SSH connection, where we will use secure shell to make sure that everything is encrypted, part of which having these keys helps us do.

  6. Demo – Connecting via SSH

All right, I am logged in as trainer, and according to pwd, and of course my prompt, that little tilde that you see next to the dollar sign, I’m in my home directory. And what I’m going to do is purposely change to the root directory, so that when I do an SSH connection back into myself and log back in as my user, you’ll see a change in the actual path in the prompt, so you can actually see that I made that connection. And I’ll clear our screen off, and I’m going to do the SSH to localhost, which is myself. And there it says, okay, well, what’s trainer’s local password? So in that case, the password is the one that I used to log into the system. And just like that, I’m inside.

And you notice that my prompt is showing me that I am in the home directory where I was before I actually started this mess. Now, when I do the ls, I see that home directory. If I type exit, you’re going to see that the connection to localhost is closed. That’s my SSH connection into the system. And when I did that, look at my prompt again. My prompt is showing you that I’m back in that root, or top of the file system, where I started from when I did the SSH. And when I do the ls, you can see I’m sort of in that path. So it was just that easy. As long as you knew the passwords and accepted those keys from the clients, you’re able to make an SSH connection without any problem.

  7. Synchronizing Directories

Now, another thing we have to look at when dealing with FTP is something called synchronization, or synchronizing directories. There is a command we can run called the rsync command. And its job is to synchronize your local files with remote files by sending the differences between locations. Now, the reason we like the idea of rsync is that if I take a file out from a server and I make changes to it, or if you make changes to it on the server and mine is out of date, the rsync command’s job is to look at those and figure out who’s got the newest copy, so I can stay up to date. It also allows us a continuous live backup. But the bad thing is it could back up corrupt data.

That is a problem, right? If I have a bad file that I’m synchronizing, it might not be what I want. Anyway, rsync is a choice you have for people doing this type of checkout. Now, I would tell you there are probably other ways to do collaboration, but this is free and included in Linux. It’s been there for a long time. It might not be your current choice of solutions, but it’s still worthy of talking about. Now, remember, we need to make sure these file exchanges are done securely, so the data exchanged via rsync is going to be sent in that secure SSH channel.

  8. Topic B: Mail Services

Now let’s talk a little bit about mail services. Now, mail services is just to make sure you understand what’s running, what the different protocols are, and that you understand the terminology. We’re not going to deal with full-fledged email servers, but really working with Linux, of course, as our client, so that you can set up your clients and understand what you need for the networking, communications and everything else.

  9. Electronic Mail

Now when we talk about electronic mail, there are several protocols that you’re going to want to know about and understand the port numbers and everything else, and what they do for us. So, straightforward, the one that we often use for sending an email is called SMTP, or the Simple Message Transfer Protocol. Originally it ran on port 25. Now, one of the problems we have is that too many people have been writing programs to basically take over an email server on port 25 and use it to spam the world with hundreds of thousands of emails. So a lot of times now you see service providers actually blocking port 25 and moving SMTP over to port 587. Just make sure you know which one is appropriate for your server.

The Post Office Protocol, version 3, POP3, is what we use for retrieving email from a server on port 110. Now, what’s important to know is that with POP, you’re actually taking the email off the server and loading it onto your client, so there’s no longer a copy on your server unless you specifically set it up to keep a copy on the server. Another one that’s often used is IMAP, the Internet Message Access Protocol, version 4. It uses port 143. In that case, you’re actually accessing the server, and the email that you read and that you send is all being done from the server, so that it’s always there and never downloaded to your client. A lot of people prefer that, especially if they’re checking email from multiple different client machines.

Because if you had, like, four or five laptops and you travel around and you use POP3, some of your email is on one laptop, some is on another, some is on this other one, and it’s very difficult to manage your email. All right, your outbound mail that you work with is going to have a couple of, as I said, different ports, and we talk about the mail transfer agent, the mail sending agents, and those are the routines that we use, the connections that we use to make the connection from client to server. Again, remember, the port number, especially for your outbound mail, is either going to be port 25, the general default, or it’s going to be port 587, depending on your service provider, depending on your network or security administrator, and what settings your actual email server is using.

  10. Mail Clients

Now, as far as the mail clients, well, there are tons of those. One of the most popular is this whole family of Microsoft Outlook. Now, that’s great if you’re running it on your Windows machine. We generally don’t see Outlook on Linux. I mean, you could try to find a way to run it, I suppose, on Linux; I have never seen it happen, but we generally don’t have Outlook on our Linux. But we have all sorts of other options. Mozilla has Thunderbird, there’s Eudora, Novell’s Evolution, Apple Mail, and web based. Web based, that’s another one that’s taken off like crazy, where we’re using Internet Explorer or Mozilla Firefox, whatever we’re using, and we’re connecting with that web browser to the actual email server and reading everything on there. And we can even do it with a nice secure SSL connection.

So that’s another option, and probably a growing trend, in the actual checking of your email. In fact, in that aspect you can technically use Outlook, because if you have an Exchange Server, a Microsoft Exchange Server, they call that connectivity OWA, Outlook Web Access. And it allows you to make that connection with your web browser and get an Outlook-like GUI loaded in your web browser. Now, in the old days, when there was no HTML, no attachments, it was the old, old stuff of email. You might not believe this, but there was a time when your email was just words. We used little clients like Mutt, Mail and Pine to make those connections. I’m telling it to you, I suppose, so that if you ever go on Jeopardy and you land on email clients, you’ll do well with those types of trivia things.

  11. Email Addresses

Now, when we deal with email addresses, we kind of look at email setups for your enterprise, for your corporation, or for yourself as either small scale or large scale. Small scale says that your user account, when you create it, will have an email address for them, often as an alias, and you would set it up under /etc/aliases and activate it with the newaliases command. On the large scale, we’re generally not going to have the user accounts mapped with these aliases. You’re going to probably manage this with some sort of specific tool for your email or Exchange server and create a series of virtual accounts. The reason I say that is, on a large scale of thousands, two thousand, six thousand people, I don’t think you want to manually go out there and, with each account, set up an alias and all those other sorts of things. It’s nice to have a tool that might do this for us automatically.

  12. Unit 14 Review

All right, so in this unit, we talked about some other common services, especially the FTP service: what you can look at in setting up your server, how to protect the directory access from people making connections, how to authenticate them, how to allow the anonymous connections, and understanding that there’s a couple of different modes that FTP can run in. On the email side, our goal was to make sure we understood which network connections we needed, which ports, which services and protocols were out there, and how that worked with the choice of clients that you use to connect from your Linux system to whatever email server you’re using. So we talked a lot about the different components, so that you basically were able to set it up, or work with your network admins, to appropriately have your Linux be able to make the connection of the client to email.
