<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % globalent SYSTEM "../../libs/global.ent">
%globalent;
<!ENTITY % gnome-menus-C SYSTEM "../../libs/gnome-menus-C.ent">
%gnome-menus-C;
<!ENTITY % xinclude SYSTEM "../../libs/xinclude.mod">
%xinclude;
<!ENTITY language "&EnglishAmerican;">
]>
<chapter id="remote-administration" status="review">
<title>Remote Administration</title>
<para>
There are many ways to remotely administer a Linux server. This chapter will cover
one of the most popular, <application>OpenSSH</application>.
</para>
<sect1 id="openssh-server" status="review">
<title>OpenSSH Server</title>
<sect2 id="openssh-introduction">
<title>Introduction</title>
<para>
This section of the Ubuntu &sg-title; introduces a powerful collection of tools
for the remote control of networked computers and transfer of data between
networked computers, called <emphasis>OpenSSH</emphasis>. You will also learn
about some of the configuration settings possible with the OpenSSH server
application and how to change them on your Ubuntu system.
</para>
<para>
OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of
tools for remotely controlling a computer or transferring files between computers.
Traditional tools used to accomplish these functions, such as
<application>telnet</application> or <application>rcp</application>, are insecure
and transmit the user's password in cleartext when used. OpenSSH provides a server
daemon and client tools to facilitate secure, encrypted remote control and file
transfer operations, effectively replacing the legacy tools.
</para>
<para>
The OpenSSH server component, <application>sshd</application>, listens
continuously for client connections from any of the client tools. When a connection
request occurs, <application>sshd</application> sets up the correct connection
depending on the type of client tool connecting. For example, if the remote
computer is connecting with the <application>ssh</application> client application,
the OpenSSH server sets up a remote control session after authentication. If a
remote user connects to an OpenSSH server with <application>scp</application>, the
OpenSSH server daemon initiates a secure copy of files between the server and
client after authentication. OpenSSH can use many authentication methods, including
plain password, public key, and <application>Kerberos</application> tickets.
</para>
</sect2>
<sect2 id="openssh-installation">
<title>Installation</title>
<para>
Installation of the OpenSSH client and server applications is simple. To install the
OpenSSH client applications on your Ubuntu system, use this command at a terminal
prompt:
</para>
<screen>
<command>sudo apt-get install openssh-client</command>
</screen>
<para>
To install the OpenSSH server application, and related support files, use this command:
</para>
<screen>
<command>sudo apt-get install openssh-server</command>
</screen>
<para>
The <application>openssh-server</application> package can also be selected to
install during the Server Edition installation process.
</para>
</sect2>
<sect2 id="openssh-configuration">
<title>Configuration</title>
<para>
You may configure the default behavior of the OpenSSH server application,
<application>sshd</application>, by editing the file
<filename>/etc/ssh/sshd_config</filename>. For information about the configuration
directives used in this file, you may view the appropriate manual page with the
following command, issued at a terminal prompt:
</para>
<screen>
<command>man sshd_config</command>
</screen>
<para>
There are many directives in the <application>sshd</application> configuration
file controlling such things as communication settings and authentication modes.
The following are examples of configuration directives that can be changed by
editing the <filename>/etc/ssh/sshd_config</filename> file.
</para>
<para>
Prior to editing the configuration file, you should make a copy of the
original file and protect it from writing so you will have the original
settings as a reference and to reuse as necessary.
</para>
<para>
Copy the <filename>/etc/ssh/sshd_config</filename> file and protect it
from writing with the following commands, issued at a terminal prompt:
</para>
<screen>
<command>sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original</command>
<command>sudo chmod a-w /etc/ssh/sshd_config.original</command>
</screen>
<para>
The following are examples of configuration directives you may change:
</para>
<itemizedlist>
<listitem>
<para>
To set your OpenSSH to listen on TCP port 2222 instead of the default TCP port
22, change the Port directive as follows:
</para>
<programlisting>
Port 2222
</programlisting>
</listitem>
<listitem>
<para>
To have <application>sshd</application> allow public key-based login credentials,
simply add or modify the line:
</para>
<programlisting>
PubkeyAuthentication yes
</programlisting>
<para>
in the <filename>/etc/ssh/sshd_config</filename> file, or if already present,
ensure the line is not commented out.
</para>
</listitem>
<listitem>
<para>
To make your OpenSSH server display the contents of the
<filename>/etc/issue.net</filename> file as a pre-login
banner, simply add or modify the line:
</para>
<programlisting>
Banner /etc/issue.net
</programlisting>
<para>
in the <filename>/etc/ssh/sshd_config</filename> file.
</para>
</listitem>
</itemizedlist>
<para>
After making changes to the <filename>/etc/ssh/sshd_config</filename> file, save
the file, and restart the <application>sshd</application> server application to
effect the changes using the following command at a terminal prompt:
</para>
<screen>
<command>sudo /etc/init.d/ssh restart</command>
</screen>
<para>
Many other configuration directives for <application>sshd</application> are
available for changing the server application's behavior to fit your needs.
Be advised, however, if your only method of access to a server is
<application>ssh</application>, and you make a mistake in configuring
<application>sshd</application> via the
<filename>/etc/ssh/sshd_config</filename> file, you may find you
are locked out of the server upon restarting it, or that the
<application>sshd</application> server refuses to start due to an incorrect
configuration directive, so be extra careful when editing this file on a
</para>
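<para>
The three directive edits above are normally made by hand. The shell script below is an
added example for this revision of the chapter, not code from the original guide or from
OpenSSH: it makes the same changes (Port, PubkeyAuthentication, Banner) idempotently in a
scratch copy of the file, tolerating lines that are already present but commented out, and
reads back the effective values so the result can be checked before the copy replaces the
real file. The sample configuration it writes, the function names and the temporary paths
are constructed for the example.
</para>

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide or OpenSSH): edit sshd_config
# directives in a scratch copy and read back the effective values.
# The sample config, function names and temporary paths are constructed for the demo.
set -eu

# Write a small stand-in for /etc/ssh/sshd_config (constructed content).
make_sample_config() {
    printf '%s\n' \
        '# sample sshd_config, constructed for this example' \
        '#Port 22' \
        '#PubkeyAuthentication yes' \
        'PasswordAuthentication yes' \
        '#Banner none' > "$1"
}

# set_directive FILE KEYWORD VALUE
# Replaces the first existing line for KEYWORD (active or commented out) with
# "KEYWORD VALUE", drops any later duplicates, or appends the line if the
# keyword is absent. Running it twice leaves the file unchanged.
set_directive() {
    file=$1
    key=$2
    value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[# \t]+/, "", line)            # ignore a leading "#" and blanks
            split(line, f, /[ \t]+/)
        }
        tolower(f[1]) == tolower(k) {            # sshd keywords are case-insensitive
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# get_directive FILE KEYWORD
# Prints the value of the first active (uncommented) KEYWORD line, or nothing.
get_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# count_active FILE KEYWORD
# Prints how many active lines set KEYWORD; more than one is a sign of a botched edit.
count_active() {
    awk -v k="$2" 'tolower($1) == tolower(k) { n++ } END { print n + 0 }' "$1"
}

# Demo: apply the three directives from the chapter to a scratch copy and show it.
demo() {
    cfg=$(mktemp)
    make_sample_config "$cfg"
    set_directive "$cfg" Port 2222
    set_directive "$cfg" PubkeyAuthentication yes
    set_directive "$cfg" Banner /etc/issue.net
    cat "$cfg"
    rm -f "$cfg"
}

demo
```

<para>
Before the edited copy is moved over <filename>/etc/ssh/sshd_config</filename> and the
daemon restarted, run <command>sudo sshd -t -f /path/to/edited/copy</command>: test mode
only checks the configuration and reports the offending line instead of leaving you with a
daemon that will not start. Keep the current session open and confirm a fresh login on the
new port works before closing it.
</para>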
</sect2>
<sect2 id="openssh-keys" status="review">
<title>SSH Keys</title>
<para>
SSH <emphasis>keys</emphasis> allow authentication between two hosts without the need
for a password. SSH key authentication uses two keys, a <emphasis>private</emphasis>
key and a <emphasis>public</emphasis> key.
</para>
<para>
To generate the keys, from a terminal prompt enter:
</para>
<screen>
<command>ssh-keygen -t dsa</command>
</screen>
<para>
This will generate the keys using a <emphasis>DSA</emphasis> authentication identity
of the user. During the process you will be prompted for a password. Simply hit
<emphasis>Enter</emphasis> when prompted to create the key.
</para>
<para>
By default the <emphasis>public</emphasis> key is saved in the file
<filename>~/.ssh/id_dsa.pub</filename>, while <filename>~/.ssh/id_dsa</filename> is the
<emphasis>private</emphasis> key. Now copy the <filename>id_dsa.pub</filename> file
to the remote host and append it to <filename>~/.ssh/authorized_keys</filename> by entering:
</para>
<screen>
<command>ssh-copy-id username@remotehost</command>
</screen>
<para>
Finally, double check the permissions on the <filename>authorized_keys</filename> file:
only the authenticated user should have read and write permissions.
If the permissions are not correct, change them with:
</para>
<screen>
<command>chmod 600 .ssh/authorized_keys</command>
</screen>
<para>
You should now be able to SSH to the host without being prompted for a password.
</para>
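<para>
The permission check the text asks for can be scripted. The functions below are an added
example for this revision of the chapter, not code from the guide or from OpenSSH: they
read the mode of a user's <filename>.ssh</filename> directory and
<filename>authorized_keys</filename> file from <command>ls -ld</command>, report any group
or other access, and tighten the modes to 700 and 600. The sample home directory, the
placeholder key line and the function names are constructed for the example.
</para>

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide or OpenSSH): verify and fix
# the permissions on ~/.ssh and ~/.ssh/authorized_keys. Function names and the
# sample home directory are constructed for the demo.
set -eu

# mode_string PATH
# Prints the ten-character type/permission field from ls -ld, e.g. "-rw-------".
# Parsing ls output this way works on both GNU and BSD userlands.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# check_key_perms HOME_DIR
# Returns 0 when HOME_DIR/.ssh is a directory with no group/other access and
# authorized_keys is a regular file readable and writable only by its owner.
# Prints one line per problem and returns 1 otherwise.
check_key_perms() {
    home=$1
    dir="$home/.ssh"
    keys="$dir/authorized_keys"
    status=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    case "$(mode_string "$dir")" in
        d???------) ;;
        *) echo "group/other access on $dir ($(mode_string "$dir"))"; status=1 ;;
    esac
    if [ ! -f "$keys" ]; then
        echo "missing file: $keys"
        return 1
    fi
    case "$(mode_string "$keys")" in
        -rw-------) ;;
        *) echo "$keys should be mode 600 ($(mode_string "$keys"))"; status=1 ;;
    esac
    return "$status"
}

# fix_key_perms HOME_DIR
# Applies the modes the chapter recommends: 700 on .ssh, 600 on authorized_keys.
fix_key_perms() {
    chmod 700 "$1/.ssh"
    chmod 600 "$1/.ssh/authorized_keys"
}

# make_sample_home DIR
# Builds a constructed home directory with deliberately loose modes for the demo.
make_sample_home() {
    mkdir -p "$1/.ssh"
    # Placeholder key line, constructed for the example; not a real key.
    echo "ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEKEY user@example" > "$1/.ssh/authorized_keys"
    chmod 755 "$1/.ssh"
    chmod 644 "$1/.ssh/authorized_keys"
}

demo() {
    h=$(mktemp -d)
    make_sample_home "$h"
    if check_key_perms "$h"; then
        echo "unexpected: loose modes passed the check"
    else
        echo "fixing modes ..."
        fix_key_perms "$h"
    fi
    if check_key_perms "$h"; then
        echo "permissions OK"
    fi
    rm -rf "$h"
}

demo
```

<para>
<application>sshd</application> performs a check of its own: with
<emphasis>StrictModes</emphasis> enabled (the default) it ignores an
<filename>authorized_keys</filename> file when that file, the <filename>.ssh</filename>
directory or the home directory is writable by anyone other than the owner. A key login that
still prompts for a password right after <command>ssh-copy-id</command> is therefore more
often a permissions problem than a bad key, and the server's auth log will say so.
</para>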
</sect2>
<sect2 id="openssh-references" status="review">
<title>References</title>
<itemizedlist>
<listitem>
<para>
<ulink url="https://help.ubuntu.com/community/SSH">Ubuntu Wiki SSH</ulink> page.
</para>
</listitem>
<listitem>
<para>
<ulink url="http://www.openssh.org/">OpenSSH Website</ulink>
</para>
</listitem>
<listitem>
<para>
<ulink url="https://wiki.ubuntu.com/AdvancedOpenSSH">Advanced OpenSSH Wiki Page</ulink>
</para>
</listitem>
</itemizedlist>
</sect2>
</sect1>
<sect1 id="puppet" status="review">
<title>Puppet</title>
<para>
<application>Puppet</application> is a cross-platform framework enabling system
administrators to perform common tasks using code. The code can do a variety of tasks,
from installing new software, to checking file permissions, or updating user accounts.
Puppet is great not only during the initial installation of a system, but also throughout
the system's entire life cycle. In most circumstances <application>puppet</application>
will be used in a client/server configuration.
</para>
<para>
This section will cover installing and configuring <application>puppet</application> in a
client/server configuration. This simple example will demonstrate how to install
<application>Apache</application> using <application>Puppet</application>.
</para>
<sect2 id="puppet-installation" status="review">
<title>Installation</title>
<para>
To install <application>puppet</application>, in a terminal on the
<emphasis>server</emphasis> enter:
</para>
<screen>
<command>sudo apt-get install puppetmaster</command>
</screen>
<para>
On the <emphasis>client</emphasis> machine, or machines, enter:
</para>
<screen>
<command>sudo apt-get install puppet</command>
</screen>
</sect2>
<sect2 id="puppet-configuration" status="review">
<title>Configuration</title>
<para>
Prior to configuring <application>puppet</application> you may want to add a DNS
<emphasis>CNAME</emphasis> record for <emphasis>puppet.example.com</emphasis>, where
<emphasis>example.com</emphasis> is your domain. By default
<application>puppet</application> clients check DNS for puppet.example.com as the puppet
server name, or <emphasis>Puppet Master</emphasis>. See <xref linkend="dns"/> for more DNS
details.
</para>
<para>
If you do not wish to use DNS, you can add entries to the server and client
<filename>/etc/hosts</filename> file. For example, in the
<application>puppet</application> server's <filename>/etc/hosts</filename> file add:
</para>
<programlisting>
127.0.0.1 localhost.localdomain localhost puppet
192.168.1.17 meercat02.example.com meercat02
</programlisting>
<para>
On each <application>puppet</application> client, add an entry for the server:
</para>
<programlisting>
192.168.1.16 meercat.example.com meercat puppet
</programlisting>
<para>
Replace the example IP addresses and domain names above with your actual server and
client addresses and domain names.
</para>
<para>
Now set up some resources for <application>apache2</application>. Create a file
<filename>/etc/puppet/manifests/site.pp</filename> containing the following:
</para>
<programlisting>
require => Package['apache2']
</programlisting>
<para>
Next, create a node file <filename>/etc/puppet/manifests/nodes.pp</filename> with:
</para>
<programlisting>
node 'meercat02.example.com' {
</programlisting>
<para>
Replace <emphasis>meercat02.example.com</emphasis> with your actual puppet client's host
name.
</para>
<para>
The final step for this simple <application>puppet</application> server is to restart
the daemon:
</para>
<screen>
<command>sudo /etc/init.d/puppetmaster restart</command>
</screen>
<para>
Now that everything is configured on the <application>puppet</application> server, it is
time to configure the client.
</para>
<para>
First, configure the <application>puppet agent</application> daemon to start. Edit
<filename>/etc/default/puppet</filename>, changing <emphasis>START</emphasis> to yes:
</para>
<programlisting>
START=yes
</programlisting>
<para>
Then start the service:
</para>
<screen>
<command>sudo /etc/init.d/puppet start</command>
</screen>
<para>
Back on the <application>puppet</application> server, sign the client certificate by
entering:
</para>
<screen>
<command>sudo puppetca --sign meercat02.example.com</command>
</screen>
<para>
Check <filename>/var/log/syslog</filename> for any errors with the configuration. If all
goes well the <application>apache2</application> package and its dependencies will be
installed on the <application>puppet</application> client.
</para>
<para>
This example is <emphasis>very</emphasis> simple, and does not highlight many of
<application>Puppet's</application> features and benefits. For more information see
<xref linkend="puppet-resources"/>.
</para>
</sect2>
<sect2 id="puppet-resources" status="review">
<title>Resources</title>
<itemizedlist>
<listitem>
<para>
See the <ulink url="http://docs.puppetlabs.com/">Official Puppet Documentation</ulink>
web site.
</para>
</listitem>
<listitem>
<para>
Also see <ulink url="http://apress.com/book/view/1590599780">Pulling Strings with
Puppet</ulink>.
</para>
</listitem>
<listitem>
<para>
Another source of additional information is the
<ulink url="https://help.ubuntu.com/community/Puppet">Ubuntu Wiki Puppet Page</ulink>.
</para>
</listitem>
</itemizedlist>
</sect2>
</sect1>
</chapter>