10
10
<chapter id="remote-administration" status="review">
11
11
<title>Remote Administration</title>
13
There are many ways to remotely administer a Linux server. This chapter will cover three of the most popular applications <application>OpenSSH</application>, <application>Puppet</application>, and <application>Zentyal</application>.
13
There are many ways to remotely administer a Linux server. This chapter will
14
cover three of the most popular applications <application>OpenSSH</application>,
15
<application>Puppet</application>, and <application>Zentyal</application>.
15
17
<sect1 id="openssh-server" status="review">
16
18
<title>OpenSSH Server</title>
17
19
<sect2 id="openssh-introduction">
18
<title>Introduction</title>
20
<title>Introduction</title>
20
This section of the Ubuntu &sg-title; introduces a powerful collection of tools
21
for the remote control of, and transfer of data between, networked computers called <emphasis>OpenSSH</emphasis>. You will also learn
22
about some of the configuration settings possible with the OpenSSH server application and how to change them on your Ubuntu system.
25
OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of
26
tools for remotely controlling, or transferring files between, computers.
27
Traditional tools used to accomplish these functions, such as
28
<application>telnet</application> or <application>rcp</application>, are insecure
29
and transmit the user's password in cleartext when used. OpenSSH provides a server
30
daemon and client tools to facilitate secure, encrypted remote control and file
31
transfer operations, effectively replacing the legacy tools.
34
The OpenSSH server component, <application>sshd</application>, listens
35
continuously for client connections from any of the client tools. When a connection
36
request occurs, <application>sshd</application> sets up the correct connection
37
depending on the type of client tool connecting. For example, if the remote
38
computer is connecting with the <application>ssh</application> client application,
39
the OpenSSH server sets up a remote control session after authentication. If a
40
remote user connects to an OpenSSH server with <application>scp</application>, the
41
OpenSSH server daemon initiates a secure copy of files between the server and
42
client after authentication. OpenSSH can use many authentication methods, including plain password, public key, and <application>Kerberos</application> tickets.
22
This section of the Ubuntu &sg-title; introduces a powerful collection
23
of tools for the remote control and transfer of data between
24
networked computers called <emphasis>OpenSSH</emphasis>. You will also learn
25
about some of the configuration settings possible with the OpenSSH
26
server application and how to change them on your Ubuntu system.
29
OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of
30
tools for remotely controlling or transferring files between computers.
31
Traditional tools used to accomplish these functions, such as
32
<application>telnet</application> or <application>rcp</application>,
33
are insecure and transmit the user's password in cleartext when used.
34
OpenSSH provides a server daemon and client tools to facilitate secure,
35
encrypted remote control and file transfer operations, effectively
36
replacing the legacy tools.
39
The OpenSSH server component, <application>sshd</application>, listens
40
continuously for client connections from any of the client tools. When a connection
41
request occurs, <application>sshd</application> sets up the correct connection
42
depending on the type of client tool connecting. For example, if the remote
43
computer is connecting with the <application>ssh</application> client application,
44
the OpenSSH server sets up a remote control session after authentication. If a
45
remote user connects to an OpenSSH server with <application>scp</application>, the
46
OpenSSH server daemon initiates a secure copy of files between the server and
47
client after authentication. OpenSSH can use many authentication methods, including
48
plain password, public key, and <application>Kerberos</application> tickets.
45
51
<sect2 id="openssh-installation">
46
52
<title>Installation</title>
48
Installation of the OpenSSH client and server applications is simple. To install the
49
OpenSSH client applications on your Ubuntu system, use this command at a terminal
54
Installation of the OpenSSH client and server applications is simple. To install the
55
OpenSSH client applications on your Ubuntu system, use this command at a terminal
53
59
<command>sudo apt-get install openssh-client</command>
56
To install the OpenSSH server application, and related support files, use this command
62
To install the OpenSSH server application, and related support files, use this command
57
63
at a terminal prompt:
60
66
<command>sudo apt-get install openssh-server</command>
63
The <application>openssh-server</application> package can also be selected to
69
The <application>openssh-server</application> package can also be selected to
64
70
install during the Server Edition installation process.
67
73
<sect2 id="openssh-configuration">
68
74
<title>Configuration</title>
70
You may configure the default behavior of the OpenSSH server application,
71
<application>sshd</application>, by editing the file
72
<filename>/etc/ssh/sshd_config</filename>. For information about the configuration
73
directives used in this file, you may view the appropriate manual page with the
76
You may configure the default behavior of the OpenSSH server application,
77
<application>sshd</application>, by editing the file
78
<filename>/etc/ssh/sshd_config</filename>. For information about the configuration
79
directives used in this file, you may view the appropriate manual page with the
74
80
following command, issued at a terminal prompt:
77
83
<command>man sshd_config</command>
80
There are many directives in the <application>sshd</application> configuration
81
file controlling such things as communication settings, and authentication modes.
82
The following are examples of configuration directives that can be changed by
86
There are many directives in the <application>sshd</application> configuration
87
file controlling such things as communication settings, and authentication modes.
88
The following are examples of configuration directives that can be changed by
83
89
editing the <filename>/etc/ssh/sshd_config</filename> file.
86
<para>Prior to editing the configuration file, you should make a copy of the
87
original file and protect it from writing so you will have the original
92
<para>Prior to editing the configuration file, you should make a copy of the
93
original file and protect it from writing so you will have the original
88
94
settings as a reference and to reuse as necessary.
90
<para>Copy the <filename>/etc/ssh/sshd_config</filename> file and protect it
96
<para>Copy the <filename>/etc/ssh/sshd_config</filename> file and protect it
91
97
from writing with the following commands, issued at a terminal prompt:
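Review bot: The re-wrap of the Introduction paragraphs (new lines 22-48) hides two wording changes among whitespace-only edits: "remote control of, and transfer of data between, networked computers" loses its commas, and so does "remotely controlling, or transferring files between, computers". The Installation and Configuration paragraphs that follow (new lines 54-97) show identical text on both sides. Consider putting the re-wrap in its own commit so the wording changes can be reviewed separately from the line-break changes.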
451
457
<application>Zentyal</application> consists of a series of packages
452
458
(usually one for each module) that provide a web interface to configure
453
459
the different servers or services. The configuration is stored on a
454
key-value <application>Redis</application> database but users, groups
455
and domains related configuration is on <application>OpenLDAP
460
key-value <application>Redis</application> database, but users, groups,
461
and domains-related configuration is on <application>OpenLDAP
456
462
</application>. When you configure any of the available parameters
457
463
through the web interface, final configuration files are overwritten
458
using the configuration templates provided by the modules.
459
The main advantages of using <application>Zentyal</application> are:
464
using the configuration templates provided by the modules.
465
The main advantage of using <application>Zentyal</application> is a
460
466
unified, graphical user interface to configure all network services and
461
467
high, out-of-the-box integration between them.
471
<application>Zentyal</application> publishes one major stable release
472
once a year based on the latest Ubuntu LTS release.
464
475
<sect2 id="zentyal-installation" status="review">
465
476
<title>Installation</title>
468
Zentyal 2.3 is available on Ubuntu 12.04 Universe repository. The modules
475
zentyal-core & zentyal-common: the core of the
476
<application>Zentyal</application> interface and the common libraries
477
of the framework. Also include the logs and events modules that
478
give the administrator an interface to view the logs and generate
484
zentyal-network: manages the configuration of the network. From the
485
interfaces (supporting static IP, DHCP, VLAN, bridges or PPPoE),
486
to multiple gateways when having more than one Internet connection,
487
load balancing and advanced routing, static routes or dynamic DNS.
492
zentyal-objects & zentyal-services: provide an abstraction level
493
for network addresses (e.g. LAN instead of 192.168.1.0/24) and ports
494
named as services (e.g. HTTP instead of 80/TCP).
499
zentyal-firewall: configures the <application>iptables</application>
500
rules to block forbiden connections, NAT and port redirections.
505
zentyal-ntp: installs the NTP daemon to keep server on time and allow
506
network clients to synchronize their clocks against the server.
511
zentyal-dhcp: configures <application>ISC DHCP</application> server
512
supporting network ranges, static leases and other advanced options
513
like NTP, WINS, dynamic DNS updates and network boot with PXE.
518
zentyal-dns: brings <application>ISC Bind9</application> DNS server
519
into your server for caching local queries as a forwarder or as an
520
authoritative server for the configured domains. Allows to configure
521
A, CNAME, MX, NS, TXT and SRV records.
526
zentyal-ca: integrates the management of a Certification Authority
527
within Zentyal so users can use certificates to authenticate against
528
the services, like with <application>OpenVPN</application>.
533
zentyal-openvpn: allows to configure multiple VPN servers and clients
534
using <application>OpenVPN</application> with dynamic routing
535
configuration using <application>Quagga</application>.
540
zentyal-users: provides an interface to configure and manage users
541
and groups on <application>OpenLDAP</application>. Other services
542
on Zentyal are authenticated against LDAP having a centralized
543
users and groups management. It is also possible to synchronize
544
users, passwords and groups from a <application>Microsoft Active
545
Directory</application> domain.
550
zentyal-squid: configures <application>Squid</application> and
551
<application>Dansguardian</application> for speeding up browsing
552
thanks to the caching capabilities and content filtering.
557
zentyal-samba: allows <application>Samba</application> configuration
558
and integration with existing LDAP. From the same interface you can
559
define password policies, create shared resources and assign
565
zentyal-printers: integrates <application>CUPS</application> with
566
<application>Samba</application> and allows not only to configure
567
the printers but also give them permissions based on LDAP users
574
To install <application>Zentyal</application>, in a terminal on the
575
<emphasis>server</emphasis> enter (where <zentyal-module> is
576
any of the modules from the previous list):
580
<command>sudo apt-get install <zentyal-module></command>
585
<application>Zentyal</application> publishes one major stable release
586
once a year (in September) based on latest Ubuntu LTS release. Stable
587
releases always have even minor numbers (e.g. 2.2, 3.0) and beta
588
releases have odd minor numbers (e.g. 2.1, 2.3). Ubuntu 12.04 comes
589
with <application>Zentyal</application> 2.3 packages. If you want to
590
upgrade to a new stable release published after the release of Ubuntu
591
12.04 you can use <ulink url="https://launchpad.net/~zentyal/">Zentyal
592
Team PPA</ulink>. Upgrading to newer stable releases can provide you
593
minor bugfixes not backported to 2.3 in Precise and newer features.
599
If you need more information on how to add packages from a PPA see
600
<ulink url="https://help.ubuntu.com/&distro-rev-short;/ubuntu-help/addremove-ppa.html">
601
Add a Personal Package Archive (PPA)</ulink>.
607
Not present on Ubuntu Universe repositories, but on
608
<ulink url="https://launchpad.net/~zentyal/">Zentyal Team PPA</ulink>
609
you will find these other modules:
614
zentyal-antivirus: integrates <application>ClamAV</application>
615
antivirus with other modules like the proxy, file sharing or
621
zentyal-asterisk: configures <application>Asterisk</application>
622
to provide a simple PBX with LDAP based authentication.
627
zentyal-bwmonitor: allows to monitor bandwith usage of your LAN
633
zentyal-captiveportal: integrates a captive portal with the firewall
634
and LDAP users and groups.
639
zentyal-ebackup: allows to make scheduled backups of your server using
640
the popular <application>duplicity</application> backup tool.
645
zentyal-ftp: configures a FTP server with LDAP based authentication.
650
zentyal-ids: integrates a network intrusion detection system.
655
zentyal-ipsec: allows to configure IPsec tunnels using
656
<application>OpenSwan</application>.
661
zentyal-jabber: integrates <application>ejabberd</application>
662
XMPP server with LDAP users and groups.
667
zentyal-thinclients: a <application>LTSP</application> based
668
thin clients solution.
673
zentyal-mail: a full mail stack including <application>Postfix
674
</application> and <application>Dovecot</application> with LDAP
680
zentyal-mailfilter: configures <application>amavisd</application> with
681
mail stack to filter spam and attached virus.
686
zentyal-monitor: integrates <application>collectd</application>
687
to monitor server performance and running services.
692
zentyal-pptp: configures a <application>PPTP</application> VPN server.
697
zentyal-radius: integrates <application>FreeRADIUS</application> with
698
LDAP users and groups.
703
zentyal-software: simple interface to manage installed
704
<application>Zentyal</application> modules and system updates.
709
zentyal-trafficshaping: configures traffic limiting rules to do
710
bandwidth throttling and improve latency.
715
zentyal-usercorner: allows users to edit their own LDAP attributes
721
zentyal-virt: simple interface to create and manage virtual machines
722
based on <application>libvirt</application>.
727
zentyal-webmail: allows to access your mail using the popular
728
<application>Roundcube</application> webmail.
733
zentyal-webserver: configures <application>Apache</application>
734
webserver to host different sites on your machine.
739
zentyal-zarafa: integrates <application>Zarafa</application>
740
groupware suite with <application>Zentyal</application> mail stack
479
If you would like to create a new user to access the <application>Zentyal</application>
482
<command>sudo adduser username sudo</command>
487
Add the <application>Zentyal</application> repository to your repository list:
489
<command>sudo add-apt-repository "deb http://archive.zentyal.org/zentyal 3.5 main extra"</command>
494
Import the public keys from <application>Zentyal</application>:
496
<command>sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 10E239FF</command>
497
<command>wget -q http://keys.zentyal.org/zentyal-4.2-archive.asc -O- | sudo apt-key add -</command>
502
Update your packages and install <application>Zentyal</application>:
504
<command>sudo apt-get update</command>
505
<command>sudo apt-get install zentyal</command>
507
During installation you will be asked to set a root MySQL password and
749
513
<sect2 id="zentyal-firststeps" status="review">
750
514
<title>First steps</title>
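Review bot: In the new Installation steps (new lines 496-497) the archive signing key is downloaded with "wget -q http://keys.zentyal.org/zentyal-4.2-archive.asc -O- | sudo apt-key add -", so the key apt will trust for this repository arrives over plain HTTP and is added with no verification step. The "--recv-keys 10E239FF" line before it uses an eight-digit short key ID, which does not uniquely identify a key. Suggest publishing the full key fingerprint in the text, using it in the --recv-keys command, and telling the reader to compare the fingerprint before adding the key. The versions also disagree within these lines: the repository entry names "3.5 main extra" while the key file is zentyal-4.2-archive.asc. Separately, new lines 479-482 offer "sudo adduser username sudo" as the way to give a user access to Zentyal; the text should say that this grants full administrative rights on the server, not only access to the web interface.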
753
Any system account belonging to the sudo group is allowed to log into
754
<application>Zentyal</application> web interface. If you are using the
755
user created during the installation, this should be in the sudo group
761
If you need to add another user to the sudo group, just
765
<command>sudo adduser username sudo</command>
770
To access <application>Zentyal</application> web interface, browse into
771
https://localhost/ (or the IP of your remote server). As Zentyal creates
517
Any system account belonging to the sudo group is allowed to log into the
518
<application>Zentyal</application> web interface. The user created while
519
installing Ubuntu Server will belong to the sudo group by default.
523
To access the <application>Zentyal</application> web interface, point a browser
524
to https://localhost/ or to the IP address of your remote server. As
525
<application>Zentyal</application> creates
772
526
its own self-signed SSL certificate, you will have to accept a security
773
exception on your browser.
527
exception on your browser. Log in with the same username and password used
528
to log in to your server.
777
Once logged in you will see the dashboard with an overview of your
778
server. To configure any of the features of your installed modules, go
779
to the different sections on the left menu. When you make any changes,
780
on the upper right corner appears a red <emphasis>Save changes</emphasis>
781
button that you must click to save all configuration changes.
782
To apply these configuration changes in your server, the module
783
needs to be enabled first, you can do so from the <emphasis>Module Status
784
</emphasis> entry on the left menu. Every time you enable a module, a
785
pop-up will appear asking for a confirmation to perform the necessary
786
actions and changes on your server and configuration files.
532
Once logged in you will see an overview of your
533
server. Individual modules, such as Antivirus or Firewall, can be installed
534
by simply clicking them and then clicking Install.
535
Selecting server roles like Gateway or Infrastructure can be used to install
536
multiple modules at once.
540
Modules can also be installed via the command line:
542
<command>sudo apt-get install <zentyal-module></command>
544
See the list of available modules below.
548
To enable a module, go to the Dashboard, then click Module Status. Click
549
the check box for the module, then Save changes.
553
To configure any of the features of your installed modules, click the
554
different sections on the left menu. When you make any changes, a red "Save
555
changes" button appears in the upper right corner.
791
559
If you need to customize any configuration file or run certain actions
792
560
(scripts or commands) to configure features not available on
793
<application>Zentyal</application> place the custom configuration file
561
<application>Zentyal</application>, place the custom configuration file
794
562
templates on /etc/zentyal/stubs/<module>/ and the hooks on
795
/etc/zentyal/hooks/<module>.<action>.
563
/etc/zentyal/hooks/<module>.<action>. Read more about stubs and
564
hooks <ulink url="https://wiki.zentyal.org/wiki/En/4.0/Appendix_B:_Development_and_advanced_configuration#Advanced_Service_Customization">here</ulink>.
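Review bot: New lines 526-528 tell the reader to accept a browser security exception for the self-signed certificate and then log in with the server username and password, which per new lines 517-519 is a sudo-group account. The text should tell the reader how to confirm that the certificate being accepted is the one the server generated (for example by comparing its fingerprint on the server) before typing those credentials, or how to replace it with a certificate the browser already trusts. The link added at new line 564 points to the 4.0 wiki appendix, while the Installation steps reference a 3.5 archive and a 4.2 key, so the document should settle on one Zentyal version.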
569
<sect2 id="zentyal-modules" status="review">
570
<title>Modules</title>
573
<application>Zentyal</application> 2.3 is available on Ubuntu 12.04 Universe
574
repository. The modules available are:
578
zentyal-core & zentyal-common: the core of the
579
<application>Zentyal</application> interface and the common libraries
580
of the framework. Also includes the logs and events modules that
581
give the administrator an interface to view the logs and generate
587
zentyal-network: manages the configuration of the network. From the
588
interfaces (supporting static IP, DHCP, VLAN, bridges or PPPoE),
589
to multiple gateways when having more than one Internet connection,
590
load balancing and advanced routing, static routes or dynamic DNS.
595
zentyal-objects & zentyal-services: provide an abstraction level
596
for network addresses (e.g. LAN instead of 192.168.1.0/24) and ports
597
named as services (e.g. HTTP instead of 80/TCP).
602
zentyal-firewall: configures the <application>iptables</application>
603
rules to block forbiden connections, NAT and port redirections.
608
zentyal-ntp: installs the NTP daemon to keep server on time and allow
609
network clients to synchronize their clocks against the server.
614
zentyal-dhcp: configures <application>ISC DHCP</application> server
615
supporting network ranges, static leases and other advanced options
616
like NTP, WINS, dynamic DNS updates and network boot with PXE.
621
zentyal-dns: brings <application>ISC Bind9</application> DNS server
622
into your server for caching local queries as a forwarder or as an
623
authoritative server for the configured domains. Allows to configure
624
A, CNAME, MX, NS, TXT and SRV records.
629
zentyal-ca: integrates the management of a Certification Authority
630
within Zentyal so users can use certificates to authenticate against
631
the services, like with <application>OpenVPN</application>.
636
zentyal-openvpn: allows to configure multiple VPN servers and clients
637
using <application>OpenVPN</application> with dynamic routing
638
configuration using <application>Quagga</application>.
643
zentyal-users: provides an interface to configure and manage users
644
and groups on <application>OpenLDAP</application>. Other services
645
on Zentyal are authenticated against LDAP having a centralized
646
users and groups management. It is also possible to synchronize
647
users, passwords and groups from a <application>Microsoft Active
648
Directory</application> domain.
653
zentyal-squid: configures <application>Squid</application> and
654
<application>Dansguardian</application> for speeding up browsing
655
thanks to the caching capabilities and content filtering.
660
zentyal-samba: allows <application>Samba</application> configuration
661
and integration with existing LDAP. From the same interface you can
662
define password policies, create shared resources and assign
668
zentyal-printers: integrates <application>CUPS</application> with
669
<application>Samba</application> and allows not only to configure
670
the printers but also give them permissions based on LDAP users
679
Not present on Ubuntu Universe repositories, but on
680
<ulink url="https://launchpad.net/~zentyal/">Zentyal Team PPA</ulink>
681
you will find these other modules:
688
zentyal-antivirus: integrates <application>ClamAV</application>
689
antivirus with other modules like the proxy, file sharing or
695
zentyal-asterisk: configures <application>Asterisk</application>
696
to provide a simple PBX with LDAP based authentication.
701
zentyal-bwmonitor: allows to monitor bandwith usage of your LAN
707
zentyal-captiveportal: integrates a captive portal with the firewall
708
and LDAP users and groups.
713
zentyal-ebackup: allows to make scheduled backups of your server using
714
the popular <application>duplicity</application> backup tool.
719
zentyal-ftp: configures a FTP server with LDAP based authentication.
724
zentyal-ids: integrates a network intrusion detection system.
729
zentyal-ipsec: allows to configure IPsec tunnels using
730
<application>OpenSwan</application>.
735
zentyal-jabber: integrates <application>ejabberd</application>
736
XMPP server with LDAP users and groups.
741
zentyal-thinclients: a <application>LTSP</application> based
742
thin clients solution.
747
zentyal-mail: a full mail stack including <application>Postfix
748
</application> and <application>Dovecot</application> with LDAP
754
zentyal-mailfilter: configures <application>amavisd</application> with
755
mail stack to filter spam and attached virus.
760
zentyal-monitor: integrates <application>collectd</application>
761
to monitor server performance and running services.
766
zentyal-pptp: configures a <application>PPTP</application> VPN server.
771
zentyal-radius: integrates <application>FreeRADIUS</application> with
772
LDAP users and groups.
777
zentyal-software: simple interface to manage installed
778
<application>Zentyal</application> modules and system updates.
783
zentyal-trafficshaping: configures traffic limiting rules to do
784
bandwidth throttling and improve latency.
789
zentyal-usercorner: allows users to edit their own LDAP attributes
795
zentyal-virt: simple interface to create and manage virtual machines
796
based on <application>libvirt</application>.
801
zentyal-webmail: allows to access your mail using the popular
802
<application>Roundcube</application> webmail.
807
zentyal-webserver: configures <application>Apache</application>
808
webserver to host different sites on your machine.
813
zentyal-zarafa: integrates <application>Zarafa</application>
814
groupware suite with <application>Zentyal</application> mail stack
801
824
<sect2 id="zentyal-references" status="review">
802
825
<title>References</title>
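Review bot: The relocated Modules section still opens with "Zentyal 2.3 is available on Ubuntu 12.04 Universe repository" (new lines 573-574) and later sends the reader to the Zentyal Team PPA (new lines 679-681), which contradicts the new Installation steps that add the archive.zentyal.org 3.5 repository. Update or drop both statements so the module list matches the install source the chapter now describes. Since the list is being moved anyway, fix the spelling carried over from the old text: "forbiden" (new line 603), "bandwith" (new line 701), and the "allows to configure" constructions in the dns, openvpn and ipsec entries.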