<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % globalent SYSTEM "../../libs/global.ent">
<!ENTITY % gnome-menus-C SYSTEM "../../libs/gnome-menus-C.ent">
<!ENTITY % xinclude SYSTEM "../../libs/xinclude.mod">
<!ENTITY language "&EnglishAmerican;">
<chapter id="remote-administration" status="review">
<title>Remote Administration</title>

There are many ways to remotely administer a Linux server. This chapter will cover
one of the most popular, <application>SSH</application>, as well as
<application>eBox</application>, a web-based administration framework.
<sect1 id="openssh-server" status="review">
<title>OpenSSH Server</title>
<sect2 id="openssh-introduction">
<title>Introduction</title>

This section of the Ubuntu &sg-title; introduces a powerful collection of tools
for the remote control of networked computers and transfer of data between
networked computers, called <emphasis>OpenSSH</emphasis>. You will also learn
about some of the configuration settings possible with the OpenSSH server
application and how to change them on your Ubuntu system.

OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of
tools for remotely controlling a computer or transferring files between computers.
Traditional tools used to accomplish these functions, such as
<application>telnet</application> or <application>rcp</application>, are insecure
and transmit the user's password in cleartext when used. OpenSSH provides a server
daemon and client tools to facilitate secure, encrypted remote control and file
transfer operations, effectively replacing the legacy tools.

The OpenSSH server component, <application>sshd</application>, listens
continuously for client connections from any of the client tools. When a connection
request occurs, <application>sshd</application> sets up the correct connection
depending on the type of client tool connecting. For example, if the remote
computer is connecting with the <application>ssh</application> client application,
the OpenSSH server sets up a remote control session after authentication. If a
remote user connects to an OpenSSH server with <application>scp</application>, the
OpenSSH server daemon initiates a secure copy of files between the server and
client after authentication. OpenSSH can use many authentication methods, including plain password, public key, and <application>Kerberos</application> tickets.
<sect2 id="openssh-installation">
<title>Installation</title>

Installation of the OpenSSH client and server applications is simple. To install the
OpenSSH client applications on your Ubuntu system, use this command at a terminal:

<command>sudo apt-get install openssh-client</command>

To install the OpenSSH server application, and related support files, use this command:

<command>sudo apt-get install openssh-server</command>

The <application>openssh-server</application> package can also be selected to
install during the Server Edition installation process.
<sect2 id="openssh-configuration">
<title>Configuration</title>

You may configure the default behavior of the OpenSSH server application,
<application>sshd</application>, by editing the file
<filename>/etc/ssh/sshd_config</filename>. For information about the configuration
directives used in this file, you may view the appropriate manual page with the
following command, issued at a terminal prompt:

<command>man sshd_config</command>

There are many directives in the <application>sshd</application> configuration
file controlling such things as communications settings and authentication modes.
The following are examples of configuration directives that can be changed by
editing the <filename>/etc/ssh/sshd_config</filename> file.

<para>Prior to editing the configuration file, you should make a copy of the
original file and protect it from writing so you will have the original
settings as a reference and to reuse as necessary.</para>

<para>Copy the <filename>/etc/ssh/sshd_config</filename> file and protect it
from writing with the following commands, issued at a terminal prompt:</para>

<command>sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original</command>
<command>sudo chmod a-w /etc/ssh/sshd_config.original</command>

The following are examples of configuration directives you may change:

To set your OpenSSH to listen on TCP port 2222 instead of the default TCP port
22, change the Port directive as such:

To have <application>sshd</application> allow public key-based login credentials,
simply add or modify the line:

PubkeyAuthentication yes

In the <filename>/etc/ssh/sshd_config</filename> file, or if already present,
ensure the line is not commented out.

To make your OpenSSH server display the contents of the
<filename>/etc/issue.net</filename> file as a pre-login
banner, simply add or modify the line:

Banner /etc/issue.net

In the <filename>/etc/ssh/sshd_config</filename> file.

After making changes to the <filename>/etc/ssh/sshd_config</filename> file, save
the file, and restart the <application>sshd</application> server application to
effect the changes using the following command at a terminal prompt:

<command>sudo /etc/init.d/ssh restart</command>
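
Because sshd uses the first active value it reads for a keyword, a commented-out or duplicated line can leave the running setting different from what an edit intended. The script below is an added example, not part of the original guide: the function names sshd_values and audit_sshd and the sample file are constructed for illustration, and the script does not follow Include directives.

```shell
#!/bin/sh
# Added example, not part of the guide. Per sshd_config(5): keywords are
# case-insensitive, lines starting with '#' are comments, and the first value
# obtained for a keyword is the one used. Port may be repeated; sshd listens
# on every port listed.

# sshd_values FILE KEYWORD: print each active value of KEYWORD found before
# the first Match block, one per line, in file order.
sshd_values() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comment or blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            n = match(line, /[ \t]+/)           # keyword/argument separator
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            if (key == "match") exit            # conditional blocks start here
            if (key == want) print substr(line, n + RLENGTH)
        }
    ' "$1"
}

# audit_sshd FILE: one-line summary of the three directives discussed above,
# falling back to the OpenSSH default when a directive is absent.
audit_sshd() {
    ports=$(sshd_values "$1" Port | paste -sd, -)
    pubkey=$(sshd_values "$1" PubkeyAuthentication | head -n 1)
    banner=$(sshd_values "$1" Banner | head -n 1)
    echo "Port=${ports:-22} PubkeyAuthentication=${pubkey:-yes} Banner=${banner:-none}"
}

# Constructed sample: the active "no" wins over the later "yes", and the
# commented-out line is ignored. Pass a real path as $1 to audit it instead.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Port 2222' '#PubkeyAuthentication yes' \
    'PubkeyAuthentication no' 'PubkeyAuthentication yes' \
    'Banner /etc/issue.net' 'Match User backup' '    Banner none' > "$sample"
audit_sshd "${1:-$sample}"
rm -f "$sample"
```

Running the audit before the restart, and comparing its output with the copy saved as sshd_config.original, shows which of the edited directives will actually take effect.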

Many other configuration directives for <application>sshd</application> are
available for changing the server application's behavior to fit your needs.
Be advised, however, if your only method of access to a server is
<application>ssh</application>, and you make a mistake in configuring
<application>sshd</application> via the
<filename>/etc/ssh/sshd_config</filename> file, you may find you
are locked out of the server upon restarting it, or that the
<application>sshd</application> server refuses to start due to an incorrect
configuration directive, so be extra careful when editing this file on a
<sect2 id="openssh-keys" status="review">
<title>SSH Keys</title>

SSH <emphasis>keys</emphasis> allow authentication between two hosts without the need of a password. SSH key authentication
uses two keys, a <emphasis>private</emphasis> key and a <emphasis>public</emphasis> key.

To generate the keys, from a terminal prompt enter:

<command>ssh-keygen -t dsa</command>

This will generate the keys using a <emphasis>DSA</emphasis> authentication identity of the user. During the process you
will be prompted for a password. Simply hit <emphasis>Enter</emphasis> when prompted to create the key.

By default the <emphasis>public</emphasis> key is saved in the file <filename>~/.ssh/id_dsa.pub</filename>, while
<filename>~/.ssh/id_dsa</filename> is the <emphasis>private</emphasis> key. Now copy the <filename>id_dsa.pub</filename> file
to the remote host and append it to <filename>~/.ssh/authorized_keys2</filename>:

<command>cat id_dsa.pub >> .ssh/authorized_keys2</command>

Finally, double check the permissions on the <filename>authorized_keys2</filename> file; only the authenticated user should have read and write permissions.
If the permissions are not correct, change them with:

<command>chmod 644 .ssh/authorized_keys2</command>

You should now be able to SSH to the host without being prompted for a password.
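
A check of the permissions that matter for key login, as an added example that is not part of the original guide: key_perm_issues is a hypothetical helper that assumes GNU stat and checks modes only, not ownership. It matches any id_* key type, since OpenSSH has disabled DSA keys by default since release 7.0.

```shell
#!/bin/sh
# Added example, not part of the guide. Assumes GNU stat (stat -c %a), as
# shipped on Ubuntu.

# key_perm_issues SSH_DIR: print one line per problem; print nothing if clean.
key_perm_issues() {
    dir=$1
    # With StrictModes (default yes) sshd refuses to use an authorized-keys
    # file if it, or a directory above it, is writable by group or others
    # (mode & 022).
    for f in "$dir" "$dir/authorized_keys" "$dir/authorized_keys2"; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f")
        [ $(( 0$mode & 022 )) -eq 0 ] || echo "writable-by-others $mode $f"
    done
    # The ssh client refuses a private key that group or others can access
    # (mode & 077).
    for f in "$dir"/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        mode=$(stat -c %a "$f")
        [ $(( 0$mode & 077 )) -eq 0 ] || echo "private-key-exposed $mode $f"
    done
}

# Constructed demo in a scratch directory standing in for ~/.ssh.
demo=$(mktemp -d)
: > "$demo/authorized_keys2"; : > "$demo/id_dsa"; : > "$demo/id_dsa.pub"
chmod 700 "$demo"
chmod 664 "$demo/authorized_keys2"; chmod 644 "$demo/id_dsa" "$demo/id_dsa.pub"
key_perm_issues "$demo"        # reports authorized_keys2 and id_dsa
chmod 644 "$demo/authorized_keys2"; chmod 600 "$demo/id_dsa"
key_perm_issues "$demo"        # prints nothing: 644 passes the sshd check
rm -rf "$demo"
```

On a real account, call key_perm_issues "$HOME/.ssh" on both the client and the remote host.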

<sect2 id="openssh-references" status="review">
<title>References</title>

<ulink url="http://www.openssh.org/">OpenSSH Website</ulink>

<ulink url="https://wiki.ubuntu.com/AdvancedOpenSSH">Advanced OpenSSH Wiki Page</ulink>

<sect1 id="ebox" status="review">
<application>eBox</application> is a web framework used to manage server application
configuration. The modular design of eBox allows you to pick and choose which services you
want to configure using eBox.
<sect2 id="ebox-installation" status="review">
<title>Installation</title>

The different <application>eBox</application> modules are split into different packages,
allowing you to only install those necessary. One way to view the available packages is
to enter the following from a terminal:

<command>apt-cache rdepends ebox | uniq</command>

To install the <application>ebox</application> package, which contains the default
modules, enter the following:

<command>sudo apt-get install ebox</command>

If you want to install all the available modules, install the <application>ebox-all</application>
meta package.

During the installation you will be asked to supply a password for the ebox user. After
installing eBox the web interface can be accessed from:
<emphasis>https://yourserver/ebox</emphasis>.
<sect2 id="ebox-configuration" status="review">
<title>Configuration</title>

An important thing to remember when using <application>eBox</application> is that when
configuring most modules there is a <emphasis>Change</emphasis> button that implements
the new configuration. After clicking the Change button most, but not all, modules will
then need to be <emphasis>Saved</emphasis>. To save the new configuration click on the
<quote>Save changes</quote> link in the top right hand corner.

Once you make a change that requires a Save, the link will change from green to red.
<sect2 id="ebox-modules" status="review">
<title>eBox Modules</title>

By default no eBox <emphasis>Modules</emphasis> are enabled, and when a new module
is installed it will not be automatically enabled.

To enable a disabled module click on the <emphasis>Module status</emphasis> link in the
left hand menu. Then <emphasis role="italic">check</emphasis> which modules you would
like to enable and click the <quote>Save</quote> link.
<sect3 id="ebox-default-modules" status="review">
<title>Default Modules</title>

This section provides a quick summary of the default <application>eBox</application>

<emphasis>System:</emphasis> contains options allowing configuration of general

<emphasis>General:</emphasis> allows you to set the language, port
number, and contains a change password form.

<emphasis>Disk Usage:</emphasis> displays a graph detailing information about

<emphasis>Backup:</emphasis> is used to back up <application>eBox</application>
configuration information, and the <emphasis>Full Backup</emphasis> option
allows you to save all eBox information not included in the
<emphasis>Configuration</emphasis> option such as log files.

<emphasis>Halt/Reboot:</emphasis> will shut down the system or reboot it.

<emphasis>Bug Report:</emphasis> creates a file containing details helpful
when reporting bugs to the eBox developers.

<emphasis>Logs:</emphasis> allows <application>eBox</application> logs to be
queried depending on the purge time configured.

<emphasis>Events:</emphasis> this module has the ability to send alerts through
RSS, Jabber, and log file.

<emphasis>Available Events:</emphasis>

<emphasis>Free Storage Space:</emphasis> will send an alert if free disk
space drops below a configured percentage, 10% by default.

<emphasis>Log Observer:</emphasis> unfortunately this event does not work
with the <application>eBox</application> version shipped with Ubuntu 7.10.

<emphasis>RAID:</emphasis> will monitor the RAID system and send alerts if

<emphasis>Service:</emphasis> sends alerts if a service restarts multiple
times in a short time period.

<emphasis>State:</emphasis> alerts on the state of
<application>eBox</application>, either up or down.

<emphasis>Dispatchers:</emphasis>

<emphasis>Log:</emphasis> this dispatcher will send event messages to the
<application>eBox</application> log file
<filename>/var/log/ebox/ebox.log</filename>.

<emphasis>Jabber:</emphasis> before enabling this dispatcher you must
first configure it by clicking on the <quote>Configure</quote> icon.

<emphasis>RSS:</emphasis> once this dispatcher is configured you can
subscribe to the link in order to view event alerts.

<sect2 id="ebox-additional-modules" status="review">
<title>Additional Modules</title>

Here is a quick description of other available <application>eBox</application> modules:

<emphasis>Network:</emphasis> allows configuration of the server's network options

<emphasis>Firewall:</emphasis> configures firewall options for the eBox host.

<emphasis>UsersandGroups:</emphasis> this module will manage users and groups
contained in an <application>OpenLDAP</application> LDAP directory.

<emphasis>DHCP:</emphasis> provides an interface for configuring a DHCP server.

<emphasis>DNS:</emphasis> provides <application>BIND9</application> DNS server
configuration options.

<emphasis>Objects:</emphasis> allows configuration of eBox
<emphasis>Network Objects</emphasis>, which allow you to assign a name to an IP
address or group of IPs.

<emphasis>Services:</emphasis> displays configuration information for services that
are available to the network.

<emphasis>Squid:</emphasis> configuration options for the
<application>Squid</application> proxy server.

<emphasis>CA:</emphasis> configures a Certificate Authority for the server.

<emphasis>NTP:</emphasis> sets Network Time Protocol options.

<emphasis>Printers:</emphasis> allows the configuration of printers.

<emphasis>Samba:</emphasis> configuration options for Samba.

<emphasis>OpenVPN:</emphasis> setup options for OpenVPN Virtual Private Network

<sect2 id="ebox-resources" status="review">
<title>Resources</title>

For more information see the
<ulink url="http://ebox-platform.com/">eBox Home Page</ulink>.