------------------------- Week 10 Notes for NET2003 -------------------------
-Ian! D. Allen - idallen@idallen.ca

Remember - knowing how to find out an answer is more important than
memorizing the answer.  Learn to fish!  RTFM! (Read The Fine Manual)

Keep up on your readings (Course Outline: average 5 hours/week homework)

[************************************************************]
[************************************************************]
[*** Students should be taking their own notes in class   ***]
[*** and updating them with my published summaries.       ***]
[************************************************************]
[************************************************************]

Abbreviation "ALN" = your "Advanced Linux Networking" text by R.W.Smith

Alternative VNS network config for those using wireless or VPN or who
have only a single IP address at home:
  - in your VMplayer click on the Ethernet device and change the type of
    network on eth0 from "bridged" to "NAT" (or try "host-only")
  - start your VNS
  - make sure pump is running on eth0 (should be there already)
  - "ifconfig eth0" should show a private address
  - "ip route" should show a route to your VNS host machine gateway
    private IP
  - should be able to ping this gateway private IP
  - see if you can ping your VNS host machine external address
  - see if you can ping something on the Internet
  - details: see http://cri.ch/linux/docs/sk0020.html
  - you can also directly edit your *.vmx file and add/change this line:
      ethernet0.connectionType = "nat"   (or "hostonly" or "bridged")
See: Notes virtual_network_sandbox.txt

NTP - ALN Chapter 10 - p.241 - Maintaining Consistent Time: Time Servers
--------------------
Read: When to run a time server
Read: Setting up an NTP server
Skip: Using samba to serve time
Read: Summary

- Internet time is handled by two client programs: the ntpd daemon
  (Debian packages it as "ntp-server") and the one-shot ntpdate
  - "man ntpd" and "man ntpdate"
- ntpd will not normally make large corrections; use ntpdate for that
- at boot, run ntpdate before ntpd
  - some ntpd start-up scripts automatically run ntpdate first
- pick time servers near you (or use pool.ntp.org, a collection of
  volunteer NTP time server machines)
  - Canadian stratum 2 servers: time.nrc.ca and time.chu.nrc.ca
  - http://inms-ienm.nrc-cnrc.gc.ca/time_services/network_time_protocol_e.html
Q: What is "pool.ntp.org"?

- program to sync the PC hardware clock to system time: hwclock
  - Warning: Unix likes a hwclock in UTC (GMT); Windows uses local time
  - hwclock --systohc --localtime   (or --utc for a UTC hardware clock)
Q: Why do you have to be careful about your BIOS clock settings when
   dual-booting Windows and Linux?

ALN Chapter 4 - "Starting Servers" p.79
-------------
See also week07notes.txt for more questions re Chapter 4.

Read: Using SysV startup scripts
Read: Using inetd
Skip: the /etc/inetd.conf file format
Read: using TCP wrappers
Read: Using xinetd
Read: Using local startup scripts
Skip: Using GUI tools
Read: When to use each startup method
Read: Summary

The inetd/xinetd "super-servers" - ALN Chapter 4 p.89-99
--------------------------------

* How a Super-Server works

- two main programs: inetd (original) and xinetd (newer)
  - older "inetd" usually replaced with newer "xinetd"
  - config files/directories are different:
      /etc/inetd.conf  vs.  /etc/xinetd.conf and /etc/xinetd.d/

Q: How does a super-server work? p.89
   - binds to many ports
   - starts the real server upon an incoming connection
Q: Outline the costs/benefits of using a super-server instead of running
   many individual servers. p.89, p.108-110, table p.109
Q: Suppose the super-server and each of five other servers controlled by
   the super-server take 1MB of memory each.
   (1) How much memory is in use when none of the other servers are
       being used?
   (2) How much memory is in use if all the other servers are being used?
Q: If we start the five other servers (e.g. from SysV start-up scripts)
   without running the super-server,
   (3) how much memory is in use if none of the five servers are being
       used?
   (4) how much memory is in use if all of the five servers are being
       used? (Hint: same answer)
Q: A system often comes configured with many servers enabled in the inetd
   or xinetd config files. Are these servers safe to leave enabled? p.92

* TCP Wrappers - used by inetd and xinetd (and other programs such as sshd)

The book mentions only inetd and xinetd as using TCP Wrappers - in fact,
some other programs (e.g. sshd) use the same config files without having
to use inetd or xinetd to start them. (TCP Wrappers was made into a
library/API called "libwrap" that any server may link against.) If a
program uses TCP Wrappers directly, it is the *name* of the program that
should be placed in the hosts.allow and hosts.deny config files, not the
name of the service from /etc/services, e.g. use "sshd" not "ssh".

Q: What name should I place in /etc/hosts.allow to control the SSH
   service on port 22?

TCP Wrappers are called "wrappers" because of the way they originated in
the inetd.conf file, where the "tcpd" program was inserted in front of the
daemon name, effectively "wrapping" the call to the daemon, e.g. a line
from inetd.conf before TCP Wrappers and after adding TCP Wrappers:

    before:  telnet  stream  tcp  nowait  root  telnetd
    after:   telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  telnetd

Note the use of tcpd in front of telnetd. The "tcpd" program does
IP/hostname-based access checks and only calls the program telnetd if the
checks pass (based on the contents of hosts.allow and hosts.deny).

Q: What is the network function of TCP Wrappers? p.92
Q: Can TCP Wrappers restrict access to a server based on IP address? p.92
Q: Can TCP Wrappers restrict access to a server based on port number? p.92
Q: Name the two config files used by TCP Wrappers. p.92
   Which of the two config files overrides the other config file? p.92
   What is the comment character used in these two files? p.93
   What is the "wildcard" name used in these files? p.93
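The evaluation order of the two files, the comment character and the wildcard, shown as a small Python model of how libwrap decides. This is an added example, not code from these notes or from the real tcpd/libwrap: the hosts.allow and hosts.deny texts are constructed, and the matcher handles only the common client patterns (ALL, an exact host or IP, a leading-dot domain suffix, a trailing-dot network prefix); EXCEPT, netmask forms, KNOWN/PARANOID and the ident user field are not modeled.

```python
"""Model of the TCP Wrappers (libwrap) access decision.

Added example, not code from the notes or from tcpd/libwrap itself.
Only the common client patterns are modeled (see lead-in).
"""
import re

# Constructed sample files (not copied from any real system).
HOSTS_ALLOW = """\
# /etc/hosts.allow - checked first; first matching line wins
sshd: .carleton.ca, 10.0.0.
in.telnetd: 127.0.0.1
"""

HOSTS_DENY = """\
# /etc/hosts.deny - checked only if nothing in hosts.allow matched
ALL: ALL
"""


def parse(text):
    """Return a list of (daemon_list, client_list) pairs from one file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                                # malformed line, ignore
        daemons = [d for d in re.split(r"[,\s]+", fields[0]) if d]
        clients = [c for c in re.split(r"[,\s]+", fields[1]) if c]
        rules.append((daemons, clients))            # fields[2:] = options
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern against the peer's hostname and IP."""
    if pattern == "ALL":                            # the wildcard
        return True
    if pattern.startswith("."):                     # ".carleton.ca" suffix
        return host.endswith(pattern)
    if pattern.endswith("."):                       # "10.0.0." prefix
        return addr.startswith(pattern)
    return pattern in (host, addr)                  # exact host or IP


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def file_matches(rules, daemon, host, addr):
    return any(
        any(daemon_matches(d, daemon) for d in daemons)
        and any(client_matches(c, host, addr) for c in clients)
        for daemons, clients in rules
    )


def access_allowed(daemon, host, addr,
                   allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """libwrap order: hosts.allow, then hosts.deny, then default ALLOW."""
    if file_matches(parse(allow_text), daemon, host, addr):
        return True
    if file_matches(parse(deny_text), daemon, host, addr):
        return False
    return True      # no match in either file: access is granted


if __name__ == "__main__":
    # stand-alone sshd is checked by its *daemon* name, not the service "ssh"
    print(access_allowed("sshd", "lab.carleton.ca", "192.0.2.5"))    # True
    print(access_allowed("sshd", "evil.example", "198.51.100.7"))    # False
    print(access_allowed("ssh", "lab.carleton.ca", "192.0.2.5"))     # False
    # with an empty hosts.deny the default is to let everyone in
    print(access_allowed("sshd", "evil.example", "198.51.100.7",
                         deny_text=""))                              # True
```

The last call is the point to remember: a hosts.allow with no "ALL: ALL" in hosts.deny restricts nothing, because an address that matches neither file is allowed. On a real system the same question is answered by the tcpdmatch program shipped with TCP Wrappers, e.g. "tcpdmatch sshd 10.0.0.9".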
- What daemons are listed in the VNS base machine TCP Wrappers config
  files? (Go look!)
Q: T/F Configuring the two TCP Wrappers files means TCP Wrappers will
   apply to all servers on your machine. p.93
Q: What is the syntax of the basic TCP Wrappers config file line? p.93-94
   How would I allow the SSH service from all hosts in domain carleton.ca?

Note that if SSH (compiled to use libwrap) is running stand-alone, it
expects to find its daemon name "sshd" in the TCP Wrappers config files,
not the "ssh" service name from /etc/services. The book shows only "ssh",
which is what you would use if running SSH from inetd or xinetd. (p.94)

The book talks about blocking based on user name (ident or auth); but,
this almost never works since most machines don't give out that info,
and a hostile client can claim any user name it likes. (p.95)

Q: How do you tell TCP Wrappers to block access to all services from all
   IP addresses? p.95
Q: How do you tell TCP Wrappers to allow access to all services from all
   IP addresses?

* The "xinetd" super server

- Where does the xinetd super-server keep its main config file? p.96
- Where does the xinetd super-server keep its supplementary config
  files? p.96
- How many supplementary xinetd config files are installed in your VNS
  base system? (Go look!)

The xinetd config files have an option with the dumb name "disable" that
you set to "yes" to DISABLE the service, and to "no" to ENABLE the
service. (No option present means the service is enabled.) (p.97)

Q: How do you enable a service under xinetd?
- For all the supplementary xinetd config files on your VNS base system,
  how many are enabled/disabled? (Go look! "grep" is your friend) p.97

The book says xinetd doesn't use TCP Wrappers (p.97); but, modern versions
of xinetd come with TCP Wrappers "libwrap" compiled in. You can use
options to disable this or modify how libwrap is used. RTFM

Q: T/F modern versions of xinetd have TCP Wrappers (libwrap) built-in.
- How do you tell xinetd to reload/reread its configuration files? p.98
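The "Go look!" audit above (which inetd.conf lines are live, which of them are wrapped by tcpd, and which xinetd.d services are enabled) as a small Python script. This is an added example, not code from the notes, from inetd or from xinetd: the inetd.conf text and the xinetd.d file contents are constructed samples, the inetd.conf layout follows the usual seven-field format, and the xinetd check only looks at the per-service "disable" line (a real audit would also read the "defaults" block in /etc/xinetd.conf).

```python
"""Audit what a super-server would actually listen for.

Added example, not code from the notes, from inetd or from xinetd.
Inputs are constructed in-line; on a real system read /etc/inetd.conf
and the files under /etc/xinetd.d/ instead.
"""
import re

INETD_CONF = """\
# /etc/inetd.conf (constructed sample) - every uncommented line is live
#service type   proto wait   user   server_path            args
ftp      stream tcp   nowait root   /usr/sbin/tcpd         in.ftpd
telnet   stream tcp   nowait root   /usr/sbin/in.telnetd
#finger  stream tcp   nowait nobody /usr/sbin/tcpd         in.fingerd
daytime  stream tcp   nowait root   internal
"""

# Constructed contents of three files in /etc/xinetd.d/
XINETD_D = {
    "telnet": """\
service telnet
{
    disable     = yes
    socket_type = stream
    server      = /usr/sbin/in.telnetd
}
""",
    "finger": """\
service finger
{
    # no "disable" line at all: xinetd treats the service as ENABLED
    socket_type = stream
    server      = /usr/sbin/in.fingerd
}
""",
    "echo": """\
service echo
{
    disable = no
    type    = INTERNAL
}
""",
}


def inetd_services(text):
    """Return [(service, wrapped_by_tcpd)] for each live inetd.conf line."""
    live = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        fields = line.split()
        if len(fields) < 6:
            continue                               # blank or malformed
        server = fields[5]                         # 6th field: server path
        live.append((fields[0], server.endswith("/tcpd")))
    return live


def xinetd_enabled(files):
    """Return {service: True/False}; only 'disable = yes' switches it off."""
    status = {}
    for name, body in files.items():
        enabled = True                             # missing line = enabled
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            m = re.match(r"disable\s*=\s*(\S+)$", line)
            if m:
                enabled = m.group(1).lower() != "yes"
        status[name] = enabled
    return status


def summary(inetd_text=INETD_CONF, xinetd_files=XINETD_D):
    """The counts a sysadmin wants before deciding what to switch off."""
    inetd = inetd_services(inetd_text)
    xin = xinetd_enabled(xinetd_files)
    return {
        "inetd_live": len(inetd),
        "inetd_unwrapped": sorted(s for s, wrapped in inetd if not wrapped),
        "xinetd_enabled": sorted(s for s, on in xin.items() if on),
        "xinetd_disabled": sorted(s for s, on in xin.items() if not on),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(key, value)
```

Two things this surfaces that a plain "grep disable" misses: a service file with no "disable" line is live, and an inetd.conf line whose server field is not tcpd gets no TCP Wrappers check at all (unless the server itself links libwrap).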
The book mentions the access control features of xinetd as being "similar
to TCP Wrappers". Modern xinetd has the TCP Wrappers libwrap compiled in;
it *is* TCP Wrappers. (p.98-99)

Q: How do you start or restart xinetd? (p.98)

If you have system logging enabled, at start-up xinetd will log the
number of services found and enabled (may be zero!).
Q: Will the xinetd process still be running if there are zero services
   configured?

Configuring DHCP (client) - ALN Chapter 2 p.33
-------------------------
Q: How does a DHCP client locate a DHCP server? p.33
- T/F: Linux has only two common DHCP client packages. p.33
Q: What is the name of the DHCP client for Debian systems? p.35 (table)

Note on p.35 the misuse of the term "start-up script" for Debian DHCP; in
fact, client DHCP doesn't have a traditional System V init.d start-up
script. Client DHCP is started/enabled for an interface if the network
configuration asks for it; so, client DHCP is started as part of bringing
up the network. It doesn't make sense to "start DHCP" if you haven't
specified which network interface it should listen on.

The Debian network start-up script is "/etc/init.d/networking", and
inside that start-up script is a call to the program "ifup -a" that uses
the Debian master network config file /etc/network/interfaces, and in
that master config file the keyword "dhcp" on an interface signals the
use of a DHCP client, e.g.

    iface eth0 inet dhcp

Q: What is the absolute pathname of the Debian network start-up script?
Q: Give the absolute pathname of the file you must edit to configure a
   client DHCP network interface under Debian/Ubuntu/Knoppix.
   How would you configure a Debian system eth0 for DHCP at boot time?
   (See week 8 notes for a sample network interfaces file.)

Remote login and Configuring SSH - ALN Chapter 13, p.321
--------------------------------
Q: T/F: Text-mode remote login tools directly permit X11 graphical
   programs to run. p.309
Q: Rank ssh, rlogin, and telnet in order from most to least secure. p.310
Q: True/False: the telnet protocol sends your password in clear text over
   the network. p.320
Q: True/False: a telnet session itself is encrypted once you log in. p.320
Q: What is the popular SSH protocol used for? p.321
Q: What is the name of the non-commercial open source SSH package used in
   most Linux distributions? p.322
Q: T/F: the open source SSH and the commercial SSH cannot connect to each
   other. p.322

Many distributions split up the OpenSSH client/server suite into separate
client and server packages, since not everyone needs both. You may need
to install up to three software packages to get a full open source SSH
client and server on a Linux system. p.323
(Text Note: "-client" should be spelled "-clients" on some systems.)

Q: T/F: SSH allows you to forward ports across your encrypted connection.
   p.323
Q: T/F: the scp program encrypts the login but not the data. p.323-324
Q: How is the SSH server traditionally started in Linux? p.324
Q: You can elect to run the SSH server from a super-server. What
   inconvenience might this cause (esp. on hardware with slower CPUs)?
   p.324
- What is the absolute pathname of the script used to start the SSH
  server? (Go look!)
- What is the actual name of the running SSH server started by the
  script? (What is the absolute pathname of the SSH server program?)
Q: What configuration has to happen before you can run the SSH server for
   the very first time? p.325
- What are the key types of the key files that the system SSH start-up
  script generates before starting the SSH server? (Go look!)
Q: What happens to client connections if you re-generate (overwrite) the
   encryption keys on your server? p.325
- What is the absolute pathname of the SSH server config file? p.325
- What is the absolute pathname of the SSH client config file? p.325
Q: What happens the first time you use an SSH client to connect to a
   server? bottom p.328
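What the client does with the server's host key on first contact, on a later unchanged contact, and after the server's keys have been re-generated, as a Python model of the known_hosts check. This is an added example, not code from these notes or from OpenSSH: it assumes plain (unhashed) known_hosts lines of the form "hostnames keytype base64-key", ignores the HashKnownHosts, @cert-authority and @revoked forms, and the sample file and key strings are constructed, not real keys.

```python
"""Model of the SSH client's known_hosts trust-on-first-use check.

Added example, not code from the notes or from OpenSSH. Assumes plain
(unhashed) known_hosts lines: "hostnames keytype base64-key".
"""

# Constructed known_hosts: three fields per line, '#' lines are comments.
KNOWN_HOSTS = """\
# ~/.ssh/known_hosts - one line per server key already accepted
vns.example,10.0.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedKEY1
mail.example         ssh-dss AAAAB3NzaC1kc3MAAAAconstructedKEY2
"""

NEW = "NEW_HOST"          # first contact: client asks "Are you sure ...?"
MATCH = "MATCH"           # key seen before and unchanged: connect silently
CHANGED = "KEY_CHANGED"   # key differs: "REMOTE HOST IDENTIFICATION HAS CHANGED"


def parse_known_hosts(text):
    """Return {(hostname, keytype): key} for every host alias on each line."""
    known = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 3:
            continue                            # blank or malformed
        hosts, keytype, key = fields[0], fields[1], fields[2]
        for h in hosts.split(","):              # "a.example,10.0.0.2"
            known[(h, keytype)] = key
    return known


def check_host_key(host, keytype, presented_key, known_hosts_text=KNOWN_HOSTS):
    """Decide as ssh(1) does: first use, match, or changed."""
    stored = parse_known_hosts(known_hosts_text).get((host, keytype))
    if stored is None:
        return NEW
    if stored == presented_key:
        return MATCH
    return CHANGED


def accept_new_key(host, keytype, key, known_hosts_text=KNOWN_HOSTS):
    """What answering 'yes' at the first-contact prompt does: append a line."""
    return known_hosts_text + f"{host} {keytype} {key}\n"


if __name__ == "__main__":
    key1 = "AAAAB3NzaC1yc2EAAAAconstructedKEY1"
    print(check_host_key("vns.example", "ssh-rsa", key1))             # MATCH
    # server re-generated its keys (p.325): every client now sees CHANGED
    print(check_host_key("10.0.0.2", "ssh-rsa", "AAAAB3NzaC1regenerated"))
    text = accept_new_key("new.example", "ssh-rsa", "AAAAB3NzaC1yc2EAAAAKEY3")
    print(check_host_key("new.example", "ssh-rsa", "AAAAB3NzaC1yc2EAAAAKEY3", text))
```

The CHANGED case is the one to think about: the client cannot tell a re-generated server key from a man-in-the-middle. Before forcing the connection, compare the fingerprint the server admin reads out of its public key file (ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub, run on the server) with the one the client prints; only then drop the stale line (ssh-keygen -R hostname) and reconnect.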
Q: What happens at the client end when the key for a server changes?
   p.328-329
Q: How can you force an SSH client connection to a server if the key file
   has changed? top p.329

Configuring POP3 - ALN Chapter 11 p.257
----------------
Q: What is the difference between a "Push" and a "Pull" mail protocol?
   p.257
Q: T/F: a pull mail server can operate without a working push server.
   p.257
Q: An enterprise mail system receives email (delivered via the SMTP push
   mail protocol). Describe two ways that office users can read this
   email. p.258
Q: What kind of mail server do I need to permit users to fetch and read
   mail from their own computers? p.259
Q: What happens if the push mail server (SMTP server) on a pull mail
   machine (POP3 server) fails? p.259
Q: Describe what "relay" means in a push mail (SMTP) protocol. p.259-260
Q: Why does a pull mail server need a larger disk than a push mail
   server? top p.261
Q: What is the role of a pull mail server? p.261
Q: T/F: You must use the same host name for your push and pull mail
   servers. p.261
Q: Describe briefly how POP and IMAP servers handle their email store.
   p.262, p.266-267
Q: True/False: POP mail requires more storage and bandwidth than IMAP.
   p.262, p.266-267
Q: True/False: default POP and IMAP mail servers carry userids,
   passwords, and email safely in encrypted form. p.267
Q: True/False: most POP servers are simple and require no configuration.
   p.267
Q: True/False: most POP/IMAP servers run under a "super-server" such as
   inetd/xinetd. p.269, p.270