Security

• tcp wrappers
  • Installed by default
    • security is open, Suggestion is to change to the following. This only allows access from .fnal.gov addresses. If one wants to open it up then make a concious decision to do so and only put it what has to be there.
      • /etc/hosts.allow
        • ALL: .fnal.gov
      • /etc/hosts.deny
        • ALL: ALL
• ssh - secure shell
  • Highly suggested for use. May be required in future.
  • encrypt's all traffic
  • designed to replace rlogin, rcp, rsh
  • Cannot distribute because of export laws
  • Version 1.x.x license allows use at Fermi
  • Version 2.x.x license does NOT seem to allow use at Fermi
  • Available via ftp from linux-rep.fnal.gov/pub/security/ssh
  • Comes in 2 parts
    • sshd - needs to be started in /etc/rc.d/rcx.d
    • ssh,scp clients
• /etc/inetd.conf
  • Comment out all that is not needed. See above example
• PAM
  • Pluggable Authentication Modules PAM info at RedHat
    • Way of letting System Admin to set authentication policy without having to recompile authentication programs such as "login"
    • 4 types of modules
      • auth
        • actual authentication such as asking for a password
      • account
        • check to make sure that the authentication is allowed. Such as "Has the account expired?"
      • password
        • set passwords
      • session
        • after the user has been authenticated.
    • /etc/pam.d
      • config files live here