20061120




Monday Nov 20 2006


usermin and webmin

Today we will look at the usermin part of webmin.

Also, we will be making some changes to XP, the host OS. We will automatically download the updates, but not install them. That way

Also, we didn't understand how networking was working, and we opened some ports on Windows firewall unnecessarily.

Webmin We are dropping packets from 209.128.91.148. Should have a screen dump here.

Joe set up usermin on port 20000 on the server. Set up an ssh tunnel to port 20000 on the server, then you can access usermin. On Linux use something like:

[ggeller@ws06 ~]$ ssh -f -N -L 2000:localhost:20000 georgeg@rop.ncc.sdccd.net

File and Directory Permissions, Users, Groups, and umask

We noticed that on our server, all the users have read access to each other's home directories. We thought that this is the default setup in Fedora Core 5. We can't tell if that's the default setup or not. It may have been changed by the folks that set up the Fedora Core 5 appliance for webmin. It is a little more complicated because all our users belong to the students group.

Our umask is 022

[georgeg@rop ~]$ umask
0022
[georgeg@rop ~]$ ls -l
total 8
drwxr-xr-x 2 georgeg students 4096 Nov 17 10:58 Desktop
-rw-r--r-- 1 georgeg students   21 Nov 20 08:30 testfile

Notice that my files belong to the students group. Also notice that everything is world readable.

[georgeg@rop ~]$ chmod 701 .

This will give everyone x rights to the directory. The rights allow everyone to traverse the directory, but not to see a listing.

But, if somebody is a member of the students group, will they be denied the directory traversal rights? The answer is yes. We want people to access files if we set the permissions correctly. We have to give x rights to both the group and world.

[georgeg@rop ~]$ chmod 711 .

And, we probably want to change our umask to 011. This would be done in .bashrc, I think.
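An added example, not part of the class notes: it creates a file and a directory under several umask values and reports the modes they actually get, so a candidate value can be checked before it goes into .bashrc. The function names are made up for this example, and stat -c assumes GNU coreutils, as on Fedora.

```shell
#!/bin/sh
# new_modes UMASK: create one file and one directory under UMASK in a scratch
# directory and print their octal modes as "FILE DIR" (uses GNU stat -c).
new_modes() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"
        touch "$scratch/file"
        mkdir "$scratch/dir"
        echo "$(stat -c '%a' "$scratch/file") $(stat -c '%a' "$scratch/dir")"
    )
    rm -rf "$scratch"
}

# writable_by_others UMASK: succeed if new files would be writable by the
# group or by everyone else (write bits 020 or 002 left in the file mode).
writable_by_others() {
    file_mode=$(new_modes "$1" | cut -d' ' -f1)
    [ $(( 0$file_mode & 022 )) -ne 0 ]
}

# Compare the current umask (022), the proposed 011, and two stricter values.
for u in 022 011 027 077; do
    if writable_by_others "$u"; then
        note="new files are group/world writable"
    else
        note="no group/world write"
    fi
    echo "umask $u -> file/dir modes $(new_modes "$u") ($note)"
done
```

A umask only clears bits. Since touch asks for 666 and mkdir for 777, a umask that clears only x bits leaves the write bits in place.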

Back to webmin and usermin

Usermin looks something like this:
image:20061120-0100-usermin.png
What's happening here is that my machine is running firefox under linux. In Fedora Core 5, I set up a tunnel from port 2000 on my localhost to port 20000 on rop.ncc.sdccd.net using the ssh command quoted above.

Why didn't I use port 20000 on my Linux machine? Because port 20000 on my Linux machine is being used by usermin.

[root@ws06 ~]# netstat -pant | grep 20000
tcp        0      0 0.0.0.0:20000               0.0.0.0:*                   LISTEN      1820/perl 

Everybody else is using Secure Shell SSH from XP and setting up a tunnel using the dialog box with all the tabs. It is very confusing.


Usermin includes a webmail interface. Click on the email icon:
image:20061120-0200-usermin-mail.png
Click on the Read Mail icon:
Image:20061120-0300-usermin-mailbox.png

timezones

The server itself has a timezone. The server timezone can be set by root with webmin or with the setup program.

Each user can have his own TZ shell variable. This may be different from the machine's timezone.

Update your time from the command line with:

[root@ws06 ~]# ntpdate pool.ntp.org

Joe showed us how to use webmin to regularly synchronize the time. First go to Webmin's hardware tab and click on the System Time icon. You may have to install the System Time module using Webmin module manager thingie. It makes a little script called sync.pl that is run by cron every hour.

If you run crontab -e as root, you see that the file is in /etc/webmin/time/sync.pl

The file contains:

#!/usr/bin/perl
open(CONF, "/etc/webmin/miniserv.conf");
while(<CONF>) {
        $root = $1 if (/^root=(.*)/);
        }
close(CONF);
$ENV{'WEBMIN_CONFIG'} = "/etc/webmin";
$ENV{'WEBMIN_VAR'} = "/var/webmin";
chdir("$root/time");
exec("$root/time/sync.pl", @ARGV) || die "Failed to run $root/time/sync.pl : $!";

Installing usermin

Start webmin on your VM. Access it using firefox from the gnome interface (you may have to do startx). To get to webmin point your browser to localhost:10000
Image:20061121-010-webmin.png
Note: In these screenshots, webmin sees my hostname as arthur.sdlinuxguy.com because I'm doing this at home instead of in class. Your workstation will come up as localhost.localdomain or maybe wsNN.ncc.sdccd.net if you followed the instructions for setting your host name at 20061108#Set_a_host_name_on_your_virtual_machine. Anyway, click on Usermin Configuration
Image:20061121-020-usermin-install.png
Click Install Usermin RPM package. After a while you see something like this:
Image:20061121-030-usermin-install.png
Usermin is installed, which you can verify with:

[ggeller@arthur ~]$ rpm -q usermin
usermin-1.230-1

Next, point your browser at localhost:20000
Image:20061121-040-usermin.png
Usermin has some nice stuff including a webmail interface.

Any port in a storm.

Joe showed us how to install usermin on our virtual machine and connect to it using a tunnel with SSH Secure Shell.

Then everybody got confused because they were trying to make two tunnels with two SSH Secure Shell sessions:

  1. XP, port 20000 to the virtual machine's port 20000
  2. XP, port 20000 to port 20000 on rop.ncc.sdccd.edu

Of course it doesn't work because only one tunnel can listen on a port on the XP.

So, Joe fixed it by picking a different port for the first one.

You can use the netstat -an command in the Windows command window.

C:\Documents and Settings\GeorgeG>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.101.20.38:139       0.0.0.0:0              LISTENING
  TCP    10.101.20.38:1046      10.101.1.200:22        ESTABLISHED
  TCP    10.101.20.38:1051      10.101.20.67:5906      ESTABLISHED
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5906         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1025           *:*
  UDP    0.0.0.0:1027           *:*
  UDP    0.0.0.0:3456           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    10.101.20.38:123       *:*
  UDP    10.101.20.38:137       *:*
  UDP    10.101.20.38:138       *:*
  UDP    10.101.20.38:1900      *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1900         *:*

Only one process can be listening on a port at a given time. All you have to do is find a port that isn't being used.
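An added example, not part of the class notes: it reads netstat output in either of the two formats shown on this page, lists the TCP listeners with whether each is bound to loopback only or to a network-reachable address, and picks the first unused port from a list of candidates for the local end of a tunnel. The sample rows are constructed from the listings above and the function names are made up for this example.

```shell
#!/bin/sh
# Constructed sample: rows in the XP "netstat -an" and Linux "netstat -pant"
# formats shown on this page.
SAMPLE='  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.101.20.38:1046      10.101.1.200:22        ESTABLISHED
  TCP    127.0.0.1:5906         0.0.0.0:0              LISTENING
tcp        0      0 0.0.0.0:20000      0.0.0.0:*      LISTEN      1820/perl'

# listeners: netstat output on stdin, prints "PORT SCOPE" per TCP listener.
# The local address is always two fields before the LISTEN/LISTENING state.
listeners() {
    awk '{
        for (i = 3; i <= NF; i++) if ($i ~ /^LISTEN/) {
            la = $(i - 2)
            n = split(la, part, ":"); port = part[n]
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]")
                scope = "loopback"
            else
                scope = "network"
            print port, scope
        }
    }'
}

# port_in_use PORT: netstat output on stdin, succeeds if PORT has a listener.
port_in_use() {
    listeners | awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# first_free_port "NETSTAT_OUTPUT" PORT...: print the first candidate port
# that nothing is listening on; fail if all candidates are taken.
first_free_port() {
    out=$1; shift
    for p in "$@"; do
        if ! printf '%s\n' "$out" | port_in_use "$p"; then
            echo "$p"; return 0
        fi
    done
    return 1
}

printf '%s\n' "$SAMPLE" | listeners
echo "tunnel can listen on: $(first_free_port "$SAMPLE" 20000 5906 2000)"
```

On a live machine, pass "$(netstat -an)" instead of the sample. A listener reported as "network" is reachable from other hosts unless a firewall blocks it.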

Q and A

Q. But isn't root access to the server blocked?
A. Root access via ssh is blocked. If you try to use SSH Secure Shell to log in as the root user, you will not be able to. This is because we modified the config file for sshd. However, you can login as root within webmin. Webmin has nothing to do with sshd. You can see the setting in /etc/sshd_config:

PermitRootLogin no

Q. If someone tries to login to webmin as root, what happens?
A. Good question. You get an entry in /var/log/secure

Nov 20 11:57:41 ws06 webmin[29108]: Invalid login as root from 127.0.0.1
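An added example, not part of the class notes: it counts failed webmin logins per user and source address from lines in the format of the /var/log/secure entry above. The sample lines are constructed (only the first one is from this page), the function names are made up for this example, and only this one message format is matched.

```shell
#!/bin/sh
# Constructed sample lines; the first is the entry quoted on this page.
SECURE_SAMPLE='Nov 20 11:57:41 ws06 webmin[29108]: Invalid login as root from 127.0.0.1
Nov 20 11:57:49 ws06 webmin[29110]: Invalid login as root from 127.0.0.1
Nov 20 11:58:02 ws06 sshd[29120]: Accepted password for georgeg from 192.0.2.10 port 1046 ssh2
Nov 20 11:58:30 ws06 webmin[29131]: Invalid login as root from 192.0.2.10
Nov 20 11:59:05 ws06 webmin[29140]: Invalid login as georgeg from 192.0.2.10'

# failed_webmin_logins: log lines on stdin, prints "COUNT USER SOURCE",
# one line per (user, source) pair, highest count first.
failed_webmin_logins() {
    awk '$5 ~ /^webmin\[[0-9]+\]:$/ && $6 == "Invalid" && $7 == "login" &&
         $8 == "as" && $10 == "from" {
             n[$9 " " $11]++
         }
         END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1nr -k2,3
}

# repeat_offenders MIN: log lines on stdin, keeps only the pairs with at
# least MIN failed attempts.
repeat_offenders() {
    failed_webmin_logins | awk -v min="$1" '$1 >= min'
}

printf '%s\n' "$SECURE_SAMPLE" | failed_webmin_logins
```

On the server, feed it the real file as root: failed_webmin_logins < /var/log/secure.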