Chapter 10 Network Services HP-UX Handbook Revision 13.
Chapter 10 Network Services October 29, 2013 TERMS OF USE AND LEGAL RESTRICTIONS FOR THE HP-UX RECOVERY HANDBOOK ATTENTION: PLEASE READ THESE TERMS CAREFULLY BEFORE USING THE HP-UX HANDBOOK. USING THESE MATERIALS INDICATES THAT YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THESE TERMS, DO NOT USE THE HP-UX HANDBOOK. THE HP-UX HANDBOOK HAS BEEN COMPILED FROM THE NOTES OF HP ENGINEERS AND CONTAINS HP CONFIDENTIAL INFORMATION.
TABLE OF CONTENTS

Introduction (p. 4)
Host Based Network Support (p. 4)
    Name Resolution (p. 4)
    Name Service Switching (p. 5)
    The system as a DNS client
Introduction

This document is a short introduction to some commonly used network services on HP-UX systems. It is not intended to be an exhaustive survey of services. Since most, if not all, network services rely heavily on solid and consistent name resolution, name resolution is addressed first. This is followed by a general description of some commonly seen network services.
Name Service Switching

Most, if not all, network services are designed to be Name Service Switch (NSS) aware. For instance, while setting up an incoming telnet connection, the telnetd daemon verifies the source IP address of the request as part of its program logic. To do this, telnetd opens /etc/nsswitch.conf, if it is present, and follows the instructions for ipnodes first and then hosts.
    hosts:    dns [NOTFOUND=return] nis [NOTFOUND=return] files
    ipnodes:  dns [NOTFOUND=return] nis [NOTFOUND=return] files

With this ordering, an application that uses the name localhost instead of the loopback IP address 127.0.0.1 sends every lookup of localhost to DNS first. The local nameserver has no answer for that name, so the query is forwarded to the nameserver used for outside queries, which returns NXDOMAIN (no such name) or possibly a SERVFAIL return code.
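The following is an added example, not code from the HP-UX Handbook. It reads an nsswitch.conf-style file, prints the source order for the hosts and ipnodes databases with the bracketed status criteria stripped, and flags any database on which dns is consulted before files, which is exactly the ordering that sends every lookup of localhost to DNS first. The sample file it writes is constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the HP-UX Handbook. It reports the lookup
# order an nsswitch.conf-style file gives for a database and flags lines on
# which dns is consulted before files, the ordering that sends every lookup
# of "localhost" to DNS first. The sample file written below is constructed.

# Write a constructed sample file to the path given in $1: the handbook's
# ordering for hosts and a files-first ordering for ipnodes.
write_sample_nsswitch() {
    cat > "$1" <<'EOF'
# constructed sample nsswitch.conf
hosts:    dns [NOTFOUND=return] nis [NOTFOUND=return] files
ipnodes:  files [NOTFOUND=continue] dns
EOF
}

# Print the source order for one database ($2) from file $1, with the
# bracketed status criteria such as [NOTFOUND=return] stripped out.
nss_order() {
    awk -v db="$2" '
        /^[ \t]*#/ { next }                 # comment line
        $1 == (db ":") {
            out = ""
            for (i = 2; i <= NF; i++)
                if ($i !~ /^\[/) out = out (out == "" ? "" : " ") $i
            print out
            exit
        }' "$1"
}

# Return 0 (and print a warning) when dns is consulted before files for
# database $2 in file $1; return 1 when files comes first or dns is absent.
nss_dns_before_files() {
    _order=$(nss_order "$1" "$2")
    _pos=0; _dns=0; _files=0
    for _src in $_order; do
        _pos=$((_pos + 1))
        if [ "$_src" = dns ] && [ "$_dns" -eq 0 ]; then _dns=$_pos; fi
        if [ "$_src" = files ] && [ "$_files" -eq 0 ]; then _files=$_pos; fi
    done
    if [ "$_dns" -gt 0 ] && { [ "$_files" -eq 0 ] || [ "$_dns" -lt "$_files" ]; }; then
        echo "WARNING: $2 consults dns before files; lookups of localhost go to DNS first"
        return 0
    fi
    return 1
}

# Stand-alone demonstration against the constructed sample.
SAMPLE="${TMPDIR:-/tmp}/nsswitch.sample.$$"
write_sample_nsswitch "$SAMPLE"
for db in hosts ipnodes; do
    echo "$db: $(nss_order "$SAMPLE" "$db")"
    nss_dns_before_files "$SAMPLE" "$db" || echo "$db: files is consulted before dns"
done
rm -f "$SAMPLE"
```

Run it against the real /etc/nsswitch.conf by passing that path to nss_dns_before_files for hosts and ipnodes; the criteria in brackets are ignored on purpose, because the ordering of the sources, not the continue/return rules, is what decides where a local name is looked up first.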
subdomains should be found, a search statement can be used (instead of the domain statement), e.g.:

    search grc.hp.com, bbn.hp.com

Up to three nameserver statements can be entered into this file. These must be specified by IP address, not hostname. Current versions of libc allow the timeout used when falling back to the next nameserver to be tuned through the retry and retrans directives; see the resolver(4) man page for details.
The reasoning behind this recommendation is that nsquery uses the same resolver routines as a typical application; therefore, it will behave the same way when an unresponsive nameserver is referenced in /etc/resolv.conf. The DNS BIND distribution provides the tool dig, which is an industry standard and very useful for seeing the DNS server's complete response to a query. It is often worth checking for consistency between forward and reverse lookups.
    # domainname

Determine the server to which the client is bound:

    # ypwhich

Determine which NIS maps are available:

    # ypwhich -m

Display the contents of a map:

    # ypcat -k

Match a specific entry in a map:

    # ypmatch `hostname` hosts

The system as an LDAP-UX client

The LDAP-UX client is valuable alongside other services such as NFS because it has largely taken over the role that NIS has historically played.
Well-Known Network Services

A standard HP-UX installation is capable of using several network services. Many, but not all, of these are, or may be, launched from the Internet super daemon, inetd. Those which are not are configured (in HP-UX) to start from configuration scripts in the /etc/rc.config.d directory.
Some security is provided in HP-UX via /var/adm/inetd.sec. The syntax of an entry is:

    service_name { allow | deny } { hostaddrs | hostnames | netaddrs | netnames }

Example (only allow loopback telnet connections):

    telnet allow 127.0.0.1

This file applies only to services launched out of inetd (as defined in /etc/inetd.conf); it is not a general security mechanism. man inetd.conf shows the syntax of the file. Lines starting with "#" are comments.
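The following is an added example, not code from the HP-UX Handbook. It evaluates an inetd.sec-style file for a given service and source host and prints whether inetd would accept the connection, which is a quick way to confirm that an entry such as the telnet example above does what was intended before relying on it. The matching semantics it applies (no entry accepts every host, an allow entry accepts only the listed hosts, a deny entry rejects only the listed hosts, the last entry for a service is the one used, and a trailing "*" in a host token matches a prefix) are assumptions made for the demonstration, not a statement of how inetd itself is implemented. The sample file it writes is constructed.

```shell
#!/bin/sh
# Added example, not code from the HP-UX Handbook. It evaluates an
# inetd.sec-style file for a service and source host and prints "allow" or
# "deny". The semantics are an assumption made for this demonstration:
#   - a service with no entry accepts every host
#   - an "allow" entry accepts only the listed hosts, a "deny" entry rejects
#     only the listed hosts, and the last entry for a service is used
#   - lines starting with "#" are comments
#   - a host token may end in "*" to match an address or name prefix
# The sample file written below is constructed.

write_sample_inetd_sec() {
    cat > "$1" <<'EOF'
# constructed sample inetd.sec
telnet  allow  127.0.0.1
ftp     deny   15.1.* badhost
EOF
}

# Print "allow" or "deny" for service $2 from host $3 under file $1.
inetd_sec_decide() {
    _file=$1; _svc=$2; _src=$3
    # last non-comment entry whose first field is the service name
    _rule=$(awk -v svc="$_svc" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == svc { line = $0 }
        END { print line }' "$_file")
    if [ -z "$_rule" ]; then
        echo allow
        return
    fi
    set -- $_rule          # $1 service, $2 allow|deny, $3.. host patterns
    _action=$2
    shift 2
    _matched=no
    for _pat in "$@"; do
        # unquoted pattern so a trailing "*" matches a prefix
        case "$_src" in
            $_pat) _matched=yes ;;
        esac
    done
    if [ "$_action" = allow ]; then
        [ "$_matched" = yes ] && echo allow || echo deny
    else
        [ "$_matched" = yes ] && echo deny || echo allow
    fi
}

# Stand-alone demonstration against the constructed sample.
SEC="${TMPDIR:-/tmp}/inetd.sec.sample.$$"
write_sample_inetd_sec "$SEC"
for probe in "telnet 127.0.0.1" "telnet 15.2.3.4" "ftp 15.1.2.3" \
             "ftp badhost" "ftp 16.0.0.1" "login 15.1.2.3"; do
    set -- $probe
    echo "$1 from $2: $(inetd_sec_decide "$SEC" "$1" "$2")"
done
rm -f "$SEC"
```

Pointing it at /var/adm/inetd.sec shows which entry is in force for a service; an entry that quietly allows everything because the service name is misspelled, or a deny list that never matches because the address form differs, shows up as an unexpected "allow".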
The portmapper of the server system tells the client the port on which rpc.mountd can be reached. The client system sends a mount request for the corresponding file system to the server's mount daemon. The mount daemon checks whether the file system may be exported to the client. If so, it sends the client the file handle of the corresponding file system. Otherwise, it answers with "access denied".
made in /etc/rc.config.d/nfsconf:

    NFS_CLIENT=1

The service may be started and stopped using

    # /sbin/init.d/nfs.client start
    # /sbin/init.d/nfs.client stop

or

Enter file systems in /etc/fstab to make them available via NFS automatically upon reboot. Temporary ones may be made available using the automount daemon. The file /etc/rc.config.
behavior. Performance discussions show how important it is to adjust NUM_NFSD= if the UDP protocol is used for NFS communication. It determines the number of nfsd processes, which handle UDP NFS requests, the main factor of all NFS-related load today. The number should be greater than 4 times the number of available CPUs and, if the system is an NFS client of itself, at least greater than 32.
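The following is an added example, not code from the HP-UX Handbook. It reads the NUM_NFSD= setting from an nfsconf-style file and compares it with the sizing rule just given (more than 4 times the CPU count, and more than 32 when the system is an NFS client of itself), so the check can be run against /etc/rc.config.d/nfsconf with the CPU count of the machine. The sample file it writes is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the HP-UX Handbook. It reads NUM_NFSD from an
# nfsconf-style file and compares it with the sizing rule given above:
# greater than 4 times the CPU count, and greater than 32 when the system
# is an NFS client of itself. The sample file written below is constructed.

write_sample_nfsconf() {
    cat > "$1" <<'EOF'
# constructed sample /etc/rc.config.d/nfsconf
NFS_SERVER=1
NUM_NFSD=16
EOF
}

# Smallest NUM_NFSD that satisfies the rule for $1 CPUs; $2 is "self" when
# the system mounts its own exports.
nfsd_min_required() {
    _min=$(( $1 * 4 + 1 ))
    if [ "$2" = self ] && [ "$_min" -lt 33 ]; then _min=33; fi
    echo "$_min"
}

# Value of the last uncommented, unquoted NUM_NFSD= assignment in file $1
# (0 if none).
num_nfsd_configured() {
    awk -F= '/^[ \t]*NUM_NFSD=/ { v = $2 } END { print v + 0 }' "$1"
}

# Compare the configured value in file $1 with the rule for $2 CPUs
# ($3 = "self" for a self-mounting system); return 0 if adequate.
check_num_nfsd() {
    _have=$(num_nfsd_configured "$1")
    _need=$(nfsd_min_required "$2" "$3")
    if [ "$_have" -ge "$_need" ]; then
        echo "NUM_NFSD=$_have meets the minimum of $_need"
        return 0
    fi
    echo "NUM_NFSD=$_have is below the minimum of $_need; raise it in $1"
    return 1
}

# Stand-alone demonstration against the constructed sample.
CONF="${TMPDIR:-/tmp}/nfsconf.sample.$$"
write_sample_nfsconf "$CONF"
check_num_nfsd "$CONF" 2 no   || true   # 16 >= 9
check_num_nfsd "$CONF" 2 self || true   # 16 <  33
rm -f "$CONF"
```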
Involved Scripts and Processes

                          Client                                Server
Administration Scripts:   /etc/rc.config.d/nfsconf              /etc/rc.config.d/nfsconf
                          /sbin/init.d/nfs.client [stop|start]  /sbin/init.d/nfs.server [stop|start]
Worker Processes:         biod (a sufficient number)            rpcbind
                          automount(d) (if required)            rpc.mountd
                                                                nfsd / nfsktcpd
File Locking Processes:   rpcbind                               rpcbind
                          rpc.lockd                             rpc.lockd
                          rpc.statd                             rpc.
Most of the above information can be collected using an internal HP support tool, nfsinfo. This tool is HP's intellectual property and is proprietary; it should be used outside of HP only in the context of a support case. This tool does not perform a nettl trace, which must be run while the problem is being recreated. The basic techniques involved in nettl tracing are covered in the previous chapter of this handbook.
With NIS configuration becoming increasingly rare, Enhanced AutoFS in conjunction with LDAP-UX may hold the maps used by automountd, which were previously commonly implemented via NIS. Straightforward configuration guidance can be found in the book Managing NFS/NIS by Hal Stern. NFS manuals for HP-UX can be found under HP-UX Networking Software for the level of HP-UX being worked with: http://h20000.www2.hp.
If the automountd process no longer responds to the SIGUSR2 signal, it most often will not respond to the SIGTERM signal either. In this case, there is no way to fully restore the functionality of the daemon other than to reboot.

Commonly used network services

telnet

The telnet service has historically been the application that provides a pseudo-terminal (a substitute for a hard-wired console interface) through which a login account accesses a server.
ftp

The ftp service has historically been the file transfer service of choice. While still popular, it is not well suited to environments where security is a major concern. The ftp client host is given only a cursory identity check (a forward and reverse lookup of the incoming IP address to detect spoofing), and the service provides no privacy, since everything, including the clear-text password, can be picked up with a network trace.
    1500000000 bytes sent in 13.91 seconds (105324.47 Kbytes/s)

Firewall issues: once a control connection to ftp on the server is established, ftp can operate in either ACTIVE mode or PASSIVE mode. In ACTIVE mode, the ftp client's firewall will be asked to allow an incoming connection coming from a privileged port (20). In a PASSIVE connection, the ftp client asks for anonymous ports on the ftp server.
    [hostname] [username] [#comment]

Common problems include:

Unexpected prompting for password with rlogin: host equivalency is not properly established because hostname resolution does not produce a hostname that matches the /etc/hosts.equiv or $HOME/.rhosts file entry.

remshd: Login incorrect.: host equivalency is not properly established.
The two most common, Password and Public-Key, are considered in this document. Password authentication is simple and should work with no configuration. Although a password is sent across the network, it is not sent in clear text as it is with telnet, rlogin or ftp. Public-Key authentication is set up by generating a mathematically related private/public key pair on the ssh client.
Although not commonly implemented, the ssh-agent program can be launched at the beginning of a login session so that the passphrase is provided only once. This permits the use of a passphrase while eliminating some of its inconvenience. The use of ssh-agent is not discussed in this document.
Permissions for the Client Files and Directories

Permissions for the Server Files and Directories

Still can't log in: further debug logging will be required. A first pass at debug logging of the sshd server (the client does not control whether it is authenticated; the server must determine that) can be taken as follows:

    server# script /tmp/server.out
    Script started, file is /tmp/server.
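The following is an added example, not code from the HP-UX Handbook, for the permission checks the two headings above refer to; the handbook's own permission tables are not reproduced here, so the rules applied are the standard OpenSSH ones, stated as assumptions: the .ssh directory and authorized_keys must not be group- or world-writable (sshd rejects them under StrictModes), and a private key must not be readable or writable by group or others (ssh refuses such a key as "too open"). Because a permission problem on either side is a common cause of the "still can't log in" case, running this before turning on sshd debug logging can save a step. The mode is read from the first field of "ls -ld"; the demo directory it builds is constructed.

```shell
#!/bin/sh
# Added example, not code from the HP-UX Handbook. It checks the permissions
# that OpenSSH insists on for a .ssh directory, applying the standard
# OpenSSH rules (stated here as assumptions, since the handbook's own
# permission tables are not reproduced above): the directory and
# authorized_keys must not be group- or world-writable, which sshd rejects
# under StrictModes, and a private key must not be readable or writable by
# group or others, which ssh refuses as "too open". The mode is read from
# the first field of "ls -ld". The demo directory built below is constructed.

# Mode string of $1, e.g. drwx------ (positions 2-4 user, 5-7 group, 8-10 other).
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Print one line per problem found under the .ssh directory $1; return 1 if any.
check_ssh_perms() {
    _bad=0
    case "$(mode_string "$1")" in
        d????w????|d???????w?) echo "$1: directory is group/world writable"; _bad=1 ;;
    esac
    if [ -f "$1/authorized_keys" ]; then
        case "$(mode_string "$1/authorized_keys")" in
            ?????w????|????????w?) echo "$1/authorized_keys: group/world writable"; _bad=1 ;;
        esac
    fi
    for _key in "$1"/identity "$1"/id_dsa "$1"/id_rsa "$1"/id_ecdsa "$1"/id_ed25519; do
        [ -f "$_key" ] || continue
        case "$(mode_string "$_key")" in
            ????------) ;;
            *) echo "$_key: private key readable or writable by group/others"; _bad=1 ;;
        esac
    done
    return $_bad
}

# Build a constructed .ssh directory with compliant permissions and print its path.
make_demo_ssh_dir() {
    _d=$(mktemp -d "${TMPDIR:-/tmp}/sshdemo.XXXXXX")/.ssh
    mkdir "$_d"
    : > "$_d/id_rsa"; : > "$_d/authorized_keys"
    chmod 700 "$_d"; chmod 600 "$_d/id_rsa"; chmod 644 "$_d/authorized_keys"
    echo "$_d"
}

# Stand-alone demonstration: a clean directory, then one with a loose key.
D=$(make_demo_ssh_dir)
check_ssh_perms "$D" && echo "$D: permissions OK"
chmod 644 "$D/id_rsa"
check_ssh_perms "$D" || echo "$D: problems found"
rm -rf "${D%/.ssh}"
```

On the client, run check_ssh_perms against the user's ~/.ssh; on the server, against the ~/.ssh of the account being logged into, where the authorized_keys rule is the one that matters.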
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    91:a7:55:1b:c6:0b:e7:29:6c:f0:6c:42:c5:bd:36:7c.
    Please contact your system administrator.
    Add correct host key in /.ssh/known_hosts to get rid of this message.
    Offending key in /.
Additional Information

General Knowledge

TCP/IP Network Administration by C. Hunt (O'Reilly)
Managing NFS and NIS by H. Stern (O'Reilly)
DNS and BIND by Albitz/Liu (O'Reilly)

Internet Standards (RFC): http://www.rfc-editor.org
http://www.isc.org