

4. Boot Loaders

4.1 Concepts
1. Invocation

Invocation of the boot loader usually occurs in one of two ways:

o BIOS loads the first stage boot loader from the drive's MBR.

o BIOS loads another boot loader which then loads the first stage boot loader
from a partition's boot sector.

The first stage boot loader is also known as the Initial Program Loader
(IPL). It must be less than 512 bytes in size, so it is fairly limited.
Its primary job is to load a more functional boot loader (a.k.a. the
second stage boot loader).

2. Configuration

There are two different ways to configure a boot loader:

o Install the first stage of the boot loader on the MBR. It can then be
configured to pass control to any desired operating system.

o Install the first stage of the boot loader in the boot sector of a partition.
Another boot loader is then installed on the MBR. This other boot loader
must be configured to pass control to the Linux boot loader.

4.2 Lilo
1. Configuration File

o /etc/lilo.conf

Sample File:

prompt                      # Present lilo prompt so user can interact with lilo
timeout=50                  # Time to wait for user interaction, in tenths of a
                            # second (50 = 5 seconds)
default=linux               # Default image to boot
boot=/dev/hda6              # Boot device (location to install the primary boot loader)
                            # To install in the MBR, specify /dev/hda
map=/boot/map               # Location of map file
install=/boot/boot.b        # Location of second stage boot loader
password=some_passwd        # A password required to boot
restricted                  # Password only required if options are entered at the
                            # boot prompt
message=/boot/message       # Text message or splash screen (PCX) displayed at boot time
linear

# Image definition
image=/boot/vmlinuz-2.4.7-10        # Location of the compressed kernel (vmlinuz)
    label=linux
    initrd=/boot/initrd-2.4.7-10.img    # Initial RAM disk
    read-only
    root=/dev/hda9                      # Location of root file system

# Image definition for another OS
other=/dev/hda1
    optional
    label=windows

See lilo.conf man page for an example.

2. Command Line Options

o -t - Test lilo configuration, but don't actually install.

o -v - Verbose

3. Boot Time arguments

Command line options can be entered at the boot prompt by
appending them to the image that you are booting. For example:

linux root=/dev/hda5 mem=128M 1


Tells lilo to boot the kernel with a label of "linux" into runlevel 1
using /dev/hda5 as the root filesystem. It also states the machine
has 128 MB of RAM.

If lilo has been password protected, you will be required to enter
the password before booting.

4. Errors

The 'LILO' prompt itself can be used to help diagnose boot related
errors. The number of letters presented at the LILO prompt can
indicate the success or failure of the boot loader.

o L = First stage boot loaded and started. Usually indicates disk problems or
invalid options in /etc/lilo.conf.

o LI = Second stage boot loaded from /boot, but /etc/lilo.conf has invalid
parameters or /boot/boot.b was moved without re-running /sbin/lilo.

o LIL = Second stage loader started, but the descriptor table can't be loaded
due to a bad disk or invalid parms in /etc/lilo.conf.

o LIL? = Second stage loaded at an incorrect address because of invalid
parms in /etc/lilo.conf or /boot/boot.b was moved without re-running
/sbin/lilo.

o LIL- = Descriptor table is corrupt. Caused by invalid parms in /etc/lilo.conf
or /boot/boot.b was moved without re-running /sbin/lilo.

o LILO = All of LILO loaded correctly.

5. Limitations

o Must be installed on the 1st or 2nd IDE drive.

o Limited by BIOS (uses BIOS to load kernel off of disk).

o Must re-run /sbin/lilo every time you change your configuration.

6. Fixing a corrupt MBR

Use lilo to fix:

/sbin/lilo

7. Uninstalling LILO
When LILO overwrites an existing boot sector, it saves a copy of
the original boot sector in /boot. The name of the original boot
sector will be boot.MMmm where 'MM' is the major device number
and 'mm' is the minor device number. So, the original boot sector
from /dev/hda will be /boot/boot.0300.

To restore the original boot sector, use the dd command:

dd if=/boot/boot.0300 of=/dev/hda bs=446 count=1

The original boot sector is actually 512 bytes in length, but the
remaining bytes after 446 are part of the partition table and we
don't want to overwrite that in case it's changed.
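The bs=446 caveat above is worth seeing in action. The script below is an added example written for these notes (it is not part of the original document or of LILO): it restores a saved boot sector's boot code onto a target while leaving bytes 446 through 511 (the partition table and the 0x55AA signature) alone, refuses saved copies that are not 512 bytes long, and keeps an undo copy of the target's current sector. It runs on ordinary files built for the demo, so it can be tried without touching a real disk; the file names and byte values are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: restore LILO's saved boot code
# (first 446 bytes) onto a target without touching the partition table.
# Boot sector layout assumed here: bytes 0-445 boot code, 446-509 the four
# partition table entries, 510-511 the 0x55AA signature.

# restore_boot_code SAVED TARGET
# Copies the first 446 bytes of SAVED over TARGET after a size check and
# after keeping a copy of TARGET's current first sector for undo.
restore_boot_code() {
    saved=$1
    target=$2
    size=$(wc -c < "$saved" | tr -d ' ')
    if [ "$size" -ne 512 ]; then
        echo "refusing: $saved is $size bytes, a saved boot sector is 512" >&2
        return 1
    fi
    # Undo copy of the current sector (boot code + partition table).
    dd if="$target" of="$target.sector.bak" bs=512 count=1 2>/dev/null || return 1
    # bs=446 count=1 stops before the partition table; conv=notrunc keeps
    # the rest of TARGET intact when TARGET is a regular file.
    dd if="$saved" of="$target" bs=446 count=1 conv=notrunc 2>/dev/null
}

# bytes_hex FILE OFFSET LENGTH -> lowercase hex of that byte range
bytes_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# fill FILE COUNT OCTAL_BYTE -> append COUNT copies of one byte value
fill() {
    head -c "$2" /dev/zero | tr '\000' "$3" >> "$1"
}

# Demo on constructed files: a saved sector of 0xAA boot code plus 0xBB
# partition bytes, and a "disk" filled with 0xCC.
demo_dir=$(mktemp -d)
: > "$demo_dir/boot.0300"
fill "$demo_dir/boot.0300" 446 '\252'    # 0xAA boot code
fill "$demo_dir/boot.0300" 66 '\273'     # 0xBB partition table + signature
: > "$demo_dir/disk"
fill "$demo_dir/disk" 1024 '\314'        # 0xCC everywhere
restore_boot_code "$demo_dir/boot.0300" "$demo_dir/disk"
echo "byte 445: $(bytes_hex "$demo_dir/disk" 445 1)  (from the saved copy)"
echo "byte 446: $(bytes_hex "$demo_dir/disk" 446 1)  (partition table, unchanged)"
rm -rf "$demo_dir"
```

On a real system the target would be the device (/dev/hda) and the saved copy /boot/boot.0300; the size check and the undo copy are the two things worth keeping when typing the dd line by hand.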

8. Initial RAM Disk

o Need: Allows necessary drivers to be loaded at boot time that aren't
compiled directly into the kernel.

o Creation: Use mkinitrd to create the initial RAM disk:

mkinitrd /boot/initrd-2.4.7-10 2.4.7-10

o Setup: Specify in /etc/lilo.conf file as shown above.

4.3 Grub
1. Features

o Command line interface available at boot prompt.

o Can boot from multiple file systems including ext2/3, Reiserfs, FAT, minix,
and FFS

o Password protection using MD5

o Changes to configuration file take effect immediately. Don't have to re-
install MBR.

2. Configuration File

o /boot/grub/grub.conf

Sample Configuration

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/hdb5
# initrd /initrd-version.img
#boot=/dev/hdb
# Default to first definition for booting
default=0
# Time in seconds to wait for user interaction
timeout=10
# Splash screen
splashimage=(hd1,0)/grub/splash.xpm.gz
# Password protection (the MD5 hash is elided here)
password --md5 $1$<salt>$<hash>

# First definition
title Red Hat Linux (2.4.17)
    root (hd1,0)
    kernel /vmlinuz-2.4.17 ro root=/dev/hdb5

# Second definition
title Red Hat Linux (2.4.17pre2-pk)
    root (hd1,0)
    kernel /vmlinuz-2.4.17pre2-pk ro root=/dev/hdb5

title Red Hat Linux (2.4.17pre2)
    root (hd1,0)
    kernel /vmlinuz-2.4.17pre2 ro root=/dev/hdb5

title Windows 98SE
    rootnoverify (hd0,0)
    makeactive
    chainloader +1

3. Boot Time arguments

In order to pass arguments to the image being booted, you must
enter menu editing mode, or enter the grub command line. If
GRUB has been password protected, you'll need to enter 'p'
followed by your password first.

To enter menu editing mode, select an entry and press 'e'. This
will allow you to modify an existing boot setup and pass options
to the kernel as well as init.

The GRUB command line allows you to create boot commands
that don't exist in your grub.conf file. You can also run diagnostic
tests and view the contents of files on your file systems.

4. Device Names according to Grub

o (fd0) - First floppy drive detected by BIOS

o (hd0) - First hard drive detected by BIOS (SCSI or IDE)

o (hd1,3) - Fourth partition on the 2nd hard drive detected by the BIOS

5. Fixing a corrupt MBR

Use grub-install to fix:

/sbin/grub-install /dev/hda

6. Multi-disk scenario

In this situation, we have a nameless OS installed on /dev/hda


and Linux installed on /dev/hdb. We need to setup grub to boot
both OSes. This involves installing the first stage of grub on the
MBR of /dev/hda and the second stage of grub on the /boot
partition of /dev/hdb. We will use the grub configuration file listed
above. This scenario assumes you either have a working system
or are running in rescue mode chroot'd to /mnt/sysimage.

o Launch a grub shell:

/sbin/grub

Note: The remaining steps will be performed from within the
"grub shell".

o Set the root device:

root (hd1,0)

o Specify where to install various boot stages:

install (hd1,0)/grub/stage1 d (hd0) (hd1,0)/grub/stage2 p (hd1,0)/grub/grub.conf

The above command line can be broken down as follows:

install <stage-1> d <install-disk> <stage-2> p <config file>


4.4 DOS Based
1. Loadlin - Capable of booting multiple OSes

2. Syslinux - Used by RH installation program.


5. Boot up

5.1 Steps
1. BIOS loads first stage boot loader from the first sector of available disks (floppy,
hard drive, cd-rom, etc.)

2. First stage boot loader then loads the second stage boot loader.

3. Second stage boot loader allows user to choose what kernel to boot.

4. Chosen kernel then booted and devices are initialized.

5. Kernel then executes init process.

6. Init starts services according to /etc/inittab:

o rc.sysinit - System initialization scripts

1. Mounts /proc.

2. Configures Kernel parameters (via sysctl)

3. Configures system clock.

4. Sets host name.

5. Initialize USB and HID devices.

6. Configure PnP.

7. Determines module dependencies.

8. Setup any RAID devices.

9. Performs file system checks if needed.


10. Mounts file systems.

11. Starts user quotas.

12. Enable process accounting.

13. Starts swap.

14. Initialize serial ports.

15. Dump boot messages to /var/log/dmesg

16. Much more....

o rc - Configures services based on runlevel

1. Stop services that begin with "K" in /etc/rcX.d where X is the
runlevel.

2. Start services that begin with "S" in /etc/rcX.d where X is the
runlevel.

o rc.local - Configures any system specific information (deprecated).

o Other, runlevel specific services started according to /etc/inittab.

1. mingetty (except for runlevel 1).

2. xdm (runlevel 5).

5.2 /etc/inittab
This file contains information needed by init to configure the system.
Entries in the file have a specific format:

id:runlevel:style:command to run

1. id - A 1-4 character field that creates a unique identifier for the entry.

2. runlevel - Specifies the runlevel(s) that the entry applies to.

3. style - Specifies how the command is executed.

o respawn - Process is restarted if it ever dies.

o wait - Process is started once when the specified runlevel is entered. Init
will wait for it to finish before proceeding.
o once - Process will be executed once when the specified runlevel is entered.

o boot - Process will be executed during system boot (runlevel field is
ignored).

o bootwait - Same as boot, except init will wait for it to complete before
continuing.

o initdefault - Specifies default run level (command field ignored).

o sysinit - Process executed during boot before any boot or bootwait entries.

o powerwait - Process executed when power goes down. Init waits for it to
complete.

o powerfail - Same as powerwait, except init doesn't wait for it to complete.

o powerokwait - Executed when power is restored. Init waits for it to
complete.

o powerfailnow - Executed when battery on UPS is almost dead.

o ctrlaltdel - Process executed when init receives SIGINT signal
(CTRL+ALT+DEL was pressed).

4. command - Specifies process to execute.
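The entry format and action list above can be checked mechanically. The script below is an added example for these notes, not code from the original document or from sysvinit: it validates inittab lines against the id:runlevel:style:command layout, accepts only the actions listed above (INITTAB_ACTIONS is that list, so extend it if your inittab uses another legitimate one), refuses an initdefault of 0 or 6 as the run level table warns, and reports the default runlevel of a file. The inittab it reads is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes: check /etc/inittab entries
# against the id:runlevels:action:command format described above.
# INITTAB_ACTIONS is the action list given in these notes.
INITTAB_ACTIONS="respawn wait once boot bootwait initdefault sysinit powerwait powerfail powerokwait powerfailnow ctrlaltdel"

# check_inittab_entry LINE -> prints "id action runlevels" and returns 0 when
# the entry is well formed; otherwise prints the reason on stderr, returns 1.
check_inittab_entry() {
    line=$1
    case $line in ''|'#'*) return 0 ;; esac     # blank lines and comments
    colons=$(printf '%s' "$line" | tr -cd ':' | wc -c | tr -d ' ')
    if [ "$colons" -lt 3 ]; then
        echo "malformed (need id:runlevels:action:command): $line" >&2
        return 1
    fi
    id=${line%%:*};      rest=${line#*:}
    levels=${rest%%:*};  rest=${rest#*:}
    action=${rest%%:*};  command=${rest#*:}   # command may itself contain ':'
    if [ ${#id} -lt 1 ] || [ ${#id} -gt 4 ]; then
        echo "id '$id' must be 1-4 characters" >&2
        return 1
    fi
    case " $INITTAB_ACTIONS " in
        *" $action "*) ;;
        *) echo "unknown action '$action' in entry '$id'" >&2; return 1 ;;
    esac
    # Runlevel field: digits 0-6 (or S/s for single user); empty is fine for
    # actions that ignore it, such as boot, bootwait and sysinit.
    case $levels in
        *[!0-6sS]*) echo "bad runlevel field '$levels' in entry '$id'" >&2; return 1 ;;
    esac
    case $action in
        initdefault)
            # The run level table warns against defaulting to 0 (halt) or 6 (reboot).
            case $levels in
                '')     echo "initdefault needs a runlevel" >&2; return 1 ;;
                *[06]*) echo "initdefault must not be runlevel 0 or 6" >&2; return 1 ;;
            esac ;;
        *)
            if [ -z "$command" ]; then
                echo "no command for $action entry '$id'" >&2
                return 1
            fi ;;
    esac
    printf '%s %s %s\n' "$id" "$action" "${levels:--}"
}

# default_runlevel FILE -> the runlevel of the initdefault entry
default_runlevel() {
    awk -F: '$1 !~ /^[[:space:]]*#/ && $3 == "initdefault" { print $2 }' "$1"
}

# check_inittab FILE -> runs every line through check_inittab_entry and
# returns 1 if any entry was rejected.
check_inittab() {
    status=0
    while IFS= read -r l; do
        check_inittab_entry "$l" >/dev/null || status=1
    done < "$1"
    return $status
}

# Demo on a constructed file.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed inittab for the demo
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l3:3:wait:/etc/rc.d/rc 3
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
x:5:respawn:/etc/X11/prefdm -nodaemon
EOF
check_inittab "$demo" && echo "all entries ok, default runlevel $(default_runlevel "$demo")"
rm -f "$demo"
```

Run it against /etc/inittab before "init q": a rejected line tells you what init would choke on, and a respawn entry with no command is the kind of mistake that otherwise only shows up as init complaining on the console.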

5.3 Viewing boot up information.


1. Boot information displayed during boot up is stored in /var/log/dmesg.

2. Use 'dmesg' command to view.

5.4 Run Levels


0 - Halt (Don't set default runlevel to this!)
1 - Single User mode
2 - Multi-user mode without NFS
3 - Full multi-user mode
4 - Unused
5 - X11 (with networking)
6 - Reboot (Don't set default runlevel to this!)

5.5 Default Run Levels


1. Workstation/Laptop = 5

2. Server = 3

3. Custom with X = 5

4. Custom w/o X = 3


6. Service Management

6.1 Types of services


1. System V services

o Managed by System V init scripts

o Scripts are stored in /etc/init.d

2. xinetd services

o Services started by the xinetd daemon.

o xinetd service control files located in /etc/xinetd.d

o Defaults for xinetd set in /etc/xinetd.conf

o xinetd itself is a System V service.

3. init services

o Configured in /etc/inittab.

o Provides respawn capability if service dies.

6.2 Management tools


1. System V services

o service - Start/Stop services (CLI).

Example: To restart Apache:


service httpd stop
service httpd start

or
service httpd restart

o chkconfig - Configure services by runlevel (CLI). Doesn't affect currently
running services. Defaults to runlevels 3, 4, and 5 if none specified.

To enable Apache on runlevels 3, 4, and 5:


chkconfig httpd on # If runlevels aren't specified, default is 345

To enable Apache only on runlevels 3 & 5:


chkconfig --level 35 httpd on

o ntsysv - Configure services by runlevel (TUI).

Default is to configure current run level. Use "--level" option
to specify a different runlevel.

o tksysv - Configure services by runlevel (GUI) (Deprecated).

2. xinetd services

o chkconfig - Configures running services. Takes effect immediately on
xinetd services.

To start vsftp:
chkconfig vsftp on

o Edit service configuration file in /etc/xinetd.d/ directly. To enable, specify
"disable = no". To disable, specify "disable = yes". After changing the file,
xinetd must either be given a USR2 signal so it re-reads its configuration
file, or be restarted:

killall -USR2 xinetd
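As an added example (not from the original notes or from xinetd), the following script edits the "disable" line of an xinetd service file and lists which services in a directory are enabled, which is a quick way to audit what xinetd will start. The service files are constructed; the reload step is the killall shown above and is not run here.

```shell
#!/bin/sh
# Added example, not from the original notes: flip the "disable" line of an
# /etc/xinetd.d service file and report which services a directory enables.
# The demo files are constructed; on a real host, point these at /etc/xinetd.d.

# xinetd_disable_value FILE -> "yes" or "no" (empty if the file has no line)
xinetd_disable_value() {
    awk -F= '$1 ~ /^[[:space:]]*disable[[:space:]]*$/ { v = $2; gsub(/[[:space:]]/, "", v); print v }' "$1" | tail -n 1
}

# xinetd_set_disable FILE yes|no -> rewrite the disable line in place,
# keeping indentation; add one before the closing brace if it is missing.
xinetd_set_disable() {
    file=$1
    value=$2
    case $value in yes|no) ;; *) echo "value must be yes or no" >&2; return 1 ;; esac
    tmp="$file.tmp.$$"
    awk -v v="$value" '
        /^[[:space:]]*disable[[:space:]]*=/ { sub(/=.*/, "= " v); seen = 1 }
        /^[[:space:]]*}/ && !seen        { print "\tdisable\t\t= " v; seen = 1 }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# xinetd_enabled_services DIR -> names of service files whose disable != yes
xinetd_enabled_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(xinetd_disable_value "$f")" = "yes" ] || basename "$f"
    done
}

# Demo: two constructed service files, then disable one and enable the other.
d=$(mktemp -d)
printf 'service telnet\n{\n\tsocket_type\t= stream\n\tserver\t\t= /usr/sbin/in.telnetd\n\tdisable\t\t= no\n}\n' > "$d/telnet"
printf 'service vsftpd\n{\n\tsocket_type\t= stream\n\tserver\t\t= /usr/sbin/vsftpd\n\tdisable\t\t= yes\n}\n' > "$d/vsftpd"
xinetd_set_disable "$d/telnet" yes     # turn off cleartext telnet
xinetd_set_disable "$d/vsftpd" no
echo "enabled: $(xinetd_enabled_services "$d" | tr '\n' ' ')"
# After editing real files, make xinetd re-read them (from the notes above):
#   killall -USR2 xinetd
rm -rf "$d"
```

A file with no "disable" line at all counts as enabled, which is why xinetd_enabled_services tests for "yes" rather than for "no".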

3. init services

The only way to modify init based services is to edit /etc/inittab.
After modifying the file, activate the changes by executing "init q".

7. User & Group Administration

7.1 Adding Users


1. useradd

o Command line interface

o If not specified, defaults in /etc/defaults/useradd and /etc/login.defs are
used.

o Defaults:

1. userid - lowest unused value >= UID_MIN in /etc/login.defs.

2. home directory - /home/<username>.

3. primary group - a group with the same name as the username.

4. shell - /bin/bash.

o Options:
o -u - userid
o -g - primary group
o -s - shell
o -d - home directory
o -c - comment (Commonly used to specify full name)
o -m - make the home directory if it doesn't already exist
o -M - don't create the user's home directory regardless of the defaults
o -G - a list of supplementary groups that the user will belong to (separate
with commas)
o -n - don't create a group with the same name as the user
o -r - create a system account (uid < UID_MIN in /etc/login.defs)
o -D - displays defaults if no other options are given
o -b - change default home (when used with -D)
o -g - change default group (when used with -D)
o -s - change default shell (when used with -D)
o Copies the contents of /etc/skel into user's home directory to setup the
default user environment.

o Can specify a password with useradd using the -p option, but recommend
using /usr/bin/passwd to set the user's password.

o Example - To add user "steve" using all of the defaults and set his
password, type:

useradd steve
passwd steve

o Login names can contain alphanumeric, -, and _. Maximum length is 256.

2. redhat-config-users

o GUI

o Uses same defaults as useradd.

o Can specify password.

7.2 Modifying Users


1. usermod

o Command line interface.

o Options: Similar as useradd above.

o Example - To change steve's shell to /bin/ksh, type:

usermod -s /bin/ksh steve

2. redhat-config-users

7.3 Deleting Users


1. userdel

o Command line interface.

o Options.

-r - removes the user's home directory and mail spool.


o Example - To remove user steve, his home directory, and his mail spool,
type:

userdel -r steve

2. redhat-config-users

7.4 Adding Groups


1. groupadd

o Command line interface

o If not specified, defaults in /etc/login.defs are used.

o Defaults:

1. groupid - lowest unused value >= GID_MIN in /etc/login.defs.

o Options:
o -g - groupid
o -r - create a system group (gid < GID_MIN in /etc/login.defs)
o -f - exit with an error if group already exists

o Example - To add a group called "jedi" using the defaults, type:

groupadd jedi

2. redhat-config-users

7.5 Modifying Groups


1. groupmod

o Command line interface

o Options:
o -g - new groupid
o -n - new group name

o Example - To change the name of group "jedi" to "Jedi", type:

groupmod -n Jedi jedi


2. redhat-config-users

7.6 Deleting Groups


1. groupdel

o Command line interface

o Options: None

o Example - To remove group "Jedi", type:

groupdel Jedi

2. redhat-config-users

7.7 User environment configuration


1. Global

o /etc/profile

1. System wide environment setup for Bourne type shells (ksh, sh,
bash, etc.)

2. Executed only for login shells.

3. Executes /etc/profile.d/*.sh

o /etc/bashrc

1. System wide functions and aliases for Bourne type shells (ksh, sh,
bash, etc.)

2. Executed for all shell invocations.

o /etc/csh.login

1. System wide environment setup for C type shells (csh, tcsh, etc.)

2. Executed only for login shells.

3. Executes /etc/profile.d/*.csh

o /etc/csh.cshrc
1. System wide functions and aliases for C type shells (csh, tcsh, etc.)

2. Executed for all shell invocations.

2. Per User

Each user's home directory may contain several environment
configuration files.

o .bashrc - Same as /etc/bashrc above.

o .bash_profile - same as /etc/profile above.

o .bash_logout - executed when the user logs out.

o .kde, .kderc - KDE configuration information.

o Desktop - GNOME configuration information.

o .xinitrc - Starts various X clients (not used in RH by default, see .Xclients
instead).

o .Xclients - Executes .Xclients-default

o .Xclients-default - Starts the specified window manager

3. /etc/skel

This directory contains all of the default setup files that get
copied to a users home directory when they are created.

7.8 User Private Groups


Red Hat uses the user private groups scheme. With this scheme, each
user has their own primary group in which they are the sole member.
This allows for a default umask of 002.

7.9 Shadow file


With traditional unix, user passwords were stored in the /etc/passwd file.
Because this file has to be world readable in order for the system to
function properly, it allowed everyone on the system to view the
encrypted version of everyone's password. The shadow file fixes this
problem. The user's encrypted password is now stored in the /etc/shadow
file which is only readable by root.

7.10 Communicating with users.


1. Determining who is Logged In

o users - Uses /var/run/utmp by default to determine who is logged in. Can
specify another file to use such as /var/log/wtmp.

o w - Uses /var/run/utmp to report who is logged in. Also displays if the user
is idle and the last command executed by the user.

o who - Uses /var/run/utmp by default to determine who is logged in. Can
specify another file to use such as /var/log/wtmp. Also shows the tty the
user is logged into, and the time he/she logged in.

2. User Related Commands

o tty - Displays the terminal that the tty command was executed on.

o wall - Sends a message to all users that are logged in locally.

o write - Creates a half-duplex communications with another user.

o mesg - Used to enable/disable incoming messages from other users. When
disabled, it prevents other users from using the "write" command to talk to
you.

7.11 User & Group Quotas


1. Overview

o Allow limitations to be set on the number of files and disk space used.

o Configured by user and/or group.

o ext2, ext3, and reiser file systems only (reiser supported as of RH 7.1).

o Kernel must be compiled with quota support (CONFIG_QUOTA=y).

o Enabled at boot time by rc.sysinit for any file system that has usrquota or
grpquota listed in its options field.

o Quota information maintained by kernel while system is running.


2. File System Configuration

o /etc/fstab

Must set usrquota/grpquota options in /etc/fstab. For
example, to enable user and group quotas on /home:

LABEL=/home /home ext3 defaults 1 2

should be changed to:

LABEL=/home /home ext3 defaults,usrquota,grpquota 1 2

o aquota.user & aquota.group

1. Exist in the root of each file system in which quotas are configured.

2. Store quota information.

3. Create with quotacheck:

quotacheck -vug /home

or

quotacheck -avug

to check all file systems that have quotas enabled in
/etc/fstab.

quotacheck checks the current quota information for all
users. It must be run to collect initial quota
information.

Options:
-a - scan all file systems with quotas enabled in /etc/fstab
-v - verbose
-g - scan for group quotas
-u - scan for user quotas
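The fstab change described above, as an added example that is not from the original notes: the script extends one mount point's options with usrquota,grpquota (without duplicating them if one is already present) and lists the mount points that rc.sysinit, "quotacheck -a" and "quotaon -a" would act on. The fstab it operates on is constructed, so it runs without root.

```shell
#!/bin/sh
# Added example, not from the original notes: add usrquota,grpquota to one
# mount point's options field in an fstab-style file, and list the mount
# points for which rc.sysinit would turn quotas on. The fstab here is
# constructed; on a real host the input is /etc/fstab.

# enable_quota_options FSTAB MOUNTPOINT -> the file with the options of
# MOUNTPOINT extended (written to stdout; comments and other lines untouched).
# Running it twice changes nothing, so it is safe to apply repeatedly.
enable_quota_options() {
    awk -v mp="$2" '
        /^[[:space:]]*#/ || NF < 4 { print; next }     # comments, blank lines
        $2 == mp {
            opts = $4
            if (opts !~ /(^|,)usrquota(,|$)/) opts = opts ",usrquota"
            if (opts !~ /(^|,)grpquota(,|$)/) opts = opts ",grpquota"
            $4 = opts                                # rebuilds the line, single spaces
        }
        { print }
    ' "$1"
}

# quota_mountpoints FSTAB -> mount points with usrquota or grpquota set,
# i.e. what "quotacheck -a" / "quotaon -a" would operate on.
quota_mountpoints() {
    awk '!/^[[:space:]]*#/ && NF >= 4 && $4 ~ /(^|,)(usrquota|grpquota)(,|$)/ { print $2 }' "$1"
}

# Demo on a constructed fstab.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed fstab for the demo
LABEL=/      /      ext3  defaults        1 1
LABEL=/home  /home  ext3  defaults        1 2
none         /proc  proc  defaults        0 0
EOF
enable_quota_options "$demo" /home > "$demo.new" && mv "$demo.new" "$demo"
echo "quota-enabled mount points: $(quota_mountpoints "$demo")"
cat "$demo"
rm -f "$demo"
```

Write the output to a temporary file and move it over /etc/fstab only after reading it back; the edited line still needs a remount (or a reboot) and a quotacheck run before quotaon will accept the file system.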

3. Modifying quotas

edquota is used to modify user and group quotas.

o Users
edquota -u steve

Displays quota information for user steve in a text editor for
editing. All file systems with quotas enabled are shown.
Inode and block information can be changed.
Inode and block information can be changed.

o Groups

edquota -g users

Same as above only for group users instead.

o Prototypes

Once a user's quota has been configured, he/she can be
used as a prototype for other users. For example, to use
steve's quotas as a prototype for other users, type:

edquota -p steve luke darth yoda

This will copy steve's quota settings to luke, darth and
yoda.

4. Enabling/Disabling Quotas

o To enable:

quotaon -ug /home

for a specific file system, or

quotaon -aug

for all file systems with quotas enabled in /etc/fstab

o To disable:

Same as quotaon, only use quotaoff instead.

5. Limits

o Soft

Maximum amount of space or files user/group can use.

o Hard
Only used if grace periods are in effect, otherwise they are
ignored and soft limits are used to enforce file system
limits.

o Grace Periods

If used, users may exceed their soft limits up to their hard
limits for a period of days specified by the grace period.
After the grace period expires, the user can no longer
exceed their soft limit.

Grace periods are set using edquota -t.

6. Reporting

To report quota information, use repquota:


repquota -a
repquota -u /
repquota -u steve

The first line shows quota information for all users and groups for all file systems.
The second line shows user quota information for the / file system. The third line
shows quota information for user steve on all file systems.

7. Quota Conversion

Changes were made to quotas in RH 7.1. To convert older quotas
from pre RH 7.1, use convertquota:

convertquota -ug /home

Converts old quotas in the /home file system to the new quotas.
Note that the old quotas used quota.user and quota.group instead
of aquota.user and aquota.group.

8. Quotas over NFS

Since NFS maps remote users to local users, set the quotas on the
local users that you plan to map the remote users to.


8. Network Administration
8.1 Utilities
1. ifconfig

ifconfig is used to configure network interfaces.

Example:

ifconfig eth0 192.168.1.10 netmask 255.255.255.0 up

This configures interface eth0 with an IP of
192.168.1.10/255.255.255.0. Note that "up" is assumed if left off.
A default network mask will also be determined by the IP if it is
not specified.

2. route

route is used configure routing information.

Example:
route add -net 10.20.30.40 netmask 255.255.255.248 eth0
route add -net 10.20.30.48 netmask 255.255.255.248 gw 10.20.30.41

The first line states that the route to network


10.20.30.40/255.255.255.248 is through our local interface eth0.
The second line states that the route to network
10.20.30.48/255.255.255.248 is through gateway 10.20.30.41

3. arp

arp is used to administer the arp cache. It can view, add, and
delete entries in the cache.

o View arp cache:

arp

This will display something like:


Address        HWtype  HWaddress          Flags Mask  Iface
192.168.1.1    ether   00:60:08:27:CE:A2  C           eth0
192.168.1.12   ether   00:80:5F:01:74:13  C           eth0
192.168.1.15   ether   00:60:08:27:CE:B2  CM          eth0
192.168.1.20   ether   00:A0:CC:25:9F:4C  C           eth0

The "C" flag means it's a complete entry. The "M" flag
indicates it's an entry added manually and it is permanent.

o Add an entry:

arp -s 192.168.33.15 00:60:08:27:CE:B2

o Delete an entry:

arp -d 192.168.33.15

4. ping

ping is used to troubleshoot network/host connectivity. It uses
ICMP echo request and echo reply to test the connectivity. If a
host doesn't respond, it could be for any number of reasons:

o The remote host is down.

o The remote host is filtering ICMP packets.

o Some point in the network in-between the two hosts is down.

o A device in-between the two hosts is filtering ICMP packets.

Examples:
ping 192.168.1.12
ping -b 192.168.1.0

The first line pings a single host, 192.168.1.12. The second line performs a
broadcast ping to all hosts on the 192.168.1.0 network.

5. traceroute

traceroute is also used to test network/host connectivity.
However, it displays each hop along the way from the source to
the destination. It can help you determine if the problem is with
the remote host itself, or some point in-between the hosts.

Example:

traceroute 192.168.10.100
This will print a line for each hop in-between the local and remote
host (192.168.10.100) as well as a line for the final destination up
to a maximum of 30 hops.

6. netstat

netstat provides a lot of useful information, including:

o Routing tables.

o Interface statistics (dropped packets, buffer overruns, etc.)

o Network connections.

o Multicast memberships.

Examples:
netstat -i # Display interface statistics
netstat -lpe # Display all listening sockets and the programs that own them
netstat -r # Display routing information
netstat -ape # Show all listening and non-listening sockets

7. netconfig

o TUI based.

o Used to configure network interface.

o Used by text based installation methods.

8. redhat-config-network

This is a GUI administration tool that allows you to configure
several aspects of your networking: interfaces, boot protocols,
host resolution, routing, and more.

9. ifup / ifdown

These shell script wrappers allow you to bring an interface up and
take it down. They use the configuration information in the
/etc/sysconfig directory to configure the interface specified.

For example, to bring up interface eth0, simply type:

ifup eth0

8.2 Configuring Interfaces
1. Configuration files

The configuration files for network interfaces all reside in
/etc/sysconfig. For a complete description of these configuration
files, see /usr/share/doc/initscripts-X.XX/sysconfig.txt where X.XX is the
version of initscripts that you have installed.

o network

Options:
NETWORKING=yes
HOSTNAME=localhost.localdomain

The first option enables networking, and the second sets the host name. A
default gateway can also be specified here using the "GATEWAY=" option,
but it is usually specified in the "ifcfg-<device>" scripts for devices now.

o network-scripts/ifcfg-<device>

This contains the configuration options for a single
interface.

1. For a device that uses DHCP, it may look like:

DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes                  # Start at boot up?
IPXPRIMARY_802_2="no"
IPXACTIVE_802_2="no"
IPXPRIMARY_802_3="no"
IPXACTIVE_802_3="no"
IPXPRIMARY_ETHERII="no"
IPXACTIVE_ETHERII="no"
IPXPRIMARY_SNAP="no"
IPXACTIVE_SNAP="no"
TYPE=Ethernet
USERCTL=no                  # Allow users to control this interface?
NETWORK=192.168.33.0
BROADCAST=192.168.33.255
PEERDNS=no                  # Should we modify /etc/resolv.conf if using DHCP or BOOTP?

Most of the items above should be self explanatory. The only
required options for a client using DHCP are "DEVICE" and
"BOOTPROTO".

2. For a device using a statically assigned IP, it will look similar to
this:

DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes                  # Start at boot up?
IPXPRIMARY_802_2="no"
IPXACTIVE_802_2="no"
IPXPRIMARY_802_3="no"
IPXACTIVE_802_3="no"
IPXPRIMARY_ETHERII="no"
IPXACTIVE_ETHERII="no"
IPXPRIMARY_SNAP="no"
IPXACTIVE_SNAP="no"
TYPE=Ethernet
USERCTL=no                  # Allow users to control this interface?
NETWORK=192.168.33.0
BROADCAST=192.168.33.255
PEERDNS=no                  # Should we modify /etc/resolv.conf if using msdns?
IPADDR=192.168.33.50
GATEWAY=192.168.33.1        # Default Gateway
NETMASK=255.255.255.0

The only required options are "DEVICE" and "IPADDR". Most of
the other options can be derived from the IPADDR if your network
is configured based on network classes. If you aren't subnetting on
an octet, a netmask is required.
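As an added example that is not from the original notes or from the initscripts package, the script below reads an ifcfg-<device> file without sourcing it and applies the requirements just stated: DEVICE and BOOTPROTO for DHCP, DEVICE and IPADDR for a static address, and NETMASK unless a classful default can be derived from IPADDR. Treating a missing BOOTPROTO as static is an assumption of the example, as is limiting BOOTPROTO to the two values shown above; the ifcfg files are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: read an ifcfg-<device> file
# without sourcing it and check the required options named above
# (DEVICE and BOOTPROTO for DHCP, DEVICE and IPADDR for a static address,
# NETMASK unless a classful default applies). Files below are constructed.

# ifcfg_get FILE KEY -> value with surrounding quotes and trailing comment removed
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 \
        | sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/; s/[[:space:]]*$//'
}

# classful_netmask IP -> the class A/B/C mask the notes say can be derived;
# fails for class D/E or a malformed address.
classful_netmask() {
    first=${1%%.*}
    case $first in ''|*[!0-9]*) return 1 ;; esac
    if   [ "$first" -lt 128 ]; then echo 255.0.0.0
    elif [ "$first" -lt 192 ]; then echo 255.255.0.0
    elif [ "$first" -lt 224 ]; then echo 255.255.255.0
    else return 1
    fi
}

# check_ifcfg FILE -> "ok <device> <bootproto>" on success; reasons on stderr
# and return 1 otherwise. A missing BOOTPROTO is treated as static (assumption).
check_ifcfg() {
    file=$1
    device=$(ifcfg_get "$file" DEVICE)
    proto=$(ifcfg_get "$file" BOOTPROTO)
    if [ -z "$device" ]; then
        echo "$file: DEVICE is required" >&2
        return 1
    fi
    case $proto in
        dhcp) ;;                       # DEVICE and BOOTPROTO are enough
        static|'')
            proto=static
            ip=$(ifcfg_get "$file" IPADDR)
            if [ -z "$ip" ]; then
                echo "$file: IPADDR is required for a static address on $device" >&2
                return 1
            fi
            if [ -z "$(ifcfg_get "$file" NETMASK)" ]; then
                mask=$(classful_netmask "$ip") || {
                    echo "$file: NETMASK is required, no classful default for $ip" >&2
                    return 1
                }
                echo "NETMASK not set; classful default for $ip is $mask"
            fi ;;
        *)  echo "$file: unknown BOOTPROTO '$proto'" >&2; return 1 ;;
    esac
    # Worth flagging on a multi-user host: USERCTL=yes lets any user ifup/ifdown it.
    if [ "$(ifcfg_get "$file" USERCTL)" = "yes" ]; then
        echo "note: USERCTL=yes lets non-root users control $device"
    fi
    echo "ok $device $proto"
}

# Demo with the static example from the notes, written to a temporary file.
demo=$(mktemp)
printf '%s\n' 'DEVICE=eth0' 'BOOTPROTO=static' 'ONBOOT=yes # Start at boot up?' \
    'USERCTL=no' 'IPADDR=192.168.33.50' 'GATEWAY=192.168.33.1 # Default Gateway' \
    'NETMASK=255.255.255.0' > "$demo"
check_ifcfg "$demo"
rm -f "$demo"
```

Parsing with sed instead of sourcing matters because ifcfg files are shell syntax: sourcing one that a non-root user can edit (USERCTL=yes is exactly that case) would run whatever it contains.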

2. Manual Configuration

One way to configure an interface is to edit the above files
directly with a text editor. After you are done editing them,
execute an "ifdown" followed by an "ifup". This should reset your
interfaces to the new values you've specified.

3. GUI Configuration

You can also use the "redhat-config-network" tool to configure
your interfaces.

8.3 Configuring Routes


1. Configuration files

The configuration files for routing are also located under
/etc/sysconfig.

o static-routes

This file contains static routing information that should be
added to the routing tables when interfaces are brought up.
It has the following format:

<device> host|net <arguments to route command>

For example:

eth0 net 10.20.30.0 netmask 255.0.0.0 gw 192.168.1.50

Adds a route to network 10.20.30.0/255.0.0.0 using the
gateway at 192.168.1.50 to device eth0.

o network-scripts/ifcfg-<device>

For devices with static IPs, this file is typically used to
specify the default gateway for the device (see Interface
Configuration above).

2. Manual Configuration

Same as "Interface Manual Configuration" above.

3. GUI Configuration

Same as "Interface GUI Configuration" above.

8.4 Host Resolution


1. DNS

Host names can be resolved using DNS or through a local lookup
file /etc/hosts. By default, /etc/hosts is consulted before performing a
DNS lookup. However, the resolution order can be changed by
modifying /etc/nsswitch.conf.

o /etc/hosts format:

IP address  Host Name  Aliases

Example:
127.0.0.1 localhost
192.168.1.1 gateway.somedomain.com gateway gate gw
192.168.1.20 somehost.somedomain.com somehost some
192.168.1.25 otherhost.somedomain.com otherhost

o /etc/resolv.conf

This contains the IP addresses of up to 3 DNS servers that
will be consulted when trying to perform host name
lookups.

Format:
nameserver 192.168.1.2
nameserver 192.168.1.3
domain somedomain.com
search somedomain.com otherdomain.com

The "domain" option specifies the local domain. If a host lookup is
performed and a FQDN isn't specified, this domain is appended to the host
name to create the FQDN. The "search" option specifies the order in
which the domains should be queried if a host lookup is requested without
specifying a FQDN. The "domain" and "search" options are mutually
exclusive. If both are specified, the last one given is used.
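The hosts-before-DNS order and the last-one-wins rule for domain/search, as an added example that is not from the original notes: the script looks a name up in an /etc/hosts style file (matching canonical names and aliases), computes the effective search list from a resolv.conf, and shows which fully qualified names would be sent to the DNS servers for an unqualified name. No DNS query is made, and both files are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: the lookup order described
# above (/etc/hosts first, then DNS with the resolv.conf search list) on
# constructed copies of both files. No DNS query is sent; the DNS step only
# shows which names would be tried, in order.

# hosts_lookup NAME HOSTSFILE -> IP whose canonical name or alias is NAME
hosts_lookup() {
    awk -v n="$1" '
        { sub(/#.*/, "") }                     # drop comments
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$2"
}

# resolv_search_list RESOLVFILE -> effective search domains. "domain" and
# "search" override each other, so the last one in the file wins.
resolv_search_list() {
    awk '
        $1 == "domain" { list = $2 }
        $1 == "search" { list = $2; for (i = 3; i <= NF; i++) list = list " " $i }
        END { print list }
    ' "$1"
}

# qualify_name NAME RESOLVFILE -> the FQDNs the resolver would try, one per
# line; a name that already contains a dot is used as given.
qualify_name() {
    case $1 in
        *.*) echo "$1" ;;
        *)   for d in $(resolv_search_list "$2"); do echo "$1.$d"; done ;;
    esac
}

# resolve NAME HOSTSFILE RESOLVFILE -> "<ip> (hosts)" when /etc/hosts has it,
# otherwise "dns: <candidate list>" (and status 1) to show what would be
# sent to the name servers.
resolve() {
    ip=$(hosts_lookup "$1" "$2")
    if [ -n "$ip" ]; then
        echo "$ip (hosts)"
        return 0
    fi
    echo "dns: $(qualify_name "$1" "$3" | tr '\n' ' ')"
    return 1
}

# Demo with constructed files mirroring the examples in the notes.
h=$(mktemp); r=$(mktemp)
cat > "$h" <<'EOF'
127.0.0.1    localhost
192.168.1.1  gateway.somedomain.com gateway gate gw
192.168.1.20 somehost.somedomain.com somehost some
EOF
cat > "$r" <<'EOF'
nameserver 192.168.1.2
nameserver 192.168.1.3
domain somedomain.com
search somedomain.com otherdomain.com
EOF
resolve gw "$h" "$r"
resolve otherhost "$h" "$r" || true
rm -f "$h" "$r"
```

The candidate list is the part to look at when an unqualified name resolves to a surprising host: every domain on the search line is tried in order, so a stale entry early in that list answers before the intended one.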

2. NIS

COMPLETE ME!

3. LDAP
COMPLETE ME!


9. Other System Administration

9.1 Date/Time
1. redhat-config-time

o a.k.a redhat-config-date, dateconfig

o GUI based.

o Set system time/date.

o Select timezone.

o Enable Network Time Protocol (NTP).

o Set whether hardware clock is set to UTC.

2. timeconfig

o TUI based.

o Select timezone.

o Set whether hardware clock is set to UTC.

3. date

o CLI based.

o Set system date/time.

4. hwclock

o Used to query/set hardware clock.

o Can sync the hardware clock to the system clock and vice-versa.

o Hardware clock used at boot up to set system clock, then never used again
during normal operation.

o Hardware clock is synced to the system clock at shutdown.


9.2 Keyboard
1. kbdconfig

o TUI based.

o Sets the default keyboard map.

o Value stored in /etc/sysconfig/keyboard (KEYTABLE="us").

2. kbdrate

Sets keyboard repeat rate and delay:

kbdrate -r30 -d0

Sets the repeat rate to 30 characters per second (the max) and a
repeat delay of 250 ms (lowest possible).

9.3 Mouse
1. mouseconfig

o Configures file links and modifies configuration files necessary to use a
mouse.

o TUI or CLI

o Modifies X Configuration file

o CLI Options:
o --modifyx # Modify X configuration file
o --device <dev> # Specify device to use for mouse
o --noprobe # No automatic probing is done
o --emulthree # Enable 3 button emulation
o --kickstart # Forces mouseconfig to run in non-interactive mode and
  # probe for as much information about the mouse as possible

2. Xconfigurator

See section on X for more information.

9.4 Sound
1. sndconfig

o TUI based.

o Options:
o --noprobe # Prevent probing of PnP cards
o --noautoconfig # Allow user to choose settings for card

9.5 RH System configuration files


RH stores many sys config files under /etc/sysconfig:

Note: The following is taken from the sysconfig.txt file provided in Red
Hat's initscripts (version 6.40) package. Obsolete options have been
removed.

/etc/sysconfig/authconfig

used by authconfig to store information about the system's user
information and authentication setup; changes made to this file
have no effect until the next time authconfig is run

USEHESIOD=no
Whether or not the hesiod naming service is in use. If not set,
authconfig examines the passwd setting in /etc/nsswitch.conf.
USELDAP=no
Whether or not LDAP is used as a naming service. If not set,
authconfig examines the passwd setting in /etc/nsswitch.conf.
USENIS=no
Whether or not NIS is in use. If not set, authconfig examines
the passwd setting in /etc/nsswitch.conf.

USEKERBEROS=no
Whether or not Kerberos is in use. If not set, authconfig examines
the settings in /etc/pam.d/system-auth.
USELDAPAUTH=no
Whether or not LDAP is being used for authentication. If not set,
authconfig examines the settings in /etc/pam.d/system-auth. Note
that this option is separate from USELDAP, and that neither implies
the other.
USEMD5=no
Whether or not MD5-based hashing should be used when setting passwords.
If not set, authconfig examines the settings in /etc/pam.d/system-auth.
This option affects authentication using both local files and LDAP.
USESHADOW=no
Whether or not shadow passwords are in use. If not set, authconfig
checks for the existence of /etc/shadow.
USESMBAUTH=no
Whether or not SMB authentication is in use. If not set, authconfig
examines the settings in /etc/pam.d/system-auth.
/etc/sysconfig/autofsck
does not normally exist; if it does, it can influence a choice
whether or not to fsck after a crash

AUTOFSCK_TIMEOUT=5
Number of seconds to wait for console user to make a choice
AUTOFSCK_DEF_CHECK=no
If the user does not respond, choose whether or not to fsck
/etc/sysconfig/clock:
UTC=true indicates that the clock is set to UTC; anything
else indicates that it is set to local time
ARC=true on alpha only indicates the ARC console's
42-year time offset is in effect; otherwise the normal
Unix epoch is assumed
ZONE="filename" indicates the zone file under /usr/share/zoneinfo
that /etc/localtime is a copy of, for example:
ZONE="US/Eastern"
/etc/sysconfig/desktop:
DESKTOP=GNOME|KDE|AnotherLevel
This determines the display manager started by /etc/X11/prefdm
/etc/sysconfig/init:
BOOTUP=<some boot up mode>
BOOTUP=color means new (as of RH6.0) boot display.
BOOTUP=verbose means old style display
Anything else means new display, but without ANSI-formatting
LOGLEVEL=<a number>
Sets the initial console logging level for the kernel.
The default is 7. 8 means everything (including debugging);
1 means nothing except kernel panics. syslogd will override
this once it starts.
RES_COL=<a number>
Column of the screen to start status labels at. Defaults to 60
MOVE_TO_COL=<a command>
A command to move the cursor to $RES_COL. Defaults to nasty
ANSI sequences output by echo -e.
SETCOLOR_SUCCESS=<a command>
A command to set the color to a color indicating success.
Defaults to nasty ANSI sequences output by echo -e setting
the color to green.
SETCOLOR_FAILURE=<a command>
A command to set the color to a color indicating failure.
Defaults to nasty ANSI sequences output by echo -e setting
the color to red.
SETCOLOR_WARNING=<a command>
A command to set the color to a color indicating warning.
Defaults to nasty ANSI sequences output by echo -e setting
the color to yellow.
SETCOLOR_NORMAL=<a command>
A command to set the color to 'normal'. Defaults to nasty
ANSI sequences output by echo -e.
PROMPT=yes|no
Set to 'no' to disable the key check for interactive mode.
/etc/sysconfig/keyboard:
KEYTABLE=<keytable file>
for example: KEYTABLE="/usr/lib/kbd/keytables/us.map"

If you dump a keymap (using 'dumpkeys') to
/etc/sysconfig/console/default.kmap
it will be loaded on bootup before file systems are mounted/checked.
This could be useful if you need to emergency type the root password.
This has to be a dumped keymap, as opposed to copying the shipped
keymap files, as the shipped files include other maps from the
/usr/lib/kbd/keytables directory.

KEYBOARDTYPE=sun|pc
on SPARC only, sun means a sun keyboard is attached on /dev/kbd,
pc means a PS/2 keyboard is on ps/2 port.
/etc/sysconfig/mouse:
MOUSETYPE=microsoft|mouseman|mousesystems|ps/2|msbm|logibm|atibm|
logitech|mmseries|mmhittab
XEMU3=yes|no (emulate three buttons with two buttons whenever
necessary, most notably in X)
DEVICE=<a device node> (the device of the mouse)

In addition, /dev/mouse points to the mouse device.


/etc/sysconfig/network:
NETWORKING=yes|no
HOSTNAME=<fqdn by default, but whatever hostname you want>
GATEWAY=<gateway IP>
GATEWAYDEV=<gateway device> (e.g. eth0)
NISDOMAIN=<nis domain name>
IPX=yes|no
IPXAUTOPRIMARY=on|off (note, that MUST be on|off, not yes|no)
IPXAUTOFRAME=on|off (again, not yes|no)
IPXINTERNALNETNUM=<netnum>
IPXINTERNALNODENUM=<nodenum>

NETWORKING_IPV6=yes|no
Enable or disable global IPv6 initialization
IPV6FORWARDING=yes|no
Enable or disable global forwarding of incoming IPv6 packets
on all interfaces.
Note: Actual packet forwarding cannot be controlled per-device.
IPV6INIT=yes|no
Enable or disable IPv6 configuration for all interfaces.
Use with caution!

IPV6_AUTOCONF=yes|no
Sets the default for device-based autoconfiguration.
Default: yes if IPV6FORWARDING=no, no if IPV6FORWARDING=yes
IPV6_ROUTER=yes|no
Sets the default for device-based Host/Router behaviour.
Default: yes if IPV6FORWARDING=yes, no if IPV6FORWARDING=no
IPV6_AUTOTUNNEL=yes|no
Controls automatic IPv6 tunneling.

IPV6_TUNNELMODE=IP|NBMA [OPTIONAL: IP by default]
Mode of tunnel setup
IP: separate tunnel device mode (now recommended)
NBMA: NBMA-styled tunnel mode (now mostly obsolete)
All IPv6 options can be overridden in interface-specific configuration.

All the IPX stuff is optional, and should default to off.


/etc/sysconfig/static-routes:
Contains lines of the form:

<device> host|net <arguments to route command>

<device> may be a device name to have the route brought up and
down with the device, or "any" to have the correct devices calculated
at run time.

For example:

eth0 host 192.168.2.2 eth0

adds a host route through eth0 to 192.168.2.2, while

any net 192.168.2.0 netmask 255.255.255.0 ppp0

adds a network route to the 192.168.2.0 network through ppp0.


/etc/sysconfig/static-routes-ipv6:
Contains lines of the form:

<device> ipv6network ipv6gateway
<tunneldevice> ipv6network

<device> must be a device name to have the route brought up and
down with the device

For example:

eth0 fec0:0:0:2::/64 fec0:0:0:1:0:0:0:20
adds a route for IPv6 network fec0:0:0:2::/64 through fec0:0:0:1:0:0:0:20

eth0 2000::/3 3ffe:400:100:f101::1
eth0 3ffe::/16 3ffe:400:100:f101::1
so-called "default" route for clients

sit1 2000::/3
sit1 3ffe::/16
adds routes through virtual tunnel sit1
/etc/sysconfig/routed:
SILENT=yes|no
EXPORT_GATEWAY=yes|no
/etc/sysconfig/rawdevices:
This is used for setting up raw device to block device mappings.
It has the format:
<rawdev> <major> <minor>
<rawdev> <blockdev>
For example:
/dev/raw/raw1 /dev/sda1
/dev/raw/raw2 8 5
/etc/sysconfig/pcmcia:
PCMCIA=yes|no
PCIC=i82365|tcic
PCIC_OPTS=<socket driver (i82365 or tcic) timing parameters>
CORE_OPTS=<pcmcia_core options>
CARDMGR_OPTS=<cardmgr options>
/etc/sysconfig/amd:
ADIR=/.automount (normally never changed)
MOUNTPTS='/net /etc/amd.conf' (standard automount stuff)
AMDOPTS= (extra options for AMD)
/etc/sysconfig/tape:
DEV=/dev/nst0
Tape device. Use the non-rewinding one for these scripts.

For SCSI tapes this is /dev/nst#, where # is the number of the
tape drive you want to use. If you only have one then use
nst0.

For IDE tapes you use /dev/ht#, where # is the number of the tape
drive you want to use (usually ht0).

For floppy tape drives use /dev/ftape.

ADMIN=root
Person to mail to if the backup fails for any reason

SLEEP=5
Time to sleep between tape operations. Some drives need a bit
more than others, but 5 seems to work for 8mm, 4mm, and DLT

BLOCKSIZE=32768
This worked fine for 8mm, then 4mm, and now DLT. An optimal
setting is probably however much data your drive writes at one
time.

SHORTDATE=$(date +%y:%m:%d:%H:%M)
A short date string, used in backup log filenames.

DAY=$(date +log-%y:%m:%d)
This is used for the log file directory.

DATE=$(date)
Regular date string, used in log files.

LOGROOT=/var/log/backup
Root of the logging directory

LIST=$LOGROOT/incremental-list
This is the file name the incremental backup will use to store
the incremental list. It will be $LIST-{some number}.

DOTCOUNT=$LOGROOT/.count
For counting as you go to know which incremental list to use

COUNTER=$LOGROOT/counter-file
For rewinding when done...might not use.

BACKUPTAB=/etc/backuptab
The file in which we keep our list of backup(s) we want to make.
/etc/sysconfig/sendmail:
DAEMON=yes|no
yes implies -bd (i.e., listen on port 25 for new mail)
QUEUE=1h
given to sendmail as -q$QUEUE
-q option is not given to sendmail if /etc/sysconfig/sendmail
exists and QUEUE is empty or undefined.
/etc/sysconfig/i18n
LANG= set locale for all categories, can be any two letter ISO
language code
LC_CTYPE= localedata configuration for classification and conversion
of characters
LC_COLLATE= localedata configuration for collation (sort order) of
strings
LC_MESSAGES= localedata configuration for translation of yes and no
messages
LC_NUMERIC= localedata configuration for non-monetary numeric data
LC_MONETARY= localedata configuration for monetary data
LC_TIME= localedata configuration for date and time
LC_ALL= localedata configuration overriding all of the above
LANGUAGE= can be a : separated list of ISO language codes
LINGUAS= can be a ' ' separated list of ISO language codes

The above variables are used in /etc/profile.d/lang.sh.

SYSFONT= any font that is legal when used as
/usr/bin/consolechars -f $SYSFONT ...
(See console-tools package for consolechars command)

UNIMAP= any SFM (screen font map, formerly called Unicode mapping
table - see consolechars(8))
/usr/bin/consolechars -f $SYSFONT --sfm $UNIMAP

SYSFONTACM= any ACM (application charset map - see consolechars(8))


/usr/bin/consolechars -f $SYSFONT --acm $SYSFONTACM

The above is used by the /sbin/setsysfont command (which is run
by rc.sysinit at boot time.)
/etc/sysconfig/harddisks

/etc/sysconfig/harddiskhd[a-h] (for specific devices)

These options are used to tune (E)IDE hard drives -
read the hdparm man page for more information

USE_DMA=1
Set this to 1 to enable DMA. This might cause some
data corruption on certain chipset / hard drive
combinations. USE WITH CAUTION AND BACKUP.
This is used with the "-d" option

MULTIPLE_IO=16
Multiple sector I/O. a feature of most modern IDE hard drives,
permitting the transfer of multiple sectors per I/O interrupt,
rather than the usual one sector per interrupt. When this feature
is enabled, it typically reduces operating system overhead for disk
I/O by 30-50%. On many systems, it also provides increased data
throughput of anywhere from 5% to 50%. Some drives, however (most
notably the WD Caviar series), seem to run slower with multiple mode
enabled. Under rare circumstances, such failures can result in
massive filesystem corruption. USE WITH CAUTION AND BACKUP.
This is the sector count for multiple sector I/O - the "-m" option

EIDE_32BIT=3
(E)IDE 32-bit I/O support (to interface card). USE WITH CAUTION.

LOOKAHEAD=1
Enable drive read-lookahead (safe)

EXTRA_PARAMS=<anything>
Add any extra parameters you want to pass to hdparm here.
/etc/sysconfig/network-scripts/ifup:

/etc/sysconfig/network-scripts/ifdown:

Symlinks to /sbin/ifup and /sbin/ifdown, respectively.


These are the only two scripts "in" this directory that should
be called directly; these two scripts call all the other
scripts as needed. These symlinks are here for legacy purposes
only -- they will probably be removed in future versions, so
only /sbin/ifup and /sbin/ifdown should currently be used.

These scripts take one argument normally: the name of the device
(e.g. eth0). They are called with a second argument of "boot"
during the boot sequence so that devices that are not meant to
be brought up on boot (ONBOOT=no, see below) can be ignored at
that time.
/etc/sysconfig/network-scripts/init.ipv6-global:
Not really a public file. Contains different basic settings that
are set from /etc/rc.d/init.d/network at different stages of
network initialization.
/etc/sysconfig/network-scripts/network-functions:
Not really a public file. Contains functions which the scripts use
for bringing interfaces up and down. In particular, it contains
most of the code for handling alternative interface configurations
and interface change notification through netreport.
/etc/sysconfig/network-scripts/network-functions-ipv6:
Not really a public file. Contains functions which the scripts use
for bringing IPv6 on interfaces up and down, like addresses, routes,
forwarding handling and static or automatic tunneling.
/etc/sysconfig/network-scripts/ifcfg-<interface-name> and
/etc/sysconfig/network-scripts/ifcfg-<interface-name>:<alias-name>:

The first defines an interface, and the second contains
only the parts of the definition that are different in an
"alias" (or alternative) interface. For example, the
network numbers might be different, but everything else
might be the same, so only the network numbers would be
in the alias file, but all the device information would
be in the base ifcfg file.

The items that can be defined in an ifcfg file depend on the
interface type. The really obvious ones I'm not going to
bother to define; you can figure out what "IPADDR" is, I
think... :-)

Base items:
NAME=<friendly name for users to see>
Most important for PPP. Only used in front ends.
DEVICE=<name of physical device (except dynamically-allocated PPP
devices where it is the "logical name")>
IPADDR=
NETMASK=
GATEWAY=
ONBOOT=yes|no
USERCTL=yes|no
BOOTPROTO=none|bootp|dhcp
MTU=
PEERDNS=yes|no
modify /etc/resolv.conf if peer uses msdns extension (PPP only) or
DNS{1,2} are set, or if using pump or dhcpcd. default to "yes".
DNS{1,2}=<ipaddress>
provide DNS addresses that are dropped into the resolv.conf
file if PEERDNS is not set to "no".
FIREWALL_MODS=yes|no
modify firewall to attempt to allow DNS through. Defaults to 'yes'.

If BOOTPROTO is not "none", then the only other item that
must be set is the DEVICE item; all the rest will be determined
by the boot protocol. No "dummy" entries need to be created.

Base items being deprecated:
NETWORK=<will be calculated automatically with ifcalc>
BROADCAST=<will be calculated automatically with ifcalc>

IPv6-only items for real interfaces:
IPV6INIT=yes|no
Enable or disable IPv6 configuration for this interface
IPV6FORWARDING=yes|no
Enable or disable global forwarding of incoming IPv6 packets
Note! Obsolete in interface specification.
IPV6ADDR=<ipv6address>/<prefixlength>
specify primary static IPv6 address here
Example:
IPV6ADDR="3ffe:400:100:f101::1/64"
IPV6ADDR_SECONDARIES=<list of ipv6 addresses>
a list of secondary IPv6 addresses (perhaps useful for virtual hosting)
Example:
IPV6ADDR_SECONDARIES="3ffe:400:100:f101::10/64 3ffe:400:100:f101::11/64"
IPV6_MTU="<MTU of link>" [optional]
Note: Must be greater or equal to 1280.
Optional, dedicated MTU of this link
Example:
IPV6_MTU="1280"

Special configuration options for multi-homed hosts etc.
IPV6_ROUTER=yes|no: controls IPv6 autoconfiguration
IPV6_AUTOCONF=yes|no: controls IPv6 autoconfiguration
defaults:
global IPV6FORWARDING=yes: IPV6_AUTOCONF=no, IPV6_ROUTER=yes
global IPV6FORWARDING=no: IPV6_AUTOCONF=yes

Optional settings for a 6to4 tunnel
IPV6TO4INIT=yes|no
Enable or disable 6to4 tunneling setup
IPV6TO4_RELAY=<ipv4address>
IPv4 address of the remote 6to4 relay
IPV6TO4_IPV4ADDR=<ipv6address> [OPTIONAL]
overwrite local IPv4 address which is accessible from the Internet
(optional, in case of NAT or other special scenarios)
IPV6TO4_ROUTING=<LAN-routing-setup-tokens> [OPTIONAL]
a list of routing tokens to setup proper IPv6 routes on the LAN
Example:
IPV6TO4_ROUTING="eth0-:f101::0/64 eth1-:f102::0/64"
Will create one route per eth0 and eth1, taking given SLA
IPV6TO4_CONTROL_RADVD=yes|no [OPTIONAL]
Enable signalling radvd that the 6to4 prefix has been changed
IPV6TO4_RADVD_PIDFILE=<path-to-pid-file> [OPTIONAL]
location of PID file to get PID for sending signal
default is "/var/run/radvd/radvd.pid"
Example:
IPV6TO4_RADVD_PIDFILE="/some/other/location/radvd.pid"

IPv6-only items for automatic tunnel interface:
Virtual interface name: sit0
IPV6INIT=yes|no
Enable or disable IPv6 configuration for this interface
Obsolete now, see IPV6_AUTOTUNNEL in /etc/sysconfig/network

IPv6-only items for static unnumbered tunnel interface:
Virtual interface name: sit1..
IPV6INIT=yes|no
Enable or disable IPv6 configuration for this interface
IPV6TUNNELIPV4=<ipv4 address of foreign tunnel endpoint>
specify IPv4 address of a foreign IPv6-in-IPv4 tunnel endpoint
Example:
IPV6TUNNELIPV4="195.226.187.50"
IPV6ADDR=<ipv6address>/<prefixlength> [OPTIONAL]
local IPv6 address of a numbered tunnel
Ethernet-only items:
{IPXNETNUM,IPXPRIMARY,IPXACTIVE}_{802_2,802_3,ETHERII,SNAP}
configuration matrix for IPX. Only used if IPX is active.
Managed from /etc/sysconfig/network-scripts/ifup-ipx
ARP=yes|no (adds 'arp' flag to ifconfig, for use with the
ethertap device)
Deprecated:
PROMISC=yes|no (enable or disable promiscuous mode)
ALLMULTI=yes|no (enable or disable all-multicast mode)

To properly set these, use the packet socket interface.

PPP/SLIP items:
PERSIST=yes|no
MODEMPORT=<device, say /dev/modem>
LINESPEED=<speed, say 115200>
DEFABORT=yes|no (tells netcfg whether or not to put default
abort strings in when creating/editing the chat script and/or
dip script for this interface)
(meaningless with WVDIALSECT)

PPP-specific items
WVDIALSECT=<list of sections from wvdial.conf to use>
If this variable is set, then the chat script (if it
exists) is ignored, and wvdial is used to open the
PPP connection.
DEFROUTE=yes|no (set this interface as default route? yes is default)
DEBUG=yes|no (defaults to yes)
turns on/off pppd and chat (if used) debugging.
ESCAPECHARS=yes|no (simplified interface here doesn't let people
specify which characters to escape; almost everyone can use
asyncmap 00000000 anyway, and they can set PPPOPTIONS to
asyncmap foobar if they want to set options perfectly)
HARDFLOWCTL=yes|no (yes implies "modem crtscts" options)
PPPOPTIONS=<arbitrary option string; is placed last on the
command line, so it can override other options like asyncmap
that were specified differently>
PAPNAME=<"name $PAPNAME" on pppd command line> (note that
the "remotename" option is always specified as the logical
ppp device name, like "ppp0" (which might perhaps be the
physical device ppp1 if some other ppp device was brought
up earlier...), which makes it easy to manage pap/chap
files -- name/password pairs are associated with the
logical ppp device name so that they can be managed
together.
REMIP=<remote ip address, normally unspecified>
MTU=
MRU=
DISCONNECTTIMEOUT=<number of seconds, default currently 5>
(time to wait before re-establishing the connection after
a successfully-connected session terminates before attempting
to establish a new connection.)
RETRYTIMEOUT=<number of seconds, default currently 60>
(time to wait before re-attempting to establish a connection
after a previous attempt fails.)
RETRYCONNECT=yes|no (defaults to yes)
If this is yes, then we will re-run pppd if it exits with a
"connect script failed" status. Otherwise, only one attempt
is made to bring up the connection. Note that some connect
scripts (for example, wvdial) might do their own retries (such
as BUSY or NO DIALTONE conditions).
MAXFAIL=<number>
If this is set, this will cause ppp-watch to exit after
the specified number of attempts.
DEMAND=yes|no
Switches on demand-dialing mode using pppd's "demand" option.
IDLETIMEOUT=600
The amount of time the link needs to be inactive before pppd will
bring it down automatically.
BOOTTIMEOUT=30
The amount of time to wait at boot before giving up on the
connection.

IPPP-specific items (ISDN)
PROVIDER=<ProviderName>
USER=<Login>
PASSWORD=<Password>
ENCAP=[syncppp|]
DIALMODE=[manual|auto]
SECURE=off|on
MSN=<>
PHONE_IN=<Callback.Number>
AREACODE=<>
REGIONCODE=<>
PHONE_OUT=<PhoneNumber>
BUNDLING=off|on
HUPTIMEOUT=<number>
DNS1=<PrimaryDNS>
DNS2=<SecondaryDNS>
DOMAIN=""
LAYER=[HDLC|]
CALLBACK=off|on
CHARGEHUP=<number>
CHARGEINT=<number>
CBHUP=<number>
CBDELAY=<number>
DIALMAX=<number>
AUTH=[+pap] [-chap]
IHUP=<>
DELDEFAULTROUTE=[enabled|disabled]
CBCP=off|on
VJ=off|on
VJCCOMP=off|on
AC=off|on
PC=off|on
BSDCOMP=off|on
CCP=off|on
SLAVE_DEVICE=ippp[0-9]

ippp0 items being deprecated:
BOOT=[on|off] will be converted to ONBOOT=[yes|no] by netconf
LOCAL_IP= will be converted to IPADDR by netconf
REMOTE_IP= will be converted to GATEWAY by netconf
/etc/sysconfig/network-scripts/chat-<interface-name>:
chat script for PPP or SLIP connection intended to establish
the connection. For SLIP devices, a DIP script is written
from the chat script; for PPP devices, the chat script is used
directly.
/etc/sysconfig/network-scripts/dip-<interface-name>
A write-only script created from the chat script by netcfg.
Do not modify this. In the future, this file may disappear
by default and created on-the-fly from the chat script if
it does not exist.
/etc/sysconfig/network-scripts/ifup-post
Called when any network device EXCEPT a SLIP device comes
up. Calls /etc/sysconfig/network-scripts/ifup-routes to
bring up static routes that depend on that device. Calls
/etc/sysconfig/network-scripts/ifup-aliases to bring up
aliases for that device. Sets the hostname if it is not
already set and a hostname can be found for the IP for that
device. Sends SIGIO to any programs that have requested
notification of network events.

Could be extended to fix up nameservice configuration, call
arbitrary scripts, etc, as needed.
/etc/sysconfig/network-scripts/ifup-routes
Set up static routes for a device.
/etc/sysconfig/network-scripts/ifup-aliases
Bring up aliases for a device.
/etc/sysconfig/network-scripts/ifdhcpc-done
Called by dhcpcd once dhcp configuration is complete; sets
up /etc/resolv.conf from the version dhcpcd dropped in
/etc/dhcpc/resolv.conf
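
Every file listed above is a shell fragment that the init scripts source, so
a value's meaning follows the shell's quoting rules, and a line such as
FOO=$(...) executes when the file is read. The Python below is an added
example (not part of initscripts or of sysconfig.txt): a parser for that
format that refuses command substitutions instead of evaluating them, plus
audits of the password-storage settings in /etc/sysconfig/authconfig and of
the ifcfg rules described above (DEVICE, IPADDR/NETMASK under BOOTPROTO=none,
the deprecated PROMISC/ALLMULTI flags, USERCTL). Both sample files are
constructed.

```python
"""Parse /etc/sysconfig-style KEY=value files and audit a few of the
security-relevant settings described above.  Added example, not part of
Red Hat's initscripts; the sample file contents are constructed."""
import re
import shlex

ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_sysconfig(text):
    """Return {KEY: value} for a shell fragment as the init scripts would see it.

    Comments, blank lines and an optional 'export ' prefix are handled, and
    quoting is resolved with shlex (the shell's rules).  Anything that is not
    a simple assignment, e.g. a command substitution, is skipped rather than
    evaluated, which is the point: never source an untrusted sysconfig file.
    """
    settings = {}
    for line in text.splitlines():
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if raw.lstrip().startswith(("$(", "`")):
            continue                      # would execute a command when sourced
        try:
            words = shlex.split(raw, comments=True)
        except ValueError:                # unbalanced quotes
            continue
        settings[key] = words[0] if words else ""
    return settings


def enabled(value):
    return value.strip().lower() in ("yes", "true", "1", "on")


def audit_authconfig(settings):
    """Weak password-storage settings in /etc/sysconfig/authconfig."""
    issues = []
    if not enabled(settings.get("USESHADOW", "")):
        issues.append("USESHADOW is not yes: hashes stay in world-readable /etc/passwd")
    if not enabled(settings.get("USEMD5", "")):
        issues.append("USEMD5 is not yes: passwords use 8-character DES crypt")
    return issues


def audit_ifcfg(settings):
    """Sanity checks for an ifcfg-<interface> file, following the rules above."""
    issues = []
    if "DEVICE" not in settings:
        issues.append("DEVICE missing: the scripts cannot tell which interface this is")
    if settings.get("BOOTPROTO", "none") == "none":
        for key in ("IPADDR", "NETMASK"):
            if key not in settings:
                issues.append("BOOTPROTO=none but %s is not set" % key)
    for key in ("PROMISC", "ALLMULTI"):
        if enabled(settings.get(key, "")):
            issues.append("%s=yes is deprecated; let the program that needs it ask for it" % key)
    if enabled(sett<br>ings.get("USERCTL", "")) if False else enabled(settings.get("USERCTL", "")):
        issues.append("USERCTL=yes lets unprivileged users bring the interface up and down")
    return issues


# Constructed samples (not copied from any real host).
SAMPLE_AUTHCONFIG = """\
# generated by authconfig
USESHADOW=no
USEMD5=no
USELDAP=no
export USENIS="no"   # trailing comment
BACKDOOR=$(touch /tmp/pwned)
"""

SAMPLE_IFCFG = """\
DEVICE=eth0
BOOTPROTO=none
IPADDR=192.0.2.10
ONBOOT=yes
USERCTL=no
PROMISC="yes"
"""


def run_audit():
    """Parse both samples and return their findings."""
    return {"authconfig": audit_authconfig(parse_sysconfig(SAMPLE_AUTHCONFIG)),
            "ifcfg-eth0": audit_ifcfg(parse_sysconfig(SAMPLE_IFCFG))}


if __name__ == "__main__":
    for name, issues in run_audit().items():
        print(name + ":", "; ".join(issues) or "ok")
```

The parser deliberately returns only the first word of an unquoted value,
which is what the shell would assign; anything that needs evaluation is left
alone, so the tool can be pointed at files from a machine you do not trust.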

9.6 File System Administration

1. Monitor Usage

o df - Report disk usage by file system.

df -k # Show disk usage by file system in KB
df -h # Show disk usage by file system in the largest unit possible

o du - Report disk usage.

du /etc # Report the number of KB used in /etc and each of its subdirectories
du -s /etc # Report the total number of KB used in /etc and all of its subdirectories
du /etc | sort -n -r # Display disk usage by directory in /etc and sort from largest to smallest
du -a /etc | sort -n -r # Same as before, only list each file and directory in the report

2. Cleanup Unused Files

tmpwatch - Run by cron daily to clean out temporary directories
(e.g. /tmp & /var/tmp). The default installation deletes all files older
than 10 days.

3. File System Corruption

e2fsck must be run on non-journaled file systems if they are not unmounted
cleanly. This fixes any metadata that is not in the proper state. Run it
only on a file system that is unmounted (or mounted read-only):
e2fsck /dev/hda1

Backup copies of the superblock are kept at the start of block groups. With
the default 1 KB block size a group is 8192 blocks, so the first backup is
at block 8193 (with 4 KB blocks it is at block 32769; dumpe2fs lists the
actual locations). If the primary superblock is corrupt, e2fsck will fail
unless you specify an alternate superblock to use:
e2fsck -b 8193 /dev/hda1

4. Journaled File Systems

o Journaled file systems write critical information about file system
operations to a journal before actually modifying the file system. After an
unclean shutdown the file system is recovered by replaying the journal,
which takes seconds, instead of running a full fsck over every inode.

o 3 Journaling options available in ext3 (selected with the data= mount option):

1. data=ordered - This is the default mode. Only metadata is journaled, but
data blocks are forced to disk before the metadata that references them is
committed, so a crash never leaves stale data visible in a file.

2. data=journal - Metadata and data are both journaled. Safest and slowest,
since every write goes to disk twice.

3. data=writeback - Only metadata is journaled and no ordering between data
and metadata is enforced, so after a crash a recently written file may
contain old or garbage blocks. Fastest of the three; it still avoids the
full fsck that ext2 needs.

o Converting from ext2 to ext3

Because of their close relation, it is fairly simple to upgrade from ext2
to ext3:

1. Change the file system type from ext2 to ext3 in /etc/fstab.

2. Create the journal:

tune2fs -j /dev/hda1

3. Verify that ext3 is either compiled into the kernel or, if it is a module
and the root file system is being converted, rebuild the initial ramdisk
(mkinitrd) so the module can be loaded at boot time.

4. Verify that the file systems are indeed mounted as ext3 by checking
/proc/mounts.

5. Monitor Permissions

o Keep a close watch on SUID and SGID files:

find / -perm +6000 # Find all files that are either setuid or setgid
find / -perm -2000 -o -perm -4000 # Same thing

(Current findutils spell the first form -perm /6000; "+mode" is no longer
accepted. Adding -xdev keeps find on the local file system, away from /proc
and network mounts.) Compare the list against a saved copy: a new setuid
binary that no package owns is a classic sign of a compromise.

o Find files that don't have an owner or a group (typically left behind when
an account is deleted, and inherited by whoever next receives that UID):

find / -nouser -o -nogroup

o Find all files and directories that are world writable:

find / \( -type f -o -type d \) -a -perm -0002
find / \( -type f -o -type d \) -a -perm -2 # Same thing as above

Directories such as /tmp are legitimately world writable; what protects them
is the sticky bit (drwxrwxrwt), which lets users remove only their own files
there.

o Tripwire

1. Provides a fingerprint of critical files so that later changes can be
detected.

2. Tripwire can monitor all of the following:

 o File Size
 o atime (Last Access Time)
 o mtime (Last Modification Time)
 o ctime (Timestamp on Inode)
 o User
 o Group
 o Permissions

3. Configuration

 o Edit twcfg.txt and twpol.txt in order to define the policy for your
 system.

 o Run /etc/tripwire/twinstall.sh. It generates the site and local keys and
 writes signed copies of the configuration and policy (tw.cfg, tw.pol).
 Once those exist, remove the plain-text twcfg.txt and twpol.txt: an
 intruder who can read them learns exactly which files are not monitored.

 o Execute tripwire --init to create the initial database (stored in
 /var/lib/tripwire/<hostname>.twd). Do this from a known-good state,
 ideally before the machine is put on the network; the database only
 proves that files still match what they were when it was built.

 o To check the system against the database, run tripwire --check

 o To view an integrity check report, run twprint -m r --twrfile
 <report_file>

 o To update the tripwire database according to the previously run report,
 run tripwire --update --twrfile <report_file>
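
The find commands and the Tripwire workflow above, as one added example in
Python that is neither Tripwire's code nor part of this document: it walks a
tree without crossing mount points, applies the three find tests, records
the attributes Tripwire watches (plus a SHA-256 of each regular file) as a
baseline, and on a later run reports what changed, the way tripwire --check
does. demo() builds a constructed directory tree in a temporary location so
nothing on the real system is touched; the names inside it (bin/passwd,
login.defs, .rootkit) are illustrative.

```python
"""Flag setuid/setgid, world-writable and unowned files, and keep a
tripwire-style baseline (size, mtime, ctime, owner, group, mode, SHA-256) to
report what changed.  Added example, not Tripwire's code; demo() uses a
constructed directory tree instead of scanning a real system."""
import grp
import hashlib
import json
import os
import pwd
import stat
import tempfile

def fingerprint(path):
    """The attributes Tripwire watches, plus a content hash for regular files."""
    st = os.lstat(path)
    rec = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
           "mtime": int(st.st_mtime), "ctime": int(st.st_ctime)}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec

def scan(root):
    """Fingerprint everything under root without crossing mount points (find -xdev)."""
    root_dev = os.lstat(root).st_dev
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                records[path] = fingerprint(path)
            except OSError:                 # unreadable, or gone since the walk
                pass
    return records

def findings(records):
    """The three find(1) checks from the text, evaluated over scan() output."""
    out = {"suid_sgid": [], "world_writable": [], "unowned": []}
    for path, r in sorted(records.items()):
        mode = r["mode"]
        if mode & (stat.S_ISUID | stat.S_ISGID):                    # -perm +6000
            out["suid_sgid"].append(path)
        if (stat.S_ISREG(mode) or stat.S_ISDIR(mode)) and mode & stat.S_IWOTH:
            out["world_writable"].append(path)                      # -perm -0002
        try:                                                        # -nouser -o -nogroup
            pwd.getpwuid(r["uid"])
            grp.getgrgid(r["gid"])
        except KeyError:
            out["unowned"].append(path)
    return out

def compare(baseline, current,
            fields=("sha256", "size", "mode", "uid", "gid", "mtime", "ctime")):
    """What tripwire --check reports: files added, removed, or changed."""
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        diffs = [f for f in fields if baseline[path].get(f) != current[path].get(f)]
        if diffs:
            changed[path] = diffs
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)), "changed": changed}

def _write(path, text, mode):
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)

def demo():
    """Build a small tree, baseline it, tamper with it and re-check."""
    root = tempfile.mkdtemp(prefix="fsaudit-")
    dbfile = os.path.join(tempfile.mkdtemp(), "baseline.json")     # the .twd equivalent
    os.mkdir(os.path.join(root, "bin"), 0o755)
    os.mkdir(os.path.join(root, "tmp"), 0o755)
    os.chmod(os.path.join(root, "tmp"), 0o1777)                     # like /tmp: world-writable, sticky
    _write(os.path.join(root, "bin", "passwd"), "#!/bin/sh\n", 0o4755)          # a setuid program
    _write(os.path.join(root, "login.defs"), "PASS_MIN_LEN 8\n", 0o644)
    baseline = scan(root)
    with open(dbfile, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)
    _write(os.path.join(root, "login.defs"), "PASS_MIN_LEN 1\nPASS_MAX_DAYS 99999\n", 0o644)
    os.chmod(os.path.join(root, "bin", "passwd"), 0o755)            # setuid bit stripped
    _write(os.path.join(root, "bin", ".rootkit"), "", 0o755)        # a file nobody installed
    with open(dbfile) as f:
        report = compare(json.load(f), scan(root))
    return {"root": root, "findings": findings(baseline), "report": report}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the baseline file somewhere the scanned host cannot write to (Tripwire
signs its database with the local key for the same reason); a baseline that
an intruder can regenerate proves nothing.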

9.7 System Logging


klogd handles kernel messages and syslogd handles messages sent
from other sources such as system daemons.

1. Configuration

o /etc/syslog.conf - Primary Configuration file.

o Standard RH configuration creates these log files:

1. /var/log/secure - Logs authentication messages (e.g. xinetd
services, failed ssh logins).

2. /var/log/xferlog - Logs FTP transactions.

3. /var/log/maillog - Logs mail transactions (SMTP, POP3, IMAP, etc.)

4. /var/log/messages - Logs most other system messages. Each line
usually includes, in this order:

 o Date and time of the message logged.
 o The name of the host that this occurred on.
 o Name of the program or daemon that wrote the message.
 o The action or event that occurred.

o /etc/syslog.conf format

1. Format: each rule is a selector and an action. There must be at least one
TAB separating the two entries:

facility.priority	log location

2. Facilities

authpriv - Security & authorization messages
cron - Clock daemons such as crond and atd
daemon - Other daemon messages
kern - Kernel messages
lpr - Printing related messages
mail - Mail system messages
news - News system messages
syslog - Syslog messages
user - Generic user level messages
local[0-7] - Facilities reserved for local use

3. Priorities (lowest to highest)

debug - Debugging information
info - Informational messages
notice - A normal condition occurred that should be noticed
warning - Warning messages
err - An error occurred
crit - A critical error occurred
alert - An error occurred that requires immediate attention
emerg - Usually indicates a service (or the system) is no longer available

A plain priority selects that level and everything more severe. Prefix it
with "=" to select only that level, or with "!" to exclude that level and
above; "!=" excludes a single level. Several selectors on one rule are
separated by ";" and applied left to right, so an exclusion only removes
what an earlier selector on the same rule added.

4. Example Configuration

# Log all mail messages of priority info or greater
mail.info	/var/log/mail
# Log only daemon messages with a priority of exactly emerg
daemon.=emerg	/var/log/emerg
# Log all lpr messages except those at notice level. The exclusion must
# follow an inclusion: "lpr.!=notice" on a line by itself logs nothing.
lpr.*;lpr.!=notice	/var/log/lpr
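
To see what the selector rules actually select, here is an added example in
Python (not code from sysklogd) that parses rules in the format above and
answers, for a given facility and priority, which actions receive the
message. The sample configuration is constructed; it includes a rule made
of nothing but an exclusion to show that such a rule never fires.

```python
"""Evaluate sysklogd-style syslog.conf selectors: which actions a message of a
given facility and priority reaches.  Added example, not taken from sysklogd;
the sample configuration is constructed in the format described above."""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + ["local%d" % i for i in range(8)]


def priority_spec(spec):
    """Translate one priority spec into (exclude?, set of priority names).

    A bare priority means that level and everything more severe, "=" restricts
    it to exactly that level, and a leading "!" turns the selector into an
    exclusion.  sysklogd wants the "!" before the "=" ("!=notice"); the other
    order is tolerated here because it shows up in hand-written files.
    """
    exclude = single = False
    while spec[:1] in ("!", "="):
        exclude |= spec[0] == "!"
        single |= spec[0] == "="
        spec = spec[1:]
    if spec == "*":
        return exclude, set(PRIORITIES)
    if spec == "none":
        return True, set(PRIORITIES)
    name = ALIASES.get(spec, spec)
    if name not in PRIORITIES:
        raise ValueError("unknown priority %r" % spec)
    levels = {name} if single else set(PRIORITIES[PRIORITIES.index(name):])
    return exclude, levels


def parse_rule(line):
    """Return ({facility: set of priorities}, action) for one rule.

    ";"-separated selectors are applied left to right, so an exclusion only
    subtracts what an earlier selector on the same rule added: a rule made of
    nothing but "lpr.!=notice" selects nothing at all.
    """
    selectors, action = line.split(None, 1)
    table = {fac: set() for fac in FACILITIES}
    for selector in selectors.split(";"):
        facs, _, pri = selector.rpartition(".")
        exclude, levels = priority_spec(pri)
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if fac not in table:
                raise ValueError("unknown facility %r" % fac)
            table[fac] = table[fac] - levels if exclude else table[fac] | levels
    return table, action


def parse_config(text):
    return [parse_rule(line.strip()) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def destinations(rules, facility, priority):
    """Every action that a message with this facility/priority is written to."""
    priority = ALIASES.get(priority, priority)
    return [action for table, action in rules if priority in table[facility]]


# Constructed sample: selector, TAB, action.
SAMPLE_CONF = """\
*.info;mail.none;authpriv.none\t/var/log/messages
authpriv.*\t/var/log/secure
mail.info\t/var/log/mail
daemon.=emerg\t/var/log/emerg
lpr.*;lpr.!=notice\t/var/log/lpr
lpr.!=notice\t/var/log/lpr-never-written
*.emerg\t*
"""


def demo():
    rules = parse_config(SAMPLE_CONF)
    probes = [("mail", "warning"), ("mail", "debug"), ("daemon", "emerg"),
              ("daemon", "alert"), ("lpr", "notice"), ("lpr", "err"), ("authpriv", "info")]
    return {"%s.%s" % p: destinations(rules, *p) for p in probes}


if __name__ == "__main__":
    for message, actions in demo().items():
        print("%-16s -> %s" % (message, ", ".join(actions) or "(dropped)"))
```

A message that reaches no action is silently discarded, which is why a
rule like the "lpr-never-written" one above is worth checking for before
relying on a log file to exist during an investigation.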

2. Log Rotation

o Log rotation is handled by /usr/sbin/logrotate which is part of the
logrotate package.

o logrotate is executed daily by cron to check if any logs need rotating.

o Basic setup and log rotation of the default system logs are configured in
/etc/logrotate.conf.

o Additional, package related, log rotation scripts are placed in
/etc/logrotate.d.

3. Logwatch

o Runs daily.

o Primary configuration file is /etc/log.d/conf/logwatch.conf.

o Creates a daily report that is e-mailed to the user specified (root by default).

4. Other System Logging

o /var/run/utmp - This file must always exist. It records who is currently
logged in (one entry per login session and tty). Used by many system
utilities (e.g. who, w). You can prevent users from viewing who else is on
the machine by removing their read permission on this file, at the cost of
breaking who and w for them.

o /var/log/wtmp - This file stores a history of logins, logouts and
reboots. It is appended to by init and login. To view information in this
file, use the last command. Both files are binary and are writable by
root, so an intruder with root can trim or rewrite them; a missing or
implausibly short wtmp is itself a finding.
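
wtmp is a sequence of fixed-size struct utmp records, and last(1) reconstructs
sessions by pairing a login record on a tty with the next logout (or reboot)
on that tty. The added example below (not the code of last) does the same in
Python. It assumes the glibc layout used on i386/x86-64 Linux (384-byte
records with 32-bit time fields; other architectures differ), and the records
it parses are constructed with its own make_record() rather than read from a
real wtmp.

```python
"""Read wtmp records the way last(1) does and pair logins with logouts.
Added example, not the code of last(1); it assumes the glibc struct utmp
layout used on i386/x86-64 Linux (384-byte records with 32-bit time fields),
and the records parsed below are constructed, not taken from a real host."""
import struct

# struct utmp, glibc, x86: short ut_type; int ut_pid; char ut_line[32];
# char ut_id[4]; char ut_user[32]; char ut_host[256]; short e_termination,
# e_exit; int32 ut_session; int32 tv_sec, tv_usec; int32 ut_addr_v6[4];
# char __unused[20].  Little-endian, two bytes of padding after ut_type.
UTMP_FORMAT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)            # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Yield one dict per record; wtmp is just fixed-size structs back to back."""
    if len(data) % UTMP_SIZE:
        raise ValueError("truncated wtmp: %d bytes is not a multiple of %d"
                         % (len(data), UTMP_SIZE))
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FORMAT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]}


def make_record(rtype, pid, line, user, host, when, ut_id=b""):
    """Pack one record; used here only to build the sample data."""
    return struct.pack(UTMP_FORMAT, rtype, pid, line.encode(), ut_id, user.encode(),
                       host.encode(), 0, 0, 0, when, 0, 0, 0, 0, 0)


def sessions(records):
    """Pair each USER_PROCESS on a line with the next DEAD_PROCESS on that line.
    A BOOT_TIME record closes every open session, which last(1) shows as 'crash'."""
    open_on, out = {}, []

    def close(start, end, how):
        out.append({"user": start["user"], "line": start["line"], "host": start["host"],
                    "login": start["time"], "logout": end, "ended": how})

    for r in records:
        if r["type"] == USER_PROCESS:
            open_on[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_on:
            close(open_on.pop(r["line"]), r["time"], "logout")
        elif r["type"] == BOOT_TIME:
            for start in list(open_on.values()):
                close(start, r["time"], "crash")
            open_on.clear()
    for start in open_on.values():
        close(start, None, "still logged in")
    return out


T0 = 1000000000
SAMPLE_WTMP = b"".join([                                  # constructed history
    make_record(BOOT_TIME, 0, "~", "reboot", "2.4.7-10", T0, b"~~"),
    make_record(USER_PROCESS, 1001, "pts/0", "alice", "192.0.2.7", T0 + 60),
    make_record(USER_PROCESS, 1002, "tty1", "root", "", T0 + 120),
    make_record(DEAD_PROCESS, 1001, "pts/0", "", "", T0 + 3660),
    make_record(BOOT_TIME, 0, "~", "reboot", "2.4.7-10", T0 + 7200, b"~~"),
])


def demo():
    return sessions(parse_wtmp(SAMPLE_WTMP))


if __name__ == "__main__":
    for s in demo():
        length = "" if s["logout"] is None else " (%d s)" % (s["logout"] - s["login"])
        print("%-8s %-6s %-15s %s%s" % (s["user"], s["line"], s["host"], s["ended"], length))
```

To run it over a real file, pass the bytes of /var/log/wtmp to parse_wtmp().
The length check matters in practice: a record count that is not a whole
number of 384-byte structs means the file was truncated or edited with
something other than the login programs.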
5. Process Control

o Nice Value - Affects the priority of a job. Can be altered using nice/renice
commands. Only root may lower a nice value (raise priority); other users can
only make their own processes nicer.

1. nice - Can be used when launching a process to alter its priority.

2. renice - Can be used on existing processes to alter their priority.

3. Examples:

nice -n 10 find / -name xyz # Give find command a lower priority than normal
renice -10 `pidof X` # Give X server a higher priority (root only)

o Jobs - Jobs executed at the shell prompt normally run in the foreground.
This prevents you from executing other commands from the same shell
until the command returns. You can force jobs to run in the background by
placing an "&" after the command.

Background jobs survive a normal logout from bash unless the huponexit
option is set, but a terminal hangup sends them SIGHUP; start jobs that
must outlive the session with nohup or setsid. Any output from a background
process that has not been redirected goes to the terminal and is lost once
the terminal is gone.
tar zxvf linux-2.2.20.tar.gz &
tar zxvf linux-2.2.20-ow2.tar.gz &
top

The two 'tar' commands will execute in the background and 'top' will be
executed in the foreground.

Job Control Commands:

1. fg - Bring a specified background job into the foreground.

fg %1 # Bring background job number 1 into the foreground

2. bg - Resume a stopped job in the background.

bg %7 # Causes stopped job number 7 to resume execution in the background

3. jobs - List background jobs.

4. kill - You can also use job numbers with the kill command instead
of process ids.

kill %4 # Kill background job number 4

9.8 Creating a Swap File

If you don't have a partition free to allocate additional swap space, you
can create a swapfile on an existing file system.

The following example creates and enables a 16 MB swapfile called
/var/swapfile:
dd if=/dev/zero of=/var/swapfile bs=1024 count=16384
mkswap /var/swapfile
swapon /var/swapfile

Make the file mode 0600 and owned by root before running swapon: pages of
every user's processes end up in it, so a readable swapfile leaks memory
contents (including passwords and keys) to anyone who can open it. Add it to
/etc/fstab with type "swap" if it should be enabled at boot.


10. Package Management with RPM

10.1 Installation
-i # Install a package.
-U # Upgrade existing package or install if it doesn't already exist.
-e # Remove a package.
-F # Freshen. Only upgrade package if it's already installed.
-v # Print verbose information
-h # Use a hash mark (#) to indicate progress
--nodeps # Don't perform a dependency check when installing or upgrading a
package
--replacefiles # Install package even if it overwrites existing files
--replacepkgs # Install package even if it's already installed
--oldpackage # Install package even if it's older than the one installed
--force # Combination of --replacefiles, --replacepkgs, and --oldpackage

Examples:
rpm -ivh groff-1.17.1-3.i386.rpm # Install groff from local file system
rpm -Uvh groff-1.17.2-3.i386.rpm # Upgrade groff from local file system
rpm -e groff # Remove groff
# Install groff from anonymous ftp server
rpm -ivh ftp://somehost.com/rpms/groff-1.17.1-3.i386.rpm

# Install groff from non-anonymous ftp server. The password is visible to
# every user in the process list, is kept in the shell history, and FTP
# sends it in clear text. Check the signature (10.2) of anything fetched
# over the network before installing it.
rpm -ivh ftp://<user>:<password>@somehost.com/rpms/groff-1.17.1-3.i386.rpm

10.2 Verification
--checksig <package> # Verify md5 digest and gpg signature of a package file.
-K <package> # Same as --checksig.
--nogpg # Don't verify gpg signature (must be used with --checksig).
-V <package> # Verify installed files against package info and report changes.
-Va # Verify all packages

A signature check is only meaningful if the signer's public key has been
imported into the rpm database (rpm --import <keyfile>); otherwise the
result shows NOKEY and proves nothing. A package whose digest matches but
whose signature does not is exactly what a tampered mirror produces, so
treat --nogpg as a debugging aid, not a way to install. The -V checks
compare against the rpm database on the same machine, which a root-level
intruder can rewrite along with rpm itself; when that is a concern, verify
against a trusted copy of the package file with rpm -Vp <package file>.
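
rpm -Va output needs triage: configuration files are expected to differ,
while a changed digest or mode on /bin/login is not. The Python below is an
added example (not rpm's code) that parses rpm's verify output into its
attribute columns and the file-type marker, then ranks each path. The sample
output lines are constructed in rpm's format.

```python
"""Triage the output of rpm -V / rpm -Va.  Added example, not rpm's own code;
the sample lines below are constructed in rpm's verify-output format."""
import re

# Attribute columns: "." means the test passed, "?" means it could not be run.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink target",
         "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}
MARKERS = {"c": "config", "d": "documentation", "g": "ghost", "l": "license", "r": "readme"}
LINE = re.compile(r"^(?P<attrs>[SM5DLUGTP.?]{8,9}|missing)\s+"
                  r"(?:(?P<marker>[cdglr])\s+)?(?P<path>/\S.*)$")
CONTENT = {"S", "5", "L", "D"}                # the file itself is not what was shipped
OWNERSHIP = {"M", "U", "G", "P"}              # who may run or write it has changed


def parse_verify_line(line):
    """Parse one rpm -V line; dependency complaints and other noise return None."""
    m = LINE.match(line.rstrip("\n"))
    if not m:
        return None
    attrs = m.group("attrs")
    return {"path": m.group("path"),
            "missing": attrs == "missing",
            "flags": set() if attrs == "missing" else {c for c in attrs if c in FLAGS},
            "unchecked": "?" in attrs,
            "kind": MARKERS.get(m.group("marker"), "regular")}


def triage(entry):
    """Rank one entry.  Config files are expected to drift and ghost files are
    never installed; a binary whose content, mode or owner differs from the
    package is what a trojaned login or passwd looks like."""
    if entry["missing"]:
        return "expected" if entry["kind"] == "ghost" else "suspicious"
    if entry["flags"] & OWNERSHIP:
        return "suspicious"
    if entry["flags"] & CONTENT:
        return "review" if entry["kind"] == "config" else "suspicious"
    return "review" if entry["unchecked"] else "expected"    # only mtime moved, or nothing


SAMPLE_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
S.5....T.    /bin/login
.......T.    /usr/share/man/man1/ls.1.gz
missing     /usr/bin/chage
missing   g /var/log/lastlog
..?......    /root/.bashrc
Unsatisfied dependencies for groff-1.17.1-3: glibc >= 2.2
"""


def triage_report(text):
    """Group every recognised path by how much attention it needs."""
    report = {"suspicious": [], "review": [], "expected": []}
    for line in text.splitlines():
        entry = parse_verify_line(line)
        if entry:
            report[triage(entry)].append(entry["path"])
    return report


if __name__ == "__main__":
    for level, paths in triage_report(SAMPLE_OUTPUT).items():
        print(level + ":", ", ".join(paths) or "-")
```

Feed it the output of rpm -Va and read the suspicious list first. Because
the check trusts the rpm database and the rpm binary on the same machine,
run it from a rescue environment, or verify against the original package
files with rpm -Vp, when a compromise is actually suspected.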

10.3 Query
-q <package> # Returns the installed name-version-release of a package.
-qf <file> # Returns name of package that owns file.
-ql <package> # Returns list of files owned by package.
-qi <package> # Returns package info.
-qpi <package> # Returns info of an uninstalled package file
-qpl <package> # Returns list of files in an uninstalled package file

10.4 Source RPMs


Source RPMS install their contents into /usr/src/redhat. They contain
everything necessary to build a binary package from the source (source
code, init scripts, config files, man pages, documentation, etc.)

/usr/src/redhat:

• SOURCES - Contains source code and patches necessary to build rpm.

• BUILD - A work directory used to build the rpm.

• SPECS - Holds the spec files which describe how to build the rpm.

• SRPMS - Stores the completed source RPM after it's built.

• RPMS - Stores the completed binary RPM after it's built.

10.5 Spec Files


The RPM spec file contains the necessary instructions required to build
an RPM. It contains many sections:
Preamble # Contains package information
Prep # Prepares source code for building (unpacking, patching, etc.)
Build # Steps taken to build source
Install # Commands used to install package
Install & Uninstall Scripts # Scripts that install/uninstall package from a system
Verify # Extra verification steps to take when verifying packages
Clean # Cleanup script
File List # List of files in the package

10.6 Build Options


-bp # Only execute prep stage
-bl # verify all files exist
-bc # Execute only the build stage
-bi # Execute only the install section
-bs # Only build SRPM
-ba # Build binary and source RPMs
-bb # Build binary RPM only


11. PCMCIA

11.1 Support
PCMCIA support is currently included in the kernel, but it's better
supported by the kernel modules located at http://pcmcia-cs.sourceforge.net

11.2 Device Management


1. cardmgr

o Monitors PCMCIA sockets for card insertion and removal.

o Looks up cards in database when inserted and loads appropriate kernel
module.

o Can execute preconfigured commands upon insertion or removal.

o Unloads kernel module upon removal.

2. cardctl

o Monitor and control PCMCIA sockets.

o Non-root users can only view information about sockets.

o Commands:

1. status - Display socket status.

2. config - Display socket configuration (includes power settings,
IRQs, ioports).

3. ident - Display card identification.

4. suspend - Shutdown and disable power for socket.

5. resume - Restore power to socket and re-configure for use.

6. reset - Send reset signal to device.

7. eject - Notifies all drivers that this card will be ejected and then cuts
power.

8. insert - Notify all drivers that a card has just been inserted.

9. scheme - Display scheme if none is specified, otherwise
reconfigure PCMCIA to the new scheme specified.

3. PCMCIA drivers

o Automatically loads devices and configures ioports to nonconflicting
values.

o Can specify ioports not to use in /etc/pcmcia/config.opts

o Can view loaded cards in /var/lib/pcmcia/stab.


12. RAID
12.1 Overview
Stands for Redundant Array of Inexpensive Disks or Redundant Array of
Independent Disks. It uses multiple disks to increase performance
and/or reduce the chances of data loss due to hardware failure.

12.2 Supported Versions


1. Striping (RAID 0)

o No Redundancy

o Fastest read/write performance.

o Requires 2 or more disks.

2. Mirroring (RAID 1)

o Requires 2 or more disks.

o Fast read performance.

o Requires 2x actual storage size requirements.

3. Data and Parity Striping (RAID 5)

o Requires 3 or more disks.

o More efficient use of disk space than RAID 1.

12.3 Partition Type


Set partition type to 0xFD for auto detection of RAID devices (use
option 't' in fdisk).

12.4 Configuration File (/etc/raidtab)


See raidtab man page for an example.

Sample file:
### RAID 1
raiddev /dev/md0
raid-level 1 # Mirroring
nr-raid-disks 3 # Number of disks to use
nr-spare-disks 1 # Hot standby in case another fails
persistent-superblock 1 # Required for auto detection
chunk-size 32 # In KB

device /dev/hda3
raid-disk 0
device /dev/hdb3
raid-disk 1
device /dev/hde5
raid-disk 2
device /dev/hdc4
spare-disk 0

### RAID 5
raiddev /dev/md1
raid-level 5 # Data and parity striping
nr-raid-disks 3 # Number of disks to use
nr-spare-disks 1 # Hot standby in case another fails
persistent-superblock 1 # Required for auto detection
chunk-size 32 # In KB
parity-algorithm right-symmetric

device /dev/sda1
raid-disk 0
device /dev/sdb3
raid-disk 1
device /dev/sdc5
raid-disk 2
device /dev/sdd4
spare-disk 0

12.5 Initializing RAID devices


mkraid /dev/md0
mkraid /dev/md1
NOTE: mkraid also causes necessary RAID modules to be loaded by kernel as if raidstart
had been executed.

12.6 Formatting RAID devices


mke2fs -b 4096 -R stride=8 /dev/md0
mke2fs -b 4096 -R stride=8 /dev/md1

"-R" is used to set RAID related options for the file system. Stride is the
number of blocks per chunk. In the previous examples we are using a
32K chunk size with a 4K block size, so stride has to be 8 (4K * 8 =
32K).

12.7 RAID 5 parity options


Specify parity algorithm with the "parity-algorithm" option in /etc/raidtab.
Possible values are:

1. left-asymmetric

2. right-asymmetric

3. left-symmetric

4. right-symmetric

Left-symmetric offers the maximum performance on typical disks with
rotating platters.

12.8 Auto detection of RAID arrays


Requires:

1. Partition type must be set to 0xFD.

2. Auto detection must be turned on in kernel.

3. Must specify "persistent-superblock 1" in /etc/raidtab


13. Advanced Power Management (APM)

13.1 Overview
1. Monitor and control system battery on laptops.
2. Can be used on workstations to implement "standby" and "suspend" power modes.

13.2 Viewing power status


1. /proc/apm

2. apm

o With no options, reports power status.

o -s - Put machine in suspend mode.

o -S - Put machine in standby mode.

13.3 Options
Specified in /etc/sysconfig/apmd


14. Kernel

14.1 Types
1. Monolithic

o Drivers compiled into kernel directly.

o Uses more memory because unused drivers take up space.

o Generally slows system down due to memory usage.

o However, communicates with hardware faster.

2. Modular

o Drivers are compiled as modules.

o Uses less memory since only necessary drivers can be loaded.

o More flexible because more drivers can be compiled as modules.


14.2 Modules
1. Overview

o Auto loaded by kmod (a kernel thread).

o Module options specified in /etc/modules.conf:

install <module> <command> # Specify command to use to install modules (default: insmod)
remove <module> <command> # Specify command to use to remove modules (default: rmmod)
alias eth0 tulip # Creates an alias for the tulip module
options tulip irq=9 # Pass IRQ that device is using to module
pre-install tulip <command> # Execute <command> before loading the tulip module
post-install tulip <command> # Execute <command> after loading the tulip module
pre-remove tulip <command> # Execute <command> before removing the tulip module
post-remove tulip <command> # Execute <command> after removing the tulip module

2. Dependencies

depmod -a - Build dependencies for all modules

3. Managing

o Viewing
lsmod
cat /proc/modules

o Loading
modprobe tulip # Load a single module
modprobe -t net \* # Load all modules in "net" category
modprobe \* # Load all modules

o Unloading
modprobe -r 3c503 # Unload 3c503 module
rmmod -r 3c503 # Unload 3c503 module and all of its dependencies

14.3 Installing From Source


1. Required Packages

o kernel-headers

o kernel-source

o dev86

o make

o glibc-devel

o cpp

o ncurses (For "make menuconfig")

o ncurses-devel (For "make menuconfig")

o binutils

o gcc

NOTE: A working X installation is required if you wish to use "make
xconfig".

2. Installation steps
cd /usr/src
bzcat linux-2.4.17.tar.bz2 | tar xvf -
cd linux
make config | make menuconfig | make xconfig
make dep
make clean
make bzImage
make modules (if modular kernel)
make modules_install (if modular kernel)
cp System.map /boot/System.map-2.4.17
cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.17
cp .config /boot/config-2.4.17
mkinitrd /boot/initrd-<version> <kernel version> # Depending on kernel configuration
Update LILO or GRUB
Reboot into new kernel

3. new-kernel-pkg

New to RH 7.2 is a script called "new-kernel-pkg". This script
performs several of the necessary kernel installation steps such
as building module dependencies, creating an initial ramdisk, and
updating the grub configuration.

For example, to install kernel 2.4.18, build module dependencies,
and create an initial ramdisk, execute the following command:
new-kernel-pkg --install --depmod --mkinitrd 2.4.18

NOTE: If you are using lilo, you will have to manually update its configuration
file.

14.4 Installing from RPM


1. Required Packages

o kernel

o kernel-pcmcia-cs (for laptops)

2. Packages that may need to be upgraded

o mkinitrd

o SysVinit

o initscripts

3. Optional Packages

o kernel-headers

o kernel-source

o kernel-doc

o kernel-debug

4. Install Steps
rpm -Uvh mkinitrd-<version>.rpm # If necessary
rpm -Uvh SysVinit-<version>.rpm # If necessary
rpm -Uvh initscripts-<version>.rpm # If necessary
rpm -Uvh kernel-headers-<version>.rpm # Optional
rpm -Uvh kernel-source-<version>.rpm # Optional
rpm -ivh kernel-<version>.rpm --force
rpm -ivh kernel-pcmcia-cs-<version>.rpm --force # For laptops
mkinitrd /boot/initrd-<version> <kernel version> # Depending on kernel configuration
Update LILO or GRUB
Reboot into new kernel

NOTE: It is recommended that you install and not upgrade the
kernel and kernel-pcmcia-cs packages. That way if the new kernel
doesn't work, you can boot into a previous kernel that does.

14.5 Adding a module to an already compiled kernel

For those times where you need to add a new driver to a modular
kernel, you can just compile the needed module and install it without
recompiling the entire kernel. Just follow these steps:
cd /usr/src/linux
make config | make menuconfig | make xconfig
(Choose the driver as a module)
make dep
make modules
make modules_install
depmod -a
You should now be able to use the new module.


15. PAM

15.1 Files
1. Configuration files located in /etc/pam.d.

2. Separate configuration file for each service that uses pam.


3. Modules located in /lib/security.

15.2 Module Types


1. auth

Prompts for user identification.

2. account

Account based restrictions (time of day, tty, host, etc.) a.k.a. login
restrictions.

3. session

Session oriented limits (file sizes, # of processes, etc.) and tasks
performed before/after the user logs in.

4. password

Password management (updating).

15.3 Module Control Flags


1. required

This test must pass in order for the overall check to succeed. The
remaining tests are still performed even if this one fails.

2. requisite

This test must pass in order for the overall check to succeed.
However, unlike 'required', no other tests are performed if this
one fails.

3. sufficient

This test doesn't have to pass for the overall check to succeed.
However, if it does pass, it grants immediate access. If it's failed,
the remaining tests are still performed as with 'required'.

4. optional

This test has no effect on the overall check.


15.4 Custom PAM Example
This example limits who can use SSH based on a list of users.

1. In /etc/pam.d/sshd, add the following line:

auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/sshd_users

The above will allow a user to login via sshd if they are listed in the
/etc/sshd_users file. The options specified have the following meanings:

o onerr=fail - If an error occurs (file specified isn't found, or an improperly
formatted entry is found in the file), fail this test. This will deny the user
access via sshd. The other possible option for "onerr" is "succeed".

o item=user - This states that we are testing or verifying the user's login
name.

o sense=allow - This means that if the user is found in the file specified,
this test succeeds. This will allow the user access if all other PAM tests
succeed as well. The other possible option for "sense" is "deny".

o file=/etc/sshd_users - This specifies the file that will contain the list of
users (one per line) that are allowed to access sshd.
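The control-flag rules of 15.3 and the pam_listfile line of 15.4 are easiest to understand by tracing a stack by hand. The simulation below is an added example written for this page (it is not Linux-PAM's code): each module is a function that takes a context dict and returns True for PAM_SUCCESS or False, and `run_stack` applies the required/requisite/sufficient/optional rules in file order, including the detail that a `sufficient` success does not rescue a stack in which a `required` module already failed. The password table, the stand-in modules and the contents of /etc/sshd_users are constructed.

```python
"""Model how Linux-PAM combines module results under the control flags
'required', 'requisite', 'sufficient' and 'optional', and trace the sshd
pam_listfile rule through such a stack.

Added example: a simulation written for this page, not Linux-PAM's code.
The password table and /etc/sshd_users contents below are constructed."""

def run_stack(stack, ctx):
    """stack: list of (control_flag, module) in file order.
    Returns (overall_success, trace); trace records every module that ran."""
    required_failed = False
    trace = []
    for flag, module in stack:
        ok = module(ctx)
        trace.append((flag, module.__name__, ok))
        if flag == "required":
            # Failure is remembered but the stack keeps running, so the
            # caller cannot learn which module rejected it.
            required_failed = required_failed or not ok
        elif flag == "requisite":
            if not ok:
                return False, trace            # stop at once
        elif flag == "sufficient":
            # Success ends the stack early, but only if no required module
            # has already failed; a failure here is simply ignored.
            if ok and not required_failed:
                return True, trace
        elif flag == "optional":
            pass                               # never changes the outcome here
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    return not required_failed, trace

def pam_listfile(file_contents, item="user", sense="allow", onerr="fail"):
    """Build a module behaving like
    pam_listfile.so onerr=fail item=user sense=allow file=/etc/sshd_users.
    file_contents is the text of that file, or None if it cannot be read."""
    def module(ctx):
        if file_contents is None:
            return onerr == "succeed"         # onerr decides on read errors
        entries = {l.strip() for l in file_contents.splitlines() if l.strip()}
        listed = ctx.get(item) in entries
        return listed if sense == "allow" else not listed
    module.__name__ = f"pam_listfile({item},{sense},onerr={onerr})"
    return module

PASSWORDS = {"steve": "s3cret", "mallory": "hunter2"}   # constructed stand-in for /etc/shadow

def pam_unix(ctx):
    """Stand-in for pam_unix.so: succeeds when the password matches."""
    return PASSWORDS.get(ctx.get("user")) == ctx.get("password")

def pam_deny(ctx):
    """Stand-in for pam_deny.so: always fails."""
    return False

def sshd_auth_stack(sshd_users_file):
    """auth section of /etc/pam.d/sshd: the pam_listfile line from above,
    then the usual password check and a final catch-all deny."""
    return [
        ("required", pam_listfile(sshd_users_file, "user", "allow", "fail")),
        ("sufficient", pam_unix),
        ("required", pam_deny),
    ]

SSHD_USERS = "steve\nbilbo\n"   # constructed /etc/sshd_users

if __name__ == "__main__":
    for user, pw in (("steve", "s3cret"), ("mallory", "hunter2")):
        ok, trace = run_stack(sshd_auth_stack(SSHD_USERS), {"user": user, "password": pw})
        print(user, "->", "access granted" if ok else "denied", trace)
```

Note what `onerr=fail` buys you: if /etc/sshd_users is unreadable the listfile module fails closed and nobody gets in, whereas `onerr=succeed` silently turns the rule off; the trace also shows that a user not on the list is still asked for a password before being refused.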

15.5 Time Based Restrictions


These examples will limit the login times of certain users. See
/etc/security/time.conf for more information/examples. In order to place
time restrictions on user logins, the following must be placed in
/etc/pam.d/login:

account required /lib/security/pam_time.so


The remaining lines should be placed in /etc/security/time.conf.
1. Only allow user steve to login on weekdays between 7 am and 5 pm:
login;*;steve;Wk0700-1700

2. Allow users Bilbo & Frodo to login on all days between 8 am and 5 pm except for
Sunday:
login;*;bilbo|frodo;AlSu0800-1700

If a day is specified more than once, it is unset. So in the above example, Sunday is
specified twice (Al = All days, Su = Sunday). This causes it to be unset, so this rule
applies to all days except Sunday.
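The day-toggling rule above is easy to get wrong, so here is an added example (written for this page, not Linux-PAM's code) that evaluates time.conf-style rules against a login attempt. It implements pam_time's day codes (Mo..Su, Wk for Monday to Friday, Wd for Saturday and Sunday, Al for every day, each code XORed into a mask so a repeated day is cleared again), the '|', '&' and '!' operators of the fields evaluated left to right, and time ranges that wrap past midnight. It treats every rule whose service, tty and user match as a restriction that must also match the time; the two rules below are constructed from the examples above, with the weekday rule written with Wk.

```python
"""Evaluate pam_time rules (service;ttys;users;times) against a login
attempt, including the rule that a day listed twice is switched off again.

Added example written for this page; not Linux-PAM's code. Rules below
are constructed."""
import re
from datetime import datetime
from fnmatch import fnmatchcase

# One bit per weekday, in datetime.weekday() order (Monday = bit 0).
DAY_CODES = {
    "Mo": 1 << 0, "Tu": 1 << 1, "We": 1 << 2, "Th": 1 << 3,
    "Fr": 1 << 4, "Sa": 1 << 5, "Su": 1 << 6,
    "Wk": 0b0011111,    # weekdays, Monday to Friday
    "Wd": 0b1100000,    # weekend, Saturday and Sunday
    "Al": 0b1111111,
}
RANGE_RE = re.compile(r"^([A-Za-z]+)(\d{4})-(\d{4})$")

def _as_datetime(when):
    return datetime.fromisoformat(when) if isinstance(when, str) else when

def parse_days(spec):
    """'AlSu' -> all days except Sunday: each code is XORed in, so a day
    that appears twice is cleared again."""
    mask = 0
    for i in range(0, len(spec), 2):
        code = spec[i:i + 2]
        if code not in DAY_CODES:
            raise ValueError(f"unknown day code {code!r} in {spec!r}")
        mask ^= DAY_CODES[code]
    return mask

def time_matches(term, when):
    """One range such as 'Wk0700-1700' or 'Al2200-0600' (wraps midnight)."""
    when = _as_datetime(when)
    m = RANGE_RE.match(term)
    if not m:
        raise ValueError(f"bad time range {term!r}")
    if not parse_days(m.group(1)) & (1 << when.weekday()):
        return False
    now, start, end = when.hour * 100 + when.minute, int(m.group(2)), int(m.group(3))
    return start <= now < end if start <= end else (now >= start or now < end)

def field_matches(field, value, matcher):
    """Evaluate 'a|b', 'a&!b', '*', ... left to right with no precedence."""
    result, op = None, "|"
    for token in re.findall(r"[|&]|[^|&]+", field.replace(" ", "")):
        if token in ("|", "&"):
            op = token
            continue
        negate = token.startswith("!")
        term = token.lstrip("!")
        hit = True if term == "*" else matcher(term, value)
        hit = not hit if negate else hit
        if result is None:
            result = hit
        elif op == "|":
            result = result or hit
        else:
            result = result and hit
    return bool(result)

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(tuple(f.strip() for f in line.split(";")))
    return rules

def login_allowed(rules, service, tty, user, when):
    """Every matching rule is a restriction; no matching rule, no restriction."""
    when = _as_datetime(when)
    same = lambda term, value: term == value
    for svc, ttys, users, times in rules:
        if (field_matches(svc, service, same)
                and field_matches(ttys, tty, lambda t, v: fnmatchcase(v, t))
                and field_matches(users, user, same)
                and not field_matches(times, when, time_matches)):
            return False
    return True

TIME_CONF = """\
login;*;steve;Wk0700-1700         # steve: weekdays 07:00-17:00 only
login;*;bilbo|frodo;AlSu0800-1700 # bilbo and frodo: every day but Sunday
"""
RULES = parse_rules(TIME_CONF)
```

Dates in the checks below are given as ISO strings; 2002-03-13 is a Wednesday, 2002-03-16 a Saturday and 2002-03-17 a Sunday.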

15.6 Access Based Restrictions


/etc/security/access.conf can be used to restrict access by terminal or host.
The following must be placed in /etc/pam.d/login in order for these
examples to work:
account required /lib/security/pam_access.so

1. Deny steve login access on all terminals except for tty1:
-:steve:ALL EXCEPT tty1

2. Users in the group jedi are only allowed to login from a local terminal:
-:jedi:ALL EXCEPT LOCAL

3. Allow user gandalf to only login from a trusted server:
-:gandalf:ALL EXCEPT trusted.somedomain.com
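To see how the three rules above combine, here is an added example written for this page (not Linux-PAM's code) that evaluates access.conf-style rules. It covers the shapes used above: `permission:users:origins`, where users are user names, group names or ALL, and origins are ttys, host names, a domain suffix such as `.somedomain.com`, LOCAL (any origin without a dot), ALL, or `ALL EXCEPT ...`. As in pam_access the first matching rule decides and a login matching no rule is allowed. The group table is a constructed stand-in for /etc/group.

```python
"""Evaluate pam_access rules from /etc/security/access.conf against a
login attempt (user plus the tty or host it comes from).

Added example written for this page, not Linux-PAM's code. GROUPS and
ACCESS_CONF are constructed."""

GROUPS = {"jedi": {"luke", "obiwan"}}    # constructed stand-in for /etc/group

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"permission must be + or - in {line!r}")
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def _list_matches(items, value, match_one):
    """A field is ALL, 'ALL EXCEPT a b ...', or a plain list of items."""
    if len(items) >= 2 and items[0] == "ALL" and items[1] == "EXCEPT":
        return not any(match_one(item, value) for item in items[2:])
    return any(match_one(item, value) for item in items)

def _user_matches(item, user):
    return item == "ALL" or item == user or user in GROUPS.get(item, ())

def _origin_matches(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":
        return "." not in origin       # a tty or an unqualified host name
    if item.startswith("."):
        return origin.endswith(item)   # a whole domain
    return item == origin

def access_allowed(rules, user, origin):
    """First matching rule wins; no matching rule means access."""
    for allow, users, origins in rules:
        if (_list_matches(users, user, _user_matches)
                and _list_matches(origins, origin, _origin_matches)):
            return allow
    return True

ACCESS_CONF = """\
-:steve:ALL EXCEPT tty1
-:jedi:ALL EXCEPT LOCAL
-:gandalf:ALL EXCEPT trusted.somedomain.com
"""
RULES = parse_rules(ACCESS_CONF)

if __name__ == "__main__":
    for user, origin in (("steve", "tty1"), ("steve", "tty2"), ("luke", "ws.somedomain.com")):
        print(user, "from", origin, "->", "allowed" if access_allowed(RULES, user, origin) else "denied")
```

Because the file is first-match and defaults to allow, a deny-everyone-else rule such as `-:ALL:ALL` belongs at the end if that is the policy you want; without it any user not named in a rule logs in from anywhere.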


16. Cron & At

16.1 Overview
1. Cron & at provide a way to schedule tasks.

2. Packages

o vixie-cron - Provides crond daemon and crontab editing utilities.

o crontabs - Provides default root crontab files.

o at - Provides atd daemon and command line utilities.

16.2 Crontab Files


User or system defined files that contain a command to execute and
the time to execute it. Crond wakes every minute to see if any crontab
files have changed and re-reads them if they have.

1. User crontabs
o Stored as /var/spool/cron/<user>

o View with: crontab -l

o Edit with: crontab -e

o Edit a specific user's crontab (root only): crontab -u <user> -e

2. System crontabs

o /etc/crontab

Crontab file that configures when scripts in cron.hourly,
cron.daily, cron.weekly, and cron.monthly are executed.

o /etc/cron.d

This directory contains actual crontab files that are
configured just like user crontab files.

o /etc/cron.hourly

Scripts in this directory are executed on the first minute of
every new hour.

o /etc/cron.daily

Scripts in this directory are executed at 4:02 AM every day.

o /etc/cron.weekly

Scripts in this directory are executed at 4:22 AM every
Sunday.

o /etc/cron.monthly

Scripts in this directory are executed at 4:42 AM on the first
day of the month.

3. Crontab Format
<minute> <hour> <day of month> <month> <day of week> <command to execute>

Valid values:
Minute - 0-59
Hour - 0-23
Day of Month - 1-31
Month - 1-12 *or*
- Jan, Feb, Apr, etc.
Day of Week - 0-7 (0 or 7 = Sunday) *or*
- Sun, Mon, Tue, Wed, Thu, Fri, Sat

Can specify comma-separated lists and ranges for each parameter but only in a
numeric format (e.g. 1-5 is ok for day of week, but not Mon-Fri).
# To execute foo every 5 minutes.
0,5,10,15,20,25,30,35,40,45,50,55 * * * * foo
# - OR -
*/5 * * * * foo
# Executes bar during the bottom of every hour
# during working hours on week days.
30 8-17 * * 1-5 bar
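An added example (written for this page, not vixie-cron's code) that parses the five time fields and decides whether an entry fires at a given minute. It accepts the numeric forms listed above (single values, comma lists, ranges and `*/step`), rejects a descending range such as `8-5` the way crond does, treats 7 as Sunday like 0, and applies crond's rule for the two day fields: when both day-of-month and day-of-week are restricted, the command runs when either one matches. Dates may be passed as datetime objects or ISO strings.

```python
"""Parse crontab time fields and decide whether an entry fires at a given
minute. Added example written for this page, not vixie-cron's code."""
from datetime import datetime

FIELD_BOUNDS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]   # min hour dom mon dow

def parse_field(spec, lo, hi):
    """Expand one field into the set of integers it covers."""
    values = set()
    for part in spec.split(","):
        base, _, step = part.partition("/")
        step = int(step) if step else 1
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            start, end = (int(x) for x in base.split("-", 1))
        else:
            start = end = int(base)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"bad range {part!r}: must be ascending within {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values

def parse_crontab_line(line):
    """Return a dict with the expanded fields and the command."""
    fields = line.split(None, 5)
    if len(fields) < 6:
        raise ValueError(f"need five time fields and a command: {line!r}")
    minute, hour, dom, month, dow = (
        parse_field(f, lo, hi) for f, (lo, hi) in zip(fields[:5], FIELD_BOUNDS))
    if 7 in dow:                      # 0 and 7 both mean Sunday
        dow.add(0)
    return {"minute": minute, "hour": hour, "dom": dom, "month": month, "dow": dow,
            "dom_star": fields[2].startswith("*"), "dow_star": fields[4].startswith("*"),
            "command": fields[5]}

def fires_at(entry, when):
    """True if crond would start entry['command'] at minute `when`."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if not (when.minute in entry["minute"] and when.hour in entry["hour"]
            and when.month in entry["month"]):
        return False
    dom_ok = when.day in entry["dom"]
    dow_ok = (when.weekday() + 1) % 7 in entry["dow"]   # Python Mon=0 -> cron Sun=0
    if entry["dom_star"] or entry["dow_star"]:
        return dom_ok and dow_ok
    return dom_ok or dow_ok           # both restricted: either field may match

def is_valid(line):
    """True if the line parses; crond would refuse the whole crontab otherwise."""
    try:
        parse_crontab_line(line)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    entry = parse_crontab_line("30 8-17 * * 1-5 bar")
    print(entry["command"], "fires on Wed 09:30:", fires_at(entry, "2002-03-13T09:30"))
    print("'30 8-5 * * 1-5 bar' valid:", is_valid("30 8-5 * * 1-5 bar"))
```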

16.3 At Jobs
1. "at" jobs are configured from the command prompt. No crontab style files.

2. At uses the existing environment that the "at" command was executed in to run the
specified command(s) at the indicated time. This typically makes at jobs
easier/quicker to setup than crontab jobs because the environment is already
configured for the job.

3. Examples
at 8:00 am March 12 # Execute specified commands at 8:00 am on March 12th
at now +3 hours # Execute specified commands 3 hours from now
at 9:30 pm -f ~/cmds # Execute commands in the ~/cmds file at 9:30 pm

After specifying a time, the user is prompted for the commands to execute unless
the "-f" option is used to specify a file containing the commands to execute.

7. Managing At Jobs

o atq - List pending jobs for a user.

o atrm - Delete pending jobs.


atrm 1 # Remove job number 1 from pending queue

o batch - Execute specified command when system load levels are low
enough to permit it.

16.4 Access Control
1. /etc/cron.allow

If it exists, a user must be listed in this file in order to use crontab.

2. /etc/cron.deny

If it exists, a user must not be listed in this file in order to use
crontab.

3. /etc/at.allow

Same as cron.allow, only for "at".

4. /etc/at.deny

Same as cron.deny, only for "at".


17. Sendmail

17.1 Packages
1. sendmail

Contains the actual binaries and configuration files.

2. sendmail-cf

This package is required if you ever want to reconfigure
sendmail.

3. sendmail-doc

Contains documentation about sendmail.

Examples for the various configuration files are provided in
/usr/share/doc/sendmail/README.cf.

17.2 Configuration Files


1. /etc/sendmail.cf

o Primary configuration file for sendmail.

o It's recommended that you don't edit this file by hand.

o Edit /etc/mail/sendmail.mc instead and regenerate /etc/sendmail.cf from
it:
mv /etc/sendmail.cf /etc/sendmail.cf.old
m4 /etc/mail/sendmail.mc > /etc/sendmail.cf

2. /etc/mail/sendmail.mc

o Used to generate /etc/sendmail.cf (see above).

o Easier to configure than /etc/sendmail.cf

o Default Redhat /etc/mail/sendmail.mc:

divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
define(`confDEF_USER_ID',``8:12'')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
Cwlocalhost.localdomain

o sendmail.mc options:

define(`confDEF_USER_ID',``8:12'') # Specifies user (8) and group (12) to run sendmail as
OSTYPE(`linux') # Imports OS specific information
undefine(`UUCP_RELAY') # Disable UUCP relaying
undefine(`BITNET_RELAY') # Disable bitnet relaying
define(`confAUTO_REBUILD') # Rebuild /etc/aliases automatically
define(`confTO_CONNECT',`1m') # Set time limit for SMTP connections to 1 minute
define(`confTRY_NULL_MX_LIST',true) # If no mx record exists, contact host directly
define(`confDONT_PROBE_INTERFACES',true) # Don't add the names and addresses of the
                                          # local network interfaces to the list of
                                          # local host names ($=w)
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail') # Specify location of procmail
FEATURE(`smrsh',`/usr/sbin/smrsh') # Specify location of sendmail restricted shell

### Enable virtusertable, mailertable, and access and specify their locations:
###
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl

FEATURE(redirect) # Mail to user.REDIRECT is bounced with a 551 reply
                  # telling the sender the new address
FEATURE(always_add_domain) # Append local hostname to locally delivered e-mail
FEATURE(use_cw_file) # Read aliases to use from /etc/mail/local-host-names
FEATURE(local_procmail) # Use procmail as the local MDA

FEATURE(`blacklist_recipients') # Allows e-mail to be blocked based on destination
FEATURE(`accept_unresolvable_domains') # Accept e-mail even if the reverse lookup of
                                       # the sender's domain doesn't work
FEATURE(`rbl') # Implements Realtime Blackhole List to fight spam.
FEATURE(`relay_based_on_MX') # Automatically allow relaying if sendmail server
                             # is listed as the target domain's MX record.
                             # This appears to only work if the hostname is set
                             # to the same value as the MX record.
FEATURE(domaintable) # Enable use of domaintable
FEATURE(mailertable) # Enable use of mailertable

### The following sets a "smart host" that all of your mail will be relayed through.
define(`SMART_HOST',`mail.yourdomain.com')

### The following line tells sendmail to only listen on the localhost interface.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

### The following 3 allow a host to masquerade as another host. Useful for hiding
### internal machine names from the outside world. Note that any user specified in
### an "EXPOSED_USER" (e.g. root), will not have their e-mail address masqueraded.
MASQUERADE_AS(`yourdomain.net') # Specifies domain to use in FROM and envelope addresses.
FEATURE(allmasquerade) # Turn on masquerading for all e-m­ail
FEATURE(masquerade_envelope) # Masquerade the envelope address also

3. /etc/aliases (& /etc/aliases.db)

o Contains aliases for e-mail addresses. For example, it allows you to send
mail destined for user 'daemon' to 'root'.

o Only local names may be aliased.

o Example /etc/aliases:
daemon: root # Messages sent to user daemon are redirected to root
root: steve # Messages sent to root are redirected to steve
webmaster: steve, bob, sue # Messages sent to webmaster are redirected to steve, bob and sue
steve@foo.com: bob # This entry is invalid unless the local host name is foo.com
                   # or foo.com is listed in /etc/mail/local-host-names

o After editing /etc/aliases, you must regenerate /etc/aliases.db with the
newaliases command.

4. /etc/mail/access (& /etc/mail/access.db)

o Controls which hosts are allowed to use sendmail.

o Example /etc/mail/access:
localhost.localdomain RELAY #
localhost RELAY ### These 3 permit the localhost to relay
127.0.0.1 RELAY #

10.22 REJECT # Reject mail from any host with an IP that starts with 10.22
nobody@ REJECT # Rejects any mail addressed to user 'nobody' regardless
               # of the domain it's sent to.
foo.com OK # Accept mail from foo.com (not for relaying) even
           # if other rules might reject it
bar.com REJECT # Reject all mail from bar.com and send message to sender
foobar.com DISCARD # Like REJECT, except sender doesn't receive a message

# The following sends the specified RFC error code back to the sender along with the
# message specified after it.
someone.com 550 We don't accept your mail.

o After editing /etc/mail/access, you must regenerate /etc/mail/access.db by
going into /etc/mail and typing make.
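What a key such as `10.22` or `bar.com` actually catches depends on sendmail's lookup order, which is worth seeing worked through. The following is an added example written for this page (not sendmail's code): it loads an access file and looks up a connecting IP, a host name or a mail address the way sendmail does for the untagged keys used above, from the most specific key to the broadest (the Connect:/From:/To: tags of later sendmail releases are not modelled). The access file is constructed from the example above.

```python
"""Look up an IP address, host name or mail address in a sendmail access
map: most specific key first, then broader ones.

Added example written for this page, not sendmail's code. ACCESS_FILE is
constructed."""

def parse_access(text):
    """Return {key: action}; actions are RELAY, OK, REJECT, DISCARD or
    an SMTP reply such as '550 We don't accept your mail.'"""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, action = line.split(None, 1)
            table[key] = action
    return table

def lookup_ip(table, ip):
    """10.22.4.7 is tried as 10.22.4.7, 10.22.4, 10.22 and 10."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        action = table.get(".".join(octets[:n]))
        if action is not None:
            return action
    return None

def lookup_host(table, host):
    """mail.bar.com is tried as mail.bar.com, bar.com and com."""
    labels = host.split(".")
    for i in range(len(labels)):
        action = table.get(".".join(labels[i:]))
        if action is not None:
            return action
    return None

def lookup_address(table, address):
    """user@domain: the full address, then the domain and its parents,
    then the bare 'user@' key."""
    user, _, domain = address.partition("@")
    if address in table:
        return table[address]
    action = lookup_host(table, domain) if domain else None
    if action is not None:
        return action
    return table.get(user + "@")

ACCESS_FILE = """\
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
10.22 REJECT
nobody@ REJECT
foo.com OK
bar.com REJECT
foobar.com DISCARD
someone.com 550 We don't accept your mail.
"""
TABLE = parse_access(ACCESS_FILE)

if __name__ == "__main__":
    for ip in ("10.22.4.7", "10.23.4.7", "127.0.0.1"):
        print(ip, "->", lookup_ip(TABLE, ip))
    for addr in ("nobody@example.org", "joe@someone.com", "joe@mail.bar.com"):
        print(addr, "->", lookup_address(TABLE, addr))
```

Two things the lookups make visible: `10.22 REJECT` covers the whole 10.22.0.0/16 block, and `bar.com REJECT` covers every host under bar.com, while a `RELAY` entry for a short key would open relaying just as broadly, which is why RELAY keys in this file are kept to localhost.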

5. /etc/mail/mailertable (& /etc/mail/mailertable.db)

o Useful for overriding DNS or if DNS isn't available.

o Allows you to perform domain translation.

o Can specify the delivery agent.

o Example /etc/mail/mailertable:
foo.net smtp:bar.net # Forward mail addressed to foo.net to bar.net
foobar.net smtp:[192.168.1.20] # Forward mail addressed to foobar.net to the host at 192.168.1.20

o Regenerate /etc/mail/mailertable.db by going to /etc/mail and typing
make.

6. /etc/mail/virtusertable (& /etc/mail/virtusertable.db)

o Allows you to map multiple virtual domains and users to other addresses.

o Example /etc/mail/virtusertable:
webmaster@foo.com steve # Mail sent to webmaster@foo.com is redirected to local user steve
postmaster@bar.com steve@foo.com # Mail sent to postmaster@bar.com is redirected to steve@foo.com

@somedomain.com joe@foo.com # Mail addressed to _any_ user at somedomain.com is redirected
                            # to joe@foo.com
@foobar.com %1@bar.com # Mail addressed to a user at foobar.com is redirected to the same
                       # user at bar.com.

o Regenerate /etc/mail/virtusertable.db by going to /etc/mail and typing
make.

7. /etc/mail/domaintable (& /etc/mail/domaintable.db)

o Allows an old domain to be mapped to a new one.


o Example /etc/mail/domaintable:
NEED TO FIND MORE INFO ABOUT domaintable

o Regenerate /etc/mail/domaintable.db by going to /etc/mail and typing
make.

8. /etc/mail/local-host-names

o This file must contain the sendmail server's machine name and any aliases.
Sendmail must be restarted after changing this file in order for it to take
effect.

o Example:
foo.com
bar.com
foobar.com

Specifies that foo.com, bar.com, and foobar.com are all local domains.

9. /usr/share/sendmail-cf/cf/

Contains various sample configuration files for sendmail.

10. /etc/mail/helpfile

This file contains the help information that is displayed when
someone uses the SMTP "help" command during an SMTP session.

11. /etc/mail/statistics

Stores statistics about processed mail.

17.3 A Simple Client Configuration


1. Configures client machines to send mail to a central smart host.

2. Masquerades their mail domain as the mail domain of the smart host.

3. Example:

Host workstation.somedomain.com needs to be able to send mail
to the outside world. However, we want mail coming from
workstation.somedomain.com to have a from address of
user@somedomain.com, not user@workstation.somedomain.com.
The central mail hub for somedomain.com is
mail.somedomain.com.

Make these changes in /etc/sendmail.cf on
workstation.somedomain.com.

o The DR line specifies sendmail's forwarding agent for unqualified domain
names. Change it to:
DRmail.somedomain.com

o The DH line specifies which host all local e-mail traffic should be
forwarded to. Change it to:
DHmail.somedomain.com

o The DS line specifies the smart relay host. Change it to:
DSmail.somedomain.com

o The DM line specifies what the client should masquerade as. Change it to:
DMsomedomain.com

The smart host mail.somedomain.com will also need to be
configured to allow relaying from subnets that the client machines
exist on.

17.4 Debugging Sendmail


1. mail -v <user>

Shows information about message delivery while it's being
processed.

2. debug mode

To enable debug mode, run sendmail with the "-d" option and
specify a debug # after it.

3. Display Queue Contents

Type: mailq or sendmail -bp

4. Running the Queue


Type: sendmail -q

5. Hostname Problems

In order to make sure sendmail is identifying the hostname of
your machine correctly, type:
sendmail -d0 < /dev/null

If sendmail thinks your hostname is localhost, check to see if /etc/hosts is
configured correctly. Try removing all hostnames except for localhost and try
again.


18. Apache

18.1 Defaults
1. Configuration File: /etc/httpd/conf/httpd.conf

2. Server root: /etc/httpd

3. Document root: /var/www/html

4. Logging location: /var/log/httpd

5. User: apache

6. Group: apache

7. Ports: 80 TCP (HTTP) and 443 TCP (HTTPS)

8. Modules stored in /etc/httpd/modules

9. MinSpareServers 5

10. MaxSpareServers 10

11. StartServers 8

12. MaxClients 150

13. MaxRequestsPerChild 1000

14. Default Pages Served


Whenever a URL is requested that ends in a directory and not a
file, a default file within the directory will be loaded. The
DirectoryIndex directive is used to specify what this default file or
files will be.

DirectoryIndex index.html index.htm index.shtml index.php index.php4 index.php3 index.cgi

With the above configuration, if a user were to request the
following URL: http://www.somedomain.com, Apache would
search its document root for the files specified in the
DirectoryIndex directive. The files are searched for in the order in
which they appear in the directive. So, it first checks to see if a
file named index.html exists, then index.htm, then index.shtml
and so on.

18.2 Resource Control


1. MinSpareServers

Minimum # of idle server processes that must be available to
handle incoming requests.

2. MaxSpareServers

Maximum # of idle server processes that wait for client
connections.

3. StartServers

Initial # of servers to start when Apache is started.

4. MaxClients

Maximum # of clients that can be served at once. This effectively
limits the maximum number of httpd processes started since it
requires 1 process per client.

5. MaxRequestsPerChild

Maximum # of requests to handle per child. After this number is
attained, the child is killed and a new child process is spawned to
replace it. This is used to help prevent memory leaks from eating
up system resources.

18.3 Logging
1. Error Log

Use ErrorLog directive to specify. For example:

ErrorLog /var/log/httpd/error_log

2. Access Log

No AccessLog directive. Instead use the CustomLog directive.

CustomLog /var/log/httpd/access_log combined

"combined" is a previously defined log format (defined with
LogFormat directive).

"common" is another previously defined log format that logs less
information than "combined".

18.4 User Web Space


1. Specify name of user www directory with UserDir directive:

UserDir public_html

2. User must create a "public_html" directory in their home directory.

3. Anything placed in the public_html directory can be accessed through the web if
permissions allow Apache to access it.

4. In order to visit a user's "public_html" directory, specify ~user after the base URL:

www.somedomain.com/~steve

18.5 Access Restrictions


1. Provides directory and file level access control.

2. Are recursively applied to directories underneath the directory specified unless
overridden.

3. / should be configured to be VERY restrictive. Then, start configuring directories
from the document root on down.
4. If "AllowOverride" is specified for a directory in the httpd.conf file, then
permissions can be overridden by placing a .htaccess file in the directory.
Permissions are then specified in the .htaccess file.

5. AllowOverride Options:

o None

Nothing can be overridden.

o Authconfig

Allows use of user/group authorization directives
(AuthName, AuthUserFile, AuthGroupFile, Require).

o FileInfo

Allows use of directives controlling document types.

o Indexes

Allows use of directives that control directory indexes.

o Limit

Allow directives that control access based on browser,
hostname, and network.

o Options

6. Access Control Setup

o order

1. allow,deny

allow acls processed before deny acls. Default deny -
hosts not explicitly allowed are denied. A host that matches both
an allow and a deny is denied.

2. deny,allow

deny acls processed before allow acls. Default allow -
hosts not explicitly denied are allowed. A host that matches both
a deny and an allow is allowed.

3. mutual-failure

All explicitly allowed hosts that are not also denied
are allowed.

o allow from

Specifies which hosts should be allowed access.

o deny from

Specifies which hosts should be denied access.

o Examples

    <Directory /var/www/html>
    order allow,deny         # In this case, no one would be granted access
    allow from 199.151.220   # because denys are processed after allows,
    deny from All            # and "deny from All" matches everyone.
    </Directory>

    <Directory /var/www/html>
    order deny,allow         # In this case, only those hosts in the
    allow from 199.151.220   # 199.151.220.0/24 network will be allowed in.
    deny from All
    </Directory>

Note that httpd does not accept a comment on the same line as a
directive; the comments above are annotations only.
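
The following is an added example (not part of the original notes) that models how Apache evaluates "order" together with "allow from" and "deny from" for one client address. The two <Directory> blocks above are embedded as constructed input; running it shows why the first block admits nobody and the second admits only the 199.151.220 network. Only "all", CIDR and dotted-prefix arguments are handled; hostname arguments are not resolved.

```python
import ipaddress

# Constructed input: the two <Directory> examples above, comments removed.
OPEN_TO_NOBODY = """
<Directory /var/www/html>
    Order allow,deny
    Allow from 199.151.220
    Deny from all
</Directory>
"""

NETWORK_ONLY = """
<Directory /var/www/html>
    Order deny,allow
    Allow from 199.151.220
    Deny from all
</Directory>
"""


def parse_directory(block):
    """Pull Order / Allow from / Deny from out of one <Directory> block."""
    order, allows, denies = None, [], []
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):
            continue
        key, _, rest = line.partition(" ")
        key, rest = key.lower(), rest.strip()
        if key == "order":
            order = rest
        elif key in ("allow", "deny") and rest.lower().startswith("from "):
            (allows if key == "allow" else denies).extend(rest.split()[1:])
    return order, allows, denies


def host_matches(pattern, client_ip):
    """One Allow/Deny argument: 'all', a CIDR block, a full address or a
    partial dotted prefix such as 199.151.220 (hostnames are not resolved here)."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    return client_ip.split(".")[: len(octets)] == octets


def evaluate(order, allows, denies, client_ip):
    """Apache 1.3/2.2 Order semantics for a single client address."""
    allowed = any(host_matches(p, client_ip) for p in allows)
    denied = any(host_matches(p, client_ip) for p in denies)
    order = order.lower().replace(" ", "")
    if order == "allow,deny":
        # Must match an Allow, and then must not match any Deny. Default: deny.
        return allowed and not denied
    if order == "deny,allow":
        # A Deny match is overridden by any Allow match. Default: allow.
        return allowed or not denied
    if order == "mutual-failure":
        # Allowed and not denied; nothing is admitted by default.
        return allowed and not denied
    raise ValueError(f"unknown Order value: {order}")


def check_access(block, client_ip):
    """True if the client address would be admitted by the <Directory> block."""
    return evaluate(*parse_directory(block), client_ip)


if __name__ == "__main__":
    for name, block in (("allow,deny", OPEN_TO_NOBODY), ("deny,allow", NETWORK_ONLY)):
        for ip in ("199.151.220.5", "10.0.0.1"):
            verdict = "allow" if check_access(block, ip) else "deny"
            print(f"Order {name:10} client {ip:15} -> {verdict}")
```

The same client, 199.151.220.5, is denied by the first block and admitted by the second; the only difference is the order in which the two lists are consulted and which one wins a tie.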

18.6 Authentication

1. User/password database

o Use AuthUserFile directive to specify a password file. Can be used in a
<Directory> directive or in an .htaccess file (if "AllowOverride AuthConfig"
is specified for the directory).

o Create the password file and add user "steve" to it:

htpasswd -c /var/www/userpasswd steve

Only use the "-c" option when you create the file. After that,
leave it off. Otherwise you will wipe out your existing
password file.

2. Authentication Type

Specify an AuthType (Basic or Digest). Basic sends the username and
password base64-encoded, not encrypted, so it should only be used
over SSL.

3. Realm

Specify a realm using AuthName.

4. Authentication Requirements

Specify authentication requirements using require

5. Example .htaccess file

    AuthName "My Realm"
    AuthType Basic
    AuthUserFile /var/www/passwd
    require valid-user

The above example allows any valid user ("valid-user" must be in all lower case)
to access this directory. Valid meaning that the user is defined in
/var/www/passwd. Keep the password file outside the DocumentRoot (as here)
so it can never be served to clients.

If only certain users are allowed to access this directory, you can
specify them with "require user" instead of "valid-user":

    require user bob sue steve

In this case, only users bob, sue, and steve will be allowed to
access this directory.
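
Added example, not from the original notes: it builds a password file in the {SHA} format that "htpasswd -s" writes, then applies "require valid-user" and "require user ..." to a constructed Authorization header the way mod_auth would. Decoding that header shows why Basic authentication is only as safe as the transport: the credential is base64, not encryption. The user names and passwords are made up.

```python
import base64
import binascii
import hashlib
import hmac


def sha1_htpasswd_entry(user, password):
    """One line in the format 'htpasswd -s' writes: user:{SHA}base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def basic_header(user, password):
    """The value a browser puts in 'Authorization:' for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def load_htpasswd(text):
    """Parse 'user:hash' lines into a dict; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users


def password_ok(stored, password):
    """Verify a {SHA} entry in constant time. Other schemes (crypt, $apr1$)
    are not handled here and fail closed."""
    if not stored.startswith("{SHA}"):
        return False
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], expected)


def parse_basic_header(header):
    """Turn 'Basic <token>' back into (user, password). The token is only
    base64, so anyone who can see the request sees the password."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    return user, password


def authorize(htpasswd_text, header, require_directive):
    """Decide access like 'require valid-user' or 'require user a b c'."""
    users = load_htpasswd(htpasswd_text)
    try:
        user, password = parse_basic_header(header)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return False
    if user not in users or not password_ok(users[user], password):
        return False
    words = require_directive.split()
    if words and words[0].lower() == "require":
        words = words[1:]
    if words == ["valid-user"]:
        return True
    if words[:1] == ["user"]:
        return user in words[1:]
    return False  # unknown requirement: fail closed


# Constructed password file, equivalent to:
#   htpasswd -cs /var/www/passwd steve   (password s3cret)
#   htpasswd -s  /var/www/passwd bob     (password hunter2)
PASSWD_FILE = "\n".join([
    sha1_htpasswd_entry("steve", "s3cret"),
    sha1_htpasswd_entry("bob", "hunter2"),
])

# Constructed request header as steve's browser would send it.
STEVE_HEADER = basic_header("steve", "s3cret")

if __name__ == "__main__":
    print(parse_basic_header(STEVE_HEADER))                              # cleartext
    print(authorize(PASSWD_FILE, STEVE_HEADER, "require valid-user"))    # True
    print(authorize(PASSWD_FILE, STEVE_HEADER, "require user bob sue"))  # False
```

Real htpasswd files may also hold crypt() or $apr1$ (MD5) entries; the verifier above rejects those rather than guessing, which is the right failure direction for an access check.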

18.7 CGI
1. Defining a directory for CGI scripts

o ScriptAlias

ScriptAlias /cgi-bin/ /var/www/cgi-bin/

Don't forget the trailing "/" on both parameters.

This specifies that the /var/www/cgi-bin can contain cgi scripts
and it can be reached when a user accesses the web
address and appends /cgi-bin/ to the base URL. For example:

http://www.somehost.com/cgi-bin/cgi-test

Would cause the cgi script called cgi-test to be executed if it
exists in the /var/www/cgi-bin directory.

o ExecCGI
A directory can also be specified as containing cgi scripts by
specifying Options ExecCGI within a <Directory> directive or
an .htaccess file.

o Sample CGI scripts can be found in /usr/share/doc/apache-X.X.XX/cgi-bin.

18.8 Virtual Hosts

1. IP Based

o Requires host to have a separate IP for each virtual host.

o Use <VirtualHost> directive to specify.

o Must at least specify ServerName.

o Recommend specifying a separate document root, error log, and script alias
for each virtual host.

o Example:

    <VirtualHost 192.168.1.10>
    ServerName www.somedomain.com
    ServerAdmin webmaster@somedomain.com
    DocumentRoot /var/www/www.somedomain.com/html
    ScriptAlias /cgi-bin/ /var/www/www.somedomain.com/cgi-bin/
    ErrorLog /var/log/httpd/www.somedomain.com/error_log
    CustomLog /var/log/httpd/www.somedomain.com/access_log combined
    <Directory /var/www/www.somedomain.com/html>
    Options Indexes Includes
    order deny,allow
    Allow from All
    </Directory>
    </VirtualHost>

2. Name Based

o Very similar to IP based.

o Must specify IP to use for virtual hosting with the NameVirtualHost
directive. All further <VirtualHost> directives that reference the IP
specified by NameVirtualHost automatically become a name based virtual
host.
o The first virtual host becomes the default host.

o ServerAlias allows you to specify an alternate name for a name based
virtual host.

o Example:

    NameVirtualHost 192.168.1.11
    <VirtualHost 192.168.1.11>
    ServerName www.someotherdomain.com
    ServerAlias www1.someotherdomain.com
    ServerAdmin webmaster@someotherdomain.com
    DocumentRoot /var/www/www.someotherdomain.com/html
    ScriptAlias /cgi-bin/ /var/www/www.someotherdomain.com/cgi-bin/
    ErrorLog /var/log/httpd/www.someotherdomain.com/error_log
    CustomLog /var/log/httpd/www.someotherdomain.com/access_log combined
    <Directory /var/www/www.someotherdomain.com/html>
    Options Indexes Includes
    order deny,allow
    Allow from All
    </Directory>
    </VirtualHost>

3. Troubleshooting

o If accessing any of the defined name based virtual hosts always causes the
default virtual host to be viewed, verify that the names specified for each
virtual host (ServerName) are correct.

o To view the parsed virtual host settings, type:

    httpd -S

18.9 SSL
1. mod_ssl

2. Encryption Configuration

o Certificate stored in /etc/httpd/conf/ssl.crt/server.crt

o Private key stored in /etc/httpd/conf/ssl.key/server.key. The key file
must be readable by root only (mode 0600); anyone who can read it can
impersonate the server.

o Certificate/Key Generation

1. Use openssl

2. RH provided Makefile at /usr/share/ssl/certs/Makefile:

    make testcert - Self-signed certificate
    make certreq  - Certificate signing request to get a
                    certificate authority signed certificate.


19. BIND

19.1 Overview
1. BIND 9

2. Resolves hostnames to IP addresses(forward lookup).

3. Resolves IP addresses to hostnames(reverse lookup).

4. Provides e-mail routing information.

5. Packages

o bind - Primary package. Provides binaries, documentation, configs, etc.

o bind-utils - Tools used to query DNS servers.

o bind-conf - Contains tools to configure a DNS server.

o caching-nameserver - Includes necessary configuration files to make
BIND a caching only nameserver.

Important files provided by caching-nameserver:


/var/named/localhost.zone # Forward zone for localhost
/var/named/named.ca # "Hints" file. Contains root servers
/var/named/named.local # Reverse zone for localhost

o openssl - Needed for some of BIND's security features.

6. Ports
o 53 UDP - DNS queries

o 53 TCP - Zone transfers and DNS queries > 512 bytes.

7. redhat-config-bindconf

GUI configuration utility provided by bindconf package.

19.2 Configuration Files

1. /etc/named.conf

o Specifies zones, options, and access controls.

o SEMI-COLON placement is critical!

o Sample named.conf

    options {
        directory "/var/named";              // Working directory of server
        allow-query { any; };                // Hosts allowed to query this server
        allow-transfer { 192.168.1.0/24; };  // Hosts allowed to receive zone
                                             // transfers from this server
        recursion yes;                       // Enable recursive queries
        allow-recursion { 192.168.1.0/24; }; // Hosts allowed to perform
                                             // recursive queries
        version "Surely you must be joking"; // Version reported when querying
                                             // version.bind in the CHAOS class
    };

    // The following controls who can access this server using rndc.
    // Bind to 127.0.0.1 and allow only localhost access.
    controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
    };

    zone "." IN {                  // Hints file containing root servers
        type hint;
        file "named.ca";
    };

    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };

    zone "xyz.com" IN {            // Forward lookup zone for xyz.com
        type master;               // This is a master zone
        file "db.xyz.com";         // Zone information stored in /var/named/db.xyz.com
        allow-update { none; };
    };

    zone "zyx.com" IN {            // Forward lookup zone for zyx.com
        type master;               // This is a master zone
        file "db.zyx.com";         // Zone information stored in /var/named/db.zyx.com
        allow-update { none; };
    };

    zone "somedomain.com" IN {     // Forward lookup zone for somedomain.com
        type slave;                // This is a slave zone
        masters { 192.168.1.50; }; // Required for a slave: where to fetch the zone from
        file "db.somedomain.com";  // Optional for slave zones. If set, a copy of the
                                   // zone is kept locally on disk under /var/named.
    };

    include "/etc/rndc.key";       // Private key used for secure remote administration

See the end of the named.conf man page for more configuration examples.

SECURITY NOTE:

If the following options are left unspecified, they default to
allowing access from all hosts:

    allow-query
    allow-transfer
    allow-recursion

An unrestricted allow-transfer lets anyone download the entire zone
(a complete map of your hosts), and "recursion yes" without an
allow-recursion list makes the server an open resolver that outsiders
can use for cache poisoning attempts and amplification attacks.
Restrict both to the networks that need them.
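
Added example, not part of the original notes: a small audit of the three ACLs in the options block of a named.conf. The WEAK and HARDENED fragments are constructed (HARDENED is the options block from the sample above); the defaults it warns about are those of the BIND 9 releases these notes cover (from BIND 9.4 on, allow-recursion defaults to localnets and localhost, so check the ARM for your version). Per-zone allow-transfer overrides are not examined.

```python
import re

# Constructed named.conf fragments. WEAK relies on the defaults the note
# above warns about; HARDENED is the options block of the sample named.conf.
WEAK = """
options {
    directory "/var/named";
    recursion yes;
};
"""

HARDENED = """
options {
    directory "/var/named";              // Working directory of server
    allow-query { any; };
    allow-transfer { 192.168.1.0/24; };
    recursion yes;
    allow-recursion { 192.168.1.0/24; };
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments (named.conf accepts all three).
    Assumes no comment marker appears inside a quoted string."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def extract_block(text, name):
    """Return the body of the top-level 'name { ... }' block, brace-aware."""
    start = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not start:
        return ""
    depth = 0
    for i in range(start.end() - 1, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start.end():i]
    raise ValueError(f"unbalanced braces in {name} block")


def acl_members(body, option):
    """Address-match list of an option, or None if the option is absent."""
    m = re.search(r"\b" + re.escape(option) + r"\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [item.strip() for item in m.group(1).split(";") if item.strip()]


def audit_options(named_conf):
    """Return (severity, message) findings for allow-query/-transfer/-recursion."""
    opts = extract_block(strip_comments(named_conf), "options")
    findings = []
    for option in ("allow-query", "allow-transfer", "allow-recursion"):
        members = acl_members(opts, option)
        if members is None:
            findings.append(("warn", f"{option} unset: BIND defaults to any host"))
        elif "any" in members:
            # Answering everyone is normal for an authoritative server's
            # allow-query; it is not normal for transfers or recursion.
            level = "info" if option == "allow-query" else "warn"
            findings.append((level, f"{option} explicitly allows any host"))
    recursion = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    recursion_on = recursion is None or recursion.group(1) == "yes"  # default is yes
    if recursion_on and any(m.startswith("allow-recursion") for _, m in findings):
        findings.append(("high", "open resolver: recursion is enabled for all hosts"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for level, message in audit_options(conf):
            print(f"  [{level}] {message}")
```

Run against WEAK it reports all three ACLs missing and flags the open resolver; against HARDENED the only output is the informational note that allow-query is open, which is what an authoritative server wants.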

2. /etc/nsswitch.conf

o Not part of BIND, but must be setup correctly in order for local processes
to use BIND for host resolution.

o Specifies the order in which resources are queried in order to resolve
hostnames, IP addresses, etc.

o Partial example:

    hosts: files dns
    networks: files
    protocols: files nisplus


The "hosts" line specifies that we should first check our local files (e.g.
/etc/hosts for hostname resolution before consulting DNS services. The
"networks" line states that only our local files (e.g. /etc/networks) should
be consulted for network information. The "protocols" line says we should
first consult our local files (e.g. /etc/protocols) for protocol information,
and then consult nisplus services if it isn't found in our local files.

3. /etc/hosts

o Not part of BIND, but must be setup correctly in order for host resolution
to work.

o See host resolution above.

4. /etc/resolv.conf

o Not part of BIND, but must be setup correctly in order for host resolution
to work.

o See host resolution above.


19.3 Caching Only Name Servers
1. Not authoritative for any zone.

2. Uses DNS root servers or another name server known as a forwarder to resolve
DNS queries.

3. To create a Forwarding Name Server, put the following line in the "options"
section of the /etc/named.conf file:

    forwarders { 192.168.1.20; };

4. If you want BIND to only use its forwarders to resolve hosts and not the root name
servers, put the following line in the "options" section of the /etc/named.conf file:

    forward only;

The "forwarders" option specifies which DNS server or servers queries should be
forwarded to for resolution.

19.4 Zones
1. Overview

o Specified in /etc/named.conf.

o No trailing "." on FQDN.

o "IN" after zone name is optional (see sample named.conf above for
example).

2. Master Zones

o DNS server is authoritative for that zone.

o All domains must have one.

o Example:

    zone "somedomain.com" {
        type master;
        file "db.somedomain.com";
        allow-transfer { 192.168.3.4; };
    };


3. Slave Zones

o Provides backup service to "masters".

o Example:

    zone "somedomain.com" {
        type slave;
        masters { 192.168.1.50; };
        file "db.somedomain.com";
    };

o masters - Specifies the DNS server that is the "master" of this domain.

o file - Not required for slave. If specified, indicates the name of the local file
where the zone information is kept.

o When a slave server starts, it checks the serial number for the zone on the
master. If it's been updated, the slave performs a zone transfer to get the
latest information. If it hasn't, and the slave has the zone on disk (e.g. the
file directive was used), it will load the information directly from disk
reducing network traffic.

o Slaves must be given permission to perform zone transfers by the master
server. In /etc/named.conf:

    options {
        ...
        allow-transfer { 192.168.1.45; };
        ...
    };

Or you can specify the "allow-transfer" directive on a per zone basis as
shown above.

4. Reverse Lookup Zones

o Used to resolve IP to hostname.

o Special domain .in-addr.arpa is used.

o Zone name is created by reversing the octets in the network portion of the
IP address and appending .in-addr.arpa to it.

For example, to provide reverse lookups for all hosts in the
IP range 192.168.1.0/24, use the following zone name:

    1.168.192.in-addr.arpa

o Example:

    zone "1.168.192.in-addr.arpa" {
        type master;
        file "db.1.168.192.in-addr.arpa";
    };

    zone "0.0.127.in-addr.arpa" {  // Loopback zone
        type master;               // Should NEVER be a slave
        file "db.0.0.127.in-addr.arpa";
    };


5. Root Zone

o Special zone that specifies the root servers.

o Zone type is "hint".

o Example:

    zone "." {
        type hint;
        file "named.ca";  // Contains root DNS servers
    };

o Used when a query isn't resolvable by any of the other configured zones.

o Update root servers from ftp://rs.internic.net/domain/named.ca or use dig
(with no name given, dig asks for the NS records of "."):

    dig @<rootserver>
    dig @a.root-servers.net


6. Zone Delegation

o Divides up a larger domain into smaller, more manageable domains.

o For example, support.somedomain.com and development.somedomain.com
can be delegated to someone else's control to ease the management of the
somedomain.com domain.

o Example. In the zone file for somedomain.com, put the following entries:

    support.somedomain.com.      IN NS ns.support.somedomain.com.
    ns.support                   IN A  192.168.44.10

    development.somedomain.com.  IN NS ns.development.somedomain.com.
    ns.development               IN A  192.168.45.10

o Both the NS and A records are required in order to delegate a zone whose
name server lives inside the delegated zone; without the A record a resolver
would have to ask the child zone for the address of the child zone's own server.

o The A records are known as "glue" records that help queries go from one name
server to another.

19.5 Resource Records

1. Format

    [domain/@] [ttl] [class] <type> <rdata> [comment]

o domain/@ - Optional. If left blank, defaults to the same value as the last
resource record. @ represents the domain name specified in
/etc/named.conf for the zone. Otherwise, any name specified will have the
domain appended to it unless it ends in a ".".

o ttl - Optional. Time-to-Live. Defaults to the value specified by the $TTL
directive if left unspecified. Specifies how long the record can be cached.

o class - Optional. If left unspecified, defaults to the class of the zone,
which in practice is IN.

o type - Specifies the type of RR.

o rdata - Specifies RR related data.

o comment - Comments about the RR, introduced with ";".

3. Character Restrictions

Hostnames can only consist of A-Z (case insensitive), 0-9, and -.

4. Start of Authority (SOA)

o Every zone must have one and only one.

o Preamble of the zone file.

o Example:

    @ 1D IN SOA ns root (
                2002011201 ; serial
                3H         ; refresh
                15M        ; retry
                1W         ; expire
                1D )       ; minimum

    @ 1D IN SOA ns.somedomain.com. root.somedomain.com. (
                2002011201 ; serial
                3H         ; refresh
                15M        ; retry
                1W         ; expire
                1D )       ; minimum

Both of the above two sample SOA RRs are identical when the $ORIGIN is
somedomain.com. The name server specified in the SOA record must be a
machine with an A record. You cannot use a machine name defined by a
CNAME record in the SOA record. The second name ("root") is the mailbox
of the person responsible for the zone, with the "@" written as ".";
it stands for root@somedomain.com.

Component Definitions:

1. serial - Used for version control. Every time an update is made to
the zone, the serial number must be updated so the slave zones
know there has been an update.

2. refresh - How often the slave servers should check the serial
number on the master for changes.

3. retry - Amount of time a slave should wait before attempting
another "refresh" after a previous refresh has failed.

4. expire - How long a slave should use its DNS information without
a refresh from the master.

5. minimum - How long a server should cache negative hits (e.g. no
such domain/host).

Values for the above entries can be specified in seconds
(default), minutes (M), hours (H), days (D), and weeks (W).
You must use a capital letter to specify the unit and there
can't be a space between the number and the unit.

    86400 = 24H = 1D

5. Name Server (NS)

o Every zone must have at least the master name server specified.

o A FQDN must be used for NS resource records.

o Example:

    @               IN NS ns1.somewhere.com.
    somewhere.com.  IN NS ns2.somewhere.com.
                    IN NS ns3.somewhere.com.

All 3 lines refer to the same domain. The @ in the first line refers to the
origin (specified by the zone directive in /etc/named.conf). The second line
explicitly states the domain (notice the trailing "."). The third line doesn't
specify the domain or an @, so it defaults to the domain in the RR above it.

6. Address (A)

o Maps a hostname to an IP address.

o Used by forward lookups.

o Example:

    ns1.somewhere.com. IN A 192.168.20.10 ; FQDN specified. Notice trailing "."
    ns2                IN A 192.168.20.11 ; FQDN isn't required. In the last 4 lines,
    ns3                IN A 192.168.20.12 ; somewhere.com. is appended to ns2, ns3,
    www                IN A 192.168.20.15 ; www, and mail
    mail               IN A 192.168.20.20


7. Canonical Name (CNAME)

o Provides an "alias" or alternate name for an existing host.

o A CNAME record should never be referred to by another CNAME record,
an NS record, an MX record, or an SOA record.

o Example:

    pop  IN CNAME mail
    imap IN CNAME mail

In this case, both pop and imap refer to the "mail" address (A) record in the
previous example.

8. Pointer (PTR)

o Maps an IP address to hostname.

o Used in "in-addr.arpa" zones.

o Example (assume a zone of 1.168.192.in-addr.arpa):

    10                          IN PTR ns1.somewhere.com.
    11                          IN PTR ns2.somewhere.com.
    12                          IN PTR ns3.somewhere.com.
    15.1.168.192.in-addr.arpa.  IN PTR www.somewhere.com.
    20                          IN PTR mail.somewhere.com.


Again, if a FQDN isn't specified, the domain is appended to the entry.

9. Mail Exchange (MX)

o Define a mail exchange for a zone.

o Requires a priority be specified right after the "MX" but before the
hostname. The lower the number, the higher the priority.

o Used by MTAs to deliver mail to the zone.

o Should not be used in reverse lookup zones.

o Example:

    @               IN MX 5  mail.somewhere.com.   ; Highest priority
    somewhere.com.  IN MX 10 mail2.somewhere.com.
                    IN MX 15 mail3.somewhere.com.  ; Lowest priority


10. Host Information (HINFO)

o Provides information about your host.

o Generally not a good idea to give out any host information due to security
concerns.

o Should not be used in reverse lookup zones.

o Example:

    mail IN HINFO i686 Linux-2.4.18
    www  IN HINFO i686 Linux-2.4.17-pre2


19.6 Zone Files

1. Generally located in /var/named.

2. Must begin with a Start Of Authority (SOA) resource record.

3. Contain other resource records.

4. $TTL directive must be specified.

5. Always specify the last "." for a FQDN.

6. Example Forward Zone File:

    $TTL 86400
    $ORIGIN xyz.com.   ; If not specified, it's taken from named.conf

    ; ns1 is a nameserver for the domain. root is the
    ; e-mail address of the owner of the domain. The domain
    ; is appended to each of these values since they don't
    ; end with a period. (e.g. they become ns1.xyz.com
    ; and root.xyz.com)
    @   1D IN SOA ns1 root (
                2002011901 ; serial
                3H         ; refresh
                15M        ; retry
                1W         ; expire
                1D )       ; minimum

    ; These two lines specify the same domain.
    ; @ means take it from the $ORIGIN or the zone
    ; specified in named.conf
    @               IN NS    ns1.xyz.com.
    xyz.com.        IN NS    ns2.xyz.com.

    ns1             IN A     192.168.1.20
    ns2             IN A     192.168.1.21

    www             IN A     192.168.1.22
    kashyyyk        IN CNAME www
    coruscant       IN CNAME kashyyyk   ; BAD IDEA!! CNAME pointing at a CNAME

    www1.xyz.com.   IN A     192.168.1.23
    endor           IN CNAME www1

    mail            IN A     192.168.1.24
    backup-mail     IN A     192.168.1.25

    @               IN MX 5  mail          ; Both lines reference
    xyz.com.        IN MX 20 backup-mail   ; the same domain

    support.xyz.com.        IN NS ns.support.xyz.com.      ; Zone delegation
    ns.support              IN A  192.168.2.20             ; glue record

    development.xyz.com.    IN NS ns.development.xyz.com.  ; Zone delegation
    ns.development.xyz.com. IN A  192.168.3.20             ; glue record

7. Example Reverse Zone File:

    $TTL 86400
    $ORIGIN 1.168.192.in-addr.arpa.

    @   1D IN SOA ns1.xyz.com. root.xyz.com. (
                2002011901 ; serial
                3H         ; refresh
                15M        ; retry
                1W         ; expire
                1D )       ; minimum

    ; These two lines specify the same domain.
    ; @ means take it from the $ORIGIN or the zone specified in named.conf
    @                           IN NS  ns1.xyz.com.
    1.168.192.in-addr.arpa.     IN NS  ns2.xyz.com.

    20                          IN PTR ns1.xyz.com.   ; Domain appended to 20
    21.1.168.192.in-addr.arpa.  IN PTR ns2.xyz.com.   ; Domain not appended (ends with a ".")

    22                          IN PTR www.xyz.com.
    23.1.168.192.in-addr.arpa.  IN PTR www1.xyz.com.

    24                          IN PTR mail.xyz.com.
    25                          IN PTR backup-mail.xyz.com.

20. DHCP

20.1 Overview
1. Provides dynamic configuration and network information to hosts.

o IP address.

o DNS servers.

o Netbios name servers.

o Gateways.

o Domain name.

2. Only one DHCP server per network segment.

3. Uses broadcast packets to retrieve information.

4. Superset of bootp.

5. Can answer requests from bootp clients.

6. Packages

o Server - dhcpd.

o Client - dhcpcd or pump.

7. Ports

o Server - UDP 67 (bootps)

o Client - UDP 68 (bootpc)

20.2 Server Configuration

1. /etc/dhcpd.conf

Don't forget the trailing semi-colons.

Example:

    # Global Options (can also be specified for a specific subnet)
    option nis-domain "secret_nis_domain";                  # Set NIS domain
    option domain-name "somedomain.com";                    # Domain name assigned to client
    option domain-name-servers 192.168.1.20, 192.168.1.21;  # DNS servers for domain
    option netbios-name-servers 192.168.1.19;               # WINS server

    # Specifies host that the initial boot file should be loaded from
    next-server boot-server;

    default-lease-time 600;   # Lease time used unless client requests otherwise.
    max-lease-time 7200;      # Maximum lease time that will be given

    # At least one subnet block is required.
    # It must correspond with a configured interface.
    subnet 192.168.1.0 netmask 255.255.255.0
    {
        # Definitions in block only apply to this subnet

        # Default gateway
        option routers 192.168.1.1;

        # Range of IPs to use for dynamic configuration
        range 192.168.1.100 192.168.1.200;

        # Static configuration - The host with the stated MAC address will
        # always receive the IP address stated below.
        host enterprise
        {
            hardware ethernet 00:0a:cc:3a:1c:42;
            fixed-address 192.168.1.11;
        }
    }

An example dhcpd.conf file is available at
/usr/share/doc/dhcp-2.0p15/dhcpd.conf.sample

2. /var/lib/dhcp/dhcpd.leases

Stores information about leased IP addresses. It must exist in
order for dhcp to start! If it doesn't exist, type:

    touch /var/lib/dhcp/dhcpd.leases

20.3 Client Configuration

1. dhcpcd

o Default client.

o Used by "ifup" to configure interface.

o Stores information in /etc/dhcpc.

o Common usage:

    /sbin/dhcpcd -n -H eth0

-H = Force dhcpcd to set the hostname of the host to the hostname option
supplied by the DHCP server.
-n = If dhcpcd is already running send it an ALRM signal to cause it to
attempt to renew its lease.
eth0 = Interface to configure.


2. pump

o Only used if dhcpcd isn't found.

o Used by "ifup" to configure interface.

o Common usage:

    /sbin/pump --lookup-hostname -i eth0

--lookup-hostname = Get hostname and domain name from DNS
-i = Specifies interface to configure


21. X Window System

21.1 Pieces

1. X Server

The X-server is responsible for managing resources for X-clients.
These resources typically include the screen, keyboard, and
mouse. The X server runs on the machine that the user interacts
with. It passes user input back to the X-clients and outputs
information from the X-clients back to the user via the screen.

2. X Clients

X-clients connect to the X-server in order to use its resources.
X-clients can be run locally on the same machine as the X-server or
remotely (in which case they connect to the local X-server over the network).

3. X Protocol

X-clients and X-servers communicate using this protocol.

21.2 Configuration Tools

1. Xconfigurator

o TUI based.

o Primary configuration tool used on RH machines.

o Automatically probes video card for necessary configuration information.

o If probe fails, use "SuperProbe" to determine video card.

o Recommended configuration tool.

o Use "--expert" option in order to override probed values.

2. xf86config

o Character based.
o Xconfigurator recommended over this for exam.

3. SuperProbe

o Part of XFree86.

o Can be used to determine video card if Xconfigurator fails.

o May freeze system when probing.

21.3 Configuration Recommendations

1. Choose "No Clockchip Setting"

2. Select multiple video modes in case one doesn't work

3. If your card is unsupported, choose the generic SVGA or VGA support.

21.4 Hardware Support

1. Websites

o RH Hardware Compatibility Lists -
http://www.redhat.com/corp/support/hardware/index.html

o XFree 3.X - http://www.XFree86.org/cardlist.html

o XFree 4.X - http://www.XFree86.org/4.1.0/Status.html

o Laptops - http://linux-laptop.net

21.5 Files
1. X Configuration

o Default font path - /usr/X11R6/lib/X11/fonts

o User configuration files

1. ~/.xinitrc - Starts specified xclients in background and then execs a
window manager (e.g. exec startkde).

2. ~/.Xclients - execs .Xclients-default. Created by switchdesk.

3. ~/.Xclients-default - Starts desktop environment (e.g. exec
startkde or exec wmaker). This is used to override the default
desktop environment specified in /etc/sysconfig/desktop. This file
is created by switchdesk.

4. ~/.xsession - Used by display managers (e.g. xdm,kdm,gdm).

5. ~/.Xresources -

6. ~/.Xkbmap -

7. ~/.xmodmap -

o System configuration files

1. /etc/X11/<window manager>/ - Window manager specific files.

2. /etc/X11/XF86Config-4 - XFree 4.X primary configuration file.

3. /etc/X11/XF86Config - XFree 3.X primary configuration file.

4. /etc/X11/xinit/xinitrc - Same purpose as .xinitrc in users $HOME.
Only used if .xinitrc doesn't exist.

5. /etc/X11/xinit/xinitrc.d/ - Contains additional init scripts for X
startup. Executed by /etc/X11/xinit/xinitrc

6. /etc/X11/xdm/Xsession - Session configuration. Executed by
display manager (e.g. xdm, kdm, gdm).

7. /etc/X11/xdm/xdm-config - Configuration file for xdm.

o /etc/X11/

1. applnk/ - Directory structure for menu items.

2. fs/ - Built-in font server configuration.

3. <window manager>/ - Window manager specific files.

4. gdm/ - Configuration files for gdm display manager.

5. xdm/ - Configuration files for xdm display manager.

6. xinit/ - Configuration files needed for X startup & initialization.

o /usr/X11R6/

1. bin/ - X binaries

2. lib/
 modules/ - X server extensions/modules.

 xscreensaver/ - Screen saver programs.

 X11/fonts/ - Default font path.

 X11/app-defaults/ - Application defaults.

 X11/locale/ - Locale information.

 X11/xkb/ - X related keyboard information.

2. /etc/X11/X

o XFree 4.X

/etc/X11/X is a symlink to /usr/X11R6/bin/XFree86

o XFree 3.X

/etc/X11/X is a symlink to the actual X server.

3. Common X Client Options

    -display server:0.0
    -geometry 100x100+10+20   # A box 100x100 pixels that is 10 pixels from
                              # the left and 20 from the top of the screen
    -font font name
    -background color
    -foreground color
    -title string
    -bordercolor color
    -borderwidth pixels

21.6 Window Managers

1. A special type of x-client.

2. Controls how other x-clients appear.

3. Causes all x-clients to display with common features (title bar, minimize &
maximize buttons, etc.)

4. Basically controls look & feel of window session.

5. Common Window Managers:

o fvwm - Can be configured to emulate other windowing environments(e.g.
Windows 95, Motif).

o WindowMaker - Resembles NEXTSTEP.

o Enlightenment - Previous default window manager for GNOME.

o Sawfish - Current default window manager for GNOME.

6. Configuration files stored in /etc/X11/<window manager>/

21.7 Desktop Environments

1. Provide more features than a window manager.

2. A window manager is one part of the desktop environment.

3. Attempts to create a consistent environment for all applications.

4. Common Desktop Environments:

o KDE - K Desktop Environment (QT based)

o GNOME - GNU Network Object Model Environment (GTK based)

21.8 Display Managers

1. X-client.

2. Handles authentication.

3. Examples: xdm, gdm, kdm.

4. To change, edit /etc/X11/prefdm

21.9 Session Managers

1. Executes display managers:

o xdm - /usr/bin/xsession

o kdm - /usr/bin/kwm

o gdm - /usr/bin/gnome-session

2. Doesn't execute ~/.xinitrc

3. Will execute ~/.xsession if it exists, otherwise ~/.Xclients is executed.

21.10 Starting X
1. startx

o /usr/X11R6/bin/startx

Basic Operation
if exists (~/.xinitrc)
client = ~/.xinitrc
else
client = /etc/X11/xinit/xinitrc

if exists (~/.xserverrc)
server = ~/.xserverrc
else
server = /etc/X11/xinit/xserverrc

# Authorization setup
xauth add $display_name . $magic_cookie

xinit $client -- $server


# If $server isn't specified, xinit defaults to X:0

o /etc/X11/xinit/xinitrc

    if exists (/etc/X11/Xresources)
        xrdb -merge /etc/X11/Xresources
    if exists (~/.Xresources)
        xrdb -merge ~/.Xresources

    if exists (/etc/X11/Xkbmap)
        setxkbmap `cat /etc/X11/Xkbmap`
    if exists (~/.Xkbmap)
        setxkbmap `cat ~/.Xkbmap`

    if exists (/etc/X11/Xmodmap)
        xmodmap /etc/X11/Xmodmap
    if exists (~/.Xmodmap)
        xmodmap ~/.Xmodmap

    execute any scripts in /etc/X11/xinit/xinitrc.d/

    if exists (~/.Xclients)
        exec ~/.Xclients
    else if exists (/etc/X11/xinit/Xclients)
        exec /etc/X11/xinit/Xclients
    else
        exec fvwm2


2. xdm (Display Manager)

o /etc/X11/xdm/Xsession

Basic Operation

    execute any scripts in /etc/X11/xinit/xinitrc.d/

    if exists (~/.xsession)
        exec ~/.xsession
    else if exists (~/.Xclients)
        exec ~/.Xclients
    else if exists (/etc/X11/xinit/Xclients)
        exec /etc/X11/xinit/Xclients
    else
        exec xsm

21.11 Remote Display of X Applications

1. Security

xhost controls host-based access to the local X server: any client on a
listed host may connect. Cookie-based access (MIT-MAGIC-COOKIE-1, managed
with xauth) uses the credentials stored in ~/.Xauthority.

Format of xhost command:

    xhost [+|-]name

Where name is in the format of family:name. Family can be one of the following:
inet (default), dnet, nis, krb, local.

    xhost +                   # Disable access control: anyone can connect
    xhost -                   # Re-enable access control (authorized clients only)
    xhost +server.domain.com  # Grant access from server.domain.com
    xhost -server.domain.com  # Revoke access from server.domain.com
    xhost +local:bob          # Allow local user bob access

Any client allowed to connect can read keystrokes and window contents of
every other client on the display, so "xhost +" should never be used on a
networked machine; prefer SSH X forwarding (item 4 below).

2. Specifying a different display

Two ways to specify a display:

o Per client:

xterm -display server.domain.com:0.0

o For all clients:

export DISPLAY=server.domain.com:0.0

"DISPLAY" used by xclients to determine where to send
output.

3. Putting it all together

To allow remote.xyz.com to display clients on local.xyz.com,
perform the following steps:

o On local.xyz.com:

    xhost +remote.xyz.com

o On remote.xyz.com (DISPLAY names the machine whose screen the client
should appear on, i.e. the local one):

    export DISPLAY=local.xyz.com:0.0
    xterm


4. SSH

If X-Forwarding is enabled, SSH automatically configures
everything for you so that you can display X-clients from the remote
host to your local host. The X traffic travels inside the encrypted SSH
session, and no xhost entry is needed: ssh sets DISPLAY on the remote
host and installs a cookie in its ~/.Xauthority for you.

21.12 Troubleshooting X
1. Startup Problems
o X starts, but window manager doesn't.

1. Check .xinitrc file to see if the window manager is exec'd at the end.

2. Check to see if window manager files are readable by user.

3. Try renaming user's window manager configuration files and restart
X.

o X won't start.

1. Save existing XF86Config file and use Xconfigurator to build a
new one.

2. Verify selected video card and it's attributes with SuperProbe.

2. Mouse Problems

o Check physical connection.

o Run mouseconfig.

o If it doesn't work in X or gpm, it's probably a problem with the mouse
itself.

3. Can't login to Display Manager

o Verify that the user can log in successfully from a virtual terminal.

o Try a different window manager.

o Rename the user's window manager configuration files and try again.

4. Display Alignment is off

o Try adjusting monitor settings.

o Use xvidtune to adjust mode lines in the XF86Config file.


22. FTP

22.1 Packages

1. anonftp

o Not an ftp server.

o Required to setup anonymous ftp.

o Sets up the chroot'd env for anonymous ftp in /var/ftp:

    /var/ftp/bin
    /var/ftp/etc
    /var/ftp/lib
    /var/ftp/pub


o Cannot work stand alone, requires wu-ftpd.

2. wu-ftpd

o Actual FTP server software.

o Configuration files.

o xinetd configuration file.

o Documentation.

22.2 Configuration files

1. /etc/ftpaccess

Primary configuration file.

2. /etc/ftpusers

List of users that are not allowed to use FTP. This file is deprecated
in RH 7.X. Use deny-uid/deny-gid in /etc/ftpaccess instead.

3. /etc/ftphosts

Access restrictions by user/host. The last rule that matches wins.

For example, to deny access to steve from everywhere but 192.168.1.0/24,
add the following entries:

    deny steve *
    allow steve 192.168.1.0/24
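
The shell functions below are an added example; they are not part of the
original notes or of wu-ftpd. They evaluate allow/deny rules written in
the /etc/ftphosts layout against a user name and client address using the
last-matching-rule-wins behaviour described above, so a rule set can be
checked before it is put in place. addr_match understands a shell-style
glob (such as * or 192.168.*), a CIDR prefix (192.168.1.0/24) and an
address/netmask pair (10.0.0.0/255.0.0.0). The rule lines in the usage
comment are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the original notes: evaluate ftphosts-style
# allow/deny rules with "last matching rule wins", as described above.

# ip2int ADDR - dotted quad to a 32-bit integer
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# addr_match ADDR PATTERN
#   PATTERN is a glob (*, 192.168.*), a CIDR prefix (192.168.1.0/24) or an
#   address/netmask pair (10.0.0.0/255.0.0.0). Returns 0 on a match.
addr_match() {
    case "$2" in
        */*)
            net=${2%/*}
            bits=${2#*/}
            case "$bits" in
                *.*) mask=$(ip2int "$bits") ;;
                0)   mask=0 ;;
                *)   mask=$(( (4294967295 << (32 - bits)) & 4294967295 )) ;;
            esac
            [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
            ;;
        *)
            case "$1" in
                $2) return 0 ;;
                *)  return 1 ;;
            esac
            ;;
    esac
}

# ftphosts_allowed RULEFILE USER ADDR
#   Reads "allow|deny USER PATTERN [PATTERN ...]" lines from RULEFILE in
#   order; the last line whose user and any pattern match decides. A user
#   with no matching rule is allowed, since the file only adds restrictions.
ftphosts_allowed() {
    verdict=allow
    while read -r action user patterns; do
        case "$action" in
            allow|deny) ;;
            *) continue ;;           # skip comments and blank lines
        esac
        [ "$user" = "$2" ] || continue
        set -f                       # keep "*" patterns from expanding to file names
        for pat in $patterns; do
            if addr_match "$3" "$pat"; then
                verdict=$action
                break
            fi
        done
        set +f
    done < "$1"
    [ "$verdict" = allow ]
}

# Usage with a constructed rule file (on a real system point it at /etc/ftphosts):
#   printf 'deny steve *\nallow steve 192.168.1.0/24\n' > /tmp/ftphosts.test
#   ftphosts_allowed /tmp/ftphosts.test steve 192.168.1.40 && echo allowed
```

Because the verdict is taken from the last matching line, the order of the
two steve rules above matters: swapping them would deny steve everywhere.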

4. /etc/ftpconversions

Specifies file conversions that are to be performed by the FTP server.
It is commonly used to automatically compress and/or decompress files on
the fly for transfer.

5. /etc/ftpgroups

FINISH ME

6. /etc/xinetd.d/wu-ftpd

xinetd configuration file for wu-ftpd.

7. /etc/pam.d/ftp

PAM configuration file for FTP.

22.3 Operation
1. Started by xinetd.

2. Ports: 21 TCP and 20 TCP.

3. Starts as user root, then switches according to login type:

o anonymous: Switches to user ftp.

o user: Switches to the user logging in.

o guest: Switches to user logging in.

22.4 Types of User Accounts


1. Anonymous

o Easy to set up (automatically configured when anonftp is installed).

o The user logs in as "anonymous" and gives their e-mail address as the password.

o The user is chroot'd to /var/ftp by default.

o Cannot upload files by default.

2. Real

o Also easy to set up. Works by default.

o Users use their system logins and passwords to gain access.

o Start out in the user's home directory.

o The user has full access to the system.

o Can upload files to any directory where the Unix file permissions permit it.

o Can be dangerous to use.

3. Guest

o Requires setup.

o Users use their system logins and passwords to gain access.

o Users are chroot'd to a directory, typically their home directory.

o The user only has access to the directories within the chroot'd environment.

o The user can upload files if the Unix file permissions permit it.

o Much safer to use than "Real" user accounts.

22.5 Setting up Guest Users


In this example, we will configure user steve as a guest user.

1. Put /bin/false in /etc/shells so it's recognized as a valid shell by the
FTP server.

2. Change steve's shell to /bin/false (use chsh or edit /etc/passwd
directly). This prevents the user from logging in via normal means
(telnet, ssh, etc.).

3. Edit /etc/passwd and append "/./" (without quotes) to the end of steve's
home directory.

Change:

    steve:x:500:500::/home/steve:/bin/false

To:

    steve:x:500:500::/home/steve/./:/bin/false

4. Set up the guest user's home directory so it works as a chroot'd
environment:

    cp -a /var/ftp/bin ~steve
    cp -a /var/ftp/etc ~steve
    cp -a /var/ftp/lib ~steve
    chmod 0750 ~steve

Note that anonftp must be installed in order for the above steps to work.

5. Create the guestgroup specified in /etc/ftpaccess (default is ftpchroot)
as a system group:

    groupadd -r ftpchroot

6. Edit /etc/group and add user steve to the ftpchroot group.

7. Try to ftp to the server as user steve and see if it worked.
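
As an added example (not from the original notes), the helpers below carry
out and verify the passwd-file and home-directory parts of the procedure
above on files you name explicitly, so they can be tried on copies of
/etc/passwd and /etc/shells before the real files are edited.
guest_home_ok assumes the anonftp layout (bin, etc, lib) copied in step 4
and the 0750 mode set there; the entries in the usage comment are
constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: helpers for the wu-ftpd
# guest-user procedure above, operating on files passed as arguments.

# guest_passwd_entry PASSWDFILE USER
#   Print PASSWDFILE with USER's shell set to /bin/false and "/./" (the
#   marker wu-ftpd uses to locate the chroot) appended to the home
#   directory. Other lines pass through unchanged, and running it twice
#   on the same user does not double the marker.
guest_passwd_entry() {
    awk -F: -v user="$2" 'BEGIN { OFS = ":" }
        $1 == user {
            home = $6
            sub(/\/+$/, "", home)     # drop trailing slashes
            sub(/\/\.$/, "", home)    # drop an existing "/." marker
            $6 = home "/./"
            $7 = "/bin/false"
        }
        { print }' "$1"
}

# guest_entry_ok PASSWDFILE SHELLSFILE USER
#   Return 0 when USER's entry carries the /./ marker and /bin/false, and
#   /bin/false is listed in SHELLSFILE (step 1; otherwise the FTP server
#   refuses the login).
guest_entry_ok() {
    grep -qx '/bin/false' "$2" || return 1
    awk -F: -v user="$3" '
        $1 == user && $6 ~ /\/\.\/$/ && $7 == "/bin/false" { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# guest_home_ok HOMEDIR
#   Return 0 when HOMEDIR holds the bin, etc and lib copies from anonftp
#   and grants nothing to "other" (mode 0750 as in step 4), so the files
#   inside the chroot are not readable by every local user.
guest_home_ok() {
    for d in bin etc lib; do
        [ -d "$1/$d" ] || return 1
    done
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Usage on constructed copies (never on the live files without a backup):
#   cp /etc/passwd /tmp/passwd.copy
#   guest_passwd_entry /tmp/passwd.copy steve > /tmp/passwd.guest
#   guest_entry_ok /tmp/passwd.guest /etc/shells steve && echo "entry ok"
#   guest_home_ok /home/steve && echo "chroot skeleton ok"
```

The permission check reads the "other" column of ls -ld rather than a
stat flag so it behaves the same on any Unix; a home directory that is
world-readable would expose the copied etc directory to every local
account.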

22.6 Anonymous Upload


1. Look for "upload" under the "Permission Capabilities" section in the
ftpaccess man page for more information.

2. Create and configure the upload directory:

    mkdir /var/ftp/incoming
    chown root.root /var/ftp/incoming
    chmod 3773 /var/ftp/incoming # Set sticky and setgid bits so no one can
                                 # overwrite existing files and all files are
                                 # created with the same group as the directory.

3. Add the following entry to /etc/ftpaccess:

    upload /var/ftp /incoming yes root root 0400 nodirs

This states that any user who has a home directory of /var/ftp (e.g.
anonymous users) is allowed to upload into the incoming directory, but
can't create directories. Uploaded files are changed to owner root, group
root with permissions 0400 so anonymous FTP users can't read them.

22.7 Virtual Hosts


1. Several domains can be hosted by a single FTP server.

2. Requires an IP per domain. Use separate interfaces or IP aliasing
(preferred) on a single interface.

3. Configure /etc/ftpaccess:

    virtual 192.168.1.10 root /var/virtualftp/somedomain.com
    virtual 192.168.1.10 banner /var/virtualftp/somedomain.com/banner.msg
    virtual 192.168.1.10 logfile /var/log/virtualftp/somedomain.com/xferlog
    virtual 192.168.1.10 allow *

Note: The above directories will need to be created if they don't already
exist.

The "root" option specifies the root path for the virtual FTP server. The
"banner" option specifies the location of the file containing the banner
message that is displayed at login. The "logfile" option specifies where
transfers should be logged. The "allow" option allows all users to log in
to the virtual FTP server; you could also list specific users to allow.

The above configuration causes anonymous users to be chroot'd to the
"root" of the virtual server. Real users are still placed in their home
directory at login. It is recommended that guest users be configured for
the virtual domain so that they chroot to the virtual server's "root".

To disable anonymous FTP to the virtual server, specify:

    virtual 192.168.1.10 allow private


23. Print Services

23.1 Overview
1. Packages

LPRng is the only package required to actually print. The other packages
provide printer drivers and utilities to ease printer configuration.

o LPRng - Provides binaries, configuration files, documentation.

o Omni - Printer drivers.

o Omni-foomatic - Meta information about print drivers.

o printconf - GUI/TUI based printer configuration utility.

o ghostscript - A PostScript interpreter.

o ghostscript-fonts - Fonts for ghostscript.

o gv - A user interface to ghostscript.

2. Uses TCP port 515.

23.2 Configuration Files


1. /etc/printcap

This file is auto-generated by the printconf utilities. Any changes made
to this file by hand will be lost. The first printer defined in this file
is the default printer.

2. /etc/printcap.local

If you need to make changes to /etc/printcap by hand, put them in here
instead. These custom changes will be included in /etc/printcap when it
is regenerated.

3. /etc/lpd.conf

Configuration file for the LPRng printer spooler system.

4. /etc/lpd.perms

Permissions control file for the LPRng printer spooler system.

23.3 Utilities
1. printconf-gui/printconf-tui

Primary method of configuring printers.

2. lpc

Used to administer printing services.

o Disable/enable printers.

    lpc start bj200 # Start a single printer
    lpc stop bj200 # Stop a single printer
    lpc start all # Start all printers

o Disable/enable spooling queues.

    lpc enable bj200 # Enable print spool for a single printer
    lpc disable bj200 # Disable print spool for a single printer
    lpc enable all # Enable all print spools

o Modify job priorities.

    lpc topq bj200 101 # Move job 101 to the top of the print queue

o View status of printers and queues.

    lpc status all # Display the daemon and queue status for all printers

o Hold/release print jobs.

    lpc hold bj200 8 # Hold job 8 for printer bj200 from printing
    lpc release bj200 8 # Release job 8 for printing on bj200

o Move jobs to another printer.

    lpc move bj200 8 hp697c # Move job 8 from bj200 to hp697c
    lpc move bj200 hp697c # Move all jobs on bj200 to hp697c

o Redirect jobs to another printer.

    lpc redirect bj200 hp697c # Redirect all jobs sent to bj200 to hp697c
    lpc redirect bj200 hp697c off # Turn off redirection

o Reprint a job.

    lpc redo bj200 7 # Reprint job 7 on printer bj200

3. lpr

Used to send print requests to a printer.

    lpr /etc/hosts # Print file to default printer
    cat /var/log/messages | lpr -P hp697c # Print standard input to hp697c

4. lpq

Display information about and administer print queues.

    lpq # Display queue information for default printer
    lpq -Php420 # Display queue information for hp420 printer

5. lprm

Remove print jobs from a print queue.

    lprm # Remove last job submitted
    lprm -Pbj200 12 # Remove job 12 from print queue bj200
    lprm -Pbj200 steve # Remove all of steve's jobs from print queue bj200
    lprm -a all # Remove all jobs in all print queues
    lprm -a steve # Remove all of steve's print jobs in all print queues

6. checkpc

Checks the /etc/printcap file for problems and verifies the devices
assigned to printers.

23.4 Remote Printing Requirements


1. Remote LPD

o IP address of the remote print server.

o Name of the queue on the remote print server.

2. Samba

o NetBIOS name or IP address of the Samba server.

o Name of the shared print service. This must include the server name (e.g.
//server1/bj200ex, not bj200ex).

o Print filter for the remote printer installed locally.

o User name to connect to the print share with (usually nobody or guest).

o The password for the user, if required.

o The workgroup name of the Samba server providing the print service.

3. Novell

o ncpfs package installed.

o Server name/IP.

o Printer name.

o Valid username and password.



24. NFS

24.1 Overview
1. File sharing service.

2. RPC based service, so it requires portmap.

3. Packages:

o nfs-utils

Provides:

1. nfsd - Provides the userland portion of the NFS service.

2. lockd - NFS lock manager (kernel module).

3. rpciod -

4. rpc.mountd - Provides mounting services.

5. rpc.rquotad - Returns quota information.

6. rpc.statd - Used by lockd to recover locks after a server crash.

o portmap

Provides the portmap program. Portmap maps calls made by other hosts to
the correct RPC service. Because portmap is compiled with TCP wrappers
support (libwrap), those that need to access portmap must be given
access via /etc/hosts.allow and/or /etc/hosts.deny.

4. Ports

o TCP/UDP 111 - portmap

o UDP 2049 - nfsd

o The other NFS related services vary in the port numbers they use.
Clients contact portmap to find out the port numbers the other RPC
services use.

5. Required Services

Listed in startup order:

o NFS Server

1. portmap

2. nfs

o NFS Client

1. portmap

2. nfslock

24.2 Configuration
1. /etc/exports

o NFS server configuration file.

o Format:

    <directory> <host or network>(options) <host or network>(options) ...

It is critical that there not be any spaces between the host/network and
its options.

o Example:

    # Allow all hosts in the somewhere.com domain to mount /var/ftp/pub read-only
    /var/ftp/pub *.somewhere.com(ro)

    # Allow all hosts to mount /var/www/html read-only and allow certain hosts to
    # mount it read-write
    /var/www/html *(ro) 192.168.1.0/255.255.255.0(rw) 192.168.2.10(rw)

    # Allow certain hosts to mount /usr read-only and another read-write as root
    /usr 172.16.0.0/255.255.0.0(ro) 172.16.1.10(rw,no_root_squash)

    # Allow access to /usr/local by everyone, but only as the anonymous user
    /usr/local *(ro,all_squash,anonuid=100,anongid=100)

o Restrictions

1. Root can't mount an NFS share as root unless no_root_squash is used.
Normally when root mounts a share, NFS maps root to the local user nobody.

2. You can't export a directory that is a parent or child of another
exported directory within the same file system.

e.g. You can't export both /usr and /usr/local unless /usr/local is a
separate file system.

o Common Export Options

    no_root_squash - Remote hosts can access local shares as root (Dangerous!)
    ro - Read-only
    rw - Read/Write
    sync - All file system writes must be committed to disk before the
           request can be completed.
    all_squash - All remote users are mapped to a local anonymous user.
    anonuid - Specify the uid to use for anonymous access.
    anongid - Specify the gid to use for anonymous access.
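
The following is an added example, not part of the original notes or of
nfs-utils: a small lint pass over an /etc/exports file that reports the
three problems discussed above, namely a space between a host and its
(options) (which leaves the host with default options and applies the
options to every host), no_root_squash on any client, and a read-write
export to *. It prints one finding per line and exits non-zero when
anything is found; the sample file in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: lint an exports file for
# the mistakes the /etc/exports section warns about.

# lint_exports EXPORTSFILE
#   Print a finding per problem and return 1 if any was found, 0 otherwise.
lint_exports() {
    awk '
        /^[ \t]*#/ { next }                 # comment line
        NF == 0 { next }                    # blank line
        {
            dir = $1
            for (i = 2; i <= NF; i++) {
                client = $i
                # A field that is only "(options)" means the line was written
                # "host (options)": the host gets the defaults and the options
                # apply to the wildcard host, i.e. to everyone.
                if (client ~ /^\(/) {
                    printf "line %d: options %s are separated from the host by a space and apply to every host\n", NR, client
                    bad = 1
                    continue
                }
                host = client
                opts = ""
                if (match(client, /\(.*\)$/)) {
                    host = substr(client, 1, RSTART - 1)
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                }
                if (opts ~ /(^|,)no_root_squash(,|$)/) {
                    printf "line %d: %s exported to %s with no_root_squash\n", NR, dir, host
                    bad = 1
                }
                if (host == "*" && opts ~ /(^|,)rw(,|$)/) {
                    printf "line %d: %s exported read-write to every host\n", NR, dir
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Usage (the file is constructed; on a server run it against /etc/exports
# before "exportfs -r"):
#   printf "/export/home 192.168.1.0/24 (rw)\n" > /tmp/exports.test
#   lint_exports /tmp/exports.test || echo "fix /etc/exports before exporting"
```

Each export is split on whitespace, so the parser sees exactly what the
NFS server sees: the space before "(rw)" turns it into a separate field,
which is why that form is flagged instead of being silently accepted.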

2. /etc/fstab

o Used for NFS client configuration.

o Example:

    server:/usr /usr nfs user,soft,intr,rsize=8192,wsize=8192 0 0

o Common NFS related mount options

    soft - Processes return with an error on a failed I/O attempt.
    hard - If a process tries to access an unavailable share, it will hang
           until data is retrieved.
    intr - Allows NFS requests to be interrupted or killed if the server is
           unreachable.
    nolock - Disable file locking in order to work with older NFS servers.
    rsize - Sets the number of bytes NFS reads from a share at one time
            (default 1024).
    wsize - Sets the number of bytes NFS writes to a share at one time
            (default 1024).

    * Setting rsize and wsize to 8192 greatly increases performance.

24.3 Auto Mounting NFS shares


1. Requires the autofs package to be installed.

2. Create an entry in /etc/auto.misc for the NFS share:

    ftp -fstype=nfs,intr,soft 192.168.1.20:/var/pub/ftp

If the default autofs setup is used, whenever someone accesses /misc/ftp,
the remote NFS share on 192.168.1.20 will be automatically mounted. The
options specified in /etc/auto.misc have the same meaning as when they
are used in /etc/fstab.

24.4 NFS Utilities


1. exportfs

o Used to maintain the table of exported file systems.

o Example Usage:

    exportfs -r # Refresh the share listing after modifying /etc/exports.
                # This MUST be done in order for your changes to take effect.
    exportfs -v # Display a list of shared directories
    exportfs -a # Export all shares listed in /etc/exports

    # To export a filesystem not in /etc/exports
    exportfs 192.168.1.0/255.255.255.0:/tmp

    # Unexport a filesystem
    exportfs -u 192.168.1.0/255.255.255.0:/tmp

2. showmount

o Show mount information for an NFS server.

o Does not require that any local NFS services be running in order to use it.

o Example Usage:

    showmount -e 192.168.1.67 # Show available shares on host 192.168.1.67
    showmount -a 192.168.1.67 # Show the clients connected to host 192.168.1.67
                              # and the shares they have mounted.

3. rpcinfo

o Reports RPC information.

o Can determine if RPC services are running on a host.

o Example Usage:

    rpcinfo -p 192.168.1.77 # Display list of RPC services running on 192.168.1.77


25. Network Information Service (NIS)

25.1 Overview
1. Central information database.

2. Can provide user, group, name resolution, home directory, and
authentication information.

3. Packages

o ypserv - Provides the ypserv and yppasswdd daemons. ypserv provides the
NIS service and yppasswdd allows the user to change their password and
possibly their shell and GECOS information (see below).

o ypbind - Provides the ypbind daemon that is used by clients to connect to
an NIS server.

o yp-tools - Provides various NIS client programs.

o portmap - Not part of NIS, but is required for it to work.

4. Ports

Assigned by portmap.

5. Supported NIS Versions

ypbind supports versions 1 through 3.

ypserv supports versions 1 & 2.

6. Topology

o Flat namespace. No sub-domains are allowed.

o Only one master per domain.

o Multiple slave servers are allowed. This provides fault tolerance and
load sharing.

7. Limitations

o Low Security - Designed when networks could be trusted (e.g. no sniffers
installed, no one tries to bypass the service).

o Low Scalability - Replication of data between servers isn't very
efficient. NIS has a flat name space that can't be delegated out by
subdomain to help ease administration. This limits the use of NIS in
larger networks.

o Only runs on *nix - Limited use in heterogeneous environments.

25.2 NIS Client Info


1. Startup

o Two options for finding the NIS server:

1. Broadcast

ypbind contacts its NIS server by sending a broadcast message. This can
be a security risk since a rogue NIS server could answer all NIS
broadcasts in order to collect authentication information.

2. /etc/yp.conf

NIS servers for the client's domain can be listed in this file. This is
more secure since clients contact the NIS server directly instead of
broadcasting. This file is modified by authconfig when you select NIS
authentication.

2. Configuration

o Use authconfig to configure the client machine to use NIS. You must
specify the following:

1. The domain the client will belong to.

2. An NIS domain server (master or slave).

authconfig automatically starts the ypbind daemon for you.

o Configure /etc/nsswitch.conf.

Make sure that "nis" is listed for any information that will be stored
in NIS. For example:

    passwd: files nis     # Check for users in the local system file first, then NIS
    shadow: files nis     # Same as above, only for the users' passwords
    hosts: files nis dns  # Check the local files, then NIS, then DNS for host information

The order specified is important. For example, if user steve is defined
in both the system files and the NIS map and we have the same setup as
the nsswitch.conf file above, the information about user steve (passwd,
GECOS, etc.) will be retrieved from the local system files and not from
the NIS map.

To change this, we would need to reverse the order listed above for the
passwd and shadow entries so that "nis" comes before "files".

3. Client Side Tools

o ypwhich - Determines which master or slave NIS server the client is using.

o ypcat - Used to print keys in an NIS map. For example, to print the
information in the passwd file:

    ypcat passwd

o ypchfn - Change your GECOS information in NIS.

yppasswdd must be started with "-e chfn" in order for users to be able to
change their GECOS information.

o ypchsh - Change your login shell in NIS.

yppasswdd must be started with "-e chsh" in order for users to be able to
change their login shell.

o yppasswd - Change your NIS password.

o yppush - Used to copy NIS information from masters to slaves. Called
automatically if "NOPUSH=false" in the /var/yp/Makefile.

o ypmatch - Used to print the value of one or more keys in an NIS map.

For example, to print the entry for user steve in the passwd file:

    ypmatch steve passwd

25.3 NIS Server


1. Configuration

o Specify your domain in /etc/sysconfig/network by inserting the following
line:

    NISDOMAIN=somedomain

This will set your domain name at bootup. To set it now, use the
domainname command:

    domainname somedomain

SECURITY NOTE: The domain specified should not be the same as your DNS
domain. NIS domains should be kept secret in order to improve security.
If an NIS domain is known and the NIS server can be reached, any client
can connect to the domain.

o Master Servers

1. Make sure the host name has been changed to something other than
localhost.localdomain. This can cause problems for slave servers if it's
not changed.

2. Specify the networks that are allowed to connect to the NIS server in
/var/yp/securenets.

3. Change /var/yp/Makefile to fit your needs. This file includes a list of
possible information that NIS can store.

A few options:

    NOPUSH=true        # Set to false if you have slave servers
    MERGE_PASSWD=true  # Should we merge the shadow file with the password file?
    MERGE_GROUP=true   # Should we merge the gshadow file with the group file?
    MINUID=500         # Lowest uid to include in the NIS map
    MINGID=500         # Lowest gid to include in the NIS map

4. Start portmap and ypserv:

    service portmap start
    service ypserv start

5. Create the NIS map:

    /usr/lib/yp/ypinit -m

You may receive the following message:

    Could not read ypservers map: 3 Can't bind to server which serves this domain

This does not appear to be a critical error. The NIS map is still
created.

If you only want to include login and group information in your NIS map,
you could use the following instead of ypinit:

    make passwd shadow group

Any time you change information on the master server that affects the
NIS map, you must re-run the "make" command. User passwords are the
exception to this rule. They are updated automatically.

o Slave Servers

1. Put an entry in /etc/hosts for the master NIS server.

2. All names of the slave servers must be specified in the
/var/yp/ypservers file on the master server.

3. Start portmap and ypserv:

    service portmap start
    service ypserv start

4. Execute ypinit:

    /usr/lib/yp/ypinit -s <masterserver>

If specifying the IP address of the master server doesn't work, specify
the hostname (from /etc/hosts) of the master server instead.

You may see the following message several times:

    Trying ypxfrd ... not running

Everything still appears to transfer OK from the master server.

2. Replication

o yppush is automatically called whenever the master server's databases
are updated. yppush transfers the NIS map from the master to the slaves.
In order for replication to work, ypbind must be running on the master
server.

o ypxfr is similar to yppush except that it transfers the NIS map from
the NIS server to the localhost. It is usually invoked by ypinit or
ypserv.

3. Debugging

o Check NIS using rpcinfo:

    rpcinfo -p localhost

o Verify portmap is running.

25.4 Using Automounter to Automount User Home Directories

1. First, add the following line to /etc/auto.master:

    /home /etc/auto.home --timeout 60

2. Then, create the /etc/auto.home file with the following contents:

    * -rw,soft,intr 192.168.1.20:/home/&

In this case, 192.168.1.20 is the IP address of the NFS server.

3. Unmount /home on the client machine if it is a separate partition.

4. Restart autofs.

5. On the NFS server, put the following line in /etc/exports:

    /home 192.168.1.0(rw)

6. Start (or restart) NFS on the NFS server.


26. LDAP

26.1 Overview
1. Distributed directory service.

2. Plaintext is used by default, but can be configured to use TLS.

3. Packages

o openldap - Contains configuration files, libraries, and documentation
needed for OpenLDAP to function.

o openldap-servers - Contains the slapd LDAP daemon and the slurpd
replication daemon as well as several migration scripts.

o openldap-clients - Contains client programs needed for accessing and
modifying OpenLDAP directories.

o nss_ldap - Contains two LDAP access clients, nss_ldap and pam_ldap.

o gq - Provides the GUI LDAP client gq.

4. Ports

o slapd - TCP 389

o slurpd - ???

5. Terminology

o Distinguished Name (DN) - Used to reference a specific entry in the
directory service. Example DN:

    uid=steve, ou=People, dc=somedomain, dc=com

o BaseDN - A server is responsible for all DNs that are within its BaseDN.
Example BaseDN:

    dc=somedomain, dc=com

26.2 LDAP Server


1. slapd

o Stand-alone LDAP Daemon.

o Migration

1. Scripts to migrate existing system data to an LDAP server are stored in
/usr/share/openldap/migration.

2. migrate_common.ph - Contains common header information needed by the
migration scripts. You need to modify:

    $DEFAULT_MAIL_DOMAIN
    $DEFAULT_BASE

3. After changing the defaults, modify /etc/openldap/slapd.conf (see below)
and then run the appropriate migration script. For example:

o migrate_all_offline.sh - Migrates traditional UNIX flat files.

NOTE: Starting with RH 7.1, protocols and services were added that
contain a + in their name. These must be commented out of /etc/protocols
and /etc/services because they cause trouble with the migration scripts.

o migrate_all_nis_offline.sh - Migrates information from existing NIS
services.

o See /usr/share/openldap/migration/README for an explanation of the
various migration scripts.

4. Change the ownership of the LDAP database files so slapd can access
them:

    chown -R ldap:ldap /var/lib/ldap

o Configuration

1. Edit /etc/openldap/slapd.conf and specify the following:

o suffix - The BaseDN

o rootdn - The DN for the administrator

o rootpw - The password for the administrator

2. Access

o The default setup gives rootdn read/write access and read-only access to
all others.

o Highly configurable.

o Compare, search, read, and write access can be configured for each
entry.

26.3 LDAP Clients


1. Command Line
o Configured in /etc/openldap/ldap.conf.

1. Specify which server to bind to.

2. Specify the BaseDN to use.

3. Client utilities usually let you override these defaults.

o Utilities include:

1. ldapadd - Add directory entries.

2. ldapdelete - Delete directory entries.

3. ldapmodify - Modify directory entries.

4. ldappasswd - Change password of an entry.

5. ldapsearch - Searches directory entries.

2. GUI

o gq - Allows user to browse, search, modify, and display directory entries.

26.4 Using LDAP with NSS


1. Requires the nss_ldap RPM.

2. Configuration

o /etc/nsswitch.conf - Add "ldap" to the search order of the entries that
will be provided by LDAP.

o /etc/ldap.conf - Configuration file for nss_ldap. Note that this is
different from the client configuration file /etc/openldap/ldap.conf.

Common Entries:

    host 192.168.1.5                  # LDAP server
    base dc=xyz,dc=com                # Base DN of database
    binddn cn=binduser,dc=xyz,dc=com  # DN to bind to the server with.
                                      # Default is anonymous access.
    bindpw super_secret               # Password for user to bind with
    rootbinddn cn=root,dc=xyz,dc=com  # DN to bind to the server with when the unix uid is 0.
                                      # Password is stored in /etc/ldap.secret in plaintext (mode 600)
    ssl                               # Use TLS instead of plaintext communication

The rootbinddn is the DN used to attach to the LDAP database when the
userid = 0. It must be set to a DN with proper permissions (typically
the rootdn specified in /etc/openldap/slapd.conf) in order for root to
update user accounts using command line utilities like passwd, chsh, etc.

o /etc/pam.d/system-auth - PAM configuration file used for system
authentication. This is configured by authconfig.

3. Troubleshooting

If, as root, you attempt to change the password of a user stored in the
LDAP database and you receive an error about the user being "Unknown",
verify the password in /etc/ldap.secret is correct. It must be in plain
text. When the password is incorrect, root can't bind to the LDAP
database and therefore won't be able to find the user.


27. Samba

27.1 Overview
Samba provides SMB/CIFS services to clients. The smbd daemon
performs authentication, authorization, file, and print sharing services.
The nmbd daemon can act as a netbios name server as well as a WINS
server.

1. Packages

o samba-common

Contains files needed by both the client and server parts of Samba.

o samba-client

Contains the client side files.

o samba

Contains the server side files.

o samba-swat

A web based administration tool.

2. Ports

o smbd

TCP port 139.

o nmbd

UDP ports 137 & 138.

27.2 Configuration
1. /etc/samba/smb.conf

o All configuration is done via editing this file.

o Similar in format to the windows.ini file.

o Sections

1. global

Contains all server wide or generic settings.

2. homes

Used to grant users access to their home directories.

3. printers

Used to configure printer resources/services.

2. Global Configuration

o User/Password Options

1. Encrypted Passwords

To enable encrypted passwords, the following two lines must be
uncommented:

    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd

To create the password file, simply add a user:

    smbpasswd -a steve

OR

    smbadduser steve:steve # <unix user>:<nt user>
    smbpasswd -u steve

The user must exist in the Unix system password files before being added
to the smbpasswd file. The file created will be the password file
specified by the smb passwd file option in /etc/samba/smb.conf.

2. username level

Helps Samba determine what the Unix user name is. By default it tries
all lower case characters. This number specifies how many uppercase
combinations should be tried. The larger the number, the longer it can
take to authenticate, but the better the chance of success.

3. password level

Same as username level, only for the password.

4. Syncing with Unix passwords

If you want the Unix password changed every time the Samba password is
changed, you must specify the following:

    unix password sync = Yes

    # unix utility to use
    passwd program = /usr/bin/passwd %u

    # chat string
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*au$

o workgroup

The workgroup option specifies the name of the Windows workgroup or NT
domain name that the Samba server will belong to.

o netbios name

The netbios name option specifies what the Samba server will advertise
as its NetBIOS name. By default, this is the same as the first part of
the host's FQDN.

o Restricting Hosts

The hosts allow option allows you to specify which hosts are allowed to
use the Samba service.

    hosts allow = 192.168.1. 192.168.2. 192.168.3.20

This allows all hosts in the 192.168.1.0/24 and 192.168.2.0/24 networks
and the single host 192.168.3.20 to access the Samba services.

o Printer Options

    printcap name = /etc/printcap # Specify printer definition file
    load printers = yes # Make all defined printers available to users
    printing = lprng # Specifies printing system used

o guest account

The account used for access permissions when connecting to shares that
allow guest access. Make sure to add this account to /etc/passwd. If it
isn't specified, user "nobody" is used.

o WINS support

Samba can act as a WINS client, or a WINS server, but not both. As a
WINS client it will look up NetBIOS names using another WINS server. As
a WINS server, it will provide the NetBIOS name to IP conversion for
other clients.

To make Samba a WINS client:

    wins server = 192.168.1.5

To make Samba a WINS server:

    wins support = yes
    name resolve order = wins lmhosts host bcast

The second option is required and defaults to "host lmhosts wins bcast".
It specifies the order in which the various resources are consulted for
NetBIOS name resolution.

1. host - Perform the standard host name to IP resolution using
/etc/hosts, NIS, and DNS.

2. lmhosts - Use the name/IP address mappings specified in the lmhosts
file. By default, the lmhosts file is /etc/samba/lmhosts.

    127.0.0.1 localhost
    192.168.1.5 endor

3. wins - Query the host specified in the wins server option to resolve
the IP address.

4. bcast - Use a NetBIOS broadcast to resolve the IP address. This only
works for hosts connected to the local network.

o Authentication Methods

Specify the authentication method with the security option. Possible
values are:

1. user - Authenticate by user using the smbpasswd file. The user must be
defined on the Unix system. This is the default.

2. share - The user authenticates against each individual share.

3. server - Samba validates the user using the server specified by the
password server parameter. The user must still be defined on the Unix
system.

4. domain - Samba validates the user using the PDC or BDC as a normal NT
server would. The Samba server must first be added as a valid machine to
the PDC. The user must still be defined on the Unix system.

o Logging Options

    log file = /var/log/samba/%m.log
    max log size = 0

The first option specifies that an individual log will be kept for each
machine (%m) that connects to the server. The second option specifies a
size limit to put on the log file (zero = unlimited).

o Browser Options

    local master = yes # Allow Samba to participate in master browser elections
    os level = 35 # The higher the level, the better chance of winning the election
    preferred master = yes # Causes Samba to force an election upon startup
    domain master = yes # Allows Samba to collate browse lists between subnets

o Domain Options

    domain logons = yes # Causes Samba to become a domain logon server for Windows 95 machines.

3. Common Share Options

o public

Share can be accessed by the "guest" account.

o browseable

Makes the share visible in browse lists.

o writable

Allows users to write to the share.

o printable

Specifies the share/resource as a printer, not a disk.

o group

Specifies the UNIX group that will be assigned as the default primary
group for all users connecting to the share.

o valid users

Specifies the users that are allowed to connect to the share.

o create mode/create mask

Specifies the Unix file permission bits that will always be set on any
file created in this directory by Samba.

o directory mode

Same as 'create mode', only for directories.

o write list

A list of users and/or groups that will be given write access to the
share if the 'writable' option is set to "no".

o path

Specifies the location of the share within the Unix file system.

o only guest/guest only

If set to yes, then only guest connections to the share are permitted.

o guest ok/public

This permits the guest account to access this share.

o Special shares

Some shares have special meaning to Samba when defined; these are:

1. [printers]

Printable share that includes all system defined printers.

2. [homes]

Sets up each user's home directory as a file share that is accessible
only by that user.

3. [netlogon]

Specifies the netlogon directory for Domain Logons.
4. Example Shares

o File share for research dept.

    [research]
    comment = Research Dept.
    path = /var/research   # Location of share on file system
    public = yes           # The guest account may access it (synonym for 'guest ok')
    writable = yes         # Authenticated users can write to it
    printable = no

o Printer share configuration

    [printers]                # Special share that defines all printers
    comment = All printers
    path = /var/spool/samba   # Location of spooling directory for print jobs
    browseable = no           # Does not show up in browse lists
    guest ok = no             # Guest user is not allowed to connect to this share
    printable = yes           # A printer share

o File share for accounting dept.

    [accounting]
    comment = Accounting
    path = /usr/local/shares/accounting
    valid users = @accounting   # Only users in the unix group 'accounting' can access the share
    public = no
    write list = bob sue steve  # Only users bob, sue, and steve can write to this share

o Home directory shares

    [homes]
    comment = Home Directories
    browseable = yes
    writable = yes
    valid users = %S
    create mode = 0664
    directory mode = 0775
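The share options above are easy to combine into something unintended (a share that is both public and writable, for example). The following is an added example, not code from these notes or from Samba, that parses an smb.conf with Python's configparser, folds the option synonyms listed above together, and reports shares that are guest-writable, force every connection onto the guest account, or set a world-writable create mode. The configuration text, including the extra [dropbox] share, is constructed for the demonstration.

```python
"""Audit smb.conf share definitions for risky option combinations.

Added example, not code from the original notes or from Samba. It parses
the INI-style smb.conf syntax with the standard library, folds Samba's
option synonyms together (public/guest ok, writable/writeable, ...) and
reports shares that grant anonymous write access, run every connection
as the guest account, or create world-writable files.
"""
import configparser
from typing import Dict, List

# Constructed sample configuration in the style of the example shares above.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = MYGROUP
   security = user

[research]
   comment = Research Dept.
   path = /var/research      # location of share on file system
   public = yes
   writable = yes
   printable = no

[accounting]
   comment = Accounting
   path = /usr/local/shares/accounting
   valid users = @accounting
   public = no
   write list = bob sue steve

[dropbox]
   path = /srv/dropbox
   guest ok = yes
   only guest = yes
   writeable = yes
   create mask = 0777
"""

# Samba accepts several spellings for the same option; map them to one name.
SYNONYMS = {
    "public": "guest ok",
    "writeable": "writable",
    "write ok": "writable",
    "guest only": "only guest",
    "create mask": "create mode",
}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {share name: {option: value}} with synonyms folded together."""
    parser = configparser.ConfigParser(
        interpolation=None,                 # keep %S, %m and friends literal
        strict=False,                       # tolerate repeated options
        comment_prefixes=("#", ";"),
        inline_comment_prefixes=("#", ";"),
    )
    parser.read_string(text)
    shares = {}
    for section in parser.sections():
        options = {}
        for key, value in parser.items(section):
            options[SYNONYMS.get(key, key)] = value.strip()
        shares[section] = options
    return shares


def is_yes(value: str) -> bool:
    return value.lower() in ("yes", "true", "1")


def audit_share(name: str, options: Dict[str, str]) -> List[str]:
    """Return findings for one share; an empty list means nothing was flagged."""
    findings = []
    guest = is_yes(options.get("guest ok", "no"))
    writable = is_yes(options.get("writable", "no"))
    printable = is_yes(options.get("printable", "no"))
    if guest and writable and not printable:
        findings.append("guest-writable share")
    if is_yes(options.get("only guest", "no")):
        findings.append("all connections run as the guest account")
    mode = options.get("create mode")
    if mode is not None and int(mode, 8) & 0o002:
        findings.append("create mode %s makes new files world-writable" % mode)
    if "path" not in options and name not in ("homes", "printers"):
        findings.append("no path set")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Audit every share (everything except [global]) in an smb.conf text."""
    return {name: audit_share(name, options)
            for name, options in parse_smb_conf(text).items() if name != "global"}


if __name__ == "__main__":
    for share, findings in audit(SAMPLE_SMB_CONF).items():
        print("[%s]: %s" % (share, ", ".join(findings) or "ok"))
```

Run against a real file with `audit(open("/etc/samba/smb.conf").read())`; testparm still has the final word on syntax, this only looks at the combinations of options that matter for exposure.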

27.3 Utilities
1. testparm

o Check for errors in smb.conf.

o Test security settings for a particular host:

    testparm /etc/samba/smb.conf 192.168.1.20

This would return the resources available to the host at 192.168.1.20.

2. testprns

Determines whether a printer is valid for use through smbd.

    testprns <print> /etc/printcap

3. smbclient

Provides command line ftp-style retrieval of files from smb/cifs
shares.

    smbclient -L 192.168.1.10            # List accessible shares on host 192.168.1.10
    smbclient //192.168.1.10/homes       # Connect to user home directory
    smbclient -U steve //somehost/homes  # Connect to homes share as user steve

4. nmblookup

Provides hostname and IP resolution for netbios.

    nmblookup -U server -R 'endor'  # Look up host 'endor' by sending a unicast query
                                    # to the WINS server 'server' with the recursion
                                    # flag set (-R)
    nmblookup \*                    # List all machines

5. smbmount

Used to mount smb/cifs shares on a local system.

    # Mount share research from server endor onto mount point
    # /mnt/smb/endor as user steve
    smbmount //endor/research /mnt/smb/endor -o username=steve

Samba mounts can be performed automatically at boot up by putting them in the
/etc/fstab file:

    //endor/research /mnt/smb/endor smbfs defaults,credentials=/etc/smb/endor.research 0 0

The credentials option specifies the file that contains the username/password pair
to use. Make sure this file is protected adequately. The credentials file should
contain:

    username = steve
    password = mypassword
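Because the credentials file holds a clear-text password, the check a practitioner actually wants is whether its permissions and ownership are tight. The following added example (not code from these notes or from Samba) inspects a credentials file of the format shown above and reports a mode that grants group or other access, an unexpected owner, or a missing username/password line; the two files it writes are constructed in a temporary directory.

```python
"""Check that an fstab/smbmount credentials file is adequately protected.

Added example, not code from the original notes or from Samba. It assumes
the two-line 'username = ...' / 'password = ...' format shown above and
reports a file that is readable by group or other, not owned by the
expected user, or missing either line.
"""
import os
import stat
import tempfile
from typing import Dict, List


def credentials_file_problems(path: str, expected_uid: int = 0) -> List[str]:
    """Return a list of problems; an empty list means the file is acceptable."""
    problems = []
    info = os.stat(path)
    mode = stat.S_IMODE(info.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o grants group/other access; expected 0600" % mode)
    if info.st_uid != expected_uid:
        problems.append("owned by uid %d, expected uid %d" % (info.st_uid, expected_uid))
    with open(path) as handle:
        keys = {line.split("=", 1)[0].strip().lower() for line in handle if "=" in line}
    for required in ("username", "password"):
        if required not in keys:
            problems.append("missing '%s' line" % required)
    return problems


def demo() -> Dict[str, List[str]]:
    """Write two constructed credentials files (one 0600, one 0644) and audit both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("good", 0o600), ("bad", 0o644)):
            path = os.path.join(tmp, name)
            with open(path, "w") as handle:
                handle.write("username = steve\npassword = mypassword\n")  # constructed
            os.chmod(path, mode)
            # Temporary files belong to the running user, so expect that uid here;
            # for a real /etc/smb/*.credentials file the default of uid 0 applies.
            results[name] = credentials_file_problems(path, expected_uid=os.getuid())
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print("%s: %s" % (name, "; ".join(problems) or "ok"))
```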

27.4 Disabling Encrypted Passwords on Windows Clients

1. Windows 95 OSR2+ and Windows 98

Using the registry editor (regedit), go to:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP

Add a DWORD value with the name EnablePlaintextPassword. Set its value to
0x01.

2. Windows NT

Using the registry editor (regedit), go to:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rdr\Parameters

Add a DWORD value like above.

27.5 Configuring Samba as a Primary Domain Controller

1. Make sure Samba is the only PDC on the network.

2. Make sure there is a WINS server on the network (NT or Samba).

3. Samba is set to use "user" level security.

4. Set the following options in the [global] section of your smb.conf file:

    [global]
    workgroup = MYGROUP
    domain logons = yes
    security = user
    os level = 34
    local master = yes
    preferred master = yes
    domain master = yes

    [netlogon]
    comment = Domain Logon Service
    path = /var/samba/logon
    public = no
    writeable = no
    browsable = no

5. NT Clients

If you have NT clients on your network, you must also add the
following option:

    encrypt passwords = yes

NT clients also require a trust account. Trust accounts allow the machine to log in to
the PDC and become a member of the domain. Use the following steps to set up a
trust account on the Samba server for the NT client:

o Add a unix system account for the machine. The logon name will always
end in a "$". Your /etc/passwd entry should look similar to:

    endor$:x:1000:1000:Trust Account:/dev/null:/dev/null

Place an * in the password field of the /etc/shadow file to prevent anyone
from logging into the unix server with this account.

o Add the encrypted password for the machine:

    smbpasswd -a -m endor

The "-m" specifies it's a machine trust account. The default password will
be set to the netbios name of the machine. The NT client should log into the
PDC as soon as possible so it can change the default password.

27.6 Default Red Hat smb.conf


This is the default smb.conf that comes with RH 7.2.

# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = MYGROUP

# server string is the equivalent of the NT Description field
server string = Samba Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
printing = lprng

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log

# Put a capping on the size of the log files (in Kb).
max log size = 0

# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = user

# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
; password server = <NT-Server-Name>

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
; password level = 8
; username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

# The following is needed to keep smbclient from spouting spurious errors
# when Samba is built with support for SSL.
; ssl CA certFile = /usr/share/ssl/certs/ca-bundle.crt

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
; unix password sync = Yes
; passwd program = /usr/bin/passwd %u
; passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
; username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/samba/smb.conf.%m

# This parameter will control whether or not Samba should obey PAM's
# account and session management directives. The default behavior is
# to use PAM for clear text authentication only and to ignore any
# account or session management. Note that Samba always ignores PAM
# for authentication in the case of encrypt passwords = yes

; obey pam restrictions = yes

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24

# Configure remote browse list synchronisation here
# request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see below)
; remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
; remote announce = 192.168.1.255 192.168.2.44

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this server's netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
; wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
; preserve case = no
; short preserve case = no
# Default case is normally upper case for all DOS files
; default case = lower
# Be very careful with case sensitivity - it can break things!
; case sensitive = no

#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
create mode = 0664
directory mode = 0775
# If you want users samba doesn't recognize to be mapped to a guest user
; map to guest = bad user

# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /usr/local/samba/lib/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /usr/local/samba/profiles
; browseable = no
; guest ok = yes

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes

# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = @staff

# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /home/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes

# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no

# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/local/pc/%m
; public = no
; writable = yes

# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no

# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765


28. Squid

28.1 Overview
1. HTTP and FTP caching proxy server.

2. Conforms to Harvest Cache architecture.

3. Uses Inter-Cache Protocol (ICP) to communicate with other cache servers.

4. Only recognizes HTTP on the client side, but will use both FTP and HTTP on the
server side.

5. Required Packages: squid

6. Ports

o Clients connect to TCP port 3128 by default.

o Default port can be changed.

o For accelerator mode, clients will typically connect to TCP port 80.

28.2 Configuration
1. /etc/squid/squid.conf

o Primary configuration file.

o Parent/sibling caches - Squid can be configured to check other caches for a
request before fetching a new object.

Configuration example:

    #                                   Proxy ICP
    #          Host Name           Type   Port  Port
    cache_peer parentcache.xyz.com parent  3128  3130
    cache_peer childcache1.xyz.com sibling 3128  3130
    cache_peer childcache2.xyz.com sibling 3128  3130

o Access Control Lists - Squid has very extensive ACLs for controlling access.

o See /etc/squid/squid.conf for further configuration examples. It is very
well documented.

o Cache initialization.

The cache is located at /var/spool/squid. If it hasn't been
created, the startup script will automatically create it when
squid is started.

28.3 Client Program (/usr/sbin/client)

1. FINISH ME!


29. INND

29.1 Overview
1. Provides Network News Transport Protocol (NNTP) service.

2. Major newsgroups include: alt, comp, gnu, misc, news, rec, sci, soc, and talk.

3. Newsgroups configured in a hierarchical fashion.

4. Package: inn

5. Port: TCP 119.

29.2 Configuration
1. /etc/news/

Location of configuration files. A minimal leafnode setup requires
that you modify the following files:

o inn.conf

Set the following options. The defaults for the remaining
options should be fine.

    organization: MyOrganization
    domain: mydomain.com
    server: news.mydomain.com

o incoming.conf

Place your ISP's news server information in here.

    # Peer definition
    # MyISP.com (800) 555-1212 news@MyISP.com
    peer myisp.com {
        hostname: news.myisp.com
    }

o newsfeeds

If you want to post articles, you need to modify newsfeeds.

    news.myisp.com:comp.*,!comp.sources.*,comp.sources.unix/!foo:Tf,Wnm:news.myisp.com

The colon is the field delimiter used above. The format of the above line
is:

    sitename[/exclude,exclude,...]:pattern,pattern,...[/distrib,distrib,..]:flag,flag,...:param

Options:

1. sitename - Names the site to which this feed relates. It can be called
anything you want and does not have to be the domain name of the
site.

2. pattern - Indicates which news groups are to be sent to this site.
The default is to send all groups (leave it blank if that's what you
want). The above example will cause all "comp" groups to be
received, but not any group under "comp.sources" except for
"comp.sources.unix".

o distribution - If specified, and an article has a
"Distribution" header, it is checked against this value. If the
distribution specified matches the distribution header in the
article, it is sent. However, if the distribution specified starts
with an exclamation point, and the distribution header in the
article matches, it is not sent. In the above example, any
article with a distribution header containing "foo" will not
be sent.

3. flag - Specify various options about the newsfeed. The above
options specify that this is a file feed type (Tf), and that only the
article's "token" and "message-id" (Wnm) should be written.

4. param - Meaning varies depending on the feed type. When the feed
type is "file" as in the example above, it specifies the file to write an
entry to when an article is received. If not an absolute path, it is
relative to the "pathoutgoing" option in inn.conf.

o readers.conf - Edit this file if you want to allow readers on other
computers.

o motd.news - If you allow readers, it is a good idea to put a banner in this
file that relays your usage policies to your readers.

2. Run inncheck to correct any permissions problems and catch any configuration
file errors.

3. Run makehistory to initialize the INN history database.

4. Run makedbz to rebuild the dbz database files.
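The newsfeeds pattern and distribution rules above are worth seeing executed. The following added example, not code from these notes or from INN, parses the feed line shown above into its fields and decides, for a given newsgroup and optional Distribution header, whether an article would be sent; the group names it is run against are constructed.

```python
"""Evaluate an INN newsfeeds entry against candidate newsgroups.

Added example, not code from the original notes or from INN. It parses the
'sitename[/exclude]:pattern[/distrib]:flags:param' line format explained
above and applies the rule that, within a pattern list, the last pattern
that matches a group decides, with a leading '!' meaning "do not send".
Wildcards are handled with fnmatch, whose '*' also matches across dots,
which is what the patterns above rely on.
"""
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Optional

# The feed line from the notes above, joined onto a single line.
FEED_LINE = ("news.myisp.com:comp.*,!comp.sources.*,comp.sources.unix/!foo"
             ":Tf,Wnm:news.myisp.com")


def parse_newsfeed(line: str) -> Dict[str, Any]:
    """Split a newsfeeds line into its four colon-separated fields and sub-lists."""
    site, patterns, flags, param = line.split(":", 3)
    sitename, _, excludes = site.partition("/")
    pattern_part, _, distribs = patterns.partition("/")
    return {
        "sitename": sitename,
        "excludes": [x for x in excludes.split(",") if x],
        "patterns": [p for p in pattern_part.split(",") if p],
        "distributions": [d for d in distribs.split(",") if d],
        "flags": [f for f in flags.split(",") if f],
        "param": param,
    }


def matches_patterns(group: str, patterns: List[str]) -> bool:
    """Last matching pattern wins; a group matching nothing is not sent."""
    send = False
    for pattern in patterns:
        negate = pattern.startswith("!")
        body = pattern[1:] if negate else pattern
        if fnmatchcase(group, body):
            send = not negate
    return send


def distribution_allowed(distribution: Optional[str], distribs: List[str]) -> bool:
    """Apply the /distrib list to an article's Distribution header (None if absent)."""
    if not distribs or distribution is None:
        return True
    wanted = [d for d in distribs if not d.startswith("!")]
    blocked = [d[1:] for d in distribs if d.startswith("!")]
    if distribution in blocked:
        return False
    return not wanted or distribution in wanted


def will_feed(feed: Dict[str, Any], group: str,
              distribution: Optional[str] = None) -> bool:
    """Would an article in `group` (with optional Distribution) be sent to this site?"""
    return (matches_patterns(group, feed["patterns"])
            and distribution_allowed(distribution, feed["distributions"]))


if __name__ == "__main__":
    feed = parse_newsfeed(FEED_LINE)
    for group in ("comp.lang.c", "comp.sources.misc", "comp.sources.unix", "rec.arts.sf"):
        print(group, will_feed(feed, group))
```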


29.3 Troubleshooting
1. innd won't start

o Use inncheck.

o Check logs under /var/log/news.

2. Readers can't read

o Verify that the reader is allowed access by checking nnrp.access.

o Make sure innd is running.

o Check logs under /var/log/news.

o telnet to port 119 and see if a banner comes up.

3. Posters can't post

o Confirm poster is allowed to post by checking nnrp.access.

o Check logs under /var/log/news.

o telnet to port 119 and see if a banner comes up with (posting allowed).


30. NTP

30.1 Overview
1. Network Time Protocol

o Uses a distributed hierarchy to synchronize time to UTC (Universal
Coordinated Time).

o Each server is at a certain stratum. The lower the stratum, the closer it is to
an external source of UTC.

o Stratum 1 servers have direct access to an external UTC source (e.g. a
radio clock synchronized to time signal broadcasts).

o A stratum 2 server gets its time from a stratum 1 server. A stratum 3 gets it
from a stratum 2, and so on.

o To avoid synchronization problems, the maximum number of strata is 15.

o Ideally, NTP likes to have at least 3 sources of time available to
synchronize to.

o NTP never runs a system clock backwards, but can slow it down if it's
running too fast.

o When NTP is first started, it starts to compute the frequency of the clock on
the computer it's running on. It usually takes a day or so for NTP to
determine the error or "drift" of the local clock. This "drift" is stored in a
local file so it doesn't have to be recomputed if NTP is restarted.

2. Packages

ntp

3. Port

UDP 123

30.2 Configuration
1. /etc/ntp.conf

o Primary configuration file.

o Example:

    server rackety.udel.edu
    server umd1.umd.edu
    server lilben.tn.cornell.edu

    driftfile /etc/ntp/drift

The "server" keyword is used to indicate the servers that should be used to
synchronize to UTC. This host can receive synchronization from one of the
listed servers, but cannot provide it to them.

The "driftfile" directive indicates the file that contains the
current value of the frequency error of the clock on the
computer.


31. PPP

31.1 Overview
1. Point-to-Point Protocol.

2. Typically used by dial-up users.

3. Packages

o ppp - Provides pppd daemon and other tools necessary to setup a ppp client
or server.

o rp-pppoe - Required for ADSL connections that run PPP over Ethernet.

o wvdial - wvdial is an easy to use ppp client configuration tool.

o mgetty - Needed for a pppd server to listen on a serial port.

31.2 Client Configuration

1. Use wvdial to configure the client.

2. wvdial automatically detects and configures your modem.

3. Configuration Steps:

o As root, execute: /usr/bin/wvdialconf /etc/wvdial.conf - This creates the
configuration file for wvdial based on your modem.

o Edit /etc/wvdial.conf and specify the phone number, login name, and
password that's needed to login to your ISP. Uncomment the 3 lines that
already exist for this purpose and fill in the necessary information.

4. Connecting to your ISP

To connect to your ISP, all you need to do is execute /usr/bin/wvdial

31.3 Server Configuration

1. General pppd configuration options are placed in /etc/ppp/*

2. Configure mgetty to listen on your serial port. In /etc/inittab put an entry
similar to the following:

    ppp0:35:respawn:/sbin/mgetty ttyS0

This tells mgetty to listen on serial port /dev/ttyS0.

3. Then, you must tell mgetty to perform automatic PPP negotiation. Put the
following line in /etc/mgetty+sendfax/login.conf:

    /AutoPPP/ - - /usr/sbin/pppd auth -chap +pap login


32. OpenSSH

32.1 Overview
1. Replaces insecure network communication applications.

2. Can authenticate via user and/or token.

3. Can tunnel insecure protocols through an encrypted tunnel.

4. Packages

o openssh - Provides core components for both openssh-server and openssh-clients.

o openssh-server - Contains sshd, the secure shell daemon.

o openssh-clients - Includes ssh, slogin, ssh-agent, ssh-add, sftp.

o openssh-askpass - Provides X11 based pass phrase dialog.

o openssh-askpass-gnome - A GNOME specific X11 based pass phrase
dialog.

o openssl - Provides cryptographic libraries.

5. Ports

o sshd - TCP 22

32.2 Configuration
1. /etc/ssh/

o Client and Server configurations stored here.

o Server Related Files

1. sshd_config - Primary server configuration file.

Sample options:

    Port 22                           # Port to bind to
    Protocol 2,1                      # Protocol versions and order to use them in.
    #ListenAddress 0.0.0.0            # Bind to all addresses.
    ListenAddress 192.168.1.20        # Bind to a specific interface.
    HostKey /etc/ssh/ssh_host_key     # Specify Host key files
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    ServerKeyBits 768                 # Size of server key for SSHv1 protocol
    LoginGraceTime 600
    KeyRegenerationInterval 3600      # How often server key is regenerated in SSHv1 protocol
    PermitRootLogin no                # Don't allow root to login directly
    IgnoreRhosts yes                  # Ignore .rhosts files
    IgnoreUserKnownHosts yes          # Ignore user's known_hosts files.
    StrictModes yes                   # Tells sshd to check file modes and ownership of
                                      # user files before allowing login
    X11Forwarding yes                 # Permit X11 Forwarding
    X11DisplayOffset 10               # Specifies which display to use when forwarding

    # Enable secure ftp
    Subsystem sftp /usr/libexec/openssh/sftp-server

2. ssh_known_hosts - Contains a list of hostnames and their
associated public key.

3. ssh_host_key & ssh_host_key.pub - Private/Public RSA key-pair for SSHv1 protocol.

4. ssh_host_rsa_key & ssh_host_rsa_key.pub - Private/Public
RSA key-pair for SSHv2 protocol.

5. ssh_host_dsa_key & ssh_host_dsa_key.pub - Private/Public
DSA key-pair for SSHv2 protocol.

o Client Related File(s)

1. ssh_config - Client configuration file.

Default configuration:
# Site-wide defaults for various options

# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsAuthentication no
# RhostsRSAAuthentication yes
# RSAAuthentication yes
# PasswordAuthentication yes
# FallBackToRsh no
# UseRsh no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking yes
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_rsa
# Port 22
# Protocol 2,1
# Cipher blowfish
# EscapeChar ~
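The sample sshd_config above mixes hardening settings (PermitRootLogin no, StrictModes yes) with weaker ones (Protocol 2,1, X11Forwarding yes). The following added example, not code from these notes or from OpenSSH, parses a configuration in that format, applying sshd's first-occurrence-wins rule for repeated keywords, and reports the settings that weaken the server. The sample configuration and the defaults assumed for absent keywords are constructed for the demonstration.

```python
"""Review an sshd_config file against a small hardening baseline.

Added example, not code from the original notes or from OpenSSH. It parses
the 'Keyword value' format of sshd_config (the first occurrence of a keyword
wins, as sshd applies it; '#' starts a comment) and reports settings that
weaken the server. The defaults assumed for absent keywords are those of
the OpenSSH releases contemporary with these notes (an assumption).
"""
from typing import Dict, List

# Constructed sample in the style of the sample options above.
SAMPLE_SSHD_CONFIG = """\
Port 22                        # Port to bind to
Protocol 2,1                   # Protocol versions and order to use them in
#ListenAddress 0.0.0.0         # Bind to all addresses
ListenAddress 192.168.1.20     # Bind to a specific interface
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
X11Forwarding yes
PermitEmptyPasswords yes
PermitRootLogin yes            # ignored: the first PermitRootLogin wins
Subsystem sftp /usr/libexec/openssh/sftp-server
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {keyword (lower case): value}; the first occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """Return findings; each starts with the keyword in its documented spelling."""
    s = parse_sshd_config(text)
    findings = []
    # Assumed defaults when a keyword is absent: Protocol 2,1, PermitRootLogin yes,
    # PermitEmptyPasswords no, IgnoreRhosts yes, StrictModes yes, X11Forwarding no,
    # ListenAddress 0.0.0.0.
    protocols = {p.strip() for p in s.get("protocol", "2,1").split(",")}
    if "1" in protocols:
        findings.append("Protocol: SSHv1 enabled; set 'Protocol 2'")
    if s.get("permitrootlogin", "yes") == "yes":
        findings.append("PermitRootLogin: direct root login allowed; set 'PermitRootLogin no'")
    if s.get("permitemptypasswords", "no") == "yes":
        findings.append("PermitEmptyPasswords: accounts with empty passwords can log in")
    if s.get("ignorerhosts", "yes") == "no":
        findings.append("IgnoreRhosts: .rhosts files are honoured")
    if s.get("strictmodes", "yes") == "no":
        findings.append("StrictModes: ownership and mode of user files are not checked")
    if s.get("x11forwarding", "no") == "yes":
        findings.append("X11Forwarding: enabled; disable unless required")
    if s.get("listenaddress", "0.0.0.0") == "0.0.0.0":
        findings.append("ListenAddress: sshd binds every interface; consider restricting")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(finding)
```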

32.3 Client Usage

1. ssh

    ssh 192.168.1.25          # Login to host 192.168.1.25 via ssh as the local user initiating the session
    ssh server.xyz.com        # Login to host server.xyz.com
    ssh steve@192.168.1.25    # Login to host 192.168.1.25 as user steve
    ssh 192.168.1.25 ls -la   # Execute 'ls -la' on host 192.168.1.25

2. scp - Secure Copy

    scp essay steve@192.168.1.25:school_dir      # Copy local file 'essay' to directory school_dir
                                                 # in steve's home directory on the remote host
    scp essay steve@192.168.1.25:english_paper   # Copy local file 'essay' to remote host and rename
                                                 # it to 'english_paper' on the remote host
    scp -r ~/docs steve@192.168.1.25:            # Copy the local directory docs and all of its
                                                 # contents to the remote host

3. sftp - Secure ftp

    sftp steve@192.168.1.25      # Logs into host 192.168.1.25 as user steve and provides an
                                 # ftp like session.
    sftp -C steve@192.168.1.25   # Same as above, only enables compression too.

32.4 Authentication Methods Supported by sshd

1. password - Sent securely through encrypted tunnel.

2. Public Key - Put public key in ~/.ssh/authorized_keys on remote host. Private key
is then used to authenticate user with remote host.

3. Kerberos

4. s/key

5. SecureID

32.5 ssh-agent usage

    eval `ssh-agent`
    ssh-add

32.6 Keys
1. Generate with ssh-keygen.

    ssh-keygen -b 1024           # Generate 1024 bit RSA key for SSHv1 protocol
    ssh-keygen -t dsa -b 1024    # Generate a 1024 bit DSA key for SSHv2 protocol
    ssh-keygen -t rsa -b 1024    # Generate a 1024 bit RSA key for SSHv2 protocol

2. Key Location:

o RSA (SSHv1 protocol) - ~/.ssh/identity and ~/.ssh/identity.pub

o RSA (SSHv2 protocol) - ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub

o DSA (SSHv2 protocol) - ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub


33. Security

33.1 TCP Wrappers

1. Provides host based security.

2. Configuration files: /etc/hosts.allow & /etc/hosts.deny.

o hosts.allow is checked first. If access isn't explicitly permitted, then
hosts.deny is checked. If access isn't explicitly denied, then access is
granted.

o Configuration File Format:

    <service_list>:<client_list> [:options]

o Special keywords

1. ALL - Can be used to represent all clients and/or all services. For
example, to deny access to every service from all clients, place the
following in /etc/hosts.deny:

    ALL:ALL

2. EXCEPT - Can be used with ALL to provide exceptions. For
example, to deny access to all services except sshd and vsftp from
all clients, place the following in /etc/hosts.deny (the exceptions
form one space-separated list; a second EXCEPT would nest inside the
first rather than add another exception):

    ALL EXCEPT sshd vsftp:ALL

3. LOCAL - Can be used to represent all hosts without a dot in their
name.

4. UNKNOWN - All hosts or users that can't be looked up.

5. KNOWN - All hosts or users that can be resolved.

6. PARANOID - All hosts where the forward and reverse lookups do
not match.

3. tcpd

o The tcpd program checks permissions and launches the specified service if
access is permitted.

o tcpd is typically used with inetd type services.

4. libwrap

o Programs compiled against libwrap can use tcp wrappers configuration
files for determining access without having to use the 'tcpd' program.

o Many programs in Red Hat Linux are compiled against libwrap. These
include:
o sendmail
o slapd
o sshd
o stunnel
o tcpd
o xinetd # This includes all services executed by xinetd
o gdm
o gnome-session
o ORBit
o portmap

5. Options

o Can be used to execute a command when a rule match occurs. For example,
to e-mail root a warning message every time someone tries to telnet in from
cracker.org, put the following in /etc/hosts.deny:

    in.telnetd: .cracker.org : spawn echo \
        "login attempt from %c to %s" | \
        mail -s "Telnet login warning" root

o Variable replacements:
o %c - client information (user@host)
o %s - service information (service@host)
o %h - client's hostname or IP address if hostname is unavailable
o %p - The server process id

o See hosts_options man page for more information.

6. Example Setup

o /etc/hosts.allow

    # Allow all clients in the 192.168.1.0/24 network and the client at 63.21.45.2 access
    # to sshd and imapd.

    sshd, imapd:192.168.1. 63.21.45.2

    # For a multi-homed host, you can specify the interface. This allows all hosts
    # in the 192.168.1.0/24 to access in.ftpd, but only if it's through the
    # 192.168.1.10 interface.

    in.ftpd@192.168.1.10:192.168.1.

    # Allow access to pop3d by all hosts in the somedomain.com domain.

    pop3d:.somedomain.com

    # Another way to specify network netmasks

    vsftp:192.168.1.0/255.255.255.0

    # Allow access to telnet from the 'research' network (specified in
    # /etc/networks or NIS)

    in.telnetd:@research

o /etc/hosts.deny

    # Deny access to all services that aren't explicitly permitted in
    # /etc/hosts.allow

    ALL:ALL
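To see how the lookup order above plays out, the following added example (not code from these notes or from the tcp_wrappers library) evaluates a daemon and client against rule files written in the format of the example setup: hosts.allow is consulted first, then hosts.deny, and a request matching neither is granted. It covers the token forms used above; the rule text is constructed, and nested EXCEPT, @netgroup entries, the options field and the LOCAL/KNOWN/UNKNOWN/PARANOID keywords are left out.

```python
"""Simulate TCP Wrappers access decisions from hosts.allow and hosts.deny.

Added example, not code from the original notes or from the tcp_wrappers
library. It applies the lookup order described above (hosts.allow first,
then hosts.deny, and access granted when neither matches) for the forms
used in the example files: ALL, a single EXCEPT, daemon@server-address,
dotted address prefixes such as 192.168.1., domain suffixes such as
.somedomain.com, net/mask pairs, and exact host names or addresses. Nested
EXCEPT, @netgroup and the LOCAL, KNOWN, UNKNOWN and PARANOID keywords are
left out, and the options field, if present, is ignored.
"""
import ipaddress
from typing import Callable, List, Optional, Tuple

# Constructed rule files, following the example setup above.
HOSTS_ALLOW = """\
# Allow the 192.168.1.0/24 network and 63.21.45.2 to reach sshd and imapd.
sshd, imapd : 192.168.1. 63.21.45.2
in.ftpd@192.168.1.10 : 192.168.1.
pop3d : .somedomain.com
vsftp : 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = "ALL : ALL\n"

Rule = Tuple[List[str], List[str]]  # (daemon list tokens, client list tokens)


def parse_rules(text: str) -> List[Rule]:
    """Split each 'daemon_list : client_list [: options]' line into token lists."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def match_daemon(token: str, daemon: str, server_address: Optional[str]) -> bool:
    """Match ALL or a daemon name, optionally qualified as daemon@server-address."""
    name, _, at_address = token.partition("@")
    if at_address and at_address != server_address:
        return False
    return name == "ALL" or name == daemon


def match_client(token: str, host: str, address: str) -> bool:
    """Match one client-list token against the client's name and address."""
    if token == "ALL":
        return True
    if token.startswith("."):                     # domain suffix
        return host.endswith(token)
    if token.endswith("."):                       # dotted address prefix
        return address.startswith(token)
    if "/" in token:                              # net/mask
        net, mask = token.split("/", 1)
        network = ipaddress.ip_network("%s/%s" % (net, mask), strict=False)
        return ipaddress.ip_address(address) in network
    return token in (host, address)


def match_list(tokens: List[str], matcher: Callable[[str], bool]) -> bool:
    """Evaluate 'list_1 EXCEPT list_2'; everything after EXCEPT is one exception list."""
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        include, exclude = tokens[:cut], tokens[cut + 1:]
    else:
        include, exclude = tokens, []
    return any(matcher(t) for t in include) and not any(matcher(t) for t in exclude)


def access_allowed(daemon: str, client_host: str, client_address: str,
                   server_address: Optional[str] = None,
                   allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY) -> bool:
    """A hosts.allow match grants, then a hosts.deny match refuses, otherwise allow."""
    def rule_matches(rule: Rule) -> bool:
        daemons, clients = rule
        return (match_list(daemons, lambda t: match_daemon(t, daemon, server_address))
                and match_list(clients, lambda t: match_client(t, client_host, client_address)))

    if any(rule_matches(r) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r) for r in parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    print(access_allowed("sshd", "pc1.lab", "192.168.1.50"))        # True
    print(access_allowed("in.telnetd", "pc1.lab", "192.168.1.50"))  # False
```

With a deny list such as "ALL EXCEPT sshd vsftp : ALL" both named services stay reachable while everything else is refused, and with both files empty every request is granted, which is the default the notes describe.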

33.2 xinetd based security

1. Overview

o xinetd has its own host based access controls built-in.

o TCP Wrappers are checked first. If TCP Wrappers permits access, then
xinetd's access controls are checked.

o Provides some additional restrictions that TCP Wrappers doesn't provide:
time, max # of instances, and number of instances per source allowed.

2. Access Controls

o only_from - Specifies which hosts are allowed to access this service.

    only_from = 192.168.1.0/24

o no_access - Specifically deny a host or hosts.

    no_access = 192.168.1.20

NOTE: - If both only_from and no_access are specified, the one that is
more specific wins. In this case no_access wins because it specifies a
specific host within the 192.168.1.0/24 network.

o access_times - Specifies a time period where access is allowed.

    access_times = 07:30-17:30

o instances - Specifies the maximum number of instances of this service
that may be launched.

    instances = 100

o per_source - Specifies the maximum number of instances that can be
initiated per IP address.

    per_source = 3
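The note above about only_from and no_access is the kind of rule that is easy to misread, so the following added example (not code from these notes or from xinetd) resolves a client address against both lists by prefix length, and also checks a clock time against an access_times interval. Tie-breaking between entries of equal specificity is an assumption of this example, not something the notes state.

```python
"""Resolve xinetd's only_from / no_access conflict and access_times checks.

Added example, not code from the original notes or from xinetd. Addresses
are matched as CIDR networks (a bare address is a /32). When an address is
listed in both only_from and no_access, the entry with the longer prefix
(the more specific one) wins, which is the rule stated above; a tie is
treated as a refusal here, an assumption of this example.
"""
import ipaddress
from typing import List, Optional


def most_specific_prefix(address: str, entries: List[str]) -> Optional[int]:
    """Longest prefix length of any entry that contains address, or None."""
    ip = ipaddress.ip_address(address)
    best = None
    for entry in entries:
        network = ipaddress.ip_network(entry, strict=False)
        if ip in network and (best is None or network.prefixlen > best):
            best = network.prefixlen
    return best


def xinetd_allows(address: str, only_from: List[str], no_access: List[str]) -> bool:
    """Apply only_from/no_access to one client address."""
    allow = most_specific_prefix(address, only_from)
    deny = most_specific_prefix(address, no_access)
    if allow is None and deny is None:
        return not only_from        # an only_from list refuses anything not on it
    if deny is None:
        return True
    if allow is None:
        return False
    return allow > deny             # more specific entry wins; tie refuses (assumption)


def within_access_times(spec: str, hhmm: str) -> bool:
    """True if hhmm falls inside any 'HH:MM-HH:MM' interval in spec."""
    def minutes(clock: str) -> int:
        hours, mins = clock.split(":")
        return int(hours) * 60 + int(mins)

    now = minutes(hhmm)
    for interval in spec.split():
        start, end = interval.split("-")
        if minutes(start) <= now <= minutes(end):
            return True
    return False


if __name__ == "__main__":
    # The case from the note above: the whole /24 is allowed, one host is denied.
    print(xinetd_allows("192.168.1.20", ["192.168.1.0/24"], ["192.168.1.20"]))  # False
    print(xinetd_allows("192.168.1.21", ["192.168.1.0/24"], ["192.168.1.20"]))  # True
```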

33.3 IPCHAINS
1. Overview

o Ipchains is the packet filter provided in the 2.2 kernels.

o Also supported by 2.4 kernels with the ipchains compatibility module.

o Format:
o ipchains [action] [chain] [options] [target]
o ipchains -A input -i eth0 -p tcp -s 192.168.1.20 -d 0.0.0.0/0 -j ACCEPT
o

2. Capabilities

o Actions
o -A = Append rule to end of chain
o -I = Insert rule at beginning of chain
o -D = Delete existing rule in chain
o -N = Create new chain
o -X = Delete a chain (user defined only)
o -P = Set default policy for chain (ACCEPT, DENY, or REJECT)
o -F = Flush all rules in a chain
o -L = List existing rules (can specify a specific chain)
o

o Chains - 3 Built-in chains. Names in lower case.

o input - All packets that come into an interface pass through this chain,
including packets that are being routed to another interface.
o forward - All packets that come in one interface and leave on another
pass through this chain.
o output - All packets leaving an interface pass through this chain,
including packets that are being routed from another interface.
o

o Options
o -i = Interface (eth0, eth1, lo)
o -p = Protocol (udp, tcp, icmp, or the protocol number)
o -s = Source address of packet (192.168.1.20, 192.168.1.0/24, etc.)
o Can also include the source port for tcp/udp (192.168.1.20 80)
o -d = Same as -s, only for the destination address
o -y = Matches a packet that has only the SYN flag set (first step in the TCP
handshake)
o -l = Log the packet
o
o --source-port = Specify a source port without a source address
o --destination-port = Specify a destination port without a destination address
o

o Targets
o DENY = Drop packet without sending any sort of response to the source
o REJECT = Drop packet, but send the source an ICMP error message
o ACCEPT = Accept the packet
o <CHAIN> = Specify a user defined chain to jump to for further processing
o

3. Examples

# Set the default policies to DENY
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY

# Allow all incoming tcp connections on interface eth0 to port 80 (www)
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 1024: --destination-port 80 -j ACCEPT

# We must also allow packets back out in order for the connection to work
ipchains -A output -i eth0 -p tcp --source-port 80 -d 0.0.0.0/0 1024: -j ACCEPT

# Allow outgoing connections to other web servers
ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0/0 80 -j ACCEPT
ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0/0 81 -j ACCEPT
ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0/0 443 -j ACCEPT

# We must now allow TCP packets back in on ports >= 1024 to complete the
# connection. However, we don't want to allow any packet through with only
# the SYN flag set, since that would be someone trying to open a connection
# to us rather than a reply to one of ours.
ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0/0 80 --destination-port 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0/0 81 --destination-port 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0/0 443 --destination-port 1024: -j ACCEPT

# Allow external access to our DNS services.
ipchains -A input -i eth0 -p udp --destination-port 53 -j ACCEPT
ipchains -A output -i eth0 -p udp --source-port 53 -j ACCEPT

# If you leave out a source (-s) or destination (-d) address it's the same
# as specifying 0.0.0.0/0 (any address). A bare 0.0.0.0 without the /0 mask
# is a single host address (0.0.0.0/32) and matches nothing useful, which is
# why the rules above spell out the mask.

#
# MASQUERADING
#
# In these examples, eth0 is the external interface on the firewall, and
# eth1 is the internal interface. $INTERNAL_LAN holds the internal network
# (e.g. 192.168.1.0/24).

# Set Masquerade Timeouts
# Set a 2 hour (7200 sec) timeout for established TCP sessions
# Set a 15 second timeout for TCP traffic after a FIN is received
# Set a 3 minute (180 sec) timeout for UDP traffic
/sbin/ipchains -M -S 7200 15 180

# Set up the Masquerading. On the forward chain -i names the interface the
# packet will leave on, so this masquerades internal traffic going out eth0.
# Remember that the default policy is set to DENY above. Otherwise we would
# set it here.
/sbin/ipchains -A forward -i eth0 -s $INTERNAL_LAN -j MASQ

33.4 IPTABLES (Netfilter)


1. Overview

o 2.4 kernels only.

o Many benefits over ipchains:

1. Connection Tracking.

2. Rate Limiting.

3. Support for true NAT.

4. Many more filtering options: All TCP flags, MAC addresses, user,
etc.

5. Improved logging.

o Format
o iptables [table] [action] [chain] [options] [target]
o iptables -t filter -A INPUT -m state --state NEW -p tcp -s 192.168.1.0/24 -j ACCEPT
o

2. Capabilities

o Table - Specifies which table the chain belongs to: filter (the default
when -t is omitted), nat, or mangle.

o Action - See IPCHAINS actions above.

o Chains - 5 Built-in chains. Names are capitalized, unlike IPCHAINS.

o # Filter Table:
o INPUT - All packets entering an interface that are destined for a local
process use this chain. Note that packets being routed from one
interface to another do NOT go through this chain, as they do with
IPCHAINS.
o FORWARD - Only packets routed from one interface to another pass through
this chain.
o OUTPUT - All packets leaving an interface that originated from a local
process use this chain. Note that packets being routed from one
interface to another do NOT go through this chain, as they do with
IPCHAINS.
o
o # Nat Table:
o PREROUTING - Rules in this chain are applied before it is determined
whether the packet will use the INPUT or FORWARD chain. Destination NAT
(DNAT) is configured using this chain.
o POSTROUTING - Rules in this chain are applied after the OUTPUT and
FORWARD chains. Source NAT (SNAT) is configured using this chain.
o (The nat table also has an OUTPUT chain, used to DNAT packets generated
by local processes.)
o

o Options
o -i = Input interface (eth0, eth1, lo)
o -o = Output interface (eth0, eth1, lo)
o -p = Protocol (udp, tcp, icmp, or the protocol number)
o -s = Source address of packet (192.168.1.20, 192.168.1.0/24, etc.)
o -d = Same as -s, only for the destination address
o -m = Load a match extension module (e.g. -m state). It must come before
the options that belong to that module (e.g. --state), because iptables
only recognizes those options once the module is loaded. Likewise
--sport/--dport need -p tcp or -p udp to appear first.
o
o --sport = Source port
o --dport = Destination port
o

o Targets
o # 3 Default Targets
o DROP = Drop the packet without returning any indication to the source
that it was dropped
o ACCEPT = Accept the packet
o <CHAIN> = A user defined chain
o
o # Additional Targets provided by modules:
o LOG = Log the packet. LOG does not end processing: the packet continues
to the next rule, so a LOG rule is normally followed by a DROP or
REJECT rule.
o REJECT = Reject the packet and send the source an error chosen with
--reject-with (defaults to an ICMP port-unreachable message)
o

o Connection Tracking

1. Requires the state module (-m state).

2. Packet STATES:
NEW = First packet of a new connection
ESTABLISHED = Packet is part of an existing connection, i.e. one on which
packets have already been seen in both directions
RELATED = Packet starts a new connection that is related to an existing
one (e.g. ICMP error messages, or the data connection of an FTP session)
INVALID = Packet could not be associated with any known connection
(malformed, or out of sequence). Such packets should be dropped.

3. Tracking FTP Connections:

Because of the nature of the FTP protocol (the data connection is
negotiated inside the control connection), tracking ftp connections
requires a special kernel module: ip_conntrack_ftp. If you wish to use NAT
with ftp connection tracking, you must also load the ip_nat_ftp kernel
module.

3. Examples

# Set the default policies to DROP. iptables has no DENY target; DROP is
# the equivalent of the DENY used with ipchains above.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow all incoming tcp connections on interface eth0 to port 80 (www)
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024: --dport 80 -j ACCEPT

# We must also allow packets back out in order for the connection to work,
# since we aren't using connection tracking for this service
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -d 0.0.0.0/0 --dport 1024: -j ACCEPT

# Allow outgoing connections to all ports, and use connection tracking so
# we don't have to create rules to allow us to receive the packets coming back.
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED \
    -o eth0 -p tcp --sport 1024: -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED \
    -i eth0 -p tcp --dport 1024: -j ACCEPT

# Allow external access to our DNS services, and keep state on the connection.
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED \
    -i eth0 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED \
    -o eth0 -p udp --sport 53 -j ACCEPT

# Redirect all incoming traffic that hits port 8080 to port 80 on a web server
# in our internal LAN. The FORWARD chain must also accept the translated
# packets (destination 192.168.1.10 port 80), since its policy is DROP.
iptables -t nat -A PREROUTING \
    -p tcp -i eth0 --dport 8080 \
    -j DNAT --to 192.168.1.10:80

# Source NAT
iptables -t nat -A POSTROUTING \
    -o eth0 -s 192.168.1.0/24 \
    -j SNAT --to-source $EXTERNAL_IP_ADDRESS

# Allow ICMP echo requests, but limit them to 1 per second. --limit-burst 3
# allows a burst of up to 3 ICMP packets before the rate limiting kicks in.
iptables -A INPUT -i eth0 -p icmp --icmp-type 8 \
    -m state --state NEW,ESTABLISHED \
    -m limit --limit 1/s --limit-burst 3 \
    -j ACCEPT

iptables -A OUTPUT -o eth0 -p icmp -m state --state ESTABLISHED -j ACCEPT
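The examples above show individual rules; what a practitioner needs next is the order in which they go into the chain. The following is an added example, not from the guide, that builds a stateful ruleset for a single host in the order that matters: policies set to DROP before flushing, loopback accepted, INVALID dropped and ESTABLISHED/RELATED accepted up front so that every later rule only sees NEW packets, services by port, and a rate-limited LOG followed by an explicit DROP at the end. The interface name eth0, the assumption that the host is not a router, and the limit values are choices made for the example. IPT defaults to "echo iptables" so the generated rules can be reviewed before they are loaded with IPT=iptables as root.

```shell
#!/bin/sh
# Added example, not from the guide: generate a stateful iptables ruleset.
IPT=${IPT:-"echo iptables"}
WAN_IF=${WAN_IF:-eth0}

# gen_rules PORT...: emit a ruleset that accepts new inbound TCP connections
# only on the listed ports and relies on connection tracking for replies.
gen_rules() {
    # policies before flushing, so there is never an ACCEPT policy with no rules
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -t nat -F

    # loopback is trusted
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # connection tracking first: INVALID is dropped, replies to anything
    # already allowed are accepted, so the rules below only ever see NEW packets
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # services offered: one rule per port, only SYN packets may open a connection
    for port in "$@"; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$port" --syn -m state --state NEW -j ACCEPT
    done

    # this host may open connections outbound, and answers pings at a limited rate
    $IPT -A OUTPUT -o "$WAN_IF" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request \
        -m limit --limit 1/s --limit-burst 3 -j ACCEPT

    # everything else: log (rate limited so a port scan cannot flood syslog),
    # then drop.  LOG is non-terminating, hence the explicit DROP after it.
    $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP:"
    $IPT -A INPUT -j DROP
}

# rule_count PATTERN PORT...: how many generated rules contain PATTERN.  Used
# to check a ruleset before loading it (e.g. that no DENY target slipped in).
rule_count() {
    pat=$1; shift
    gen_rules "$@" | grep -c -- "$pat" || true
}

gen_rules 22 80 443
```

Running the script as-is prints the rules; the pattern checks (rule_count) are the kind of assertion to put in front of loading a ruleset on a remote box, where a wrong ordering locks you out.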


34. Process Accounting

34.1 Overview
1. Keeps track of user processes.
2. Originally intended as a way to keep track of resources in order to bill
departments/users for their usage.

3. Packages

psacct

34.2 Turning On/Off


1. Enabling - Use the accton command and specify the file for storing the
accounting information. The file must already exist (the init script
creates it).

/sbin/accton /var/log/pacct

2. Disabling - Use the accton command without specifying a file.

/sbin/accton

34.3 Viewing Information


1. ac - The 'ac' command is used to print out a report of connection times.

Examples:
ac # Print total connection time.
ac -dp # Give daily (-d) connection totals by person (-p)
ac --complain # Print out any problems in wtmp file (time-warps, missing
records, etc.)

2. sa - The 'sa' command is used to summarize accounting information.

Examples:
sa # Print information about all commands in the process accounting file
sa -u # Print command information by user

3. lastcomm - Displays which commands have been executed. Each record holds
the command name (not its arguments), flags (e.g. S = executed with
superuser privileges), user, tty, CPU time and start time, so it answers
"who ran what, and when" after an incident but cannot recover command lines.

Examples:
lastcomm # Display all commands executed on system
lastcomm rm # Display information about all invocations of the 'rm' command


35. Kickstart
35.1 Overview
1. Kickstart provides a way to do automated installations.

2. The Kickstart configuration file (ks.cfg) answers all the questions that are normally
asked during a normal install.

3. Allows you to automate most of the installation, including the following:

o Language Selection

o Mouse Configuration

o Keyboard Selection/Configuration

o Boot Loader Installation

o Disk Partitioning

o Network Configuration

o Authentication (NIS, LDAP, Kerberos, Samba, and Hesiod)

o Firewall Configuration

o X Window System Configuration

o Package Selection

4. Packages

o mkkickstart - This package provides utilities that will create a kickstart
file based on the current machine's configuration.

o ksconfig - Provides a graphical interface for creating kickstart files.

35.2 Creating a Kickstart File

1. Manual

Copy the sample.ks kickstart file from the RH-DOCS directory on the
documentation CD and modify it to meet your requirements. Be careful when
editing it because the sections must remain in order. The order is:

o Command Section
o %packages Section
o %pre & %post Sections

2. mkkickstart

Use the mkkickstart utility to create a kickstart configuration file based
on the current system's configuration.

3. ksconfig

Use the GUI tool ksconfig to create a kickstart file.

35.3 Kickstart Installation Types


1. Network

o Requires a DHCP/BOOTP server.

o ks.cfg file must be accessible from NFS, FTP, HTTP, or Samba (although
I've only been able to get it to work when the ks.cfg file is on NFS).

o Can install from NFS, FTP, HTTP, & Samba.

2. Local

o ks.cfg file must be put on a floppy boot disk.

o Can install from a local CD-ROM or a local hard drive.

35.4 Kickstart Installation


1. Boot with a boot floppy. For a local kickstart installation, the ks.cfg must be
located in the root of the boot disk.

2. When the SYSLINUX installation screen comes up, specify one of the
following options:

o ks=floppy - If ks.cfg is located on the floppy.

o ks=hd:fd0/ks.cfg - Same as ks=floppy above.

o ks=floppy dd - When ks.cfg is located on the floppy and you need a driver
disk.

o ks=nfs:<server>:/path - ks.cfg file is on an NFS server.

o ks=http://<server>/path - ks.cfg file is on an HTTP server.

o ks=ftp://<server>/path - ks.cfg file is on an FTP server.

Note that a ks.cfg fetched over the network is neither authenticated nor
encrypted, and it normally carries the root password (rootpw) and the
package list, so restrict which hosts can read it from the server.

35.5 Additional Network Installation Info


1. When specifying "linux ks" at the installation prompt:

o The ks.cfg file must be available via NFS.

o By default, it is assumed that the ks.cfg file will be on the same server as
the DHCP/BOOTP server. To specify a different server for the ks.cfg file,
specify the following in the /etc/dhcpd.conf file:
o filename "/path/to/ks.cfg"
o next-server <hostname or IP>
o

If the path specified in the "filename" clause ends with a "/", then the file
that is looked for is "/specified/path/<IP>-kickstart", where <IP> is the IP
address of the machine making the request.

Note that the path specified in the "filename" clause must be the full path
to the file and not the relative path from the NFS export. Kickstart will
automatically try to mount the NFS export based on the path's name. In the
above example, it would first try to mount "/path", then if that failed,
"/path/to".

2. If you don't wish to use DHCP to specify the location of the kickstart file, you can
specify one of the options listed above to point to the location of the ks.cfg file.

3. To install from NFS, the following directive must be used in the ks.cfg file
right after the "install" directive:

nfs --server <server> --dir <dir>

4. To install from HTTP or FTP, the following directive must be used in the
ks.cfg file right after the "install" directive:

url --url http://<server>/path
url --url ftp://<server>/path



36. Procmail

36.1 Overview
1. Mail processor.

2. Can be invoked via the .forward file, or directly by sendmail.

3. User configuration file is $HOME/.procmailrc.

4. Package: procmail

36.2 Configuration File Syntax

1. Format:

:0 [flags] [ : [locallockfile] ]
<zero or more conditions (one per line)>
<exactly one action line>

2. Flags

See the procmailrc(5) man page for a description of the flags.

3. Special characters

o :

Indicates the start of a recipe. Commonly used with a zero following it.
In the old days, the zero was replaced with the number of conditions that
follow.

o *

Indicates the start of a condition. Everything after the * up to the end
of the line is the regular expression, so a condition line cannot carry a
trailing "# comment".

o !

When used in a condition, it means to invert the condition. When used in
an action line, it means to forward the mail to the addresses that follow.

o Pipe (|)

Starts the program specified after it when used in the action line.

o {}

When followed by at least one space, tab, or newline, it marks the
beginning of a nesting block for the action line.

36.3 Example .procmailrc

:0
* ^From.*bob
* ^Subject:.*Computers
{
    # "c" flag means deliver a carbon copy and carry on with the next recipe
    :0 c
    ! steve@somedomain.org

    # Action - file the local copy
    :0
    COMPUTERS
}

This will forward mail from bob about computers to steve and also keep a
local copy in the COMPUTERS folder. The comments sit on lines of their own on
purpose: a "# Condition" written after a * line would become part of the
regular expression and the condition would never match.


37. IMAP & POP

37.1 Overview
1. Package

o imap

1. The imap package includes the POP daemon also.

2. Provides POP2, POP3, and POP3s (POP3 over SSL) service.

3. Provides IMAP and IMAPs (IMAP over SSL) service.

2. Ports

o POP2 - TCP 109

o POP3 - TCP 110

o POP3S (over SSL) - TCP 995

o IMAP - TCP 143


o IMAPS (over SSL) - TCP 993

37.2 Setup
1. Started by xinetd.

2. Simply install the imap package and enable the service(s) in xinetd. Prefer
the SSL variants (imaps, pop3s) or wrap the plain services with stunnel
(covered below): plain IMAP and POP3 send the user's password over the
network in the clear.


38. Encryption (GPG & OpenSSL)

38.1 Overview
1. Why use it?

o Prevent password and data sniffing.

o Maintain integrity of data.

o Prevents authentication manipulation.

2. Packages

o OpenSSL - Provides cryptographic libraries used by other programs which
communicate via the network, plus the openssl command line tool.

o gnupg - Used to ensure integrity and encrypt files (e.g. data, e-mail, etc.)

o OpenSSH - A secure replacement for ftp, telnet, rsh, rlogin, etc. Covered
elsewhere.

o stunnel - Provides network encryption services for those applications which
don't already have it. Covered elsewhere.

38.2 Encryption Types and Requirements


1. Random Numbers

o In order for encryption to be effective, it needs a good source of entropy
to create random numbers (keys, nonces, salts). A guessable key makes the
strongest algorithm worthless.

o Entropy is usually gathered from several things. For example: keyboard
events, mouse events, and block device interrupts.

o The Linux Kernel provides 2 sources of random numbers:

1. /dev/random - Blocks when the kernel's estimate of available entropy
runs out, until more entropy is gathered.

2. /dev/urandom - Never blocks. Its output comes from a cryptographic
generator keyed from the same entropy pool, so it is suitable for almost
every purpose once the pool has been seeded after boot.

2. One-Way Hashes

o One-way hashes take input of any length and create a fixed length output
string known as a fingerprint (or digest).

o If any part of the input data changes, it will create a different fingerprint.

o "One-way" means you can't recreate the original data from the fingerprint.

o Examples include: md5, rmd160, sha, sha1, and haval. crc-32 is often listed
alongside them but is only a checksum: it is trivial to craft data with any
desired crc-32, so it detects accidents, not tampering. md5 and sha1 are no
longer collision resistant either, so pick sha-256 or better where the
choice is yours.

3. Symmetric Encryption

o The same key is used to both encrypt and decrypt the data.

o Examples of symmetric algorithms: DES, 3DES, Blowfish, RC2, RC4, RC5, and
AES.

o Utilities that use symmetric ciphers: passwd (the traditional Unix crypt(3)
password hash is built from DES), gpg, and openssl.

o Minimum recommended key size: 128 bits (which rules out single DES and its
56-bit key).

4. Asymmetric Encryption

o a.k.a. Public Key Encryption

o One key is used to encrypt and another key is used to decrypt.

o Standard Operation

1. Recipient generates a private/public key pair: S & P.

2. The Recipient then publishes public key P and keeps private key S a
secret.

3. Sender uses Recipient's public key P to encrypt a message for the
Recipient.

4. Recipient uses private key S to decrypt the message from the Sender.

o Digital Signatures

1. Provide a way to verify authenticity.

2. Sender signs (encrypts) the message with the Sender's own private key S.

3. Recipient then decrypts the message with the Sender's public key P. As
long as the Sender's private key S hasn't been compromised, this
guarantees that it came from the Sender.

4. Detached Signatures

o Similar to the above operation, only the Sender creates a one-way hash
of the message and signs the one-way hash instead. The signed one-way
hash is known as the "detached signature". This is what is done in
practice: signing the whole message is slow and gains nothing.

o The Recipient then uses the Sender's public key P to recover the hash
from the detached signature.

o The Recipient then performs their own one-way hash on the message and
compares it to the hash recovered from the signature. If the two match,
the document hasn't been tampered with since it was signed.

o Combining Standard Operation with Digital Signatures

1. This can be used so that only the Recipient can decrypt a message, while
at the same time verifying that it was sent by the Sender. Each party has
their own key pair here, so two private keys and two public keys are
involved.

2. Process:

o Sender signs the message with the Sender's private key.

o Sender then encrypts the signed message with the Recipient's public key.

o The Recipient decrypts the message with the Recipient's private key.

o The Recipient then verifies the signature with the Sender's public key.
5. Digital Certificates

o Commonly used by on-line merchants (as well as others) to verify their
identity to someone else, typically a customer.

o Issued by a certificate authority (CA).

o Standard Certificate Format is X.509. The subject name consists of the
following information:

1. Country

2. Province or State

3. Organization Name

4. Common Name (the host name, for a server certificate)

5. E-mail

o Certificate Creation Process

1. The merchant generates a private/public key pair.

2. The merchant must then prove their identity to a CA and provide their
public key to the CA (in a certificate signing request).

3. The CA then creates a one-way hash of the following information:

o The CA's identity.

o The merchant's identity.

o The merchant's public key.

o Period of validity.

4. The one-way hash is then signed with the CA's private key, creating a
detached digital signature.

5. The digital certificate is made up of the combined information above
and the detached digital signature.

6. The CA then issues this to the merchant. Anyone holding the CA's public
key can check the signature and so trust the binding between the
merchant's name and public key, to exactly the extent that the CA
itself is trusted.

38.3 Using GPG

1. Key Generation

gpg # Initialize GPG for this user (e.g. create ~/.gnupg). Only have to run once.
gpg --gen-key # Start key generation process. Follow prompts.

2. Viewing Keys

gpg --list-keys # View public keys
gpg --list-secret-keys # View private keys

3. Exporting Public Keys

gpg --export <name of key owner> # Exports key in binary format
gpg --export --armor <name of key owner> # Export in a usable, ASCII format

4. Importing Public Keys

gpg --import /path/to/public/key/file

5. Encrypting a Message

gpg --encrypt --armor --recipient <recipient> message_file # Creates an
# encrypted message in an ASCII format (message_file.asc)

6. Decrypting a Message

gpg encrypted_message_file

You will be prompted for the filename to use for the output of the decryption
process when gpg cannot derive it from the input name (with --decrypt the
plaintext goes to stdout instead).

7. Encrypting with a Symmetric Key

gpg --symmetric --armor message_file

8. Signing and Encrypting a Message

gpg --sign --encrypt --armor --recipient <recipient> message_file

9. Creating a Detached Signature

gpg --detach-sign --armor message_file # Sender; produces message_file.asc
gpg --verify message_file.asc message_file # Recipient

10. Signing Another's Public Key

Alice is going to sign Bob's key. Before signing, Alice should compare the
fingerprint of the key she holds (gpg --fingerprint bob) with one obtained
from Bob over a trusted channel: her signature is a statement that the key
really is Bob's.

# First, Alice must do:
gpg --sign-key bob
gpg --export --armor bob > bob.key

# Then, Bob must do:
gpg --import bob.key
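The key generation, detached signature, verification and encrypt/decrypt steps above, run end to end without prompts, as an added example that is not part of the guide. It works in a throwaway keyring so nothing touches ~/.gnupg, and it also shows what the guide only states: verifying the signature against a tampered copy of the message fails. The key parameters, the name and address, and the message text are assumptions; batch key generation with %no-protection needs GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example, not from the guide: the gpg workflow non-interactively.
gpg_roundtrip() {
    GNUPGHOME=$(mktemp -d) || return 1      # isolated keyring
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    # 1. key generation, answering the prompts from a parameter file on stdin
    gpg --batch --quiet --gen-key <<'EOF' 2>/dev/null || return 1
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Alice Example
Name-Email: alice@example.test
Expire-Date: 0
%commit
EOF

    printf 'meet at noon\n' > "$GNUPGHOME/msg"

    # 2. detached signature (msg.asc), verified against the original ...
    gpg --batch --quiet --detach-sign --armor "$GNUPGHOME/msg" 2>/dev/null || return 1
    gpg --batch --quiet --verify "$GNUPGHOME/msg.asc" "$GNUPGHOME/msg" 2>/dev/null || return 1
    # ... and against a tampered copy, which must fail
    printf 'meet at one\n' > "$GNUPGHOME/tampered"
    gpg --batch --quiet --verify "$GNUPGHOME/msg.asc" "$GNUPGHOME/tampered" 2>/dev/null && return 1

    # 3. encrypt to alice (our own key, so --trust-model always skips the
    #    ownertrust prompt) and decrypt to stdout
    gpg --batch --quiet --yes --trust-model always --armor \
        --recipient alice@example.test --output "$GNUPGHOME/msg.enc" \
        --encrypt "$GNUPGHOME/msg" 2>/dev/null || return 1
    plain=$(gpg --batch --quiet --decrypt "$GNUPGHOME/msg.enc" 2>/dev/null) || return 1

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    printf '%s\n' "$plain"
}

command -v gpg >/dev/null 2>&1 && gpg_roundtrip
```

The function prints the decrypted text only if every step succeeded, including the expected failure on the tampered file; a real key should of course carry a passphrase, which is what %no-protection switches off for the sake of running unattended.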

38.4 Using OpenSSL

1. Generating a Certificate & Key in the PEM Format

o Long Way
o openssl req -new -newkey rsa:1024 -nodes -x509 -keyout ~/key -out ~/cert
o echo >> ~/key
o cat ~/cert >> ~/key
o echo >> ~/key
o mv ~/key /usr/share/ssl/certs/give_me_a_name.pem
o rm ~/cert
o

o Short Way
o cd /usr/share/ssl/certs
o make give_me_a_name.pem
o

Both ways produce a self-signed certificate. -nodes leaves the private key
unencrypted on disk (necessary for a daemon that has to start unattended),
so the resulting .pem must be readable by root only. Use rsa:2048 rather
than rsa:1024 today, and add -days <n> to set how long the certificate
stays valid.


39. stunnel

39.1 Overview
1. Provides SSL encryption for applications without modifying the application.

2. Uses SSL: public key encryption to authenticate the server and set up the
session, then a symmetric cipher for the data.

3. Packages

stunnel

39.2 Configuration
1. Create stunnel.pem

# Generate private key and certificate
openssl req -new -newkey rsa:1024 -nodes -x509 -keyout /tmp/key -out /tmp/cert

# Create stunnel.pem
echo >> /tmp/key
cat /tmp/cert >> /tmp/key
echo >> /tmp/key
rm /tmp/cert
mv /tmp/key /usr/share/ssl/certs/stunnel.pem
chmod 600 /usr/share/ssl/certs/stunnel.pem

-OR-
cd /usr/share/ssl/certs
make stunnel.pem
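The "long way" of 38.4 and the stunnel.pem recipe above do the same thing; here it is as one function, as an added example that is not from the guide, with the changes a practitioner would make today: a 2048-bit key, an explicit validity period, umask 077 so the key is never world-readable even for an instant (the recipe above writes it to /tmp first), and a check that the key and certificate in the resulting file really belong together. The subject fields and the default lifetime are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide: build and sanity-check a key+cert PEM.

# make_pem OUTFILE COMMON_NAME [DAYS]: write key then certificate to OUTFILE
# (mode 0600), the layout stunnel expects, and verify they match.
make_pem() {
    out=$1; cn=$2; days=${3:-365}
    saved_umask=$(umask); umask 077          # key material: owner only
    tmpd=$(mktemp -d) || return 1
    if ! openssl req -new -newkey rsa:2048 -nodes -x509 -days "$days" \
            -subj "/C=US/ST=Colorado/O=Example Org/CN=$cn" \
            -keyout "$tmpd/key" -out "$tmpd/cert" 2>/dev/null; then
        rm -rf "$tmpd"; umask "$saved_umask"; return 1
    fi
    # key, blank line, certificate, blank line: same layout as the guide
    { cat "$tmpd/key"; echo; cat "$tmpd/cert"; echo; } > "$out"
    chmod 600 "$out"
    rm -rf "$tmpd"
    umask "$saved_umask"
    pem_consistent "$out"
}

# pem_consistent FILE: succeed only if the private key's modulus equals the
# certificate's, i.e. the certificate was really issued for this key.
pem_consistent() {
    k=$(openssl rsa  -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# pem_subject FILE: print the certificate subject for a quick eyeball check.
pem_subject() { openssl x509 -in "$1" -noout -subject; }

# pem_valid FILE: succeed if the certificate has not yet expired.
pem_valid() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# e.g.  make_pem /usr/share/ssl/certs/stunnel.pem imap.somedomain.com 365 \
#       && pem_subject /usr/share/ssl/certs/stunnel.pem
```

pem_consistent is the check worth keeping around: a stunnel.pem assembled from a key and a certificate that do not match fails only at the first client handshake, not when the daemon starts.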

2. Sample IMAPS Configuration

stunnel -d 192.168.1.20:993 -r localhost:143

This starts stunnel in daemon mode (-d) and causes it to listen on port 993 of
interface 192.168.1.20. Incoming connections received on port 993 are
decrypted and then redirected to port 143 on localhost. The leg from stunnel
to imapd is cleartext, so port 143 must not be reachable from outside: bind
imapd to the loopback interface or block the port with tcp wrappers or the
packet filter, otherwise clients can simply bypass the tunnel.

libwrap NOTE: - Because stunnel uses libwrap, you need to configure access
via /etc/hosts.allow and /etc/hosts.deny. When stunnel starts, it will write
the name of the service to /var/log/messages that it will be checking for via
tcp wrappers. For example, the above stunnel configuration created the
following log entry:

stunnel[1128]: Using 'localhost.143' as tcpwrapper service name

You will need to use "localhost.143" as the service name in /etc/hosts.allow
and /etc/hosts.deny.


40. Fetchmail Made Simple (really simple)

40.1 ~/.fetchmailrc
1. Create a .fetchmailrc file in your home directory similar to the following:

poll pop3.somedomain.com with protocol pop3:
user steve there is gandalf here
password "super_secret"

The first line says that pop3.somedomain.com hosts our pop3 account and that we
will contact it using the pop3 protocol. The second line states that the user
account on the pop3 server is steve and our local account is gandalf. The last
line contains our password for the pop3 account. Note that plain POP3 sends
this password over the network in the clear.

2. Secure the .fetchmailrc file. fetchmail refuses to run if the file is
readable by anyone other than its owner, since it holds a password:

chmod 0600 ~/.fetchmailrc

3. Then retrieve your mail by typing:

fetchmail

Use the "-v" option to cause fetchmail to be more verbose during mail retrieval.

See "CONFIGURATION EXAMPLES" in the fetchmail man page.


41. Copyright & Disclaimer

41.1 General Disclaimer


First off, I was not an RHCE when I originally created this document. I
did pass the RHCE exam on April 19th of 2002. I created this guide to
help myself study for the exam. While the information in this document
is correct to the best of my knowledge, I DO NOT guarantee the
accuracy of ANY of the information contained in this document. This
information comes without any warranty of any kind, implied or
otherwise. I am not responsible for any damage that may be caused by
using the information in this document whether the damage is to your
computer, your brain, or anything else. In short, USE AT YOUR OWN
RISK. You have been warned.
The amount of detail per topic varies greatly for many reasons, some of
which include:

• My personal familiarity and comfort level with the topic.

• How relevant I personally feel it will be on the exam.

In other words, just because I cover something in great detail doesn't
mean it will be on the test. Likewise, if I cover a topic briefly, it doesn't
mean that it won't be covered in detail on the exam. In short, only you
know what areas you need to improve in, and there is no way to be
certain what will be asked on the exam.

This document will in no way prepare you for the RHCE exam by itself.
You need a lot of hands on experience. I recommend taking some of Red
Hat's excellent training courses. If you live in or near Denver, consider
yourself lucky. The instructor there is excellent in my opinion.

All network addresses, hostnames, and domain names used in this
document were made up. I attempted to pick names that no one would
actually use. Where possible, I stayed within those IP addresses
reserved for internal use.

Since I have now taken the exam, I will not be making any updates to
this study guide except to correct errors. If you find an error in any of
the information provided in this study guide, please report it to me per
the instructions at the top of this document.

41.2 Why am I sharing this document?


I think it will help the Linux movement by having more certified
technical people in the job market that can support Linux. While it is
true that a certification is not the only measure of technical expertise, I
believe it is important that there be a large group of certified individuals
available to help push Linux into areas where it isn't currently a major
player (e.g. the desktop). So, if this document helps even one other
person attain their RHCE, then I think it was worth sharing it.

41.3 Copyright
This document is copyright(c) 2002 Steve Bremer. I've gathered this
information from various sources including but not limited to:
1. The Manuals that come with Red Hat Linux.

2. Red Hat Certified Engineer Linux Study Guide 2nd Edition from Global
Knowledge (with the aid of Syngress Media, Inc. and Osborne McGraw-Hill)

3. Materials provided by Red Hat in their excellent training courses that I've taken.

4. Documentation provided within Red Hat's packages.

5. Man pages.

6. Various web sites.

I've always tried to give credit where credit is due if I've copied
anything directly out of one of the above mentioned documents. If you
noticed any place where I've failed to do so, please contact me via e-
mail.
