Steve's RHCE Study Guide

1. Hardware
1.1 Device Information
1.2 BIOS Limitations
1.3 Disk Drives
1.4 RAM
1.5 Serial Ports
1.6 IRQs
1.7 Plug 'n' Play
1.8 PC Card (PCMCIA)
1.9 Hardware Conflicts
1.10 Adding a Peripheral
2. Linux Hardware Support
2.1 Architectures
2.2 CPU
2.3 Swap Limitations
3. Installation
3.1 Installation Types/Classes
3.2 Installation Sources
3.3 Installation Method
3.4 Partition-less Installs
3.5 Creating Disk Images
3.6 Starting the installation from DOS.
3.7 Partitioning
3.8 Rescue Mode
3.9 Boot Disks
3.10 Package Selection
4. Boot Loaders
4.1 Concepts
4.2 Lilo
4.3 Grub
4.4 DOS Based
5. Boot up
5.1 Steps
5.2 /etc/inittab
5.3 Viewing boot up information.
5.4 Run Levels
5.5 Default Run Levels
6. Service Management
6.1 Types of services
6.2 Management tools
7. User & Group Administration
7.1 Adding Users
7.2 Modifying Users
7.3 Deleting Users
7.4 Adding Groups
7.5 Modifying Groups
7.6 Deleting Groups
7.7 User environment configuration
7.8 User Private Groups
7.9 Shadow file
7.10 Communicating with users.
7.11 User & Group Quotas
8. Network Administration
8.1 Utilities
8.2 Configuring Interfaces
8.3 Configuring Routes
8.4 Host Resolution
9. Other System Administration
9.1 Date/Time
9.2 Keyboard
9.3 Mouse
9.4 Sound
9.5 RH System configuration files
9.6 File System Administration
9.7 System Logging
9.8 Creating a Swap File
10. Package Management with RPM
10.1 Installation
10.2 Verification
10.3 Query
10.4 Source RPMs
10.5 Spec Files
10.6 Build Options
11. PCMCIA
11.1 Support
11.2 Device Management
12. RAID
12.1 Overview
12.2 Supported Versions
12.3 Partition Type
12.4 Configuration File ( /etc/raidtab )
12.5 Initializing RAID devices
12.6 Formatting RAID devices
12.7 RAID 5 parity options
12.8 Auto detection of RAID arrays
13. Advanced Power Management (APM)
13.1 Overview
13.2 Viewing power status
13.3 Options
14. Kernel
14.1 Types
14.2 Modules
14.3 Installing From Source
14.4 Installing from RPM
14.5 Adding a module to an already compiled kernel
15. PAM
15.1 Files
15.2 Module Types
15.3 Module Control Flags
15.4 Custom PAM Example
15.5 Time Based Restrictions
15.6 Access Based Restrictions
16. Cron & At
16.1 Overview
16.2 Crontab Files
16.3 At Jobs
16.4 Access Control
17. Sendmail
17.1 Packages
17.2 Configuration Files
17.3 A Simple Client Configuration
17.4 Debugging Sendmail
18. Apache
18.1 Defaults
18.2 Resource Control
18.3 Logging
18.4 User Web Space
18.5 Access Restrictions
18.6 Authentication
18.7 CGI
18.8 Virtual Hosts
18.9 SSL
19. BIND
19.1 Overview
19.2 Configuration Files
19.3 Caching Only Name Servers
19.4 Zones
19.5 Resource Records
19.6 Zone Files
20. DHCP
20.1 Overview
20.2 Server Configuration
20.3 Client Configuration
21. X Window System
21.1 Pieces
21.2 Configuration Tools
21.3 Configuration Recommendations
21.4 Hardware Support
21.5 Files
21.6 Window Managers
21.7 Desktop Environments
21.8 Display Managers
21.9 Session Managers
21.10 Starting X
21.11 Remote Display of X Applications
21.12 Troubleshooting X
22. FTP
22.1 Packages.
22.2 Configuration files
22.3 Operation
22.4 Types of User Accounts
22.5 Setting up Guest Users
22.6 Anonymous Upload
22.7 Virtual Hosts
23. Print Services
23.1 Overview
23.2 Configuration Files
23.3 Utilities
23.4 Remote Printing Requirements
24. NFS
24.1 Overview
24.2 Configuration
24.3 Auto Mounting NFS shares
24.4 NFS Utilities
25. Network Information Service (NIS)
25.1 Overview
25.2 NIS Client Info
25.3 NIS Server
25.4 Using Automounter to Automount User Home Directories
26. LDAP
26.1 Overview
26.2 LDAP Server
26.3 LDAP Clients
26.4 Using LDAP with NSS
27. Samba
27.1 Overview
27.2 Configuration
27.3 Utilities
27.4 Disabling Encrypted Passwords on Windows Clients
27.5 Configuring Samba as a Primary Domain Controller
27.6 Default Red Hat smb.conf
28. Squid
28.1 Overview
28.2 Configuration
28.3 Client Program (/usr/sbin/client)
29. INND
29.1 Overview
29.2 Configuration
29.3 Troubleshooting
30. NTP
30.1 Overview
30.2 Configuration
31. PPP
31.1 Overview
31.2 Client Configuration
31.3 Server Configuration
32. OpenSSH
32.1 Overview
32.2 Configuration
32.3 Client Usage
32.4 Authentication Methods Supported by sshd
32.5 ssh-agent usage
32.6 Keys
33. Security
33.1 TCP Wrappers
33.2 xinetd based security
33.3 IPCHAINS
33.4 IPTABLES (Netfilter)
34. Process Accounting
34.1 Overview
34.2 Turning On/Off
34.3 Viewing Information
35. Kickstart
35.1 Overview
35.2 Creating a Kickstart File
35.3 Kickstart Installation Types
35.4 Kickstart Installation
35.5 Additional Network Installation Info
36. Procmail
36.1 Overview
36.2 Configuration File Syntax
36.3 Example .procmailrc
37. IMAP & POP
37.1 Overview
37.2 Setup
38. Encryption (GPG & OpenSSL)
38.1 Overview
38.2 Encryption Types and Requirements
38.3 Using GPG
38.4 Using OpenSSL
39. stunnel
39.1 Overview
39.2 Configuration
40. Fetchmail Made Simple (really simple)
40.1 ~/.fetchmailrc
41. Copyright & Disclaimer
41.1 General Disclaimer
41.2 Why am I sharing this document?
41.3 Copyright
1. Hardware
1.1 Device Information
The following information should be collected about your devices before you begin the
installation.
1. Disk Drives
o Make
o Model
o Capacity
o Geometry (C/H/S)
2. CD-ROM Drives
o SCSI or IDE - Should work fine
o Older CD-ROM with proprietary interface:
1. Make
2. Model
3. IRQ
3. SCSI Controllers
o Make
o Model
4. NIC
o Make
o Model
o IRQ (if needed)
o ioport (if needed)
5. Video Card
o Make
o Model
o Amount of Memory
6. Sound Card (including game adapters)
o Make
o Model
o IRQ (if needed)
7. Monitor
o Make
o Model
o Resolutions
o Frequencies (both vertical and horizontal)
8. Mouse
o Type of Mouse Interface
1. Serial
May need to assign IRQ if > 3 serial devices
9 or 25 pin rectangular
/dev/ttyS[0-3]
Protocols -- Microsoft, Logitech
2. PS/2
IRQ 12 reserved
6 pin mini DIN
/dev/psaux
Protocols -- PS/2
3. Busmouse
Round 9 pin connector
Plugs into card (set IRQ and ioport with jumpers)
Protocols -- Most use BusMouse, but other options include:
Inport (Microsoft), Logitech, ATI-XL
/dev/inportbm (Inport)
/dev/logibm (Logitech)
/dev/atibm (ATI-XL)
1.2 BIOS Limitations
1. Can see only the first 1024 cylinders on a disk drive (Doesn't apply to SCSI drives
since the controllers have their own BIOS)
2. Can only access first 2 EIDE drives at boot (including CD-ROM)
3. Bootable drives must be on first two IDE channels (e.g. must be one of
hda, hdb, hdc, hdd)
1.3 Disk Drives
1. IDE/EIDE
o Device Names - /dev/hd[a-t]
o 16 partitions (15 usable)
1. 4 Primary partitions max
/dev/hd?[1-4]
2. 1 Extended partition max (takes the place of 1 primary partition if
used)
Can be one of /dev/hd?[2-4]
3. Up to 12 logical partitions within an Extended partition
Start at /dev/hd?5
o IDE (ATA) - 504 MB max size
o EIDE (ATA-2 or FastATA) -- 8 GB max w/o Logical Block Addressing
(LBA)
o Controller specific, NOT drive specific (e.g. To switch from IDE to EIDE
you replace the controller, not the disk drive)
o LBA -- Allows drives with > 1024 cylinders to be used by adjusting the
"HEAD" value.
Example: A drive with 2048 Cylinders, 16 Heads, and 63 Sectors appears
to the BIOS as having 1024 Cylinders, 32 Heads, and 63 Sectors
2. SCSI
o Device names
1. First controller -- /dev/sda, /dev/sdaa, /dev/sdab, etc.
2. Second controller -- /dev/sdb, /dev/sdba, /dev/sdbb, etc.
o 15 partitions (all usable)
o Not affected by BIOS limitations like IDE drives.
1.4 RAM
1. 2.2.x Kernels - 4 GB max
2. 2.4.x Kernels
o 1 GB on Default Kernel
o 4 GB on i686 Kernel
o 64 GB with Enterprise Kernel on Pentium II and higher systems that
support PAE (Physical Address Extensions)
1.5 Serial Ports
1. Standard serial ports are /dev/ttyS[0-3] (COM1 - COM4 in the DOS world)
2. IRQs can be shared on Kernels >= 2.2.x
o /dev/ttyS0 and /dev/ttyS2 share IRQ 4
o /dev/ttyS1 and /dev/ttyS3 share IRQ 3
3. For kernels < 2.2.0, IRQs must be explicitly defined using setserial.
e.g. /sbin/setserial /dev/ttyS0 irq 4
1.6 IRQs
1. Standard Assignment
0 - Nonmaskable interrupt (NMI)
1 - System Timer
2 - Cascade for controller 2
3 - /dev/ttyS1 and /dev/ttyS3 (Serial ports)
4 - /dev/ttyS0 and /dev/ttyS2 (Serial ports)
5 - Usually used for Sound card, but can be Parallel port 2
6 - Floppy disk controller
7 - Parallel port 1
8 - Real-time clock
9 - Redirected to IRQ2
10 - Not assigned (usually used for network cards)
11 - Not assigned
12 - PS/2
13 - Coprocessor
14 - Hard disk controller 1
15 - Hard disk controller 2
2. A Bare Bones system will have IRQs 5, 7, 9, 10, 11, and 12 free
1.7 Plug 'n' Play
1. ISA
o 2.2.x Kernels -- requires isapnptools to configure
o 2.4.x Kernels -- Generally automatic
2. PCI -- Generally automatic
1.8 PC Card (PCMCIA)
The "Card Services" package handles configuration of PC cards automatically.
1.9 Hardware Conflicts
Most common problems with hardware occur due to resource conflicts.
1. DMA Channels
2. IRQs
3. I/O Port Addresses
1.10 Adding a Peripheral
1. If the peripheral has any jumpers or switches, set them to values that won't
conflict with any of the existing hardware devices in your machine.
2. Shutdown your system and add the peripheral.
3. Restart the system and edit any necessary configuration files.
4. If the existing kernel doesn't support the peripheral, rebuild the kernel or build the
necessary module(s).
2. Linux Hardware Support
2.1 Architectures
1. IA-32
2. IA-64
3. Alpha
4. S390
2.2 CPU
1. 32 Processor support
2. 8 CPUs typical on IA-32
2.3 Swap Limitations
1. 4 GB maximum.
2. 8 Swap partitions maximum.
3. 2 GB maximum size per swap partition.
3. Installation
3.1 Installation Types/Classes
1. Server
o Space Requirements
1. Minimum (no GUI) -- 1 GB
2. Everything (no GUI) -- 1.3 GB
3. Everything, including GUI (KDE & GNOME) -- 2 GB
o File System Setup
1. / = 384 MB
2. /boot = 50 MB (Intel arch only)
3. /dos = 1 MB (Alpha arch only)
4. /var = 256 MB
5. /home = 512 MB minimum
6. /usr = 1400 MB minimum
7. swap = 1 - 2x RAM depending on available disk space
o Removes all existing partitions/OSes
2. Workstation
o Space Requirements
1. KDE or GNOME -- 1.5 GB
2. KDE & GNOME -- 1.8 GB
o File System Setup
1. / = 1100 MB minimum
2. /boot = 50 MB (Intel arch only)
3. /dos = 1 MB (Alpha arch only)
4. swap = 1 - 2x RAM depending on available disk space
o xinetd no longer installed by default. Increases security.
o Previously installed OSes are left intact
o Deletes all existing ext2 and ext3 partitions
o Will be configured to dual boot if another OS is present
3. Laptop
o Space Requirements -- Same as Workstation
o File System Setup -- Same as Workstation
o xinetd no longer installed by default. Increases security.
o Previously installed OSes are left intact.
o Deletes all existing ext2 and ext3 partitions
o Will be configured to dual boot if another OS is present.
o Installs laptop related packages (card services, etc.)
4. Custom
o Space Requirements
1. Minimum -- 350 MB
2. Everything -- 3.4 GB
o File System Layout
With automatic partitioning:
1. / = 700 MB
2. /boot = 50 MB (Intel arch only)
3. /dos = 1 MB (Alpha arch only)
4. swap = 1 - 2x RAM depending on available disk space
If automatic partitioning is not chosen, then the user configures the layout.
o Most flexible installation method.
5. Upgrade
o Existing installation must be at least RH 3.0.3.
o Existing data is not lost.
o Upgrades the kernel and all currently installed software packages.
3.2 Installation Sources
1. CD-ROM
o Most convenient method.
o Can boot directly from CD-ROM, or create a boot floppy from
boot.img/pcmcia.img.
2. NFS
o Create network boot floppy from bootnet.img (or pcmcia.img for laptops).
o Allows for simultaneous installations on multiple machines.
3. FTP
o Create network boot floppy from bootnet.img (or pcmcia.img for laptops).
o Allows for simultaneous installations on multiple machines.
o Handles more simultaneous installations than NFS.
4. HTTP
o Create network boot floppy from bootnet.img (or pcmcia.img for laptops).
o Allows for simultaneous installations on multiple machines.
5. Samba
o Create network boot floppy from bootnet.img (or pcmcia.img for laptops).
o Allows for simultaneous installations on multiple machines.
6. Local hard drive
o Create boot floppy from boot.img.
3.3 Installation Method
1. GUI
o Most user friendly.
o Only available for NFS or CD-ROM installations.
2. Text Mode
o Used for http, samba, and ftp installs.
o Can be used for other installs if chosen.
o Type "linux text" at the boot prompt to enter text mode.
3. Expert Mode
o Permits manual setup of hardware devices.
o Type "linux expert" at the boot prompt to enter expert mode.
4. Kickstart
o Automated installation.
o Must create a Kickstart configuration file (ks.cfg) describing the install.
o ks.cfg can be located locally, or on the network.
1. Local - floppy, cd-rom, or hard drive.
2. Network - Must be located on an NFS server. Requires DHCP to
be configured and used.
o Installation source can be CD-ROM, http, ftp, or nfs.
3.4 Partition-less Installs
Partitionless installs allow the user to install on an existing FAT partition. In this case
FAT refers to a regular FAT or a FAT32 partition. This installation method is not
recommended!
1. Requirements
o Enough space on the FAT partition for the install.
o A boot disk is necessary since LILO will not be installed.
o The FAT partition must be formatted prior to installation.
2. Setup
During the install, choose an existing FAT partition and assign your / partition to
it.
3. Limitations
o System will be slower.
o Cannot have multiple partitions dedicated to Linux.
o Requires a boot disk.
3.5 Creating Disk Images
The boot images are stored on the CD under /images. Images can be created from DOS
or in Linux.
1. From DOS -- use RAWRITE.COM and follow the prompts.
2. From Linux -- dd if=image of=/dev/fd0 bs=1k
3. Available images:
o bootnet.img - Used for network based install.
o boot.img - Used for CD-ROM and hard drive based install.
o pcmcia.img - Used for installing on laptop machines.
o pcmciadd.img - PCMCIA Driver disk.
o drvblock.img - Additional block drivers.
o drvnet.img - Additional network drivers.
o oldcdrom.img - Additional CD-ROM drivers.
3.6 Starting the installation from DOS.
Execute the following on the CD-ROM: E:\DOSUTILS\AUTOBOOT.BAT
3.7 Partitioning
1. Manual
o Allows the user to customize partitions.
o Can use either FDISK or Disk Druid:
1. Disk Druid
Easier to use.
Only available at install time.
Allows easy configuration for RAID devices.
2. FDISK
Always available.
Greater learning curve than Disk Druid.
Offers more features than Disk Druid.
2. Automatic
Partitions are automatically configured according to installation type as described
above.
3. Partition Types
o Linux Native = 83
o Linux Swap = 82
3.8 Rescue Mode
1. RH 7.x - Requires boot.img and rescue.img
2. RH 8.x - Must be booted from CD-ROM
3. Existing filesystem will be mounted under /mnt/sysimage (7.x only)
3.9 Boot Disks
Use mkbootdisk to create a boot floppy. You must specify a device and a kernel to use.
mkbootdisk --device /dev/fd0 `uname -r`
mkbootdisk `uname -r`   # Same as above. Default device is /dev/fd0
(Note: `uname -r` returns the kernel version.)
3.10 Package Selection
Custom installations allow you to choose which package groups and/or packages you
wish to install. Package groups are defined in /RedHat/base/comps. You can modify
existing groups and define your own package groups.
4. Boot Loaders
4.1 Concepts
1. Invocation
Invocation of the boot loader usually occurs in one of two ways:
o BIOS loads the first stage boot loader from the drive's MBR.
o BIOS loads another boot loader which then loads the first stage boot
loader from a partition's boot sector.
The first stage boot loader is also known as the Initial Program Loader (IPL). It must
be less than 512 bytes in size, so it is fairly limited. Its primary job is to load a
more functional boot loader (a.k.a. the second stage boot loader).
2. Configuration
There are two different ways to configure a boot loader:
o Install the first stage of the boot loader on the MBR. It can then be
configured to pass control to any desired operating system.
o Install the first stage of the boot loader in the boot sector of a partition.
Another boot loader is then installed on the MBR. This other boot loader
must be configured to pass control to the Linux boot loader.
4.2 Lilo
1. Configuration File
o /etc/lilo.conf
Sample File:
prompt                  # Present lilo prompt so user can interact with lilo
timeout=50              # Timeout in tenths of a second to wait for user interaction (50 = 5 s)
default=linux           # Default image to boot
boot=/dev/hda6          # Specifies boot device (Location to install primary boot loader)
                        # To install in the MBR, specify /dev/hda
map=/boot/map           # Location of map file
install=/boot/boot.b    # Location of second stage boot loader
password=some_passwd    # A password required to boot
restricted              # Password only required if options are entered at boot prompt
message=/boot/message   # Text message or splash screen (PCX) displayed at boot time
linear
# Image definition
image=/boot/vmlinuz-2.4.7-10        # Location of the virtual memory compressed kernel
        label=linux
        initrd=/boot/initrd-2.4.7-10.img    # Initial RAM Disk
        read-only
        root=/dev/hda9                      # Location of root file system
other=/dev/hda1         # Image definition
        optional
        label=windows

See the lilo.conf man page for an example.
2. Command Line Options
o -t - Test lilo configuration, but don't actually install.
o -v - Verbose
3. Boot Time arguments
Command line options can be entered at the boot prompt by appending them to the
image that you are booting. For example:
linux root=/dev/hda5 mem=128M 1
Tells lilo to boot the kernel with a label of "linux" into runlevel 1 using /dev/hda5
as the root filesystem. It also states the machine has 128 MB of RAM.
If lilo has been password protected, you will be required to enter the password
before booting.
4. Errors
The 'LILO' prompt itself can be used to help diagnose boot related errors. The
number of letters presented at the LILO prompt can indicate the success or failure
of the boot loader.
o L = First stage boot loaded and started. Usually indicates disk problems or
invalid options in /etc/lilo.conf.
o LI = Second stage boot loaded from /boot, but /etc/lilo.conf has
invalid parameters or /boot/boot.b was moved without re-running
/sbin/lilo.
o LIL = Second stage loader started, but the descriptor table can't be loaded
due to a bad disk or invalid parms in /etc/lilo.conf.
o LIL? = Second stage loaded at an incorrect address because of invalid
parms in /etc/lilo.conf or /boot/boot.b was moved without re-
running /sbin/lilo.
o LIL- = Descriptor table is corrupt. Caused by invalid parms in
/etc/lilo.conf or /boot/boot.b was moved without re-running
/sbin/lilo.
o LILO = All of LILO loaded correctly.
5. Limitations
o Must be installed on the 1st or 2nd IDE drive.
o Limited by BIOS (uses BIOS to load kernel off of disk).
o Must re-run /sbin/lilo every time you change your configuration.
6. Fixing a corrupt MBR
Use lilo to fix:
/sbin/lilo
7. Uninstalling LILO
When LILO overwrites an existing boot sector, it saves a copy of the original boot
sector in /boot. The name of the original boot sector will be boot.MMmm where
'MM' is the major device number and 'mm' is the minor device number. So, the
original boot sector from /dev/hda will be /boot/boot.0300.
To restore the original boot sector, use the dd command:
dd if=/boot/boot.0300 of=/dev/hda bs=446 count=1
The original boot sector is actually 512 bytes in length, but the remaining bytes
after 446 are part of the partition table and we don't want to overwrite that in case
it's changed.
8. Initial RAM Disk
o Need: Allows necessary drivers to be loaded at boot time that aren't
compiled directly into the kernel.
o Creation: Use mkinitrd to create the initial RAM disk:
mkinitrd /boot/initrd-2.4.7-10 2.4.7-10
o Setup: Specify in the /etc/lilo.conf file as shown above.
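The 446-byte restore in item 7 is worth rehearsing before it is ever typed against a real disk. The script below is an added example, not from the guide: it builds a constructed 512-byte "saved" sector and a constructed "current" sector whose partition table differs, runs the guide's dd with bs=446 count=1 against a file instead of /dev/hda, and then checks that the bootstrap code came back while the 64-byte partition table and the 0x55 0xAA signature were left alone. The one addition to the guide's command is conv=notrunc: a block device cannot be truncated, but a regular file would be cut to 446 bytes without it.

```shell
#!/bin/sh
# Added example: rehearse "dd if=/boot/boot.0300 of=/dev/hda bs=446 count=1"
# on throwaway files. Layout of a 512-byte MBR: 446 bytes bootstrap code,
# 64 bytes partition table (4 x 16), 2 bytes signature 0x55 0xAA.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a constructed sector: bootstrap filled with $2, table filled with $3.
make_sector() {   # $1=file $2=bootstrap byte $3=table byte
    {
        head -c 446 /dev/zero | tr '\0' "$2"
        head -c 64 /dev/zero | tr '\0' "$3"
        printf '\125\252'                      # 0x55 0xAA boot signature
    } > "$1"
}

# Restore only the bootstrap region, exactly as the guide's command does.
# conv=notrunc matters for a file: without it dd would cut the file to 446 bytes.
restore_bootstrap() {   # $1=saved sector (e.g. /boot/boot.0300) $2=target disk
    dd if="$1" of="$2" bs=446 count=1 conv=notrunc 2>/dev/null
}

# Succeed only if every byte in [skip, skip+count) of $1 equals $4.
region_is_all() {   # $1=file $2=skip $3=count $4=byte
    [ "$(dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d "$4" | wc -c | tr -d ' ')" = 0 ]
}

# Print the two signature bytes as hex, e.g. 55aa.
signature_of() {   # $1=file
    dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Constructed data: the sector LILO saved (bootstrap 'O', table 'P') and the
# disk as it is now (LILO's code 'L', a partition table 'N' edited since then).
make_sector "$WORK/boot.0300" O P
make_sector "$WORK/disk"      L N

restore_bootstrap "$WORK/boot.0300" "$WORK/disk"

# The bootstrap came back; the newer partition table and signature survived.
region_is_all "$WORK/disk" 0   446 O && echo "bootstrap restored"
region_is_all "$WORK/disk" 446 64  N && echo "partition table untouched"
[ "$(signature_of "$WORK/disk")" = 55aa ] && echo "signature intact"
```

The same region_is_all check, pointed at the real device after the real restore, is a cheap way to confirm that the partition table bytes 446-509 still match what fdisk -l reported beforehand.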
4.3 Grub
1. Features
o Command line interface available at boot prompt.
o Can boot from multiple file systems including ext2/3, Reiserfs, FAT,
minix, and FFS
o Password protection using MD5
o Changes to the configuration file take effect immediately. Don't have to re-
install the MBR.
2. Configuration File
o /boot/grub/grub.conf
Sample Configuration (the annotations are on their own "#" lines, since GRUB
only treats a line beginning with "#" as a comment):
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
#         all kernel and initrd paths are relative to /boot/, eg.
#         root (hd0,0)
#         kernel /vmlinuz-version ro root=/dev/hdb5
#         initrd /initrd-version.img
#boot=/dev/hdb
# Default to the first definition for booting
default=0
# Time in seconds to wait for user interaction
timeout=10
# Splash screen
splashimage=(hd1,0)/grub/splash.xpm.gz
# Password protection
password --md5 $1$EXt$Z..............
# First definition
title Red Hat Linux (2.4.17)
        root (hd1,0)
        kernel /vmlinuz-2.4.17 ro root=/dev/hdb5
# Second definition
title Red Hat Linux (2.4.17pre2-pk)
        root (hd1,0)
        kernel /vmlinuz-2.4.17pre2-pk ro root=/dev/hdb5
title Red Hat Linux (2.4.17pre2)
        root (hd1,0)
        kernel /vmlinuz-2.4.17pre2 ro root=/dev/hdb5
title Windows 98SE
        rootnoverify (hd0,0)
        makeactive
        chainloader +1
3. Boot Time arguments
In order to pass arguments to the image being booted, you must enter menu
editing mode, or enter the grub command line. If GRUB has been password
protected, you'll need to enter 'p' followed by your password first.
To enter menu editing mode, select an entry and press 'e'. This will allow you to
modify an existing boot setup and pass options to the kernel as well as init.
The GRUB command line allows you to create boot commands that don't exist in
your grub.conf file. You can also run diagnostic tests and view the contents of
files on your file systems.
4. Device Names according to Grub
o (fd0) - First floppy drive detected by BIOS
o (hd0) - First hard drive detected by BIOS (SCSI or IDE)
o (hd1,3) - Fourth partition on the 2nd hard drive detected by the BIOS
5. Fixing a corrupt MBR
Use grub-install to fix:
/sbin/grub-install /dev/hda
6. Multi-disk scenario
In this situation, we have a nameless OS installed on /dev/hda and Linux installed
on /dev/hdb. We need to set up grub to boot both OSes. This involves installing
the first stage of grub on the MBR of /dev/hda and the second stage of grub on the
/boot partition of /dev/hdb. We will use the grub configuration file listed above.
This scenario assumes you either have a working system or are running in rescue
mode chroot'd to /mnt/sysimage.
o Launch a grub shell:
/sbin/grub
Note: The remaining steps will be performed from within the "grub shell".
o Set the root device:
root (hd0,0)
o Specify where to install the various boot stages:
install (hd1,0)/grub/stage1 (hd0) (hd1,0)/grub/stage2 p (hd1,0)/grub/grub.conf
The above command line can be broken down as follows:
install <stage-1> <install-disk> <stage-2> p <config file>
4.4 DOS Based
1. Loadlin - Capable of booting multiple OSes
2. Syslinux - Used by the RH installation program.
5. Boot up
5.1 Steps
1. BIOS loads the first stage boot loader from the first sector of available disks (floppy,
hard drive, cd-rom, etc.)
2. First stage boot loader then loads the second stage boot loader.
3. Second stage boot loader allows the user to choose what kernel to boot.
4. Chosen kernel is then booted and devices are initialized.
5. Kernel then executes the init process.
6. Init starts services according to /etc/inittab:
o rc.sysinit - System initialization scripts
1. Mounts /proc.
2. Configures Kernel parameters (via sysctl)
3. Configures system clock.
4. Sets host name.
5. Initializes USB and HID devices.
6. Configures PnP.
7. Determines module dependencies.
8. Sets up any RAID devices.
9. Performs file system checks if needed.
10. Mounts file systems.
11. Starts user quotas.
12. Enables process accounting.
13. Starts swap.
14. Initializes serial ports.
15. Dumps boot messages to /var/log/dmesg
16. Much more....
o rc - Configures services based on runlevel
1. Stops services that begin with "K" in /etc/rcX.d where X is the
runlevel.
2. Starts services that begin with "S" in /etc/rcX.d where X is the
runlevel.
o rc.local - Configures any system specific information (deprecated).
o Other, runlevel specific services are started according to /etc/inittab.
1. mingetty (except for runlevel 1).
2. xdm (runlevel 5).
5.2 /etc/inittab
This file contains information needed by init to configure the system. Entries in the file
have a specific format:
id:runlevel:style:command to run
1. id - A 1-4 character field that creates a unique identifier for the entry.
2. runlevel - Specifies the runlevel(s) that the entry applies to.
3. style - Specifies how the command is executed.
o respawn - Process is restarted if it ever dies.
o wait - Process is started once when the specified runlevel is entered. Init
will wait for it to finish before proceeding.
o once - Process will be executed once when the specified runlevel is
entered.
o boot - Process will be executed during system boot (runlevel field is
ignored).
o bootwait - Same as boot, except init will wait for it to complete before
continuing.
o initdefault - Specifies the default run level (command field ignored).
o sysinit - Process executed during boot before any boot or bootwait entries.
o powerwait - Process executed when power goes down. Init waits for it to
complete.
o powerfail - Same as powerwait, except init doesn't wait for it to complete.
o powerokwait - Executed when power is restored. Init waits for it to
complete.
o powerfailnow - Executed when the battery on the UPS is almost dead.
o ctrlaltdel - Process executed when init receives the SIGINT signal
(CTRL+ALT+DEL was pressed).
4. command - Specifies the process to execute.
5.3 Viewing boot up information.
1. Boot information displayed during boot up is stored in /var/log/dmesg.
2. Use the 'dmesg' command to view it.
5.4 Run Levels
0 - Halt (Don't set default runlevel to this!)
1 - Single User mode
2 - Multi-user mode without NFS
3 - Full multi-user mode
4 - Unused
5 - X11 (with networking)
6 - Reboot (Don't set default runlevel to this!)
5.5 Default Run Levels
1. Workstation/Laptop = 5
2. Server = 3
3. Custom with X = 5
4. Custom w/o X = 3
6. Service Management
6.1 Types of services
1. System V services
o Managed by System V init scripts
o Scripts are stored in /etc/init.d
2. xinetd services
o Services started by the xinetd daemon.
o xinetd service control files are located in /etc/xinetd.d
o Defaults for xinetd are set in /etc/xinetd.conf
o xinetd itself is a System V service.
3. init services
o Configured in /etc/inittab.
o Provides respawn capability if the service dies.
6.2 Management tools
1. System V services
o service - Start/Stop services (CLI).
Example: To restart Apache:
service httpd stop
service httpd start

or
service httpd restart

o chkconfig - Configure services by runlevel (CLI). Doesn't affect currently
running services. Defaults to runlevels 3, 4, and 5 if none are specified.
To enable Apache on runlevels 3, 4, and 5:
chkconfig httpd on   # If runlevels aren't specified, default is 345

To enable Apache only on runlevels 3 & 5:
chkconfig --level 35 httpd on

o ntsysv - Configure services by runlevel (TUI).
Default is to configure the current run level. Use the "--level" option to specify
a different runlevel.
o tksysv - Configure services by runlevel (GUI) (Deprecated).
2. xinetd services
o chkconfig - Configures running services. Takes effect immediately on
xinetd services.
To start vsftp:
chkconfig vsftp on

o Edit the service configuration file in /etc/xinetd.d/ directly. To enable,
specify "disable = no". To disable, specify "disable = yes". After
changing the file, xinetd must either be given a USR2 signal so it re-reads its
configuration file or be restarted.
killall -USR2 xinetd
3. init services
The only way to modify init based services is to edit /etc/inittab. After
modifying the file, activate the changes by executing "init q".
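Sections 5.2 and 5.4 together describe what init reads and which default runlevels are safe. The script below is an added example, not part of the guide: it parses a constructed /etc/inittab in the id:runlevel:style:command format, reports the initdefault entry, lists the commands that apply to a given runlevel (the runlevel field can hold several digits, such as 2345), and refuses a default of 0 or 6, which the run level table says never to use. The file name and the sample entries are assumptions made for the example.

```shell
#!/bin/sh
# Added example: read /etc/inittab entries (id:runlevel:style:command) from a
# constructed copy and check the initdefault the way init would see it.
INITTAB=$(mktemp)
trap 'rm -f "$INITTAB"' EXIT
cat > "$INITTAB" <<'EOF'
# constructed sample, not a real /etc/inittab
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
x:5:respawn:/etc/X11/prefdm -nodaemon
EOF

# Print the runlevel from the initdefault entry (empty if there is none).
initdefault_of() {   # $1=inittab
    awk -F: '/^[[:space:]]*#/ {next} $3 == "initdefault" {print $2; exit}' "$1"
}

# Print the command of every entry whose runlevel field contains $2.
# Field 2 is a string of runlevels ("2345"), so index() rather than == is used;
# initdefault/sysinit/boot/bootwait entries are not runlevel services and are skipped.
commands_in_runlevel() {   # $1=inittab $2=runlevel digit
    awk -F: -v rl="$2" '
        /^[[:space:]]*(#|$)/ {next}
        $3 == "initdefault" || $3 == "sysinit" || $3 == "boot" || $3 == "bootwait" {next}
        index($2, rl) { sub(/^[^:]*:[^:]*:[^:]*:/, ""); print }' "$1"
}

# Return 0 when the default runlevel is usable, 1 when it is 0 (halt),
# 6 (reboot) or missing, which is what the run level table warns about.
check_initdefault() {   # $1=inittab
    case "$(initdefault_of "$1")" in
        0|6|"") return 1 ;;
        *)      return 0 ;;
    esac
}

check_initdefault "$INITTAB" && echo "initdefault $(initdefault_of "$INITTAB") is usable"
echo "runlevel 5 starts:"
commands_in_runlevel "$INITTAB" 5
```

Pointing INITTAB at the real /etc/inittab turns check_initdefault into a one-line sanity check to run before "init q" activates an edit.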
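The "disable = yes/no" edit described for xinetd services is small enough to script, and scripting it also gives a way to audit which services a directory of control files actually exposes. The following is an added example and not from the guide: it builds a constructed xinetd.d directory (the service names, server paths and attribute lines are assumptions), reads the effective disable value (an absent attribute means the service is enabled), rewrites or inserts the attribute, and lists what xinetd would offer. Signalling xinetd afterwards (killall -USR2 xinetd) is left to the administrator.

```shell
#!/bin/sh
# Added example: toggle and audit "disable =" in xinetd service files, using a
# constructed xinetd.d directory rather than /etc/xinetd.d.
XD=$(mktemp -d)
trap 'rm -rf "$XD"' EXIT

# Write a constructed service file; $3 is the disable value, "" for no line.
write_service() {   # $1=name $2=server path $3=yes|no|""
    {
        printf 'service %s\n{\n' "$1"
        printf '\tsocket_type\t= stream\n\twait\t\t= no\n\tuser\t\t= root\n'
        printf '\tserver\t\t= %s\n\tlog_on_failure\t+= USERID\n' "$2"
        [ -n "$3" ] && printf '\tdisable\t\t= %s\n' "$3"
        printf '}\n'
    } > "$XD/$1"
}

# Effective value of "disable": an absent attribute means the service is enabled.
xinetd_disable_value() {   # $1=service file
    awk -F= '$1 ~ /^[[:space:]]*disable[[:space:]]*$/ { v = $2; gsub(/[[:space:]]/, "", v) }
             END { print (v == "" ? "no" : v) }' "$1"
}

# Set "disable = yes|no", editing the existing line or adding one before the
# closing brace; the edit goes through a temp file so it works without sed -i.
set_xinetd_disable() {   # $1=service file $2=yes|no
    tmp="$1.tmp"
    if grep -q '^[[:space:]]*disable[[:space:]]*=' "$1"; then
        sed "s/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\).*/\1$2/" "$1" > "$tmp"
    else
        awk -v v="$2" '/^}/ && !done { printf "\tdisable\t\t= %s\n", v; done = 1 } { print }' "$1" > "$tmp"
    fi
    mv "$tmp" "$1"
}

# List the services in a directory that xinetd would actually offer.
enabled_xinetd_services() {   # $1=directory
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(xinetd_disable_value "$f")" = yes ] || basename "$f"
    done
}

# Constructed directory: telnet enabled, rsh disabled, finger with no disable line.
write_service telnet /usr/sbin/in.telnetd no
write_service rsh    /usr/sbin/in.rshd    yes
write_service finger /usr/sbin/in.fingerd ""

echo "enabled before: $(enabled_xinetd_services "$XD" | tr '\n' ' ')"
set_xinetd_disable "$XD/telnet" yes
echo "enabled after:  $(enabled_xinetd_services "$XD" | tr '\n' ' ')"
```

Run against /etc/xinetd.d, enabled_xinetd_services is the quick answer to "what is xinetd listening for on this box", with the caveat that a service whose file lacks a disable line counts as enabled.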
7. User & Group Administration
7.1 Adding Users
1. useradd
o Command line interface
o If not specified, defaults in /etc/default/useradd and
/etc/login.defs are used.
o Defaults:
1. userid - lowest unused value >= UID_MIN in /etc/login.defs.
2. home directory - /home/<username>.
3. primary group - a group with the same name as the username.
4. shell - /bin/bash.
o Options:
-u - userid
-g - primary group
-s - shell
-d - home directory
-c - comment (Commonly used to specify full name)
-m - make the home directory if it doesn't already exist
-M - don't create the user's home directory regardless of the defaults
-G - a list of supplementary groups that the user will belong to (separate with commas)
-n - don't create a group with the same name as the user
-r - create a system account (uid < UID_MIN in /etc/login.defs)
-D - displays defaults if no other options are given
-b - change default home (when used with -D)
-g - change default group (when used with -D)
-s - change default shell (when used with -D)
o Copies the contents of /etc/skel into the user's home directory to set up the
default user environment.
o Can specify a password with useradd using the -p option, but it is recommended
to use /usr/bin/passwd to set the user's password.
o Example - To add user "steve" using all of the defaults and set his
password, type:
useradd steve
passwd steve
o Login names can contain alphanumerics, -, and _. Maximum length is 25.
2. redhat-config-users
o GUI
o Uses the same defaults as useradd.
o Can specify a password.
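Two of the useradd defaults above are rules rather than fixed values: the userid is "the lowest unused value >= UID_MIN in /etc/login.defs", and a login name must fit the character and length rule given last. The script below is an added example, not from the guide, that implements both against a constructed login.defs excerpt and a constructed passwd (file names and sample accounts are assumptions; the fallback of 500/60000 when login.defs is silent is an assumption made here, not a documented useradd default).

```shell
#!/bin/sh
# Added example: compute the uid useradd would pick and validate a login name,
# from constructed login.defs and passwd files instead of the real ones.
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

cat > "$W/login.defs" <<'EOF'
# constructed excerpt, not a real /etc/login.defs
UID_MIN            500
UID_MAX          60000
GID_MIN            500
EOF

cat > "$W/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
steve:x:500:500:Steve:/home/steve:/bin/bash
jedi:x:501:501::/home/jedi:/bin/bash
yoda:x:503:503::/home/yoda:/bin/bash
EOF

# Read UID_MIN/UID_MAX from login.defs (falling back to 500/60000, an
# assumption for this example) and print the first uid not present in passwd.
next_free_uid() {   # $1=login.defs $2=passwd
    awk -F: -v defs="$1" '
        BEGIN {
            min = 500; max = 60000
            while ((getline line < defs) > 0) {
                n = split(line, w, /[[:space:]]+/)
                if (n >= 2 && w[1] == "UID_MIN") min = w[2] + 0
                if (n >= 2 && w[1] == "UID_MAX") max = w[2] + 0
            }
            close(defs)
        }
        /^[[:space:]]*(#|$)/ { next }
        { used[$3] = 1 }
        END {
            for (u = min; u <= max; u++) if (!(u in used)) { print u; exit }
        }' "$2"
}

# The guide''s rule: alphanumerics, "-" and "_" only, at most 25 characters.
valid_login_name() {   # $1=candidate
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]{1,25}$'
}

echo "next free uid: $(next_free_uid "$W/login.defs" "$W/passwd")"
valid_login_name "r2d2"     && echo "r2d2 accepted"
valid_login_name "han solo" || echo "'han solo' rejected"
```

The gap at 502 is the point of the example: useradd fills holes left by deleted accounts, which is why a new user can inherit files still owned by a reused uid unless userdel -r (7.3) cleaned up the old home directory.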
7.2 Modifying Users
1. usermod
o Command line interface.
o Options: Similar to useradd above.
o Example - To change steve's shell to /bin/ksh, type:
usermod -s /bin/ksh steve
2. redhat-config-users
7.3 Deleting Users
1. userdel
o Command line interface.
o Options:
-r - removes the user's home directory and mail spool.
o Example - To remove user steve, his home directory, and his mail spool,
type:
userdel -r steve
2. redhat-config-users
7.4 Adding Groups
1. groupadd
o Command line interface
o If not specified, defaults in /etc/login.defs are used.
o Defaults:
1. groupid - lowest unused value >= GID_MIN in /etc/login.defs.
o Options:
-g - groupid
-r - create a system group (gid < GID_MIN in /etc/login.defs)
-f - exit with an error if the group already exists
o Example - To add a group called "jedi" using the defaults, type:
groupadd jedi
2. redhat-config-users
7.5 Modifying Groups
1. groupmod
o Command line interface
o Options:
-g - new groupid
-n - new group name
o Example - To change the name of group "jedi" to "Jedi", type:
groupmod -n Jedi jedi
2. redhat-config-users
7.6 Deleting Groups
1. groupdel
o Command line interface
o Options: None
o Example - To remove group "Jedi", type:
groupdel Jedi
2. redhat-config-users
'.' (ser environ&ent #on;i%uration
1. Glo<al
o @et#@pro;ile
1. S&stem .i)e environment set#0 for Bo#rne t&0e s1ells *ks1G s1G
6as1G etc.+
2. <=ec#te) onl& for lo$in s1ells.
3. <=ec#tes /etc/profile.d/*.sh
o @et#@<as0r#
1. S&stem .i)e f#nctions an) aliases for Bo#rne t&0e s1ells *ks1G s1G
6as1G etc.+
2. <=ec#te) for all s1ell invocations.
o @et#@#s0.lo%in
1. S&stem .i)e environment set#0 for ( t&0e s1ells *ks1G s1G 6as1G
etc.+
2. <=ec#te) onl& for lo$in s1ells.
3. <=ec#tes /etc/profile.d/*.csh
o @et#@#s0.#s0r#
1. S&stem .i)e f#nctions an) aliases for ( t&0e s1ells *ks1G s1G 6as1G
etc.+
2. <=ec#te) for all s1ell invocations.
2. 2er (ser
<ac1 #serIs 1ome )irector& ma& contain several environment confi$#ration files.
o .6as1rc % Same as 4etc46as1rc a6ove.
o .6as1Q0rofile % same as 4etc40rofile a6ove.
o .6as1Qlo$o#t % e=ec#te) .1en t1e #ser lo$s o#t.
o .k)eG .k)erc % 9D< confi$#ration information.
o Deskto0 % 5@OM< confi$#ration information.
o .=initrc % Starts vario#s B clients *not #se) in R- 6& )efa#ltG see .Bclients
instea)+.
o .Bclients % <=ec#tes .Bclients%)efa#lt
o .Bclients%)efa#lt % Starts t1e s0ecifie) .in)o. mana$er
3. @et#@s-el
31is )irector& contains all of t1e )efa#lt set#0 files t1at $et co0ie) to a #sers
1ome )irector& .1en t1e& are create).
'.+ (ser 2rivate Groups
Re) -at #ses t1e #ser 0rivate $ro#0s sc1eme. ?it1 t1is sc1emeG eac1 #ser 1as t1eir o.n
0rimar& $ro#0 in .1ic1 t1e& are t1e sole mem6er. 31is allo.s for a )efa#lt #mask of //2.
7.9 Shadow file
With traditional unix, user passwords were stored in the /etc/passwd file. Because this file has to be world readable in order for the system to function properly, it allowed everyone on the system to view the encrypted version of everyone's password. The shadow file fixes this problem. The user's encrypted password is now stored in the /etc/shadow file, which is only readable by root.
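As an added example, not part of the study guide, the Python below turns the point above into a check: it parses constructed passwd- and shadow-style text and reports any account whose hash still sits in the world-readable passwd file (the field should be the "x" placeholder) or whose shadow password field is empty, and it tests a file mode for world-readability the way you would check /etc/shadow itself. The sample lines and hash strings are constructed.

```python
import os
import stat

# Constructed /etc/passwd and /etc/shadow contents (not from a real host). The
# "legacy" account still carries its hash in passwd; "nopass" has an empty
# password field in shadow; the hash strings themselves are made up.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
steve:x:500:500:Steve:/home/steve:/bin/bash
legacy:$1$abcdefgh$CONSTRUCTEDHASHxxxxxxxxxx:501:501::/home/legacy:/bin/bash
nopass:x:502:502::/home/nopass:/bin/bash
"""

SHADOW = """\
root:$1$saltsalt$CONSTRUCTEDROOTHASHxxxxxxx:12000:0:99999:7:::
steve:$1$saltsalt$CONSTRUCTEDSTEVEHASHxxxxxx:12000:0:99999:7:::
nopass::12000:0:99999:7:::
"""


def parse_colon_file(text, nfields):
    """Parse passwd/shadow style text into {account: fields}; blanks and # lines are skipped."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError("malformed line: %r" % line)
        entries[fields[0]] = fields
    return entries


def audit_passwords(passwd_text, shadow_text):
    """Return sorted (account, finding) pairs for accounts that break the shadow scheme."""
    findings = []
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    for name, fields in passwd.items():
        password = fields[1]
        if password == "x":              # placeholder: the hash lives in /etc/shadow
            if name not in shadow:
                findings.append((name, "no shadow entry"))
            elif shadow[name][1] == "":
                findings.append((name, "empty password field in shadow"))
        elif password == "":
            findings.append((name, "empty password field in passwd"))
        else:                            # pre-shadow layout: hash readable by everyone
            findings.append((name, "hash stored in world-readable passwd"))
    return sorted(findings)


def world_readable(mode):
    """True if a file mode grants read access to 'other', which /etc/shadow must not."""
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    for account, finding in audit_passwords(PASSWD, SHADOW):
        print("%-8s %s" % (account, finding))
    if os.path.exists("/etc/shadow"):    # live check, meaningful only on a Linux host
        mode = stat.S_IMODE(os.stat("/etc/shadow").st_mode)
        print("/etc/shadow mode %04o, world readable: %s" % (mode, world_readable(mode)))
```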
7.10 Communicating with users.
1. Determining who is Logged In
o users - Uses /var/run/utmp by default to determine who is logged in. Can specify another file to use, such as /var/log/wtmp.
o w - Uses /var/run/utmp to report who is logged in. Also displays if the user is idle and the last command executed by the user.
o who - Uses /var/run/utmp by default to determine who is logged in. Can specify another file to use, such as /var/log/wtmp. Also shows the tty the user is logged into, and the time he/she logged in.
2. User Related Commands
o tty - Displays the terminal that the tty command was executed on.
o wall - Sends a message to all users that are logged in locally.
o write - Creates a half-duplex communication with another user.
o mesg - Used to enable/disable incoming messages from other users. When disabled, it prevents other users from using the "write" command to talk to you.
7.11 User & Group Quotas
1. Overview
o Allow limitations to be set on the number of files and disk space used.
o Configured by user and/or group.
o ext2, ext3, and reiser file systems only (reiser supported as of RH 7.1).
o Kernel must be compiled with quota support (CONFIG_QUOTA=y).
o Enabled at boot time by rc.sysinit for any file system that has usrquota or grpquota listed in its options field.
o Quota information maintained by kernel while system is running.
2. File System Configuration
o /etc/fstab
Must set usrquota/grpquota options in /etc/fstab. For example, to enable user and group quotas on /home:
LABEL=/home /home ext3 defaults 1 2

should be changed to:
LABEL=/home /home ext3 defaults,usrquota,grpquota 1 2

o aquota.user & aquota.group
1. Exist in the root of each file system in which quotas are configured.
2. Store quota information.
3. Create with quotacheck:
quotacheck -vug /home
or
quotacheck -avug
to check all file systems that have quotas enabled in /etc/fstab.
quotacheck checks the current quota information for all users. It must be run to collect initial quota information.
Options:
-a - scan all file systems with quotas enabled in /etc/fstab
-v - verbose
-g - scan for group quotas
-u - scan for user quotas

3. Modifying Quotas
edquota is used to modify user and group quotas.
o Users
edquota -u steve
Displays quota information for user steve in a text editor for editing. All file systems with quotas enabled are shown. Inode and block information can be changed.
o Groups
edquota -g users
Same as above, only for group users instead.
o Prototypes
Once a user's quota has been configured, he/she can be used as a prototype for other users. For example, to use steve's quotas as a prototype for other users, type:
edquota -p steve luke darth yoda
This will copy steve's quota settings to luke, darth and yoda.
4. Enabling/Disabling Quotas
o To enable:
quotaon -ug /home
for a specific file system, or
quotaon -aug
for all file systems with quotas enabled in /etc/fstab
o To disable:
Same as quotaon, only use quotaoff instead.
5. Limits
o Soft
Maximum amount of space or files user/group can use.
o Hard
Only used if grace periods are in effect, otherwise they are ignored and soft limits are used to enforce file system limits.
o Grace Periods
If used, users may exceed their soft limits up to their hard limits for a period of days specified by the grace period. After the grace period expires, the user can no longer exceed their soft limit.
Grace periods are set using edquota -t.
6. Reporting
To report quota information, use repquota:
repquota -a
repquota -u /
repquota -u steve
The first line shows quota information for all users and groups for all file systems. The second line shows user quota information for the / file system. The third line shows quota information for user steve on all file systems.
7. Quota Conversion
Changes were made to quotas in RH 7.1. To convert older quotas from pre RH 7.1, use convertquota:
convertquota -ug /home
Converts old quotas in the /home file system to the new quotas. Note that the old quotas used quota.user and quota.group instead of aquota.user and aquota.group.
8. Quotas over NFS
Since NFS maps remote users to local users, set the quotas on the local users that you plan to map the remote users to.
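As an added example (not from the study guide), the Python below performs the /etc/fstab change the File System Configuration step describes: it parses fstab text, reports which mount points rc.sysinit would enable quotas on, and adds usrquota/grpquota to one mount point's options idempotently, refusing file system types the section does not list as supported. The fstab contents are constructed.

```python
QUOTA_FS_TYPES = ("ext2", "ext3", "reiserfs")   # the file systems the section lists
QUOTA_OPTIONS = ("usrquota", "grpquota")

# Constructed /etc/fstab; the /home line is the one the section shows before the change.
FSTAB = """\
# device         mount    type   options   dump pass
LABEL=/          /        ext3   defaults  1 1
LABEL=/home      /home    ext3   defaults  1 2
none             /proc    proc   defaults  0 0
LABEL=/scratch   /data    vfat   defaults  0 0
"""


def fstab_entries(text):
    """Yield (line_number, fields) for every real entry; comments and blanks are skipped."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:   # dump and pass may be omitted, the first four may not
            raise ValueError("line %d: too few fields: %r" % (number, raw))
        yield number, fields


def quota_enabled_mounts(text):
    """Mount points rc.sysinit would turn quotas on for: usrquota or grpquota in options."""
    mounts = []
    for _, fields in fstab_entries(text):
        options = fields[3].split(",")
        if any(option in options for option in QUOTA_OPTIONS):
            mounts.append(fields[1])
    return mounts


def enable_quotas(text, mount_point, user=True, group=True):
    """Return fstab text with usrquota/grpquota added to one mount point's options.

    Idempotent: options already present are not duplicated. The other fields are
    kept, though the edited line is re-joined with single spaces. Raises if the
    mount point is absent or its type is not one the section lists as supported.
    """
    wanted = (["usrquota"] if user else []) + (["grpquota"] if group else [])
    found = False
    output = []
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split()
        if line and not line.startswith("#") and len(fields) >= 4 and fields[1] == mount_point:
            found = True
            if fields[2] not in QUOTA_FS_TYPES:
                raise ValueError("%s is %s; quotas need one of %s"
                                 % (mount_point, fields[2], ", ".join(QUOTA_FS_TYPES)))
            options = fields[3].split(",")
            options += [option for option in wanted if option not in options]
            fields[3] = ",".join(options)
            raw = " ".join(fields)
        output.append(raw)
    if not found:
        raise ValueError("no fstab entry for %s" % mount_point)
    return "\n".join(output) + "\n"


if __name__ == "__main__":
    updated = enable_quotas(FSTAB, "/home")
    print(updated)
    print("quotas enabled on:", quota_enabled_mounts(updated))
```

After the edit, quotacheck, quotaon and the rest of the steps above still have to be run; the block only rewrites the fstab entry.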
8. Network Administration
8.1 Utilities
1. ifconfig
ifconfig is used to configure network interfaces.
Example:
ifconfig eth0 192.168.1.10 netmask 255.255.255.0 up
This configures interface eth0 with an IP of 192.168.1.10/255.255.255.0. Note that "up" is assumed if left off. A default network mask will also be determined by the IP if it is not specified.
2. route
route is used to configure routing information.
Example:
route add -net 10.20.30.40 netmask 255.255.255.248 eth0
route add -net 10.20.30.48 netmask 255.255.255.248 gw 10.20.30.41

The first line states that the route to network 10.20.30.40/255.255.255.248 is through our local interface eth0. The second line states that the route to network 10.20.30.48/255.255.255.248 is through gateway 10.20.30.41.
3. arp
arp is used to administer the arp cache. It can view, add, and delete entries in the cache.
o View arp cache:
arp
This will display something like:
Address HWtype HWaddress Flags Mask Iface
192.168.1.1 ether 00:60:08:27:CE:A2 C eth0
192.168.1.12 ether 00:80:5F:01:74:13 C eth0
192.168.1.15 ether 00:60:08:27:CE:B2 CM eth0
192.168.1.20 ether 00:A0:CC:25:9F:4C C eth0

The "C" flag means it's a complete entry. The "M" flag indicates it's an entry added manually and it is permanent.
o Add an entry:
arp -s 192.168.33.15 00:60:08:27:CE:B2
o Delete an entry:
arp -d 192.168.33.15
4. ping
ping is used to troubleshoot network/host connectivity. It uses ICMP echo request and echo reply to test the connectivity. If a host doesn't respond, it could be for any number of reasons:
o The remote host is down.
o The remote host is filtering ICMP packets.
o Some point in the network in-between the two hosts is down.
o A device in-between the two hosts is filtering ICMP packets.
Examples:
ping 192.168.1.12
ping -b 192.168.1.0

The first line pings a single host, 192.168.1.12. The second line performs a broadcast ping to all hosts on the 192.168.1.0 network.
5. traceroute
traceroute is also used to test network/host connectivity. However, it displays each hop along the way from the source to the destination. It can help you determine if the problem is with the remote host itself, or some point in-between the hosts.
Example:
traceroute 192.168.10.100
This will print a line for each hop in-between the local and remote host (192.168.10.100) as well as a line for the final destination, up to a maximum of 30 hops.
6. netstat
netstat provides a lot of useful information, including:
o Routing tables.
o Interface statistics (dropped packets, buffer overruns, etc.)
o Network connections.
o Multicast memberships.
Examples:
netstat -i # Display interface statistics
netstat -lpe # Display all listening sockets and the programs that own them
netstat -r # Display routing information
netstat -ape # Show all listening and non-listening sockets

7. netconfig
o TUI based.
o Used to configure a network interface.
o Used by text based installation methods.
8. redhat-config-network
This is a GUI administration tool that allows you to configure several aspects of your networking: interfaces, boot protocols, host resolution, routing, and more.
9. ifup / ifdown
These shell script wrappers allow you to bring an interface up and take it down. They use the configuration information in the /etc/sysconfig directory to configure the interface specified.
For example, to bring up interface eth0, simply type:
ifup eth0
8.2 Configuring Interfaces
1. Configuration files
The configuration files for network interfaces all reside in /etc/sysconfig. For a complete description of these configuration files, see /usr/share/doc/initscripts-X.XX/sysconfig.txt where X.XX is the version of initscripts that you have installed.
o network
Options:
NETWORKING=yes
HOSTNAME=localhost.localdomain

The first option enables networking, and the second sets the host name. A default gateway can also be specified here using the "GATEWAY=" option, but it is usually specified in the "ifcfg-<device>" scripts for devices now.
o network-scripts/ifcfg-<device>
This contains the configuration options for a single interface.
1. For a device that uses DHCP, it may look like:
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes # Start at boot up?
IPXPRIMARY_802_2="no"
IPXACTIVE_802_2="no"
IPXPRIMARY_802_3="no"
IPXACTIVE_802_3="no"
IPXPRIMARY_ETHERII="no"
IPXACTIVE_ETHERII="no"
IPXPRIMARY_SNAP="no"
IPXACTIVE_SNAP="no"
TYPE=Ethernet
USERCTL=no # Allow users to control this interface?
NETWORK=192.168.33.0
BROADCAST=192.168.33.255
PEERDNS=no # Should we modify /etc/resolv.conf if using DHCP or BOOTP?

Most of the items above should be self explanatory. The only required options for a client using DHCP are "DEVICE" and "BOOTPROTO".
2. For a device using a statically assigned IP, it will look similar to this:
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes # Start at boot up?
IPXPRIMARY_802_2="no"
IPXACTIVE_802_2="no"
IPXPRIMARY_802_3="no"
IPXACTIVE_802_3="no"
IPXPRIMARY_ETHERII="no"
IPXACTIVE_ETHERII="no"
IPXPRIMARY_SNAP="no"
IPXACTIVE_SNAP="no"
TYPE=Ethernet
USERCTL=no # Allow users to control this interface?
NETWORK=192.168.33.0
BROADCAST=192.168.33.255
PEERDNS=no # Should we modify /etc/resolv.conf if using msdns?
IPADDR=192.168.33.50
GATEWAY=192.168.33.1 # Default Gateway
NETMASK=255.255.255.0

The only required options are "DEVICE" and "IPADDR". Most of the other options can be derived from the IPADDR if your network is configured based on network classes. If you aren't subnetting on an octet, a netmask is required.
2. Manual Configuration
One way to configure an interface is to edit the above files directly with a text editor. After you are done editing them, execute an "ifdown" followed by an "ifup". This should reset your interfaces to the new values you've specified.
3. GUI Configuration
You can also use the "redhat-config-network" tool to configure your interfaces.
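As an added example rather than code from the study guide or from initscripts, the Python below parses ifcfg-<device> text, checks that the options the section calls required are present for the BOOTPROTO in use, derives NETWORK and BROADCAST from IPADDR and NETMASK (falling back to the classful mask when NETMASK is absent, as the text describes), and flags a GATEWAY that lies outside the interface's network. The ifcfg contents are constructed from the section's examples.

```python
import ipaddress

# Constructed ifcfg-eth0 contents modelled on the section's static and DHCP examples.
IFCFG_STATIC = """\
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes # Start at boot up?
TYPE=Ethernet
USERCTL=no
IPADDR=192.168.33.50
GATEWAY=192.168.33.1 # Default Gateway
NETMASK=255.255.255.0
"""

IFCFG_DHCP = """\
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
PEERDNS=no
"""

# Options the section calls required, per boot protocol.
REQUIRED = {
    "dhcp": ("DEVICE", "BOOTPROTO"),
    "bootp": ("DEVICE", "BOOTPROTO"),
    "static": ("DEVICE", "IPADDR"),
    "none": ("DEVICE", "IPADDR"),
}


def parse_ifcfg(text):
    """Parse shell-style KEY=value lines; quotes and trailing # comments are dropped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip("\"'")
    return cfg


def classful_netmask(ip):
    """Mask implied by the address class, used when NETMASK is not given."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "255.0.0.0"       # class A
    if first < 192:
        return "255.255.0.0"     # class B
    return "255.255.255.0"       # class C


def derive_network(cfg):
    """IPv4Network for a static ifcfg, from IPADDR and NETMASK (or the classful mask)."""
    mask = cfg.get("NETMASK") or classful_netmask(cfg["IPADDR"])
    return ipaddress.IPv4Network("%s/%s" % (cfg["IPADDR"], mask), strict=False)


def network_and_broadcast(text):
    """The NETWORK and BROADCAST values an ifcfg file implies, as strings."""
    net = derive_network(parse_ifcfg(text))
    return str(net.network_address), str(net.broadcast_address)


def check_ifcfg(text):
    """Return a list of problems; an empty list means the required items are consistent."""
    cfg = parse_ifcfg(text)
    proto = cfg.get("BOOTPROTO", "none").lower()
    problems = ["missing %s" % key for key in REQUIRED.get(proto, ("DEVICE",)) if key not in cfg]
    if proto in ("static", "none") and "IPADDR" in cfg:
        net = derive_network(cfg)
        expected = {"NETWORK": str(net.network_address), "BROADCAST": str(net.broadcast_address)}
        for key, want in expected.items():
            if key in cfg and cfg[key] != want:
                problems.append("%s=%s disagrees with IPADDR/NETMASK (expected %s)" % (key, cfg[key], want))
        if "GATEWAY" in cfg and ipaddress.IPv4Address(cfg["GATEWAY"]) not in net:
            problems.append("GATEWAY %s is outside %s" % (cfg["GATEWAY"], net))
    return problems


if __name__ == "__main__":
    for label, text in (("static", IFCFG_STATIC), ("dhcp", IFCFG_DHCP)):
        print("%s: problems=%s" % (label, check_ifcfg(text) or "none"))
    print("static network/broadcast: %s/%s" % network_and_broadcast(IFCFG_STATIC))
```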
8.3 Configuring Routes
1. Configuration files
The configuration files for routing are also located under /etc/sysconfig.
o static-routes
This file contains static routing information that should be added to the routing tables when interfaces are brought up. It has the following format:
<device> host|net <arguments to route command>
For example:
eth0 net 10.20.30.0 netmask 255.0.0.0 gw 192.168.1.50
Adds a route to network 10.20.30.0/255.0.0.0 using the gateway at 192.168.1.50 to device eth0.
o network-scripts/ifcfg-<device>
For devices with static IPs, this file is typically used to specify the default gateway for the device (see Interface Configuration above).
2. Manual Configuration
Same as "Interface Manual Configuration" above.
3. GUI Configuration
Same as "Interface GUI Configuration" above.
8.4 Host Resolution
1. DNS
Host names can be resolved using DNS or through a local lookup file, /etc/hosts. By default, /etc/hosts is consulted before performing a DNS lookup. However, the resolution order can be changed by modifying /etc/nsswitch.conf.
o /etc/hosts format:
IP address Host Name Aliases
Example:
127.0.0.1 localhost
192.168.1.1 gateway.somedomain.com gateway gate gw
192.168.1.20 somehost.somedomain.com somehost some
192.168.1.25 otherhost.somedomain.com otherhost

o /etc/resolv.conf
This contains the IP addresses of up to 3 DNS servers that will be consulted when trying to perform host name lookups.
Format:
nameserver 192.168.1.2
nameserver 192.168.1.3
domain somedomain.com
search somedomain.com otherdomain.com

The "domain" option specifies the local domain. If a host lookup is performed and an FQDN isn't specified, this domain is appended to the host name to create the FQDN. The "search" option specifies the order in which the domains should be queried if a host lookup is requested without specifying an FQDN. The "domain" and "search" options are mutually exclusive. If both are specified, the last one given is used.
2. NIS
COMPLETE ME
3. LDAP
COMPLETE ME
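As an added example, not from the study guide, the Python below models the lookup order the DNS item describes: it parses the /etc/hosts sample and resolv.conf (keeping at most three nameservers, and letting a later domain or search line override an earlier one), then resolves a name against the hosts table, trying each search domain in turn for names given without a dot. The sample files are copies of the section's examples plus one constructed otherdomain.com entry; a None result is the point at which the real resolver would go on to query the nameservers.

```python
MAXNS = 3  # the resolver library reads at most three nameserver lines

# Copies of the section's sample files, plus one constructed otherdomain.com host.
HOSTS = """\
127.0.0.1 localhost
192.168.1.1 gateway.somedomain.com gateway gate gw
192.168.1.20 somehost.somedomain.com somehost some
192.168.1.25 otherhost.somedomain.com otherhost
# constructed extra entry, reachable only through the second search domain
10.9.8.7 printer.otherdomain.com
"""

RESOLV = """\
nameserver 192.168.1.2
nameserver 192.168.1.3
domain somedomain.com
search somedomain.com otherdomain.com
"""


def parse_hosts(text):
    """Map every canonical name and alias (lower-cased) to its address."""
    table = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            table.setdefault(name.lower(), parts[0])  # first matching line wins
    return table


def parse_resolv(text):
    """Return (nameservers, search_list).

    'domain' and 'search' are mutually exclusive: whichever appears last wins,
    and 'domain X' behaves like 'search X'.
    """
    nameservers, search = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        if parts[0] == "nameserver" and len(nameservers) < MAXNS:
            nameservers.append(parts[1])
        elif parts[0] == "domain":
            search = [parts[1]]
        elif parts[0] == "search":
            search = parts[1:]
    return nameservers, search


def lookup(name, hosts, search):
    """Resolve through the hosts table, the first source in the default order.

    A name containing no dot is also tried with each search domain appended,
    in order. Returns the address, or None when the hosts table has no match,
    which is the point at which the real resolver moves on to the nameservers.
    """
    name = name.lower().rstrip(".")
    candidates = [name]
    if "." not in name:
        candidates += ["%s.%s" % (name, domain.lower()) for domain in search]
    for candidate in candidates:
        if candidate in hosts:
            return hosts[candidate]
    return None


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS)
    nameservers, search = parse_resolv(RESOLV)
    print("nameservers: %s  search: %s" % (nameservers, search))
    for query in ("gw", "somehost", "printer", "otherhost.somedomain.com", "nosuch"):
        print("%-26s -> %s" % (query, lookup(query, hosts, search)))
```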
9. Other System Administration
9.1 Date/Time
1. redhat-config-time
o a.k.a. redhat-config-date, dateconfig
o GUI based.
o Set system time/date.
o Select timezone.
o Enable Network Time Protocol (NTP).
o Set whether hardware clock is set to UTC.
2. timeconfig
o TUI based.
o Select timezone.
o Set whether hardware clock is set to UTC.
3. date
o CLI based.
o Set system date/time.
4. hwclock
o Used to query/set hardware clock.
o Can sync the hardware clock to the system clock and vice-versa.
o Hardware clock used at boot up to set system clock, then never used again during normal operation.
o Hardware clock is synced to the system clock at shutdown.
9.2 Keyboard
1. kbdconfig
o TUI based.
o Sets the default keyboard map.
o Value stored in /etc/sysconfig/keyboard (KEYTABLE="us").
2. kbdrate
Sets keyboard repeat rate and delay:
kbdrate -r30 -d0
Sets the repeat rate to 30 characters per second (the max) and a repeat delay of 250 ms (lowest possible).
9.3 Mouse
1. mouseconfig
o Configures file links and modifies configuration files necessary to use a mouse.
o TUI or CLI
o Modifies X Configuration file
o CLI Options:
--modifyx # Modify X configuration file
--device <dev> # Specify device to use for mouse
--noprobe # No automatic probing is done
--emulthree # Enable 3 button emulation
--kickstart # Forces mouseconfig to run in non-interactive mode and probe for as much information about the mouse as possible
2. Xconfigurator
See section on X for more information.
9.4 Sound
1. sndconfig
o TUI based.
o Options:
--noprobe # Prevent probing of PnP cards
--noautoconfig # Allow user to choose settings for card
9.5 RH System configuration files
RH stores many system config files under /etc/sysconfig:
Note: The following is taken from the sysconfig.txt file provided in Red Hat's initscripts (version 6.40) package. Obsolete options have been removed.
/etc/sysconfig/authconfig
used by authconfig to store information about the system's user
information and authentication setup; changes made to this file
have no effect until the next time authconfig is run
USEHESIOD=no
Whether or not the hesiod naming service is in use. If not set,
authconfig examines the passwd setting in /etc/nsswitch.conf.
USELDAP=no
Whether or not LDAP is used as a naming service. If not set,
authconfig examines the passwd setting in /etc/nsswitch.conf.
USENIS=no
Whether or not NIS is in use. If not set, authconfig examines
the passwd setting in /etc/nsswitch.conf.
USEKERBEROS=no
Whether or not Kerberos is in use. If not set, authconfig examines
the settings in /etc/pam.d/system-auth.
USELDAPAUTH=no
Whether or not LDAP is being used for authentication. If not set,
authconfig examines the settings in /etc/pam.d/system-auth. Note
that this option is separate from USELDAP, and that neither implies
the other.
USEMD5=no
Whether or not MD5-based hashing should be used when setting passwords.
If not set, authconfig examines the settings in /etc/pam.d/system-auth.
This option affects authentication using both local files and
LDAP.
USESHADOW=no
Whether or not shadow passwords are in use. If not set, authconfig
checks for the existence of /etc/shadow.
USESMBAUTH=no
Whether or not SMB authentication is in use. If not set, authconfig
examines the settings in /etc/pam.d/system-auth.
/etc/sysconfig/autofsck
does not normally exist; if it does, it can influence a choice
whether or not to fsck after a crash
AUTOFSCK_TIMEOUT=5
Number of seconds to wait for console user to make a choice
AUTOFSCK_DEF_CHECK=no
If the user does not respond, choose whether or not to fsck
/etc/sysconfig/clock:
UTC=true indicates that the clock is set to UTC; anything
else indicates that it is set to local time
ARC=true on alpha only indicates the ARC console's
42-year time offset is in effect; otherwise the normal
Unix epoch is assumed
ZONE="filename" indicates the zone file under /usr/share/zoneinfo
that /etc/localtime is a copy of, for example:
ZONE="US/Eastern"
/etc/sysconfig/desktop:
DESKTOP=GNOME|KDE|AnotherLevel
This determines the display manager started by /etc/X11/prefdm
/etc/sysconfig/init:
BOOTUP=<some boot up mode>
BOOTUP=color means new (as of RH6.0) boot display.
BOOTUP=verbose means old style display
Anything else means new display, but without ANSI-formatting
LOGLEVEL=<a number>
Sets the initial console logging level for the kernel.
The default is 7. 8 means everything (including debugging);
1 means nothing except kernel panics. syslogd will override
this once it starts.
RES_COL=<a number>
Column of the screen to start status labels at. Defaults to 60
MOVE_TO_COL=<a command>
A command to move the cursor to $RES_COL. Defaults to nasty
ANSI sequences output by echo -e.
SETCOLOR_SUCCESS=<a command>
A command to set the color to a color indicating success.
Defaults to nasty ANSI sequences output by echo -e setting
the color to green.
SETCOLOR_FAILURE=<a command>
A command to set the color to a color indicating failure.
Defaults to nasty ANSI sequences output by echo -e setting
the color to red.
SETCOLOR_WARNING=<a command>
A command to set the color to a color indicating warning.
Defaults to nasty ANSI sequences output by echo -e setting
the color to yellow.
SETCOLOR_NORMAL=<a command>
A command to set the color to 'normal'. Defaults to nasty
ANSI sequences output by echo -e.
PROMPT=yes|no
Set to 'no' to disable the key check for interactive mode.
/etc/sysconfig/keyboard:
KEYTABLE=<keytable file>
for example: KEYTABLE="/usr/lib/kbd/keytables/us.map"
If you dump a keymap (using 'dumpkeys') to
/etc/sysconfig/console/default.kmap
it will be loaded on bootup before file systems are
mounted/checked.
This could be useful if you need to emergency type the root
password.
This has to be a dumped keymap, as opposed to copying the shipped
keymap files, as the shipped files include other maps from the
/usr/lib/kbd/keytables directory.
KEYBOARDTYPE=sun|pc
on SPARC only, sun means a sun keyboard is attached on /dev/kbd,
pc means a PS/2 keyboard is on ps/2 port.
/etc/sysconfig/mouse:
MOUSETYPE=microsoft|mouseman|mousesystems|ps/2|msbm|logibm|atibm|
logitech|mmseries|mmhittab
XEMU3=yes|no (emulate three buttons with two buttons whenever
necessary, most notably in X)
DEVICE=<a device node> (the device of the mouse)
In addition, /dev/mouse points to the mouse device.
/etc/sysconfig/network:
NETWORKING=yes|no
HOSTNAME=<fqdn by default, but whatever hostname you want>
GATEWAY=<gateway IP>
GATEWAYDEV=<gateway device> (e.g. eth0)
NISDOMAIN=<nis domain name>
IPX=yes|no
IPXAUTOPRIMARY=on|off (note, that MUST be on|off, not yes|no)
IPXAUTOFRAME=on|off (again, not yes|no)
IPXINTERNALNETNUM=<netnum>
IPXINTERNALNODENUM=<nodenum>
NETWORKING_IPV6=yes|no
Enable or disable global IPv6 initialization
IPV6FORWARDING=yes|no
Enable or disable global forwarding of incoming IPv6 packets
on all interfaces.
Note: Actual packet forwarding cannot be controlled per-device.
IPV6INIT=yes|no
Enable or disable IPv6 configuration for all interfaces.
Use with caution!
IPV6_AUTOCONF=yes|no
Sets the default for device-based autoconfiguration.
Default: yes if IPV6FORWARDING=no, no if IPV6FORWARDING=yes
IPV6_ROUTER=yes|no
Sets the default for device-based Host/Router behaviour.
Default: yes if IPV6FORWARDING=yes, no if IPV6FORWARDING=no
IPV6_AUTOTUNNEL=yes|no
Controls automatic IPv6 tunneling.
IPV6_TUNNELMODE=IP|NBMA [OPTIONAL: IP by default]
Mode of tunnel setup
IP: separate tunnel device mode (now recommended)
NBMA: NBMA-styled tunnel mode (now mostly obsolete)
All IPv6 options can be overridden in interface-specific
configuration.
All the IPX stuff is optional, and should default to off.
/etc/sysconfig/static-routes:
Contains lines of the form:
<device> host|net <arguments to route command>
<device> may be a device name to have the route brought up and
down with the device, or "any" to have the correct devices calculated
at run time.
For example:
eth0 host 192.168.2.2 eth0
adds a host route through eth0 to 192.168.2.2, while
any net 192.168.2.0 netmask 255.255.255.0 ppp0
adds a network route to the 192.168.2.0 network through ppp0.
/etc/sysconfig/static-routes-ipv6:
Contains lines of the form:
<device> ipv6network ipv6gateway
<tunneldevice> ipv6network
<device> must be a device name to have the route brought up and
down with the device
For example:
eth0 fec0:0:0:2::/64 fec0:0:0:1:0:0:0:20
adds a route for IPv6 network fec0:0:0:2::/64 through
fec0:0:0:1:0:0:0:20
eth0 2000::/3 3ffe:400:100:f101::1
eth0 3ffe::/16 3ffe:400:100:f101::1
so-called "default" route for clients
sit1 2000::/3
sit1 3ffe::/16
adds routes through virtual tunnel sit1
/etc/sysconfig/routed:
SILENT=yes|no
EXPORT_GATEWAY=yes|no
/etc/sysconfig/rawdevices:
This is used for setting up raw device to block device mappings.
It has the format:
<rawdev> <major> <minor>
<rawdev> <blockdev>
For example:
/dev/raw/raw1 /dev/sda1
/dev/raw/raw2 8 5
/etc/sysconfig/pcmcia:
PCMCIA=yes|no
PCIC=i82365|tcic
PCIC_OPTS=<socket driver (i82365 or tcic) timing parameters>
CORE_OPTS=<pcmcia_core options>
CARDMGR_OPTS=<cardmgr options>
/etc/sysconfig/amd:
ADIR=/.automount (normally never changed)
MOUNTPTS='/net /etc/amd.conf' (standard automount stuff)
AMDOPTS= (extra options for AMD)
/etc/sysconfig/tape:
DEV=/dev/nst0
Tape device. Use the non-rewinding one for these scripts.
For SCSI tapes this is /dev/nst#, where # is the number of the
tape drive you want to use. If you only have one then use
nst0.
For IDE tapes you use /dev/ht#, where # is the number of the tape
drive you want to use (usually ht0).
For floppy tape drives use /dev/ftape.
ADMIN=root
Person to mail to if the backup fails for any reason
SLEEP=5
Time to sleep between tape operations. Some drives need a bit
more than others, but 5 seems to work for 8mm, 4mm, and DLT
BLOCKSIZE=32768
This worked fine for 8mm, then 4mm, and now DLT. An optimal
setting is probably however much data your drive writes at one
time.
SHORTDATE=$(date +%y:%m:%d:%H:%M)
A short date string, used in backup log filenames.
DAY=$(date +log-%y:%m:%d)
This is used for the log file directory.
DATE=$(date)
Regular date string, used in log files.
LOGROOT=/var/log/backup
Root of the logging directory
LIST=$LOGROOT/incremental-list
This is the file name the incremental backup will use to store
the incremental list. It will be $LIST-{some number}.
DOTCOUNT=$LOGROOT/.count
For counting as you go to know which incremental list to use
COUNTER=$LOGROOT/counter-file
For rewinding when done...might not use.
BACKUPTAB=/etc/backuptab
The file in which we keep our list of backup(s) we want to make.
/etc/sysconfig/sendmail:
DAEMON=yes|no
yes implies -bd (i.e., listen on port 25 for new mail)
QUEUE=1h
given to sendmail as -q$QUEUE
-q option is not given to sendmail if /etc/sysconfig/sendmail
exists and QUEUE is empty or undefined.
/etc/sysconfig/i18n
LANG= set locale for all categories, can be any two letter ISO
language code
LC_CTYPE= localedata configuration for classification and conversion
of characters
LC_COLLATE= localedata configuration for collation (sort order) of
strings
LC_MESSAGES= localedata configuration for translation of yes and no
messages
LC_NUMERIC= localedata configuration for non-monetary numeric data
LC_MONETARY= localedata configuration for monetary data
LC_TIME= localedata configuration for date and time
LC_ALL= localedata configuration overriding all of the above
LANGUAGE= can be a : separated list of ISO language codes
LINGUAS= can be a ' ' separated list of ISO language codes
The above variables are used in /etc/profile.d/lang.sh.
SYSFONT= any font that is legal when used as
/usr/bin/consolechars -f $SYSFONT ...
(See console-tools package for consolechars command)
UNIMAP= any SFM (screen font map, formerly called Unicode mapping
table - see consolechars(8))
/usr/bin/consolechars -f $SYSFONT --sfm $UNIMAP
SYSFONTACM= any ACM (application charset map - see consolechars(8))
/usr/bin/consolechars -f $SYSFONT --acm $SYSFONTACM
The above is used by the /sbin/setsysfont command (which is run
by rc.sysinit at boot time.)
/etc/sysconfig/harddisks
/etc/sysconfig/harddiskhd[a-h] (for specific devices)
These options are used to tune (E)IDE hard drives -
read the hdparm man page for more information
USE_DMA=1
Set this to 1 to enable DMA. This might cause some
data corruption on certain chipset / hard drive
combinations. USE WITH CAUTION AND BACKUP.
This is used with the "-d" option
MULTIPLE_IO=16
Multiple sector I/O. a feature of most modern IDE hard drives,
permitting the transfer of multiple sectors per I/O interrupt,
rather than the usual one sector per interrupt. When this feature
is enabled, it typically reduces operating system overhead for disk
I/O by 30-50%. On many systems, it also provides increased data
throughput of anywhere from 5% to 50%. Some drives, however (most
notably the WD Caviar series), seem to run slower with multiple mode
enabled. Under rare circumstances, such failures can result in
massive filesystem corruption. USE WITH CAUTION AND BACKUP.
This is the sector count for multiple sector I/O - the "-m" option
EIDE_32BIT=3
(E)IDE 32-bit I/O support (to interface card). USE WITH CAUTION.
LOOKAHEAD=1
Enable drive read-lookahead (safe)
EXTRA_PARAMS=<anything>
Add any extra parameters you want to pass to hdparm here.
/etc/sysconfig/network-scripts/ifup:
/etc/sysconfig/network-scripts/ifdown:
Symlinks to /sbin/ifup and /sbin/ifdown, respectively.
These are the only two scripts "in" this directory that should
be called directly; these two scripts call all the other
scripts as needed. These symlinks are here for legacy purposes
only -- they'll probably be removed in future versions, so
only /sbin/ifup and /sbin/ifdown should currently be used.
These scripts take one argument normally: the name of the device
(e.g. eth0). They are called with a second argument of "boot"
during the boot sequence so that devices that are not meant to
be brought up on boot (ONBOOT=no, see below) can be ignored at
that time.
/etc/sysconfig/network-scripts/init.ipv6-global:
Not really a public file. Contains different basic settings that
are set from /etc/rc.d/init.d/network at different stages of
network initialization.
/etc/sysconfig/network-scripts/network-functions:
Not really a public file. Contains functions which the scripts use
for bringing interfaces up and down. In particular, it contains
most of the code for handling alternative interface configurations
and interface change notification through netreport.
/etc/sysconfig/network-scripts/network-functions-ipv6:
Not really a public file. Contains functions which the scripts use
for bringing IPv6 on interfaces up and down, like addresses, routes,
forwarding handling and static or automatic tunneling.
/etc/sysconfig/network-scripts/ifcfg-<interface-name> and
/etc/sysconfig/network-scripts/ifcfg-<interface-name>:<alias-name>:
The first defines an interface, and the second contains
only the parts of the definition that are different in a
"alias" (or alternative) interface. For example, the
network numbers might be different, but everything else
might be the same, so only the network numbers would be
in the alias file, but all the device information would
be in the base ifcfg file.
The items that can be defined in an ifcfg file depend on the
interface type. The really obvious ones I'm not going to
bother to define; you can figure out what "IPADDR" is, I
think... :-)
Base items:
NAME=<friendly name for users to see>
Most important for PPP. Only used in front ends.
DEVICE=<name of physical device (except dynamically-allocated PPP
devices where it is the "logical name")>
IPADDR=
NETMASK=
GATEWAY=
ONBOOT=yes|no
USERCTL=yes|no
BOOTPROTO=none|bootp|dhcp
MTU=
PEERDNS=yes|no
modify /etc/resolv.conf if peer uses msdns extension (PPP only) or
DNS{1,2} are set, or if using pump or dhcpcd. default to "yes".
DNS{1,2}=<ipaddress>
provide DNS addresses that are dropped into the resolv.conf
file if PEERDNS is not set to "no".
FIREWALL_MODS=yes|no
modify firewall to attempt to allow DNS through. Defaults to
'yes'.
If BOOTPROTO is not "none", then the only other item that
must be set is the DEVICE item; all the rest will be determined
by the boot protocol. No "dummy" entries need to be created.
Base items being deprecated:
NETWORK=<will be calculated automatically with ifcalc>
BROADCAST=<will be calculated automatically with ifcalc>
IPv6-only items for real interfaces:
IPV6INIT=yes|no
Enable or disable IPv6 configuration for this interface
IPV6FORWARDING=yes|no
Enable or disable global forwarding of incoming IPv6 packets
Note! Obsolete in interface specification.
IPV6ADDR=<ipv6address>/<prefixlength>
specify primary static IPv6 address here
Example:
IPV6ADDR="3ffe:400:100:f101::1/64"
IPV6ADDR_SECONDARIES=<list of ipv6 addresses>
a list of secondary IPv6 addresses (perhaps useful for virtual
hosting)
Example:
IPV6ADDR_SECONDARIES="3ffe:400:100:f101::10/64
3ffe:400:100:f101::11/64"
IPV6_MTU="<MTU of link>" [optional]
Note: Must be greater or equal to 1280.
Optional, dedicated MTU of this link
Example:
IPV6_MTU="1280"
Special configuration options for multi-homed hosts etc.
IPV6_ROUTER=yes|no: controls IPv6 autoconfiguration
IPV6_AUTOCONF=yes|no: controls IPv6 autoconfiguration
defaults:
global IPV6FORWARDING=yes: IPV6_AUTOCONF=no, IPV6_ROUTER=yes
global IPV6FORWARDING=no: IPV6_AUTOCONF=yes
Optional settings for a 6to4 tunnel
IPV6TO4INIT=yes|no
Enable or disable 6to4 tunneling setup
IPV6TO4_RELAY=<ipv4address>
IPv4 address of the remote 6to4 relay
IPV6TO4_IPV4ADDR=<ipv6address> [OPTIONAL]
overwrite local IPv4 address which is accessible from the Internet
(optional, in case of NAT or other special scenarios)
IPV6TO4_ROUTING=<LAN-routing-setup-tokens> [OPTIONAL]
a list of routing tokens to setup proper IPv6 routes on the LAN
Example:
IPV6TO4_ROUTING="eth0-:f101::0/64 eth1-:f102::0/64"
Will create one route per eth0 and eth1, taking given SLA
IPV6TO4_CONTROL_RADVD=yes|no [OPTIONAL]
Enable signalling radvd that the 6to4 prefix has been changed
IPV6TO4_RADVD_PIDFILE=<path-to-pid-file> [OPTIONAL]
location of PID file to get PID for sending signal
default is "/var/run/radvd/radvd.pid"
Example:
IPV6TO4_RADVD_PIDFILE="/some/other/location/radvd.pid"
IPv6-only items for automatic tunnel interface:
Virtual interface name: sit0
IPV6INIT=yes|no
Enable or disable IPv6 configuration for this interface
Obsolete now, see IPV6_AUTOTUNNEL in /etc/sysconfig/network
IPv6-only items for static unnumbered tunnel interface:
Virtual interface name: sit1..
IPV6INIT=yes|no
Enable or disable IPv6 configuration for this interface
IPV6TUNNELIPV4=<ipv4 address of foreign tunnel endpoint>
specify IPv4 address of a foreign IPv6-in-IPv4 tunnel endpoint
Example:
IPV6TUNNELIPV4="195.226.187.50"
IPV6ADDR=<ipv6address>/<prefixlength> [OPTIONAL]
local IPv6 address of a numbered tunnel
Ethernet-only items:
{IPXNETNUM,IPXPRIMARY,IPXACTIVE}_{802_2,802_3,ETHERII,SNAP}
configuration matrix for IPX. Only used if IPX is active.
Managed from /etc/sysconfig/network-scripts/ifup-ipx
ARP=yes|no (adds 'arp' flag to ifconfig, for use with the
ethertap device)
Deprecated:
PROMISC=yes|no (enable or disable promiscuous mode)
ALLMULTI=yes|no (enable or disable all-multicast mode)
To properly set these, use the packet socket interface.
PPP/SLIP items:
PERSIST=yes|no
MODEMPORT=<device, say /dev/modem>
LINESPEED=<speed, say 115200>
DEFABORT=yes|no (tells netcfg whether or not to put default
abort strings in when creating/editing the chat script and/or
dip script for this interface)
(meaningless with WVDIALSECT)
PPP-specific items
WVDIALSECT=<list of sections from wvdial.conf to use>
If this variable is set, then the chat script (if it
exists) is ignored, and wvdial is used to open the
PPP connection.
DEFROUTE=yes|no (set this interface as default route? yes is
default)
DEBUG=yes|no (defaults to yes)
turns on/off pppd and chat (if used) debugging.
ESCAPECHARS=yes|no (simplified interface here doesn't let people
specify which characters to escape; almost everyone can use
asyncmap 00000000 anyway, and they can set PPPOPTIONS to
asyncmap foobar if they want to set options perfectly)
HARDFLOWCTL=yes|no (yes implies "modem crtscts" options)
PPPOPTIONS=<arbitrary option string; is placed last on the
command line, so it can override other options like asyncmap
that were specified differently>
PAPNAME=<"name $PAPNAME" on pppd command line> (note that
the "remotename" option is always specified as the logical
ppp device name, like "ppp0" (which might perhaps be the
physical device ppp1 if some other ppp device was brought
up earlier...), which makes it easy to manage pap/chap
files -- name/password pairs are associated with the
logical ppp device name so that they can be managed
together.
REMIP=<remote ip address, normally unspecified>
MTU=
MRU=
DISCONNECTTIMEOUT=<number of seconds, default currently 5>
(time to wait before re-establishing the connection after
a successfully-connected session terminates before attempting
to establish a new connection.)
RETRYTIMEOUT=<number of seconds, default currently 60>
(time to wait before re-attempting to establish a connection
after a previous attempt fails.)
RETRYCONNECT=yes|no (defaults to yes)
If this is yes, then we will re-run pppd if it exits with a
"connect script failed" status. Otherwise, only one attempt
is made to bring up the connection. Note that some connect
scripts (for example, wvdial) might do their own retries (such
as BUSY or NO DIALTONE conditions).
MAXFAIL=<number>
If this is set, this will cause ppp-watch to exit after
the specified number of attempts.
DEMAND=yes|no
Switches on demand-dialing mode using pppd's "demand" option.
IDLETIMEOUT=600
The amount of time the link needs to be inactive before pppd will
bring it down automatically.
BOOTTIMEOUT=30
The amount of time to wait at boot before giving up on the
connection.
IPPP-specific items (ISDN)
PROVIDER=<ProviderName>
USER=<Login>
PASSWORD=<Password>
ENCAP=[syncppp|]
DIALMODE=[manual|auto]
SECURE=off|on
MSN=<>
PHONE_IN=<Callback.Number>
AREACODE=<>
REGIONCODE=<>
PHONE_OUT=<PhoneNumber>
BUNDLING=off|on
HUPTIMEOUT=<number>
DNS1=<PrimaryDNS>
DNS2=<SecondaryDNS>
DOMAIN=""
LAYER=[HDLC|]
CALLBACK=off|on
CHARGEHUP=<number>
CHARGEINT=<number>
CBHUP=<number>
CBDELAY=<number>
DIALMAX=<number>
AUTH=[+pap] [-chap]
IHUP=<>
DELDEFAULTROUTE=[enabled|disabled]
CBCP=off|on
VJ=off|on
VJCCOMP=off|on
AC=off|on
PC=off|on
BSDCOMP=off|on
CCP=off|on
SLAVE_DEVICE=ippp[0-9]
ippp0 items being deprecated:
BOOT=[on|off] will be converted to ONBOOT=[yes|no] by netconf
LOCAL_IP= will be converted to IPADDR by netconf
REMOTE_IP= will be converted to GATEWAY by netconf
/etc/sysconfig/network-scripts/chat-<interface-name>:
chat script for PPP or SLIP connection intended to establish
the connection. For SLIP devices, a DIP script is written
from the chat script; for PPP devices, the chat script is used
directly.
/etc/sysconfig/network-scripts/dip-<interface-name>
A write-only script created from the chat script by netcfg.
Do not modify this. In the future, this file may disappear
by default and created on-the-fly from the chat script if
it does not exist.
/etc/sysconfig/network-scripts/ifup-post
Called when any network device EXCEPT a SLIP device comes
up. Calls /etc/sysconfig/network-scripts/ifup-routes to
bring up static routes that depend on that device. Calls
/etc/sysconfig/network-scripts/ifup-aliases to bring up
aliases for that device. Sets the hostname if it is not
already set and a hostname can be found for the IP for that
device. Sends SIGIO to any programs that have requested
notification of network events.
Could be extended to fix up nameservice configuration, call
arbitrary scripts, etc, as needed.
/etc/sysconfig/network-scripts/ifup-routes
Set up static routes for a device.
/etc/sysconfig/network-scripts/ifup-aliases
Bring up aliases for a device.
/etc/sysconfig/network-scripts/ifdhcpc-done
Called by dhcpcd once dhcp configuration is complete; sets
up /etc/resolv.conf from the version dhcpcd dropped in
/etc/dhcpc/resolv.conf
.." 9ile Syste& *d&inistration
1. $onitor (sa%e
o d; % Re0ort )isk #sa$e 6& file s&stem.
o df -k # Show disk usage by file system in KB
o df -h # Show disk usage by file system in the largest
unit possible
o
o du % Re0ort )isk #sa$e.
o du /etc # Report the number of KB use in /etc and all
of it's subdirectories by file
o du -s /etc # Report the total number of KB used in /etc
and all of it's subdirectories
o du /etc | sort -n -r # Display disk usage by directory
in /etc and sort from largest to smallest
o du -a /etc | sort -n -r # Same as before, only list each
file and directory in the report
o
2. Cleanup (nused 9iles
tmpwatch % Ran 6& cron )ail& to clean o#t tem0orar& )irectories *e.$. /tmp 8
/var/tmp+. 31e )efa#lt installation )eletes all files ol)er t1an 1/ )a&s.
3. 9ile Syste& Corruption
e2;s#- m#st 6e ran on non%Ho#rnale) file s&stems if t1e& are not #nmo#nte)
cleanl&. 31is fi=es an& meta )ata t1at is not in t1e 0ro0er state.
e2fsck /dev/hda1

B& )efa#ltG t1e s#0er6lock is store) ever& '1,2 6locks. If &o# 1ave a corr#0t
s#0er6lockG t1is .ill ca#se e2fsck to fail #nless &o# s0ecif& an alternate
s#0er6lock to #seE
e2fsck -b 8193 /dev/hda1

4. Cournaled 9ile Syste&s
o >o#rnale) file s&stems .rite critical information a6o#t file s&stem
o0erations to a Ho#rnal 6efore act#all& mo)if&in$ files. In t1e event of an
#nclean s1#t)o.nG t1e file s&stem can 6e recovere) more C#ickl& 6&
rea)in$ t1e Ho#rnal instea) of 0erformin$ fsck.
o 3 >o#rnalin$ O0tions availa6le in e=t3
1. dataDordered % 31is is t1e )efa#lt mo)e. Onl& meta )ata is
Ho#rnale).
2. dataDEournaled % Meta )ata an) )ata are Ho#rnale).
3. dataDwrite<a#- % @ot as $oo) as J)ataKor)ere)JG 6#t allo.s for a
C#icker fsck t1an stan)ar) e=t2.
o (onvertin$ from e=t2 to e=t3
Beca#se of t1eir close relationG it is fairl& sim0le to #0$ra)e from e=t2 to
e=t3E
1. Mo)if& file s&stem t&0e in /etc/fstab
2. (reate t1e Ho#rnalE
3. tune2fs -j /dev/hda1
4.
5. 7erif& t1at e=t2 is eit1er com0ile) into t1e kernel or create an
initial ram)isk so it can 6e loa)e) as a mo)#le at 6oot time.
. 7erif& t1at t1e file s&stems are in)ee) mo#nte) as e=t3 6&
c1eckin$ /proc/mounts.
5. $onitor 2er&issions
o 9ee0 a close .atc1 on S2ID an) S5ID filesE
o find / -perm +6000 # Find all files that
are either setuid or setgid
o find / -perm -2000 -o -perm -4000 # Same thing
o
o :in) files t1at )onIt 1ave an o.ner or a $ro#0E
o find / -nouser -o -nogroup
o
o :in) all files an) )irectories t1at are .orl) .rita6leE
o find / \( -type f -o -type d \) -a -perm -0002
o find / \( -type f -o -type d \) -a -perm -2 # Same
thing as above
o
o :ripwire
1. Provi)es a fin$er0rint from critical files.
2. 3ri0.ire can monitor all of t1e follo.in$E
:ile Si;e
atime *Last Access 3ime+
mtime *Last Mo)ification 3ime+
ctime *3imestam0 on Ino)e+
2ser
5ro#0
Permissions
3. Con;i%uration
<)it twcfg.txt an) twpol.txt in or)er to )efine t1e
0olic& for &o#r s&stem.
R#n /etc/tripwire/twinstall.sh
<=ec#te tripwire --init to create t1e initial )ata6ase
*store) in /var/lib/tripwire/<hostname>.twd+.
3o c1eck t1e s&stem a$ainst t1e )ata6aseG r#n tripwire
--check
3o vie. an inte$rit& c1eck re0ortG r#n twprint -m -r
--twrfile <report_file>
3o #0)ate t1e tri0.ire )ata6ase accor)in$ to t1e 0revio#sl&
ran re0ortG r#n tripwire --update --twrfile
<report_file>
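The find commands and the Tripwire baseline/check cycle above can be combined into one small check. The following is an added example (not from the study guide and not Tripwire's code): it fingerprints every setuid, setgid or world-writable entry under a directory and reports what appeared, vanished or changed between two scans; the temporary tree it builds is constructed for the demonstration.

```python
import os
import stat


def watch_reasons(mode):
    """Return why a mode is worth watching, using the page's find criteria:
    setuid, setgid, or world-writable (for regular files and directories)."""
    reasons = []
    if mode & stat.S_ISUID:
        reasons.append("setuid")
    if mode & stat.S_ISGID:
        reasons.append("setgid")
    if (stat.S_ISREG(mode) or stat.S_ISDIR(mode)) and mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def scan(root):
    """Walk root without following symlinks and fingerprint every entry that
    matches one of the criteria. The fingerprint covers the attributes the
    Tripwire list above names, except atime, which changes on every read."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            reasons = watch_reasons(st.st_mode)
            if reasons:
                found[path] = {
                    "reasons": reasons,
                    "mode": stat.S_IMODE(st.st_mode),
                    "uid": st.st_uid,
                    "gid": st.st_gid,
                    "size": st.st_size,
                    "mtime": int(st.st_mtime),
                    "ctime": int(st.st_ctime),
                }
    return found


def compare(baseline, current):
    """Tripwire-style diff: paths that appeared, vanished, or whose
    fingerprint changed between two scans."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths
                          if baseline[p] != current[p]),
    }


def report(diff):
    """Render a diff as lines for a daily mail, like a --check summary."""
    lines = [f"{kind.upper():8} {path}"
             for kind in ("added", "removed", "changed") for path in diff[kind]]
    return lines or ["no changes"]


if __name__ == "__main__":
    import tempfile
    # Constructed demonstration tree. A real run would scan("/") as root and
    # keep the baseline for the next comparison, as tripwire --init does.
    root = tempfile.mkdtemp()
    helper = os.path.join(root, "suid-helper")
    open(helper, "w").close()
    os.chmod(helper, 0o4755)
    baseline = scan(root)
    os.chmod(helper, 0o755)               # bit removed after the baseline
    print("\n".join(report(compare(baseline, scan(root)))))
```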
9.7 System Logging
klogd handles kernel messages and syslogd handles messages sent from other sources such as system daemons.
1. Configuration
o /etc/syslog.conf - Primary configuration file.
o Standard RH configuration creates these log files:
  1. /var/log/secure - Logs authentication messages (e.g. xinetd services, failed ssh logins).
  2. /var/log/xferlog - Logs FTP transactions.
  3. /var/log/maillog - Logs mail transactions (SMTP, POP3, IMAP, etc.)
  4. /var/log/messages - Logs most other system messages. This information usually includes:
     - Date and time of the message logged.
     - Name of the program or daemon that wrote the message.
     - The action or event that occurred.
     - The name of the host that this occurred on.
o /etc/syslog.conf syntax:
  1. Format
     # There must be at least one TAB separating the two entries below:
     facility.priority    log location
  2. Facilities
     - authpriv - Security & authorization messages
     - cron - clock daemons such as crond and atd
     - daemon - other daemon messages
     - kern - Kernel messages
     - lpr - Printing related messages
     - mail - Mail system messages
     - news - News system messages
     - syslog - Syslog messages
     - user - Generic user level messages
     - local[0-7] - Facilities reserved for local use
  3. Priorities
     - debug - Debugging information
     - info - Informational messages
     - notice - A normal condition occurred that should be noticed
     - warning - Warning messages
     - err - An error occurred
     - crit - A critical error occurred
     - alert - An error occurred that requires immediate attention
     - emerg - Usually indicates a service (or the system) is no longer available
  4. Example Configuration
     mail.info       /var/log/mail   # Log all mail messages of priority info or greater
     daemon.=emerg   /var/log/emerg  # Log all daemon messages with a priority of emergency
     lpr.=!notice    /var/log/lpr    # Log all lpr messages where the priority isn't of notice level
2. Log Rotation
o Log rotation is handled by /usr/sbin/logrotate, which is part of the logrotate package.
o logrotate is executed daily by cron to check if any logs need rotating.
o Basic setup and log rotation of the default system logs are configured in /etc/logrotate.conf.
o Additional, package related, log rotation scripts are placed in /etc/logrotate.d.
3. Logwatch
o Runs daily.
o Primary configuration file is /etc/log.d/conf/logwatch.conf.
o Creates a daily report that is e-mailed to the user specified (root by default).
4. Other System Logging
o /var/run/utmp - This file must always exist. It contains information about currently running processes. Used by many system utilities (e.g. who, w). You can prevent users from viewing who else is on the machine by removing permissions to this file.
o /var/log/wtmp - This file stores information about logins and logouts. It is used by init and login. To view information in this file, use the last command.
5. Process Control
o Nice Value - Affects the priority of a job. Can be altered using the nice/renice commands.
  1. nice - Can be used when launching a process to alter its priority.
  2. renice - Can be used on existing processes to alter their priority.
  3. Examples:
     nice +10 find / -name xyz # Give find command a lower priority than normal
     renice -10 `pidof X` # Give X server a higher priority
o Jobs - Jobs executed at the shell prompt normally run in the foreground. This prevents you from executing other commands from the same shell until the command returns. You can force jobs to run in the background by placing an "&" after the command.
  Background jobs will not be terminated when a user logs out. However, any output from a background process that has not been redirected will be lost.
     tar zxvf linux-2.2.20.tar.gz &
     tar zxvf linux-2.2.20-ow2.tar.gz &
     top
  The two 'tar' commands will execute in the background and 'top' will be executed in the foreground.
  Job Control Commands:
  1. fg - Bring a specified background job into the foreground.
     fg %1 # Bring background job number 1 into the foreground
  2. bg - Start a stopped background job.
     bg %7 # Causes background job number 7 to resume execution
  3. jobs - List background jobs.
  4. kill - You can also use job numbers with the kill command instead of process ids.
     kill %4 # Kill background job number 4
9.8 Creating a Swap File
If you don't have a partition free to allocate additional swap space, you can create a swapfile on an existing file system.
The following example creates and enables a 16 MB swapfile called /var/swapfile:
  dd if=/dev/zero of=/var/swapfile bs=1024 count=16384
  mkswap /var/swapfile
  swapon /var/swapfile
10. Package Management with RPM
10.1 Installation
-i # Install a package.
-U # Upgrade existing package or install if it doesn't
already exist.
-e # Remove a package.
-F # Freshen. Only upgrade package if it's already
installed.
-v # Print verbose information
-h # Use a hash mark (#) to indicate progress
--nodeps # Don't perform a dependency check when installing or
upgrading a package
--replacefiles # Install package even if it overwrites existing files
--replacepkgs # Install package even if it's already installed
--oldpackage # Install package even if it's older than the one
installed
--force # Combination of --replacefiles, --replacepkgs, and
--oldpackage
Examples:
rpm -ivh groff-1.17.1-3.i386.rpm # Install groff from local file system
rpm -Uvh groff-1.17.2-3.i386.rpm # Upgrade groff from local file system
rpm -e groff # Remove groff
# Install groff from anonymous ftp server
rpm -ivh ftp://somehost.com/rpms/groff-1.17.1-3.i386.rpm
# Install groff from non-anonymous ftp server
rpm -ivh ftp://<user>:<password>@somehost.com/rpms/groff-1.17.1-
3.i386.rpm
10.2 Verification
--checksig <package> # Verify md5 and gpg signatures.
-K <package> # Same as --checksig.
--nogpg # Don't verify gpg signature (must be used with
--checksig).
-V <package> # Verify installed files against package info and
report changes.
-Va # Verify all packages
10.3 Query
-q <package> # Returns package version.
-qf <file> # Returns name of package that owns file.
-ql <package> # Returns list of files owned by package.
-qi <package> # Returns package info.
-qpi <package> # Returns info of uninstalled package
-qpl <package> # Returns list of files in an uninstalled package
10.4 Source RPMs
Source RPMs install their contents into /usr/src/redhat. They contain everything necessary to build a binary package from the source (source code, init scripts, config files, man pages, documentation, etc.)
/usr/src/redhat:
SOURCES - Contains source code and patches necessary to build the rpm.
BUILD - A work directory used to build the rpm.
SPECS - Holds the spec files which describe how to build the rpm.
SRPMS - Stores the completed source RPM after it's built.
RPMS - Stores the completed binary RPM after it's built.
10.5 Spec Files
The RPM spec file contains the necessary instructions required to build an RPM. It contains many sections:
Preamble # Contains package information
Prep # Prepares source code for building
(unpacking, patching, etc.)
Build # Steps taken to build source
Install # Commands used to install package
Install & Uninstall Scripts # Scripts that install/uninstall package
from a system
Verify # Extra verification steps to take when
verifying packages
Clean # Cleanup script
File List # List of files in the package
11." uild /ptions
-bp # Only execute prep stage
-bl # verify all files exist
-bc # Execute only the build stage
-bi # Execute only the install section
-bs # Only build SRPM
-ba # Build binary and source RPMs
-bb # Build binary RPM only
11. PCMCIA
11.1 Support
PCMCIA support is currently included in the kernel, but it's better supported by the kernel modules located at http://pcmcia-cs.sourceforge.net
11.2 Device Management
1. cardmgr
o Monitors PCMCIA sockets for card insertion and removal.
o Looks up cards in the database when inserted and loads the appropriate kernel module.
o Can execute preconfigured commands upon insertion or removal.
o Unloads the kernel module upon removal.
2. cardctl
o Monitor and control PCMCIA sockets.
o Non-root users can only view information about sockets.
o Commands:
  1. status - Display socket status.
  2. config - Display socket configuration (includes power settings, IRQs, ioports).
  3. ident - Display card identification.
  4. suspend - Shutdown and disable power for socket.
  5. resume - Restore power to socket and re-configure for use.
  6. reset - Send reset signal to device.
  7. eject - Notifies all drivers that this card will be ejected and then cuts power.
  8. insert - Notify all drivers that a card has just been inserted.
  9. scheme - Display scheme if none is specified, otherwise reconfigure PCMCIA to the new scheme specified.
3. PCMCIA drivers
o Automatically load devices and configure ioports to nonconflicting values.
o Can specify ioports not to use in /etc/pcmcia/config.opts
o Can view loaded cards in /var/lib/pcmcia/stab.
12. RAID
12.1 Overview
Stands for Redundant Array of Inexpensive Disks or Redundant Array of Independent Disks. It uses multiple disks to increase performance and/or reduce the chances of data loss due to hardware failure.
12.2 Supported Versions
1. Striping (RAID 0)
o No redundancy.
o Fastest read/write performance.
o Requires 2 or more disks.
2. Mirroring (RAID 1)
o Requires 2 or more disks.
o Fast read performance.
o Requires 2x actual storage size requirements.
3. Data and Parity Striping (RAID 5)
o Requires 3 or more disks.
o More efficient use of disk space than RAID 1.
12.3 Partition Type
Set partition type to 0xFD for auto detection of RAID devices (use option 't' in fdisk).
12.4 Configuration File (/etc/raidtab)
See the raidtab man page for an example.
Sample file:
### RAID 1
raiddev /dev/md0
raid-level 1 # Mirroring
nr-raid-disks 3 # Number of disks to use
nr-spare-disks 1 # Hot standby in case another fails
persistent-superblock 1 # Required for auto detection
chunk-size 32 # In KB
device /dev/hda3
raid-disk 0
device /dev/hdb3
raid-disk 1
device /dev/hde5
raid-disk 2
device /dev/hdc4
spare-disk 0
### RAID 5
raiddev /dev/md1
raid-level 5 # Data and parity striping
nr-raid-disks 3 # Number of disks to use
nr-spare-disks 1 # Hot standby in case another fails
persistent-superblock 1 # Required for auto detection
chunk-size 32 # In KB
parity-algorithm right-symmetric
device /dev/sda1
raid-disk 0
device /dev/sdb3
raid-disk 1
device /dev/sdc5
raid-disk 2
device /dev/sdd4
spare-disk 0
12.5 Initializing RAID devices
  mkraid /dev/md0
  mkraid /dev/md1
NOTE: mkraid also causes the necessary RAID modules to be loaded by the kernel as if raidstart had been executed.
12.6 Formatting RAID devices
  mke2fs -b 4096 -R stride=8 /dev/md0
  mke2fs -b 4096 -R stride=8 /dev/md1
"-R" is used to set RAID related options for the file system. Stride is the number of blocks per chunk. In the previous examples we are using a 32K chunk size with a 4K block size, so stride has to be 8 (4K * 8 = 32K).
12.7 RAID 5 parity options
Specify the parity algorithm with the "parity-algorithm" option in /etc/raidtab. Possible values are:
1. left-asymmetric
2. right-asymmetric
3. left-symmetric
4. right-symmetric
Left-symmetric offers the maximum performance on typical disks with rotating platters.
12.8 Auto detection of RAID arrays
Requires:
1. Partition type must be set to 0xFD.
2. Auto detection must be turned on in the kernel.
3. Must specify "persistent-superblock 1" in /etc/raidtab
13. Advanced Power Management (APM)
13.1 Overview
1. Monitor and control the system battery on laptops.
2. Can be used on workstations to implement "standby" and "suspend" power modes.
13.2 Viewing power status
1. /proc/apm
2. apm
o With no options, reports power status.
o -s - Put machine in suspend mode.
o -S - Put machine in standby mode.
13.3 Options
Specified in /etc/sysconfig/apmd
14. Kernel
14.1 Types
1. Monolithic
o Drivers compiled into kernel directly.
o Uses more memory because unused drivers take up space.
o Generally slows the system down due to memory usage.
o However, communicates with hardware faster.
2. Modular
o Drivers are compiled as modules.
o Uses less memory since only necessary drivers can be loaded.
o More flexible because more drivers can be compiled as modules.
14.2 Modules
1. Overview
o Auto loaded by kmod (a kernel thread).
o Module options specified in /etc/modules.conf:
  install module <command> # Specify command to use to install modules (default: insmod)
  remove module <command> # Specify command to use to remove modules (default: rmmod)
  alias eth0 tulip # Creates an alias for the tulip module
  options tulip irq=9 # Pass IRQ that device is using to module
  pre-install tulip <command> # Execute <command> before loading the tulip module
  post-install tulip <command> # Execute <command> after loading the tulip module
  pre-remove tulip <command> # Execute <command> before removing the tulip module
  post-remove tulip <command> # Execute <command> after removing the tulip module
2. Dependencies
  depmod -a # Build dependencies for all modules
3. Managing
o Viewing
  lsmod
  cat /proc/modules
o Loading
  modprobe tulip # Load a single module
  modprobe -t net \* # Load all modules in "net" category
  modprobe \* # Load all modules
o Unloading
  modprobe -r 3c503 # Unload 3c503 module
  rmmod -r 3c503 # Unload 3c503 module and all of its dependencies
14.3 Installing From Source
1. Required Packages
o kernel-headers
o kernel-source
o dev86
o make
o glibc-devel
o cpp
o ncurses (For "make menuconfig")
o ncurses-devel (For "make menuconfig")
o binutils
o gcc
NOTE: A working X installation is required if you wish to use "make xconfig".
2. Installation steps
  1. cd /usr/src
  2. bzcat linux-2.4.17.tar.bz | tar xvf -
  3. cd linux
  4. make config | make menuconfig | make xconfig
  5. make dep
  6. make clean
  7. make bzImage
  8. make modules (if modular kernel)
  9. make modules_install (if modular kernel)
  10. cp System.map /boot/System.map-2.4.17
  11. cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.17
  12. cp .config /boot/config-2.4.17
  13. mkinitrd /boot/initrd-<version> <kernel version> # Depending on kernel configuration
  14. Update LILO or GRUB
  15. Reboot into new kernel
3. new-kernel-pkg
New to RH 7.2 is a script called "new-kernel-pkg". This script performs several of the necessary kernel installation steps such as building module dependencies, creating an initial ramdisk, and updating the grub configuration.
For example, to install kernel 2.4.18, build module dependencies, and create an initial ramdisk, execute the following command:
  new-kernel-pkg --install --depmod --mkinitrd 2.4.18
NOTE: If you are using lilo, you will have to manually update its configuration file.
14.4 Installing from RPM
1. Required Packages
o kernel
o kernel-pcmcia-cs (for laptops)
2. Packages that may need to be upgraded
o mkinitrd
o SysVinit
o initscripts
3. Optional Packages
o kernel-headers
o kernel-source
o kernel-doc
o kernel-debug
4. Install Steps
  1. rpm -Uvh mkinitrd-<version>.rpm # If necessary
  2. rpm -Uvh SysVinit-<version>.rpm # If necessary
  3. rpm -Uvh initscripts-<version>.rpm # If necessary
  4. rpm -Uvh kernel-headers-<version>.rpm # Optional
  5. rpm -Uvh kernel-source-<version>.rpm # Optional
  6. rpm -ivh kernel-<version>.rpm --force
  7. rpm -ivh kernel-pcmcia-cs-<version>.rpm --force # For laptops
  8. mkinitrd /boot/initrd-<version> <kernel version> # Depending on kernel configuration
  9. Update LILO or GRUB
  10. Reboot into new kernel
NOTE: It is recommended that you install and not upgrade the kernel and kernel-pcmcia-cs packages. That way if the new kernel doesn't work, you can boot into a previous kernel that does.
14.5 Adding a module to an already compiled kernel
For those times where you need to add a new driver to a modular kernel, you can just compile the needed module and install it without recompiling the entire kernel. Just follow these steps:
cd /usr/src/linux
make config | make menuconfig | make xconfig
(Choose the driver as a module)
make dep
make modules
make modules_install
depmod -a
You should now be able to use the new module.
15. PAM
15.1 Files
1. Configuration files located in /etc/pam.d.
2. Separate configuration file for each service that uses pam.
3. Modules located in /lib/security.
15.2 Module Types
1. auth
Prompts for user identification.
2. account
Account based restrictions (time of day, tty, host, etc.), a.k.a. login restrictions.
3. session
Session oriented limits (file sizes, # of processes, etc.) and tasks performed before/after a user logs in.
4. password
Password management (updating).
15.3 Module Control Flags
1. required
This test must pass in order for the overall check to succeed. The remaining tests are still performed even if this one fails.
2. requisite
This test must pass in order for the overall check to succeed. However, unlike 'required', no other tests are performed if this one fails.
3. sufficient
This test doesn't have to pass for the overall check to succeed. However, if it does pass, it grants immediate access. If it fails, the remaining tests are still performed as with 'required'.
4. optional
This test has no effect on the overall check.
15.4 Custom PAM Example
This example limits who can use SSH based on a list of users.
1. In /etc/pam.d/sshd, add the following line:
   auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/sshd_users
The above will allow a user to login via sshd if they are listed in the /etc/sshd_users file. The options specified have the following meanings:
o onerr=fail - If an error occurs (the file specified isn't found, or an improperly formatted entry is found in the file), fail this test. This will deny the user access via sshd. The other possible option for "onerr" is "succeed".
o item=user - This states that we are testing or verifying the user's login name.
o sense=allow - This means that if the user is found in the file specified, this test succeeds. This will allow the user access if all other PAM tests succeed as well. The other possible option for "sense" is "deny".
o file=/etc/sshd_users - This specifies the file that will contain the list of users (one per line) that are allowed to access sshd.
15.5 Time Based Restrictions
These examples will limit the login times of certain users. See /etc/security/time.conf for more information/examples. In order to place time restrictions on user logins, the following must be placed in /etc/pam.d/login:
   account required /lib/security/pam_time.so
The remaining lines should be placed in /etc/security/time.conf.
1. Only allow user steve to login on weekdays between 7 am and 5 pm.
   login;*;steve;Wd0700-1700
2. Allow users Bilbo & Frodo to login on all days between 8 am and 5 pm except for Sunday.
   login;*;bilbo|frodo;AlSu0800-1700
If a day is specified more than once, it is unset. So in the above example, Sunday is specified twice (Al = All days, Su = Sunday). This causes it to be unset, so this rule applies to all days except Sunday.
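An added evaluator for time.conf rules (not from the study guide or from pam_time itself) that implements the day-toggle rule just described together with the '|', '&' and '!' logic lists of the other fields; the rules and timestamps are constructed. One caveat worth checking against the pam_time(8) manual: there 'Wk' denotes the weekdays (Mo-Fr) and 'Wd' the weekend (Sa, Su), which is why the evaluator lets steve in on a Saturday but not on a Wednesday under the first rule above.

```python
import re
from datetime import datetime

# Day codes as pam_time defines them (0 = Monday ... 6 = Sunday, the same
# numbering as datetime.weekday()). 'Wk' is weekdays, 'Wd' the weekend.
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": {0, 1, 2, 3, 4, 5, 6},
}
TIME_TERM = re.compile(r"^((?:[A-Z][a-z])+)(\d{4})-(\d{4})$")


def parse_time_term(term):
    """'AlSu0800-1700' -> ({0,...,5}, 800, 1700). A day named twice is
    toggled off again, so 'AlSu' is every day except Sunday."""
    m = TIME_TERM.match(term)
    if not m:
        raise ValueError(f"bad time term {term!r}")
    days = set()
    codes = m.group(1)
    for i in range(0, len(codes), 2):
        code = codes[i:i + 2]
        if code not in DAY_CODES:
            raise ValueError(f"unknown day code {code!r} in {term!r}")
        days ^= DAY_CODES[code]                 # toggle each named day
    start, end = int(m.group(2)), int(m.group(3))
    if start > end:
        raise ValueError(f"ranges crossing midnight are not handled: {term!r}")
    return days, start, end


def logic_match(field, test):
    """Evaluate a pam_time logic list: alternatives joined by '|', each a
    '&'-joined list of terms that may carry a '!' prefix; '*' matches all.
    (Assumption of this evaluator: '&' binds tighter than '|'.)"""
    for alternative in field.split("|"):
        satisfied = True
        for term in alternative.split("&"):
            negate = term.startswith("!")
            term = term.lstrip("!")
            if (term == "*" or test(term)) == negate:
                satisfied = False
                break
        if satisfied:
            return True
    return False


def rule_permits(rule, service, tty, user, weekday, hhmm):
    """True if the rule leaves this attempt alone: it either does not apply
    (service, tty or user do not match) or its time list matches."""
    services, ttys, users, times = [f.strip() for f in rule.split(";")]
    applies = (logic_match(services, lambda t: t == service)
               and logic_match(ttys, lambda t: t == tty)
               and logic_match(users, lambda t: t == user))
    if not applies:
        return True

    def in_window(term):
        days, start, end = parse_time_term(term)
        return weekday in days and start <= hhmm < end   # end treated as exclusive
    return logic_match(times, in_window)


def login_allowed(conf_text, service, tty, user, when):
    """Apply every rule in conf_text; the account check is denied as soon as
    an applicable rule's time list does not match."""
    weekday, hhmm = when.weekday(), when.hour * 100 + when.minute
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not rule_permits(line, service, tty, user, weekday, hhmm):
            return False
    return True


# Constructed time.conf holding the page's two rules.
SAMPLE_CONF = """
# services;ttys;users;times
login;*;steve;Wd0700-1700
login;*;bilbo|frodo;AlSu0800-1700
"""

if __name__ == "__main__":
    for user, when in [("steve", datetime(2024, 1, 10, 9, 0)),    # Wednesday
                       ("steve", datetime(2024, 1, 13, 9, 0)),    # Saturday
                       ("bilbo", datetime(2024, 1, 14, 9, 0)),    # Sunday
                       ("frodo", datetime(2024, 1, 8, 7, 30))]:   # Monday, too early
        ok = login_allowed(SAMPLE_CONF, "login", "tty1", user, when)
        print(f"{user:6} {when:%a %H:%M} -> {'allowed' if ok else 'denied'}")
```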
1!." *##ess ased Restri#tions
/etc/security/access.conf can 6e #se) to restrict access 6& terminal or 1ost. 31e
follo.in$ m#st 6e 0lace) in /etc/pam.d/login in or)er for t1ese e=am0les to .orkE
account required /lib/security/pam_access.so
1. Den& steve lo$in access on all terminals e=ce0t for tt&1E
2. -:steve:ALL EXCEPT tty1
3. 2sers in t1e $ro#0 He)i are onl& allo.e) to lo$in from a local terminalE
4. -:jedi:ALL EXCEPT LOCAL
5. Allo. #ser $an)alf to onl& lo$in from a tr#ste) serverE
6. -:gandalf:ALL EXCEPT trusted.somedomain.com
1". Cron ) *t
1".1 /verview
1. (ron 8 at 0rovi)es a .a& to sc1e)#le tasks.
2. 2a#-a%es
o vixie>#ron % Provi)es cron) )aemon an) cronta6 e)itin$ #tilities.
o #ronta<s % Provi)es )efa#lt root cronta6 files.
o at % Provi)es at) )aemon an) comman) line #tilities.
1".2 Cronta< 9iles
2ser or s&stem )efine) files t1at contain a comman) to e=ec#te an) t1e time to e=ec#te it.
(ron) .akes ever& min#te to see if an& cronta6 files 1ave c1an$e) an) re%rea)s t1em if
t1e& 1ave.
1. (ser #ronta<s
o Store) as /var/spool/cron/<user>
o 7ie. .it1E crontab -l
o <)it .it1E crontab -e
o <)it a s0ecific #sers cronta6*root onl&+E crontab -u <user>
2. Syste& #ronta<s
o /etc/crontab
(ronta6 file t1at confi$#res .1en scri0ts in cron.1o#rl&G cron.)ail&G
cron..eekl&G an) cron.mont1l& are e=ec#te).
o /etc/cron.d
31is )irector& contains act#al cronta6 files t1at are confi$#re) H#st like
#ser cronta6 files.
o /etc/cron.hourly
Scri0ts in t1is )irector& are e=ec#te) on t1e first min#te of ever& ne.
1o#r.
o /etc/cron.daily
Scri0ts in t1is )irector& are e=ec#te) at 4E/2 AM ever& )a&.
o /etc/cron.weekly
Scri0ts in t1is )irector& are e=ec#te) at 4E22 AM ever& S#n)a&.
o /etc/cron.monthly
Scri0ts in t1is )irector& are e=ec#te) at 4E42 AM on t1e first )a& of t1e
mont1.
3. Cronta< 9or&at
4. <minute> <hour> <day of month> <month> <day of week> <command to
execute>
7ali) val#esE
Minute - 0-59
Hour - 0-23
Day of Month - 1-31
Month - 1-12 *or*
- Jan, Feb, Apr, etc.
Day of Week - 0-7 (0 or 7 = Sunday) *or*
- Sun, Mon, Tue, Wed, Thu, Fri, Sat
(an s0ecif& comma se0arate lists an) ran$es for eac1 0arameter 6#t onl& in a
n#meric format *e.$. 1%5 is ok for )a& of .eekG 6#t not Mon%:ri+.
# To execute foo every 5 minutes.
0,5,10,15,20,25,30,35,40,45,50,55 * * * * foo
# - OR -
*/5 * * * * foo
# Executes bar during the bottom of every hour
# during working hours on week days.
30 8-5 * * 1-5 bar
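An added parser (not from the study guide or from Vixie cron) for the five time fields, with a check of whether an entry fires at a given time and a search for its next run. It goes slightly beyond the page in applying Vixie cron's rule that when both day fields are restricted, either one matching is enough; schedules and timestamps are constructed.

```python
from datetime import datetime, timedelta

MONTHS = {n: i + 1 for i, n in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"])}
DAYS = {n: i for i, n in enumerate(["sun", "mon", "tue", "wed", "thu", "fri", "sat"])}
# (lowest, highest, name table) for the five time fields, in crontab order
FIELDS = [(0, 59, None), (0, 23, None), (1, 31, None), (1, 12, MONTHS), (0, 7, DAYS)]


def parse_field(spec, low, high, names=None):
    """Expand one crontab field into the set of integers it covers.
    Accepts '*', a value, a list 'a,b,c', a range 'a-b', a step '*/n' or
    'a-b/n', and a name from the table as a single value. A name inside a
    range is rejected, as the page says, and so is a backwards range (8-5)."""
    values = set()
    for item in spec.split(","):
        item, _, step = item.partition("/")
        step = int(step) if step else 1
        if item == "*":
            lo, hi = low, high
        elif "-" in item:
            lo, hi = (int(part) for part in item.split("-", 1))
        elif names and item.lower() in names:
            lo = hi = names[item.lower()]
        else:
            lo = hi = int(item)
        if not (low <= lo <= hi <= high):
            raise ValueError(f"field {spec!r}: {lo}-{hi} is outside {low}-{high}")
        values.update(range(lo, hi + 1, step))
    return values


class CronEntry:
    """One crontab line: five time fields and a command."""

    def __init__(self, line):
        parts = line.split(None, 5)
        if len(parts) < 6:
            raise ValueError(f"expected 5 time fields and a command: {line!r}")
        self.specs, self.command = parts[:5], parts[5]
        self.sets = [parse_field(spec, lo, hi, names)
                     for spec, (lo, hi, names) in zip(self.specs, FIELDS)]
        if 7 in self.sets[4]:                   # 0 and 7 both mean Sunday
            self.sets[4].add(0)

    def fires_at(self, when):
        """Does the entry run at this datetime (seconds ignored)?"""
        minute, hour, dom, month, dow = self.sets
        if when.minute not in minute or when.hour not in hour or when.month not in month:
            return False
        cron_weekday = (when.weekday() + 1) % 7   # datetime Mon=0 -> cron Sun=0
        dom_ok, dow_ok = when.day in dom, cron_weekday in dow
        # Vixie cron rule: when both day fields are restricted (neither starts
        # with '*'), the entry runs when either one matches; otherwise both must.
        if self.specs[2].startswith("*") or self.specs[4].startswith("*"):
            return dom_ok and dow_ok
        return dom_ok or dow_ok


def next_run(entry, start, limit_minutes=60 * 24 * 366):
    """Walk forward minute by minute from start (exclusive) to the next firing."""
    when = start.replace(second=0, microsecond=0)
    for _ in range(limit_minutes):
        when += timedelta(minutes=1)
        if entry.fires_at(when):
            return when
    return None


if __name__ == "__main__":
    # Constructed schedules; the first two are the page's own examples.
    for line in ["*/5 * * * * foo", "30 8-17 * * 1-5 bar", "0 4 1 jan sun baz"]:
        entry = CronEntry(line)
        print(f"{line!r:28} next fires {next_run(entry, datetime(2024, 1, 12, 17, 30))}")
```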
1".3 *t Co<s
1. JatJ Ho6s are confi$#re) from t1e comman) 0rom0t. @o cronta6 st&le files.
2. At #ses t1e e=istin$ environment t1at t1e JatJ comman) .as e=ec#te) in to r#n
t1e s0ecifie) comman)*s+ at t1e in)icate) time. 31is t&0icall& makes at Ho6s
easier4C#icker to set#0 t1an cronta6 Ho6s 6eca#se t1e environment is alrea)&
confi$#re) for t1e Ho6.
3. Exa&ples
4. at 8:00 am March 12 # Execute specified commands at 8:00 am on
March 12th
5. at now +3 hours # Execute specified commands 3 hours from
now
6. at 9:30 pm -f ~/cmds # Execute commands in the ~/cmds file at
9:30 pm
After s0ecif&in$ a timeG t1e #ser is 0rom0te) for t1e comman)s to e=ec#te #nless
t1e J%fJ o0tion is #se) to s0ecif& a file containin$ t1e comman)s to e=ec#te.
". $ana%in% *t Co<s
o at= % List 0en)in$ Ho6s for a #ser.
o atr& % Delete 0en)in$ Ho6s.
o atrm 1 # Remove job number 1 from pending queue
o
o <at#0 % <=ec#te s0ecifie) comman) .1en s&stem loa) levels are lo.
eno#$1 to 0ermit it.
1".4 *##ess Control
1. /etc/cron&allow
If it e=istsG a #ser m#st 6e liste) in t1is file in or)er to #se cronta6.
2. /etc/cron&deny
If it e=istsG a #ser m#st not 6e liste) in t1is file in or)er to #ser cronta6.
3. /etc/at&allow
Same as cron.allowG onl& for JatJ.
4. /etc/at&deny
Same as cron.denyG onl& for JatJ.
1'. Send&ail
1'.1 2a#-a%es
1. send&ail
(ontains t1e act#al 6inaries an) confi$#ration files.
2. send&ail>#;
31is 0acka$e is reC#ire) if &o# ever& .ant to reconfi$#re sen)mail.
3. send&ail>do#
(ontains )oc#mentation a6o#t sen)mail.
<=am0les for t1e vario#s confi$#ration files are 0rovi)e) in
@usr@s0are@do#@send&ail@RE*3$E.#;.
1'.2 Con;i%uration 9iles
1. /etc/sendmail&cf
o Primar& confi$#ration file for sen)mail.
o ItIs recommen)e) t1at &o# )onIt e)it t1is file 6& 1an).
o <)it /etc/mail/sendmail.mc instea) an) re$enerate /etc/sendmail.cf
from it.
o mv /etc/sendmail.cf /etc/sendmail.cf.old
o m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
o
2. /etc/mail/sendmail&mc
o 2se) to $enerate /etc/sendmail.cf *see a6ove+.
o <asier to confi$#re t1an /etc/sendmail.cf
o Defa#lt Re)1at /etc/mail/sendmail.mcE
  divert(-1)
  dnl This is the sendmail macro config file. If you make changes to this file,
  dnl you need the sendmail-cf rpm installed and then have to generate a
  dnl new /etc/sendmail.cf by running the following command:
  dnl
  dnl m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
  dnl
  include(`/usr/share/sendmail-cf/m4/cf.m4')
  VERSIONID(`linux setup for Red Hat Linux')dnl
  OSTYPE(`linux')
  define(`confDEF_USER_ID',``8:12'')dnl
  undefine(`UUCP_RELAY')dnl
  undefine(`BITNET_RELAY')dnl
  define(`confAUTO_REBUILD')dnl
  define(`confTO_CONNECT', `1m')dnl
  define(`confTRY_NULL_MX_LIST',true)dnl
  define(`confDONT_PROBE_INTERFACES',true)dnl
  define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
  define(`ALIAS_FILE', `/etc/aliases')dnl
  dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
  define(`UUCP_MAILER_MAX', `2000000')dnl
  define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
  define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
  define(`confAUTH_OPTIONS', `A')dnl
  dnl TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
  dnl define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
  dnl define(`confTO_QUEUEWARN', `4h')dnl
  dnl define(`confTO_QUEUERETURN', `5d')dnl
  dnl define(`confQUEUE_LA', `12')dnl
  dnl define(`confREFUSE_LA', `18')dnl
  dnl FEATURE(delay_checks)dnl
  FEATURE(`no_default_msa',`dnl')dnl
  FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
  FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
  FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
  FEATURE(redirect)dnl
  FEATURE(always_add_domain)dnl
  FEATURE(use_cw_file)dnl
  FEATURE(use_ct_file)dnl
  FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
  FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
  FEATURE(`blacklist_recipients')dnl
  EXPOSED_USER(`root')dnl
  dnl This changes sendmail to only listen on the loopback device 127.0.0.1
  dnl and not on any other network devices. Comment this out if you want
  dnl to accept email over the network.
  DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
  dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
  dnl a kernel patch
  dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
  dnl We strongly recommend to comment this one out if you want to protect
  dnl yourself from spam. However, the laptop and users on computers that do
  dnl not have 24x7 DNS do need this.
  FEATURE(`accept_unresolvable_domains')dnl
  dnl FEATURE(`relay_based_on_MX')dnl
  MAILER(smtp)dnl
  MAILER(procmail)dnl
  Cwlocalhost.localdomain
o sendmail.mc options (the "#" remarks are annotations, not valid mc syntax; use dnl for comments in the real file):
    define(`confDEF_USER_ID',``8:12'')dnl                 # User (8) and group (12) to run sendmail as
    OSTYPE(`linux')                                        # Imports OS specific information
    undefine(`UUCP_RELAY')dnl                              # Disable UUCP relaying
    undefine(`BITNET_RELAY')dnl                            # Disable bitnet relaying
    define(`confAUTO_REBUILD')dnl                          # Rebuild /etc/aliases.db automatically (deprecated in
                                                           # later sendmail releases; run newaliases instead)
    define(`confTO_CONNECT', `1m')dnl                      # Time limit for establishing an outbound SMTP
                                                           # connection (1 minute)
    define(`confTRY_NULL_MX_LIST',true)dnl                 # If no MX record exists, contact the host directly
    define(`confDONT_PROBE_INTERFACES',true)dnl            # Don't probe the network interfaces at startup to add
                                                           # their addresses and names to the list of local hosts
    define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl  # Location of procmail
    FEATURE(`smrsh',`/usr/sbin/smrsh')dnl                  # Location of the sendmail restricted shell

    ### Enable virtusertable, mailertable, and access and specify their locations:
    ###
    FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
    FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
    FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl

    FEATURE(redirect)dnl                                   # Support "user.REDIRECT" aliases: mail to a moved user
                                                           # is rejected with a 551 reply that names the new address
    FEATURE(always_add_domain)dnl                          # Append the local domain to unqualified addresses in
                                                           # locally delivered e-mail
    FEATURE(use_cw_file)dnl                                # Read the hostnames to treat as local from
                                                           # /etc/mail/local-host-names
    FEATURE(local_procmail)dnl                             # Use procmail as the local MDA

    FEATURE(`blacklist_recipients')dnl                     # Allows e-mail to be blocked based on the recipient
                                                           # (destination) address via the access database
    FEATURE(`accept_unresolvable_domains')dnl              # Accept e-mail even if the sender's domain cannot be
                                                           # resolved in DNS
    FEATURE(`rbl')dnl                                      # Implements Realtime Blackhole List lookups to fight
                                                           # spam (deprecated; newer sendmail uses FEATURE(`dnsbl'))
    FEATURE(`relay_based_on_MX')dnl                        # Automatically allow relaying if this sendmail server is
                                                           # listed as the target domain's MX record. This appears
                                                           # to only work if the hostname is set to the same value
                                                           # as the MX record. Caution: anyone who controls a
                                                           # domain's MX records can then relay through you.
    FEATURE(domaintable)dnl                                # Enable use of domaintable
    FEATURE(mailertable)dnl                                # Enable use of mailertable

    ### The following sets a "smart host" that all of your mail will be relayed through.
    define(`SMART_HOST',`mail.yourdomain.com')dnl

    ### The following line tells sendmail to only listen on the localhost interface.
    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

    ### The following 3 allow a host to masquerade as another host. Useful for hiding
    ### internal machine names from the outside world. Note that any user specified in
    ### an "EXPOSED_USER" (e.g. root), will not have their e-mail address masqueraded.
    MASQUERADE_AS(`yourdomain.net')dnl                     # Domain to use in From: header and envelope addresses
    FEATURE(allmasquerade)dnl                              # Masquerade recipient (To:/Cc:) addresses as well as
                                                           # sender addresses
    FEATURE(masquerade_envelope)dnl                        # Masquerade the envelope address also
3. /etc/aliases (& /etc/aliases.db)
o Contains aliases for e-mail addresses. For example, it allows you to send mail destined for user 'daemon' to 'root'.
o Only local names may be aliased.
o Comments must be on lines of their own (starting with "#"); anything after the colon on an alias line is read as a recipient.
o Example /etc/aliases:
    # Messages sent to user daemon are redirected to root
    daemon: root
    # Messages sent to root are redirected to steve
    root: steve
    # Messages sent to webmaster are redirected to steve, bob and sue
    webmaster: steve bob sue
    # This entry is invalid unless the local host name is foo.com
    # or foo.com is listed in /etc/mail/local-host-names
    steve@foo.com: bob
o After editing /etc/aliases, you must regenerate /etc/aliases.db with the newaliases command.
4. /etc/mail/access (& /etc/mail/access.db)
o Controls which hosts and senders are allowed to connect to, send mail through and relay via sendmail.
o The lookup tries the most specific key first: a full user@domain key, then the domain with leading labels removed one at a time (or an IP address with trailing octets removed one at a time, so "10.22" matches every host in 10.22.0.0/16), and finally a bare user@ key.
o Comments must be on lines of their own; makemap treats everything after the key as the value.
o Example /etc/mail/access:
    # These 3 permit the localhost to relay
    localhost.localdomain   RELAY
    localhost               RELAY
    127.0.0.1               RELAY

    # Reject mail from any host with an IP that starts with 10.22
    10.22                   REJECT
    # Reject mail from user 'nobody' regardless of the domain (with
    # blacklist_recipients, mail addressed to nobody at a local domain is rejected too)
    nobody@                 REJECT
    # Accept mail from foo.com (not for relaying) even if other rules might reject it
    foo.com                 OK
    # Reject all mail from bar.com and send an error message to the sender
    bar.com                 REJECT
    # Like REJECT, except the sender doesn't receive a message
    foobar.com              DISCARD

    # The following sends the specified SMTP reply code back to the sender along
    # with the message specified after it.
    someone.com             550 We don't accept your mail.
o After editing /etc/mail/access, you must regenerate /etc/mail/access.db by going into /etc/mail and typing make (the Makefile runs makemap for each table).
5. /etc/mail/mailertable (& /etc/mail/mailertable.db)
o Useful for overriding DNS or if DNS isn't available.
o Allows you to perform domain translation.
o Can specify the delivery agent.
o Example /etc/mail/mailertable:
    # Forward mail addressed to foo.net to bar.net
    foo.net     smtp:bar.net
    # Forward mail addressed to foobar.net to the host at 192.168.1.20
    # (the square brackets suppress the MX lookup for the target)
    foobar.net  smtp:[192.168.1.20]
o Regenerate /etc/mail/mailertable.db by going to /etc/mail and typing make.
6. /etc/mail/virtusertable (& /etc/mail/virtusertable.db)
o Allows you to map multiple virtual domains and users to other addresses.
o Example /etc/mail/virtusertable:
    # Mail sent to webmaster@foo.com is redirected to local user steve
    webmaster@foo.com    steve
    # Mail sent to postmaster@bar.com is redirected to steve@foo.com
    postmaster@bar.com   steve@foo.com

    # Mail addressed to _any_ user at somedomain.com is redirected to joe@foo.com
    @somedomain.com      joe@foo.com
    # Mail addressed to a user at foobar.com is redirected to the same user
    # at bar.com (%1 is replaced by the original user part)
    @foobar.com          %1@bar.com
o The virtual domains must also be listed in /etc/mail/local-host-names, otherwise sendmail will not accept mail for them.
o Regenerate /etc/mail/virtusertable.db by going to /etc/mail and typing make.
7. /etc/mail/domaintable (& /etc/mail/domaintable.db)
o Allows an old domain to be mapped to a new one.
o Each line holds the old domain name followed by the new one; addresses in the old domain are rewritten to the new domain.
o Regenerate /etc/mail/domaintable.db by going to /etc/mail and typing make.
8. /etc/mail/local-host-names
o This file must contain the sendmail server's machine name and any aliases, i.e. every domain for which mail is to be accepted as local. Sendmail must be restarted after changing this file in order for it to take effect.
o Example:
    foo.com
    bar.com
    foobar.com
Specifies that foo.com, bar.com, and foobar.com are all local domains.
9. /usr/share/sendmail-cf/cf/
Contains various sample configuration files for sendmail.
10. /etc/mail/helpfile
This file contains the help information that is displayed when someone uses the SMTP "HELP" command during an SMTP session.
11. /etc/mail/statistics
Stores statistics about processed mail (read with mailstats).
17.3 A Simple Client Configuration
1. Configures client machines to send mail to a central smart host.
2. Masquerades their mail domain as the mail domain of the smart host.
3. Example:
Host workstation.somedomain.com needs to be able to send mail to the outside world. However, we want mail coming from workstation.somedomain.com to have a from address of user@somedomain.com, not user@workstation.somedomain.com. The central mail hub for somedomain.com is mail.somedomain.com.
Make these changes in /etc/sendmail.cf on workstation.somedomain.com.
o The DR line specifies sendmail's forwarding agent for unqualified domain names (the LOCAL_RELAY). Change it to:
    DRmail.somedomain.com
o The DH line specifies which host all local e-mail traffic should be forwarded to (the MAIL_HUB). Change it to:
    DHmail.somedomain.com
o The DS line specifies the smart relay host (the SMART_HOST). Change it to:
    DSmail.somedomain.com
o The DM line specifies what the client should masquerade as. Change it to:
    DMsomedomain.com
Hand edits to /etc/sendmail.cf are lost the next time it is regenerated from sendmail.mc; the equivalent sendmail.mc settings are define(`LOCAL_RELAY', ...), define(`MAIL_HUB', ...), define(`SMART_HOST', ...) and MASQUERADE_AS(...), as listed in 17.2.
The smart host mail.somedomain.com will also need to be configured to allow relaying from the subnets that the client machines exist on (RELAY entries in /etc/mail/access).
17.4 Debugging Sendmail
1. mail -v [user]
Shows information about message delivery while it's being processed.
2. debug mode
To enable debug mode, run sendmail with the "-d" option and specify a debug # (category and level) after it.
3. Display Queue Contents
Type: mailq or sendmail -bp
4. Running the Queue
Type: sendmail -q
5. Hostname Problems
In order to make sure sendmail is identifying the hostname of your machine correctly, type:
    sendmail -d0 < /dev/null
If sendmail thinks your hostname is localhost, check to see if /etc/hosts is configured correctly: the machine's real hostname belongs on the line for its own IP address, not on the 127.0.0.1 line. Try removing all hostnames except for localhost from the 127.0.0.1 line and try again.
18. Apache
18.1 Defaults
1. Configuration File: /etc/httpd/conf/httpd.conf
2. Server root: /etc/httpd
3. Document root: /var/www/html
4. Logging location: /var/log/httpd
5. User: apache
6. Group: apache
7. Ports: 80 TCP (HTTP) and 443 TCP (HTTPS)
8. Modules stored in /etc/httpd/modules
9. MinSpareServers 5
10. MaxSpareServers 10
11. StartServers 8
12. MaxClients 150
13. MaxRequestsPerChild 1000
14. Default Pages Served
Whenever a URL is requested that ends in a directory and not a file, a default file within the directory will be loaded. The DirectoryIndex directive is used to specify what this default file or files will be.
    DirectoryIndex index.html index.htm index.shtml index.php index.php4 index.php3 index.cgi
With the above configuration, if a user were to request the URL http://www.somedomain.com, Apache would search its document root for the files specified in the DirectoryIndex directive. The files are searched for in the order in which they appear in the directive. So, it first checks to see if a file named index.html exists, then index.htm, then index.shtml and so on.
18.2 Resource Control
1. MinSpareServers
Minimum # of idle server processes that must be available to handle incoming requests.
2. MaxSpareServers
Maximum # of idle server processes that wait for client connections.
3. StartServers
Initial # of servers to start when Apache is started.
4. MaxClients
Maximum # of clients that can be served at once. This effectively limits the maximum number of httpd processes started since it requires 1 process per client.
5. MaxRequestsPerChild
Maximum # of requests to handle per child. After this number is attained, the child is killed and a new child process is spawned to replace it. This is used to help prevent memory leaks from eating up system resources.
18.3 Logging
1. Error Log
Use the ErrorLog directive to specify it. For example:
    ErrorLog /var/log/httpd/error_log
2. Access Log
There is no AccessLog directive. Instead use the CustomLog directive.
    CustomLog /var/log/httpd/access_log combined
"combined" is a previously defined log format (defined with the LogFormat directive). "common" is another previously defined log format that logs less information than "combined" (no Referer or User-Agent fields).
18.4 User Web Space
1. Specify the name of the user web directory with the UserDir directive:
    UserDir public_html
2. The user must create a "public_html" directory in their home directory.
3. Anything placed in the public_html directory can be accessed through the web if permissions allow Apache to access it (the home directory needs execute permission and public_html read and execute permission for the apache user).
4. In order to visit a user's "public_html" directory, specify ~user after the base URL:
    www.somedomain.com/~steve
18.5 Access Restrictions
1. Provides directory and file level access control.
2. Restrictions are recursively applied to directories underneath the directory specified unless overridden.
3. / should be configured to be VERY restrictive. Then, start configuring directories from the document root on down.
4. If "AllowOverride" is specified for a directory in the httpd.conf file, then permissions can be overridden by placing a .htaccess file in the directory. Permissions are then specified in the .htaccess file.
5. AllowOverride Options:
o None
Nothing can be overridden.
o AuthConfig
Allows use of user/group authorization directives (AuthName, AuthUserFile, AuthGroupFile, Require).
o FileInfo
Allows use of directives controlling document types.
o Indexes
Allows use of directives that control directory indexes.
o Limit
Allows directives that control access based on hostname and network (order, allow, deny).
o Options
Allows use of the Options directive (e.g. ExecCGI, Includes) in .htaccess.
6. Access Control Setup
o order
1. allow,deny
allow acls processed before deny acls. Default deny - hosts not explicitly allowed are denied, and a host matching both lists is denied.
2. deny,allow
deny acls processed before allow acls. Default allow - hosts not explicitly denied are allowed, and a host matching both lists is allowed.
3. mutual-failure
All explicitly allowed hosts that are not also denied are allowed.
o allow from
Specifies which hosts should be allowed access.
o deny from
Specifies which hosts should be denied access.
o Examples (Apache does not accept comments on the same line as a directive, so they are on lines of their own here):
    # In this case, no one would be granted access
    # because denys are processed after allows.
    <Directory /var/www/html>
        order allow,deny
        allow from 199.151.220
        deny from All
    </Directory>

    # In this case, only those hosts in the 199.151.220.0/24
    # network will be allowed in.
    <Directory /var/www/html>
        order deny,allow
        allow from 199.151.220
        deny from All
    </Directory>
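The two <Directory> blocks above differ only in the order keyword, yet one locks everybody out and the other admits a single /24. The script below is an added example (not part of the study guide) that evaluates the allow,deny and deny,allow rules from item 6 for a client address, so the outcome of a proposed block can be checked before it goes into httpd.conf. It handles "All" and dotted IP prefixes such as 199.151.220; hostname matching and mutual-failure are not modelled, and the addresses fed to it are constructed.

```sh
#!/bin/sh
# Added example: evaluates Apache 1.3 "order allow,deny" / "order deny,allow"
# semantics for one client address. With allow,deny the allow list is checked
# first, the deny list second, default deny; with deny,allow the deny list is
# checked first, the allow list second, default allow. In both orders the list
# checked second wins for a host that appears in both.

# matches ADDR SPEC -> exit 0 when SPEC ("All" or a dotted IP prefix) covers ADDR
matches() {
    addr=$1; spec=$2
    case "$spec" in
        All|all) return 0 ;;
    esac
    case "$addr" in
        "$spec"|"$spec".*) return 0 ;;   # exact address or prefix on an octet boundary
    esac
    return 1
}

# in_list ADDR "spec1 spec2 ..." -> exit 0 when any spec matches
in_list() {
    addr=$1
    for s in $2; do
        if matches "$addr" "$s"; then return 0; fi
    done
    return 1
}

# decide ORDER "ALLOW SPECS" "DENY SPECS" ADDR -> prints allowed | denied
decide() {
    order=$1; allow=$2; deny=$3; addr=$4
    case "$order" in
        allow,deny)
            verdict=denied                                        # default
            if in_list "$addr" "$allow"; then verdict=allowed; fi
            if in_list "$addr" "$deny";  then verdict=denied;  fi # checked last, wins
            ;;
        deny,allow)
            verdict=allowed                                       # default
            if in_list "$addr" "$deny";  then verdict=denied;  fi
            if in_list "$addr" "$allow"; then verdict=allowed; fi # checked last, wins
            ;;
        *) echo "unknown order: $order" >&2; return 1 ;;
    esac
    echo "$verdict"
}

# The two <Directory> blocks from the text, applied to a host inside and a
# host outside 199.151.220.0/24 (constructed addresses).
for ip in 199.151.220.7 10.0.0.5; do
    echo "order allow,deny  $ip -> $(decide allow,deny '199.151.220' 'All' "$ip")"
    echo "order deny,allow  $ip -> $(decide deny,allow '199.151.220' 'All' "$ip")"
done
```

The prefix match is done on an octet boundary, so a spec of 199.151.22 does not cover 199.151.220.7; Apache's partial-address syntax behaves the same way.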
18.6 Authentication
1. User/password database
o Use the AuthUserFile directive to specify a password file. Can be used in a <Directory> directive or in an .htaccess file (if "AllowOverride AuthConfig" is specified for the directory). Keep the file outside the document root so it cannot be downloaded.
o Create the password file and add user "steve" to it:
    htpasswd -c /var/www/passwd steve
Only use the "-c" option when you create the file. After that, leave it off. Otherwise you will wipe out your existing password file.
2. Authentication Type
Specify an AuthType (Basic or Digest). Basic sends the password base64 encoded, i.e. effectively in clear text, so use it only over SSL.
3. Realm
Specify a realm using AuthName.
4. Authentication Requirements
Specify authentication requirements using require.
5. Example .htaccess file
    AuthName "My Realm"
    AuthType Basic
    AuthUserFile /var/www/passwd
    require valid-user
The above example allows any valid user ("valid-user" must be in all lower case) to access this directory. Valid meaning that the user is defined in /var/www/passwd.
If only certain users are allowed to access this directory, you can specify them instead of "valid-user":
    require user bob sue steve
In this case, only users bob, sue, and steve will be allowed to access this directory.
18.7 CGI
1. Defining a directory for CGI scripts
o ScriptAlias
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/
Don't forget the trailing "/" on both parameters.
This specifies that /var/www/cgi-bin can contain cgi scripts and it can be reached when a user accesses the web address and appends /cgi-bin/ to the base URL. For example:
    http://www.somehost.com/cgi-bin/cgi-test
would cause the cgi script called cgi-test to be executed if it exists in the /var/www/cgi-bin directory. Every file under a ScriptAlias directory is treated as a script.
o ExecCGI
A directory can also be specified as containing cgi scripts by specifying Options ExecCGI within a <Directory> directive or an .htaccess file. ExecCGI only permits execution; the files must still be mapped to the CGI handler (e.g. AddHandler cgi-script .cgi). Anyone who can write to such a directory can run code as the apache user, so avoid enabling it for user web space.
o Sample CGI scripts can be found in /usr/share/doc/apache-X.X.XX/cgi-bin.
18.8 Virtual Hosts
1. IP Based
o Requires the host to have a separate IP for each virtual host.
o Use the <VirtualHost> directive to specify it.
o Must at least specify ServerName.
o Recommend specifying a separate document root, error log, and script alias for each virtual host.
o Example:
    <VirtualHost 192.168.1.10>
        ServerName www.somedomain.com
        ServerAdmin webmaster@somedomain.com
        DocumentRoot /var/www/www.somedomain.com/html
        ScriptAlias /cgi-bin/ /var/www/www.somedomain.com/cgi-bin/
        ErrorLog /var/log/httpd/www.somedomain.com/error_log
        CustomLog /var/log/httpd/www.somedomain.com/access_log combined
        <Directory /var/www/www.somedomain.com/html>
            Options Indexes Includes
            order deny,allow
            Allow from All
        </Directory>
    </VirtualHost>
2. Name Based
o Very similar to IP based.
o Must specify the IP to use for virtual hosting with the NameVirtualHost directive. All further <VirtualHost> directives that reference the IP specified by NameVirtualHost automatically become name based virtual hosts.
o The first virtual host becomes the default host.
o ServerAlias allows you to specify an alternate name for a name based virtual host.
o Example:
    NameVirtualHost 192.168.1.11
    <VirtualHost 192.168.1.11>
        ServerName www.someotherdomain.com
        ServerAlias www1.someotherdomain.com
        ServerAdmin webmaster@someotherdomain.com
        DocumentRoot /var/www/www.someotherdomain.com/html
        ScriptAlias /cgi-bin/ /var/www/www.someotherdomain.com/cgi-bin/
        ErrorLog /var/log/httpd/www.someotherdomain.com/error_log
        CustomLog /var/log/httpd/www.someotherdomain.com/access_log combined
        <Directory /var/www/www.someotherdomain.com/html>
            Options Indexes Includes
            order deny,allow
            Allow from All
        </Directory>
    </VirtualHost>
3. Troubleshooting
o If accessing any of the defined name based virtual hosts always causes the default virtual host to be viewed, verify that the names specified for each virtual host (ServerName) are correct.
o To view the virtual host settings, type:
    httpd -S
18.9 SSL
1. mod_ssl
2. Encryption Configuration
o Certificate stored in /etc/httpd/conf/ssl.crt/server.crt
o Private key stored in /etc/httpd/conf/ssl.key/server.key (keep it readable by root only)
o Certificate/Key Generation
1. Use openssl
2. RH provided Makefile at /usr/share/ssl/certs/Makefile:
    make testcert - Self-signed certificate
    make certreq  - Certificate signing request to get a certificate authority signed certificate.
19. BIND
19.1 Overview
1. BIND 9
2. Resolves hostnames to IP addresses (forward lookup).
3. Resolves IP addresses to hostnames (reverse lookup).
4. Provides e-mail routing information (MX records).
5. Packages
o bind - Primary package. Provides binaries, documentation, configs, etc.
o bind-utils - Tools used to query DNS servers (dig, host, nslookup).
o bindconf - Contains tools to configure a DNS server.
o caching-nameserver - Includes the necessary configuration files to make BIND a caching only nameserver.
Important files provided by caching-nameserver:
    /var/named/localhost.zone    # Forward zone for localhost
    /var/named/named.ca          # "Hints" file. Contains root servers
    /var/named/named.local       # Reverse zone for localhost
o openssl - Needed for some of BIND's security features.
6. Ports
o 53 UDP - DNS queries
o 53 TCP - Zone transfers and DNS queries > 512 bytes.
7. redhat-config-bindconf
GUI configuration utility provided by the bindconf package.
19.2 Configuration Files
1. /etc/named.conf
o Specifies zones, options, and access controls.
o SEMI-COLON placement is critical!
o Sample named.conf:
    options {
        directory "/var/named";                // Working directory of server
        allow-query { any; };                  // Specify which hosts are allowed to query this server
        allow-transfer { 192.168.1.0/24; };    // Specify hosts that are allowed to receive zone
                                               // transfers from this server
        recursion yes;                         // Enable recursive queries
        allow-recursion { 192.168.1.0/24; };   // Specify which hosts can perform recursive queries.
        version "Surely you must be joking";   // Set the version reported when querying
                                               // version.bind in the CHAOS class
    };

    // The following controls who can access this server using rndc.
    // Bind to 127.0.0.1 and allow only localhost access.
    controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
    };

    zone "." IN {                              // Hints file containing root servers
        type hint;
        file "named.ca";
    };

    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };

    zone "xyz.com" IN {                        // Forward lookup zone for xyz.com
        type master;                           // This is a master zone
        file "db.xyz.com";                     // Zone information stored in /var/named/db.xyz.com
        allow-update { none; };
    };

    zone "zyx.com" IN {                        // Forward lookup zone for zyx.com
        type master;                           // This is a master zone
        file "db.zyx.com";                     // Zone information stored in /var/named/db.zyx.com
        allow-update { none; };
    };

    zone "somedomain.com" IN {                 // Forward lookup zone for somedomain.com
        type slave;                            // This is a slave zone
        masters { 192.168.1.50; };             // Required for a slave: where to transfer the zone from
        file "db.somedomain.com";              // Optional for slave zones. If set, a copy of the zone
                                               // information is kept locally on disk under /var/named.
    };

    include "/etc/rndc.key";                   // Private key used for secure remote administration
See the end of the named.conf man page for more configuration examples.
SECURITY NOTE:
If the following options are left unspecified, they default to allowing access from all hosts.
    allow-query
    allow-transfer
    allow-recursion
An unrestricted allow-transfer hands your complete zone to anyone who asks for it, and an unrestricted allow-recursion turns the server into an open resolver that can be abused for cache poisoning and reflection attacks; limit both to your own networks.
2. /etc/nsswitch.conf
o Not part of BIND, but must be set up correctly in order for local processes to use BIND for host resolution.
o Specifies the order in which resources are queried in order to resolve hostnames, IP addresses, etc.
o Partial example:
    hosts:      files dns
    networks:   files
    protocols:  files nisplus
The "hosts" line specifies that we should first check our local files (e.g. /etc/hosts) for hostname resolution before consulting DNS services. The "networks" line states that only our local files (e.g. /etc/networks) should be consulted for network information. The "protocols" line says we should first consult our local files (e.g. /etc/protocols) for protocol information, and then consult nisplus services if it isn't found in our local files.
3. /etc/hosts
o Not part of BIND, but must be set up correctly in order for host resolution to work.
o See host resolution above.
4. /etc/resolv.conf
o Not part of BIND, but must be set up correctly in order for host resolution to work.
o See host resolution above.
19.3 Caching Only Name Servers
1. Not authoritative for any zone.
2. Uses the DNS root servers or another name server known as a forwarder to resolve DNS queries.
3. To create a Forwarding Name Server, put the following line in the "options" section of the /etc/named.conf file:
    forwarders { 192.168.1.20; };
4. If you want BIND to only use its forwarders to resolve hosts and not the root name servers, put the following line in the "options" section of the /etc/named.conf file:
    forward only;
The "forwarders" option specifies which DNS server or DNS servers queries should be forwarded to for resolution. With "forward only", resolution fails when every forwarder is unreachable; the default ("forward first") falls back to the root servers.
19.4 Zones
1. Overview
o Specified in /etc/named.conf.
o No trailing "." on the FQDN in the zone name.
o "IN" after the zone name is optional (see the sample named.conf above for an example).
2. Master Zones
o The DNS server is authoritative for that zone.
o All domains must have one.
o Example:
    zone "somedomain.com" {
        type master;
        file "db.somedomain.com";
        allow-transfer { 192.168.3.4; };
    };
3. Slave Zones
o Provide backup service to "masters".
o Example:
    zone "somedomain.com" {
        type slave;
        masters { 192.168.1.50; };
        file "db.somedomain.com";
    };
o masters - Specifies the DNS server that is the "master" of this domain.
o file - Not required for a slave. If specified, indicates the name of the local file where the zone information is kept.
o When a slave server starts, it checks the serial number for the zone on the master. If it's been updated, the slave performs a zone transfer to get the latest information. If it hasn't, and the slave has the zone on disk (e.g. the file directive was used), it will load the information directly from disk, reducing network traffic.
o Slaves must be given permission to perform zone transfers by the master server. In /etc/named.conf:
    options {
        ...
        allow-transfer { 192.168.1.45; };
        ...
    };
Or you can specify the "allow-transfer" directive on a per zone basis as shown above.
4. Reverse Lookup Zones
o Used to resolve IP to hostname.
o The special domain .in-addr.arpa is used.
o The zone name is created by reversing the octets in the network portion of the IP address and appending .in-addr.arpa to it. For example, to provide reverse lookups for all hosts in the IP range 192.168.1.0/24, use the following zone name:
    1.168.192.in-addr.arpa
o Example:
    zone "1.168.192.in-addr.arpa" {
        type master;
        file "db.1.168.192.in-addr.arpa";
    };

    zone "0.0.127.in-addr.arpa" {      // Loopback zone
        type master;                   // Should NEVER be a slave
        file "db.0.0.127.in-addr.arpa";
    };
5. Root Zone
o Special zone that specifies the root servers.
o Zone type is "hint".
o Example:
    zone "." {
        type hint;
        file "named.ca";               // Contains root DNS servers
    };
o Used when a query isn't resolvable by any of the other configured zones.
o Update the root servers file from ftp://rs.internic.net/domain/named.ca, or ask a root server for the root NS records with dig (with no name argument dig queries "." for NS) and save the output as named.ca:
    dig @<rootserver>
    dig @a.root-servers.net
6. Zone Delegation
o Divides up a larger domain into smaller, more manageable domains.
o For example, support.somedomain.com and development.somedomain.com can be delegated to someone else's control to ease the management of the somedomain.com domain.
o Example. In the zone file for somedomain.com, put the following entries:
    support.somedomain.com.      IN NS ns.support.somedomain.com.
    ns.support                   IN A  192.168.44.10

    development.somedomain.com.  IN NS ns.development.somedomain.com.
    ns.development               IN A  192.168.45.10
o Note the trailing "." on the owner names: without it, development.somedomain.com would have the origin appended and become development.somedomain.com.somedomain.com.
o Both the NS and A records are required in order to delegate a zone whose name server lives inside the delegated zone (as ns.support.somedomain.com does), because the parent cannot otherwise learn its address.
o The A records are known as "glue" records that help queries go from one name server to another.
19.5 Resource Records
1. Format
    [domain/@] [ttl] [class] <type> <rdata> [comment]
o domain/@ - Optional. If left blank, defaults to the same value as the last resource record. @ represents the domain name specified in /etc/named.conf for the zone (or by $ORIGIN). Otherwise, any name specified will have the domain appended to it unless it ends in a ".".
o ttl - Optional. Time-to-Live. Defaults to the value specified by the $TTL directive if left unspecified. Specifies how long the record can be cached.
o class - Optional. If left unspecified, defaults to IN.
o type - Specifies the type of RR.
o rdata - Specifies RR related data.
o comment - Comments about the RR, introduced by ";".
2. Character Restrictions
Hostnames can only consist of A-Z (case insensitive), 0-9, and "-".
3. Start of Authority (SOA)
o Every zone must have one and only one.
o Preamble of the zone file.
o Example:
    @ 1D IN SOA ns root (
                2002011201 ; serial
                3H         ; refresh
                15M        ; retry
                1W         ; expire
                1D )       ; minimum

    @ 1D IN SOA ns.somedomain.com. root.somedomain.com. (
                2002011201 ; serial
                3H         ; refresh
                15M        ; retry
                1W         ; expire
                1D )       ; minimum
Both of the above two sample SOA RRs are identical when the $ORIGIN is somedomain.com. The second name (root.somedomain.com.) is the e-mail address of the person responsible for the zone, root@somedomain.com, written with the "@" replaced by a ".". The name server specified in the SOA record must be a machine with an A record. You cannot use a machine name defined by a CNAME record in the SOA record.
Component Definitions:
1. serial - Used for version control. Every time an update is made to the zone, the serial number must be incremented so the slave servers know there has been an update.
2. refresh - How often the slave servers should check the serial number on the master for changes.
3. retry - Amount of time a slave should wait before attempting another "refresh" after a previous refresh has failed.
4. expire - How long a slave should keep using its copy of the zone without a successful refresh from the master.
5. minimum - How long a server should cache negative hits (e.g. no such domain/host).
Values for the above entries can be specified in seconds (default), minutes (M), hours (H), days (D), and weeks (W). There can't be a space between the number and the unit.
    86400 = 24H = 1D
4. Name Server (NS)
o Every zone must have at least the master name server specified.
o A FQDN must be used for NS resource records.
o Example:
    @               IN NS ns1.somewhere.com.
    somewhere.com.  IN NS ns2.somewhere.com.
                    IN NS ns3.somewhere.com.
All 3 lines refer to the same domain. The @ in the first line refers to the origin (specified by the zone directive in /etc/named.conf). The second line explicitly states the domain (notice the trailing "."). The third line doesn't specify the domain or an @, so it defaults to the domain in the RR above it.
5. Address (A)
o Maps a hostname to an IP address.
o Used by forward lookups.
o Example:
    ns1.somewhere.com.  IN A 192.168.20.10   ; FQDN specified. Notice trailing "."
    ns2                 IN A 192.168.20.11   ; FQDN isn't required. In the last 4 lines,
    ns3                 IN A 192.168.20.12   ; somewhere.com. is appended to ns2, ns3,
    www                 IN A 192.168.20.15   ; www, and mail
    mail                IN A 192.168.20.20
6. Canonical Name (CNAME)
o Provides an "alias" or alternate name for an existing host.
o A CNAME record should never be referred to by another CNAME record, an MX record, or an SOA record.
o Example:
    pop   IN CNAME mail
    imap  IN CNAME mail
In this case, both pop and imap refer to the "mail" address (A) record in the previous example.
7. Pointer (PTR)
o Maps an IP address to a hostname.
o Used in "in-addr.arpa" zones.
o Example (assume a zone of 1.168.192.in-addr.arpa):
    10                           IN PTR ns1.somewhere.com.
    11                           IN PTR ns2.somewhere.com.
    12                           IN PTR ns3.somewhere.com.
    15.1.168.192.in-addr.arpa.   IN PTR www.somewhere.com.
    20                           IN PTR mail.somewhere.com.
Again, if a FQDN isn't specified, the domain is appended to the entry.
8. Mail Exchange (MX)
o Defines a mail exchanger for a zone.
o Requires a priority be specified right after the "MX" but before the hostname. The lower the number, the higher the priority.
o Used by MTAs to deliver mail to the zone.
o Should not be used in reverse lookup zones.
o Example:
    @               IN MX 5  mail.somewhere.com.    ; Highest priority
    somewhere.com.  IN MX 10 mail2.somewhere.com.
                    IN MX 15 mail3.somewhere.com.   ; Lowest priority
9. Host Information (HINFO)
o Provides information about your host.
o Generally not a good idea to give out any host information due to security concerns (it tells an attacker the CPU and OS version to target).
o Should not be used in reverse lookup zones.
o Example:
    mail  IN HINFO i686 Linux-2.4.18
    www   IN HINFO i686 Linux-2.4.17-pre2
19.6 Zone Files
1. Generally located in /var/named.
2. Must begin with a Start Of Authority (SOA) resource record.
3. Contain other resource records.
4. $TTL directive must be specified.
5. Always specify the last "." for a FQDN.
6. Example Forward Zone File:
$TTL 86400
$ORIGIN xyz.com. ; If not specified, it's taken from named.conf

; ns1 is a nameserver for the domain. root is the
; e-mail address of the owner of the domain. The domain
; is appended to each of these values since they don't
; end with a period. (e.g. they become ns1.xyz.com
; and root.xyz.com)
@ 1D IN SOA ns1 root (
2002011901 ; serial
3H ; refresh
15M ; retry
1W ; expire
1D ) ; minimum

; These two lines specify the same domain.
; @ means take it from the $ORIGIN or the zone
; specified in named.conf
@ IN NS ns1.xyz.com.
xyz.com. IN NS ns2.xyz.com.

ns1 IN A 192.168.1.20
ns2 IN A 192.168.1.21

www IN A 192.168.1.22
kashyyyk IN CNAME www
coruscant IN CNAME kashyyyk ; BAD IDEA!! (a CNAME pointing at another CNAME)

www1.xyz.com. IN A 192.168.1.23
endor IN CNAME www1

mail IN A 192.168.1.24
backup-mail IN A 192.168.1.25

@ IN MX 5 mail ; Both lines reference
xyz.com. IN MX 20 backup-mail ; the same domain

support.xyz.com. IN NS ns.support.xyz.com. ; Zone delegation
ns.support IN A 192.168.2.20

development.xyz.com. IN NS ns.development.xyz.com. ; Zone delegation
ns.development.xyz.com. IN A 192.168.3.20
7. Example Reverse Zone File:
$TTL 86400
$ORIGIN 1.168.192.in-addr.arpa.

@ 1D IN SOA ns1.xyz.com. root.xyz.com. (
2002011901 ; serial
3H ; refresh
15M ; retry
1W ; expire
1D ) ; minimum

; These two lines specify the same domain.
; @ means take it from the $ORIGIN or the zone specified in named.conf
@ IN NS ns1.xyz.com.
1.168.192.in-addr.arpa. IN NS ns2.xyz.com.

20 IN PTR ns1.xyz.com. ; Domain appended to 20
21.1.168.192.in-addr.arpa. IN PTR ns2.xyz.com. ; Domain not appended (ends with a ".")

22 IN PTR www.xyz.com.
23.1.168.192.in-addr.arpa. IN PTR www1.xyz.com.

24 IN PTR mail.xyz.com.
25 IN PTR mail-backup.xyz.com.
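The two rules above that bite most often are the trailing "." on a FQDN and CNAMEs that point at other CNAMEs. The following checker, an added example and not part of the guide, reads a zone the way BIND does (appending $ORIGIN to any name without a trailing dot) and flags both mistakes; the zone text inside it is constructed to mirror the forward zone above, with one deliberately unqualified MX target.

```python
"""Zone-file sanity checker (added example, not part of the original guide).

Applies the rules the guide states: names without a trailing "." get
$ORIGIN appended, and CNAMEs pointing at CNAMEs are a bad idea.
"""
import re

# Constructed sample zone modelled on the guide's xyz.com example.
# The last MX line is missing its trailing "." on purpose.
SAMPLE_ZONE = """\
$TTL 86400
$ORIGIN xyz.com.
@ 1D IN SOA ns1 root (
2002011901 ; serial
3H ; refresh
15M ; retry
1W ; expire
1D ) ; minimum
@ IN NS ns1.xyz.com.
ns1 IN A 192.168.1.20
www IN A 192.168.1.22
kashyyyk IN CNAME www
coruscant IN CNAME kashyyyk ; BAD IDEA!!
mail IN A 192.168.1.24
@ IN MX 5 mail
@ IN MX 10 mail2.somewhere.com
"""

TTL_RE = re.compile(r"^\d+[SMHDW]?$", re.IGNORECASE)


def qualify(name, origin):
    """Absolute form of a name: '@' is the origin, and a name without a
    trailing '.' has the origin appended (exactly what BIND does)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, type, rdata, origin) tuples with owner qualified.
    Handles $ORIGIN/$TTL, ';' comments and the SOA's parenthesised span."""
    origin, in_parens, last_owner = "", False, "@"
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if in_parens:                       # still inside SOA "( ... )"
            in_parens = ")" not in line
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        fields = line.split()
        # A line starting with whitespace reuses the previous owner name.
        owner = last_owner if raw[0].isspace() else fields.pop(0)
        last_owner = owner
        if fields and TTL_RE.match(fields[0]):  # optional TTL field
            fields.pop(0)
        if fields and fields[0] == "IN":
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype == "SOA" and "(" in line and ")" not in line:
            in_parens = True
        records.append((qualify(owner, origin), rtype, rdata, origin))
    return records


def check_zone(text):
    """Return a list of human-readable problems found in the zone."""
    records = parse_zone(text)
    cnames = {o: qualify(r[0], org) for o, t, r, org in records if t == "CNAME"}
    problems = []
    for owner, rtype, rdata, origin in records:
        if rtype == "CNAME" and cnames[owner] in cnames:
            problems.append(f"{owner} is a CNAME to a CNAME ({cnames[owner]})")
        if rtype in ("MX", "NS"):
            target = rdata[-1]
            if qualify(target, origin) in cnames:
                problems.append(f"{rtype} for {owner} points at CNAME {target}")
            if "." in target and not target.endswith("."):
                problems.append(
                    f"{rtype} target {target!r} has no trailing '.', "
                    f"it will be read as {qualify(target, origin)}")
    return problems


if __name__ == "__main__":
    for p in check_zone(SAMPLE_ZONE):
        print("WARNING:", p)
```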
20. DHCP
20.1 Overview
1. Provides dynamic configuration and network information to hosts.
o IP address.
o DNS servers.
o Netbios name servers.
o Gateways.
o Domain name.
2. Only one DHCP server per network segment.
3. Uses broadcast packets to retrieve information.
4. Superset of bootp.
5. Can answer requests from bootp clients.
6. Packages
o Server - dhcpd.
o Client - dhcpcd or pump.
7. Ports
o Server - UDP 67 (bootps)
o Client - UDP 68 (bootpc)
20.2 Server Configuration
1. /etc/dhcpd.conf
Don't forget the trailing semi-colons.
Example:
# Global Options (can also be specified for a specific subnet)
option nis-domain "secret_nis_domain"; # Set NIS domain
option domain-name "somedomain.com"; # Domain name assigned to client
option domain-name-servers 192.168.1.20, 192.168.1.21; # DNS servers for domain
option netbios-name-servers 192.168.1.19; # WINS server
# Specifies host that the initial boot file should be loaded from
next-server boot-server;
default-lease-time 600; # Lease time used unless client requests otherwise.
max-lease-time 7200; # Maximum lease time that will be given
# At least one subnet block is required.
# It must correspond with a configured interface.
subnet 192.168.1.0 netmask 255.255.255.0
{
# Definitions in block only apply to this subnet
# Default gateway
option routers 192.168.1.1;
# Range of IPs to use for dynamic configuration
range 192.168.1.100 192.168.1.200;
# Static configuration - The host with the stated MAC address will
# always receive the IP address stated below.
host enterprise
{
hardware ethernet 00:0a:cc:3a:1c:42;
fixed-address 192.168.1.11;
}
}
An example dhcpd.conf file is available at /usr/share/doc/dhcp-2.0p15/dhcpd.conf.sample
2. /var/lib/dhcp/dhcpd.leases
Stores information about leased IP addresses. It must exist in order for dhcpd to start! If it doesn't exist, type:
touch /var/lib/dhcp/dhcpd.leases
20.3 Client Configuration
1. dhcpcd
o Default client.
o Used by "ifup" to configure interface.
o Stores information in /etc/dhcpc.
o Common usage:
/sbin/dhcpcd -n -H eth0

-H = Force dhcpcd to set the hostname of the host to the hostname option supplied by the DHCP server.
-n = If dhcpcd is already running send it an ALRM signal to cause it to attempt to renew its lease.
eth0 = Interface to configure.
2. pump
o Only used if dhcpcd isn't found.
o Used by "ifup" to configure interface.
o Common usage:
/sbin/pump --lookup-hostname -i eth0

--lookup-hostname = Get hostname and domain name from DNS
-i = Specifies interface to configure
21. X Window System
21.1 Pieces
1. X Server
The X-server is responsible for managing resources for X-clients. These resources typically include the screen, keyboard, and mouse. The X server runs on the machine that the user interacts with. It passes user input back to the X-clients and outputs information from the X-clients back to the user via the screen.
2. X Clients
X-clients connect to the X-server in order to use its resources. X-clients can be run locally on the same machine as the X-server or remotely (in which case they connect to the local X-server over the network).
3. X Protocol
X-clients and X-servers communicate using this protocol.
21.2 Configuration Tools
1. Xconfigurator
o TUI based.
o Primary configuration tool used on RH machines.
o Automatically probes video card for necessary configuration information.
o If probe fails, use "SuperProbe" to determine video card.
o Recommended configuration tool.
o Use "--expert" option in order to override probed values.
2. xf86config
o Character based.
o Xconfigurator recommended over this for exam.
3. SuperProbe
o Part of XFree86.
o Can be used to determine video card if Xconfigurator fails.
o May freeze system when probing.
21.3 Configuration Recommendations
1. Choose "No Clockchip Setting"
2. Select multiple video modes in case one doesn't work
3. If your card is unsupported, choose the generic SVGA or VGA support.
21.4 Hardware Support
1. Websites
o RH Hardware Compatibility Lists - http://www.redhat.com/corp/support/hardware/index.shtml
o XFree 3.X - http://www.XFree86.org/cardlist.shtml
o XFree 4.X - http://www.XFree86.org/4.1.0/Status.shtml
o Laptops - http://linux-laptop.net
21.5 Files
1. X Configuration
o Default font path - /usr/X11R6/lib/X11/fonts
o User configuration files
1. ~/.xinitrc - Starts specified xclients in background and then execs a window manager (e.g. exec startkde).
2. ~/.Xclients - execs .Xclients-default. Created by switchdesk.
3. ~/.Xclients-default - Starts desktop environment (e.g. exec startkde or exec wmaker). This is used to override the default desktop environment specified in /etc/sysconfig/desktop. This file is created by switchdesk.
4. ~/.xsession - Used by display managers (e.g. xdm, kdm, gdm).
5. ~/.Xresources -
6. ~/.Xkbmap -
7. ~/.xmodmap -
o System configuration files
1. /etc/X11/<window manager>/ - Window manager specific files.
2. /etc/X11/XF86Config-4 - XFree 4.X primary configuration file.
3. /etc/X11/XF86Config - XFree 3.X primary configuration file.
4. /etc/X11/xinit/xinitrc - Same purpose as .xinitrc in the user's $HOME. Only used if .xinitrc doesn't exist.
5. /etc/X11/xinit/xinitrc.d/ - Contains additional init scripts for X startup. Executed by /etc/X11/xinit/xinitrc
6. /etc/X11/xdm/Xsession - Session configuration. Executed by display manager (e.g. xdm, kdm, gdm).
7. /etc/X11/xdm/xdm-config - Configuration file for xdm.
o /etc/X11/
1. applnk/ - Directory structure for menu items.
2. fs/ - Built-in font server configuration.
3. <window manager>/ - Window manager specific files.
4. gdm/ - Configuration files for gdm display manager.
5. xdm/ - Configuration files for xdm display manager.
6. xinit/ - Configuration files needed for X startup & initialization.
o /usr/X11R6/
1. bin/ - X binaries
2. lib/
modules/ - X server extensions/modules.
xscreensaver/ - Screen saver programs.
X11/fonts/ - Default font path.
X11/app-defaults/ - Application defaults.
X11/locale/ - Locale information.
X11/xkb/ - X related keyboard information.
2. /etc/X11/X
o XFree 4.X
/etc/X11/X is a symlink to /usr/X11R6/bin/XFree86
o XFree 3.X
/etc/X11/X is a symlink to the actual X server.
3. Common X Client Options
-display server:0.0
-geometry 100x100+10+20 # A box 100x100 pixels that is 10 pixels from the left
# and 20 from the top of the screen
-font font name
-background color
-foreground color
-title string
-bordercolor color
-borderwidth pixels
21.6 Window Managers
1. A special type of x-client.
2. Controls how other x-clients appear.
3. Causes all x-clients to display with common features (title bar, minimize & maximize buttons, etc.)
4. Basically controls look & feel of window session.
5. Common Window Managers:
o fvwm - Can be configured to emulate other windowing environments (e.g. Windows 95, Motif).
o WindowMaker - Resembles NEXTSTEP.
o Enlightenment - Previous default window manager for GNOME.
o Sawfish - Current default window manager for GNOME.
6. Configuration files stored in /etc/X11/<window manager>/
21.7 Desktop Environments
1. Provide more features than a window manager.
2. A window manager is one part of the desktop environment.
3. Attempts to create a consistent environment for all applications.
4. Common Desktop Environments:
o KDE - K Desktop Environment (QT based)
o GNOME - GNU Network Object Model Environment (GTK based)
21.8 Display Managers
1. X-client.
2. Handles authentication.
3. Examples: xdm, gdm, kdm.
4. To change, edit /etc/X11/prefdm
21.9 Session Managers
1. Executes display managers:
o xdm - /usr/bin/xsession
o kdm - /usr/bin/kwm
o gdm - /usr/bin/gnome-session
2. Doesn't execute ~/.xinitrc
3. Will execute ~/.xsession if it exists, otherwise ~/.Xclients is executed.
21.10 Starting X
1. startx
o /usr/X11R6/bin/startx
Basic Operation (pseudocode):
if exists (~/.xinitrc)
client = ~/.xinitrc
else
client = /etc/X11/xinit/xinitrc
if exists (~/.xserverrc)
server = ~/.xserverrc
else
server = /etc/X11/xinit/xserverrc
# Authorization setup
xauth add $display_name . $magic_cookie
xinit $client -- $server
# If $server isn't specified, xinit defaults to X:0

o /etc/X11/xinit/xinitrc
Basic Operation (pseudocode):
if exists (/etc/X11/Xresources)
xrdb -merge /etc/X11/Xresources
if exists (~/.Xresources)
xrdb -merge ~/.Xresources

if exists (/etc/X11/Xkbmap)
setxkbmap `cat /etc/X11/Xkbmap`
if exists (~/.Xkbmap)
setxkbmap `cat ~/.Xkbmap`

if exists (/etc/X11/Xmodmap)
xmodmap /etc/X11/Xmodmap
if exists (~/.Xmodmap)
xmodmap ~/.Xmodmap

execute any scripts in /etc/X11/xinit/xinitrc.d/

if exists (~/.Xclients)
exec ~/.Xclients
else if exists (/etc/X11/xinit/Xclients)
exec /etc/X11/xinit/Xclients
else
exec fvwm2

2. xdm (Display Manager)
o /etc/X11/xdm/Xsession
Basic Operation (pseudocode):
execute any scripts in /etc/X11/xinit/xinitrc.d/
if exists (~/.xsession)
exec ~/.xsession
else if exists (~/.Xclients)
exec ~/.Xclients
else if exists (/etc/X11/xinit/Xclients)
exec /etc/X11/xinit/Xclients
else
exec xsm

21.11 Remote Display of X Applications
1. Security
xhost controls access to the local X server. Access information is stored in ~/.Xauthority.
Format of xhost command:
xhost [+|-]name

Where name is in the format of family:name. Family can be one of the following: inet (default), dnet, nis, krb, local.
xhost + # Grant access from everywhere
xhost - # Revoke access from everywhere
xhost +server.domain.com # Grant access from server.domain.com
xhost -server.domain.com # Revoke access from server.domain.com
xhost +local:bob # Allow local user bob access

2. Specifying a different display
Two ways to specify a display:
o Per client:
xterm -display server.domain.com:0.0
o For all clients:
export DISPLAY=server.domain.com:0.0
"DISPLAY" is used by xclients to determine where to send output.
3. Putting it all together
To allow remote.xyz.com to display clients on local.xyz.com, perform the following steps:
o On local.xyz.com:
xhost +remote.xyz.com
o On remote.xyz.com:
export DISPLAY=local.xyz.com:0.0
xterm
4. SSH
If X-Forwarding is enabled, SSH automatically configures everything for you so that you can display X-clients from the remote host on your local host.
21.12 Troubleshooting X
1. Startup Problems
o X starts, but window manager doesn't.
1. Check .xinitrc file to see if the window manager is exec'd at the end.
2. Check to see if window manager files are readable by user.
3. Try renaming user's window manager configuration files and restart X.
o X won't start.
1. Save existing XF86Config file and use Xconfigurator to build a new one.
2. Verify selected video card and its attributes with SuperProbe.
2. Mouse Problems
o Check physical connection.
o Run mouseconfig.
o If it doesn't work in X or gpm, it's probably a problem with the mouse itself.
3. Can't login to Display Manager
o Verify that the user can log in successfully from a virtual terminal.
o Try a different window manager.
o Rename the user's window manager configuration files and try again.
4. Display Alignment is off
o Try adjusting monitor settings.
o Use xvidtune to adjust mode lines in the XF86Config file.
22. FTP
22.1 Packages
1. anonftp
o Not an ftp server.
o Required to setup anonymous ftp.
o Sets up the chroot'd env for anonymous ftp in /var/ftp.
/var/ftp/bin
/var/ftp/etc
/var/ftp/lib
/var/ftp/pub
o Cannot work stand alone, requires wu-ftpd.
2. wu-ftpd
o Actual FTP server software.
o Configuration files.
o xinetd configuration file.
o Documentation.
22.2 Configuration files
1. /etc/ftpaccess
Primary configuration file.
2. /etc/ftpusers
List of users that are not allowed to use ftp. This file is deprecated in RH 7.X. Use deny-uid/deny-gid in /etc/ftpaccess instead.
3. /etc/ftphosts
Access restrictions by user/host. The last rule that matches wins. For example, to deny access to steve from everywhere but 192.168.1.0/24, add the following entries:
deny steve *
allow steve 192.168.1.0/24
4. /etc/ftpconversions
Specify file conversions that are to be performed by the ftp server. It's commonly used to automatically compress and/or decompress files on the fly for transfer.
5. /etc/ftpgroups
FINISH ME
6. /etc/xinetd.d/wu-ftpd
xinetd configuration file for wu-ftpd.
7. /etc/pam.d/ftp
PAM configuration file for ftp.
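The "last rule that matches wins" behaviour of /etc/ftphosts is easy to get backwards: swapping the two lines above would lock steve out everywhere. This small evaluator, an added example and not wu-ftpd's code, applies a ruleset in that order so the effect of a rule ordering can be checked before it is deployed; it assumes an unlisted user is allowed (the `default` parameter) and accepts "*", a CIDR or netmask network, or a hostname glob as the address field.

```python
"""Evaluate /etc/ftphosts rules as the guide describes: the last matching
rule wins. Added example, not part of wu-ftpd or of the original guide."""
import ipaddress
from fnmatch import fnmatch

# Constructed ruleset: the same two lines as the guide's example.
FTPHOSTS = """\
deny steve *
allow steve 192.168.1.0/24
"""

# The same rules in the opposite order, to show why ordering matters.
FTPHOSTS_REVERSED = """\
allow steve 192.168.1.0/24
deny steve *
"""


def _addr_matches(pattern, client):
    """pattern may be '*', a CIDR/netmask network, or a hostname glob."""
    if pattern == "*":
        return True
    try:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client) in net
    except ValueError:          # not an address/network: treat as a glob
        return fnmatch(client, pattern)


def ftphosts_decision(rules_text, user, client, default="allow"):
    """Return 'allow' or 'deny' for user connecting from client.

    Every rule is examined in file order and each matching rule replaces
    the current decision, so the last match wins. `default` (an assumption
    of this example) is the result when no rule names the user."""
    decision = default
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, rule_user, *addrs = line.split()
        if rule_user != user:
            continue
        if any(_addr_matches(a, client) for a in addrs):
            decision = action   # later matches override earlier ones
    return decision


if __name__ == "__main__":
    for src in ("192.168.1.7", "10.0.0.5"):
        print(src, "->", ftphosts_decision(FTPHOSTS, "steve", src),
              "(reversed:", ftphosts_decision(FTPHOSTS_REVERSED, "steve", src) + ")")
```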
22.3 Operation
1. Started by xinetd.
2. Ports: 21 TCP and 20 TCP.
3. Starts as user root, then switches according to login type:
o anonymous: Switches to user ftp.
o user: Switches to the user logging in.
o guest: Switches to the user logging in.
22.4 Types of User Accounts
1. Anonymous
o Easy to setup (Automatically configured when anonftp is installed).
o User uses "anonymous" for login and their e-mail address for a password.
o User is chroot'd to /var/ftp by default.
o Cannot upload files by default.
2. Real
o Also easy to setup. Works by default.
o Users use their system logins and passwords to gain access.
o Start out in the user's home directory.
o User has full access to the system.
o Can upload files to any directory where the unix file permissions permit it.
o Can be dangerous to use.
3. Guest
o Requires setup.
o Users use their system logins and passwords to gain access.
o Users are chroot'd to a directory, typically their home directory.
o User only has access to the directories within the chroot'd environment.
o User can upload files if unix file permissions permit it.
o Much safer to use than "Real" user accounts.
22.5 Setting up Guest Users
In this example, we will configure user steve as a guest user.
1. Put /bin/false in /etc/shells so it's recognized as a valid shell by the ftp server.
2. Change steve's shell to /bin/false. (Use chsh or edit /etc/passwd directly.) This prevents the user from logging in via normal means (telnet, ssh, etc.).
3. Edit /etc/passwd and append "/./" (without quotes) to the end of steve's home directory.
Change:
steve:x:500:500::/home/steve:/bin/false
To:
steve:x:500:500::/home/steve/./:/bin/false
4. Setup the guest user's home directory so it works as a chroot'd env:
cp -a /var/ftp/bin ~steve
cp -a /var/ftp/etc ~steve
cp -a /var/ftp/lib ~steve
chmod 0750 ~steve
Note that anonftp must be installed in order for the above steps to work.
5. Create the guestgroup specified in /etc/ftpaccess (default is ftpchroot) as a system group.
groupadd -r ftpchroot
6. Edit /etc/group and add user steve to the ftpchroot group.
7. Try to ftp to the server as user steve and see if it worked.
22.6 Anonymous Upload
1. Look for "upload" under the "Permission Capabilities" section in the ftpaccess man page for more information.
2. Create and configure the upload directory:
mkdir /var/ftp/incoming
chown root.root /var/ftp/incoming
chmod 3773 /var/ftp/incoming # Set sticky and setgid bits so no one can
# overwrite existing files and all files are
# created with the same group as the directory.
3. Add the following entry to /etc/ftpaccess
upload /var/ftp /incoming yes root root 0400 nodirs
This states that for any user who has a home directory of /var/ftp (e.g. anonymous users), uploads are allowed into the incoming directory, but they may not create directories. Uploaded files are given ownership user root, group root with permissions 0400 so anonymous ftp users can't read them.
22.7 Virtual Hosts
1. Several domains can be hosted by a single ftp server.
2. Requires an IP per domain. Use separate interfaces or IP aliasing (preferred) on a single interface.
3. Configure /etc/ftpaccess
virtual 192.168.1.10 root /var/virtualftp/somedomain.com
virtual 192.168.1.10 banner /var/virtualftp/somedomain.com/banner.msg
virtual 192.168.1.10 logfile /var/log/virtualftp/somedomain.com/xferlog
virtual 192.168.1.10 allow *
Note: The above directories will need to be created if they don't already exist.
The "root" option specifies the root path for the virtual ftp server. The "banner" option specifies the location of the file containing the banner message that is displayed at login. The "logfile" option specifies where transfers should be logged to. The "allow" option allows all users to login to the virtual ftp server. You could also specify specific users to allow.
The above configuration causes anonymous users to be chroot'd to the "root" of the virtual server. Real users are still placed in their home directory at login. It is recommended that guest users be configured for the virtual domain that chroot to the virtual server's "root".
To disable anonymous ftp to the virtual server, specify:
virtual 192.168.1.10 allow private
23. Print Services
23.1 Overview
1. Packages
LPRng is the only package required to actually print. The other packages provide printer drivers and utilities to ease printer configuration.
o LPRng - Provides binaries, configuration files, documentation.
o Omni - Printer drivers.
o Omni-foomatic - Meta information about print drivers.
o printconf - GUI/TUI based printer configuration utility.
o ghostscript - A postscript interpreter.
o ghostscript-fonts - Fonts for ghostscript.
o gv - A user interface to ghostscript.
2. Uses TCP port 515
23.2 Configuration Files
1. /etc/printcap
This file is auto generated by the printconf utilities. Any changes made to this file by hand will be lost. The first printer defined in this file is the default printer.
2. /etc/printcap.local
If you need to make changes to /etc/printcap by hand, put them in here instead. These custom changes will be included in /etc/printcap when it is regenerated.
3. /etc/lpd.conf
Configuration file for the LPRng printer spooler system.
4. /etc/lpd.perms
Permissions control file for the LPRng printer spooler system.
23.3 Utilities
1. printconf-gui/printconf-tui
Primary method of configuring printers.
2. lpc
Used to administer printing services.
o Disable/enable printers.
lpc start bj200 # Start a single printer
lpc stop bj200 # Stop a single printer
lpc start all # Start all printers
o Disable/enable spooling queues.
lpc enable bj200 # Enable print spool for a single printer
lpc disable bj200 # Disable print spool for a single printer
lpc enable all # Enable all print spools
o Modify job priorities.
lpc topq bj200 101 # Move job 101 to the top of the print queue
o View status of printers and queues.
lpc status all # Display the daemon and queue status for all printers
o Hold/release print jobs.
lpc hold bj200 8 # Hold job 8 for printer bj200 from printing
lpc release bj200 8 # Release job 8 for printing on bj200
o Move jobs to another printer.
lpc move bj200 8 hp697c # Move job 8 from bj200 to hp697c
lpc move bj200 hp697c # Move all jobs on bj200 to hp697c
o Redirect jobs to another printer.
lpc redirect bj200 hp697c # Redirect all jobs sent to bj200 to hp697c
lpc redirect bj200 hp697c off # Turn off redirection
o Reprint a job.
lpc redo bj200 7 # Reprint job 7 on printer bj200
3. lpr
Used to send print requests to a printer.
lpr /etc/hosts # Print file to default printer
cat /var/log/messages | lpr -P hp697c # Print standard in to hp697c
4. lpq
Display information about and administer print queues.
lpq # Display queue information for default printer
lpq -Php420 # Display queue information for hp420 printer
5. lprm
Remove print jobs from a print queue.
lprm # Remove last job submitted
lprm -Pbj200 12 # Remove job 12 from print queue bj200
lprm -Pbj200 steve # Remove all of steve's jobs from print queue bj200
lprm -a all # Remove all jobs in all print queues
lprm -a steve # Remove all of steve's print jobs in all print queues
6. checkpc
Checks the /etc/printcap file for problems and verifies devices assigned to printers.
23.4 Remote Printing Requirements
1. Remote LPD
o IP address of remote print server.
o Name of queue on remote print server.
2. Samba
o NetBIOS name or IP address of the Samba server.
o Name of shared print service. This must include the server name (e.g. //server1/bj200ex not bj200ex)
o Print filter for remote printer installed locally.
o User name to connect to the print share with (usually nobody or guest).
o The password for the user if required.
o The workgroup name of the Samba server providing the print service.
3. Novell
o ncpfs package installed.
o server name/ip.
o printer name.
o valid username and password.
24. NFS
24.1 Overview
1. File sharing service.
2. RPC based service, so it requires portmap.
3. Packages:
o nfs-utils
Provides:
1. nfsd - Provides userland portion of NFS service.
2. lockd - NFS lock manager (kernel module)
3. rpciod -
4. rpc.mountd - Provides mounting services.
5. rpc.rquotad - Returns quota information.
6. rpc.statd - Used by lockd to recover locks after a server crash.
o portmap
Provides the portmap program. Portmap maps calls made by other hosts to the correct RPC service. Because portmap is compiled with tcp wrappers support (libwrap), those that need to access portmap must be given access via /etc/hosts.allow and/or /etc/hosts.deny.
4. Ports
o TCP/UDP 111 - portmap
o UDP 2049 - nfsd
o The other NFS related services vary in the port numbers they use. Clients contact portmap to find out the port number the other RPC services use.
5. Required Services
Listed in startup order:
o NFS Server
1. portmap
2. nfs
o NFS Client
1. portmap
2. nfslock
24.2 Configuration
1. /etc/exports
o NFS server configuration file.
o Format:
<directory> <host or network>(options) <host or network>(options) ......
It is critical that there not be any spaces between the host/network and its options.
o Example:
# Allow all hosts in the somewhere.com domain to mount /var/ftp/pub read-only
/var/ftp/pub *.somewhere.com(ro)

# Allow all hosts to mount /var/www/html read-only and allow certain hosts
# to mount it read-write
/var/www/html *(ro) 192.168.1.0/255.255.255.0(rw) 192.168.2.10(rw)

# Allow certain hosts to mount /usr read-only and another read-write as root
/usr 172.16.0.0/255.255.0.0(ro) 172.16.1.10(rw,no_root_squash)

# Allow access to /usr/local by everyone, but only as the anonymous user
/usr/local *(ro,all_squash,anonuid=100,anongid=100)
o Restrictions
1. Root can't mount an nfs share as root unless no_root_squash is used. Normally when root mounts a share, NFS maps root to the local user nobody.
2. You can't export a directory that is a parent or child of another exported directory within the same file system.
e.g. You can't export both /usr and /usr/local unless /usr/local is a separate file system.
o Common Export Options
no_root_squash - Remote hosts can access local shares as root (Dangerous!)
ro - Read-only
rw - Read/Write
sync - All file system writes must be committed to disk before the request can be completed.
all_squash - All remote users are mapped to a local anonymous user.
anonuid - Specify the uid to use for anonymous access.
anongid - Specify the gid to use for anonymous access.
2. /etc/fstab
o Used for NFS client configuration
o Example:
server:/usr /usr nfs user,soft,intr,rsize=8192,wsize=8192 0 0
o Common NFS related mount options
soft - Processes return with an error on a failed I/O attempt
hard - If a process tries to access an unavailable share, it will hang until data is retrieved.
intr - Allows NFS requests to be interrupted or killed if the server is unreachable
nolock - Disable file locking in order to work with older NFS servers
rsize - Sets the number of bytes NFS reads from a share at one time (default 1024)
wsize - Sets the number of bytes NFS writes to a share at one time (default 1024)
* Setting rsize and wsize to 8192 greatly increases performance.
24.3 Auto Mounting NFS shares
1. Requires the autofs package to be installed.
2. Create an entry in /etc/auto.misc for the NFS share:
ftp -fstype=nfs,intr,soft 192.168.1.20:/var/pub/ftp
If the default autofs setup is used, whenever someone accesses /misc/ftp, the remote NFS share on 192.168.1.20 will be automatically mounted. The options specified in /etc/auto.misc have the same meaning as when they are used in /etc/fstab.
24.4 NFS Utilities
1. exportfs
o Used to maintain the table of exported file systems.
o Example Usage:
exportfs -r # Refresh the share listing after modifying /etc/exports.
# This MUST be done in order for your changes to take effect.
exportfs -v # Display a list of shared directories
exportfs -a # Exports all shares listed in /etc/exports

# To export a filesystem not in /etc/exports
exportfs 192.168.1.0/255.255.255.0:/tmp

# Unexport a filesystem
exportfs -u 192.168.1.0/255.255.255.0:/tmp
2. showmount
o Show mount information for an NFS server.
o Does not require that any local NFS services be running in order to use it.
o Example Usage:
showmount -e 192.168.1.67 # Shows available shares on host 192.168.1.67
showmount -a 192.168.1.67 # Shows the clients connected to host 192.168.1.67
# and the shares they have mounted.
3. rpcinfo
o Reports RPC information.
o Can determine if RPC services are running on a host.
o Example Usage:
rpcinfo -p 192.168.1.77 # Display list of RPC services running on 192.168.1.77
25. Network Information Service (NIS)
25.1 Overview
1. Central information database
2. Can provide user, group, name resolution, home directory, and authentication information.
3. Packages
o ypserv - Provides the ypserv and yppasswdd daemons. ypserv provides the NIS service and yppasswdd allows the user to change their password and possibly their shell and GECOS information (see below).
o ypbind - Provides the ypbind daemon that is used by clients to connect to an NIS server.
o yp-tools - Provides various NIS client programs.
o portmap - Not part of NIS, but is required for it to work.
4. Ports
Assigned by portmap.
5. Supported NIS Versions
Both ypbind and ypserv support versions 1 & 2.
6. Topology
o Flat namespace. No sub-domains are allowed.
o Only one master per domain.
o Multiple slave servers are allowed. This provides fault tolerance and load sharing.
7. Limitations
o Low Security - Designed when networks could be trusted (e.g. No sniffers installed, no one tries to bypass the service).
o Low Scalability - Replication of data between servers isn't very efficient. NIS has a flat name space that can't be delegated out by subdomain to help ease administration. This limits the use of NIS in larger networks.
o Only runs on Unix - Limited use in heterogeneous environments.
25.2 NIS Client Info
1. Startup
o Two options for finding the NIS server:
1. Broadcast
ypbind contacts its NIS server by sending a broadcast message. This can be a security risk since a rogue NIS server could answer all NIS broadcasts in order to collect authentication information.
2. /etc/yp.conf
NIS servers for the client's domain can be listed in this file. This is more secure since clients contact the NIS server directly instead of broadcasting. This file is modified by authconfig when you select NIS authentication.
2. Configuration
o Use authconfig to configure the client machine to use NIS. You must specify the following:
1. The domain the client will belong to.
2. An NIS domain server (master or slave).
authconfig automatically starts the ypbind daemon for you.
o Configure /etc/nsswitch.conf.
Make sure that "nis" is listed for any information that will be stored in NIS. For example:
passwd: files nis # Check for users in the local system file first, then NIS
shadow: files nis # Same as above, only for the users' passwords
hosts: files nis dns # Check the local files, then NIS, then DNS for host information

The order specified is important. For example, if user steve is defined in both the system files and the NIS map and we have the same setup as the nsswitch.conf file above, the information about user steve (passwd, GECOS, etc.) will be retrieved from the local system files and not from the NIS map.
To change this, we would need to reverse the order listed above for the passwd and shadow entries so that "nis" comes before "files".
3. Client Side Tools
o ypwhich - Determines which master or slave NIS server the client is using.
o ypcat - Used to print keys in an NIS map. For example, to print the information in the passwd map:
ypcat passwd
o ypchfn - Change your GECOS information in NIS. yppasswdd must be started with "-e chfn" in order for users to be able to change their GECOS information.
o ypchsh - Change your login shell in NIS. yppasswdd must be started with "-e chsh" in order for users to be able to change their login shell.
o yppasswd - Change your NIS password.
o yppush - Used to copy NIS information from masters to slaves. Called automatically if "NOPUSH=false" in the /var/yp/Makefile.
o ypmatch - Used to print the value of one or more keys in an NIS map. For example, to print the entry for user steve in the passwd map:
ypmatch steve passwd

2!.3 ,IS Server
1. Con;i%uration
o S0ecif& &o#r )omain in /etc/sysconfig/network 6& insertin$ t1e
follo.in$ lineE
o NISDOMAIN=somedomain
o
31is .ill set &o#r )omain name at 6oot#0. 3o set it no.G #se t1e
domainname comman)E
domainname somedomain

SEC(RI:M ,/:EB 31e )omain s0ecifie) s1o#l) not 6e t1e same as
&o#r D@S )omain. @IS )omains s1o#l) 6e ke0t se#ret in or)er to im0rove
sec#rit&. If an @IS )omain is kno.n an) t1e @IS server can 6e reac1e)G
an& client can connect to t1e )omain.
o $aster Servers
1. Make s#re t1e 1ost name 1as 6een c1an$e) to somet1in$ ot1er
t1an localhost.localdomain. 31is can ca#se 0ro6lems for slave
servers if itIs not c1an$e).
2. S0ecif& t1e net.orks t1at are allo.e) to connect to t1e @IS server
in /var/yp/securenets.
3. (1an$e /var/yp/.akefile to fit &o#r nee)s. 31is file incl#)es a
list of 0ossi6le information t1at @IS can store.
A fe. o0tionsE
NOPUSH=true # Set to false if you have slave
servers
MERGE_PASSWD=true # Should we merge the shadow file
with the password file?
MERGE_GROUP=true # Should we merge the gshadow file
with the group file?
MINUID=500 # Lowest uid to include in the NIS
map
MINGID=500 # Lowest gid to include in the NIS
map

4. Start 0ortma0 an) &0servE
5. service portmap start
6. service ypserv start
7.
'. (reate t1e @IS ma0E
9. /usr/lib/yp/ypinit -m
10.
No# ma& receivin$ t1e follo.in$ messa$eE
Could not read ypservers map: 3 Can't bind to server
which serves this domain

31is )oes not a00ear to 6e a critical error. 31e @IS ma0 is still
create).
If &o# onl& .ant to incl#)e lo$in an) $ro#0 information in &o#r
@IS ma0G &o# co#l) #se t1e follo.in$ instea) of &0initE
make passwd shadow group

An& time &o# c1an$e information on t1e master server t1at affects
t1e @IS ma0G &o# m#st re%r#n t1e JmakeJ comman). 2ser
0ass.or)s are t1e e=ce0tion to t1is r#le. 31e& are #0)ate)
a#tomaticall&.
o Slave Servers
1. Put an entry in /etc/hosts for the master NIS server.
2. All names of the slave servers must be specified in the
/var/yp/ypservers file on the master server.
3. Start portmap and ypserv:
service portmap start
service ypserv start

4. Execute ypinit:
/usr/lib/yp/ypinit -s <masterserver>

If specifying the IP address of the master server doesn't work,
specify the hostname (from /etc/hosts) of the master server
instead.
You may see the following message several times:
Trying ypxfrd ... not running

Everything still appears to transfer ok from the master server.
2. Replication
o yppush is automatically called whenever the master server's databases are
updated. yppush transfers the NIS map from the master to the slaves. In
order for replication to work, ypbind must be running on the master
server.
o ypxfr is similar to yppush except that it transfers the NIS map from the
NIS server to the localhost. It is usually invoked by ypinit or ypserv.
3. Debugging
o Check NIS using rpcinfo:
rpcinfo -p localhost

o Verify portmap is running.
25.4 Using Automounter to Automount User Home Directories
1. First, add the following line to /etc/auto.master:
/home /etc/auto.home --timeout 60
2. Then, create the /etc/auto.home file with the following contents:
* -rw,soft,intr 192.168.1.20:/home/&
In this case, 192.168.1.20 is the IP address of the NFS server.
3. Unmount /home on the client machine if it is a separate partition.
4. Restart autofs.
5. On the NFS server, put the following line in /etc/exports (the /24
netmask is needed, otherwise the entry names the single host 192.168.1.0):
/home 192.168.1.0/24(rw)
6. Start (or restart) NFS on the NFS server.
26. LDAP
26.1 Overview
1. Distributed directory service.
2. Plaintext is used by default, but can be configured to use TLS.
3. Packages
o openldap - Contains configuration files, libraries, and documentation
needed for OpenLDAP to function.
o openldap-servers - Contains the slapd LDAP daemon and the slurpd
replication daemon as well as several migration scripts.
o openldap-clients - Contains client programs needed for accessing and
modifying openldap directories.
o nss_ldap - Contains two LDAP access clients, nss_ldap and pam_ldap.
o gq - Provides the GUI LDAP client gq.
4. Ports
o slapd - TCP 389
o slurpd - ???
5. Terminology
o Distinguished Name (DN) - Used to reference a specific entry in the
directory service. Example DN:
uid=steve, ou=People, dc=somedomain, dc=com

o BaseDN - A server is responsible for all DNs that are within its BaseDN.
Example BaseDN:
dc=somedomain, dc=com

26.2 LDAP Server
1. slapd
o Stand-alone LDAP Daemon.
o Migration
1. Scripts to migrate existing system data to an LDAP server are stored in
/usr/share/openldap/migration.
2. migrate_common.ph - Contains common header information
needed by migration scripts. Need to modify:
$DEFAULT_MAIL_DOMAIN
$DEFAULT_BASE
3. After changing defaults, modify /etc/openldap/slapd.conf (see
below) and then run the appropriate migration script. For example:
migrate_all_offline.sh - Migrates traditional UNIX flat
files.
NOTE: Starting with RH 7.1, protocols and services were
added that contain a + in their name. These must be
commented out of /etc/protocols and /etc/services
because they cause trouble with the migration scripts.
migrate_all_nis_offline.sh - Migrates information from
existing NIS services.
See /usr/share/openldap/migration/README for an
explanation of the various migration scripts.
4. Change the ownership of the ldap database files so slapd can
access them:
chown -R ldap:ldap /var/lib/ldap

o Configuration
1. Edit /etc/openldap/slapd.conf and specify the following:
suffix - The BaseDN
rootdn - The DN for the administrator
rootpw - The password for the administrator
2. Access
Default setup gives rootdn read/write access and read-only
to all others.
Highly configurable.
Compare, search, read, and write access can be configured
for each entry.
26.3 LDAP Clients
1. Command Line
o Configured in /etc/openldap/ldap.conf.
1. Specify which server to bind to.
2. Specify the BaseDN to use.
3. Client utilities usually let you override these defaults.
o Utilities include:
1. ldapadd - Add directory entries.
2. ldapdelete - Delete directory entries.
3. ldapmodify - Modify directory entries.
4. ldappasswd - Change the password of an entry.
5. ldapsearch - Searches directory entries.
2. GUI
o gq - Allows the user to browse, search, modify, and display directory entries.
26.4 Using LDAP with NSS
1. Requires the nss_ldap RPM.
2. Configuration
o /etc/nsswitch.conf - Add "ldap" to the search order of the entries that
will be provided by LDAP.
o /etc/ldap.conf - Configuration file for nss_ldap. Note that this is
different from the client configuration file /etc/openldap/ldap.conf.
Common Entries:
host 192.168.1.5 # LDAP server
base dc=xyz,dc=com # Base DN of database
binddn cn=binduser,dc=xyz,dc=com # DN to bind to the server with. Default is anonymous access.
bindpw super_secret # Password for user to bind with
rootbinddn cn=root,dc=xyz,dc=com # DN to bind to the server with when the unix uid is 0.
# Password is stored in /etc/ldap.secret in plaintext (mode 600)
ssl # Use TLS instead of plaintext communication

The rootbinddn is the DN used to attach to the LDAP database when the
userid = 0. It must be set to a DN with proper permissions (typically the
rootdn specified in /etc/openldap/slapd.conf) in order for root to
update user accounts using command line utilities like passwd, chsh, etc.
o /etc/pam.d/system-auth - PAM configuration file used for system
authentication. This is configured by authconfig.
3. Troubleshooting
If, as root, you attempt to change the password of a user stored in the ldap
database and you receive an error about the user being "Unknown", verify the
password in /etc/ldap.secret is correct. It must be in plain text. When the
password is incorrect, root can't bind to the LDAP database and therefore won't be
able to find the user.
27. Samba
27.1 Overview
Samba provides SMB/CIFS services to clients. The smbd daemon performs
authentication, authorization, file, and print sharing services. The nmbd daemon can act
as a netbios name server as well as a WINS server.
1. Packages
o samba-common
Contains files needed by both the client and server parts of Samba.
o samba-client
Contains the client side files.
o samba
Contains the server side files.
o samba-swat
A web based administration tool.
2. Ports
o smbd
TCP port 139.
o nmbd
UDP ports 137 & 138
27.2 Configuration
1. /etc/samba/smb.conf
o All configuration is done via editing this file.
o Similar in format to the windows .ini file.
o Sections
1. global
Contains all server wide or generic settings.
2. homes
Used to grant users access to their home directories.
3. printers
Used to configure printer resources/services.
2. Global Configuration
o User/Password Options
1. Encrypted Passwords
To enable encrypted passwords, the following two lines must be
uncommented:
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

To create the password file, simply add a user:
smbpasswd -a steve

OR
smbadduser steve:steve # <unix user>:<nt user>
smbpasswd -u steve

The user must exist in the system password files before
adding them to the smbpasswd file. The default file created will be
the password file specified by the smb passwd file option in
/etc/samba/smb.conf.
2. username level
Helps Samba determine what the unix user name is. By default it
tries all lower case characters. This number specifies how many
uppercase combinations should be tried. The larger the number, the
longer it can take to authenticate, but the better the chance of
success.
3. password level
Same as username level only for the password.
4. Syncing with Unix passwords
If you want the unix password changed every time the Samba
password is changed, you must specify the following:
unix password sync = Yes
# unix utility to use
passwd program = /usr/bin/passwd %u
# chat string
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*au$

o workgroup
The workgroup option specifies the name of the windows workgroup or
NT domain name that the Samba server will belong to.
o netbios name
The netbios name option specifies what the Samba server will advertise
as its netbios name. By default, this is the same name as the first part of
the host's FQDN.
o Restricting Hosts
The hosts allow option allows you to specify which hosts are allowed
to use the Samba service.
hosts allow = 192.168.1. 192.168.2. 192.168.3.20

This allows all hosts in the 192.168.1.0/24 and 192.168.2.0/24 networks
and the single host 192.168.3.20 to access the Samba services.
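To check a hosts allow value against a client address without starting smbd, here is an added example (not from this guide or from Samba) that implements the trailing-dot prefix and exact-address forms used above; it also handles Samba's EXCEPT keyword, which the text does not mention.

```python
"""Evaluate a Samba 'hosts allow' value for a client address.

Added example, not from the study guide or from the Samba project. It
implements the two entry forms used in the text (a trailing-dot network
prefix such as 192.168.1. and a complete address such as 192.168.3.20)
plus Samba's EXCEPT keyword, which carves addresses out of the allowed set.
"""
import ipaddress


def _rule_matches(rule, client):
    """One entry: a trailing-dot prefix or a full IPv4 address."""
    if rule.endswith("."):
        # Leading octets are compared as text, so 192.168.1. does not
        # match 192.168.10.5 (the dot after '1' is part of the prefix).
        return str(client).startswith(rule)
    return ipaddress.IPv4Address(rule) == client


def host_allowed(hosts_allow, client_ip):
    """True if client_ip may connect under this 'hosts allow' value.

    Entries are separated by spaces or commas. An empty value means no
    restriction (Samba's default when the option is absent). Entries
    after the word EXCEPT are denied even if an earlier entry matches.
    """
    client = ipaddress.IPv4Address(client_ip)
    tokens = hosts_allow.replace(",", " ").split()
    if not tokens:
        return True
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        cut = upper.index("EXCEPT")
        allowed, excepted = tokens[:cut], tokens[cut + 1:]
    else:
        allowed, excepted = tokens, []
    if any(_rule_matches(r, client) for r in excepted):
        return False
    return any(_rule_matches(r, client) for r in allowed)


def reachable_hosts(hosts_allow, candidates):
    """Filter a list of addresses down to those the value admits."""
    return [ip for ip in candidates if host_allowed(hosts_allow, ip)]


# Constructed check against the example value from the text.
HOSTS_ALLOW = "192.168.1. 192.168.2. 192.168.3.20"
CANDIDATES = ["192.168.1.77", "192.168.2.1", "192.168.3.20",
              "192.168.3.21", "192.168.10.5", "10.0.0.9"]

if __name__ == "__main__":
    for ip in CANDIDATES:
        print(ip, "allowed" if host_allowed(HOSTS_ALLOW, ip) else "denied")
```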
o Printer Options
printcap name = /etc/printcap # Specify printer definition file
load printers = yes # Make all defined printers available to users
printing = lprng # Specifies printing system used

o guest account
The account used for access permissions when connecting to shares that
allow guest access. Make sure to add this account to /etc/passwd. If it
isn't specified, user "nobody" is used.
o WINS support
Samba can act as a WINS client, or a WINS server, but not both. As a
WINS client it will look up netbios names using another WINS server. As
a WINS server, it will provide the netbios name to IP conversion for other
clients.
To make Samba a WINS client:
wins server = 192.168.1.5

To make Samba a WINS server:
wins support = yes
name resolve order = wins lmhosts host bcast

The second option is required and defaults to "host lmhosts wins
bcast". It specifies the order in which to access the various resources for netbios
name resolution.
1. host - Perform the standard host name to IP resolution using
/etc/hosts, NIS, and DNS.
2. lmhosts - Use the name/IP address mappings specified in the
lmhosts file. By default, the lmhosts file is /etc/samba/lmhosts.
127.0.0.1 localhost
192.168.1.5 endor

3. wins - Query the host specified in the wins server option to
resolve the IP address.
4. bcast - Use a netbios broadcast to resolve the IP address. This only
works for hosts connected to the local network.
o Authentication Methods
Specify the authentication method with the security option. Possible values
are:
1. user - Authenticate by user using the smbpasswd file. The user must
be defined on the unix system. This is the default.
2. share - User authenticates against each individual share.
3. server - Samba validates the user using the server specified by the
password server parameter. The user must still be defined on the
unix system.
4. domain - Samba validates the user using the PDC or BDC as a
normal NT server would. The Samba server must first be added as
a valid machine to the PDC. The user must still be defined on the
unix system.
o Logging Options
log file = /var/log/samba/%m.log
max log size = 0

The first option specifies that an individual log will be kept for each
machine (%m) that connects to the server. The second option specifies a
size limit to put on the log file (zero = unlimited).
o Browser Options
local master = yes # Allow Samba to participate in master browser elections
os level = 35 # The higher the level, the better chance of winning the election
preferred master = yes # Causes Samba to force an election upon startup
domain master = yes # Allows Samba to collate browse lists between subnets

o Domain Options
domain logons = yes # Causes Samba to become a domain logon server for Windows 95 machines.

3. Common Share Options
o public
Share can be accessed by the "guest" account.
o browseable
Makes the share visible in browse lists.
o writable
Allows users to write to the share.
o printable
Specifies the share/resource as a printer not a disk.
o group
Specifies the UNIX group that will be assigned as the default primary
group for all users connecting to the share.
o valid users
Specifies the users that are allowed to connect to the share.
o create mode/create mask
Specifies the unix file permission bits that will always be set on any file
created in this directory by Samba.
o directory mode
Same as 'create mode' only for directories.
o write list
A list of users and/or groups that will be given write access to the share if
the 'writable' option is set to "no".
o path
Specifies the location of the share within the unix file system.
o only guest/guest only
If set to yes, then only guest connections to the share are permitted.
o guest ok/public
This permits the guest account to access this share.
o Special shares
Some shares have special meaning to Samba when defined; these are:
1. [printers]
Printable share that includes all system defined printers.
2. [homes]
Sets up each user's home directory as a file share that is accessible
only by that user.
3. [netlogon]
Specifies the netlogon directory for Domain Logons.
4. Example Shares
o File share for research dept.
[research]
comment = Research Dept.
path = /var/research # Location of share on file system
public = yes # Guest account may connect (same as guest ok)
writable = yes # Authenticated users can write to it
printable = no

o Printer share configuration
[printers] # Special share that defines all printers
comment = All printers
path = /var/spool/samba # Location of spooling directory for print jobs
browseable = no # Does not show up in browse lists
guest ok = no # Guest user is not allowed to connect to this share
printable = yes # A printer share

o File share for accounting dept.
[accounting]
comment = Accounting
path = /usr/local/shares/accounting
valid users = @accounting # Only users in the unix group 'accounting' can access the share
public = no
write list = bob sue steve # Only users bob, sue, and steve can write to this share

o Home directory shares
[homes]
comment = Home Directories
browseable = yes
writable = yes
valid users = %S
create mode = 0664
directory mode = 0775

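An added example (not from this guide or from Samba) that parses an smb.conf in the .ini style described above and reports the share settings a reviewer looks at first: because public is a synonym for guest ok, a share like [research] above is writable by the guest account, while [accounting] limits writes to its write list. The sample configuration is constructed from the shares above.

```python
"""Audit an smb.conf for shares reachable by the guest account.

Added example, not from the study guide or from the Samba project. It
parses the .ini-style file the text describes (lines starting with # or ;
are comments, [section] headers, key = value) and reports the settings a
defender reviews first, using the synonyms given in the text: public is
guest ok, writable grants write access, write list grants it even when
writable is no.
"""
import re

# Constructed sample: [global] plus the research and accounting shares
# from the text (inline comments dropped; Samba only treats whole lines
# starting with # or ; as comments).
SAMPLE_SMB_CONF = """
[global]
   workgroup = MYGROUP
   security = user
   encrypt passwords = yes
   hosts allow = 192.168.1. 192.168.2. 192.168.3.20

[research]
   comment = Research Dept.
   path = /var/research
   public = yes
   writable = yes
   printable = no

[accounting]
   comment = Accounting
   path = /usr/local/shares/accounting
   valid users = @accounting
   public = no
   write list = bob sue steve
"""


def parse_smb_conf(text):
    """Return {section: {key: value}} with section and key names lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = re.match(r"^\[(.+)\]$", line)
        if match:
            section = match.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def is_yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def share_flags(share):
    """Effective guest and write settings for one share (text's synonyms)."""
    guest_ok = is_yes(share.get("guest ok")) or is_yes(share.get("public"))
    writable = (is_yes(share.get("writable")) or is_yes(share.get("writeable"))
                or share.get("read only", "yes").strip().lower() == "no")
    return {"guest_ok": guest_ok, "writable": writable,
            "write_list": share.get("write list", "").split()}


def audit(conf):
    """Return a sorted list of (section, finding) tuples worth a second look."""
    findings = []
    g = conf.get("global", {})
    if not is_yes(g.get("encrypt passwords")):
        findings.append(("global", "encrypt passwords is not yes; clients send plaintext passwords"))
    if not g.get("hosts allow"):
        findings.append(("global", "no hosts allow; any host that reaches port 139 may connect"))
    if g.get("security", "user").strip().lower() == "share":
        findings.append(("global", "security = share; no per-user authentication"))
    for name, share in conf.items():
        if name == "global":
            continue
        flags = share_flags(share)
        if flags["guest_ok"] and flags["writable"]:
            findings.append((name, "guest account can write to this share"))
        elif flags["guest_ok"]:
            findings.append((name, "guest account can read this share"))
        if flags["write_list"] and not flags["writable"]:
            findings.append((name, "write access via write list: " + " ".join(flags["write_list"])))
    return sorted(findings)


if __name__ == "__main__":
    for section, finding in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("[%s] %s" % (section, finding))
```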
27.3 Utilities
1. testparm
o Check for errors in smb.conf.
o Test security settings for a particular host:
testparm /etc/samba/smb.conf 192.168.1.20
This would return the resources available to the host at 192.168.1.20.
2. testprns
Determines whether a printer is valid for use through smbd.
testprns <print> /etc/printcap
3. smbclient
Provides command line ftp-style retrieval of files from smb/cifs shares.
smbclient -L 192.168.1.10 # List accessible shares on host 192.168.1.10
smbclient //192.168.1.10/homes # Connect to user home directory
smbclient -U steve //somehost/homes # Connect to homes share as user steve
4. nmblookup
Provides hostname and IP resolution for netbios.
nmblookup -U server -R 'endor' # Lookup host 'endor' using unicast to query WINS server 'endor' and set the recursion flag on (-R)
nmblookup \* # List all machines
5. smbmount
Used to mount smb/cifs shares on a local system.
# Mount share research from server endor onto mount point /mnt/smb/endor as user steve
smbmount //endor/research /mnt/smb/endor -o username=steve
Samba mounts can be performed automatically at boot up by putting them in the
/etc/fstab file.
//endor/research /mnt/smb/endor smbfs defaults,credentials=/etc/smb/endor.research 0 0
The credentials option specifies the file that contains the username/password pair
to use. Make sure this file is protected adequately. The credentials file should
contain:
username = steve
password = mypassword
27.4 Disabling Encrypted Passwords on Windows Clients
1. Windows 95 OSR2+ and Windows 98
Using the registry editor (regedit), go to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP
Add a DWORD value with the name EnablePlaintextPassword. Set its
value to 0x01.
2. Windows NT
Using the registry editor (regedit), go to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rdr\Parameters
Add a DWORD value like above.
27.5 Configuring Samba as a Primary Domain Controller
1. Make sure Samba is the only PDC on the network.
2. Make sure there is a WINS server on the network (NT or Samba).
3. Samba is set to use "user" level security.
4. Set the following options in the [global] section of your smb.conf file:
[global]
workgroup = MYGROUP
domain logons = yes
security = user
os level = 34
local master = yes
preferred master = yes
domain master = yes

[netlogon]
comment = Domain Logon Service
path = /var/samba/logon
public = no
writeable = no
browsable = no
5. NT Clients
If you have NT clients on your network, you must also add the following option:
encrypt passwords = yes
NT clients also require a trust account. Trust accounts allow the machine to log in
to the PDC and become a member of the domain. Use the following steps to set up
a trust account on the Samba server for the NT client:
o Add a unix system account for the machine. The logon name will always
end in a "$". Your /etc/passwd entry should look similar to:
endor$:x:1000:1000:Trust Account:/dev/null:/dev/null

Place an * in the password field of the /etc/shadow file to prevent
anyone from logging into the unix server with this account.
o Add the encrypted password for the machine:
smbpasswd -a -m endor

The "-m" specifies it's a machine trust account. The default password will
be set to the netbios name of the machine. The NT client should log into
the PDC asap so it can change the default password.
27.6 Default Red Hat smb.conf
This is the default smb.conf that comes with RH 7.2.
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = MYGROUP
# server string is the equivalent of the NT Description field
server string = Samba Server
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes
# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
printing = lprng
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log
# Put a capping on the size of the log files (in Kb).
max log size = 0
# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = user
# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
; password server = <NT-Server-Name>
# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
; password level = 8
; username level = 8
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
# The following is needed to keep smbclient from spouting spurious errors
# when Samba is built with support for SSL.
; ssl CA certFile = /usr/share/ssl/certs/ca-bundle.crt
# The following are needed to allow password changing from Windows to
# update the Linux sytsem password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
; unix password sync = Yes
; passwd program = /usr/bin/passwd %u
; passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
# Unix users can map to different SMB User names
; username map = /etc/samba/smbusers
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/samba/smb.conf.%m
# This parameter will control whether or not Samba should obey PAM's
# account and session management directives. The default behavior is
# to use PAM for clear text authentication only and to ignore any
# account or session management. Note that Samba always ignores PAM
# for authentication in the case of encrypt passwords = yes
; obey pam restrictions = yes
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# Configure remote browse list synchronisation here
# request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see below)
; remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
; remote announce = 192.168.1.255 192.168.2.44
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no
# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
; preserve case = no
; short preserve case = no
# Default case is normally upper case for all DOS files
; default case = lower
# Be very careful with case sensitivity - it can break things!
; case sensitive = no
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
create mode = 0664
directory mode = 0775
# If you want users samba doesn't recognize to be mapped to a guest user
; map to guest = bad user
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /usr/local/samba/lib/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /usr/local/samba/profiles
; browseable = no
; guest ok = yes
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = @staff
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /home/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/local/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
28. Squid
28.1 Overview
1. HTTP and FTP caching proxy server.
2. Conforms to the Harvest Cache architecture.
3. Uses the Inter-Cache Protocol (ICP) to communicate with other cache servers.
4. Only recognizes HTTP on the client side, but will use both FTP and HTTP on the
server side.
5. Required Packages: squid
6. Ports
o Clients connect to TCP port 3128 by default.
o Default port can be changed.
o For accelerator mode, clients will typically connect to TCP port 80.
28.2 Configuration
1. /etc/squid/squid.conf
o Primary configuration file.
o Parent/sibling caches - Squid can be configured to check other caches for a
request before fetching a new object.
Configuration example:
# Proxy ICP
# Host Name Type Port Port
cache_peer parentcache.xyz.com parent 3128 3130
cache_peer childcache1.xyz.com sibling 3128 3130
cache_peer childcache2.xyz.com sibling 3128 3130

o Access Control Lists - Squid has very extensive ACLs for controlling access.
o See /etc/squid/squid.conf for further configuration examples. It is
very well documented.
o Cache initialization.
The cache is located at /var/spool/squid. If it hasn't been created, the
startup script will automatically create it when squid is started.
28.3 Client Program (/usr/sbin/client)
1. FINISH ME!
29. INND
29.1 Overview
1. Provides Network News Transport Protocol (NNTP) service.
2. Major newsgroups include: alt, comp, gnu, misc, news, rec, sci, soc, and talk.
3. Newsgroups are configured in a hierarchical fashion.
4. Package: inn
5. Port: TCP 119.
29.2 Configuration
1. /etc/news/
Location of configuration files. A minimal leafnode setup requires that you
modify the following files:
o inn.conf
Set the following options. The defaults for the remaining options should
be fine.
organization: MyOrganization
domain: mydomain.com
server: news.mydomain.com

o incoming.conf
Place your ISP's news server information in here.
# Peer definition
# MyISP.com (800) 555-1212 news@MyISP.com
peer myisp.com {
hostname: news.myisp.com
}

o newsfeeds
If you want to post articles, you need to modify newsfeeds.
news.myisp.com:comp.*,!comp.sources.*,comp.sources.unix/!foo:Tf,Wnm:news.myisp.com

The colon is the field delimiter used above. The format of the above line
is:
sitename[/exclude,exclude,...]:pattern,pattern,...[/distrib,distrib,..]:flag,flag,...:param

Options:
1. sitename - Names the site to which this feed relates. It can be
called anything you want and does not have to be the domain name
of the site.
2. pattern - Indicates which newsgroups are to be sent to this site.
The default is to send all groups (leave it blank if that's what you
want). The above example will cause all "comp" groups to be
received, but not any group under "comp.sources" except for
"comp.sources.unix".
distribution - If specified, and an article has a
"Distribution" header, it is checked against this value. If the
distribution specified matches the distribution header in the
article, it is sent. However, if the distribution specified
starts with an exclamation point, and the distribution header
in the article matches, it is not sent. In the above example,
any article with a distribution header containing "foo" will
not be sent.
3. flag - Specify various options about the newsfeed. The above
options specify that this is a file feed type (Tf), and that only the
article's "message-id" and "token" (Wnm) should be written.
4. param - Meaning varies depending on the feed type. When the
feed type is "file" as in the example above, it specifies the file to
write an entry to when an article is received. If not an absolute
path, it is relative to the "pathoutgoing" option in inn.conf.
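An added example (not from this guide or from INN) that parses the newsfeeds line above into its four fields and applies the pattern and distribution rules just described; wildcards are matched with fnmatch and the last matching pattern wins, which is how INN's wildmat lists behave.

```python
"""Parse an INN newsfeeds entry and decide whether an article is fed.

Added example, not from the study guide or from INN. It implements the
four-field format given in the text
    sitename[/exclude,...]:pattern,...[/distrib,...]:flag,...:param
and the selection rules described for patterns and distributions.
Matching uses fnmatch wildcards; the last matching pattern decides.
"""
import fnmatch

# Constructed from the example line in the text.
FEED_LINE = ("news.myisp.com:comp.*,!comp.sources.*,comp.sources.unix/!foo"
             ":Tf,Wnm:news.myisp.com")


def parse_newsfeed(line):
    """Split one newsfeeds line into its parts."""
    fields = line.strip().split(":")
    if len(fields) != 4:
        raise ValueError("expected 4 colon-separated fields, got %d" % len(fields))
    site, pattern_field, flag_field, param = fields
    sitename, _, exclude = site.partition("/")
    patterns, _, distribs = pattern_field.partition("/")
    flags = {}
    for flag in flag_field.split(","):
        if flag:
            flags[flag[0]] = flag[1:]  # Tf -> {'T': 'f'}, Wnm -> {'W': 'nm'}
    return {
        "sitename": sitename,
        "exclude": [e for e in exclude.split(",") if e],
        "patterns": [p for p in patterns.split(",") if p],
        "distribs": [d for d in distribs.split(",") if d],
        "flags": flags,
        "param": param,
    }


def group_wanted(patterns, group):
    """No patterns means every group; otherwise the last match decides."""
    wanted = not patterns
    for pat in patterns:
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(group, pat.lstrip("!")):
            wanted = not negate
    return wanted


def distribution_wanted(distribs, article_distribution):
    """Distribution rules from the text; an article without the header passes."""
    if not distribs or article_distribution is None:
        return True
    for d in distribs:
        if d.startswith("!") and fnmatch.fnmatchcase(article_distribution, d[1:]):
            return False  # negated entry matched: do not send
    positives = [d for d in distribs if not d.startswith("!")]
    if positives:
        return any(fnmatch.fnmatchcase(article_distribution, d) for d in positives)
    return True  # only negations listed and none matched


def article_fed(feed, newsgroup, distribution=None):
    """True if an article in newsgroup (optional Distribution:) goes to this feed."""
    return (group_wanted(feed["patterns"], newsgroup)
            and distribution_wanted(feed["distribs"], distribution))


if __name__ == "__main__":
    feed = parse_newsfeed(FEED_LINE)
    for group in ("comp.lang.c", "comp.sources.misc", "comp.sources.unix", "alt.test"):
        print(group, "fed" if article_fed(feed, group) else "not fed")
```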
o readers.conf - Edit this file if you want to allow readers on other
computers.
o motd.news - If you allow readers, it is a good idea to put a banner in this
file that relays your usage policies to your readers.
2. Run inncheck to correct any permissions problems and catch any configuration
file errors.
3. Run makehistory to initialize the INN history database.
4. Run makedbz to rebuild the dbz database files.
29.3 Troubleshooting
1. innd won't start
o Use inncheck.
o Check logs under /var/log/news.
2. Readers can't read
o Verify that the reader is allowed access by checking nnrp.access.
o Make sure innd is running.
o Check logs under /var/log/news.
o telnet to port 119 and see if a banner comes up.
3. Posters can't post
o Confirm the poster is allowed to post by checking nnrp.access.
o Check logs under /var/log/news.
o telnet to port 119 and see if a banner comes up with (posting allowed).
30. NTP
30.1 Overview
1. Network Time Protocol
o Uses a distributed hierarchy to synchronize time to UTC (Universal
Coordinated Time).
o Each server is at a certain stratum. The lower the stratum, the closer it is to
an external source of UTC.
o Stratum 1 servers have direct access to an external UTC source (e.g. a
radio clock synchronized to time signal broadcasts).
o A stratum 2 server gets its time from a stratum 1 server. A stratum 3 gets it
from a stratum 2, and so on.
o To avoid synchronization problems, the maximum number of strata is 15.
o Ideally, NTP likes to have at least 3 sources of time available to
synchronize to.
o NTP never runs a system clock backwards, but can slow it down if it's
running too fast.
o When NTP is first started, it starts to compute the frequency of the clock
on the computer it's running on. It usually takes a day or so for NTP to
determine the error or "drift" of the local clock. This "drift" is stored in a
local file so it doesn't have to be recomputed if NTP is restarted.
2. Packages
ntp
3. Port
UDP 123
30.2 Configuration
1. /etc/ntp.conf
o Primary configuration file.
o Example:
server rackety.udel.edu
server umd1.umd.edu
server lilben.tn.cornell.edu

driftfile /etc/ntp/drift

The "server" keyword is used to indicate the servers that should be used to
synchronize to UTC. This host can receive synchronization from one of
the listed servers, but cannot provide it to them.
The "driftfile" directive indicates the file that contains the current value
of the frequency error of the clock on the computer.
31. PPP
31.1 Overview
1. Point-to-Point Protocol.
2. Typically used by dial-up users.
3. Packages
o ppp - Provides the pppd daemon and other tools necessary to set up a ppp
client or server.
o rp-pppoe - Required for ADSL connections that run PPP over Ethernet.
o wvdial - wvdial is an easy to use ppp client configuration tool.
o mgetty - Needed for a pppd server to listen on a serial port.
31.2 Client Configuration
1. Use wvdial to configure the client.
2. wvdial automatically detects and configures your modem.
3. Configuration Steps:
o As root, execute: /usr/bin/wvdialconf /etc/wvdial.conf - This
creates the configuration file for wvdial based on your modem.
o Edit /etc/wvdial.conf and specify the phone number, login name, and
password that are needed to log in to your ISP. Uncomment the 3 lines that
already exist for this purpose and fill in the necessary information.
4. Connecting to your ISP
To connect to your ISP, all you need to do is execute /usr/bin/wvdial
31.3 Server Configuration
1. General pppd configuration options are placed in /etc/ppp/*
2. Configure mgetty to listen on your serial port. In /etc/inittab put an entry
similar to the following:
ppp0:35:respawn:/sbin/mgetty ttyS0
This tells mgetty to listen on serial port /dev/ttyS0.
3. Then, you must tell mgetty to perform automatic PPP negotiation. Put the
following line in /etc/mgetty+sendfax/login.conf:
/AutoPPP/ - - /usr/sbin/pppd auth -chap +pap login
32. OpenSSH
32.1 Overview
1. Replaces insecure network communication applications.
2. Can authenticate via user and/or token.
3. Can tunnel insecure protocols through an encrypted tunnel.
4. Packages
o openssh - Provides core components for both openssh-server and
openssh-clients.
o openssh-server - Contains sshd, the secure shell daemon.
o openssh-clients - Includes ssh, slogin, ssh-agent, ssh-add, sftp.
o openssh-askpass - Provides an X11 based pass phrase dialog.
o openssh-askpass-gnome - A GNOME specific X11 based pass phrase
dialog.
o openssl - Provides cryptographic libraries.
5. Ports
o sshd - TCP 22
32.2 Configuration
1. /etc/ssh/
o Client and Server configurations are stored here.
o Server Related Files
1. sshd_config - Primary server configuration file.
Sample options:
Port 22                               # Port to bind to
Protocol 2,1                          # Protocol versions and order to use them in.
#ListenAddress 0.0.0.0                # Bind to all addresses.
ListenAddress 192.168.1.20            # Bind to a specific interface.
HostKey /etc/ssh/ssh_host_key         # Specify host key files
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768                     # Size of server key for SSHv1 protocol
LoginGraceTime 600
KeyRegenerationInterval 3600          # How often server key is regenerated in SSHv1 protocol
PermitRootLogin no                    # Don't allow root to login directly
IgnoreRhosts yes                      # Ignore .rhosts files
IgnoreUserKnownHosts yes              # Ignore user's known_hosts files.
StrictModes yes                       # Tells sshd to check file modes and ownership of
                                      # user files before allowing login
X11Forwarding yes                     # Permit X11 Forwarding
X11DisplayOffset 10                   # Specifies which display to use when forwarding
# Enable secure ftp
Subsystem sftp /usr/libexec/openssh/sftp-server

2. ssh_known_hosts - Contains a list of hostnames and their associated public key.
3. ssh_host_key & ssh_host_key.pub - Private/Public RSA key-pair for SSHv1 protocol.
4. ssh_host_rsa_key & ssh_host_rsa_key.pub - Private/Public RSA key-pair for SSHv2 protocol.
5. ssh_host_dsa_key & ssh_host_dsa_key.pub - Private/Public DSA key-pair for SSHv2 protocol.
o Client Related File(s)
1. ssh_config - Client configuration file.
Default configuration:
# Site-wide defaults for various options
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsAuthentication no
# RhostsRSAAuthentication yes
# RSAAuthentication yes
# PasswordAuthentication yes
# FallBackToRsh no
# UseRsh no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking yes
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_rsa
# Port 22
# Protocol 2,1
# Cipher blowfish
# EscapeChar ~

32.3 Client Usage
1. ssh
ssh 192.168.1.25             # Login to host 192.168.1.25 via ssh as the local user initiating the session
ssh server.xyz.com           # Login to host server.xyz.com
ssh steve@192.168.1.25       # Login to host 192.168.1.25 as user steve
ssh 192.168.1.25 ls -la      # Execute 'ls -la' on host 192.168.1.25

2. scp - Secure Copy
scp essay steve@192.168.1.25:school_dir       # Copy local file 'essay' to directory school_dir
                                              # in steve's home directory on the remote host
scp essay steve@192.168.1.25:english_paper    # Copy local file 'essay' to the remote host and rename
                                              # it to 'english_paper' on the remote host
scp -r ~/docs steve@192.168.1.25:             # Copy the local directory docs and all of its
                                              # contents to the remote host (note the trailing colon)

3. sftp - Secure ftp
sftp steve@192.168.1.25       # Logs into host 192.168.1.25 as user steve and provides an
                              # ftp like session.
sftp -C steve@192.168.1.25    # Same as above, only enables compression too.

32.4 Authentication Methods Supported by sshd
1. password - Sent securely through the encrypted tunnel.
2. Public Key - Put the public key in ~/.ssh/authorized_keys on the remote host. The private key
is then used to authenticate the user with the remote host.
3. Kerberos
4. s/key
5. SecureID
32.5 ssh-agent usage
eval `ssh-agent`
ssh-add
32.6 Keys
1. Generate with ssh-keygen.
ssh-keygen -b 1024             # Generate a 1024 bit RSA key for SSHv1 protocol
ssh-keygen -t dsa -b 1024      # Generate a 1024 bit DSA key for SSHv2 protocol
ssh-keygen -t rsa -b 1024      # Generate a 1024 bit RSA key for SSHv2 protocol
2. Key Location:
o RSA (SSHv1 protocol) - ~/.ssh/identity and ~/.ssh/identity.pub
o RSA (SSHv2 protocol) - ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub
o DSA (SSHv2 protocol) - ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub
33. Security
33.1 TCP Wrappers
1. Provides host based security.
2. Configuration files: /etc/hosts.allow & /etc/hosts.deny.
o hosts.allow is checked first. If access isn't explicitly permitted, then
hosts.deny is checked. If access isn't explicitly denied, then access is
granted.
o Configuration File Format:
<service_list>:<client_list> [:options]

o Special keywords
1. ALL - Can be used to represent all clients and/or all services. For
example, to deny access to every service from all clients, place the
following in /etc/hosts.deny
ALL:ALL

2. EXCEPT - Can be used with ALL to provide exceptions. For
example, to deny access to all services except sshd and vsftp from
all clients, place the following in /etc/hosts.deny (note that a
second EXCEPT nests inside the first, so the two services go in one
comma-separated list)
ALL EXCEPT sshd, vsftp:ALL

3. LOCAL - Can be used to represent all hosts without a dot in their
name.
4. UNKNOWN - All hosts or users that can't be looked up.
5. KNOWN - All hosts or users that can be resolved.
6. PARANOID - All hosts where the forward and reverse lookups do
not match.
3. tcpd
o The tcpd program checks permissions and launches the specified service if
access is permitted.
o tcpd is typically used with inetd type services.
4. libwrap
o Programs compiled against libwrap can use the tcp wrappers configuration
files for determining access without having to use the 'tcpd' program.
o Many programs in Red Hat Linux are compiled against libwrap. These
include:
o sendmail
o slapd
o sshd
o stunnel
o tcpd
o xinetd # This includes all services executed by xinetd
o gdm
o gnome-session
o ORBit
o portmap

5. Options
o Can be used to execute a command when a rule match occurs. For
example, to e-mail root a warning message every time someone tries to
telnet in from cracker.org, put the following in /etc/hosts.deny:
in.telnetd: .cracker.org : spawn echo \
"login attempt from %c to %s" | \
mail -s "Telnet login warning" root

o Variable replacements:
%c - client information (user@host)
%s - service information (service@host)
%h - client's hostname or IP address if hostname is unavailable
%p - The server process id

o See the hosts_options man page for more information.
6. Example Setup
o /etc/hosts.allow
# Allow all clients in the 192.168.1.0/24 network and the client at 63.21.45.2 access
# to sshd and imapd.

sshd, imapd:192.168.1. 63.21.45.2

# For a multi-homed host, you can specify the interface. This allows all hosts
# in the 192.168.1.0/24 to access in.ftpd, but only if it's through the 192.168.1.10 interface.

in.ftpd@192.168.1.10:192.168.1.

# Allow access to pop3d by all hosts in the somedomain.com domain.

pop3d:.somedomain.com

# Another way to specify network netmasks

vsftp:192.168.1.0/255.255.255.0

# Allow access to telnet from the 'research' network (specified in /etc/networks or NIS)

in.telnetd:@research

o /etc/hosts.deny
# Deny access to all services that aren't explicitly permitted in /etc/hosts.allow

ALL:ALL

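As an added example (not part of the study guide), the decision procedure above in Python: hosts.allow is consulted first, then hosts.deny, and a request that matches neither is granted. It handles the patterns this section uses (ALL, LOCAL, KNOWN/UNKNOWN, nested EXCEPT, leading-dot domain suffix, trailing-dot network prefix, net/mask, daemon@interface); the @netgroup form is treated as unresolvable since no NIS is available offline, and PARANOID and the options field are not modelled. The two files are the example setup above, embedded as constants.

```python
import ipaddress

# The section's example files, embedded as constants so this runs offline.
HOSTS_ALLOW = r"""
# Clients in 192.168.1.0/24 and the client at 63.21.45.2 may reach sshd and imapd.
sshd, imapd:192.168.1. 63.21.45.2
# Multi-homed host: in.ftpd only through the 192.168.1.10 interface.
in.ftpd@192.168.1.10:192.168.1.
pop3d:.somedomain.com
vsftp:192.168.1.0/255.255.255.0
in.telnetd:@research
"""

HOSTS_DENY = r"""
in.telnetd: .cracker.org : spawn echo \
    "login attempt from %c to %s" | \
    mail -s "Telnet login warning" root
# Deny everything not explicitly permitted in hosts.allow.
ALL:ALL
"""

def _match_list(text, pred):
    """Evaluate a daemon or client list with hosts_access(5) semantics:
    'a EXCEPT b EXCEPT c' nests as a EXCEPT (b EXCEPT c)."""
    toks = text.replace(",", " ").split()
    if "EXCEPT" in toks:
        i = toks.index("EXCEPT")
        left, right = " ".join(toks[:i]), " ".join(toks[i + 1:])
        return _match_list(left, pred) and not _match_list(right, pred)
    return any(pred(t) for t in toks)

def _client_pattern(tok, ip, host):
    """Client patterns used in this section; host is None when the lookup failed."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":                     # hostname without a dot
        return host is not None and "." not in host
    if tok == "KNOWN":
        return host is not None
    if tok == "UNKNOWN":
        return host is None
    if tok.startswith("@"):                # NIS netgroup: not resolvable offline
        return False
    if tok.startswith("."):                # leading dot: domain suffix
        return host is not None and host.endswith(tok)
    if tok.endswith("."):                  # trailing dot: network prefix
        return ip.startswith(tok)
    if "/" in tok:                         # net/mask, dotted mask or prefix length
        return ipaddress.ip_address(ip) in ipaddress.ip_network(tok, strict=False)
    return tok == ip or tok == host        # exact address or hostname

def _daemon_pattern(tok, daemon, server_ip):
    if "@" in tok:                         # daemon@interface on a multi-homed host
        name, iface = tok.split("@", 1)
        return name == daemon and _client_pattern(iface, server_ip, None)
    return tok == "ALL" or tok == daemon

def _rules(text):
    """Yield (daemon_list, client_list) per rule; comments, blank lines and
    backslash continuations are handled and a trailing options field is ignored."""
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split(":", 2)
        if len(fields) >= 2:
            yield fields[0], fields[1]

def _file_matches(text, daemon, server_ip, ip, host):
    return any(
        _match_list(d, lambda t: _daemon_pattern(t, daemon, server_ip))
        and _match_list(c, lambda t: _client_pattern(t, ip, host))
        for d, c in _rules(text)
    )

def hosts_access(daemon, server_ip, ip, host=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True when the connection is granted: hosts.allow is consulted first,
    then hosts.deny, and a request matching neither file is granted."""
    if _file_matches(allow, daemon, server_ip, ip, host):
        return True
    if _file_matches(deny, daemon, server_ip, ip, host):
        return False
    return True
```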
33.2 xinetd based security
1. Overview
o xinetd has its own host based access controls built-in.
o TCP Wrappers are checked first. If TCP Wrappers permits access, then
xinetd's access controls are checked.
o Provides some additional restrictions that TCP Wrappers doesn't provide:
time, max # of instances, and number of instances per source allowed.
2. Access Controls
o only_from - Specifies which hosts are allowed to access this service.
only_from = 192.168.1.0/24

o no_access - Specifically deny a host or hosts.
no_access = 192.168.1.20

NOTE: If both only_from and no_access are specified, the one that is
more specific wins. In this case no_access wins because it specifies a
specific host within the 192.168.1.0/24 network.
o access_times - Specifies a time period during which access is allowed.
access_times = 07:30-17:30

o instances - Specifies the maximum number of instances of this service
that may be launched.
instances = 100

o per_source - Specifies the maximum number of instances that can be
initiated per IP address.
per_source = 3

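An added example (not from the guide) of the only_from / no_access resolution described in the NOTE: each attribute is parsed as a list of IPv4 networks, the longest prefix containing the client wins, and access_times is applied afterwards. It assumes bare addresses and CIDR notation only (xinetd's hostname and trailing-zero network forms are not handled), and treats a tie in specificity as a denial, which is this example's conservative choice rather than documented xinetd behaviour.

```python
import ipaddress

def _networks(spec):
    """Space-separated only_from / no_access value; a bare address is a /32."""
    return [ipaddress.ip_network(tok, strict=False) for tok in spec.split()]

def _best_prefix(networks, addr):
    """Prefix length of the most specific entry containing addr, or -1 if none."""
    hits = [n.prefixlen for n in networks if addr in n]
    return max(hits) if hits else -1

def _in_window(window, hhmm):
    """access_times is 'HH:MM-HH:MM'; compare as minutes since midnight."""
    def minutes(t):
        hours, mins = t.split(":")
        return int(hours) * 60 + int(mins)
    start, end = (minutes(t) for t in window.split("-"))
    return start <= minutes(hhmm) <= end

def xinetd_allows(service, client_ip, hhmm):
    """Decide access for one client at time hhmm.  `service` holds the
    attributes of a service stanza (only_from, no_access, access_times)
    as strings, the way they appear in /etc/xinetd.d/<service>."""
    addr = ipaddress.ip_address(client_ip)
    allow = _best_prefix(_networks(service.get("only_from", "")), addr)
    deny = _best_prefix(_networks(service.get("no_access", "")), addr)
    if "only_from" in service and allow < 0:
        return False                 # only_from is set and the client is not in it
    if deny >= 0 and deny >= allow:
        return False                 # more specific no_access entry wins (tie: deny, assumed)
    window = service.get("access_times")
    if window and not _in_window(window, hhmm):
        return False
    return True

# The section's example stanza, as a constructed dict.
IMAP_SERVICE = {
    "only_from": "192.168.1.0/24",
    "no_access": "192.168.1.20",
    "access_times": "07:30-17:30",
}
```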
33.3 IPCHAINS
1. Overview
o Ipchains is the packet filter provided in the 2.2 kernels.
o Also supported by 2.4 kernels with the ipchains compatibility module.
o Format:
ipchains [action] [chain] [options] [target]
ipchains -A input -i eth0 -p tcp -s 192.168.1.20 -d 0.0.0.0 -j ACCEPT

2. Capabilities
o Actions
-A = Append rule to end of chain
-I = Insert rule at beginning of chain
-D = Delete existing rule in chain
-N = Create new chain
-X = Delete a chain (user defined only)
-P = Set default policy for chain (ACCEPT, DENY, or REJECT)
-F = Flush all rules in a chain
-L = List existing rules (can specify a specific chain)

o Chains - 3 Built-in chains. Names in lower case.
input - All packets that come into the interface pass through this chain. Even packets that
are being routed to another interface pass through this chain.
forward - All packets that come in one interface and leave on another pass through this chain.
output - All packets leaving an interface pass through this chain. Even packets that are
being routed from another interface pass through this chain.

o Options
-i = Interface (eth0, eth1, lo)
-p = Protocol (udp, tcp, icmp, or the protocol number)
-s = Source address of packet (192.168.1.20, 192.168.1.0/24, etc.)
Can also include the source port for tcp/udp (192.168.1.20 80)
-d = Same as -s, only for the destination address
-y = Matches a packet that has only the SYN flag set (First step in TCP handshake)
-l = Log the packet

--source-port = Specify a source port without a source address
--destination-port = Specify a destination port without a destination address

o Targets
DENY = Drop packet without sending any sort of response to the source
REJECT = Drop packet, but send the source an ICMP error message
ACCEPT = Accept the packet
<CHAIN> = Specify a user defined chain to jump to for further processing

3. Examples
# Set the default Policies to DENY
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY

# Allow all incoming tcp connections on interface eth0 to port 80 (www)
ipchains -A input -i eth0 -p tcp -s 0.0.0.0 1024: --destination-port 80 -j ACCEPT

# We must also allow packets back out in order for the connection to work
ipchains -A output -i eth0 -p tcp --source-port 80 -d 0.0.0.0 1024: -j ACCEPT

# Allow outgoing connections to other web servers
ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0 80 -j ACCEPT
ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0 81 -j ACCEPT
ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0 443 -j ACCEPT

# We must now allow TCP packets back in on ports >= 1024 to complete the connection. However,
# we don't want to allow any packet through with the SYN flag set since that would indicate
# someone is trying to make a connection to us.
ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0 80 --destination-port 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0 81 --destination-port 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0 443 --destination-port 1024: -j ACCEPT

# Allow external access to our DNS services.
ipchains -A input -i eth0 -p udp --destination-port 53 -j ACCEPT
ipchains -A output -i eth0 -p udp --source-port 53 -j ACCEPT

# If you leave out a source (-s) or destination (-d) address it's like specifying 0.0.0.0
# for it.

#
# MASQUERADING
#
# In these examples, eth0 is the external interface on the firewall, and eth1 is the
# internal interface.

# Set Masquerade Timeouts
# Set a 2 hour (7200 sec) time out for TCP session timeouts
# Set a 15 second timeout for TCP/IP traffic after a FIN is received
# Set a 3 minute (180 sec) time out for UDP traffic
/sbin/ipchains -M -S 7200 15 180

# Set up the Masquerading
# Remember that the default policy is set to DENY above. Otherwise we would set it here.
/sbin/ipchains -A forward -i eth0 -s $INTERNAL_LAN -j MASQ
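An added example, not from the study guide: a small stateless evaluator for the ipchains rules above, enough to show why the "! -y" rules matter. It parses the guide's own -P and -A command lines (-i, -p, -s/-d with an optional port, --source-port, --destination-port, -y and "! -y", -j) and applies first-match-wins per chain. Following the guide's convention, an address of 0.0.0.0 matches any host; the -l logging flag and -M masquerading are not modelled, and the embedded ruleset is the non-masquerading part of the examples with port 80/443 only.

```python
import ipaddress
import shlex

# The guide's ruleset (non-masquerading part), embedded so this runs offline.
RULESET = """
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
ipchains -A input -i eth0 -p tcp -s 0.0.0.0 1024: --destination-port 80 -j ACCEPT
ipchains -A output -i eth0 -p tcp --source-port 80 -d 0.0.0.0 1024: -j ACCEPT
ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0 443 -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0 443 --destination-port 1024: -j ACCEPT
ipchains -A input -i eth0 -p udp --destination-port 53 -j ACCEPT
ipchains -A output -i eth0 -p udp --source-port 53 -j ACCEPT
"""

def _ports(spec):
    """'80' -> (80, 80); '1024:' -> (1024, 65535); '1000:2000' -> (1000, 2000)."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo or 0), int(hi or 65535)
    return int(spec), int(spec)

def _net(spec):
    """Address with optional mask; per the guide, 0.0.0.0 means any host."""
    if spec in ("0.0.0.0", "0/0", "0.0.0.0/0"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)   # bare address means /32

def parse_rule(argv):
    """argv of one '-A <chain> ...' command (without the 'ipchains' word) -> rule dict."""
    rule, i = {"chain": argv[1]}, 2
    while i < len(argv):
        opt = argv[i]
        if opt == "!" and argv[i + 1] == "-y":     # "! -y": anything except a bare SYN
            rule["syn"], i = False, i + 2
        elif opt == "-y":                          # bare SYN: first step of a TCP handshake
            rule["syn"], i = True, i + 1
        elif opt in ("-s", "-d"):
            key = "src" if opt == "-s" else "dst"
            rule[key], i = _net(argv[i + 1]), i + 2
            if i < len(argv) and not argv[i].startswith("-"):   # optional port after address
                rule[key + "port"], i = _ports(argv[i]), i + 1
        elif opt == "--source-port":
            rule["srcport"], i = _ports(argv[i + 1]), i + 2
        elif opt == "--destination-port":
            rule["dstport"], i = _ports(argv[i + 1]), i + 2
        elif opt in ("-i", "-p", "-j"):
            name = {"-i": "iface", "-p": "proto", "-j": "target"}[opt]
            rule[name], i = argv[i + 1], i + 2
        else:
            raise ValueError("option not modelled: " + opt)
    return rule

class Firewall:
    def __init__(self, script):
        self.policy = {"input": "ACCEPT", "output": "ACCEPT", "forward": "ACCEPT"}
        self.rules = {"input": [], "output": [], "forward": []}
        for line in script.splitlines():
            argv = shlex.split(line.split("#", 1)[0])
            if not argv:
                continue
            if argv[1] == "-P":
                self.policy[argv[2]] = argv[3]
            elif argv[1] == "-A":
                rule = parse_rule(argv[1:])
                self.rules[rule["chain"]].append(rule)

    @staticmethod
    def _matches(r, p):
        if r.get("iface", p["iface"]) != p["iface"] or r.get("proto", p["proto"]) != p["proto"]:
            return False
        if "src" in r and ipaddress.ip_address(p["src"]) not in r["src"]:
            return False
        if "dst" in r and ipaddress.ip_address(p["dst"]) not in r["dst"]:
            return False
        for key, field in (("srcport", "sport"), ("dstport", "dport")):
            if key in r and not r[key][0] <= p[field] <= r[key][1]:
                return False
        return "syn" not in r or r["syn"] == p["syn"]

    def verdict(self, chain, pkt):
        """First matching rule decides; otherwise the chain's default policy applies."""
        for rule in self.rules[chain]:
            if self._matches(rule, pkt):
                return rule["target"]
        return self.policy[chain]

def packet(iface, proto, src, dst, sport=0, dport=0, syn=False):
    """A constructed packet; syn=True means only the SYN flag is set (what -y matches)."""
    return dict(iface=iface, proto=proto, src=src, dst=dst, sport=sport, dport=dport, syn=syn)

FW = Firewall(RULESET)
```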
33.4 IPTABLES (Netfilter)
1. Overview
o 2.4 kernels only.
o Many benefits over ipchains:
1. Connection Tracking.
2. Rate Limiting.
3. Support for true NAT.
4. Many more filtering options: All TCP flags, MAC addresses, user, etc.
5. Improved logging.
o Format
iptables [table] [action] [chain] [options] [target]
iptables -t filter -A INPUT -m state --state NEW -p tcp -s 192.168.1.0/24 -j ACCEPT

2. Capabilities
o Table - Specifies which table the chain applies to: nat, filter, or mangle.
o Action - See IPCHAINS actions above.
o Chains - 5 Built-in chains. Names capitalized, unlike IPCHAINS.
# Filter Table:
INPUT - All packets entering an interface that are destined for a local process use this
chain. Note that packets that are being routed from one interface to another
do NOT go through this chain, as is the case with IPCHAINS.
FORWARD - Only packets routed from one interface to another pass through this chain.
OUTPUT - All packets leaving an interface that originated from a local process use this
chain. Note that packets that are being routed from one interface to another
do NOT go through this chain, as is the case with IPCHAINS.

# Nat Table:
PREROUTING - Rules in this chain occur before it is determined whether the packet will
use the INPUT or FORWARD chain. Destination NAT (DNAT) is configured
using this chain.
POSTROUTING - Rules in this chain occur after the OUTPUT and FORWARD chains. Source NAT
(SNAT) is configured using this chain.

o Options
-i = Input interface (eth0, eth1, lo)
-o = Output interface (eth0, eth1, lo)
-p = Protocol (udp, tcp, icmp, or the protocol number)
-s = Source address of packet (192.168.1.20, 192.168.1.0/24, etc.)
-d = Same as -s, only for the destination address
-m = Specify an extension module to load (e.g. -m state). This must be the first option
specified if it is used

--sport = Source port
--dport = Destination port

o Targets
# 3 Default Targets
DROP = Drop the packet without returning an indication that it was dropped to the source
ACCEPT = Accept the packet
<CHAIN> = A user defined chain

# Additional Targets provided by modules:
LOG = Log the packet
REJECT = Reject the packet and send the source a user defined response (defaults to an icmp
error message)

o Connection Tracking
1. Requires the state module (-m state).
2. Packet STATES:
NEW = A new connection
ESTABLISHED = Packet is part of an existing connection
RELATED = Packet is related to an existing connection (e.g. ICMP error messages)
INVALID = Packet doesn't belong to any other connection

3. Tracking FTP Connections:
Because of the nature of the FTP protocol, tracking ftp connections
requires a special kernel module: ip_conntrack_ftp. If you wish to
use NAT with ftp connection tracking, you must also load the
ip_nat_ftp kernel module.
3. Examples
# Set the default Policies to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow all incoming tcp connections on interface eth0 to port 80 (www)
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024: --dport 80 -j ACCEPT

# We must also allow packets back out in order for the connection to work since we aren't
# using connection tracking
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -d 0.0.0.0/0 --dport 1024: -j ACCEPT

# Allow outgoing connections to all ports, and use connection tracking so
# we don't have to create rules to allow us to receive the packets coming back.
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED \
    -o eth0 -p tcp --sport 1024: -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED \
    -i eth0 -p tcp --dport 1024: -j ACCEPT

# Allow external access to our DNS services, and keep state on the connection.
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED \
    -i eth0 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED \
    -o eth0 -p udp --sport 53 -j ACCEPT

# Redirect all incoming traffic that hits port 8080 to port 80 on a web server
# in our internal LAN
iptables -t nat -A PREROUTING \
    -p tcp -i eth0 --dport 8080 \
    -j DNAT --to 192.168.1.10:80

# Source NAT
iptables -t nat -A POSTROUTING \
    -o eth0 -s 192.168.1.0/24 \
    -j SNAT --to-source $EXTERNAL_IP_ADDRESS

# Allow ICMP echo requests, but limit them to 1 per second. A burst of 3 will allow
# a burst of up to 3 ICMP packets before the rate limiting kicks in.
iptables -A INPUT -i eth0 -p icmp --icmp-type 8 \
    -m state --state NEW,ESTABLISHED \
    -m limit --limit 1/s --limit-burst 3 \
    -j ACCEPT

iptables -A OUTPUT -o eth0 -p icmp -m state --state ESTABLISHED -j ACCEPT
34. Process Accounting
34.1 Overview
1. Keeps track of user processes.
2. Originally intended as a way to keep track of resources in order to bill
departments/users for their usage.
3. Packages
psacct
34.2 Turning On/Off
1. Enabling - Use the accton command and specify the file for storing the accounting
information.
/sbin/accton /var/log/pacct
2. Disabling - Use the accton command without specifying a file.
/sbin/accton
34.3 Viewing Information
1. ac - The 'ac' command is used to print out a report of connection times.
Examples:
ac               # Print total connection time.
ac -dp           # Give daily (-d) connection totals by person (-p)
ac --complain    # Print out any problems in the wtmp file (time-warps, missing records, etc.)
2. sa - The 'sa' command is used to summarize accounting information.
Examples:
sa               # Print information about all commands in the process accounting file
sa -u            # Print command information by user
3. lastcomm - Displays which commands have been executed.
Examples:
lastcomm         # Display all commands executed on the system
lastcomm rm      # Display information about all invocations of the 'rm' command
35. Kickstart
35.1 Overview
1. Kickstart provides a way to do automated installations.
2. The Kickstart configuration file (ks.cfg) answers all the questions that are
normally asked during an interactive install.
3. Allows you to automate most of the installation, including the following:
o Language Selection
o Mouse Configuration
o Keyboard Selection/Configuration
o Boot Loader Installation
o Disk Partitioning
o Network Configuration
o Authentication (NIS, LDAP, Kerberos, Samba, and Hesiod)
o Firewall Configuration
o X Window System Configuration
o Package Selection
4. Packages
o mkkickstart - This package provides utilities that will create a kickstart
file based on the current machine's configuration.
o ksconfig - Provides a graphical interface for creating kickstart files.
35.2 Creating a Kickstart File
1. Manual
Copy the sample.ks kickstart file from the RH-DOCS directory on the
documentation CD and modify it to meet your requirements. Be careful when
editing it because the sections must remain in order. The order is:
o Command Section
o %packages Section
o %pre & %post Sections
2. mkkickstart
Use the mkkickstart utility to create a kickstart configuration file based on the
current system's configuration.
3. ksconfig
Use the GUI tool ksconfig to create a kickstart file.
35.3 Kickstart Installation Types
1. Network
o Requires a DHCP/BOOTP server.
o ks.cfg file must be accessible from NFS, FTP, HTTP, or Samba (although
I've only been able to get it to work when the ks.cfg file is on NFS).
o Can install from NFS, FTP, HTTP, & Samba.
2. Local
o ks.cfg file must be put on a floppy boot disk.
o Can install from a local CD-ROM or a local hard drive.
35.4 Kickstart Installation
1. Boot with a boot floppy. For a local kickstart installation, the ks.cfg must be
located in the root of the boot disk.
2. When the SYSLINUX installation screen comes up, specify one of the following
options:
o ks=floppy - If ks.cfg is located on the floppy.
o ks=hd:fd0/ks.cfg - Same as ks=floppy above.
o ks=floppy dd - When ks.cfg is located on the floppy and you need a
driver disk.
o ks=nfs:<server>:/path - ks.cfg file is on an NFS server.
o ks=http:<server>:/path - ks.cfg file is on an HTTP server.
o ks=ftp:<server>:/path - ks.cfg file is on an FTP server.
35.5 Additional Network Installation Info
1. When specifying "linux ks" at the installation prompt:
o The ks.cfg file must be available via NFS.
o By default, it is assumed that the ks.cfg file will be on the same server as
the DHCP/BOOTP server. To specify a different server for the ks.cfg file,
specify the following in the /etc/dhcpd.conf file:
filename "/path/to/ks.cfg"
next-server <hostname or IP>

If the path specified in the "filename" clause ends with a "/", then the file
that is looked for is "/specified/path/<IP>-kickstart", where <IP> is
the IP address of the machine making the request.
Note that the path specified in the "filename" clause must be the full path
to the file and not the relative path from the NFS export. Kickstart will
automatically try to mount the NFS export based on the path's name. In
the above example, it would first try to mount "/path", then if that failed,
"/path/to".
2. If you don't wish to use DHCP to specify the location of the kickstart file, you can
specify one of the options listed above to point to the location of the ks.cfg file.
3. To install from NFS, the following directive must be used in the ks.cfg file right
after the "install" directive:
nfs --server <server> --dir <dir>
4. To install from HTTP or FTP, the following directive must be used in the ks.cfg
file right after the "install" directive:
url --url http://<server>/path
url --url ftp://<server>/path
36. Procmail
36.1 Overview
1. Mail processor.
2. Can be invoked via the .forward file, or directly by sendmail.
3. User configuration file is $HOME/.procmailrc.
4. Package: procmail
36.2 Configuration File Syntax
1. Format:
:0 [flags] [ : [locallockfile] ]
<zero or more conditions (one per line)>
<exactly one action line>
2. Flags
See the procmailrc(5) man page for a description of the flags.
3. Special characters
o :
Indicates the start of a recipe. Commonly used with a zero following it. In
the old days, the zero was replaced with the number of conditions that
follow.
o *
Indicates the start of a condition.
o !
When used in a condition, it means to invert the condition. When used in
an action line, it means to forward the mail to the addresses that follow.
o Pipe (|)
Starts the program specified after it when used in the action line.
o { }
When followed by at least one space, tab, or newline, it marks the
beginning of a nesting block for the action line.
36.3 Example .procmailrc
:0
# Conditions: mail from bob about computers (condition lines cannot carry comments)
*^From.*bob
*^Subject:.*Computers
{
  # "c" flag means create a carbon copy
  :0 c
  # Action - forward to steve and keep a local copy
  ! steve@somedomain.org

  :0
  COMPUTERS
}
This will forward mail from bob about computers to steve and also keep a local copy in
the COMPUTERS folder.
37. IMAP & POP
37.1 Overview
1. Package
o imap
1. The imap package includes the POP daemon also.
2. Provides POP2, POP3, and POP3s (POP3 over SSL) service.
3. Provides IMAP and IMAPs (IMAP over SSL) service.
2. Ports
o POP2 - TCP 109
o POP3 - TCP 110
o POP3S (over SSL) - TCP 995
o IMAP - TCP 143
o IMAPS (over SSL) - TCP 993
37.2 Setup
1. Executed by xinetd.
2. Simply install the imap package and enable the service(s) in xinetd.
38. Encryption (GPG & OpenSSL)
38.1 Overview
1. Why use it?
o Prevents password and data sniffing.
o Maintains integrity of data.
o Prevents authentication manipulation.
2. Packages
o OpenSSL - Provides cryptographic libraries used by other programs
which communicate via the network.
o gnupg - Used to ensure integrity and encrypt files (e.g. data, e-mail, etc.)
o OpenSSH - A secure replacement for ftp, telnet, rsh, rlogin, etc. Covered
elsewhere.
o stunnel - Provides network encryption services for those applications
which don't already have it. Covered elsewhere.
38.2 Encryption Types and Requirements
1. Random Numbers
o In order for encryption to be effective, it needs a good source of entropy to
create random numbers.
o Entropy is usually created based on several things. For example: keyboard
events, mouse events, and block device interrupts.
o The Linux Kernel provides 2 sources of entropy:
1. /dev/random - Best source of entropy. If the entropy pool runs
out, it blocks until more entropy is gathered.
2. /dev/urandom - Uses the entropy pool until it's exhausted, and then
falls back to pseudorandom generation.
2. One-Way Hashes
o One-way hashes take input of any length and create a fixed length output
string known as a fingerprint.
o If any part of the input data changes, it will create a different fingerprint.
o "One-way" means you can't recreate the original data from the fingerprint.
o Examples include: md5, rmd160, sha, sha1, haval, and crc-32.
3. Symmetric Encryption
o The same key is used to both encrypt and decrypt the data.
o Examples of symmetric algorithms: DES, 3DES, Blowfish, RC2, RC4,
RC5, and AES.
o Utilities that use symmetric encryption: passwd (traditional unix), gpg,
and openssl.
o Minimum recommended key size: 128 bits.
4. Asymmetric Encryption
o a.k.a. Public Key Encryption
o One key is used to encrypt and another key is used to decrypt.
o Standard Operation
1. Recipient generates a private/public key pair: S & P.
2. The Recipient then publishes public key P and keeps private key S
a secret.
3. Sender uses Recipient's public key P to encrypt a message for the
Recipient.
4. Recipient uses private key S to decrypt the message from the
sender.
o Digital Signatures
1. Provide a way to verify authenticity.
2. Sender encrypts message with private key S.
3. Recipient then decrypts message with Sender's public key P. As
long as the sender's private key S hasn't been compromised, this
guarantees that it's from the Sender.
4. Detached Signatures
Similar to the above operation, only the Sender creates a one-way
hash of the message and encrypts the one-way hash instead.
The encrypted one-way hash is known as the "detached
signature".
The Recipient then uses the Sender's public key P to
decrypt the detached signature.
The Recipient then performs their own one-way hash on
the message and compares it to the one-way hash sent by
the Sender. If the two match, it guarantees the document
hasn't been tampered with.
o Combining Standard Operation with Digital Signatures
1. This can be used so that only the Recipient can decrypt a message,
while at the same time verifying that it was sent by the Sender.
2. Process:
Sender encrypts the message with the Sender's private key S.
Sender then encrypts the message with the Recipient's public key P.
The Recipient will then decrypt the message with the Recipient's private key S.
The Recipient then decrypts the message with the Sender's public key P.
5. Digital Certificates
o Commonly used by on-line merchants (as well as others) to verify their
identity to someone else, typically a customer.
o Issued by a certificate authority (CA).
o Standard Certificate Format is X.509, and consists of the following
information:
1. Country
2. Province or State
3. Organization Name
4. Common Name
5. E-mail
o Certificate Creation Process
1. The merchant generates a private/public key pair.
2. The merchant must then prove their identity to a CA and provide
their public key to the CA.
3. The CA then creates a one-way hash of the following information:
The CA's identity.
The merchant's identity.
The merchant's public key.
Period of validity.
4. The one-way hash is then encrypted with the CA's private key,
creating a detached digital signature.
5. The digital certificate is made up of the combined information
above and the detached digital signature.
6. The CA then issues this to the merchant.
38.3 Using GPG
1. Key Generation
gpg                          # Initialize GPG for this user (e.g. create ~/.gnupg). Only have to run once.
gpg --gen-key                # Start key generation process. Follow prompts.
2. Viewing Keys
gpg --list-keys              # View public keys
gpg --list-secret-keys       # View private keys
3. Exporting Public Keys
gpg --export <name of key owner>             # Exports key in binary format
gpg --export --armor <name of key owner>     # Export in a usable, ASCII format
4. Importing Public Keys
gpg --import /path/to/public/key/file
5. Encrypting a Message
gpg --encrypt --armor --recipient <recipient> message_file    # Creates encrypted message in
                                                              # an ASCII format
6. Decrypting a Message
gpg encrypted_message_file
You will be prompted for the filename to use for the output of the decryption
process.
7. Encrypting with a Symmetric Key
gpg --symmetric --armor message_file
8. Signing and Encrypting a Message
gpg --sign --encrypt --armor --recipient <recipient> message_file
9. Creating a Detached Signature
gpg --detach-sign --armor message_file         # Sender
gpg --verify message_file.asc message_file     # Recipient
10. Signing Another's Public Key
Alice is going to sign Bob's key.
# First, Alice must do:
gpg --sign-key bob
gpg --export --armor bob > bob.key
# Then, Bob must do:
gpg --import bob.key
38.4 Using OpenSSL
1. Generating a Certificate & Key in the PEM Format
o Long Way
openssl req -new -newkey rsa:1024 -nodes -x509 -keyout ~/key -out ~/cert
echo >> ~/key
cat ~/cert >> ~/key
echo >> ~/key
mv ~/key /usr/share/ssl/certs/give_me_a_name.pem
rm ~/cert

o Short Way
cd /usr/share/ssl/certs
make give_me_a_name.pem

39. stunnel
39.1 Overview
1. Provides encryption services for applications without modifying the application.
2. Uses public key encryption.
3. Packages
stunnel
39.2 Configuration
1. Create stunnel.pem
# Generate private key and certificate
openssl req -new -newkey rsa:1024 -nodes -x509 -keyout /tmp/key -out /tmp/cert

# Create stunnel.pem
echo >> /tmp/key
cat /tmp/cert >> /tmp/key
echo >> /tmp/key
rm /tmp/cert
mv /tmp/key /usr/share/ssl/certs/stunnel.pem
chmod 600 /usr/share/ssl/certs/stunnel.pem
-OR-
cd /usr/share/ssl/certs
make stunnel.pem
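Both the Long Way in 38.4 and the stunnel.pem steps above build one file by appending the certificate to the private key and then locking that file down to mode 600. The script below is an added example, not code from the study guide or from the stunnel project: it does the concatenation in a function, creates the file under a restrictive umask so it is never world-readable even briefly, and adds a check that refuses a PEM that lacks either block or has loose permissions. The key and certificate contents are constructed placeholders standing in for what openssl req writes, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the study guide): build the combined key+cert PEM
# the "Long Way" does and verify it before handing it to stunnel.
# Function names are the example's own; key/cert contents are placeholders.

# make_combined_pem KEYFILE CERTFILE OUTFILE
# Appends the certificate to the private key, separated by blank lines as the
# guide does, writing under umask 077 so the file is owner-only from the
# moment it exists; then pins the mode to 600 regardless of the caller's umask.
make_combined_pem() {
    ( umask 077; { cat "$1"; echo; cat "$2"; echo; } > "$3" ) || return 1
    chmod 600 "$3"
}

# check_combined_pem FILE
# Returns 0 only if FILE holds exactly one private key block, exactly one
# certificate block, and is mode 0600; otherwise reports why and returns 1.
check_combined_pem() {
    f="$1"
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$keys" -eq 1 ]  || { echo "$f: expected 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -eq 1 ] || { echo "$f: expected 1 certificate, found $certs" >&2; return 1; }
    [ "$mode" = 600 ]  || { echo "$f: mode is $mode, want 600" >&2; return 1; }
    return 0
}

# Demonstration with constructed placeholder files (a real run would use the
# /tmp/key and /tmp/cert written by "openssl req -new -newkey rsa:1024 -nodes -x509 ...").
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-KEY-DATA' \
    '-----END RSA PRIVATE KEY-----' > "$demo/key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CERT-DATA' \
    '-----END CERTIFICATE-----' > "$demo/cert"
make_combined_pem "$demo/key" "$demo/cert" "$demo/stunnel.pem"
rm -f "$demo/cert"                     # the guide removes the standalone cert
check_combined_pem "$demo/stunnel.pem" && echo "$demo/stunnel.pem OK"
```

The check is worth running on a file produced by the make target too: a PEM that holds only a certificate will make stunnel fail at startup, while one that is group- or world-readable hands the private key to every local user.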
2. Sample IMAPS Configuration
stunnel -d 192.168.1.20:993 -r localhost:143
This starts stunnel in daemon mode (-d) and causes it to listen on port 993 of interface 192.168.1.20. Incoming connections received on port 993 are decrypted and then forwarded to the plaintext IMAP server on localhost port 143.
libwrap NOTE: Because stunnel uses libwrap, you need to configure access via /etc/hosts.allow and /etc/hosts.deny. When stunnel starts, it will write the name of the service to /var/log/messages that it will be checking for via tcp wrappers. For example, the above stunnel configuration created the following log entry:
stunnel[1128]: Using 'localhost.143' as tcpwrapper service name
You will need to use 'localhost.143' as the service name in /etc/hosts.allow and /etc/hosts.deny.
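How the service name from that log line turns into tcp_wrappers rules, as an added example that is not part of the study guide: a helper that extracts the name from the logged message, a helper that writes a default-deny pair of entries (the LAN prefix in hosts.allow, ALL in hosts.deny) into files you pass in, and a small decision function that mimics the order in which tcp_wrappers consults the two files. The decision function handles only the ALL keyword, exact addresses and dotted network prefixes; the function names, the 192.168.1. network and the scratch files are assumptions for the demonstration, not the real /etc files.

```shell
#!/bin/sh
# Added example (not from the study guide): turn stunnel's logged tcpwrapper
# service name into default-deny hosts.allow/hosts.deny entries, and show how
# tcp_wrappers would decide on a client. Function names are the example's own.

# tcpwrap_service_from_log LOGLINE
# Prints the service name stunnel reports, e.g. localhost.143.
tcpwrap_service_from_log() {
    printf '%s\n' "$1" | sed -n "s/.*Using '\([^']*\)' as tcpwrapper service name.*/\1/p"
}

# write_wrapper_rules SERVICE ALLOWED_NET ALLOW_FILE DENY_FILE
# Allow-list one network for the service and deny everyone else. Paths are
# passed in so the demo writes to a scratch directory, not /etc.
write_wrapper_rules() {
    printf '%s: %s\n' "$1" "$2" >> "$3"
    printf '%s: ALL\n' "$1" >> "$4"
}

# match_pattern PATTERN IP  (subset of tcp_wrappers client syntax:
# ALL, an exact address, or a dotted prefix such as 192.168.1.)
match_pattern() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# file_matches FILE SERVICE IP -> 0 if some "daemon: client" line matches
file_matches() {
    [ -f "$1" ] || return 1
    svc="$2"; ip="$3"
    while IFS=: read -r daemons clients; do
        case "$daemons" in '#'*|'') continue ;; esac   # skip comments/blank lines
        for d in $daemons; do
            [ "$d" = "$svc" ] || [ "$d" = ALL ] || continue
            for c in $clients; do
                match_pattern "$c" "$ip" && return 0
            done
        done
    done < "$1"
    return 1
}

# wrapper_decision SERVICE IP ALLOW_FILE DENY_FILE
# tcp_wrappers order: a hosts.allow match grants, then a hosts.deny match
# refuses, and anything unmatched is GRANTED. That default is why the
# "service: ALL" line in hosts.deny is essential.
wrapper_decision() {
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Demonstration with the log line quoted in the guide and a scratch directory.
demo=$(mktemp -d)
svc=$(tcpwrap_service_from_log "stunnel[1128]: Using 'localhost.143' as tcpwrapper service name")
write_wrapper_rules "$svc" 192.168.1. "$demo/hosts.allow" "$demo/hosts.deny"
echo "service: $svc"
echo "192.168.1.55 -> $(wrapper_decision "$svc" 192.168.1.55 "$demo/hosts.allow" "$demo/hosts.deny")"
echo "10.0.0.9     -> $(wrapper_decision "$svc" 10.0.0.9 "$demo/hosts.allow" "$demo/hosts.deny")"
```

The last branch of wrapper_decision is the point of the exercise: with only the hosts.allow line in place, a client from outside 192.168.1. is still admitted, so the deny entry is what actually closes the IMAPS listener to the rest of the world.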
40. Fetchmail Made Simple (really simple)
40.1 ~/.fetchmailrc
1. Create a .fetchmailrc file in your home directory similar to the following:
poll pop3.somedomain.com with protocol pop3:
user steve there is user gandalf here
password "super_secret"
The first line says that pop3.somedomain.com hosts our pop3 account and that we will contact it using the pop3 protocol. The second line states that the user account on the pop3 server is steve and our local account is gandalf. The last line contains our password for the pop3 account.
2. Secure the .fetchmailrc file, since it contains your password:
chmod 0600 ~/.fetchmailrc
3. Then retrieve your mail by typing:
fetchmail
Use the '-v' option to cause fetchmail to be more verbose during mail retrieval.
See 'CONFIGURATION EXAMPLES' in the fetchmail man page.
41. Copyright & Disclaimer
41.1 General Disclaimer
First off, I am not currently an RHCE (as of the date on this study guide at the top), although I'm planning to get my certification later this year. I created this guide to help myself study for the exam. While the information in this document is correct to the best of my knowledge, I DO NOT guarantee the accuracy of ANY of the information contained in this document. This information comes without any warranty of any kind, implied or otherwise. I am not responsible for any damage that may be caused by using the information in this document, whether the damage is to your computer, your brain, or anything else. In short, USE AT YOUR OWN RISK. You have been warned.
The amount of detail per topic varies greatly for many reasons, some of which include:
My personal familiarity and comfort level with the topic.
How relevant I personally feel it will be on the exam.
In other words, just because I cover something in great detail doesn't mean it will be on the test. Likewise, if I cover a topic briefly, it doesn't mean that it won't be covered in detail on the exam. In short, only you know what areas you need to improve in, and there is no way to be certain what will be asked on the exam.
This document will in no way prepare you for the RHCE exam by itself. You need a lot of hands-on experience. I recommend taking some of Red Hat's excellent training courses. If you live in or near Denver, consider yourself lucky. The instructor there is excellent in my opinion.
All network addresses, hostnames, and domain names used in this document were made up. I attempted to pick names that no one would actually use. Where possible, I stayed within those IP addresses reserved for internal use.
41.2 Why am I sharing this document?
I think it will help the Linux movement by having more certified technical people in the job market that can support Linux. While it is true that a certification is not the only measure of technical expertise, I believe it is important that there be a large group of certified individuals available to help push Linux into areas where it isn't currently a major player (e.g. the desktop). So, if this document helps even one other person attain their RHCE, then I think it was worth sharing it.
41.3 Copyright
This document is copyright (c) 2002 Steve Bremer. I've gathered this information from various sources including but not limited to:
1. The Manuals that come with Red Hat Linux.
2. Red Hat Certified Engineer Linux Study Guide 2nd Edition from Global Knowledge (with the aid of Syngress Media, Inc. and Osborne McGraw-Hill)
3. Materials provided by Red Hat in their excellent training courses that I've taken.
4. Documentation provided within Red Hat's packages.
5. Man pages.
6. Various web sites.
I've always tried to give credit where credit is due if I've copied anything directly out of one of the above mentioned documents. If you noticed any place where I've failed to do so, please contact me via e-mail.
