CHAPTER 11
Managing Ubuntu Server Security
Configuring Cryptography and AppArmor
Ubuntu Server offers some powerful security options. In this chapter you’ll learn how
to set up two important security solutions. First, you’ll learn how to create and manage
a PKI environment and certificate authority, using OpenSSL cryptography. Next, you’ll
be introduced to AppArmor, a new feature in Ubuntu Server 8.04 that helps you to secure
individual applications.
Managing Cryptography
In the age of the Internet, cryptography has become increasingly important. When data is
sent across insecure networks, you need to make sure the data is protected. When
communicating with a host on the other side of the world, you need to make sure that the
host really is the host you think it is (authentication). To do this, cryptography can help.
In this section you will learn how to use OpenSSL to implement a secure cryptographic
infrastructure. The following subjects are discussed:
• Introduction to SSL
• Public and private keys
• The need for a certificate authority
• Creating a certificate authority and server certificates
Introduction to SSL
Before Netscape invented the Secure Sockets Layer (SSL) protocol in 1994, there was no
good way to protect data against the eyes of interceptors when the data traveled across
the Internet. With SSL, data can be encrypted and clients and servers can be authenti-
The Need for a Certificate Authority
The scenario described in the preceding section is realistic and works well, but there is
one problem: when Linda receives Kylie’s public key, how can she be sure that it is Kylie’s
public key and not the public key of someone pretending to be Kylie? That’s where the
certificate authority (CA) comes in. A CA guarantees the authenticity of public keys of
users and servers. It does so by signing this public key with its own private key. The result
of this is a public key certificate in which the public key of the user is present, together
with the signature of the CA. The user application, which should have a copy of the public
key of the CA, can verify automatically that the signature is valid and therefore can use
this guaranteed public key certificate without consulting the user. If, on the other hand,
a certificate is signed by a CA of which the public key is unknown on the local host, the
user application notifies the user about the issue and allows the user to decide what to do
with that certificate. Of course, the user can decide to trust that the public key in the
certificate is authentic, but there is no way to guarantee that.
The main purpose of a CA is to guarantee the authenticity of a public key, but who in
this case is there to guarantee the authenticity of the CA? This is where the trusted root
comes in. Generally speaking, there are two different kinds of CAs:
• Local CAs: CAs that run within a company and are used to create certificates for
keys of individual servers.
• Trusted root CAs: CAs that are trusted by everyone and used to create keys for
other CAs. In other words, the trusted root is a CA that guarantees the authenticity
of other CAs.
The reason the trusted root is trusted is that most applications already have the public
key of such a trusted root CA by default. Therefore, the applications will automatically
accept the certificate signed by such a trusted root. It is, however, not necessary for every
user to go to the trusted root directly; within a company you can create your own CA,
and it doesn’t need a network connection to do so.
Creating a Certificate Authority and Server Certificates
To create a CA and certificates on Ubuntu Server, you can use the openssl command.
In this section you’ll learn how to use the openssl command to create a certificate and
a self-signed CA. Because the self-signed CA is the highest level in the CA hierarchy in this
example, it will be a root CA.
The following steps explain how to proceed:
1. Decide where you want to create the directory structure in which you want to
put the CA. This should be a directory structure that can’t be accessed by other
users. The home directory of the user root, for example, might be a good location,
because no ordinary users have access to this directory. From the directory of your
choice, start with mkdir root-CA to create a subdirectory in which the CA will store
its files.
2. Next, some subdirectories must be created in this root-CA directory. The names of
these subdirectories are predefined in the configuration file /etc/ssl/openssl.cnf,
so don’t try anything creative unless you are willing to change all settings in this
configuration file as well. The command mkdir certs newcerts private crl
modifying the HOME and dir variables. Also, it is a good idea to set the names of the
certificates to the correct value. Listing 11-1 shows an example of what this should
look like. All nonessential parameters have been omitted from the listing.
Listing 11-1. Some Important Settings from openssl.cnf
HOME = /root/root-CA
dir = /root/root-CA
...
certificate = $dir/cacert.pem
...
private_key = $dir/private/privkey.pem
...
4. Now that you have properly tuned the configuration file, you can create
a self-signed certificate for the root CA. The following command creates the
certificate with a 1024-bit RSA key that is valid for 10 years:
openssl req -newkey rsa:1024 -x509 -days 3650 -keyout private/privkey.pem -out cacert.pem
The main command used here is openssl. This command has several parameters
that can be used as if they were independent commands. The parameter req is
used to create the self-signed certificate (check its man page to see everything
it can be used for). To make clear where these keys should be created, -keyout
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Myself
Email Address []:myself@example.com
Note: You should always check the output of the openssl commands carefully. It’s not easy
to see errors, but it is easy to make them through small typing mistakes. You should fix all
errors before proceeding to the next step.
6. You now have your own root CA, which means you can create your own certificates,
used for any purpose. For example, you can create server certificates for
secure e-mail or create client certificates to connect a notebook to a VPN gateway.
Before you can start creating your own certificates, you need to create the
OpenSSL database. This database consists of two files in which OpenSSL keeps
track of all the certificates that it has issued; you need to create these two files
..................++++++
.............++++++
writing new private key to 'private/mailserverkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:NB
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SomeCompany
Organizational Unit Name (eg, section) []:somewhere
Common Name (eg, YOUR name) []:Me
Email Address []:me@somecompany.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
8. You now have created the CA and a key pair that you want to get signed. If, unlike
in this simple example setup, the CA that needs to sign the key does not run on
be created without any problem. Listing 11-4 shows the output that is generated
when signing this certificate.
Listing 11-4. Signing the Certificate Just Created
root@mel:~/root-CA# openssl ca -policy policy_anything -notext -out certs/mailservercert.pem -infiles certs/mailserver_req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /root/root-CA/private/privkey.pem:
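The procedure above and the trust check described under "The Need for a Certificate Authority", as an added example that is not code from the book: it builds the root-CA tree in a scratch directory, signs a mail server request with openssl ca, and then verifies the result against the issuing root and against an unrelated CA. Assumptions not taken from the page: a private ca.cnf instead of an edited /etc/ssl/openssl.cnf, index.txt and serial as the database file names, 2048-bit unencrypted keys so it runs unattended, and the constructed subject names.

```shell
#!/bin/sh
# Added example: root CA, signed server certificate, and trust check.
# Assumptions (not from the page): private ca.cnf, index.txt/serial names,
# 2048-bit unencrypted keys (-nodes), constructed subject names.
ca_demo() (
    set -e
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
    mkdir "$work/root-CA"; cd "$work/root-CA"
    mkdir certs newcerts private crl; chmod 700 private
    : > index.txt; echo 01 > serial      # database of issued certificates
    cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $work/root-CA
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/privkey.pem
default_md = sha256
default_days = 365
[ policy_anything ]
countryName = optional
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    newca() {   # $1 = common name, $2 = key file, $3 = certificate file
        openssl req -config ca.cnf -newkey rsa:2048 -nodes -x509 -days 3650 \
            -subj "/C=NL/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
    }
    newca "Example Root CA" private/privkey.pem cacert.pem
    newca "Unrelated CA" private/otherkey.pem other-ca.pem
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/C=NL/CN=mail.example.com" \
        -keyout private/mailserverkey.pem -out certs/mailserver_req.pem 2>/dev/null
    openssl ca -config ca.cnf -batch -policy policy_anything -notext \
        -out certs/mailservercert.pem -infiles certs/mailserver_req.pem 2>/dev/null
    for anchor in cacert.pem other-ca.pem; do   # which CA does the client trust?
        if openssl verify -CAfile "$anchor" certs/mailservercert.pem >/dev/null 2>&1
        then echo "$anchor: accepted"; else echo "$anchor: rejected"; fi
    done
)
```

Calling ca_demo prints one line per trust anchor: the certificate is accepted only when the client holds the certificate of the CA that signed it.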