Sysadmin stew: My summer vacation We catch up on PGP, sysadmin tools, and rant about Network Computers

September  1996

Once a year, SunWorld's editors indulge me as I offer "softer" commentary about management, the state of the union or dissolution of the union in system management, or some other area removed from the Unix command line. This month, I present a trip report -- not of my actual summer vacation, but of the research roads traveled answering reader e-mail and exploring interesting pieces of Internet flotsam and jetsam. I'll do this in true trip report fashion, with numerous bulleted lists connected by topic. Welcome to the USA Today version of Sysadmin. (2,500 words)

Mail this article to a friend

Instead of the usual background, exposition, and tips sections, we'll revisit four areas covered by columns of the past year. We'll start with a brief PGP update with both good and bad news for the PGP-literate public. From there we'll do a roundup of some security issues and "seat wrench" type tools -- those utilities that lay around unnoticed until you absolutely, positively need them, and you find that the tool is a perfect fit for the job. (For the uninitiated in home plumbing experiments, a seat wrench exists to do nothing else but remove the inner workings of a leaky faucet.) We'll close out this odd lot with some kind and not-so-kind words for our readership, our collective management, and marketing people cruising in the stratosphere of Internet hype. Read to the end to see who gets what on their plates.

Pretty Good gets pretty much better: A PGP update
Back in February, we covered Phil Zimmermann's Pretty Good Privacy (PGP) package, explaining how to use it to encrypt files and mail, and to use it as the basis for a digital signature and authentication scheme. At the time, Zimmermann was facing Federal prosecution in the United States for allegedly violating an export embargo on the PGP software. Rumors were rife about an upcoming PGP 3.0 release, and one major stumbling block for widespread use of PGP was the lack of a scalable, global, trusted key management scheme. Six months later, the news is mostly good:

• The United States dropped its case against Phil Zimmermann. Phil has gone start-up with Pretty Good Privacy Inc., a Silicon Valley company that produces PGP-enabled applications.

• A good example of an application that utilizes PGP is PGPfone, a secure telephone system that compresses and encrypts voice communications over any network, including the Internet. Macintosh and Windows 95 and NT clients can be downloaded from the MIT PGP distribution site. PGP Inc. should be releasing a commercial version of the product shortly.

• The most commonly asked question following the PGP column was "How do I integrate PGP with my mail user agent?" The usual procedure of editing the message, encrypting it with PGP, and then embedding the ASCII armored file in a mail message is cumbersome, at best. Raph Levien's premail utility to the rescue. This publicly available tool solves the problem by interposing itself between your mail user agent and the mail delivery agent, applying the PGP magic once you hand the mail off for delivery. Currently, premail works with any system using sendmail, or those who use Netscape 3.0 or Pine as mail user agents. An even simpler solution is privtool, a look-alike for Sun's desket mail tool. It's not a complete functional replica, but it does move the PGP steps into the mail user agent instead of an intermediary that you must configure for each user.

Key management remains an open issue for PGP and other services that depend on public keys, such as Sun's Simple Key Management for IP (SKIP) protocol used by the Solstice SunScreen SPF-100 product. Rather than relying on a well-known service or hierarchy of key servers like the Domain Name System (DNS), PGP refers to a key ring maintained somewhere within your filesystem hierarchy. In essence, you take full personal responsibility for collecting and packing the keys you'll need. Generally, you'll add keys to your own keyring if you can prove the identity of the person giving you the key, for example, she hands you the key on a floppy disk while you sip double lattes.

Alternatively, you may accept an electronic copy of a key if it was digitally signed by one or more people to whom you would extend your trust. What you're saying is "I proxy my background check on this key to Bob and Fred; if they signed the key then I will believe it's valid, even if I don't know the key holder personally." Dealing with PGP keys from users you haven't met poses a non-trivial problem.

The USENIX Association offers a key-signing service to help build a web of trust between its members. Operationally, the signing service is elegant in its simplicity. Any USENIX member presents him or herself at the USENIX booth at an industry conference or show, provides two forms of identification, at least one with a picture, and agrees to indemnify USENIX for any misuse of the PGP keys. At the time this agreement is signed, a USENIX representative gives you a "shared secret" containing some sequence information and eight words. The key signing is done electronically, via e-mail, using the shared secret to reconfirm the identity of the human being present at the USENIX booth. You'll need the 1996 USENIX key-signing key, available on the USENIX Web site. Once your sign bits have USENIX written on them, use the Web query interface to find a particular user's key.

Two shameless plugs on behalf of USENIX: First, join if you're not already a member. In addition to the USENIX organization proper, there's the System Administrator's Guild (SAGE), the largest professional organization devoted solely to systems management. Second, the 10th Systems Administration Conference (LISA '96) will be held September 29 through October 2 in Chicago. Get signed, learn something at the same time, and meet your peers in the industry.

Dropping the security blanket
We'll use the preceding good news about PGP and key signing as an opening act for some more somber and pragmatic news on security issues:

• From the "when there's a will, there's a way" department, you may find a tool called pgpcrack floating around the Web. As its name implies, it's a brute-force attack on PGP encrypted files. With the exponential rise in networked computing power available, it's not unreasonable to think that some PGP encryption can be cracked. Word to the cautious: use the largest PGP key sizes (1024 bits) if you fear the sledge hammer approach.

• On a more theoretical note, it appears that the Message Digest 5 (MD5) secure hash scheme can be exploited to produce identical hashes for similar but dangerously different documents. MD5 takes a file and reduces it to a 1024-bit checksum, with a very high sensitivity to single bit variations in the file. Two nearly identical transactions, for example, with different dollar amounts or payer numbers should produce quite different MD5 values. As the clear text grows larger, however, the problem of hash aliasing -- two different documents returning the same hash value -- increases, since the hash value is only 1024 bits.

  It appears that MD5 can be abused such that a given document may be modified into another, different document that aliases to the same MD5 checksum. The likely successor to MD5 is the NIST Secure Hash Algorithm (SHA-1), with a fast implementation described in a conference paper (see the Resources section below for the URL).

• Worried about key sizes, export of cryptographic software, and regulation of the few reliable mechanisms for securing electronic communications? A variety of players including the Electronic Freedom Foundation (EFF), Wired Ventures, and the Electronic Privacy Information Center (EPIC) made a call to action for participation in Crypto Week, which started September 3. Inform your elected officials with a dollar value on lost business or increased cost of doing business due to cryptographic software export restrictions.

• We took a quick look at the removable media mount configuration file /etc/rmmount.conf back in July. The file is used by the volume manager and the removable media mount "helper" to automatically mount and share a CD-ROM when it is inserted by the user. On August 2, AUSCERT issued an advisory against the Solaris volume manager daemon (vold), /etc/rmmount.conf, and the temporary files used to inform the Solaris desktop file manager that a new media volume has been loaded. The temporary files created by the volume manager are not handled in a secure way, and could allow arbitrary files on the system to be accessed by the volume manager daemon, which of course runs as root. The suggested fix (short of not running the volume manager) is to comment out the lines in /etc/rmmount.conf that create these temporary files:

  	action cdrom action_filemgr.so
  	action floppy action_filemgr.so
  

  Insert a hash mark (#) at the beginning of these two lines to disable the file manager notification.

• We kicked off 1996 with a preview of the secure shell (ssh), an encrypting tunnel for remote logins that closes holes creates by the X Window System or sending passwords over the network in the clear. Bob Vickers has written a tool called checkXusers that looks for users logged in from X servers that have relaxed their authorization, opening up potential holes to the local system. checkXusers relies on netstat (which must be in your path) and should be run as a normal user.

• Sun's Alec Muffet, security guru resident in the United Kingdom, has made available a program for guessing eight-character Unix passwords using a set of rules and a standard set of guessing techniques. Called crack, it is meant to be flexible and quick, and it can also make use of multiple hosts at once to reduce the time required to iterate through the guessing game. Use crack to pro-actively ferret out weak passwords, and then annoy users to change them. This is a simple case of arming yourself with the same tools available to anyone who has a more sinister interest in obtaining passwords to your systems. Rather than go through a password change-filter-harass cycle repeatedly, you may want to run passwords through the guessing rules when they're first entered by the user, at the time the password is set or changed. Voila cracklib, a C-callable library that mimics the functionality of crack. Use it in a wrapper around passwd or yppasswd to enforce good password hygiene. Like it or not, passwords are a fact of life in a well-run environment. Even if you use PGP religiously, you need a password to unlock your private key (unless you're adept at memorizing 1024-bit strings). Passwords under your aegis should be well kept, well formed, and subjected to the most active filtering possible.

The COAST archives at Purdue University, home of the last two items mentioned, contain a plethora of security and network analysis tools. They're worth a visit during your Web travels.

Cool tools and jewels
Here are some other cool tools and management jewels proffered by gentle readers and not-so-gentle mailing lists:

• Ever have one of those days when it seems like you are doing nothing in your office except fielding interrupts that require you to go elsewhere? Have you found yourself in another office, staring at a usable display, but unable to be productive because the editing windows, forms, and tools you need are open and in progress on the machine in your office? What you need is the ability to pick up your current X display and ship it to the same location as you, without dropping the connection. The X11 R6 distribution will include a contributed client called xmove, available from both the X distribution site or Columbia University.

  Like the xscope (November 1995) pseudo-server that intercepts X Window System client/server communications for debugging purposes, xmove acts as a man in the middle that can redirect a client's X requests to a different server. You create a "fake" X server on your own machine using xmove, and direct your local X clients to it instead of the physical display. Under normal conditions, xmove passes the traffic right through to the local screen, but when you tell xmove to shift displays, it routes the traffic to another screen, on another machine, effectively following you from hop to hop on your troubleshooting tail.

• Several astute and HTML-literate readers asked about integrating SCCS (July 1995) with a Web-based form prompting for the necessary user and delta information on a check-in operation. Mortice Kern Systems (MKS) has done just that with its MKS Integrity Engine. Normally we don't plug products in or around this space, but this one caught my eye and it filled a reader need.

Products like the Integrity Engine show what's possible when you treat your browser like the universal front end. Constantly emphasizing easy and simple access to data, however, may sometimes cloud the real underlying issues.

Return to zero logic: Costs of system management revisited
Tim Steele, a reader from the United Kingdom, chided me for "making [this] sound too easy", where "this" ranged from including PGP support in mail services to editing sendmail configuration files. After a few exchanges of e-mail, I concluded that Tim was right, and I have glossed over implementation details at times. When I go light on the content, it's for one or more of a few reasons: I may not have done it myself, or proven that an idea works; the details would require several dozen pages more than editorial prudence or deadlines allow; or I'm simply offering an idea for digestion, hoping that someone will return a useful pointer (such as the MKS Integrity Engine).

Tim's main point, however, was not to question the competence of himself or his peers, but to underscore that fact that management sees light treatment of a topic as an indication of trivial implementation. Setting proper time, cost, and complexity expectations for users and management has been a recurrent theme in this space. Unix system management expenses, along with mainframe operations or telecommunications costs, are not discretionary expenditures. They're a necessary component of a first-class, reliable operation.

Like mainframes, Unix sysadmins are not easily and safely modified to perform the function du jour; careful implementation of the latest ideas yields a performant and predictable system. Cost issues have sprung up with every new paradigm embraced by the technical press: PCs, client/server computing, and now even Internet access. It's important to focus on the cost of running the show, but it's even more critical to know what kind of show it is: a serious production or a casual operation. Careful design, architecture and implementation hold the costs down in the long run and generate positive value for the organization.

Why the rant? The trade press has been full of talk of Network Computers (NCs), proclaiming their costs of administration to be near zero. From an end-user perspective that may be true -- there's no need to load floppy disks or interfere with system configuration files each time you need a new application. But from the system and network management viewpoint, there's no such thing as a zero-administration device. Someone has to do the network design, performance and capacity planning, and network failure analysis, although that effort is likely to be more centralized than before.

Again, the comparison to mainframe operations is quite strong. Does Unix run the risk of becoming the next legacy environment, ridiculed for its antiquated ways? Hopefully not, since Unix has a long history of encouraging rapid innovation, rapid delivery of that functionality, and a skilled community of professionals -- our readers -- who are responsible for fueling the pace of that change. Realize what re-centralization of services means, and learn from what the mainframes do well and what they don't do so well. It's something to consider on your next vacation.

Resources

• Pretty Good Privacy Inc.
  http://www.pgp.com/
• PGPfone
  http://web.mit.edu/network/pgpfone/
• MIT PGP distribution site
  http://web.mit.edu/pgp/
• premail
  http://www.c2.net/~raph/premail.html
• privtool
  http://www.c2.net/~mark/privtool/privtool.html
• USENIX Association
  http:/www.usenix.org/
• 1996 USENIX key-signing key
  http://www.usenix.org/pgpsig.html
• Web query interface
  http://www.usenix.org/cgi-bin/pgp-key.cgi
• NIST Secure Hash Algorithm (SHA-1)
  ftp://ripem.msu.edu/pub/crypt/docs/nist-secure-hash.txt
• Crypto Week
  http:/www.crypto.com/caw/
• secure shell (ssh)
  /sunworldonline/swol-01-1996/swol-01-sysadmin.html
• PGP: The key to your heart
  /sunworldonline/swol-02-1996/swol-02-sysadmin.html
• checkXusers
  ftp://coast.cs.purdue.edu/pub/tools/unix/checkXusers.Z crack ftp://coast.cs.purdue.edu/pub/tools/unix/crack/ cracklib ftp://coast.cs.purdue.edu/pub/tools/unix/cracklib
• COAST archives
  http://www.cs.purdue.edu/coast
• X distribution site
  ftp://ftp.x.org/
• Columbia University
  ftp://ftp.cs.columbia.edu/pub/xmove/
• MKS Integrity Engine
  http://www.mks.com/solutions/ie/
• "A third in fourths: An NFS potpourri"
  /sunworldonline/swol-07-1996/swol-07-sysadmin.html
• A list of Hal Stern's other Sysadmin
  /sunworldonline/common/swol-backissues-columns.html#sysadmin

If you have technical problems with this magazine, contact webmaster@sunworld.com

URL: http://www.sunworld.com/swol-09-1996/swol-09-sysadmin.html
Last modified: