
Deployment Guide

Part IV. Infrastructure Services

This part provides information how to configure services and daemons, configure authentication, and enable remote logins.

Table of Contents

10. Services and Daemons
10.1. Configuring the Default Runlevel
10.2. Configuring the Services
10.2.1. Using the Service Configuration Utility
10.2.2. Using the ntsysv Utility
10.2.3. Using the chkconfig Utility
10.3. Running Services
10.3.1. Determining the Service Status
10.3.2. Starting a Service
10.3.3. Stopping a Service
10.3.4. Restarting a Service
10.4. Additional Resources
10.4.1. Installed Documentation
10.4.2. Related Books
11. Configuring Authentication
11.1. Configuring System Authentication
11.1.1. Launching the Authentication Configuration Tool UI
11.1.2. Selecting the Identity Store for Authentication
11.1.3. Configuring Alternative Authentication Features
11.1.4. Configuring Authentication from the Command Line
11.1.5. Using Custom Home Directories
11.2. Using and Caching Credentials with SSSD
11.2.1. About SSSD
11.2.2. Setting up the sssd.conf File
11.2.3. Starting and Stopping SSSD
11.2.4. SSSD and System Services
11.2.5. Configuring Services: NSS
11.2.6. Configuring Services: PAM
11.2.7. Configuring Services: autofs
11.2.8. Configuring Services: sudo
11.2.9. Configuring Services: OpenSSH and Cached Keys
11.2.10. SSSD and Identity Providers (Domains)
11.2.11. Creating Domains: LDAP
11.2.12. Creating Domains: Identity Management (IdM)
11.2.13. Creating Domains: Active Directory
11.2.14. Domain Options: Setting Username Formats
11.2.15. Domain Options: Enabling Offline Authentication
11.2.16. Domain Options: Setting Password Expirations
11.2.17. Domain Options: Using DNS Service Discovery
11.2.18. Domain Options: Using IP Addresses in Certificate Subject Names (LDAP Only)
11.2.19. Creating Domains: Proxy
11.2.20. Creating Domains: Kerberos Authentication
11.2.21. Creating Domains: Access Control
11.2.22. Creating Domains: Primary Server and Backup Servers
11.2.23. Installing SSSD Utilities
11.2.24. Creating Local System Users
11.2.25. Seeding Users into the SSSD Cache During Kickstart
11.2.26. Managing the SSSD Cache
11.2.27. Using NSCD with SSSD
11.2.28. Troubleshooting SSSD
12. OpenSSH
12.1. The SSH Protocol
12.1.1. Why Use SSH?
12.1.2. Main Features
12.1.3. Protocol Versions
12.1.4. Event Sequence of an SSH Connection
12.2. Configuring OpenSSH
12.2.1. Configuration Files
12.2.2. Starting an OpenSSH Server
12.2.3. Requiring SSH for Remote Connections
12.2.4. Using a Key-Based Authentication
12.3. OpenSSH Clients
12.3.1. Using the ssh Utility
12.3.2. Using the scp Utility
12.3.3. Using the sftp Utility
12.4. More Than a Secure Shell
12.4.1. X11 Forwarding
12.4.2. Port Forwarding
12.5. Additional Resources
12.5.1. Installed Documentation
12.5.2. Useful Websites

Chapter 10. Services and Daemons

Maintaining security on your system is extremely important, and one approach for this task is to manage access to system services carefully. Your system may need to provide open access to particular services (for example, httpd if you are running a web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.
This chapter explains the concept of runlevels, and describes how to set the default one. It also covers the setup of the services to be run in each of these runlevels, and provides information on how to start, stop, and restart the services on the command line using the service command.

Keep the system secure

When you allow access for new services, always remember that both the firewall and SELinux need to be configured as well. One of the most common mistakes committed when configuring a new service is neglecting to implement the necessary firewall configuration and SELinux policies to allow access for it. For more information, refer to the Red Hat Enterprise Linux 6 Security Guide.

10.1. Configuring the Default Runlevel

A runlevel is a state, or mode, defined by services that are meant to be run when this runlevel is selected. Seven numbered runlevels exist (indexed from 0):

Table 10.1. Runlevels in Red Hat Enterprise Linux

Runlevel   Description
0          Used to halt the system. This runlevel is reserved and cannot be changed.
1          Used to run in a single-user mode. This runlevel is reserved and cannot be changed.
2          Not used by default. You are free to define it yourself.
3          Used to run in a full multi-user mode with a command line user interface.
4          Not used by default. You are free to define it yourself.
5          Used to run in a full multi-user mode with a graphical user interface.
6          Used to reboot the system. This runlevel is reserved and cannot be changed.

To check in which runlevel you are operating, type the following:
~]$ runlevel
N 5
The runlevel command displays previous and current runlevel. In this case it is number 5, which means the system is running in a full multi-user mode with a graphical user interface.
The default runlevel can be changed by modifying the /etc/inittab file, which contains a line near the end of the file similar to the following:
id:5:initdefault:
To do so, edit this file as root and change the number on this line to the desired value. The change will take effect the next time you reboot the system.
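The two checks this section describes, reading the initdefault line and comparing it with the runlevel command, written up as an added shell example that is not part of the Deployment Guide. It parses a constructed /etc/inittab excerpt and a constructed line of runlevel output, flags a default of 0 or 6 (which Table 10.1 reserves for halt and reboot, so a system booting into either never reaches a usable state) and reports when the current runlevel differs from the configured default. The sample texts and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Deployment Guide: read the default runlevel
# from /etc/inittab-style text, classify it, and compare it with the current
# runlevel as printed by the runlevel command. Both inputs are constructed
# samples so the script runs without root or a live system.

# Constructed excerpt of an /etc/inittab file in the RHEL 6 style.
SAMPLE_INITTAB='# Default runlevel. The runlevels used are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   3 - Full multiuser mode
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
id:5:initdefault:
'

# Constructed output of the runlevel command: previous runlevel (N = none
# since boot) followed by the current runlevel.
SAMPLE_RUNLEVEL_OUTPUT='N 5'

# Print the runlevel from the initdefault line of the inittab text on stdin.
# Comment lines are skipped; the line has the form id:<level>:initdefault:.
default_runlevel() {
    grep -v '^#' | awk -F: '$3 == "initdefault" { print $2; exit }'
}

# Print the current runlevel (second field) from runlevel output on stdin.
current_runlevel() {
    awk '{ print $2 }'
}

# Classify a default runlevel against Table 10.1: 0 halts and 6 reboots, so a
# system whose initdefault is either of them never finishes booting.
check_default_runlevel() {
    case "$1" in
        0|6) echo "unsafe: runlevel $1 halts or reboots the system during boot" ;;
        1)   echo "single-user: runlevel 1 is maintenance mode, not a server default" ;;
        3|5) echo "ok: runlevel $1 is full multi-user mode" ;;
        2|4) echo "custom: runlevel $1 is user-defined, review which services it starts" ;;
        *)   echo "invalid: '$1' is not a runlevel between 0 and 6" ;;
    esac
}

# Report the default runlevel, its classification, and whether the system is
# currently running in a different runlevel than it boots into.
main() {
    dflt=$(printf '%s' "$SAMPLE_INITTAB" | default_runlevel)
    cur=$(printf '%s' "$SAMPLE_RUNLEVEL_OUTPUT" | current_runlevel)
    echo "default runlevel: $dflt -> $(check_default_runlevel "$dflt")"
    echo "current runlevel: $cur"
    if [ "$dflt" != "$cur" ]; then
        echo "note: system is not in its default runlevel (boot-time override or telinit)"
    fi
}

main
```

On a live system, feed the real sources instead of the samples: default_runlevel < /etc/inittab and runlevel | current_runlevel. The classification only encodes what Table 10.1 states; runlevels 2 and 4 are reported as custom because their service set is whatever the administrator defined.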

10.2. Configuring the Services

To allow you to configure which services are started at boot time, Red Hat Enterprise Linux is shipped with the following utilities: the Service Configuration graphical application, the ntsysv text user interface, and the chkconfig command line tool.

Enabling the irqbalance service

To ensure optimal performance on POWER architecture, it is recommended that the irqbalance service is enabled. In most cases, this service is installed and configured to run during the Red Hat Enterprise Linux 6 installation. To verify that irqbalance is running, as root, type the following at a shell prompt:
~]# service irqbalance status
irqbalance (pid  1234) is running...
For information on how to enable and run a service using a graphical user interface, refer to Section 10.2.1, "Using the Service Configuration Utility". For instructions on how to perform these tasks on the command line, see Section 10.2.3, "Using the chkconfig Utility" and Section 10.3, "Running Services" respectively.

10.2.1. Using the Service Configuration Utility

The Service Configuration utility is a graphical application developed by Red Hat to configure which services are started in a particular runlevel, as well as to start, stop, and restart them from the menu. To start the utility, select System → Administration → Services from the panel, or type the command system-config-services at a shell prompt.

Figure 10.1. The Service Configuration utility


The utility displays the list of all available services (services from the /etc/rc.d/init.d/ directory, as well as services controlled by xinetd) along with their description and the current status. For a complete list of used icons and an explanation of their meaning, see Table 10.2, "Possible service states".
Note that unless you are already authenticated, you will be prompted to enter the superuser password the first time you make a change.

Table 10.2. Possible service states

Icon                Description
Green bullet        The service is enabled.
Red bullet          The service is disabled.
Control panel       The service is enabled for selected runlevels only.
Plugged plug        The service is running.
Unplugged plug      The service is stopped.
Exclamation mark    There is something wrong with the service.
Question mark       The status of the service is unknown.

10.2.1.1. Enabling and Disabling a Service

To enable a service, select it from the list and either click the Enable button on the toolbar, or choose Service → Enable from the main menu.
To disable a service, select it from the list and either click the Disable button on the toolbar, or choose Service → Disable from the main menu.

10.2.1.2. Starting, Restarting, and Stopping a Service

To start a service, select it from the list and either click the Start button on the toolbar, or choose Service → Start from the main menu. Note that this option is not available for services controlled by xinetd, as they are started by it on demand.
To restart a running service, select it from the list and either click the Restart button on the toolbar, or choose Service → Restart from the main menu. Note that this option is not available for services controlled by xinetd, as they are started and stopped by it automatically.
To stop a service, select it from the list and either click the Stop button on the toolbar, or choose Service → Stop from the main menu. Note that this option is not available for services controlled by xinetd, as they are stopped by it when their job is finished.

10.2.1.3. Selecting Runlevels

To enable the service for certain runlevels only, select it from the list and either click the Customize button on the toolbar, or choose Service → Customize from the main menu. Then select the checkbox beside each runlevel in which you want the service to run. Note that this option is not available for services controlled by xinetd.

10.2.2. Using the ntsysv Utility

The ntsysv utility is a command line application with a simple text user interface to configure which services are to be started in selected runlevels. To start the utility, type ntsysv at a shell prompt as root.

Figure 10.2. The ntsysv utility


The utility displays the list of available services (the services from the /etc/rc.d/init.d/ directory) along with their current status and a description obtainable by pressing F1. For a list of used symbols and an explanation of their meaning, see Table 10.3, "Possible service states".

Table 10.3. Possible service states

Symbol   Description
[*]      The service is enabled.
[ ]      The service is disabled.

10.2.2.1. Enabling and Disabling a Service

To enable a service, navigate through the list using the Up and Down arrow keys, and select it with the Spacebar. An asterisk (*) appears in the brackets.
To disable a service, navigate through the list using the Up and Down arrow keys, and toggle its status with the Spacebar. The asterisk (*) in the brackets disappears.
Once you are done, use the Tab key to navigate to the Ok button, and confirm the changes by pressing Enter. Keep in mind that ntsysv does not actually start or stop the service. If you need to start or stop the service immediately, use the service command as described in Section 10.3.2, "Starting a Service".

10.2.2.2. Selecting Runlevels

By default, the ntsysv utility only affects the current runlevel. To enable or disable services for other runlevels, as root, run the command with the additional --level option followed by numbers from 0 to 6 representing each runlevel you want to configure:
ntsysv --level runlevels
For example, to configure runlevels 3 and 5, type:
~]# ntsysv --level 35

10.2.3. Using the chkconfig Utility

The chkconfig utility is a command line tool that allows you to specify in which runlevel to start a selected service, as well as to list all available services along with their current setting. Note that with the exception of listing, you must have superuser privileges to use this command.

10.2.3.1. Listing the Services

To display a list of system services (services from the /etc/rc.d/init.d/ directory, as well as the services controlled by xinetd), either type chkconfig --list, or use chkconfig with no additional arguments. You will be presented with an output similar to the following:
~]# chkconfig --list
NetworkManager  0:off   1:off   2:on    3:on    4:on    5:on    6:off
abrtd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
anamon          0:off   1:off   2:off   3:off   4:off   5:off   6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:on    4:on    5:on    6:off
... several lines omitted ...
wpa_supplicant  0:off   1:off   2:off   3:off   4:off   5:off   6:off

xinetd based services:
        chargen-dgram:  off
        chargen-stream: off
        cvs:            off
        daytime-dgram:  off
        daytime-stream: off
        discard-dgram:  off
        ... several lines omitted ...
        time-stream:    off
Each line consists of the name of the service followed by its status (on or off) for each of the seven numbered runlevels. For example, in the listing above, NetworkManager is enabled in runlevels 2, 3, 4, and 5, while abrtd runs in runlevels 3 and 5. The xinetd-based services are listed at the end; because xinetd starts them on demand, they have no per-runlevel setting and are simply on or off.
To display the current settings for a selected service only, use chkconfig --list followed by the name of the service:
chkconfig --list service_name
For example, to display the current settings for the sshd service, type:
~]# chkconfig --list sshd
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
You can also use this command to display the status of a service that is managed by xinetd. In that case, the output only shows whether the service is enabled or disabled:
~]# chkconfig --list rsync
rsync           off

10.2.3.2. Enabling a Service

To enable a service in runlevels 2, 3, 4, and 5, type the following at a shell prompt as root:
chkconfig service_name on
For example, to enable the httpd service in these four runlevels, type:
~]# chkconfig httpd on
To enable a service in certain runlevels only, add the --level option followed by numbers from 0 to 6 representing each runlevel in which you want the service to run:
chkconfig service_name on --level runlevels
For instance, to enable the abrtd service in runlevels 3 and 5, type:
~]# chkconfig abrtd on --level 35
The service will be started the next time you enter one of these runlevels. If you need to start the service immediately, use the service command as described in Section 10.3.2, "Starting a Service".
Do not use the --level option when working with a service that is managed by xinetd, as it is not supported. For example, to enable the rsync service, type:
~]# chkconfig rsync on
If the xinetd daemon is running, the service is immediately enabled without having to manually restart the daemon.

10.2.3.3. Disabling a Service

To disable a service in runlevels 2, 3, 4, and 5, type the following at a shell prompt as root:
chkconfig service_name off
For instance, to disable the httpd service in these four runlevels, type:
~]# chkconfig httpd off
To disable a service in certain runlevels only, add the --level option followed by numbers from 0 to 6 representing each runlevel in which you do not want the service to run:
chkconfig service_name off --level runlevels
For instance, to disable the abrtd service in runlevels 2 and 4, type:
~]# chkconfig abrtd off --level 24
The service will be stopped the next time you enter one of these runlevels. If you need to stop the service immediately, use the service command as described in Section 10.3.3, "Stopping a Service".
Do not use the --level option when working with a service that is managed by xinetd, as it is not supported. For example, to disable the rsync service, type:
~]# chkconfig rsync off
If the xinetd daemon is running, the service is immediately disabled without having to manually restart the daemon.

10.3. Running Services

The service utility allows you to start, stop, or restart the services from the /etc/init.d/ directory.

10.3.1. Determining the Service Status

To determine the current status of a service, type the following at a shell prompt:
service service_name status
For example, to determine the status of the httpd service, type:
~]# service httpd status
httpd (pid  7474) is running...
To display the status of all available services at once, run the service command with the --status-all option:
~]# service --status-all
abrt (pid  1492) is running...
acpid (pid  1305) is running...
atd (pid  1540) is running...
auditd (pid  1103) is running...
automount (pid 1315) is running...
Avahi daemon is running
cpuspeed is stopped
... several lines omitted ...
wpa_supplicant (pid  1227) is running...
Note that you can also use the Service Configuration utility as described in Section 10.2.1, "Using the Service Configuration Utility".
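The chkconfig --list output of Section 10.2.3.1 and the service --status-all output above together support the audit the chapter introduction asks for: turn off what is not needed, and notice services that are running without being configured to start. The following shell script is an added example, not part of the Deployment Guide or of the chkconfig and service tools. It parses constructed listings modelled on the ones in Section 10.2.3.1 and this section (the vsftpd entry and the on state of rsync are invented for the example), reports enabled-but-stopped and running-but-not-enabled services for a runlevel, lists xinetd services that are on, and prints, without executing them, the chkconfig commands from Section 10.2.3.3 that would disable enabled services outside an allowlist.

```shell
#!/bin/sh
# Added example, not part of the Deployment Guide: cross-check chkconfig --list
# against service --status-all and print suggested chkconfig off commands.
# All inputs are constructed samples so the script runs offline.

# Constructed chkconfig --list output (vsftpd and rsync=on are made up).
SAMPLE_CHKCONFIG='NetworkManager  0:off   1:off   2:on    3:on    4:on    5:on    6:off
abrtd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
vsftpd          0:off   1:off   2:off   3:off   4:off   5:off   6:off

xinetd based services:
        chargen-dgram:  off
        rsync:          on
        time-stream:    off'

# Constructed service --status-all output for the same machine.
SAMPLE_STATUS='abrtd (pid  1492) is running...
acpid (pid  1305) is running...
atd (pid  1540) is running...
auditd (pid  1103) is running...
httpd is stopped
NetworkManager (pid  1278) is running...
sshd (pid  1300) is running...
vsftpd (pid  2001) is running...'

# Print SysV services configured on in runlevel $1. The xinetd section at the
# end of the listing has no runlevel columns, so parsing stops there.
sysv_on_in_runlevel() {
    awk -v lvl="$1" '
        /^xinetd based services:/ { exit }
        NF == 8 {
            for (i = 2; i <= NF; i++)
                if ($i == (lvl ":on")) { print $1; break }
        }'
}

# Print xinetd-managed services whose state is on.
xinetd_enabled() {
    awk '
        /^xinetd based services:/ { in_xinetd = 1; next }
        in_xinetd && $2 == "on" { sub(/:$/, "", $1); print $1 }'
}

# Print the first word of each status line reporting a running service. Init
# scripts choose their own wording (the guide shows "abrt" and "Avahi daemon"),
# so matching against chkconfig names is best effort.
running_services() {
    awk '/is running/ { print $1 }'
}

# Print the names in list $1 that do not appear in list $2 (names separated by
# newlines or spaces in either list).
list_diff() {
    haystack=" $(printf '%s' "$2" | tr '\n' ' ') "
    for name in $1; do
        case "$haystack" in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# Cross-check runlevel $1: $2 is chkconfig --list output, $3 is status output.
audit_runlevel() {
    enabled=$(printf '%s\n' "$2" | sysv_on_in_runlevel "$1")
    running=$(printf '%s\n' "$3" | running_services)
    for s in $(list_diff "$enabled" "$running"); do
        echo "enabled-but-stopped: $s"
    done
    for s in $(list_diff "$running" "$enabled"); do
        echo "running-but-not-enabled: $s"
    done
    for s in $(printf '%s\n' "$2" | xinetd_enabled); do
        echo "xinetd-enabled: $s"
    done
}

# Print (do not run) the chkconfig command that turns off each service enabled
# in runlevel $1 ($2 = chkconfig --list output) but missing from allowlist $3.
suggest_disable() {
    enabled=$(printf '%s\n' "$2" | sysv_on_in_runlevel "$1")
    for s in $(list_diff "$enabled" "$3"); do
        echo "chkconfig $s off --level $1"
    done
}

audit_runlevel 5 "$SAMPLE_CHKCONFIG" "$SAMPLE_STATUS"
suggest_disable 5 "$SAMPLE_CHKCONFIG" "NetworkManager acpid atd auditd sshd"
```

On a live system, capture the real listings as root with chkconfig --list and service --status-all and pass them in place of the samples. A running-but-not-enabled finding is worth a look even when benign: it means something other than the boot configuration started the service, so it will silently disappear at the next reboot, or it should not have been started at all. The allowlist is deliberately yours to write; the script only prints the commands so they can be reviewed before anything is disabled.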

10.3.2. Starting a Service

To start a service, type the following at a shell prompt as root:
service service_name start
For example, to start the httpd service, type:
~]# service httpd start
Starting httpd:                                            [  OK  ]

10.3.3. Stopping a Service

To stop a running service, type the following at a shell prompt as root:
service service_name stop
For example, to stop the httpd service, type:
~]# service httpd stop
Stopping httpd:                                            [  OK  ]

10.3.4. Restarting a Service

To restart the service, type the following at a shell prompt as root:
service service_name restart
For example, to restart the httpd service, type:
~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

10.4. Additional Resources

10.4.1. Installed Documentation

  • chkconfig(8) - a manual page for the chkconfig utility.
  • ntsysv(8) - a manual page for the ntsysv utility.
  • service(8) - a manual page for the service utility.
  • system-config-services(8) - a manual page for the system-config-services utility.

10.4.2. Related Books

Red Hat Enterprise Linux 6 Security Guide
A guide to securing Red Hat Enterprise Linux 6. It contains valuable information on how to set up the firewall, as well as the configuration of SELinux.