
Welcome to the first edition of NewsByte for 2004. Being so well received last year, NewsByte will continue to bring you technical tips and tricks by leading experts, latest industry news, hot web sites to visit, patches to try and training updates, covering a wide range of technologies. This technical newsletter will be emailed once every 6 weeks.


Welcome to the January edition of NewsBytes from Peter Atkins

NewsBytes is now brought to you by MindWorks Inc Ltd due to the closure of Salford Computing & Training Services. The distribution list used to send out this newsletter was initially created by MindWorks Inc Ltd to promote the DS Clinic product and used by Salford Computing & Training Services due to the associations between the companies. The same usage will now continue under the MindWorks Inc Ltd name in its own right.  We hope that you will continue to benefit from the technical information and that you enjoy the articles that our experts from both the corporate and academic sectors put together.

MindWorks has four directors, Julia Davey, Peter Atkins, Joe Doupnik and Gary Porter. As many of you know, I developed the initial academic site licensing programme for Novell products in the UK and subsequently Julia and I developed the training solutions provided by Salford Computing & Training Services. Taking this into account, along with the real world experience of Gary, Joe plus our experienced trainers, we believe we have an unbeatable combination when bringing technical training solutions to the marketplace.

As an organisation we are now totally independent of any seller of boxed product or licenses. We work closely and openly with other Novell Partners such as Live Data Ltd, Optism Ltd and NDS8 Ltd to help them deliver total solutions to their customers. We welcome the opportunity to partner with other organisations in the same way.

Having worked closely with Novell since 1990 and been responsible with Julia Davey for the development of Salford Computing & Training over the last eighteen months, we have listened carefully to the demands for new training ideas and understand that training is evolving from the standard authorised courses, to courses delivered in shorter periods of time, teaching only the relevant modules, often taught on our customer’s site, and most importantly – training that is of excellent quality at reasonable prices.

MindWorks maintains our philosophy of flexibility and much of our training work continues to be bespoke in nature. However we still provide authorised courses for the latest and most popular courses for Novell, Microsoft and Linux. Where we differ is that we deliver authorised courses in a whole variety of locations throughout the country so that customers do not have to travel as far or to the same place over and over again. Oxford and Liverpool Universities are kindly hosting courses for us in February (eDirectory) and March (Linux), and we would be interested to hear from other sites and companies who would like to host courses in exchange for a free course place.

Full details of all our services can be found at www.mindworksuk.com and we look forward to working with you in 2004.


TechBytes – One Day Technical Seminar £50.00 + vat, 19 February.

With demand for shorter technical courses on the increase, we have put together a one day TechByte Seminar designed for busy technical staff  keen to update their skills, knowledge and expertise.  Sessions will be given by a variety of subject experts, including David Hill, Systems Engineer for Novell, Rob Hebron, Systems Development Director for Live Data, Gary Porter from MindWorks, and Simon Lidgett, Strategic Engineer, Novell.

TechBytes will be held at the Novell offices in Bracknell on Thursday 19th February. As usual it will be a packed agenda with the latest technical information. At just £50 you can’t afford not to be there. Places are limited so book now by visiting www.mindworksuk.com

TechBytes agenda

9:00 – 9:30              Registration

9:30 – 10:00            Novell Introduction and Roadmap, Peter Joseph

10:00 – 11:00          How to cluster-enable SuSE Linux, running Hamachi (Nterprise Linux Services), Simon Lidgett

11:00 – 11:15          Coffee

11:15 – 13:00          Security and presentation of systems, in and out of the organization, Dave Hill and Mark Oldroyd. This will be an in-depth technical presentation showing NMAS logging into a NetWare server and Secure Login. The same token will then be demonstrated logging in via iChain. In the second part of the presentation Mark will create a Portal using exteNd.

13:00 – 14:00          Lunch

14:00 – 14:30          Using Apache and Tomcat on Linux with the hosting of the Novell eXtend Director Std. edition as a working example, Rob Hebron

14:30 – 15:00          Using authentication in Apache to secure web content and interface with Novell eDirectory for controlling access to resources, Rob Hebron

15:00 – 15:30          Modules available for Apache which can aid in intrusion detection and prevention and compliance with the Disability Discrimination Act, Rob Hebron

15:30 – 15:45          Tea

15:45 – 16:45          Nterprise Linux Services, Gary Porter

 


Novell eDirectory 8.7.1 for HP-UX Now Available

Novell eDirectory 8.7.1 customers can now download the product on the HP-UX platform free of charge from http://download.novell.com. Customers who wish to acquire a new media kit can do so using the current media kit part number for eDirectory 8.7.1 available on the Novell Price List.

3007+: Novell eDirectory Tools and Diagnostics PLUS DS Clinic Compact with Gary Porter

University of Liverpool 23 – 27 February

Places from only £750 +vat for customers from academic/ NHS, £850 +vat for Government customers and £900 +vat for our corporate clients.

Gary Porter returns from the US to deliver this course in his unique and lively style with the added value of his outstanding expertise in the field of eDirectory. In addition, each student will receive a compact version of DS Clinic, a teaching tool essential for those wishing to practice their eDirectory skills without the worry of doing so on a live system!

Novell eDirectory Tools and Diagnostics (Course 3007) is a practical skills course. It focuses on preventing, troubleshooting, and solving common problems related to eDirectory communication, synchronisation, caching, and replication processes and on such integral tasks as server maintenance, database backup, and disaster prevention and recovery.

Course 3007 provides opportunities to perform eDirectory install and upgrade tasks, and tree design and health check procedures. All these are performed in both a NetWare only and a multi-platform environment using the latest web-based eDirectory administration tools: iMonitor and iManager.

Places are strictly limited to ensure personal attention. Book your place now, by visiting www.mindworksuk.com


Linux firewalling, virus and SPAM scanning by Rob Hebron, Live Data Computers Ltd

At Live Data we setup and manage Linux Firewalls using IPTables (www.netfilter.org). IPTables was introduced in the 2.4 Linux kernel and offers superb firewall functionality and throughput. We use fwbuilder on Linux to build the firewall scripts in a policy-driven GUI (www.fwbuilder.org).

We also use Linux-based mail gateways that scan incoming and outgoing mail for viruses and SPAM. Virus scanning can be performed using an open source scanner such as clamd (www.clamav.net) or a commercial scan engine. SPAM scanning is best done using SpamAssassin (www.spamassassin.org). The actual mail relaying is performed by a high performance MTA such as Exim (www.exim.org).

Finally, in the field of Internet Security, Snort (www.snort.org) is a high performance network intrusion detection system that is open source and has commercial support available.

Rob Hebron, rob.hebron@live-data.co.uk


Domesticating and Living with Linux in the Machine Room, 9 & 10 March, St Hugh's College, Oxford

Hands On 2 day Course £295.00 +vat

We have seen amazing demand for this short technical course, given by Joe Doupnik, and it is back in March for its third encore. Why Linux? A short course for those who need to know without becoming gurus.

If you want to find out all about Linux, this is the course for you. This comprehensive 2 day hands-on course gives you an excellent insight into the Linux world, how to get to grips with the basics and how to make the most of this exciting technology in your own environment and benefit from the vast opportunities it offers.

This 2 day course will cover the following key elements:

Don’t get left behind. Book your place now  by visiting www.mindworksuk.com


Can one survive on port 80 alone? by Joe Doupnik

Recently, while on holiday in a distant land, the communications channel was a dialup link to a web proxy server which listened on port 80 only. I needed to contact my machine farm at home and tend things. My, did I learn a lesson from this!

The webmail agent for the campus was decent, but had two awkward characteristics: it could access mail only on that particular machine, and it wanted to run only while the sun was up on weekdays (I don’t know why, but it was holiday time). What about my own machines? Their email, telnet, ftp, all these mod cons?

“Open the pod door Hal. I’m sorry Dave, I can’t do that.”©

When I returned home I quickly scouted out proxy agents which might offer at least ftp and mail reading through a web port 80 channel, http:// not https://. Some time later two were selected. Squirrelmail (what a name) is a nice webmail program which can read Unix mbox style email files. It points at the user’s home directory for the spot to find those files. Another needed facility was ftp, and the best so far is a quiet program named notftp which is basically a webftp item relaying ftp responses and files over the web. Both are written in PHP and thus fit right into Apache web server.

While notftp was passable it did have one awkward characteristic. It asked only for the location and credentials of the place we wish to contact via ftp, the remote site. There was no checking about who was coming over the web to run it, and if anyone did they could contact any remote site via ftp. Oh dear, another file laundry. Apache experts say, no problem, just add a mod_auth set of clauses so that Apache will ask for local credentials. Um, no. While that works, it works the wrong way for me.

What I need is an authentication mechanism in front of each web-app so that anyone on my Unix (FreeBSD) system can use the app, but not anyone else. This goal brings us face to face with two problems. The first problem is Apache runs as an ordinary user and has no access to the encrypted/protected passwords of the Unix machine. PHP scripts run as that user, launched by Apache of course. The second problem is Apache’s mod_auth material refers to its own private storage of credentials, which means I would have to create new user/password pairs from plaintext for everyone, and that is a non-starter.

Once this sank in I said “Pam!” No, not her, but Pluggable Authentication Modules (PAM). The notion is an application can call upon a PAM library, supplying plaintext credentials, and have it query the system for permission to proceed. A good idea. Alas, PAM code runs as the caller, as an ordinary user, and has the same problem getting at protected Unix credentials. Most folks who use PAM may be unaware of this small impediment, but it exists and must be surmounted.

The system being used for this work is FreeBSD v4.9. After much chasing through PAM source code I found that it lacked a helper module which would run as root and lend a hand to probe the protected data. Seems like a serious lack, it is, and it goes away in the FBSD 5.x series under development. Helper modules like this are exposed to users, and hence exposed to abuse. I looked at the Linux one doing the same job and it does try to keep away tiny fingers, but we can’t block everything.

The need for PAM here arose from that notftp program. I decided the shortest path to immediate success was to modify notftp to call a helper I wrote which ran PAM as root. Yup, a risk but I limited it. A little PHP writing later the program now prompts for local Unix credentials, and then those of the remote site. It works nicely, thanks. Yes, it is a kludge.

What about mod_auth_pam for Apache? It is a third party module. I tried it. It has the same problem of running as the Apache user, not as root. Maybe I should have rewritten PAM module pam_unix.so, but I was too far along to bother. Also this Apache module can conflict with regular mod_auth, and that seems like asking for trouble later.

Back to webmail, Squirrelmail in this case. It does ask for local credentials, it runs from Apache too, and it does not run into the need for PAM. Why not? The program makes an IMAP4 connection to the mail server, and that process exchanges credentials. Hmmm, this suggests a similar redirection to real apps for other tasks as well, but this is a distraction right now. Thus the burden of checking is placed on the IMAP4 server, not on the webmail program. Luckily, the IMAP4 server on the FreeBSD machine is able to do the job nicely. The Webmail program does not offer a choice of adding remote mailboxes for inspection, not like GroupWise or IE or Netscape browsers but then those are not running over port 80. But it does offer to fetch from them using POP3 and put copies into the local mailbox. It’s a start, better than without the ability. It works well enough to cover needs while traveling, yet I could rewrite it to be more flexible.

I looked at the overall situation on my machines. Each machine has a good IP filter to keep away the wandering thieves. Each exposed application has enough strength, barely, to rebuff most penetration attempts. But credentials are needed on each such app such that only locally known users can run them, and the manager would not have to manually create username/password pairs for each. Multiple levels of access.

By now you are probably saying I need to enhance my vocabulary of acronyms beyond three characters, including say LDAP or even RADIUS or NDS. These are excellent suggestions, but… we have to start somewhere. I am very hesitant about putting major Unix credentials on some other machine; too many things must work to let me in to fix things or just get work done. Thus I very much prefer that local access employs local credentials, no matter whether the network is operational or other machines are happy.

So far I have not seen in the industry a dual approach of storing credentials locally as well as on some larger database machine. Wait, there is one case. Yes, it is Novell’s NDS.

The neat thing about Novell’s Directory Services is the data can be replicated, copies all over. For folks like me we need NDS services running on the local machine, plus have copies on other machines for safety if/when the network is happy. I don’t need to manually replicate every night at 0200, it happens automatically when changes occur.

That’s the stuff. But we need to ensure everyone is poured into NDS at the start, else we have to crack encrypted passwords to get plaintext and not tell a soul we are doing it. But, says the conservative manager, what if the NDS software takes ill? What then? Ah, says the equally conservative but more attentive system manager, we will use NDS and PAM together! If we go through the PAM stack of methods, one will be NDS, and if it is not working then there are other methods ready to try, such as LDAP, RADIUS, Kerberos, and even the local Unix credentials. &cetera.

This is great, but one piece remains uncertain. How can we populate all these storage areas with a new password if the user makes such a change? PAM again. There is a facility apps can call when passwords are changed, a stack of PAM modules which get into the act. In principle (meaning I haven’t dug in and looked carefully, not to mention actually try) they can pass the old/new credential pair  down the PAM stack, from one module to the next, so that all get a copy and send it to their matching storage mechanism. A worry is if the password arrives encrypted and not in a method one of the above uses.

Novell faced the problem of foreign encryption when NetWare 6.0 came out with “Simple Passwords.” After a year of struggling with it they created a rather clever bypass named “Universal Passwords.” I think this must work because larger superlatives are difficult to locate. UP’s say I don’t care how this thing is encrypted, provided I can match it with what the user provides today. The Novell NMAS material does this work. Actually the Unix password checking code could do the same, but it isn’t written that way. I think we are talking ourselves into putting NDS and PAM on Unix machines as the more capable traders in credentials, and NDS replicates them to other machines for safety. With such distribution we make another step toward single-signon. I sure hope we can work out the details of such matters.

Golly, what we think of with a little free time on our hands during holiday and a small port 80 problem to overcome.

Joe Doupnik, jrd@cc.usu.edu
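
A simplified model of the PAM stack idea discussed in the article above, added here as an example and not code from the author or from any PAM implementation. It walks "sufficient" and "required" entries so that an unavailable NDS falls through to the next store, and shows that a password change which skips an unavailable store leaves the old password valid there. The backend names, the user and the passwords are constructed, and the `prelim_check` option is a hypothetical stand-in for a preliminary pass that refuses the change unless every store can take it.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

SUCCESS, AUTH_ERR, UNAVAIL = "success", "auth_err", "authinfo_unavail"


def digest(password: str) -> str:
    # Stand-in for a real salted password hash; keeps the model short.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Backend:
    """One credential store behind a PAM module (names are illustrative)."""
    name: str
    available: bool = True
    creds: dict = field(default_factory=dict)

    def authenticate(self, user, password):
        if not self.available:
            return UNAVAIL
        stored = self.creds.get(user)
        if stored and hmac.compare_digest(stored, digest(password)):
            return SUCCESS
        return AUTH_ERR


def run_auth_stack(stack, user, password):
    """Walk (control, backend) pairs using 'sufficient' and 'required' rules."""
    required_ok, required_failed, trace = False, False, []
    for control, backend in stack:
        result = backend.authenticate(user, password)
        trace.append((backend.name, result))
        if result == SUCCESS:
            if control == "sufficient" and not required_failed:
                return True, trace          # stop here, caller is authenticated
            required_ok = required_ok or control == "required"
        elif control == "required":
            required_failed = True          # remember, but keep walking
        # a failing or unavailable 'sufficient' module is simply skipped
    return required_ok and not required_failed, trace


def change_password(stack, user, new_password, prelim_check=True):
    """Push a new password to every backend; return names left out of date."""
    backends = [b for _, b in stack]
    down = [b.name for b in backends if not b.available]
    if prelim_check and down:
        return down                         # refuse: nothing is updated
    for b in backends:
        if b.available:
            b.creds[user] = digest(new_password)
    return down


def build_stack():
    # Constructed sample data: one user, same password in every store.
    stores = [Backend(n) for n in ("nds", "ldap", "unix")]
    for s in stores:
        s.creds["alice"] = digest("old-pass")
    controls = ("sufficient", "sufficient", "required")
    return list(zip(controls, stores)), stores


if __name__ == "__main__":
    stack, (nds, ldap, unix) = build_stack()
    nds.available = False                   # NDS "takes ill"
    print(run_auth_stack(stack, "alice", "old-pass"))
    print(change_password(stack, "alice", "new-pass", prelim_check=False))
    nds.available = True                    # NDS returns with the old password
    print(run_auth_stack(stack, "alice", "old-pass"))
```

The last call succeeds through the store that missed the update, which is why the stores need reconciling after an outage before a changed password can be considered retired.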


Novell's Linux Strategy

The acquisition of SUSE LINUX will be an important step in Novell's efforts to accelerate enterprise adoption of Linux. Novell began building solutions for Linux in early 2000, when it made its flagship eDirectory™ technology available on Linux. In April of this year, Novell announced it would make all the services that run on its NetWare® operating system run on both the NetWare and Linux kernels in the future with the full range of Novell's worldwide technical support. In August, Novell acquired Ximian with its leading Linux desktop management solutions and its visionary leadership to promote Linux desktops and to enable Microsoft .NET* applications to run on Linux.

In September, Novell announced the open beta of Novell® Nterprise™ Linux Services (NLS), an offering that runs on SUSE LINUX and Red Hat* and provides a variety of networking services for Linux environments. IBM, HP and Dell have all licensed the NLS technology for resale to their customers. With SUSE LINUX, Novell expands its reach to developers and ISVs looking for a complete Linux solution. Today's announcement of Novell's plans to acquire SUSE LINUX strengthens Novell's already proven set of Linux offerings by allowing Novell to distribute the underlying Linux platform itself, in addition to the many value-added services for Linux that Novell already offers.

"We chose SUSE LINUX because they are a clear market leader in Linux technology for the enterprise," Messman said. "With this acquisition, Novell will be the only billion-dollar software company with a Linux distribution and a worldwide ecosystem around it. A worldwide technical staff of more than 600 has been trained to support Linux. The acquisition of SUSE LINUX completes our technology stack from the desktop to the server."

Beyond the technology, the acquisition will also expand Novell's strategic commitment to the open source community. The combination of SUSE LINUX and Novell will deliver not only complete enterprise Linux software solutions, but also worldwide channels and industry-leading partnerships. The combined company will help promote a thriving, global open source ecosystem that creates innovation and choice for developers, users and organizations alike. Novell is firmly committed to open standards and maintaining the existing open source kernel development efforts. From advocacy and development resources to events and support of open source efforts like kernel projects, XFree86, ReiserFS, KDE, GNOME and Mono, Novell stands side-by-side with the open source community.

Citigroup Global Markets Inc. acted as Novell's financial adviser to the transaction. Clifford Chance Punder served as Novell's legal counsel. Arma Partners acted as financial adviser to SUSE LINUX and its stockholders. Freshfields Bruckhaus Deringer served as legal counsel to SUSE LINUX and its stockholders. SUSE LINUX investors are e-Millenium 1, AdAstra Erste Beteiligungsgesellschaft mbH and APAX Partners & CO.

For more information on Linux visit  http://developer.novell.com/linux/


SUSE LINUX

Established in 1992, SUSE LINUX is one of the world's leading providers of Linux software and services. With the largest dedicated Linux research and development team, SUSE delivers enterprise-ready software and services that harness the innovation, speed-to-market and independence of the open source community.

SUSE LINUX Offerings Complement Novell Linux Services

SUSE LINUX offers a range of Linux server and desktop solutions designed to meet the diversified needs of different organizations. SUSE LINUX Enterprise Server 8 for midsize to large companies provides a range of core networking services with the high-availability and scalability features needed for mission-critical environments.

SUSE LINUX is the leading enterprise Linux company in Europe. In addition, through its relationships with Conectiva and Turbolinux, SUSE LINUX has been a leader in Latin America and Asia, as well. SUSE LINUX is also one of the top providers of Linux to enterprises in the United States and North America. Novell's extensive global sales and channel programs, proven and reliable technical support capabilities, as well as ongoing Novell and SUSE LINUX relationships with key partners like IBM, Oracle, SGI, Fujitsu-Siemens, Dell, Intel, AMD, SAP, HP and others, provide a powerful business network to promote more rapid Linux adoption around the globe.

For more information on SUSE LINUX visit http://www.suse.com


Academic / NHS rates for authorised training at Novell, Bracknell

3006: Desktop Management with ZENworks for Desktops 4

Places from only £750 +vat for customers from academic/ NHS, £850 +vat for Government customers and £900 +vat for our corporate clients.

2 – 6 February

A few places remain on this popular ZENworks course which will be delivered at Novell, Bracknell.  Don’t forget, if you are an individual pursuing personal development and are therefore paying for your own course, you are entitled to the academic / NHS rate.

Visit www.mindworksuk.com to book your place.


Novell's Unique Legal Rights

Novell has recently made available additional information on the unique contractual and intellectual property rights it holds because of its position in the historical ownership chain of UNIX and UnixWare. These rights include:

Copies of relevant correspondence between Novell and SCO are available at http://www.novell.com/licensing/indemnity/legal.html . The rights reflected in these documents are part of the foundation for the indemnification program Novell has announced.


 

Self Study Kits

Self study kits remain a popular method for self learning and updating technical skills.  We have an excellent list of kits including the GroupWise 6.5 Administration, v1.0  and NetWare 6 CNE Bundle (3001, 3004, 3005, 575, and 3006 Self Study Kits)  at excellent prices.

To purchase kits, please visit www.mindworksuk.com


Novell Small Business Suite 6.5 Open Beta available for download

Novell Small Business Suite 6.5 Open Beta is available for you to test. You can download your copy at: http://www.novell.com/products/smallbiz/beta.html


The Open Beta of Novell Small Business Suite 6.5 is a 90-day fully-enabled version of the entire software suite. The Open Beta includes the following Novell product versions, each of which is targeted for inclusion in the shipping product in the first calendar quarter of 2004:

NetWare 6.5 with Support Pack 1

GroupWise 6.5 with Support Pack 1

ZENworks for Desktops 4.01

BorderManager 3.8

To accelerate the download please make sure you select DUBLIN as your mirror Server Location (the default is Provo in USA).


Novell Resource Management White Paper

See: http://www.novell.com/collateral/4621338/4621338.pdf

Strategic Value of Moving to Linux

See: http://www.novell.com/collateral/4621356/4621356.html

Managing Apache Web Servers with NetWare 6.5

See: http://www.novell.com/collateral/4621343/4621343.html

Creating web services with exteNd in NetWare 6.5

See: http://www.novell.com/collateral/4621359/4621359.html


The Novell Museum is being re-launched in association with MindWorks Inc Ltd and is hosted by Joe Doupnik at Utah State University in Logan, Utah.

Visit www.novellmuseum.net and browse through two decades of Novell Memorabilia, merchandise, software and most other things you can imagine. Then rise to the challenge of finding an item that isn’t on the site.

If you do have an item not in the museum please send a picture to: novellmuseum@mindworksuk.com

We would like to thank Joe Doupnik for his support in hosting the Virtual Novell Museum.


Mailing list maintenance

If you know of someone who you think would like to be added to the mailing list for NewsBytes, and similar information from MindWorks Inc Ltd, please complete the List Subscription page on our website www.mindworksuk.com. Alternatively you may email training@mindworksuk.com

It is possible to remove yourself from this list by the same process. If you do ask to come off the list please let us know why as we would welcome the feedback as to why the newsletter is no longer of interest to you.


Key Contacts:

Peter Atkins, Managing Director

Telephone    01706 871900

Email           peter@mindworksuk.com

Julia Davey, Marketing Director

Telephone    01706 871901

Email           julia@mindworksuk.com

NewsByte – January 2004