iptables and more on Linux » gnu/linux

SSH timeout

admin — Tue, 04 May 2010 11:03:45 +0000

If you have a problem of frequent disconnection from your SSH server, you can enable the following setting in your sshd_config file and restart SSHD.

ClientAliveInterval 60

The exact description of what this does is

ClientAliveInterval
Sets a timeout interval in seconds after which if no data has
been received from the client, sshd will send a message through
the encrypted channel to request a response from the client.
The default is 0, indicating that these messages will not be
sent to the client. This option applies to protocol version 2
only.

SPBCHSW81

SPBCHSW82

SPBCHSW91

SPBCHSW92

Screen command

admin — Tue, 19 Jan 2010 21:53:09 +0000

I hadn’t used screen much in the past but I see that it is a very handy tool. I just would like to add some tips about screen command.

Ctrl-a c : creates a new screen shell
Ctrl-a TAB: switches focues between upper and lower split terminal
Ctrl-a “ : Display a list of managed windows. (This is the most I like:)

It is very useful to use the option “-t” in screen as it allows you to mark your instances. If you run a new screen sheel with the command;

screen -t /var/log/local6 1 tail -f /var/log/local6

Then when you run Ctrl-a “ to list the windows, you will recognize your tailing window with the title “/var/log/local6″

This is a very short article about screen. I hope on the way I use this tool, I may improve this it.

sysconfig.txt

admin — Sat, 09 Jan 2010 16:31:05 +0000

You can find quite a lot of files in /etc/sysconfig however in configuring them you may have trouble but there is a file that you can use to understand what attributes you can use for each file. It is sysconfig.txt. In my current Redhat 5.4 system the file is at the following location as it comes with the package initscripts.

/usr/share/doc/initscripts-8.45.30/sysconfig.txt

For example if you want to set ethernet options into your ifcfg-eth0 file below is the quote from this file;

ETHTOOL_OPTS=…
Any device-specific options supported by ethtool. For example,
if you wanted to force 100Mb full duplex:
ETHTOOL_OPTS=”speed 100 duplex full autoneg off”
Note that changing speed or duplex settings almost always
requires disabling autonegotiation with ‘autoneg off’.

Installing RPM file into a different root

admin — Sat, 09 Jan 2010 14:59:03 +0000

One day you may have to install an RPM file into a different root folder. For example under rescue mode though you can chroot as an option. Here is the handy option for you to do it.

#rpm -ivh zip-2.31-2.el5.i386.rpm –root /mnt/sysimage

MBR recovery and grub reinstall

admin — Sat, 09 Jan 2010 14:10:24 +0000

In the event that partition table is corrupted or boot loader has gone, here are some steps that you can take in order to boot the system as normal.

I hope that you have taken the backup of partition table previously with the command;

#sfdisk -d /dev/sda > /root/sda_partition_table.out

Or if you also want to backup the whole MBR to a file do this;

#dd if=/dev/sda of=/tmp/mbr_sda.out bs=512 count=1

From now on, I assume that you have booted the system in rescue mode with networking support.

1) The first thing is to paste this partition table back into its original space. Presumably, you have copied the partition table from network and put it under /tmp/sda_partition_table.out

#sfdisk /dev/sda < /tmp/sda_partition_table.out

This will fix your partition table. Now time to fix MBR

2) As the MBR has gone, we have to write MBR again. Do the followings;

#grub

grub> root (hd0,0)
grub>setup (hd0)
grub>quit

The root (hd0,0) command assumes that your boot partition is in /dev/sda1

After these commands, you should be able to boot your system as before.

NIS & Autofs configuration

admin — Sun, 03 Jan 2010 17:49:55 +0000

This article is about to configure NIS server and NIS client in a redhat base distribution. I know that NIS isn’t the preferred method of authentication anymore but I wanted to add this short NIS document along with autofs usage so that when any user logs in, their homedirectories at the remote NFS server will be mounted automatically.

Lets start:

Sample NIS domain: penguen.com
NIS Server: rh54srv1.penguen.com
NIS Server IP: 192.168.200.1
NIS Client IP: 192.168.200.81

**Don’t forget that this hostname to IP mapping must exist in /etc/hosts file.

[SERVER SIDE CONFIGURATION]

Install the packages required for NIS server

ypserv
ypbind
portmap
yp-tools

Add the following line into cat /etc/sysconfig/network

NISDOMAIN=”penguen.com”

Start the following daemons

service portmap start
service ypserv start
service yppasswdd start

Generate the NIS database by the following command. Command should detect your hostname and you should only press Control D.
Once you Press and confirm the output, database will be generated.

[root@rh54srv1 yp]# /usr/lib/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS
servers. rh54srv1.penguen.com is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a .
next host to add: rh54srv1.penguen.com
next host to add:

Now start two more services

service ypbind start
service ypxfrd start

Make sure that deamons are running not to beat the air

[root@rh54srv1 yp]# rpcinfo -p localhost
program vers proto   port
100000    2   tcp    111 portmapper
100000    2   udp    111 portmapper
100024    1   udp    662 status
100024    1   tcp    662 status
100011    1   udp    875 rquotad
100011    2   udp    875 rquotad
100011    1   tcp    875 rquotad
100011    2   tcp    875 rquotad
100003    2   udp   2049 nfs
100003    3   udp   2049 nfs
100003    4   udp   2049 nfs
100021    1   udp 32769 nlockmgr
100021    3   udp 32769 nlockmgr
100021    4   udp 32769 nlockmgr
100021    1   tcp 32803 nlockmgr
100021    3   tcp 32803 nlockmgr
100021    4   tcp 32803 nlockmgr
100003    2   tcp   2049 nfs
100003    3   tcp   2049 nfs
100003    4   tcp   2049 nfs
100005    1   udp    892 mountd
100005    1   tcp    892 mountd
100005    2   udp    892 mountd
100005    2   tcp    892 mountd
100005    3   udp    892 mountd
100005    3   tcp    892 mountd
100004    2   udp    829 ypserv
100004    1   udp    829 ypserv
100004    2   tcp    832 ypserv
100004    1   tcp    832 ypserv
100009    1   udp    608 yppasswdd
100007    2   udp    840 ypbind
100007    1   udp    840 ypbind
100007    2   tcp    843 ypbind
100007    1   tcp    843 ypbind
600100069    1   udp    855 fypxfrd
600100069    1   tcp    857 fypxfrd

Now our NIS server is ready, it is time to configure NIS clients.

NIS client configuration is easy, espacially with the handy tool “authconfig” in redhat. It is sufficent to type “man authconfig” to learn how you can use this tool to configure your nis client. Run the following command to activate authentication via your NIS server.

[root@rh54-2 ~]# authconfig –enablenis –nisdomain penguen.com –nisserver rh54srv1.penguen.com –update
Stopping portmap: [ OK ]
Starting portmap: [ OK ]
Shutting down NIS services: [ OK ]
Turning on allow_ypbind SELinux boolean
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server..

Everything is completed now. Lets test the setup. Login to the server and run the following;

[root@rh54srv1 yp]# ypcat passwd
redhat:$1$CtsnSUU0S$qVtddcKXT8QWJlQoqsda0Gvs4.:502:502::/data:/bin/bash
nisuser:$1$2issdfeFXfuv$HYXcVUiu0jsktNDKtXF2M.:505:505::/home/nisuser:/bin/bash
nisuser1:!!:506:506::/home/nisuser1:/bin/bash
accountant:!!:503:503::/home/accountant:/bin/bash
nisuser2:!!:507:507::/home/nisuser2:/bin/bash

You should see a similar output. If you don’t check your setup. Now lets add another username “nisuser100″ , update the database
and test this username in the client.

[root@rh54srv1 ~]# useradd nisuser100
[root@rh54srv1 ~]# passwd nisuser100
Changing password for user nisuser100.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@rh54srv1 ~]# cd /var/yp ; make
gmake[1]: Entering directory `/var/yp/penguen.com’
Updating passwd.byname…
Updating passwd.byuid…
Updating group.byname…
Updating group.bygid…
Updating netid.byname…
gmake[1]: Leaving directory `/var/yp/penguen.com’

Now try to login with this username into the client that we previously configured as NIS client.

[root@rh54srv1 yp]# ssh nisuser100@192.168.200.81
nisuser100@192.168.200.81’s password:
Could not chdir to home directory /home/nisuser100: No such file or directory

Just ignore the error message now. We haven’t configured autofs mounter yet, but we can see that our NIS setup
works properly. Now configure NFS server for home exports.

Add the following line into our NFS server (rh54srv1) /etc/exportfs file.

/home 192.168.200.0/255.255.255.0(rw)

Now reexport all directories in NFS server and check the configuration;

[root@rh54srv1 home]# exportfs -r
[root@rh54srv1 home]# showmount -e
Export list for rh54srv1.penguen.com:
/home 192.168.200.0/255.255.255.0

Server side NFS configuration is completed. Now login to NIS client and configure automounter.

Add the following line into /etc/auto.master file

/home /etc/auto.home

Create the file /etc/auto.home and add the following line into it, so that when users login their home directories will be mapped.

* 192.168.200.1:/home/&

Restart autofs deamon

[root@rh54-2 /]# /etc/init.d/autofs restart
Stopping automount: [ OK ]
Starting automount: [ OK ]

To test automounting works properly, login into the client via ssh once again.

[root@rh54srv1 home]# ssh nisuser100@192.168.200.81
nisuser100@192.168.200.81’s password:
Last login: Sun Jan 3 07:28:58 2010 from rh54srv1.penguen.com
[nisuser100@rh54-2 ~]$ df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
3203952   2098188    941932 70% /
/dev/sda1               101086     17112     78755 18% /boot
tmpfs                   265604         0    265604   0% /dev/shm
192.168.200.1:/home/nisuser100 59514976 12735296 43707680 23% /home/nisuser100

As you can see we haven’t received any error message about “home directory not found” but instead /home/nisuser100 is automatically mounted on the NFS server.

I hope everything went right on your side too. Let me know if you see any issues on this short article.

Software Raid

admin — Sun, 03 Jan 2010 12:58:27 +0000

Software raid configuration is quite easy and within a few minutes you can start building your array. Depending on the size of the array, build time may vary. Here is a quick instruction about how you can use mdadm utility to create a raid 1 array.

We have two partitions of the size 512MB in two different disks:

First Partition: /dev/sdb2
Second Partition: /dev/sdc1
Partition Types: fd (Linux raid auto detect)

As we are creating a raid paritition, using fdisk set both partition types to the code “fd” . Your output from fdisk will be something like below;

[root@rh54-2 ~]# fdisk /dev/sdb -l

Disk /dev/sdb: 1073 MB, 1073741824 bytes
255 heads, 63 sectors/track, 130 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start         End      Blocks   Id System
/dev/sdb1               1          63      506016   83 Linux
/dev/sdb2              64         130      538177+ fd Linux raid autodetect

[root@rh54-2 ~]# fdisk /dev/sdc -l

Disk /dev/sdc: 1073 MB, 1073741824 bytes
255 heads, 63 sectors/track, 130 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start         End      Blocks   Id System
/dev/sdc1               1          63      506016   fd Linux raid autodetect
/dev/sdc2              64         130      538177+ fd Linux raid autodetect

Lets create our RAID1 array;

[root@rh54-2 ~]# mdadm –create /dev/md1 –raid-devices=2 –level=1 /dev/sdb2 /dev/sdc1

Now check the raid array building;

[root@rh54-2 ~]# cat /proc/mdstat
Personalities : [raid1]
md1 : active raid1 sdc1[1] sdb2[0]
505920 blocks [2/2] [UU]

As you can see from the output of cat command, md1 raid device has been created with two active partitions (sdc1 and sdb2)

Now you can create the filesystem on /dev/md1 device and mount.

[root@rh54-2 ~]# mkfs.ext3 /dev/md1
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
126480 inodes, 505920 blocks
25296 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67633152
62 block groups
8192 blocks per group, 8192 fragments per group
2040 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 21 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

Finally mount the partition into a directory.

[root@rh54-2 ~]# mkdir /raiddisk1
[root@rh54-2 ~]# mount /dev/md1 /raiddisk1/
[root@rh54-2 ~]# df -l
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
3203952   2062572    977548 68% /
/dev/sda1               101086     17112     78755 18% /boot
tmpfs                   265604         0    265604   0% /dev/shm
/dev/md1                489958     10544    454118   3% /raiddisk1

In order to see the status of the array you can run the command for which you will see a similar output like below;

#mdadm –detail /dev/md1

Number   Major   Minor   RaidDevice State
0       8       17        0      active sync   /dev/sdb2
1       8       33        1      active sync   /dev/sdc1

DISK FAILURE

Now your array is working. Imagine that one of the disks (e.g /dev/sdc1) in the array has failed and we need
replace the failed disk with another one (e.g /dev/sdd1) . Here is the process: First fail the disk (but this may not
be necessary if it is in already failed state, you can try) , remove it and add /dev/sde1 device.

#mdadm /dev/md1 -f /dev/sdc1 -r /dev/sdc1 -a /dev/sdd1

After this command, rebuilding the array starts automatically.

The new situation is;

#mdadm –detail /dev/md1

Number   Major   Minor   RaidDevice State
0       8       17        0      active sync   /dev/sdb2
1       8       49        1      active sync   /dev/sdd1

SPARE DISK

What if you want to have a spare disk into this array. Normally spare disk can be added during initilization step with the switch “-x” , however
in our configuration (raid1 with 2 disks) if you try to add a third disk, mdadm will automatically add it as a spare disk.

#mdadm /dev/md1 -a /dev/sde1
#mdadm –detail /dev/md1

Number   Major   Minor   RaidDevice State
0       8       17        0      active sync   /dev/sdb2
1       8       49        1      active sync   /dev/sdd1

2 8 65 - spare /dev/sde1

You can also try failing /dev/sdd1 and you will see that /dev/sde1 will be automatically attached into the raid1 array and /dev/sdd1 will be marked as faulty.

STOPPING THE ARRAY

If you want to stop/disassemble the array, use the following;

#mdadm -S /dev/md1

Now you have a fully functional raid1 array. Congratulations!!

Public key authentication in SSH

admin — Tue, 29 Dec 2009 20:18:15 +0000

I am sure most system administrators don’t want to waste their time by entering the same passwords everyday for every server. Here SSH utilities comes with lovely flavoured tools. In this article, I will try to explain how we can login to remote systems without using password at all or once in a day.

In this example, here are the client and server data. Green color is used for the text/command you should type.

Client hostname: rh54-win-1
Client username: sshtest
Remote system IP: 192.168.200.1
Remote system hostname: rh54srv1
Remote username: root

1) Authenticating yourself by public key instead of password into remote systems

a) First create private and public keys. When the passphrase is asked leave it empty.

[sshtest@rh54-win-1 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sshtest/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sshtest/.ssh/id_rsa.
Your public key has been saved in /home/sshtest/.ssh/id_rsa.pub.
The key fingerprint is:
a3:6f:be:7f:0c:c5:32:61:dc:d6:e1:2c:57:df:9a:a2 sshtest@rh54-win-1.penguen.com

Now our keys are saved under /home/sshtest/.ssh folder in the client we work.

b) It is time to copy our public key into the remote system
[sshtest@rh54-win-1 ~]$ ssh-copy-id -i /home/sshtest/.ssh/id_rsa.pub root@192.168.200.1
29
root@192.168.200.1’s password:
Now try logging into the machine, with “ssh ‘root@192.168.200.1′”, and check in:

.ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

We have copied our key successfully.

c) Now try to login to the system again

[sshtest@rh54-win-1 ~]$ ssh root@192.168.200.1
Last login: Tue Dec 29 20:37:59 2009 from 192.168.200.50
[root@rh54srv1 ~]#

It is nice right:)

2) Using passphrase in authentication

If you had provided a passphrase during the key creation in the step 1.a, then you would have had to enter the passphrase in each connection setup but what is the point if we have to enter a passphrase each time we initiate the connection. If we put the security point of view aside, I will try to explain how we can avoid entering passphrase everytime but once for the session. For instance once at the beginning of the day and you won’t have to type it again and again. Here it is;

1) Create public and private key but this time type a passphrase.

[sshtest@rh54-win-1 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sshtest/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): testphrase
Enter same passphrase again: testphrase
Your identification has been saved in /home/sshtest/.ssh/id_rsa.
Your public key has been saved in /home/sshtest/.ssh/id_rsa.pub.
The key fingerprint is:
b1:b1:68:45:8e:31:fb:98:7f:b9:21:c7:2c:73:ce:9b sshtest@rh54-win-1.penguen.com

2)Copy the key into the remote system
[sshtest@rh54-win-1 ~]$ ssh-copy-id -i /home/sshtest/.ssh/id_rsa.pub root@192.168.200.1
29
root@192.168.200.1’s password:
Now try logging into the machine, with “ssh ‘root@192.168.200.1′”, and check in:

.ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

From now on if you try to login to the root account on the remote system 192.168.200.1 you will be presented by a passphrase. To avoid this, continue reading.

3) Run the ssh-agent program which will respond on behalf of us.

[sshtest@rh54-win-1 ~]$ ssh-agent /bin/bash
[sshtest@rh54-win-1 ~]$ env | grep SSH
SSH_AGENT_PID=3381
SSH_AUTH_SOCK=/tmp/ssh-Bixnyz3380/agent.3380
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass

We can see from the output of the second command such that ssh-agent sets some environmental variables. That is good:)

4) Now let’s use ssh-add to provide ssh-agent with your key.

[sshtest@rh54-win-1 ~]$ ssh-add
Enter passphrase for /home/sshtest/.ssh/id_rsa: testphrase
Identity added: /home/sshtest/.ssh/id_rsa (/home/sshtest/.ssh/id_rsa)

5) Now try to login again

[sshtest@rh54-win-1 ~]$ ssh root@192.168.200.1
Last login: Tue Dec 29 21:13:55 2009 from 192.168.200.50
[root@rh54srv1 ~]#

As you can see, nothing has been asked. However, if you leave the current shell in which you have executed ssh-agent, ssh-agent will die and you will have to enter passphrase again. SSH-AGENT is very handy for administrators who have terminals active during the day and connect into various servers.

I hope this article was useful for a quick intro authentication in SSH. If you want to have more info on the subject not a tutorial style but mainly about concepts you can have a look at http://unixwiz.net/techtips/ssh-agent-forwarding.html