Posts

Showing posts from 2014

Cisco: Authenticating with SSH public key on Cisco IOS devices

Using SSH public keys to authenticate on a Cisco IOS device

The preferred way to authenticate on a network device is with an SSH key. If you don't have an SSH key already, take a look at the steps to generate a new key here. Once the key is available, you have to connect to your Cisco device and install it. But first of all, you need to make sure that SSH is enabled on the device.

1st Step - Enable SSH

To enable SSH on your device, you have to define the domain name and hostname of the device (the host key pair is named after them). You also need to generate the host keys and finally enable SSH. When asked for the modulus size, pick at least 2048 bits:

Router> ena
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip domain-name johnyc20.blogspot.ro
Router(config)# hostname bucharest
bucharest(config)# crypto key generate rsa
The name for the keys will be: bucharest.johnyc20.blogspot.ro
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulu

SSH: Generating and using SSH keys

One of the preferred methods of authentication on network devices is SSH with a public key. In order to authenticate yourself this way, you have to generate an SSH key pair. The pair is composed of two parts: a private key (which should remain "private" and should also be passphrase protected) and a public key, which is installed on the SSH server in order to authenticate you. SSH client on Linux: to generate an SSH key pair on Linux you use the "ssh-keygen" tool, which is part of the "openssh-client" package on Debian-like operating systems:

smocanu@debian7:~$ dpkg -S $(which ssh-keygen)
openssh-client: /usr/bin/ssh-keygen

or part of the "openssh" package on RedHat-like operating systems:

smocanu@centos6 ~$ rpm -qf $(which ssh-keygen)
openssh-5.3p1-94.el6.x86_64

The generating process is quite simple: just run the "ssh-keygen" command, and it will ask you the location of the new key
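As an added example, not code from either of the two posts above: the script below takes the public half of the key pair that ssh-keygen writes and prints the block that installs it for a user under "ip ssh pubkey-chain" on the Cisco device, folding the base64 into lines the IOS CLI will accept. Things it assumes that the page does not state: the 254-character limit per key-string line, the restriction to ssh-rsa keys (the type the pubkey-chain feature is documented for), and the user name "admin" used in the usage line.

```shell
#!/bin/sh
# Added example, not code from the original posts: turn an OpenSSH public key
# line written by ssh-keygen into the configuration block Cisco IOS expects
# under "ip ssh pubkey-chain". Lines marked "assumption" are not on the page.

# Maximum characters per key-string line. Assumption: IOS rejects longer lines
# when the key is pasted in key-string mode, 254 being the documented limit.
KEY_CHUNK=254

# parse_pubkey LINE: print the base64 blob of an "ssh-rsa BLOB comment" line,
# or return 1 if the line is not a usable ssh-rsa key.
parse_pubkey() {
  set -f                      # the comment field may contain glob characters
  set -- $1
  set +f
  ktype=$1
  blob=$2
  case "$ktype" in
    ssh-rsa) ;;               # assumption: only RSA user keys for this IOS release
    *) echo "parse_pubkey: unsupported key type '$ktype'" >&2; return 1 ;;
  esac
  case "$blob" in
    AAAAB3NzaC1yc2E*) ;;      # base64 of the "\0\0\0\7ssh-rsa" prefix of every RSA blob
    *) echo "parse_pubkey: not an ssh-rsa blob" >&2; return 1 ;;
  esac
  case "$blob" in
    *[!A-Za-z0-9+/=]*) echo "parse_pubkey: non-base64 characters in blob" >&2; return 1 ;;
  esac
  printf '%s\n' "$blob"
}

# ios_pubkey_config USER LINE: print the IOS configuration that installs the
# public key in LINE for USER; the blob is folded to KEY_CHUNK characters per
# line and indented like nested IOS configuration.
ios_pubkey_config() {
  user=$1
  blob=$(parse_pubkey "$2") || return 1
  printf 'ip ssh pubkey-chain\n'
  printf ' username %s\n' "$user"
  printf '  key-string\n'
  printf '%s\n' "$blob" | fold -w "$KEY_CHUNK" | sed 's/^/   /'
  printf '  exit\n'
  printf ' exit\n'
  printf 'exit\n'
}

# longest_line: length of the longest line on stdin, to check the fold
longest_line() {
  awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }'
}

# Usage: sh ios-pubkey.sh admin ~/.ssh/id_rsa.pub
if [ $# -eq 2 ]; then
  ios_pubkey_config "$1" "$(cat "$2")"
fi
```

After the paste, IOS stores the key as "key-hash ssh-rsa" followed by an MD5 of the key blob; on a client with OpenSSH 6.8 or newer, "ssh-keygen -E md5 -lf ~/.ssh/id_rsa.pub" should print the same hash, which is the quickest way to confirm the key was not truncated on the way in.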

Linux: Versioning the /etc/ configurations using 'etckeeper'

One of the most important things for an administrator is to keep track of changes. The preferred way to do that is to use a configuration management system like 'cfengine', 'puppet', 'chef', 'ansible' or whatever you name it. Even so, you should still be able to see what exactly was changed on your system and when. I'm using 'etckeeper' for that and I find it very useful. The major Unix distributions package this software and you can install it with your favorite package manager. On CentOS 6, you can run:

[root@centos6 ~]# yum install etckeeper

After installing, at least on CentOS, you have to initialize the repository by running:

[root@centos6 ~]# etckeeper init
Initialized empty Git repository in /etc/.git/

The last thing is to commit these changes, which means that you will add the entire /etc directory to the repository:

[root@centos6 ~]# etckeeper commit -m "initial com

Linux: working with SSL certificates

If you have to enable secure connections to your service(s), you will need to buy a certificate or generate a self-signed certificate for it. If you buy one, you have to generate a private key and a certificate signing request. If you use a self-signed certificate, you will need to generate a private key, a request and the certificate itself. You can do all of that with the 'openssl' tool. First of all, you have to generate a passphrase for the private key; I'm usually using 'apg':

smocanu@debian7:~$ apg -n1 -m8 -x8 -t
tiWiejTo (ti-Wiej-To)

After that we are ready to generate the private key. This one should be kept safely; no one else should have it. Do not go below 2048 bits: the 512-bit keys that older guides show can be factored cheaply, and 2048 is the floor today. I'm generating a 2048-bit RSA key:

smocanu@debian7:~$ openssl genrsa -des3 -out ss.example.com.key 2048
Generating RSA private key, 2048 bit long modulus
........................++++++++++++
...................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for ss.example.com.key:
Verifying - Ent
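The whole sequence (key, request, self-signed certificate) in one non-interactive script, as an added example rather than the post's own commands. It passes the key passphrase through an environment variable ("-passout env:SS_PASS") instead of the command line, where "ps" would show it, and ends with the checks worth running before installing anything: the modulus size, the subject, the request signature, and that the certificate really carries this key's public key. The file names (NAME.key/.csr/.crt), the CN and the 365-day lifetime are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not the post's own commands: private key, CSR and self-signed
# certificate for one name, with the passphrase read from the environment.

RSA_BITS=2048   # floor for RSA today; the 512-bit keys in old guides are factorable

# make_selfsigned DIR NAME: write DIR/NAME.key (encrypted), DIR/NAME.csr and a
# self-signed DIR/NAME.crt. SS_PASS must hold the key passphrase.
make_selfsigned() {
  dir=$1
  name=$2
  [ -n "${SS_PASS:-}" ] || { echo "make_selfsigned: SS_PASS is not set" >&2; return 1; }
  # 1. private key, AES-256 encrypted with the passphrase
  openssl genrsa -aes256 -passout env:SS_PASS -out "$dir/$name.key" "$RSA_BITS" 2>/dev/null || return 1
  # 2. certificate signing request: what you send to the CA if you buy a certificate
  openssl req -new -key "$dir/$name.key" -passin env:SS_PASS \
    -subj "/CN=$name" -out "$dir/$name.csr" 2>/dev/null || return 1
  # 3. self-signed certificate made from the same request, for a private service
  openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
    -passin env:SS_PASS -days 365 -out "$dir/$name.crt" 2>/dev/null || return 1
}

# key_bits KEY: print the RSA modulus size of the encrypted private key
key_bits() {
  openssl rsa -in "$1" -passin env:SS_PASS -noout -text 2>/dev/null |
    sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# cert_cn CRT: print the subject CN ("CN = x" and "/CN=x" forms both handled)
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# csr_ok CSR: succeed if the request's self-signature verifies
csr_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# keypair_matches KEY CRT: succeed if the certificate carries KEY's public key,
# the check to run before pointing a server at a cert/key pair
keypair_matches() {
  k=$(openssl rsa -in "$1" -passin env:SS_PASS -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: SS_PASS=$(apg -n1 -m16 -x16) sh selfsigned.sh /etc/ssl/private ss.example.com
if [ $# -eq 2 ]; then
  make_selfsigned "$1" "$2" &&
    printf '%s bit key, CN=%s\n' "$(key_bits "$1/$2.key")" "$(cert_cn "$1/$2.crt")"
fi
```

The same keypair_matches check is what to run on the certificate a commercial CA sends back: if it fails, the CA signed a different request than the one made from this key.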

FreeBSD(9.2) - PureFTPd

Installing from binary package: If you don't need SSL/TLS, you can install it from the binary package:

root@freebsd:~ # pkg install pure-ftpd

If you need SSL/TLS, you have to install it from ports, because the package is not compiled with SSL support: the TLS option (-Y) is rejected and the binary is not linked against libssl:

root@freebsd:~ # /usr/local/sbin/pure-ftpd -g/var/run/pure-ftpd.pid -A -c50 -B -C8 -D -E -fftp -H -I15 -lpuredb:/usr/local/etc/pureftpd.pdb -L10000:8 -m4 -p30000:50000 -s -U113:002 -u100 -k99 -Z -Y2 -4
pure-ftpd: invalid option -- Y
pure-ftpd: invalid option -- 2
root@freebsd:~ # ldd /usr/local/sbin/pure-ftpd
/usr/local/sbin/pure-ftpd:
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x801239000)
        libpam.so.5 => /usr/lib/libpam.so.5 (0x801458000)
        libc.so.7 => /lib/libc.so.7 (0x80081b000)

Installing from ports: Go to the pure-ftpd directory in the ports tree and run "make install". Don't forget to check the SSL/TLS box:

root@freebsd:~ # cd /usr/ports/ftp/pure-ftpd/
root@fre

Linux: setting attributes based on type of entry (file or directory)

If you have to set attributes on all directories in a tree, you can use 'find' with its '-exec' argument, or find and 'xargs'. If you have a lot of directories, the preferred method is the second one, the one using xargs, because it runs one chmod over many paths instead of forking one chmod per directory:

[root@centos6::/var/www/html]# find . -type d | wc -l
2589
[root@centos6:/var/www/html]# time find . -type d -exec chmod 2775 {} \;
real    0m2.168s
user    0m0.046s
sys     0m0.321s
[root@centos6:/var/www/html]# time find . -type d -print0 | xargs -0 chmod 2775
real    0m0.098s
user    0m0.021s
sys     0m0.078s

The same thing applies to files and, again, the preferred method is the second one:

[root@centos6:/var/www/html]# find . -type f | wc -l
7403
[root@centos6:/var/www/html]# time find . -type f -exec chmod 664 {} \;
real    0m6.081s
user    0m0.070s
sys     0m0.819s
[root@centos6:/var/www/html]# time find . -type f -print0 | xargs -0 chmod 664
real    0m0.106s
user    0m0.024
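As an added example, not from the post: the same per-type chmod using find's POSIX "-exec ... {} +" batching, which, like "-print0 | xargs -0", runs one chmod over many paths but needs neither a pipe nor GNU extensions, followed by the check that every entry really ended up with the requested mode. The modes 2775 and 664 are the post's; the sample tree, with names containing spaces, is constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: batched chmod per entry type with
# find -exec ... {} +, plus an exact-mode verification afterwards.

# set_tree_modes DIR DIRMODE FILEMODE
set_tree_modes() {
  find "$1" -type d -exec chmod "$2" {} +
  find "$1" -type f -exec chmod "$3" {} +
}

# count_wrong_mode DIR TYPE MODE: number of entries of TYPE (d or f) under DIR
# whose mode is not exactly MODE ("-perm MODE" without a leading - is exact)
count_wrong_mode() {
  find "$1" -type "$2" ! -perm "$3" | wc -l | tr -d ' '
}

# make_sample_tree: constructed tree with mixed modes and names with spaces;
# prints its path
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/a/b c/d" "$d/e"
  for f in "$d/x.html" "$d/a/b c/y z.txt" "$d/e/q"; do
    : > "$f"
  done
  chmod 700 "$d/a" "$d/e"
  chmod 600 "$d/x.html" "$d/e/q"
  printf '%s\n' "$d"
}

# Usage: sh tree-modes.sh /var/www/html 2775 664
if [ $# -eq 3 ]; then
  set_tree_modes "$1" "$2" "$3"
  printf 'dirs not %s: %s, files not %s: %s\n' "$2" "$(count_wrong_mode "$1" d "$2")" \
    "$3" "$(count_wrong_mode "$1" f "$3")"
fi
```

Both "-exec {} +" and "-print0 | xargs -0" are safe with any file name; a plain "find | xargs" without -0 is not, since names containing spaces, quotes or newlines get split or misread, which on a web root can mean chmod hitting the wrong path.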

Linux: Using ssh x-forward and su

If you need to open X applications over an ssh session as a different user than the one you logged into the Linux box with, you have to use some tricks. We assume that you have already configured your ssh server to allow X forwarding. There was a time when a wrapper called 'sux' was the way to go, but it is not present on newer Linux distributions or, if it exists, it does not work. If it works for you, good: just run 'sux - username' and you're there. If it does not, you have to use a tool called xauth. First, check which display number is allocated to your session:

[smocanu@centos6 ~]$ env | grep DIS
DISPLAY=centos6:10.0

Second, check the cookie and copy it to the clipboard. Note that xauth lists the display without the trailing screen number (centos6:10, not centos6:10.0):

[smocanu@centos6 ~]$ xauth list | grep :10
centos6:10  MIT-MAGIC-COOKIE-1  35cc31782e3241e9e5cccad758h5a99c

Now you can switch user with sudo/su and set up the authorization entry for the new user, in this case root:

[smocanu@c
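As an added example, not code from the post: a small script that picks the xauth entry belonging to the current forwarded display and prints the two commands to run in the new user's shell. The part that usually goes wrong is handled here: $DISPLAY carries a screen suffix (centos6:10.0) that "xauth list" does not print (centos6:10), and on newer OpenSSH the entry may be listed as "host/unix:10" while DISPLAY says localhost:10.0 (an assumption beyond what the post shows). The listing and cookies it is tested with are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: match $DISPLAY against
# "xauth list" output and emit the xauth add / export DISPLAY commands for
# the user you switch to with su or sudo.

# xauth_entry DISPLAY: read "xauth list" output on stdin and print the entry
# for DISPLAY with its ".screen" suffix removed; also accepts the
# "host/unix:N" form OpenSSH uses for localhost displays (assumption)
xauth_entry() {
  key=${1%.*}
  num=${key##*:}
  awk -v key="$key" -v num="$num" \
    '$1 == key || $1 ~ ("/unix:" num "$") { print; exit }'
}

# xauth_add_cmds DISPLAY: print the commands for the target user's shell;
# refuses anything but a 128-bit hex MIT-MAGIC-COOKIE-1, the only protocol
# ssh X forwarding installs
xauth_add_cmds() {
  entry=$(xauth_entry "$1")
  [ -n "$entry" ] || { echo "xauth_add_cmds: no entry for $1" >&2; return 1; }
  set -- "$1" $entry     # $1 display, $2 listed name, $3 protocol, $4 cookie
  [ "$3" = MIT-MAGIC-COOKIE-1 ] || { echo "xauth_add_cmds: unexpected protocol $3" >&2; return 1; }
  [ "${#4}" -eq 32 ] || { echo "xauth_add_cmds: cookie is not 128 bits" >&2; return 1; }
  case "$4" in
    *[!0-9a-f]*) echo "xauth_add_cmds: cookie is not hex" >&2; return 1 ;;
  esac
  printf 'xauth add %s %s %s\n' "$2" "$3" "$4"
  printf 'export DISPLAY=%s\n' "$1"
}

# Usage, before switching user: xauth list | sh xauth-cmds.sh "$DISPLAY"
if [ $# -eq 1 ]; then
  xauth_add_cmds "$1"
fi
```

Paste the two printed lines into the root (or other user) shell after su; the cookie grants that user the same access to your X session as you have, so do not leave it in shell history on shared hosts.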

Linux: moving moov atom index to the beginning of the file

If you have a streaming server, in my case nginx, and your webmaster tells you that the movies do not start playing until the browser has finished buffering them, most likely there is a problem with your video files. To be more specific, the moov atom (the index) is missing or it is at the end of the file. In the second case, where the moov atom is at the end of the file, you can fix it in a few ways. The first is ffmpeg, with -c copy so that the streams are remuxed rather than re-encoded:

[root@centos6 ~]# ffmpeg -i movie.mp4 -c copy -movflags faststart movie-fixed.mp4

The second, the preferred way, is MP4Box:

[root@centos6 ~]# MP4Box -add movie.mp4 -isma movie-index.mp4

If you need to automate this, you can use something like this (globbing directly instead of parsing ls, so file names with spaces survive, and stripping only the .mp4 suffix):

[root@centos6 ~]# for m in *.mp4; do MP4Box -add "$m" -isma "${m%.mp4}-fixed.mp4"; done
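As an added example, not from the post: a way to check, with POSIX tools only, whether a file's moov atom really precedes its mdat atom, so you can see before and after MP4Box or ffmpeg whether the fix took, and a loop that only rewrites the files that need it. The two sample files are constructed here as minimal box sequences, not real videos; MP4Box and the "-fixed" naming follow the post.

```shell
#!/bin/sh
# Added example, not from the original post: list the top-level MP4 boxes
# ("atoms") of a file and decide whether moov comes before mdat.

# mp4_boxes FILE: print the type of each top-level box in file order.
# Box header: 4-byte big-endian size, 4-byte type; size 1 means a 64-bit size
# follows the type, size 0 means "to end of file".
mp4_boxes() {
  f=$1
  total=$(wc -c < "$f" | tr -d ' ')
  off=0
  while [ "$off" -lt "$total" ]; do
    set -- $(od -An -tu1 -j "$off" -N 4 "$f")
    [ $# -eq 4 ] || { echo "mp4_boxes: truncated header at $off" >&2; return 2; }
    size=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    type=$(dd if="$f" bs=1 skip=$((off + 4)) count=4 2>/dev/null)
    hdr=8
    if [ "$size" -eq 1 ]; then
      set -- $(od -An -tu1 -j $((off + 8)) -N 8 "$f")
      [ $# -eq 8 ] || { echo "mp4_boxes: truncated largesize at $off" >&2; return 2; }
      size=$(( ($1 << 56) | ($2 << 48) | ($3 << 40) | ($4 << 32) | ($5 << 24) | ($6 << 16) | ($7 << 8) | $8 ))
      hdr=16
    elif [ "$size" -eq 0 ]; then
      size=$((total - off))
    fi
    # a box must hold at least its header and must not run past the file end
    [ "$size" -ge "$hdr" ] && [ $((off + size)) -le "$total" ] ||
      { echo "mp4_boxes: bad box size $size at offset $off" >&2; return 2; }
    printf '%s\n' "$type"
    off=$((off + size))
  done
}

# moov_before_mdat FILE: succeed if the index (moov) precedes the media data
# (mdat); return 2 if either box is missing or the layout is unreadable
moov_before_mdat() {
  boxes=$(mp4_boxes "$1") || return 2
  moov=$(printf '%s\n' "$boxes" | grep -n '^moov$' | head -n 1 | cut -d: -f1)
  mdat=$(printf '%s\n' "$boxes" | grep -n '^mdat$' | head -n 1 | cut -d: -f1)
  [ -n "$moov" ] && [ -n "$mdat" ] || return 2
  [ "$moov" -lt "$mdat" ]
}

# fix_tree DIR: run MP4Box, as the post does, on every .mp4 in DIR that is not
# already fast-start; quoting and "${m%.mp4}" keep names with spaces intact
fix_tree() {
  for m in "$1"/*.mp4; do
    [ -f "$m" ] || continue
    if moov_before_mdat "$m"; then
      continue
    fi
    MP4Box -add "$m" -isma "${m%.mp4}-fixed.mp4"
  done
}

# Constructed samples: ftyp + mdat + moov (index last) and ftyp + moov + mdat.
# Each box is 4 size bytes written as octal escapes followed by its 4-char type.
write_sample_moov_last() {
  {
    printf '\000\000\000\020ftypisom\000\000\000\000'   # ftyp, 16 bytes
    printf '\000\000\000\014mdatABCD'                   # mdat, 12 bytes
    printf '\000\000\000\010moov'                       # moov, 8 bytes, empty
  } > "$1"
}
write_sample_faststart() {
  {
    printf '\000\000\000\020ftypisom\000\000\000\000'
    printf '\000\000\000\010moov'
    printf '\000\000\000\014mdatABCD'
  } > "$1"
}

# Usage: sh mp4check.sh movie.mp4  (prints the box order and a verdict)
if [ $# -eq 1 ]; then
  mp4_boxes "$1" | tr '\n' ' '; echo
  if moov_before_mdat "$1"; then echo "fast start: yes"; else echo "fast start: no"; fi
fi
```

Real files usually show "ftyp free mdat moov" before the fix and "ftyp moov mdat" (or with a free box in between) after it; the check reads only the box headers, so it is cheap enough to run over a whole media directory.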

JunOS - mount USB stick

There are times when you have to use a USB stick to copy files to or from a Juniper router/switch. Fortunately it will not be very frequent, but there will be a time when you need it. JunOS being a UNIX (FreeBSD) based OS, you have to identify and mount the attached device. First, check the device name so you can identify it in /dev:

smocanu@j2350> show log messages | match mass
May 16 15:25:45  j2350 /kernel: umass0: Kingston DataTraveler SE9, rev 2.00/1.00, addr 2
May 16 15:25:46  j2350 /kernel: da0 at umass-sim0 bus 0 target 0 lun 0

Then verify the partition number; usually it is the first one:

smocanu@j2350> start shell
% ls -las /dev/da0
/dev/da0 /dev/da0s1

Now you can mount your USB stick:

% mkdir /var/tmp/usb
% mount_msdosfs /dev/da0s1 /var/tmp/usb

Once your USB stick is mounted, you can copy files to/from it using the /var/tmp/usb path. Do not forget that you have to umount the USB storage before removing it fr

JunOS - logging in on the secondary node of a cluster and copying files between nodes

First of all you have to know that you should be able to log in to a secondary node of a J/SRX cluster using OOB (the out-of-band management interface, fxp0), but if this is not possible you can do it from the primary node. In my case there is a cluster of SRX240H2. You have to log in to the cluster and check its status:

smocanu@srx240h2# run show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no

Redundancy group: 1 , Failover count: 2
    node0                   100         secondary      no       no
    node1                   1           primary        no       no

{primary:node0}[edit]

If you would like to log in to the secondary node from the primary node, you have to make sure that the FAB link(s) is/are up and then you have to ru

Starting my blog

Lately some of my friends have decided that they would like to learn IT stuff, and they have asked me a lot of things about operating systems and network protocols. So I have decided to start this blog, in order to keep in one place some of the procedures/commands that I use in my job, so I can provide them to my friends and also come back to check them if needed. I'm not intending to explain the mechanism behind the scenes unless necessary, because there are so many places where you can find it, but I will try to provide a reference link whenever possible, so you can check and analyze it further.