Posts

Showing posts from June, 2014

Cisco: Authenticating with SSH public key on Cisco IOS devices

Using SSH public keys to authenticate on a Cisco IOS device

The preferred way to authenticate on a network device is using an SSH key. If you don't have an SSH key already, take a look at the steps to generate a new key here. After the key is available, you have to connect to your Cisco device and install it. But, first of all, you need to make sure that SSH is enabled on your device.

1st Step - Enable SSH

To enable SSH on your device, you have to define the domain name and hostname of the device. You also need to generate the host keys and, finally, enable SSH:

    Router> ena
    Router# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)# ip domain-name johnyc20.blogspot.ro
    Router(config)# hostname bucharest
    bucharest(config)# crypto key generate rsa
    The name for the keys will be: bucharest.johnyc20.blogspot.ro
    Choose the size of the key modulus in the range of 360 to 4096 for your
      General Purpose Keys. Choosing a key m...

SSH: Generating and using SSH keys

One of the preferred methods of authentication on network devices is using SSH with an SSH public key. In order to be able to authenticate yourself, you have to generate an SSH key pair. An SSH key is composed of two parts: one private key (which should remain "private" and should also be password protected) and one public key, which should be installed on the SSH server in order to authenticate you.

SSH client on Linux:

In order to generate an SSH key pair on Linux, you will need to use the "ssh-keygen" tool, which is a part of the "openssh-client" package on Debian-like operating systems:

    smocanu@debian7:~$ dpkg -S $(which ssh-keygen)
    openssh-client: /usr/bin/ssh-keygen

or a part of the "openssh" package on RedHat-like operating systems:

    smocanu@centos6 ~$ rpm -qf $(which ssh-keygen)
    openssh-5.3p1-94.el6.x86_64

The generating process is quite simple: just run the "ssh-keygen" command, and it will ask you the location of the new key ...

Linux: Versioning the /etc/ configurations using 'etckeeper'

One of the most important things for an administrator is to keep track of changes. The preferred way to do that is to use a configuration management system, like 'cfengine', 'puppet', 'chef', 'ansible' or, you name it. Even so, you should still be able to see exactly what was changed on your system and when. I'm using 'etckeeper' to do that and I think it is very useful. The most important Unix distributions include this software and you can install it by using your favorite package manager. On CentOS6, you can run:

    [root@centos6 ~]# yum install etckeeper

After installing, at least on CentOS, you have to initialize the repository by running:

    [root@centos6 ~]# etckeeper init
    Initialized empty Git repository in /etc/.git/

The last thing is to commit these changes, which means that you will add the entire /etc directory to the repository:

    [root@centos6 ~]# etckeeper commit -m "initial com...

Linux: working with SSL certificates

If you have to enable secure connections to your service(s), you will need to buy a certificate or generate a self-signed certificate for it. If you have to buy one, you have to generate a private key and a certificate request. If you use a self-signed certificate, you will need to generate a private key, a request and a public certificate. You can do that by using the 'openssl' tool. First of all, you have to generate a password; I usually use 'apg':

    smocanu@debian7:~$ apg -n1 -m8 -x8 -t
    tiWiejTo (ti-Wiej-To)

After that we are ready to generate the private key; this one should be kept safe, and no one else should have it. I'm generating a 512-bit RSA certificate:

    smocanu@debian7:~$ openssl genrsa -des3 -out ss.example.com.key 512
    Generating RSA private key, 512 bit long modulus
    ........................++++++++++++
    ...................++++++++++++
    e is 65537 (0x10001)
    Enter pass phrase for ss.example.com.key:
    Verifying - Ent...

FreeBSD(9.2) - PureFTPd

Installing from binary package:

If you don't need to use SSL, you can install it from the binary package:

    root@freebsd:~ # pkg install pure-ftpd

If you need to use SSL, you have to install it from ports, because the package is not compiled with SSL support:

    root@freebsd:~ # /usr/local/sbin/pure-ftpd -g/var/run/pure-ftpd.pid -A -c50 -B -C8 -D -E -fftp -H -I15 -lpuredb:/usr/local/etc/pureftpd.pdb -L10000:8 -m4 -p30000:50000 -s -U113:002 -u100 -k99 -Z -Y2 -4
    pure-ftpd: invalid option -- Y
    pure-ftpd: invalid option -- 2
    root@freebsd:~ # ldd /usr/local/sbin/pure-ftpd
    /usr/local/sbin/pure-ftpd:
            libcrypt.so.5 => /lib/libcrypt.so.5 (0x801239000)
            libpam.so.5 => /usr/lib/libpam.so.5 (0x801458000)
            libc.so.7 => /lib/libc.so.7 (0x80081b000)

Installing from ports:

Go to the pure-ftpd directory in the ports tree and run "make install". Don't...

Linux: setup attributes based on type of entry(file or directory)

If you have to set attributes on all directories in one tree, you can use 'find' and its 'exec' argument, or 'find' and 'xargs'. If you have a lot of directories, the preferred method is the second one, the one that uses xargs:

    [root@centos6::/var/www/html]# find . -type d | wc -l
    2589
    [root@centos6:/var/www/html]# time find . -type d -exec chmod 2775 {} \;
    real    0m2.168s
    user    0m0.046s
    sys     0m0.321s
    [root@centos6:/var/www/html]# time find . -type d -print0 | xargs -0 chmod 2775
    real    0m0.098s
    user    0m0.021s
    sys     0m0.078s

The same thing can be applied to files and, again, the preferred method is the second one:

    [root@centos6:/var/www/html]# find . -type f | wc -l
    7403
    [root@centos6:/var/www/html]# time find . -type f -exec chmod 664 {} \;
    real    0m6.081s
    user    0m0.070s
    sys     0m0.819...

Linux: Using ssh x-forward and su

If you need to open X applications over an SSH session as a different user than the one you used to log in to the Linux box, you have to use some tricks. We are assuming that you have already configured your SSH server to allow X forwarding. There was a time when a wrapper called 'sux' was the way to go, but now it is not present on newer Linux distributions or, if it exists, it is not working. If it works for you, that's good: you just have to run 'sux - username' and you're there. If it is not working, you have to use a tool called xauth. First, check what display number is allocated for your session:

    [smocanu@centos6 ~]$ env | grep DIS
    DISPLAY=centos6:10.0

Second, check the cookie ID and put it into the clipboard:

    [smocanu@centos6 ~]$ xauth list | grep :10
    centos6:10  MIT-MAGIC-COOKIE-1  35cc31782e3241e9e5cccad758h5a99c

Now you can switch your user using sudo/su and set up your authorization entry for this new user, in this case, for root:

    [smocanu@c...

Linux: moving moov atom index to the beginning of the file

If you have a streaming server, in my case nginx, and your webmaster is telling you that the movies do not start playing until the browser has finished buffering them, most likely there is a problem with your video files. To be more specific, your moov atom index is missing or it is at the end of the file. If you're in case two, where the moov atom index is at the end of the file, you can fix it in a few ways. The first way is using ffmpeg:

    [root@centos6 ~]# ffmpeg -i movie.mp4 -movflags faststart movie-fixed.mp4

The second one, the preferred way, is using MP4Box:

    [root@centos6 ~]# MP4Box -add movie.mp4 -isma movie-index.mp4

If you need to automate this fixing process, you can use something like this:

    [root@centos6 ~]# for m in *.mp4; do MP4Box -add "${m}" -isma "${m%.*}-fixed.mp4"; done