Articles

Adventures in Red Hat Enterprise Linux, CentOS, Fedora, OpenBSD and other open source solutions.

Using SSH is not so secure as we expect it to be

It seems there are some negative reports related to the usage of SSH lately:

My faith in SSH as a protocol is huge, but reconsidering the usage of SSH might be a good idea, although there are not many alternatives at the moment.

Using rsync from cron with ssh keys that have a passphrase

It took me some time to figure this one out, as everybody is using rsync and ssh-keys without passphrases, but I insist that an ssh-key should have a passphrase.

In my first attempts I got this error message mailed to me by crontab:

Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

Here are the steps to automate a backup initiated from crontab using rsync, SSH and ssh-keys with a passphrase:

  1. Make a set of SSH keys.
  2. Set up SSH to use the agent automatically.
  3. Log in once as the user whose cron will run the backup script. You will be asked for a passphrase. When the machine reboots, you will need to log in once more to enter the passphrase again.
  4. Make a backup script that includes some SSH variables.
     This script could be as simple as this:
     . /home/username/.ssh/variables
     rsync -avz --delete /data/ example.com:data

     N.B. This variables file only contains these lines:
     SSH_AUTH_SOCK=/tmp/ssh-DmFcb18036/agent.18036; export SSH_AUTH_SOCK;
     SSH_AGENT_PID=18037; export SSH_AGENT_PID;
     echo Agent pid 18037;
  5. Put that script in crontab.

That should do it for you, as it works like a charm for me!
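A cron-friendly version of the same idea, added here as an example and not the author's own script: it reads the agent variables from the file described above without sourcing it, and checks that the agent is still alive and holds a key before calling rsync, so a reboot produces a clear message in the cron mail instead of the bare "Permission denied" above. The paths (/home/username/.ssh/variables, /data/, example.com:data) are the article's; the function names and the script name backup.sh are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own script. Runs the article's rsync job
# from cron against an ssh-agent that was started at interactive login, and
# fails with a clear message when that agent is gone (e.g. after a reboot).
# Assumed: the variables file holds the ssh-agent output quoted in the
# article; the script is installed as backup.sh.

VARS_FILE="${VARS_FILE:-/home/username/.ssh/variables}"

# Print the value of variable $2 (SSH_AUTH_SOCK or SSH_AGENT_PID) from the
# agent output in file $1, without sourcing the file (so its "echo" never runs).
agent_var() {
    sed -n "s/^$2=\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# Exit status 0 only when the saved socket exists and the agent behind it
# lists at least one loaded identity (ssh-add -l returns 0 in that case).
agent_ready() {
    sock=$(agent_var "$1" SSH_AUTH_SOCK)
    [ -n "$sock" ] && [ -S "$sock" ] || return 1
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1
}

run_backup() {
    if ! agent_ready "$VARS_FILE"; then
        # cron mails stderr, so this replaces the bare "Permission denied".
        echo "no usable ssh-agent in $VARS_FILE; log in once to load the key" >&2
        return 1
    fi
    SSH_AUTH_SOCK=$(agent_var "$VARS_FILE" SSH_AUTH_SOCK)
    export SSH_AUTH_SOCK
    rsync -avz --delete /data/ example.com:data
}

# Run the backup only when executed as backup.sh (not when sourced).
case "${0##*/}" in
    backup.sh) run_backup ;;
esac
```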

Allowing a group to execute a specific command without using a password using sudo

So you have a user (or a group of users) on your Linux machine and want them to be able to execute something specific that normally can only be done by root or some other privileged user? Use sudo to solve your problem.

Open the sudoers file using visudo.
Append this line:

%groupname     ALL= NOPASSWD: /your/command -o with -o options -o and arguments like this

This allows members of the group "groupname" to execute "/your/command", but only with the specified options and arguments. NOPASSWD tells sudo not to ask for a password. Now the user can type:

$ sudo /your/command -o with -o options -o and arguments like this

Make OpenSSH logins 14 times faster!

Here is a trick to speed up your login to servers. It only works when you log in to a box for the second time, so you might stop reading now, but logging in again on a box actually happens frequently on an average day for me.

First, let's measure the time without any changes to SSH.

$ time ssh host ":"
real 0m0.573s
user 0m0.004s
sys 0m0.005s

Now let's modify ~/.ssh/config with these lines on top:

ControlMaster auto
ControlPath /tmp/ssh-%r@%h:%p

And measure again:

$ ssh host ":"
$ time ssh host ":"
real 0m0.039s
user 0m0.004s
sys 0m0.004s

Wow, that is an improvement of more than 14 times! Be aware that this does not speed up SSH itself, it only speeds up the login process, but it is always good to see speed improvements. Also be aware that your first SSH connection to a certain box will not be faster; only "recycled" connections (the second time and later) are faster.
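The same ControlMaster setup as an added example (not from the original post), with two additions a practitioner would want: the control sockets live in a mode 0700 directory under ~/.ssh rather than in /tmp, and ControlPersist keeps the master alive after the first session ends, so later logins still take the fast path. The function names install_mux_config, mux_check and mux_exit are assumptions.

```shell
#!/bin/sh
# Added example (not the original post's configuration).
# install_mux_config: append a connection-sharing block to ~/.ssh/config
# and create a private directory for the control sockets.
# Assumed: $1 is the home directory to configure; defaults to $HOME.

install_mux_config() {
    home="${1:-$HOME}"
    sockdir="$home/.ssh/sockets"
    cfg="$home/.ssh/config"

    # Only the owner may list or enter ~/.ssh and the socket directory.
    mkdir -p "$sockdir" || return 1
    chmod 700 "$home/.ssh" "$sockdir" || return 1

    # Idempotent: the marker comment means the block is already present.
    if [ -f "$cfg" ] && grep -q '^# ssh-mux-example' "$cfg"; then
        return 0
    fi

    # A "Host *" block gives defaults; ssh takes the first match for each
    # option, so host-specific entries earlier in the file still win.
    # The subshell keeps the restrictive umask from leaking into the caller.
    (
        umask 077
        cat >> "$cfg" <<EOF
# ssh-mux-example
Host *
    ControlMaster auto
    ControlPath $sockdir/%r@%h:%p
    ControlPersist 10m
EOF
    )
}

# Exit status 0 when a master connection for host $1 is alive (ssh -O check).
mux_check() {
    ssh -O check "$1" >/dev/null 2>&1
}

# Ask the master for host $1 to exit, e.g. before leaving a shared workstation.
mux_exit() {
    ssh -O exit "$1" >/dev/null 2>&1
}
```

Run mux_check host after the first login to confirm the master is up; mux_exit host closes it explicitly rather than waiting for ControlPersist to expire.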

Files related to network configuration in OpenBSD

Setting up a network interface, its routes, name resolution and so on can be complicated when you don't know your way around OpenBSD. You will see it's not difficult at all to set up or change the network configuration of a box once you know about the existence of these files and man pages.

  • /etc/hostname.if - This is where you set the IP address, netmask and broadcast address of the interface. Replace "if" with the name of the network interface, like sk0, sis1, etc. You can determine the available network interfaces using the command ifconfig(8). Check the man page hostname.if(5) for more details. One example of what you could find in a hostname.if file: inet 192.168.1.1 255.255.255.0 192.168.1.255, or just dhcp if you want to use DHCP. When you are using DHCP, you don't need to read the rest; you are done!
  • /etc/mygate - The default route to the internet. One IP address (IPv4 or IPv6) that lets the TCP/IP stack know where to send non-local traffic.
  • /etc/myname - The hostname of the system in the longest form, including domain and top-level domain, like host1.example.com. Normally you will also find this name and its IP address in /etc/hosts (see below).
  • /etc/hosts - The manual resolver. Don't use this too much; better rely on DNS to resolve hostnames to IP addresses and the other way around. But it's common to at least put the hostname and localhost in /etc/hosts. One example line would be: 192.168.1.1 host1.example.com host1
  • /etc/resolv.conf - The system needs to know how it can resolve names to IP addresses, and this is the file for that. It contains a few items, like domain example.com. This tells the resolver that all hostnames you look up without a top-level domain are relative to example.com. If you would like to add more "local domains", you can use the search otherexample.com thirdexample.com directive. Do take care not to add too many domains; it becomes confusing which host you are connecting to. The most important item is to tell the resolver which nameservers to use. Each nameserver it may use has its own line, like this: nameserver 192.168.1.2.

Well, you should be able to configure the network cards on your OpenBSD machine now.

Sometimes you will find additional configuration in /etc/rc.local, like an extra route to your VPN network. OpenBSD does not provide a dedicated place for these extra parameters, so adding them to /etc/rc.local is a good, but not very generic, option.

Tricks you can do using the command cd (Change Directory)

The command cd, which changes the working directory, seems like the simplest command there is. Guess what: there are a few tricks you can use to navigate a filesystem faster.

command           explanation
cd                Go to the home directory.
cd -              Go back to the previous directory.
cd -P /directory  Go to the physical directory: resolve all symbolic links to what they point to.
cd -L /directory  Go to /directory using the logical path, keeping symbolic links in the path as they are. This is the default behaviour.

Here is a demonstration of the -P and -L behaviour:

$ cd /tmp ; mkdir test
$ ln -s test symlink
$ cd symlink ; pwd
/tmp/symlink
$ cd -P ../symlink ; pwd
/tmp/test

Script to rotate some logfiles

Here is a small script to find files named "access_log" or "error_log" that are larger than 1 megabyte. It rotates each such file to .1, .2, .3, etc.

#!/bin/sh
# Rotate access_log/error_log files larger than 1 MB under each virtual host
# and restart Apache only if at least one file was rotated.

moved=$(mktemp)   # marker file: becomes non-empty once a log has been rotated

for type in access_log error_log ; do
  find /var/www/virtualhosts/*/logs -size +1024k -a -name "$type" | while read -r file ; do
    # Shift .8 -> .9, .7 -> .8, ... .1 -> .2; the old .9 is dropped.
    for number in 9 8 7 6 5 4 3 2 ; do
      prev=$((number-1))
      if [ -f "$file.$prev" ] ; then
        mv "$file.$prev" "$file.$number"
      fi
    done
    mv "$file" "$file.1" && echo rotated >> "$moved"
  done
done

if [ -s "$moved" ] ; then
  /usr/sbin/apachectl restart
fi
rm -f "$moved"

Small Linux(-like) capable devices

For about a year my interest has been raised in small devices (a bit like appliances) that are capable of running Linux or OpenBSD. I used to have a Soekris 4801, but after lightning struck it, I had to throw it away.

Since that lightning strike, I have looked at devices that seem capable of replacing the Soekris 4801. That is not very easy, as the Soekris 4801 had three network ports, a serial port, a casing around it, a USB port and a Compact Flash slot. Here are some alternatives:

  • Linksys WRT54GL (€ 40,-) is a very cheap, quite capable device. Wide support could make this a great piece of hardware. OpenWRT can be installed on it, but it has no expandable local storage or USB.
  • PC Engines ALIX 2c3 (€ 125,-) is a device almost similar to the Soekris!
  • Beagleboard (€ 125,- without casing) is a device that is powered over USB (or an alternative source), has an SD card to store data on, and has DVI-D, audio, S-video and some other connections. Very nice, but no network card... (sure, there are USB adapters that could be used.)
  • Soekris 5501 (€ 225,-) is the best replacement for my old Soekris, but it's also the most expensive.

The PC Engines ALIX 2c3 seems to be the best alternative for a reasonable price. Let's go for it; I'll let you know how it worked out.

Compare Google and Cuil search engines

Okay, so most of you have heard of Cuil, the new search engine designed by former Google employees. How does Cuil compare to Google? I can't imagine there is a better tool than Google...

The interface

Looks great, and the black page actually saves energy. There is not a lot to see, just 2 links: About Cuil and Your Privacy.
In the "About" section Cuil claims to be the biggest search engine. How could that be?

The search results are neatly presented, looks great!

The search results

At first glance: perfect! But when searching for a PXE problem I experienced lately, the results are disappointing: no relevant results found.
When searching for my own name, it presents me an "Explore by Category" box about "Field Marshals Of Nazi Germany"! Come on, that's not even close. In fact, on the first page it displays 11 suggestions, of which only 4 are relevant (36%). Google shows 10 results, of which 8 are relevant (80%).

So: it looks great, but displays irrelevant information.

The speed of indexing

Difficult to tell, as the search engine is not very old, but there is some pretty new information to be found.

So, my guess: pretty good, just like Google.

The verdict

Looks promising, but not very accurate at the moment. I will be keeping an eye on this search engine; it could be that it becomes more accurate in the near future.
