Thursday, 25 September 2008

SSH configuration with certificates

Quickly now.....

### /etc/ssh/sshd_config ###
Port 22
Protocol 2
SyslogFacility LOCAL1
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding no
UsePrivilegeSeparation yes
Banner /etc/ssh/banner
Subsystem       sftp    /usr/libexec/openssh/sftp-server

these are openSUSE specifics:
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

### Creating SSH certs ###
(strictly speaking an OpenSSH key pair, not a certificate; "certkeyfile" is just the name used here)
ssh-keygen -b 2048 -t rsa -f certkeyfile

enter a passphrase at the prompt (can be left blank, but then anyone who gets hold of certkeyfile can log in with it)
this will create 2 files: certkeyfile (the private key) and certkeyfile.pub (the public key)
cat certkeyfile.pub >> /home/target_user/.ssh/authorized_keys   (on the server, for the account you want to log in to)

copy certkeyfile to /home/source_user/.ssh/id_rsa   (on the client)

the private key and authorized_keys should be 600 and ~/.ssh 700, all owned by the user. With StrictModes yes, sshd ignores authorized_keys if the file, ~/.ssh or the home directory is group or world writable.
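As an added example (not code from the original post), the two halves of the recipe above as shell functions: an audit of an sshd_config against the hardening directives listed, and a public-key install that sets the modes StrictModes insists on. It also demonstrates a detail worth knowing when you copy a config around: sshd uses the FIRST occurrence of a keyword and ignores later ones, so the duplicated GSSAPI lines are harmless but a permissive line above your hardening line silently wins. The sample configs and the placeholder key are constructed for the demo; Match blocks are assumed absent.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an sshd_config against the
# hardening settings above and installs a public key with safe permissions.
# All paths and sample data below are constructed for the demo.

# effective_value FILE KEYWORD
# sshd applies the first occurrence of a keyword and ignores later ones, so
# report the first match. Keywords are matched case-insensitively. Match
# blocks are not handled (assumption: a flat, global config).
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_sshd_config FILE
# Returns 0 if every directive has the wanted value, 1 otherwise. An unset
# keyword is reported too: sshd's defaults for these vary by version
# (PasswordAuthentication defaults to yes), so set them explicitly.
check_sshd_config() {
    f=$1
    bad=0
    for pair in Protocol=2 PermitRootLogin=no PubkeyAuthentication=yes \
                PasswordAuthentication=no ChallengeResponseAuthentication=no \
                X11Forwarding=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$f" "$key")
        if [ "$got" != "$want" ]; then
            echo "$f: $key is '${got:-unset}', want '$want'" >&2
            bad=1
        fi
    done
    return "$bad"
}

# install_pubkey PUBFILE HOMEDIR
# Appends the key to HOMEDIR/.ssh/authorized_keys unless that exact line is
# already present, and sets ~/.ssh to 700 and authorized_keys to 600, which is
# what sshd checks under StrictModes. (The client-side private key needs 600
# as well; that is not done here.)
install_pubkey() {
    pub=$1
    h=$2
    mkdir -p "$h/.ssh"
    chmod 700 "$h/.ssh"
    touch "$h/.ssh/authorized_keys"
    chmod 600 "$h/.ssh/authorized_keys"
    if ! grep -qxF "$(cat "$pub")" "$h/.ssh/authorized_keys"; then
        cat "$pub" >> "$h/.ssh/authorized_keys"
    fi
}

# --- demo on constructed inputs ---
DEMO=$(mktemp -d)

# Trimmed version of the config above; the duplicate GSSAPIAuthentication line
# is kept on purpose (the first one wins, the second is ignored).
cat > "$DEMO/hardened.conf" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPIAuthentication no
X11Forwarding no
EOF

# A typical distro default: root and passwords allowed, and the hardening line
# for PasswordAuthentication sits BELOW a permissive one, so it never applies.
cat > "$DEMO/weak.conf" <<'EOF'
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding yes
EOF

# Constructed placeholder public key line; not a real key.
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEMOKEY demo@example\n' > "$DEMO/certkeyfile.pub"

for c in hardened weak; do
    if check_sshd_config "$DEMO/$c.conf"; then
        echo "$c.conf: OK"
    else
        echo "$c.conf: deviations found"
    fi
done

# Run twice to show the duplicate-key guard.
install_pubkey "$DEMO/certkeyfile.pub" "$DEMO/target_home"
install_pubkey "$DEMO/certkeyfile.pub" "$DEMO/target_home"
echo "authorized_keys has $(grep -c . "$DEMO/target_home/.ssh/authorized_keys") key(s)"
```

Run it against /etc/ssh/sshd_config on a real host with check_sshd_config /etc/ssh/sshd_config; the weak.conf case shows why the order of directives matters when a distro default already sets PasswordAuthentication.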

Tunneling:

ssh -p <ssh_port> -L <src_port>:hostname:<dest_port> username@ssh_server_host

(local port <src_port> is forwarded through the SSH server to hostname:<dest_port>; hostname is resolved on the server side, so "localhost" there means the SSH server itself. The listener binds to 127.0.0.1 only unless you give a bind address; add -N if you want the tunnel without a shell.)

Thanks for playing :)

Wednesday, 24 September 2008

Solaris Patching

Patching should normally be done in single-user mode (init 1 or init s), with users off the system.

Step by step:
smpatch analyze : print out the patches that should be applied
smpatch download -d /destination : download them into that directory
smpatch update -d /destination : apply them from that directory
smpatch add -x idlist=/filelist-with-updates.txt : add some more patches, IDs listed one per line in the file

Patches that require an immediate reboot are skipped and their IDs are written to /var/sadm/spool/disallowed_patch_list.

When you're ready to apply them, kick everybody off the system, shut down as much as you can, and do
smpatch add -x idlist=/var/sadm/spool/disallowed_patch_list

then reboot, or go back to init 1 and do the full list from there.
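The cycle above as one script, added here as an example (not from the original post): it refuses to apply anything unless the box is in single-user mode, runs analyze/download/update, and keeps the deferred reboot-required list for a second pass. The patch directory under /var/tmp is an assumption, and SMPATCH is overridable so the script can be pointed at a wrapper; the `who -r` lines used to test the run-level parser are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the smpatch procedure as a script
# that insists on single-user mode. /var/tmp/patches is an assumed location.
SMPATCH=${SMPATCH:-/usr/sbin/smpatch}
PATCHDIR=${PATCHDIR:-/var/tmp/patches}
DEFERRED=/var/sadm/spool/disallowed_patch_list   # where smpatch parks skipped patches

# runlevel_of LINE: pull the run level out of a `who -r` line such as
#   "   .       run-level S  Sep 25 09:00     S      0  3"
# Field 3 is the level; S, s and 1 are all single-user.
runlevel_of() {
    set -- $1
    printf '%s\n' "$3"
}

is_single_user() {
    case $(runlevel_of "$(who -r)") in
        S|s|1) return 0 ;;
        *)     return 1 ;;
    esac
}

# apply_patches: analyze, download, then update from the local directory.
# Anything smpatch defers (needs an immediate reboot) ends up in $DEFERRED.
apply_patches() {
    if ! is_single_user; then
        echo "refusing: not in single-user mode (init 1 first)" >&2
        return 1
    fi
    mkdir -p "$PATCHDIR"
    "$SMPATCH" analyze
    "$SMPATCH" download -d "$PATCHDIR"
    "$SMPATCH" update -d "$PATCHDIR"
    if [ -s "$DEFERRED" ]; then
        echo "deferred (reboot required): $(grep -c . "$DEFERRED") patches listed in $DEFERRED" >&2
        echo "apply them with: $0 deferred" >&2
    fi
}

# apply_deferred: second pass for the reboot-required patches. The reboot is
# left to the operator so the script never takes a box down on its own.
apply_deferred() {
    is_single_user || { echo "refusing: not in single-user mode" >&2; return 1; }
    [ -s "$DEFERRED" ] || { echo "nothing deferred"; return 0; }
    "$SMPATCH" add -x idlist="$DEFERRED" && echo "done; reboot now (init 6)"
}

case $1 in
    patch)    apply_patches ;;
    deferred) apply_deferred ;;
    *)        echo "usage: $0 patch|deferred" >&2 ;;
esac
```

Usage: bring the system to init 1, run the script with "patch", and after the normal patches are in, run it again with "deferred" for the reboot-required ones.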

Thanks for playing :)

Saturday, 13 September 2008

Solaris package management

Solaris package management notes...


1. prodreg (GUI front end to the product registry, for installing or uninstalling packages)

2. pkginfo (lists all installed packages: category, package instance, name)

pkginfo -l pkgname (long listing for a package; pkgname is optional, without it all installed packages are shown)

pkginfo -x pkgname (extracted short listing; pkgname is optional, without it all installed packages are shown)

pkginfo -i (fully installed packages only)

pkginfo -p (partially installed packages only)

3. pkgchk -v pkgname (verifies the package's installed files against the install database and lists each file as it is checked; without -v only discrepancies are printed, so a plain pkgchk is a quick integrity check)
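Added example, not from the original post: run pkgchk over every fully installed package and report the ones whose files no longer match the install database, a cheap check for tampering or corruption. The pkginfo listing in the demo is constructed, and PKGINFO/PKGCHK are overridable so the logic can be tried off a Solaris box.

```shell
#!/bin/sh
# Added example, not from the original post: pkgchk every fully installed
# package. PKGINFO/PKGCHK are overridable so the logic can be exercised
# without Solaris; the sample listing below is constructed.
PKGINFO=${PKGINFO:-pkginfo}
PKGCHK=${PKGCHK:-pkgchk}

# pkginsts: read `pkginfo`-style lines ("category pkginst name ...") on stdin
# and print the package-instance column, one per line.
pkginsts() {
    awk 'NF >= 2 { print $2 }'
}

# verify_installed: pkgchk each fully installed package. pkgchk prints only
# discrepancies and exits non-zero when it finds any. Returns the number of
# packages that failed (0 = all clean), capped at 255 for the exit status.
verify_installed() {
    failed=0
    for p in $("$PKGINFO" -i | pkginsts); do
        if ! "$PKGCHK" "$p" >/dev/null 2>&1; then
            echo "MISMATCH: $p (details: pkgchk -v $p)" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -gt 255 ] && failed=255
    return "$failed"
}

# Demo on a constructed listing: which package instances would be checked.
SAMPLE='system      SUNWcsr        Core Solaris, (Root)
system      SUNWcsu        Core Solaris, (Usr)
application SUNWbash       GNU Bourne-Again shell (bash)'
printf '%s\n' "$SAMPLE" | pkginsts
```

On a real host just call verify_installed; it is slow on a full install because pkgchk checksums file contents, so run it from cron or before and after a patch round rather than interactively.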



Thats it for now :)

Wednesday, 10 September 2008

Solaris SMF and other configs

Ok.. SMF is a big thing and looks very neat... so here are some things to remember.

1. Logs from the SMF framework are kept in /var/svc/log/, one file per instance named after the FMRI with the slashes turned into dashes, e.g. svc:/network/ssh:default logs to /var/svc/log/network-ssh:default.log.

2. Useful commands:
svcs -a (prints out all services registered with SMF, including disabled ones)
svcs -x FMRI (explains why a service is not running, with status and additional info)
svcs -l FMRI (long listing: state, log file, dependencies, etc.)
svcs -d FMRI (prints out the services the FMRI depends upon)
svcs -D FMRI (prints out the services that depend upon the FMRI)
svcs -p FMRI (prints out the PIDs belonging to the FMRI)

svcadm disable FMRI (disable a service permanently, persists across reboots)
svcadm disable -t FMRI (temporary: disable until the next reboot)
svcadm disable -s FMRI (synchronous: wait until the service has actually gone to the disabled state before returning)

svcadm enable FMRI (enable a service permanently)
svcadm enable -t FMRI (enable the service for the current session only)
svcadm enable -r FMRI (enable the service and, recursively, everything it depends on)
svcadm enable -s FMRI (synchronous: wait until the service is online or has failed before returning)

svcadm -v refresh FMRI (re-read the service's configuration), svcadm -v restart FMRI (restart it); -v just makes svcadm say what it did

3. Disabling X server login
/usr/dt/bin/dtconfig -d (disable login screen from the next reboot)
/usr/dt/bin/dtconfig -kill (kill the login screen and Xserver NOW)

4. Change the password hashing from traditional crypt to MD5 in /etc/security/policy.conf
CRYPT_DEFAULT=__unix__  to  CRYPT_DEFAULT=md5
Note: existing hashes stay in the old format; each password is only re-hashed with the new algorithm the next time it is changed (passwd), so make users change their passwords afterwards.
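Added example (not from the original post) tying the SMF and policy.conf notes together: a helper that derives the /var/svc/log file for an FMRI, a function that disables a list of services permanently using synchronous disable (-s, so the result can be checked right away with svcs) and a reader for CRYPT_DEFAULT in policy.conf. SVCADM and SVCS are overridable so the logic can be tried off-box; the policy.conf in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: SMF and policy.conf helpers.
# SVCADM/SVCS are overridable for testing; sample data below is constructed.
SVCADM=${SVCADM:-/usr/sbin/svcadm}
SVCS=${SVCS:-/usr/bin/svcs}

# fmri_logfile FMRI
#   svc:/network/ssh:default -> /var/svc/log/network-ssh:default.log
# The svc:/ prefix is dropped and the remaining slashes become dashes. An FMRI
# given without an instance is assumed to mean :default.
fmri_logfile() {
    f=${1#svc:/}
    case $f in
        *:*) ;;
        *)   f="$f:default" ;;
    esac
    printf '/var/svc/log/%s.log\n' "$(printf '%s' "$f" | tr '/' '-')"
}

# disable_services FMRI...
# Permanent disable (no -t) done synchronously (-s) so that the state can be
# confirmed immediately with `svcs -H -o state`. Returns the number of
# services that are still not disabled.
disable_services() {
    left=0
    for s in "$@"; do
        if ! "$SVCADM" disable -s "$s"; then
            left=$((left + 1))
            continue
        fi
        state=$("$SVCS" -H -o state "$s")
        if [ "$state" != disabled ]; then
            echo "$s: state is $state, expected disabled" >&2
            left=$((left + 1))
        fi
    done
    return "$left"
}

# crypt_default FILE: the CRYPT_DEFAULT value from a policy.conf
# (comment lines are skipped; the last assignment wins).
crypt_default() {
    awk -F= '/^[[:space:]]*CRYPT_DEFAULT[[:space:]]*=/ { v=$2; gsub(/[[:space:]]/, "", v) }
             END { print v }' "$1"
}

# --- demo on constructed data ---
DEMO=$(mktemp -d)
printf 'CRYPT_ALGORITHMS_ALLOW=1,2a,md5\nCRYPT_DEFAULT=__unix__\n' > "$DEMO/policy.conf"
echo "ssh log file: $(fmri_logfile svc:/network/ssh:default)"
echo "telnet log file: $(fmri_logfile network/telnet)"
echo "password hash default: $(crypt_default "$DEMO/policy.conf")"
```

On a real system, disable_services svc:/network/telnet:default svc:/network/finger:default turns both off and tells you if either one did not actually reach the disabled state, something a plain svcadm disable (asynchronous) would not.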