Showing posts with label How to. Show all posts

Tuesday, March 7, 2023

Setup SSH Keys with Agent

This guide is for setting up SSH keys with an SSH agent for auto-logging into Linux-based systems. Why set up SSH keys, why not just use your password? SSH keys are considered more secure than using passwords to access systems, because user accounts are authenticated by the server without ever having to send your password over the network. If the passwords are not transmitted then they can't be intercepted. This works by identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. When you set up an SSH agent, the agent will handle the challenge-response authentication for you.

This guide is not for installing or setting up an SSH server. You must have the sshd service running on your system in order to follow along with this guide. All the examples are taken from a Red Hat system. In the following examples, earth is the name of the local system and moon is the remote system.

Create your key pair

The ssh-keygen command will generate a public and private key pair. The keys will be stored in the user's home directory by default, under the path ~/.ssh/. The basic command looks like this: ssh-keygen -t [dsa|rsa]. The -t option sets the type of key used. In the example below I create an rsa key pair. This command also sets the passphrase; think of this like setting a password. Make sure you remember the passphrase because you will use it instead of the password for logging into the remote system (moon).
man@earth> ssh-keygen -t rsa
Enter file in which to save the key (/home/man/.ssh/id_rsa): Press [Enter] key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/man/.ssh/id_rsa.
Your public key has been saved in /home/man/.ssh/id_rsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01

It is important to protect your private key, so don't share it.

Note- Do not leave the passphrase blank. Doing this is a bad security practice, because this defeats the purpose of having the extra security of SSH keys. This will make the system less secure. If you have done this just rerun the command and add a passphrase. 

Install Public Key on Remote Host

You install the public SSH key by copying or appending it to the authorized_keys file on a remote host. This file is also located in the user's home directory, under ~/.ssh/. For most systems you can use the ssh-copy-id command, which I cover in Method 1. I will show a workaround, in Methods 2 & 3, if the ssh-copy-id command is not available.

Method 1 - Use The ssh-copy-id Command

The easiest way to install the public key on a remote SSH server is to use the ssh-copy-id command. To use the command type "ssh-copy-id <remote host>". This command appends the public key to the authorized_keys file on the remote host. If the file doesn't exist it will be created.
In the example below "moon" is the name of the remote host.
man@earth> ssh-copy-id moon
Now try logging into the machine, with "ssh 'remote-host'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

This is the best way to copy over the public key, because ssh-copy-id will create the .ssh/authorized_keys file if it doesn't exist. The command also appends the public key to the authorized_keys file, whereas other methods may overwrite the file. This allows the account to use keys from more than one system.

Note- This method will not work on some systems, such as Solaris 10.

Method 2 - Manually Copy the Key File

This method uses the scp command to copy the public key to the remote server. Before the ssh-copy-id command came about, this was the way it was done. The key file will fail to copy to the system if .ssh/authorized_keys doesn't exist. If this happens just log in with your password, create the file and try again. The main downside to this method is that it overwrites the authorized_keys file.
man@earth> scp ~/.ssh/id_rsa.pub moon:~/.ssh/authorized_keys

Alternately you can get around this by doing this instead. The command below mimics what the ssh-copy-id command does. It creates the .ssh directory if it doesn't exist and appends the contents of the key to the authorized_keys file.
man@earth> cat ~/.ssh/id_rsa.pub | ssh man@moon "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Method 3 - If You Automount Your Home Directory

If your home directory automounts across a lot of servers then you can just append the contents of the public key to the authorized_keys file. This method can be a lot faster than the other methods. For example, if you have 100 hosts you need to connect to, you just need to run the command once to connect to all of them. Instead of running 100 copy commands you just run one. Again, this will only work if the hosts you're connecting to automount the same home directory that the SSH keys are on.

You can copy it over with the cat command.
man@earth> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
The other methods will still work if you prefer them to this one. 
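The append that the second command in Method 2 and the command in Method 3 perform, written out as an added example (not from the original post) that also sets the permissions sshd expects and skips a key that is already installed. It is meant to run on the host that holds authorized_keys; the function name install_pubkey and its arguments are assumptions.

```bash
# Constructed example; install_pubkey and its arguments are names chosen here,
# not part of OpenSSH or of the original post.
# Usage: install_pubkey PUBKEY_FILE [HOME_DIR]
install_pubkey() {
    pub="$1"
    home="${2:-$HOME}"
    auth="$home/.ssh/authorized_keys"

    # A public key is one line that starts with its type (ssh-rsa, ssh-ed25519,
    # ecdsa-sha2-...). Anything else, such as a private key file, is refused.
    key=$(head -n 1 "$pub") || return 1
    case "$key" in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo "install_pubkey: $pub is not a public key" >&2; return 2 ;;
    esac

    # With StrictModes (the sshd default) keys are ignored when ~/.ssh or
    # authorized_keys is writable by anyone but the owner.
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh" || return 1
    touch "$auth" || return 1
    chmod 600 "$auth" || return 1

    # Rerunning must not add the same key twice.
    if grep -qxF -- "$key" "$auth"; then
        return 0
    fi

    # If the last existing entry lacks a newline, add one so the new key
    # starts on its own line instead of corrupting that entry.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}
```

With an automounted home directory, `install_pubkey ~/.ssh/id_rsa.pub` run once on earth covers every host that mounts that home.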

Setting up the SSH Agent



At this point, when you log in to a remote host you get prompted for the SSH passphrase instead of the password. To automate the login process it is recommended to set up an SSH agent. Luckily, setting up an SSH agent is easy. The agent holds the passphrase for the user and then presents the passphrase when prompted.

There are some things you need to consider when running an SSH agent. If a GUI is installed on the system, such as GNOME, then the window manager may run the agent for you. This is by far the easiest way to set up an agent. If the system window manager handles SSH keys then you get prompted with a GUI text box for a passphrase the first time you try to SSH to a remote host. If you enter the passphrase, the GUI will run the SSH agent for you, system wide, for the user currently logged into that account. This lasts until the system is rebooted or the user logs out.

You can also run the agent from within a terminal or shell. When you run an agent from the terminal it will only work from that terminal and not system wide like it does if the GUI manages the agent.

To start an SSH agent in a terminal run the commands shown below.
man@earth> eval `ssh-agent`
man@earth> ssh-add
Enter passphrase for /home/man/.ssh/id_rsa:
Identity added: /home/man/.ssh/id_rsa (/home/man/.ssh/id_rsa)

Note- Add these commands to the .bashrc file to start an agent automatically when you open a terminal emulator. 

If you use VNC, just start your VNC server session in the same terminal you used to start your agent. This way all the terminal emulators launched in your VNC session will use the same agent.


SSH Agent Management

One issue with agents is that sometimes you end up running a lot of agents. This is because the agent doesn't stop running when the terminal closes. You need to run the command below and kill any agents that you are not using.

man@earth> ps aux | grep agent
If there is more than one agent running then you should kill the additional ssh-agent.

man@earth> pkill ssh-agent
This will only kill agents owned by the user running the command.

One way to kill your ssh-agents is to add a kill statement to the .bash_logout file.
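One way to combine the .bashrc note and the clean-up advice above so that terminals share a single agent instead of each starting a new one (an added example, not from the original post; the agent.env path and the function names are assumptions):

```bash
# Constructed example for ~/.bashrc. AGENT_ENV and the function names are
# assumptions made for this sketch; they do not come from the original post.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# True when the agent named by SSH_AUTH_SOCK answers.
# "ssh-add -l" exits 0 (keys loaded), 1 (agent has no keys) or 2 (no agent).
agent_reachable() {
    ssh-add -l >/dev/null 2>&1
    [ $? -lt 2 ]
}

# Reuse the agent recorded in AGENT_ENV; start a new one only if none answers.
ensure_agent() {
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null
    fi
    if ! agent_reachable; then
        # umask 077 keeps the saved socket path and PID private to this user.
        (umask 077; ssh-agent -s > "$AGENT_ENV") || return 1
        . "$AGENT_ENV" >/dev/null
    fi
    # Prompt for the passphrase only when the agent holds no key yet.
    ssh-add -l >/dev/null 2>&1 || ssh-add
}

# Print the PIDs of ssh-agent processes other than the one to keep.
# stdin: "PID COMMAND" lines, as printed by: ps -u "$USER" -o pid= -o comm=
surplus_agents() {
    awk -v keep="${1:-}" '$2 == "ssh-agent" && $1 != keep { print $1 }'
}

# For ~/.bash_logout: stop every agent of this user except the shared one.
kill_surplus_agents() {
    ps -u "$(id -un)" -o pid= -o comm= |
        surplus_agents "${SSH_AGENT_PID:-}" |
        while read -r pid; do kill "$pid"; done
}

# Only interactive shells need an agent.
case $- in
    *i*) ensure_agent ;;
esac
```

Calling kill_surplus_agents from .bash_logout leaves the shared agent running for the other terminals; `ssh-agent -k` stops that one when it is no longer needed.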

Reference Section
Manpage ssh-copy-id





Tuesday, April 4, 2017

Manually Update Plugins on a Nessus Scanner (Windows)

I had an issue the other day with one of my Nessus Vulnerability Scanners which is being managed by Security Center. In Security Center the status of one of the Nessus scanners showed "Plugin Out of Sync". I tried to push the plugins to the Nessus scanner from the Security Center, but I was getting a status error of "Connection timed out".  So basically I was getting a latency issue on the connection. The Nessus scanner and the Security Center are in different states, so this may be why there is so much latency. I just built this Nessus scanner, so there were just too many plugins to be pushed over the wire by Security Center. To fix this issue, I just manually copied the plugins to the Nessus scanner. Then I manually loaded the plugins into the Nessus scanner. After I did this, I have not had this issue again.

Manually updating the plugins can sometimes fix an error or scanner status of "Protocol error". These instructions work on Nessus 5x and 6x, when managed by Security Center 4x or 5x.

Follow the instructions below to manually install plugins for the Nessus scanner on a Windows computer. For Linux computers click here.

1. Login to the Nessus scanner.

2. Open PowerShell or the Windows command line (CMD) as a privileged user.

3. Stop the Nessus service
# net stop "Tenable Nessus"

4. Remove the Nessus scanner from Security Center

5. Reset the scanner
# …\Program Files\Tenable\Nessus>nessuscli fix --reset

6. Connect the Nessus scanner
# …\Program Files\Tenable\Nessus>nessuscli fetch --security-center

7. Load the plugins into Nessus
# …\Program Files\Tenable\Nessus>nessuscli update plugins_file.tar.gz

8. Start the Nessus scanner
# net start "Tenable Nessus"

9. Login to the web interface for Nessus and verify that the configuration is complete.
https://localhost:8834

10. Login to the web interface for the Security Center. Add the Nessus scanner back and verify connectivity.

You're done.


Thursday, September 15, 2016

Setting up NFS & automount on RHEL


I believe that any Linux or UNIX server should start as a very minimal build. Meaning that a server should only have the programs or packages installed that are needed for the operation of the server. To make some of my servers a little more functional I decided to install NFS and automount. This is so users can automount home directories and mount external shares.

Follow the steps below to install NFS and autofs, so you can mount the NFS shares and mount home directories. The example below is on a RHEL 6 server.


To be able to mount NFS shares you will need the following packages.
autofs
nfs-utils
nfs-utils-lib

Dependencies:
Hesiod
keyutils
libgssglue
libtirpc
python-argparse
rpcbind

Install the packages
root@server> yum install autofs  nfs-utils  nfs-utils-lib

To enable NFS shares you must add them to the /etc/fstab file. Example below.
10.12.12.8:/share /export/share  nfs noauto,nosuid,nodev,noguid,noxattr,timeout,sloppy 0 0
10.12.12.6:/cifs  /export/cifs  nfs noauto,nosuid,nodev,noguid,noxattr,timeout,sloppy 0 0
repos:/linux_repos /export/repos   nfs auto,ro,nosuid,nodev,noguid,noxattr,timeout,sloppy 0 0

To set up the automount function you need to edit the auto.home and auto.master files.
Add the hostname or IP address line to /etc/auto.home
*             10.10.10.2:/home/&

Add this line to /etc/auto.master
/export/home /etc/auto.home -nolock,nosuid,noguid,nodev,nobrowse,noxattr --timeout 10

Restart services
root@server> service autofs restart
root@server> service rpcbind start
root@server> service nfs start

Ensure that autofs starts at boot
root@server> chkconfig --list autofs

Make mount points
Make the mount point for each of the mounts listed in the /etc/fstab file.
root@server> mkdir /export/share
root@server> mkdir /export/cifs
root@server> mkdir /export/repos


Note- make sure any host names used are added to the /etc/hosts file.

After following the steps above, everything should be working. Test the configuration by logging in as, or becoming, a user with a non-local home directory. Also try to mount the shares.
root@server> mount /export/share

Check to see if the mount was successful.
root@server> df -h | grep share
Filesystem            Size  Used Avail Use% Mounted on
10.12.12.8:/share  9.8G  1.9G  7.5G  20%   /export/share

Please let me know if you have any questions.


Friday, March 25, 2016

Manually Update Plugins on a Nessus Scanner (Linux)

I had an issue the other day with one of my Nessus Vulnerability Scanners which is being managed by Security Center. In Security Center the status of one of the Nessus scanners showed "Plugin Out of Sync". I tried to push the plugins to the Nessus scanner from the Security Center, but I was getting a status error of "Connection timed out".  So basically I was getting a latency issue on the connection. The Nessus scanner and the Security Center are in different states, so this may be why there is so much latency. I just built this Nessus scanner, so there were just too many plugins to be pushed over the wire by Security Center. To fix this issue, I just manually copied the plugins to the Nessus scanner. Then I manually loaded the plugins into the Nessus scanner. After I did this, I have not had this issue again.

Manually updating the plugins can sometimes fix an error or scanner status of "Protocol error". These instructions work on Nessus 5x and 6x, when managed by Security Center 4x or 5x.

Follow the instructions below to manually install plugins for the Nessus scanner on a Linux server. To do this on a Windows computer go here.

1. Login to the Nessus scanner.
root@earth> ssh nessus

2. Stop the Nessus service.
root@nessus> service nessusd stop

3. Remove the scanner from Security Center.

4. Reset the scanner
root@nessus> /opt/nessus/sbin/nessuscli fix --reset
Resetting Nessus configuration will permanently erase all your settings and causes Nessus to become unregistered.
Do you want to proceed? (y/n) [n]: y
Successfully reset Nessus configuration.

5. Connect the Nessus scanner.
root@nessus> /opt/nessus/sbin/nessuscli fetch --security-center
nessusd can now be started, SecurityCenter will upload the plugins

6. Manually copy over the plugins file.
    Copy the tar.gz file from Security Center to the scanner, or download the latest plugins from Tenable.
Note - In Security Center the plugins are located here: /opt/sc/data/plugins

7. Load the plugins into Nessus.
root@nessus> /opt/nessus/sbin/nessuscli update plugins_file.tar.gz

* Update successful. The changes will be automatically processed by Nessus 

8. Start the Nessus service
root@nessus> service nessusd start

9. Login to the web interface for Nessus and wait for the bar to complete.
root@nessus> firefox https://localhost:8834

10. Login to the web interface for the Security Center. Add the Nessus scanner back and verify connectivity.

You're done.

If you have any questions or comments please post them below.

Related posts
Manually Update Plugins for your PVS
Reset Admin account on Security Center

Friday, June 5, 2015

How to install Java 7 & 8 on Solaris

In this how-to, I will show you how to install Java 7 on a Solaris 10 operating system. These instructions will work if you need to install Java 8 as well. There have been some changes in the way Java is updated and installed. Now you can also update Java by using packages, unlike before, when you had to install a package to install a program and then patch to upgrade the program. This can be very helpful when installing Java 7 and 8, as Java 7 and 8 didn't come with Solaris 10 and getting patches for these versions of Java can be difficult if you don't have a software contract with Oracle. Oracle will only give patches for Java 4, 5 and 6 if you only have a hardware contract with them. You can still update Java via patches like before, as explained in my previous post Updating Java on Solaris. With Oracle's new way of doing things, we can install and patch Java on a Solaris system much faster and easier than ever before.

Download java

1) Go to java.com
2) Click on Free Java Download button
3) Click on See all Java downloads
4) Scroll down to the bottom of the page to where the Solaris files are.
5) Download the version you need for the platform you're using.

Installation of Java

1) Extract both the 32bit and 64bit versions of Java
Run the gzip -dc or zcat commands to extract the files

On SPARC processors
root@earth> gzip -dc jdk-7u80-solaris-sparc.tar.Z |tar xf -
root@earth> gzip -dc jdk-7u80-solaris-sparcv9.tar.Z |tar xf -
or
root@earth> zcat jdk-7u80-solaris-sparc.tar.Z |tar xf -
root@earth> zcat jdk-7u80-solaris-sparcv9.tar.Z |tar xf -

On x64/EM64T processors
root@earth> zcat jdk-7u80-solaris-i586.tar.Z | tar xf -
root@earth> zcat jdk-7u80-solaris-x64.tar.Z | tar xf -

Note - If you ran the commands as shown above, you will find the packages in the same directory the .tar.Z files are in.

2) Install the packages
Enter the command below, when prompted answer yes to all the questions.
root@earth> pkgadd -d . SUNWj7rt SUNWj7dev SUNWj7cfg SUNWj7man
root@earth> pkgadd -d . SUNWj7rtx SUNWj7dvx

Note - If you want a minimal install, then all you need to install is SUNWj7rt & SUNWj7rtx

Note - Java 8 has combined the 32 bit and 64 bit versions, so you only need to install what appears to be only the 32 bit version.

Now you are done, congratulations. If you want more info, review the references and man pages below. Also be sure to checkout some of my other posts on Java.

References
Installation Instructions from Java.com
The Official Instructions from Oracle

Man Pages
pkgadd
gzip
zcat

Related posts on this blog:
How to install or upgrade Java in Linux
Updating Java on Solaris
Checking Java Versions Remotely
Download Java in MOS
Access the Java Control Panel
Updating Java in NetBackup

If you have any questions on how to install Java on Solaris then feel free to ask below.

Wednesday, August 27, 2014

How to install or upgrade Java in Linux

These are my notes on how to install or update Java on a Linux server. In this how-to, I will be using the Java from Oracle and not the one from the operating system's or distro's repository. You can download and install either an rpm or a tar file from Oracle's site.

When using the Java provided on Oracle's website, they give you a choice of downloading an rpm or a tar file.

You can download Java here.
http://www.java.com/en/download/linux_manual.jsp

Installing Java using RPM

Find the current version of Java on the system.
root@earth> find / -name java -type f
/usr/java/jre1.7.0_55/bin/java

Note - If you use the which or java -version commands to find Java on your system, they will only show you the system's main Java. You may have additional versions installed.

Now take each line of output and paste it at the end of this command. This gives you the name of the rpm package that installed this file and version of Java.
root@earth> rpm -qf    /usr/java/jre1.7.0_55/bin/java
jre-1.7.0_55-fcs

Uninstall the old package.
root@earth> rpm -e  jre-1.7.0_55-fcs

Note- Do not run the above command for java that is part of an application. If the file was in /usr/bin/ you should be fine.

Install Java
root@earth> rpm  -ivh    jre-7u65-linux-x64.rpm

You can alternately upgrade Java instead.
root@earth> rpm   -Uvh    jre-7u65-linux-x64.rpm

Install Java using a tar file
Change directory to where Java is going to be installed. Usually it will be /usr/java.
root@earth> cd  /usr/java

Move the tar file to /usr/java.

Unpack the tarball and install Java
root@earth> tar  zxvf   jre-7u65-linux-i586.tar.gz

Delete the tar file after you test Java and you're done.

Reference:
Java.com

Related posts on this Blog
How to install Java 7 & 8 on Solaris
Access the Java Control Panel
Updating Java on Solaris


Tuesday, August 26, 2014

How to Manually Remove the NetBackup Client on Linux


These are my notes on removing a NetBackup client on a Linux system. This how to is based on the Symantec Tech Note, which is referenced at the bottom of this post. This is for the most part the recommended way of removing NetBackup. I have added a few more steps so that your logs are not filled with error messages.

Shut down running NetBackup processes. (optional)
man@earth> sudo netbackup stop
stopping the NetBackup client daemon
stopping the NetBackup network daemon

Or you can use this command.
man@earth> sudo bp.kill_all

Looking for NetBackup processes that need to be terminated.

Looking for more NetBackup processes that need to be terminated.
Stopping bpcd...
Stopping vnetd...

Check for running processes. (optional)
man@earth> sudo bpps -x
NB Processes
------------

Shared Symantec Processes
-------------------------
root 2827 1 0 Apr22 ? 00:00:00 /opt/VRTSpbx/bin/pbx_exchange
If you see more than what is listed above, then NetBackup didn't shut down. If the commands didn't work then move to the next step.

Remove the NetBackup client.
man@earth> sudo rm -r /usr/openv

Look for NetBackup files in xinetd.d
man@earth> ls -l /etc/xinetd.d/
Look for the bpcd, bpjava-msvc, vnetd and vopied files. If a file is found, remove it.

Edit the services file.
Back up the /etc/services file. Remove all NetBackup services, such as the ones listed above.

Restart xinetd 
For SUSE run this command
man@earth> sudo /etc/rc.d/xinetd restart

For all others run this command
man@earth> sudo /etc/rc.d/init.d/xinetd restart


Reference:
Tech Note 71923

If you have any questions or comments post them below.

Friday, April 4, 2014

Reimporting Tapes into NetBackup.

These are my notes on reimporting old tapes. These tapes were shipped off site after NetBackup vaulted the tapes. They are still listed in NetBackup as vaulted. In order to reuse these tapes, they will need to be expired. The steps listed below will allow you to reuse the tapes.

Steps
1) Put the old tapes into the MAP.

2) In NetBackup, run a tape inventory.

3) Run the command below to expire the tape.
Syntax: bpexpdate -m <media_id> -d 0 -force

root@earth> bpexpdate -m E00154 -d 0 -force

On UNIX and Linux systems, the directory path to this command is /usr/openv/netbackup/bin/admincmd/
On Windows systems, the directory path to this command is \NetBackup\bin\admincmd\

4) Back in the GUI refresh your display.

5) Check to see if the imported tapes are in the scratch volume pool. Make sure all the details match the existing tapes in the library.

Reference
bpexpdate man page at Symantec.

Tuesday, March 18, 2014

Using SCP on Windows Command Prompt

In this post, I show how to move files between a Windows machine and a UNIX machine, using the command line. When I say a UNIX machine, I mean all UNIX based operating systems such as UNIX, Linux, FreeBSD and Mac OS. In this post I will be using the free PuTTY utility called PSCP.

As you know, SSH is not supported in Windows, so you will need to download a 3rd party program.
The people who make PuTTY, which gives SSH terminal emulation on Windows machines, have a program called PSCP. PSCP gives you the ability to use SCP or SFTP from the Windows command prompt.

You could use a GUI program that lets you SCP or SFTP the files. The issue with this approach is that an application with a GUI has limitations. If you use a command line tool, like PSCP, to move the files then you can also put it in a script, one that can be used by the Windows Task manager or the UNIX crontab. PSCP is free and doesn't need to be installed.

Download pscp from the PuTTY download page.

After you download PSCP move it to your My Documents folder. As the program doesn't need to be installed, it is ready to use as soon as you download it. All you need to do to use PSCP is follow the examples below.

Run the command as shown below to move files from the Windows machine to a UNIX machine
Command Prompt
C:\> pscp.exe files man@earth:/path

Run the command as shown below to move files from a UNIX machine to a Windows machine.
Command Prompt
C:\> pscp.exe man@earth:/path/files  C:/path/

In the example above, man is the user name and earth is the name of the UNIX server. The user name can be left off if the user account in Windows has the same name as the user account on the UNIX server. I would highly recommend that you use the same user name on both systems.

Some options
If you want to force the use of either SCP or SFTP add -scp or -sftp right after pscp.exe. If you want to use an SSH agent to manage your SSH keys add the -agent option. I will go more into how to use SSH keys with PSCP in a future post.

Drawback
In the method I have shown here, you must start the SCP or SFTP session from the Windows machine. The Windows machine can't accept incoming requests, because there is no SSH server running on the Windows machine.

References
PuTTY documentation





Monday, November 25, 2013

Installing Firefox on Solaris (Update III)

These are my updated notes on how to install Firefox on a Solaris 10 server. In this installment, I will go over two different ways to install Firefox. I will be using the files found at the Mozilla website, which just started hosting these files. For my previous posts on installing Firefox, see the links at the bottom of this post.

The files on the Mozilla site are the same files that can be found at Sunfreeware.com or UNIXpackages.com. The only issue with getting Firefox from this site is that it is not actually from them. They go out of their way to say this on their site and I quote: "They are the ONLY packages in our repository that are not compiled by us, and were contributed by External Offshore developers in East Asia". The README file on the site says that they were contributed by the Oracle Solaris Desktop Beijing Team. I checked with the local Oracle reps in the area and they can't confirm that the install files are from Oracle. Anyway, if this is not an issue for you then follow the instructions below to install Firefox.

Get the Files
Use the links below to download the files needed for this how to.
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/24.0esr/contrib/solaris_pkgadd/
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/24.0esr/contrib/solaris_tarball/

We will use the files below to install Firefox.
firefox-24.1.1esr.en-US.solaris-10-fcs-sparc.tar.bz2
firefox-24.1.1esr.en-US.solaris-10-fcs-sparc-pkg.bz2

Install Firefox from a tar file.
One advantage of installing Firefox with a tar file is that you can install Firefox almost anywhere.  Run the following commands to install Firefox.
root@earth> mv firefox-* /usr/lib/
root@earth> cd /usr/lib
root@earth> bzip2 -cd firefox-24.1.0esr.en-US.solaris-10-fcs-sparc.tar.bz2 | tar xvf -
root@earth> ln -s /usr/lib/firefox/firefox /usr/bin/firefox

Start Firefox.
root@earth> firefox

Install Firefox from a package.
root@earth> bzip2 -d firefox-24.0esr.en-US.solaris-10-fcs-sparc-pkg.bz2
root@earth> pkgadd -d ./firefox-24.0esr.en-US.solaris-10-fcs-sparc-pkg

The following packages are available:
   1  SFWatk           ATK - Accesibility Toolkit Libraries
                       (sparc) 1.24.0,REV=110.0.4.2009.02.26.22.56
   2  SFWcairo        Vector graphics library
                       (sparc) 1.8.4,REV=110.0.4.2009.02.26.23.05
   3  SFWfirefox     Mozilla Firefox Web browser
                       (sparc) 24.1.0esr,REV=110.0.4.2013.10.24.13.53
   4  SFWglib2       Low level core compatibility library for GTK+ and GNOME
                      (sparc) 2.18.3,REV=110.0.4.2009.02.27.14.31
   5  SFWgtk2        GTK+ - GIMP Toolkit Library for creation of graphical user interfaces
                      (sparc) 2.14.5,REV=110.0.4.2011.05.26.09.57
   6  SFWpango      Library for layout and rendering of internationalized text
                      (sparc) 1.22.3,REV=110.0.4.2009.02.26.23.21
   7  SFWpixman    Vector graphics library
                      (sparc) 0.12.0,REV=110.0.4.2009.02.26.23.01

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
You can install all the packages listed above or just the Firefox package (SFWfirefox). Firefox will be installed at /opt/sfw/lib/firefox. The install process will link the Firefox executable to /usr/local/bin/firefox. Start Firefox as shown below.
root@earth> firefox
If Firefox doesn't start then I would make sure that /usr/local/bin is in your path.

My Other Firefox posts.
Installing Firefox on a Solaris server
Installing Firefox on Solaris (Update)
Installing Firefox on Solaris (Update II)




Friday, November 8, 2013

Firefox won't run

This is a quick fix for getting Firefox to run when it says it is already running. However, this only seems to happen if you have your home directory mounted across all your computers. The picture below is the error you normally get when you have this problem.



One way to fix this is to delete the lock file.
root@earth> rm ~/.mozilla/firefox/*.default/lock

You can also use profiles to get past this error. I would suggest you create a different profile for each computer you use Firefox on. Run the command below to get the pop-up GUI for selecting the profile, as shown below. From here you can create a profile to use, if you need one.

root@earth> firefox -p



If you already have a profile, then run the command firefox -p with the profile's name at the end.
root@earth> firefox -p profilename


Please feel free to add any comments below if I have missed something.

Wednesday, November 6, 2013

Download Java in MOS

Oracle offers patches for their software products through My Oracle Support (MOS). The issue is the way Oracle handles Java patches. If you don't have a software contract, then Oracle will not let you directly download the latest Java patch. This can be extremely frustrating, given the fact that the patch is part of both the CPU patchset and the 10 Recommended patchset for Solaris 10. Also, if you have a Premier Hardware Support contract, then you get software support for the Solaris operating system. So why Oracle makes it hard is beyond me.

If you don't have a software support contract then you can't download Java as a Java patch. You can, however, download a Java patch as a system patch. It is actually the same patch either way. So what matters is the approach you use to get the patch. Follow the steps below to download the latest Java patch as a system patch.

Fig. 1 - Patch Search
Steps
1) Login  to MOS.

2) Go to the Patches and Upgrade tab.

3) Choose the Product or Family (Advanced).
At this point you should be at figure 1.


Fig. 2 - Example of processor types
4) For the Product field input Solaris Operating System.

5) For the Release drop-down menu, pick the Solaris operating system version you need.
Look at figure 2 as an example.

6) For the next drop down choose Platform.

Fig. 3 - Example of finished search fields
7) For the next drop down pick the Solaris Operating system processor  type you need.

8) Then choose Description.

9) Type in javase in the last box.

10) Check the Exclude Superseded patches box.

At this point your search should look like figure 3.

I hope this helps you out.
You can also use this method to download other patches from Oracle such as OpenSSL.
If you have any comments please post them below.

Friday, October 25, 2013

Installing Firefox on Solaris (Update II)

This is part three of my "How to Install Firefox" series of posts. Please read the other Firefox posts linked to at the bottom of this post for additional information. This post is an update on the Firefox situation on Solaris.

The Oracle Security Blog posted, on October 13, 2013, the long-awaited patch for Firefox. You will need a MOS (My Oracle Support) login to download the patches though. Patch 145080-13 for SPARC and patch 145081-12 for X86 will upgrade Firefox to 10.0.12 ESR. This is pathetic considering that at the time I'm writing this, Firefox is at version 24.0. Mozilla doesn't even support Firefox 10 ESR anymore. So why is Oracle giving us this now? Most operating systems are using Firefox 17 ESR right now and they will soon be moving to version 24 ESR. On top of that, Oracle's security blog also doesn't address any of the security vulnerabilities for 2013.

Note - Mozilla doesn't offer Firefox install packages for Solaris.

Current Mozilla supported versions
  • Firefox 17.0.9 ESR
  • Firefox 24.0
  • Firefox 24.0 ESR
Now on to the install of Firefox.
The package Solaris uses for the Firefox install is SUNWfirefox. Run the command below to make sure that package is installed. There may be other Firefox related packages, that's OK.
root@earth> pkginfo -l | grep firefox
PKGINST: SUNWfirefox
PKGINST: SUNWfirefoxl10n-es-ES
PKGINST: SUNWfirefox-devel

If the package is not installed then you will have to install it. Unfortunately it installs Firefox 3, so you need to patch it right away. As I mentioned above, the patch will update Firefox to 10.0.12. If this is the 1st patch to be applied to Firefox it may take some time; this is normal. In the example below we are installing the SPARC patch.

root@earth> mv 145080-13.zip /tmp
root@earth> cd /tmp
root@earth> unzip 145080-13.zip
root@earth> patchadd 145080-13

And you're done. Test the application. If your previous version of Firefox was not part of a package, but instead was installed using a tar file, then you will have to delete it from the server. I have instructions on how to do that in my 1st post on how to install Firefox.

Info
I have removed Firefox from my server at work because I don't think it is secure on Solaris 10. I am instead using Firefox on a Linux server, until Oracle gets their act together. I have heard that Oracle will be releasing Firefox 17 ESR soon. The only problem is, Firefox is only coming to Solaris 11 and not Solaris 10. You can still get Firefox at SunFreeware.com or UNIXpackages.com, which are the same people. The only issue with getting Firefox from their site is that it is not actually from them. They go out of their way to say this on their site and I quote: "They are the ONLY packages in our repository that are not compiled by us, and were contributed by External Offshore developers in East Asia"

Links to my other Firefox install posts
Installing Firefox on Solaris
Installing Firefox on Solaris (Update)
Installing Firefox on Solaris (Update III)

If you have any comments or questions please post them below.


Friday, September 6, 2013

How to setup SSH Keys

Note - I have a newer version of this how-to. Please click here 

This is a guide on setting up SSH Keys for a UNIX based account. What are SSH keys, you ask? They are a means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. SSH Keys are considered more secure than using passwords to access systems, because user accounts are authenticated by the server without ever having to send your password over the network. If the passwords are not transmitted then they can't be intercepted.
This guide is not for installing or setting up an SSH server. You must have SSH running on your servers in order to get your SSH keys to work. All the examples are taken from a Solaris 10 (SPARC) server. This guide should also work on any UNIX based operating system like Linux, BSD and the Mac.

Create your key pair
The ssh-keygen command will generate a public and private keypair. The keys will be stored at ~/.ssh. The basic command looks like this: ssh-keygen -t [dsa|rsa]  The -t sets the type of keys used. In the example below I create an rsa key pair.
man@earth> ssh-keygen -t rsa
Enter file in which to save the key (/home/man/.ssh/id_rsa): Press [Enter] key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/man/.ssh/id_rsa.
Your public key has been saved in /home/man/.ssh/id_rsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01

Make sure you don't use a blank passphrase. Doing this is very insecure. Having a blank passphrase defeats the purpose of having the extra security of a key exchange setup. It is also important to never give out your private key, which also compromises the security of your account.

Copy public key
Copy your public key to the authorized_keys file on the remote server.
man@earth> scp ~/.ssh/id_rsa.pub moon:~/.ssh/authorized_keys

If your home directory automounts across a lot of servers, you can copy it over with the cat command.
man@earth> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
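
Added example, not from the original post: the scp command above replaces whatever authorized_keys already holds on moon, so this sketch appends the key instead, skips keys that are already present, and sets owner-only permissions. install_pubkey is a hypothetical helper name; it runs on the system that holds the authorized_keys file and assumes a POSIX grep and tail.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys without overwriting
# existing entries. install_pubkey and its arguments are hypothetical names.
# Usage on the account being set up:  install_pubkey ~/.ssh/id_rsa.pub ~/.ssh

install_pubkey() {
    pubkey_file=$1                      # the .pub file to install
    ssh_dir=$2                          # the target account's ~/.ssh
    auth_file=$ssh_dir/authorized_keys

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }

    # Refuse anything that looks like a private key.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "$pubkey_file looks like a private key, refusing" >&2
        return 2
    fi

    # Create missing files owner-only, then tighten whatever already exists.
    ( umask 077
      mkdir -p "$ssh_dir"
      touch "$auth_file" ) || return 1
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"

    # If the last existing entry has no trailing newline, add one so the
    # new key does not get glued onto it.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi

    # Append each key line only if that exact line is not already present.
    while IFS= read -r key || [ -n "$key" ]; do
        [ -n "$key" ] || continue
        grep -qxF -- "$key" "$auth_file" || printf '%s\n' "$key" >> "$auth_file"
    done < "$pubkey_file"
    return 0
}
```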

Setup Agent
At this point, when you log in you get prompted for a passphrase. To stop this from happening you need to set up an SSH agent. Run the commands below and type in your passphrase when prompted.
man@earth> eval `ssh-agent`
man@earth> ssh-add
Enter passphrase for /home/man/.ssh/id_rsa:
Identity added: /home/man/.ssh/id_rsa (/home/man/.ssh/id_rsa)

There are other ways to set up the agent, such as using the GNOME GUI. Unfortunately that only works if you're running a GNOME desktop. If you're a VNC user, you should start your VNC server session after starting your agent, in the same terminal. This way all the terminals launched in your VNC session will use the same agent.

One issue with agents is that sometimes you end up running a lot of agents. Run the command below and kill any agents that you are not using, as a good practice.
man@earth> ps -ef | grep agent
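
Added example, not from the original post: a filter that picks out only ssh-agent processes other than the one the current shell is using, since a plain grep for "agent" also matches the grep itself and unrelated agents. stale_agents and SAMPLE_PS are hypothetical names, and the sample process list is constructed.

```shell
#!/bin/sh
# Added example: list ssh-agent PIDs other than the agent this shell uses.
# stale_agents is a hypothetical helper name.
#
# Input on stdin: one "PID COMMAND" pair per line, as printed by
#   ps -u "$LOGNAME" -o pid= -o comm=
# Real use:
#   ps -u "$LOGNAME" -o pid= -o comm= | stale_agents "$SSH_AGENT_PID"

stale_agents() {
    keep_pid=$1     # PID of the agent to keep, normally $SSH_AGENT_PID
    awk -v keep="$keep_pid" '
        NF >= 2 {
            n = split($2, part, "/")    # the command may be a full path
            if (part[n] == "ssh-agent" && $1 != keep) print $1
        }'
}

# Constructed sample of "PID COMMAND" lines for trying the filter offline.
SAMPLE_PS=' 1201 ssh-agent
 1350 /usr/bin/ssh-agent
 1422 gpg-agent
 1500 grep
 1777 ssh-agent'

# With agent 1350 in use, only 1201 and 1777 are reported.
demo_stale_agents() {
    printf '%s\n' "$SAMPLE_PS" | stale_agents 1350
}
```

Check the reported PIDs against your open sessions before passing them to kill.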

References
g-loaded.eu
Symantec: SSH and ssh-agent

If you have any questions or comments please post below.

Thursday, September 5, 2013

Faster Solaris 10 Zone Creation

These are my notes on a faster way of creating Solaris 10 zones. If you're not familiar with Solaris 10 zones, might I suggest you first read my notes on creating Solaris 10 zones. These notes will go over making a whole root zone with a shared network interface. For the purpose of this guide, we will use the hostname earth for our Global zone (host). We will create a zone named moon.

Create the zone
root@earth> zonecfg -z moon "create -b; set zonepath=/export/zones/moon; set autoboot=true; add net; set physical=e1000g0; set address=10.1.1.232/24; end; verify; commit; exit"

Alternately you can put all the sub-commands into a file.

Install zone
root@earth> zoneadm -z moon  install
A ZFS file system has been created for this zone.
Preparing to install zone moon.
Creating list of files to copy from the global zone.
Copying 82181 files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize 783 packages on the zone.
Initialized 783 packages on zone.
Zone moon is initialized.
Installation of 1 packages was skipped.
The file contains a log of the zone installation.

Check the zone (Optional)
root@earth> zoneadm list -cv
ID  NAME     STATUS      PATH                 BRAND    IP
0   global   running     /                    native   shared
-   moon     installed   /export/zones/moon   native   shared

Make an answer file
You must create the sysidcfg configuration file and put it in the zone's /etc directory. For example: /export/zones/moon/root/etc/. This must be done after the zone install but before you boot the zone. Below is an example of a sysidcfg that worked for my setup.

system_locale=en_US
timezone=US/Eastern
terminal=vt100
timeserver=localhost
root_password=$1$w/3YH4kq$R3Tk2lHWRIL2FiiJ2eJqQ1
network_interface=PRIMARY {hostname=moon
                     default_route=NONE
                     ip_address=10.1.1.232
                     netmask=255.255.254.0
                     protocol_ipv6=no}
nfs4_domain=sun
security_policy=NONE
name_service=NONE


Get remote console on the zone
Run this command in a different terminal.
root@earth> zlogin -C moon
Note: the -C option gives you a persistent console. To get back to the global zone, type ~. (a tilde followed by a period).

Boot the zone
root@earth> zoneadm -z moon boot
After you run the command above, look at the other terminal where you ran zlogin. You should see the zone booting up. After the zone boots up, you should see a login prompt. If instead the setup process starts up, then there is an error with the sysidcfg file. In that case you will have to delete your zone. Check out my notes on how to uninstall and delete a zone. If there are no issues then you're done.

I hope this was helpful to someone. If you have any questions or comments please post them below.

Related posts on this blog:
Creating Solaris 10 zones
Uninstall and delete a zone

Thursday, July 25, 2013

Adding, Deleting or Changing a Group in UNIX

This is a little how-to on creating, deleting or modifying a group on a UNIX based computer.

root@earth> /usr/sbin/groupadd -g # groupname
If you use the -g option, you will be able to set the GID for the group. If the GID is not set then the OS will choose one.

To delete a group.
root@earth> /usr/sbin/groupdel groupname

To change a group
root@earth> /usr/sbin/groupmod -g # -n newgroupname groupname
Use the -g option to change the group gid and use -n to change the name of the group.

Use these commands only for local accounts. If a network nameservice or directory server is running then use that service instead.


Wednesday, May 1, 2013

Installing Sudo on Solaris 10

These are the notes on installing sudo on Solaris 10. In order to install sudo you will also need to install some dependencies. I have listed the needed packages below.

Packages
Package Name   Application   Description
SMCsudo        sudo          Provides limited super user privileges
SMClintl       libintl       GNU locale utilities, libintl.so.2
SMCliconv      libiconv      GNU iconv library, libiconv.so.2
SMCzlib        zlib          Zlib data compression library, libz.so.1
SMClgcc        libgcc        The GNU Compiler Collection, libgcc_s.so.1

Installing the packages
mv filename /tmp
cd /tmp
gunzip filename
pkgadd -d filename

Links to where you can get the packages.
www.sunfreeware.com
unixpackages.com (paid site, the paid version of sunfreeware)

Monday, April 22, 2013

Mount an ISO in Solaris 10

Sometimes I run into an issue where I need to install a program and the only installer I can find is on a CD or DVD. Unfortunately most servers don't have CD/DVD players. I can usually download the media, in the form of an ISO, from the vendor website. Then the issue is how do I get the application out of the ISO if I don't have a CD or DVD drive. Luckily for me, most UNIX based operating systems can mount an ISO, in much the same way you would mount an NFS (Network File System) share or other external volumes, like a CD/DVD drive. As the title suggests, this how-to will focus on doing this on a Solaris 10 server.

Mounting an ISO

# lofiadm -a /path/to/cd.iso
/dev/lofi/1

Now you can mount the ISO.
# mount -o ro -F hsfs /dev/lofi/1 /mnt

Unmount and detach the images

# umount /mnt
# lofiadm -d /dev/lofi/1

Useful links
http://www.cyberciti.biz/faq/howto-mount-sun-solaris-cd-iso-image/
http://bradthemad.org/tech/notes/solaris_mount_iso.php

Friday, March 29, 2013

Installing Firefox on Solaris (Update)

In this post I'm going over how to install Firefox on Solaris 10. This is an update to one of my earlier posts. The reason for this update is that there have been some changes in how you get Firefox. The place where Mozilla would point its users to download Firefox was the OpenSolaris.org website. Oracle took down the OpenSolaris.org website on March 23, 2013. As my old instructions used a different install process, I felt I needed to rewrite this how-to.


The other main place to get Firefox is at SunFreeware.com or UNIXpackages.com, which are the same people. The only issue with getting Firefox from their site is that it is not actually from them. They go out of their way to say this on their site and I quote: "They are the ONLY packages in our repository that are not compiled by us, and were contributed by External Offshore developers in East Asia". The quote used to say "contributed by developers in Beijing China"; apparently someone complained and a change was made. With all the hacking allegations concerning China you may not want to get Firefox from them.

The other places that host Solaris software or packages are blastwave and OpenCSW.org. Blastwave is now a dead project and OpenCSW.org doesn't have Firefox in their package list.

Now I have some good news and some bad news. The good news is that Oracle is now providing patches and/or packages for Firefox. The bad news is that they are not keeping up with the Firefox versions from Mozilla, not to mention the CVE vulnerabilities that are coming out.

Below I list two places to get Firefox from Oracle. You will need an Oracle Support login to download the files. The 2nd link lets you see the 3rd party patches that are available before you need to log in to Oracle. You can get newer versions of Firefox than what is linked to below by putting in a ticket (SR) to your MOS (My Oracle Support) account.
Oracle Support document 1448883.1
Third Party Software in Oracle Products webpage.

The main package for Firefox is SUNWfirefox. There are a few additional Firefox packages that you might have installed on your server. To see what Firefox related packages are on your server, run the command below.
# pkginfo -l | grep firefox
PKGINST: SUNWfirefox
PKGINST: SUNWfirefoxl10n-es-ES
PKGINST: SUNWfirefox-devel

To see a complete list of Solaris 10 packages click here.

Oracle has provided the following patches for Firefox: 145080-11 (x86) & 145080-12 (SPARC). Applying this patch may take a little longer than what you are used to, but it will upgrade Firefox from 3.X to Firefox 10.0.7.
# mv 145080-12.zip /tmp
# cd /tmp
# unzip 145080-12.zip
# patchadd 145080-12

Congrats, you have installed the ESR version of Firefox on Solaris 10. Oracle also has an updated version of Firefox for Solaris 11 coming soon.

My Other Firefox posts.
Installing Firefox on a Solaris server
Installing Firefox on Solaris (Update II)
Installing Firefox on Solaris (Update III)

If you have anything to add please post below.