A Sysadmin's Notes: RHEL

Showing posts with label RHEL. Show all posts

Thursday, October 19, 2023

Login hangs for scanning account

The Problem

I ran into this issue the other day. Tenable.sc (formerly Security Center) was reporting a hit on plugin 21745 for a Red Hat Enterprise Linux 8 (RHEL 8) system. I checked on the account used on the systems for scanning and it wasn't locked out or anything. When I tried to SSH into the system with the credentials, it would just hang. The system logs showed "login successful". When I rebooted the system was able to login normally again, but the problem would come back eventually.

The Cause

When the Nessus scanner connects to a system, it's scanning, it makes several connections to the host. Each connection starts a TMUX session. The problem is the TMUX sessions where not being closed after the Nessus scanner disconnected from the system. It turned out that the account used for security scanning had around 2,000 TMUX sessions running.

The Fix

Add "set -g destroy-unattached on" to the /etc/tmux.conf file.

scanuser@remotesystem> sudo echo "set -g destroy-unattached on" >> /etc/tmux.conf

This will append this line "set -g destroy-unattached on" into the /etc/tmux.conf configuration file. This will auto close sessions not being actively used.

Anther Fix

Set system wide rules for TMUX on the effected systems so only the account used by the Nessus scanner will have use of the TMUX terminal multiplexer. /etc/profile.d/custom.sh


[ "$USER" != "scanuser" ]
 then if [ "$PS1" ]
   then parent=$(ps -o ppid= -p $$)
        name=$(ps -o comm= -p $parent) 
        case "$name" in (sshd|login) exec tmux
        esac 
 fi 
fi

Defs

TMUX is an open-source terminal multiplexer for Unix type systems. Multiple terminal sessions can be accessed simultaneously by splitting the terminal into different screens. Can also detach remote sessions and reattach later, similar to what the screen application can do.

Tenable Plugin a plugin is a script deployed by the Nessus scanner to check for security vulnerabilities. In this case plugin 21745 is an info plugin, it displays info from other plugins. This plugin is triggered (displayed) whenever a login failure occurs.

Wednesday, November 21, 2018

Fix RPM Database finding for UEFI file types

I ran into an issue the other day when was hardening a server. I couldn't change the file permissions on a few files to what the RPM database says is the default. This was in regard to the /boot/efi files or UEFI file types.

This is the check: rpm -Va

The security rule: RHEL-07-010010 "The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." Basically the the check is to ensure the files have the default file permissions or less.

Also works for Red Hat 6
RHEL-06-000516, RHEL-06-000517, RHEL-06-000518, RHEL-06-000519

The Fix

Add the line below to /etc/fstab

UUID=#### /boot/efi vfat umask=0177,shortnames=winnt 0 0

Unmount and mount /boot/efi

root@earth> umount /boot/efi
root@earth> mount /boot/efi

Some other reference materials.
Could not change permission for /boot/efi/EFI/redhat/grub.conf
Why do /boot/efi content always show up in rpm -Va output in UEFI enabled system?

How to lookup UUIDs
https://liquidat.wordpress.com/2007/10/15/short-tip-get-uuid-of-hard-disks/
https://liquidat.wordpress.com/2013/03/13/uuids-and-linux-everything-you-ever-need-to-know/

Thursday, September 22, 2016

Create user account and set password with one command

I often see forum posts where a System Administrators, wants to create local user accounts on several servers and doesn't want to have to have to set the user's password over and over again. Below I share two ways to do this. The first way creates the user account and sets the password in one command. The second method sets the password in a additional command. Ether way can be used in a script, which can speed things up if you need to create one or more accout on servel systems.

Below is an example of creating a user account.

root@earth> useradd -u 25 -g staff -G ftp,users -m -d /export/home/newuser -c "newuser" -s /bin/bash newuser
root@earth> passwd newuser
passwd: Changing password for username
New Password:
Re-enter new Password:
passwd: password successfully changed for newuser

This method can be very time consuming process and would be hard to use in script. Below is an example of how using the -p option in the useradd command, to set the user's password by setting the uses hash.

root@earth> useradd -u 25 -g staff -G ftp,users -m -d /export/home/newuser -c "newuser" -s /bin/bash -p '6$jbvkjjg$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/' newuser

This method works on Linux computers, such as SLES and RHEL. It however doesn't work on systems such as Solaris.

Alternately you can also set the users by echoing the password to standard in, as shown below. The major issue with doing it this way is that the password is recorded in the system logs and if your running the command remotely then your sending the password in the clear. So I don't recomend doing it this way.

root@earth> echo password | passwd newuser --stdin

This method works only Linux systems.

Other posts with similar info
Linux User Account Creation & Customization
Adding a new user to a UNIX based system

References pages.
Online man page - useradd
Online man page - passwd

Thursday, September 15, 2016

Setting up NFS & automount on RHEL

I believe that any Linux or UNIX server should start a very minimal build. Meaning that a server should only have the programs or packages installed that are needed for the operation of the server. To make some of my servers a little more functional I decided to install NFS and automount. This is so users can automount home directories and mount external shares.

Follow the steps below to install NFS and autofs, so you can mount the NFS shares and mount home directories. The example below is on a RHEL 6 server.

To be able to mount NFS share you will need the following packages.
autofs

nfs-utils
nfs-utils-lib

Dependencies:
Hesiod
keyutils
libgssglue
libtirpc
python-argparse
rpcbind

Install the packages

root@server> yum install autofs nfs-utils nfs-utils-lib

To enable NFS shares you must add them to the /etc/fstab file. Example below.

10.12.12.8:/share /export/share nfs noauto,nosuid,nodev,noguid,noxattr,timeout,sloppy 0 0
10.12.12.6:/cifs /export/cifs nfs noauto,nosuid,nodev,noguid,noxattr,timeout,sloppy 0 0
repos:/linux_repos /export/repos nfs auto,ro,nosuid,nodev,noguid,noxattr,timeout,sloppy 0 0

To setup the automount funtion you need to edit the auto.home and auto.master files.
Add the hostname or IP address line to /etc/auto.home

* 10.10.10.2:/home/&

Add this line to /etc/auto.master

/export/home /etc/auto.home -nolock,nosuid,noguid,nodev,nobrowse,noxattr --timeout 10

Restart services

root@server> service autofs restart
root@server> service rpcbind start
root@server> service nfs start

Ensure that autofs starts at boot

root@server> chkconfig –list autofs

Make mount points
Make the mount pint for all the mount points listed in the /etc/fstab file..

root@server> mkdir /export/share
root@server> mkdir /export/cifs
root@server> mkdir /export/repos

Note- make sure any host names used are added to the /etc/hosts file.

After following the steps above evey should be working. test the configuration by loggingin or becoming a user with a non local home directory. Also try to mount the shares.

root@server> mount /export/share

Check to see if the mount was successful.

root@server> df -h | grep share
Filesystem Size Used Avail Use% Mounted on
10.12.12.8:/share 9.8G 1.9G 7.5G 20% /export/share

Please let me know if you have any questions.

Wednesday, April 27, 2016

How to install or upgrade Java in Linux (Updated)

In this blog post I show how to install or update Java from Oracle on a Linux server. Many Linux distros use the OpenJDK version of Java in their operating systems and in their repository. Although the instructions below will still work to install OpenJDK, the focus is on Oracle's version of Java.

When using the Java provided by Oracle, you can download it from Oracle's website or from java.com. From there they give you a choice of downloading rpm or tar files. I prefer to use Red Hat Package Manager (RPM) files instead of the tar files when installing any program.

You can download Java here: www.java.com

Find Java on the system.

root@earth> find / -name java -type f
/usr/java/jre1.7.0_101/bin/java

Note - If you use which or java -version commands to find Java on your system. This will only show your the system's main java. You may have additional versions installed.

Now take each line of output and paste it at the end of the rpm -qf command. This gives you the name of the rpm package that installed that instance of Java.

root@earth> rpm -qf /usr/java/jre1.7.0_101/bin/java
jre-1.7.0_101s

If the Java found on the system was not installed via a package, then Java was installed via a tar file. At this point you must decide whether to install the new version of Java with an rpm or a tar file. I recommend the use of the rpm packages to install any programs. If you are installing with a rpm then go to the section titled Installing Java using RPM. If you are use the tar file then skip to the section titled Install Java using a tar file.

Installing Java using RPM
The rpm command can either update an existing package or install a new one.

The documentation on the Java website says to remove/uninstall the old version of Java and then install the new one. I prefer to install or upgrade though. This is because if there are any symlinks or application settings that use the systems' Java, will be updated to use the newer Java. Then you can remove the old version if needed after the fact. Otherwise you would have to recreate these items after the install.

Updating Java using RPM
If you update Java as shown below then you will not need to remove the old version. Unless you are installing a different version of Java. For exampe If you have Java 7 installed and then you install Java 8

root@earth> rpm -Uvh jre-7u111-linux-x64.rpm

You can alternately install Java instead.

root@earth> rpm -ivh jre-7u111-linux-x64.rpm

Uninstall the old package.
Take the output from the last command and use the rpm command with the -e option to remove the package.

root@earth> rpm -e jre-1.7.0_65cs

Note- Do not run the above command for java that is part of an application. If the file was in /usr/bin/ you should be fine.

Install Java using a tar file
Change directory to where Java is going to be installed. Usually it will be /user/java.

root@earth> cd /usr/java

Note - If your upgrading Java with a tar file, it is advised to backup the old installation and to remove the previous version. If the old version was installed via a tar then remove the directory. If it was installed with a rpm file use the rpm or yum command to remove the package.

Move the tar file to /usr/java and unpack the tarball to install Java

root@earth> tar zxvf jre-7u111-linux-i586.tar.gz

Delete the tar file after you test Java and your done.

Reference:
Java.com

Related posts on this Blog
How to install or upgrade Java in Linux
How to install Java 7 & 8 on Solaris
Access the Java Control Panel
Updating Java on Solaris

If you have any questions or comments please post them below.

Tuesday, April 12, 2016

A Better Way to Setup SSH Keys

Note - I have a newer version of this how-to. Please click here

This is a guide on setting up SSH Keys for a Linux based user account. Why set up SSH keys, why not just use your password? SSH Keys are considered more secure than using passwords to access systems, because user accounts are authenticated by the server without ever having to send your password over the network. If the passwords are not transmitted then they can't be intercepted. This works by identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. Not to mention if you set up a SSH agent then the agent will handle the challenge-response authentication for you.

This guide is not for installing or setting up a SSH server. You must have sshd service running on your servers in order to get your SSH to work. All the examples are take from a Red Hat or Suse servers. The ssh-copy-id command will not work on Solaris servers but all other commands should work file.

Create you key pair
The ssh-keygen command will generate a public and private keypair. The keys will be stored at ~/.ssh.The basic command looks like this: ssh-keygen -t [dsa|rsa] The -t sets the type of keys used. In the example below I create a rsa key pair.

man@earth> ssh-keygen -t rsa
Enter file in which to save the key (/home/man/.ssh/id_rsa): Press [Enter] key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/man/.ssh/id_rsa.
Your public key has been saved in /home/man/.ssh/id_rsa.pub.
The key fingerprint is:dfhjodfnk
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01

Make sure you don't use a blank passphrase. Doing this is very insecure. Having a blank passphrase defeats the purpose of having having the extra security of a key exchange setup. It is also import to never give out your private key, which also compromises security of your account.

The old way of transferring the public key to the remote sytem.

man@earth> scp ~/.ssh/id_rsa.pub moon:~/.ssh/authorized_keys

New way

man@earth> ssh-copy-id user@moon
Now try logging into the machine, with "ssh 'remote-host'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

The reason the new way is better then the old way is that the ssh-copy-id appends the public key to the authorized_keys file. Where as the old way overwrites the authorized_keys file. This allows the account to use keys from more than one server.

Note- This method will not work on Solaris 10

If your home directory automounts across a lot of servers. You can copy it over with the cat command.

man@earth> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

You can also use this method if the ssh-copy-id command is not available to you.

man@earth> cat ~/.ssh/id_rsa.pub | ssh man@moon "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Setting up the SSH Agent.

man@earth> eval `ssh-agent`
man@earth> ssh-add
Enter passphrase for /home/man/.ssh/id_rsa:
Identity added: /home/man/.ssh/id_dsa (/home/man/.ssh/id_rsa)

Note- Add these commands to the .bashrc file to start an agent automatically when you login to a server.

There are other ways to set up the agent, such as using the gnome GUI for example. If you use VNC, just start your VNC server session in the same terminal you used to starting your agent. This way all your terminals launched in your VNC session, will use the same agent.

SSH Agent Management
One issue with agents is that sometimes you end up running a lot of agents. Run the command below and kill any agents that you are not using.

man@earth> ps aux | grep agent

If there is more than one agent running then you should kill the additional ssh-agent.

man@earth> pkill ssh-agent

This will only kill agents owned by the user running the command in.

One way to kill your ssh-agents is to add a kill statement to the .bash_logout file.

Reference Section
Manpage ssh-copy-id

Related posts on this site.
How to setup SSH Keys
http://rich-notes.blogspot.com/2013/09/how-to-setup-ssh-keys.html

If you have any questions or comments please post below.

Friday, May 22, 2015

Is SELinux running?

There is a simple question that you need to know when you get a new Linux server to manage, is SELinux running? If so, what are its setting? Below are some ways to answer these questions.

See if the SELinux configuration file exists and if it does what the settings for SELinux are.

root@earth> cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

The getenforce command displays the current SELinux enforcement policy being used.

root@earth> /usr/sbin/getenforce
Permissive

The sestatus command is a tool that is used to get the status of a system running SELinux.

root@earth> /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted

Reference
Security Enhanced Linux (SELinux) project page
Wikipedia - SELinux

Tuesday, August 26, 2014

How to Manually Remove the NetBackup Client on Linux

These are my notes on removing a NetBackup client on a Linux system. This how to is based on the Symantec Tech Note, which is referenced at the bottom of this post. This is for the most part the recommended way of removing NetBackup. I have added a few more steps so that your logs are not filled with error messages.

Shut down running NetBackup processes. (optional)

man@earth> sudo netbackup stop
stopping the NetBackup client daemon
stopping the NetBackup network daemon

Or you can use this command.

man@earth> sudo bp.kill_all

Looking for NetBackup processes that need to be terminated.

Looking for more NetBackup processes that need to be terminated.
Stopping bpcd...
Stopping vnetd...

Check for running processes. (optional)

man@earth> sudo bpps -x
NB Processes
------------

Shared Symantec Processes
-------------------------
root 2827 1 0 Apr22 ? 00:00:00
/opt/VRTSpbx/bin/pbx_exchange

If you see more then what is list above then than NetBackup didn't shut down. If the commands didn't work then move to the next step.

Remove the NetBackup client.

man@earth> rm -r /usr/openv

Look for NetBackup files in xinet.d

man@earth> ls -l /etc/xinetd.d/

Look for the bpcd, bpjava-msvc, ventd and vopied files. If the file is found remove it.

Edit the services file.
Backup the /etc/services file. Remove all NetBackup services, such as the ones listed above.

Restart xinetd
For Susie run this command

man@earth> sudo /etc/rc.d/xinetd restart

For all others run this command

man@earth> sudo /etc/rc.d/init.d/xinetd restart

Reference:
Tech Note 71923

If you have any questions or comments post they below.

Wednesday, February 19, 2014

My BASH profile

These are notes on how I like to have my command prompt set up. I'm a BASH user so I will be updating the .profile and the .bashrc files. Both files are located in the users home directory.

This what my prompt looks like. It is a two line prompt, I find that it helps break up the commands from the output. The second line also gives more room for long commands and helps prevent the line from wrapping over top of the prompt.

earth:~

man@earth
<

The basic bash prompt don't look all the great, as seen below. To get it look like the example above run the command below.

bash

bash$

export PS1="\[\e]2;\h:\w \a\[\e[0;31m\]\u\[\e[0m\]@\e[0;32m\h\e[0;34m\]\n<\[\e[0m\] "

Below I have posted my .profile file.

earth:~

man@earth
< more .profile

PATH=/usr/xpg4/bin:/usr/bin:/bin:/usr/sbin:/usr/local/sbin:/usr/openwin/bin:/usr/local/bin:/usr/ucb:/etc:/usr/X11/bin:/sbin:/usr/openv/netbackup:/usr/openv/netbackup/bin:/usr/openv/netbackup/bin/admincmd:/usr/openv/netbackup/bin/goodies:/usr/openv/volmgr/bin:/usr/sfw/bin/:$HOME

MANPATH=/usr/share/man:/usr/dt/man:/usr/openwin/share/man:/usr/X11/man:/usr/man:/usr/sfw/man:/usr/local/man:

EDITOR=/usr/bin/vi
TMOUT=0
TIMEOUT=0

#alias xterm="xterm -sl 1000 &"
#export PS1="\[\e]2;\h:\w \a\[\e[0;31m\]\u@\e[0;32m\h\e[0;34m\]>\[\e[0m\] "
export PS1="\[\e]2;\h:\w \a\[\e[0;31m\]\u\[\e[0m\]@\e[0;32m\h\e[0;34m\]\n<\[\e[0m\] "

The PATH statement is used to store the paths of the commands you want to use. This way you don't need to provide the full path for each command you want to run. The MANPATH statement is basically the same thing, but used to help you access the man pages.

Tuesday, October 22, 2013

Get the OpenSSL version

I often have to check which versions of applications we have installed our servers. Below I have post the method of checking the version of OpenSSL installed on a server. The command below should work with any UNIX based operating system. I might even work on Windows.

man@earth> openssl version -a

To find the non system or embedded versions you will have to run the find command. Shown below.

root@earth> find / -name openssl -type f 2>/dev/null

I hope this helps someone

Friday, September 6, 2013

How to setup SSH Keys

Note - I have a newer version of this how-to. Please click here

This is a guide on setting up SSH Keys for a UNIX based account. What are SSH keys you ask? They are means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. SSH Keys are considered more secure than using passwords to access systems, because user accounts are authenticated by the server without ever having to send your password over the network. If the passwords are not transmitted then they can't be intercepted.
This guide is not for installing or setting up a SSH server. You must have SSH running on your servers in order to get your SSH keys to work. All the examples are take from a Solaris 10 (SPARC) server. This guide should as work on any UNIX based operating system like Linux, BSD and the Mac.

Create you key pair
The ssh-keygen command will generate a public and private keypair. The keys will be stored at ~/.ssh.The basic command looks like this: ssh-keygen -t [dsa|rsa] The -t sets the type of keys used. In the example below I create a rsa key pair.

Make sure you don't use a blank passphrase. Doing this is very insecure. Having a blank passphrase defeats the purpose of having having the extra security of a key exchange setup. It is also import to never give out your private key, which also compromises security of your account.

Copy public key
Copy you public key to the authorized_keys file on the remote server.

man@earth> scp ~/.ssh/id_rsa.pub moon:~/.ssh/authorized_keys

If your home directory automounts across a lot of servers. You can copy it over with the cat command.

man@earth> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Setup Agent
At this point, when you login you get prompted for a passphase. To stop this from happening you need to setup a SSH agent. Run the command below and type in your passphare when prompted.

man@earth> eval `ssh-agent`
man@earth> ssh-add
Enter passphrase for /home/man/.ssh/id_rsa:
Identity added: /home/vivek/.ssh/id_dsa (/home/man/.ssh/id_rsa)

There are other ways to set up the agent such as using the gnome GUI for example. Unfortunately that only works if your running a gnome desktop. If your a VNC user, you should start your VNC server session after starting your agent in the same terminal. This way all your terminals launched in your VNC session, will use the same agent.

One issue with agents is that sometimes you end up running a lot of agents. Run the command below and kill any agents that you are not using, as a good practice.

man@earth> ps -ef | grep agent

References
g-loaded.eu
Symantec: SSH and ssh-agent

If you have any questions or comments please post below.

Thursday, April 25, 2013

Bash Shortcut keys

I found this little reference chart on the short cut keys in BASH. These short cut keys allow for command line editing. I for example use Ctrl + A all the time to edit the line.

Ctrl + A	Go to the beginning of the line you are currently typing on
Ctrl + E	Go to the end of the line you are currently typing on
Ctrl + L	Clears the Screen, similar to the clear command
Ctrl + U	Clears the line before the cursor position. If you are at the end of the line, clears the entire line.
Ctrl + H	Same as backspace
Ctrl + R	Let’s you search through previously used commands
Ctrl + C	Kill whatever you are running
Ctrl + D	Exit the current shell
Ctrl + Z	Puts whatever you are running into a suspended background process. fg restores it.
Ctrl + W	Delete the word before the cursor
Ctrl + K	Clear the line after the cursor
Ctrl + X	Then Backspace clear the line before the cursor
Ctrl + T	Swap the last two characters before the cursor
Esc + L	Changes to upper case
Esc + U	Changes to lower case
Esc + T	Swap the last two words before the cursor
Alt + F	Move cursor forward one word on the current line
Alt + B	Move cursor backward one word on the current line
Tab	Auto-complete files and folder names

Referance:
http://www.howtogeek.com/howto/ubuntu/keyboard-shortcuts-for-bash-command-shell-for-ubuntu-debian-suse-redhat-linux-etc/
I found this chart at the link above.

Thursday, April 11, 2013

Script for checking accounts

In a perfect world all user accounts are centrally managed by a directory server such as NIS, LDAP or Active Directory. Unfortunately not all servers use accounts that are centrally managed or there are some servers that are set aside, as stand alone servers. It a can be a real pain to find out your account's password expired. Then be forced to change it before you can login. So I wrote this is a little script because I need to know when my passwords are about to expire. This way I can change my passwords on all the servers, before they expire.

I have three different operating systems at work so of course they all do this differently. In this how to I will be using examples from Solaris 10, RHEL 5 (Red Hat Enterprise Linux) and SLES 11 (SUSE Linux Enterprise Server). I created a different file, containing the server names, for each OS.

The script below logs into each server listed in the server-sol file and runs the passwd -s command and prints the output on the screen. It then runs the change -l command on the Linux servers. SUSE needs elevated privileges to run the change -l, so I add sudo to the line. The line where you see the echo statement, prints the server's name indented and in bold.


man@earth>cat check-login2

for s in `cat  server-sol`

do echo -e "\e[1m  $s \033[0m "

ssh -q $s sudo passwd -s man

done

for r in `cat server-rhel`

do echo -e "\e[1m  $r \033[0m "

ssh -q $r chage -l man

done

for sles in `cat server-suse`

do echo -e "\e[1m  $sles \033[0m "

ssh -q $sles sudo chage -l man

done

Examples of out from script on the different OS versions.


man@earth>./check-login2

   solaris-server

rich     PS    04/03/13     7    56     7

   rhel-server 

Last password change                                    : Apr 03, 2013

Password expires                                        : May 29, 2013

Password inactive                                       : never

Account expires                                         : never

Minimum number of days between password change          : 7

Maximum number of days between password change          : 56

Number of days of warning before password expires       : 7

   sles-server

Minimum:        1

Maximum:        60

Warning:        7

Inactive:       35

Last Change:            Apr 03, 2013

Password Expires:       Jun 02, 2013

Password Inactive:      Jul 07, 2013

Account Expires:        Never

As you can see there is a difference in the output each OS gives you. If you have any comments or questions please post them below.

Monday, December 31, 2012

How to use VNC to view a remote system

VNC is a free 3rd party program that allows a remote login, similar to Remote Desktop in Windows or Daemonware. One nice thing about VNC, is that it's multi-platform. It works on Windows, UNIX, BSD, Linux and MAC. The down side to using VNC is that it's insecure, but you can wrap it in a SSH tunnel. Most of my experience with VNC is on Solaris and Red Hat. Most of the examples below are from a Solaris server.

To see if any VNC sessions is running on your server run the command below. # ps -ef|grep vnc
If you have a session running it will look like this.

rich 15137 14170  0 Nov 24 ?    0:00  vncconfig -iconic
rich  538  8833   0 Nov 24 ?    7:34  Xvnc :1 -desktop server:1 (rich) -auth /home/rich/.Xauthority -geometry 1900

To start a basic VNC server session just type vncserver. # vncserver After you run this command you will get a session ID number. For example the first user of VNC server will get session number 1. When you connect to the session from a remote computer you use the hostname:1.

You will also need to set the VNC password to connect the session. # vncpasswd This sets the password for your account.

If you want more options, check the these popular options below. For screen size use -geometry widthxhight. If the computer you are connecting from doesn't have VNC Viewer installed then, you can use the -httpd option to connect using a web browser. # vncserver :3 -geometry 800x600 -http

VNC is installed on MACs and you can turn on the VNC server by going to System Preferences --> Sharing. Select Remote Management and then click Computer settings. In the drop down select VNC viewers may control screen with password. Then put in desired password in box.

The xstartup file controls the desktop you get. Uncomment lines 4 & 5 to get a gnome desktop.

Sometimes you need to shutdown the VNC session your using. # vncserver -kill :#Replace # with the session number VNC gave you.

Now that you have started the VNC server you will want to connect to use it. From a UNIX or Linux you run the following command. vncviewer hostname:1 # vncviewer server1:1
If you are using VNC from a Windows PC, then there is a VNC viewer application.

Warning: If you auto-mount your home directory. Beware that different operating systems have different setting in the xstartup file. All VNC sessions use the same xstartup file, so changes made by you or the VNC program will effect the VNC experience. I ran into an issue when I tried to use the gnome desktop on both a RHEL & Solaris 10 servers. When I got the gnome desktop working for RHEL the gnome desktop was unusable with Solaris 10. The best way to get around this is to use different accounts or different windowing programs on different operating systems.

Important VNC files
$HOME/.vnc/xstartup -- The file that controls them all. This is the main config file used for the session on VNC server.

$HOME/.vnc/passwd -- The VNC password file

$HOME/.vnc/host:display#.log -- The log file for Xvnc and applications started in xstartup

$HOME/.vnc/host:display#.pid -- Identifies the Xvnc process ID, used by the -kill option.

Package list for Solaris 10
SUNWxvnc VNC Server
SUNWvncviewer VNC Viewer

Tuesday, September 25, 2012

Setup no password sudo on RHEL

Sudo is a great tool if you want to run programs with elevated permissions. The problem is that by default you have to enter a password to run the commands. In this post I show you how to set up sudo in RHEL 5, so select users don't need to enter a password.

Open your favorite text editor and edit /etc/sudoers. Change the following lines to match what is below.
visudo


## Allows people in group wheel to run all commands
%wheel   ALL=(ALL)  ALL



## Same thing without a password

%wheel   ALL=(ALL)                 NOPASSWD: ALL

Note - I found that you have to uncomment both of the items above, if you are using a gnome desktop. When only the bottom option is set, the the gnome admin apps will not launching, even after you enter the root password in the pop-up. So if you are not using the admin GUI apps then just uncomment the bottom.

Next add the user to the wheel group.
usermod -G wheel user
The -G option adds the user to the wheel group. If you use -g instead the sysadmin group will be added as the primary group.

Now your user should be able to use sudo without having to use a password.

Simular pages on this blog:
Use sudo without a password

Thursday, September 6, 2012

Use sudo without a password

These are my notes for setting up users so they can use sudo without a password. This how-to is for a system that already has sudo installed on a server. Basically what I'm doing here, is giving a group the ability to use sudo without a password and then assigning users to that group.

To edit the sudoers file, use the command below.

# visudo

Add the following line.
sysadmin ALL=(ALL) NOPASSWD: ALL
In this example the sysadmin group can now sudo without needing to use a password, but any group can be used.

Note - I use the sysadmin group for Solaris and the wheel group for RHEL & SLES.

Add the user rich to the sysadmin group.

# usermod -G sysadmin man

The -G option adds the user man to the sysadmin group. If you use -g instead the sysadmin group will be added as the primary group.

Following the steps above should now give access to sudo without needing to enter a password. If you have any questions or comments please post below.

Simular pages on this blog:
Setup no password sudo on RHEL

Thursday, August 23, 2012

Delete User accounts

Here is a note on deleting user accounts from UNIX or Linux operating systems. These instructions are for local accounts only.

To remove or delete a user account run the command below. # userdel -r userThe -r option removes their home directory.

Related posts
Linux User Account Creation & Customization
Unlock locked accounts
Delete User accounts

Pages