Setup SSH Keys with Agent

This guide for setting up SSH Keys with an SSH Agent for auto-logging into Linux based systems. Why set up SSH keys, why not just use your password? SSH Keys are considered more secure than using passwords to access systems, because user accounts are authenticated by the server without ever having to send your password over the network. If the passwords are not transmitted then they can't be intercepted. This works by identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. When you set up an SSH agent then the agent will handle the challenge-response authentication for you.

This guide is not for installing or setting up a SSH server. You must have the sshd service running on your system in order to follow along with this guide. All the examples are take from a Red Hat system. In the following examples, earth is the name on the local system and moon is the remote system. 

Create you key pair

The ssh-keygen command will generate a public and private keypair. The keys will be stored in the users home directory by default, this is the path  ~/.ssh/. The basic command looks like this: ssh-keygen -t [dsa|rsa]  The -t sets the type of keys used. In the example below I create a rsa key pair. This command also sets the passphrase, think of this like setting a password. Make sure you remember the  passphrase because you will use this instead of the password for logging into the remote system (moon).

man@earth> ssh-keygen -t rsa
Enter file in which to save the key (/home/man/.ssh/id_rsa): Press [Enter] key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/man/.ssh/id_rsa.
Your public key has been saved in /home/man/.ssh/id_rsa.pub.
The key fingerprint is:dfhjodfnk
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01

It is import to protect your private key, so don't share it. 

Note- Do not leave the passphrase blank. Doing this is a bad security practice, because this defeats the purpose of having the extra security of SSH keys. This will make the system less secure. If you have done this just rerun the command and add a passphrase. 

Install Public Key on Remote Host

You install the public SSH key by copying or appending it to the authorized_keys file on a remote host. This file is also located in the users home directory, ~/.ssh/.  For most systems you can use the ssh-copy-id command, which I cover in Method 1.  I will show a work around if the ssh-copy-id command is not available, in Method 2 & 3.

Method 1 - Use The ssh-copy-id Command

The easiest way to install the public key to a remote SSH server is use the ssh-copy-id command. To use the command type "ssh-copy-id <remote host>". This command appends the public key to the authorized_keys file on the the remote host. If the file doesn't exist it will be created. 

In the example below "moon" is the name of the remote host.

man@earth> ssh-copy-id moon
Now try logging into the machine, with "ssh 'remote-host'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

This the best way is to copy over the public key because ssh-copy-id will create .ssh/authorized_keys file if it doesn't exist. The command also appends the public key to the authorized_keys file, whereas other methods may overwrites the file. This allows the account to use keys from more than one system.

Note- This method will not work on some systems, such as Solaris 10.

Method 2 - Manually Copy the Key File

This method uses the scp command to copy the public key to the remote server. Before the ssh-copy-id  command came about, this was way it was done. The key file will fail to copy to the system if .ssh/authorized_keys doesn't exist. If this happens just login with your password and create the file and try again. The main downside to this method is that it overwrites the authorized_keys file.

man@earth> scp ~/.ssh/id_rsa.pub moon:~/.ssh/authorized_keys

Alternately you can get around this by doing this instead. The command below mimics what the ssh-copy-id command does. It creates the .ssh directory if it doesn't exist and appends the contents of the key to the authorized_keys file.

man@earth> cat ~/.ssh/id_rsa.pub | ssh man@moon "mkdir -p ~/.ssh  &&  cat   >>  ~/.ssh/authorized_keys

Method 3 - If You Automount Your Home Directory

If your home directory automounts across a lot of servers then you can just append the contents of the public key to the authorized_keys file. This method can be a lot faster then other methods. For example if you have 100 hosts you need to connect to, you just need to run the command once to connect to all of them. Instead of running 100 copy commands you just run one. Again this will only work if the hosts your connecting to automount the same home directory that the SSH kays are on.

You can copy it over with the cat command.

man@earth> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

The other methods will still work if you prefer them to this one. 

Setting up the SSH Agent

At this point when you login to a remote host you now get prompted for the SSH passphrase instead of the password. To automate the login process it is recommended to setup an SSH Agent. Luckily setting up an SSH Agent is easy. The agent holds the passphrase for the user and then presets the passphrase when prompted. 

There are some considerations you need to consider when running an SSH Agent. If a GUI is installed on the system, such as gnome, then the window manager may run the agent for you. This is by far the easiest way to setup an agent. If the system window manager handles SSH keys then you get prompted with a GUI text box for a passphrase the 1st time you try to SSH to a remote host. If you enter the passphrase the GUI will run the SSH Agent for you system wide for the user currently logged into that account. This lasts until the system is rebooted or the user logs out.

You can also run the agent from within a terminal or shell. When you run an agent from the terminal it will only work from that terminal and not system wide like does if the GUI manages the agent. 

To start an SSH Agent in a terminal run the commands show below. 

man@earth> eval `ssh-agent`
man@earth> ssh-add
Enter passphrase for /home/man/.ssh/id_rsa:
Identity added: /home/man/.ssh/id_dsa (/home/man/.ssh/id_rsa)

Note- Add these commands to the .bashrc file to start an agent automatically when you open a terminal emulator. 

If you use VNC, just start your VNC server session in the same terminal you used to starting your agent. This way all your terminal emulators launched in your VNC session, will use the same agent.     

SSH Agent Management

One issue with agents is that sometimes you end up running a lot of agents. This is because the agent doesn't stop running when the terminal closes. You need to run the command below and kill any agents that you are not using.

man@earth> ps aux | grep agent

If there is more than one agent running then you should kill the additional ssh-agent.

man@earth> pkill ssh-agent

This will only kill agents owned by the user running the command in.

One way to kill your ssh-agents is to add a kill statement to the .bash_logout file.

Reference Section
Manpage ssh-copy-id

Linux User Account Creation & Customization

A Systems Administrator must be able to manage user accounts by adding users, removing users, modifying accounts and setting passwords. In this tutorial, I will be giving you instructions on how to properly create user accounts on Linux operating systems. Creating a user account can be simple, but there are a few complexities to note. As opposed to a graphical user interface (GUI), these instructions use the command line to create the user accounts.

The command line provides an ideal method for account management, because it provides faster account creation, especially when you are creating several accounts on one more computers. The graphical user interface or GUI on Linux Systems can vary greatly from system to system, but the one constancy on all Linux operating systems is the command line. The command line (CLI) is a text based user interface used for entering commands for the operating system to decipher. So I will be showing the use of the useradd command which creates the user accounts, and the passswd command which sets or changes the user accounts password.

Typographical conventions.
The typographic convection section is meant to help readers better understand what it is their seeing. Please carefully read the instructions before continuing.

The courier font is used for names of commands, files, directories, user names, and on-screen computer output; for example:
Use the useradd command to add users to the computer.

The courier bold font is used for characters and numbers you type; for example:

whoami

Courier bold italic is used to represent variables that can change; for example:

passwd bob

Instructions
After each line you type into the command line press the enter key. As explained in the above typographical conventions section, anything displayed in courier bold is typed in the command line and if it is displayed in courier it is the output of the line above. To follow this tutorial open the terminal or xterm program to access the command line. Please refer to the Command & Term Reference guide, for information on commands and terms.

Note - If you don't have access to a Linux computer you can still follow along, using the Linux emulator at, "http://www.tutorialspoint.com/execute_bash_online.php" . Type the commands into the green box on the right.

Method One: Create a user, using default settings.
If you are creating a user account on just one computer, the steps below will work, but if you are creating a user account on more than one computer, use method two or three instead. If the Linux computer is not connected to any other Linux computers on the network then the method shown below will work. This the best method to of users who are novices at using the command line.

Follow the steps below to create a user account for Bob.
1) Create user account for bob

useradd bob

2) Create a password for user account bob.

passwd bob
passwd: Changing password for bob
New Password:
Re-enter new Password:
passwd: password successfully changed for bob

The passwd command sets user account passwords. In the example above it sets the password for user account bob.

Note - If you don't set the password, the user will not have a password and will not be able to log in.

3) Test user account by logging into the computer with the new user account.

su – bob

The su command stands for switch user, and it is used to switch from one user account to another. The – is an option used with the su command, it allows you to fully switch to the new user account. In order to fully test the newly created user account you must use the su command with the – option, as shown.

4) Verify you are logged in as new user.

whoami
bob

The whoami command displays the name of user currently logged in on the command line. The result of the command should be bob as shown above.

Fun Fact: The whoami command also works on Windows computers.

Creating a user account using this method was pretty easy right? This method is perfect for home users who want to add user accounts to their home PC, for their family and friends. This method is not the way to add users on a corporate network.

Method Two: Creating a user with custom setting.
This method is all about control, and is used when creating user accounts on corporate networks. One positive thing about this method is that you know exactly what is being set. The downside to the method is the high probability of making a typo. This method can be too complicated for less knowledgeable users.

1) Create the user account.
Type the entire line out before you press enter.

useradd -u 900 -g users -G video  -c “user account, Jill” -m -d /export/home/jill -s /bin/bash jill

Command Options Explained
-u        Sets user’s UID (Unique Identification Number) to 900
-g        Sets user’s primary group to users
-G        Sets user’s secondary groups to video
-c        Sets a comment for the user. Puts a comment into the /etc/passwd file.
-m        Makes the user’s home directory
-d        Sets the path to the user’s home directory
-s        Sets the user’s shell

One reason to use useradd with all the options listed above is because computers see user accounts as numbers. When we created Jill’s user account we see the account’s name as being jill, but the computer sees the account’s name as 900 or UID (Unique Identification Number) 900. Unless you set the UID by using the –u option the computer will assign the next available UID number which could result in a user having different UID numbers on different computers. This can cause issues with permissions, for example if user Bob has UID 900 on PC number one and Jill has the same UID on PC number two. Jill creates a document and stores it on the network. PC one will see that file is owned by UID 900 and so it will show Bob as the owner. Then Bob can do anything he wants to Jill’s document, including deleting it.

Note: For more information on the useradd command and it options, type man useradd into the command line. To exit the man page

2) Set Jill’s password. 

echo jillspassword | passwd -e jill –stdin

In the above series of commands, the echo command sends the word jillsmypassword to the passwd command, then the passwd command sets the user’s password to jillsmypassword. The –e shown in the above example, expires the user’s password, making the user have to change their password when they attempt to login.

Why set the password in this way, the way shown in Method one was easier? This method is a more advanced way to set a user’s password. For example, let’s say you need create ten user accounts. If you do what we did in Method one, you will need to type the new user’s password in twenty times, two times for each user. On the other hand if you use the method show here, then you only need to change the username ten times. To save on typing, the rest of the command shown above can be pasted into the command line. This method can also be used in a script, since it doesn’t require any additional input from you after you run the command.

3) Repeat steps 3 &4 from Method one to test the account.

Method Three: Configuring system settings for easier user creation.
In Method three, I will be combining the ease of use of the first method and the completeness of the second. In Method one we ran the useradd command with no options set. The Linux system still used many of the options used in Method two, but set them using system defined defaults. To see these defaults for the useradd command with the –D option; for example:

useradd -D
GROUP=2001
HOME=/home
INACTIVE=35
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

To change the default system setting run useradd –D followed by the setting you want to change. In the example below, the default shell is being changed to /bin/ksh from /bin/bash.

useradd –D –s /bin/ksh

To see if the changes took effect, run the useradd –D command again.

Note: The most common things to set is the home directory, and the shell.

1) Create user account for Sam

useradd -u 1010 -G 10 -c “user account, Sam” -m sam

Here we have the best of both words, the less typing of Method 1 and the precise settings from Method two. Setting the system defaults will allow much less of a chance of making mistakes. Now only the setting that are unique to the user will have to be set.

2) Set Sam’s password, choose the approach used in Method one or Method two.

3) Repeat steps 3 & 4 from Method one to test the account.

I showed you three variations, on using the passwd command to create user accounts. For new users on Linux, I suggest they use Method one. Intermediate to advance users should use Method two or three, though Method three is the preferred method. I hope this tutorial was informative and you learned something new.

Command & Term Reference Guide

Commands
useradd – command used to create user accounts.
passwd – command used to set user account passwords.
whoami – informs user who they are logged in as. Can also use the command id to do the same thing.
su – stands for switch user, and is used to switch between users.
man – stands for manual, used to view system manuals. The manuals are referred to as man pages.
echo – displays whatever you type on the next line.
|  - This is called a pipe, it takes the output of the command on the left and sends (pipes) it to the input of the command on the right.

Terms
Terminal and xterm: are programs that display the command line. The terms xterm, terminal and command line can, for the most part, be interchangeable.
Shell: is a customized command line environment. Examples of shells are BASH, SH, KSH and CSH.

Conclusion
Well what did you think? This post is written at a lower level than most of my other posts, because this was originally a paper I wrote for a college class. Method 3 needs a little more info, so I will write a follow on post with a little more detail on how to set the system defaults. Anyway let me know what you think and if you have any questions by posting below.

Related posts on this Blog
Adding a new user to a UNIX based system

References
Man pages: useradd, passwd
My Collage paper
The Ultimate Guide to Create Users in Linux / Unix

A Better Way to Setup SSH Keys

Note - I have a newer version of this how-to. Please click here 

This is a guide on setting up SSH Keys for a Linux based user account. Why set up SSH keys, why not just use your password? SSH Keys are considered more secure than using passwords to access systems, because user accounts are authenticated by the server without ever having to send your password over the network. If the passwords are not transmitted then they can't be intercepted. This works by identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. Not to mention if you set up a SSH agent then the agent will handle the challenge-response authentication for you.

This guide is not for installing or setting up a SSH server. You must have sshd service running on your servers in order to get your SSH to work. All the examples are take from a Red Hat or Suse servers. The ssh-copy-id command will not work on Solaris servers but all other commands should work file.

Create you key pair
The ssh-keygen command will generate a public and private keypair. The keys will be stored at ~/.ssh.The basic command looks like this: ssh-keygen -t [dsa|rsa]  The -t sets the type of keys used. In the example below I create a rsa key pair.

man@earth> ssh-keygen -t rsa
Enter file in which to save the key (/home/man/.ssh/id_rsa): Press [Enter] key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/man/.ssh/id_rsa.
Your public key has been saved in /home/man/.ssh/id_rsa.pub.
The key fingerprint is:dfhjodfnk
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01

Make sure you don't use a blank passphrase. Doing this is very insecure. Having a blank passphrase defeats the purpose of having having the extra security of a key exchange setup. It is also import to never give out your private key, which also compromises security of your account.


The old way of transferring the public key to the remote sytem.

man@earth> scp ~/.ssh/id_rsa.pub moon:~/.ssh/authorized_keys

New way

man@earth> ssh-copy-id user@moon
Now try logging into the machine, with "ssh 'remote-host'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

The reason the new way is better then the old way is that the ssh-copy-id appends the public key to the authorized_keys file. Where as the old way overwrites the authorized_keys file. This allows the account to use keys from more than one server.

Note- This method will not work on Solaris 10

If your home directory automounts across a lot of servers. You can copy it over with the cat command.

man@earth> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

You can also use this method if the ssh-copy-id command is not available to you.

man@earth> cat ~/.ssh/id_rsa.pub | ssh man@moon "mkdir -p ~/.ssh  &&  cat   >>  ~/.ssh/authorized_keys"

Setting up the SSH Agent.

man@earth> eval `ssh-agent`
man@earth> ssh-add
Enter passphrase for /home/man/.ssh/id_rsa:
Identity added: /home/man/.ssh/id_dsa (/home/man/.ssh/id_rsa)

Note- Add these commands to the .bashrc file to start an agent automatically when you login to a server. 

There are other ways to set up the agent, such as using the gnome GUI for example. If you use VNC, just start your VNC server session in the same terminal you used to starting your agent. This way all your terminals launched in your VNC session, will use the same agent.

SSH Agent Management
One issue with agents is that sometimes you end up running a lot of agents. Run the command below and kill any agents that you are not using.

man@earth> ps aux | grep agent

If there is more than one agent running then you should kill the additional ssh-agent.

man@earth> pkill ssh-agent

This will only kill agents owned by the user running the command in.

One way to kill your ssh-agents is to add a kill statement to the .bash_logout file.

Reference Section
Manpage ssh-copy-id

Related posts on this site.
How to setup SSH Keys
http://rich-notes.blogspot.com/2013/09/how-to-setup-ssh-keys.html

If you have any questions or comments please post below.

Unlock locked accounts

These are my notes no unlocking user accounts, below I go over a few ways to get a user account back up and running. Such as changing the expiration date on an expired account and resetting the PAM Tally for a user.

In keeping with the space theme, I will be using earth as the server's hostname and man as the name of the user account.

This the most common way to unlock your account.

root@earth> passwd -u man

Change the expiration date of the user account

root@earth> usermod --expire 9999 man

This works on some systems

root@earth> ipa user-unlock man

This resets the account if all else fails.

root@earth> pam_tally --user=man --reset

References.
www.cyberciti.biz
From RHEL user-unlock command
SuperUser pam command

Using SCP on Windows Command Prompt

In this post, I show how to move files between a Windows machine and a UNIX machine, using the command line. When I say a UNIX machine, I mean all UNIX based operating systems such as UNIX, Linux, FreeBSD and Mac OS. In this post I will be using the free PuTTY utility called PSCP.

As you know SSH is not supported in Windows, you will need to download a 3rd party program.
The People who make PuTTY, which gives SSH terminal emulation on Windows machines, has a program called PSCP. PSCP gives you the ability to use SCP or SFTP form the Windows command prompt.

You could use a GUI program that lets you SCP or SFTP the files. The issue with this approach is that an application with a GUI has limitations. If you use a command line tool, like PSCP, to move the files then you can also put it in a script. A script that can be used by the Windows Task manager or the UNIX crontab. PSCP is free and doesn't need to be installed.

Download pscp from  PuTTY download page.

After you download PSCP move it to your My  Documents folder. As the program doesn't need to be installed, It is ready to use as soon as you download it. All you need to do, to use PSCP is follow the examples below.

Run the command as shown below to move files from the Windows machine to a UNIX machine

Command Prompt

C:\> pscp.exe files man@earth:/path

Run the command as shown below to move files form a UNIX machine to a Windows machine.

Command Prompt

C:\> pscp.exe man@earth:/path/files  C:/path/

In the example above, man is the user name and earth is the name of the UNIX server. The user name can be left off if the user account in Windows have the same name as the user account on the UNIX server. I would highly recommend that you use the same user name on both systems.

Some options
If you want to force the use of ether SCP or SFTP add -scp or -sftp right after pscp.exe. If you want to use a SSH agent to manage you SSH Keys add the -agent option. I will go more into how to use SSH Key with PSCP in a future post.

Draw Back
In the method I shown here, you must start the SCP or SFTP session from the Windows machine. The Windows machine can't accept incoming requests, because there is no SSH sever running on the the Windows machine.

References
PuTTY documention

My BASH profile

These are notes on how I like to have my command prompt set up. I'm a BASH user so I will be updating the .profile and the .bashrc files. Both files are located in the users home directory.


This what my prompt looks like. It is a two line prompt, I find that it helps break up the commands from the output. The second line also gives more room for long commands and helps prevent the line from wrapping over top of the prompt.

earth:~

man@earth
< 

The basic bash prompt don't look all the great, as seen below. To get it look like the example above run the command below.

bash

bash$

export PS1="\[\e]2;\h:\w \a\[\e[0;31m\]\u\[\e[0m\]@\e[0;32m\h\e[0;34m\]\n<\[\e[0m\] "

Below I have posted my .profile file.

earth:~

man@earth
< more .profile

PATH=/usr/xpg4/bin:/usr/bin:/bin:/usr/sbin:/usr/local/sbin:/usr/openwin/bin:/usr/local/bin:/usr/ucb:/etc:/usr/X11/bin:/sbin:/usr/openv/netbackup:/usr/openv/netbackup/bin:/usr/openv/netbackup/bin/admincmd:/usr/openv/netbackup/bin/goodies:/usr/openv/volmgr/bin:/usr/sfw/bin/:$HOME

MANPATH=/usr/share/man:/usr/dt/man:/usr/openwin/share/man:/usr/X11/man:/usr/man:/usr/sfw/man:/usr/local/man:

EDITOR=/usr/bin/vi
TMOUT=0
TIMEOUT=0

#alias xterm="xterm -sl 1000 &"
#export PS1="\[\e]2;\h:\w \a\[\e[0;31m\]\u@\e[0;32m\h\e[0;34m\]>\[\e[0m\] "
export PS1="\[\e]2;\h:\w \a\[\e[0;31m\]\u\[\e[0m\]@\e[0;32m\h\e[0;34m\]\n<\[\e[0m\] "

The PATH statement is used to store the paths of the commands you want to use. This way you don't need to provide the full path for each command you want to run. The MANPATH statement is basically the same thing, but used to help you access the man pages.

Access the Java Control Panel

Finding the Java Control Panel in Windows is easy. Now try finding it on a UNIX based system, not so easy. Below are my notes on accessing the Java Control Panel for both Oracle Java and IBM Java.





Sun/Oracle
/usr/java/jdk1.7.0_21/bin/ControlPanel

IBM
/usr/bin/java -viewer

If you have something to please post a comment below.

Get the OpenSSL version

I often have to check which versions of applications we have installed our servers. Below I have post the method of checking the version of OpenSSL installed on a server. The command below should work with any UNIX based operating system. I might even work on Windows.

man@earth> openssl version -a

To find the non system or embedded versions you will have to run the find command. Shown below.

root@earth> find / -name openssl -type f 2>/dev/null

I hope this helps someone

My BASH Promt

Below are my notes on how I like my BASH prompt setup. This prompt has two lines which I find helps to break up the commands from the output. The second line also gives more room for long commands and helps prevent the line from wrapping over top of the prompt. I also update the title bar on the terminal or xterm with the hostname and current working directory. I find this helpful because this way I will always know who I am on the system, what server I'm logged into and what directory I'm in without typing any commands.

earth:~

man@earth
< 

Cut and paste the line below into your terminal or add in to your .profile file. If you like my prompt.
export PS1="\[\e]2;\h:\w \a\[\e[0;31m\]\u\[\e[0m\]@\e[0;32m\h\e[0;34m\]\n<\[\e[0m\] "

If you have any suggestions or questions post them below.

How to setup SSH Keys

Note - I have a newer version of this how-to. Please click here 

This is a guide on setting up SSH Keys for a UNIX based account. What are SSH keys you ask? They are means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. SSH Keys are considered more secure than using passwords to access systems, because user accounts are authenticated by the server without ever having to send your password over the network. If the passwords are not transmitted then they can't be intercepted.
This guide is not for installing or setting up a SSH server. You must have SSH running on your servers in order to get your SSH keys to work. All the examples are take from a Solaris 10 (SPARC) server. This guide should as work on any UNIX based operating system like Linux, BSD and the Mac.

Create you key pair
The ssh-keygen command will generate a public and private keypair. The keys will be stored at ~/.ssh.The basic command looks like this: ssh-keygen -t [dsa|rsa]  The -t sets the type of keys used. In the example below I create a rsa key pair.

man@earth> ssh-keygen -t rsa
Enter file in which to save the key (/home/man/.ssh/id_rsa): Press [Enter] key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/man/.ssh/id_rsa.
Your public key has been saved in /home/man/.ssh/id_rsa.pub.
The key fingerprint is:dfhjodfnk
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01

Make sure you don't use a blank passphrase. Doing this is very insecure. Having a blank passphrase defeats the purpose of having having the extra security of a key exchange setup. It is also import to never give out your private key, which also compromises security of your account.

Copy public key
Copy you public key to the authorized_keys file on the remote server.

man@earth> scp ~/.ssh/id_rsa.pub moon:~/.ssh/authorized_keys

If your home directory automounts across a lot of servers. You can copy it over with the cat command.

man@earth> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Setup Agent
At this point, when you login you get prompted for a passphase. To stop this from happening you need to setup a SSH agent. Run the command below and type in your passphare when prompted.

man@earth> eval `ssh-agent`
man@earth> ssh-add
Enter passphrase for /home/man/.ssh/id_rsa:
Identity added: /home/vivek/.ssh/id_dsa (/home/man/.ssh/id_rsa)

There are other ways to set up the agent such as using the gnome GUI for example. Unfortunately that only works if your running a gnome desktop. If your a VNC user, you should start your VNC server session after starting your agent in the same terminal. This way all your terminals launched in your VNC session, will use the same agent.

One issue with agents is that sometimes you end up running a lot of agents. Run the command below and kill any agents that you are not using, as a good practice.

man@earth> ps -ef | grep agent

References
g-loaded.eu
Symantec: SSH and ssh-agent

If you have any questions or comments please post below.

Adding, Deleting or Changing a Group in UNIX

This is a little how to on creating, deleting or modifying a group on a UNIX based computer.

root@earth> /usr/sbin/groupadd -g # groupname
If you us -g the option, you will be able to set the GID for the group. If the GID is not set then the OS will choose one.

To delete a group.
root@earth> /usr/sbin/groupdel groupname

To change a group
root@earth> /usr/sbin/groupdel -g # -n newgroupname groupname
Use the -g option to change the group gid and use -n to change the name of the group.

Use these commands only for local accounts. If a network nameservice or directory server is running then use that service instead.

Getting NetBackup 7.5 files for install

We just upgraded our NetBackup from 7.1 to 7.5. These are my notes on upgrading our UNIX and Linux clients.

Go to https://fileconnect.symantec.com and download the required files. You will need to enter a serial number to get access to the files. As seen to the right.

After you download the files you will have to join them together before you can do a install.


Unix joining instructions:
cat "NB_CLT_7.5.0.4-tar-split.1of3" "NB_CLT_7.5.0.4-tar-split.2of3" "NB_CLT_7.5.0.4-tar-split.3of3" > "NB_CLT_7.5.0.4.tar"

now you are ready to begin the install.

Bash Shortcut keys

I found this little reference chart on the short cut keys in BASH. These short cut keys allow for command line editing. I for example use Ctrl + A all the time to edit the line.

Ctrl + A	Go to the beginning of the line you are currently typing on
Ctrl + E	Go to the end of the line you are currently typing on
Ctrl + L	Clears the Screen, similar to the clear command
Ctrl + U	Clears the line before the cursor position. If you are at the end of the line, clears the entire line.
Ctrl + H	Same as backspace
Ctrl + R	Let’s you search through previously used commands
Ctrl + C	Kill whatever you are running
Ctrl + D	Exit the current shell
Ctrl + Z	Puts whatever you are running into a suspended background process. fg restores it.
Ctrl + W	Delete the word before the cursor
Ctrl + K	Clear the line after the cursor
Ctrl + X	Then Backspace clear the line before the cursor
Ctrl + T	Swap the last two characters before the cursor
Esc + L	Changes to upper case
Esc + U	Changes to lower case
Esc + T	Swap the last two words before the cursor
Alt + F	Move cursor forward one word on the current line
Alt + B	Move cursor backward one word on the current line
Tab	Auto-complete files and folder names

Referance:
http://www.howtogeek.com/howto/ubuntu/keyboard-shortcuts-for-bash-command-shell-for-ubuntu-debian-suse-redhat-linux-etc/
I found this chart at the link above.

How to use VNC to view a remote system

VNC is a free 3rd party program that allows a remote login, similar to Remote Desktop in Windows or Daemonware. One nice thing about VNC, is that it's multi-platform. It works on Windows, UNIX, BSD, Linux and MAC. The down side to using VNC is that it's insecure, but you can wrap it in a SSH tunnel. Most of my experience with VNC is on Solaris and Red Hat. Most of the examples below are from a Solaris server.


To see if any VNC sessions is running on your server run the command below. # ps -ef|grep vnc
If you have a session running it will look like this. rich 15137 14170  0 Nov 24 ?    0:00  vncconfig -iconic
rich  538  8833   0 Nov 24 ?    7:34  Xvnc :1 -desktop server:1 (rich) -auth /home/rich/.Xauthority -geometry 1900
To start a basic VNC server session just type vncserver. # vncserver After you run this command you will get a session ID number. For example the first user of VNC server will get session number 1. When you connect to the session from a remote computer you use the hostname:1.

You will also need to set the VNC password to connect the session. # vncpasswd This sets the password for your account.

If you want more options, check the these popular options below. For screen size use -geometry widthxhight. If the computer you are connecting from doesn't have VNC Viewer installed then, you can use the -httpd option to connect using a web browser.  # vncserver :3 -geometry 800x600 -http

VNC is installed on MACs and you can turn on the VNC server by going to System Preferences -->  Sharing. Select Remote Management and then click Computer settings. In the drop down select VNC viewers may control screen with password. Then put in desired password in box.

The xstartup file controls the desktop you get. Uncomment lines 4 & 5 to get a gnome desktop.

Sometimes you need to shutdown the VNC session your using. # vncserver -kill :#Replace # with the session number VNC gave you.

Now that you have started the VNC server you will want to connect to use it. From a UNIX or Linux  you run the following command. vncviewer hostname:1 # vncviewer server1:1
If you are using VNC from a Windows PC, then there is a VNC viewer application.


Warning: If you auto-mount your home directory. Beware that different operating systems have different setting in the xstartup file. All VNC sessions use the same xstartup file, so changes made by you or the VNC program will effect the VNC experience. I ran into an issue when I tried to use the gnome desktop on both a RHEL & Solaris 10 servers. When I got the gnome desktop working for RHEL the gnome desktop was unusable with Solaris 10. The best way to get around this is to use different accounts or different windowing programs on different operating systems.

Important VNC files
$HOME/.vnc/xstartup -- The file that controls them all. This is the main config file used for the session on VNC server.

$HOME/.vnc/passwd -- The VNC password file

$HOME/.vnc/host:display#.log -- The log file for Xvnc and applications started in xstartup

$HOME/.vnc/host:display#.pid -- Identifies the Xvnc process ID, used by the -kill option.

Package list for Solaris 10
SUNWxvnc                VNC Server
SUNWvncviewer       VNC Viewer

Restrict the ability to switch to the root user

Having the ability to be come root is great, but if the wrong person gets the root password then bad things can happen. So lets make it a little harder on them. In the steps below I'm going to make the the su command unusable to a normal user. First we will remove the permissions for other. Then changing the group ownership to sysadmin so only users in the sysadmin group (gid 14) can su and become root.

Change permissions and group ownership on the su command
# cd /usr/bin
# ls -la su
-r-sr-xr-x 1 root sys 21192 Dec 28 12:30 su
# /usr/bin/chgrp syadmin su
# /usr/bin/chmod 04750 su
# ls -la su
-rwsr-x--- 1 root sysadmin 21192 Dec 28 12:30 su
Now lets change the su.static file. # cd /sbin
# ls -la su.static
-r-sr-xr-x 1 root sys 21192 Dec 28 12:30 su
# /usr/bin/chgrp syadmin su.static
# /usr/bin/chmod 04750 su.static
# ls -la su.static
-rwsr-x--- 1 root sysadmin 21192 Dec 28 12:30 su.static

Restict SSH logins

As a System Administrator you always want to make your servers more secure. With that being said I'm going to restrict ssh logins. To do this, I will make a change to the /etc/ssh/sshd_config file. This change will limit the ability of accounts to login using ssh to only accounts in a the users group. The example below is from a Solaris 10 server, but this will still work on any UNIX, BSD and Linux system. We have done this on Solaris 10, RHEL 5 and SLES 11 servers at my work place.


Before you begin,  login to the server using a remote console or at least more then one terminal. I had one co-worker lock himself out of the server because he forgot to add himself to the users group before he restarted ssh. I would also take note of any programs that use ssh so you don't lock them out.

# vi /etc/ssh/sshd_config
Add the following line to the /etc/ssh/sshd_config file. AllowGroups users You can use any group you want, you don't have to use the users group. Often you will find that many people like to use the group sshusers for this function. I use the default group users, because all the user accounts use SSH to access my servers. Make sure you check all you application accounts and make use they are the in the group that are using for SSH. otherwise your applications may no longer work.

To have the changes take affect you need to restart the sshd process. # svcadm restart ssh or # /etc/rc2.d/K03sshd stop
# /etc/rc2.d/K03sshd start

Test the the new setup by trying to login with one accout not in the users group and one that is. The account that is in the users group should be able to login, but the account that is not should not.

 If you have anything to add please post below.

Make Firefox load ILOM pages

I had this issue where Firefox wouldn't load ILOM pages right. I've also noticed that I'm not the only one with this issue. So I'm posting this little how-to for people who are still struggling with this. Basically the content section of the ILOM webpage will not display.

For those who don't know ILOM stands for Integrated Lights Out Manager. It is a web interface that helps you remotely manage servers. This interface is good for monitoring hardware issues and can can send out SNMP traffic. The ILOM can also give you console access. Meaning that you get a console or window that stays connected even during a reboot. Basically it is as if you are physically standing in front of the server with a keyboard and monitor.

Each user will have to add the following file to their home directory.
In ~/.mozilla/firefox/profile_id.default/chrome add a file called userContent.css@media print {
}

@namespace url(http:www.w3.org/1999/xhtml);
#mainpage { visibility: visible !important; }
Note - The profile_id.default will be the only file with .default at the end in the firefox directory. You may have to create the chrome directory.

I originally posted this fix at the forum linked to below, under the user name cyberninja.
https://forums.oracle.com/forums/thread.jspa?messageID=10283552
I also provided this fix to Oracle tech support and if you put in a trouble ticket to My Oracle Support this is the solution they will provide you. So in other words, this is the Oracle supported fix.

I have a second part to this post, where I fix a connection issue between the chassis and their blades.

How-to change the IP address on a Solaris server

This post is a how to, for changing an IP address on a Solaris operating system. I will show you how to change the IP address and sudnet mask for both a global zone and a full root zone. For the examples on this page I will be using the Solaris 10 operating system. The global zone will be called earth and the zone will be called moon.


Solaris 10 
root@earth> ifconfig [interface] x.x.x.x/x
The /x at the end is used to set the netmask and is optional. If the netmask is not set Solaris will use the default /24 for a class C address, if the IP address is a class C address.

root@earth> ifconfig [interface] plumb x.x.x.x/x up
This command sets the IP adddress and brings up the interface.

Note this is not a permanent fix. The server will revert back to the old IP address after a reboot. To prevent this, perform the steps below.
root@earth> echo x.x.x.x/x > /etc/hostname.[interface]

Add the IP address and hostname to the /etc/hosts file.

Use this command to restart the service instead of rebooting the server.
root@earth> svcadm restart network/physical

Change the IP address of a Solaris 10 zone.
The steps above can be used to change the IP address from within the zone. Though if the NIC is controlled by the global zone, ie a shared interface. Then steps below will show you how to change the IP address of the zone, from the global zone.
root@earth> zonecfg -z moon
zonecfg:moon> select net address=x.x.x.x/x
zonecfg:moon:net> set address=x.x.x.x/x
zonecfg:moon:net> set physical=[interface]
zonecfg:moon:net> set defrouter=x.x.x.x/x
zonecfg:moon:net> end
zonecfg:moon> verify
zonecfg:moon> commit
zonecfg:moon> exit

You may have to remove the the old IP address first. If so follow the steps below.
root@earth> zonecfg:moon> remove address=x.x.x.x/x
zonecfg:moon> add net
zonecfg:moon:net> set address=x.x.x.x/x
zonecfg:moon:net> set physical=[interface]
zonecfg:moon:net> set defrouter=x.x.x.x/x
zonecfg:moon:net> end

Now reboot the zone and check the zone status.root@earth> zoneadm -z moon  reboot
root@earth> zoneadm list -cv

ID NAME	STATUS	PATH	BRAND	IP
global	running	/	native	shared
moon	running	/export/zones/moon	native	shared

I hope this helps someone. If you have an suggestions or questions please post below.

Use sudo without a password

These are my notes for setting up users so they can use sudo without a password. This how-to is for a system that already has sudo installed on a server. Basically what I'm doing here, is giving a group the ability to use sudo without a password and then assigning users to that group.

To edit the sudoers file, use the command below.

# visudo

Add the following line.
sysadmin ALL=(ALL) NOPASSWD: ALL
In this example the sysadmin group can now sudo without needing to use a password, but any group can be used.

Note - I use the sysadmin group for Solaris and the wheel group for RHEL & SLES.

Add the user rich to the sysadmin group.

# usermod -G sysadmin man

The -G option adds the user man to the sysadmin group. If you use -g instead the sysadmin group will be added as the primary group.

Following the steps above should now give access to sudo without needing to enter a password. If you have any questions or comments please post below.

Simular pages on this blog:
Setup no password sudo on RHEL

Updating Java in NetBackup

These are my notes on updating the embedded Java in NetBackup. The Symantec NetBackup patches can't keep up with the Java security patches from Oracle. The way to get around this is to use the Java installed on the server instead of the embedded Java in NetBackup. Sometimes System administrators will just link the embedded program to the system program, this is not what I'm doing here. It is similar though, the fix I'm explaining here is supported by Symantec. The examples I give on this post are from a Solaris 10 (x86) server, but the steps below will work on any server that NetBackup runs on. The embedded Java is installed on all NetBackup servers and clients.

First we need to find all the java on the server. Running the commands java -version or which java is not enough. These commands only show the main Java on the server, as shown by the examples below. # java -version
Java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b03)
Java HotSpot(TM) Server VM (build 20.8-b03, mixed mode)
# which java
/usr/bin/java
Use the find command to find all the Java on your server. # find / -name java -type f
/usr/jdk/instances/jdk1.6.0/bin/amd64/java
/usr/jdk/instances/jdk1.6.0/bin/java
/usr/jdk/instances/jdk1.6.0/jre/bin/java
/usr/jdk/instances/jdk1.6.0/jre/bin/amd64/java
/usr/jdk/instances/jdk1.5.0/bin/java
/usr/jdk/instances/jdk1.5.0/bin/amd64/java
/usr/jdk/instances/jdk1.5.0/jre/bin/java
/usr/jdk/instances/jdk1.5.0/jre/bin/amd64/java
/usr/openv/java/jre/java
/usr/openv/java/jre/amd64/java The last two lines in the above example are the embedded Java in NetBackup.

To find out what version of Java is on the server. Put the path statements above into the terminal with  -version at the end. Like the example below.
# /usr/jdk/instances/jdk1.6.0/bin/java -version
Java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b03)
Java HotSpot(TM) Server VM (build 20.8-b03, mixed mode)
Open the .nbjConf in your favorite editor. # vi /usr/openv/java/.nbjConf
Change the JAVA_PATH to: JAVA_PATH=/usr/jdk/instances/jdk1.6.0/jre/bin/java
If NetBackup uses a different version of Java then the Java installed on your system it will still work for the client. I have tested this with NetBackup 7.1, which was using java 1.6.0_26, and set it up to work with Java 1.5.0_36. The Media server and the Master server need to have the same version of Java in order to work though.

Test Nebackup by performing a backup. If there are no errors then delete the two embedded Java files for NetBackup.

References:
NetBackup Instructions

If you have any questions or comments, please post them below.