Thursday, October 6, 2011

scp without password

8 steps explain how to perform SSH and SCP from local-host to a remote-host without entering the password on openSSH system

1. Verify that local-host and remote-host is running openSSH

[local-host]$ ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

[remote-host]$ ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

2. Generate key-pair on the local-host using ssh-keygen

[local-host]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
The key fingerprint is:
31:3a:5d:dc:bc:81:81:71:be:31:2b:11:b8:e8:39:a0 jsmith@local-host
The public key and private key are typically stored in .ssh folder under your home directory. In this example, it is under /home/jsmith/.sshd. You should not share the private key with anybody.

By default the ssh-keygen on openSSH generates RSA key pair. You can also generate DSA key pair using: ssh-keygen -t dsa command.

3. Install public key on the remote-host.

Copy the content of the public key from the local-host and paste it to the /home/jsmith/.ssh/authorized_keys on the remote-host. If the /home/jsmith/.ssh/authorized_keys already has some other public key, you can append this to the end of it. If the .ssh directory under your home directory on remote-host doesn’t exist, please create it.

[remote-host]$ vi ~/.ssh/authorized_keys
ssh-rsa ABIwAAAQEAzRPh9rWfjZ1+7Q369zsBEa7wS1RxzWR jsmith@local-host
In simple words, copy the local-host:/home/jsmith/.ssh/id_rsa.pub to remote-host:/home/jsmith/.ssh/authorized_keys

4. Give appropriate permission to the .ssh directory on the remote-host.

[remote-host]$ chmod 755 ~/.ssh
[remote-host]$ chmod 644 ~/.ssh/authorized_keys

5. Login from the local-host to remote-host using the SSH key authentication to verify whether it works properly.

[local-host]$

[local-host]$ ssh -l jsmith remote-host
Enter passphrase for key '/home/jsmith/.ssh/id_rsa':
Last login: Sat Jun 07 2008 23:03:04 -0700 from 192.168.1.102
No mail.

[remote-host]$

6. Start the SSH Agent on local-host to perform ssh and scp without having to enter the passphrase several times.

Verify whether SSH agent is already running, if not start it as shown below.

[local-host]$ ps -ef | grep ssh-agent
511 9789 9425 0 00:05 pts/1 00:00:00 grep ssh-agent

[local-host]$ ssh-agent $SHELL

[local-host]$ ps -ef | grep ssh-agent
511 9791 9790 0 00:05 ? 00:00:00 ssh-agent /bin/bash
511 9793 9790 0 00:05 pts/1 00:00:00 grep ssh-agent

7. Load the private key to the SSH agent on the local-host.

[local-host]$ ssh-add
Enter passphrase for /home/jsmith/.ssh/id_rsa:
Identity added: /home/jsmith/.ssh/id_rsa (/home/jsmith/.ssh/id_rsa)
Following are the different options available in the ssh-add:

ssh-add : Load a specific key file.
ssh-add -l: List all the key loaded in the ssh agent.
ssh-add -d : Delete a specificy key from the ssh agent
ssh-add -D: Delete all key

8. Perform SSH or SCP to remote-home from local-host without entering the password.

[local-host]$

[local-host]$ ssh -l jsmith remote-host
Last login: Sat Jun 07 2008 23:03:04 -0700 from 192.168.1.102
No mail.

[remote-host]$

Saturday, April 17, 2010

PHP Snippet codes

Get Script name & URL
=====================
$url = $_SERVER['SCRIPT_NAME'];
if( $url ) {
$url = strrev($url);
$last_slash = strlen($url) - strpos($url,'/') - 1;
$url = strrev($url);
if( $last_slash ) {
$file_name = substr($url,$last_slash);
$filename = explode('/',$file_name);
$fname = $filename[1];
}
}
echo "Script URL is " . $url;
echo "
Script name is ". $fname;
?>

Wednesday, August 6, 2008

Generate ssl certs

https certs
===========
Setp 1> Generate ssl certificates

#openssl genrsa -des3 -out hostname.key 1024

#openssl req -new -key hostname.key -out hostname.csr

#openssl x509 -req -days 365 -in hostname.csr -signkey hostname.key -out hostname.crt

step 2> Add Certificate to /etc/httpd/conf.d/ssl.conf


# vi /etc/httpd/conf.d/ssl.conf

(note: just remove comment "#" from SSLCertificate and add filename)

# Server Certificate:
SSLCertificateFile /etc/httpd/conf/cert/hostname.crt
# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/cert/hostname.key

dovecot ssl certs
==================
Setp 1> Generate ssl certificates


#openssl genrsa -des3 -out /usr/share/ssl/private/dovecot.pem 2048

#openssl req -new -x509 -key /usr/share/ssl/private/dovecot.pem -out /usr/share/ssl/certs/dovecot.pem -days 1095

step 2> modify into /etc/dovecot.conf

URL redirect

Redirect Directive

Description: Sends an external redirect asking the client to fetch a different URL
Syntax: Redirect [status] URL-path URL
Context: server config, virtual host, directory, .htaccess
Override: FileInfo
Status: Base
Module: mod_alias

The Redirect directive maps an old URL into a new one by asking the client to refetch the resource at the new location.

The old URL-path is a case-sensitive (%-decoded) path beginning with a slash. A relative path is not allowed. The new URL should be an absolute URL beginning with a scheme and hostname.

Example:

vi /etc/apache2/apache2.conf

RewriteEngine on
Redirect /service http://www.bar.com/service

If the client requests http://myserver/service/foo.txt, it will be told to access http://www.bar.com/service/foo.txt instead.


Meta Refresh URL Redirect

Meta Refresh URL Redirect is an example of a meta refresh URL redirect.
The code is,

< meta http-equiv="refresh" content="5;url=http://www.foo.org" />

This method displays the new page that the refresh points to by 5 seonds.


PHP URL Redirect

The code for redirect URL, code goes at the top of the page.
header("location:http://www.foo.org/index.php");
exit;
?>

Monday, August 4, 2008

All about RPM

How can I install or upgrade a package? Can I install an old one?

// Simply install rpm

rpm -i package.rpm

// The "-v" is for verbose and "-h" for the hashing marks.

rpm -ivh package.rpm

// Upgrade / Install a new-package

rpm -Uvh new-package.rpm

// Downgrade Samba to old version

rpm -Uvh --oldpackage Samba-old-version.rpm

// Simply remove a package

rpm -e package

// Simulate what will be done before erase

rpm -e --test package;

// Backup the package before erase

rpm -e --repackage package

// see dependencies of the RPM package you're trying to erase

rpm -q --whatrequires kernel

// Simply query an installed package

rpm -q yum

// know all installed packages on your system

rpm –qa

// Check if pkg is installed

rpm -qa | grep -i pkg

// Query an uninstalled pkg

rpm -qpi vnc-server-4.0-0.beta4.3.2.i386.rpm

// get list of packages & programs required for some pkg installation

rpm -qpR package.rpm

// query an installed package eg. Kernel

rpm -qR kernel

// find which package the file /usr/bin/smbmount belongs to

rpm -qf /usr/bin/smbmount

// list what files will be installed by a package

rpm -ql cpp

// list what files will be installed by an RPM package

rpm -qpl cpp-3.3.2-1.i386.rpm

//Direct install frm ftp server

rpm -Uvh ftp://user:pass@ftpserver/directory/package.rpm

// anonymous ftp and using proxy

rpm -qpl --ftpproxy proxyserver --ftpport port ftp://ftpserver/dir/remote-package.rpm
rpm -qpR --httpproxy proxyserver --httpport port http://webserver/dir/remote-package.rpm

// simulate the effect of execution- "rpm -ivh new-kernel.rpm"

rpm -ivh --test new-kernel.rpm

// Freshen / Upgrade only installed packages

rpm -Fvh new-package.rpm

// figure out the Kernel version(smp, bigmem) and base arch(i386, athlon)?

rpm -q --qf "Kernel arch type is: %{ARCH}\nKernel name is: %{VERSION}\n" kernel

How can I install a new Kernel version but keeping my old one installed?
When upgrading or installing a new Kernel version from a RPM package, the first thing you have to know is what Kernel to use. Always try to keep the current Kernel installed when upgrading, so you can test the new installed image an see if you'll get in trouble for some reason, if this happens so you can reboot with the current one. Starting from this point, we can say: Never use the "Freshen" or "Upgrade" commands unless you really knows what will going to happen. When upgrading critical packages like Kernel, try to use the Test option before executing the final command. And always try to install, not upgrade.
And finally, when upgrading, use the Backup option "--repackage" so you can reinstall the old package you've removed during upgrade process. You can issue the command below to upgrade the Kernel and making a backup of the current and installed Kernel package:
rpm -Uvh --repackage new-kernel.rpm
The Old RPM will be generated on "_repackage_dir" RPM macro, usually /var/spool/repackage. If some problem occurs with the new installed Kernel version, then use the following command to reinstall the old one:
rpm -ivh --oldpackage /var/spool/repackage/old-kernel.rpm

Make backups of old packages when updating or removing them?

rpm -Uvh --repackage new-package.rpm
rpm -e --repackage n
The backup RPMs will be generated on "_repackage_dir" RPM macro, usually /var/spool/repackage. If some problem occurs, then use the following command to reinstall: ew-package.rpm
rpm -Uvh --oldpackage /var/spool/repackage/old-package.rpm

How can I check digests and signatures against a package?

Every RPM package can be signed with a GPG key and has an MD5 hash inside its header so one can verify and validate a package. The first thing you must check is the presence of the GPG public key, you can only verify a signature if you have the right public key installed.
To install the keys, look at the directory /usr/share/rhn/, this is usually the place where GPG-KEYS are. The following command will import/install the key:

rpm --import /usr/share/rhn/GPG-KEY
rpm -qi gpg-pubkey | more // See keys already installed in ur system

rpm -K package.rpm // to verify(md5, sha1, gpg) a package.

// example output against the Iptables package:

# rpm -K /ftp/linux/fedora/1/updates/i386/iptables-1.2.9-1.0.i386.rpm
/ftp/linux/fedora/1/updates/i386/iptables-1.2.9-1.0.i386.rpm: (sha1) dsa sha1 md5 gpg OK

# rpm --showrc | grep repackage // show values of macro
-14: _repackage_all_erasures 0
-14: _repackage_dir /var/spool/repackage
-14: _repackage_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm
-14: _repackage_root %{nil}

How can I get RPM back? The command "rpm -qa" returns nothing!

Sometimes the RPM database gets broken and rpm command freezes or doesn't work as expected. How to solve this problem:

rm -f /var/lib/rpm/__* ; rpm -vv --rebuilddb

How to figure out the installation time of my packages?

rpm -qa --queryformat '%{installtime} %{installtime:date} %{name}-%{version}\n' | sort -n | sed 's/^[0-9]*//'

OR

rpm -qa -last | tac

How to figure out the size of a installed package?

rpm -qa --queryformat '%10{size} %{name}-%{version}\n' | sort –n

Thursday, June 5, 2008

creating NAT using Linux IPtables

If you are running a recent 2.6 Linux Kernel this four step process should work for you. This has been specifically tested on FCore 3, 4, 5, and 6.. should work on any modern Linux distribution. All of these commands must be executed as the root user.

First you need to tell your kernel that you want to allow IP forwarding.

echo 1 > /proc/sys/net/ipv4/ip_forward

Then you'll need to configure iptables to forward the packets from your internal network, on /dev/eth1, to your external network on /dev/eth0. You do this will the following commands:

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

You should now be NATing. You can test this by pinging an external address from one of your internal hosts. The last step is to ensure that this setup survives over a reboot. Obviously you should only do these last two steps if your test is a success.

You will need to edit /etc/sysctl.conf and change the line that says net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1. This essentially tells your kernel to do step one on boot.

Ok last step for Fedora/RHEL users. In order for your system to save the iptables rules we setup in step two you have to configure iptables correctly. You will need to edit /etc/sysconfig/iptables-config and make sure IPTABLES_MODULES_UNLOAD, IPTABLES_SAVE_ON_STOP, and IPTABLES_SAVE_ON_RESTART are all set to 'yes'.

For non-Fedora/RHEL users you can simply setup an init script for this or simply append these commands to the existing rc.local script so they are executed on boot

Thursday, October 18, 2007

creating global rules in openwebmail

open Openwebmail cgi-bin folder (/var/www/cgi-bin/openwebmail)/etc/filter.book and add the rule. Local user rules exist in ~user/.openwebmail/webmail/filter.book