Re: [CentOS] disable ZTS in php

2015-10-30 Thread bluethundr
Ok got it Eero. Thanks for the info!

Tim 

Sent from my iPhone

> On Oct 30, 2015, at 12:29 PM, Eero Volotinen  wrote:
> 
> I think command name is yum-downloader.
> 
> Then modify spec and rpmbuild -ba specname.spec
> 
> You need also modify version number a bit. Rebuilding is a bit issue as you
> need to recompile as security patches come out ..
> 
> Eero
> 30.10.2015 6.04 ip. "Tim Dunphy"  kirjoitti:
> 
>> Yeah Erro, ok you have a point. I'll do that. Thanks!
>> 
>> On Fri, Oct 30, 2015 at 11:40 AM, Eero Volotinen 
>> wrote:
>> 
>>> This is really wrong way to do this. Install yum-utils and use
>>> yumdownloader --source package-name to get rhel version of package. Then
>>> modify spec file and recompile.
>>> 
>>> Eero
>>> Hey guys,
>>> 
>>> I'm trying to disable ZTS in php, because an application we need
>>> (AppDynamics) is not compatible with it.
>>> 
>>> So I tried compiling php with the following flags:
>>> 
>>> php -i | grep configure
>>> Configure Command =>  './configure'  '--with-apxs2=/opt/apache2/bin/apxs'
>>> '--with-zlib=/usr' '--prefix=/opt/php-5.6.8' '--with-libdir=lib64'
>>> '--with-config-file-path=/etc' '--enable-mime-magic' '--enable-pcntl'
>>> '--libexecdir=/usr/libexec' '--with-bz2' '--with-curl' '--with-gd'
>>> '--with-freetype-dir=/usr' '--with-png-dir=/usr/lib64'
>>> '--enable-gd-native-ttf' '--with-iconv' '--with-jpeg-dir=/usr/lib64'
>>> '--with-zlib' '--with-ldap' '--enable-exif' '--enable-sockets'
>>> '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx'
>>> '--with-kerberos' '--enable-shmop' '--enable-calendar' '--with-xmlrpc'
>>> '--enable-soap' '--disable-pdo' '--with-openssl' '--with-xsl'
>>> '--enable-dbx' '--enable-mbstring' '--with-mcrypt=/usr' '--enable-bcmath'
>>> '--enable-pdo' '--with-pdo-mysql=/usr' '--with-mysql'
>>> '--with-mysqli=/usr/bin/mysql_config' '--enable-zip'
>>> '--enable-dba=shared'
>>> '--with-gettext=shared' '--with-gmp' '--enable-ftp' '--with-pspell'
>>> '--with-config-file-scan-dir=/etc/php.d'* '--disable-maintainer-zts'*
>>> 
>>> 
>>> And for some reason the AppD installer is claiming that ZTS is still
>>> enabled. So what I'd like to know is, did I disable ZTS correctly? If I
>>> did
>>> that means the problem is on the AppD side so we should take a look
>>> there.
>>> 
>>> Appreciate any help on this!
>>> 
>>> Thanks
>>> Tim
>>> 
>>> --
>>> GPG me!!
>>> 
>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>> ___
>>> CentOS mailing list
>>> CentOS@centos.org
>>> https://lists.centos.org/mailman/listinfo/centos
>> 
>> 
>> 
>> --
>> GPG me!!
>> 
>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>> ___
>> CentOS mailing list
>> CentOS@centos.org
>> https://lists.centos.org/mailman/listinfo/centos
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
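An added check for the question Tim opens the thread with (is ZTS really off?). This is example code written for this page, not taken from the thread, from PHP or from AppDynamics, and the `php -i` and `httpd -V` excerpts inside it are constructed samples. Two facts drive it: `php -i` prints a `Thread Safety => enabled|disabled` line, which is the authoritative answer for a given binary; and PHP 5's apache2handler configure asks the apxs it is given whether httpd was built with a threaded MPM (`httpd -V` reports `threaded: yes`) and turns ZTS on when it is, whatever `--disable-maintainer-zts` says. The function names are my own.

```shell
#!/bin/sh
# Constructed `php -i` excerpt (labels are the ones php -i prints; the
# values are made up for the demo).
sample_php_i() {
cat <<'EOF'
PHP Version => 5.6.8
Thread Safety => enabled
Zend Signal Handling => disabled
EOF
}

# Constructed `httpd -V` excerpt for a worker-MPM build of Apache.
sample_httpd_v() {
cat <<'EOF'
Server version: Apache/2.2.3
Server MPM:     Worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
EOF
}

# Print "enabled" or "disabled" from php -i output.
php_thread_safety() {   # $1 = text of `php -i`
    printf '%s\n' "$1" | sed -n 's/^Thread Safety => *//p' | head -n 1
}

# Return 0 if httpd -V reports a threaded MPM. PHP 5's configure runs this
# same test against the apxs named in --with-apxs2 and switches ZTS on when
# it sees "threaded: yes".
httpd_mpm_threaded() {   # $1 = text of `httpd -V`
    printf '%s\n' "$1" | grep -q 'threaded:.*yes'
}

# One-line verdict combining the two.
zts_verdict() {   # $1 = php -i text, $2 = httpd -V text
    ts=$(php_thread_safety "$1")
    if [ "$ts" = disabled ]; then
        echo "ZTS disabled"
    elif httpd_mpm_threaded "$2"; then
        echo "ZTS enabled: apxs points at a threaded MPM, so configure forced it on; build against a prefork httpd"
    else
        echo "ZTS enabled: check the configure flags"
    fi
}

# On the box from the thread (Apache under /opt/apache2):
#   zts_verdict "$(php -i)" "$(/opt/apache2/bin/httpd -V)"
```

The last line is the real invocation; the sample functions exist only so the logic can be exercised without a PHP build.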


[CentOS] keychain problem

2011-01-15 Thread bluethundr
hello centos.. I am having a very annoying problem on my network right
now. it looks like every time I try to add my ssh key to keychain I
have to issue a command just to get my ssh subsystem communicating
with the ssh-agent:

I have this line in my .bashrc file

$(keychain --eval --quick --quiet private_key1 private_key2 private_key3)

If I try to perform ssh-add I get the message:

[bluethundr@VIRTCENT01:~]#ssh-add
Could not open a connection to your authentication agent.

So then I try to execute ssh-agent:


bluethundr@amanda:~]#exec ssh-agent bash
 * Warning: can't find private_key1; skipping
 * Warning: can't find private_key2; skipping
 * Warning: can't find private_key3; skipping
bash: SSH_AUTH_SOCK=/tmp/ssh-cdJlgq6077/agent.6077;: No such file or directory

Then I can add it.

[bluethundr@amanda:~]#ssh-add
Enter passphrase for /home/bluethundr/.ssh/id_rsa:
Identity added: /home/bluethundr/.ssh/id_rsa (/home/bluethundr/.ssh/id_rsa)

But if I ssh away from this box and then ssh back INTO it.. and then
sometime later have to ssh away again it asks me for my ssh key's
passphrase. See what I mean by 'annoying problem'?

Thanks in advance for your help!



-- 
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[CentOS] keychain problem(with config file)

2011-01-15 Thread bluethundr
Sorry meant to attach my sshd_config file.. here it is!


-- Forwarded message --
From: bluethundr bluethu...@gmail.com
Date: Sat, Jan 15, 2011 at 11:22 AM
Subject: keychain problem
To: CentOS mailing list centos@centos.org


hello centos.. I am having a very annoying problem on my network right
now. it looks like every time I try to add my ssh key to keychain I
have to issue a command just to get my ssh subsystem communicating
with the ssh-agent:

I have this line in my .bashrc file

$(keychain --eval --quick --quiet private_key1 private_key2 private_key3)

If I try to perform ssh-add I get the message:

[bluethundr@VIRTCENT01:~]#ssh-add
Could not open a connection to your authentication agent.

So then I try to execute ssh-agent:


bluethundr@amanda:~]#exec ssh-agent bash
 * Warning: can't find private_key1; skipping
 * Warning: can't find private_key2; skipping
 * Warning: can't find private_key3; skipping
bash: SSH_AUTH_SOCK=/tmp/ssh-cdJlgq6077/agent.6077;: No such file or directory

Then I can add it.

[bluethundr@amanda:~]#ssh-add
Enter passphrase for /home/bluethundr/.ssh/id_rsa:
Identity added: /home/bluethundr/.ssh/id_rsa (/home/bluethundr/.ssh/id_rsa)

But if I ssh away from this box and then ssh back INTO it.. and then
sometime later have to ssh away again it asks me for my ssh key's
passphrase. See what I mean by 'annoying problem'?

Thanks in advance for your help!



--
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B



-- 
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B


sshd_config
Description: Binary data
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] keychain problem

2011-01-15 Thread bluethundr
Hello and thanks for your reply!

 Well I took your advice and removed that keychain scriptlet from
.bashrc and put it into .bash_profile. Not sure what the functional
difference between the two would be. Perhaps you would care to
elaborate? I know that rc stands for resource configuration but
other than that I don't know why this statement would be more
appropriate in the .bash_profile. However you do seem well versed in
this and I hope you don't mind answering this question.

So this is what I put into my .bash_profile

$(keychain --eval --agents ssh id_rsa)

and here is an ssh session from after when I did this:

[bluethundr@LCENT01:~]#bash
[bluethundr@LCENT01:~]#ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-cBwwRR5466/agent.5466; export SSH_AUTH_SOCK;
SSH_AGENT_PID=5467; export SSH_AGENT_PID;
echo Agent pid 5467;
[bluethundr@LCENT01:~]#ssh-add
Could not open a connection to your authentication agent.
[bluethundr@LCENT01:~]#exec ssh-agent bash
[bluethundr@LCENT01:~]#ssh-add
Enter passphrase for /home/bluethundr/.ssh/id_rsa:
Identity added: /home/bluethundr/.ssh/id_rsa (/home/bluethundr/.ssh/id_rsa)

So this behavior did not change. I still have to enter my passphrase
again after I put this into my .bash_profile


[bluethundr@LCENT01:~]#ssh virt1
Last login: Sat Jan 15 11:51:08 2011 from 192.168.1.42
#
#   SUMMITNJHOME.COM#
#   TITLE:   LB1 BOX#
#   HOST:VIRTCENT01 #
#   LOCATION:SUMMIT BASEMENT#
#

 * keychain 2.7.0 ~ http://www.funtoo.org
 * Found existing ssh-agent: 27556
 * Adding 1 ssh key(s): /home/bluethundr/.ssh/id_rsa
Enter passphrase for /home/bluethundr/.ssh/id_rsa:
Bad passphrase, try again for /home/bluethundr/.ssh/id_rsa:
 * ssh-add: Identities added: /home/bluethundr/.ssh/id_rsa

This is new.. now I get prompted for the passphrase AGAIN once I reach
the server I am ssh'ing in to.

I should point out that I am operating from a shared NFS mounted home directory.


-bash: SSH_AUTH_SOCK=/tmp/ssh-Tqzln27555/agent.27555;: No such file or directory
[bluethundr@VIRTCENT01:~]#ssh virt2
ssh: connect to host virt2 port 22: No route to host
[bluethundr@VIRTCENT01:~]#ssh sum2
Enter passphrase for key '/home/bluethundr/.ssh/id_rsa':
Enter passphrase for key '/home/bluethundr/.ssh/id_rsa':
Last login: Sat Jan 15 10:54:51 2011 from 192.168.1.50
#
#   SUMMITNJHOME.COM#
#   TITLE:   SUM2 BOX   #
#   HOST:LCENT02#
#   LOCATION:SUMMIT BASEMENT#
#

 * keychain 2.7.0 ~ http://www.funtoo.org
 * Starting ssh-agent...
 * Adding 1 ssh key(s): /home/bluethundr/.ssh/id_rsa
Enter passphrase for /home/bluethundr/.ssh/id_rsa:
 * ssh-add: Identities added: /home/bluethundr/.ssh/id_rsa

-bash: SSH_AUTH_SOCK=/tmp/ssh-JGlcJj6111/agent.6111;: No such file or directory

Well it seems that I am still trying to figure this situation out. If
you have any further insight into what may be going on here I would
certainly appreciate your input.


On Sat, Jan 15, 2011 at 6:15 PM, Cameron Kerr came...@humbledown.org wrote:

 On 16/01/2011, at 11:56 AM, Cameron Kerr wrote:

 On 16/01/2011, at 5:22 AM, bluethundr wrote:

 I have this line in my .bashrc file

 $(keychain --eval --quick --quiet private_key1 private_key2 private_key3)

 Should not this go into your ~/.bash_profile?

 (disclaimer: I've not used the 'keychain' program before)


 According to the docs for keychain, it should look something more like the
 following:
 eval `keychain --eval --agents ssh id_dsa`
 The 'eval' at the start is probably more important than you think... I noted
 myself that the following are quite different in a bash script I was working
 on:
 $@
 eval $@
 (only the latter works, the former ended up not doing anything in a
 #!/bin/bash script)
 https://github.com/funtoo/keychain  and
 http://www.funtoo.org/en/security/keychain/intro/  for more information
 regarding keychain. You might also like adding    || exit 1   or similar to
 the 'eval' call, for debugging, as shown in the docs.

 ___
 CentOS mailing list
 CentOS@centos.org
 http://lists.centos.org/mailman/listinfo/centos





-- 
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] keychain problem

2011-01-15 Thread bluethundr
That's a great clarification for which I cannot thank you enough. I
will look up SSH Agent Forwarding and start getting the hang of it.
The centos list is a tremendous help for situations like these! :)

On Sun, Jan 16, 2011 at 12:22 AM, Cameron Kerr came...@humbledown.org wrote:

 On 16/01/2011, at 2:12 PM, bluethundr wrote:

 Hello and thanks for your reply!

 Well I took your advice and removed that keychain scriptlet from
 .bashrc and put it into .bash_profile. Not sure what the functional
 difference between the two would be. Perhaps you would care to
 elaborate? I know that rc stands for resource configuration but
 other than that I don't know why this statement would be more
 appropriate in the .bash_profile. However you do seem well versed in
 this and I hope you don't mind answering this question.


 .bash_profile is executed for login shells (followed by .bashrc).

 .bashrc is executed for non-login shells as well.

 .bash_profile should therefore be used for session setup tasks.

 So this is what I put into my .bash_profile

 $(keychain --eval --agents ssh id_rsa)

 and here is an ssh session from after when I did this:

 [bluethundr@LCENT01:~]#bash
 [bluethundr@LCENT01:~]#ssh-agent
 SSH_AUTH_SOCK=/tmp/ssh-cBwwRR5466/agent.5466; export SSH_AUTH_SOCK;
 SSH_AGENT_PID=5467; export SSH_AGENT_PID;

 Here you are not actually starting the ssh-agent in the background (which 
 explains why it is outputting environment variables). You should give it a 
 second parameter to tell it which program to launch.

 ssh-agent bash

 However, this will cause the parent shell to become redundant, so you want to 
 instead replace it with the shell that ssh-agent starts (that shell has the 
 environment variables set appropriately).

 exec ssh-agent bash

 Now when you use ssh-add, it should be able to see the agent.

 echo Agent pid 5467;
 [bluethundr@LCENT01:~]#ssh-add
 Could not open a connection to your authentication agent.
 [bluethundr@LCENT01:~]#exec ssh-agent bash
 [bluethundr@LCENT01:~]#ssh-add
 Enter passphrase for /home/bluethundr/.ssh/id_rsa:
 Identity added: /home/bluethundr/.ssh/id_rsa (/home/bluethundr/.ssh/id_rsa)

 So this behavior did not change. I still have to enter my passphrase
 again after I put this into my .bash_profile


 Of course. The passphrase is important because it encrypts the private key. 
 This, presumably, is why you are using the 'keychain' program, which is 
 typically used to have a key unlocked manually by a system administrator (eg. 
 after boot), so that cron jobs, etc, can access it.


 [bluethundr@LCENT01:~]#ssh virt1
 Last login: Sat Jan 15 11:51:08 2011 from 192.168.1.42
 #
 #               SUMMITNJHOME.COM                        #
 #               TITLE:       LB1 BOX                    #
 #               HOST:        VIRTCENT01                 #
 #               LOCATION:    SUMMIT BASEMENT            #
 #

 * keychain 2.7.0 ~ http://www.funtoo.org
 * Found existing ssh-agent: 27556
 * Adding 1 ssh key(s): /home/bluethundr/.ssh/id_rsa
 Enter passphrase for /home/bluethundr/.ssh/id_rsa:
 Bad passphrase, try again for /home/bluethundr/.ssh/id_rsa:
 * ssh-add: Identities added: /home/bluethundr/.ssh/id_rsa

 This is new.. now I get prompted for the passphrase AGAIN once I reach
 the server I am ssh'ing in to.

 This is why ssh-add (and presumably also 'keychain'), should NOT be included 
 in your ~/.bash_profile or ~/.bashrc (or similar).
 SSH Agent Forwarding is the correct way to approach this problem: it 
 generally increases system security (keys become easier to manage) and 
 reduces user support requirements.

 ___
 CentOS mailing list
 CentOS@centos.org
 http://lists.centos.org/mailman/listinfo/centos




-- 
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
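A worked illustration of the `eval` point Cameron makes above, added here and not part of the thread or of the keychain project. The `bash: SSH_AUTH_SOCK=/tmp/ssh-...;: No such file or directory` lines in Tim's transcripts are exactly what `$(keychain --eval ...)` on a line by itself produces: the shell runs the substituted output as a command name instead of executing it as shell code. The `fake_keychain_eval` function is a constructed stand-in that prints what keychain and `ssh-agent -s` print, so the demo runs with no agent; the other function names are my own.

```shell
#!/bin/sh
# Constructed stand-in for `keychain --eval ...`: prints the same kind of
# assignments the real program prints, so no agent is needed to run this.
fake_keychain_eval() {
    printf 'SSH_AUTH_SOCK=/tmp/ssh-demo4242/agent.4242; export SSH_AUTH_SOCK;\n'
    printf 'SSH_AGENT_PID=4243; export SSH_AGENT_PID;\n'
}

# The form used in the thread: `$(keychain --eval ...)` on a line of its own.
# The shell substitutes the output and then treats its first word,
# "SSH_AUTH_SOCK=/tmp/...;", as the command to run. No variable is set; bash
# says "No such file or directory" because the word contains a slash, and the
# status is 127. A subshell keeps the failure contained for the demo.
wrong_way() {
    ( $(fake_keychain_eval) ) 2>/dev/null
}

# The form the keychain docs use: eval re-parses the output as shell code,
# so the assignments and exports take effect in the current shell.
right_way() {
    eval "$(fake_keychain_eval)" || return 1
    [ -n "$SSH_AUTH_SOCK" ] && [ -n "$SSH_AGENT_PID" ]
}

# The kind of check "|| exit 1" is for: variables alone prove nothing, the
# socket they point at must exist. On the constructed path this fails.
agent_socket_usable() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Real use in ~/.bash_profile (login shells only), per the thread:
#   eval "$(keychain --eval --agents ssh id_rsa)" || echo "keychain failed" >&2
```

One caveat on the agent-forwarding advice that closes the thread: a forwarded agent lets root on the intermediate host sign with your key for as long as the session lasts, so enable it per host (`ForwardAgent yes` under a `Host` block in `~/.ssh/config`, or `ssh -A`) rather than globally.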


[CentOS] cron jobs fail to run

2011-01-05 Thread bluethundr
hey centos

 long time no hear! :) I'm having a small issue where the backup jobs
that I set to run in the crontab of the backup user do not appear to
be running. Here's how I set it up (with crontab -e as the backup
user):

run amanda every night (check at 2:45 and backup at 3)

45 2 * * * /usr/sbin/amcheck > /var/log/amanda/crontab/amcheck.log
* 3 * * * /usr/sbin/amdump > /var/log/amanda/crontab/amdump.log

The executables are where they are supposed to be and run if you type
them in on the command line:

[amandabac...@amanda ~]$ ls -l /usr/sbin/amcheck
-rwsr-x--- 1 root disk 68624 Dec 29 14:08 /usr/sbin/amcheck


[amandabac...@amanda ~]$ ls -l /usr/sbin/amdump
-rwxr-xr-x 1 amandabackup disk 9637 Dec 29 14:08 /usr/sbin/amdump

Although I'm not sure what the 's' indicates in the permissions of amcheck.


And here's a tail of the cron logs

[r...@amanda init.d]# tail /var/log/cron
Jan  5 07:01:01 newamanda crond[13612]: (root) CMD (run-parts /etc/cron.hourly)
Jan  5 07:17:09 newamanda crontab[13652]: (amandabackup) BEGIN EDIT
(amandabackup)
Jan  5 07:18:00 newamanda crontab[13652]: (amandabackup) REPLACE (amandabackup)
Jan  5 07:18:00 newamanda crontab[13652]: (amandabackup) END EDIT (amandabackup)
Jan  5 07:18:01 newamanda crond[1448]: (amandabackup) RELOAD (cron/amandabackup)
Jan  5 07:18:39 newamanda crond[13686]: (CRON) STARTUP (V5.0)
Jan  5 07:23:01 newamanda crontab[13699]: (amandabackup) BEGIN EDIT
(amandabackup)
Jan  5 07:23:47 newamanda crontab[13699]: (amandabackup) END EDIT (amandabackup)
Jan  5 07:25:38 newamanda crontab[13751]: (amandabackup) BEGIN EDIT
(amandabackup)
Jan  5 07:25:53 newamanda crontab[13751]: (amandabackup) END EDIT (amandabackup)

thanks in advance!


-- 
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] cron jobs fail to run

2011-01-05 Thread bluethundr
sorry forgot to mention that cron IS running

r...@amanda init.d]# ps -ef | grep cron
root     13686     1  0 07:18 ?        00:00:00 crond
root     13771  6676  0 07:34 pts/2    00:00:00 grep cron


On Wed, Jan 5, 2011 at 7:29 AM, bluethundr bluethu...@gmail.com wrote:
 hey centos

  long time no hear! :) I'm having a small issue where the backup jobs
 that I set to run in the crontab of the backup user do not appear to
 be running. Here's how I set it up (with crontab -e as the backup
 user):

 run amanda every night (check at 2:45 and backup at 3)

 45 2 * * * /usr/sbin/amcheck > /var/log/amanda/crontab/amcheck.log
 * 3 * * * /usr/sbin/amdump > /var/log/amanda/crontab/amdump.log

 The executables are where they are supposed to be and run if you type
 them in on the command line:

 [amandabac...@amanda ~]$ ls -l /usr/sbin/amcheck
 -rwsr-x--- 1 root disk 68624 Dec 29 14:08 /usr/sbin/amcheck


 [amandabac...@amanda ~]$ ls -l /usr/sbin/amdump
 -rwxr-xr-x 1 amandabackup disk 9637 Dec 29 14:08 /usr/sbin/amdump

 Although I'm not sure what the 's' indicates in the permissions of amcheck.


 And here's a tail of the cron logs

 [r...@amanda init.d]# tail /var/log/cron
 Jan  5 07:01:01 newamanda crond[13612]: (root) CMD (run-parts 
 /etc/cron.hourly)
 Jan  5 07:17:09 newamanda crontab[13652]: (amandabackup) BEGIN EDIT
 (amandabackup)
 Jan  5 07:18:00 newamanda crontab[13652]: (amandabackup) REPLACE 
 (amandabackup)
 Jan  5 07:18:00 newamanda crontab[13652]: (amandabackup) END EDIT 
 (amandabackup)
 Jan  5 07:18:01 newamanda crond[1448]: (amandabackup) RELOAD 
 (cron/amandabackup)
 Jan  5 07:18:39 newamanda crond[13686]: (CRON) STARTUP (V5.0)
 Jan  5 07:23:01 newamanda crontab[13699]: (amandabackup) BEGIN EDIT
 (amandabackup)
 Jan  5 07:23:47 newamanda crontab[13699]: (amandabackup) END EDIT 
 (amandabackup)
 Jan  5 07:25:38 newamanda crontab[13751]: (amandabackup) BEGIN EDIT
 (amandabackup)
 Jan  5 07:25:53 newamanda crontab[13751]: (amandabackup) END EDIT 
 (amandabackup)

 thanks in advance!


 --
 GPG me!!

 gpg --keyserver pgp.mit.edu --recv-keys F186197B




-- 
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
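Added for this thread (not from the post, cron or Amanda): a small schedule counter for the two crontab lines. The "backup at 3" line, `* 3 * * *`, fires every minute of the three o'clock hour, sixty amdump starts a night; `0 3 * * *` is the once-at-03:00 form. Two other things worth checking from the post: in `-rwsr-x---` the `s` in the owner-execute position is the setuid bit, so amcheck runs with root's privileges, and with group `disk` and no permissions for others only root and members of group `disk` may execute it, which the crontab's user must be; and cron records every job it launches as a `CMD (...)` line in /var/log/cron, like the root run-parts entry in the tail, so `(amandabackup) CMD` lines are the direct evidence of whether the jobs started. Function names below are my own.

```shell
#!/bin/sh
# cron_slots_per_day 'CRONTAB LINE' prints how many (minute,hour) slots the
# line fires in on a day its remaining fields match. It handles the forms
# cron(8) accepts in the first two fields: N, *, a-b, */n, a-b/n and comma
# lists (overlapping list members are counted separately). Only the first
# two fields are read; the rest of the line (the command) is ignored.
cron_slots_per_day() {
    printf '%s\n' "$1" | awk '
        function expand(field, lo, hi,    n, parts, i, p, step, a, b, k, count, sp, r) {
            count = 0
            n = split(field, parts, ",")
            for (i = 1; i <= n; i++) {
                p = parts[i]; step = 1
                if (p ~ /\//) { split(p, sp, "/"); p = sp[1]; step = sp[2] + 0 }
                if (step < 1) step = 1
                if (p == "*")      { a = lo; b = hi }
                else if (p ~ /-/)  { split(p, r, "-"); a = r[1] + 0; b = r[2] + 0 }
                else               { a = p + 0; b = a }
                for (k = a; k <= b; k += step) count++
            }
            return count
        }
        { print expand($1, 0, 59) * expand($2, 0, 23) }'
}

# Sanity check for a nightly job: 0 when the schedule fires exactly once a day.
cron_fires_once() {
    [ "$(cron_slots_per_day "$1")" -eq 1 ]
}

# Run against an installed crontab, one line at a time:
#   crontab -l -u amandabackup | grep -v '^#' | while read -r line; do
#       cron_fires_once "$line" || echo "fires $(cron_slots_per_day "$line")x/day: $line"
#   done
```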


[CentOS] happy new years ssh key problem :)

2010-12-31 Thread bluethundr
Hi List,

 Happy  New Years and I was hoping to get some help on an ssh issue
that I am having. For some reason I am unable to scp to hosts on this
network using RSA keys. Here is what I am doing/what is going on;

scp the public key to remote host

[amandabac...@virtcent18 ~]$ scp ~/.ssh/id_rsa_amdump.pub amandabac...@lb1:~
amandabac...@lb1's password:
id_rsa_amdump.pub
100%  408 0.4KB/s   00:00



ssh (w/passwd) to remote host


[amandabac...@virtcent18 ~]$ ssh lb1
amandabac...@lb1's password:
Last login: Fri Dec 31 10:57:05 2010 from 192.168.1.40
#
#   SUMMITNJHOME.COM#
#   TITLE:   LB1 BOX#
#   HOST:VIRTCENT01 #
#   LOCATION:SUMMIT BASEMENT#
#


check to see if the key exists in authorized_keys

[amandabac...@virtcent01 ~]$ grep -f id_rsa_amdump.pub ~/.ssh/authorized_keys


it didn't so cat it into authorized_keys

[amandabac...@virtcent01 ~]$ cat id_rsa_amdump.pub >> ~/.ssh/authorized_keys

check again, just to make sure that it's there

[amandabac...@virtcent01 ~]$ grep -f id_rsa_amdump.pub ~/.ssh/authorized_keys
ssh-rsa 
BlAB3Nza/FAKE-KEY-DATA--KEY-DATAKfMq4DDa0xaKb/FAKE-KEY-DATA--KEY-DATAsoqCu/boKNa/FAKE-KEY-DATA--KEY-DATAp1n9TcDtxm2XFHcOKUw2/14/bz1pWNDI/FAKE-KEY-DATA--KEY-DATAr9951JdK7Ny6lk/FAKE-KEY-DATA--KEY-DATA1/FAKE-KEY-DATA--KEY-DATAwh2dmgyxI9N69x3ypvWcGWShZw1BCJI06j5qIxvin99/FAKE-KEY-DATA--KEY-DATA

It is. so good so far. Check permissions on authorized_keys file

[amandabac...@virtcent01 ~]$ ls -l ~/.ssh/authorized_keys
-rw--- 1 amandabackup disk 408 Dec 31 11:02
/var/lib/amanda/.ssh/authorized_keys

make sure we have the right home environment

HOME=/var/lib/amanda

Also good. Now, make sure ssh is looking at the right file

[r...@virtcent01 ~]# grep -i authorizedkeysfile /etc/ssh/sshd_config
AuthorizedKeysFile   ~/.ssh/authorized_keys 

It is. Now exit and try to ssh in

[amandabac...@virtcent01 ~]$ exit
Connection to lb1 closed.


[amandabac...@virtcent18 ~]$ ssh -vvv amandabac...@lb1
OpenSSH_5.6p1lpk, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to lb1 [192.168.1.23] port 22.
debug1: Connection established.
debug1: identity file /var/lib/amanda/.ssh/id_rsa type -1
debug1: identity file /var/lib/amanda/.ssh/id_rsa-cert type -1
debug1: identity file /var/lib/amanda/.ssh/id_dsa type -1
debug1: identity file /var/lib/amanda/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit:
ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:

[CentOS] amanda backup ssh key

2010-12-30 Thread bluethundr
hello list,

 I am attempting to ssh via a user account setup for amanda backups
from the backup server to the test backup client. AFAIK everything is
setup correctly yet when I ssh as the user to the client I have to
type the password. the public key is in the authorized_keys file of
the client and permissions all seem correct.

 Here is a verbose output of the ssh session

[amandabac...@virtcent18 .ssh]$ ssh -vvv lb1
OpenSSH_5.6p1lpk, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to lb1 [192.168.1.23] port 22.
debug1: Connection established.
debug1: identity file /var/lib/amanda/.ssh/id_rsa type -1
debug1: identity file /var/lib/amanda/.ssh/id_rsa-cert type -1
debug1: identity file /var/lib/amanda/.ssh/id_dsa type -1
debug1: identity file /var/lib/amanda/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit:
ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server-client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client-server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(102410248192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 126/256
debug2: bits set: 514/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: host lb1 filename
/var/lib/amanda/.ssh/known_hosts
debug3: check_host_in_hostfile: host lb1 filename
/var/lib/amanda/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: host 192.168.1.23 filename
/var/lib/amanda/.ssh/known_hosts
debug3: check_host_in_hostfile: host 192.168.1.23 filename
/var/lib/amanda/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'lb1' is known and matches the RSA host key.
debug1: Found key in /var/lib/amanda/.ssh/known_hosts:1
debug2: bits set: 516/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /var/lib/amanda/.ssh/id_rsa ((nil))
debug2: key: /var/lib/amanda/.ssh/id_dsa ((nil))
debug1: Authentications that can continue:
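Two checks that cover what the two ssh-key posts above (the "happy new years" one and this one) verify by hand. This is example code added for the page, not from the posts or from OpenSSH; the function names are my own and the test directory it is meant to be tried on is constructed. Server side, it emulates what sshd checks under `StrictModes` before it will read `authorized_keys`. Client side, note what the debug log in both posts says: `identity file /var/lib/amanda/.ssh/id_rsa type -1` (and the same for `id_dsa`) means the client found no readable key at that path, so none of the default names exist, and the key the post copied over is named `id_rsa_amdump`, which ssh offers only with `-i` or an `IdentityFile` line in `~/.ssh/config`.

```shell
#!/bin/sh
# Return 0 when PATH is neither group- nor world-writable. Reads `ls -ld`
# (character 6 is the group write bit, character 9 the other write bit) so
# it needs no stat(1), whose flags differ between GNU and BSD.
not_group_or_world_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1
    case "$mode" in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# Owner of PATH, the third column of `ls -ld`.
owner_of() { ls -ld "$1" 2>/dev/null | awk '{ print $3 }'; }

# What sshd checks under StrictModes: the home directory, ~/.ssh and
# authorized_keys must be owned by the user (or root) and must not be
# writable by group or others. Prints the first failing path to stderr.
# $1 = home directory, $2 = user name as ls prints it
strict_modes_ok() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "missing: $p" >&2; return 1; fi
        o=$(owner_of "$p")
        if [ "$o" != "$2" ] && [ "$o" != root ]; then
            echo "bad owner $o: $p" >&2; return 1
        fi
        if ! not_group_or_world_writable "$p"; then
            echo "group/world writable: $p" >&2; return 1
        fi
    done
    return 0
}

# Client side: which of the default identity names the 5.x client tries
# (the two the posted log lists) actually exist under HOME/.ssh.
present_default_identities() {   # $1 = home directory
    for k in id_rsa id_dsa; do
        [ -f "$1/.ssh/$k" ] && printf '%s\n' "$k"
    done
    return 0
}

# On the hosts in the posts:
#   strict_modes_ok /var/lib/amanda amandabackup        # on lb1, as root
#   present_default_identities /var/lib/amanda          # on virtcent18
```

Run the server-side check as root on the target (it needs to read the home directory), and the client-side one as the connecting user.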

[CentOS] pam account lockout duration

2010-12-22 Thread bluethundr
hey list

 I'm doing a PCI audit for my company.  One of the requirements is to
specify a lockout duration of 30 minutes after 6 failed login
attempts:

 8.5.14 For a sample of system components, obtain and inspect system
configuration settings to verify that password parameters are set to
require that once a user account is locked out, it remains locked for a
minimum of 30 minutes or until a system administrator resets the account


 I'm pretty sure this is a pam thing but does anyone know how this can
best be achieved?

thanks!

-- 
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
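An added example for the question above, not from the post or from any of the projects named. On CentOS 5 and 6 the PAM module for this is `pam_tally2`, and a line such as `auth required pam_tally2.so deny=6 unlock_time=1800` placed before `pam_unix` in `/etc/pam.d/system-auth` (plus `account required pam_tally2.so`) expresses the requirement; later releases use `pam_faillock`, which takes the same `deny=` and `unlock_time=` options. The function below audits a PAM file for that policy, the kind of check an assessor's sample would be run through. The config fragments are constructed samples and the function name is my own.

```shell
#!/bin/sh
# Constructed fragment of /etc/pam.d/system-auth that meets "lock for at
# least 30 minutes after 6 failures", in pam_tally2 syntax.
sample_pam_config() {
cat <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally2.so deny=6 unlock_time=1800 onerr=fail
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so
EOF
}

# Constructed fragment that does not meet it (too many tries, too short a lock).
weak_pam_config() {
cat <<'EOF'
auth        required      pam_tally2.so deny=10 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
EOF
}

# lockout_policy_ok CONFIG_TEXT MAX_ATTEMPTS MIN_LOCK_SECONDS
# Returns 0 when some "auth" line loads pam_tally2 or pam_faillock with
# deny= no larger than MAX_ATTEMPTS and unlock_time= no smaller than
# MIN_LOCK_SECONDS. Both options must be written out: what a missing
# unlock_time means differs between the two modules, so the check does not
# guess. Control fields of the form [value=action] contain spaces, so the
# module name and its options are found by scanning every field rather than
# by column position. Options kept in /etc/security/faillock.conf on newer
# releases are not seen by this check.
lockout_policy_ok() {
    printf '%s\n' "$1" | awk -v max_tries="$2" -v min_lock="$3" '
        $1 == "auth" {
            mod = 0; deny = ""; unlock = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /pam_(tally2|faillock)\.so$/)  mod = 1
                else if ($i ~ /^deny=[0-9]+$/)        { split($i, a, "="); deny = a[2] + 0 }
                else if ($i ~ /^unlock_time=[0-9]+$/) { split($i, a, "="); unlock = a[2] + 0 }
            }
            pass = (mod && deny != "" && deny >= 1 && deny <= max_tries + 0)
            pass = (pass && unlock != "" && unlock >= min_lock + 0)
            if (pass) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# On a real host:
#   lockout_policy_ok "$(cat /etc/pam.d/system-auth)" 6 1800 && echo compliant
```

Two practical notes for CentOS: `system-auth` is usually a symlink to `system-auth-ac`, which `authconfig` regenerates, so local edits belong in a separate file with the symlink pointed at it; and a locked account is released early with `pam_tally2 --user NAME --reset`, which is the "administrator resets the account" path the requirement allows.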


[CentOS] cobbler fails to recognize semanage rules

2010-12-18 Thread bluethundr
I am having a bit of trouble setting up cobbler on this machine.



cobbler check points out a few things to correct:

[r...@virtcent04:~]#cobbler check
The following are potential configuration items that you may want to fix:

1 : you need to set some SELinux content rules to ensure cobbler
serves content correctly in your SELinux environment, run the
following: /usr/sbin/semanage fcontext -a -t public_content_t
/tftpboot/.* && /usr/sbin/semanage fcontext -a -t public_content_t
/var/www/cobbler/images/.*
2 : you need to set some SELinux rules if you want to use cobbler-web
(an optional package), run the following: /usr/sbin/semanage fcontext
-a -t httpd_sys_content_rw_t /var/lib/cobbler/webui_sessions/.*
3 : some network boot-loaders are missing from
/var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to
download them, or, if you only want to handle x86/x86_64 netbooting,
you may ensure that you have installed a *recent* version of the
syslinux package installed and can ignore this message entirely.
Files in this directory, should you want to support all architectures,
should include pxelinux.0, menu.c32, elilo.efi, and yaboot. The
'cobbler get-loaders' command is the easiest way to resolve these
requirements.
4 : since iptables may be running, ensure 69, 80, and 25151 are unblocked
5 : debmirror package is not installed, it will be required to manage
debian deployments and repositories
6 : The default password used by the sample templates for newly
installed machines (default_password_crypted in /etc/cobbler/settings)
is still set to 'cobbler' and should be changed, try: openssl passwd
-1 -salt 'random-phrase-here' 'your-password-here' to generate new
one

Restart cobblerd and then run 'cobbler sync' to apply changes.





I try to apply the first suggestion:

[r...@virtcent04:~]#/usr/sbin/semanage fcontext -a -t public_content_t
/tftpboot/.* && /usr/sbin/semanage fcontext -a -t public_content_t
/var/www/cobbler/images/.*
/usr/sbin/semanage: File context for /tftpboot/.* already defined

And the system points out that the rules are already defined by semanage.


the cobbler service restarts:

[r...@virtcent04:~]#service cobblerd restart
Stopping cobbler daemon:   [  OK  ]
Starting cobbler daemon:   [  OK  ]
[r...@virtcent04:~]#SERVING!


sync is fine


[r...@virtcent04:~]#cobbler sync
task started: 2010-12-18_105137_sync
task started (id=Sync, time=Sat Dec 18 10:51:37 2010)
running pre-sync triggers
cleaning trees
removing: /tftpboot/pxelinux.cfg/default
removing: /tftpboot/s390x/profile_list
copying bootloaders
copying: /usr/lib/syslinux/pxelinux.0 - /tftpboot/pxelinux.0
copying: /usr/lib/syslinux/menu.c32 - /tftpboot/menu.c32
copying: /boot/memtest86+-1.65 - /tftpboot/memtest86+-1.65
copying: /usr/lib/syslinux/memdisk - /tftpboot/memdisk
copying distros
copying images
generating PXE configuration files
rendering Rsync files
generating PXE menu structure
running post-sync triggers
*** TASK COMPLETE ***


Run cobbler check again:

[r...@virtcent04:~]#cobbler check
The following are potential configuration items that you may want to fix:

1 : you need to set some SELinux content rules to ensure cobbler
serves content correctly in your SELinux environment, run the
following: /usr/sbin/semanage fcontext -a -t public_content_t
/tftpboot/.*  /usr/sbin/semanage fcontext -a -t public_content_t
/var/www/cobbler/images/.*
2 : you need to set some SELinux rules if you want to use cobbler-web
(an optional package), run the following: /usr/sbin/semanage fcontext
-a -t httpd_sys_content_rw_t /var/lib/cobbler/webui_sessions/.*
3 : some network boot-loaders are missing from
/var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to
download them, or, if you only want to handle x86/x86_64 netbooting,
you may ensure that you have installed a *recent* version of the
syslinux package installed and can ignore this message entirely.
Files in this directory, should you want to support all architectures,
should include pxelinux.0, menu.c32, elilo.efi, and yaboot. The
'cobbler get-loaders' command is the easiest way to resolve these
requirements.
4 : since iptables may be running, ensure 69, 80, and 25151 are unblocked
5 : debmirror package is not installed, it will be required to manage
debian deployments and repositories
6 : The default password used by the sample templates for newly
installed machines (default_password_crypted in /etc/cobbler/settings)
is still set to 'cobbler' and should be changed, try: openssl passwd
-1 -salt 'random-phrase-here' 'your-password-here' to generate new
one

Restart cobblerd and then run 'cobbler sync' to apply changes.

same thing... what can I do to get beyond this infinite loop?
-- 
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
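Item 1 in the `cobbler check` output above conflates two steps that are worth keeping apart: `semanage fcontext -a` records a rule in the policy store, and `restorecon` is what applies that rule to files that already exist. The script below is an added example, not code from the thread or from cobbler: it checks the policy store for a rule before trying to add it, so the "already defined" error cannot abort a script, and then relabels the tree and shows the resulting label. The `semanage fcontext -l` listing embedded in it is a constructed sample; on a real host `ensure_fcontext` reads the live listing and needs root. Item 6 of the same output is the one not to defer: the sample templates still carry the hash of the default password `cobbler`, so machines installed from them get a known password until `default_password_crypted` is replaced.

```shell
#!/bin/sh
# Added example, not code from the thread or from cobbler: add an SELinux
# file-context rule only when it is missing, then relabel the files that
# already exist (semanage records the rule; restorecon applies it).

# Constructed sample of `semanage fcontext -l` output. Each line is:
#   <file spec>   <file type>   <SELinux context>
SAMPLE_FCONTEXT_LIST='/tftpboot/.*                          all files    system_u:object_r:public_content_t:s0
/var/www/cobbler/images/.*              all files    system_u:object_r:public_content_t:s0
/var/lib/cobbler/webui_sessions/.*      all files    system_u:object_r:httpd_sys_content_rw_t:s0'

# has_fcontext_rule LIST SPEC TYPE
#   exit 0 if LIST contains a rule for SPEC whose context carries TYPE, else 1.
#   The spec is compared as a literal string, so regex characters in it are fine.
has_fcontext_rule() {
    printf '%s\n' "$1" | awk -v spec="$2" -v type="$3" '
        $1 == spec && $NF ~ (":" type ":") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# ensure_fcontext SPEC TYPE PATH
#   Adds the rule to the policy store only if absent, then relabels PATH.
#   Needs semanage and restorecon (policycoreutils) and root; not run by the test.
ensure_fcontext() {
    spec=$1; type=$2; path=$3
    list=$(semanage fcontext -l)
    if has_fcontext_rule "$list" "$spec" "$type"; then
        echo "rule already present: $spec -> $type"
    else
        semanage fcontext -a -t "$type" "$spec"
    fi
    restorecon -Rv "$path"      # label the files that exist now
    ls -Zd "$path"              # show the resulting label for a quick check
}

# The two rules cobbler check asks for, as the calls would look on the host:
#   ensure_fcontext '/tftpboot/.*'               public_content_t /tftpboot
#   ensure_fcontext '/var/www/cobbler/images/.*' public_content_t /var/www/cobbler/images
```

If `ls -Zd` still shows a different type after `restorecon`, a more specific rule elsewhere in the policy store is winning; `semanage fcontext -l | grep tftpboot` lists every rule that can match the path.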


Re: [CentOS] heartbeat configuration for lb

2010-12-14 Thread bluethundr
Hey guys, thanks for the tip. I haven't had a chance to play with
heartbeat as we decided to go with keepalived as per Emmett's
suggestion. It works beautifully with two keepalived/haproxy load
balancers. I really appreciate Emmett's advice and sorry I didn't let
you know it was working sooner.

 At any rate, I was told to add a 3rd load balancer to the mix and
that adds a new wrinkle. I need to add a new keepalived instance and I
can't quite figure out how that's done.

 It would seem to me to be an issue of the priorities as that is the
only thing I altered in the files.  Initially, nodes A and B were set
to 101 and 100 respectively. I set node A to 102, node B to 101 and
node C to 100... keepalived restarts and the virtual IP is pingable.
But the website goes down! :(

 So then I tried node A set to 101, node B to 100 and node C to 99.
Same thing: I restarted keepalived and the site goes down, though the
virtual IP remains pingable and keepalived and haproxy are running.

Does anyone know how to address this issue?

Thanks!!

On Mon, Dec 13, 2010 at 3:04 AM, Juergen Gotteswinter j...@internetx.de wrote:
 Not 100% On Topic, but perhaps you should try keepalived for vrrp
 failover on Loadbalancers. Much more reliable, easier to setup and
 faster switch to the standby host

 keepalived.org


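A three-node keepalived layout for the situation described in the message above, as an added example (not configuration from the thread or from keepalived's own documentation). The VIP 192.168.1.200, the interface eth0 and the priorities 102/101/100 are taken from the message; the router id, the script interval and weight, the path of `killall` and the password placeholder are assumptions. Every node gets the same file except `state` and `priority`:

```conf
# /etc/keepalived/keepalived.conf on node A (priority 102).
# Nodes B and C use "state BACKUP" with priority 101 and 100.
# Everything else must be identical on all three nodes, or they will
# not form one VRRP group and two of them may both claim the VIP.

vrrp_script chk_haproxy {
    script "/usr/bin/killall -0 haproxy"   # exit 0 while haproxy is alive (path assumed)
    interval 2                             # seconds between checks
    weight 2                               # added to priority only while the check passes
}

vrrp_instance VI_1 {
    state MASTER                # BACKUP on nodes B and C
    interface eth0
    virtual_router_id 51        # assumed; same on all nodes, unique on the segment
    priority 102                # 101 on node B, 100 on node C
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass CHANGE_ME     # placeholder; at most 8 characters, sent in clear on the LAN
    }
    virtual_ipaddress {
        192.168.1.200/24 dev eth0
    }
    track_script {
        chk_haproxy
    }
}
```

With `weight 2`, a node whose haproxy has died advertises two less than a healthy peer, so the VIP moves even though keepalived itself is still running. Two checks before trusting this on a third node: haproxy on a node that is not holding the VIP can only bind to 192.168.1.200 if `net.ipv4.ip_nonlocal_bind=1` is set (or haproxy listens on 0.0.0.0), otherwise it fails to start on the backups and the site vanishes whenever the VIP moves; and because `auth_type PASS` offers no real protection, restrict who can take part in the election by listing the other two nodes in a `unicast_peer` block and by allowing IP protocol 112 (VRRP) only from those peers in iptables.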
[CentOS] heartbeat configuration for lb

2010-12-11 Thread bluethundr
hello list!

 I am attempting to setup haproxy using a shared IP I am trying to
setup using the heartbeat package that I currently have installed:

  [r...@virtcent01:~]#rpm -qa | grep heartbeat | grep -v -e stonith -e pils
heartbeat-2.1.4-11.el5
heartbeat-2.1.4-11.el5


I have /etc/ha.d/authkeys setup this way:

#
auth 2
#1 crc
2 sha1 {SHA}secret

I have /etc/ha.d/resources setup like this:

VIRTCENT01.summitnjhome.com 192.168.1.23

And I have /etc/ha.cf setup like this:

#       What UDP port to use for udp or ppp-udp communication?
#
udpport 694
bcast   eth0
mcast   eth0 225.0.0.1 694 1 0
ucast   eth0 192.168.1.200
#       What interfaces to heartbeat over?
udp     eth0
#
#       Facility to use for syslog()/logger (alternative to log/debugfile)
#
logfacility     local0
#
#       Tell what machines are in the cluster
#       node    nodename ...    -- must match uname -n
node    lb1.summitnjhome.com
node    lb2.summitnjhome.com


The service seems to start ok:

[r...@virtcent01:~]#service heartbeat restart
Stopping High-Availability services:
   [  OK  ]
Waiting to allow resource takeover to complete:
   [  OK  ]
Starting High-Availability services:
2010/12/11_22:03:55 INFO:  Resource is stopped
   [  OK  ]

(though I am unsure what that INFO notice about the resource being stopped means).

And I have verified that it is running with ps:

[r...@virtcent01:~]#ps auxwww | grep heartbeat
root      3646  0.1  4.6  12260 12256 ?        SLs  22:03   0:00 heartbeat: master control process
nobody    3648  0.0  2.1   5664  5660 ?        SL   22:03   0:00 heartbeat: FIFO reader
nobody    3649  0.0  2.1   5660  5656 ?        SL   22:03   0:00 heartbeat: write: bcast eth0
nobody    3650  0.0  2.1   5660  5656 ?        SL   22:03   0:00 heartbeat: read: bcast eth0
root      3653  0.0  0.2  61180   736 pts/1    S+   22:04   0:00 grep heartbeat


And verified that the box is listening on port 694 (the port that I
have set for heartbeat):


[r...@virtcent01:~]#netstat -tulpn | grep heartbeat
udp        0      0 0.0.0.0:694                 0.0.0.0:*                   3649/heartbeat: wri
udp        0      0 0.0.0.0:50550               0.0.0.0:*                   3649/heartbeat: wri

However although I have the port enabled in iptables:

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 694 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


An nmap scan does not see anything active on 694:

bluethu...@bluethundr-laptop:~$ sudo nmap -sT -A virt1

Starting Nmap 5.00 ( http://nmap.org ) at 2010-12-11 22:07 EST
Warning: Traceroute does not support idle or connect scan, disabling...
Interesting ports on 192.168.1.23:
Not shown: 997 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 5.6 (protocol 2.0)
|  ssh-hostkey: 1024 b0:gu:s (DSA)
|_ 2048 b0:gu:s (RSA)
80/tcp  closed http
631/tcp closed ipp
MAC Address: 00:16:36:22:92:70 (Quanta Computer)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.15 - 2.6.26
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect
results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.27 seconds



I am enclosing an archive of my /etc/ha.d directory in case this is of
use to anyone. I would certainly appreciate any help anyone could
provide!

Thanks!!


-- 
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B


ha.d.tar.gz
Description: GNU Zip compressed data


Re: [CentOS] heartbeat configuration for lb

2010-12-11 Thread bluethundr
Sorry I forgot to finish the story!!! :)

And the interface doesn't appear to be sharing the address:

[r...@virtcent01:~]#ip addr sh eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:16:36:22:92:70 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.23/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::216:36ff:fe22:9270/64 scope link
       valid_lft forever preferred_lft forever


And I can't ping the virtual address I had tried to setup using heartbeat:

[r...@virtcent01:~]#ping 192.168.1.200
PING 192.168.1.200 (192.168.1.200) 56(84) bytes of data.
From 192.168.1.23 icmp_seq=1 Destination Host Unreachable
From 192.168.1.23 icmp_seq=2 Destination Host Unreachable
From 192.168.1.23 icmp_seq=3 Destination Host Unreachable

thanks again!!!



-- 
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B


[CentOS] rpm dependencies

2010-11-29 Thread bluethundr
 I have successfully created a packaged version of openssh that has
the LPK patch.  LPK allows you to store your public keys in LDAP.
However when I go to install the package I created it complains about
dependencies:

[r...@virtcent13:/home/bluethundr/rpm]#rpm -Uvh openssh-5.6p1-1.i386.rpm
error: Failed dependencies:
        openssh = 5.5p1-1.el5 is needed by (installed) openssh-clients-5.5p1-1.el5.i386
        openssh = 5.5p1-1.el5 is needed by (installed) openssh-server-5.5p1-1.el5.i386

 how can I get past this?

thanks!!


-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3


Re: [CentOS] rpm dependencies

2010-11-29 Thread bluethundr
Sounds great guys!! on it!!! :)

On Mon, Nov 29, 2010 at 11:55 AM, Robert Heller hel...@deepsoft.com wrote:
 At Mon, 29 Nov 2010 11:23:03 -0500 CentOS mailing list centos@centos.org 
 wrote:


  I have successfully created a packaged version of openssh that has
 the LPK patch.  LPK allows you to store your public keys in LDAP.
 However when I go to install the package I created it complains about
 dependencies:

 [r...@virtcent13:/home/bluethundr/rpm]#rpm -Uvh openssh-5.6p1-1.i386.rpm
 error: Failed dependencies:
       openssh = 5.5p1-1.el5 is needed by (installed) 
 openssh-clients-5.5p1-1.el5.i386
       openssh = 5.5p1-1.el5 is needed by (installed) 
 openssh-server-5.5p1-1.el5.i386

  how can I get past this?

 Get the spec file from the stock openssh SRPM and use that as a guide
 to create a spec file for openssh-5.6p1 that will create the
 openssh-clients and openssh-server sub-packages and then re-build it
 again.  Now you can upgrade the three packages
 openssh-5.6p1-1.i386.rpm, openssh-clients-5.6p1-1.i386.rpm and
 openssh-server-5.6p1-1.i386.rpm.


 thanks!!



 --
 Robert Heller             -- 978-544-6933 / hel...@deepsoft.com
 Deepwoods Software        -- http://www.deepsoft.com/
 ()  ascii ribbon campaign -- against html e-mail
 /\  www.asciiribbon.org   -- against proprietary attachments







-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3


Re: [CentOS] rpm dependencies

2010-11-29 Thread bluethundr
Hey list,

 I actually got the spec for openssh-lpk to build... however for some
reason at this point it is ONLY building SRPMs... no idea why yet but
I am plugging away at this.. I could use a spare set of eyes on this
if you can spare them...

 spec file is enclosed...


thanks!!


-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
%define ver 5.6p1
%define rel 7

# OpenSSH privilege separation requires a user & group ID
%define sshd_uid 74
%define sshd_gid 74

# Version of ssh-askpass
%define aversion 1.2.4.1

# Do we want to disable building of x11-askpass? (1=yes 0=no)
%define no_x11_askpass 0

# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%define no_gnome_askpass 0

# Do we want to link against a static libcrypto? (1=yes 0=no)
%define static_libcrypto 0

# Do we want smartcard support (1=yes 0=no)
%define scard 0

# Use GTK2 instead of GNOME in gnome-ssh-askpass
%define gtk2 1

# Is this build for RHL 6.x?
%define build6x 0

# Do we want kerberos5 support (1=yes 0=no)
%define kerberos5 1

# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_x11_askpass:%define no_x11_askpass 1}
%{?skip_gnome_askpass:%define no_gnome_askpass 1}

# Is this a build for RHL 6.x or earlier?
%{?build_6x:%define build6x 1}

# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
%if %{build6x}
%define _sysconfdir /etc
%endif

# Options for static OpenSSL link:
# rpm -ba|--rebuild --define static_openssl 1
%{?static_openssl:%define static_libcrypto 1}

# Options for Smartcard support: (needs libsectok and openssl-engine)
# rpm -ba|--rebuild --define smartcard 1
%{?smartcard:%define scard 1}

# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
%define rescue 0
%{?build_rescue:%define rescue 1}

# Turn off some stuff for rescue builds
%if %{rescue}
%define kerberos5 0
%endif

Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
Name: openssh
Version: %{ver}
%if %{rescue}
Release: %{rel}rescue
%else
Release: %{rel}
%endif
URL: http://www.openssh.com/portable.html
Source0: openssh-5.6p1.tar.gz
Source1: http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
Patch0: contrib-openssh-lpk-5.6p1-0.3.13.patch
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
Obsoletes: ssh
%if %{build6x}
PreReq: initscripts >= 5.00
%else
PreReq: initscripts >= 5.20
%endif
BuildPreReq: perl, openssl-devel, tcp_wrappers, openssl, zlib-devel, openldap-devel, openssl-devel, pam-devel
BuildPreReq: /bin/login
%if ! %{build6x}
BuildPreReq: glibc-devel, pam
%else
BuildPreReq: /usr/include/security/pam_appl.h
%endif

%if ! %{no_gnome_askpass}
BuildPreReq: pkgconfig
%endif


%package clients
Summary: OpenSSH clients.
Requires: openssh = %{version}-%{release}
Group: Applications/Internet
Obsoletes: ssh-clients

%package server
Summary: The OpenSSH server daemon.
Group: System Environment/Daemons
Obsoletes: ssh-server
PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9
%if ! %{build6x}
Requires: /etc/pam.d/system-auth
%endif

%package askpass
Summary: A passphrase dialog for OpenSSH and X.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras

%package askpass-gnome
Summary: A passphrase

Re: [CentOS] rpm dependencies

2010-11-29 Thread bluethundr
Using this command (sorry, I forgot to include that):

[make...@virtcent15 SPECS]$ rpmbuild -ba openssh-lpk.spec


and here's the tail end of the output:

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

+ exit 0
Checking for unpackaged file(s): /usr/lib/rpm/check-files
/var/tmp/openssh-5.6p1-buildroot
Wrote: /home/makerpm/rpmbuild/SRPMS/openssh-5.6p1-7.src.rpm


thanks!



-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3


Re: [CentOS] can't use godaddy SSL cert

2010-11-28 Thread bluethundr
=0x8eb62e8 ptr=0x8eb62ed end=0x8eb6307 len=26
  :  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.
  0010:  31 34 36 36 2e 32 30 30  33 37 1466.20037
ber_dump: buf=0x8eb7678 ptr=0x8eb7678 end=0x8eb7684 len=12
  :  02 01 01 78 07 0a 01 00  04 00 04 00   ...x
ber_dump: buf=0x8eb7678 ptr=0x8eb767b end=0x8eb7684 len=9
  :  78 07 0a 01 00 04 00 04  00x
request done: ld 0x8ead530 msgid 1
ber_dump: buf=0x8eb7678 ptr=0x8eb767b end=0x8eb7684 len=9
  :  78 07 0a 01 00 04 00 04  00x
ber_dump: buf=0x8eb7678 ptr=0x8eb767b end=0x8eb7684 len=9
  :  78 07 0a 01 00 04 00 04  00x
ber_dump: buf=0x8eb7678 ptr=0x8eb7684 end=0x8eb7684 len=0

TLS certificate verification: Error, unable to get local issuer certificate
TLS: can't connect.
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Enter LDAP Password:
ldap_build_search_req ATTRS:
supportedSASLMechanisms
ber_dump: buf=0x8f1e6a0 ptr=0x8f1e6a0 end=0x8f1e6e0 len=64
  :  30 3e 02 01 02 63 39 04  00 0a 01 00 0a 01 00 02   0...c9.
  0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..object
  0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support
  0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms
ber_dump: buf=0x8f1e6a0 ptr=0x8f1e6a5 end=0x8f1e6e0 len=59
  :  63 39 04 00 0a 01 00 0a  01 00 02 01 00 02 01 00   c9..
  0010:  01 01 00 87 0b 6f 62 6a  65 63 74 63 6c 61 73 73   .objectclass
  0020:  30 19 04 17 73 75 70 70  6f 72 74 65 64 53 41 53   0...supportedSAS
  0030:  4c 4d 65 63 68 61 6e 69  73 6d 73  LMechanisms
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


I am including the output of a -d -1 as an attachment for those that
are still curious because the output of that command is quite long. :)

When I issue getent commands for passwd and group it hangs forever
when it tries to access information from ldap:

[r...@vircent03:~]#getent passwd | grep ldapAccount

[r...@vircent03:~]#getent group | grep ldapAccount

However if I remove TLS from the equation with the -x flag everything
starts working again:

[r...@vircent03:~]#ldapsearch -x -h ldap -b dc=summitnjhome,dc=com
-D cn=Manager,dc=summitnjhome,dc=com -w localG30rg3T0wn
(objectclass=sudoRole)
# extended LDIF
#
# LDAPv3
# base dc=summitnjhome,dc=com with scope subtree
# filter: (objectclass=sudoRole)
# requesting: ALL
#

# defaults, sudoers, Services, summitnjhome.com
dn: cn=defaults,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here

# %wheel, sudoers, Services, summitnjhome.com
dn: cn=%wheel,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoUser: %wheel
sudoUser: bluethundr

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2



That's all I have for now. Sincere thanks to all those who have
provided input. I'll keep pounding away at this and hopefully figure
this out today.

Best regards!!!

On Thu, Nov 25, 2010 at 1:25 PM,  cpol...@surewest.net wrote:
 bluethundr wrote:
 I have setup the certificate chain in my slapd.conf like so:

 TLSCACertificateFile  /usr/local/etc/openldap/cacerts/sf_issuing.crt

 I don't see where you say which directory these are stored in:

 -rw-r--r--  1 root  bluethundr  2604 Nov 25 11:37 ca_bundle.crt
 -r--r-  1 root  ldap        4604 Nov 24 18:57 gd_bundle.crt
 -r--r-  1 root  ldap        1537 Nov 25 02:00 sf_issuing.crt

 [r...@lcent01:/tmp/Foswiki-1.1.2]#openssl s_client -connect
 ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
 13730:error:02001002:system library:fopen:No such file or
 directory:bss_file.c:122:fopen('sf_issuing.crt','r')

 It looks like the expected directory is not the one being
 used. Perhaps try use this invocation:

 openssl s_client -connect ldap.example.com:389 -showcerts -CAfile 
 /path/to/sf_issuing.crt

 Best regards,
 --
 Charles Polisher





-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
[r...@vircent03:~]#ldapsearch -h ldap -b dc=summitnjhome,dc=com -d -1 -Z -D 
cn=Manager,dc=summitnjhome,dc=com (objectclass=sudoRole) -W
ldap_create
ldap_url_parse_ext(ldap://ldap)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap:389
ldap_new_socket: 3
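The `certificate verify failed` / `unable to get local issuer certificate` pair in the output above is OpenSSL's generic symptom of a chain that stops one link short: the server certificate was issued by an intermediate CA, and the verifier finds that intermediate neither among its trusted certificates nor in what the server sent. The script below is an added example, not code from the thread: it builds a throwaway root -> intermediate -> server chain with the openssl CLI and shows the two layouts that verify, the intermediate bundled with the root in the file given to `-CAfile` (the role `TLSCACertificateFile` plays for ldapsearch and slapd), or the intermediate supplied separately with `-untrusted`, which models a server that sends its own chain. All names, including the `ldap.example.com` CN, are constructed; the `-starttls ldap` option in the comment needs OpenSSL 1.1.1 or newer. Two further points from this thread: `ldapsearch -x ... -w <password>` exposes the Manager bind password in the process list and the shell history, where `-W` or `-y passwordfile` does not; and the `-x` fallback only "works" because it drops TLS entirely, so it is a diagnostic, not a fix.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce and then resolve
# "unable to get local issuer certificate" with a throwaway PKI.
# Every name below is constructed. Needs the openssl CLI.

# make_demo_pki DIR: writes root.crt, inter.crt, srv.crt and bundle.crt into DIR
make_demo_pki() {
    dir=$1
    # Both the root and the intermediate must be marked as CAs
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"

    # Self-signed root CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

    # Intermediate CA signed by the root (the role sf_issuing.crt plays in the thread)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/inter.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
        -out "$dir/inter.crt" 2>/dev/null

    # Server certificate signed by the intermediate only
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.com" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/inter.crt" \
        -CAkey "$dir/inter.key" -CAcreateserial -out "$dir/srv.crt" 2>/dev/null

    # What a client ships as its CA file: intermediate(s) first, then the root
    cat "$dir/inter.crt" "$dir/root.crt" > "$dir/bundle.crt"
}

# verify_with DIR CAFILE: exit 0 when srv.crt chains to a CA found in CAFILE
verify_with() {
    openssl verify -CAfile "$2" "$1/srv.crt" >/dev/null 2>&1
}

# verify_with_untrusted DIR: exit 0 when only the root is trusted and the
# intermediate arrives as an untrusted chain element, as a server would send it
verify_with_untrusted() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" "$1/srv.crt" >/dev/null 2>&1
}

# demo: human-readable run of the three cases
demo() {
    dir=$(mktemp -d)
    make_demo_pki "$dir"
    echo "root only:         $(openssl verify -CAfile "$dir/root.crt" "$dir/srv.crt" 2>&1 | tail -1)"
    echo "root + -untrusted: $(verify_with_untrusted "$dir" && echo OK || echo FAIL)"
    echo "bundle:            $(verify_with "$dir" "$dir/bundle.crt" && echo OK || echo FAIL)"
    # Against a live directory server (STARTTLS on 389):
    #   openssl s_client -connect ldap.example.com:389 -starttls ldap \
    #       -CAfile "$dir/bundle.crt" </dev/null
    rm -rf "$dir"
}
```

Which of the two working layouts applies depends on what the server sends: if `openssl s_client -showcerts` shows only the leaf certificate, the client's CA file has to carry the intermediate itself, which is what a GoDaddy bundle file is for.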

[CentOS] ssh-agent fails to hold values

2010-11-28 Thread bluethundr
Hello list

I am attempting to manage my key logins with ssh-agent. However EVERY
time I try to ssh I have to go through the same exact routine and it's
getting a little old...

[bluethu...@lcent01:~]#ssh sum3
Enter passphrase for key '/home/bluethundr/.ssh/id_rsa':

[bluethu...@lcent01:~]#exec ssh-agent bash
[bluethu...@lcent01:~]#ssh-add
Enter passphrase for /home/bluethundr/.ssh/id_rsa:
Identity added: /home/bluethundr/.ssh/id_rsa (/home/bluethundr/.ssh/id_rsa)
[bluethu...@lcent01:~]#ssh sum3
Last login: Sun Nov 28 14:32:34 2010 from localhost.localdomain
#########################################################
#               SUMMITNJHOME.COM                        #
#               TITLE:       LCENT03 BOX                #
#               LOCATION:    SUMMIT BASEMENT            #
#                                                       #
#########################################################
[bluethu...@lcent03:~]#


Does anyone have any suggestions to make ssh-agent hold these values a
bit more persistently?

thanks!!



-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3


Re: [CentOS] ssh-agent fails to hold values

2010-11-28 Thread bluethundr
That DID it!!! thanks and I agree.. god? root? what's the difference!! :)

On Sun, Nov 28, 2010 at 4:41 PM, Ron Loftin relof...@twcny.rr.com wrote:

 I'm not sure if this will help, but I use the keychain package from
 RPMForge, and it takes most of the pain out of dealing with SSH keys.


 thanks!!



 --
 Ron Loftin                      relof...@twcny.rr.com

 God, root, what is difference ?       Piter from UserFriendly







[CentOS] can't use godaddy SSL cert

2010-11-25 Thread bluethundr
Hey list,

 I was having a similar SSL/openLDAP problem to this last week. I had
a chance to look at this again today and it still appears to not be
working. I called godaddy and had the last cert cancelled and reissued
as I had mis-typed the name of the CN on the last one.

 I am trying to setup a Godaddy turbo SSL certificate with an openLDAP
2.4 server under FreeBSD 8.1. The clients are mainly a network of
virtual CentOS 5.5 instances.

[r...@lbsd2:/usr/home/bluethundr]#pkg_info | grep openldap
openldap-sasl-client-2.4.23 Open source LDAP client implementation
with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation



I have setup the certificate chain in my slapd.conf like so:

[r...@lbsd2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile  /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
TLSCACertificateFile  /usr/local/etc/openldap/cacerts/sf_issuing.crt

I have tried each of the following certs with no luck in getting my
cert to talk to its CA:

-rw-r--r--  1 root  bluethundr  2604 Nov 25 11:37 ca_bundle.crt
-r--r-  1 root  ldap  4604 Nov 24 18:57 gd_bundle.crt
-r--r-  1 root  ldap  1537 Nov 25 02:00 sf_issuing.crt


and I get the same result for each when I attempt to connect to SSL on
the LDAP server:

[r...@lcent01:/tmp/Foswiki-1.1.2]#openssl s_client -connect
ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
13730:error:02001002:system library:fopen:No such file or
directory:bss_file.c:122:fopen('sf_issuing.crt','r')
13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
13730:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(0003)
13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:


ldapsearch -h ldap.example.com -d -1 -ZZ dc=example,dc=com

TLS certificate verification: depth: 0, err: 20, subject:
/O=LBSD2.summitnjhome.com/OU=Domain Control
Validated/CN=LBSD2.summitnjhome.com, issuer:
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
Certification Authority/serialNumber=07969287
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
  :  15 03 01 00 02 02 30   ..0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

It seems to indicate that it can't talk to its CA...

does anyone have any suggestions on how to make this work?

thanks!



[CentOS] LDAP clients fail to connect with SSL enabled

2010-11-21 Thread bluethundr
I am attempting to setup SSL/TLS support on my openLDAP 2.4 server on FreeBSD.

LBSD2# pkg_info | grep openldap
openldap-sasl-client-2.4.23 Open source LDAP client implementation
with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation

I put my cert file, key file and CA certfile in a directory called
/usr/local/etc/openldap/cacerts

Here's how it looks:

[r...@lbsd2:/usr/local/etc/openldap/cacerts]#ls -l
total 48
dr--r-  2 root  ldap   512 Nov 21 17:12 bak
-r--r-  1 root  ldap  1960 Nov 21 07:05 bsd2.summitnjhome.com.crt
-r--r-  1 root  ldap  4604 Nov 21 17:16 gd_bundle.crt
-r--r-  1 root  ldap  4689 Nov 21 18:59 sf_bundle.crt
-r--r-  1 root  ldap  1537 Nov 21 17:16 sf_issuing.crt
-r--r-  1 root  ldap  1090 Nov 21 12:29 slapd.csr
-r--r-  1 root  ldap  1743 Nov 21 12:26 slapd.key
-r--r-  1 root  ldap  1675 Nov 21 17:25 slapd.pem


My cert file is a GoDaddy turbo-ssl certfile named
bsd2.summitnjhome.com.crt. slapd.key is the key file and slapd.pem is
the same thing only with the password removed.

I'm a little unsure of which CA file to use but I think that
sf_issuing.crt _should_ work as this is the CA file that I used to
setup a similar SSL enabled LDAP server for a client recently.
Although I have tried all three CA files in this directory:
(gd_bundle.crt, sf_bundle.crt, and sf_issuing.crt).

I put the various cert/key files into my slapd.conf file like this:

LBSD2# cat slapd.conf | grep -i tls
## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile  /usr/local/etc/openldap/cacerts/bsd2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
TLSCACertificateFile  /usr/local/etc/openldap/cacerts/sf_issuing.crt


Slapd restarts cleanly!

LBSD2# /usr/local/etc/rc.d/slapd restart
Stopping slapd.
Waiting for PIDS: 81924.
Starting slapd.


Then I attempt to setup a virtual instance of CentOS 5.5 on the client
side and that's where things fall apart...I attempt to ssh to
localhost as an LDAP account:

[r...@virtcent08:/etc/openldap/cacerts]#ssh bluethu...@localhost

[...tectonic plates drift, careers begin and end, babies learn to
walk, talk and grow to adulthood..]

Connection closed by 127.0.0.1

[r...@virtcent08:/etc/openldap/cacerts]#getent passwd | grep ldapAccount
[same interminable wait as above]


This is what my /etc/ldap.conf file looks like on the client:

[r...@virtcent08:/etc/openldap/cacerts]#cat /etc/ldap.conf
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1
# The distinguished name of the search base.
base dc=summitnjhome,dc=com
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com
# The port.
# Optional: default is 389.
#port 389
# Search timelimit
#timelimit 30
timelimit 120
# Bind/connect timelimit
#bind_timelimit 30
bind_timelimit 120
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 3600
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is no, for 2.1 and later is yes.
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is yes
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
uri ldap://ldap.summitnjhome.com/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password crypt

This is how my nsswitch on the client side is setup:

passwd: files ldap
shadow: files ldap
group:  files ldap

And here is the cert dir on my CentOS client:

[r...@virtcent08:/etc/openldap/cacerts]#ls -l
total 72
lrwxrwxrwx 1 root root   13 Nov 21 09:44 97552d04.0 -> gd_bundle.crt
lrwxrwxrwx 1 root root   14 Nov 21 09:44 b737b221.0 -> sf_issuing.crt
dr--r--r-- 2 root root 4096 Nov 21  2010 bak
-r--r--r-- 1 root root 1960 Nov 21 07:05 bsd2.summitnjhome.com.crt
lrwxrwxrwx 1 root root   25 Nov 21 09:44 c75be861.0 -> bsd2.summitnjhome.com.crt
-r--r--r-- 1 root root 4604 Nov 21  2010 gd_bundle.crt
-r--r--r-- 1 root root 1537 Nov 21  2010 
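The failures in these two threads ("error 20 at 0 depth lookup: unable to get local issuer certificate") come from a chain that cannot be walked from the server certificate up to a trusted root. The following is an added example, not code from the thread, that builds a throw-away root CA, issuing CA and server certificate with the openssl CLI and shows which trust file, and which hashed tls_cacertdir, lets openssl verify succeed; all names ("Demo root", "Demo issuing", "Demo server") and paths are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the chain-verification failure
# with a throw-away root CA -> issuing CA -> server cert, then see which
# trust file or hashed directory makes verification pass. All names are
# constructed; needs the openssl CLI (1.1.1 or later) and GNU coreutils.
set -u

# Build the three certificates under absolute directory $1.
make_demo_pki() {
  d=$1; mkdir -p "$d" || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' >"$d/ca.ext"
  for n in root issuing server; do   # unencrypted key + CSR for each
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1 || return 1
  done
  openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -in "$d/issuing.csr" -CA "$d/root.crt" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
    -out "$d/issuing.crt" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/issuing.crt" \
    -CAkey "$d/issuing.key" -CAcreateserial -out "$d/server.crt" \
    >/dev/null 2>&1 || return 1
  # gd_bundle-style file: issuing CA first, then the root it chains to.
  cat "$d/issuing.crt" "$d/root.crt" >"$d/bundle.crt"
}

# Verify cert $2 against trust file $1 (the TLSCACertificateFile role).
# Prints OK, or the X509 error number: 20 = "unable to get local issuer
# certificate", the error in the ldapsearch trace above.
verify_with() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  case $out in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

# Populate a tls_cacertdir the way the client's hashed links above
# (97552d04.0 -> gd_bundle.crt) do: each file (absolute path) is linked
# under the subject hash of the first certificate it contains.
link_by_hash() {
  d=$1; shift
  for f in "$@"; do
    h=$(openssl x509 -noout -hash -in "$f") || return 1
    ln -sf "$f" "$d/$h.0"
  done
}

# Verify cert $2 against hashed directory $1 (the tls_cacertdir role).
verify_with_dir() {
  openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$' && echo OK || echo FAIL
}
```

Trusting only the root reproduces error 20 (the issuing CA is missing), trusting only the issuing certificate fails as well because the chain cannot reach a self-signed root, and a bundle or a directory holding both passes.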

[CentOS] ssh prompting for password

2010-11-16 Thread bluethundr
hello list

I have a network mounted home directory shared between all hosts on my network:

[bluethu...@lcent03:~]#df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
  140G  4.4G  128G   4% /
/dev/sda1  99M   35M   60M  37% /boot
tmpfs 1.6G 0  1.6G   0% /dev/shm
nas.summitnjhome.com:/mnt/nas
  903G  265G  566G  32% /mnt/nas
nas2.summitnjhome.com:/mnt/store
  1.4T  187G  1.1T  15% /mnt/store
nas2.summitnjhome.com:/mnt/home
  903G   47G  784G   6% /home
none  1.6G  136K  1.6G   1% /var/lib/xenstored

So therefore my RSA key should already be in my authorized_keys on any
host. However logging into the virtual network, I always get prompted
for a password. just for the heck of it, I scp'd the key over again to
one of the virtual hosts:


[bluethu...@lcent03:~]#scp .ssh/id_rsa.pub virt1:~
bluethu...@virt1's password:
id_rsa.pub
   100%  381 0.4KB/s   00:00

ssh'd in:

[bluethu...@lcent03:~]#ssh virt1
bluethu...@virt1's password:
Last login: Tue Nov 16 15:57:24 2010 from 192.168.1.46

Searched for the key on the host I just ssh'd into:


[bluethu...@virtcent01:~]#grep -f id_rsa.pub .ssh/authorized_keys
ssh-rsa B3NzaC1yc2EBI-FAKE-DATA-dgjIWxnyplIYKE5IQw9FY2+IVsYw==

As you can see, it's already there.. I then checked the modes on
authorized_keys:

[bluethu...@virtcent01:~]#ls -l .ssh/authorized_keys
-rw--- 1 1001 1002 1597 Nov 15 12:02 .ssh/authorized_keys

And checked that I was using the same shared network mounted home
directory from the machine I just ssh'd in from:


[bluethu...@virtcent01:~]#df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
  9.1G  1.8G  6.9G  21% /
/dev/xvda1 99M   20M   75M  21% /boot
tmpfs 129M 0  129M   0% /dev/shm
nas.summitnjhome.com:/mnt/nas
  903G  265G  566G  32% /mnt/nas
nas2.summitnjhome.com:/mnt/store
  1.4T  187G  1.1T  15% /mnt/store
nas2.summitnjhome.com:/mnt/home
  903G   47G  784G   6% /home
[bluethu...@virtcent01:~]#


Considering that this key is internal network only and doesn't have a
passphrase set (it does not traverse internet boundaries) why on earth
am I being prompted for a password whenever I ssh into this machine?

thanks!
-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9

Share and enjoy!!
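When a key is present in authorized_keys but the server still asks for a password, the first thing to rule out on the server side is sshd's StrictModes check, which ignores the file when the home directory, .ssh or the file itself has the wrong owner or is group- or world-writable. The following is an added example, not code from the thread, that applies the same checks; the function name and arguments are mine, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the thread): apply the checks sshd makes with
# StrictModes (its default) before it will use ~/.ssh/authorized_keys, so a
# key that is present but still ignored can be explained on the server side.
# Assumes GNU stat; $2 (home directory) defaults to the passwd entry.
set -u

# check_authorized_keys LOGIN [HOME]: print one line per failed check and
# return 1 if any failed. sshd accepts a path owned by the login user or by
# root and rejects one that is group- or world-writable. Owners are compared
# by uid, so a file owned by a uid this host cannot map to the login name
# (ls then prints a bare number, as in the listing above) is a bad owner.
check_authorized_keys() {
  user=$1
  home=${2:-$(getent passwd "$user" | cut -d: -f6)}
  uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user"; return 1; }
  rc=0
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$p" ]; then echo "missing: $p"; rc=1; continue; fi
    set -- $(stat -c '%u %a' "$p")     # owner uid, permission bits (octal)
    if [ "$1" != "$uid" ] && [ "$1" != 0 ]; then
      echo "bad owner on $p: uid $1, but $user is uid $uid"; rc=1
    fi
    # 022 masks the group-write and other-write bits
    if [ $(( 0$2 & 022 )) -ne 0 ]; then
      echo "group- or world-writable: $p (mode $2)"; rc=1
    fi
  done
  return $rc
}
```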


[CentOS] can't find ldapsearch

2010-11-13 Thread bluethundr
hello list

I'm having a very strange problem with my centos 5.5 system. For some
strange reason, this machine cannot find ldapsearch:

[r...@virtcent13 ~]# ldapsearch
ldapsearch: Command not found.


[r...@virtcent13 ~]# whereis ldapsearch
ldapsearch: /usr/bin/ldapsearch /usr/share/man/man1/ldapsearch.1.gz

ldapsearch currently lives at /usr/bin along with a lot of other
really very useful tools.


/usr/bin is also _clearly_ on my root path:

[r...@virtcent13 ~]# echo $PATH
/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin

And here are the permissions and modes for this tool:

[r...@virtcent13 bin]# ls -l ldapsearch
-rwxr-xr-x 1 root wheel 65336 Aug 11 09:20 ldapsearch

And other things in this directory (like yum for example) work just fine:

[r...@virtcent13 bin]# yum repolist
Loaded plugins: fastestmirror, priorities
Existing lock /var/run/yum.pid: another copy is running as pid 11750.
Another app is currently holding the yum lock; waiting for it to exit...
  The other application is: yum-updatesd-he
Memory :  65 M RSS (107 MB VSZ)
Started: Sat Nov 13 18:04:22 2010 - 00:57 ago
State  : Running, pid: 11750


If you feed the command line the full path to ldapsearch it works as
intended. I was wondering if anyone had any idea why ldapsearch isn't
being found?

thanks!


[CentOS] pam_ldap login under centOS

2010-11-08 Thread bluethundr
Hello List


 I am attempting to setup various pam modules to consult our new LDAP
services in order to do what it needs to do.

 I have setup my /etc/pam.d sudo file (for example) this way in the
attempt to accomplish this via LDAP:

 [r...@vircent03:~]#cat /etc/pam.d/sudo
#%PAM-1.0
auth   include  system-auth
auth   required pam_ldap.so
accountinclude  system-auth
accountrequired pam_ldap.so
password   include  system-auth
password   required pam_ldap.so
sessionoptional pam_keyinit.so revoke
sessionrequired pam_limits.so
sessionrequired pam_ldap.so


but even though the user is part of the %wheel group under LDAP it is
unable to sudo to any other account (including root). If I try to sudo
this is what happens:

[bluethu...@vircent03:~]#sudo bash
[sudo] password for bluethundr:
bluethundr is not in the sudoers file.  This incident will be reported.

It would appear that sudo support for ldap is compiled in:

[r...@vircent03:~]#ldd $(which sudo)| grep -i ldap
libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00552000)


This is how I setup my ldap.conf file

[r...@vircent03:~]#cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URIldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT  12
#TIMELIMIT  15
#DEREF  never
URI ldap://ldap.acadaca.net/
BASE dc=acadaca,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net


In my openldap logs on the LDAP server there appears to be no activity
when I sudo. however in the secure logs on the client I do..

Nov  8 16:05:34 VIRCENT03 su: pam_unix(su-l:session): session opened
for user root by bluethundr(uid=500)
Nov  8 16:05:37 VIRCENT03 su: pam_unix(su-l:session): session opened
for user bluethundr by bluethundr(uid=0)
Nov  8 16:05:44 VIRCENT03 sudo: bluethundr : user NOT in sudoers ;
TTY=pts/5 ; PWD=/home/bluethundr ; USER=root ; COMMAND=/bin/bash


I do see other events in secure.log that appear to be pam successes
however. Am I interpreting this correctly that at least part of the
system is communicating with pam on the ldap server?


thanks



