Re: [CentOS] disable ZTS in php
Ok got it Eero. Thanks for the info!

Tim

Sent from my iPhone

> On Oct 30, 2015, at 12:29 PM, Eero Volotinen wrote:
>
> I think command name is yum-downloader.
>
> Then modify spec and rpmbuild -ba specname.spec
>
> You need also modify version number a bit. Rebuilding is a bit issue as you
> need to recompile as security patches come out ..
>
> Eero
>
> 30.10.2015 6.04 PM "Tim Dunphy" wrote:
>
>> Yeah Eero, ok you have a point. I'll do that. Thanks!
>>
>> On Fri, Oct 30, 2015 at 11:40 AM, Eero Volotinen wrote:
>>
>>> This is really wrong way to do this. Install yum-utils and use
>>> yumdownloader --source package-name to get rhel version of package. Then
>>> modify spec file and recompile.
>>>
>>> Eero
>>>
>>> Hey guys,
>>>
>>> I'm trying to disable ZTS in php, because an application we need
>>> (AppDynamics) is not compatible with it.
>>>
>>> So I tried compiling php with the following flags:
>>>
>>> php -i | grep configure
>>> Configure Command => './configure' '--with-apxs2=/opt/apache2/bin/apxs'
>>> '--with-zlib=/usr' '--prefix=/opt/php-5.6.8' '--with-libdir=lib64'
>>> '--with-config-file-path=/etc' '--enable-mime-magic' '--enable-pcntl'
>>> '--libexecdir=/usr/libexec' '--with-bz2' '--with-curl' '--with-gd'
>>> '--with-freetype-dir=/usr' '--with-png-dir=/usr/lib64'
>>> '--enable-gd-native-ttf' '--with-iconv' '--with-jpeg-dir=/usr/lib64'
>>> '--with-zlib' '--with-ldap' '--enable-exif' '--enable-sockets'
>>> '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx'
>>> '--with-kerberos' '--enable-shmop' '--enable-calendar' '--with-xmlrpc'
>>> '--enable-soap' '--disable-pdo' '--with-openssl' '--with-xsl'
>>> '--enable-dbx' '--enable-mbstring' '--with-mcrypt=/usr' '--enable-bcmath'
>>> '--enable-pdo' '--with-pdo-mysql=/usr' '--with-mysql'
>>> '--with-mysqli=/usr/bin/mysql_config' '--enable-zip' '--enable-dba=shared'
>>> '--with-gettext=shared' '--with-gmp' '--enable-ftp' '--with-pspell'
>>> '--with-config-file-scan-dir=/etc/php.d' '--disable-maintainer-zts'
>>>
>>> And for some reason the AppD installer is claiming that ZTS is still
>>> enabled. So what I'd like to know is, did I disable ZTS correctly? If I did
>>> that means the problem is on the AppD side so we should take a look there.
>>>
>>> Appreciate any help on this!
>>>
>>> Thanks
>>> Tim
>>>
>>> --
>>> GPG me!!
>>>
>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
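The rebuild route Eero describes (yumdownloader --source, edit the spec, bump the release, rpmbuild -ba) as a runnable sketch. This is an added example, not code from the thread or from the CentOS php package: it assumes rpmbuild's default tree under ~/rpmbuild, a spec that lists one configure flag per line with a trailing backslash, and uses a ".local1" release suffix and the flag name as this example's own choices. The two spec edits are plain functions so they can be exercised on a constructed spec without yum.

```shell
#!/bin/sh
# Added example, not from the thread. Two spec-file edits plus the
# download/rebuild wrapper Eero's reply describes. Assumptions: ~/rpmbuild
# is rpmbuild's tree, flags sit one per line ending in a backslash, and the
# '.local1' suffix is this example's convention.

# Delete the line carrying one configure flag, e.g. "    --enable-maintainer-zts \".
# $1 = spec file, $2 = flag. Other flag lines are untouched; the address uses
# '|' as delimiter so flags containing '/' also work.
drop_configure_flag() {
    pat="^[[:space:]]*$2[[:space:]]*"'\\\{0,1\}$'
    sed -i "\\|$pat|d" "$1"
}

# Append ".local1" to the numeric Release so the rebuilt package sorts above
# the distro package it came from and yum does not put the original back:
# "Release: 4%{?dist}" becomes "Release: 4.local1%{?dist}".
bump_release() {
    sed -i 's/^\(Release:[[:space:]]*[0-9][0-9]*\)/\1.local1/' "$1"
}

# Fetch the source package, edit its spec, rebuild. $1 = package, $2 = flag.
rebuild_without_flag() {
    yumdownloader --source "$1" || return 1     # from yum-utils
    rpm -ivh "$1"-*.src.rpm || return 1         # unpacks into ~/rpmbuild/SPECS and SOURCES
    spec=$HOME/rpmbuild/SPECS/$1.spec
    drop_configure_flag "$spec" "$2"
    bump_release "$spec"
    yum-builddep -y "$1"-*.src.rpm || return 1  # build dependencies
    rpmbuild -ba "$spec"
}
```

The release suffix is what Eero's "modify version number" means in practice, and it is also where the maintenance cost lives: the distro's next php security update carries a higher Release, so it will replace the local build and bring the dropped flag back unless the rebuild is repeated for each update.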
[CentOS] keychain problem
hello centos..

I am having a very annoying problem on my network right now. it looks like every time I try to add my ssh key to keychain I have to issue a command just to get my ssh subsystem communicating with the ssh-agent:

I have this line in my .bashrc file

$(keychain --eval --quick --quiet private_key1 private_key2 private_key3)

If I try to perform ssh-add I get the message:

[bluethundr@VIRTCENT01:~]#ssh-add
Could not open a connection to your authentication agent.

So then I try to execute ssh-agent:

bluethundr@amanda:~]#exec ssh-agent bash
 * Warning: can't find private_key1; skipping
 * Warning: can't find private_key2; skipping
 * Warning: can't find private_key3; skipping
bash: SSH_AUTH_SOCK=/tmp/ssh-cdJlgq6077/agent.6077;: No such file or directory

Then I can add it.

[bluethundr@amanda:~]#ssh-add
Enter passphrase for /home/bluethundr/.ssh/id_rsa:
Identity added: /home/bluethundr/.ssh/id_rsa (/home/bluethundr/.ssh/id_rsa)

But if I ssh away from this box and then ssh back INTO it.. and then sometime later have to ssh away again it asks me for my ssh key's passphrase.

See what I mean by 'annoying problem'?

Thanks in advance for your help!

--
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
[CentOS] keychain problem(with config file)
Sorry meant to attach my sshd_config file.. here it is!

-- Forwarded message --
From: bluethundr bluethu...@gmail.com
Date: Sat, Jan 15, 2011 at 11:22 AM
Subject: keychain problem
To: CentOS mailing list centos@centos.org

hello centos..

I am having a very annoying problem on my network right now. it looks like every time I try to add my ssh key to keychain I have to issue a command just to get my ssh subsystem communicating with the ssh-agent:

I have this line in my .bashrc file

$(keychain --eval --quick --quiet private_key1 private_key2 private_key3)

If I try to perform ssh-add I get the message:

[bluethundr@VIRTCENT01:~]#ssh-add
Could not open a connection to your authentication agent.

So then I try to execute ssh-agent:

bluethundr@amanda:~]#exec ssh-agent bash
 * Warning: can't find private_key1; skipping
 * Warning: can't find private_key2; skipping
 * Warning: can't find private_key3; skipping
bash: SSH_AUTH_SOCK=/tmp/ssh-cdJlgq6077/agent.6077;: No such file or directory

Then I can add it.

[bluethundr@amanda:~]#ssh-add
Enter passphrase for /home/bluethundr/.ssh/id_rsa:
Identity added: /home/bluethundr/.ssh/id_rsa (/home/bluethundr/.ssh/id_rsa)

But if I ssh away from this box and then ssh back INTO it.. and then sometime later have to ssh away again it asks me for my ssh key's passphrase.

See what I mean by 'annoying problem'?

Thanks in advance for your help!

--
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B

sshd_config
Description: Binary data
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] keychain problem
Hello and thanks for your reply!

Well I took your advice and removed that keychain scriptlet from .bashrc and put it into .bash_profile. Not sure what the functional difference between the two would be. Perhaps you would care to elaborate? I know that rc stands for resource configuration but other than that I don't know why this statement would be more appropriate in the .bash_profile. However you do seem well versed in this and I hope you don't mind answering this question.

So this is what I put into my .bash_profile

$(keychain --eval --agents ssh id_rsa)

and here is an ssh session from after when I did this:

[bluethundr@LCENT01:~]#bash
[bluethundr@LCENT01:~]#ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-cBwwRR5466/agent.5466; export SSH_AUTH_SOCK;
SSH_AGENT_PID=5467; export SSH_AGENT_PID;
echo Agent pid 5467;
[bluethundr@LCENT01:~]#ssh-add
Could not open a connection to your authentication agent.
[bluethundr@LCENT01:~]#exec ssh-agent bash
[bluethundr@LCENT01:~]#ssh-add
Enter passphrase for /home/bluethundr/.ssh/id_rsa:
Identity added: /home/bluethundr/.ssh/id_rsa (/home/bluethundr/.ssh/id_rsa)

So this behavior did not change. I still have to enter my passphrase again after I put this into my .bash_profile

[bluethundr@LCENT01:~]#ssh virt1
Last login: Sat Jan 15 11:51:08 2011 from 192.168.1.42
#
# SUMMITNJHOME.COM #
# TITLE: LB1 BOX #
# HOST: VIRTCENT01 #
# LOCATION: SUMMIT BASEMENT #
#
 * keychain 2.7.0 ~ http://www.funtoo.org
 * Found existing ssh-agent: 27556
 * Adding 1 ssh key(s): /home/bluethundr/.ssh/id_rsa
Enter passphrase for /home/bluethundr/.ssh/id_rsa:
Bad passphrase, try again for /home/bluethundr/.ssh/id_rsa:
 * ssh-add: Identities added: /home/bluethundr/.ssh/id_rsa

This is new.. now I get prompted for the passphrase AGAIN once I reach the server I am ssh'ing in to. I should point out that I am operating from a shared NFS mounted home directory.

-bash: SSH_AUTH_SOCK=/tmp/ssh-Tqzln27555/agent.27555;: No such file or directory
[bluethundr@VIRTCENT01:~]#ssh virt2
ssh: connect to host virt2 port 22: No route to host
[bluethundr@VIRTCENT01:~]#ssh sum2
Enter passphrase for key '/home/bluethundr/.ssh/id_rsa':
Enter passphrase for key '/home/bluethundr/.ssh/id_rsa':
Last login: Sat Jan 15 10:54:51 2011 from 192.168.1.50
#
# SUMMITNJHOME.COM #
# TITLE: SUM2 BOX #
# HOST: LCENT02 #
# LOCATION: SUMMIT BASEMENT #
#
 * keychain 2.7.0 ~ http://www.funtoo.org
 * Starting ssh-agent...
 * Adding 1 ssh key(s): /home/bluethundr/.ssh/id_rsa
Enter passphrase for /home/bluethundr/.ssh/id_rsa:
 * ssh-add: Identities added: /home/bluethundr/.ssh/id_rsa
-bash: SSH_AUTH_SOCK=/tmp/ssh-JGlcJj6111/agent.6111;: No such file or directory

Well it seems that I am still trying to figure this situation out. If you have any further insight into what may be going on here I would certainly appreciate your input.

On Sat, Jan 15, 2011 at 6:15 PM, Cameron Kerr came...@humbledown.org wrote:
> On 16/01/2011, at 11:56 AM, Cameron Kerr wrote:
>> On 16/01/2011, at 5:22 AM, bluethundr wrote:
>>> I have this line in my .bashrc file
>>>
>>> $(keychain --eval --quick --quiet private_key1 private_key2 private_key3)
>>
>> Should not this go into your ~/.bash_profile?
>> (disclaimer: I've not used the 'keychain' program before)
>
> According to the docs for keychain, it should look something more like the following:
>
> eval `keychain --eval --agents ssh id_dsa`
>
> The 'eval' at the start is probably more important than you think... I noted myself that the following are quite different in a bash script I was working on:
>
> $@
> eval $@
>
> (only the latter works, the former ended up not doing anything in a #!/bin/bash script)
>
> https://github.com/funtoo/keychain and http://www.funtoo.org/en/security/keychain/intro/ for more information regarding keychain.
>
> You might also like adding || exit 1 or similar to the 'eval' call, for debugging, as shown in the docs.
--
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] keychain problem
That's a great clarification for which I cannot thank you enough. I will look up SSH Agent Forwarding and start getting the hang of it. The centos list is a tremendous help for situations like these! :)

On Sun, Jan 16, 2011 at 12:22 AM, Cameron Kerr came...@humbledown.org wrote:
> On 16/01/2011, at 2:12 PM, bluethundr wrote:
>> Hello and thanks for your reply!
>>
>> Well I took your advice and removed that keychain scriptlet from .bashrc and put it into .bash_profile. Not sure what the functional difference between the two would be. Perhaps you would care to elaborate? I know that rc stands for resource configuration but other than that I don't know why this statement would be more appropriate in the .bash_profile. However you do seem well versed in this and I hope you don't mind answering this question.
>
> .bash_profile is executed for login shells (followed by .bashrc). .bashrc is executed for non-login shells as well. .bash_profile should therefore be used for session setup tasks.
>
>> So this is what I put into my .bash_profile
>>
>> $(keychain --eval --agents ssh id_rsa)
>>
>> and here is an ssh session from after when I did this:
>>
>> [bluethundr@LCENT01:~]#bash
>> [bluethundr@LCENT01:~]#ssh-agent
>> SSH_AUTH_SOCK=/tmp/ssh-cBwwRR5466/agent.5466; export SSH_AUTH_SOCK;
>> SSH_AGENT_PID=5467; export SSH_AGENT_PID;
>
> Here you are not actually starting the ssh-agent in the background (which explains why it is outputting environment variables). You should give it a second parameter to tell it which program to launch.
>
> ssh-agent bash
>
> However, this will cause the parent shell to become redundant, so you want to instead replace it with the shell that ssh-agent starts (that shell has the environment variables set appropriately).
>
> exec ssh-agent bash
>
> Now when you use ssh-add, it should be able to see the agent.
>
>> echo Agent pid 5467;
>> [bluethundr@LCENT01:~]#ssh-add
>> Could not open a connection to your authentication agent.
>> [bluethundr@LCENT01:~]#exec ssh-agent bash
>> [bluethundr@LCENT01:~]#ssh-add
>> Enter passphrase for /home/bluethundr/.ssh/id_rsa:
>> Identity added: /home/bluethundr/.ssh/id_rsa (/home/bluethundr/.ssh/id_rsa)
>>
>> So this behavior did not change. I still have to enter my passphrase again after I put this into my .bash_profile
>
> Of course. The passphrase is important because it encrypts the private key. This, presumably, is why you are using the 'keychain' program, which is typically used to have a key unlocked manually by a system administrator (eg. after boot), so that cron jobs, etc, can access it.
>
>> [bluethundr@LCENT01:~]#ssh virt1
>> Last login: Sat Jan 15 11:51:08 2011 from 192.168.1.42
>> #
>> # SUMMITNJHOME.COM #
>> # TITLE: LB1 BOX #
>> # HOST: VIRTCENT01 #
>> # LOCATION: SUMMIT BASEMENT #
>> #
>>  * keychain 2.7.0 ~ http://www.funtoo.org
>>  * Found existing ssh-agent: 27556
>>  * Adding 1 ssh key(s): /home/bluethundr/.ssh/id_rsa
>> Enter passphrase for /home/bluethundr/.ssh/id_rsa:
>> Bad passphrase, try again for /home/bluethundr/.ssh/id_rsa:
>>  * ssh-add: Identities added: /home/bluethundr/.ssh/id_rsa
>>
>> This is new.. now I get prompted for the passphrase AGAIN once I reach the server I am ssh'ing in to.
>
> This is why ssh-add (and presumably also 'keychain'), should NOT be included in your ~/.bash_profile or ~/.bashrc (or similar).
>
> SSH Agent Forwarding is the correct way to approach this problem: it generally increases system security (keys become easier to manage) and reduces user support requirements.

--
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
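The two failure modes in this thread, the "No such file or directory" error and the agent that cannot be found, both come from how the agent's output is consumed. The following is an added example (not code from the thread, from keychain or from its authors) that reproduces the broken `$(...)` form next to the working `eval` form on a constructed sample of agent output, and ends with a guarded attach-or-start function suitable for `~/.bash_profile`. The socket path and PIDs in the sample are made up.

```shell
#!/bin/sh
# Added example, not from the thread: why the output of ssh-agent / keychain
# must be eval'd, and a guarded way to attach to an agent from a login shell.

# Constructed sample of what 'ssh-agent -s' (and 'keychain --eval') print.
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-EXAMPLE/agent.4242; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4243; export SSH_AGENT_PID;
echo Agent pid 4243;'

# The thread's form: $(...) substitutes the output and runs its first word as
# a command name. That word is "SSH_AUTH_SOCK=/tmp/...;", which is not a
# program, so the shell prints "No such file or directory" and exports
# nothing. Prints whatever SSH_AUTH_SOCK ends up as (empty here).
wrong_way() (
    unset SSH_AUTH_SOCK
    $(printf '%s\n' "$SAMPLE_AGENT_OUTPUT") 2>/dev/null || true
    printf '%s' "${SSH_AUTH_SOCK:-}"
)

# The documented form: eval re-parses the text, so the assignments and
# exports take effect in the current shell. Prints the socket path.
right_way() (
    unset SSH_AUTH_SOCK
    eval "$SAMPLE_AGENT_OUTPUT" >/dev/null
    printf '%s' "${SSH_AUTH_SOCK:-}"
)

# For ~/.bash_profile: reuse the agent already in the environment when its
# socket is live (e.g. an agent forwarded into this login), otherwise start
# one. Returns 0 when an agent socket is reachable afterwards. No key is
# added here; that stays an explicit 'ssh-add' by the user.
ensure_agent() {
    if [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]; then
        return 0
    fi
    command -v ssh-agent >/dev/null 2>&1 || return 1
    eval "$(ssh-agent -s)" >/dev/null || return 1
    [ -S "${SSH_AUTH_SOCK:-}" ]
}
```

Checking `$SSH_AUTH_SOCK` before starting anything is what keeps a forwarded agent usable on the remote host, which is the agent-forwarding approach Cameron recommends; starting a fresh agent unconditionally, as the profile snippet in the thread does, hides the forwarded one and triggers the extra passphrase prompt.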
[CentOS] cron jobs fail to run
hey centos long time no hear! :)

I'm having a small issue where the backup jobs that I set to run in the crontab of the backup user do not appear to be running.

Here's how I set it up (with crontab -e as the backup user):

run amanda every night (check at 2:45 and backup at 3)
45 2 * * * /usr/sbin/amcheck /var/log/amanda/crontab/amcheck.log
* 3 * * * /usr/sbin/amdump /var/log/amanda/crontab/amdump.log

The executables are where they are supposed to be and run if you type them in on the command line:

[amandabac...@amanda ~]$ ls -l /usr/sbin/amcheck
-rwsr-x--- 1 root disk 68624 Dec 29 14:08 /usr/sbin/amcheck
[amandabac...@amanda ~]$ ls -l /usr/sbin/amdump
-rwxr-xr-x 1 amandabackup disk 9637 Dec 29 14:08 /usr/sbin/amdump

Although I'm not sure what the 's' indicates in the permissions of amcheck.

And here's a tail of the cron logs

[r...@amanda init.d]# tail /var/log/cron
Jan 5 07:01:01 newamanda crond[13612]: (root) CMD (run-parts /etc/cron.hourly)
Jan 5 07:17:09 newamanda crontab[13652]: (amandabackup) BEGIN EDIT (amandabackup)
Jan 5 07:18:00 newamanda crontab[13652]: (amandabackup) REPLACE (amandabackup)
Jan 5 07:18:00 newamanda crontab[13652]: (amandabackup) END EDIT (amandabackup)
Jan 5 07:18:01 newamanda crond[1448]: (amandabackup) RELOAD (cron/amandabackup)
Jan 5 07:18:39 newamanda crond[13686]: (CRON) STARTUP (V5.0)
Jan 5 07:23:01 newamanda crontab[13699]: (amandabackup) BEGIN EDIT (amandabackup)
Jan 5 07:23:47 newamanda crontab[13699]: (amandabackup) END EDIT (amandabackup)
Jan 5 07:25:38 newamanda crontab[13751]: (amandabackup) BEGIN EDIT (amandabackup)
Jan 5 07:25:53 newamanda crontab[13751]: (amandabackup) END EDIT (amandabackup)

thanks in advance!

--
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] cron jobs fail to run
sorry forgot to mention that cron IS running

[r...@amanda init.d]# ps -ef | grep cron
root 13686 1 0 07:18 ? 00:00:00 crond
root 13771 6676 0 07:34 pts/2 00:00:00 grep cron

On Wed, Jan 5, 2011 at 7:29 AM, bluethundr bluethu...@gmail.com wrote:
> hey centos long time no hear! :)
>
> I'm having a small issue where the backup jobs that I set to run in the crontab of the backup user do not appear to be running.
>
> Here's how I set it up (with crontab -e as the backup user):
>
> run amanda every night (check at 2:45 and backup at 3)
> 45 2 * * * /usr/sbin/amcheck /var/log/amanda/crontab/amcheck.log
> * 3 * * * /usr/sbin/amdump /var/log/amanda/crontab/amdump.log
>
> The executables are where they are supposed to be and run if you type them in on the command line:
>
> [amandabac...@amanda ~]$ ls -l /usr/sbin/amcheck
> -rwsr-x--- 1 root disk 68624 Dec 29 14:08 /usr/sbin/amcheck
> [amandabac...@amanda ~]$ ls -l /usr/sbin/amdump
> -rwxr-xr-x 1 amandabackup disk 9637 Dec 29 14:08 /usr/sbin/amdump
>
> Although I'm not sure what the 's' indicates in the permissions of amcheck.
>
> And here's a tail of the cron logs
>
> [r...@amanda init.d]# tail /var/log/cron
> Jan 5 07:01:01 newamanda crond[13612]: (root) CMD (run-parts /etc/cron.hourly)
> Jan 5 07:17:09 newamanda crontab[13652]: (amandabackup) BEGIN EDIT (amandabackup)
> Jan 5 07:18:00 newamanda crontab[13652]: (amandabackup) REPLACE (amandabackup)
> Jan 5 07:18:00 newamanda crontab[13652]: (amandabackup) END EDIT (amandabackup)
> Jan 5 07:18:01 newamanda crond[1448]: (amandabackup) RELOAD (cron/amandabackup)
> Jan 5 07:18:39 newamanda crond[13686]: (CRON) STARTUP (V5.0)
> Jan 5 07:23:01 newamanda crontab[13699]: (amandabackup) BEGIN EDIT (amandabackup)
> Jan 5 07:23:47 newamanda crontab[13699]: (amandabackup) END EDIT (amandabackup)
> Jan 5 07:25:38 newamanda crontab[13751]: (amandabackup) BEGIN EDIT (amandabackup)
> Jan 5 07:25:53 newamanda crontab[13751]: (amandabackup) END EDIT (amandabackup)
>
> thanks in advance!

--
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
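Two checks a practitioner would run over those crontab lines before looking further at crond, as an added example that is not part of the thread or of amanda. The schedule check flags the pattern in the second entry (a `*` minute with a fixed hour fires the job sixty times in that hour, not once at 3:00), and the mode helper answers the question about the `s` in `-rwsr-x---`: it is the set-user-ID bit, so amcheck runs as its owner root, and with that mode only root and members of group `disk` may execute it at all. The crontab lines passed in are the thread's; the function names are this example's.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for a user crontab entry.

# Check the schedule of one crontab line (min hour dom mon dow command...).
# Returns 1 with a message when the minute field is '*' while the hour is
# fixed (fires every minute of that hour rather than once), when a numeric
# minute is out of range, or when fields are missing. Returns 0 otherwise.
check_cron_schedule() {
    set -f                       # keep '*' literal instead of globbing the cwd
    set -- $1
    set +f
    [ $# -ge 6 ] || { echo "too few fields (need 5 time fields and a command)"; return 1; }
    min=$1; hour=$2
    case "$min" in
        '*')
            if [ "$hour" != '*' ]; then
                echo "minute='*' with hour=$hour: runs every minute of that hour"
                return 1
            fi ;;
        *[!0-9]*) ;;             # lists, ranges and steps are not validated here
        *)
            if [ "$min" -gt 59 ]; then
                echo "minute $min out of range"
                return 1
            fi ;;
    esac
    return 0
}

# Given a mode string as printed by 'ls -l' (e.g. -rwsr-x---), print "setuid"
# and return 0 when the set-user-ID bit is set in the owner's execute slot.
has_setuid_in_mode() {
    case "$1" in
        ???[sS]*) echo setuid; return 0 ;;
        *) return 1 ;;
    esac
}

# cron runs the job as the crontab's owner, so "it works when I type it"
# only counts if that same user can execute the program.
job_runnable() { [ -x "$1" ]; }
```

Run `check_cron_schedule` on each line of `crontab -l` output; the message for the amdump entry is the reason to change its minute field to `0` before looking further at crond or the log redirection.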
[CentOS] happy new years ssh key problem :)
Hi List,

Happy New Years and I was hoping to get some help on an ssh issue that I am having. For some reason I am unable to scp to hosts on this network using RSA keys. Here is what I am doing/what is going on;

scp the public key to remote host

[amandabac...@virtcent18 ~]$ scp ~/.ssh/id_rsa_amdump.pub amandabac...@lb1:~
amandabac...@lb1's password:
id_rsa_amdump.pub 100% 408 0.4KB/s 00:00

ssh (w/passwd) to remote host

[amandabac...@virtcent18 ~]$ ssh lb1
amandabac...@lb1's password:
Last login: Fri Dec 31 10:57:05 2010 from 192.168.1.40
#
# SUMMITNJHOME.COM #
# TITLE: LB1 BOX #
# HOST: VIRTCENT01 #
# LOCATION: SUMMIT BASEMENT #
#

check to see if the key exists in authorized_keys

[amandabac...@virtcent01 ~]$ grep -f id_rsa_amdump.pub ~/.ssh/authorized_keys

it didn't so cat it into authorized_keys

[amandabac...@virtcent01 ~]$ cat id_rsa_amdump.pub ~/.ssh/authorized_keys

check again, just to make sure that it's there

[amandabac...@virtcent01 ~]$ grep -f id_rsa_amdump.pub ~/.ssh/authorized_keys
ssh-rsa BlAB3Nza/FAKE-KEY-DATA--KEY-DATAKfMq4DDa0xaKb/FAKE-KEY-DATA--KEY-DATAsoqCu/boKNa/FAKE-KEY-DATA--KEY-DATAp1n9TcDtxm2XFHcOKUw2/14/bz1pWNDI/FAKE-KEY-DATA--KEY-DATAr9951JdK7Ny6lk/FAKE-KEY-DATA--KEY-DATA1/FAKE-KEY-DATA--KEY-DATAwh2dmgyxI9N69x3ypvWcGWShZw1BCJI06j5qIxvin99/FAKE-KEY-DATA--KEY-DATA

It is. so good so far. Check permissions on authorized_keys file

[amandabac...@virtcent01 ~]$ ls -l ~/.ssh/authorized_keys
-rw------- 1 amandabackup disk 408 Dec 31 11:02 /var/lib/amanda/.ssh/authorized_keys

make sure we have the right home environment

HOME=/var/lib/amanda

Also good. Now, make sure ssh is looking at the right file

[r...@virtcent01 ~]# grep -i authorizedkeysfile /etc/ssh/sshd_config
AuthorizedKeysFile ~/.ssh/authorized_keys

It is. Now exit and try to ssh in

[amandabac...@virtcent01 ~]$ exit
Connection to lb1 closed.

[amandabac...@virtcent18 ~]$ ssh -vvv amandabac...@lb1
OpenSSH_5.6p1lpk, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to lb1 [192.168.1.23] port 22.
debug1: Connection established.
debug1: identity file /var/lib/amanda/.ssh/id_rsa type -1
debug1: identity file /var/lib/amanda/.ssh/id_rsa-cert type -1
debug1: identity file /var/lib/amanda/.ssh/id_dsa type -1
debug1: identity file /var/lib/amanda/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
[CentOS] amanda backup ssh key
hello list,

I am attempting to ssh via a user account setup for amanda backups from the backup server to the test backup client. AFAIK everything is setup correctly yet when I ssh as the user to the client I have to type the password. the public key is in the authorized_keys file of the client and permissions all seem correct.

Here is a verbose output of the ssh session

[amandabac...@virtcent18 .ssh]$ ssh -vvv lb1
OpenSSH_5.6p1lpk, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to lb1 [192.168.1.23] port 22.
debug1: Connection established.
debug1: identity file /var/lib/amanda/.ssh/id_rsa type -1
debug1: identity file /var/lib/amanda/.ssh/id_rsa-cert type -1
debug1: identity file /var/lib/amanda/.ssh/id_dsa type -1
debug1: identity file /var/lib/amanda/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 126/256
debug2: bits set: 514/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: host lb1 filename /var/lib/amanda/.ssh/known_hosts
debug3: check_host_in_hostfile: host lb1 filename /var/lib/amanda/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: host 192.168.1.23 filename /var/lib/amanda/.ssh/known_hosts
debug3: check_host_in_hostfile: host 192.168.1.23 filename /var/lib/amanda/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'lb1' is known and matches the RSA host key.
debug1: Found key in /var/lib/amanda/.ssh/known_hosts:1
debug2: bits set: 516/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /var/lib/amanda/.ssh/id_rsa ((nil))
debug2: key: /var/lib/amanda/.ssh/id_dsa ((nil))
debug1: Authentications that can continue:
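Both of the key-authentication posts above ("happy new years ssh key problem" and "amanda backup ssh key") show the same verbose output, and it already names the client-side cause: every default identity file is reported as `type -1`, i.e. the client looked for `id_rsa` and `id_dsa` and found neither, so the key that was generated as `id_rsa_amdump` is never offered. The block below is an added example, not code from either post or from OpenSSH, covering that check together with the server-side conditions sshd's `StrictModes` enforces before it silently falls back to password authentication. It takes paths as arguments, so none of the posters' hosts or keys are used; GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example, not from the threads: the conditions under which ssh and
# sshd quietly skip public-key authentication. Paths come from the caller.

# Octal permission bits of a path, e.g. 700 (GNU stat assumed).
mode_of() { stat -c '%a' "$1"; }

# True when group or others may write the path. sshd with StrictModes (the
# default) ignores authorized_keys if this holds for the file, ~/.ssh or ~.
gw_or_ow() {
    m=$(mode_of "$1")
    [ $(( (m / 10) % 10 & 2 )) -ne 0 ] || [ $(( m % 10 & 2 )) -ne 0 ]
}

# Server side. $1 = home directory of the account being logged into.
# Prints each problem found; returns 0 only when all three paths pass.
check_server_side() {
    home=$1; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        if gw_or_ow "$p"; then
            echo "group/world writable (mode $(mode_of "$p")): $p"; rc=1
        fi
    done
    return $rc
}

# Client side. $1 = the client's ~/.ssh directory, $2 = private key file name.
# ssh offers only the default key names unless -i or IdentityFile names
# another file (id_ecdsa/id_ed25519 are defaults on newer OpenSSH).
# Returns 0 if the key will be offered by default, 1 if it needs an explicit
# IdentityFile or its mode is too open, 2 if the key file does not exist.
check_client_side() {
    dir=$1; key=$2
    [ -f "$dir/$key" ] || { echo "private key not found: $dir/$key"; return 2; }
    m=$(mode_of "$dir/$key")
    if [ $(( m % 100 )) -ne 0 ]; then
        echo "private key mode $m is too open; ssh refuses it (chmod 600)"; return 1
    fi
    case "$key" in
        id_rsa|id_dsa|id_ecdsa|id_ed25519)
            echo "ok: $key is tried by default"; return 0 ;;
        *)
            echo "$key is not tried by default: use 'ssh -i $dir/$key' or an IdentityFile line in ~/.ssh/config"
            return 1 ;;
    esac
}
```

On the server, `sshd -d` or the auth log names the rejected path when StrictModes is the cause; on the client, the `debug1: identity file ... type -1` lines are the signal that no usable default key was found. The home directory itself is included in the server check because the NFS-mounted home mentioned in the keychain thread is a common place for a group-writable mode to creep in.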
[CentOS] pam account lockout duration
hey list

I'm doing a PCI audit for my company. One of the requirements is to specify a lockout duration of 30 minutes after 6 failed login attempts:

8.5.14 For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.

I'm pretty sure this is a pam thing but does anyone know how this can best be achieved?

thanks!

--
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
[CentOS] cobbler fails to recognize semanage rules
I am having a bit of trouble setting up cobbler on this machine. cobbler check points out a few things to correct:

[r...@virtcent04:~]#cobbler check
The following are potential configuration items that you may want to fix:

1 : you need to set some SELinux content rules to ensure cobbler serves content correctly in your SELinux environment, run the following:
    /usr/sbin/semanage fcontext -a -t public_content_t /tftpboot/.*
    /usr/sbin/semanage fcontext -a -t public_content_t /var/www/cobbler/images/.*
2 : you need to set some SELinux rules if you want to use cobbler-web (an optional package), run the following:
    /usr/sbin/semanage fcontext -a -t httpd_sys_content_rw_t /var/lib/cobbler/webui_sessions/.*
3 : some network boot-loaders are missing from /var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to download them, or, if you only want to handle x86/x86_64 netbooting, you may ensure that you have installed a *recent* version of the syslinux package installed and can ignore this message entirely. Files in this directory, should you want to support all architectures, should include pxelinux.0, menu.c32, elilo.efi, and yaboot. The 'cobbler get-loaders' command is the easiest way to resolve these requirements.
4 : since iptables may be running, ensure 69, 80, and 25151 are unblocked
5 : debmirror package is not installed, it will be required to manage debian deployments and repositories
6 : The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: openssl passwd -1 -salt 'random-phrase-here' 'your-password-here' to generate new one

Restart cobblerd and then run 'cobbler sync' to apply changes.

I try to apply the first suggestion:

[r...@virtcent04:~]#/usr/sbin/semanage fcontext -a -t public_content_t /tftpboot/.*
/usr/sbin/semanage fcontext -a -t public_content_t /var/www/cobbler/images/.*
/usr/sbin/semanage: File context for /tftpboot/.* already defined

And the system points out that the rules are already defined by semanage.

the cobbler service restarts:

[r...@virtcent04:~]#service cobblerd restart
Stopping cobbler daemon: [ OK ]
Starting cobbler daemon: [ OK ]
[r...@virtcent04:~]#SERVING!

sync is fine

[r...@virtcent04:~]#cobbler sync
task started: 2010-12-18_105137_sync
task started (id=Sync, time=Sat Dec 18 10:51:37 2010)
running pre-sync triggers
cleaning trees
removing: /tftpboot/pxelinux.cfg/default
removing: /tftpboot/s390x/profile_list
copying bootloaders
copying: /usr/lib/syslinux/pxelinux.0 -> /tftpboot/pxelinux.0
copying: /usr/lib/syslinux/menu.c32 -> /tftpboot/menu.c32
copying: /boot/memtest86+-1.65 -> /tftpboot/memtest86+-1.65
copying: /usr/lib/syslinux/memdisk -> /tftpboot/memdisk
copying distros
copying images
generating PXE configuration files
rendering Rsync files
generating PXE menu structure
running post-sync triggers
*** TASK COMPLETE ***

run cobbler check again:

[r...@virtcent04:~]#cobbler check
The following are potential configuration items that you may want to fix:

1 : you need to set some SELinux content rules to ensure cobbler serves content correctly in your SELinux environment, run the following:
    /usr/sbin/semanage fcontext -a -t public_content_t /tftpboot/.*
    /usr/sbin/semanage fcontext -a -t public_content_t /var/www/cobbler/images/.*
2 : you need to set some SELinux rules if you want to use cobbler-web (an optional package), run the following:
    /usr/sbin/semanage fcontext -a -t httpd_sys_content_rw_t /var/lib/cobbler/webui_sessions/.*
3 : some network boot-loaders are missing from /var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to download them, or, if you only want to handle x86/x86_64 netbooting, you may ensure that you have installed a *recent* version of the syslinux package installed and can ignore this message entirely. Files in this directory, should you want to support all architectures, should include pxelinux.0, menu.c32, elilo.efi, and yaboot. The 'cobbler get-loaders' command is the easiest way to resolve these requirements.
4 : since iptables may be running, ensure 69, 80, and 25151 are unblocked
5 : debmirror package is not installed, it will be required to manage debian deployments and repositories
6 : The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: openssl passwd -1 -salt 'random-phrase-here' 'your-password-here' to generate new one

Restart cobblerd and then run 'cobbler sync' to apply changes.

same thing... what can I do to get beyond this infinite loop?

--
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] heartbeat configuration for lb
hey guys thanks for the tip.. I haven't had a chance to play with heartbeat as we decided to go with keepalived as per Emmett's suggestion. It works beautifully with two keepalived/haproxy load balancers. I really appreciate Emmett's advice and sorry I didn't let you know it was working sooner.

At any rate, I was told to add a 3rd load balancer to the mix and that adds a new wrinkle. I need to add a new keepalived instance and I can't quite figure out how that's done. It would seem to me to be an issue of the priorities as that is the only thing I altered in the files.

Initially, nodes A and B were set to 101 and 100 respectively. I set node A to 102, node B to 101 and node C to 100... keepalived restarts and the virtual IP is pingable. But the website goes down! :(

So then I tried node A set to 101, node B to 100 and node C to 99. Same thing, I restarted keepalived and the site goes down, tho the virtual IP remains pingable and keepalived and haproxy are running.

Does anyone know how to address this issue?

Thanks!!

On Mon, Dec 13, 2010 at 3:04 AM, Juergen Gotteswinter j...@internetx.de wrote:
> Not 100% On Topic, but perhaps you should try keepalived for vrrp failover on Loadbalancers. Much more reliable, easier to setup and faster switch to the standby host
>
> keepalived.org
>
> On 13.12.10 04:50, Emmett Culley wrote:
>> On 12/11/2010 07:26 PM, bluethundr wrote:
>>> Sorry I forgot to finish the story!!! :)
>>>
>>> And the interface doesn't appear to be sharing the address:
>>>
>>> [r...@virtcent01:~]#ip addr sh eth0
>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>>>     link/ether 00:16:36:22:92:70 brd ff:ff:ff:ff:ff:ff
>>>     inet 192.168.1.23/24 brd 192.168.1.255 scope global eth0
>>>     inet6 fe80::216:36ff:fe22:9270/64 scope link
>>>        valid_lft forever preferred_lft forever
>>>
>>> And I can't ping the virtual address I had tried to setup using heartbeat:
>>>
>>> [r...@virtcent01:~]#ping 192.168.1.200
>>> PING 192.168.1.200 (192.168.1.200) 56(84) bytes of data.
>>> From 192.168.1.23 icmp_seq=1 Destination Host Unreachable
>>> From 192.168.1.23 icmp_seq=2 Destination Host Unreachable
>>> From 192.168.1.23 icmp_seq=3 Destination Host Unreachable
>>>
>>> thanks again!!!
>>>
>>> On Sat, Dec 11, 2010 at 10:13 PM, bluethundr bluethu...@gmail.com wrote:
>>>> hello list!
>>>>
>>>> I am attempting to setup haproxy using a shared IP I am trying to setup using the heartbeat package that I currently have installed:
>>>>
>>>> [r...@virtcent01:~]#rpm -qa | grep heartbeat | grep -v -e stonith -e pils
>>>> heartbeat-2.1.4-11.el5
>>>> heartbeat-2.1.4-11.el5
>>>>
>>>> I have /etc/ha.d/authkeys setup this way:
>>>>
>>>> #
>>>> auth 2
>>>> #1 crc
>>>> 2 sha1 {SHA}secret
>>>>
>>>> I have /etc/ha.d/resources setup like this:
>>>>
>>>> VIRTCENT01.summitnjhome.com 192.168.1.23
>>>>
>>>> And I have /etc/ha.cf setup like this:
>>>>
>>>> # What UDP port to use for udp or ppp-udp communication?
>>>> #
>>>> udpport 694
>>>> bcast eth0
>>>> mcast eth0 225.0.0.1 694 1 0
>>>> ucast eth0 192.168.1.200
>>>> # What interfaces to heartbeat over?
>>>> udp eth0
>>>> #
>>>> # Facility to use for syslog()/logger (alternative to log/debugfile)
>>>> #
>>>> logfacility local0
>>>> #
>>>> # Tell what machines are in the cluster
>>>> # node nodename ... -- must match uname -n
>>>> node lb1.summitnjhome.com
>>>> node lb2.summitnjhome.com
>>>>
>>>> The service seems to start ok:
>>>>
>>>> [r...@virtcent01:~]#service heartbeat restart
>>>> Stopping High-Availability services:                       [  OK  ]
>>>> Waiting to allow resource takeover to complete:            [  OK  ]
>>>> Starting High-Availability services:
>>>> 2010/12/11_22:03:55 INFO:  Resource is stopped
>>>>                                                            [  OK  ]
>>>>
>>>> (tho I am unsure what that INFO notice about the resource being stopped means).
>>>>
>>>> And I have verified that it is running with ps:
>>>>
>>>> [r...@virtcent01:~]#ps auxwww | grep heartbeat
>>>> root      3646  0.1  4.6  12260 12256 ?      SLs  22:03   0:00 heartbeat: master control process
>>>> nobody    3648  0.0  2.1   5664  5660 ?      SL   22:03   0:00 heartbeat: FIFO reader
>>>> nobody    3649  0.0  2.1   5660  5656 ?      SL   22:03   0:00 heartbeat: write: bcast eth0
>>>> nobody    3650  0.0  2.1   5660  5656 ?      SL   22:03   0:00 heartbeat: read: bcast eth0
>>>> root      3653  0.0  0.2  61180   736 pts/1  S+   22:04   0:00 grep heartbeat
>>>>
>>>> And verified that the box is listening on port 694 (the port that I have set for heartbeat):
>>>>
>>>> [r...@virtcent01:~]#netstat -tulpn | grep heartbeat
>>>> udp        0      0 0.0.0.0:694                 0.0.0.0:*                   3649/heartbeat: wri
>>>> udp        0      0 0.0.0.0:50550               0.0.0.0:*                   3649/heartbeat: wri
>>>>
>>>> However although I have the port enabled in iptables:
>>>>
>>>> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 694 -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>>> COMMIT
>>>>
>>>> An nmap scan does not see anything active
[CentOS] heartbeat configuration for lb
hello list!

I am attempting to setup haproxy using a shared IP I am trying to setup using the heartbeat package that I currently have installed:

[r...@virtcent01:~]#rpm -qa | grep heartbeat | grep -v -e stonith -e pils
heartbeat-2.1.4-11.el5
heartbeat-2.1.4-11.el5

I have /etc/ha.d/authkeys setup this way:

#
auth 2
#1 crc
2 sha1 {SHA}secret

I have /etc/ha.d/resources setup like this:

VIRTCENT01.summitnjhome.com 192.168.1.23

And I have /etc/ha.cf setup like this:

# What UDP port to use for udp or ppp-udp communication?
#
udpport 694
bcast eth0
mcast eth0 225.0.0.1 694 1 0
ucast eth0 192.168.1.200
# What interfaces to heartbeat over?
udp eth0
#
# Facility to use for syslog()/logger (alternative to log/debugfile)
#
logfacility local0
#
# Tell what machines are in the cluster
# node nodename ... -- must match uname -n
node lb1.summitnjhome.com
node lb2.summitnjhome.com

The service seems to start ok:

[r...@virtcent01:~]#service heartbeat restart
Stopping High-Availability services:                       [  OK  ]
Waiting to allow resource takeover to complete:            [  OK  ]
Starting High-Availability services:
2010/12/11_22:03:55 INFO:  Resource is stopped
                                                           [  OK  ]

(tho I am unsure what that INFO notice about the resource being stopped means).

And I have verified that it is running with ps:

[r...@virtcent01:~]#ps auxwww | grep heartbeat
root      3646  0.1  4.6  12260 12256 ?      SLs  22:03   0:00 heartbeat: master control process
nobody    3648  0.0  2.1   5664  5660 ?      SL   22:03   0:00 heartbeat: FIFO reader
nobody    3649  0.0  2.1   5660  5656 ?      SL   22:03   0:00 heartbeat: write: bcast eth0
nobody    3650  0.0  2.1   5660  5656 ?      SL   22:03   0:00 heartbeat: read: bcast eth0
root      3653  0.0  0.2  61180   736 pts/1  S+   22:04   0:00 grep heartbeat

And verified that the box is listening on port 694 (the port that I have set for heartbeat):

[r...@virtcent01:~]#netstat -tulpn | grep heartbeat
udp        0      0 0.0.0.0:694                 0.0.0.0:*                   3649/heartbeat: wri
udp        0      0 0.0.0.0:50550               0.0.0.0:*                   3649/heartbeat: wri

However although I have the port enabled in iptables:

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 694 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

An nmap scan does not see anything active on 694:

bluethu...@bluethundr-laptop:~$ sudo nmap -sT -A virt1

Starting Nmap 5.00 ( http://nmap.org ) at 2010-12-11 22:07 EST
Warning: Traceroute does not support idle or connect scan, disabling...
Interesting ports on 192.168.1.23:
Not shown: 997 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 5.6 (protocol 2.0)
| ssh-hostkey: 1024 b0:gu:s (DSA)
|_ 2048 b0:gu:s (RSA)
80/tcp  closed http
631/tcp closed ipp
MAC Address: 00:16:36:22:92:70 (Quanta Computer)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.15 - 2.6.26
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.27 seconds

I am enclosing an archive of my /etc/ha.d directory in case this is of use to anyone.

I would certainly appreciate any help anyone could provide!

Thanks!!

--
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B

ha.d.tar.gz
Description: GNU Zip compressed data
Re: [CentOS] heartbeat configuration for lb
Sorry I forgot to finish the story!!! :)

And the interface doesn't appear to be sharing the address:

[r...@virtcent01:~]#ip addr sh eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:16:36:22:92:70 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.23/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::216:36ff:fe22:9270/64 scope link
       valid_lft forever preferred_lft forever

And I can't ping the virtual address I had tried to setup using heartbeat:

[r...@virtcent01:~]#ping 192.168.1.200
PING 192.168.1.200 (192.168.1.200) 56(84) bytes of data.
From 192.168.1.23 icmp_seq=1 Destination Host Unreachable
From 192.168.1.23 icmp_seq=2 Destination Host Unreachable
From 192.168.1.23 icmp_seq=3 Destination Host Unreachable

thanks again!!!

On Sat, Dec 11, 2010 at 10:13 PM, bluethundr bluethu...@gmail.com wrote:
> hello list!
>
> I am attempting to setup haproxy using a shared IP I am trying to setup using the heartbeat package that I currently have installed:
>
> [r...@virtcent01:~]#rpm -qa | grep heartbeat | grep -v -e stonith -e pils
> heartbeat-2.1.4-11.el5
> heartbeat-2.1.4-11.el5
>
> I have /etc/ha.d/authkeys setup this way:
>
> #
> auth 2
> #1 crc
> 2 sha1 {SHA}secret
>
> I have /etc/ha.d/resources setup like this:
>
> VIRTCENT01.summitnjhome.com 192.168.1.23
>
> And I have /etc/ha.cf setup like this:
>
> # What UDP port to use for udp or ppp-udp communication?
> #
> udpport 694
> bcast eth0
> mcast eth0 225.0.0.1 694 1 0
> ucast eth0 192.168.1.200
> # What interfaces to heartbeat over?
> udp eth0
> #
> # Facility to use for syslog()/logger (alternative to log/debugfile)
> #
> logfacility local0
> #
> # Tell what machines are in the cluster
> # node nodename ... -- must match uname -n
> node lb1.summitnjhome.com
> node lb2.summitnjhome.com
>
> The service seems to start ok:
>
> [r...@virtcent01:~]#service heartbeat restart
> Stopping High-Availability services:                       [  OK  ]
> Waiting to allow resource takeover to complete:            [  OK  ]
> Starting High-Availability services:
> 2010/12/11_22:03:55 INFO:  Resource is stopped
>                                                            [  OK  ]
>
> (tho I am unsure what that INFO notice about the resource being stopped means).
>
> And I have verified that it is running with ps:
>
> [r...@virtcent01:~]#ps auxwww | grep heartbeat
> root      3646  0.1  4.6  12260 12256 ?      SLs  22:03   0:00 heartbeat: master control process
> nobody    3648  0.0  2.1   5664  5660 ?      SL   22:03   0:00 heartbeat: FIFO reader
> nobody    3649  0.0  2.1   5660  5656 ?      SL   22:03   0:00 heartbeat: write: bcast eth0
> nobody    3650  0.0  2.1   5660  5656 ?      SL   22:03   0:00 heartbeat: read: bcast eth0
> root      3653  0.0  0.2  61180   736 pts/1  S+   22:04   0:00 grep heartbeat
>
> And verified that the box is listening on port 694 (the port that I have set for heartbeat):
>
> [r...@virtcent01:~]#netstat -tulpn | grep heartbeat
> udp        0      0 0.0.0.0:694                 0.0.0.0:*                   3649/heartbeat: wri
> udp        0      0 0.0.0.0:50550               0.0.0.0:*                   3649/heartbeat: wri
>
> However although I have the port enabled in iptables:
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 694 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> An nmap scan does not see anything active on 694:
>
> bluethu...@bluethundr-laptop:~$ sudo nmap -sT -A virt1
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2010-12-11 22:07 EST
> Warning: Traceroute does not support idle or connect scan, disabling...
> Interesting ports on 192.168.1.23:
> Not shown: 997 filtered ports
> PORT    STATE  SERVICE VERSION
> 22/tcp  open   ssh     OpenSSH 5.6 (protocol 2.0)
> | ssh-hostkey: 1024 b0:gu:s (DSA)
> |_ 2048 b0:gu:s (RSA)
> 80/tcp  closed http
> 631/tcp closed ipp
> MAC Address: 00:16:36:22:92:70 (Quanta Computer)
> Device type: general purpose
> Running: Linux 2.6.X
> OS details: Linux 2.6.15 - 2.6.26
> Network Distance: 1 hop
>
> OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 11.27 seconds
>
> I am enclosing an archive of my /etc/ha.d directory in case this is of use to anyone.
>
> I would certainly appreciate any help anyone could provide!
>
> Thanks!!
>
> --
> GPG me!!
>
> gpg --keyserver pgp.mit.edu --recv-keys F186197B

--
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
[CentOS] rpm dependencies
I have successfully created a packaged version of openssh that has the LPK patch. LPK allows you to store your public keys in LDAP. However when I go to install the package I created it complains about dependencies:

[r...@virtcent13:/home/bluethundr/rpm]#rpm -Uvh openssh-5.6p1-1.i386.rpm
error: Failed dependencies:
        openssh = 5.5p1-1.el5 is needed by (installed) openssh-clients-5.5p1-1.el5.i386
        openssh = 5.5p1-1.el5 is needed by (installed) openssh-server-5.5p1-1.el5.i386

how can I get past this?

thanks!!

--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
Re: [CentOS] rpm dependencies
Sounds great guys!! on it!!! :)

On Mon, Nov 29, 2010 at 11:55 AM, Robert Heller hel...@deepsoft.com wrote:
> At Mon, 29 Nov 2010 11:23:03 -0500 CentOS mailing list centos@centos.org wrote:
>
>> I have successfully created a packaged version of openssh that has the LPK patch. LPK allows you to store your public keys in LDAP. However when I go to install the package I created it complains about dependencies:
>>
>> [r...@virtcent13:/home/bluethundr/rpm]#rpm -Uvh openssh-5.6p1-1.i386.rpm
>> error: Failed dependencies:
>>         openssh = 5.5p1-1.el5 is needed by (installed) openssh-clients-5.5p1-1.el5.i386
>>         openssh = 5.5p1-1.el5 is needed by (installed) openssh-server-5.5p1-1.el5.i386
>>
>> how can I get past this?
>
> Get the spec file from the stock openssh SRPM and use that as a guide to create a spec file for openssh-5.6p1 that will create the openssh-clients and openssh-server sub-packages and then re-build it again. Now you can upgrade the three packages openssh-5.6p1-1.i386.rpm, openssh-clients-5.6p1-1.i386.rpm and openssh-server-5.6p1-1.i386.rpm.
>
>> thanks!!
>
> --
> Robert Heller -- 978-544-6933 / hel...@deepsoft.com
> Deepwoods Software -- http://www.deepsoft.com/
> ()  ascii ribbon campaign -- against html e-mail
> /\  www.asciiribbon.org -- against proprietary attachments

--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
Re: [CentOS] rpm dependencies
Hey list,

I actually got the spec for openssh-lpk to build... however for some reason at this point it is ONLY building SRPMs... no idea why yet but i am plugging away at this.. I could use a spare set of eyes on this if you can spare them... spec file is enclosed...

thanks!!

On Mon, Nov 29, 2010 at 12:02 PM, bluethundr bluethu...@gmail.com wrote:
> Sounds great guys!! on it!!! :)
>
> On Mon, Nov 29, 2010 at 11:55 AM, Robert Heller hel...@deepsoft.com wrote:
>> At Mon, 29 Nov 2010 11:23:03 -0500 CentOS mailing list centos@centos.org wrote:
>>
>>> I have successfully created a packaged version of openssh that has the LPK patch. LPK allows you to store your public keys in LDAP. However when I go to install the package I created it complains about dependencies:
>>>
>>> [r...@virtcent13:/home/bluethundr/rpm]#rpm -Uvh openssh-5.6p1-1.i386.rpm
>>> error: Failed dependencies:
>>>         openssh = 5.5p1-1.el5 is needed by (installed) openssh-clients-5.5p1-1.el5.i386
>>>         openssh = 5.5p1-1.el5 is needed by (installed) openssh-server-5.5p1-1.el5.i386
>>>
>>> how can I get past this?
>>
>> Get the spec file from the stock openssh SRPM and use that as a guide to create a spec file for openssh-5.6p1 that will create the openssh-clients and openssh-server sub-packages and then re-build it again. Now you can upgrade the three packages openssh-5.6p1-1.i386.rpm, openssh-clients-5.6p1-1.i386.rpm and openssh-server-5.6p1-1.i386.rpm.
>>
>>> thanks!!
>>
>> --
>> Robert Heller -- 978-544-6933 / hel...@deepsoft.com
>> Deepwoods Software -- http://www.deepsoft.com/
>> ()  ascii ribbon campaign -- against html e-mail
>> /\  www.asciiribbon.org -- against proprietary attachments
>
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3

--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3

%define ver 5.6p1
%define rel 7

# OpenSSH privilege separation requires a user & group ID
%define sshd_uid 74
%define sshd_gid 74

# Version of ssh-askpass
%define aversion 1.2.4.1

# Do we want to disable building of x11-askpass? (1=yes 0=no)
%define no_x11_askpass 0

# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%define no_gnome_askpass 0

# Do we want to link against a static libcrypto? (1=yes 0=no)
%define static_libcrypto 0

# Do we want smartcard support (1=yes 0=no)
%define scard 0

# Use GTK2 instead of GNOME in gnome-ssh-askpass
%define gtk2 1

# Is this build for RHL 6.x?
%define build6x 0

# Do we want kerberos5 support (1=yes 0=no)
%define kerberos5 1

# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_x11_askpass:%define no_x11_askpass 1}
%{?skip_gnome_askpass:%define no_gnome_askpass 1}

# Is this a build for RHL 6.x or earlier?
%{?build_6x:%define build6x 1}

# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
%if %{build6x}
%define _sysconfdir /etc
%endif

# Options for static OpenSSL link:
# rpm -ba|--rebuild --define static_openssl 1
%{?static_openssl:%define static_libcrypto 1}

# Options for Smartcard support: (needs libsectok and openssl-engine)
# rpm -ba|--rebuild --define smartcard 1
%{?smartcard:%define scard 1}

# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
%define rescue 0
%{?build_rescue:%define rescue 1}

# Turn off some stuff for resuce builds
%if %{rescue}
%define kerberos5 0
%endif

Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
Name: openssh
Version: %{ver}
%if %{rescue}
Release: %{rel}rescue
%else
Release: %{rel}
%endif
URL: http://www.openssh.com/portable.html
Source0: openssh-5.6p1.tar.gz
Source1: http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
Patch0: contrib-openssh-lpk-5.6p1-0.3.13.patch
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
Obsoletes: ssh
%if %{build6x}
PreReq: initscripts >= 5.00
%else
PreReq: initscripts >= 5.20
%endif
BuildPreReq: perl, openssl-devel, tcp_wrappers, openssl, zlib-devel, openldap-devel, openssl-devel, pam-devel
BuildPreReq: /bin/login
%if ! %{build6x}
BuildPreReq: glibc-devel, pam
%else
BuildPreReq: /usr/include/security/pam_appl.h
%endif
%if ! %{no_gnome_askpass}
BuildPreReq: pkgconfig
%endif

%package clients
Summary: OpenSSH clients.
Requires: openssh = %{version}-%{release}
Group: Applications/Internet
Obsoletes: ssh-clients

%package server
Summary: The OpenSSH server daemon.
Group: System Environment/Daemons
Obsoletes: ssh-server
PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9
%if ! %{build6x}
Requires: /etc/pam.d/system-auth
%endif

%package askpass
Summary: A passphrase dialog for OpenSSH and X.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras

%package askpass-gnome
Summary: A passphrase
Re: [CentOS] rpm dependencies
using this command, sorry I forgot to include that..

[make...@virtcent15 SPECS]$ rpmbuild -ba openssh-lpk.spec

and here's the tail end of the output:

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

+ exit 0
Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/openssh-5.6p1-buildroot
Wrote: /home/makerpm/rpmbuild/SRPMS/openssh-5.6p1-7.src.rpm

thanks!

On Mon, Nov 29, 2010 at 4:19 PM, bluethundr bluethu...@gmail.com wrote:
> Hey list,
>
> I actually got the spec for openssh-lpk to build... however for some reason at this point it is ONLY building SRPMs... no idea why yet but i am plugging away at this.. I could use a spare set of eyes on this if you can spare them... spec file is enclosed...
>
> thanks!!
>
> On Mon, Nov 29, 2010 at 12:02 PM, bluethundr bluethu...@gmail.com wrote:
>> Sounds great guys!! on it!!! :)
>>
>> On Mon, Nov 29, 2010 at 11:55 AM, Robert Heller hel...@deepsoft.com wrote:
>>> At Mon, 29 Nov 2010 11:23:03 -0500 CentOS mailing list centos@centos.org wrote:
>>>
>>>> I have successfully created a packaged version of openssh that has the LPK patch. LPK allows you to store your public keys in LDAP. However when I go to install the package I created it complains about dependencies:
>>>>
>>>> [r...@virtcent13:/home/bluethundr/rpm]#rpm -Uvh openssh-5.6p1-1.i386.rpm
>>>> error: Failed dependencies:
>>>>         openssh = 5.5p1-1.el5 is needed by (installed) openssh-clients-5.5p1-1.el5.i386
>>>>         openssh = 5.5p1-1.el5 is needed by (installed) openssh-server-5.5p1-1.el5.i386
>>>>
>>>> how can I get past this?
>>>
>>> Get the spec file from the stock openssh SRPM and use that as a guide to create a spec file for openssh-5.6p1 that will create the openssh-clients and openssh-server sub-packages and then re-build it again. Now you can upgrade the three packages openssh-5.6p1-1.i386.rpm, openssh-clients-5.6p1-1.i386.rpm and openssh-server-5.6p1-1.i386.rpm.
>>>
>>>> thanks!!
>>>
>>> --
>>> Robert Heller -- 978-544-6933 / hel...@deepsoft.com
>>> Deepwoods Software -- http://www.deepsoft.com/
>>> ()  ascii ribbon campaign -- against html e-mail
>>> /\  www.asciiribbon.org -- against proprietary attachments
>>
>> --
>> Here's my RSA Public key:
>> gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
>
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3

--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
Re: [CentOS] can't use godaddy SSL cert
request done: ld 0x8ead530 msgid 1
TLS certificate verification: Error, unable to get local issuer certificate
TLS: can't connect.
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Enter LDAP Password:
ldap_build_search_req ATTRS: supportedSASLMechanisms
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I am including the output of a -d -1 as an attachment for those that are still curious because the output of that command is quite long. :)

When I issue getent commands for passwd and group it hangs forever when it tries to access information from ldap:

[r...@vircent03:~]#getent passwd | grep ldapAccount
[r...@vircent03:~]#getent group | grep ldapAccount

However if I remove TLS from the equation with the -x flag everything starts working again:

[r...@vircent03:~]#ldapsearch -x -h ldap -b dc=summitnjhome,dc=com -D cn=Manager,dc=summitnjhome,dc=com -w localG30rg3T0wn (objectclass=sudoRole)
# extended LDIF
#
# LDAPv3
# base <dc=summitnjhome,dc=com> with scope subtree
# filter: (objectclass=sudoRole)
# requesting: ALL
#

# defaults, sudoers, Services, summitnjhome.com
dn: cn=defaults,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here

# %wheel, sudoers, Services, summitnjhome.com
dn: cn=%wheel,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoUser: %wheel
sudoUser: bluethundr

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

That's all I have for now. Sincere thanks to all those who have provided input. I'll keep pounding away at this and hopefully figure this out today.

Best regards!!!

On Thu, Nov 25, 2010 at 1:25 PM, cpol...@surewest.net wrote:
> bluethundr wrote:
>> I have setup the certificate chain in my slapd.conf like so:
>> TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
>
> I don't see where you say which directory these are stored in:
>
>> -rw-r--r--  1 root  bluethundr  2604 Nov 25 11:37 ca_bundle.crt
>> -r--r-      1 root  ldap        4604 Nov 24 18:57 gd_bundle.crt
>> -r--r-      1 root  ldap        1537 Nov 25 02:00 sf_issuing.crt
>>
>> [r...@lcent01:/tmp/Foswiki-1.1.2]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
>> 13730:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('sf_issuing.crt','r')
>
> It looks like the expected directory is not the one being used. Perhaps try using this invocation:
>
> openssl s_client -connect ldap.example.com:389 -showcerts -CAfile /path/to/sf_issuing.crt
>
> Best regards,
> --
> Charles Polisher

--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3

[r...@vircent03:~]#ldapsearch -h ldap -b dc=summitnjhome,dc=com -d -1 -Z -D cn=Manager,dc=summitnjhome,dc=com (objectclass=sudoRole) -W
ldap_create
ldap_url_parse_ext(ldap://ldap)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap:389
ldap_new_socket: 3
[CentOS] ssh-agent fails to hold values
Hello list

I am attempting to manage my key logins with ssh-agent. However EVERY time I try to ssh I have to go through the same exact routine and it's getting a little old...

[bluethu...@lcent01:~]#ssh sum3
Enter passphrase for key '/home/bluethundr/.ssh/id_rsa':
[bluethu...@lcent01:~]#exec ssh-agent bash
[bluethu...@lcent01:~]#ssh-add
Enter passphrase for /home/bluethundr/.ssh/id_rsa:
Identity added: /home/bluethundr/.ssh/id_rsa (/home/bluethundr/.ssh/id_rsa)
[bluethu...@lcent01:~]#ssh sum3
Last login: Sun Nov 28 14:32:34 2010 from localhost.localdomain
#                               #
#       SUMMITNJHOME.COM        #
#                               #
#   TITLE: LCENT03 BOX          #
#   LOCATION: SUMMIT BASEMENT   #
#                               #
[bluethu...@lcent03:~]#

Does anyone have any suggestions to make ssh-agent hold these values a bit more persistently?

thanks!!

--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
Re: [CentOS] ssh-agent fails to hold values
That DID it!!! thanks and I agree.. god? root? what's the difference!! :)

On Sun, Nov 28, 2010 at 4:41 PM, Ron Loftin relof...@twcny.rr.com wrote:
> On Sun, 2010-11-28 at 16:35 -0500, bluethundr wrote:
>> Hello list
>>
>> I am attempting to manage my key logins with ssh-agent. However EVERY time I try to ssh I have to go through the same exact routine and it's getting a little old...
>>
>> [bluethu...@lcent01:~]#ssh sum3
>> Enter passphrase for key '/home/bluethundr/.ssh/id_rsa':
>> [bluethu...@lcent01:~]#exec ssh-agent bash
>> [bluethu...@lcent01:~]#ssh-add
>> Enter passphrase for /home/bluethundr/.ssh/id_rsa:
>> Identity added: /home/bluethundr/.ssh/id_rsa (/home/bluethundr/.ssh/id_rsa)
>> [bluethu...@lcent01:~]#ssh sum3
>> Last login: Sun Nov 28 14:32:34 2010 from localhost.localdomain
>> #                               #
>> #       SUMMITNJHOME.COM        #
>> #                               #
>> #   TITLE: LCENT03 BOX          #
>> #   LOCATION: SUMMIT BASEMENT   #
>> #                               #
>> [bluethu...@lcent03:~]#
>>
>> Does anyone have any suggestions to make ssh-agent hold these values a bit more persistently?
>
> I'm not sure if this will help, but I use the keychain package from RPMForge, and it takes most of the pain out of dealing with SSH keys.
>
>> thanks!!
>
> --
> Ron Loftin relof...@twcny.rr.com
>
> God, root, what is difference ? Piter from UserFriendly

--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
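The behaviour Ron gets from keychain, reduced to its core, as an added example (this is not code from the thread, and not the keychain package itself): one ssh-agent per user is recorded in an environment file, every new shell reattaches to it if it still answers, and the passphrase is typed once per agent instead of once per login. The env file path and the function names are assumptions; source the file from ~/.bashrc.

```shell
#!/bin/sh
# Added example, not from the thread and not the keychain package: keep one
# ssh-agent per user alive across shells, so "exec ssh-agent bash; ssh-add"
# is not repeated for every terminal. AGENT_ENV (an assumed path) holds the
# SSH_AUTH_SOCK / SSH_AGENT_PID lines that ssh-agent -s prints.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# True when the agent named by SSH_AUTH_SOCK/SSH_AGENT_PID answers.
# "ssh-add -l" exits 2 only when no agent can be contacted (0: keys loaded,
# 1: agent reachable but empty), so any status other than 2 means "alive".
agent_alive() {
  [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
  rc=0
  ssh-add -l >/dev/null 2>&1 || rc=$?
  [ "$rc" -ne 2 ]
}

# Reuse a live agent if there is one, otherwise start one and record it.
start_or_reuse_agent() {
  # 1. This shell already points at a live agent: nothing to do.
  if agent_alive; then return 0; fi
  # 2. Pick up the agent a previous shell recorded, if it is still running.
  if [ -r "$AGENT_ENV" ]; then
    . "$AGENT_ENV" >/dev/null
    if agent_alive; then return 0; fi
  fi
  # 3. No usable agent: start a fresh one and save its environment with
  #    mode 0600 (the socket is per-user already; keep the file private too).
  mkdir -p "$(dirname "$AGENT_ENV")"
  ( umask 077 && ssh-agent -s > "$AGENT_ENV" )
  . "$AGENT_ENV" >/dev/null
  agent_alive
}

# Load the default key only when the agent is empty, so the passphrase
# prompt appears once per agent lifetime rather than on every ssh.
add_key_if_missing() {
  rc=0
  ssh-add -l >/dev/null 2>&1 || rc=$?
  [ "$rc" -ne 1 ] || ssh-add
}

# In ~/.bashrc (after sourcing this file):
#   start_or_reuse_agent && add_key_if_missing
```

Because the agent's environment lives in a file rather than in one shell's process, a second login, a new tmux pane or a cron-started script all find the same agent; killing the agent invalidates the file and the next shell starts a fresh one.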
[CentOS] can't use godaddy SSL cert
Hey list,

I was having a similar SSL/openLDAP problem to this last week. I had a chance to look at this again today and it still appears to not be working. I called godaddy and had the last cert cancelled and reissued as I had mis-typed the name of the CN on the last one.

I am trying to setup a Godaddy turbo SSL certificate with an openLDAP 2.4 server under FreeBSD 8.1. The clients are mainly a network of virtual CentOS 5.5 instances.

[r...@lbsd2:/usr/home/bluethundr]#pkg_info | grep openldap
openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation

I have setup the certificate chain in my slapd.conf like so:

[r...@lbsd2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt

I have tried each of the following certs with no luck in getting my cert to talk to its CA:

-rw-r--r--  1 root  bluethundr  2604 Nov 25 11:37 ca_bundle.crt
-r--r-      1 root  ldap        4604 Nov 24 18:57 gd_bundle.crt
-r--r-      1 root  ldap        1537 Nov 25 02:00 sf_issuing.crt

and I get the same result for each when I attempt to connect to SSL on the LDAP server:

[r...@lcent01:/tmp/Foswiki-1.1.2]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
13730:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('sf_issuing.crt','r')
13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
13730:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(00000003)
13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

ldapsearch -h ldap.example.com -d -1 -ZZ dc=example,dc=com
TLS certificate verification: depth: 0, err: 20, subject: /O=LBSD2.summitnjhome.com/OU=Domain Control Validated/CN=LBSD2.summitnjhome.com, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

It seems to indicate that it can't talk to its CA... does anyone have any suggestions on how to make this work?

thanks!

--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
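The two failures in this thread (and in the "LDAP clients fail to connect with SSL enabled" thread) are reproduced below with a throwaway CA hierarchy, as an added example that is not code from the list or from OpenLDAP: "fopen: No such file or directory" is the verifier never opening the CA file, and "err: 20, unable to get local issuer certificate" at depth 0 is the verifier opening a CA file that does not contain the server certificate's issuer (the intermediate that signed the host cert). All certificate names and files are constructed locally; the only real tool used is openssl.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the failure above with a
# throwaway CA hierarchy. "unable to get local issuer certificate" (err 20 at
# depth 0) means the trust file handed to the verifier does not let it reach
# the server certificate's *issuer*; a root-only file is not enough when the
# host cert was signed by an intermediate ("Go Daddy Secure Certification
# Authority" in the thread). All names and files below are constructed.
set -eu

WORK=$(mktemp -d)

# Extensions that make a certificate usable as a CA (root and intermediate).
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/ca.ext"

# root -> issuing (intermediate) -> server, like root CA -> sf_issuing -> host cert.
make_chain() (
  cd "$WORK"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root CA' \
      -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
      -extfile ca.ext -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Issuing CA' \
      -keyout issuing.key -out issuing.csr 2>/dev/null
  openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 2 -extfile ca.ext -out issuing.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=ldap.example.com' \
      -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
      -days 2 -out server.pem 2>/dev/null
  # What a usable CA bundle (TLSCACertificateFile / -CAfile) contains:
  # the issuing intermediate followed by the root.
  cat issuing.pem root.pem > bundle.pem
)

# verify_with CAFILE [extra openssl-verify options]
# Exit 0 when server.pem chains to CAFILE, non-zero otherwise; openssl prints
# the same diagnostic text that appears in the thread.
verify_with() {
  cafile=$1; shift
  ( cd "$WORK" && openssl verify -CAfile "$cafile" "$@" server.pem )
}

make_chain
echo '== root only: the issuing CA is missing, so this fails =='
verify_with root.pem || true
echo '== issuing CA + root in one bundle =='
verify_with bundle.pem
echo '== root trusted, intermediate supplied as untrusted chain material =='
verify_with root.pem -untrusted issuing.pem
```

Run with the CA files from the thread in place of bundle.pem to see which of them actually carries the issuer named in the err 20 line; a path that does not resolve from the current directory fails before any verification happens, which is the fopen error.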
[CentOS] LDAP clients fail to connect with SSL enabled
I am attempting to setup SSL/TLS support on my openLDAP 2.4 server on FreeBSD.

LBSD2# pkg_info | grep openldap
openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation

I put my cert file, key file and CA certfile in a directory called /usr/local/etc/openldap/cacerts

Here's how it looks:

[r...@lbsd2:/usr/local/etc/openldap/cacerts]#ls -l
total 48
dr--r- 2 root ldap 512 Nov 21 17:12 bak
-r--r- 1 root ldap 1960 Nov 21 07:05 bsd2.summitnjhome.com.crt
-r--r- 1 root ldap 4604 Nov 21 17:16 gd_bundle.crt
-r--r- 1 root ldap 4689 Nov 21 18:59 sf_bundle.crt
-r--r- 1 root ldap 1537 Nov 21 17:16 sf_issuing.crt
-r--r- 1 root ldap 1090 Nov 21 12:29 slapd.csr
-r--r- 1 root ldap 1743 Nov 21 12:26 slapd.key
-r--r- 1 root ldap 1675 Nov 21 17:25 slapd.pem

My cert file is a GoDaddy turbo-ssl certfile named bsd2.summitnjhome.com.crt. slapd.key is the key file and slapd.pem is the same thing only with the password removed.

I'm a little unsure of which CA file to use but I think that sf_issuing.crt _should_ work as this is the CA file that I used to setup a similar SSL enabled LDAP server for a client recently. Although I have tried all three CA files in this directory: (gd_bundle.crt, sf_bundle.crt, and sf_issuing.crt).

I put the various cert/key files into my slapd.conf file like this:

LBSD2# cat slapd.conf | grep -i tls
## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/cacerts/bsd2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt

Slapd restarts cleanly!

LBSD2# /usr/local/etc/rc.d/slapd restart
Stopping slapd.
Waiting for PIDS: 81924.
Starting slapd.
Then I attempt to setup a virtual instance of CentOS 5.5 on the client side and that's where things fall apart... I attempt to ssh to localhost as an LDAP account:

[r...@virtcent08:/etc/openldap/cacerts]#ssh bluethu...@localhost
[...tectonic plates drift, careers begin and end, babies learn to walk, talk and grow to adulthood..]
Connection closed by 127.0.0.1

[r...@virtcent08:/etc/openldap/cacerts]#getent passwd | grep ldapAccount
[same interminable wait as above]

This is what my /etc/ldap.conf file looks like on the client:

[r...@virtcent08:/etc/openldap/cacerts]#cat /etc/ldap.conf
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1

# The distinguished name of the search base.
base dc=summitnjhome,dc=com

# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com

# The port.
# Optional: default is 389.
#port 389

# Search timelimit
#timelimit 30
timelimit 120

# Bind/connect timelimit
#bind_timelimit 30
bind_timelimit 120

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 3600

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is no, for 2.1 and later is yes.
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is yes
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
uri ldap://ldap.summitnjhome.com/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password crypt

This is how my nsswitch on the client side is setup:

passwd: files ldap
shadow: files ldap
group: files ldap

And here is the cert dir on my CentOS client:

[r...@virtcent08:/etc/openldap/cacerts]#ls -l
total 72
lrwxrwxrwx 1 root root 13 Nov 21 09:44 97552d04.0 -> gd_bundle.crt
lrwxrwxrwx 1 root root 14 Nov 21 09:44 b737b221.0 -> sf_issuing.crt
dr--r--r-- 2 root root 4096 Nov 21 2010 bak
-r--r--r-- 1 root root 1960 Nov 21 07:05 bsd2.summitnjhome.com.crt
lrwxrwxrwx 1 root root 25 Nov 21 09:44 c75be861.0 -> bsd2.summitnjhome.com.crt
-r--r--r-- 1 root root 4604 Nov 21 2010 gd_bundle.crt
-r--r--r-- 1 root root 1537 Nov 21 2010
[CentOS] ssh prompting for password
hello list

I have a network mounted home directory shared between all hosts on my network:

[bluethu...@lcent03:~]#df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00 140G 4.4G 128G 4% /
/dev/sda1 99M 35M 60M 37% /boot
tmpfs 1.6G 0 1.6G 0% /dev/shm
nas.summitnjhome.com:/mnt/nas 903G 265G 566G 32% /mnt/nas
nas2.summitnjhome.com:/mnt/store 1.4T 187G 1.1T 15% /mnt/store
nas2.summitnjhome.com:/mnt/home 903G 47G 784G 6% /home
none 1.6G 136K 1.6G 1% /var/lib/xenstored

So therefore my RSA key should already be in my authorized_keys on any host. However logging into the virtual network, I always get prompted for a password. Just for the heck of it, I scp'd the key over again to one of the virtual hosts:

[bluethu...@lcent03:~]#scp .ssh/id_rsa.pub virt1:~
bluethu...@virt1's password:
id_rsa.pub 100% 381 0.4KB/s 00:00

ssh'd in:

[bluethu...@lcent03:~]#ssh virt1
bluethu...@virt1's password:
Last login: Tue Nov 16 15:57:24 2010 from 192.168.1.46

Searched for the key on the host I just ssh'd into:

[bluethu...@virtcent01:~]#grep -f id_rsa.pub .ssh/authorized_keys
ssh-rsa B3NzaC1yc2EBI-FAKE-DATA-dgjIWxnyplIYKE5IQw9FY2+IVsYw==

As you can see, it's already there..

I then checked the modes on authorized_keys:

[bluethu...@virtcent01:~]#ls -l .ssh/authorized_keys
-rw--- 1 1001 1002 1597 Nov 15 12:02 .ssh/authorized_keys

And checked that I was using the same shared network mounted home directory from the machine I just ssh'd in from:

[bluethu...@virtcent01:~]#df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00 9.1G 1.8G 6.9G 21% /
/dev/xvda1 99M 20M 75M 21% /boot
tmpfs 129M 0 129M 0% /dev/shm
nas.summitnjhome.com:/mnt/nas 903G 265G 566G 32% /mnt/nas
nas2.summitnjhome.com:/mnt/store 1.4T 187G 1.1T 15% /mnt/store
nas2.summitnjhome.com:/mnt/home 903G 47G 784G 6% /home
[bluethu...@virtcent01:~]#

Considering that this key is internal network only and doesn't have a passphrase set (it does not traverse internet boundaries) why on earth am I being prompted for a password whenever I ssh into this machine?

thanks!
--
Here's my RSA Public key: gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9
Share and enjoy!!
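A password prompt despite a matching authorized_keys entry is what sshd produces when StrictModes (the default) rejects the ownership or mode of the home directory, ~/.ssh or authorized_keys, for example when the numeric owner on an NFS home does not map to the login user. The script below is an added example, not from the post; it encodes those checks in a function you can point at a real home directory and demonstrates them on a constructed one. It assumes GNU stat; the function name check_ssh_perms is mine.

```shell
#!/bin/sh
# Added example, not from the post: the file-mode and ownership checks that
# sshd performs with StrictModes (the default) before it trusts a user's
# ~/.ssh/authorized_keys. When one fails, sshd silently skips the key and
# falls back to password authentication, which is the symptom described.
# Uses GNU stat. Real-world use: check_ssh_perms /home/alice alice
set -e

# perm_ok PATH MAXMODE: true if PATH's mode sets no bits outside MAXMODE
perm_ok() {
    mode=$(stat -c %a "$1")
    [ $(( 0$mode & ~0$2 & 0777 )) -eq 0 ]   # leading 0 = octal
}

# check_ssh_perms HOME USER: 0 if every requirement holds, else 1, and
# each offending item is printed. sshd accepts root as owner, too.
check_ssh_perms() {
    home=$1; user=$2; rc=0
    for item in "$home:755" "$home/.ssh:700" "$home/.ssh/authorized_keys:600"; do
        path=${item%:*}; max=${item#*:}
        if [ ! -e "$path" ]; then echo "missing: $path"; rc=1; continue; fi
        owner=$(stat -c %U "$path")
        case $owner in
            "$user"|root) ;;
            *) echo "owner $owner is not $user: $path (uid mismatch on NFS home?)"; rc=1 ;;
        esac
        perm_ok "$path" "$max" || { echo "mode $(stat -c %a "$path") exceeds $max: $path"; rc=1; }
    done
    return $rc
}

# Constructed demo: a correct throwaway home, then the same home made
# group-writable, which is one of the cases sshd rejects.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
mkdir -m 700 "$DEMO/.ssh"; touch "$DEMO/.ssh/authorized_keys"
chmod 755 "$DEMO"; chmod 600 "$DEMO/.ssh/authorized_keys"
check_ssh_perms "$DEMO" "$(id -un)" && echo "demo home: key would be accepted"
chmod g+w "$DEMO"
check_ssh_perms "$DEMO" "$(id -un)" || echo "demo home: key would be ignored"
```

On the server side the same rejection shows up in the sshd log (with LogLevel VERBOSE or higher as an "Authentication refused: bad ownership or modes" line), which is the place to confirm the diagnosis.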
[CentOS] can't find ldapsearch
hello list

I'm having a very strange problem with my centos 5.5 system. For some strange reason, this machine cannot find ldapsearch:

[r...@virtcent13 ~]# ldapsearch
ldapsearch: Command not found.
[r...@virtcent13 ~]# whereis ldapsearch
ldapsearch: /usr/bin/ldapsearch /usr/share/man/man1/ldapsearch.1.gz

ldapsearch currently lives at /usr/bin along with a lot of other really very useful tools. /usr/bin is also _clearly_ on my root path:

[r...@virtcent13 ~]# echo $PATH
/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin

And here are the permissions and modes for this tool:

[r...@virtcent13 bin]# ls -l ldapsearch
-rwxr-xr-x 1 root wheel 65336 Aug 11 09:20 ldapsearch

And other things in this directory (like yum for example) work just fine:

[r...@virtcent13 bin]# yum repolist
Loaded plugins: fastestmirror, priorities
Existing lock /var/run/yum.pid: another copy is running as pid 11750.
Another app is currently holding the yum lock; waiting for it to exit...
  The other application is: yum-updatesd-he
    Memory : 65 M RSS (107 MB VSZ)
    Started: Sat Nov 13 18:04:22 2010 - 00:57 ago
    State  : Running, pid: 11750

If you feed the command line the full path to ldapsearch it works as intended.

I was wondering if anyone had any idea why ldapsearch isn't being found?

thanks!
--
Here's my RSA Public key: gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9
Share and enjoy!!
[CentOS] pam_ldap login under centOS
Hello List

I am attempting to setup various pam modules to consult our new LDAP services in order to do what it needs to do. I have setup my /etc/pam.d sudo file (for example) this way in the attempt to accomplish this via LDAP:

[r...@vircent03:~]#cat /etc/pam.d/sudo
#%PAM-1.0
auth       include      system-auth
auth       required     pam_ldap.so
account    include      system-auth
account    required     pam_ldap.so
password   include      system-auth
password   required     pam_ldap.so
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    required     pam_ldap.so

but even though the user is part of the %wheel group under LDAP it is unable to sudo to any other account (including root). If I try to sudo this is what happens:

[bluethu...@vircent03:~]#sudo bash
[sudo] password for bluethundr:
bluethundr is not in the sudoers file. This incident will be reported.

It would appear that sudo support for ldap is compiled in:

[r...@vircent03:~]#ldd $(which sudo)| grep -i ldap
libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00552000)

This is how I setup my ldap.conf file

[r...@vircent03:~]#cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://ldap.acadaca.net/
BASE dc=acadaca,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net

In my openldap logs on the LDAP server there appears to be no activity when I sudo. However in the secure logs on the client I do..

Nov 8 16:05:34 VIRCENT03 su: pam_unix(su-l:session): session opened for user root by bluethundr(uid=500)
Nov 8 16:05:37 VIRCENT03 su: pam_unix(su-l:session): session opened for user bluethundr by bluethundr(uid=0)
Nov 8 16:05:44 VIRCENT03 sudo: bluethundr : user NOT in sudoers ; TTY=pts/5 ; PWD=/home/bluethundr ; USER=root ; COMMAND=/bin/bash

I do see other events in secure.log that appear to be pam successes however. Am I interpreting this correctly that at least part of the system is communicating with pam on the ldap server?

thanks
--
Here's my RSA Public key: gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9
Share and enjoy!!
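The "user NOT in sudoers" line is logged by sudo's own authorisation lookup, which runs after PAM has already accepted the password; the PAM stack in /etc/pam.d/sudo has no part in deciding who is in sudoers. sudo's LDAP sudoers backend is enabled by a "sudoers:" entry in /etc/nsswitch.conf and configured (uri, sudoers_base) in sudo's own LDAP config file, which by default is /etc/ldap.conf rather than /etc/openldap/ldap.conf (see sudoers.ldap(5)). The script below is an added example, not from the post: it checks those two prerequisites on constructed sample files that mirror the configuration shown and then on corrected copies. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the post. sudo's LDAP sudoers backend is separate
# from PAM: pam_ldap only proves who you are, while "user NOT in sudoers" is
# sudo's authorisation lookup failing. That lookup needs a "sudoers:" line
# in nsswitch.conf and uri + sudoers_base in sudo's LDAP config file
# (/etc/ldap.conf by default, per sudoers.ldap(5)). Sample files below are
# constructed. Real-world use: sudo_ldap_ready /etc/nsswitch.conf /etc/ldap.conf
set -e

# nss_has_ldap_sudoers NSSWITCH: 0 if the sudoers: line lists ldap as a source
nss_has_ldap_sudoers() {
    awk -F: 'tolower($1) ~ /^[ \t]*sudoers$/ { n = split($2, f, " ")
                 for (i = 1; i <= n; i++) if (f[i] == "ldap") ok = 1 }
             END { exit !ok }' "$1"
}

# ldapconf_key FILE KEY: value of KEY (keys are case-insensitive; first match)
ldapconf_key() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# sudo_ldap_ready NSSWITCH LDAPCONF: 0 when every prerequisite is present,
# otherwise 1 with each missing piece printed
sudo_ldap_ready() {
    rc=0
    nss_has_ldap_sudoers "$1" || { echo "no 'sudoers: ldap' line in $1"; rc=1; }
    for key in uri sudoers_base; do
        [ -n "$(ldapconf_key "$2" "$key")" ] || { echo "no $key in $2"; rc=1; }
    done
    return $rc
}

# Constructed demo mirroring the post: nsswitch.conf without a sudoers line,
# and sudoers_base absent from the file sudo reads
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
printf 'passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n' > "$D/nsswitch.conf"
printf 'uri ldap://ldap.example.test/\nbase dc=example,dc=test\n' > "$D/ldap.conf"
sudo_ldap_ready "$D/nsswitch.conf" "$D/ldap.conf" || echo "-> sudo never queries LDAP"
# corrected copies
printf 'sudoers: ldap files\n' >> "$D/nsswitch.conf"
printf 'sudoers_base ou=sudoers,dc=example,dc=test\n' >> "$D/ldap.conf"
sudo_ldap_ready "$D/nsswitch.conf" "$D/ldap.conf" && echo "-> sudo will query LDAP"
```

Once both checks pass, sudo -l run as the LDAP user is the quickest confirmation, and the slapd log on the server should then show the sudoers_base search that the post says is missing.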