Showing posts with label linux. Show all posts

Thursday, September 17, 2009

OpenSSH and SSH.COM Key generation - Some Concerns...

Where I work some people use a very old commercial SSH client. It's from circa 2002 and it's really not that great. So we're switching to key-based auth, and this brings some problems about. Some of my users will be using this antiquated client, which generates some ugly keys. I'd prefer everything be OpenSSH based. So, I found some information about this on someone's blog, and I decided I would share it here on my blog, and leave it here for my reference as well as yours! Happy converting.
--

Connecting two servers running different types of SSH can be a nightmare if you do not know how to convert the key. In this tutorial, I will try to explain how to convert the public key from OpenSSH to SSH2 and from SSH2 to OpenSSH. The conversion must be done on the OpenSSH server.
Convert OpenSSH key to SSH2 key
  • Run the OpenSSH version of ssh-keygen on your OpenSSH public key to convert it into the format needed by SSH2 on the remote machine. This must be done on the system running OpenSSH.
    #ssh-keygen -e -f ~/.ssh/id_dsa.pub > ~/.ssh/id_dsa_ssh2.pub
Convert SSH2 key to OpenSSH key
  • Run the OpenSSH version of ssh-keygen on your ssh2 public key to convert it into the format needed by OpenSSH. This needs to be done on the system running OpenSSH.
    #ssh-keygen -i -f ~/.ssh/id_dsa_1024_a.pub > ~/.ssh/id_dsa_1024_a_openssh.pub
Steps involved to produce and convert the keys.
OpenSSH
To generate an OpenSSH sshv2 key
$ ssh-keygen -t dsa -f newkey
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in newkey.
Your public key has been saved in newkey.pub.
The key fingerprint is:
c6:db:3a:ff:4c:79:a7:d8:cb:be:82:e8:9d:db:8c:e9 brad@eta
To export to ssh.com
$ ssh-keygen -e -f newkey.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit DSA, converted from OpenSSH by brad@eta"
---- END SSH2 PUBLIC KEY ----
SSH
To generate a key:
$ ssh-keygen
Generating 2048-bit dsa key pair
1 oOo.oO
Key generated.
2048-bit dsa, marshalb@obelix.cqu.edu.au, Tue Jul 15 2003 13:53:34 +1000
Passphrase :
Again      :
Private key saved to /usr/users/staff/m/marshalb/.ssh2/id_dsa_2048_b
Public key saved to /usr/users/staff/m/marshalb/.ssh2/id_dsa_2048_b.pub
To convert from ssh.com to OpenSSH (using OpenSSH ssh-keygen):
$ ssh-keygen -i -f id_dsa_2048_b.pub
ssh-dss AAAAB3NzaC1kc3MAAAEBAKueha6mfr5OUcscc88lmQUBBgYSZ08htHFaYzke2N
5WG6ql1NgwQsyY2mMRxvvGckBeInx2GvRlz1+izDs5p4UGhkMzG8qOoT2y2vLwTFQyxi4I
XET1e0E8VYC0dcLfs5Zg6RxEY7GA5FiydS6dceuPnLJgCYDfyb9Qbk4rVEvREODo8dV/KR
lZxecEgaeKOO7ZnEzaIVPRCVb6U6EaRtZvxKfGnNFI957AfZ+Hqevz1IeQNDCp00EmaNli
8Ow4rjOPlH7o818r35Ea8mMoV0hkirNQ25zf/Z1LvCS3649537YDi/SVmMMpGCvT93w/TR
vk5RKlwVVy+TH52C8/MKEAAAAVAOuDCV61LvfKz0bd8hYEJ/gGof9XAAABAQCFRhlpWtVO
hTxcWcrnZp9EbbVRZO16St5TPjL86khb7b/VjScOAgt0tslHwtEEQzImv1xRkk6ZQ1o9pv
Azb1fMZrZMGIy9zUXvL0v6LNXxCxN9YIjx14OXYfH8EIQDZJGRJoxHvEvUVjv3lHnTuxbd
Krcbagvakxvgjq1wVyEueilO+g+WhJm+Q+XIYRl0TK9qtsAVFmzxBxT5USZFJ+1kbG7ipp
fFSGWRd3KPUCVQ8iGO3IMjtIlfcuGOArbKB06kMlxsdjNjhcEIHtR0jpaEeB2X+HrVScQE
oXG4S8YkiIExlIvjhrVr571BTOuO9H5VHt4CtKUxeXxKZWslulYwAAABAHm3zlMsXxPL/H
Oq29qf7Lk90b7El+j19E2UkyssfSu6+/k4bFf6ax2n3yEn31S5bUdNvgqmlEjdERc4SkU6
5b5LW2ZI1v7kRoegG+bD2Q21N9Rv/lwS7CTprenKiMMRJ8TU7FMIVT3zEZkV+etC7cbaN+
09GoiFTt+h7IDmo7onlo64oSMrcc+xt++ZUzENTVBgDoS92jlpnELkyJqZgb1/fdEPT6wR
j132yBxWLqDGmbp9msmY1us+XNDY8isF80u9yTTXGTskOtCSaeavDDtPOKN5ZR20sHpIBg
t6zd6mm/zKD6OZo14BLSJr7ldwSRzNNYMtkLnNyFSYxAIrm9Y=
You can then use the output in authorized_keys file on an openssh box.
OpenSSH v2 -> SSH v2
On the OpenSSH box, create a DSA key via the following:
$ ssh-keygen -t dsa
Export the key into ssh.com v2 format:
$ ssh-keygen -e -f ~/.ssh/id_dsa.pub > newPubKey
Copy the converted ssh key to the ssh.com server
$ scp newPubKey server:.ssh2/id_dsa.pub
On the server, tell the ssh.com server that the public key is allowed:
$ echo "Key id_dsa.pub" >> ~/.ssh2/authorization
SSH v2 -> OpenSSH v2
On the ssh.com box, generate a DSA key:
$ ssh-keygen
Copy the generated key to the openssh box:
$ scp ~/.ssh2/id_dsa_1024_a.pub server:.ssh
Convert the public key to openssh format and append to authorized_keys:
$ ssh-keygen -i -f id_dsa_1024_a.pub >> ~/.ssh/authorized_keys
On the ssh.com box setup the private key:
$ echo "IdKey id_dsa_1024_a" >> ~/.ssh2/identification
SSH v2 -> SSH v2
On the ssh.com client, generate a DSA key:
$ ssh-keygen
Copy the generated key to the server:
$ scp ~/.ssh2/id_dsa_1024_a.pub server:.ssh2
On the server, tell the ssh.com server that the public key is allowed:
$ echo "Key id_dsa_1024_a.pub" >> ~/.ssh2/authorization
On the ssh.com client setup the private key:
$ echo "IdKey id_dsa_1024_a" >> ~/.ssh2/identification
OpenSSH v2 -> OpenSSH v2
On the OpenSSH box, create a DSA key via the following:
$ ssh-keygen -t dsa
Copy the ssh key to the server
$ scp ~/.ssh/id_dsa.pub server:.ssh/id_dsa.pub
Add the key to the authorized_keys file on the server
$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
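To see what the two ssh-keygen flags used above (-e and -i) actually do to the key material, here is an added Python example; it is not from the original post and not OpenSSH's code. It converts between the RFC 4716 SSH2 public-key file format (the "---- BEGIN SSH2 PUBLIC KEY ----" block) and the one-line OpenSSH format, checks that the base64 blob is well framed, and computes the colon-separated MD5 fingerprint that the ssh-keygen output above prints. Unlike ssh-keygen -i, which drops the comment (as the converted output above shows), this version keeps the Comment header as the OpenSSH comment. The ssh-dss blob is a constructed placeholder with dummy mpints, not a real key, and brad@eta is only reused as a comment string.

```python
import base64
import hashlib
import struct

# RFC 4716 framing lines, exactly as ssh-keygen -e prints them.
BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format."""
    return struct.pack(">I", len(data)) + data


def split_key_blob(blob: bytes) -> list:
    """Split a public key blob into its length-prefixed fields; the first
    field is the key type ("ssh-dss", "ssh-rsa", ...). Rejects truncated blobs."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("field runs past the end of the blob")
        fields.append(blob[off:off + n])
        off += n
    if not fields:
        raise ValueError("empty key blob")
    return fields


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the form shown by ssh-keygen above."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def rfc4716_to_openssh(text: str) -> str:
    """SSH2 public key file -> one OpenSSH authorized_keys line (like ssh-keygen -i,
    except that the Comment header is kept as the OpenSSH comment)."""
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    if not lines or lines[0] != BEGIN:
        raise ValueError("missing RFC 4716 BEGIN marker")
    headers, body, i = {}, [], 1
    while i < len(lines) and lines[i] != END:
        line = lines[i]
        # Header lines contain ':' (base64 never does) and may continue on the
        # next line when they end with a backslash.
        if ":" in line and not body:
            while line.endswith("\\") and i + 1 < len(lines):
                i += 1
                line = line[:-1] + lines[i]
            tag, value = line.split(":", 1)
            headers[tag.strip().lower()] = value.strip().strip('"')
        else:
            body.append(line.strip())
        i += 1
    if i >= len(lines):
        raise ValueError("missing RFC 4716 END marker")
    blob = base64.b64decode("".join(body), validate=True)
    keytype = split_key_blob(blob)[0].decode("ascii")
    b64 = base64.b64encode(blob).decode("ascii")
    comment = headers.get("comment", "")
    return " ".join(part for part in (keytype, b64, comment) if part)


def openssh_to_rfc4716(line: str) -> str:
    """One OpenSSH public key line -> SSH2 public key file text (like ssh-keygen -e)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if split_key_blob(blob)[0].decode("ascii") != keytype:
        raise ValueError("key type word does not match the blob contents")
    out = [BEGIN]
    if comment:
        out.append('Comment: "%s"' % comment)
    encoded = base64.b64encode(blob).decode("ascii")
    out.extend(encoded[i:i + 70] for i in range(0, len(encoded), 70))  # RFC 4716: at most 72 columns
    out.append(END)
    return "\n".join(out) + "\n"


def sample_dss_blob() -> bytes:
    """Constructed stand-in for an ssh-dss blob: the type word followed by four
    placeholder mpints. It is NOT a real key; only the framing matters here."""
    return b"".join(ssh_string(f) for f in (b"ssh-dss", b"\x00\xa1", b"\x00\xb2", b"\x00\xc3", b"\x00\xd4"))


# Constructed sample line in OpenSSH format; brad@eta is just the comment from the post.
SAMPLE_OPENSSH_LINE = "ssh-dss " + base64.b64encode(sample_dss_blob()).decode("ascii") + " brad@eta"


if __name__ == "__main__":
    ssh2_text = openssh_to_rfc4716(SAMPLE_OPENSSH_LINE)
    print(ssh2_text)
    print(rfc4716_to_openssh(ssh2_text))
    print("fingerprint:", md5_fingerprint(sample_dss_blob()))
```

Both directions re-encode the decoded blob rather than copying the base64 text, so a key whose body was mangled in transit (a stray character, a truncated last line) fails with an error instead of landing in authorized_keys or authorization as garbage; comparing the fingerprint printed on both machines is still the check to do before trusting a converted key.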

Monday, September 14, 2009

Oracle on Linux needs access to /proc? Only for Enterprise Manager?

So, on some of our systems Oracle runs as the oracle user, and the /proc filesystem is off limits to standard user accounts. This hasn't affected much... however, I came across the error:
Error retrieving information from EMD. Exception: oracle.sysman.emSDK.emd.comm.MetricGetException: Could not open /proc/partitions

today... Hrm. Wonder what that's hurting... Probably nothing, as everything seems to be running properly.

In addition... uname must be unrestricted in order for Oracle Wallet Manager (owm) to function. Probably lots of other Java stuff too.

Linux, sudo, and environment variables

Our DBA came to me and said he was having some problems with sudo. A little background: we recently upgraded our test systems to the latest version of Red Hat Enterprise Linux. We have a pretty complicated setup with Oracle and Fujitsu NetCOBOL and a lot of customizations for our site. My latest round of updates to the systems prompted me to enact a new baseline security policy. One of the features of this new baseline policy is that it requires us to go to a new procedure for issuing superuser commands... We used to just su, as that's how it had always been done here on HP-UX and other UNIX operating systems. With little separation of duty due to such a small staff, the DBA and others have all frequently pitched in to help with administration tasks.

Anyway, enforcing sudo provides a lot of benefit, even if it does mean we have to change the way we're doing some things. Our system relies a lot upon environment variables being carried over from one environment to the other, and some of our system users and the tasks they perform depend largely upon those envars. So, it came to pass that there is a directive in the sudoers file that allows (or, by default, disallows) environment variables passing through with sudo execution. This is "Defaults env_reset"; changing it to "Defaults !env_reset" says ! = NO! Don't reset the envars when using sudo!

This solved our issue, and the DBA was able to complete the upgrades.
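Turning env_reset off hands the caller's whole environment to every command run through sudo, which is broader than the Oracle variables the DBA actually needed; sudo's env_keep list passes just the named variables while env_reset stays on. The following is an added Python example, not from the post and not sudo's own code, that reads the Defaults lines of a sudoers file the way sudo resolves them (last unqualified setting wins) and reports environment handling a reviewer would flag: env_reset disabled, setenv enabled, or loader/shell variables such as LD_LIBRARY_PATH kept. The sudoers snippets, the %dba rule and the /opt/site/bin/dbupgrade.sh path are constructed samples.

```python
import re

# Variables that control which code a process loads or how a shell parses input.
# sudo's env_reset exists to strip exactly these; keeping them hands the caller
# control over what runs as the target user.
RISKY_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "PATH", "PYTHONPATH", "PERL5LIB",
             "IFS", "BASH_ENV", "ENV", "SHELLOPTS"}

ENV_KEEP_RE = re.compile(r'^env_keep\s*(\+=|-=|=)\s*(.*)$')


def parse_defaults(sudoers_text: str):
    """Walk the unqualified Defaults lines in order (later lines override earlier
    ones) and return (env_reset, env_keep, setenv) as sudo would end up with them."""
    env_reset = True          # sudo's compiled-in default
    setenv = False
    env_keep = set()
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("Defaults"):
            continue
        rest = line[len("Defaults"):]
        # Defaults:user, Defaults@host, Defaults!cmd and Defaults>runas are scoped
        # forms; "Defaults !env_reset" (with a space) is NOT one of them.
        if rest[:1] in (":", "@", "!", ">"):
            continue
        for item in (x.strip() for x in rest.split(",")):
            if item == "env_reset":
                env_reset = True
            elif item == "!env_reset":
                env_reset = False
            elif item == "setenv":
                setenv = True
            elif item == "!setenv":
                setenv = False
            else:
                m = ENV_KEEP_RE.match(item)
                if m:
                    op, value = m.group(1), m.group(2).strip().strip('"')
                    names = set(value.split())
                    if op == "=":
                        env_keep = names
                    elif op == "+=":
                        env_keep |= names
                    else:
                        env_keep -= names
    return env_reset, env_keep, setenv


def audit_sudoers(sudoers_text: str) -> list:
    """Return human-readable findings about environment handling."""
    env_reset, env_keep, setenv = parse_defaults(sudoers_text)
    findings = []
    if not env_reset:
        findings.append("env_reset is disabled: every variable of the caller reaches the privileged command")
    if setenv:
        findings.append("setenv is on: callers may inject arbitrary variables with VAR=value or -E")
    for var in sorted(env_keep & RISKY_ENV):
        findings.append(f"env_keep retains {var}, which can change what code a privileged command loads")
    return findings


# Constructed sample: the quick fix described in the post.
WEAK_SUDOERS = """\
Defaults env_reset
Defaults !env_reset      # let the DBA's Oracle environment through
%dba ALL=(oracle) /opt/site/bin/dbupgrade.sh
"""

# Constructed sample: same intent, but only the named Oracle variables survive.
HARDENED_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "ORACLE_HOME ORACLE_BASE ORACLE_SID TNS_ADMIN"
%dba ALL=(oracle) /opt/site/bin/dbupgrade.sh
"""

# Constructed sample: env_reset kept, but a loader variable whitelisted.
RISKY_KEEP_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "ORACLE_HOME LD_LIBRARY_PATH"
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS), ("risky", RISKY_KEEP_SUDOERS)):
        print(name, audit_sudoers(text) or ["no findings"])
```

The parser deliberately skips scoped Defaults (Defaults:user, Defaults@host, Defaults!command) rather than merging them, so that a finding always points at a setting that applies to every sudo invocation on the box; `sudo -l` on the host remains the authoritative view of what a given user actually gets.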

Friday, September 4, 2009

unix security problems

so, you're in a meeting and you get asked to provide an account to a group that's not in your department. when you tell your friends, they tell you to tell the people you work with, "if you're so good at security, make your own account"

that wouldn't go over well.

Thursday, September 3, 2009

session recording with 'script' in linux/unix hosts.

Don't forget you can use the 'script' command ('script output.log') to record a typescript of everything typed and printed in the session.
You can use this as a reference to see what you've done in the session (such as when you want to record all file permission changes you make in a session).

Wednesday, August 26, 2009

Enable Oracle Application Server to run on port <1024 on HPUX

Below are the instructions, probably a little too detailed, on how to enable Oracle to start httpd as root and then fork to the user specified in httpd.conf (EM -> Advanced Properties -> httpd.conf). For most people, since Oracle App Server is just a modified Apache, Task 1 is the only thing you really have to do. You can then add the port in EM, and add the vhost directive in either ssl.conf or whatever file you're sourcing vhosts from.
--
Task 1: Enable Oracle HTTP Server to Run as Root for Ports Set to Less Than 1024 (Unix Only)
If you are on a UNIX system and you are changing the Listen port to a number less than 1024, perform these steps before you change the Oracle HTTP Server Listen port.
By default, Oracle HTTP Server runs as a non-root user (the user that installed Oracle Application Server). On UNIX systems, if you change the Oracle HTTP Server Listen port number to a value less than 1024, you must enable Oracle HTTP Server to run as root, as follows:
  1. Log in as root.
  2. Run the following commands in the middle-tier Oracle home:


    cd ORACLE_HOME/Apache/Apache/bin
    chown root .apachectl
    chmod 6750 .apachectl

Task 2: Use the portconfig Command to Change the Oracle HTTP Server Listen Ports
Use the following procedure to change the Oracle HTTP Server HTTP or HTTPS listen port:
  1. Set the ORACLE_HOME environment variable to the home directory of the Oracle Application Server instance where the Oracle HTTP Server resides.
    For example:


    (UNIX) setenv ORACLE_HOME /dev0/private/oracle/appserv1/ 

  2. On UNIX systems, set the LD_LIBRARY_PATH, LD_LIBRARY_PATH_64, LIB_PATH, or SHLIB_PATH environment variables to the proper values. The actual environment variables and values that you must set depend on the type of your UNIX operating system.

  3. Create an alias (on UNIX systems) to represent the portconfig command.
    For example, to execute the command as an alias on UNIX systems, enter the following command:


    alias portconfig '$ORACLE_HOME/jdk/bin/java -cp 
    $ORACLE_HOME/sysman/webapps/emd/WEB-INF/lib/emd.jar:
    $ORACLE_HOME/dcm/lib/dcm.jar:
    $ORACLE_HOME/sso/lib/ossoreg.jar
    oracle.sysman.ias.sta.tools.PortConfigCmdLine \!*'

  4. Use the newly created portconfig command as follows:


    portconfig -oracleHome ORACLE_HOME 
    -oldPort old_port
    -newPort new_port
    [-sso -url http://sso_host:port -user http_server_admin_user
    [-site name_of_sso_partner_application]
    [-admin mod_osso_admin_user]
    [-vHost path_to_mod_osso_configuration_file]]
    [-webCache] [-debug]
    {-start | -restart}

    For example, on UNIX systems:


    portconfig -oracleHome $ORACLE_HOME -oldPort 7777 -newPort 7778 -webCache

Changing VSWIF IP in VMWare ESX

Pretty nice post on esxcfg commands...

Esxcfg command help
Esxcfg-firewall
Description: Configures the service console firewall ports
Syntax: esxcfg-firewall

Options:
-q Lists current settings
-q <service> Lists settings for the specified service
-q incoming|outgoing Lists settings for non-required incoming/outgoing ports
-s Lists known services
-l Loads current settings
-r Resets all options to defaults
-e <service> Allows the specified service through the firewall (enables)
-d <service> Blocks the specified service (disables)
-o <port,proto,direction,name> Opens a port
-c Closes a port previously opened by -o
-h Displays command help
-allowincoming Allow all incoming ports
-allowoutgoing Allow all outgoing ports
-blockincoming Block all non-required incoming ports (default value)
-blockoutgoing Block all non-required outgoing ports (default value)

Default Services:

AAMClient Added by the vpxa RPM: Traffic between ESX Server hosts for VMware High Availability (HA) and EMC Autostart Manager – inbound and outbound TCP and UDP Ports 2050 – 5000 and 8042 – 8045
activeDirectorKerberos Active Directory Kerberos - outbound TCP Ports 88 and 464
CIMHttpServer First-party optional service: CIM HTTP Server - inbound TCP Port 5988
CIMHttpsServer First-party optional service: CIM HTTPS Server - inbound TCP Port 5989
CIMSLP First-party optional service: CIM SLP - inbound and outbound TCP and UDP Ports 427
commvaultDynamic Backup agent: Commvault dynamic – inbound and outbound TCP Ports 8600 – 8619
commvaultStatic Backup agent: Commvault static – inbound and outbound TCP Ports 8400 – 8403
ftpClient FTP client - outbound TCP Port 21
ftpServer FTP server - inbound TCP Port 21
kerberos Kerberos - outbound TCP Ports 88 and 749
LicenseClient FlexLM license server client - outbound TCP Ports 27000 and 27010
nfsClient NFS client - outbound TCP and UDP Ports 111 and 2049 (0 – 65535)
nisClient NIS client - outbound TCP and UDP Ports 111 (0 – 65535)
ntpClient NTP client - outbound UDP Port 123
smbClient SMB client - outbound TCP Ports 137 – 139 and 445
snmpd SNMP services - inbound TCP Port 161 and outbound TCP Port 162
sshClient SSH client - outbound TCP Port 22
sshServer SSH server - inbound TCP Port 22
swISCSIClient First-party optional service: Software iSCSI client - outbound TCP Port 3260
telnetClient Telnet client - outbound TCP Port 23
TSM Backup agent: IBM Tivoli Storage Manager – inbound and outbound TCP Ports 1500
veritasBackupExec Backup agent: Veritas BackupExec – inbound TCP Ports 10000 – 10200
veritasNetBackup Backup agent: Veritas NetBackup – inbound TCP Ports 13720, 13732, 13734, and 13783
vncServer VNC server - Allow VNC sessions 0-64: inbound TCP Ports 5900 – 5964
vpxHeartbeats vpx heartbeats - outbound UDP Port 902

Note: You can configure your own services in the file /etc/vmware/firewall/services.xml

esxcfg-firewall examples:
Enable ssh client connections from the Service Console:
# esxcfg-firewall -e sshClient
Disable the Samba client connections:
# esxcfg-firewall -d smbClient
Allow syslog outgoing traffic:
# esxcfg-firewall -o 514,udp,out,syslog
Turn off the firewall:
# esxcfg-firewall -allowIncoming
# esxcfg-firewall -allowOutgoing
Re-enable the firewall:
# esxcfg-firewall -blockIncoming
# esxcfg-firewall -blockOutgoing


Esxcfg-nics
Description: Prints a list of physical network adapters along with information on the driver, PCI device, and link state of each NIC. You can also use this command to control a physical network adapter’s speed and duplexing.
Syntax: esxcfg-nics [nic]

Options:

-s Set the speed of this NIC to one of 10/100/1000/10000. Requires a NIC parameter.
-d Set the duplex of this NIC to one of 'full' or 'half'. Requires a NIC parameter.
-a Set speed and duplex automatically. Requires a NIC parameter.
-l Print the list of NICs and their settings.
-r Restore the NICs configured speed/duplex settings. (Internal use only)
-h Displays command help

esxcfg-nics examples:
Set the speed and duplex of a NIC (vmnic2) to 100/Full:
esxcfg-nics -s 100 -d full vmnic2
Set the speed and duplex of a NIC (vmnic2) to auto-negotiate:
esxcfg-nics -a vmnic2


Esxcfg-vswitch
Description: Creates and updates virtual machine (vswitch) network settings
Syntax: esxcfg-vswitch [vswitch[:ports]]

Options:

-a Add a new virtual switch.
-d Delete the virtual switch.
-l List all the virtual switches.
-L Set pnic as an uplink for the vswitch.
-U Remove pnic from the uplinks for the vswitch.
-p Specify a portgroup for operation. Use ALL for operation to work on all portgroups
-v Set VLAN ID for portgroup specified by -p. 0 would disable the VLAN.
-c Check to see if a virtual switch exists. Program outputs a 1 if it exists, 0 otherwise.
-A Add a new portgroup to the virtual switch.
-D Delete the portgroup from the virtual switch.
-C Check to see if a portgroup exists. Program outputs a 1 if it exists, 0 otherwise.
-r Restore all virtual switches from the configuration file (Internal use only)
-h Displays command help


esxcfg-vswitch examples:

Add a pnic (vmnic2) to a vswitch (vswitch1):
esxcfg-vswitch -L vmnic2 vswitch1
Remove a pnic (vmnic3) from a vswitch (vswitch0):
esxcfg-vswitch -U vmnic3 vswitch0
Create a portgroup (VM Network3) on a vswitch (vswitch1):
esxcfg-vswitch -A "VM Network 3" vSwitch1
Assign a VLAN ID (3) to a portgroup (VM Network 3) on a vswitch (vswitch1):
esxcfg-vswitch -v 3 -p "VM Network 3" vSwitch1


Esxcfg-vswif
Description: Creates and updates service console network settings. This command is used if you cannot manage the ESX Server host through the VI Client because of network configuration issues.
Syntax: esxcfg-vswif [vswif]

Options:

-a Add vswif, requires IP parameters. Automatically enables interface.
-d Delete vswif.
-l List configured vswifs.
-e Enable this vswif interface.
-s Disable this vswif interface.
-p Set the portgroup name of the vswif.
-i or DHCP The IP address for this vswif or specify DHCP to use DHCP for this address.
-n The IP netmask for this vswif.
-b The IP broadcast address for this vswif. (not required if netmask and ip are set)
-c Check to see if a virtual NIC exists. Program outputs a 1 if the given vswif exists, 0 otherwise.
-D Disable all vswif interfaces. (WARNING: This may result in a loss of network connectivity to the Service Console)
-E Enable all vswif interfaces and bring them up.
-r Restore all vswifs from the configuration file. (Internal use only)
-h Displays command help.

Note: You can set the Service Console default gateway by editing the /etc/sysconfig/network file or through the VI Client under Configuration, DNS & Routing.

esxcfg-vswif examples:
Change your Service Console (vswif0) IP and Subnet Mask:
esxcfg-vswif -i 172.20.20.5 -n 255.255.255.0 vswif0
Add a Service Console (vswif0):
esxcfg-vswif -a vswif0 -p "Service Console" -i 172.20.20.40 -n 255.255.255.0


Esxcfg-route
Description: Sets or retrieves the default VMkernel gateway route
Syntax: esxcfg-route [ [] ]
can be specified in 2 ways: as a single argument in / format or as a pair.
is either an IP address or 'default'

Options:

-a Add route to the VMkernel, requires network address (or 'default') and gateway IP address.
-d Delete route from the VMkernel, requires network address (or 'default').
-l List configured routes for the Service Console.
-r Restore route setting to configured values on system start. (Internal use only)
-h Displays command help

esxcfg-route examples:

Set the VMkernel default gateway route:
esxcfg-route 172.20.20.1
Add a route to the VMkernel:
esxcfg-route -a default 255.255.255.0 172.20.20.1


Esxcfg-vmknic
Description: Creates and updates VMkernel TCP/IP settings for VMotion, NAS, and iSCSI
Syntax: esxcfg-vmknic [[portgroup]]

Options:


-a Add a VMkernel NIC to the system, requires IP parameters and portgroup name.
-d Delete VMkernel NIC on given portgroup.
-e Enable the given NIC if disabled.
-D Disable the given NIC if enabled.
-l List VMkernel NICs.
-i The IP address for this VMkernel NIC. Setting an IP address requires that the -n option be given in same command.
-n The IP netmask for this VMkernel NIC. Setting the IP netmask requires that the -i option be given in the same command.
-r Restore VMkernel TCP/IP interfaces from configuration file. (Internal use only)
-h Displays command help

esxcfg-vmknic examples:
Add a VMkernel NIC and set the IP and subnet mask:
esxcfg-vmknic -a "VM Kernel" -i 172.20.20.19 -n 255.255.255.0

Serial Console on VMWare ESX

I primarily use HP iLOs on our DL360s. I never get the iLO Advanced Pack. It's expensive, and I use UNIX, so for my BSD and Linux machines I just use serial consoles... It beats buying the license... and I don't need the graphical stuff... That's what X servers are for.

Compiled this from a defunct wiki from some edu, but it's pretty much common sense. Just wanted to document it for those who care ;)

For an ESX Server:
This is about making a serial port the console of the ESX server. Running an IP KVM for ESX servers seems a really expensive thing to do when all it needs is a shell.

This is a method I use for RHEL/CentOS. I had to modify it slightly for VMware ESX:
Edit /boot/grub/grub.conf
Add the following lines after "timeout=3" line

serial --unit=0 --speed=9600 --word=8 --parity=no --stop=1
terminal --timeout=8 serial console

* The first line tells GRUB to use the first serial port at a baud rate of 9600.
* The second line gives the user 8 seconds to decide where GRUB should output its information.
* Please adjust the port number and speed as per your setup.

Append the kernel entry in /boot/grub/grub.conf to add serial console:


kernel /vmlinuz ro root=UUID=675026ae-e3ee-4340-8614-9173f59d5bfb mem=300M quiet console=ttyS0,9600

Edit /etc/inittab to add a new line for agetty. I placed this after the mingetty entries:

s0:2345:respawn:/sbin/agetty -L -f /etc/issueserial 9600 ttyS0 vt100

Additional notes: root logins are restricted over ttySX by default unless your ttySX is added to the securetty config. So, edit /etc/securetty and add your port if you want to allow root logins.

For a VM:
To add a serial console to a VM on VMware ESX, there's no way to do it either from the web console or from their dinky vmware-console. There are just grayed-out menu items that torment your soul, leaving you with a bitter taste of unfulfilled possibilities. Yet there is hope!

Here I add serial console 0:

serial0.present = "TRUE"
serial0.fileType = "file"
serial0.fileName = "/tmp/console.debian26_dan"

then add in your kernel boot options (ie, in /boot/grub/menu.lst) console=ttyS0,19200
like this: kernel /boot/vmlinuz root=/dev/sdc1 ro console=ttyS0,19200 console=tty0

now as you do crazy things to the kernel and crash it (ie, run zap), you can access your kernel log for debugging information in /tmp/console.debian26_dan.

NOTE: this enables a serial console for a guest machine on ESX. It does not enable a serial console for the ESX system itself, for that see above. ;p
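The grub.conf and securetty edits above are easy to get wrong by hand (duplicate serial lines after a second pass, a kernel entry missed, root locked out of the port). Here is an added Python example, not from the post or from any VMware or Red Hat tool, that applies the ESX-host part of the procedure to a grub.conf text: it inserts the serial and terminal lines after timeout=, appends console=ttyS0,9600 to every kernel line that lacks one, and is idempotent so it can be re-run safely; a second helper answers whether /etc/securetty lets root log in on the port. The grub.conf sample is constructed (the kernel line is the one from the post before console= was added; the title, root and initrd lines are placeholders).

```python
import re


def add_serial_console(grub_text: str, unit: int = 0, speed: int = 9600, menu_timeout: int = 8) -> str:
    """Return grub.conf text with the GRUB serial/terminal lines inserted after
    the timeout= line and console=ttySN,speed appended to every kernel line.
    Running it on already-converted text changes nothing (idempotent)."""
    tty = f"ttyS{unit}"
    serial_line = f"serial --unit={unit} --speed={speed} --word=8 --parity=no --stop=1"
    terminal_line = f"terminal --timeout={menu_timeout} serial console"
    console_arg = f"console={tty},{speed}"
    have_serial = any(ln.strip().startswith("serial ") for ln in grub_text.splitlines())
    out = []
    for line in grub_text.splitlines():
        stripped = line.strip()
        # A kernel line that already names this port is left alone, whatever its speed.
        if stripped.startswith("kernel ") and not re.search(rf"\bconsole={tty}\b", stripped):
            line = line.rstrip() + " " + console_arg
        out.append(line)
        if stripped.startswith("timeout=") and not have_serial:
            out.extend([serial_line, terminal_line])
            have_serial = True
    return "\n".join(out) + "\n"


def securetty_allows(securetty_text: str, tty: str = "ttyS0") -> bool:
    """True if /etc/securetty lists tty, i.e. root may log in on it."""
    return any(ln.strip() == tty for ln in securetty_text.splitlines()
               if ln.strip() and not ln.strip().startswith("#"))


# Constructed grub.conf sample (see lead-in).
SAMPLE_GRUB = """\
default=0
timeout=3
title VMware ESX Server
    root (hd0,0)
    kernel /vmlinuz ro root=UUID=675026ae-e3ee-4340-8614-9173f59d5bfb mem=300M quiet
    initrd /initrd.img
"""

if __name__ == "__main__":
    print(add_serial_console(SAMPLE_GRUB))
    print("root allowed on ttyS0:", securetty_allows("console\ntty1\ntty2\n"))
```

Whether root should be allowed on the serial port at all is a separate decision: the port is reachable by anyone with the console server or cable, so leaving ttyS0 out of securetty and logging in as an unprivileged user first is the more conservative choice.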

Monday, August 17, 2009

cups-pdf, cups, RHEL, Linux, and EPEL repositories...

Soo...you want to add some other packages...
OK!

su -c 'rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm'

they should now be available in yum...in my case, cups-pdf.

Sunday, August 16, 2009

using firefox 3.5.x in Linux ... It's not just that easy, apparently.

I got tired of looking for a repo version and decided to get the bin pkg from Mozilla.

Here’s a really quick way to get 3.5.2 running on your Ubuntu or RHEL/CentOS system.

I removed the Firefox 3.0 that shipped... In this case, with CentOS. This tutorial taken from some Ubuntu user's post/page...I forget.

Open up Terminal (Applications > Accessories > Terminal) and run the following commands:

  1. cd /tmp
  2. wget "http://download.mozilla.org/?product=firefox-3.5.2&os=linux&lang=en-US"
    Note: Your download link may be different depending on your country and language. I got the link by clicking the download link, canceling the automatic download, right-clicking the “Your download should automatically begin in a few seconds, but if not, click here” link, and selecting Copy Link Location.
  3. tar xvjf firefox-*.bz2
  4. sudo cp -r firefox /usr/lib/firefox-3.5.2
  5. sudo mv /usr/bin/firefox /usr/bin/firefox.old
  6. sudo ln -s /usr/lib/firefox-3.5.2/firefox /usr/bin/firefox-3.5.2
  7. sudo ln -s /usr/bin/firefox-3.5.2 /usr/bin/firefox

Close Firefox and then reopen. You should now be running Firefox 3.5.2.

If for whatever reason you’d like to switch back to your previous version of Firefox, simply run the following commands from Terminal:

  1. sudo mv /usr/bin/firefox /usr/bin/firefox.bak
  2. sudo mv /usr/bin/firefox.old /usr/bin/firefox

enable rpmfusion, epel for CentOS / RHEL5 to install other repos...

[root@caliban-centos ~]# su -c 'rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm'

[root@caliban-centos ~]# su -c 'rpm -Uvh http://download1.rpmfusion.org/free/el/updates/testing/5/i386/rpmfusion-free-release-5-0.1.noarch.rpm http://download1.rpmfusion.org/nonfree/el/updates/testing/5/i386/rpmfusion-nonfree-release-5-0.1.noarch.rpm'

- this should then allow software to be pulled from rpmfusion!

Thursday, April 23, 2009

Resetting OS Passwords! Just a good writeup for those interested. ;)

Windows
Windows is still the most popular operating system, and the method used to discover the login password is the easiest. The program used is called Ophcrack, and it is free. Ophcrack is based on Slackware, and uses rainbow tables to solve passwords up to 14 characters in length. The time required to solve a password? Generally 10 seconds. The expertise needed? None.

Simply download the Ophcrack ISO and burn it to a CD (or load it onto a USB drive via UNetbootin). Insert the CD into a machine you would like to gain access to, then press and hold the power button until the computer shuts down. Turn the computer back on and enter BIOS at startup. Change the boot sequence to CD before HDD, then save and exit.

The computer will restart and Ophcrack will be loaded. Sit back and watch as it does all the work for you. Write down the password it gives you, remove the disc, restart the computer, and log in as if it were your own machine.

Mac
The second most popular operating system, OS X, is no safer when it comes to password cracking than Windows.

The easiest method would be to use Ophcrack on this, also, as it works with Mac and Linux in addition to Windows. However, there are other methods that can be used, as demonstrated below.

If the Mac runs OS X 10.4, then you only need the installation CD. Insert it into the computer, reboot. When it starts up, select UTILITIES > RESET PASSWORD. Choose a new password and then use that to log in.

If the Mac runs OS X 10.5, restart the computer and press COMMAND + S. When at the prompt, type:

fsck -fy

mount -uw /

launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist

dscl . -passwd /Users/UserName newpassword

That’s it. Now that the password is reset, you can login.

Linux
Finally, there is Linux, an operating system quickly gaining popularity in the mainstream, but not so common that you're likely to come across it. Though Mac and Linux are both based on Unix, it is easier to change the password in Linux than it is in OS X.

To change the password, turn on the computer and press the ESC key when GRUB appears. Scroll down and highlight ‘Recovery Mode’ and press the ‘B’ key; this will cause you to enter ‘Single User Mode’.

You’re now at the prompt, and logged in as ‘root’ by default. Type ‘passwd’ and then choose a new password. This will change the root password to whatever you enter. If you’re interested in only gaining access to a single account on the system, however, then type ‘passwd username’ replacing ‘username’ with the login name for the account you would like to alter the password for.

Conclusion
There you have it - that is how simple it is for someone to hack your password. It requires no technical skills, no laborious tasks, only simple words or programs. The moral of the story? Encrypt your data to keep it safe. Don’t use only a password, but actually encryption, such as Blowfish or AES-128. There are a number of programs that can do this - TrueCrypt for Windows, or the native encryption found on Ubuntu, creating a disk image in Mac, etc.

Tuesday, November 11, 2008

neopi, oracle on linux...10gr2..and my birthday.

oh, and today is my birthday. yay.

so, i finally got around to writing about this. I successfully got Ora 10gR2 installed on RHEL5, thanks to the help of gathering dependencies with this free product called NEOPI. It's pretty nice... just a kind of automatic dependency generator, and it runs some other checks too, but it helped solve the issues I was running into with the misplaced/mislinked libraries. Hopefully that puts the RHEL5 Oracle 10gR2 fears to rest... and I can move on.

Thursday, November 6, 2008

Oracle 10gR2 on RHEL5

Preamble

This manual shows how to install Oracle Database 10g on Red Hat Enterprise Linux 5. The article presents the process from a system administrator's point of view and simplifies the tasks not related to system administration, while explaining the administration tasks and their impact in more depth. Be aware that RHEL 5 x86 is not a supported platform for Oracle 10g (at this moment), so when you ask questions on Metalink don't be surprised to get no answer. According to the product documentation, the supported platforms for x86 are RHEL AS/ES 3.4 or later, RHEL 4, SUSE Linux Enterprise Server 9.0 SP2 or later, and Asianux 1.0 and 2.0. Additionally, you can't expect reliability from this system in a production environment.

Hardware requirements

From the documentation you read that Oracle 10g needs at least 1 gigabyte of memory, but the absolute minimum is 512 MB. OK, with so little memory you are at the bottom line for the required shared memory, but the database can start. For testing, 768 MB sounds much better. The situation with swap is similar: everything will work fine with only 1024 MB of swap.

Software requirements

The list of packages you need to install Oracle 10g on RHEL includes:

binutils
compat-db
compat-libstdc++
control-center
gcc
gcc-c++
glibc
glibc-common
gnome-libs
libstdc++
libstdc++-devel
make
pdksh (RHEL 5 ships with ksh instead)
sysstat
xscreensaver
setarch
libXp (to start runInstaller)

Preinstallation tasks

Let's create the users and groups for the installation:

# groupadd dba
# groupadd oinstall
# useradd -G dba -d /home/oracle -g oinstall oracle
# passwd oracle

Next, create a filesystem for the Oracle files and database. Do not forget to make the appropriate changes in /etc/fstab to mount this filesystem on startup. The product documentation recommends using only RAID10 array(s), and for production it is wise to use hardware-based arrays, but here we are just playing, so any filesystem and volume will be OK. Transfer the files to the machine and extract the zips somewhere. I write "files" because I recommend installing not only the Oracle database server but also the 10g Release 2 (10.2.0.3) Patch Set 2, even if only for testing and playing. For more info about the patch set, read document 316900.1 and download the file p5337014_10203_LINUX.zip from Metalink. Now it is time to log in on the machine as root to set some parameters in the Linux kernel and operating system:

- check that the fully qualified host name exists in /etc/hosts
- check the id of the oracle user to ensure oinstall is its primary group and that it is a member of group dba
- check for the existence of the user nobody
- check, and set if needed, the semaphore parameters:
semmsl - 250
semmns - 32000
semopm - 100
semmni - 128

Semaphores explanation

semmsl - maximum number of semaphores per semaphore identifier (set). Increase it carefully, because a very big number eats memory that is never used.
semmns - maximum number of semaphores in the system. Size it carefully for the same reason.
semopm - maximum number of semaphore operations per semop() system call.
semmni - maximum number of semaphore identifiers (sets) in the system. Do not increase it beyond what is needed, because it wastes memory.
If you have additional hardware attached to the server, read the driver documentation for it carefully; for example, some drivers for FC controllers need additional semaphores per controller.


- check, and set if needed, the shared memory parameters:
shmall 2097152
shmmax Half the size of physical memory (in bytes), or the current value if bigger
shmmni 4096

Shared memory explanation

shmall - maximum number of shared memory pages. Setting it too low can slow down any program using shared memory.
shmmax - maximum size of a shared memory segment that can be allocated. On servers with lots of memory it can be increased to 80% of memory to avoid shared memory fragmentation.
shmmni - maximum number of segments. It's a good idea to change it only on vendor recommendation.


- check, and set if needed, the maximum number of file handles supported by the system:
file-max 65536

- check, and set if needed, the network parameters:
ip_local_port_range Minimum:1024 Maximum:65000
rmem_default 1048576
rmem_max 1048576
wmem_default 262144
wmem_max 262144

Network setting explanation

ip_local_port_range – define full range of local ports in Linux, normally upper limit is 32000
rmem_default Default Receive Window
rmem_max Maximum Receive Window
wmem_default Default Send Window
wmem_max Maximum Send Window



So you can add to your /etc/sysctl.conf file something like

kernel.shmall = 2097152
kernel.shmmax = 2147483648
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
net.core.rmem_default = 1048576
net.core.rmem_max = 1048576
net.core.wmem_default = 262144
net.core.wmem_max = 262144

and execute

# sysctl -p
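The parameter list above is long enough that it is worth checking by script rather than by eye, both before and after sysctl -p. The following is an added example of mine, not from the original post: it reads a file in sysctl "key = value" format (either /etc/sysctl.conf, to see what will be applied, or a snapshot taken with sysctl -a, to see what is in effect) and reports each parameter from the fragment above as OK, LOW or MISSING, treating the fragment's values as minimums. The four fields of kernel.sem are compared in the order the fragment uses them (semmsl, semmns, semopm, semmni). The snapshot path /tmp/running.txt in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: check the kernel parameters
# listed above against a sysctl-style "key = value" file. Feed it either
# /etc/sysctl.conf (what will be applied) or a snapshot of the running
# kernel (what is applied now), e.g.
#     sysctl -a 2>/dev/null > /tmp/running.txt     # path is an assumption
#     check_oracle_sysctl /tmp/running.txt
# Required values are the ones from the post's sysctl.conf fragment.

# Print the (last) value of parameter $1 found in file $2; empty if absent.
sysctl_value() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')   # dots must match literally
    sed -n "/^[[:space:]]*${key}[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*\$//;p;}" "$2" \
        | tail -n 1
}

# Compare every parameter the post requires against the file and print one
# line per parameter. Returns 0 when all are satisfied, 1 otherwise.
check_oracle_sysctl() {
    file=$1
    rc=0

    # Single-valued parameters: the current value must be at least the required one.
    while read -r name required; do
        current=$(sysctl_value "$name" "$file")
        if [ -z "$current" ]; then
            echo "MISSING $name (want >= $required)"; rc=1
        elif [ "$current" -lt "$required" ]; then
            echo "LOW $name = $current (want >= $required)"; rc=1
        else
            echo "OK $name = $current"
        fi
    done <<EOF
kernel.shmall 2097152
kernel.shmmax 2147483648
kernel.shmmni 4096
fs.file-max 65536
net.core.rmem_default 1048576
net.core.rmem_max 1048576
net.core.wmem_default 262144
net.core.wmem_max 262144
EOF

    # kernel.sem carries four fields in this order: semmsl semmns semopm semmni.
    set -- $(sysctl_value kernel.sem "$file")
    if [ $# -ne 4 ]; then
        echo "MISSING kernel.sem (want 250 32000 100 128)"; rc=1
    else
        for spec in "semmsl:$1:250" "semmns:$2:32000" "semopm:$3:100" "semmni:$4:128"; do
            label=${spec%%:*}; rest=${spec#*:}
            current=${rest%%:*}; required=${rest#*:}
            if [ "$current" -lt "$required" ]; then
                echo "LOW kernel.sem $label = $current (want >= $required)"; rc=1
            else
                echo "OK kernel.sem $label = $current"
            fi
        done
    fi

    # ip_local_port_range is "low high"; it must cover 1024..65000.
    set -- $(sysctl_value net.ipv4.ip_local_port_range "$file")
    if [ $# -ne 2 ]; then
        echo "MISSING net.ipv4.ip_local_port_range (want 1024 65000)"; rc=1
    elif [ "$1" -gt 1024 ] || [ "$2" -lt 65000 ]; then
        echo "LOW net.ipv4.ip_local_port_range = $1 $2 (want 1024 65000)"; rc=1
    else
        echo "OK net.ipv4.ip_local_port_range = $1 $2"
    fi
    return $rc
}
```

Run it once against /etc/sysctl.conf to catch typos in the fragment and once against a sysctl -a snapshot after sysctl -p to confirm the kernel actually took the values; a non-zero exit means at least one line was LOW or MISSING.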

Next it is time to set some environment variables for the oracle user. Do not forget to put them in the shell profile of the oracle user. They should look like

ORACLE_BASE=/home/oracle
ORACLE_HOME=$ORACLE_BASE/product/10.2.0
ORACLE_SID=test01

At this point it is a very good idea to check the available disk space in the directory where Oracle will be installed; you will need about 4 GB for software and database. To start the installer successfully you need to edit /etc/redhat-release and change the release from 5 to 4. Do not forget to change the value back later, otherwise you will not be able to update your server. Next it is time to run runInstaller. You will need a running X server, because the interactive installation needs a graphical display.

Actual installation

In the first step we choose the advanced installation, to have better control over the packages and options installed on the server. Later, if needed, we can install additional packages almost seamlessly. Our target is Enterprise Server, as the more powerful and complex one. In the next step the Oracle Installer checks the prerequisites for installation, such as physical memory, swap, networking, environment variables, etc. If you get a warning about the amount of memory you can skip it without any problem. Next we install only the software, without creating a new database. There is a program named dbca (database configuration assistant) which can help to create a new database. Then read the summary screen and go back to change any packages you do not need or any other parameter. It is out of the scope of this document to discuss the idea and purpose of the packages you can find in an Oracle database. Next we press install and wait a lot, because the installation process is very long. On the bottom part of the screen you can see the path to the log file for the current installation, and you can inspect it if you get some errors or just out of curiosity. In one of the stages of the installation (almost at the end) you have to execute 2 scripts as the root user. And at the end we have an installed Oracle Database 10g. If you have the patch mentioned above, the installation process for the patch is similar: runInstaller....

Et voila, we are ready to play and test oracle on our RHEL 5 server :-)

Tuesday, November 4, 2008

tar over ssh to pipe files..

I didn't have enough space on a VM I just built to copy all the data over as a tar and then untar it, so I went on a search... I found this and it worked VERY well:

From: http://www.cyberciti.biz/faq/howto-use-tar-command-through-network-over-ssh-session/

Q. How do I use tar command over secure ssh session?

A. The GNU version of the tar archiving utility (and other older versions of tar) can be used over the network through an ssh session. Do not use the telnet command; it is insecure. You can use Unix/Linux pipes to create archives. The following command backs up the /wwwdata directory to the host dumpserver.nixcraft.in (IP 192.168.1.201) over an ssh session.

The default first SCSI tape drive under Linux is /dev/st0. You can read more about tape drives naming convention used under Linux here.

# tar zcvf - /wwwdata | ssh root@dumpserver.nixcraft.in "cat > /backup/wwwdata.tar.gz"
OR
# tar zcvf - /wwwdata | ssh root@192.168.1.201 "cat > /backup/wwwdata.tar.gz"

Output:

tar: Removing leading `/' from member names
/wwwdata/
/wwwdata/n/nixcraft.in/
/wwwdata/c/cyberciti.biz/
....
..
...
Password:

You can also use the dd command for clarity:
# tar cvzf - /wwwdata | ssh root@192.168.1.201 "dd of=/backup/wwwdata.tar.gz"
It is also possible to dump the backup to a remote tape device:
# tar cvzf - /wwwdata | ssh root@192.168.1.201 "cat > /dev/nst0"
OR you can use mt to rewind the tape and then dump to it using the cat command:
# tar cvzf - /wwwdata | ssh root@192.168.1.201 "mt -f /dev/nst0 rewind; cat > /dev/nst0"
You can restore the tar backup over an ssh session:
# cd /
# ssh root@192.168.1.201 "cat /backup/wwwdata.tar.gz" | tar zxvf -
If you wish to use above command in cron job or scripts then consider SSH keys to get rid of the passwords.
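The pipe above moves the data, but nothing in it tells you whether the bytes that arrived are the bytes that left. As an added example (mine, not from the post or from cyberciti.biz), the functions below keep the same streaming pattern and add an end-to-end SHA-256 check: the far side stores and hashes the stream, the near side hashes the same stream as it leaves, and the backup is only reported as good when the two values agree. The transport is passed in as a command, so "sh -c" runs the whole thing locally for a dry run and "ssh backup@dumphost" (placeholder user and host) runs it over ssh with the same code; the archive stores paths relative to the parent directory, so a restore into a scratch directory cannot touch the live tree.

```shell
#!/bin/sh
# Added example (mine, not from the post or cyberciti.biz): tar over a pipe
# with an integrity check. The transport is a command that runs a shell
# command on the far side with the stream on its stdin, for example
#     stream_backup /wwwdata "ssh backup@dumphost" /backup/wwwdata.tar.gz
# (user and host are placeholders). "sh -c" exercises the same code locally.
# Needs tar, gzip, sha256sum and mkfifo.

# Archive directory $1 through transport $2 into far-side file $3.
# Prints the SHA-256 of the archive on success; returns 1 on a mismatch.
stream_backup() {
    src=$1 transport=$2 dest=$3
    parent=$(dirname "$src") base=$(basename "$src")
    fifo=$(mktemp -u) localsum=$(mktemp)
    mkfifo -m 600 "$fifo"
    # Hash the outgoing bytes in the background while tee forwards them.
    sha256sum < "$fifo" > "$localsum" &
    # -C makes tar store "wwwdata/..." rather than "/wwwdata/...".
    # The far side writes the file and reports the hash of what it received.
    remote=$(tar -C "$parent" -czf - "$base" | tee "$fifo" \
             | $transport "tee '$dest' | sha256sum")
    wait
    sent=$(cut -d' ' -f1 "$localsum")
    received=${remote%% *}
    rm -f "$fifo" "$localsum"
    if [ -n "$sent" ] && [ "$sent" = "$received" ]; then
        echo "$sent"
        return 0
    fi
    echo "hash mismatch: sent $sent received $received" >&2
    return 1
}

# Re-hash far-side file $2 through transport $1 and compare with $3, the
# value stream_backup printed; catches later corruption or tampering.
verify_backup() {
    transport=$1 dest=$2 expected=$3
    actual=$($transport "sha256sum < '$dest'")
    if [ -n "$expected" ] && [ "${actual%% *}" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Pull far-side file $2 back through transport $1 and unpack it under
# directory $3 (use a scratch directory, then move what you need).
stream_restore() {
    transport=$1 dest=$2 target=$3
    $transport "cat '$dest'" | tar -C "$target" -xzf -
}
```

Record the hash stream_backup prints alongside the backup; verify_backup at restore time then tells you whether the archive on the dump host is still the one you wrote, which a plain cat > file pipe never can.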

Friday, October 17, 2008

ubuntu intrepid ibex java needs icedtea

In order to get Mozilla working with Java, you need to install the IcedTea plugin after installing the open Java packages.

Thursday, October 16, 2008

unix and windows: carriage returns with tr/sed/awk

cat -v myfile.csv

...and then you will see them at the end of each line as ^M (Ctrl-M)

Delete them using tr like this. This only works in the following form if "\r" is recognised as a carriage return character; some versions of tr and sed do not recognise it. So before you try this out, set up a test file with a few "r"s in obvious places to make sure the following command is not just deleting "r"s.

tr -d '\r' < infile.csv > outfile.csv

If the above command deleted "r"s instead of carriage returns, then instead of '\r' use 'Ctrl-V-M'. The Ctrl-V works in a few shells to tell the shell that you are going to enter a special character, and the "m" you follow it with indicates a carriage return: "m" as in the "^M" you see at the end of the lines when you use cat -v.

There are other ways of removing these carriage returns. You can use sed to do it, but again you have to check whether it accepts "\r" as a carriage return by experimenting on a very small test file with a few obvious "r"s in it.

sed 's/\r$//' infile.csv > outfile.csv

On a final note, you might have to convert a Unix file to a DOS/Windows file sometimes. You can do it like this:

awk '{ print $0 "\r"}' unix.txt > dos.txt

---

simple:
tr -d '\015' < file > new.file

more simple:
perl -pi -e 's/\015//g' file
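The post's advice to test on a small file before trusting '\r' can itself be scripted. As an added example (mine, not from the post), the functions below perform that self-test, count CR bytes in a file, and convert in both directions using the octal form '\015' for tr and a literal carriage-return character built with printf for sed, which avoids the question of whether "\r" is understood at all. The DOS-to-Unix conversion refuses to report success if any CR survives outside a line ending, so a CR embedded in a field is noticed rather than silently lost, and the Unix-to-DOS conversion skips lines that already end in CR so running it twice does not produce "\r\r\n".

```shell
#!/bin/sh
# Added example, not part of the original post: the self-test the post
# recommends, plus conversion helpers that do not depend on tr or sed
# understanding "\r". A literal CR is built with printf where sed needs it.

# Returns 0 if tr -d '\r' removes only carriage returns and leaves the
# letter r alone; returns 1 on a tr that reads '\r' as the letter "r".
tr_handles_cr() {
    out=$(printf 'carr\r' | tr -d '\r')
    [ "$out" = carr ]
}

# Print the number of carriage-return bytes in file $1.
# \015 is the octal form of CR, which every tr accepts.
count_cr() {
    tr -cd '\015' < "$1" | wc -c | tr -d ' '
}

# DOS -> Unix: write $1 to $2 with the CR removed from line ends only, then
# confirm no CR is left anywhere in the output. Returns 1 (and keeps the
# output for inspection) if a CR sat in the middle of a line.
dos2unix_safe() {
    cr=$(printf '\r')
    sed "s/$cr\$//" "$1" > "$2"
    left=$(count_cr "$2")
    if [ "$left" -ne 0 ]; then
        echo "$2: $left carriage return(s) remain outside line endings" >&2
        return 1
    fi
}

# Unix -> DOS: add a CR before each LF, except on lines that already end in
# CR, so the conversion is idempotent.
unix2dos_safe() {
    cr=$(printf '\r')
    sed "/$cr\$/!s/\$/$cr/" "$1" > "$2"
}
```

Run tr_handles_cr once on a new system before using any of the '\r' one-liners above; count_cr before and after a conversion is the quickest way to see that the right number of characters, and only those, went away.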