Cain Manor » UNIX

Push SSH public keys to multiple host

Greg Cain — Tue, 02 Aug 2011 18:27:52 +0000

I’m starting a new job where I need to have my SSH keys pushed to hundreds of Red Hat servers. The special sauce is a command called ssh-copy-id. However, using this command requires you answering a (yes/no) question, then shortly thereafter enter your password. Painful. Here’s how push your keys without the pain.

The first problem is having to answer (yes/no) for each server. Normally you see this…

The authenticity of host 'myfirsthost.work.cainmanor.com (10.256.33.106)' can't be established.
RSA key fingerprint is fc:40:7c:de:b8:ac:a2:f5:d4:11:d0:0e:b2:77:8a:63.
Are you sure you want to continue connecting (yes/no)? yes

To stop this prompt, we need to edit your ~/.ssh/config file. Add these two lines

StrictHostKeyChecking no
UserKnownHostsFile=/dev/null

Setting your UserKnownHostsFile should only be a temporary fix. After you’ve pushed your keys, you should comment out both of those settings.

Your password is the next problem. We can solve that with sshpass. sshpass takes your password and passes it on when ssh ask for it. There are three ways to do it, all of them insecure. Read the man page and decide which of those you want to use. For my purposes I just put it on the command line – I’m on my personal machine with no other users, and only I know the passwords to the box. Don’t do this on a shared server.

Here is an example of how to push your public key one. Try it on a new server to make sure you get the results you expect.

sshpass -p 'MY_PASSWORD' ssh-copy-id gregc@new_host_with_no_keys

Now that we’ve got the prompts turned off, we’ll wrap a script around this. How you get the list of appropriate hostnames or IP’s is your business.

for X in `cat my_host_that_need_keys`
do
sshpass -p 'MY_PASSWORD' ssh-copy-id gregc@${X}
done

Happy Computing!!

Installing APC (Alternative PHP Cache) on CentOS 5.6

Greg Cain — Tue, 12 Jul 2011 02:12:04 +0000

There were more than a few instructions on how to do this. They were all wrong, at least for my default install of CentOS 5.6.

In a nutshell, here is how I was able to do it:

cd /tmp
yum install pcre-devel
wget http://pecl.php.net/get/APC-3.1.9.tgz
tar -xvf APC-3.1.9.tgz
cd APC-3.1.9
phpize
whereis php-config
./configure –enable-apc –enable-apc-mmap –with-apxs –with-php config=/path/to/php-config
make
make install
echo "extension=apc.so" >> /etc/php.d/apc.ini
echo "apc.slam_defense=0" >> /etc/php.d/apc.ini
echo "apc.write_lock=1" >> /etc/php.d/apc.ini
service httpd restart

I also make these changes to my httpd.conf file

Timeout 40
KeepAlive On
MaxKeepAliveRequests 200
KeepAliveTimeout 2

Install Django on OS-X Snow Leopard using sqlite3

Greg Cain — Sun, 09 Jan 2011 01:40:29 +0000

Download django. It should default to your ~/Downloads folder and it should be untarred. Go into that directory (in my case, /Users/gregcain/Downloads/Django-1.2.4), and install Django.

sudo python setup.py install

Now we need to configure our first project, which we’ll call myBooks. Create the parent directory you want your project to live in.

mkdir ~/Django

Let’s create the first project

django-admin.py startproject myBooks

You’ll see a directory created underneath your Django directory called myBooks. (~/Django/myBooks) In that directory, you’ll see the following files…

__init__.py
manage.py
settings.py
urls.py

Start the built in web server. From the directory ~/Django/myBooks directory

python manage.py runserver

Which gives you this..

Django version 1.2.4, using settings 'myBooks.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

If you point your web browser to http://127.0.0.1:8000/ you should see this basic getting started page

If you see that, all is good so far…

Now let’s configure Django to use sqlite as it’s database. All you need to do is edit the settings.py file in ~/Django/myBooks. You need to change ENGINE to the sqlite3 instance, and tell it where you want your database to live. You’ll create that database in the next step.

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.sqlite3', # Add 'postgresql_psycopg2', 'postgresql', 'mysql', 'sqlite3' or 'oracle'.
        'NAME': '/Users/gregcain/Django/myBooks/myBooksDB',                      # Or path to database file if using sqlite3.
        'USER': '',                      # Not used with sqlite3.
        'PASSWORD': '',                  # Not used with sqlite3.
        'HOST': '',                      # Set to empty string for localhost. Not used with sqlite3.
        'PORT': '',                      # Set to empty string for default. Not used with sqlite3.
    }
}

Now create the database

python manage.py syncdb

You’ll be asked a few questions, including one to setup a super user.

Now that the database is created, let’s go in and see if it looks correct. To open a connection to the database

sqlite3 myBooksDB

and to see the schema

.schema

Happy Coding!!

Basic Samba-Active Directory troubleshooting using wbinfo

Greg Cain — Wed, 08 Sep 2010 19:25:39 +0000

This document is intended to step you through some of the basics of troubleshooting samba connectivity with your domain controller, using wbinfo. This is not intended to show you how to configure Samba to talk to your domain controller. Others have done a much better job that I can.

winbind must be running in order for wbinfo to work, and you need to be connected to your domain.

wbinfo -p
Ping to winbindd succeeded on fd 4

A simple ping test to see if your DC is alive

wbinfo -t
checking the trust secret via RPC calls succeeded

Verify that the workstation trust account created when the Samba server is added to the Windows NT domain is working. This is a good first step to make sure you can talk to your DC

wbinfo -u

This will list your domain users. Make sure the users you expect are there

wbinfo -a greg.cain%password

This is an easy way to check that your user can authenticate against the domain. However, I’d recommend against using it since it will show your password on the command line, in your history, and in the ps command if it’s executed at the right time (there are many other reasons, but those should be enough to dissuade you.) Use a dummy account if possible.

wbinfo -g

Show a list of domain groups. Again, make sure the groups you expect are present.

wbinfo -n greg.cain
S-1-5-21-XXXX789314-3545391909-2802175779-XXXX User (1)

This will get you the SID for the user you’ve specified (greg.cain in this case.)

wbinfo -s S-1-5-21-XXXX789314-3545391909-2802175779-XXXX
DOMAIN\greg.cain

Using the SID you just returned, let’s make sure the reverse mappings are correct.

wbinfo -r greg.cain
16XXX216
16XXX217
....

This will show a list of groups that the user greg.cain belongs to.

wbinfo -G 16XXX217
S-1-5-21-1540789314-3545391909-2802175779-YYY

This converts the GID to the SID.

wbinfo -Y S-1-5-21-1540789314-3545391909-2802175779-YYY
16XXX217

This is the reverse mapping of the SID to the GID

Setup logging for Varnish – The right way

Greg Cain — Fri, 30 Jul 2010 02:45:45 +0000

Initially, logging Varnish didn’t really work that well. Varnish, by default, doesn’t log (varnishncsa can do some logging, but I haven’t figured that out yet.) I’ve been parsing my logs with JAWstats, which reads the Apache logs. However, by default, varnish will replace the IP address of the originating client with the IP address of the proxy server, meaning all traffic will look like it comes from my single server. This is what an entry looks like

173.230.157.240 - - [29/Jul/2010:15:47:47 -0700] "GET / HTTP/1.1" 200 20046 "-" "Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)"
173.230.157.240 - - [29/Jul/2010:15:47:48 -0700] "GET / HTTP/1.1" 200 20046 "-" "Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)"
173.230.157.240 - - [29/Jul/2010:15:47:49 -0700] "GET / HTTP/1.1" 200 20046 "-" "Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)"
173.230.157.240 - - [29/Jul/2010:15:47:50 -0700] "GET / HTTP/1.1" 200 20046 "-" "Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)"
Yeah, I made this up, but you get the idea.

That’s no good. How will I tell that I’m famous in Sweden? I found a way to get the client IP information passed to the backend

sub vcl_recv {
       remove req.http.X-Forwarded-For;
       set    req.http.X-Forwarded-For = client.ip;
}

This is what we get from this.

207.218.231.170, 207.218.231.170 - - [29/Jul/2010:15:47:47 -0700] "GET / HTTP/1.1" 200 20046 "-" "Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)"

Ok, this is better, but the IP address is duplicated. I don’t know if it causes trouble with JAWstats (I assume it does), but I know that it is ugly to me. After much googling, I found this…

sub vcl_recv {
# 	Rename the incoming XFF header to work around a Varnish bug.
  if (req.http.X-Forwarded-For) {
#	Append the client IP
    set req.http.X-Real-Forwarded-For = req.http.X-Forwarded-For ", " regsub(client.ip, ":.*", "");
    unset req.http.X-Forwarded-For;
  }
  else {
    // Simply use the client IP
    set req.http.X-Real-Forwarded-For = regsub(client.ip, ":.*", "");
  }
}

And finally we have a working log file.

This is the first log file from this server

82.103.128.63 - - [04/Jul/2010:03:57:47 -0400] "GET / HTTP/1.0" 200 23301 "-" "Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)"

And this is the last

24.19.50.69 - - [29/Jul/2010:19:44:18 -0700] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 177 "http://cainmanor.com/wp-admin/post-new.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16"