System Adm » Linux

Updating partition table in Linux

Lincoln Zuljewic Silva — Mon, 15 Mar 2010 14:53:16 +0000

When you use the "fdisk" to handle the partitions of a disk, depending on the disc, the "fdisk" will bring the following message:

WARNING: Re-reading the partition table failed with error 22: Invalid argument. The kernel still uses the old table. The new table will be used at the next reboot. Syncing disks.

No, you do not have to restart the server for the changes are applied, simply use the following command (example):
kpartx -a /dev/sda

This will re-read the partition table on /dev/sda and create the mapping of the system partitions (/dev/sda1, /dev/sda2, etc).

Martian Friend

Lincoln Zuljewic Silva — Tue, 15 Sep 2009 16:59:06 +0000

You may find some weird messages indications in your syslog telling you something like “martian source” like the followings:

When a host needs send a package to another host, it can define the route on the network or use the default route. Those “source routed packages” are identified in Linux as martian packages. You can configure your Linux log/do not log those packages:

# echo 0 > /proc/sys/net/ipv4/conf/*/log_martians #do not log

Resizing lvol in Red Hat AS 4

Lincoln Zuljewic Silva — Tue, 18 Aug 2009 13:32:55 +0000

As incredible as it seems, RHAS4 doesn't came with the resize2fs command (just like the others RH distributions). After some research, I found the tool that replace the resize2fs command and it's the ext2online, for example:

# ext2online /dev/mapper/VG00-vl02

rlogin access denied

Lincoln Zuljewic Silva — Mon, 15 Jun 2009 13:54:48 +0000

In some specific situations, you need use rlogin to remote access a server, but you can face the following error:

clientServer:~ # rlogin rloginServer Password: Password: Login incorrect


	login: root

	Password:

	Login incorrect
	login: root

	Password:

	Login incorrect
	login: root

	Password:

	Login incorrect

rlogin: connection closed.

If you check the /var/log/secure log on the “rloginServer”, you will find the following messages:
Jun 15 10:44:41 rloginServer rlogind[16640]: pam_securetty(rlogin:auth): access denied: tty 'rlogin' is not secure ! Jun 15 10:44:41 rloginServer rlogind[16640]: pam_rhosts_auth(rlogin:auth): denied to root@10.11.4.9 as root: access not allowed Jun 15 10:44:47 rloginServer login: pam_securetty(remote:auth): access denied: tty 'pts/0' is not secure ! Jun 15 10:44:51 rloginServer login: FAILED LOGIN 1 FROM 10.11.4.9 FOR root, Authentication failure Jun 15 10:44:53 rloginServer login: pam_securetty(remote:auth): access denied: tty 'pts/0' is not secure ! Jun 15 10:44:58 rloginServer login: FAILED LOGIN 2 FROM 10.11.4.9 FOR root, Authentication failure Jun 15 10:44:58 rloginServer login: pam_unix(remote:auth): bad username [] Jun 15 10:44:58 rloginServer login: pam_succeed_if(remote:auth): error retrieving information about user Jun 15 10:44:58 rloginServer login: FAILED LOGIN 3 FROM 10.11.4.9 FOR , User not known to the underlying authentication module Jun 15 10:44:59 rloginServer login: pam_unix(remote:auth): bad username [] Jun 15 10:44:59 rloginServer login: pam_succeed_if(remote:auth): error retrieving information about user Jun 15 10:44:59 rloginServer login: FAILED LOGIN SESSION FROM 10.11.4.9 FOR , User not known to the underlying authentication module

The problem here, is that “rlogin” is not a “secure” shell. To configure it, you should add “rlogin” (without the quotes) to /etc/securetty .

After that, you will be able to access the rlogin server.

Setting session timeout on Linux

Lincoln Zuljewic Silva — Wed, 27 May 2009 12:41:14 +0000

To set an automatically shell timeout on Linux (that Will logoff that session after X seconds), you just need setup the following variable (put it in your /etc/profile):

# echo “TMOUT=300; readonly TMOUT; export TMOUT” >> /etc/profile

The “readonly” option will not allow an normal user change (ou unset) it.

Rotate log files in Linux

Lincoln Zuljewic Silva — Fri, 15 May 2009 21:31:43 +0000

An easy way (shell script) to rotate log files in Linux can be:

#!/bin/bash # Include the following line in crontab: #00 5 * * * /bin/rotate_logs.sh > /dev/null 2>&1 #


	DATE=`date "+%Y%m%d"`

	cd /var/log/
	for i in messages secure cron lastlog

	do

	cp ${i} ${i}.${DATE}

	> ${i}

	gzip -9 ${i}.${DATE}

	done

/etc/init.d/syslog restart

If you have any other log to rotate, you can change the line 8 and 10.

Disable CTRL+C on Linux

Lincoln Zuljewic Silva — Thu, 30 Apr 2009 18:25:39 +0000

To disable CTRL+C on Linux, you can use the following command:

# stty intr undef

Renaming a network interface on Linux

Lincoln Zuljewic Silva — Wed, 29 Apr 2009 19:29:09 +0000

Sometimes, when you add/remove a network card in Linux, the system automatically change the name of the interfaces (for example your eth0 became eth1). Depending of the system, it can cause a big problem to you, so you can use the command nameif to rename it back (or just rename your interfaces):

Create a file named /etc/mactab with the interface names and its mac address:
eth0 00:0B:DB:D5:6E:DD eth1 00:03:47:3b:ef:b9 eth2 00:0B:DB:D5:6E:DE banana01 00:03:47:3B:EF:B8

After that, you should run the command nameif (/sbin/nameif) to apply your new configuration.

Note 01: you can rename your interfaces to whatever you want.
Note 02a: before run the nameif, you should stop the interfaces.
Note 02b: you can do an ifdown
Note 03: if you reboot the server, this configuration will be lost, so you can create a simple shell script to rename it automatically on boot:

vi /etc/init.d/nameif #!/bin/bash


	case "$1" in

	start)

	    echo "Renaming the network interfaces..."

	    /sbin/nameif

	;;
	stop)

	    echo "Ok"

	;;

	esac

chmod 755 /etc/init.d/nameif ln -s /etc/init.d/nameif /etc/rc3.d/S04nameif

I know that you can use udev to rename an interface, but I believe that nameif is simpler.

Using vi as crontab editor

Lincoln Zuljewic Silva — Wed, 22 Apr 2009 12:37:00 +0000

The default Debian installation use a non-vi editor when you try to use crontab (ie: “crontab -e”).

To change it to vi, you should do the following:

# rm -f /etc/alternatives/editor ln -s /usr/bin/vi /etc/alternatives/editor

SSH Memory fault(coredump) in HP-UX

Lincoln Zuljewic Silva — Thu, 16 Apr 2009 19:21:37 +0000

If you try to access from a HP-UX another machine that has a newer version of SSH running, you may get a “SSH Memory fault(coredump)” message like the following one:

# ssh -v server Debian OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0×0090609f 16153: debug1: Reading configuration data /opt/ssh/etc/ssh_config16153: debug1: Rhosts Authentication disabled, originating port will not be trusted.16153: debug1: ssh_connect: needpriv 0 16153: debug1: Connecting to serverDebian [10.0.0.1] port 22.16153: debug1: Connection established.16153: debug1: identity file /.ssh/id_rsa type -116153: debug1: identity file /.ssh/id_dsa type -116153: debug1: Remote protocol version 1.99, remote software version OpenSSH_4.2-chrootssh16153: debug1: match: OpenSSH_4.2-chrootssh pat OpenSSH* 16153: debug1: Enabling compatibility mode for protocol 2.0 16153: debug1: Local version string SSH-2.0-OpenSSH_3.5p1 Memory fault(coredump)

To solve it, you should create a empty file named /etc/krb5.conf in HP-UX. After that, you will be able to use SSH

Forcing a user changing the password on Linux

Lincoln Zuljewic Silva — Wed, 15 Apr 2009 11:52:44 +0000

When creating a new user, you can use the following command to force a user changing its password on first logon:

# chage -d 0

Doing this, the user will receive the following message:

Password change requested. Choose a new password. Old Password:

Locking a Linux account

Lincoln Zuljewic Silva — Thu, 09 Apr 2009 14:11:31 +0000

Before you remove an account from a system, is a good idea lock it for one week to make sure that no one use it.

To lock, you can use the follow command:

# passwd -l username (where username is the login id).

After that, if someone try to loginusing this account, the system will return:

# su - foobar

This account is currently not available.

Stop/Start a Guest OS in Vmware Server 2.0

Lincoln Zuljewic Silva — Wed, 08 Apr 2009 14:01:12 +0000

The VMWare 2.0 has a command named “vmrun” that can control the state of the VMs. The syntax is:

vmrun [AUTHENTICATION-FLAGS] COMMAND [PARAMETERS]

To list all started VM:

# vmrun -u root -h ‘https://192.168.0.14:8333/sdk’ -p YOURPASSWORD list Total running VMs: 3 [standard] Apolo/Apolo.vmx [standard] Ares - NS01/Ares - NS01.vmx [standard] hades - NS02/hades - NS02.vmx

To stop a VM:

# vmrun -u root -h ‘https://192.168.0.14:8333/sdk’ -p YOURPASSWORD stop “[standard] Apolo/Apolo.vmx”

To start a VM:

# vmrun -u root -h ‘https://192.168.0.14:8333/sdk’ -p YOURPASSWORD start “[standard] Apolo/Apolo.vmx”

Installing OpenSSH from source on SuSe 10

Lincoln Zuljewic Silva — Tue, 07 Apr 2009 14:13:35 +0000

The current version of my SuSe is:
# cat /etc/SuSE-release SUSE Linux Enterprise Server 10 (i586) VERSION = 10 PATCHLEVEL = 1

1 – Download OpenSSH:
# cd /usr/src # wget http://anga.funkfeuer.at/ftp/pub/OpenBSD/OpenSSH/portable/openssh-5.2p1.tar.gz

2 – Unpack it:
# tar zxvf openssh-5.2p1.tar.gz

3 – Check if you have the necessary packages:
automake-1.9.6-2.i586.rpm cpp-4.0.2_20050901-3.i586.rpm gcc-4.0.2_20050901-3.i586.rpm gcc-c++-4.0.2_20050901-3.i586.rpm glibc-2.3.5-40.i586.rpm glibc-devel-2.3.5-40.i586.rpm libselinux-1.23.11-3.i586.rpm libstdc++-4.0.2_20050901-3.i586.rpm libstdc++-devel-4.0.2_20050901-3.i586.rpm openssl-devel-0.9.8a-18.15.i586.rpm pam-devel-0.99.6.3-28.8.i586.rpm pam_ssh-1.91-19.2.i586.rpm sudo-1.6.8p9-2.i586.rpm tcpd-devel-7.6-731.2.i586.rpm zlib-devel-1.2.3-3.i586.rpm

You can check it by typing:
# rpm -qa (example: "rpm -qa |grep openssl-devel")

4 – If there are some packeage missing, I advice you search it in www.filewatcher.com and install using:
# rpm -ivh (example: "rpm -ivh tcpd-devel-7.6-731.2.i586.rpm")

5 – Run configure:
# cd /usr/src/openssh-5.2p1 # ./configure --prefix=/opt/ssh2 --with-libs=-ldl --disable-suid-ssh --with-privsep-user=sshd -with-tcp-wrappers --with-pam

After some time, you should see something like this:
OpenSSH has been configured with the following options: User binaries: /opt/ssh2/bin System binaries: /opt/ssh2/sbin Configuration files: /opt/ssh2/etc Askpass program: /opt/ssh2/libexec/ssh-askpass Manual pages: /opt/ssh2/share/man/manX PID file: /var/run Privilege separation chroot path: /var/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh2/bin Manpage format: doc PAM support: yes OSF SIA support: no KerberosV support: no SELinux support: no Smartcard support: no S/KEY support: no TCP Wrappers support: yes MD5 password support: no libedit support: no Solaris process contract support: no IP address in $DISPLAY hack: no Translate v4 in v6 hack: yes BSD Auth support: no Random number source: OpenSSL internal ONLY Host: i686-pc-linux-gnu Compiler: gcc Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -std=gnu99 Preprocessor flags: Linker flags: Libraries: -lresolv -lcrypto -lutil -lz -lnsl -ldl -lcrypt +for sshd: -lwrap -lpam

PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/ subdirectory

6 – Install contrib scripts. Check into /usr/src/openssh-5.2p1/contrib some files that we can use to setup our server:
# cp sshd.pam.generic /etc/pam.d/sshd # cp rc.sshd /etc/init.d/sshd # cp sysconfig.ssh /etc/sysconfig/ssh # cp rc.config.sshd /etc/rc.d/sshd # chmod 755 /etc/init.d/sshd /etc/rc.d/sshd # ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S20-sshd

7 – Configure some parameters. Edit the main SSHD configuration file
# vi /opt/ssh2/etc/sshd_config Ensure that some lines are uncommented: Line 21: Protocol 2 -> Enable just the protocol version 2 (more secure) Line 41: PermitRootLogin no -> Do not enable root login Line 46: RSAAuthentication yes -> enable authentication thru auth-keys Line 47: PubkeyAuthentication yes -> enable authentication thru auth-keys Line 48: AuthorizedKeysFile .ssh/authorized_keys -> enable authentication thru auth-keys (keys location - user's home) Line 86: UsePAM yes -> enable PAM authentication Line 113: Subsystem sftp /opt/ssh2/libexec/sftp-server -> enable the sftp subsystem (for secure file transfer - NOT SCP)

8 – Start the server:
# /etc/init.d/sshd start

9 – Place a login test

10 – Check in your /var/log/message. If you see the following message:
Apr 7 10:02:48 localhost sshd[8388]: pam_unix(sshd:setcred): Unknown option: `shadow' Apr 7 10:02:48 localhost sshd[8388]: pam_unix(sshd:setcred): Unknown option: `nodelay' Apr 7 10:02:48 localhost sshd[8390]: pam_unix(sshd:setcred): Unknown option: `shadow' Apr 7 10:02:48 localhost sshd[8390]: pam_unix(sshd:setcred): Unknown option: `nodelay'

Edit your /etc/pam.d/sshd and change the following lines:
auth required /lib/security/pam_unix.so shadow nodelay
to
auth required /lib/security/pam_unix.so

and

password required /lib/security/pam_unix.so shadow nullok use_authtok
to
password required /lib/security/pam_unix.so use_authtok

Thats it!