Recently in Security Category

Automating SSH public key pushes with Perl


Automating SSH public key pushes to servers.

The script below uses Expect and SSH to create the .ssh directory on the target server and set its permissions, then uses scp to copy a local temporary file into place as .ssh/authorized_keys (replacing any authorized_keys file already there).

Be sure to set StrictHostKeyChecking=no in the SSH client side config; otherwise the first connection to an unknown host stops at the host key confirmation prompt and Expect never sees the Password: prompt. Keep in mind that this setting also turns off host key verification for the hosts it applies to, so scope it to the hosts you are deploying to rather than setting it globally.

---

#!/usr/bin/perl

use strict;
use warnings;
use English;
use Expect;
use Net::Ping;
use File::Temp qw(tempfile);

# Credentials are embedded in this script, so keep the file readable only by its owner.
my $username = "USER";
my $password = "PASS";
my $homedir  = "/export/home/$username";
my $ssh_dir  = "$homedir/.ssh";
# One authorized_keys entry on a single line: replace with your own public key entry.
my $ssh_pub  = "ssh-dss BLAH BLAH use your own public key file entry here.";

if ( ! $ARGV[0] ) {
        print "Usage: $0 hostname\n";
        exit 1;
}

my $host = $ARGV[0];
my $p    = Net::Ping->new();
if ( $p->ping($host) ) {
	print "Deploying public key to $host \n";
	create_ssh_dir();
	chmod_ssh_dir();
	push_ssh_key();
} else {
	print "Seems $host is not reachable \n";
}
$p->close();

# Spawn one ssh/scp command and answer its password prompt through Expect.
sub run_with_password {
	my ($cmd)   = @_;
	my $timeout = 5;
	my $exp     = Expect->spawn($cmd) or die "Cannot spawn: $cmd\n";
	$exp->expect($timeout, ["Password:"]);
	$exp->send("$password\n");
	$exp->soft_close();
}

sub create_ssh_dir {
	# -p keeps this step harmless when .ssh already exists
	run_with_password("/usr/bin/ssh $username\@$host 'mkdir -p $ssh_dir'");
}

sub chmod_ssh_dir {
	# sshd ignores authorized_keys when .ssh is group- or world-writable;
	# 755 satisfies that, 700 is the more usual choice.
	run_with_password("/usr/bin/ssh $username\@$host 'chmod 755 $ssh_dir'");
}

sub push_ssh_key {
	# File::Temp creates the temp file with a random name and mode 0600,
	# instead of a predictable /tmp/authorized_keys.<pid> path.
	my ($fh, $tmp_file) = tempfile("authorized_keys.XXXXXX", DIR => "/tmp");
	chomp $ssh_pub;
	print $fh "$ssh_pub\n";
	close $fh or die "Unable to write $tmp_file\n";

	# scp replaces any authorized_keys already present on the target.
	run_with_password("/usr/bin/scp $tmp_file $username\@$host:$ssh_dir/authorized_keys");

	unlink $tmp_file;
}
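The script above overwrites authorized_keys wholesale and only sets the directory mode. As an added example (not the post's own code), the shell functions below show the installation step done idempotently: the key line is sanity-checked, .ssh and authorized_keys get the modes sshd requires, and the key is appended only if the same key material is not already present. Paths are parameters, so the functions can be tried on a scratch directory; the key line used in the comments is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: idempotent authorized_keys installation with the permissions
# sshd requires. Not part of the original post.

# key_material KEY_LINE -> "<type> <base64>" with the comment field dropped
key_material() {
    printf '%s\n' "$1" | awk '{ print $1 " " $2 }'
}

# has_authorized_key SSH_DIR KEY_LINE -> 0 if an entry with the same type and
# key material already exists (comments are ignored in the comparison)
has_authorized_key() {
    auth_keys=$1/authorized_keys
    [ -f "$auth_keys" ] || return 1
    km=$(key_material "$2")
    awk -v km="$km" '($1 " " $2) == km { found = 1 } END { exit !found }' "$auth_keys"
}

# install_authorized_key SSH_DIR KEY_LINE
#   returns 0 when the key is present afterwards (added or already there),
#   1 when KEY_LINE does not look like a public key entry
install_authorized_key() {
    ssh_dir=$1; key_line=$2
    # Accept only lines that start with a known key type followed by base64 material.
    case "$key_line" in
        ssh-ed25519\ [A-Za-z0-9+/]*|ssh-rsa\ [A-Za-z0-9+/]*|ecdsa-sha2-nistp[0-9]*\ [A-Za-z0-9+/]*|ssh-dss\ [A-Za-z0-9+/]*) ;;
        *) echo "rejecting malformed key line: $key_line" >&2; return 1 ;;
    esac
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"                   # sshd ignores keys if .ssh is group/world-writable
    touch "$ssh_dir/authorized_keys"
    chmod 600 "$ssh_dir/authorized_keys"
    # Append only when the same key material is absent, so re-runs do not duplicate entries.
    has_authorized_key "$ssh_dir" "$key_line" || printf '%s\n' "$key_line" >> "$ssh_dir/authorized_keys"
    return 0
}

# Usage on a scratch directory (constructed placeholder key, not a real one):
#   install_authorized_key /tmp/demo/.ssh "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey0000000000 ops@example"
```

Comparing on type and key material rather than the whole line is what makes the function safe to re-run: a key re-exported with a different comment does not create a second entry, while a genuinely different key is still added.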

Generating Self Signed Certificate using genkey

yum install crypto-utils -y
genkey --days 365 mail.example.com

Generating Self Signed Certificate

# mkdir selfcert
# cd selfcert

# openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.........................++++++
..................++++++
e is 65537 (0x10001)

# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:New York
Locality Name (eg, city) [Newbury]:New York
Organization Name (eg, company) [My Company Ltd]:Example
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:cert.example.com
Email Address []:support@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=US/ST=New York/L=New York/O=Example/CN=cert.example.com/emailAddress=support@example.com
Getting Private key

# ls
ca.crt  ca.csr  ca.key
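The session above produces a working certificate, but a 1024-bit RSA key is below current minimum key sizes and a certificate that names the host only in the CN (with no subjectAltName) is rejected by modern clients. As an added example (not from the post), the functions below generate the same kind of self-signed certificate in one step with a 2048-bit key, SHA-256 and a subjectAltName, write the private key with owner-only permissions, and check the result. They assume OpenSSL 1.1.1 or newer (for -addext); the directory, hostname and subject values are parameters or constructed placeholders.

```shell
#!/bin/sh
# Added example: self-signed certificate with current defaults, plus checks.
# Not part of the original post; requires OpenSSL 1.1.1+ for -addext.

# make_self_signed DIR HOSTNAME DAYS -> writes DIR/server.key and DIR/server.crt
make_self_signed() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    # umask 077 in a subshell so the private key is created mode 0600.
    (umask 077 && openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
        -days "$days" \
        -subj "/C=US/ST=New York/L=New York/O=Example/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null)
}

# cert_ok CERT HOSTNAME -> 0 if CERT lists HOSTNAME as a DNS SAN and is not expired
cert_ok() {
    cert=$1; host=$2
    openssl x509 -in "$cert" -noout -text | grep -q "DNS:$host" || return 1
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null
}

# key_is_private KEYFILE -> 0 if group and other have no permissions on the key
key_is_private() {
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (constructed hostname):
#   make_self_signed ./selfcert cert.example.com 365
#   cert_ok ./selfcert/server.crt cert.example.com && echo "SAN present, not expired"
```

The SAN check matters because clients match the hostname against subjectAltName and ignore the CN; cert_ok returning 1 for a name that is only in the CN is the failure the one-step generation above avoids.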

Compiling rssh on Solaris

# Disable static linking: it is broken on Solaris
./configure --prefix=/opt/rssh-2.3.2 MAKE=gmake --disable-static

SudoScript on Solaris 10


SudoScript is a pair of Perl scripts (sudoscriptd/sudoshell) that provide an audited shell using sudo. SudoScript, by Howard Owen, can be found at http://www.egbok.com/sudoscript.

Here are my notes to configure SudoScript for Solaris 10.

1 - Change the setlogsock call from "unix" to "stream" in sudoscriptd


#setlogsock 'unix';
setlogsock 'stream';

2 - /etc/shells does not exist on Solaris 10; create a /etc/shells file listing the shells that should be permitted


/bin/sh
/bin/csh
/bin/ksh
/bin/bash

3 - Define the location of your sudo binary in Sudoscript.pm


#$self->{SUDO}="sudo";
$self->{SUDO}="/opt/sfw/bin/sudo";
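The three edits above are simple enough to apply by hand, but they are also easy to apply twice or to the wrong copy. As an added example (not part of the post or of SudoScript itself), the shell functions below apply all three to files whose paths are passed in, commenting out the original line the way the notes show and doing nothing when the change is already present, so they can be tried on scratch copies before touching the installed files. The sudo path and shell list are taken from the notes; the file contents used for testing are constructed.

```shell
#!/bin/sh
# Added example: apply the Solaris 10 SudoScript edits idempotently.
# Not part of the original post or of SudoScript.

# replace_line FILE OLD NEW: comment out the line equal to OLD and insert NEW
# after it. Does nothing if NEW is already present, so re-running is safe.
replace_line() {
    f=$1; old=$2; new=$3
    grep -qxF -- "$new" "$f" && return 0
    awk -v old="$old" -v new="$new" \
        '$0 == old { print "#" $0; print new; next } { print }' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# ensure_shells FILE SHELL...: create FILE if missing and add each shell path once.
ensure_shells() {
    f=$1; shift
    [ -f "$f" ] || : > "$f"
    for s in "$@"; do
        grep -qxF -- "$s" "$f" || printf '%s\n' "$s" >> "$f"
    done
}

# configure_sudoscript SUDOSCRIPTD SUDOSCRIPT_PM SHELLS_FILE SUDO_BIN
# Step 1: syslog socket type; step 2: /etc/shells; step 3: sudo binary path.
configure_sudoscript() {
    replace_line "$1" "setlogsock 'unix';" "setlogsock 'stream';"
    ensure_shells "$3" /bin/sh /bin/csh /bin/ksh /bin/bash
    replace_line "$2" '$self->{SUDO}="sudo";' "\$self->{SUDO}=\"$4\";"
}

# Usage on the installed files (paths assumed; adjust to your install):
#   configure_sudoscript /usr/local/sbin/sudoscriptd /usr/local/lib/perl5/Sudoscript.pm /etc/shells /opt/sfw/bin/sudo
```

Matching the whole line exactly, rather than with a regular expression, is deliberate: the edited line contains $, braces and quotes, and an exact-match comparison in awk avoids having to escape any of them.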

Firewall Rules for NFS


To allow NFS through a firewall, the following services and ports need to be opened on the firewall. Restrict them to the client subnets that need NFS; you should not expose these ports to the public internet.

  1. Sun RPC aka rpcbind 111 tcp/udp
  2. NFS mountd 871 tcp/udp
  3. NFS rquotad 863 tcp/udp
  4. NFS status listen 865 tcp/udp
  5. NFS status send 866 tcp/udp
  6. NFS nfsd 2049 tcp/udp
  7. NFS lockd 4045 tcp/udp
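As an added example (not from the post), the function below turns the list above into accept rules that are limited to one source subnet, which is the practical form of "do not expose these ports to the public internet". It assumes a Linux host using iptables with a default DROP policy on INPUT, and that the NFS helper daemons are pinned to the fixed ports listed above (on Linux, mountd, statd and lockd pick random ports unless the NFS configuration pins them). The subnet in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Added example: iptables accept rules for the NFS ports in the post, limited
# to one client subnet. Not part of the original post.

# Port/name pairs exactly as listed in the post.
NFS_PORTS="111 rpcbind
871 mountd
863 rquotad
865 statd-listen
866 statd-send
2049 nfsd
4045 lockd"

# nfs_rules SUBNET -> prints one ACCEPT rule per port and protocol (tcp and udp),
# each restricted to SUBNET as the source. Nothing is applied; review, then run.
nfs_rules() {
    subnet=$1
    printf '%s\n' "$NFS_PORTS" | while read -r port name; do
        for proto in tcp udp; do
            printf 'iptables -A INPUT -s %s -p %s --dport %s -m comment --comment "NFS %s" -j ACCEPT\n' \
                "$subnet" "$proto" "$port" "$name"
        done
    done
}

# nfs_rule_count SUBNET -> number of rules nfs_rules would print (7 ports x 2 protocols)
nfs_rule_count() {
    nfs_rules "$1" | grep -c .
}

# Usage (constructed subnet): print the rules, inspect them, then pipe to sh.
#   nfs_rules 10.0.0.0/24
```

Every rule carries the source restriction, so a rule set generated this way never opens an NFS port to all sources; if a second client subnet is needed, call nfs_rules once per subnet rather than widening a single rule.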