
Linux cheat-sheet: reminders and tips for the memory challenged


CentOS 5.7 LAMP Server with PHP 5.3

Using the default CentOS repos, you'll end up with something like PHP 5.1.x, which may not be to your liking. Here is a link to a very clear guide for installing a more current LAMP stack, including PHP 5.3, Apache 2.2.3, and MySQL 5.0. If you want to set this up on a server with an existing stack, be sure to uninstall all the component packages first.

Here is the link: http://www.if-not-true-then-false.com/2010/lamp-linux-apache-mysql-php-on-fedora-centos-red-hat-rhel/



Install PHPUnit on CentOS 5.7

Zend Framework requires PHPUnit in order to create tools for new projects. If ZF is unable to find phpunit, you will see a message after creating a project indicating that no tools were created. I made quite a few Google searches on the precise error, but found nothing that helped. I had already installed PHPUnit from the pear.phpunit.de channel, and PHPUnit was within PHP's include_path, but for some reason ZF just would not see it. Here is what fixed it...

	# pear channel-discover pear.phpunit.de
	# pear channel-discover pear.symfony-project.com
	# pear channel-discover components.ez.no
	
	# pear install --alldeps phpunit/PHPUnit


Miscellaneous Quick Commands

Sync a local file (destfile) with a remote file (sourcefile) using rsync over ssh on a non-default port:
    rsync -av -e 'ssh -p {port}' user@host:/path/to/sourcefile /path/to/destfile

Recursively copy all .txt files to a specified directory (easily modified by tinkering with the find parameters):
    find . -type f -iname "*.txt" | while read file; do cp "$file" [targetdir]; done

Create a local copy of a website with wget, fixing up links to be relative as needed (this example will grab everything under /~along):
    wget -r -k -np -p -l 0 http://example.org/~along

Sort [file], omitting commented lines:
    cat [file] | sed '/^\#/d' | sort


Network Masks

Short Form   Full Form         No. Machines   Comment
/8           255.0.0.0         16,777,215     Used to be called an `A-class'
/16          255.255.0.0       65,535         Used to be called a `B-class'
/17          255.255.128.0     32,767
/18          255.255.192.0     16,383
/19          255.255.224.0     8,191
/20          255.255.240.0     4,095
/21          255.255.248.0     2,047
/22          255.255.252.0     1,023
/23          255.255.254.0     511
/24          255.255.255.0     255            Used to be called a `C-class'
/25          255.255.255.128   127
/26          255.255.255.192   63
/27          255.255.255.224   31
/28          255.255.255.240   15
/29          255.255.255.248   7
/30          255.255.255.252   3
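The table above can be computed rather than memorized. This added example (not from the original page) derives the dotted mask from the prefix length by bit arithmetic and back again, gives the block size (one more than the table's "No. Machines" column, since that column omits one address) and the usable host count, and checks whether two addresses share a subnet.

```python
"""Added example (not from the original page): prefix length <-> dotted mask
by bit arithmetic, plus block size, usable hosts and a same-subnet check."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def mask_from_prefix(prefix):
    """/17 -> '255.255.128.0': the top `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    bits = (ALL_ONES << (32 - prefix)) & ALL_ONES
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_from_mask(mask):
    """'255.255.255.252' -> 30; rejects masks whose one-bits are not contiguous."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError("not a valid netmask (non-contiguous ones): %s" % mask)
    return ones


def block_size(prefix):
    """Total addresses in the block, network and broadcast included.
    The table's 'No. Machines' column is this value minus one."""
    return 1 << (32 - prefix)


def usable_hosts(prefix):
    """Addresses that can be assigned to hosts: network and broadcast are
    reserved up to /30; a /31 is a two-host point-to-point link (RFC 3021);
    a /32 is a single host."""
    if prefix <= 30:
        return block_size(prefix) - 2
    return 2 if prefix == 31 else 1


def same_subnet(addr_a, addr_b, prefix):
    """True when both addresses fall inside the same /prefix block."""
    mask = int(ipaddress.IPv4Address(mask_from_prefix(prefix)))
    a = int(ipaddress.IPv4Address(addr_a))
    b = int(ipaddress.IPv4Address(addr_b))
    return (a & mask) == (b & mask)


if __name__ == "__main__":
    for p in (8, 16, 17, 24, 30):
        print("/%-2d %-15s %10d addresses, %8d usable"
              % (p, mask_from_prefix(p), block_size(p), usable_hosts(p)))
```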


Permissions

Numeric (octal) representation

Octal digit   Text equivalent   Binary value   Meaning
0             ---               000            All types of access are denied
1             --x               001            Execute access is allowed only
2             -w-               010            Write access is allowed only
3             -wx               011            Write and execute access are allowed
4             r--               100            Read access is allowed only
5             r-x               101            Read and execute access are allowed
6             rw-               110            Read and write access are allowed
7             rwx               111            Everything is allowed

chmod textual permissions

u Sets permissions for the owner of the file, e.g.: "u+w" allows the owner to write to the file
g Sets permissions for the group (to which owner belongs), e.g. "g-x" suppresses the execution of the file by the group
o Sets permissions for other users (that are not in group), e.g.: "o=r" allows others only to read the file
a Sets permissions for all (owner, group and others), e.g.: "a-w" disables write access to the file for everyone
= Assigns the permissions, e.g. "a=rw", sets read and write permissions and disables execution for all
- Removes the listed permission bits, leaving every other bit untouched. E.g. "a-x" disables execution of the file for everyone but does not touch the read and write permissions.
+ Adds the listed permission bits, leaving every other bit untouched. E.g. "a+x" allows execution of the file for everyone but does not touch the read and write permissions.
r Sets read permissions
w Sets write permissions
x Sets execute permissions
t Sets sticky bit, e.g. "o+t" sets sticky bit for a file
s Sets SUID or SGID. E.g.: "u+s" sets SUID, "g+s" sets SGID.
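To see how the who/operator/permission letters in the table combine, here is an added example (not from the original page): a simplified model of chmod's symbolic modes applied to a numeric mode. It follows the page's table (u+s is SUID, g+s is SGID, o+t is the sticky bit; "=" replaces everything a class owns) and does not model GNU chmod's directory-specific corner cases.

```python
"""Added example (not from the original page): a simplified model of chmod's
symbolic modes -- who (u/g/o/a), operator (+/-/=), permissions (r/w/x/s/t) --
applied to a numeric mode, with a text rendering of the result."""
import stat

# Shift that moves an rwx triplet (r=4, w=2, x=1) into each class's position.
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}
# The special bit each class controls: u -> SUID, g -> SGID, o -> sticky.
SPECIAL = {"u": stat.S_ISUID, "g": stat.S_ISGID, "o": stat.S_ISVTX}
PERM_BITS = {"r": 4, "w": 2, "x": 1}


def _requested_bits(who, perms):
    """Bits named by a permission string such as 'rw' or 'xs' for one class."""
    bits = 0
    for p in perms:
        if p in PERM_BITS:
            bits |= PERM_BITS[p] << WHO_SHIFT[who]
        elif p == "s" and who in ("u", "g"):
            bits |= SPECIAL[who]        # "u+s" -> SUID, "g+s" -> SGID
        elif p == "t" and who == "o":
            bits |= stat.S_ISVTX        # "o+t" -> sticky bit
        elif p not in "st":             # 's' on o or 't' on u/g has no bit to set
            raise ValueError("unknown permission letter: %r" % p)
    return bits


def _owned_bits(who):
    """Every bit one class owns: its rwx triplet plus its special bit."""
    return (0o7 << WHO_SHIFT[who]) | SPECIAL[who]


def apply_symbolic(mode, spec):
    """Apply a comma-separated symbolic spec like 'u+s,g-x' to an octal mode."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        if i == len(clause) or clause[i] not in "+-=":
            raise ValueError("bad clause: %r" % clause)
        who, op, perms = clause[:i], clause[i], clause[i + 1:]
        classes = "ugo" if (not who or "a" in who) else who   # no class given means 'a'
        for w in classes:
            bits = _requested_bits(w, perms)
            if op == "+":
                mode |= bits
            elif op == "-":
                mode &= ~bits
            else:                       # '=' replaces everything the class owns
                mode = (mode & ~_owned_bits(w)) | bits
    return mode & 0o7777


def mode_string(mode):
    """Render as ls would for a regular file, e.g. 0o4755 -> '-rwsr-xr-x'."""
    return stat.filemode(stat.S_IFREG | (mode & 0o7777))


if __name__ == "__main__":
    for start, spec in ((0o644, "u+x"), (0o755, "g-x"), (0o777, "a=rw"),
                        (0o755, "u+s,g+s"), (0o777, "o+t")):
        result = apply_symbolic(start, spec)
        print("%04o %-8s -> %04o %s" % (start, spec, result, mode_string(result)))
```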

user ID, group ID, sticky bit

SUID or setuid: set user ID on execution. If the setuid bit is set, a process that executes the file runs with the rights of the file's owner rather than those of the user who ran it.
SGID or setgid: set group ID on execution. Same as above, but the process runs with the rights of the file's group. On a directory it also means that a new file created in the directory inherits the group of the directory (and not of the user who created the file).
Sticky bit: It was originally used to make a program's image "stick" in memory after it finished; that usage is obsolete. Today its use is system dependent, and it is mostly set on directories to prevent users from deleting files that belong to other users in a directory where they have write access.

Changing permissions with find

You can use these commands to set 755 on directories and 644 on files. THIS IS RECURSIVE!

find -type f -print -exec chmod 644 {} \;
find -type d -print -exec chmod 755 {} \;

To prevent find from descending into subdirectories, use "-maxdepth 1".
Example:
> find -maxdepth 1 -type d -print (finds all directories in the current directory and prints them to screen)

Permissions required for web server

The Web server assigns the rights of the web-server-specific user, typically user "nobody" (RH) or "www-data" (DEB) to the connected web client, as if "nobody" is connected to the web server. "Nobody" inherits permissions that "others" have to your files.

For generic files such as html or images you usually need 644 permissions because "nobody" needs to read the file, hence 4 (read only) permissions for both group and others. For yourself (owner) you need rights to read and write (hence 6).

For scripts you need 755: the script is then readable and executable by "nobody" (and by the group) and writable only by the owner.

To quickly find the user and group your web server runs as:

grep '^User' /etc/apache2/apache2.conf; grep '^Group' /etc/apache2/apache2.conf (Apache on Ubuntu)
or grep '^User' /etc/httpd/conf/httpd.conf; grep '^Group' /etc/httpd/conf/httpd.conf (Apache on RH)

umask

This is quoted from the ProFTPD documentation.

As for a umask, this is the REVERSE of the permissions: -rwxr-x--- is 750. The REVERSE of the umask is 027 (-----w-rwx). I guess you could think of a umask as the permissions to TAKE AWAY from a file. Setting one's umask to 027 would make it so any file you create will be created with the permissions 027 REMOVED from the file. Like:

        -rwxrwxrwx 
  minus -----w-rwx 
__________________ 
 equals -rwxr-x---

What is a umask that will create 775? 002 Want to know how you can tell? 777; where each 7 is equal to rwx, therefore 002 is 775. So, then 775 = -rwxrwxr-x Where the r = 4 the w = 2 and the x = 1 ------ 7 HTH, -Sneex- :] (Note that the leading 0 is assumed -- yes it's octal :)
The permissions are a combination of the following values: 1=eXecute, 2=Write, 4=Read. To get the mask just subtract each value from 7:

        777
      - 755
        ---
        022 - This is the umask that you want.

Line numbering with nl

> nl [file]

sed

The way you usually use sed is as follows:

> sed -e 'command1' -e 'command2' -e 'command3' file
> {shell command}|sed -e 'command1' -e 'command2' 
> sed -f sedscript.sed file
> {shell command} | sed -f sedscript.sed

sed examples

# delete leading whitespace (spaces, tabs) from front of each line
# aligns all text flush left
sed 's/^[ \t]*//'       # see note on '\t' below

# substitute (find and replace) "foo" with "bar" on each line
sed 's/foo/bar/'             # replaces only 1st instance in a line
sed 's/foo/bar/4'            # replaces only 4th instance in a line
sed 's/foo/bar/g'            # replaces ALL instances in a line
sed 's/\(.*\)foo\(.*foo\)/\1bar\2/' # replace the next-to-last case
sed 's/\(.*\)foo/\1bar/'            # replace only the last case

# if a line ends with a backslash, append the next line to it
sed -e :a -e '/\\$/N; s/\\\n//; ta'

# delete ALL blank lines from a file (same as "grep '.' ")
sed '/^$/d'                           # method 1
sed '/./!d'                           # method 2

# delete all CONSECUTIVE blank lines from file except the first; also
# deletes all blank lines from top and end of file (emulates "cat -s")
sed '/./,/^$/!d'          # method 1, allows 0 blanks at top, 1 at EOF
sed '/^$/N;/\n$/D'        # method 2, allows 1 blank at top, 0 at EOF

# print only lines which match regular expression (emulates "grep")
sed -n '/regexp/p'           # method 1
sed '/regexp/!d'             # method 2


USE OF '\t' IN SED SCRIPTS: For clarity in documentation, we have used
the expression '\t' to indicate a tab character (0x09) in the scripts.
However, most versions of sed do not recognize the '\t' abbreviation,
so when typing these scripts from the command line, you should press
the TAB key instead [or CNTRL-V + TAB]. '\t' is supported as a 
regular expression metacharacter in awk, perl, and HHsed, sedmod, 
and GNU sed v3.02.80.


The sed regular expressions are essentially the same as the grep regular
expressions. They are summarized below. Note that the following operators
must be escaped with backslashes in sed's basic syntax:

curlies \{ \}, round brackets \( \), vertical bars \|, plus \+, question mark \?
(star * is special without a backslash; \* matches a literal star. \+, \? and \|
are GNU extensions.)

^                       matches the beginning of the line
$                       matches the end of the line
.                       dot matches any single character
(char)*                 match zero or more occurrences of (char or something)
(char)\+                match one or more occurrences of (char or something)
(char)\?                match 0 or 1 occurrence of (char)
[abcdef]                match any character enclosed in [] (in this instance, a b c d e or f);
                        ranges of characters such as [a-z] are permitted. The behaviour of this
                        deserves more description; see the page on grep for more details about
                        the syntax of lists. To include `]' in the list, make it the first char;
                        to include `-' in the list, make it the first or last.
[^abcdef]               match any character NOT enclosed in [] (in this instance, any
                        character other than a b c d e or f)
(char)\{m,n\}           match m to n repetitions of (char)
(char)\{m,\}            match m or more repetitions of (char)
(char)\{,n\}            match n or fewer (possibly 0) repetitions of (char)
(char)\{n\}             match exactly n repetitions of (char)
\(expression\)          group operator. Also memorizes the match into numbered registers
                        for use as backreferences \1 \2 .. \9
\n                      backreference - matches the nth group
expression1\|expression2  matches expression1 or expression2. Works with
                        GNU sed, but this feature might not work with other forms of sed.
\1 \2 ...\9             backreference, matches the i-th memorized \(..\)

Monster sed cleanup command

Cleans comments, consecutive blank lines and leading whitespace:

cat [file] | sed -e 's/^[ \t]*//' -e '/^\#/d' -e '/./,/^$/!d' | less

Remove lines with a leading comment '#', whether or not preceded by whitespace. The trailing substitution also strips a '#' comment that follows whitespace; a '#' with no blank in front of it is left alone. The leading 1p prints the first line once more before the filters run, so a commented first line such as a shebang still appears in the output (a non-comment first line is printed twice).

sed '1p; /^[[:blank:]]*#/d; s/[[:blank:]][[:blank:]]*#.*//'

Here's another cleanup for removing comments and blank lines that seems to work quite well:

sed -e '1p; /^[[:blank:]]*#/d; s/[[:blank:]][[:blank:]]*#.*//' -e '/./!d'

Processing multiple files with sed

Execute something like this from the directory containing the files (this is csh/tcsh foreach syntax; bash uses for ... do ... done):

        foreach file (*dat)
        sed '/^\#/d' $file > tt
        mv tt $file
        end

Sed script to capitalize words

From sourceforge.net (http://sed.sourceforge.net/grabbag/scripts/cflword5.sed)

#! /bin/sed -f

# capit.sed -- capitalize words 
# 
# $Id: capit.sed,v 1.4 1998/07/06 20:32:46 cdua Exp $
# Carlos Duarte, 970519

# split words into \n word
s/[a-zA-Z][a-zA-Z]\+/\
&/g

# add conversion table: \n\n table
# table format: <to-char> <from-char>
s/$/\
\
AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz/

# subs every lower case first char
ta
:a
s/\n\(.\)\(.*\n\n.*\)\([A-Z]\)\1/\3\2\3\1/
ta

# cleanup...
s/\n\n.*//
s/\n//g

vi

Just a few...

h : left
j : down
k : up
l : right
0 : move to beginning of current line
$ : move to last character of current line
H : move to home position on screen
L : move to last line on screen
CNTRL-d : scroll down half-screen
CNTRL-u : scroll up half-screen
CNTRL-f : move forward one screen
CNTRL-b : move back one screen
/reg_exp : move to next occurrence of reg_exp
/[enter] : repeat forward search
?reg_exp : move back to previous occurrence of reg_exp
N : repeat back search

dw : Delete "small" word forward
d3w : Delete three "small" words forward
3dw : Three times, delete "small" word forward
3d3w : Three times, delete three "small" words forward (that is, delete nine "small" words forward)
d+ : Delete current line and next line down
d/the : Delete from current character up to but not including the next occurrence of the pattern the
d$ : Delete to end of line
d0 : Delete to beginning of line
d30G : Delete from the current line to and including Line 30
dG : Delete from current line to and including last line
d1G : Delete from current line to and including Line 1

cc : Change current line
5cc : Change five lines (current and next four)
c/the : Change from current character up to but not including the next occurrence of the pattern the
c$ : Change to end of line
c30G : Change from the current line to and including Line 30
cG : Change from current line to and including last line
c1G : Change from current line to and including Line 1

:se nu! : toggle line numbers

postfix

Broken SMTPD greeting on postfix behind Cisco PIX firewall

If your postfix MTAs are behind a PIX firewall and you see a garbled greeting when you telnet to port 25, try disabling the smtp fixup protocol on your PIX:

        > enable
        > config t
        > no fixup protocol smtp 25
        > exit
        > write mem
        > exit

Switching from sendmail to postfix (RH, RHEL, CentOS)

Install "system-switch-mail" with yum and then run it. This should work for all RH based systems. You will still need to check your postfix configuration (/etc/postfix/main.cf).

Set postfix to use alternate smtpd client port

By default postfix listens on port 25, the standard smtp port. To change this (or add another port), edit /etc/postfix/master.cf:

smtp            inet    n       -       n       -       -       smtpd
#submission     inet    n       -       n       -       -       smtpd

To change the listening smtpd port to 587 (standard alternate smtp port) modify to look like this:

#smtp            inet    n       -       n       -       -       smtpd
submission     inet    n       -       n       -       -       smtpd

You can also add a port (be sure to include "smtpd" in the last field). Don't forget to update your firewall!

Note: the format of master.cf: each line contains 8 fields separated by whitespace, so tabs or spaces are both OK.

Postfix log stats with pflogsumm by James Seymour

pflogsumm is a nifty perl script which generates "an over-view of postfix activity, with just enough detail to give the administrator a "heads up" for potential trouble spots." Installation is a snap; I run it via crontab and send the output via email. Here's a sample crontab entry which will run the script every two hours.

0 0,2,4,6,8,10,12,14,16,18,20,22 * * * pflogsumm -d today /var/log/maillog 2>&1 \
| mail -s "pflogsumm for [HOST]" [user or email address]

MySQL

Change root password after installation

> mysqladmin -u root password 'newpassword'

Remove anonymous accounts after installation

mysql> use mysql;
mysql> delete from user where user = '';

Run FLUSH PRIVILEGES afterwards so that a change made directly to the grant tables takes effect without a restart.

Search and replace in a mysql query

mysql> UPDATE [table_name] SET [field_name] = REPLACE
    ->([field_name],'[string_to_find]','[string_to_replace]');

Load a csv file into MySQL database

mysql> LOAD DATA INFILE 'file.csv' INTO TABLE [table_name]
    -> FIELDS TERMINATED BY ','
    -> LINES TERMINATED BY '\r\n' ; # windows style return+linefeed

The file is read by the server process, so the path is on the MySQL host and the account needs the FILE privilege; use LOAD DATA LOCAL INFILE for a file that sits on the client side.

Find and remove duplicates from MySQL

There are many ways to handle this task, and the following is a little exercise I went through to better understand one of them. The method works well.

We start with a table 'mail' which contains duplicate data in the email column. Since we don't want to send multiple mails to the same address, we need to clean up a bit.

mysql> select * from mail;
+----+-------+-------+----------------+-------+-------+
| id | first | last  | email          | text1 | text2 |
+----+-------+-------+----------------+-------+-------+
|  1 | John  | Jay   | jjay@mail.com  |       |       | 
|  2 | John  |       | jjay@mail.com  |       |       | 
|  3 |       | Jay   | jjay@mail.com  |       |       | 
|  4 | Mary  | Berry | mary@mail.com  |       |       | 
|  5 | Rich  | Ray   | rich@money.com |       |       | 
|  6 | Ed J. | Jones | ed@jones.com   |       |       | 
|  7 | Ed    | Jones | ed@jones.com   |       |       | 
+----+-------+-------+----------------+-------+-------+
7 rows in set (0.00 sec)

Here is one way to perform a query to obtain the number of rows containing each email value.

mysql> select first,last,email,count(*) as email_count
    -> from mail
    -> group by email;
+-------+-------+----------------+-------------+
| first | last  | email          | email_count |
+-------+-------+----------------+-------------+
| Ed J. | Jones | ed@jones.com   |           2 | 
| John  | Jay   | jjay@mail.com  |           3 | 
| Mary  | Berry | mary@mail.com  |           1 | 
| Rich  | Ray   | rich@money.com |           1 | 
+-------+-------+----------------+-------------+
4 rows in set (0.00 sec)

Note that the values for our uncounted columns do not do us much good here; they only reflect the values from one row of each duplicate group. Here is another way of displaying the duplicates. Note that we must have a unique id field to work with.

mysql> select max(id) as dupid,count(email) as dupcnt
    -> from mail
    -> group by email having dupcnt>1;
+-------+--------+
| dupid | dupcnt |
+-------+--------+
|     7 |      2 | 
|     3 |      3 | 
+-------+--------+
2 rows in set (0.00 sec)

Now, delete the [max(id)] row with duplicate data in the 'email' column...

mysql> delete mail 
    -> from mail, 
    -> (select max(id) as dupid,first,last,count(email) as dupcnt 
    -> from mail 
    -> group by email 
    -> having dupcnt>1) as dups 
    -> where mail.id=dupid;
Query OK, 2 rows affected (0.00 sec)

Running the dupe-check again, we now see only one duplicate...

mysql> select max(id) as dupid,first,last,count(email) as dupcnt 
    -> from mail 
    -> group by email 
    -> having dupcnt>1;
+-------+-------+------+--------+
| dupid | first | last | dupcnt |
+-------+-------+------+--------+
|     2 | John  | Jay  |      2 | 
+-------+-------+------+--------+
1 row in set (0.00 sec)

Run the delete-dupe query once more...

mysql> delete mail 
    -> from mail, 
    -> (select max(id) as dupid,first,last,count(email) as dupcnt 
    -> from mail 
    -> group by email 
    -> having dupcnt>1) as dups 
    -> where mail.id=dupid;
Query OK, 1 row affected (0.00 sec)

...And the table is clean...

mysql> select * from mail;
+----+-------+-------+----------------+-------+-------+
| id | first | last  | email          | text1 | text2 |
+----+-------+-------+----------------+-------+-------+
|  1 | John  | Jay   | jjay@mail.com  |       |       | 
|  4 | Mary  | Berry | mary@mail.com  |       |       | 
|  5 | Rich  | Ray   | rich@money.com |       |       | 
|  6 | Ed J. | Jones | ed@jones.com   |       |       | 
+----+-------+-------+----------------+-------+-------+
4 rows in set (0.00 sec)

NOTE!: The delete query only removes one duplicate record per group on each pass; our largest group had 3 copies, so we had to run the query twice.

Let's see what another pass would do if we overshot and ran the delete query again...

mysql> delete mail 
    -> from mail, 
    -> (select max(id) as dupid,first,last,count(email) as dupcnt 
    -> from mail 
    -> group by email 
    -> having dupcnt>1) as dups 
    -> where mail.id=dupid;
Query OK, 0 rows affected (0.00 sec)

No harm done!
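The same procedure replayed end to end, as an added example that is not part of the original page: the sample table is reconstructed in an in-memory SQLite database, the max(id)-per-group delete is repeated until a pass affects 0 rows (the check the page performs by hand), and a single-statement alternative that keeps the lowest id per email is shown for comparison. SQLite lets the subquery read the table being deleted from; MySQL does not (error 1093), which is why the page wraps the subquery in a derived table.

```python
"""Added example (not from the original page): the page's dedupe procedure
replayed in SQLite on constructed data, one pass at a time, plus a
single-pass alternative with the same end result."""
import sqlite3

# Constructed sample matching the page's 'mail' table before cleanup.
ROWS = [
    (1, "John", "Jay", "jjay@mail.com"),
    (2, "John", "", "jjay@mail.com"),
    (3, "", "Jay", "jjay@mail.com"),
    (4, "Mary", "Berry", "mary@mail.com"),
    (5, "Rich", "Ray", "rich@money.com"),
    (6, "Ed J.", "Jones", "ed@jones.com"),
    (7, "Ed", "Jones", "ed@jones.com"),
]


def load_table():
    """In-memory copy of the sample table; id is unique, which the method relies on."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE mail (id INTEGER PRIMARY KEY, first TEXT, last TEXT, email TEXT)")
    con.executemany("INSERT INTO mail VALUES (?, ?, ?, ?)", ROWS)
    con.commit()
    return con


def find_dupes(con):
    """The page's dupe-check: (max id, count) for every email seen more than once."""
    return con.execute(
        "SELECT MAX(id) AS dupid, COUNT(email) AS dupcnt FROM mail "
        "GROUP BY email HAVING COUNT(email) > 1 ORDER BY dupid"
    ).fetchall()


def delete_one_pass(con):
    """One pass of the page's query: drop the max(id) row of each duplicate group.
    Returns the number of rows deleted (0 once the table is clean)."""
    cur = con.execute(
        "DELETE FROM mail WHERE id IN ("
        "  SELECT MAX(id) FROM mail GROUP BY email HAVING COUNT(email) > 1)"
    )
    con.commit()
    return cur.rowcount


def dedupe_iteratively(con):
    """Repeat the pass until it affects 0 rows. The page did this by hand and
    needed two passes because its largest group had three copies."""
    deleted_per_pass = []
    while True:
        n = delete_one_pass(con)
        deleted_per_pass.append(n)
        if n == 0:
            return deleted_per_pass          # e.g. [2, 1, 0] for the sample


def dedupe_single_pass(con):
    """Same end result in one statement: keep the lowest id of every email."""
    cur = con.execute(
        "DELETE FROM mail WHERE id NOT IN (SELECT MIN(id) FROM mail GROUP BY email)"
    )
    con.commit()
    return cur.rowcount


def remaining_ids(con):
    """Ids still present, in order; the sample should end at [1, 4, 5, 6]."""
    return [row[0] for row in con.execute("SELECT id FROM mail ORDER BY id")]


if __name__ == "__main__":
    con = load_table()
    print("dupes before:", find_dupes(con))
    print("rows deleted per pass:", dedupe_iteratively(con))
    print("ids left:", remaining_ids(con))
```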


Wireless

Fedora Core 6 WLAN with D-Link WDA-2320 Wireless Adaptor (PCI) and D-Link WBR-2310 Wireless Router

Requirements: madwifi, Wireless Tools (iwconfig), wpa_supplicant (wpasupplicant), root access

Note: I tried first using the madwifi rpm (sudo yum install madwifi) available at livna. For some reason, I could not get this working. I then removed the rpm (sudo yum erase madwifi) and tried building from source, which worked.

After a successful install of madwifi, lsmod should return something like this:

    ath_rate_sample         15872   1
    ath_pci                 93984   0
    wlan                   188356   5       wlan_tkip,wlan_scan_sta,ath_rate_sample,ath_pci
    ath_hal                195536   3       ath_rate_sample,ath_pci

Use the documents at madwifi.org to install and configure:
- Requirements: http://madwifi.org/wiki/Requirements
- MadWifi 'First Time User' HOWTO: http://madwifi.org/wiki/UserDocs/FirstTimeHowTo
- Setting up a Client Using WPA-PSK: http://madwifi.org/wiki/UserDocs/802.11i

Bring up the wlan interface:

> ifconfig ath0 up

Scan for AP's:
Load the scanning module:

> modprobe wlan_scan_sta

Perform the scan:

> iwlist ath0 scan

Connect with dhcp:

> dhclient ath0

Connect with WPA:

> wpa_supplicant -Bw -Dwext -iath0 -c/etc/wpa_supplicant.conf 

(assuming you have already set up wpasupplicant and created the configuration file /etc/wpa_supplicant.conf as per the instructions at http://madwifi.org/wiki/UserDocs/802.11i)

Although I was able to acquire an IP via dhcp, I was unable to ping the gateway (or WAN) after bringing down eth0. Running /sbin/route made clear why; my default route was bound to interface eth0. Solution: after bringing down eth0 do:

> /sbin/route add default gw [ip.of.gateway]
(This only needs to be done once.)

Putting this all together, we can do the following after a reboot:

> sudo ifconfig ath0 up # (bring up the interface)
> sudo /usr/sbin/wpa_supplicant -Bw -Dwext -iath0 -c/etc/wpa_supplicant.conf # (connect with WPA)
> sudo dhclient ath0 # (request an ip address)

To scan for APs using iwlist, part of the Wireless Tools:

> iwlist ath0 scan

GRUB et al.

Get UUID of hard disks

Ubuntu typically uses disk UUIDs in /etc/fstab. Here's a command to retrieve them:

> ls -l /dev/disk/by-uuid

crontab

Crontab is used to schedule commands which cron will run at designated times. Be aware that some systems may use alternate packages for scheduling, such as anacron or vixiecron. Here are the basics...

Two files govern who may use cron: cron.allow and cron.deny. If cron.allow exists, and you are listed in it, you may use cron. If that file does not exist, you may use cron so long as you are not listed in cron.deny. If neither file exists, only root may use cron. The format of cron.allow/deny is very straight-forward; a single username on each new line.

Crontab may be executed with the following parameters:

 crontab -e             # edit your crontab
 crontab -l             # display your crontab
 crontab -r             # remove your crontab
 crontab -v             # display when the last edit was performed

The syntax of a crontab file:

*     *     *     *     *  /path/to/executable
-     -     -     -     -
|     |     |     |     |
|     |     |     |     +----- day of week (0 - 6) (Sunday=0)
|     |     |     +----------- month (1 - 12)
|     |     +----------------- day of month (1 - 31)
|     +----------------------- hour (0 - 23)
+----------------------------- min (0 - 59)

A * in a field means every legal value for that column (the ranges shown in parentheses above). A field can hold a * or a comma-separated list of elements; an element is either a single number within the column's range or two such numbers separated by a hyphen (an inclusive range).

By default cron mails the output of a job to the user account that runs it. If this is not needed, append "> /dev/null 2>&1" (without the quotes) to the end of the cron job line.

Cron may be used to call scripts or executables; scripts can also be placed directly in /etc/cron.daily/, /etc/cron.weekly/, or /etc/cron.monthly/.
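To check that an entry fires when you think it does, here is an added example (not from the original page): it expands the five time fields (*, lists, inclusive ranges) as described above and tests whether a line would run in a given minute, using the pflogsumm entry from the postfix section as the sample. It also models Vixie cron's rule that when both day-of-month and day-of-week are restricted, the job runs when either one matches.

```python
"""Added example (not from the original page): expand the five crontab time
fields and test whether an entry fires at a given minute."""
from datetime import datetime

# (lowest, highest) legal value of each field, in crontab order.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def expand_field(spec, lo, hi):
    """'*' -> every legal value, 'a,b,c' -> those values, 'a-b' -> inclusive
    range, and comma-separated mixes of these. Returns a set of ints."""
    values = set()
    for elem in spec.split(","):
        if elem == "*":
            values.update(range(lo, hi + 1))
        elif "-" in elem:
            first, last = (int(x) for x in elem.split("-", 1))
            if not lo <= first <= last <= hi:
                raise ValueError("range %s outside %d-%d" % (elem, lo, hi))
            values.update(range(first, last + 1))
        else:
            n = int(elem)
            if not lo <= n <= hi:
                raise ValueError("value %s outside %d-%d" % (elem, lo, hi))
            values.add(n)
    return values


def parse_entry(line):
    """Split a crontab line into its five expanded time fields and the command."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("expected five time fields followed by a command")
    fields = [expand_field(p, lo, hi) for p, (lo, hi) in zip(parts[:5], FIELD_RANGES)]
    restricted = [p != "*" for p in parts[:5]]
    return {"fields": fields, "restricted": restricted, "command": parts[5]}


def fires_at(entry, when):
    """Would cron start this entry in the minute `when` (a datetime or a
    'YYYY-MM-DD HH:MM' string)? cron counts Sunday as 0, Python's weekday()
    counts Monday as 0, hence the shift."""
    if isinstance(when, str):
        when = datetime.strptime(when, "%Y-%m-%d %H:%M")
    minute, hour, dom, month, dow = entry["fields"]
    dom_ok = when.day in dom
    dow_ok = (when.weekday() + 1) % 7 in dow
    if entry["restricted"][2] and entry["restricted"][4]:
        day_ok = dom_ok or dow_ok      # Vixie cron: either restricted day field matches
    else:
        day_ok = dom_ok and dow_ok
    return when.minute in minute and when.hour in hour and when.month in month and day_ok


# The page's pflogsumm entry (every two hours, on the hour), command shortened.
PFLOGSUMM_LINE = "0 0,2,4,6,8,10,12,14,16,18,20,22 * * * pflogsumm -d today /var/log/maillog"


if __name__ == "__main__":
    entry = parse_entry(PFLOGSUMM_LINE)
    for stamp in ("2011-12-04 14:00", "2011-12-04 15:00", "2011-12-04 14:30"):
        print(stamp, "->", fires_at(entry, stamp))
```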


SSH quick reference

Tunnel port 10000 (webmin) on webminhost to port 443 on localhost via ssh (port 2222) on gateway.example.com, i.e. securely connect to the webmin server on webminhost when I only have access to the gateway. (Binding a local port below 1024, such as 443, requires root.)

> ssh -p 2222 -L 443:webminhost:10000 user@gateway.example.com

Tunnel port 3306 (MySQL) on mysqlhost to port 5001 on localhost via direct ssh connection with mysqlhost, this time using the default ssh port of 22.

> ssh  -L 5001:localhost:3306 user@mysqlhost.example.com

Tunnel two ports with one command... in this case pop (110) and smtp (25). The -N flag instructs ssh not to execute remote commands.

> ssh -L 110:mailhost:110 -L 25:mailhost:25 -l user -N mailhost

Proxy Web traffic over SSH tunnel (CYGWIN)

This method uses an ssh connection established under CYGWIN and OpenSSH to securely tunnel web requests from our Windows box through the secure connection to our Linux box. This is useful if I find myself on a public or untrusted network and I want to secure my web traffic. You must already have a working CYGWIN environment with OpenSSH installed on your Windows box for this to work.

First, open a CYGWIN bash prompt on the Windows box and create the tunnel to our remote Linux server:

> ssh  -ND 9999 user@host.ip.address

Now open Firefox and configure it to use a SOCKS proxy on localhost port 9999. To keep DNS lookups inside the tunnel as well, also enable network.proxy.socks_remote_dns in about:config.

Converting OpenSSH format keys to SSH2 and vice versa

Convert OpenSSH key to SSH2 key (on the server running OpenSSH)

# ssh-keygen -e -f ~/.ssh/id_dsa.pub > ~/.ssh/id_dsa_ssh2.pub

Convert SSH2 key to OpenSSH key (on the server running OpenSSH)

# ssh-keygen -i -f ~/.ssh/id_dsa_1024_a.pub > ~/.ssh/id_dsa_1024_a_openssh.pub

Apache SSL/TLS

This is a very brief outline of configuring Apache for SSL/TLS using openssl and mod_ssl. The setup here may not be ideal, but it worked for me.

1. Make sure the required modules for SSL are installed.

	openssl
	openssl-devel
	mod_ssl (for apache)
	
	The names may be different on your distro.

You may want to edit the openssl.cnf file to change the
default template for new certificates to match your needs.
On my host, this file was in /etc/pki/tls/openssl.cnf.

	countryName_default: put the name of your country
	stateOrProvinceName_default: put the name of your state or province
	localityName_default: put the name of your locality (street? region?)
	0.organizationName_default: put the default organization name
	organizationalUnitName_default: put your organization unit (OU) name

2. Create a new private key

	% cd /etc/httpd/conf.d	(could be elsewhere)
	% openssl genrsa -out ca.key 1024

	This creates a private key in the file ca.key.

3. Generate a CSR (certificate signing request) from the key

	% openssl req -new -key ca.key -out ca.csr
	
	This creates a CSR file named ca.csr using the ca.key key file. You 
	can submit this file to a certification authority and they will create
	a certificate for you (costs $). You may also create a self-signed
	certificate (see #4).

4. Create a self-signed certificate (from the CSR).

	% openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
	
	Note: change the days as required
	
	The certificate will be saved in the file ca.crt. You can use this file 
	in your software & services like apache httpd, postfix, dovecot etc.
	
5. Edit /etc/httpd/conf.d/ssl.conf:

	SSLCertificateFile /path/to/ca.crt
	SSLCertificateKeyFile /path/to/ca.key
	SSLProtocol -all +TLSv1 +SSLv3
	SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
	
	NOTE: the out-of-box configuration is more relaxed. Bear in mind that SSLv3 and
	the MD5-based suites are now deprecated and 1024-bit RSA keys are below current
	minimums, so on a current release prefer TLS-only protocol settings and a
	2048-bit or larger key.

REFERENCES USED:
 1. http://docs.huihoo.com/apache/httpd/apache2.html
 2. http://blog.taragana.com/index.php/archive/openssl-how-to-create-self-signed-certificate/
 3. http://www.securityfocus.com/infocus/1818

rpmnew, rpmsave files and diff

After an update on an rpm based distro, we often see that rpm installs *.rpmnew files (new configuration defaults) or *.rpmsave files (our original configuration file). Unless we deal with these files we risk losing custom configurations and/or consuming disk space with needless clutter.

The first step is simply to locate the files; for this task we can use the find command piped to egrep:

$ find / \( -path /bak -o -path /proc \) -prune -o -print | egrep "rpmnew$|rpmsave$"
  # we omit looking under /bak and /proc
-- OR --
$ find / -path /bak -prune -o -print | egrep "rpmnew$|rpmsave$"
  # we omit looking under /bak

Next we must compare each "pair" of configuration files, i.e., comparing /etc/sudoers (our old file) to /etc/sudoers.rpmnew (the new file installed during the upgrade). Unfortunately I have found no easy way to do this due to the complexity of comparisons. Often, I resort to downloading the pairs to a Windows machine and firing up "Beyond Compare". If the differences are few, a simple diff may suffice.


Windows: non-user input data filter won't install

I recently found my Windows laptop plagued by the appearance of a dialog telling me the HID Non-user input data filter could not be installed. A bit of searching led me to a proposed solution: delete C:\Windows\System32\Drivers\wdf01000.sys and then launch Windows Update, selecting "HID non-user Input data filter" from the hardware section.



Last updated December 4, 2011
