Category Archives: Unix

ssh-keygen

Scenario: set up ssh keys between two machines so that you do not need a password for something like scp.

First you need a slave user. Run 'adduser' on both machines with the same user name. Make sure the account has a shell, but it should not need password authentication.

On the remote machine, log in as that user (su username) and run ssh-keygen. Afterwards /home/username/.ssh/id_rsa.pub holds the public key, which you need to append to the following file on the remote machine –

/home/username/.ssh/authorized_keys

You then need to ensure the user you created owns all of those files: chown -R username /home/username/.ssh

Do this on both machines.

You can then su username on the local machine and try an scp command; it should not prompt you for a password.

You can then either run a script via that user's crontab, or something like this should work –

su username -c "scp -B remotehost:/etc/somefile /tmp"
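One way to script the key installation and the ownership/permission check from the steps above, as an added example that is not part of the original post. The user name, key line and paths are placeholders; the mode check reflects sshd's StrictModes behaviour, which rejects keys in a group- or world-writable ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key for a
# service account and lock down the ~/.ssh layout the way sshd expects.
# The user name, key line and paths used here are placeholders.

# Append one public-key line to an authorized_keys file, skipping it if the
# exact line is already present, and keep the directory at 700 / file at 600.
install_pubkey() {
    keyline=$1
    authfile=$2
    sshdir=$(dirname "$authfile")
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"
    if ! grep -qxF -- "$keyline" "$authfile"; then
        printf '%s\n' "$keyline" >> "$authfile"
    fi
}

# Return 0 when the .ssh directory, authorized_keys and id_rsa (those that
# exist) are owned by the given user and carry no group/other permission
# bits. sshd (StrictModes) ignores keys in a group/world-writable directory,
# and the same check catches a private key other users could read.
# Prints each problem it finds; uses ls -ld so it works on BSD and Linux.
check_ssh_dir() {
    owner=$1
    sshdir=$2
    rc=0
    for path in "$sshdir" "$sshdir"/authorized_keys "$sshdir"/id_rsa; do
        [ -e "$path" ] || continue
        set -- $(ls -ld "$path")   # $1 = mode string, $3 = owner
        case $1 in
            ????------*) ;;
            *) echo "bad mode $1 on $path (group/other bits set)"; rc=1 ;;
        esac
        if [ "$3" != "$owner" ]; then
            echo "owner of $path is $3, expected $owner"
            rc=1
        fi
    done
    return $rc
}

# Usage (placeholders):
#   install_pubkey "ssh-rsa AAAA... user@host" /home/username/.ssh/authorized_keys
#   check_ssh_dir username /home/username/.ssh || echo "fix permissions first"
```

Run the check on both machines after the chown; a non-zero exit means scp will still prompt for a password (or sshd will log the key file as ignored) until the reported file is fixed.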

Mikrotik Hairpin NAT

I needed to configure some NAT rules on a Mikrotik, but the rules only worked from the outside in. The customer uses split DNS for the domain, so the mail client resolves the local address, and it needed a loopback (hairpin) rule. In the end I wrote the rules into the router using the terminal over ssh.

Here’s an example of forwarding port 25.

Router is on 192.168.1.254

Server is on 192.168.1.250

/ip firewall nat
add chain=dstnat dst-address-type=local protocol=tcp dst-port=25 \
action=dst-nat to-address=192.168.1.250 to-port=25
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
dst-address=192.168.1.250 protocol=tcp dst-port=25 \
out-interface=bridge-local action=masquerade

You can then open up Winbox, go to IP / Firewall / NAT and you will see your new rules.

FreeBSD 10 source tree missing /usr/src/

I recently installed FreeBSD 10, as I broke my server by trying to install a 32bit ESET AV, which is actually all they provide for FreeBSD. Anyway, the source directory /usr/src/ was empty, so I tried to install it using sysinstall.

# sysinstall
bash: sysinstall: command not found

sysinstall has been replaced by bsdinstall in FreeBSD 10, but looking at that it only provides a facility to partition. After some reading I found this thread – http://forums.freebsd.org/viewtopic.php?t=29172

I also read this – https://www.freebsd.org/doc/handbook/svn.html

You need to install subversion first –

# cd /usr/ports/devel/subversion

# make install clean

Once you have this installed you can do a checkout, but you need to find your version of FreeBSD first –

# uname -a

FreeBSD mymailfilter.richsphere.local 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

Check here for the link –

https://svn0.us-west.FreeBSD.org/base/releng/

Mine would be https://svn0.us-west.freebsd.org/base/releng/10.0/

So I ran this – svn checkout https://svn0.us-west.freebsd.org/base/releng/10.0/ /usr/src/

You will need to accept the server's certificate on the first run.
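The release-to-URL step above, scripted so the checkout always matches the running kernel, as an added example that is not part of the original post. It assumes the same svn0.us-west mirror the post uses; releng_url and checkout_running_release are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): derive the releng/ branch URL
# for the running release from `uname -r`, so the checked-out tree matches
# the installed kernel. The mirror host is the one used in the post.
SVN_BASE="https://svn0.us-west.freebsd.org/base"

# Print the releng URL for a release string such as "10.0-RELEASE" or
# "10.0-RELEASE-p3" (uname -r output). Returns 1 for CURRENT/STABLE
# strings, which live under head/ and stable/, not releng/.
releng_url() {
    case $1 in
        [0-9]*.[0-9]*-RELEASE|[0-9]*.[0-9]*-RELEASE-p[0-9]*) ;;
        *) echo "not a release string: $1" >&2; return 1 ;;
    esac
    echo "$SVN_BASE/releng/${1%%-RELEASE*}/"
}

# Check out the tree for the running system into $1 (default /usr/src),
# refusing to run over a non-empty directory so an existing tree is kept.
checkout_running_release() {
    dest=${1:-/usr/src}
    url=$(releng_url "$(uname -r)") || return 1
    if [ -n "$(ls -A "$dest" 2>/dev/null)" ]; then
        echo "$dest is not empty; refusing to check out over it" >&2
        return 1
    fi
    svn checkout "$url" "$dest"
}

# Usage: checkout_running_release /usr/src
```

The function deliberately strips a "-pN" patch suffix, because errata patches live on the same releng/10.0 branch; there is no separate 10.0-p3 branch to check out.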

In my case I needed this to compile sendmail with ssl support, which is a post I created some time ago. You’re welcome to read that, if you need, here — http://richsphere.co.uk/?p=23

Thanks for reading!

Remove the passphrase from the certificate.

I installed a certificate for apache to enable SSL on a website. Creating the key and the CSR for the certificate authority prompts for a passphrase.

When you install the certificate and restart the httpd service it asks for that passphrase, so it needs to be removed from the private key.

To do this use the following command:

openssl rsa -in securesite.domain.net.uk.key -out securesite.domain.net.uk.nopass.key

It asks for the passphrase once more and then writes the unencrypted key to the nopass file.

Make sure you change your ssl.conf file to use the new file:

SSLCertificateKeyFile "/path/to/certificates/securesite.domain.net.uk.nopass.key"
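Checks worth running on the nopass key before pointing ssl.conf at it, as an added example that is not part of the original post: the file now guards the site's TLS identity with nothing but its permissions, and a key from the wrong CSR will make httpd fail at start. File names are placeholders; the owner argument defaults to root because httpd reads the key before dropping privileges.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the
# passphrase-less key. File names below are placeholders.

# 0 if the PEM file still carries a passphrase: the legacy
# "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 "ENCRYPTED PRIVATE KEY" block.
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# 0 when the key has no group/other permission bits (mode 600) and is owned
# by $2 (default root). Uses ls -ld so it behaves the same on BSD and Linux.
key_perms_ok() {
    want=${2:-root}
    set -- $(ls -ld "$1")   # $1 = mode string, $3 = owner
    case $1 in
        ????------*) [ "$3" = "$want" ] ;;
        *) false ;;
    esac
}

# 0 when the private key and the certificate carry the same public key,
# which catches handing httpd a key generated for a different CSR.
key_matches_cert() {
    keypub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    certpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$keypub" = "$certpub" ]
}

# Run all three checks; 0 only when the key is unencrypted, locked down and
# matches the certificate. Each failure is printed.
check_site_key() {
    key=$1 cert=$2 owner=${3:-root}
    rc=0
    if key_is_encrypted "$key"; then
        echo "$key still has a passphrase"; rc=1
    elif ! key_matches_cert "$key" "$cert"; then
        echo "$key does not match $cert"; rc=1
    fi
    key_perms_ok "$key" "$owner" || { echo "$key should be mode 600, owned by $owner"; rc=1; }
    return $rc
}

# Usage (placeholders):
#   check_site_key /path/to/certificates/securesite.domain.net.uk.nopass.key \
#                  /path/to/certificates/securesite.domain.net.uk.crt
```

Keep the original passphrase-protected key as well; the nopass copy is the one that needs 600 permissions, since anyone who can read it can impersonate the site until the certificate is revoked.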

Installing TLS for Sendmail on FreeBSD

Steps for installing TLS on sendmail on FreeBSD –

cd /usr/ports/security/cyrus-sasl2-saslauthd && make install

echo 'saslauthd_enable="YES"' >> /etc/rc.conf

Start the saslauthd –

/usr/local/etc/rc.d/saslauthd.sh start

Changing sendmail build options –

vi /etc/make.conf

Add the following –

# SASL (cyrus-sasl v2) sendmail build flags...
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
# Adding to enable alternate port (smtps) for sendmail...
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL

Once you have all this in place, it’s time to recompile sendmail.

cd /usr/src/lib/libsmutil && make cleandir && make obj && make
cd /usr/src/lib/libsm && make cleandir && make obj && make
cd /usr/src/usr.sbin/sendmail && make cleandir && make obj && make && make install

I added my certificates in /etc/mail/certs.

So –

mkdir /etc/mail/certs

Add your certificate files in here. A wildcard domain certificate is usually the best one to use.

chmod -R 600 /etc/mail/certs/*

Make sure sendmail is using saslauthd for authentication in /usr/local/lib/sasl2/Sendmail.conf –

pwcheck_method: saslauthd

Then add the following to your fqdn.mc file in the /etc/mail/ directory –

define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/ca-bundle.crt')dnl
define(`confSERVER_CERT', `CERT_DIR/your_certificate.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/your_wildcard_key.key')dnl
define(`confCLIENT_CERT', `CERT_DIR/your_certificate.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/your_wildcard_key.key')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

You will need a ca-bundle.crt; search for one or use this link – http://certifie.com/ca-bundle/ca-bundle.crt.txt

cd /etc/mail && make all install restart
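A check to run before the final make, as an added example that is not part of the original post: it reads the confCACERT/confSERVER_*/confCLIENT_* paths out of the .mc file, expands CERT_DIR, and confirms each file exists with the mode the chmod step above set. It assumes CERT_DIR is defined in the .mc before the lines that use it, as in the fragment above; mc_cert_paths and check_mail_certs are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every certificate
# and key referenced by a sendmail .mc file exists and is mode 600.
# Assumes CERT_DIR is defined before it is used, as in the post's fragment.

# Print one resolved path per line for confCACERT, confSERVER_CERT,
# confSERVER_KEY, confCLIENT_CERT and confCLIENT_KEY. m4 quotes values with
# ` and ', so both characters are used as awk field separators: on a
# define() line $2 is the macro name and $4 is its value.
mc_cert_paths() {
    awk -F"[\`']" '
        $1 == "define(" && $2 == "CERT_DIR" { dir = $4 }
        $1 == "define(" && $2 ~ /^conf(CACERT|SERVER_CERT|SERVER_KEY|CLIENT_CERT|CLIENT_KEY)$/ {
            path = $4
            sub(/^CERT_DIR/, dir, path)
            print path
        }' "$1"
}

# Return 0 when every referenced file exists and has mode 600 (the policy
# the post applies with chmod -R 600). sendmail rejects a world-readable key
# as unsafe and then runs without STARTTLS, and a readable key also hands
# the server identity to any local user. Each problem is printed.
check_mail_certs() {
    rc=0
    for path in $(mc_cert_paths "$1"); do
        if [ ! -f "$path" ]; then
            echo "missing: $path"; rc=1; continue
        fi
        case $(ls -ld "$path") in
            -rw-------*) ;;
            *) echo "expected mode 600: $path"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: check_mail_certs /etc/mail/fqdn.mc && cd /etc/mail && make all install restart
```

The path that confCACERT names deserves the same care as the key: whatever is in that bundle is the set of CAs sendmail will trust when it verifies peer certificates, so it should come from a source you trust rather than an arbitrary download.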

Vi – Useful tricks

I use vi a lot on nix machines and there are a lot of useful tricks you can do to edit files.

A good trick to get rid of those annoying ^M characters from a DOS file is –

:%s/(ctrl-v)(ctrl-m)//g

So you type :%s/ then press Ctrl-V followed by Ctrl-M (no spaces), then //g and Enter.

What you are doing here is just a regular expression substitution: Ctrl-V makes vi insert the next keystroke literally, so Ctrl-M puts the actual carriage return into the pattern, the empty replacement between the slashes deletes it, % applies the command to every line, and g removes every match on each line.