LinuxAdminTricks
Make an encrypted copy of a file protected with a passphrase
If you are in a hurry :
gpg -c name_of_file_to_encrypt
This will give an encrypted file named name_of_file_to_encrypt.gpg
Check a network port on a distant machine
Imagine you want to check whether a firewall blocks access to a port on a remote machine. The command nc (or netcat) is the perfect tool for that : it can generate or listen for TCP/UDP traffic. Here is an example :
- On the destination machine (mp.iihe.ac.be) :
nc -l -p 7512
The destination machine is now listening (-l) on its port 7512.
- On the source machine :
hostname | nc mp.iihe.ac.be 7512
The source machine sends the output of the hostname command to the destination mp.iihe.ac.be on port 7512. If everything goes well, you should see the output of hostname appear on the destination machine.
Remove the passphrase from an SSH key
Two methods :
- Long method :
cp ./.ssh/id_rsa ./.ssh/id_rsa.bak
openssl rsa -in ./.ssh/id_rsa.bak -out ./.ssh/id_rsa
chmod 0400 ./.ssh/id_rsa
- Short method :
ssh-keygen -p
Send a mail with commands
Imagine that the content of your mail is in the file my_mail.txt :
cat my_mail.txt | mail -s "test mail" mdupont@ulb.ac.be -- -r rootfs@ulb.ac.be
It will send a mail to mdupont@ulb.ac.be with sender rootfs@ulb.ac.be. Note : it will only work if Sendmail is correctly configured (try on CCQ).
Repeat a command every x seconds
An example :
watch -n 2 iptables -vL
This command will repeat "iptables -vL" every 2 seconds. That's useful to watch the evolution of the number of blocked packets on a firewall.
Apply a command to a list
Use the command xargs ! Example : you want to create a tarball with the files listed in the file "list.txt" :
cat list.txt | xargs tar cvf test.tar
Note that if the command behind the pipe can only take one argument at a time, then you must use "xargs -n 1".
Print the list of the PIDs of all the processes belonging to a user
If you want to print the PIDs of the processes belonging to user "cms001", then type :
ps aux | grep '^cms001' | awk '{print $2}'
Extract a list of logins from /etc/passwd
Let's say for example we want to print the cms logins :
grep cms /etc/passwd | awk -F ":" '{print $1}'
Add users from one group to another group
Imagine that we want to add all the users of the group enmhprahp (enmhprahp000,enmhprahp001,...) to the group enmhps. The solution is :
egrep '^enmhprahp[0-9]+' /etc/passwd | awk -F ":" '{print $1}' | xargs -n 1 usermod -Genmhps,enmhprahp
The option "-n 1" of the xargs command deserves an explanation : since usermod cannot be applied to a list of users separated by whitespace, we tell xargs to pass at most one username to each invocation of usermod.
Delete all users with a given prefix
We want to delete all users with prefix "dte" on the storage pools, taking care not to delete the users with prefix "dteg" :
./distrib_exec_list liste_des_behars "egrep -e '^dte([0-9][0-9][0-9]|s|p)' /etc/passwd | awk -F \":\" '{print \$1}' | xargs -n 1 userdel"
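Added example, not from the original page : a dry run of the user selection pipeline used in the two sections above (and of the anchored grep that the login extraction section also relies on), run on a constructed passwd file so the selected names can be reviewed before they are handed to usermod or userdel. The sample entries are made up for the demonstration.

```shell
# Added example, not from the original page: dry-run the user selection
# pipeline on a constructed passwd file before handing the names to
# usermod/userdel. Sample entries are made up for the demonstration.
PASSWD_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE"' EXIT
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dte001:x:1001:1001:DTE user 1:/home/dte001:/bin/bash
dte002:x:1002:1001:DTE user 2:/home/dte002:/bin/bash
dtes:x:1003:1001:DTE service:/home/dtes:/bin/bash
dtep:x:1004:1001:DTE pool:/home/dtep:/bin/bash
dteg01:x:1005:1002:DTE group admin, must survive:/home/dteg01:/bin/bash
helpdte:x:1006:1006:contains dte but is not a dte user:/home/helpdte:/bin/bash
enmhprahp000:x:2000:2000:ENM user:/home/enmhprahp000:/bin/bash
enmhprahp001:x:2001:2000:ENM user:/home/enmhprahp001:/bin/bash
enmhps:x:2002:2001:ENM shared account:/home/enmhps:/bin/bash
EOF

# select_logins REGEX FILE: print the login field of every passwd line whose
# login matches REGEX. The caller anchors the pattern with ^ so that a match
# in the GECOS or home directory field cannot select the wrong account.
select_logins() {
    grep -E -e "$1" "$2" | awk -F ":" '{print $1}'
}

# Same patterns as the two sections above: "dte" followed by three digits,
# or exactly dtes/dtep, so dteg01 and helpdte are left alone.
dte_targets() {
    select_logins '^dte([0-9][0-9][0-9]|s|p)' "$PASSWD_SAMPLE"
}

enmhprahp_targets() {
    select_logins '^enmhprahp[0-9]+' "$PASSWD_SAMPLE"
}

# Dry run: echo stands in for userdel, showing exactly the calls xargs -n 1
# would make, one login per invocation.
dte_targets | xargs -n 1 echo userdel
```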
The rpm command
To get the list of all installed packages :
rpm -qa
If you want to print the architecture (i386, noarch or x86_64) :
rpm -qa --queryformat='%{N}-%{V}-%{R}.%{arch}\n'
To determine which rpm a file is coming from :
rpm -qf /full/path/of/the/file
To get the list of the files in a package :
rpm -ql <name_of_the_rpm>
Installation of Java Plugin for Firefox under Linux
This plugin is needed if you want to connect to an HP machine with Integrated Lights-Out and open a remote console. Let's suppose that you've already installed the Java jdk. You still have to indicate to Firefox where it can find the plugin, thanks to a symbolic link. Do the following under your usual user account :
cd ~/.mozilla/plugins
ln -s /usr/java/jdk1.6.0_23/jre/lib/amd64/libnpjp2.so libnpjp2.so
Of course, adapt the path of the target in the previous command according to the actual version of the jdk that is installed on your machine.
Mirror a directory from a site
Let's say, for example, that you want to create a mirror of the Scientific Linux 5.5 (x86_64) distribution. Here is what you should type :
wget -np -m http://quattorsrv.lal.in2p3.fr/packages/os/sl550-x86_64/
The -np option is very important : it will tell wget to not download the parent directories.
Firewall configuration for a KVM host doing NAT for its guest VMs
Suppose that you want to hide your VMs behind the virtualization host, using NAT. Then there are a few things to configure on the host :
- forwarding should be enabled :
echo 1 > /proc/sys/net/ipv4/ip_forward
and, to make it persistent across reboots, in /etc/sysctl.conf :
net.ipv4.ip_forward = 1
- you have to configure the firewall with iptables to enable NAT and allow forwarding; here is the kind of rules you need in your /etc/sysconfig/iptables to achieve this :
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
How to install a Perl module ?
Let's say we want to install File::Grep :
perl -MCPAN -e 'install File::Grep'
Password encryption
To encrypt a password in the "/etc/shadow" style :
openssl passwd -1 your_password
Note : if your password contains special characters, enclose it in quotes, otherwise bash might get confused while interpreting the command.
As a result of the previous command, you then get something like this :
$1$qGmhOQim$RJ25QfcYEhCBR2qG2u80T.
The sequence between the second and third dollar signs (in this example : qGmhOQim) is called the "salt". It randomizes the hash, so that two accounts with the same password get different hashes and precomputed hash tables are useless. If you want to reproduce the hash knowing the salt :
openssl passwd -1 -salt qGmhOQim your_password
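Added example, not from the original page : a small shell function that applies the "recompute with the known salt" trick above to check a candidate password against an MD5-crypt ($1$) entry. It assumes openssl is installed, and feeds the password on stdin (-stdin) so that it does not appear in the process list or the shell history the way a command-line argument does.

```shell
# Added example, not from the original page: check a candidate password
# against an MD5-crypt ($1$) entry by recomputing the hash with the entry's
# own salt, the same trick as "openssl passwd -1 -salt" above.
# Assumes openssl is installed. The password is fed on stdin (-stdin) rather
# than as an argument, so it does not show up in "ps" output or shell history.
check_md5crypt() {
    entry=$1
    password=$2
    case $entry in
        '$1$'*) ;;
        *) echo "not an MD5-crypt entry (expected a \$1\$ prefix)" >&2; return 2 ;;
    esac
    # Fields of $1$SALT$HASH split on '$': empty, "1", salt, hash.
    salt=$(printf '%s' "$entry" | cut -d '$' -f 3)
    recomputed=$(printf '%s\n' "$password" | openssl passwd -1 -salt "$salt" -stdin)
    # Same salt + same password must give exactly the same string.
    [ "$recomputed" = "$entry" ]
}

# Demonstration with a freshly generated entry (salt taken from the section above).
demo_entry=$(printf 'your_password\n' | openssl passwd -1 -salt qGmhOQim -stdin)
if check_md5crypt "$demo_entry" your_password; then
    echo "correct password accepted"
fi
if ! check_md5crypt "$demo_entry" wrong_password; then
    echo "wrong password rejected"
fi
```

The $1$ (MD5) scheme is used here only because the section above uses it; current distributions store $6$ (SHA-512) entries, which openssl passwd -6 produces with the same -salt and -stdin options.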
Solution for automatic scripts that need to interact with the freeipa server
The main problem here is that, before issuing ipa commands, you need a valid kerberos ticket, which you would normally create with the command "kinit admin". Alas, if the ipa commands are embedded in a script that is executed automatically (by a cron task, for example), this won't work because the admin password has to be typed, and you don't want a solution where the password is kept in clear text in a file !
To get rid of this problem, the trick is to create, from the freeipa server, a keytab like this :
kadmin.local -q "xst -norandkey -k admin.keytab admin"
and then to copy the keytab created above to the "client" machine.
Important note : Please, always create your keytabs following the method described above, and never use any other method unless you know exactly what you are doing, otherwise you might have the kind of issue that is described here.
After that, you can add in your scripts :
kinit admin@WN.IIHE.AC.BE -k -t admin.keytab
This will create a valid kerberos ticket without prompting for a password. Needless to say, the keytab file must remain in a safe place with restricted (600) permissions.