LinuxAdminTricks: Difference between revisions

From T2B Wiki
Changes in this revision (around line 170 of the page source; the paragraph before the changed lines is unchanged and appears in full below):

Old text:
To get rid of this problem, the trick is to create a keytab like this :
<pre>
ipa-getkeytab -s freeipa.wn.iihe.ac.be -p admin -k test.keytab
</pre>
After that, you can add in your scripts :

New text:
To get rid of this problem, the trick is to create, from the freeipa server, a keytab like this :
<pre>
kadmin.local -q "xst -norandkey -k admin.keytab admin"
</pre>
and then to copy the keytab created above to the "client" machine.
After that, you can add in your scripts :

Revision as of 12:34, 24 January 2017

Make an encrypted copy of a file protected with a passphrase

If you are in a hurry:

gpg -c name_of_file_to_encrypt

This will give an encrypted file named name_of_file_to_encrypt.gpg

Check a network port on a distant machine

Imagine you want to check whether a firewall is blocking access to a port on a remote machine. The command nc (or netcat) is the perfect tool for that. It can be used to generate or listen to TCP/UDP traffic. Here is an example:

  • On the destination machine (mp.iihe.ac.be):
nc -l -p 7512
  The destination machine is now listening (-l) on its port 7512.
  • On the source machine:
hostname | nc mp.iihe.ac.be 7512
  The source machine sends the result of the hostname command to the destination mp.iihe.ac.be on port 7512.
If everything goes well, you should see the result of hostname appear on the destination machine.
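The same check, wrapped into a reusable function with argument validation and a timeout so that a firewall which silently drops packets does not hang the script. This is an added example, not code from the T2B wiki; the default timeout of 3 seconds is an assumption.

```shell
#!/bin/sh
# Added example (not from the T2B wiki): wrap "nc -z" in a function that tells
# you whether a TCP port on a remote host answers, with a timeout so that a
# firewall that silently drops packets does not hang the check.
# Return codes: 0 = port open, 1 = closed or filtered, 2 = bad arguments,
# 3 = nc not installed.

check_port() {
    host="$1"
    port="$2"
    timeout="${3:-3}"   # seconds to wait (assumed default)

    # Validate the port: an integer between 1 and 65535.
    case "$port" in
        ''|*[!0-9]*)
            echo "check_port: invalid port '$port'" >&2
            return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "check_port: port out of range '$port'" >&2
        return 2
    fi
    if [ -z "$host" ]; then
        echo "check_port: missing host" >&2
        return 2
    fi

    if ! command -v nc >/dev/null 2>&1; then
        echo "check_port: nc is not installed" >&2
        return 3
    fi

    # -z: connect only, send no data; -w: give up after this many seconds.
    if nc -z -w "$timeout" "$host" "$port" >/dev/null 2>&1; then
        echo "$host:$port open"
        return 0
    fi
    echo "$host:$port closed or filtered (no answer within ${timeout}s)"
    return 1
}

# Run directly as: sh check_port.sh mp.iihe.ac.be 7512
if [ "$#" -ge 2 ]; then
    check_port "$@"
fi
```

A return code of 1 does not distinguish "closed" (the host answered with a reset) from "filtered" (nothing came back before the timeout); if you need that distinction, run nc without -z and look at its error message.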

Remove the passphrase from an SSH key

Two methods:

  • Long method:
cp ./.ssh/id_rsa ./.ssh/id_rsa.bak
openssl rsa -in ./.ssh/id_rsa.bak -out ./.ssh/id_rsa
chmod 0400 ./.ssh/id_rsa
  • Short method:
ssh-keygen -p

Send a mail with commands

Imagine that the content of your mail is in the file my_mail.txt :

cat my_mail.txt | mail -s "test mail" mdupont@ulb.ac.be -- -r rootfs@ulb.ac.be

It will send a mail to mdupont@ulb.ac.be with sender rootfs@ulb.ac.be. Note: it will only work if Sendmail is correctly configured (try on CCQ).

Repeat a command every x seconds

An example :

watch -n 2 iptables -vL

This command will repeat "iptables -vL" every 2 seconds. That's useful to watch the evolution of the number of blocked packets on a firewall.

Apply a command to a list

Use the command xargs ! Example : you want to create a tarball with the files from the list contained in the file "list.txt" :

cat list.txt |xargs tar cvf test.tar

Note that if the command behind the pipe can only take one argument at a time, then you must use "xargs -n 1".

Print the list of the PIDs of all the processes belonging to a user

If you want to print the PIDs of the processes belonging to user "cms001", then type:

ps aux | grep '^cms001' | awk '{print $2}'

Extract a list of logins from /etc/passwd

Let's say for example we want to print the cms logins :

grep cms /etc/passwd | awk -F ":" '{print $1}'

Add users from one group to another group

Imagine that we want to add all the users of the group enmhprahp (enmhprahp000,enmhprahp001,...) to the group enmhps. The solution is :

egrep '^enmhprahp[0-9]+' /etc/passwd | awk -F ":" '{print $1}' | xargs -n 1 usermod -G enmhps,enmhprahp

The option "-n 1" of the xargs command deserves an explanation: as the command usermod cannot be applied to a list of users separated by whitespace, we have to specify that at most one username is passed to each invocation of usermod.

Delete all users with a given prefix

We want to delete all users with prefix "dte" on the storage pools, taking care not to delete the users with prefix "dteg" :

./distrib_exec_list liste_des_behars "egrep -e '^dte([0-9][0-9][0-9]|s|p)' /etc/passwd | awk -F \":\" '{print \$1}' | xargs -n 1 userdel"
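The three previous tricks (extracting logins, adding a batch of users to a group, deleting users with a given prefix) all rely on selecting account names out of /etc/passwd and handing them one at a time to usermod or userdel. The added example below (not code from the T2B wiki) does that selection on the first field only, anchored at the start of the name, so that a pattern such as "dte" cannot match a GECOS comment or a home directory, and a pattern such as "cms001" cannot match "cms0010"; the same anchoring applies to "ps aux | grep '^cms001'" above. The command is printed rather than executed unless DRY_RUN=0, and the passwd entries are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the T2B wiki): pick account names out of passwd data
# with an anchored regular expression and feed them one at a time to an
# account-management command, printing what would run unless DRY_RUN=0.
# The passwd entries below are constructed for the demonstration.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
dte001:x:5001:5001::/home/dte001:/bin/bash
dte002:x:5002:5001::/home/dte002:/bin/bash
dtes:x:5010:5001::/home/dtes:/bin/bash
dteg001:x:5100:5100::/home/dteg001:/bin/bash
cms001:x:6001:6001::/home/cms001:/bin/bash
helpdesk:x:7000:7000:dte support:/home/helpdesk:/bin/bash'

# select_logins PATTERN [PASSWD_FILE]
# Print, one per line, the logins whose name (first field) matches PATTERN,
# anchored at the start of the name. Testing only the first field avoids the
# false hits that "grep dte /etc/passwd" gives on the GECOS or home fields
# (helpdesk above would match).
select_logins() {
    pattern="$1"
    file="${2:-/etc/passwd}"
    awk -F ':' -v pat="^($pattern)" '$1 ~ pat { print $1 }' "$file"
}

# apply_to_logins COMMAND...  (reads logins on stdin)
# Run COMMAND once per login with the login appended, which is what
# "xargs -n 1" does for usermod and userdel; DRY_RUN=1 (the default) only
# prints the command line.
apply_to_logins() {
    while IFS= read -r login; do
        [ -n "$login" ] || continue
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would run: $* $login"
        else
            "$@" "$login"
        fi
    done
}

# count_logins PATTERN PASSWD_FILE: how many logins the pattern selects
count_logins() {
    select_logins "$1" "$2" | wc -l | tr -d ' '
}

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    # dte followed by three digits, "s" or "p": dte001, dte002, dtes, but not dteg001
    select_logins 'dte([0-9][0-9][0-9]|s|p)' "$tmp" | apply_to_logins userdel
    # adding the enmhprahp accounts to a group works the same way:
    # select_logins 'enmhprahp[0-9]+' | apply_to_logins usermod -G enmhps,enmhprahp
    rm -f "$tmp"
}

demo
```

Run it once with the default dry run, read the list of "would run" lines, and only then repeat with DRY_RUN=0: a prefix that is one character too short deletes more accounts than intended, and userdel has no undo.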

The rpm command

To get the list of all installed packages :

rpm -qa

If you want to print the architecture (i386, noarch or x86_64) :

rpm -qa --queryformat='%{N}-%{V}-%{R}.%{arch}\n'

To determine which rpm a file is coming from :

rpm -qf /full/path/of/the/file

To get the list of the files in a package :

rpm -ql <name_of_the_rpm>

Installation of Java Plugin for Firefox under Linux

This plugin is needed if you want to connect to an HP machine with Integrated Lights-Out and open a remote console. Let's suppose that you've already installed the Java JDK. You still have to tell Firefox where it can find the plugin, thanks to a symbolic link. Do the following under your usual user account:

cd ~/.mozilla/plugins
ln -s /usr/java/jdk1.6.0_23/jre/lib/amd64/libnpjp2.so libnpjp2.so

Of course, adapt the path of the target in the previous command according to the actual version of the jdk that is installed on your machine.

Mirror a directory from a site

Let's say, for example, that you want to create a mirror of the Scientific Linux 5.5 (x86_64) distribution. Here is what you should type :

wget -np -m http://quattorsrv.lal.in2p3.fr/packages/os/sl550-x86_64/

The -np option is very important: it tells wget not to download the parent directories.

Firewall configuration for a KVM host doing NAT for its guest VMs

Suppose that you want to hide your VMs behind the virtualization host, using NAT. Then there are a few things to configure on the host:

  • forwarding should be enabled:
echo 1 > /proc/sys/net/ipv4/ip_forward
  and in /etc/sysctl.conf: net.ipv4.ip_forward = 1

  • you have to configure the firewall with iptables to enable NAT and allow forwarding; here is the kind of ruleset you need in your /etc/sysconfig/iptables to achieve this:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT

The lines above can be copy-pasted as they are into /etc/sysconfig/iptables.
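A ruleset loaded with a typo in a chain name or a missing COMMIT fails half-way and can leave the host with an open FORWARD chain, so it is worth checking the file before applying it. The added example below (not code from the T2B wiki) lints a ruleset in iptables-save format, warns when forwarding is still off, and lets iptables-restore parse the file with --test before applying it; applying only happens with APPLY=1. The ruleset embedded in the script is a constructed subset of the rules above.

```shell
#!/bin/sh
# Added example (not from the T2B wiki): a pre-flight check for a ruleset in
# iptables-save format before it is loaded on the KVM host. lint_rules checks
# that each "*table" block is closed by COMMIT and that every -A rule appends
# to a chain declared in that table; load_rules then lets iptables-restore
# parse the file without applying it, and applies only with APPLY=1.
# The ruleset below is a constructed subset of the wiki's NAT rules.

RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# lint_rules FILE: return 0 when the structure is consistent, 1 otherwise;
# problems are reported on stderr.
lint_rules() {
    awk '
        function bad(msg) { print "lint: " msg > "/dev/stderr"; errors++ }
        /^\*/ {                      # start of a table: the previous one must be committed
            if (table != "" && !committed) bad("table " table " has no COMMIT")
            table = substr($0, 2); committed = 0
            for (k in chains) delete chains[k]
            next
        }
        /^:/        { chains[substr($1, 2)] = 1; next }      # chain declaration
        /^-A /      { if (!($2 in chains)) bad("table " table ": rule appends to undeclared chain " $2); next }
        /^COMMIT$/  { committed = 1; next }
        /^#/ || /^[ \t]*$/ { next }
        { bad("unrecognised line: " $0) }
        END {
            if (table != "" && !committed) bad("table " table " has no COMMIT")
            exit (errors > 0)
        }
    ' "$1"
}

# forwarding_enabled: true when the kernel currently forwards IPv4 packets
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# load_rules FILE: lint, then parse with iptables-restore --test (root needed),
# and apply only when APPLY=1.
load_rules() {
    lint_rules "$1" || return 1
    forwarding_enabled || echo "warning: net.ipv4.ip_forward is 0, guests will not reach the outside" >&2
    command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found" >&2; return 1; }
    iptables-restore --test < "$1" || return 1
    if [ "${APPLY:-0}" = "1" ]; then
        iptables-restore < "$1"
    fi
}

# Usage: printf '%s\n' "$RULES" > /tmp/iptables.rules && load_rules /tmp/iptables.rules
```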

How to install a Perl module ?

Let's say we want to install File::Grep :

perl -MCPAN -e 'install File::Grep'

Password encryption

To encrypt a password in the "/etc/shadow" style :

openssl passwd -1 your_password

Note: if your password contains special characters, you can enclose it between quotes, otherwise bash might get confused while interpreting the command.

As a result of the previous command, you then get something like this :

$1$qGmhOQim$RJ25QfcYEhCBR2qG2u80T.

The sequence between the second and third dollar signs (in this example: qGmhOQim) is called the "salt". Its purpose is to randomize hash generation so as to increase security. If you want to reproduce the hash knowing the salt:

openssl passwd -1 -salt qGmhOQim your_password
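The added example below (not code from the T2B wiki) turns the two commands above into small helpers: hash a password, pull the salt back out of a stored hash, and verify a candidate password by re-hashing it with that salt, which is exactly what login does against /etc/shadow. Two points go beyond the text: the password is given to openssl on stdin (-stdin) so it does not appear in the process list, and scheme 6 (SHA-512-crypt, the default on current Linux systems) is offered next to the wiki's -1 (MD5-crypt); scheme 6 assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the T2B wiki): helpers around "openssl passwd" that
# hash a password in /etc/shadow style, read the salt back out of a hash and
# verify a candidate password by re-hashing it with that salt. The password is
# passed on stdin (-stdin) instead of on the command line, so it does not show
# up in "ps" output. Scheme 6 (SHA-512-crypt) assumes OpenSSL 1.1.1 or newer.

# hash_password PASSWORD [SCHEME] [SALT]
# SCHEME: 1 = MD5-crypt (as on the wiki, 8-character salt), 5 = SHA-256-crypt,
# 6 = SHA-512-crypt (what current Linux systems put in /etc/shadow).
# Without SALT, openssl generates a random one.
hash_password() {
    pw="$1"; scheme="${2:-1}"; salt="$3"
    if [ -n "$salt" ]; then
        printf '%s\n' "$pw" | openssl passwd "-$scheme" -salt "$salt" -stdin
    else
        printf '%s\n' "$pw" | openssl passwd "-$scheme" -stdin
    fi
}

# scheme_of HASH: the identifier between the first and second '$' of $id$salt$hash
scheme_of() {
    printf '%s\n' "$1" | awk -F '$' '{ print $2 }'
}

# salt_of HASH: the salt between the second and third '$'
salt_of() {
    printf '%s\n' "$1" | awk -F '$' '{ print $3 }'
}

# verify_password PASSWORD HASH: 0 when PASSWORD reproduces HASH, 1 when it
# does not, 2 when the hash uses a scheme this script does not handle.
verify_password() {
    pw="$1"; stored="$2"
    scheme=$(scheme_of "$stored")
    salt=$(salt_of "$stored")
    case "$scheme" in
        1|5|6) ;;
        *) echo "verify_password: unsupported scheme '$scheme'" >&2; return 2 ;;
    esac
    candidate=$(hash_password "$pw" "$scheme" "$salt")
    [ "$candidate" = "$stored" ]
}

# Usage: h=$(hash_password 'your_password' 6); verify_password 'your_password' "$h" && echo ok
```

Because the salt is stored in clear inside the hash, anyone holding the hash can do what verify_password does; the salt only prevents one precomputed table from covering every account, it does not slow down guessing. That is why MD5-crypt (-1) is no longer the default on modern systems.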

Solution for automatic scripts that need to interact with the freeipa server

The main problem here is that, before issuing ipa commands, you need a valid kerberos ticket, which would normally be created by running "kinit admin". Alas, if the ipa commands are embedded in a script that runs automatically (from a cron task, for example), this won't work because the admin password has to be typed, and you don't want a solution where the password is kept in clear text in a file!

To get rid of this problem, the trick is to create, from the freeipa server, a keytab like this :

kadmin.local -q "xst -norandkey -k admin.keytab admin"

and then to copy the keytab created above to the "client" machine. After that, you can add in your scripts :

kinit admin@WN.IIHE.AC.BE -k -t admin.keytab

This will create a valid kerberos ticket without prompting for a password. Needless to say, the keytab file must remain in a safe place with restricted (600) permissions.
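The keytab is equivalent to the admin password, so a cron script should check it before using it. The added example below (not code from the T2B wiki) refuses a keytab that is not owned by the running user or that has any group/other permission bits, obtains the ticket into a private credential cache so it does not overwrite an interactive user's cache, runs the ipa command and destroys the ticket afterwards. Principal and realm come from the wiki; the keytab path and the cache location are assumptions, and "stat -c" is the GNU coreutils form found on Linux.

```shell
#!/bin/sh
# Added example (not from the T2B wiki): run an ipa command from cron with the
# keytab. Before using it the script refuses keytabs that are readable by group
# or others or not owned by the running user, obtains the ticket into a private
# credential cache (so it does not overwrite an interactive user's cache), runs
# the command and destroys the ticket afterwards. Principal and realm come from
# the wiki; the keytab path and cache location are assumptions, and "stat -c"
# is the GNU coreutils form found on Linux.

PRINCIPAL="${PRINCIPAL:-admin@WN.IIHE.AC.BE}"
KEYTAB="${KEYTAB:-/root/admin.keytab}"   # assumed location after copying it over

# check_keytab FILE: 0 when FILE exists, belongs to the current user and has no
# group/other permission bits (600 or 400); 1 otherwise, with the reason on stderr.
check_keytab() {
    kt="$1"
    if [ ! -f "$kt" ]; then
        echo "keytab $kt not found" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$kt") || return 1
    owner=$(stat -c '%u' "$kt") || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "keytab $kt is owned by uid $owner, not uid $(id -u)" >&2
        return 1
    fi
    case "$mode" in
        *00) return 0 ;;   # last two octal digits 00: nothing for group or others
        *)
            echo "keytab $kt has mode $mode; expected 600" >&2
            return 1 ;;
    esac
}

# run_with_keytab COMMAND...: obtain a ticket from KEYTAB, run COMMAND, clean up.
run_with_keytab() {
    check_keytab "$KEYTAB" || return 1
    cache=$(mktemp /tmp/krb5cc_script_XXXXXX) || return 1
    KRB5CCNAME="FILE:$cache"
    export KRB5CCNAME
    if ! kinit -k -t "$KEYTAB" "$PRINCIPAL"; then
        rm -f "$cache"
        return 1
    fi
    "$@"
    rc=$?
    kdestroy -q 2>/dev/null
    rm -f "$cache"
    return "$rc"
}

# Usage from a cron script: run_with_keytab ipa user-show admin
```

Keeping the ticket in a throw-away cache also means the admin credentials are not left lying in /tmp/krb5cc_0 after the job has finished.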
