Category: WLUG

Categories
MetaNET Tool of the Week WLUG

Restricting ssh password auth by group or shell

Matt Brown asked if I could think of any way to allow a certain group of users to scp into a host and use a password, while requiring a valid key pair for most other users. Perry suggested a solution to this a while ago, so I sat down and had a quick look at it, and got it working.

I configured sshd such that:

[code]

PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
[/code]

This bypasses direct /etc/passwd auth, but allows standard PAM based auth via the ChallengeResponseAuthentication mechanism. This will allow everyone to login with a password if possible, so we need to configure pam. For this, I used the pam_listfile module, checking that the user had a particular shell, /usr/bin/scponly, as their shell:

[code]

cat “/usr/bin/scponly” > /etc/scpshells

[/code]

I then edited /etc/pam.d/sshd:

[code]

auth required pam_env.so
auth required pam_listfile.so item=shell sense=allow file=/etc/scpshells onerr=fail
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
auth required pam_nologin.so

session required pam_limits.so
session required pam_unix.so

account required pam_unix.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so

[/code]

I probably don’t need all of that in the sshd pam snippet, but I just dumped the contents of the included files into to to make editing it easier.

To test this I added /bin/bash to /etc/scpshells, and verified that I could ssh in by using a pasword. I then removed it, and verified that I could no longer ssh in with a password. Combine this with a suitable shell (/usr/bin/scponly), and I can create users that can scp in with a password – or with a key if they care – but cannot get a local shell; all other users cannot authenticate via PAM, and so must provide a valid key.

Categories
General WLUG

Backspace in Firefox 2

As part of my upgrade to Edgy the other day, Firefox was upgraded to 2.0. It’s been upgraded every day since then, and is I think finally running a real 2.0 build

[code]

$ apt-cache show firefox | grep Version
Version: 2.0+0dfsg-0ubuntu3
[/code]

The biggest interface changes I’ve noticed to Firefox 2 so far include some cosmetic changes to the tab panel layout, which I’m mostly used to, and the ‘backspace’ button now no longer steps backwards in your history.

This behaviour is controllable via about:config however. Setting the following will revert to the old behaviour.
[code]

browser.backspace_action = 0
[/code]

Categories
General WLUG

Edgy Eft RC1 announced

After seeing this announcement for the Edgy Eft RC1 release, I decided to upgrade my Dapper laptop to Edgy. Thanks to the NZ mirror already being up to date, it didn’t take long to download the 700MB of packages that I needed.

I’d like to say the upgrade went smoothly, but it didn’t. Part of that is my own fault – I accidentally used apt-get instead of aptitude to handle the upgrade, and so a lot of packages were missed, and some dependency resolution was fumbled which meant the upgrade process broke hard along the way.

After manually removing a bunch of packages then getting the upgrade to restart, then repeating “aptitude dist-upgrade” about 6 times after it thought it’d finished, each time installing a couple of new packages, and then finally rebooting one more time because I couldn’t get X to start again, it all looked good.

Except that when I logged in, GNOME didn’t appear to start. I killed X and added a new user, then logged in as them – worked fine. Tried my user – no go. I spent a long time trying to move various GNOME configs out of the way, and eventually resorted to creating a new blank homedir for myself – still wouldn’t work. So I rebooted one more time and it started working after that. Very strange.

I’d suggest waiting for the final release to upgrade, but if you do go ahead, make absolutely sure you use aptitude and not apt-get. It may also work better if you use the CD and boot into an upgrade mode, I can’t comment.

I would file a bug, but I’m not sure it’ll help. I can’t pin down what was wrong because I used the wrong tool to upgrade. I have a Dapper install on my desktop at home, and I’ll try upgrading that next week when I get some free time, however it’ll probably “just work” by then anyway.

New things noticed in Edgy Eft so far:

  • Firefox 2
  • Network-manager-applet has a dialup account plugin.

Yeah. It looks the same. Edgy does have new features under the hood, but I haven’t looked into those yet.

Update: Yeah, it’s called Edgy Eft, not Efty Edge.

Categories
General NSP WLUG

Xensource Xen Enterprise

I’ve been following the Xensource Xen Enterprise product for a couple of months at work. The current release ships with an install CD which preps a barebones server. It installs linux with a Xen kernel and the Xen toolset, but doesn’t ask you many questions – the dom0 is really only there to support the hypervisor after all. There are no options for software raid in the installer, but that might be because software raid isn’t considered an “enterprise” tool by some people.

Once it’s installed, you can run a JAVA based console from your desktop. This will connect to the XenEnterprise server and let you run some of the hypervisor commands as well as provision and configure domU.  XE ships with support for installing a debian server from a template, and for installing RHEL from a network install server. Apparently  it’s fairly straight forward to modify the templates or to create your own, I haven’t looked into that yet.

The console provides some monitoring of the dom0 and the domUs – network, cpu, disk and memory utilisation. The
console will connect to multiple XE hosts, letting you monitor and configure your domUs across your entire network.

One other neat tool that ships with XE is a P2V migration tool. That’s Physical to Virtual migration – you run a program on your existing physical machine, and XE will create a domU suitable for it and migrate the filesystem into the new host. However, I’ve yet to use this to see how well it works.
The kicker is, of course, the pricing. XE’s pricing is available online, and it starts at $750 + $150 annual maintainance for a 2 cpu server. The big benefits of XE come in when you have multiple servers in use, so start to scale that price up accordingly.   XE is also a bit limited in that you can’t do anything outside of the box yet. Which means that if you want, for example, pass a PCI device (eg, network card or SCSI controller) through to a specific domU, you are out of luck. This may not happen very often or at all, but it does make it somewhat less useful.

Overall, it’s a nice enough tool. If you are looking at managing a large number of densely packed Xen servers and want to be able to quickly provision new servers, clone existing servers, and migrate guests easily between hosts, it’s probably spot on.

Categories
General WLUG

Trouble playing movies with Totem?

I’ve never really liked totem. It’s set up as the default movie player, but I always had problems getting it to play movies – some would play fine, others wouldn’t. It always worked for quicktime movies however.

Today, Craig asked about playing quicktime under Totem. This suprised me, because it was the one thing I had working well. We both run Ubuntu Dapper.

After closer inspection, it seems we had different gstreamer plugins installed. There’s quite a few of these packages in Ubuntu, so missing one or another is probably quite easy.

  • gstreamer0.10-plugins-base – GStreamer plugins from the “base” set
  • gstreamer0.10-plugins-good – GStreamer plugins from the “good” set
  • gstreamer0.10-plugins-bad – GStreamer plugins from the “bad” set
  • gstreamer0.10-plugins-ugly – GStreamer plugins from the “ugly” set
  • gstreamer0.10-plugins-ugly-multiverse – GStreamer plugins from the “ugly” set (Multiverse Variant)
  • gstreamer0.10-plugins-bad-multiverse – GStreamer plugins from the “bad” set (Multiverse Variant)

These are described better at  http://gstreamer.freedesktop.org/modules/.

So now I have gstreamer0.10-plugins-bad-multiverse installed which includes the xvid codec. All good!

Categories
Tool of the Week WLUG

Building Debian packages with YADA

I have recently had to build some debian packages for software we distribute to our clients. I’ve built debian packages in the past, but I was a bit rusty so was looking at a similar package to the one I was working on at the time, a collection of php scripts for a web based tool. As it happened, the debian package I chose to inspect, phpmyadmin, used a program called YADA as an aid for building the deb.
YADA stands for Yet Another Debianisation Aid. I can’t find a decent definitive website for it (it’s not yada.sf.net, btw!), but it’s in sarge and ubuntu. YADA takes two input files – debian/changelog and debian/packages, and generates a suitable set of files inside the debian/ subdir so that you can create your .deb package. The format of the debian/packages file is quite simple and gives, as far as I can tell, full control over the resulting configuration.

There is good documentation in the yada-doc package, including example packages files take from a range of debian packages that make use of YADA already.

Categories
advocacy WLUG

2.6.16 sensibleness

From a post on Ian McDonald’s Blog:
Is it me or is it crazy the pace of point releases at the moment? Do we really need four kernels in three days?

Actually it’s just you, and perhaps a few others, who for some reason still don’t see any point in the 2.6.x.y release of kernels.

We haven’t had 4 new kernels in 3 days. We’ve had 4 small patchsets covering regressions and security flaws. In each case, the patches are less than 100 lines of code, and are considered “simple”. The fact that there are 4 of them represents the high level of effort the stable tree maintainer, and people submitting patches, is putting into the kernel.

I’d much rather have 4 security releases in 3 days, then be told to wait until the next stable kernel. Or have to track down and find the patch myself, only to discover that it doesn’t apply cleanly. I’m capable of doing these things, but there are plenty of people who aren’t, and the 2.6.x.y stable series provides a great infrastructure for the announcement and dissemination of timely security and regression patches.

At the end of the day, the chances are fairly good you’ll never need any of the patches in the stable series. What’s more, the 2.6.x.y patches all get rolled into 2.6.x+1 anyway, so you’ll get them all then. So feel free to ignore these “crazy” “kernel releases”

Categories
Tool of the Week WLUG

Assigning rights to users with Samba

In a recent Linux Journal article I noticed an interesting piece of information: as of Samba 3.0.11, you can assign rights to users and groups. This eliminates the need to have samba account with the uid of 0 (eg, root), or mapping the Administrator to local uid 0 (which is practically the same thing). In particular it means that the ‘Administrator’ user, and anyone in the ‘Domain Admins’ group, can be given rights to add machines to the domain. This was a major part of a Samba backed windows domain that troubled me.

I’m running Samba 3.0.21c, packaged by samba.org.


file:~# net rpc rights
net rpc rights list [{accounts|privileges} [name|SID]] View available or assigned privileges
net rpc rights grant Assign privilege[s]
net rpc rights revoke Revoke privilege[s]

Both ‘grant’ and ‘revoke’ require a SID and a list of privilege names.
For example

net rpc rights grant ‘VALE\biddle’ SePrintOperatorPrivilege SeDiskOperatorPrivilege

would grant the printer admin and disk manager rights to the user ‘VALE\biddle


file:~# net rpc rights list -U root
Password:
SeMachineAccountPrivilege Add machines to domain
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeBackupPrivilege Back up files and directories
SeRestorePrivilege Restore files and directories
SeRemoteShutdownPrivilege Force shutdown from a remote system
SePrintOperatorPrivilege Manage printers
SeAddUsersPrivilege Add users and groups to the domain
SeDiskOperatorPrivilege Manage disk shares


file:~# net rpc rights grant Administrator SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPriviledge -U root
Password:
Successfully granted rights.


file:~# net rpc rights list Administrator -U root
Password:
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

And now my ‘Administrator’ user can perform any of the tasks related to those rights. I’ve only used this to add machines to the domain so far, as I’ve not worked out how to make Windows tie into the samba add user functionality.
Resources: