Archive

Posts Tagged ‘linux’

Sharing CentOS Files with Remote Windows Systems- …

Although Linux is increasingly making inroads into the desktop market, its origins are very much server based. It is not surprising therefore that Linux has the ability to act as a file server. It is also extremely common for Linux and Windows systems to be used side by side both in home and business environments.

It is a common requirement, therefore, that files on a Linux system be accessible to both Linux, UNIX and Windows based systems over network connections. Similarly, shared folders residing on Windows systems must also be accessible from CentOS systems.

Windows systems share resources such as file systems and printers using a protocol called Server Message Block(SMB). In order for a Linux system to serve such resources over a network to a Windows system and vice versa it must, therefore, support SMB. This is achieved using Linux based technology called Samba. In addition to providing integration between Linux and Windows systems, Samba may also be used to provide folder sharing between Linux systems.

In this tutorial we will look at the steps necessary to share file system resources and printers on a CentOS system with remote Windows and Linux systems.

Read the tutorial here

SOURCE

Advertisements

Install JBoss 7.0.2 Application Server on Ubuntu 11.10 or Ubuntu 11.04 or Ubuntu 10.10 or Ubuntu 10.04 LTS

Uploading Known ssh Host Key in EC2 user-data Script

June 2, 2012 1 comment

I have not tested this personally, but seems to be a correctly put by  . If you try, do let me know if you find any catchs. 🙂

The ssh protocol uses two different keys to keep you secure:

  1. The user ssh key is the one we normally think of. This authenticates us to the remote host, proving that we are who we say we are and allowing us to log in.
  2. The ssh host key gets less attention, but is also important. This authenticates the remote host to our local computer and proves that the ssh session is encrypted so that nobody can be listening in.

Every time you see a prompt like the following, ssh is checking the host key and asking you to make sure that your session is going to be encrypted securely.

The authenticity of host 'ec2-...' can't be established. ECDSA key fingerprint is ca:79:72:ea:23:94:5e:f5:f0:b8:c0:5a:17:8c:6f:a8. Are you sure you want to continue connecting (yes/no)? 

If you answer “yes” without verifying that the remote ssh host key fingerprint is the same, then you are basically saying:

I don’t need this ssh session encrypted. It’s fine for any man-in-the-middle to intercept the communication.

Ouch! (But a lot of people do this.)

Note: If you have a line like the following in your ssh config file, then you are automatically answering “yes” to this prompt for every ssh connection.

# DON'T DO THIS! StrictHostKeyChecking false 

Care about security

Since you do care about security and privacy, you want to verify that you are talking to the right server using encryption and that no man-in-the-middle can intercept your session.

There are a couple approaches you can take to check the fingerprint for a new Amazon EC2 instance. The first is to wait for the console output to be available from the instance, retrieve it, and verify that the ssh host key fingerprint in the console output is the same as the one which is being presented to you in the prompt.

Scott Moser has written a blog post describing how to verify ssh keys on EC2 instances. It’s worth reading so that you understand the principles and the official way to do this.

The rest of this article is going to present a different approach that lets you in to your new instance quickly and securely.

Passing ssh host key to new EC2 instance

Instead of letting the new EC2 instance generate its own ssh host key and waiting for it to communicate the fingerprint through the EC2 console output, we can generate the new ssh host key on our local system and pass it to the new instance.

Using this approach, we already know the public side of the ssh key so we don’t have to wait for it to become available through the console (which can take minutes).

Generate a new ssh host key for the new EC2 instance.

tmpdir=$(mktemp -d /tmp/ssh-host-key.XXXXXX) keyfile=$tmpdir/ssh_host_ecdsa_key ssh-keygen -q -t ecdsa -N "" -C "" -f $keyfile 

Create the user-data script that will set the ssh host key.

userdatafile=$tmpdir/set-ssh-host-key.user-data cat <<EOF >$userdatafile #!/bin/bash -xeu cat <<EOKEY >/etc/ssh/ssh_host_ecdsa_key $(cat $keyfile) EOKEY cat <<EOKEY >/etc/ssh/ssh_host_ecdsa_key.pub $(cat $keyfile.pub) EOKEY EOF 

Run an EC2 instance, say Ubuntu 11.10 Oneiric, passing in the user-data script. Make a note of the new instance id.

ec2-run-instances --key $USER --user-data-file $userdatafile ami-4dad7424 instanceid=i-... 

Wait for the instance to get a public DNS name and make a note of it.

ec2-describe-instances $instanceid host=ec2-...compute-1.amazonaws.com 

Add new public ssh host key to our local ssh known_hosts after removing any leftover key (e.g., from previous EC2 instance at same IP address).

knownhosts=$HOME/.ssh/known_hosts ssh-keygen -R $host -f $knownhosts ssh-keygen -R $(dig +short $host) -f $knownhosts ( echo -n "$host "; cat $keyfile.pub echo -n "$(dig +short $host) "; cat $keyfile.pub ) >> $knownhosts 

When the instance starts running and the user-data script has executed, you can ssh in to the server without being prompted to verify the fingerprint

ssh ubuntu@$host 

Don’t forget to clean up and to terminate your test instance.

rm -rf $tmpdir ec2-terminate-instances $instanceid 

Caveat

There is one big drawback in the above sample implementation of this approach. We have placed secret information (the private ssh host key) into the EC2 user-data, which I generally recommend against.

Any user who can log in to the instance or who can cause the instance to request a URL and get the output, can retrieve the user-data. You might think this is unlikely to happen, but I’d rather avoid or minimize unnecessary risk.

In a production implementation of this approach, I would take steps like the following:

  1. Upload the new ssh host key to S3 in a private object.
  2. Generate an authenticated URL to the S3 object and have that URL expire in, say, 10 minutes.
  3. In the user-data script, download the ssh host key with the authenticated, expiring S3 URL.

Now, there is a short window of exposure and you don’t have to worry about protecting the user-data after the URL has expired.

SOURCE

Install JAVA on Linux using rpm files

May 18, 2012 3 comments

Steps for installing JAVA (JDK 6) on linux using rpm files:

1. Log into the linux shell and become root user by running the command

su –i

2. Change directory.

cd /opt

3. Please search at http://www.oracle.com/technetwork/java/javase/downloads/index.html for newer versions to download.

You can download to any directory you choose; it does not have to be the directory where you want to install the JDK. Before you download the file, notice its byte size provided on the download page on the web site. Once the download has completed, compare that file size to the size of the downloaded file to make sure they are equal.

To download use one of the below commands, depending on the server’s architecture (32/64 bit) :
64 bit:
wget http://download.oracle.com/otn-pub/java/jdk/6u31-b04/jdk-6u31-linux-x64-rpm.bin

32 bit:
wget http://download.oracle.com/otn-pub/java/jdk/6u31-b04/jdk-6u31-linux-i586-rpm.bin

4. Make sure that execute permissions are set in the self-extracting binary.
Enter ls –la to see the permissions for the file.

5. Run below command to grant execute permission to the file:

chmod a+x <<name-of-rpm-file-downloaded-earlier>>
 
For e.g.:
chmod +x jdk-6u25-linux-x64-rpm.bin\?e\=1306317438\&h\=294de0d36f54e28dd65fc8370e3c406d

6. Change directory to the location where you would like the files to be installed. The next step installs the JDK into the current directory.

7. Execute the downloaded file, prepended by the path to it.
For example, if the file is in the current directory, prepend it with “./”  :
./<<name-of-rpm-file-downloaded-earlier>>
For e.g.:

./jdk-6u25-linux-x64-rpm.bin\?e\=1306317438\&h\=294de0d36f54e28dd65fc8370e3c406d

8. The binary code license is displayed, and you are prompted to agree to its terms.

9. Check if java is installed using command

java -version

The java version must be displayed correctly. You may also want to run commands like java or javac to check if installation is proper.

10. Execute below command to test if the JAVA_HOME environment variable is set.

echo $JAVA_HOME

It must display the location where java is installed.

11.  Delete the bin and rpm files if you want to save disk space.

rm -rf sun*