
More 2 Cent Tips!



closing unneeded ports

Mike Orr (LG Contributing Editor)
Answered By Kapil Hari Paranjape, Peter Knaggs, Predrag Ivanovic, Thomas Adam

While most people know to turn off any services they don't want to offer the world, many do not realize this applies at the interface level as well as the service level.

[Kapil] Other than configuring this by editing the configuration files for the individual daemons that open the listening sockets, you can also use iptables/ipchains to block the (ir)relevant address/port pairs.
Here is the relevant portion of a file called "iptables.save" on a machine that runs a public web server and also accepts ssh connections.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 127.0.0.1 -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
You can enable this with
	iptables-restore < iptables.save
You can add/remove ports according to what connections you wish to accept. You should probably also accept some icmp connections in order to avoid losing routing information.

A typical networked computer has two interfaces: lo (the loopback) and eth0 (the Ethernet). Most daemons listen on all interfaces unless you tell them otherwise. Obviously, your web server, mail server, and CUPS (printer) server must listen on the public interface if you want other computers to access them. But if you're running mail or CUPS only for your own computer, you should make them listen only on the localhost. This eliminates a bunch of security vulnerabilities because inaccessible programs can't be exploited.

There are several portscanners available but good ol' netstat works fine if you're logged into the target computer.

# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:631                   *:*                     LISTEN
tcp        0      0 *:https                 *:*                     LISTEN
udp        0      0 *:bootpc                *:*
udp        0      0 *:631                   *:*

Add the "-n" option to bypass domain-name resolution. Here we see the secure web server listening on all interfaces (*:https), good. But CUPS is also listening on all interfaces (*:631, both TCP and UDP), bad. (We know port 631 is CUPS because that's what we type in our web browser to access the admin interface.) To make CUPS listen only on the localhost, I edited /etc/cups/cupsd.conf, commented the "Port 631" line and added "Listen localhost:631". (I like Listen better than Port because it shows in one line exactly which host:port combinations are in effect.) Note that you can't specify an interface directly, you have to specify the domain/IP attached to that interface.

Then I restarted the server and checked netstat again:

# /etc/init.d/cupsd restart
 * Stopping cupsd...
[ ok ]
 * Starting cupsd...
[ ok ]
# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:631           *:*                     LISTEN
tcp        0      0 *:https                 *:*                     LISTEN
tcp        0      0 10.0.0.1:32775          example.com:imaps ESTABLISHED
udp        0      0 *:bootpc                *:*
udp        0      0 *:631                   *:*

Good, the TCP line changed to "localhost:631". The UDP line is still "*:631". I searched the config file and "man cupsd" for "udp" but found nothing. I guess that means you can't turn it off? I decided not to worry about it.

There's a new line in netstat: "10.0.0.1:32775 to example.com:imaps". It looks like Mozilla Thunderbird is automatically checking for mail. 10.0.0.1 happens to be my public IP. (IPs/domains changed to protect the innocent.) It connected to the secure IMAP port on example.com. 32775 was a free port the kernel chose at random, as always happens when you connect to an external server.

There's still one suspicious line, "*:bootpc". I'm not running a diskless workstation or doing any exotic remote booting, so what is this? "lsof" is a very nifty program that tells you which process has a file or socket open.

# lsof -i :bootpc
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
dhcpcd  3846 root    4u  IPv4   5398       UDP *:bootpc

I am using DHCP, which runs this daemon while you're leasing an IP. I ran "man dhcpcd" and searched for "bootpc" and "port". Nothing. I guess it uses that port for some unknown reason. I decided not to worry about it.

[Kapil] Not quite. You shouldn't be running the dhcp-server (which is what the dhcpd program is). You are using dhcp in client mode so you should disable dhcpd from starting up.
[Peter] True, but the program in question listening on the UDP port 68 (bootpc) is "dhcpcd", not the dhcp-server which indeed has the name "dhcpd". When a client requests a DHCP address, a process (either "dhclient" or "dhcpcd") listens on UDP port 68.

It's eleven o'clock. Do you know which services your computer is running?

[Pedja] OK, what about this?
pedja@deus:~ ]$ netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:6000                  *:*                     LISTEN
That's X server, right?
root@deus:/home/pedja# lsof -i :6000
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
X       3840 root    1u  IPv6   9813       TCP *:6000 (LISTEN)
X       3840 root    3u  IPv4   9814       TCP *:6000 (LISTEN)
I should add something like 'tcp -nolisten' to the options that are passed to X when it starts (I use startx to, well, start X :-) ). My question is where to?
[Thomas]
/etc/X11/xinit/xserverrc
is the file you're looking for. By default (on most distros, anyway), the '-tcp nolisten' is set already.
[Pedja] There's no xserverrc in Crux, so I made one with
#!/bin/sh
exec /usr/X11R6/bin/X -dpi 100 -nolisten tcp
in it. I've put it in my home folder.
[Pedja] Should I make an alias in .bashrc, like
startx  () { /usr/X11R6/bin/startx -- -dpi 100 ${1+"$@"} 2>&1 | tee $HOME/.X.err ; }
or modify .xinitrc in ~, or... What's The Right Thing(tm) to do?
[Thomas] No alias. See above.
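As an added example (not part of the thread), here is a small Python audit of "netstat -a --inet" output that flags the wildcard-bound listeners walked through above (CUPS on 631, X on 6000, the DHCP client on bootpc). The sample output is constructed to match the thread, and the per-port notes and the PUBLIC_OK set are assumptions you would adapt to what your machine deliberately serves:

```python
"""Flag sockets that listen on every interface in `netstat -a --inet` output.

Added example, not from the Linux Gazette thread. The sample output is
constructed; the port notes and PUBLIC_OK are assumptions for this audit.
"""

# Constructed sample, modelled on the netstat output shown in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:631                   *:*                     LISTEN
tcp        0      0 localhost:25            *:*                     LISTEN
tcp        0      0 *:https                 *:*                     LISTEN
tcp        0      0 *:6000                  *:*                     LISTEN
tcp        0      0 10.0.0.1:32775          example.com:imaps       ESTABLISHED
udp        0      0 *:bootpc                *:*
udp        0      0 *:631                   *:*
"""

# Assumed notes for the ports the thread talks about (not from the page).
KNOWN = {
    "631": "CUPS - set 'Listen localhost:631' in cupsd.conf if printing is local only",
    "6000": "X server - start X with '-nolisten tcp'",
    "bootpc": "DHCP client (dhcpcd/dhclient) - expected while leasing an address",
}

# Services you deliberately offer to the world (assumed; edit to taste).
PUBLIC_OK = {"https", "443", "http", "80", "ssh", "22"}


def parse_netstat(text):
    """Return one dict per socket line; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        proto, _, _, local, foreign = fields[:5]
        state = fields[5] if len(fields) > 5 else ""   # UDP has no state column
        host, _, port = local.rpartition(":")            # "*:631" -> ("*", "631")
        sockets.append({"proto": proto, "host": host, "port": port,
                        "foreign": foreign, "state": state})
    return sockets


def exposed_listeners(text):
    """Sockets bound to every interface ('*') that are not known-public.

    TCP sockets count only in LISTEN state (an ESTABLISHED client connection
    is not a service); UDP has no state, so every wildcard-bound UDP socket
    is reported, which is exactly the '*:631' and '*:bootpc' case above.
    """
    found = []
    for s in parse_netstat(text):
        listening = s["state"] == "LISTEN" if s["proto"].startswith("tcp") else True
        if not listening or s["host"] != "*" or s["port"] in PUBLIC_OK:
            continue
        note = KNOWN.get(s["port"], "unknown service - check with: lsof -i :" + s["port"])
        found.append((s["proto"], s["port"], note))
    return found


if __name__ == "__main__":
    for proto, port, note in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto:4} *:{port:<8} {note}")
```

On a live system pipe real output in with `netstat -an --inet | python3 audit.py` after replacing SAMPLE_NETSTAT with sys.stdin.read().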


TFTP problem

mishradk (mishradk from vsnl.net)
Answered By Breen Mullins, Ben Okopnik

Hi,

I am a starter in GNU/Linux. I am using Linux Kernel 2.4.20-8 Redhat Linux 9.

I have written a TFTP client and server. I have created a UDP socket and, as per the RFC, I am sending a structure with the proper TFTP header and then data.

It is working fine and I am able to send and get files.

My problem is that when I use ethereal and tell it to capture the TFTP and specified port, it shows that the packets are UDP + data. I think I should get UDP header, then TFTP header and then data. But this is not happening in my case. My TFTP header is also coming as data.

How can I solve this problem...

[Breen] You're not by chance using a non-standard port for your tftp server, are you? If the traffic isn't on port 69/udp, ethereal won't know to decode it as TFTP.
[Ben] I think that your best bet would be to look at a standard TFTP conversation and compare it to yours. There may be some subtle difference that you're missing, or perhaps a part of the RFC that you're misinterpreting.

I don't have any guide. Hope to get a reply from you people.

[Ben] I have not read it myself, but I understand that Richard Stevens' "UNIX Network Programming" series is the classic reference for this kind of work.

Hi Breen

You are right. I had used a non-standard port, so it was not showing it as TFTP.

[Breen] Hi Deepak --
I've got two requests:
1) Please don't post html. Email is a text medium.
2) When you ask a question on a mailing list, you should follow up on the mailing list. That allows all subscribers to benefit from the answer you receive. I've added The Answer Gang back to the recipients of this email.
Glad we were able to help you!


HTTPS question

Mike Orr (LG Contributing Editor)
Answered By Jay R. Ashworth, Brian Bilbrey, Ramon van Alteren

Is there any way to have multiple HTTPS domains on the same IP/port? The mod_ssl FAQ says name-based virtual hosts are impossible with HTTPS [1]. I've got two sites currently on different servers. Each is distinguished by a path prefix ("/a" and "/b"), so they aren't dependent on the domain name and can be installed in the same virtual host. The boss wants them consolidated on one server, and to plan for additional sites in the future. The problem is the certificates. A certificate is domain-specific, and it looks like you can have only one per virtual host.

So person A types https://a.example.com/a/ and it authenticates fine, but person B types https://b.example.com/b/ and gets a "domain does not match certificate" dialog. (I have seen this in some cases, but haven't gotten it in my tests. But it may be because we're still using unofficial certificates and getting the "unknown certificate authority" dialog instead.) The only solutions seem to be using a general domain for all the sites, getting a separate IP for each one, or running them on nonstandard ports.

[1] http://www.modssl.org/docs/2.8/ssl_faq.html ("Why can't I use SSL with name-based/non-IP-based virtual hosts?")

[Jay] Correct. You can't have more than one SSL server per IP address, because the certs are IP based, not domain name based.
They have to be, if you think about it, because you can't spoof IP [1] the way you can spoof DNS.
[1] unless you manage a backbone. :-)
[Brian] I think, if your example is true, then [IIRC, you'll have to do more research] you can spend the bucks to get a wildcard cert that will handle [a-g].example.com/blah just fine. Alternatively, get extra IP addresses, alias the eth as needed, and multiple single-host certs can be applied. That works just fine. A separate set of SSL stanzas in each virtual host section, virtual host by number, not by name.
You may, in that case, actually want to run a separate invocation of apache for the SSL side of things, so that you can do IP-based virtual hosts for SSL, and name-based virtual hosts for port 80.
[Ramon] Because encryption is set up before any HTTP headers are sent, name based vhosting with multiple certificates is not possible.
The only thing that does work is multiple vhosts with one certificate that validates all of them. I've done that successfully with a project vhost server on ssl for multiple software development projects. You can get a wildcard certificate from rapidssl (http://www.rapidssl.com) for $199.
They're a dirt-cheap certificate provider, BTW: $69 for a two-year standard webserver certificate accepted in most (if not all) browsers.

If it were a small organization that would be a possibility. But we're part of a large organization and can't monopolize the entire domain (*.example.com). At the same time the sites are for multiple departments, and we haven't been able to come up with a *.subdomain.example.com that would satisfy all of them.

Oh wait, you're talking about wildcard IPs rather than wildcard domains? (checking rapidssl website) No, it is domains.

Hmm, getting a wildcard certificate would obviate the need for multiple certificates but that's actually the lesser of our problems. The greater problem is getting more IPs, justifying them, and putting in a new subnet for them. But I guess I'll tell management that if they really want these multiple domains on one computer, they'll have to factor a new block of IPs into the price.

Has anybody had experience with https://cert.startcom.org/ ? It appears to be a nonprofit project geared toward free certificates.

"The StartCom Certification Authority is currently undergoing an initial self and successive third party audit as required by various software vendors, such as Microsoft and Mozilla. This will lead to the natural support of the StartCom CA by the most popular browser and mail clients. Right now you still have to import our CA certificate into your browser, but chances are, that, during the life-time of your certificate (one year), your certificate will be supported without the need of the CA import."

Probably not an option for us yet, but it looks worth watching.

Duh, our netadmin pointed out that when the second site is moved over, we can take the IP from that computer. And my other site will replace seven other servers so we can take their IPs too. That'll last us past the foreseeable future. Anybody got a few HTTPS sites they need hosting for a year or two? (Just kidding.)


Mozilla hogging the screen

Neil Youngman (ny from youngman.org.uk)
Answered By Ben Okopnik

Mozilla has started hogging my screen. I can select other windows, but if Mozilla is maximised it remains in front of them. There is presumably a setting somewhere that is causing this behaviour, but the only setting I can find I can't seem to change. FYI, this is in KDE.

If I right click the Mozilla title bar and select advanced->special window settings->preferences, there is a checkbox either side of the "keep above" setting. The checkbox on the right is checked and greyed out. With a little fiddling I can get it unchecked, but if I click OK and then reopen the window to check it, I find that it is selected again.

I don't know if that setting is the source of the problem, but the other windows don't have it checked, so it's a good candidate.

Any ideas how to fix this one?

OK. Going down into the "special window settings" wasn't necessary. If I just use "advanced->keep above others" it toggles that checkbox. It's annoying and a little confusing that it can't be changed from "special window settings".

[Ben] Hmm. Perhaps one or two - my Firefox started doing some ugly thing a while back, so I whacked it over the head a couple of times, and will happily relate what LART I used. :) Mind you, this is in the nature of shotgunning rather than troubleshooting (I can hear the sounds of retching from the other techies here, but, hey, it works - and I didn't feel like pulling down a hundred meg or so of code and wanking through it.)
  1. Move your ~/.mozilla to, say, /tmp/DOTmoz.
  2. Start Mozilla.
  3. If $UGLY_BEHAVIOR is still present, uninstall the mozilla package (making sure to blow away, or at least _move_ away all the stuff in "/usr/lib" and "/etc") and reinstall from scratch. If it's still there, curse life and file a bug. :) Otherwise -
  4. Make a copy of your new ~/.mozilla (as, say, /tmp/DOTmoz_default.) Start replacing the subdirectories in the one in $HOME, one at a time, from /tmp/DOTmoz until the problem reappears. Narrow it down to the specific file, then diff that file against the default one. The line causing the problem should be relatively obvious - since Mozilla uses more-or-less sensible, descriptive names for their config variables.
To (mis)quote the folks at the Mozilla Project, "it worked for me."

I'd say this was starting from the wrong end. Possibly my fault because I flagged it as Mozilla hogging the screen. With window behaviours like this, it's far more likely to be a window manager issue.

I have solved the problem now. You should have seen a followup email on the list.

[Ben] I've had similar problems (back in Netscape days, actually), and thought that it was the WM originally - it just made sense. Turned out to be that Netscape was doing some of its own craziness, at least in that case; I can definitely see where it could just as easily be the WM.


Couple of perl related questions

Suramya Tomar (security from suramya.com)
Answered By Ben Okopnik, Jimmy O'Regan

Hi Everyone, I have a couple of questions for the perl experts that seem to lurk around the TAG mailing list.

[Ben] Never heard of any around here. :) However, I do play one on a center stage once in a while, so I'll try to help.

I was playing around with the Yahoo Search API and decided to write a program that uses it to search for images based on user input and creates a collage from the results. I actually managed to get it to work (http://scripts.suramya.com/CollageGenerator) but need some help in fine tuning it.

The program consists of two parts: the frontend, which is a php page, and the backend, which is a perl script. The PHP frontend writes the user input to a mysql DB which another perl script I call wrapper.pl checks frequently; when it finds a new row it calls the collage.pl that creates the collage.

[Jimmy] Um... is there any reason why the information has to be in a database? It seems like you're over complicating things: PHP is able to download files (IIRC, fopen can open from URLs), and Perl is well able to do CGI (use CGI ;), and can be embedded in HTML like PHP using HTML::Embperl (http://search.cpan.org/~grichter/HTML-Embperl-1.3.6/Embperl.pod). This page (http://www.cs.wcupa.edu/~rkline/perl2php) has a Perl to PHP 'translation', but it's also good for the other direction.
You can also directly embed Perl in PHP (http://www.zend.com/php5/articles/php5-perl.php), and PHP in Perl (http://search.cpan.org/~karasik/PHP-0.09/PHP.pm http://search.cpan.org/~gschloss/PHP-Interpreter-1.0/lib/PHP/Interpreter.pm), and Perl can read some PHP directly (http://search.cpan.org/~esummers/PHP-Include-0.2/lib/PHP/Include.pm).

The original machine where my site was hosted was not a very powerful machine so the collage creation took ages.

So I decided to use a client server model where I could run the backend on multiple machines and have each of them process a small portion of the requests which the system got. That's why there's a DB involved, so that I can keep track of who's working on what query and the backend can run on my home machine or a different more powerful system.

Right now I am running just one backend process but once I get most of the bugs worked out I will prob put them on other systems I have. (Just to decrease the wait time..)

Thanks for the links though, They will be useful in other programs I am thinking about. :)

Now my first problem is that I am using the following function to download the images to the local system for processing and I am not comfortable with it:

sub download_images
{
  my $url = shift;

  # Percent-encode the characters that would be special to the shell
  $url =~ s/\"/\%22/g;
  $url =~ s/\&/\%26/g;
  $url =~ s/\'/\%27/g;
  $url =~ s/\(/\%28/g;
  $url =~ s/\)/\%29/g;
  $url =~ s/\*/\%2A/g;
  $url =~ s/\+/\%2B/g;
  $url =~ s/\;/\%3B/g;
  $url =~ s/\[/\%5B/g;
  $url =~ s/\]/\%5D/g;
  $url =~ s/\`/\%60/g;
  $url =~ s/\{/\%7B/g;
  $url =~ s/\}/\%7D/g;
  $url =~ s/\|/\%7c/g;

  # print "Getting " . $url . "\n";

  # Hand the (still untrusted) URL to wget via the shell
  `wget -T 1 -t 1 -q $url`;
}

Is there a way I can download the images fast to my computer without having to use wget? I download up to 10 images each time for creating a collage. I don't like passing results I get from the net directly to a shell but this is the only way I could get it to work. Another disadvantage of wget is that if it can't download an image it takes forever to timeout and go to the next url in the list.

[Ben] Take a look at the LWP toolkit at http://cpan.org ; it contains support for any kind of HTTP/FTP/NNTP/etc. usage you might want from within Perl. The above can be done this way:
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

my $url = shift;   # the URL passed in, as in download_images() above

# Create user agent
my $u = LWP::UserAgent -> new;
# Configure the agent however you want - e.g., the timeout is an
# attribute of the user agent, not of the request
$u -> timeout( 10 );

# Create request
my $r = HTTP::Request -> new( GET => $url );

# Pass request to UA
my $ret = $u -> request( $r );

print "Error fetching $url\n" if $ret -> is_error();
There are much simpler ways to do it - i.e.,
perl -MLWP::Simple -we 'mirror "http://foo.bar.com", "foo.html"'
does the whole thing in one shot (mirror takes the URL and the local file to save it as) - but it's not nearly as flexible as the above approach, which allows tweaking any part of the interaction.

Thanks for the info. I will check out this package. It looks like it does what I want. How is this package speed wise/resource usage wise?

[Ben] Forgot to mention: this is untested code, just off the top of my head - but stands a reasonably good chance of working. See 'perldoc LWP::UserAgent' and 'perldoc HTTP::Request' for the exact public interface/usage info.

Ha ha, don't worry, I had guessed that this was the case. After all, I can't expect you to do all the work for me... ;) I will try out the code and let you know how it went.

The second problem is that my mysql connection seems to drop at random times during execution. What can I do to prevent the mysql server from going away?

[Ben] 1) Stop shelling out. If in doubt, read "perldoc perlsec" (Perl security considerations) - and then stop shelling out. :) This includes command substitution (backticks) as well as the 'system' call.
2) In any interaction involving file system calls the timing of which could affect the Perl functions, force the buffers to autoflush by setting the '$|' variable to non-zero. Oh, yeah - and stop shelling out. :)

Below is the code I use in wrapper.pl to check the DB for changes:

See attached wrapper.pl.txt

The script usually dies around the last $update->execute. What I think might be happening is that the collage.pl is taking too long to run and the DB connection times out, is that possible? Can I force the connection to not timeout? (I did try searching on google but didn't find any ways of changing the keep connection alive variable from a script).

Any ideas/suggestions? Thanks in advance for the help.

PS: Any suggestions on improving the script would be most welcome as I am using this to try to learn perl.


Securing rsync

Mike Orr (LG Contributing Editor)
Answered By Benjamin Donnachie, Kapil Hari Paranjape

I'm trying to get rsync access to an OS X server with a paranoid sysadmin who doesn't know much about Unix programs. (He's a GUI kind of guy.) He's offered me FTP access to one directory but I'd really like to use rsync due to its low-bandwidth nature and auto-delete feature (delete any file at the destination that's been deleted at the source). His main desire is not to grant a general-purpose account on the server, so if I can convince him that rsync+ssh can be configured to grant access only for rsync in that directory, I may have a chance. But since they're two separate programs (as opposed to *ftpd and mysqld, which can have private password lists for only their program), I'm not sure how to enforce that. Would I have to use rsyncd alone, which I guess means no encryption? (Granted, ftp has no encryption either, but I think he's just using that due to lack of knowledge of alternatives.)

(And when is ssync going to arrive, to avoid this dual-program problem?)

[Benjamin] Take a look at rssh (http://www.pizzashack.org/rssh/index.shtml) or scponly (http://sublimation.org/scponly) - both can be used together with ssh to restrict access to just rsync.
However, access to a single directory would probably require a user jail -- all is explained in the rssh and scponly docs, but it's not really for your "GUI" types.
[Kapil] I suppose you mean something that combines ssh and rsync. In any case your particular problem might be solved by means of an authorized_keys file entry that looks like (this is all on one line)
from="202.41.95.13",command="rsync -aCz --server --sender $SRCDIR  .",
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
ssh-dss [public key omitted here] kapil@neem
Here you must put the appropriate source directory in $SRCDIR.
The authorized key file can be put in a dummy users directory. This dummy user should have appropriate read/write permissions for the directory in question.
As an alternative you can use a configuration file "--config=$FILE" in place of $SRCDIR.
Once this is done, the owner of the SSH private key associated with the public-key (which is the bit that starts ssh-dss AAA....) can connect to the ssh server and start the above command and only the above command.


Boot from cd via floppy

Francis Daly (francis from daoine.org)
Answered By Thomas Adam, Ben Okopnik

Hi there,

I'm not a TAG subscriber, so I can't see the list archives to verify, but hopefully this mail isn't repeating something that you've already had a dozen times this month.

[Thomas] So far, you're the first. :)

From September's gazette: "my machine only boots from floppy, and I want it to boot from cd" might be addressed with a smart boot manager, such as sbm. The debian (sarge) one credits James Su and Lonius as authors, and says it was downloaded from http://www.gnuchina.org/~suzhe , but it looks like the useful content can now be found at http://btmgr.sourceforge.net

[Thomas] Indeed. It has been mentioned in the LG in the past (twice by me, and once by Ben, I believe.)
[Ben] Wasn't me; I hadn't run across SBM until now.
[Thomas] It's OK, and provides a lot of elaborate features that can be quite interesting on certain types of hardware, it has to be said.
[Ben] As is often the case, Debian already has it as a package (pretty amazing folks, those Debian maintainers!) -
ben@Fenrir:~$ apt-cache search smart boot
bmconf - The installer and configurator of the Smart Boot Manager
sbm - Smart Boot Manager (SBM) is a full-featured boot manager
As Francis has already mentioned, though, it won't boot USB devices. Too bad; that would make it quite useful, especially given that modern kernels are too big to fit on a floppy anymore.
By the way - the fact that they are too big annoys the hell out of me. There are plenty of folks out there who need floppy-based booting - troubleshooting and booting weird hardware configurations are two situations where that capability can be critical - and "new systems all come with a CD-ROM" is NOT equivalent to "all existing systems have a CD-ROM". Yeah, older kernels, whatever; as time goes on, those become less and less useful - and support less and less common hardware. I'll admit that I'm coming from ignorance here, but - there should have been a way to make the kernel modular enough to provide the "compile small kernel" option instead of just losing this important capability.

Thanks for the reply. Oops -- I hadn't spotted that. I did try searching for "sbm", and all I found was a (presumably) mis-spelled samba config file. But now that I try again, searching for "smart boot manager", I see that it does appear in the archives.

No harm done.

"sbminst" it to a floppy to confirm that it can use your hardware, then consider putting it in your primary disk mbr, consigning lilo or other boot loader to a partition or secondary disk. Of course this last bit presumes that "my machine only boots from floppy" really means "my machine only boots from floppy or one hard disk", but that's probably a reasonable assumption.

Worked for me with an ATAPI cd drive that the BIOS didn't like. I suspect it won't work with the SCSI cd in the original problem, sadly. And am almost certain that it also won't work with the USB stick in the original original problem. So it isn't a full solution -- or even a useful solution in these specific cases -- but it might help someone with a slightly different problem.


Security implications of root login over SSH

Riza Aziz (telefonixar from yahoo.com)
Answered By Kapil Hari Paranjape

Hi there,

I'm wondering if it's wise to allow a remote user within the LAN to log in as root, by adding that user's public key to root's "authorized_keys" for that machine.

[Kapil] There is an "sudo"-like mechanism within SSH for doing this. In the authorized_keys file you put a "command=...." entry which ensures that this key can only be used to run that specific command.
All the usual warnings a la "sudo" apply regarding what commands should be allowed. It is generally a good idea to also prevent the agent forwarding, X11 forwarding and pty allocation.
Here is an entry that I use for "rsync" access. (I have wrapped the line and AAAA.... is the ssh key which has been truncated).
from="172.16.1.28",command="rsync -aCz --server --sender . .",
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
ssh-dss AAAA..... rsyncuser
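The entry above, like the identical rsync entry in the "Securing rsync" thread earlier, puts every restriction in the options field of the authorized_keys line, so a mistake there silently hands out a shell. As an added example that is not from the thread, this Python checker parses such entries (quoted values may contain spaces and commas) and reports keys that still allow a full login; the entries are constructed and the key material is a placeholder:

```python
"""Audit authorized_keys entries for the forced-command pattern.

Added example, not from the Linux Gazette thread. The sample entries are
constructed and 'AAAA-PLACEHOLDER-KEY' stands in for real key material.
"""

REQUIRED_RESTRICTIONS = {"no-port-forwarding", "no-X11-forwarding",
                         "no-agent-forwarding", "no-pty"}
KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")

SAMPLE_AUTHORIZED_KEYS = [
    # The rsync-only entry from the thread, re-joined onto one line.
    'from="172.16.1.28",command="rsync -aCz --server --sender . .",'
    'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty '
    'ssh-dss AAAA-PLACEHOLDER-KEY rsyncuser',
    # No options at all: a full shell for whoever holds the private key.
    'ssh-dss AAAA-PLACEHOLDER-KEY admin@laptop',
    # Forced command, but pty and forwarding are still allowed.
    'command="rsync --server --sender . ." ssh-rsa AAAA-PLACEHOLDER-KEY backup',
]


def tokenize(line):
    """Split on whitespace, but keep quoted spans (with their spaces) intact."""
    tokens, cur, quoted, prev = [], [], False, ""
    for ch in line.strip():
        if ch == '"' and prev != "\\":
            quoted = not quoted
            cur.append(ch)
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        prev = ch
    if cur:
        tokens.append("".join(cur))
    return tokens


def split_options(opts):
    """Split 'a,b="x,y",c' into ['a', 'b=x,y', 'c'], dropping the quotes."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(opts):
        ch = opts[i]
        if ch == '"':
            quoted = not quoted
        elif ch == "\\" and quoted and i + 1 < len(opts):
            i += 1                      # keep the escaped character literally
            cur.append(opts[i])
        elif ch == "," and not quoted:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    items.append("".join(cur))
    return items


def parse_entry(line):
    """Return {'options', 'type', 'key', 'comment'} or None for blank/comment lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    tokens = tokenize(line)
    options = {}
    if tokens[0] not in KEY_TYPES:          # first token is the options field
        for item in split_options(tokens.pop(0)):
            name, _, value = item.partition("=")
            options[name] = value if "=" in item else True
    if len(tokens) < 2 or tokens[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys entry: " + line)
    return {"options": options, "type": tokens[0], "key": tokens[1],
            "comment": " ".join(tokens[2:])}


def audit_entry(line):
    """List what the entry still permits; an empty list means it matches the pattern above."""
    entry = parse_entry(line)
    if entry is None:
        return []
    opts = entry["options"]
    findings = []
    if "command" not in opts and "restrict" not in opts:
        findings.append("no command= : key grants a full login shell")
    missing = REQUIRED_RESTRICTIONS - set(opts)
    if missing and "restrict" not in opts:   # 'restrict' (newer OpenSSH) implies all four
        findings.append("missing " + ",".join(sorted(missing)))
    if "from" not in opts:
        findings.append("no from= : key usable from any source address")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_AUTHORIZED_KEYS:
        print(parse_entry(line)["comment"], audit_entry(line) or "OK")
```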

I'm writing some scripts to back up data on our small business network here. One option is to get each machine to periodically dump its data on a specific machine using NFS. The option I'm interested in is to get a designated machine to remotely login to each machine and transfer the files over a tar-ssh pipe.

The only reason to be using root access is because some directories (/root, some in /var/lib) can only be read by root. Would changing permissions (e.g. /var/lib/rpm) affect anything, if I chgrp the directories to a "backup" usergroup?

I'm concerned with one machine, a web server, that will be included in the backup scheme. All machines here use Class A private network addresses and are behind a NAT firewall, but the web server can be accessed from the Internet. Will allowing root login over ssh on that machine pose a huge security risk, even by allowing ssh traffic from only the local network?


This page edited and maintained by the Editors of Linux Gazette
HTML script maintained by Heather Stern of Starshine Technical Services, http://www.starshine.org/


Copyright © 2005, . Released under the Open Publication license unless otherwise noted in the body of the article. Linux Gazette is not produced, sponsored, or endorsed by its prior host, SSC, Inc.

Published in Issue 119 of Linux Gazette, October 2005
