The easiest way to test the memory in your Intel-based PC!

Most admins have a series of tools they use to check for faulty hardware. This toolkit most likely includes the ultimate boot disk, a network accessible memtest and preclear_disk.sh on a USB stick. I was always curious why Linux disitrubtions didn’t integrate these items into their install / live CDs, since it would make debugging flakey hardware a whole lot easier. Well, I was pleasantly surprised this week when I booted the Fedora 14 installation DVD and saw the following screen:

null

Once I selected the memory test option I was thrown directly into memtest:

null

This is solid, since one CD can now be used to test the memory in a server and repair things that go south. The Fedora 14 CD can be downloaded from the Fedora project website, and it’s definitely something that every Fedora admin should burn and store in a readily accessible location.

Forcing your Linux users to use strong passwords

All SysAdmins know the importance of using strong passwords. These are the life blood of our systems, since a weak password will allow an adversary to enter our systems with a minimal amount of work. There are dozens of tools that can generate strong passwords, as well as a number of tools that can be used to force users to select strong passwords when they change their passwords.

The most common way to enforce strong passwords is through the pam_cracklib.so PAM plug-in. This useful module checks the input password against a series of rules. The rules cover a wide variety of criteria, including:

1. Is the password a palindrome?

2. Is the only difference between the new and old password a change of case?

3. Is the new password similar to the old password?

4. Is the new password too small?

5. Is the new password a rotated version of the old password?

6. Does the new password contain the user’s name?

The pam_cracklib.so shared library contains a number of options to control the size and strength of the password as well as the number of times the user can retry changing their password after a failure. These options are passed to the pam_cracklib.so plug-in via one more options specified in the file for each facility you need to enforce strong passwords on. Here is one example:

$ cd /etc/pam.d && grep pam_cracklib.so password-auth
password requisite pam_cracklib.so try_first_pass retry=3 type=

All of the options are documented in the pam_cracklib(8) manual page, so I won’t go into any additional detail on them. While I was reading about this module I found out that the libcrack.so library is the heart and sole of password complexity checking, and there is a good amount of documentation that describes how to integrate this with your software. It’s also neat to see installers taking advantage of this. I recently input a weak Fedora password to see what would happen, and to my amazement Fedora immediately printed a warning tell me that I was using a weak password. We all know we need to use strong passwords, and pam_cracklib.so can ensure that you and your users are actively doing so!

Finding approximate matches in a data file with agrep

A few weeks back I ran into a situation that required me to locate a data given a file with various variations of that data. I proceeded to grep for each form of the string (e.g., “teh”, “the”, “tte”) I could think of, but wasn’t getting the results I wanted. After a bit of poking around, I came across the incredibly useful agrep utility. This utility allows you to look for approximate matches in files, specifying the number of variations that can occur. If you were given a file with various variations of the string “the”:

$ cat input.txt
teh
the
tte
thw

You could locate each string by running agrep with the string you want to look for and a variation of 1:

$ agrep -1 the input.txt
teh
the
tte
thw

This is a useful utility and one I hope my fellow SysAdmins enjoy. Hope everyone had a merry Christmas!

Making sense of the various routing / firewall solutions that are available

I am currently running dd-wrt at home. Dd-wrt works pretty well, but I recently started to do some digging to see what other routing / firewall solutions existed. There are a bunch of routing / firewall gateway solutions available, and each one provides a unique experience. Some run on Linux, some on OpenBSD, and others on Linux. Most of the solutions have a GUI of some sorts to assist with configuring the device, but one or two require you to use the good old CLI. A number of solutions provide pretty visuals to review traffic and connectivity information, while others require you do use character-based tools to see what is up with your router. Of the various solutions I’ve look at, the following ones stood out:

IPcop – Linux firewall distribution with a web-based GUI.

pfsense – Customized FreeBSD distribution tailored for firewall / routing use.

Tomato – Replacement routing / firewalling firmware for Linsys and Buffalo routers.

dd-wrt – Replacement routing / firewalling firmware for various routers.

m0n0wall – Embedded firewall package for FreeBSD.

There are additional solutions out there, and I suspect the decision on which one to use really comes down to how customizable you need it to be and more importantly how much time do you want to devote to installing and maintaining it. There are also questions like do you want to dedicate a PC to routing and firewalling your networks? Will a cheap $50 router from Fry’s be able to handle your traffic? Maybe you want to fine tune everything about your firewall so rolling your own installation with OpenBSD or Linux is the only solution. I’ve been extremely content with dd-wrt, and about the only thing I could see myself doing is upgrading to a newer router that has a faster CPU, more memory and 802.11N. What routing / firewalling solution do you use? Any other quality firewall / routing gateways you would add to this list?

Locating the SSH key type and key size from a public key file

One of my friends sent me an e-mail earlier this week inquiring about SSH keys. Specifically, he wanted to know how he could determine the type of key and the key-size in a public key file. All openssh implementations ship with the ssh-keygen utility, which has a “-l” option that can be used to print the type of key, the size of the key and the key’s fingerprint:

$ ssh-keygen -l -f id_dsa.pub
1024 a1:89:c8:19:a0:1a:d7:37:fa:5d:22:24:97:d7:6e:3d id_dsa.pub (DSA)

I needed to summarize all of the keys on some systems I managed a few years back, and found a new friend in ssh-keygen.