The importance of keeping your storage array firmware up to date
A couple of weeks back I attempted to migrate a pair of clustered Solaris 10 servers to a new disk storage array. After rebooting into single user mode to pick up the new devices, I went to add the new quorum disk with clquorum. This resulted in both nodes panicking with the following panic string: At first I thought I was doing something wrong, but after a lot of research I figured out that there were a couple of Solaris-related bugs in the version of the storage array firmware we were using. One of the bugs was triggering the panic above, and after the array was patched everything worked as expected…
$ read more →How to figure out if a processes has been chroot()'ed
A number of applications (e.g., custom chroot jails, openssh, vsftp, apache) support the ability to chroot themselves. To find out if a process called chroot() at startup, you can check the /proc/ /root entry for the process. For non-chrooted processes this entry will point to /: For a chrooted process the root directory will point to the directory passed to the chroot() system call: Chroot environments can be made secure, especially if you follow the coding practices discussed in Building Secure Software and Using Chroot Securely. These are must reads for anyone who plans to use chroot()!
$ read more →Learn Python video series from Google
I've been trying to expand my Python knowledge and recently came across Nick Parlante's 6-part learn Python series on Youtube. I've watched several of the videos, and I am impressed with Nick's teaching ability. Here are links to the 6-part series: Day 1 part 1: Introduction and Strings: Watch on YouTube Day 1 part 2: Lists, Sorting and Tuples: Watch on YouTube Day 1 part 3: Dicts and Files: Watch on YouTube Day 2 part 1: Regular Expressions: Watch on YouTube Day 2 part 2: OS and Commands Watch on YouTube Day 2 part 3: URLs, HTTP and Exceptions Watch on YouTube If you are looking to learn Python this is a great place to start!
$ read more →A couple of gotchas with the OpenSSH chroot() implementation
I previously discussed the OpenSSH Match directive, and how it can be used to chroot SSH and SFTP users. Over the past couple of months I've encountered some gotchas with the chroot implementation in OpenSSH. Since I had to figure these items out myself, I figured I would share my findings here so folks wouldn't need to spend hours looking at source code (if you want to geek out and see how this works, check out session.c in the OpenSSH source code). The first gotcha occurs when the users home directory doesn't have the correct permissions…
$ read more →How to encrypt an SSH private key
If you are using SSH key-based authentication you should be encrypting your private key. This ensures that if someone breaks into your server and steals your keys, they won't be able to utilize them to access other systems. If your private key isn't encrypted you can use the ssh-keygen utilities "-p" option to do so: This option can be used to change the password used to encrypt a private key, and to add a password to an existing private key. Viva la OpenSSH!
$ read more →