Most of my readers utilize SSH keys to access remote systems. The security benefits are well known, and key-based authentication makes automating remote tasks a whole lot easier. When you use key-based authentication it becomes imperative to protect your private key, since a third party could access your systems if they were able to gain access to your account. The SSH key generator (ssh-keygen) will attempt to encrypt your private key by default, and ssh-keygen can also be used to add a password to a private key after the fact.
With passwords come prompts, and with prompts comes frustration. To alleviate this frustration you can use the ssh-agent process to minimize the number of times you need to type your password. Ssh-agent stores your private keys securely in memory, and hands them out to the ssh process when you attempt to connect to remote systems. Keys are added to ssh-agent through the ssh-add command line utility, which will prompt you for your private key password prior to adding them to the keys held in memory by ssh-agent.
Each time you access a remote system the ssh client will contact the ssh-agent process to acquire your private keys. If you start ssh-agent and run ssh-add to add your private keys when you login to a server, you will now be able to access other hosts using key-based authentication without a password for the length of the shell session. You will find this especially useful when you are using tools like clusterit to manage remote machines.
To automate the process above, I like to modify my bash environment to prompt me for the password when I login to my servers. The ssh-add prompt I get looks similar to this:
$ ssh proxy.prefetch.net
Last login: Tue Jan 17 20:37:54 2012 from 192.168.1.121
Starting an ssh-agent process
Enter passphrase for /home/matty/.ssh/id_dsa:
Identity added: /home/matty/.ssh/id_dsa (/home/matty/.ssh/id_dsa)
Once I’ve input the correct password I can then access other systems freely and without a password. So what exactly did I do to integrate ssh-agent into my shell environment? First I added an exec statement to create an ssh-agent process and make the bash process a child of it (the reasons why this is required are documented in the SSH FAQ):
$ grep ssh-agent .bash_profile
# Start an ssh-agent process and start bash as a child of it
echo "Starting an ssh-agent process"
exec ssh-agent bash
Once ssh-agent is tied into the environment I call ssh-add from my .bashrc to add my private keys:
$ grep ssh-add .bashrc
# Add the encrypted private keys to my in-memory key store with ssh-add.
echo "Calling ssh-add to add my private key to ssh-agent"
ssh-add
The second entry is what causes the following password prompt when I login to my servers:
Enter passphrase for /home/matty/.ssh/id_dsa:
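As an added example (not part of the original post; the function names are my own), here is a variant of the .bash_profile/.bashrc setup above that first looks for an agent that is already reachable through SSH_AUTH_SOCK, and only starts a new agent or prompts for the passphrase when ssh-add -l reports that none is loaded. This avoids spawning a fresh agent (and a fresh prompt) for every nested or screen/tmux shell.

```shell
#!/bin/sh
# Added example, not from the original post. Reuses an agent that is
# already reachable instead of exec'ing a new "ssh-agent bash" on every
# login shell, and prompts for the passphrase only when the agent holds
# no identities.

# True when SSH_AUTH_SOCK is set and names a live socket.
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Classify the agent by the documented exit status of "ssh-add -l":
#   0 = identities loaded, 1 = agent reachable but empty, 2 = no agent.
agent_state() {
    if ! agent_reachable; then
        echo "no-agent"
        return 0
    fi
    if ssh-add -l >/dev/null 2>&1; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "loaded" ;;
        1) echo "empty" ;;
        *) echo "no-agent" ;;
    esac
}

# Drop-in replacement for the exec/ssh-add lines shown above.
start_agent_if_needed() {
    case "$(agent_state)" in
        no-agent)
            # eval so SSH_AUTH_SOCK and SSH_AGENT_PID land in this shell
            eval "$(ssh-agent -s)" >/dev/null
            echo "Calling ssh-add to add my private key to ssh-agent"
            ssh-add
            ;;
        empty)
            ssh-add
            ;;
        loaded)
            : # keys already present, no prompt needed
            ;;
    esac
}
```

Calling start_agent_if_needed from .bash_profile replaces the exec line; ssh-add also accepts -t <life> if you want a loaded identity to expire after a set time rather than living for the whole session.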
I always try to do everything I can to improve security, and this is definitely one of those things every admin should do to protect their beloved private key(s). :) If you are doing something differently, please share your thoughts in the comment section below.
I just came across the new boston video tutorial series. I’ve watched 20 of the PHP videos and am hooked. The production quality is great, and the content is really, really good! Once I finish the 200 PHP videos I plan to watch their MySQL and HTML5 videos. Can’t recommend these videos enough, and the fact that they’re free makes them even better! Nice!
A couple of weeks back I attempted to migrate a pair of clustered Solaris 10 servers to a new disk storage array. After rebooting into single user mode to pick up the new devices, I went to add the new quorum disk with clquorum. This resulted in both nodes panicking with the following panic string:
panic[cpu3]/thread=fffffe800125bc60: Reservation Conflict
Disk: /scsi_vhci/disk@g6000d310002c6700000000000000003e
fffffe800125ba40 fffffffff7959e39 ()
fffffe800125ba70 sd:sd_pkt_status_reservation_conflict+c8 ()
fffffe800125bab0 sd:sdintr+431 ()
fffffe800125bb50 scsi_vhci:vhci_intr+3da ()
fffffe800125bb70 fcp:ssfcp_post_callback+4a ()
fffffe800125bba0 fcp:ssfcp_cmd_callback+4c ()
fffffe800125bc00 qlc:ql_task_thread+756 ()
fffffe800125bc40 qlc:ql_task_daemon+94 ()
fffffe800125bc50 unix:thread_start+8 ()
At first I thought I was doing something wrong, but after a lot of research I figured out that there were a couple of Solaris-related bugs in the version of the storage array firmware we were using. One of the bugs was triggering the panic above, and after the array was patched everything worked as expected. Keeping up to date with firmware is just as important as keeping up to date with OS patches. It’s amazing how many firmware bugs there are, and they bite you in the oddest ways.
A number of applications (e.g., custom chroot jails, openssh, vsftp, apache) support the ability to chroot themselves. To find out if a process called chroot() at startup, you can check the /proc//root entry for the process. For non-chrooted processes this entry will point to /:
$ ps auxwww | grep [s]endmail
root 3643 0.0 0.1 69032 2344 ? Ss 2011 0:01 sendmail: accepting connections
smmsp 3651 0.0 0.0 59784 1780 ? Ss 2011 0:01 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
$ cd /proc/3643
$ ls -lad root
lrwxrwxrwx 1 root root 0 Jan 22 10:23 root -> /
For a chrooted process the root directory will point to the directory passed to the chroot() system call:
$ ps auxwww | grep [n]amed
named 18298 0.0 2.3 243632 49084 ? Ssl 2011 15:16 /usr/sbin/named -u named -t /var/named/chroot
$ cd /proc/18298
$ ls -lad root
lrwxrwxrwx 1 named named 0 Jan 22 10:19 root -> /var/named/chroot
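As an added example (not part of the original post; function names are mine), the same /proc root check as a small script that scans every process and reports the ones whose root is not /. PROC_ROOT can be pointed at a constructed tree so the scan can be exercised without real processes; it defaults to /proc.

```shell
#!/bin/sh
# Added example, not from the original post: automate the
# "ls -lad /proc/<pid>/root" check across all processes.

# Print the root directory of one process, or nothing if it cannot be
# read (the process exited, or the caller lacks ptrace-level access to
# another user's process, which is what readlink on /proc/<pid>/root needs).
chroot_of() {
    readlink "${PROC_ROOT:-/proc}/$1/root" 2>/dev/null
}

# Emit "pid root" for every process whose root directory is not "/".
find_chrooted() {
    for d in "${PROC_ROOT:-/proc}"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        root=$(chroot_of "$pid") || continue
        if [ -n "$root" ] && [ "$root" != "/" ]; then
            echo "$pid $root"
        fi
    done
}

# Constructed sample tree (not real processes) mirroring the two listings
# above: a non-chrooted sendmail and a named running with -t /var/named/chroot.
make_sample_proc() {
    t=$(mktemp -d)
    mkdir -p "$t/3643" "$t/18298"
    ln -s / "$t/3643/root"
    ln -s /var/named/chroot "$t/18298/root"
    echo "$t"
}
```

Run as root to see every process; as an unprivileged user the scan silently skips processes it is not allowed to inspect.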
Chroot environments can be made secure, especially if you follow the coding practices discussed in Building Secure Software and Using Chroot Securely. These are must reads for anyone who plans to use chroot()!
I’ve been trying to expand my Python knowledge and recently came across Nick Parlante’s 6-part learn Python series on YouTube. I’ve watched several of the videos, and I am impressed with Nick’s teaching ability. Here are links to the 6-part series:
Day 1 part 1: Introduction and Strings:
Day 1 part 2: Lists, Sorting and Tuples:
Day 1 part 3: Dicts and Files:
Day 2 part 1: Regular Expressions:
Day 2 part 2: OS and Commands
Day 2 part 3: URLs, HTTP and Exceptions
If you are looking to learn Python this is a great place to start!