Blog O' Matty


Forcing your Linux users to use strong passwords

This article was posted by Matty on 2010-12-29 11:42:00 -0400

All SysAdmins know the importance of using strong passwords. These are the lifeblood of our systems, since a weak password will allow an adversary to enter our systems with a minimal amount of work. There are dozens of tools that can generate strong passwords, as well as a number of tools that can be used to force users to select strong passwords when they change their passwords.

The most common way to enforce strong passwords is through the pam_cracklib.so PAM plug-in. This useful module checks the input password against a series of rules. The rules cover a wide variety of criteria, including:

  1. Is the password a palindrome?
  2. Is the only difference between the new and old password a change of case?
  3. Is the new password similar to the old password?
  4. Is the new password too small?
  5. Is the new password a rotated version of the old password?
  6. Does the new password contain the user’s name?
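The rule types in this list, sketched as an added Python example (not code from pam_cracklib.so or from the original post). The thresholds `min_len` and `min_new_chars`, the rule names and the sample passwords are assumptions chosen for illustration, and the real module's logic differs in detail:

```python
# Added illustration: simplified versions of the rule types listed above.
# min_len and min_new_chars are assumed thresholds, not pam_cracklib defaults.

def is_palindrome(new):
    return new == new[::-1]

def is_case_change_only(old, new):
    return old.lower() == new.lower()

def is_similar(old, new, min_new_chars):
    # Too few characters in the new password that the old one lacks.
    fresh = sum(1 for ch in new if ch not in old)
    return fresh < min_new_chars

def is_rotation(old, new):
    # Any rotation of old ("horsecorrect" from "correcthorse") appears in old+old.
    return len(old) == len(new) and new in old + old

def contains_username(user, new):
    # Checks the user name in straight and reversed form, case-insensitively.
    u = user.lower()
    return bool(u) and (u in new.lower() or u[::-1] in new.lower())

def check_password(user, old, new, min_len=9, min_new_chars=5):
    """Return the names of the rules the new password violates ([] = accepted)."""
    rules = [
        ("palindrome", is_palindrome(new)),
        ("case_change_only", is_case_change_only(old, new)),
        ("similar", is_similar(old, new, min_new_chars)),
        ("too_short", len(new) < min_len),
        ("rotated", is_rotation(old, new)),
        ("contains_username", contains_username(user, new)),
    ]
    return [name for name, failed in rules if failed]

if __name__ == "__main__":
    # Constructed sample passwords for a hypothetical user "matty".
    for candidate in ("summer2010!", "xyz12321zyx", "xMatty-84-kqz", "kV7#pq-Lz3u8"):
        print(candidate, check_password("matty", "Summer2010!", candidate))
```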

The pam_cracklib.so shared library contains a number of options to control the size and strength of the password as well as the number of times the user can retry changing their password after a failure. These options are passed to the pam_cracklib.so plug-in via one or more options specified in the file for each facility on which you need to enforce strong passwords. Here is one example:

$ cd /etc/pam.d && grep pam_cracklib.so password-auth

password requisite pam_cracklib.so try_first_pass retry=3 type=

All of the options are documented in the pam_cracklib(8) manual page, so I won’t go into any additional detail on them. While I was reading about this module I found out that the libcrack.so library is the heart and soul of password complexity checking, and there is a good amount of documentation that describes how to integrate this with your software. It’s also neat to see installers taking advantage of this. I recently input a weak Fedora password to see what would happen, and to my amazement Fedora immediately printed a warning telling me that I was using a weak password. We all know we need to use strong passwords, and pam_cracklib.so can ensure that you and your users are actively doing so!

Finding approximate matches in a data file with agrep

This article was posted by Matty on 2010-12-27 12:34:00 -0400

A few weeks back I ran into a situation that required me to locate a piece of data in a file that contained several variations of that data. I proceeded to grep for each form of the string (e.g., “teh”, “the”, “tte”) I could think of, but wasn’t getting the results I wanted. After a bit of poking around, I came across the incredibly useful agrep utility. This utility allows you to look for approximate matches in files, specifying the number of variations that can occur. If you were given a file with several variations of the string “the”:

$ cat input.txt

teh
the
tte
thw

You could locate each string by running agrep with the string you want to look for and a variation of 1:

$ agrep -1 the input.txt

teh
the
tte
thw
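Why all four lines match with one allowed variation, shown as an added Python example (not agrep's own code, which uses a different algorithm): a line matches when some substring of it is within the allowed number of insertions, deletions or substitutions of the pattern. The function names and the extra non-matching line "cat" are assumptions for illustration.

```python
def min_errors(pattern, text):
    """Smallest edit distance between pattern and any substring of text."""
    # col[i] = fewest edits turning pattern[:i] into a substring that ends
    # at the current position of text.
    col = list(range(len(pattern) + 1))
    best = col[-1]
    for ch in text:
        new = [0]  # the matched substring may start at any position
        for i, pc in enumerate(pattern, 1):
            new.append(min(col[i - 1] + (pc != ch),  # match or substitution
                           col[i] + 1,               # extra character in text
                           new[i - 1] + 1))          # pattern character missing
        col = new
        best = min(best, col[-1])
    return best

def approx_grep(pattern, lines, max_errors):
    """Return the lines containing pattern with at most max_errors edits."""
    return [ln for ln in lines if min_errors(pattern, ln) <= max_errors]

if __name__ == "__main__":
    # Constructed input: the four lines from input.txt plus one non-match.
    sample = ["teh", "the", "tte", "thw", "cat"]
    for k in (0, 1):
        print(k, approx_grep("the", sample, k))
```

"teh" counts as one error rather than two because its substring "te" is "the" with a single character removed.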

This is a useful utility and one I hope my fellow SysAdmins enjoy. Hope everyone had a merry Christmas!

Making sense of the various routing / firewall solutions that are available

This article was posted by Matty on 2010-12-13 14:43:00 -0400

I am currently running dd-wrt at home. Dd-wrt works pretty well, but I recently started to do some digging to see what other routing / firewall solutions existed. There are a bunch of routing / firewall gateway solutions available, and each one provides a unique experience. Some run on Linux, some on OpenBSD, and others on Linux. Most of the solutions have a GUI of some sort to assist with configuring the device, but one or two require you to use the good old CLI. A number of solutions provide pretty visuals to review traffic and connectivity information, while others require you to use character-based tools to see what is up with your router. Of the various solutions I’ve looked at, the following ones stood out:

There are additional solutions out there, and I suspect the decision on which one to use really comes down to how customizable you need it to be and more importantly how much time do you want to devote to installing and maintaining it. There are also questions like do you want to dedicate a PC to routing and firewalling your networks? Will a cheap $50 router from Fry’s be able to handle your traffic? Maybe you want to fine tune everything about your firewall so rolling your own installation with OpenBSD or Linux is the only solution. I’ve been extremely content with dd-wrt, and about the only thing I could see myself doing is upgrading to a newer router that has a faster CPU, more memory and 802.11N. What routing / firewalling solution do you use? Any other quality firewall / routing gateways you would add to this list?

Locating the SSH key type and key size from a public key file

This article was posted by Matty on 2010-12-13 12:01:00 -0400

One of my friends sent me an e-mail earlier this week inquiring about SSH keys. Specifically, he wanted to know how he could determine the type of key and the key size in a public key file. All OpenSSH implementations ship with the ssh-keygen utility, which has a “-l” option that can be used to print the type of key, the size of the key and the key’s fingerprint:

$ ssh-keygen -l -f id_dsa.pub

1024 a1:89:c8:19:a0:1a:d7:37:fa:5d:22:24:97:d7:6e:3d id_dsa.pub (DSA)

I needed to summarize all of the keys on some systems I managed a few years back, and found a new friend in ssh-keygen.
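Where the three values in that output come from, as an added Python example (not ssh-keygen's code and not from the original post): the base64 field of a public key line decodes to length-prefixed fields, the key size is the bit length of the RSA modulus or DSA prime, and the old-style fingerprint is the MD5 of the decoded blob. The sample lines are constructed from made-up integers and are not usable keys; only ssh-rsa and ssh-dss are handled.

```python
import base64
import hashlib
import struct

def _string(data):
    # SSH wire "string": 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

def _mpint(value):
    # Positive mpint: big-endian with room for a leading zero sign bit.
    return _string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def _read_string(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def describe_public_key(line):
    """Return (bits, md5_fingerprint, key_type) for one public key line."""
    label, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    name, off = _read_string(blob, 0)
    key_type = name.decode("ascii")
    if key_type != label:
        raise ValueError("type label does not match the key blob")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)       # public exponent e
        sized, off = _read_string(blob, off)    # modulus n sets the key size
    elif key_type == "ssh-dss":
        sized, off = _read_string(blob, off)    # prime p sets the key size
    else:
        raise ValueError("unsupported key type: " + key_type)
    bits = int.from_bytes(sized, "big").bit_length()
    digest = hashlib.md5(blob).hexdigest()      # legacy colon-separated format
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    return bits, fingerprint, key_type

def sample_line(key_type, *numbers):
    # Constructed blob with made-up integers: right layout, not a usable key.
    blob = _string(key_type.encode()) + b"".join(_mpint(n) for n in numbers)
    return key_type + " " + base64.b64encode(blob).decode() + " constructed@example"

RSA_SAMPLE = sample_line("ssh-rsa", 65537, (1 << 2047) | 1)
DSA_SAMPLE = sample_line("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3)
```

Current OpenSSH releases print SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f <file>` produces the colon-separated form shown above.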

How I am going to avoid getting stranded when my car has a dead battery or flat tire

This article was posted by Matty on 2010-11-16 18:12:00 -0400

Having lived in a big city for the past 10 years of my life, I’ve encountered a number of unpleasant things when I’ve been out and about. A few weeks back I hit one of the most frustrating ones of my life when a nail punctured one of my tires while I was running errands. This shouldn’t have been an issue, but alas my spare tire was on the low side and I didn’t feel comfortable driving with it. With no gas stations in sight the feeling of “oh crap” came over me.

After spending 30 minutes on the phone with my insurance company, the agent told me that my insurance policy included roadside assistance. Thank goodness! They showed up an hour later and filled my spare and changed out my flat. After thanking the assistance guy 50 times, I proceeded to head to an automotive shop to get my flat tire patched.

This experience got me thinking about ways to prevent this in the future, and after doing a bit of research I came across the Wagan 400-Watt Power Dome EX jumpstarter with built-in air compressor. This nifty little device comes with a number of useful features:

I tested out the radio, light and air compressor after my unit arrived from Amazon, and they all worked as advertised. This past week one of my co-workers had a dead battery in her car, so I got to verify the jumpstarting feature worked. Jumpstarting her car worked flawlessly, and I have since stashed my Power Dome EX in the trunk of my vehicle.

This crappy experience has taught me a couple of valuable lessons. Cars are just like servers. They fail when you don’t want them to, and sometimes the easiest problems become the most difficult ones to solve. I’m planning to pick up a few more gadgets for my car to avoid getting into a similar situation in the future! If you keep anything in your vehicle to help out with emergencies, please let me know! I’d like to be better prepared for future events.