Scenario I

Backup directory /mnt/one from server pris to client directory /home/user/two on client deckard by initiating the the copy from the client deckard. (i.e. send files from the server to the client)

• create ssh keys using ssh-keygen

  
[user@deckard ~]$ cd .ssh
[user@deckard .ssh]$ ssh-keygen -t dsa -f deckard
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in deckard.
Your public key has been saved in deckard.pub.
The key fingerprint is:
17:f4:69:30:6c:67:5a:73:2e:6f:ba:4b:8b:94:2a:f9 user@deckard.example.com
The key's randomart image is:
+--[ DSA 1024]----+
|         .+      |
|         .o+=..  |
|         ..=++   |
|          .o. .  |
|        S .  o   |
|         . .  o  |
|       .  o .o   |
|      o  o o..   |
|       oE . +o   |
+-----------------+
 


• create a new user for the sync operation and copy the public key you just created to pris

  
[root@pris ~]# useradd deckardsync
[root@pris ~]# su - deckardsync
[deckardsync@pris ~]$ mkdir .ssh
[deckardsync@pris ~]$ cd .ssh
[deckardsync@pris .ssh]$ scp user@deckard:.ssh/deckard.pub authorized_keys
deckard.pub                              100% 1194     1.2KB/s   00:00


• make the /mnt/one directory accessible to deckardsync (or ideally owned by this user)

  
[root@pris ~]# chown deckardsync /mnt/one


• edit authorized_keys and add the commands for rsync into the key

  
command="rsync --server  --sender -vlogDtprCz . /mnt/one/" ssh-dss AAAAB3NzaC1kc3MAAACBANbyPA4Vkem1tXrBcmkc9+SHeBrgHKbeBdS2MZKMBT/CsPWPSwMFQGg3GzX2KFrIVlZW/+OfkFcrZabMxtLb4CfvFgZsK18hcyYWZobhtpzqfsoolVnWbHdcmxFqyUq9fIK5iPA2UnvLoLRCDuklQNZ+V8o7fiCiPzXw5sqw3weRAAAAFQDKbAINhyt3OzJhP680PqrA9vHNFwAAAIB0mmnu9rfUKnSAH8UV068H28NEaNuIvSzQchvsPpBZmLpN/yr0mUbWdUJtVfFO72fbhQW+gQmEydCoPgehAGCx0g5jcs+0J7nhDlCqCqYAluD/79jJvEr7Tc33u0QTJSEX9My5X6OVtKByGfGPIyeLdhdsM2s70xbXKpfV4j8KpgAAAIEAnbxqsdbxpZ/vKZMJCW4TuHzOk76By5HHHHRb6XIUTsImQmoHrH1T2ioVil6eNp+V02hbYzbs8OuMqj6ne3gLzIyPqIP1OHuusisrLKgtWTC74lZnZ48d9QCyUHI48yZyoISs0HvEvC08LHYqsq1z1ntCHAde4iszE2TAMsYBat4= user@deckard.example.com


  Note: there are no line breaks in the above key… the file has only one line.
• copy something into /mnt/one on pris

  
[root@pris ~]# cd /mnt/one
[root@pris one]# cp -a /usr/share/doc/rsync-2.6.8 .


• start rsync on deckard using the ssh key

  
[user@deckard .ssh]$ rsync -e 'ssh -i deckard -l deckardsync' -Cavz pris:/mnt/one /home/user/two/
receiving file list ... done
./
rsync-2.6.8/
rsync-2.6.8/COPYING
rsync-2.6.8/README
rsync-2.6.8/tech_report.tex
 
sent 98 bytes  received 14416 bytes  29028.00 bytes/sec
total size is 36507  speedup is 2.52
[user@deckard .ssh]$ ls ~/two
rsync-2.6.8


Scenario II

Backup directory /home/user/two from client deckard to server directory /mnt/three on server pris

The steps involved here are essentially the same with only one small change in the authorized_keys, drop the —sender option to rsync (since pris is no longer the sender)

• create new ssh key for the transfer in this direction.

  
[user@deckard .ssh]$ ssh-keygen -t dsa -f pris
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in pris.
Your public key has been saved in pris.pub.
The key fingerprint is:
75:67:7a:ca:2f:b2:11:f4:83:50:27:07:50:0b:55:a3 user@deckard.math.ias.edu
The key's randomart image is:
+--[ DSA 1024]----+
|        o+*o=    |
|         o * .   |
|        . E . o  |
|         + + +   |
|        S o + .  |
|           o +   |
|          . o    |
|          ....   |
|          .o ..  |
+-----------------+


• copy the key to pris and append it to authorized_keys

  
[root@pris .ssh]# scp user@deckard:.ssh/pris.pub .
user@deckard's password:
pris.pub                                      100%  617     0.6KB/s   00:00    
[root@pris .ssh]# echo -n 'command="rsync --server -vlogDtprCz . /mnt/three" ' >>authorized_keys
[root@pris .ssh]# cat pris.pub >>authorized_keys


• initiate the transfer from deckard, this time acting as the sender not the receiver (flip sender for receiver)

  
[user@deckard .ssh]$ rsync -e 'ssh -i pris -l deckardsync' -Cavz /home/user/two/ pris:/mnt/three
building file list ... done
./
rsync-2.6.8/
rsync-2.6.8/COPYING
rsync-2.6.8/README
rsync-2.6.8/tech_report.tex
 
sent 14422 bytes  received 98 bytes  29040.00 bytes/sec
total size is 36507  speedup is 2.51


Now you just need to put that rsync line in a cronjob and you’ll have automatic syncing. (if you do, remember to use the full path for the ssh-keys you generated). The nice thing here is that if the key should be discovered, the only thing the attacker can do is run rsync.

We had a problem where new clients couldn’t get their keys signed properly by the puppetmaster. Both the client and the server were in perfect sync with our ntp server. date on both machines returned the expected results. We are running mongrel so I went down the wrong path of thinking apache was to blame for the time problem. It wasn’t until I started going through the certificate_factory stuff that I found the problem. Read the rest of this entry »

using fedora-ds/redhat-ds it creates cert8.db and key3.db to store the certs. I wanted to extract the private key as PEM so I could import it elsewhere. Read the rest of this entry »

Was getting this error on our puppetmaster that only had a few clients. Read the rest of this entry »

We had a machine that would keep coming up with devXXXXX where XXXXX is a seemingly random number. Read the rest of this entry »

This is my first android phone, so I thought I’d share my experience of rooting the phone. All credit to Zinx Verituse over on Alldroid.org

Note: I just updated to the update released December 10th for the droid and was able to reapply the update.zip.

The instructions are here

• Download this file and rename it update.zip on the sdcard.
• turn off the phone
• turn on the phone holding down the x key on the keyboard
• When you see the Motorola symbol, press Vol+ and Camera buttons together.
• An onscreen menu will appear, use the d-pad to navigate to update.zip and type return to apply
• After the phone reboots, Go to Settings -> Applications -> Development and enable USB Debugging
• Connect the droid to your desktop, download the sdk
• unpack the sdk and navigate to tools directory
• as root/administrator run adb start-server
• next run adb shell
• su to root /system/bin/su
• remount the root filesystem rw

  
# mount
rootfs / rootfs ro 0 0
tmpfs /dev tmpfs rw,mode=755 0 0
devpts /dev/pts devpts rw,mode=600 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
none /dev/cpuctl cgroup rw,cpu 0 0
/dev/block/mtdblock4 /system yaffs2 ro 0 0
/dev/block/mtdblock6 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/mtdblock5 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block/mtdblock0 /config yaffs2 ro 0 0
/dev/block//vold/179:1 /sdcard vfat rw,dirsync,nosuid,nodev,noexec,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
# mount -o remount -o rw -t yaffs2 /dev/block/mtdblock4 /system


  I don’t know if the device will always be the same (/dev/block/mtdblock4), best to check first.
• now make a copy of sh and call it su-something or replace su

  
# cd /system/bin
# cat sh > su
or
# cat sh >su-fake
# chmod 4775 su
or
# chmod 4775 su-fake
# exit


You now have either su or su-fake that you can run from terminal emulator on the phone and become root. To start using your new privileges, install busybox and symlink to it for all the tools that are missing…

After upgrading to 0.25, the following error occurs:

Could not retrieve catalog from remote server: Could not intern from pson: Could not convert from pson: Could not find relationship target ”

Read the rest of this entry »

The problem I was trying to fix here was that I had a package that required a much newer version of a library than the system had installed on it. I didn’t want to ruin the stability of the system by updating the library so I build it and placed it in a non standard location (harkening back to the solaris days I guess). If you can’t guess what the problem was, I called the library package qt4-vlc…hint hint. Read the rest of this entry »

I posted some additional material on building rpms in the appendix of the book. I cover how to build an example spec file from scratch. This is similar to what I did in my presentation, just with a lot more detail. I hope to expand this section to cover nested packages and kernel modules. Those sections are not done yet…read it here.

I’m still working with my own kvm implementation even though RedHat has released their own in RHEL 5.4, they are, however, at version 83, I’m on 88. I’d rather stay current since kvm is moving so fast that each new version fixes bugs and adds many new features. Read the rest of this entry »