Linux login control Linux/Unix tips from nixCraft

7 Powerful Firefox Password Managers [ Add-ons ]

last updated December 8, 2008 in GNU/Open source, Howto, Linux desktop, Linux login control, Mozilla, OS X, Security, Sys admin, Windows, windows vista

Choosing the password is only the first step; you have got to remember it. You can not remember 100s of password at a time. However, with the help of a password manager, you can organize passwords, host names, and PIN codes.

Like most of you, I love using Firefox and explaining the advantages of Firefox to others who use other browsers. Unlike other browsers, Firefox has huge list of excellent add-ons that will satisfy almost all of your requirements in using a browser. Following are the list of 7 powerful Firefox password related add-ons that will make your life in managing passwords very safe, secure and easy under Mac OS X, Linux / UNIX and Windows operating system.

pssh: Run Command On Multiple SSH Servers

last updated November 1, 2008 in Debian Linux, Download of the day, GNU/Open source, Howto, HP-UX, Linux, Linux distribution, Linux Log Management, Linux login control, Linux Scalability, Networking, OpenBSD, OS X, RedHat/Fedora Linux, Ubuntu Linux, UNIX

I’ve already written about tentakel tool and shell script hack to run a single command on multiple Linux / UNIX / BSD server. This is useful to save time and run UNIX commands on multiple machines. Linux.com has published an article about a new tool called pssh:

If you want to increase your productivity with SSH, you can try a tool that lets you run commands on more than one remote machine at the same time. Parallel ssh, Cluster SSH, and ClusterIt let you specify commands in a single terminal window and send them to a collection of remote machines where they can be executed.

Emergency Server Management With Intelligent Platform Management Interface (IPMI)

last updated May 7, 2008 in FreeBSD, Hardware, High performance computing, Howto, HP-UX, Linux, Linux login control, Networking, OpenBSD, UNIX

Intelligent Platform Management Interface (IPMI) is a hardware level interface specification that defines a common, abstracted, message-based interface to platform monitoring and control functions. Both IPMI and KVM over IP can be used in emergency situations.

How to: Install KDE 4 Desktop under Ubuntu Linux 7.10

last updated January 20, 2008 in Howto, Kde, Linux, Linux desktop, Linux laptop, Linux login control, Tip of the day, Tips, Ubuntu Linux

KDE 4 has been released. I’ve received couple of questions about installing KDE 4 under Ubuntu Linux 7.10. KDE 4 Packages are available for Ubuntu Linux version 7.10 (Gutsy) and from development Ubuntu Linux Hardy version. They install to /usr/lib/kde4 and can be installed alongside your existing KDE 3. However these packages are not compatible with KDE 4 beta packages. Following simple step will help you install KDE 4.

How do I install KDE 4 under Ubuntu Linux?

First you need to update Ubuntu package source file.

Warning examples may crash your computer

WARNING! These examples may crash your Desktop as KDE v4.0 packages are not 100% compatible with Ubuntu 7.10. Following instructions worked on my desktop but failed to work on Laptop. YMMV.

Step # 1: Update Source File

Open a terminal

Open /etc/apt/sources.list file using a text editor such as vi or gedit, enter:
$ sudo vi /etc/apt/sources.list
OR
$ sudo gedit /etc/apt/sources.list
Append following line:
deb http://ppa.launchpad.net/kubuntu-members-kde4/ubuntu gutsy main
Close and save the file. Type the following command to update package list:
$ sudo apt-get update

GUI tool to update software source

Alternatively, you can use GUI tool by visiting System > Administration > Software Sources > Third Party Software > Add > Enter url ‘deb http://ppa.launchpad.net/kubuntu-members-kde4/ubuntu gutsy main‘ > Add Source > Update > Close

(Fig. 01: Update Software Source for KDE 4)

Step # 2: Install KDE 4 desktop

To install kde 4, enter:
$ sudo apt-get install kde4-core
You’ll get a warning when installing kde 4, just force to install the same without verification:

WARNING: The following packages cannot be authenticated!
Install these packages without verification [y/N]? y

Output:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  dbus-x11 dolphin-kde4 kappfinder-kde4 kde-icons-oxygen kde4libs-bin kdebase-bin-kde4 kdebase-data-kde4 kdebase-kde4 kdebase-runtime
  kdebase-runtime-bin-kde4 kdebase-runtime-data kdebase-runtime-data-common kdebase-workspace kdebase-workspace-bin kdebase-workspace-data
  kdelibs5 kdelibs5-data kdepasswd-kde4 kdepimlibs-data kdepimlibs5 kfind-kde4 klipper-kde4 konqueror-kde4 konqueror-nsplugins-kde4
  konsole-kde4 ksysguard-kde4 ksysguardd-kde4 kwin-kde4 kwrite-kde4 libcapseo0 libcaptury0 libclucene0 libexiv2-0 libgpgme11 libkonq5
  libkonq5-templates libphonon4 libplasma1 libpth20 libqimageblitz4 libraptor1 librasqal0 librdf0 libsoprano4 libstreamanalyzer0
  libstreams0 libstrigiqtdbusclient0 systemsettings-kde4
Suggested packages:
  kdebase kde-i18n sword-frontend gpgsm
Recommended packages:
  exiv2 raptor-utils redland-utils
The following NEW packages will be installed:
  dbus-x11 dolphin-kde4 kappfinder-kde4 kde-icons-oxygen kde4-core kde4libs-bin kdebase-bin-kde4 kdebase-data-kde4 kdebase-kde4
  kdebase-runtime kdebase-runtime-bin-kde4 kdebase-runtime-data kdebase-runtime-data-common kdebase-workspace kdebase-workspace-bin
  kdebase-workspace-data kdelibs5 kdelibs5-data kdepasswd-kde4 kdepimlibs-data kdepimlibs5 kfind-kde4 klipper-kde4 konqueror-kde4
  konqueror-nsplugins-kde4 konsole-kde4 ksysguard-kde4 ksysguardd-kde4 kwin-kde4 kwrite-kde4 libcapseo0 libcaptury0 libclucene0 libexiv2-0
  libgpgme11 libkonq5 libkonq5-templates libphonon4 libplasma1 libpth20 libqimageblitz4 libraptor1 librasqal0 librdf0 libsoprano4
  libstreamanalyzer0 libstreams0 libstrigiqtdbusclient0 systemsettings-kde4
0 upgraded, 49 newly installed, 0 to remove and 2 not upgraded.
Need to get 105MB of archives.
After unpacking 204MB of additional disk space will be used.
Do you want to continue [Y/n]? y
WARNING: The following packages cannot be authenticated!
  libphonon4 libstreams0 libstreamanalyzer0 kdelibs5-data kde4libs-bin kdelibs5 libstrigiqtdbusclient0 libkonq5-templates libkonq5
  dolphin-kde4 kappfinder-kde4 kdebase-data-kde4 kdebase-bin-kde4 kdepasswd-kde4 kfind-kde4 konqueror-nsplugins-kde4 konqueror-kde4
  konsole-kde4 kwrite-kde4 kdebase-kde4 kdebase-workspace-data libplasma1 ksysguardd-kde4 ksysguard-kde4 kdebase-workspace-bin klipper-kde4
  kwin-kde4 systemsettings-kde4 kdebase-workspace kdepimlibs-data kdepimlibs5 kde4-core...
Install these packages without verification [y/N]? y
Get:1 http://ppa.launchpad.net gutsy/main libphonon4 4:4.0.0-0ubuntu2~gutsy1~ppa1 [164kB]
Get:2 http://archive.ubuntu.com gutsy-backports/universe kde-icons-oxygen 4:4.0.0-0ubuntu1~gutsy1 [45.4MB]
Get:3 http://in.archive.ubuntu.com gutsy/main dbus-x11 1.1.1-3ubuntu4 [34.8kB]
................
...
.........
Setting up systemsettings-kde4 (4:4.0.0-0ubuntu7~gutsy1~ppa1) ...

Setting up kdebase-workspace (4:4.0.0-0ubuntu7~gutsy1~ppa1) ...
Setting up kde4-core (3.3~gutsy1~ppa1) ...
Processing triggers for libc6 ...
ldconfig deferred processing now taking place

Note: It may take some time to install kde 4. You also need to disable compiz 3d desktop effect support.

References:

=> Kubuntu Project – Be Free with KDE 4.0

When a user logs in what files are updated in UNIX / Linux

last updated October 2, 2007 in Linux, Linux login control, RedHat/Fedora Linux, UNIX

One of our regular reader asks:

Iâ€™d like to discover information about who is currently using the system. When a user logs in what files are updated in UNIX / Linux?

Linux / UNIX have utmp and wtmp files to keep login records. Following three files keeps track of all logins and logouts to the system.

=> /var/run/utmp : List of current login sessions.
=> /var/log/wtmp : Database of past user logins / previous login sessions.
=> /var/log/lastlog : Last logins information about users

How do I access login records files?

These are a binary log files, and grows linearly at its end. So you cannot view records using cat or other text based utilities. The file <utmp.h> declares the structures used to record information about current users in the file. This can be accessed using C programs or other specialized utilities:

The utmp file is used and accessed by the following commands:
The wtmp file is used and accessed by the following command:
- last command to find system last reboot date and time
- ac command to keep a detailed audit trail of whatâ€™s being done on your Linux systems

Linux allow / restrict system logins to specific user groups only using pam_listfile PAM module

last updated September 13, 2007 in CentOS, Debian Linux, Gentoo Linux, Howto, Linux, Linux distribution, Linux login control, RedHat/Fedora Linux, Security, Sys admin, Tips, Ubuntu Linux

There are two ways to allow / restrict system login to specific user groups only. The simplest method is to use a PAM module called pam_listfile.so. Another option is to use login access control table. Locking down system login access is very important task if you need a secure system.

The system administrator is free to choose how individual service-providing applications will authenticate users. Many new admins not aware of PAM and related services. In this tip you are going to use authentication (auth) group, which authenticate a user and set up user credentials.

Deny or allow access to groups using PAM

pam_listfile is a PAM module which provides a way to deny or allow access to services based on an arbitrary file. Service can be any one of the following
=> su
=> sudo
=> ftp
=> Mail Service (MTA/POP3/IMAP)
=> SSH
=> Samba
=> Crond
=> Squid and many others

How do I setup pam_listfile PAM module for group based login?

Let us say you would like to allow login to only members of wheel (root user) and webdev groups.

Step # 1: Create /etc/login.group.allowed file

/etc/login.group.allowed filename contains one line per group listed. If the group name is found, then login is allowed; else authorization request denied:
# vi /etc/login.group.allowed
Add group names:
root wheel webdev
Save and close the file.

Step # 2: Allow group based login to all services

Open /etc/pam.d/system-auth file if you are using Redhat / RHEL / Fedora / CentOS Linux. If you are using Debian / Ubuntu Linux use /etc/pam.d/common-auth file:
# vi /etc/pam.d/system-auth
You must add the following config directive at the top of the file:
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
Where,

auth required pam_listfile.so : Pam module name required for allowing group based login
onerr=fail : What to do if something weird happens like being unable to open the file or busy disk I/O. In our case login is denied till weird problem is sorted out.
item=group : Check for group name
sense=allow : The authorization request to succeed if group name found in /etc/login.group.allowed file
file=/etc/login.group.allowed : Filename contains one line per group name listed. If the group name is found, then if sense=allow, PAM_SUCCESS is returned, causing the authorization request to succeed.

Caution: Please note that by adding above line you are forcing this configuraion on all login services including ssh, telnet, mail, su, sudo and all PAM aware services. If you need login restrictions for specific service modify specific service located in /etc/pam.d/service-name file.

Save and close the file. This will only allow users that belong to the root, wheel and webdev group to login to the system. You can apply above technique to:

User names
Shell
Tty names
Rhost / Ruser (remote login host / user id)

The config can be reversed to denied login to specific group name by modify the configuration file. This is left as exercise to our reader (hint type man pam_listfile).

Increase the maximum number of pseudo – terminals ~ PTY on Linux for remote Login session

last updated September 11, 2007 in CentOS, Debian Linux, Gentoo Linux, Howto, Linux, Linux login control, Networking, RedHat/Fedora Linux, Suse Linux, Sys admin, Tips, Troubleshooting, Tuning, Ubuntu Linux

Generally service such as ssh, screen, expect, telnet etc use pty (pseudo-terminals) in master â€“ slave mode for login and other purposes. If pty setting is too low many users will not able to login to system using ssh or other commands. In this tip I will explain how to increase the maximum number of pseudo-terminals.

pty man page defines pseudo-terminal as follows:

A pseudo-terminal is a pair of virtual character devices that provide a bidirectional communication channel. One end of the channel is called the master; the other end is called the slave. The slave end of the pseudo-terminal provides an interface that behaves exactly like a classical terminal. A process that expects to be connected to a terminal, can open the slave end of a pseudo-terminal and then be driven by a program that has opened the master end. Anything that is written on the master end is provided to the process on the slave end as though it was input typed on a terminal.

List the maximum number of Pseudo-terminals

Just run the following command to list / display the maximum number of Pseudo-terminals under Linux
$ cat /proc/sys/kernel/pty/max
Output:

Increase the maximum number of Pseudo-terminals (PTY)

If you have large Linux installation such as University or ISP login service you need to increase the PTYs to allow more login sessions. Open kernel configuration file – /etc/sysctl.conf:
# vi /etc/sysctl.conf
Append following config directive (support 5120 ptys)
kernel.pty.max = 5120
Save and close the file. Reload the changes:
# sysctl -p
Verify that the new maximum number of pseudo-terminals value is changed, enter:
$ cat /proc/sys/kernel/pty/max

Setup OpenLDAP authentication on Linux for OSX Client and sync / share home directory

last updated August 28, 2007 in Debian Linux, File system, Howto, Linux, Linux distribution, Linux login control, Networking, OS X, UNIX

Finally, someone spends time to work with a Linux server and OS X authentication issue:

OSX has what I would call an undocumented feature of the operating system- the portable home directory. Basically, it keeps a user’s home directory sync’d up between a network share and the local pc. If you are not on the network you work on the local home directory. Whenever you login on the network, the mirror agent running on the local pc synchronizes the two directories.

Full Stack: Portable Home Directory over NFS on OSX authenticated via OpenLDAP on Debian Linux

Download of the day: SSH Menu ~ Save and Open SSH Connections on a single mouse click

last updated August 20, 2007 in Download of the day, GNU/Open source, Howto, Linux, Linux login control, Networking, RedHat/Fedora Linux, Security, Sys admin, Tips

For last couple of years Iâ€™ve used my own shell script based solution to list and open ssh connections. Now I found a nice applet called SSHMenu:

The SSHMenu is a panel applet that makes all your regular SSH connections a single mouse click away. Each menu option will open an SSH session in a new terminal window. You can arrange groups of hosts with separator bars or sub-menus. You can even open all the connections on a submenu (in separate windows or tabs) with one click.

Overall I’m quite happy with SSHMenu, a must have tool for all admin, IMHO.

Features

a] SSHMenu allows you to add key so that you can run rest of the all session without a problem and password.
b] Every connection you make using using SSHMenu will use the terminal profile you’ve selected, to set the color scheme, terminal font and other settings.
c] You can open all connection at a time and much more…

(SSHMenu in action – click to enlarge)

Download SSHMenu

=> Visit official site here ( hat tip to carthik )

Linux configure point to point tunneling PPTP VPN client for Microsoft PPTP vpn server

last updated June 11, 2007 in FreeBSD, Howto, Linux, Linux distribution, Linux laptop, Linux login control, Networking, OpenBSD, RedHat/Fedora Linux, Security, Sys admin, Tips, Troubleshooting, Ubuntu Linux, Windows server

With this tip you will be able to work from home using VPN and that too from Linux / FreeBSD system for the proprietary Microsoft Point-to-Point vpn server.

Different organization uses different VPN connection options such as SSL, PPTP or IPSEC. When you need to access corporate network and its services, you need to login using VPN.

The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. It works on Data link layer (#2 layer) on TCP/IP model. Personally I prefer IPSEC. PPTP Client is a Linux, FreeBSD, NetBSD and OpenBSD client for the proprietary Microsoft Point-to-Point Tunneling Protocol, PPTP. Allows connection to a PPTP based Virtual Private Network (VPN) as used by employers and some cable and ADSL internet service providers.

But many originations use PPTP because it is easy to use and works with Windows, Mac OS X, Linux/*BSD and other handled devices.

Compatibility note

Iâ€™ve tested instructions and pptp on:
[a] CentOS / RHEL / Fedora Core Linux running 2.6.15+ kernel
[b] Ubuntu and Debian Linux running 2.6.15+ kernel
[c] FreeBSD etc

I’ve found that pptp client is 100% compatible with the following servers/products:
[a] Microsoft Windows VPN Server
[b] Linux PPTP Server
[c] Cisco PIX etc

How do I install PPTP client under Linux?

By default most distro installs PPTP client called PPTP-linux which is the client for the proprietary Microsoft Point-to-Point Tunneling. Use apt-get or yum command to install pptp client:
$ sudo apt-get install pptp-linux network-manager-pptp
Fedora Core user can install client using rpm command:
# rpm -Uvh http://pptpclient.sourceforge.net/yum/stable/fc6/pptp-release-current.noarch.rpm # yum --enablerepo=pptp-stable install pptpconfig

[a] network-manager-pptp or pptpconfig – A gui network management framework (PPTP plugin) for network-admin tool (frontend)
[b] pptp-linux – Point-to-Point Tunneling Protocol (PPTP) command line client

How do I configure client using command line (cli)?

You need to edit / create following configuration files

/etc/ppp/chap-secrets – Add your login name / password for authentication using CHAP. Pppd stores secrets for use in authentication in secrets files.
/etc/ppp/peers/myvpn-name – A dialup connection authenticated with PAP / CHAP configuration file. You need to add your dialup server name and other information in this file.

Sample configuration data

PPTP server name: pptp.vpn.nixcraft.com
VPN User Name : vivek
VPN Password: VpnPassword
Connection name: delhi-idc-01

Open /etc/ppp/chap-secrets file:
# vi /etc/ppp/chap-secrets
OR
$ sudo vi /etc/ppp/chap-secrets
Append line as follows:
vivek PPTP VpnPassword *

Save and close the file.

Create a connection file called /etc/ppp/peers/delhi-idc-01 (replace delhi-idc-01 with your connection name such as office or vpn):
# vi /etc/ppp/peers/delhi-idc-01
Append configuration data as follows:
pty "pptp pptp.vpn.nixcraft.com --nolaunchpppd" name vivek remotename PPTP require-mppe-128 file /etc/ppp/options.pptp ipparam delhi-idc-01

Close and save the file. Where,

pty “pptp pptp.vpn.nixcraft.com –nolaunchpppd”: Specifies that the command script is to be used to communicate rather than a specific terminal device. Pppd will allocate itself a pseudo-tty master/slave pair and use the slave as its terminal device. The script will be run in a child process with the pseudo-tty master as its standard input and output. An explicit device name may not be given if this option is used. (Note: if the record option is used in conjunction with the pty option, the child process will have pipes on its standard input and output.). In this case we are using pptp client to establishes the client side of a Virtual Private Network (VPN) using the Point-to-Point Tunneling Protocol (PPTP). pptp.vpn.nixcraft.com is my host name (or IP address) for the PPTP server. –nolaunchpppd option means do not launch pppd but use stdin as the network connection. Use this flag when including pptp as a pppd connection process using the pty option.
name vivek: VPN username
remotename PPTP: Set the assumed name of the remote system for authentication purposes to name. If you don’t know name ask to network administrator
require-mppe-128: Require the use of MPPE, with 128-bit encryption. You must encrypt traffic using encryption.
file /etc/ppp/options.pptp: Read and apply all pppd options from options.pptp file. Options used by PPP when a connection is made by a PPTP client.
ipparam delhi-idc-01 : Provides an extra parameter to the ip-up, ip-pre-up and ip-down scripts (optional).

Route traffic via ppp0

To route traffic via PPP0 interface add following route command to /etc/ppp/ip-up.d/route-traffic
# vi /etc/ppp/ip-up.d/route-traffic
Append following sample code (modify NET an IFACE as per your requirments):
#!/bin/bash NET="10.0.0.0/8" # set me IFACE="ppp0" # set me #IFACE=$1 route add -net ${NET} dev ${IFACE}
Save and close the file:
# chmod +x /etc/ppp/ip-up.d/route-traffic

Task: connect to PPTP server

Now you need to dial out to your office VPN server. This is the most common use of pppd. This can be done with a command such as:
# pppd call delhi-idc-01
If everything is went correctly you should be online and ppp0 should be up. Remote server will assign IP address and other routing information. Here is the message from my /var/log/messages file:
# tail -f /var/log/messages
Output:

Jun 11 23:38:00 vivek-desktop pppd[30088]: pppd 2.4.4 started by root, uid 0
Jun 11 23:38:00 vivek-desktop pppd[30088]: Using interface ppp0
Jun 11 23:38:00 vivek-desktop pppd[30088]: Connect: ppp0 <--> /dev/pts/4
Jun 11 23:38:03 vivek-desktop pppd[30088]: CHAP authentication succeeded
Jun 11 23:38:03 vivek-desktop kernel: [37415.524398] PPP MPPE Compression module registered
Jun 11 23:38:03 vivek-desktop pppd[30088]: MPPE 128-bit stateless compression enabled
Jun 11 23:38:05 vivek-desktop pppd[30088]: local  IP address 10.5.3.44
Jun 11 23:38:05 vivek-desktop pppd[30088]: remote IP address 10.0.5.18

Task: Disconnect PPTP server vpn connection

Simply kill pppd service, enter:
# killall pppd
OR
# kill {pppd-PID}

How do I configure PPTP client using GUI tools?

If you are using Debian / Ubuntu, just click on Network configuration Icon on taskbar > VPN Connection > Configure VPN > Add:

Click forward :

(click to enlarge)

Select PPTP tunnel > Forward:

(click to enlarge)
Enter Connection Name, VPN Server / Gateway hostname/IP address > Click on diffrent tabs to configure other parameters > Forward >

(click to enlarge)

Save and close the dialog box. To connect via VPN click on Network Icon > Select VPN Connection > Connection name (Mumbai VSNL IDC) > Enter your VPN username and password and click on Ok

If you are using Fedora core Linux, run pptpconfig as root and just follow on screen instructions:
# pptconfig &

Troubleshooting hints

If the connection fails, you might need to gather more information and try out following troubleshooting tips.

Q. I’m authenticated successfully but cannot route traffic..

A. Use route command to add route manually:
# ip route add {NETWORK} dev ppp0 # ip route add 10.0.0.0/8 dev ppp0
Or use route command:
# route add -net 10.0.0.0 netmask 255.0.0.0 dev ppp0

Q. I’m authenticated successfully, I can ping to remote gateway but cannot access host by name…

A. Setup correct DNS server names in /etc/resolv.conf file:
# cat /etc/resolv.conf
Output:
search nixcraft.com nameserver 10.0.6.1 nameserver 10.0.6.2 nameserver 208.67.222.222

Q. How do I open my local network (laptop, desktop and other system) to talk with any computer behind VPN server via this local Linux ppp0 interface (i.e. act this computer as router)…?

A. Append following two rules in your existing iptables rules to turn on routing (adjust IP address range as per your setup):
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT iptables --append FORWARD --in-interface eth0 -j ACCEPT

Q. Point-to-Point Encryption is not working and I’m not able to connect to remote PPTP server…

A. Make sure you are using 2.6.15 or above kernel. If you are using old kernel version upgrade to latest version and compile support for ppp_mppe kernel module. If you are using latest version, load driver using modprobe:
# modprobe ppp_mppe # pppd call myoffice

Note: You can always get more information by reading pptp diagnosis howto here.

A note to readers

As I said earlier I prefer to use open source solution such as OpenVPN or IPsec as they are more secure. The PPTP is not secure enough for some information security policies. Next time I will write about OpenVPN and IPsec.