OpenSUSE Linux Rants

Stolen From Here

Reset Forgotten MySQL Root Password

Have you ever forgotten the root password on one of your MySQL servers? No? Well maybe I’m not as perfect as you. This is a quick h00tow (how to) reset your MySQL root password. It does require root access on your server. If you have forgotten that password wait for another article. Original article posted on reset mysql root password.

First things first. Log in as root and stop the mysql daemon. Now lets start up the mysql daemon and skip the grant tables which store the passwords.

mysqld_safe –skip-grant-tables

You should see mysqld start up successfully. If not, well you have bigger issues. Now you should be able to connect to mysql without a password.

mysql –user=root mysql

update user set Password=PASSWORD(’new-password’) where user=’root’;
flush privileges;
exit;

Now kill your running mysqld, then restart it normally. You should be good to go. Try not to forget your password again.

Did you like this? If so, please bookmark it, about it, and subscribe to the blog RSS feed.

Originally written Jun 2, 2008, and updated on May 21, 2009

At some point or another, you’ll likely end up needing an SSL certificate for a Web site somewhere along the line. For a commercial site, your hosting provider can or will help you get this all squared away. This article is not for people in that situation.

What we’re doing here will be to create our own Certificate Authority. Then, we’ll create our own server key and a signing request. Then, we’ll sign our own certificate using the key and certificate from our own Certificate Authority. In other words, we’re not just going to create an SSL certificate, but we’re going to sign that bad boy, too.

This is useful for personal websites that need a little security, or when you’re waiting for your real cert from a real Certificate Authority. Perhaps you need it for transmitting data from an external server to your Intranet. Or perhaps you need it in any of the three hundred thousand seven hundred forty-two other situations that may arise.

The first thing that you’ll need is root access to the server. SSH in and head somewhere secure like /root.

Next, we’ll go ahead and generate our own Certificate Authority key. In this step, we are impersonating someone like Verisign or Thawte. Well, not impersonating, but we are going to do the same thing for ourselves that they would normally do.

To create our key, we’ll run this command:

openssl genrsa -des3 -out ca.key 4096

When we do that, it looks something like this:

[1257][root@mail:~/cert]$ openssl genrsa -des3 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
...............................................................................................................................++
.................................................++
e is 65537 (0x10001)
Enter pass phrase for ca.key: [enter a pass phrase here for the CA key]
Verifying - Enter pass phrase for ca.key: [verify the same pass phrase here]
[1258][root@mail:~/cert]$ 

Note that those pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later.

Next, we’ll need to use that key to create a certificate. Before we do this, the information that you will enter here is NOT the information you will enter later for your own server. Remember, we are emulating a Certificate Authority here. When we generate our server certificate, we will put in the real information which must differ from what is here. With that, let’s whip out the certificate. Notice that we are making it good for 3650 days, or 10 years. Adjust to your taste. So let’s make the cert, now. This is done with the following command:

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

And doing this may resemble something like this:

[1306][root@mail:~/cert]$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key: [enter the CA pass phrase from above here]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:WA
Locality Name (eg, city) []:Redmond
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Microsoft Corporation
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.microsoft.com
Email Address []:bill.gates@microsoft.com
[1307][root@mail:~/cert]$ 

Next up on the list is to create a key that corresponds to our server. The first one we made was for the Certificate Authority. This one will be generated by and for our own server. We will do that with this command:

openssl genrsa -des3 -out server.key 4096

The output should look familiar:

[1310][root@mail:~/cert]$ openssl genrsa -des3 -out server.key 4096
Generating RSA private key, 4096 bit long modulus
................................++
....++
e is 65537 (0x10001)
Enter pass phrase for server.key: [enter a pass phrase here for our server key]
Verifying - Enter pass phrase for server.key: [verify the same pass phrase here]
[1313][root@mail:~/cert]$ 

Again, those pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later.

Now… let’s see… oh yeah. Now, we have to create a signing request, or CSR, from the server key we just made. This signing request will usually make a trip to a genuine Certificate Authority to have the key signed and a real, verified, bonafide signed certificate returned back to us. So, to generate our signed certificate, we’ll need to first have a signing request so we can make the signed cert. See how that works?

To create the CSR, we do this:

openssl req -new -key server.key -out server.csr

Now remember, kids. This is the part where we do put in our actual real information because the server does in fact belong to us. Put in the real domain where it says “Common Name (eg, YOUR name) []:”. Fill out everything correctly. And so we do:

[1313][root@mail:~/cert]$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: [enter the pass phrase here for our server key from above]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:UT
Locality Name (eg, city) []:Eagle Mountain
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Suse Blog
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.suseblog.com
Email Address []:my-address@suseblog.com [put in your real email address here]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[1323][root@mail:~/cert]$ 

Now, we are going to take all these files and make them do some voodoo. We are going to sign the signing request using the Certificate Authority certificate and key that we made at the beginning. What we will get is our perfectly forged signed certificate. OK, not perfectly, because we are not a real CA. But we’ll get a pretty darn good signed cert that will work for us rather nicely.

The command we’re going to run looks like this:

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

And when we run it, we see something hopefully resembling this:

[1326][root@mail:~/cert]$ openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signature ok
subject=/C=US/ST=UT/L=Eagle Mountain/O=Suse Blog/CN=www.suseblog.com/emailAddress=my-address@suseblog.com
Getting CA Private Key
Enter pass phrase for ca.key: [enter the CA pass phrase from above here]
[1332][root@mail:~/cert]$ 

Now, we have a little problem. Our server.key file will cause apache2 to prompt us for a password every time it starts. We need to fix it so that doesn’t happen. We’ll do that with these three commands:

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

When we run these commands, here’s our output:

[1354][root@mail:~/cert]$ openssl rsa -in server.key -out server.key.insecure
Enter pass phrase for server.key: [enter the pass phrase here for our server key from above]
writing RSA key
[1354][root@mail:~/cert]$ mv server.key server.key.secure
[1354][root@mail:~/cert]$ mv server.key.insecure server.key
[1354][root@mail:~/cert]$

At this stage, you should now have a bunch of files. These, in fact:

[1354][root@mail:~/cert]$ ll
total 32
drwxr-xr-x  2 root root 4096 2008-06-02 13:54 .
drwx------ 10 root root 4096 2008-06-02 13:35 ..
-rw-r--r--  1 root root 2529 2008-06-02 13:07 ca.crt [CA certificate]
-rw-r--r--  1 root root 3311 2008-06-02 12:58 ca.key [CA key]
-rw-r--r--  1 root root 2049 2008-06-02 13:32 server.crt [our server certificate]
-rw-r--r--  1 root root 1748 2008-06-02 13:23 server.csr [our server signing request]
-rw-r--r--  1 root root 3243 2008-06-02 13:54 server.key [our password-less server key]
-rw-r--r--  1 root root 3311 2008-06-02 13:13 server.key.secure [our passworded server key]
[1355][root@mail:~/cert]$

Just having them doesn’t get us anywhere, so let’s get them installed. First, we are going to change some permissions, because we don’t want just anyone having access to these files. To apply the appropriate permissions, run this:

chmod 0600 server.key.secure server.key server.csr server.crt

Now, here’s where things depend on the distribution that you are using. I will describe what I am doing so that if you are not on OpenSUSE, you will still be able to get this working.

In OpenSUSE, the apache2 config directory is located at /etc/apache2. Underneath that, there are a handful of directories. The three we care about are /etc/apache2/ssl.crt, /etc/apache2/ssl.csr, and /etc/apache2/ssl.key. The server.crt needs to be moved to /etc/apache2/ssl.crt. The server.csr file needs to be moved to /etc/apache2/ssl.csr. And the server.key file needs to be moved to /etc/apache2/ssl.key:

[1348][root@mail:~/cert]$ mv server.key /etc/apache2/ssl.key/server.key
[1349][root@mail:~/cert]$ mv server.crt /etc/apache2/ssl.crt/server.crt
[1349][root@mail:~/cert]$ mv server.csr /etc/apache2/ssl.csr/server.csr
[1349][root@mail:~/cert]$

Yep, pretty complex stuff, moving files.

Now, we need to make a handful more edits to some files, and we’re just about there.

First thing is to edit /etc/sysconfig/apache2. Search through that file for the directive called APACHE_MODULES. Make sure you see ’ssl’ in there. If not, add it. Then, search through the file and find APACHE_SERVER_FLAGS. Make sure it has ‘SSL’ in it. If not, add it. Save and close the file.

You can also manage apache’s modules with the ‘a2enmod’ command. To view the list of loaded modules, run ‘a2enmod -l’.

Next, open up the config file that tells apache2 which ports to listen on. In OpenSUSE, this file is /etc/apache2/listen.conf. Rip that bad boy open. You will see the following line:

Listen 80

Add a new line for port 443, our HTTPS port, so that it looks like this:

Listen 80
Listen 443

Then, look for the following line:

NameVirtualHost *:80

Add a new line for port 443, our HTTPS port, so that it looks like this:

NameVirtualHost *:80
NameVirtualHost *:443

Save and quit.

In OpenSUSE, it’s really easy to have virtual hosts on a machine. I have like 10 on mine. One of them is my blog, www.suseblog.com. Well, to make this easy, in OpenSUSE, the virtual domain configuration files are located in /etc/apache2/vhosts.d, each with their own name. My www.suseblog.com configuration file is called suseblog.conf. To set up SSL for this virtual host, just duplicate the file and give it another name. In my case, I named it ssl-suseblog.conf.

Now, we’re going to open up that file and add like 4 lines to it. No sweat.

At the top of the file, there is a line that looks like this:

<VirtualHost *:80>

Change the port from 80 to 443, so it looks like this:

<VirtualHost *:443>

Then, go down a ways and add these lines:

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

Save and quit on that one, too.

We can configure this thing perfectly, but if the firewall doesn’t know to let traffic through, we will not have HTTPS access to the server. Let’s check the firewall really quick to make sure.

Fire up YAST. Go to the Security & Users option on the right, and select FIREWALL from the left. If you do not have a firewall running on the machine, you can just exit now. If you do, you will need to go to ALLOWED SERVICES. In the SERVICES TO ALLOW drop-down on the right, select HTTPS Server. Then click ADD. Then click NEXT, and finally FINISH. You should now have port 443 opened for HTTPS business.

Now, let’s go ahead and restart apache and enjoy our new self-signed self-generated SSL cert on our HTTPS service:

[1426][root@mail:/etc/apache2]$ /etc/init.d/apache2 restart
Syntax OK
Shutting down httpd2 (waiting for all children to terminate)          done
Starting httpd2 (prefork)                                             done
[1427][root@mail:/etc/apache2]$ 

Well, we’ve concluded. Enjoy.

More info on the mod_ssl page

Did you like this? If so, please bookmark it, about it, and subscribe to the blog RSS feed.

First, the stick should be in, but not mounted. If it is mounted, find the partition represented by your usb stick, as such:

[0959][scott@laptop:~]$ mount
/dev/sda2 on / type ext3 (rw,acl,user_xattr)
/proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
debugfs on /sys/kernel/debug type debugfs (rw)
udev on /dev type tmpfs (rw)
devpts on /dev/pts type devpts (rw,mode=0620,gid=5)
/dev/sda1 on /windows/C type fuseblk (rw,allow_other,blksize=4096)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
gvfs-fuse-daemon on /home/scott/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=scott)
/dev/sdc1 on /media/disk-1 type vfat (rw,nosuid,nodev,shortname=winnt,uid=1000)
/dev/sdb1 on /media/disk-2 type fuseblk (rw,nosuid,nodev,allow_other,default_permissions,blksize=1024)
[0959][scott@laptop:~]$

It will likely be a /dev/sdxx type device. In this case, the one I’m looking for is sdb1.

We need to unmount it as root (’su’):

laptop:/home/scott # umount /dev/sdb1
laptop:/home/scott #

Now, fdisk the usb stick, and not the partition. In other words, leave off the trailing digit:

laptop:/home/scott # fdisk /dev/sdb

Command (m for help):

Press ‘p’ to view the partitions on the drive. Delete all partitions. Create a new one with ‘n’. It will be a primary partition, and it will be partition 1. Now, we need to set the filesystem type. Press ‘t’, and then if you’d like to see all the filesystem types, press ‘L’, but I’ll just tell you that NTFS is 7. Press ‘7′, and then ‘w’ to write the partition table, and exit:

Command (m for help): p

Disk /dev/sdb: 1027 MB, 1027604480 bytes
64 heads, 32 sectors/track, 980 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes
Disk identifier: 0x610fbfb2

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1         980     1003504    c  W95 FAT32 (LBA)

Command (m for help): d
Selected partition 1

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-980, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-980, default 980):
Using default value 980

Command (m for help): t
Selected partition 1
Hex code (type L to list codes): 7
Changed system type of partition 1 to 7 (HPFS/NTFS)

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
laptop:/home/scott #

Now, we need to actually format the new partition. Include the partition number at the end. It should be 1. You will do this as root (’su’), like so:

laptop:/home/scott # mkntfs /dev/sdb1
Cluster size has been automatically set to 1024 bytes.
Initializing device with zeroes: 100% - Done.
Creating NTFS volume structures.
mkntfs completed successfully. Have a nice day.
laptop:/home/scott #

K, well, there you are. Mount it up any way you see fit, and you are all set.

Did you like this? If so, please bookmark it, about it, and subscribe to the blog RSS feed.

Recently, Andrew wrote me an email, which I shall pass on for the benefit of all:

Hi Scott
I started off writing a serious email, but your “why Santa Can’t Exist” converted me to tears of laughter, the story above it soon gave me a reality check, poor girl.

I was before I was interrupted with humour reading your blog posts on Linux, and was very impressed with the informative way that you write. We create video based tutorials and over the last 18 months we have been turning more of our resources to covering Linux based subjects. We have also been converting our videos to play in Flash as well as QuickTime, so Linux users don’t have to mess around installing 3rd party apps and invoke all kinds of trickery just to watch a simple training video.

I was wondering if you would consider offering some of our links to your visitors, I have listed the tutorials below that may be of interest:-

http://www.computer-training-software.com/opensuse.htm
http://www.computer-training-software.com/ubuntu-linux.htm
http://www.computer-training-software.com/ubuntu-server.htm
http://www.computer-training-software.com/ubuntu-certification.htm
http://www.computer-training-software.com/linux-security.htm
http://www.computer-training-software.com/lpi.htm
http://www.computer-training-software.com/lpic-2.htm
http://www.computer-training-software.com/linux.htm

Thanks, Andrew.

Did you like this? If so, please bookmark it, about it, and subscribe to the blog RSS feed.

Did you like this? If so, please bookmark it, about it, and subscribe to the blog RSS feed.

Did you like this? If so, please bookmark it, about it, and subscribe to the blog RSS feed.

Did you like this? If so, please bookmark it, about it, and subscribe to the blog RSS feed.

Did you like this? If so, please bookmark it, about it, and subscribe to the blog RSS feed.

So the boss wants me to learn Ruby on Rails. As a sidenote, right now I’m running OpenSUSE 11.0.

I’d like to use a great IDE so that I can get going quickly. So I have to learn the IDE and the language.

Which IDE to use? Well, I thought since Eclipse is an IDE platform, that I could do PHP and Ruby on it.

I spent the next few days learning how to install Eclipse so that it would work with Ruby on Rails.

Here’s where I stand:

First, install libmysqlclient-devel, because you’ll need to compile the mysql gem for Ruby. Then, install ruby (1.8.6 patchlevel 114 worked best for me), and make sure gcc is installed so you can compile gems when necessary.

When you’re done with this step, check to see what version of ruby you have, and make sure it’s 1.8.6:

$ ruby -v
ruby 1.8.6 (2008-03-03 patchlevel 114)

Next, install eclipse. I found version 3.4 from the OpenSUSE BuildService. Version 3.3 is available for OpenSUSE 10.3.

While that is installing, install rubygems 1.3.1. Again, this version for OpenSUSE 11.0 was only available on the BuildService.

Then, you’ll need to update your gem repository, and then install a handful of gems:

$ gem sources -u
$ gem install rails
$ rails -v
Rails 2.2.2
$gem install mysql cgi_multipart_eof_fix ruby-prof linecache ruby-debug-ide ruby-debug-base mongrel gem_plugin
$ gem update // gets the latest versions of installed gems

When eclipse is done installing, follow the instructions in the “Plugging Aptana into an existing Eclipse configuration” article.

It will prompt you for lots of updates, just go ahead and do them all. Once in awhile, I’ve had it crash, so I just start the article over from the beginning.

Finally, run eclipse, go to the MyAptana view, click on the Plugins icon. You’ll see a list of available plugins. One is PHP, and one is Aptana Radrails. Click on “Get it”. You’ll go through a similar installation process to install that plugin.

Again, if there are any updates, go ahead and do them.

Now, that is how far I’ve gotten, and I’ve even been able to do a tutorial or two with that setup. For all the ruby experts out there who are running it on Linux, what IDE do you use? If you use Eclipse w/RadRails, do you have any further suggestions? If you don’t use Eclipse, why? And if you don’t use Eclipse, what tutorials exist that teach one how to use your preferred IDE with Ruby on Rails?

Did you like this? If so, please bookmark it, about it, and subscribe to the blog RSS feed.

I have updated the ’sup’ bash script so that you can see some useful stats about your Linux box at a glance. Here is some output:

  User:         scott (uid:1000)
  Groups:       users dialout video
  Working dir:  /home/scott
  Home dir:     /home/scott
  Hostname:     suse-linux
  IP (lo):      127.0.0.1/8
  IP (lo):      127.0.0.2/8
  IP (eth0):    192.168.12.144/24
  Gateway:      192.168.12.2
  Name Server:  192.168.12.1
  Date:         Wed Jan 21 09:38:57 MST 2009
  Uptime:        9:38am  up 15 days 23:36,  6 users,  load average: 0.22, 0.22, 0.24
  Kernel:       Linux suse-linux 2.6.25.18-0.2-pae #1 SMP 2008-10-21 16:30:26 +0200 i686 i686 i386 GNU/Linux
  Memory:       Total: 2016Mb   Used: 972Mb     Free: 1044Mb
  Swap:         Total: 4102Mb   Used: 150Mb     Free: 3952Mb
  Architecture: i686
  Processor:    0 : Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz
  Processor:    1 : Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz

I’ve added the processor info and gateway and nameserver info. I’ve commented out some other stuff that will give you your sound card info, video card info, and basically everything you can get with “lspci -v”. That would be why it’s commented out. Anyway, take a look at the new version:

Linux ’sup’ bash script

Did you like this? If so, please bookmark it, about it, and subscribe to the blog RSS feed.