OpenSUSE Linux Rants

OpenSUSE Linux Tips, tricks, how-tos, opinions, and news


November 9, 2009

Linux LiveCD Saves Windows Admin Jobs

by @ 1:53 am. Filed under Linux tips, security, sweet tools

Ophcrack Linux LiveCD

Ophcrack is the Linux LiveCD that you reach for when you forget your admin password on your Win32 (incl. XP and Vista) box.

From the Ophcrack Sourceforge page:

“Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman’s original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds.”

For all admins who use said proprietary OS, if you ever forget your admin password, this is one great way to recover it, and help you keep your job.

Please do not ever, ever, ever use tools like this for malicious purposes, because that’s just plain not very nice.

November 4, 2009

Pimping Linux with Gigolo

by @ 1:45 am. Filed under Linux tips, sweet tools

As many know, one of my BIGGEST gripes with Gnome and/or GTK-based apps is their inability to NATIVELY support remote filesystem access, like Konqueror does by default, and Kate does by default, and many of the other applications built for KDE do by default. As mentioned in a previous post:

“kio-slave – For anyone who doesn’t know what this does, it gives KDE the ability to interact with remote filesystems via FTP, SSH, etc. You can open up a remote filesystem, and drag and drop a text file right onto your Kate icon. Kate will open the file for you to edit it. When you are done editing, just click SAVE and close the file. KDE via kio-slave saves the file back to the remote filesystem (assuming you have the proper privileges). This is the one thing that has the supremest of importance to me. It is possible to have one Konqueror window open and have it split into 16 different panes, each pane connected to a different filesystem or directory, whether local or remote. If you have never done this, you have to try it some time. You can split Kate windows the same way. Before anyone says it, I realize that you can make other desktop environments do this, but KDE just does it right out of the box.”

Some may even remember when I posted a bit of a rant about this. I use remote filesystems ALL DAY LONG.

As I’m moving away from KDE and everything that ties me to it, the need arose to access remote filesystems very quickly in a windowing system. I realize ssh does this. With ssh, it takes about 12 seconds to log in and copy a file over, not to mention all the keystrokes. With Konqueror, I click the Konqueror Icon, press CTRL+SHIFT+L, and select the remote filesystem I want from my bookmarks and I’m there. All of 3 seconds and a tenth of the effort.

How to mimic the functionality I want?

One possibility is a little app called gigolo. Why the name? As the author says, “Because it mounts what it’s told to.”

For XFCE4 users, this little baby is pretty fun. It allows you to bookmark remote filesystems, autoconnect to them, and all sorts of great stuff, quite a bit like kio-slave does. Just a bit more cumbersome, but at least I get the functionality.

Experience is a great teacher, so add the repo and install gigolo:

[1207][root@suse-desktop:/home/scott]$ zypper addrepo "http://download.opensuse.org/repositories/X11:/xfce/openSUSE_11.1" XFCE4 ; zypper modifyrepo -r XFCE4 ; zypper in gigolo
Adding repository 'XFCE4' [done]
Repository 'XFCE4' successfully added
Enabled: Yes
Autorefresh: No
URI: http://download.opensuse.org/repositories/X11:/xfce/openSUSE_11.1

Autorefresh has been enabled for repository 'XFCE4'.
Retrieving repository 'XFCE4' metadata [done]
Building repository 'XFCE4' cache [done]
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  gigolo


Overall download size: 90.0 K. After the operation, additional 310.0 K will be used.
Continue? [YES/no]:
Retrieving package gigolo-0.3.2-1.1.i586 (1/1), 90.0 K (310.0 K unpacked)
Retrieving: gigolo-0.3.2-1.1.i586.rpm [done]
Installing: gigolo-0.3.2-1.1 [done]
[1208][root@suse-desktop:/home/scott]$

Now just run it. You’ll get a window similar to the following:

Gigolo Window

Press CTRL+B to edit your bookmarks. A window like this comes up:

Manage Bookmarks Window

Click ADD. In the box that appears, fill out the info and click OK:

Adding a Bookmark

If you selected autoconnect, you’ll be prompted for the password:

Password Prompt

You may also have to create a keyring password. When you are done, if you selected autoconnect, you’ll see an icon showing that it’s connected:

Showing Connection

If not, click the down arrow next to the bookmark button (furthest left), and select the bookmark you want to connect to:

Connect via Bookmarks

Once you have connected to a bookmark, double-click it in the gigolo window. Nautilus comes up displaying the remote filesystem. Not sure if you can use other file managers, but if you can, let me know.

October 28, 2009

Slick Linux Virtual Terminal: aterm

by @ 1:32 am. Filed under command-line, Linux tips, SUSE Tips & Tricks, terminal

In the search for a full weight loss program for my window manager (I’m switching from KDE 3.5 to XFCE4), it became clear that another terminal would have to replace Konsole. After 11 full minutes of considerable thought, agonizing contemplation, deliberation and extensive research, aterm became the obvious choice.

aterm looked interesting to me because it has a small memory footprint. Konqueror takes up about 7 times the RAM that aterm does, while xterm takes over twice the RAM that aterm does. aterm also has very few dependencies. Additionally, it supports pseudo-transparency, while remaining very responsive and quick.

The first thing you want to do is install aterm. This does not appear to be available on OpenSUSE 11.1 by default. But just add the following repo:

http://download.opensuse.org/repositories/home:/-miska-:/Release/openSUSE_11.1

Add the repo as root like this:

[1049][root@laptop:~]$ zypper addrepo http://download.opensuse.org/repositories/home:/-miska-:/Release/openSUSE_11.1 aterm
Adding repository 'aterm' [done]
Repository 'aterm' successfully added
Enabled: Yes
Autorefresh: No
URI: http://download.opensuse.org/repositories/home:/-miska-:/Release/openSUSE_11.1

[1049][root@laptop:~]$

Refresh the repo:

[1049][root@laptop:~]$ zypper refresh aterm
Retrieving repository 'aterm' metadata [done]
Building repository 'aterm' cache [done]
Specified repositories have been refreshed.
[1050][root@laptop:~]$

Install aterm:

[1112][root@dev:/home/scott]$ zypper install aterm
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  AfterStep_applets_all 


Overall download size: 310.0 K. After the operation, additional 1.1 M will be used.
Continue? [YES/no]: 
Retrieving package AfterStep_applets_all-070412-5.13.x86_64 (1/1), 310.0 K (1.1 M unpacked)
Retrieving: AfterStep_applets_all-070412-5.13.x86_64.rpm [done]         
Installing: AfterStep_applets_all-070412-5.13 [done]
[1112][root@dev:/home/scott]$ 

Now, run aterm in a terminal window or something to make sure it’s installed.

On to the configuration (which is the cool part, really).

First, determine which font you want to use by running xfontsel. It opens up a window where you can fine-tune the font you want aterm to use.

Then, you’ll want to set up your configuration file. I use .Xresources although there are others you can use.

Copy and paste this into your .Xresources file, and then adjust as necessary:

aterm*font: -*-fixed-medium-r-*-*-18-*-*-*-*-*-iso8859-*
aterm*font1: -*-*-*-*-*-*-2-*-*-*-*-*-*-*
aterm*font2: -misc-fixed-*-r-normal-*-8-*-*-*-*-*-iso8859-*
aterm*font3: -b&h-lucidatypewriter-bold-*-*-*-12-*-*-*-*-*-*-*
aterm*font4: -*-screen-bold-r-normal-*-16-*-*-*-*-*-iso8859-*
aterm*font5: -*-lucidatypewriter-medium-*-*-*-18-*-*-*-*-*-*-*
aterm*font6: -*-lucidatypewriter-medium-*-*-*-20-*-*-*-*-*-*-*
aterm*font7: -dec-terminal-bold-r-normal-*-14-*-*-*-*-*-iso8859-*

aterm*background: black
aterm*foreground: white
aterm*pointerColor: red
aterm*pointerColorBackground: black
aterm*cursorColor: blue
aterm*internalBorder: 3
aterm*loginShell: true

! Do you want a scrollbar?
aterm*scrollBar: true
aterm*scrollKey: true

! How many lines do you want to save in the buffer?
aterm*saveLines: 32767
aterm*multiClickTime: 250

! Do you want transparency?
aterm*transparent: true

! Do you want transparency in the scrollbar?
aterm*transpscrollbar: true

! How much transparency do you want (in percent)?
aterm*shading:20

!aterm*tintingType: true
!aterm*tinting: #a07040

! How many characters wide and tall should your window be?
aterm*geometry: 80x40

! Do you want a visual bell rather than an audio bell?
aterm*visualBell: true

Hopefully, it’s apparent that you can use exclamation points for comments.

Everything in this sample .Xresources config file should be fairly self-explanatory.

aterm takes many of the same configuration directives as xterm. So if you see an xterm directive you want aterm to use, throw it in the .Xresources file and reload it. You reload the .Xresources file with the following command:

[1058][scott@dev:~]$ xrdb -merge .Xresources
[1058][scott@dev:~]$ 

If you are running that command in an open aterm window, you will have to close the window and re-run aterm.

aterm is very quick and responsive, looks nice, and doesn’t take up too much memory. Take a look at it, play around with it, and enjoy it.

October 21, 2009

SSH Tip for the Day

by @ 8:14 am. Filed under bash, command-line, Linux tips, ssh tips

When you are forwarding ports through a tunnel, either locally or remotely (i.e., with the -L or -R switches), you can modify the session in real time. After you start the session, press SHIFT + ` + c (the ` key also carries ~, which is the character actually sent to the session, so the sequence is ~C). If it doesn’t work the first time, press ENTER a couple of times and try it again, since the escape is only recognized at the start of a line. Once you get the “ssh>” prompt, type “?” to list the commands you can enter. Here’s an example session:

[0908][scott@dev:~]$ ssh -R 8080:suseblog.com:8080 scott@suseblog.com
Password:
Last login: Thu Oct 15 11:59:43 2009 from 67.214.232.162
Have a lot of fun...
[1109][scott@mail:~]$ [PRESS SHIFT + ` + c HERE]
ssh> ?
Commands:
      -L[bind_address:]port:host:hostport    Request local forward
      -R[bind_address:]port:host:hostport    Request remote forward
      -KR[bind_address:]port                 Cancel remote forward
[PRESS ENTER HERE]
[1110][scott@mail:~]$ [PRESS SHIFT + ` + c HERE]
ssh> -R8080:letslearnlinux.com:1080
Forwarding port.

[1110][scott@mail:~]$

OpenSSH has got to be one of the freakin’ sweetest tools *EVAR*. Anyway, enjoy!

October 16, 2009

[Linux] – Socks Proxy in One Command

by @ 3:54 pm. Filed under command-line, Linux tips, ssh tips

If you have difficulty browsing on your Linux workstation at work, say, because of filters and such, this will make your day. The one other thing you need is a Linux server outside your work network. Once you have that, you can use ssh to create a SOCKS proxy. Even as an unprivileged user, type in this command:

ssh -D 8080 <username>@<host>

Replace <username> with your username and <host> with your remote Linux server host name. Once that’s successful, pop open Firefox. Go to the EDIT Menu => Preferences. Select the ADVANCED button, then go to the “Network” tab. Click the “Settings” button. Select the “Manual Proxy Configuration” radio button. In the SOCKS Host, put in either the IP or the domain name of your remote Linux box. In the port, put in 8080, as that’s the one we used.

Click “OK” and close everything (except firefox). You should now be able to browse wherever your little heart desires.

One thing to note: name server (DNS) queries are NOT proxied, so if your admins are watching name server lookup requests, you could still get nailed. Anyway, it’s a pretty neat little thing to know about ssh. Not sure that I’ve ever seen this capability on a Win32 platform. Yet another one of the many reasons that I really enjoy Linux.

Have a totally spectacular weekend.

July 28, 2009

Linux, what nice… passwords you have… and your prompts are incredible…

by @ 6:01 pm. Filed under bash, command-line, General Linux, Linux tips

When you have the level of paranoia that I do, being able to generate ultra-secure passwords is a very nice thing.

My bash prompt is also something I take great pride in. Not only that, I really like it.

Well guess what, folks… you can do both with the same file. This would be your .bashrc file. Here’s a basic look at my prompt:


[1850][scott@laptop:~]$

It shows me the time, the account with which I am logged in, the hostname of the local machine, and the present working directory. All handy things to know.

Now, for the password generation thing, check this out:

[1855][scott@laptop:~]$ genpasswd 64
(#b-p>yi>ojSw@oS6PN,uo_A`;.}DuyfG{levk[Q$UgfrmAkE^t|&)dZb!Nry;
[1855][scott@laptop:~]$

You can make rainbow tables ’til the end of time, and let John the Ripper go on the /etc/shadow file with that password in it, and you ain’t gonna be cracking that password.

If this is interesting to you, or you have other suggestions of a similar nature, please, let’s have ’em.

That all said, here’s the .bashrc file that makes this prompt and password generator possible:

# /etc/skel/.bashrc:                                          
# This file is sourced by all *interactive* bash shells on startup.  This
# file *should generate no output* or it will break the scp and rcp commands.

# colors for ls, etc.
eval `dircolors -b /etc/DIR_COLORS`
alias d="ls --color"
alias ls="ls --color=auto"
alias ll="ls -al --color"

# Change the window title of X terminals
case $TERM in
        xterm*|rxvt|Eterm|eterm)
                PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/$HOME/~}\007"'
                ;;
        screen)
                PROMPT_COMMAND='echo -ne "\033_${USER}@${HOSTNAME%%.*}:${PWD/$HOME/~}\033\\"'
                ;;
esac

##uncomment the following to activate bash-completion:
#[ -f /etc/profile.d/bash-completion ] && source /etc/profile.d/bash-completion


function proml {
local       BLUE="\[\033[0;34m\]"
local        RED="\[\033[0;31m\]"
local  LIGHT_RED="\[\033[1;31m\]"
local      WHITE="\[\033[1;37m\]"
local LIGHT_GRAY="\[\033[0;37m\]"
case $TERM in
    xterm*)
        TITLEBAR='\[\033]0;\u@\h:\w\007\]'
        ;;
    *)
        TITLEBAR=""
        ;;
esac

PS1="${TITLEBAR}\
$BLUE[$RED\$(date +%H%M)$BLUE]\
$BLUE[$LIGHT_RED\u@\h:\w$BLUE]\
$WHITE\$$LIGHT_GRAY "
PS2='> '
PS4='+ '
}

proml

alias ifconfig="/sbin/ifconfig"

# Print a random password of $1 characters (default 20) built from
# letters, digits and punctuation pulled out of /dev/urandom.
genpasswd() {
        local l=${1:-20}
        # Single quotes keep the shell off the backslashes; tr reads \\ as one
        # backslash. Ending with echo (not xargs) adds the newline without
        # choking on a quote or backslash in the password.
        tr -dc 'A-Za-z0-9!"#$%&()*+,./:;<=>?@[\\]^_`{|}~-' < /dev/urandom | head -c "$l"; echo
}

Hope that's as useful for you as it has been for me.

July 16, 2009

SSH Attack Foghorn

by @ 6:20 am. Filed under bash, General Linux, Linux tips, ssh tips, sweet tools, Work-Related

I don’t like it when people try and hack my web servers. To make myself aware of people trying to access my ssh daemon, I wrote me a little script. Yup, I’m certainly aware of DenyHosts. Notwithstanding, in the hopes that this script may find use elsewhere, I post it here. Behold, enjoy, and chuckle a bit at how much better you could write it. Then, let me know how you’d improve it:

#!/bin/bash
# Mail a report of sshd "Invalid user" attempts logged during the previous minute.
LOGFILE=/root/hack_attempts
IFS=$'\n'
# Syslog timestamp prefix for one minute ago, e.g. "Jul 16 06:19:"
PATTERN="^$(date --date="1 minute ago" "+%b %e %H:%M:")"
tail -n 1000 /var/log/messages | grep "$PATTERN" | grep sshd | grep -i "invalid user" | grep " from " > "$LOGFILE"
if [ -s "$LOGFILE" ] ; then
	echo "See the attached log for details" | mailx -a "$LOGFILE" -s "Possible hack attempt" YOUREMAIL@YOURDOMAIN.COM
fi
rm "$LOGFILE"

Copy it to your /root folder. Name it something cool like ‘ssh_foghorn’, and chmod +x it to make it executable. Put it in your /etc/crontab file to run once every minute. Make sure you set the system log to whatever your distro uses. And change the email address to your own. Doesn’t cure cancer, but for 8 lines of code, it does what it needs to.

Again, I’m sure there are better ways to do this, so let’s hear ’em!
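One improvement in the spirit requested above, as an added example and not the post’s script: keep the same grep chain, but aggregate the hits per source address for the minute in question and only report sources past a threshold, so the mail says who is knocking and how hard. The sample log lines are constructed for the demo.

```shell
#!/bin/bash
# Added example (not the blog's script): summarise sshd "Invalid user" attempts
# per source address for one syslog minute, so the mail names the hosts doing
# the knocking instead of attaching raw lines. Sample log lines are constructed.

# Write a constructed /var/log/messages excerpt to file $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Jul 16 06:15:01 mail cron[1234]: (root) CMD (/root/ssh_foghorn)
Jul 16 06:15:03 mail sshd[2001]: Invalid user admin from 198.51.100.7
Jul 16 06:15:04 mail sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 4410 ssh2
Jul 16 06:15:06 mail sshd[2003]: Invalid user oracle from 198.51.100.7
Jul 16 06:15:09 mail sshd[2005]: Invalid user test from 203.0.113.42
Jul 16 06:15:20 mail sshd[2007]: Accepted publickey for scott from 192.0.2.10 port 5022 ssh2
Jul 16 06:16:02 mail sshd[2010]: Invalid user admin from 198.51.100.7
EOF
}

# Print "count ip", highest count first, for every source address with at
# least $3 matching lines (default 1) in log $1 during the minute whose
# syslog prefix ("Jul 16 06:15:") is $2. The grep chain is the post's; as
# there, both the "Invalid user" line and the matching "Failed password for
# invalid user" line count.
invalid_user_summary() {
    local logfile=$1 prefix=$2 threshold=${3:-1}
    grep "^$prefix" "$logfile" | grep sshd | grep -i "invalid user" | grep " from " \
        | awk -v t="$threshold" '
            { ip = ""; for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1) }
            ip != "" { n[ip]++ }
            END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }' \
        | sort -rn
}

# Cron-style use, mirroring the post's one-minute window:
# invalid_user_summary /var/log/messages "$(date --date='1 minute ago' '+%b %e %H:%M:')" 3
```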

June 11, 2009

Reset MySQL root Password in Linux

by @ 9:36 pm. Filed under Linux tips

Stolen From Here

Reset Forgotten MySQL Root Password

Have you ever forgotten the root password on one of your MySQL servers? No? Well maybe I’m not as perfect as you. This is a quick h00tow (how to) reset your MySQL root password. It does require root access on your server. If you have forgotten that password, wait for another article. Original article posted on reset mysql root password.

First things first. Log in as root and stop the mysql daemon. Now let’s start up the mysql daemon and skip the grant tables, which store the passwords.

mysqld_safe --skip-grant-tables

You should see mysqld start up successfully. If not, well you have bigger issues. Now you should be able to connect to mysql without a password.

mysql --user=root mysql

update user set Password=PASSWORD('new-password') where user='root';
flush privileges;
exit;

Now kill your running mysqld, then restart it normally. You should be good to go. Try not to forget your password again.

May 21, 2009

OpenSUSE Linux: Creating Self-Signed SSL Certificates

by @ 2:54 pm. Filed under Linux tips, security, SUSE Tips & Tricks

Originally written Jun 2, 2008, and updated on May 21, 2009

Overview

At some point or another, you’ll likely end up needing an SSL certificate for a Web site somewhere along the line. For a commercial site, your hosting provider can or will help you get this all squared away. This article is not for people in that situation.

What we’re doing here will be to create our own Certificate Authority. Then, we’ll create our own server key and a signing request. Then, we’ll sign our own certificate using the key and certificate from our own Certificate Authority. In other words, we’re not just going to create an SSL certificate, but we’re going to sign that bad boy, too.

This is useful for personal websites that need a little security, or when you’re waiting for your real cert from a real Certificate Authority. Perhaps you need it for transmitting data from an external server to your Intranet. Or perhaps you need it in any of the three hundred thousand seven hundred forty-two other situations that may arise.

Certificate Authority

The first thing that you’ll need is root access to the server. SSH in and head somewhere secure like /root.

Next, we’ll go ahead and generate our own Certificate Authority key. In this step, we are impersonating someone like Verisign or Thawte. Well, not impersonating, but we are going to do the same thing for ourselves that they would normally do.

To create our key, we’ll run this command:

openssl genrsa -des3 -out ca.key 4096

When we do that, it looks something like this:

[1257][root@mail:~/cert]$ openssl genrsa -des3 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
...............................................................................................................................++
.................................................++
e is 65537 (0x10001)
Enter pass phrase for ca.key: [enter a pass phrase here for the CA key]
Verifying - Enter pass phrase for ca.key: [verify the same pass phrase here]
[1258][root@mail:~/cert]$ 

Note that those pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later.

Next, we’ll use that key to create a certificate. Before we do this, note that the information you enter here is NOT the information you will enter later for your own server. Remember, we are emulating a Certificate Authority here. When we generate our server certificate, we will put in the real information, which must differ from what is here. With that, let’s whip out the certificate. Notice that we are making it good for 3650 days, or 10 years. Adjust to your taste. This is done with the following command:

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

And doing this may resemble something like this:

[1306][root@mail:~/cert]$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key: [enter the CA pass phrase from above here]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:WA
Locality Name (eg, city) []:Redmond
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Microsoft Corporation
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.microsoft.com
Email Address []:bill.gates@microsoft.com
[1307][root@mail:~/cert]$ 

Our Server Key and CSR

Next up on the list is to create a key that corresponds to our server. The first one we made was for the Certificate Authority. This one will be generated by and for our own server. We will do that with this command:

openssl genrsa -des3 -out server.key 4096

The output should look familiar:

[1310][root@mail:~/cert]$ openssl genrsa -des3 -out server.key 4096
Generating RSA private key, 4096 bit long modulus
................................++
....++
e is 65537 (0x10001)
Enter pass phrase for server.key: [enter a pass phrase here for our server key]
Verifying - Enter pass phrase for server.key: [verify the same pass phrase here]
[1313][root@mail:~/cert]$ 

Again, those pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later.

Now… let’s see… oh yeah. Now, we have to create a signing request, or CSR, from the server key we just made. This signing request would usually make a trip to a genuine Certificate Authority to have the key signed and a real, verified, bona fide signed certificate returned to us. So, to generate our signed certificate, we’ll first need a signing request so we can make the signed cert. See how that works?

To create the CSR, we do this:

openssl req -new -key server.key -out server.csr

Now remember, kids. This is the part where we do put in our actual real information because the server does in fact belong to us. Put in the real domain where it says “Common Name (eg, YOUR name) []:”. Fill out everything correctly. And so we do:

[1313][root@mail:~/cert]$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: [enter the pass phrase here for our server key from above]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:UT
Locality Name (eg, city) []:Eagle Mountain
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Suse Blog
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.suseblog.com
Email Address []:my-address@suseblog.com [put in your real email address here]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[1323][root@mail:~/cert]$ 

Sign the Certificate

Now, we are going to take all these files and make them do some voodoo. We are going to sign the signing request using the Certificate Authority certificate and key that we made at the beginning. What we will get is our perfectly forged signed certificate. OK, not perfectly, because we are not a real CA. But we’ll get a pretty darn good signed cert that will work for us rather nicely.

The command we’re going to run looks like this:

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

And when we run it, we see something hopefully resembling this:

[1326][root@mail:~/cert]$ openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signature ok
subject=/C=US/ST=UT/L=Eagle Mountain/O=Suse Blog/CN=www.suseblog.com/emailAddress=my-address@suseblog.com
Getting CA Private Key
Enter pass phrase for ca.key: [enter the CA pass phrase from above here]
[1332][root@mail:~/cert]$ 

Generate server.key That Won’t Prompt for Password

Now, we have a little problem. Our server.key file will cause apache2 to prompt us for a password every time it starts. We need to fix it so that doesn’t happen. We’ll do that with these three commands:

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

When we run these commands, here’s our output:

[1354][root@mail:~/cert]$ openssl rsa -in server.key -out server.key.insecure
Enter pass phrase for server.key: [enter the pass phrase here for our server key from above]
writing RSA key
[1354][root@mail:~/cert]$ mv server.key server.key.secure
[1354][root@mail:~/cert]$ mv server.key.insecure server.key
[1354][root@mail:~/cert]$

Placing the Files

At this stage, you should now have a bunch of files. These, in fact:

[1354][root@mail:~/cert]$ ll
total 32
drwxr-xr-x  2 root root 4096 2008-06-02 13:54 .
drwx------ 10 root root 4096 2008-06-02 13:35 ..
-rw-r--r--  1 root root 2529 2008-06-02 13:07 ca.crt [CA certificate]
-rw-r--r--  1 root root 3311 2008-06-02 12:58 ca.key [CA key]
-rw-r--r--  1 root root 2049 2008-06-02 13:32 server.crt [our server certificate]
-rw-r--r--  1 root root 1748 2008-06-02 13:23 server.csr [our server signing request]
-rw-r--r--  1 root root 3243 2008-06-02 13:54 server.key [our password-less server key]
-rw-r--r--  1 root root 3311 2008-06-02 13:13 server.key.secure [our passworded server key]
[1355][root@mail:~/cert]$

Just having them doesn’t get us anywhere, so let’s get them installed. First, we are going to change some permissions, because we don’t want just anyone having access to these files. To apply the appropriate permissions, run this:

chmod 0600 server.key.secure server.key server.csr server.crt
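The whole key-and-certificate flow above, scripted end to end, as an added example (not the post’s own commands), with the two checks a practitioner runs before installing the files: that server.crt verifies against ca.crt and that server.key really is the key in server.crt. It assumes OpenSSL 1.1.1 or newer; the pass phrases and subject fields are placeholders, and the subjectAltName and random serial go beyond what the post does.

```shell
#!/bin/bash
# Added example (not from the post): the CA key -> CA cert -> server key ->
# CSR -> signed cert -> pass-phrase-less key flow above, run non-interactively,
# followed by the two checks the post skips: that server.crt verifies against
# ca.crt and that server.key is the key inside server.crt. Assumes OpenSSL
# 1.1.1 or newer; pass phrases and subject fields are placeholders.

# Build ca.key, ca.crt, server.key(.secure), server.csr and server.crt in
# directory $1 for hostname $2 with $3-bit RSA keys (the post uses 4096).
make_self_signed_chain() {
    local d=$1 host=$2 bits=${3:-4096}
    local ca_pass="ca-pass-phrase-placeholder" srv_pass="server-pass-phrase-placeholder"
    mkdir -p "$d" || return 1

    # Certificate Authority: encrypted key plus a self-signed cert good for 10 years.
    openssl genrsa -des3 -passout "pass:$ca_pass" -out "$d/ca.key" "$bits" 2>/dev/null || return 1
    openssl req -new -x509 -days 3650 -key "$d/ca.key" -passin "pass:$ca_pass" \
        -subj "/C=US/ST=UT/L=Eagle Mountain/O=Home CA/CN=Home CA" -out "$d/ca.crt" || return 1

    # Server key and signing request; only this CSR carries the real hostname.
    openssl genrsa -des3 -passout "pass:$srv_pass" -out "$d/server.key" "$bits" 2>/dev/null || return 1
    openssl req -new -key "$d/server.key" -passin "pass:$srv_pass" \
        -subj "/C=US/ST=UT/L=Eagle Mountain/O=Suse Blog/CN=$host" -out "$d/server.csr" || return 1

    # Sign the CSR with the CA. -CAcreateserial replaces the post's -set_serial 01
    # with a random serial kept in ca.srl, so a second cert from this CA cannot
    # collide. subjectAltName goes beyond the post: browsers now ignore the CN.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$d/server.ext"
    openssl x509 -req -days 3650 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -passin "pass:$ca_pass" -CAcreateserial -extfile "$d/server.ext" \
        -out "$d/server.crt" 2>/dev/null || return 1

    # Strip the pass phrase so apache2 starts unattended; keep the encrypted copy.
    openssl rsa -in "$d/server.key" -passin "pass:$srv_pass" -out "$d/server.key.insecure" 2>/dev/null || return 1
    mv "$d/server.key" "$d/server.key.secure" && mv "$d/server.key.insecure" "$d/server.key" || return 1

    # The post chmods only the server files; ca.key can mint trusted certs, so it gets 0600 too.
    chmod 0600 "$d"/ca.key "$d"/server.key.secure "$d"/server.key "$d"/server.csr "$d"/server.crt
}

# Print "OK" when server.crt in $1 chains to ca.crt and its public key matches
# server.key; otherwise print what failed and return 1.
verify_chain() {
    local d=$1 cert_mod key_mod
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1 \
        || { echo "BAD: server.crt does not verify against ca.crt"; return 1; }
    cert_mod=$(openssl x509 -noout -modulus -in "$d/server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$d/server.key" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] \
        || { echo "BAD: server.key does not match server.crt"; return 1; }
    echo "OK"
}
```

Run it as `make_self_signed_chain /root/cert www.example.com && verify_chain /root/cert` and only move the files into /etc/apache2 once it prints OK.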

Now, here’s where things depend on the distribution that you are using. I will describe what I am doing so that if you are not on OpenSUSE, you will still be able to get this working.

In OpenSUSE, the apache2 config directory is located at /etc/apache2. Underneath that, there are a handful of directories. The three we care about are /etc/apache2/ssl.crt, /etc/apache2/ssl.csr, and /etc/apache2/ssl.key. The server.crt needs to be moved to /etc/apache2/ssl.crt. The server.csr file needs to be moved to /etc/apache2/ssl.csr. And the server.key file needs to be moved to /etc/apache2/ssl.key:

[1348][root@mail:~/cert]$ mv server.key /etc/apache2/ssl.key/server.key
[1349][root@mail:~/cert]$ mv server.crt /etc/apache2/ssl.crt/server.crt
[1349][root@mail:~/cert]$ mv server.csr /etc/apache2/ssl.csr/server.csr
[1349][root@mail:~/cert]$

Yep, pretty complex stuff, moving files.

Now, we need to make a handful more edits to some files, and we’re just about there.

System Configuration

First thing is to edit /etc/sysconfig/apache2. Search through that file for the directive called APACHE_MODULES. Make sure you see ‘ssl’ in there. If not, add it. Then, search through the file and find APACHE_SERVER_FLAGS. Make sure it has ‘SSL’ in it. If not, add it. Save and close the file.

You can also manage apache’s modules with the ‘a2enmod’ command. To view the list of loaded modules, run ‘a2enmod -l’.

Next, open up the config file that tells apache2 which ports to listen on. In OpenSUSE, this file is /etc/apache2/listen.conf. Rip that bad boy open. You will see the following line:

Listen 80

Add a new line for port 443, our HTTPS port, so that it looks like this:

Listen 80
Listen 443

Then, look for the following line:

NameVirtualHost *:80

Add a new line for port 443, our HTTPS port, so that it looks like this:

NameVirtualHost *:80
NameVirtualHost *:443

Save and quit.

Virtual Host Configuration

In OpenSUSE, it’s really easy to have virtual hosts on a machine. I have like 10 on mine. One of them is my blog, www.suseblog.com. Well, to make this easy, in OpenSUSE, the virtual domain configuration files are located in /etc/apache2/vhosts.d, each with their own name. My www.suseblog.com configuration file is called suseblog.conf. To set up SSL for this virtual host, just duplicate the file and give it another name. In my case, I named it ssl-suseblog.conf.

Now, we’re going to open up that file and add like 4 lines to it. No sweat.

At the top of the file, there is a line that looks like this:

<VirtualHost *:80>

Change the port from 80 to 443, so it looks like this:

<VirtualHost *:443>

Then, go down a ways and add these lines:

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

Save and quit on that one, too.
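The SSLCipherSuite line above dates from 2009 and leaves null, export, low-grade and SSLv2 ciphers switched on. As an added example (not from the post), here is a small check that reads a vhost file and lists which of those tokens are still enabled; the weak-token list and the sample vhost are my own constructions.

```shell
#!/bin/bash
# Added example (not from the post): check an Apache vhost config for
# SSLCipherSuite tokens that enable null, anonymous, export-grade, low-grade,
# RC4/MD5/DES or SSLv2 ciphers. The token list and the sample vhost are mine.
WEAK_TOKENS="eNULL aNULL NULL ADH EXP EXPORT40 EXPORT56 LOW SSLv2 RC4 MD5 DES"

# Write a constructed vhost file to $1 using the cipher line from the post.
make_sample_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
</VirtualHost>
EOF
}

# Print, one per line, each weak token that an SSLCipherSuite line in config
# $1 leaves enabled. "!X" removes X for good and is skipped; "+X" moves X to
# the end of the list but keeps it; "RC4+RSA" means ciphers that are both,
# so every part of a "+"-joined token is examined.
enabled_weak_tokens() {
    awk -v weak="$WEAK_TOKENS" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) isweak[w[i]] = 1 }
        tolower($1) == "sslciphersuite" {
            n = split($2, tok, ":")
            for (i = 1; i <= n; i++) {
                t = tok[i]
                if (substr(t, 1, 1) == "!") continue
                m = split(t, part, "+")
                for (j = 1; j <= m; j++) if (part[j] in isweak) print part[j]
            }
        }' "$1"
}

# A stricter pair of lines for the same vhost (my suggestion, not the post's):
#   SSLProtocol all -SSLv2 -SSLv3
#   SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!DES
```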

Configure Firewall

We can configure this thing perfectly, but if the firewall doesn’t know to let traffic through, we will not have HTTPS access to the server. Let’s check the firewall really quick to make sure.

Fire up YAST. Go to the Security & Users option on the right, and select FIREWALL from the left. If you do not have a firewall running on the machine, you can just exit now. If you do, you will need to go to ALLOWED SERVICES. In the SERVICES TO ALLOW drop-down on the right, select HTTPS Server. Then click ADD. Then click NEXT, and finally FINISH. You should now have port 443 opened for HTTPS business.

Now, let’s go ahead and restart apache and enjoy our new self-signed self-generated SSL cert on our HTTPS service:

[1426][root@mail:/etc/apache2]$ /etc/init.d/apache2 restart
Syntax OK
Shutting down httpd2 (waiting for all children to terminate)          done
Starting httpd2 (prefork)                                             done
[1427][root@mail:/etc/apache2]$ 

Conclusion

Well, we’ve concluded. Enjoy.

More info on the mod_ssl page

April 3, 2009

Linux Commands to Create NTFS Filesystem on USB Stick

by @ 9:26 am. Filed under bash, command-line, How-To, Linux tips

First, the stick should be in, but not mounted. If it is mounted, find the partition represented by your usb stick, as such:

[0959][scott@laptop:~]$ mount
/dev/sda2 on / type ext3 (rw,acl,user_xattr)
/proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
debugfs on /sys/kernel/debug type debugfs (rw)
udev on /dev type tmpfs (rw)
devpts on /dev/pts type devpts (rw,mode=0620,gid=5)
/dev/sda1 on /windows/C type fuseblk (rw,allow_other,blksize=4096)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
gvfs-fuse-daemon on /home/scott/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=scott)
/dev/sdc1 on /media/disk-1 type vfat (rw,nosuid,nodev,shortname=winnt,uid=1000)
/dev/sdb1 on /media/disk-2 type fuseblk (rw,nosuid,nodev,allow_other,default_permissions,blksize=1024)
[0959][scott@laptop:~]$

It will likely be a /dev/sdxx type device. In this case, the one I’m looking for is sdb1.

We need to unmount it as root (‘su’):

laptop:/home/scott # umount /dev/sdb1
laptop:/home/scott #

Now, fdisk the usb stick, and not the partition. In other words, leave off the trailing digit:

laptop:/home/scott # fdisk /dev/sdb

Command (m for help):

Press ‘p’ to view the partitions on the drive, and check from the size that this really is the stick; fdisk will just as happily wipe a hard disk. Delete all partitions with ‘d’. Create a new one with ‘n’. It will be a primary partition, and it will be partition 1. Now we need to set the partition type (fdisk calls it the system id; it tells Windows what to expect on the partition, it does not format anything). Press ‘t’, and then, if you’d like to see all the type codes, press ‘L’, but I’ll just tell you that NTFS is 7. Enter ‘7’, and then ‘w’ to write the partition table and exit:

Command (m for help): p

Disk /dev/sdb: 1027 MB, 1027604480 bytes
64 heads, 32 sectors/track, 980 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes
Disk identifier: 0x610fbfb2

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1         980     1003504    c  W95 FAT32 (LBA)

Command (m for help): d
Selected partition 1

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-980, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-980, default 980):
Using default value 980

Command (m for help): t
Selected partition 1
Hex code (type L to list codes): 7
Changed system type of partition 1 to 7 (HPFS/NTFS)

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
laptop:/home/scott #

Now, we need to actually format the new partition. Include the partition number at the end. It should be 1. You will do this as root (‘su’), like so:

laptop:/home/scott # mkntfs /dev/sdb1
Cluster size has been automatically set to 1024 bytes.
Initializing device with zeroes: 100% - Done.
Creating NTFS volume structures.
mkntfs completed successfully. Have a nice day.
laptop:/home/scott #

K, well, there you are. Mount it up any way you see fit, and you are all set.
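The same job as a script, added here as an example and not part of the original post. The interesting part is not the formatting but the two guards in front of it: it refuses a partition name (the trailing digit the post warns about) and it refuses any device that has a partition in the mount table, which also stops it from ever touching the disk that / lives on. The partitioning is done with sfdisk so it needs no keypresses; the script syntax assumes util-linux 2.26 or later. Function names and the volume label are mine.

```bash
#!/bin/bash
# Added example: partition a USB stick as one NTFS partition, with checks
# that keep it from eating the wrong disk. Not the original post's commands.
set -eu

# Return 0 if DEV, or any partition on it, appears in a mount table
# (/proc/mounts by default; a file can be passed in for testing).
dev_is_mounted() {                   # dev_is_mounted /dev/sdb [mounts_file]
    local dev=$1 table=${2:-/proc/mounts}
    grep -Eq "^${dev}([0-9]+|p[0-9]+)? " "$table"
}

# Return 0 if DEV names a whole disk, 1 for a partition such as /dev/sdb1.
is_whole_disk() {
    case $1 in
        /dev/sd[a-z]|/dev/sd[a-z][a-z]|/dev/mmcblk[0-9]|/dev/nvme[0-9]n[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# sfdisk script: new DOS label, one partition filling the disk, type 7
# (the same id chosen with 't' in fdisk above).
sfdisk_script() {
    printf 'label: dos\ntype=7\n'
}

make_ntfs_stick() {                  # make_ntfs_stick /dev/sdb
    local dev=$1
    is_whole_disk "$dev" || { echo "refusing: $dev is not a whole disk" >&2; return 2; }
    if dev_is_mounted "$dev"; then
        echo "refusing: $dev (or a partition on it) is mounted; umount first" >&2
        return 3
    fi
    sfdisk_script | sfdisk "$dev"
    # Make sure the kernel has re-read the table before formatting.
    partprobe "$dev" 2>/dev/null || blockdev --rereadpt "$dev"
    # -Q skips the full zeroing pass the post's mkntfs run did; -L sets the label.
    mkntfs -Q -L USBSTICK "${dev}1"
}

# Usage (as root):  make_ntfs_stick /dev/sdb
```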

March 31, 2009

Linux Contributions from Andrew

by @ 9:02 am. Filed under How-To, Linux tips

Recently, Andrew wrote me an email, which I shall pass on for the benefit of all:

Hi Scott
I started off writing a serious email, but your “why Santa Can’t Exist” converted me to tears of laughter, the story above it soon gave me a reality check, poor girl.

I was before I was interrupted with humour reading your blog posts on Linux, and was very impressed with the informative way that you write. We create video based tutorials and over the last 18 months we have been turning more of our resources to covering Linux based subjects. We have also been converting our videos to play in Flash as well as QuickTime, so Linux users don’t have to mess around installing 3rd party apps and invoke all kinds of trickery just to watch a simple training video.

I was wondering if you would consider offering some of our links to your visitors, I have listed the tutorials below that may be of interest:-

http://www.computer-training-software.com/opensuse.htm
http://www.computer-training-software.com/ubuntu-linux.htm
http://www.computer-training-software.com/ubuntu-server.htm
http://www.computer-training-software.com/ubuntu-certification.htm
http://www.computer-training-software.com/linux-security.htm
http://www.computer-training-software.com/lpi.htm
http://www.computer-training-software.com/lpic-2.htm
http://www.computer-training-software.com/linux.htm

Thanks, Andrew.

March 18, 2008

ssh Without a Password

by @ 9:09 am. Filed under bash, command-line, Linux tips, ssh tips

If you use Linux for day-to-day computing, you likely use the secure shell, or ssh. If you are like me, you may grow weary of constantly typing in passwords to access remote machines. Or maybe you have the perfect backup system, except that it uses ssh to transfer files and requires you to type in a password (rsync or rdiff-backup, for example). There is a way to access those machines without using a password. This technique should be used with care: I’d use it only between machines I control. You don’t want to set up passwordless access from a public machine to your production server, in other words. Two caveats on the walkthrough below, which dates from 2008: it generates a DSA key, which is limited to 1024 bits and which OpenSSH has refused by default since version 7.0 (on anything current, use ssh-keygen -t ed25519, or -t rsa -b 4096); and it leaves the private key with no passphrase, so anyone who can read ~/.ssh/id_dsa on ‘desktop’ can log into ‘server’ as ‘admin’. A passphrase plus ssh-agent gives you the same type-it-once convenience without that exposure.

The principle is that you generate a public and private key on the local machine. This will be whatever machine you are connecting from. You then transfer the public key to the remote machine. Then, when you ssh into the remote machine, it uses the keys to authenticate. You don’t type in a password, it just takes you straight to the shell prompt. How do we set this up?

Log into the machine you are going to connect from. Let’s say that your account is called ‘user’ and you are going to connect from a machine called ‘desktop’. Log in as ‘user’ on the ‘desktop’ machine and pull up a shell. Run this command. The bracketed text is what you do, not what you type:

[0218][user@desktop:~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa): [JUST PRESS ENTER HERE]
Enter passphrase (empty for no passphrase): [JUST PRESS ENTER HERE]
Enter same passphrase again: [JUST PRESS ENTER HERE]
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
a5:25:c0:aa:fe:f3:9f:46:7a:23:e3:6e:10:ec:6f:d3 user@desktop
[0218][user@desktop:~]$

Your keys are generated. On that machine, view /home/user/.ssh/id_dsa.pub. You will see something like this:

ssh-dss AAAAA3NzAC1kc3MAAACAANfnr9xkAks2u8Xd5I9nozzsXLKCYA8o9h3cMwL5QMcZGxz84Dyl3IyRwozv3I2xGwJAYyAHvJAS7AQmtFXtfmQts3dt2ZnlAmKj0TkC8pwDgvXJYzARJpCP2Zx7iwD/OCO3sTgT0wGwYtQrAcTeW5Tt6sSmQjEJ2rJj+Q5XA1xvAAAAFQDWcQ+OJRnk+jCYqESWqxHcyw74DwAAAIA9qAQyZrOJkjpzMSWAcliHvvuyCN8RInlgq+IwWynukOX7zYXcE2dJPopgpG3Aiiq/fxAQX5dUzXfSrL3KYftQOd/RNkAzMHAAzAJeQAA0wEt4uAjhGRwCOSg6wKMYJPYfVghnwIKARuSTUS8NjRXVKteHg7frOOHZwRGIm36pxgAAAIA8/CKLLn5QRctsvvvmvpOn2Xhek02z8K0YukYcXJOQ1FMTYWoHujA39sEAFsdx6Nq1t58lI2dsj6fpf7LOOvoYWtKQnTNRUptlOx27LTO9Q6DhKPV/93nLI/xFOFo/8twZ1TmpAgpAI3SQ9YCnX2A8H686OUwUPmY0kA+H8GKnug== user@desktop

What you need to do now is decide which remote machine you are going to log into, and as which user. We are going to log in as a user called ‘admin’ on a server called ‘server’. First, ssh into ‘server’ as ‘admin’ the normal way. Then, edit ~/.ssh/authorized_keys (sshd also reads the older name authorized_keys2, but authorized_keys is the canonical file). If it is not there, create it. All you need to do is paste the contents of the id_dsa.pub file from the ‘user’ account on ‘desktop’ into that file, as one line. One more thing: sshd silently ignores the file if it, or ~/.ssh itself, is writable by anyone but the owner, so make sure ~/.ssh is mode 700 and authorized_keys is mode 600.

For example:

I go to my desktop, log in as ‘user’. I run ‘ssh-keygen -t dsa’. It generates a ~/.ssh/id_dsa.pub file in my home directory.

I want to connect as ‘admin’ on a box called ‘server’. I ssh in normally as ‘admin’ into the ‘server’ machine. I edit ~/.ssh/authorized_keys using my favorite text editor. I add the contents of the ~/.ssh/id_dsa.pub file from my desktop machine as a new line in the authorized_keys file on ‘server’. I then save and quit. I then close all connections to ‘server’. Then, I type ‘ssh admin@server’, and hit ENTER. It drops me straight to a shell prompt.

This is a nice way to access a machine without having to type in the password every time. Only do this from machines that only you or authorized personnel have access to; the private key file is now the password. Otherwise, you could have a li’l security problem.
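Here is the same setup done the way I would do it now, as an added example and not the post’s own commands: an ed25519 key with a passphrase kept usable by ssh-agent, the public key installed only once no matter how often you run it, the options that pin a backup key to one source host and strip it of forwarding and a pty, and the permissions sshd insists on. The host names ‘desktop’ and ‘server’ and the users come from the post; the from=/restrict options (OpenSSH 7.2 or later for restrict) and the helper names are mine.

```bash
#!/bin/bash
# Added example: key-based ssh login, hardened. Helper names, the host name
# in the from= option and the usage lines are assumptions, not from the post.
set -eu

# sshd (StrictModes yes, the default) ignores authorized_keys when ~/.ssh or
# the file is writable by anyone but the owner. Make that so.
fix_ssh_perms() {                    # fix_ssh_perms ~/.ssh
    chmod 700 "$1"
    [ -e "$1/authorized_keys" ] && chmod 600 "$1/authorized_keys"
    return 0
}

# Append one public key to an authorized_keys file unless its key material
# (field 2 of the .pub file) is already there, so a changed comment does not
# create a duplicate. Optional third argument: option list to prefix.
# Returns 0 if the key was added, 1 if it was already present.
install_pubkey() {                   # install_pubkey id.pub ~/.ssh/authorized_keys [options]
    local pub=$1 auth=$2 opts=${3:-}
    local keydata line
    keydata=$(awk '{print $2}' "$pub")
    mkdir -p "$(dirname "$auth")"
    touch "$auth"
    if awk -v k="$keydata" '{ for (i = 1; i <= NF; i++) if ($i == k) found = 1 }
                            END { exit !found }' "$auth"; then
        return 1
    fi
    line=$(cat "$pub")
    if [ -n "$opts" ]; then line="$opts $line"; fi
    printf '%s\n' "$line" >> "$auth"
    fix_ssh_perms "$(dirname "$auth")"
    return 0
}

# How many times the key material of PUB appears in AUTH (idempotence check).
count_pubkey() {                     # count_pubkey id.pub authorized_keys
    local keydata
    keydata=$(awk '{print $2}' "$1")
    grep -c -F -- "$keydata" "$2"
}

# Usage, on 'desktop' as 'user':
#   ssh-keygen -t ed25519 -a 64 -f ~/.ssh/id_ed25519      # give it a passphrase
#   eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519    # type it once per session
#   scp ~/.ssh/id_ed25519.pub admin@server:/tmp/
# then on 'server' as 'admin':
#   install_pubkey /tmp/id_ed25519.pub ~/.ssh/authorized_keys \
#       'from="desktop.example.net",restrict'
# For a key used only by a backup job, add command="..." to the options so the
# key can run that one command and nothing else.
```

With restrict in front of the key, rsync and rdiff-backup still work (they need no pty and no forwarding), but the key is useless for an interactive login from anywhere but the named host.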

February 4, 2008

Viewing all the gory details of an RPM

by @ 6:59 am. Filed under command-line, General Linux, Linux tips


Linux has a varied methodology of managing packages. RPMs are one of the most common. Some distros have source-based package management systems, such as Portage for Gentoo. Derivatives of Debian such as Ubuntu have packages in DEB format.

For the RPM-based distributions, the package manager tries to take care of resolving dependencies for you. Some of them do a great job at this. At some point, however, you’ll likely have to work directly with an RPM package on the command-line.

One thing I really like about YAST (and others) is that you can browse and search through the description, and view other package details. You can see the author, version, vendor, build date, build host, size, etc. You can also see a list of what files will be installed, and where they will be placed.

So how do we view all that info from the command line?

This is fully possible by using the rpm command. Let’s say we are going to install vsftpd from an RPM from the command line. Using the rpm command, we add a few switches to display the information:

rpm -qpil vsftpd-2.0.5-78.x86_64.rpm

The ‘q’ is for ‘query’. The ‘p’ refers to querying a package file. ‘i’ means, “Display package information, including name, version, and description.” The ‘l’ tells the rpm command to list all the files in the package.

Output of this command would look something like the following:

[1116][scott@tomahawk:~/64-bit software/vsftpd]$ rpm -qpil vsftpd-2.0.5-78.x86_64.rpm
Name        : vsftpd                       Relocations: (not relocatable)
Version     : 2.0.5                             Vendor: SUSE LINUX Products GmbH, Nuernberg, Germany
Release     : 78                            Build Date: Fri 21 Sep 2007 02:34:57 PM MDT
Install Date: (not installed)               Build Host: glinka.suse.de
Group       : Productivity/Networking/Ftp/Servers   Source RPM: vsftpd-2.0.5-78.src.rpm
Size        : 286006                           License: GPL v2 or later
Signature   : DSA/SHA1, Fri 21 Sep 2007 02:43:56 PM MDT, Key ID a84edae89c800aca
Packager    : http://bugs.opensuse.org
URL         : http://vsftpd.beasts.org
Summary     : Very Secure FTP Daemon - Written from Scratch
Description :
Vsftpd is an FTP server, or dæmon. The "vs" stands for Very Secure.
Obviously this is not a guarantee, but the entire codebase was written
with security in mind, and carefully designed to be resilient to
attack.

Recent evidence suggests that vsftpd is also extremely fast (and this
is before any explicit performance tuning!). In tests against wu-ftpd,
vsftpd was always faster, supporting over twice as many users in some
tests.



Authors:
--------
    Chris Evans 
Distribution: openSUSE 10.3 (X86-64)
/etc/init.d/vsftpd
/etc/logrotate.d/vsftpd
/etc/pam.d/vsftpd
/etc/sysconfig/SuSEfirewall2.d/services/vsftpd
/etc/vsftpd.conf
/etc/xinetd.d/vsftpd
/usr/sbin/rcvsftpd
/usr/sbin/vsftpd
/usr/share/doc/packages/vsftpd
/usr/share/doc/packages/vsftpd/AUDIT
/usr/share/doc/packages/vsftpd/BUGS
/usr/share/doc/packages/vsftpd/COPYING
/usr/share/doc/packages/vsftpd/Changelog
/usr/share/doc/packages/vsftpd/EXAMPLE
/usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE
/usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE/README
/usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE/vsftpd.conf
/usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE/vsftpd.xinetd
/usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE_NOINETD
/usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE_NOINETD/README
/usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE_NOINETD/vsftpd.conf
/usr/share/doc/packages/vsftpd/EXAMPLE/PER_IP_CONFIG
/usr/share/doc/packages/vsftpd/EXAMPLE/PER_IP_CONFIG/README
/usr/share/doc/packages/vsftpd/EXAMPLE/PER_IP_CONFIG/hosts.allow
/usr/share/doc/packages/vsftpd/EXAMPLE/README
/usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_HOSTS
/usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_HOSTS/README
/usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS
/usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS/README
/usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS/logins.txt
/usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS/vsftpd.conf
/usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS/vsftpd.pam
/usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS_2
/usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS_2/README
/usr/share/doc/packages/vsftpd/FAQ
/usr/share/doc/packages/vsftpd/INSTALL
/usr/share/doc/packages/vsftpd/LICENSE
/usr/share/doc/packages/vsftpd/README
/usr/share/doc/packages/vsftpd/README.SUSE
/usr/share/doc/packages/vsftpd/README.security
/usr/share/doc/packages/vsftpd/REWARD
/usr/share/doc/packages/vsftpd/SECURITY
/usr/share/doc/packages/vsftpd/SECURITY/DESIGN
/usr/share/doc/packages/vsftpd/SECURITY/IMPLEMENTATION
/usr/share/doc/packages/vsftpd/SECURITY/OVERVIEW
/usr/share/doc/packages/vsftpd/SECURITY/TRUST
/usr/share/doc/packages/vsftpd/SIZE
/usr/share/doc/packages/vsftpd/SPEED
/usr/share/doc/packages/vsftpd/TODO
/usr/share/doc/packages/vsftpd/TUNING
/usr/share/empty
/usr/share/man/man5/vsftpd.conf.5.gz
/usr/share/man/man8/vsftpd.8.gz
/usr/share/omc
/usr/share/omc/svcinfo.d
/usr/share/omc/svcinfo.d/vsftpd.xml
[1116][scott@tomahawk:~/64-bit software/vsftpd]$

Now, we can see where the binaries will be installed. We can see where the config file will be. We can see where the docs and man pages will be placed.

If you need to install an RPM from the command line, normally, you could issue a command such as:

rpm -i [packagename]

A better way to do this may be as follows:

rpm -Uvh [packagename]

The “U” means upgrade. In cases where you have an older version of an RPM installed, and you’re trying to install a newer version, the -i will not do this. You’d first have to erase the RPM with the -e switch. However, if you have dependencies that rely on that RPM, you won’t be able to erase the old version of the RPM unless you want to get even more hairy. It’s easier to just tell it to upgrade. In cases where you do not have an older version of the RPM installed, the command will still install the intended RPM.

The “v” is for verbose. This just provides more information about the installation process of the RPM.

The “h” option is for “show hashes.”

The problem here is that rpm does not resolve or install dependencies for you; it stops and lists what is missing. The other thing to notice in the -qpi output above is the Signature line, with the ID of the key that signed the package. Before installing an RPM that did not come from your usual repositories, have rpm verify that signature with rpm -K (the same as rpm --checksig); it checks the package against the keys imported into the rpm database, and a package that fails that check, or has no signature at all, is not something you want on the box.
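Here is what that looks like when you script it, as an added example and not from the original post: the signing key ID is parsed out of the same rpm -qpi output shown above and compared against an allow-list of keys you trust, and then rpm -K is required to pass before rpm -Uvh runs. The key ID in the allow-list is the one from the vsftpd listing; that you would trust exactly that list, and the helper names, are assumptions.

```bash
#!/bin/bash
# Added example: refuse to install an RPM unless it is signed by a key we
# trust and the signature verifies. Allow-list and helper names are assumed.
set -eu

# Key ids (the 16 hex digits rpm prints) allowed to sign what we install.
# Taken from the vsftpd listing above; replace with the keys you trust.
TRUSTED_KEY_IDS="a84edae89c800aca"

# Print the signing key id found in 'rpm -qpi' output read from stdin,
# lower-cased, or 'none' if the package carries no signature.
sig_key_id() {
    local id
    id=$(sed -n 's/^Signature *: .*Key ID \([0-9a-fA-F]\{16\}\).*/\1/p' | head -n 1)
    if [ -n "$id" ]; then printf '%s\n' "$id" | tr 'A-F' 'a-f'; else echo none; fi
}

# Return 0 if KEYID is in the allow-list, 1 otherwise.
key_trusted() {                      # key_trusted a84edae89c800aca
    local k
    for k in $TRUSTED_KEY_IDS; do [ "$k" = "$1" ] && return 0; done
    return 1
}

# Install only if the key is trusted AND rpm -K verifies the signature
# against the key imported into the rpm database.
safe_rpm_install() {                 # safe_rpm_install vsftpd-2.0.5-78.x86_64.rpm
    local pkg=$1 id
    id=$(rpm -qpi "$pkg" | sig_key_id)
    key_trusted "$id" || { echo "refusing $pkg: signed by key $id" >&2; return 2; }
    rpm -K "$pkg" >/dev/null || { echo "refusing $pkg: signature does not verify" >&2; return 3; }
    rpm -Uvh "$pkg"
}
```

The allow-list catches the case rpm -K cannot: a package with a perfectly valid signature from a key you never meant to trust but that somehow ended up imported on the box.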

The other thing is that you can create your own installation repository (super easy) with createrepo. Install the createrepo package. Then, you create a directory which you will use as the repository, such as /my_inst_src. Dump the RPM in there. Then, you run the createrepo command, pointing it to the new repository:

createrepo /my_inst_src

You then go into YAST and add /my_inst_src as an installation source.

You should now be able to go into YAST and install it just like you do any other RPM. Dependencies should be resolved as usual, should any exist.

If you are interested in package management through YAST, there is just such an ebook available from suseblog.com. In the upper left corner, there is a place to grab some ebooks. One of them is called “YAST – Installation and Management of Software.” Take a look at that and see if it’s helpful for you.

January 28, 2008

Want the new Linux 2.6.24 Kernel? Easy Upgrade Tutorial

by @ 7:11 am. Filed under General Linux, General SUSE, How-To, kernel, Linux tips, SUSE Tips & Tricks

INTRODUCTION

Now and then, you will likely need to familiarize yourself with a technically scientific process called “Fiddling With the Kernel.” There is quite a bit of documentation on this topic. I don’t want to go too far into the specifics of which options to set and how to tweak everything.

What I hope to do here is introduce you to a general overview of the steps involved with upgrading your kernel. I can hear it now, “You mean I can upgrade my kernel without knowing what CONFIG_INIT_ENV_ARG_LIMIT or CONFIG_USB_EHCI_ROOT_HUB_TT or CONFIG_SOUND_TRACEINIT means?” Why yes, yes, you can. I did this very process only yesterday, and I realized that I had done this process a number of times successfully. Thus, it seemed only fair to release it into the wild in hopes that someone else may benefit from it.

What on earth would possess someone to do something like upgrade a kernel? Well, let’s say you are using an RPM-based distro, such as OpenSUSE 10.x. You need the kernel source header files so that you can install the Nvidia driver for your new ultra-sick Nvidia card. You may need to compile the ndiswrapper kernel module. You may need to install VMware, which compiles a kernel module. Easy, right? Just install the kernel-source package that matches the kernel version you are running.

K, what if you have a newer kernel installed than the newest kernel-source package available? Or, what if you were anxiously awaiting some feature of the kernel that was just released, and you don’t want to wait for it to be available from a repository? There could be a host of reasons why you’d want to upgrade your kernel. This is a gentle introduction to one way of doing this.

Please be aware, though. You will usually not want to put a brand new kernel onto a production box, unless you have an exact reason in mind. Also, understand that you are doing this stuff at your own risk. Like I said, I did this yesterday, and have done it many times before. If you do it and your computer turns into radioactive hazardous waste (which it really shouldn’t do), don’t come crying to me.

All that disclaimer-ish junk out of the way, let’s get on to the cool stuff.

What will we be doing?

Step 1. – Download and unarchive the kernel source code
Step 2. – Prep and compile the kernel
Step 3. – Install the new kernel
Step 4. – Set up Grub
Step 5. – Reboot into the new kernel

GET THE KERNEL SOURCE

First things first. We’ll need the latest release of the kernel source code, available from none other than http://www.kernel.org/. On this page, you are looking for where it says, “The latest stable version of the Linux kernel is:”. Just to the right of the date on that line, there is a hyperlinked “F”. That is the Full source to the kernel. Right-click, copy the link.

Then, open a terminal and switch to root (with ‘su’). Change over to the /usr/src/ directory. Then, download the source using ‘wget’. Grab the matching .sign file from the same directory as well, and verify the download with gpg against the kernel.org signing key before you unpack it: a kernel is about the most privileged code you will ever install, and a plain HTTP download gives you no other assurance that you got the real thing. When you’re done, unarchive it. This process should look something like this:

[1314][scott@linux:~]$ su
Password:
linux:/home/scott # cd /usr/src
linux:/usr/src # wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.tar.bz2
--13:14:20--  http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.tar.bz2
           => `linux-2.6.24.tar.bz2'
Resolving www.kernel.org... 204.152.191.5, 204.152.191.37
Connecting to www.kernel.org|204.152.191.5|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46,737,783 (45M) [application/x-bzip2]

100%[=============================================>] 46,737,783   578.56K/s    ETA 00:00

13:15:36 (604.56 KB/s) - `linux-2.6.24.tar.bz2' saved [46737783/46737783]

linux:/usr/src # tar -xvf linux-2.6.24.tar.bz2

Then you hang for awhile until the source decompresses.

PREP AND COMPILE THE KERNEL

Next, we need to make sure we have everything installed as necessary. Depending on the machine and what you already have installed, you may need to install one or more packages. Here are a few of the packages I have had to install to make things work properly:

gcc – this is the compiler – you won’t get far without this
nfs-kernel-server – on pre-OpenSUSE 10.3 boxes, use nfs-utils
oprofile
ncurses-devel

An easy way to see if they are installed or which need to be installed is with the rpm command. Install missing packages with yast. Recheck to make sure everything is there:

linux:/usr/src # rpm -qa gcc nfs-kernel-server oprofile ncurses-devel
gcc-4.2-24
linux:/usr/src # yast -i nfs-kernel-server oprofile ncurses-devel
linux:/usr/src # rpm -qa gcc nfs-kernel-server oprofile ncurses-devel
gcc-4.2-24
nfs-kernel-server-1.1.0-8
ncurses-devel-5.6-41
oprofile-0.9.3-25
linux:/usr/src # 

If one of the packages doesn’t show up, go ahead and use YAST to install it. Also, note that the one package is nfs-utils on OpenSUSE 10.2 and older, and nfs-kernel-server on OpenSUSE 10.3.

Next, we need to compile the kernel. Put away the defibrillation paddles. Contrary to popular belief, this step does not cause cardiac arrest (at least it didn’t in the lab rats we trained on kernel upgrades).

In your terminal, make sure you are in the directory with the kernel source code, something like /usr/src/linux-2.6.24/, and that it is clean (make mrproper wipes any previous build, including .config, so run it first). Then, we are going to grab the configuration of the kernel that is currently running. /proc/config.gz only exists if the running kernel was built with CONFIG_IKCONFIG_PROC; openSUSE kernels also install a copy as /boot/config-<version>, which works just as well as the source. This is as simple as:

linux:/usr/src # cd linux-2.6.24/
linux:/usr/src/linux-2.6.24 # make mrproper
linux:/usr/src/linux-2.6.24 # zcat /proc/config.gz > .config
linux:/usr/src/linux-2.6.24 #

Just about every time a new kernel comes out, new configuration options appear in it. If we were to just jump right in and start compiling the kernel now, it would stop when it reaches each new option and ask us what we want to do with it. Fortunately, there is a simple way around this. Unfortunately, the cost of simplicity is that you are accepting the default values for these options. But again, the object here is to keep it simple. If you’re feeling leet and hardcore, you can always go back and fiddle.

To get around this problem, we run make menuconfig just as if we were going to go in and hand-tweak the kernel. Instead of doing a thing, however, we tab over to EXIT, hit ENTER, and say yes when it asks whether to save the configuration. (The non-interactive equivalent is yes "" | make oldconfig, which answers every new question with its default.)

We are ready to compile the kernel and all the modules, done by running this commandline:

linux:/usr/src/linux-2.6.24 # make && make modules_install

Chain the steps with && rather than semicolons, so that a failed build stops the line instead of going on to install modules that don’t match. make on its own already builds the modules along with the kernel image. Because we have left everything with default settings, we will be compiling here for a long time. Actual time spent depends on your hardware specs.

INSTALL THE NEW KERNEL

When all the compiling finishes, you need to do two more things. You have to install the new kernel and configure grub to use it upon restart.

Next, we have to get our new kernel installed. We just copy a few files and create an initial ramdisk. We will copy the kernel image and System.map to /boot. We can then generate an initial ramdisk from that kernel and System.map file. Finally, I also like to back up .config to /boot as well, just so everything is in the same place. To accomplish all of this, these are the commands you will execute:

linux:/usr/src/linux-2.6.24 # cp arch/`uname -i`/boot/bzImage /boot/vmlinuz-2.6.24
linux:/usr/src/linux-2.6.24 # cp System.map /boot/System.map-2.6.24
linux:/usr/src/linux-2.6.24 # cp System.map /boot/System.map
linux:/usr/src/linux-2.6.24 # cp .config /boot/config-2.6.24
linux:/usr/src/linux-2.6.24 # mkinitrd -k vmlinuz-2.6.24 -i initrd-2.6.24

Kernel image:   /boot/vmlinuz-2.6.24
Initrd image:   /boot/initrd-2.6.24
Root device:    /dev/disk/by-id/scsi-SATA_WDC_WD1200BEVS-_WD-WXEX07392815-part2 (/dev/sda2) (mounted on / as ext3)
Resume device:  /dev/sda1
Kernel Modules: processor thermal scsi_mod libata ahci pata_atiixp fan jbd mbcache ext3 edd sd_mod usbcore ohci-hcd uhci-hcd ehci-hcd ff-memless hid usbhid
Features:       block usb resume.userspace resume.kernel
Bootsplash:     SuSE (800x600)
36561 blocks
linux:/usr/src/linux-2.6.24 #

Because I don’t really care to type all of that out every time, I have created a script that will do all of this for me:

#!/bin/sh
set -e

# EDIT THE KERNEL VERSION AS NECESSARY
KERNEL_VERSION=2.6.24
SRC=/usr/src/linux-$KERNEL_VERSION

# REMOVE THESE FILES IF THEY ALREADY EXIST (I.E., IF WE ARE DOING THIS AGAIN
# FROM A PREVIOUS ATTEMPT)
# THE -f IS SO WE DON'T GET ALERTS IF THE FILES AREN'T THERE
rm -f /boot/vmlinuz-$KERNEL_VERSION
rm -f /boot/System.map-$KERNEL_VERSION
rm -f /boot/config-$KERNEL_VERSION
rm -f /boot/initrd-$KERNEL_VERSION

# COPY THE KERNEL OVER TO /BOOT AND BACK UP THE SYSTEM.MAP AND .CONFIG FILES
cp "$SRC"/arch/`uname -i`/boot/bzImage /boot/vmlinuz-$KERNEL_VERSION
cp "$SRC"/System.map /boot/System.map-$KERNEL_VERSION
cp "$SRC"/.config /boot/config-$KERNEL_VERSION

# POINT /boot/System.map AT THE NEW KERNEL WHILE mkinitrd RUNS, BUT KEEP THE
# RUNNING KERNEL'S COPY (USUALLY A SYMLINK) SO IT CAN BE PUT BACK AFTERWARDS
if [ -L /boot/System.map ] || [ -e /boot/System.map ]; then
    mv /boot/System.map /boot/System.map.prev
fi
cp "$SRC"/System.map /boot/System.map

# MAKE THE INITIAL RAM DISK FOR THE NEW KERNEL
mkinitrd -k vmlinuz-$KERNEL_VERSION -i initrd-$KERNEL_VERSION

# PUT THE RUNNING KERNEL'S System.map BACK; IT IS STILL THE RIGHT ONE UNTIL WE
# REBOOT, AND ANYTHING THAT READS IT (klogd, FOR ONE) WANTS IT THERE
rm -f /boot/System.map
if [ -L /boot/System.map.prev ] || [ -e /boot/System.map.prev ]; then
    mv /boot/System.map.prev /boot/System.map
fi
exit 0

You should now have a kernel compiled very closely to the one your system is currently running, but with the newest kernel source. The compiled kernel image should now be in /boot, along with an initial ramdisk to go with it. All we have left is to set up grub to see the new kernel. Then, we can reboot into it.

SET UP GRUB

This is one of the easiest steps. We are going to open up a text file, copy and paste a few lines, change just a bit, and save the file back out. So go ahead and edit /boot/grub/menu.lst in your favorite text editor. You will see something like this:

# Modified by YaST2. Last modification on Sun Dec 30 21:00:56 MST 2007
default 0
timeout 8
gfxmenu (hd0,1)/boot/message
##YaST - activate

###Don't change this comment - YaST2 identifier: Original name: linux###
title openSUSE 10.3 - 2.6.22.13-0.3
    root (hd0,1)
    kernel /boot/vmlinuz-2.6.22.13-0.3-default root=/dev/disk/by-id/scsi-SATA_WDC_WD1200BEVS-_WD-WXEX07392815-part2 vga=0x314 resume=/dev/sda1 splash=silent showopts
    initrd /boot/initrd-2.6.22.13-0.3-default

###Don't change this comment - YaST2 identifier: Original name: failsafe###
title Failsafe -- openSUSE 10.3 - 2.6.22.13-0.3
    root (hd0,1)
    kernel /boot/vmlinuz-2.6.22.13-0.3-default root=/dev/disk/by-id/scsi-SATA_WDC_WD1200BEVS-_WD-WXEX07392815-part2 vga=normal showopts ide=nodma apm=off acpi=off noresume nosmp noapic maxcpus=0 edd=off 3
    initrd /boot/initrd-2.6.22.13-0.3-default

Copy the section that begins with the line “###Don’t change this comment – YaST2 identifier: Original name: linux###” and ends at the line “initrd /boot/initrd-2.6.22.13-0.3-default”. Your version number may be different. We are just duplicating the original kernel entry. We are not going to edit that one directly, because we want to use it to get back into the system in case things go south.

You should now have something that looks like this (the second ‘linux’ stanza is the copy I pasted in):

# Modified by YaST2. Last modification on Sun Dec 30 21:00:56 MST 2007
default 0
timeout 8
gfxmenu (hd0,1)/boot/message
##YaST - activate

###Don't change this comment - YaST2 identifier: Original name: linux###
title openSUSE 10.3 - 2.6.22.13-0.3
    root (hd0,1)
    kernel /boot/vmlinuz-2.6.22.13-0.3-default root=/dev/disk/by-id/scsi-SATA_WDC_WD1200BEVS-_WD-WXEX07392815-part2 vga=0x314 resume=/dev/sda1 splash=silent showopts
    initrd /boot/initrd-2.6.22.13-0.3-default

###Don't change this comment - YaST2 identifier: Original name: linux###
title openSUSE 10.3 - 2.6.22.13-0.3
    root (hd0,1)
    kernel /boot/vmlinuz-2.6.22.13-0.3-default root=/dev/disk/by-id/scsi-SATA_WDC_WD1200BEVS-_WD-WXEX07392815-part2 vga=0x314 resume=/dev/sda1 splash=silent showopts
    initrd /boot/initrd-2.6.22.13-0.3-default

###Don't change this comment - YaST2 identifier: Original name: failsafe###
title Failsafe -- openSUSE 10.3 - 2.6.22.13-0.3
    root (hd0,1)
    kernel /boot/vmlinuz-2.6.22.13-0.3-default root=/dev/disk/by-id/scsi-SATA_WDC_WD1200BEVS-_WD-WXEX07392815-part2 vga=normal showopts ide=nodma apm=off acpi=off noresume nosmp noapic maxcpus=0 edd=off 3
    initrd /boot/initrd-2.6.22.13-0.3-default

Now, for the edits. Go to the ‘title’ line of that section you pasted. Change the title to reflect the new kernel, maybe something like this: “title openSUSE 10.3 – 2.6.24 [TEST]”. Then, we’re looking for the line that starts with “kernel”. Change the version on the end of “vmlinuz” to the correct version. In this case, it is 2.6.24. Then, change the line that starts with “initrd” the same way. These two paths are pointing to your new kernel image and your new initial ram disk image, respectively.

If you want to make sure that you have the paths correct, you can use file. If you have the correct files, this is what you will see:

linux:/usr/src/linux-2.6.24 # file /boot/vmlinuz-2.6.24
/boot/vmlinuz-2.6.24: Linux/x86 Kernel, Setup Version 0x207, bzImage, Version 2.6.24, RO-rootFS, root_dev 0x802, swap_dev 0x1, Normal VGA
linux:/usr/src/linux-2.6.24 # file /boot/initrd-2.6.24
/boot/initrd-2.6.24: gzip compressed data, from Unix, last modified: Sat Jan 26 19:44:58 2008, max compression
linux:/usr/src/linux-2.6.24 # 

If the files do not exist, you will see this:

linux:/usr/src/linux-2.6.24 # file /boot/vmlinuz-2.6.24
/boot/vmlinuz-2.6.24: cannot open `/boot/vmlinuz-2.6.24' (No such file or directory)
linux:/usr/src/linux-2.6.24 # file /boot/initrd-2.6.24
/boot/initrd-2.6.24: cannot open `/boot/initrd-2.6.24' (No such file or directory)
linux:/usr/src/linux-2.6.24 # 

At this point, you have confirmed the paths to these two files and put them into your menu.lst correctly. It might look something like this (the first stanza is the one I changed):

# Modified by YaST2. Last modification on Sun Dec 30 21:00:56 MST 2007
default 0
timeout 8
gfxmenu (hd0,1)/boot/message
##YaST - activate

###Don't change this comment - YaST2 identifier: Original name: linux###
title openSUSE 10.3 - 2.6.24 [TEST]
    root (hd0,1)
    kernel /boot/vmlinuz-2.6.24 root=/dev/disk/by-id/scsi-SATA_WDC_WD1200BEVS-_WD-WXEX07392815-part2 vga=0x314 resume=/dev/sda1 splash=silent showopts
    initrd /boot/initrd-2.6.24

###Don't change this comment - YaST2 identifier: Original name: linux###
title openSUSE 10.3 - 2.6.22.13-0.3
    root (hd0,1)
    kernel /boot/vmlinuz-2.6.22.13-0.3-default root=/dev/disk/by-id/scsi-SATA_WDC_WD1200BEVS-_WD-WXEX07392815-part2 vga=0x314 resume=/dev/sda1 splash=silent showopts
    initrd /boot/initrd-2.6.22.13-0.3-default

###Don't change this comment - YaST2 identifier: Original name: failsafe###
title Failsafe -- openSUSE 10.3 - 2.6.22.13-0.3
    root (hd0,1)
    kernel /boot/vmlinuz-2.6.22.13-0.3-default root=/dev/disk/by-id/scsi-SATA_WDC_WD1200BEVS-_WD-WXEX07392815-part2 vga=normal showopts ide=nodma apm=off acpi=off noresume nosmp noapic maxcpus=0 edd=off 3
    initrd /boot/initrd-2.6.22.13-0.3-default

With this step, we’ve opened the grub configuration file and made a copy of the entry running the current kernel. Then, we’ve changed it to give it a new title, and pointed it to the new kernel and initial ramdisk. Save the file and exit.
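The grub step as a script, added here as an example and not part of the post: it pulls the current ‘linux’ stanza out of menu.lst, rewrites the title and the two paths for the new version while leaving root=, resume= and the rest of the boot parameters alone, refuses to write if the kernel or initrd file is missing or an entry for that version already exists, and appends the stanza rather than putting it first, so that default 0 keeps booting the known-good kernel. Function names, and the optional prefix argument that lets the file check run against a copy of /boot, are my own.

```bash
#!/bin/bash
# Added example: derive the menu.lst stanza for a new kernel from the existing
# one and sanity-check it before writing. Helper names are assumptions.
set -eu

# Print the first 'linux' stanza of a menu.lst: from the YaST
# 'Original name: linux' comment down to and including its initrd line.
current_linux_stanza() {             # current_linux_stanza /boot/grub/menu.lst
    awk '/Original name: linux###/ { on = 1 }
         on { print }
         on && $1 == "initrd" { exit }' "$1"
}

# Rewrite the stanza on stdin for kernel version NEWVER: new title, and the
# kernel/initrd paths swapped for the new files. Everything after the kernel
# path (root=, resume=, vga=, ...) is kept exactly as it was.
stanza_for_kernel() {                # stanza_for_kernel 2.6.24 < stanza
    local newver=$1
    sed -e "s/^\(title .*\) - .*/\1 - $newver [TEST]/" \
        -e "s#^\([[:space:]]*kernel \)/boot/vmlinuz-[^ ]*#\1/boot/vmlinuz-$newver#" \
        -e "s#^\([[:space:]]*initrd \)/boot/initrd-[^ ]*#\1/boot/initrd-$newver#"
}

# Return 0 only if the kernel image and initrd named in the stanza on stdin
# exist (PREFIX, normally empty, is prepended to the paths for testing).
stanza_files_ok() {                  # stanza_files_ok [PREFIX] < stanza
    local prefix=${1:-} stanza kernel initrd
    stanza=$(cat)
    kernel=$(printf '%s\n' "$stanza" | awk '$1 == "kernel" { print $2; exit }')
    initrd=$(printf '%s\n' "$stanza" | awk '$1 == "initrd" { print $2; exit }')
    if [ -n "$kernel" ] && [ -n "$initrd" ] && [ -f "$prefix$kernel" ] && [ -f "$prefix$initrd" ]; then
        return 0
    fi
    return 1
}

# Append a [TEST] stanza for NEWVER to MENU, after checking the files exist
# and that no entry for that version is there already.
add_test_stanza() {                  # add_test_stanza 2.6.24 /boot/grub/menu.lst
    local newver=$1 menu=$2 stanza
    stanza=$(current_linux_stanza "$menu" | stanza_for_kernel "$newver")
    printf '%s\n' "$stanza" | stanza_files_ok \
        || { echo "kernel or initrd for $newver missing in /boot" >&2; return 1; }
    grep -q "vmlinuz-$newver " "$menu" \
        && { echo "menu.lst already has an entry for $newver" >&2; return 1; }
    cp "$menu" "$menu.bak"
    # Appended, not prepended: 'default 0' still boots the known-good kernel.
    printf '\n%s\n' "$stanza" >> "$menu"
}

# Usage (as root):  add_test_stanza 2.6.24 /boot/grub/menu.lst
```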

REBOOT INTO YOUR NEW KERNEL

All that we really have left now is to reboot into the new kernel. We still have the original installed and working, and its grub entry is intact, so if we have any problems whatsoever we can just reboot and pick that kernel instead. One thing to be aware of: because the new stanza was pasted in first and menu.lst says default 0, the test kernel is now what boots when nobody touches the menu. If the box might ever reboot unattended, set default to the index of the known-good entry (1, in the layout above) and choose the test entry by hand. So, we can reboot with this command:

linux:/usr/src/linux-2.6.24 # shutdown -r now

Broadcast message from root (pts/2) (Sat Jan 26 20:32:20 2008):

The system is going down for reboot NOW!
linux:/usr/src/linux-2.6.24 # 

When the grub menu comes up, make sure you select the entry called “title openSUSE 10.3 – 2.6.24 [TEST]” (or whatever you called the new one). You should be able to boot just fine off this kernel (this process has always worked for me). If not, reboot and select the original one when the grub menu appears. This will get you back into your original kernel.

January 25, 2008

Linux commands for “What is taking up all my space?”

by @ 6:49 am. Filed under bash, command-line, General Linux, How-To, Linux tips


When you’re in the trenches, pounding out solutions, it’s nice to have any added advantage that you can. Finding the source of what is taking up all the space on a given Linux partition may just find itself on your priority list some day. And when you need to know right now where it is, it’s great to have the following solutions.

Should you need to find the source of what is taking up the space on one of your Linux boxen, you can use this command to get you through. Two notes on it: the * glob skips dot-directories, and du will happily descend into other filesystems mounted below the one you are asking about, so add -x (du -sx) when you want the numbers for one partition only. sort -n is the plain numeric sort you want here; -g also works but is meant for floating-point values.

stage:/ # du -s * | sort -g
0       proc
0       sys
4       media
4       mnt
16      lost+found
68      tmp
100     srv
112     dev
2564    home
7568    bin
9280    sbin
9916    boot
28528   etc
70844   lib
209624  var
221708  root
429396  opt
1848788 VM
2686844 usr
stage:/ # 

So now obviously, my /usr path is taking up the most space. Let’s head into /usr and run the command again:

stage:/ # cd usr
stage:/usr # du -s * | sort -g
0       tmp
12      X11R6
16      i586-suse-linux
76      local
3404    games
12124   include
18100   sbin
100424  bin
331616  src
1103240 share
1117832 lib
stage:/usr # 

We then see that /usr/lib and /usr/share are taking up the most space.

Once you find the culprits, you can archive them, back them up, truncate them, or just plain rm them (please use ‘rm’ with care).

Also, if you are looking for all files on your drive larger than a certain size, the following script may be useful to you. Don’t forget to ‘chmod +x’ it to make it executable:

#!/bin/bash

# Minimum size in kilobytes
MINSIZE=1000

# Split the file list on newlines rather than on any whitespace, so a path
# with spaces in it stays in one piece (this needs bash, hence the shebang)
IFS=$'\n'

# Find the files and put them in a list
FILELIST=`find . -size +"$MINSIZE"k -print`

for FILE in $FILELIST ; do

        # Size in bytes, then in megabytes with two decimals
        FILESIZE=`stat --format=%s "$FILE"`
        FILEM=$(echo "scale=2;$FILESIZE/1048576" | bc -l)
        printf '%s\n' "$FILE"
        printf '\tsize is %s Megabytes\t' "$FILEM"
        printf '\ttype is %s\n\n' "`file -b "$FILE"`"

done


You may ask, “What is this IFS thing?” Well, it is explained quite well on tldp.org. But for those of us who don’t want to go read that, I’ll just copy and paste the important part for ya’ll:

internal field separator

This variable determines how Bash recognizes fields, or word boundaries, when it interprets character strings.

In other words, bash by default splits on any whitespace (space, tab or newline) when it breaks a string into a list. Setting IFS to just \n, the newline character, tells it to split the list of files only at line ends, so a file name containing spaces survives as one item (one containing a newline still won’t).

Anyway, use the du command demonstrated above, and the bash script just above it, to find the files that are taking up all your space.
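The same two questions, “which directory” and “which files”, answered once more as an added example that is not part of the original post. The difference from the commands above: it stays on one filesystem (-xdev), it includes dot-directories, it never word-splits the file list so spaces in names are harmless, and find’s -printf hands back the size without a stat and a bc call per file. The helper names are mine; the find -printf and du -x options are GNU.

```bash
#!/bin/bash
# Added example: per-directory usage and a largest-files list for one
# filesystem, safe for odd file names. Helper names are assumptions.
set -eu

# Usage in KB of each entry directly under DIR, biggest last, without
# crossing mount points. Dotfiles are included; the post's '*' skips them.
dir_usage() {                        # dir_usage /
    local dir=$1
    find "$dir" -mindepth 1 -maxdepth 1 -xdev -print0 \
        | xargs -0 -r du -xsk 2>/dev/null \
        | sort -n
}

# Files under DIR larger than MINKB kilobytes, largest first, as "bytes path".
big_files() {                        # big_files /usr 1000
    local dir=$1 minkb=$2
    find "$dir" -xdev -type f -size +"${minkb}"k -printf '%s %p\n' \
        | sort -nr
}

# Path of the single largest file under DIR.
biggest_file() {                     # biggest_file /var
    big_files "$1" 0 | head -n 1 | cut -d ' ' -f 2-
}

# Usage:
#   dir_usage / | tail -n 5          # the five fattest top-level directories
#   big_files /var 10000 | head      # files over ~10 MB under /var
```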
