Tumgik
#/etc/sudoers
sentientcitysurvival · 11 months
Text
Basic Linux Security
Install Unattended Upgrades and enable the "unattended-upgrades" service.
Install ClamAV and enable "clamav-freshclam" service.
Install and run Lynis to audit your OS.
Use the "last -20" command to see the last 20 users that have been on the system.
Install UFW and enable the service.
Check your repo sources (e.g., /etc/apt/).
Check the /etc/passwd and /etc/shadow lists for any unusual accounts.
Use the finger command to check on activity summaries.
Check /var/log for unusual activity.
Use "ps -aux | grep TERM" or "ps -ef | grep TERM" to check for suspicious ongoing processes.
Check for failed sudo attempts with 'grep "NOT in sudoers" /var/log/auth.log'.
Check journalctl for system messages.
Check to make sure rsyslog is running with "sudo systemctl status rsyslog" (or "sudo service rsyslog status") and if it's not, enable it with "sudo systemctl enable rsyslog".
Perform an nmap scan on your machine/network.
Use netstat to check for unusual network activity.
Use various security apps to test your machine and network.
Change your config files for various services (ssh, apache2, etc) to non-standard configurations.
Disable guest accounts.
Double up on ssh security by requiring both keys and passwords.
Check your package manager for any installed suspicious apps (keyloggers, cleaners, etc).
154 notes · View notes
Text
This is rarely useful, but you can actually have multiple username+password combinations for the same user in UNIX/Linux.
Just copy the /etc/passwd and /etc/shadow entries, keeping the same user ID, and change the username to the same new username in the copied lines.
This gives you two usernames for the same user. The user can log in as either username. Most tools will show the username and other information from the first entry in the /etc/passwd file.
Then commands like `passwd` and `chage` can manipulate the password and things like account and password expiration information for each username independently.
Basically no code in the world expects you to do this, so proceed at your own risk. It mostly works because the line-oriented format of /etc/passwd and /etc/shadow naturally lends itself to code which just looks for the first matching entry, so most lookups by user ID or user name just start from the top and stop at the first matching line.
After knowing about this trick for years, I eventually ran into one real-world use-case of this: at a previous job, we had some upgrade deployment automation which SSHed into the old instance of a server and then the new one. All the code assumed that both servers have the same username for the SSH user. We needed to change the username in the new instance images, and it was the kind of rare change that doesn't really warrant changing the automation code for. So as a one-off manual pre-upgrade step, I created an alias for the service account on the old instances with the new username. The nice thing about this was that if any configuration anywhere on the server still used the old name, it still worked (the one example I knew of was our sudoers file, but this way we didn't have to worry if there are others that we missed).
So maybe this will help you out at some point too.
44 notes · View notes
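Because lookups stop at the first matching line, an alias like the one described above is easy to miss when reviewing /etc/passwd and /etc/shadow for unusual accounts, as the checklist earlier on this page suggests. The script below is an added example (not from either post) that lists UIDs shared by several names and shows whether each alias has its own usable password; the function names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit passwd/shadow-format files for aliased accounts.
# Paths are arguments so the checks can run on copies; on a live system pass
# /etc/passwd and /etc/shadow (reading shadow needs root).

# Print "uid:name1,name2,..." for every UID used by more than one entry.
duplicate_uids() {
    awk -F: '
        /^#/ || NF < 7 { next }
        {
            if ($3 in names) names[$3] = names[$3] "," $1
            else { names[$3] = $1; order[++n] = $3 }
            count[$3]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1) print order[i] ":" names[order[i]]
        }' "$1"
}

# Print every account name other than "root" whose UID is 0.
extra_uid0() {
    awk -F: '!/^#/ && NF >= 7 && $3 ~ /^0+$/ && $1 != "root" { print $1 }' "$1"
}

# For each alias (an entry whose UID already appeared earlier in the file),
# print "name:uid:state", where state describes that name's own shadow entry:
#   password = usable hash, locked = field starts with ! or *,
#   nopass = empty field, noshadow = no shadow line for that name.
# Usage: alias_password_state PASSWD_FILE SHADOW_FILE
alias_password_state() {
    awk -F: '
        FILENAME == ARGV[1] { if (NF >= 2) hash[$1] = $2; next }   # shadow file
        /^#/ || NF < 7 { next }
        ($3 in first) {
            if (!($1 in hash)) state = "noshadow"
            else if (hash[$1] == "") state = "nopass"
            else if (hash[$1] ~ /^[!*]/) state = "locked"
            else state = "password"
            print $1 ":" $3 ":" state
            next
        }
        { first[$3] = $1 }
    ' "$2" "$1"
}

# Constructed sample data (not from a real system): "deploy2" is an alias of
# "deploy" with its own password, and "toor" is a second UID 0 account.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001:Deploy service:/home/deploy:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
deploy2:x:1001:1001:Deploy service:/home/deploy:/bin/bash
toor:x:0:0:root:/root:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
deploy:!:19000:0:99999:7:::
alice:$6$constructed$notarealhash:19000:0:99999:7:::
deploy2:$6$constructed$notarealhash:19000:0:99999:7:::
toor::19000:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
echo "UIDs shared by several names:"
duplicate_uids "$demo_dir/passwd"
echo "Extra UID 0 accounts:"
extra_uid0 "$demo_dir/passwd"
echo "Aliases and the state of their own shadow entry:"
alias_password_state "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

An alias reported as "password" is a second working credential for the same UID, even when the first name for that UID is locked.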
der-papero · 2 years
Text
Tumblr media
I was completely unaware of this option available in /etc/sudoers; it's time to turn it on.
I don't understand why it isn't enabled by default, complete with Neapolitan variants, like "siiii sbagliel n'ata vot, afessemamm't".
8 notes · View notes
sandeep2363 · 1 year
Text
Sudo permission to the User in Oracle Linux
Assign Sudo privileges to the user in Oracle Linux
Log in with the root user and open the sudoers file
$ vi /etc/sudoers
OR
$ visudo
Then go to the section and add user oracle as shown below, or choose your own username:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
oracle ALL=(ALL) ALL
You can also add an entry for your user without a password prompt as:
## Same thing without a…
0 notes
systemtek · 1 year
Text
Cisco BroadWorks Privilege Escalation Vulnerability [CVE-2023-20216]
CVE number = CVE-2023-20216
A vulnerability in the privilege management functionality of all Cisco BroadWorks server types could allow an authenticated, local attacker to elevate privileges to root on an affected system. This vulnerability is due to incorrect implementation of user role permissions. An attacker could exploit this vulnerability by authenticating to the application as a user with the BWORKS or BWSUPERADMIN role and issuing crafted commands on an affected system. A successful exploit could allow the attacker to execute commands beyond the sphere of their intended access level, including initiating installs or running operating system commands with elevated permissions.
Vulnerable Products
At the time of publication, this vulnerability affected the following Cisco products if they were running a vulnerable release of Cisco BroadWorks Software:
- BroadWorks Application Delivery Platform
- BroadWorks Application Server
- BroadWorks Database Server
- BroadWorks Database Troubleshooting Server
- BroadWorks Execution Server
- BroadWorks Media Server
- BroadWorks Messaging Server
- BroadWorks Network Database Server
- BroadWorks Network Function Manager
- BroadWorks Network Server
- BroadWorks Profile Server
- BroadWorks Service Control Function Server
- BroadWorks Sharing Server
- BroadWorks Video Server
- BroadWorks WebRTC Server
- BroadWorks Xtended Services Platform
Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.
Workarounds
- There is a workaround that addresses this vulnerability. From the CLI, comment out the following line from /etc/sudoers.
- The resulting line will be:
# %wheel ALL=(ALL) ALL
While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
0 notes
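The `oracle ALL=(ALL) ALL` entry in the Oracle Linux post and the `%wheel ALL=(ALL) ALL` line this workaround comments out are both rules that allow every command. The script below is an added example, not Cisco's or either poster's code: it lists the active rules of that kind in a sudoers-format file, which also shows whether the %wheel line is still live after the workaround. The function names and sample file are constructed, and the parsing is simplified as noted in the comments.

```sh
#!/bin/sh
# Added example: list sudoers rules that allow every command ("ALL").
# Output: one line per finding, "<user-or-%group><TAB>ALL" or
# "<user-or-%group><TAB>ALL-NOPASSWD".
# Simplifications (assumptions of this sketch): one host list per rule, no
# escaped commas in commands, aliases are not expanded, and "#uid" user
# specifications are treated as comments.
broad_sudo_rules() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join continuation lines
        {
            line = buf $0; buf = ""
            sub(/^[ \t]+/, "", line)
            # Skip blanks, comments (this covers a commented-out rule such as
            # "# %wheel ...") and #include/@include directives.
            if (line == "" || line ~ /^[#@]/) next
            if (line ~ /^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias|Cmd_Alias)/) next
            sub(/[ \t]+#.*$/, "", line)                 # trailing comment
            eq = index(line, "=")
            if (eq == 0) next
            split(line, field, /[ \t]+/)
            who = field[1]
            rhs = substr(line, eq + 1)
            sub(/^[ \t]*\([^)]*\)/, "", rhs)            # drop "(runas)"
            nopass = 0
            n = split(rhs, cmd, /,/)
            for (i = 1; i <= n; i++) {
                c = cmd[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                # Peel tags (NOPASSWD:, PASSWD:, SETENV:, ...); a tag stays in
                # force for the rest of the list until its opposite appears.
                while (match(c, /^[A-Z_]+:[ \t]*/)) {
                    tag = substr(c, 1, RLENGTH)
                    if (tag ~ /^NOPASSWD:/) nopass = 1
                    else if (tag ~ /^PASSWD:/) nopass = 0
                    c = substr(c, RLENGTH + 1)
                }
                if (c == "ALL") {
                    level = nopass ? "ALL-NOPASSWD" : "ALL"
                    print who "\t" level
                }
            }
        }' "$1"
}

# Constructed sample file; the first four lines follow the shapes quoted on
# this page, the rest are made up to exercise aliases, tags and continuations.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
oracle  ALL=(ALL)       ALL
# %wheel ALL=(ALL) ALL
Defaults    env_reset
Cmnd_Alias WEB = /usr/bin/systemctl restart httpd, \
                 /usr/bin/systemctl reload httpd
webadmin ALL=(root) NOPASSWD: WEB
svcacct  ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: ALL
EOF
}

demo_file=$(mktemp)
write_sample_sudoers "$demo_file"
broad_sudo_rules "$demo_file"
rm -f "$demo_file"
# On a real host, as root, scan the main file and the drop-in directory:
#   for f in /etc/sudoers /etc/sudoers.d/*; do broad_sudo_rules "$f"; done
# Syntax is a separate question: check it with "visudo -c".
```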
karonbill · 2 years
Text
Newly Released CompTIA Linux+ XK0-005 Study Guide
XK0-005 CompTIA Linux+ Certification Exam is newly available to replace XK0-004 exam which will be retired on January 16, 2023. PassQuestion provides the latest CompTIA Linux+ XK0-005 Study Guide to help you best prepare for your real exam. Taking the CompTIA Linux+ XK0-005 Study Guide is the fastest way to overcome weaknesses in your CompTIA Linux+ XK0-005 exam preparation. This feature of the CompTIA Linux+ XK0-005 Study Guide is helpful to gain confidence for the XK0-005 actual certification exam. You have to strive hard and put all your efforts and prepare well to pass the CompTIA Linux+ XK0-005 certification exam with good scores.
CompTIA Linux+ Certification (XK0-005 vs XK0-004)
CompTIA Linux+ validates the skills administrators need to secure the enterprise, power the cloud and keep systems running. The new certification ensures that IT professionals, software developers, cybersecurity engineers and penetration testers have these necessary skills to support today's tech systems.
CompTIA Linux+ is the only job-focused Linux certification covering the latest foundational skills demanded by hiring managers. Unlike other certifications, the new exam includes performance-based and multiple-choice questions to identify the employees who can do the job. The exam covers tasks associated with all major distributions of Linux, setting the foundation for advanced vendor/distro-specific knowledge.
What's on the New CompTIA Linux+ Exam?
CompTIA Linux+ (XK0-005) is an intermediate-level IT certification that provides IT professionals with knowledge of Linux. It is the only job-focused Linux certification covering the latest foundational skills demanded by hiring managers. CompTIA Linux+ validates the competencies required of an early career supporting Linux systems.
In addition to topics you might traditionally associate with Linux, the new version of CompTIA Linux+ emphasizes the skills needed to configure, monitor and support servers running the Linux operating system such as:
Configure and manage software, storage, processes and services
Analyze system properties and processes and troubleshoot user, application and hardware issues
Understand best practices for permissions and authentication, firewalls and file management
Create simple shell scripts and execute basic BASH scripts, version control using Git and orchestration processes
The new version of CompTIA Linux+ covers an evolving job role that focuses more on how Linux powers the cloud. The exam includes cutting edge technologies that help automate and orchestrate business processes, including infrastructure as code and containers.
Test Details
Required exam: XK0-005
Number of questions: Maximum of 90
Types of questions: Multiple-choice and performance-based
Length of test: 90 minutes
Recommended experience: 12 months of hands-on experience working with Linux servers, as well as A+, Network+, and Server+ or similar certifications and/or knowledge
Passing score: 720 (on a scale of 100 to 900)
Languages: English only
Price: $358 USD
Exam Objectives
1.0 System Management: 32%
2.0 Security: 21%
3.0 Scripting, Containers, and Automation: 19%
4.0 Troubleshooting: 28%
View Online CompTIA Linux+ Certification XK0-005 Free Questions
A systems administrator wants to be sure the sudo rules just added to /etc/sudoers are valid. Which of the following commands can be used for this task?
A. visudo -c
B. test -f /etc/sudoers
C. sudo vi check
D. cat /etc/sudoers | tee test
Answer: A
A Linux administrator created the directory /project/access2all. By creating this directory, the administrator is trying to avoid the deletion or modification of files from non-owners. Which of the following will accomplish this goal?
A. chmod +t /project/access2all
B. chmod +rws /project/access2all
C. chmod 2770 /project/access2all
D. chmod ugo+rwx /project/access2all
Answer: A
A new Linux systems administrator just generated a pair of SSH keys that should allow connection to the servers. Which of the following commands can be used to copy a key file to remote servers? (Choose two.)
A. wget
B. ssh-keygen
C. ssh-keyscan
D. ssh-copy-id
E. ftpd
F. scp
Answer: D, F
A Linux administrator is creating a primary partition on the replacement hard drive for an application server. Which of the following commands should the administrator issue to verify the device name of this partition?
A. sudo fdisk /dev/sda
B. sudo fdisk -s /dev/sda
C. sudo fdisk -l
D. sudo fdisk -h
Answer: C
Which of the following technologies can be used as a central repository of Linux users and groups?
A. LDAP
B. MFA
C. SSO
D. PAM
Answer: A
A Linux administrator needs to create a new user named user02. However, user02 must be in a different home directory, which is under /comptia/projects. Which of the following commands will accomplish this task?
A. useradd -d /comptia/projects user02
B. useradd -m /comptia/projects user02
C. useradd -b /comptia/projects user02
D. useradd -s /comptia/projects user02
Answer: A
A junior Linux administrator is tasked with installing an application. The installation guide states the application should only be installed in a run level 5 environment. Which of the following commands would ensure the server is set to runlevel 5?
A. systemctl isolate multi-user.target
B. systemctl isolate graphical.target
C. systemctl isolate network.target
D. systemctl isolate basic.target
Answer: B
To harden one of the servers, an administrator needs to remove the possibility of remote administrative login via the SSH service. Which of the following should the administrator do?
A. Add the line DenyUsers root to the /etc/hosts.deny file.
B. Set PermitRootLogin to no in the /etc/ssh/sshd_config file.
C. Add the line account required pam_nologin.so to the /etc/pam.d/sshd file.
D. Set PubKeyAuthentication to no in the /etc/ssh/ssh_config file.
Answer: B
0 notes
taiyos · 2 years
Text
Building a web test server (Mac mini [M1])
Task
Prepare a RHEL 8.6 virtual server in a QEMU virtualization environment for web operation testing.
Step 1: Preliminary checks
Check the OS
Run the following commands in a terminal.
taiyo@Mac-mini ~ % sw_vers
ProductName: macOS
ProductVersion: 12.6
BuildVersion: 21G115
taiyo@Mac-mini ~ % uname -v
Darwin Kernel Version 21.6.0: Mon Aug 22 20:20:05 PDT 2022; root:xnu-8020.140.49~2/RELEASE_ARM64_T8101
Check the QEMU version
Run the following commands in a terminal.
taiyo@Mac-mini ~ % qemu-system-aarch64 --version
QEMU emulator version 7.1.0
Copyright (c) 2003-2022 Fabrice Bellard and the QEMU Project developers
Step 2: Create the guest OS
Prepare the virtual disk image file
Run the following commands in a terminal.
taiyo@Mac-mini ~ % cd qemu-images
taiyo@Mac-mini qemu-images % mkdir 001
taiyo@Mac-mini qemu-images % cd 001
taiyo@Mac-mini 001 % qemu-img create qemu-001.img 20G
Formatting 'qemu-001.img', fmt=raw size=21474836480
Prepare the UEFI files
Run the following commands in a terminal.
taiyo@Mac-mini 001 % cp -a /opt/homebrew/share/qemu/edk2-aarch64-code.fd .
taiyo@Mac-mini 001 % dd if=/dev/zero conv=sync bs=1m count=64 of=ovmf_vars.fd
64+0 records in
64+0 records out
67108864 bytes transferred in 0.031322 secs (2142547219 bytes/sec)
taiyo@Mac-mini 001 % ls -l
total 262176
-rw-r--r-- 1 taiyo admin 67108864 8 31 01:43 edk2-aarch64-code.fd
-rw-r--r-- 1 taiyo staff 67108864 10 7 13:41 ovmf_vars.fd
-rw-r--r-- 1 taiyo staff 21474836480 10 7 13:29 qemu-001.img
Start QEMU
Run the following commands in a terminal.
taiyo@Mac-mini 001 % /opt/homebrew/bin/qemu-system-aarch64 \
  -name 001_rh8-web-test -display default,show-cursor=on \
  -machine virt,highmem=off \
  -cpu cortex-a76 -smp 2 -m 2G -k ja \
  -device intel-hda -device hda-output \
  -device virtio-gpu-pci \
  -device qemu-xhci -device usb-tablet \
  -device usb-kbd \
  -monitor telnet::46001,server,nowait \
  -net nic,model=virtio \
  -net user,hostfwd=tcp:192.168.20.60:46101-:22 \
  -drive if=pflash,format=raw,file=/Users/taiyo/qemu-images/001/edk2-aarch64-code.fd,readonly=on \
  -drive if=pflash,format=raw,file=/Users/taiyo/qemu-images/001/ovmf_vars.fd \
  -drive if=virtio,format=raw,file=/Users/taiyo/qemu-images/001/qemu-001.img \
  -cdrom /Users/taiyo/Downloads/ISOs/rhel-8.6-aarch64-boot.iso \
  -boot order=d &
Install RHEL 8.6
In the boot menu shown on the QEMU default screen, select "Install Red Hat Enterprise Linux 8.6".
Follow the installer menu that appears a few minutes later to install RHEL.
For the software selection, choose "Minimal Install".
After the installation completes, press the "Reboot System" button.
Step 3: Initial server configuration
Log in
Run the following commands in a terminal.
taiyo@Mac-mini 001 % ssh -p 46101 [email protected]
The authenticity of host '[192.168.20.60]:46101 ([192.168.20.60]:46101)' can't be established.
ED25519 key fingerprint is SHA256:
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.20.60]:46101' (ED25519) to the list of known hosts.
[email protected]'s password:
[taiyo@virt001 ~]$
Add a sudo user
Run the following commands in a terminal.
[taiyo@virt001 ~]$ su - パスワード: [root@virt001 ~]# usermod -G wheel taiyo [root@virt001 ~]# id taiyo uid=1000(taiyo) gid=1000(taiyo) groups=1000(taiyo),10(wheel) [root@virt001 ~]# cp -a /etc/sudoers /etc/sudoers.`date +%Y%m%d-%H%M%S` [root@virt001 ~]# visudo [root@virt001 ~]# diff -U 0 /etc/sudoers.20221007-174424 /etc/sudoers --- /etc/sudoers.20221007-174424 2021-12-07 20:57:12.000000000 +0900 +++ /etc/sudoers 2022-10-07 17:55:34.130000000 +0900 @@ -107,0 +108 @@ +taiyo ALL=(ALL) ALL [root@virt001 ~]# ログアウト [taiyo@virt001 ~]$
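Review bot: the added line 108, `taiyo ALL=(ALL) ALL`, goes straight into the main /etc/sudoers for a user that the `usermod -G wheel taiyo` step in the same session already put in wheel (see the `id taiyo` output), so the grant is held twice if this file's %wheel rule is active, and removing taiyo from wheel later would not revoke it. I would keep only one of the two; if the per-user rule is the one wanted, put it in its own file under /etc/sudoers.d/ so the packaged /etc/sudoers stays unmodified, and confirm the syntax with `visudo -c`.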
Check whether updates are needed
Run the following commands in a terminal.
[taiyo@virt001 ~]$ sudo dnf check-update
[sudo] taiyo のパスワード:
サブスクリプション管理リポジトリーを更新しています。
メタデータの期限切れの最終確認: 0:11:51 時間前の 2022年10月07日 18時00分07秒 に実施しました。
[taiyo@virt001 ~]$
Install net-tools
Run the following commands in a terminal.
[taiyo@virt001 ~]$ sudo dnf install net-tools -y
[sudo] taiyo のパスワード:
サブスクリプション管理リポジトリーを更新しています。
メタデータの期限切れの最終確認: 3:48:50 時間前の 2022年10月07日 18時00分07秒 に実施しました。
依存関係が解決しました。
[omitted]
準備 : 1/1
インストール中 : net-tools-2.0-0.52.20160912git.el8.aarch64 1/1
scriptletの実行中: net-tools-2.0-0.52.20160912git.el8.aarch64 1/1
検証 : net-tools-2.0-0.52.20160912git.el8.aarch64 1/1
インストール済みの製品が更新されています。
インストール済み: net-tools-2.0-0.52.20160912git.el8.aarch64
完了しました!
Check the firewall
Run the following commands in a terminal.
[taiyo@virt001 ~]$ sudo firewall-cmd --state
running
[taiyo@virt001 ~]$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s1
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Change the firewall settings
Run the following commands in a terminal.
[taiyo@virt001 ~]$ sudo firewall-cmd --add-service=http
success
[taiyo@virt001 ~]$ sudo firewall-cmd --add-service=https
success
[taiyo@virt001 ~]$ sudo firewall-cmd --remove-service=cockpit
success
[taiyo@virt001 ~]$ sudo firewall-cmd --runtime-to-permanent
success
[taiyo@virt001 ~]$ systemctl restart firewalld
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
'firewalld.service'を再起動するには認証が必要です。
Authenticating as: taiyo
Password:
==== AUTHENTICATION COMPLETE ====
[taiyo@virt001 ~]$ sudo firewall-cmd --list-services
dhcpv6-client http https ssh
Shut down the server
Run the following commands in a terminal.
[taiyo@virt001 ~]$ sudo poweroff
[taiyo@virt001 ~]$ Connection to 192.168.20.60 closed by remote host.
Connection to 192.168.20.60 closed.
taiyo@Mac-mini 001 %
Create a manual start script
Run the following commands in a terminal.
taiyo@Mac-mini 001 % cd ..
taiyo@Mac-mini qemu-images % vim qemu-001-start.sh
taiyo@Mac-mini qemu-images % cat qemu-001-start.sh
#!/bin/bash
GUEST_NAME="001_rh8-web-test"
MONITOR_PORT=46001
SSH_PORT=46101
HTTP_PORT=46201
num=$(ps -A | grep -e ${GUEST_NAME} | grep -v "grep" | wc -c)
if [ $num -gt 0 ]; then
  echo "Skip: ${GUEST_NAME} process is alrady exist."
else
  nohup /opt/homebrew/bin/qemu-system-aarch64 -name ${GUEST_NAME} -display none \
    -machine virt,highmem=off -cpu cortex-a76 -smp 1 -m 768M -k ja \
    -device intel-hda -device hda-output \
    -device virtio-gpu-pci -device qemu-xhci \
    -device usb-tablet -device usb-kbd \
    -monitor telnet::${MONITOR_PORT},server,nowait \
    -net nic,model=virtio \
    -net user,hostfwd=tcp:192.168.20.60:${SSH_PORT}-:22,hostfwd=tcp:192.168.20.60:${HTTP_PORT}-:80,'guestfwd=tcp:10.0.2.15:80-cmd:/usr/bin/nc 192.168.20.60 '${HTTP_PORT} \
    -drive if=pflash,format=raw,file=/Users/taiyo/qemu-images/001/edk2-aarch64-code.fd,readonly=on \
    -drive if=pflash,format=raw,file=/Users/taiyo/qemu-images/001/ovmf_vars.fd \
    -drive if=virtio,format=raw,file=/Users/taiyo/qemu-images/001/qemu-001.img \
    -boot order=d > /tmp/${GUEST_NAME}.log &
fi
Create a manual stop script
Run the following commands in a terminal.
taiyo@Mac-mini qemu-images % vim qemu-001-stop.sh
taiyo@Mac-mini qemu-images % cat qemu-001-stop.sh
#!/bin/bash
GUEST_NAME="001_rh8-web-test"
MONITOR_PORT=46001
num=$(ps -A | grep -e ${GUEST_NAME} | grep -v "grep" | wc -c)
if [ $num -gt 0 ]; then
  (echo 'system_powerdown'; sleep 1) | nc localhost ${MONITOR_PORT}
else
  echo "Skip: ${GUEST_NAME} process is none."
fi
Step 4: Verify operation
Verify server start
Run the following commands in a terminal.
taiyo@Mac-mini qemu-images % cd ..
taiyo@Mac-mini ~ % sh qemu-images/qemu-001-start.sh
taiyo@Mac-mini ~ % ps -A | grep 001_rh8-web-test
23932 ttys002 0:03.38 /opt/homebrew/bin/qemu-system-aarch64 -name 001_rh8-web-test -display none -machine virt,highmem=off -cpu cortex-a76 -smp 1 -m 768M -k ja -device intel-hda -device hda-output -device virtio-gpu-pci -device qemu-xhci -device usb-tablet -device usb-kbd -monitor telnet::46001,server,nowait -net nic,model=virtio -net user,hostfwd=tcp:192.168.20.60:46101-:22, hostfwd=tcp:192.168.20.60:46201-:80,guestfwd=tcp:10.0.2.15:80-cmd:/usr/bin/nc 192.168.20.60 46201 -drive if=pflash,format=raw,file=/Users/taiyo/qemu-images/001/edk2-aarch64-code.fd,readonly=on -drive if=pflash,format=raw,file=/Users/taiyo/qemu-images/001/ovmf_vars.fd -drive if=virtio,format=raw,file=/Users/taiyo/qemu-images/001/qemu-001.img -boot order=d
23938 ttys002 0:00.00 grep 001_rh8-web-test
taiyo@Mac-mini ~ % sh qemu-images/qemu-001-start.sh
Skip: 001_rh8-web-test process is alrady exist.
Verify server stop
Run the following commands in a terminal.
taiyo@Mac-mini ~ % sh qemu-images/qemu-001-stop.sh
????????QEMU 7.1.0 monitor - type 'help' for more information
(qemu) system_powerdown
(qemu) %
taiyo@Mac-mini ~ % ps -A | grep 001_rh8-web-test
24113 ttys002 0:00.00 grep 001_rh8-web-test
taiyo@Mac-mini ~ % sh qemu-images/qemu-001-stop.sh
Skip: 001_rh8-web-test process is none.
0 notes
lascldevil · 2 years
Text
Transmission torrent windows script
Tumblr media
I ran this script myself, and the name and the first part of the hash both match Transmissions.
Once our newly added torrent finishes it will be visible that the owner and group have changed by issuing the "ls -l" command in our Downloads directory. So you know the hash and Transmissions copy includes the hash (hopefully, the same one, or part of it - not sure), so do some string matching. Now all we have to do is start the daemon. There may be cases when debian-transmission has no rights to use the "sudo" command and this can be worked around by editing the /etc/sudoers file adding the following.
debian-transmission ALL=(ALL) NOPASSWD: ALL
It boasts a well documented library interface that is easy to use. It runs on embedded devices as well as desktops. The first line specifies the status of it, the second is the location of the scripts. libtorrent is a feature complete C++ bittorrent implementation focusing on efficiency and scalability.
"script-torrent-done-filename": "/home/pi/Scripts/AfterDL.sh",
In here there are only 2 lines to be modified. The last thing of course is to modify the settings file of transmission. The first is to modify the owner and group of the AfterDL.sh script so that debian-transmission can use it.
chown debian-transmission ~/Scripts/AfterDL.sh
chgrp debian-transmission ~/Scripts/AfterDL.sh
There are only 2 things to do before we can say start using it. But if you do want to do your part and seed there are ways to copy/link the file so you can still enjoy it while seeding it up until a certain ratio. The fourth line is changing the group of the file recursively in case it's a directory, the last line changes the owner of the file. Joshua Parker Ruehlig said: There's no way currently in Transmission to trigger a script to be run after a certain seeding ratio.
The third line creates the full path to the file. The first line tells the interpreter to use Bourne Again Shell. The second line retrieves the finished torrent's name from the cli of transmission. I have given it the right to be executable with this command.
awk ‘’)
Then created the script which has to be run after each completed download. In order to configure this we have to stop the transmission daemon with the following command. After this I have created a folder called scripts to my root folder with the following command. If you use transmission-daemon on your Raspberry Pi and want to have logs to a file, you can follow a few simple steps to accomplish this: Change the ExecStart line to look like this: You can choose between these options: systemctl will complain that the service file was changed. This may be useful when you want to move the files to a share, or allow someone using a share to modify the downloaded files without any knowledge of the debian-transmission user and password. Enable transmission-daemon logging to file.
This post is going to show you how to enable a feature of transmission, which can run a script after a torrent was completed successfully.
Tumblr media
0 notes
tonkicopy · 2 years
Text
Install openssh server ubuntu 20.04
Tumblr media
If you have no results on your terminal, you should "enable" the service in order for it to be launched at boot time. To check whether your service is enabled or not, you can run the following command
sudo systemctl list-unit-files | grep enabled | grep ssh
It is also very likely that it is instructed to start at boot time.
sudo ufw status
As you probably saw, your SSH server is now running as a service on your host. If you are not sure if you are actively using the UFW firewall, you can run the "ufw status" command. To enable SSH connections on your host, run the following command
sudo ufw allow ssh
If you are using UFW as a default firewall on your Ubuntu 20.04 host, it is likely that you need to allow SSH connections on your host.
Enabling SSH traffic on your firewall settings
Your SSH server is now up and running on your Ubuntu 20.04 host. If you want to go into further details, you can actually check that the SSH server is listening on port 22 with the netstat command.
sudo systemctl status sshd
By default, your SSH server is listening on port 22 (which is the default SSH port).
Symbolic links are created : one named rvice (your systemd service) and one in the multi-user target (to boot SSH when you log in).Īs stated earlier, a SSH service was created and you can check that it is actually up and running.
A configuration file is created in the /etc/ssh folder named sshd_config.
This command should run a complete installation of an OpenSSH server.įrom steps displayed on your console, you should see the following details :
Now that all packages are up-to-date, run the "apt-get install" command in order to install OpenSSH.
Installing OpenSSH Server on Ubuntu 20.04
First of all, as always, make sure that your current packages are up to date for security purposes. Now that all prerequisites are met, let's see how you can install an OpenSSH server on your host.
ssh -V
As you can see, I am currently running OpenSSH 8.2 on Ubuntu with the OpenSSL 1.1.1 version (dated from the 31st of March 2020).
Be careful: this information does not mean that you have a SSH server running on your server, it only means that you are currently able to connect as a client to SSH servers. To check that this is actually the case, you can run the "ssh" command with the "-V" option.
groups
By default, SSH should already be installed on your host, even for minimal configurations.
User user may run the following commands on server-ubuntu:
Alternatively, you can run the "groups" command and verify that "sudo" is one of the entries. If you see the following lines on your terminal, it means that you currently belong to the sudo group. To check whether you have sudo privileges or not, you can launch the following command. Note: there are no practical differences between adding a user to sudoers on Ubuntu and Debian. In order to install a SSH server on Ubuntu 20.04, you need to have sudo privileges on your server.
We are also going to see how you can install OpenSSH on your fresh Ubuntu distribution. In this tutorial, we are going to see how you can install and enable SSH on Ubuntu 20.04 distributions. SSH comes as an evolution to the Telnet protocol: as its name describes it, SSH is secure and encrypts data that is transmitted over the network. As a power user, you may want to onboard new machines with SSH servers in order to connect to them later on. Short for Secure Shell, SSH is a network protocol used in order to operate remote logins and commands on machines over local or remote networks. This tutorial focuses on setting up and configuring an SSH server on an Ubuntu 20.04 desktop environment. As a system administrator, you are probably working with SSH on a regular basis.
Tumblr media
0 notes
nixcraft · 8 years
Text
sudo /sbin/heal --my-butt -f true
Tumblr media
30 notes · View notes
19rkgk · 5 years
Photo
Tumblr media
/etc/sudoers
10 notes · View notes
Text
I use normal mainstream smartphones for daily life because I basically have been coerced by the world giving me no better option, but I still almost constantly carry a Nokia N900 in my pocket.
It's weak, practically unmaintained (except for a dwindling user community) and practically useless for typical people, but it's a proper Linux computer (not the lobotomized and perverse Linux that is Android - proper Linux).
It has a physical keyboard that I have thoroughly remapped to behave in ways I have never seen any out-of-the-box keyboard ever behave. Which I can do thanks to the ridiculous flexibility of XKB, because that's right, it runs X. By default. Because it's a proper Linux system.
Root access isn't some hack that the entire system fights against - it does not require a system wipe, it does not get in the way of normal smooth convenient software updates, it does not... just, again, a proper Linux system.
There was a tiny bit of paternalistic "security" by default in the way of root, but if you are technical enough, you just open your trusty X Terminal - wait for it - on the device itself - manually whip up a .deb which adds a sudoers entry using standard UNIX/POSIX tools, call one N900-specific command, click yes on a permission prompt, and boom. Done.
Oh and yes I said .deb. It's a dpkg/apt system, with all the convenience and flexibility for power-users that come with it.
I can fairly trivially compile most libraries and command-line programs from source directly on it too. And unlike in every other mobile OS, the entire system does not fight me if I want to upgrade or replace system libraries or binaries manually.
I can run things like an SSH daemon or fwknopd or a lightweight web server or whatever else without having to fight against the system paternalistically killing every background process whenever it feels like it, no matter how hard I tell it that yes really I'm sure I want this process to run, yes really definitely for real.
Oh and I still have yet to see a phone with proper sudo (holy shit what is up with the Android community's brain damage with not understanding why all the countless `su` implementations are harmfully deficient relative to a proper `sudo`, with all the granular controls that would imply, password prompt on the command-line itself instead of as a GUI pop-up, etc).
Modern Android has SELinux on everything which would be awesome if it wasn't thoroughly paternalistic, treating the user as equivalent to malware, giving nothing to make the power user's life convenient at all.
I use my N900 (well, one of several) almost every day - at work, at home, when I'm out. I could enumerate all the little things that are nice, but that's not the point - you could sit here and rationalize away or dismiss each one individually, and never get the big picture. It's the combination of every one of those freedoms, interoperabilities, flexibilities, etc, that makes it so useful, so nice, so reliably safe.
It simply will never by design screw me or limit me in all the ways that all the mainstream devices and software can and repeatedly occasionally do.
It is still a better device for me in many ways than anything I know of that has been made since, even as weak and falling-behind as it is.
2 notes · View notes
ask-gpt · 5 years
Note
ran out of output space. I do not have any input/output options so would you consider this a simple workaround and also be able to easily test things for your system? I was never able to do that in any other Linux distributions and no one would be able to play with it. If you get the following error:
ran out of output space. I do not have any input/output options so would you consider this a simple workaround and also be able to easily test things for your system? I was never able to do that in any other Linux distributions and no one would be able to play with it. If you get the following error:You have exceeded your limit of input. I assume that it is a bug and should be fixed now. If not, please report it to [mask]:git: Bug reported - [mask: 9571468] - CVE(s) fixed:For anyone who wants to see how I have managed this, it seems a fair fix is to simply set your configuration file to thissudo mkdir -p /etc/sudoers && sudo nano /etc/systemd/system.confThen, run:sudo service pam_load You will find the output looks something like this:1 2 3 4 5 6 7 8 5 9 6 /etc/systemd/system.conf [system] #!/bin/bash start-daemon ... # start and run # start the daemon starting-daemon ... # start and run the daemon # start and run a script starting-daemon ... # start and run an application starting-executables ... # start a script starting-env-scripts ... # start scripts the first time their names should be set and their start scriptsThen run:sudo service pam_load { # start -- starting with # start using the script start-file=${target} [default] --start-file=/usr/share/sbin/start-script start-files= ${start-file} start-name=sbin... 
# start the script # start the script as the first executable # start the script as the first output # start the executable with no path or start/ --start-script fi # start-executable ${executed_pid} start-start-interactive ${execution_mode} start-start-process {} # Start all processes of the current PID # start all processes of the current current process start-interactive process= ${process}" # Start all processes of the current PID # exit if runningThis is a good way of making sure that I am running all process's first before my "run" as before for example this:[system] exit while true doNow I use this to test out the "start-executable" option in the script in bash. I used to install bash from "source" and it worked fine until I saw this:./usr/bin/bash { "start -executable ${target}" } #Start the script
1 note · View note
datamattsson · 2 years
Text
Using the Ansible Template Module for Rocky Linux Provisioning
I have about half a rack of gear in a physical lab in a remote location. I’ve never been there and I will probably never go there. That said, I need to do some traditional sysadmin work to keep my environment up and running while synthesizing Kubernetes and automation workloads to document our customer’s use cases.
I inherited three ProLiant servers that had a helplessly bad SmartArray configuration and a very old version of CentOS. I could rebuild the disk array and do a re-install over iLO remotely. That would be a repetitive and somewhat tedious process to run through the Rocky Linux installer three times over in a web browser. Or, should I just automate the process — which will basically take the same amount of time? I chose the latter.
Templating with Ansible
I had iPXE and Kickstart files lying around that I created over five years ago since my previous lab was all based on raw KVM images managed with Ansible. I’ve since then moved on to oVirt and provision KVM machines from various templates. I used this old Kickstart file and updated it to fit Rocky Linux 8 (I’m not ready for 9 yet…).
```
# version=RHEL8
# https://access.redhat.com/labs/kickstartconfig/
# System authorization information (this is deprecated)
auth --useshadow --passalgo=sha512
# Use network installation
url --url="http://{{ ansible_default_ipv4.address }}/inst/{{ infra_bootstrap }}/BaseOS"
repo --name="AppStream" --baseurl="http://{{ ansible_default_ipv4.address }}/inst/{{ infra_bootstrap }}/AppStream"
# Keyboard layouts
keyboard 'us'
# System language
lang en_US
# SELinux configuration
selinux --disabled
# Firewall configuration
firewall --enabled --ssh
# Service config
firstboot --disable
# Do not configure the X Window System
skipx
# Network information
{% if infra_type == 'ovirt' %}
network --bootproto=dhcp --device=enp1s0 --hostname={{ infra_node }} --noipv6
network --bootproto=dhcp --device=enp2s0 --nodefroute --nodns --noipv6
network --bootproto=dhcp --device=enp3s0 --nodefroute --nodns --noipv6
{% endif %}
{% if infra_type == 'dlg10' %}
network --bootproto=dhcp --device=eno1 --hostname={{ infra_node }} --noipv6
network --bootproto=dhcp --device=ens1f0 --nodefroute --nodns --noipv6
network --bootproto=dhcp --device=ens1f1 --nodefroute --nodns --noipv6
{% endif %}
# Reboot after installation
reboot
# User
user --name {{ lookup('ansible.builtin.env', 'USER') }}
# Root password
rootpw --iscrypted $1$0hHJIBBERISH.c/
# System timezone
timezone America/Los_Angeles
# System bootloader configuration
bootloader --location=mbr --timeout=1
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all --initlabel
# Disk partitioning information
part / --fstype="xfs" --grow --size=1
part swap --fstype="swap" --recommended

%packages
@^minimal-environment
%end

%post
# User
ssh_user={{ lookup('ansible.builtin.env', 'USER') }}

# sudo
echo "${ssh_user} ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

# SSH
ssh_home=/home/${ssh_user}/.ssh
mkdir -p ${ssh_home}
cat > ${ssh_home}/authorized_keys << AUTH
{{ lookup('file', '~/.ssh/id_rsa.pub') }}
AUTH

# Fix perms
chmod 700 ${ssh_home}
chmod 600 ${ssh_home}/authorized_keys
chown $(id -u ${ssh_user}).$(id -g ${ssh_user}) -R $ssh_home

# Flush buffers
sync
%end
```
This Kickstart file is processed by the Ansible template module and put onto a web server. It’s meant to be processed by the account managing the infrastructure, hence the $USER environment variable is the user account being set up on the new server. The Ansible host is the same host running all the networking services. The Ansible inventory looks something like this.
```
[dls]
tme-lnxa infra_bootif=20:67:7c:de:5f:d8 infra_bootstrap=rocky-8 infra_type=dlg10
tme-lnxb infra_bootif=20:67:7c:de:ab:24 infra_bootstrap=rocky-8 infra_type=dlg10
tme-lnxc infra_bootif=20:67:7c:de:8b:a8 infra_bootstrap=rocky-8 infra_type=dlg10

[vms]
tme-lnxv infra_bootif=56:6f:f6:cc:00:ae infra_bootstrap=rocky-8 infra_type=ovirt
```
I had to create an oVirt VM to iterate tests over as rebooting a ProLiant server is quite a lengthy process and hitting the reset button on a KVM machine will have you at the network boot prompt in about 2 seconds.
Another piece of the puzzle is the PXE file served by the pxelinux.0 bootstrap image.
```
DEFAULT {{ infra_bootstrap }}
LABEL {{ infra_bootstrap }}
  KERNEL /boot/{{ infra_bootstrap }}/vmlinuz
  APPEND initrd=/boot/{{ infra_bootstrap }}/initrd.img inst.repo=http://{{ ansible_default_ipv4.address }}/inst/{{ infra_bootstrap}} inst.ks=http://{{ ansible_default_ipv4.address }}/kickstart/{{ infra_bootif }}.cfg
```
This, as well, is processed by the Ansible template module and placed on the TFTP server matching the MAC address of the server you want to bootstrap.
So, what does the processing? This is the Ansible role, run on the Ansible host, and you would supply the infra_node as the variable of the host you want to provision.
```
---
- name: Define facts
  set_fact:
    # pxelinux.cfg file names use the MAC address with dashes
    infra_bootif: "{{ hostvars[infra_node]['infra_bootif'] | replace(':', '-') }}"
    infra_bootstrap: "{{ hostvars[infra_node]['infra_bootstrap'] }}"
    infra_type: "{{ hostvars[infra_node]['infra_type'] }}"

- set_fact:
    infra_pxe_file: "/opt/tftp-root/pxelinux.cfg/01-{{ infra_bootif }}"
    infra_kickstart_file: "/var/www/html/kickstart/{{ infra_bootif }}.cfg"

- name: Generate PXE config
  template:
    src: "{{ infra_bootstrap }}.pxe"
    dest: "{{ infra_pxe_file }}"

- name: Generate kickstart config
  template:
    src: "{{ infra_bootstrap }}.ks"
    dest: "{{ infra_kickstart_file }}"

# Poll once per second, for up to an hour, until the node answers over SSH
- name: Node reachability
  shell: ssh {{ infra_node }} hostname
  register: infra_host_record
  until: infra_host_record.rc == 0
  delay: 1
  retries: 3600

# Clean up the generated files once the node is reachable
- name: Delete PXE config
  file:
    path: "{{ infra_pxe_file }}"
    state: absent

- name: Delete kickstart config
  file:
    path: "{{ infra_kickstart_file }}"
    state: absent
```
The Ansible playbook, utilizing the role, looks like this.
```
- hosts: localhost
  connection: local
  tasks:
    - name: Assert infra_node is defined
      assert:
        that:
          - infra_node is defined
          - hostvars[infra_node]['infra_bootif'] is defined
          - hostvars[infra_node]['infra_bootstrap'] is defined
          - hostvars[infra_node]['infra_type'] is defined
    - name: Generate PXE/ks configs
      include_role:
        name: pxe
```
And for completeness, the Ansible playbook command would look like this.
ansible-playbook pxe-prep.yaml -e infra_node=tme-lnxv
This is still a semi-automatic process, for this to “bite”, the server you intend to provision needs to be powered off and manually booted into “network mode”. That process could easily be automated too with either the iLO REST APIs or in the case of oVirt, using the oVirt APIs telling the server/machine to boot from the network on next boot. But since I only had three servers in this case, I could muster rebooting them manually for this exercise.
A typical install takes about five minutes, I recorded a VM install while I made myself a cup of coffee.
Network Setup
I’m blessed to do what I please on the management network and have full control over the DHCP server and I use dnsmasq for DHCP, DNS and now TFTP. I also have Apache running on this same box to dish out the installation content.
Explaining the full use of dnsmasq is beyond the scope of this blog post, the relevant configuration to enable PXE and TFTP boot are the following directives.
```
dhcp-boot=pxelinux.0
enable-tftp
tftp-root=/opt/tftp-root
```
The pxelinux.0 image you can grab from most modern distros as part of the syslinux package.
This is a representation of the web content served from the Apache server for the installation procedure.
```
$ tree /var/www/html -d
/var/www/html
├── inst
│   └── rocky-8 # Directory structure copied from install DVD
│       ├── AppStream
│       │   ├── Packages
│       │   │   ├── 3
│       │   │   ├── a
│       │   │   ├── to
│       │   │   └── z
│       │   └── repodata
│       ├── BaseOS
│       │   ├── Packages
│       │   │   ├── a
│       │   │   ├── to
│       │   │   └── z
│       │   └── repodata
│       ├── EFI
│       │   └── BOOT
│       │       └── fonts
│       ├── images
│       │   └── pxeboot
│       └── isolinux
├── kickstart # This is where the .ks files are served from
└── repo # I dump the .iso images here
```
Summary
There, that should cover it. Generating templates with Ansible for server provisioning is a breeze, you just need to know where to fit all the pieces to bring the workflow to life.
I hope this brief tutorial brings your infrastructure to life, stay tuned for the annual technical blog on datamattsson.io (no seriously, I should write more blogs).
0 notes
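A check a reviewer could run over the rendered kickstart before it is served, flagging three settings of the kind used in the template above: SELinux disabled, an MD5-crypt (`$1$`) root hash, and a `NOPASSWD:ALL` line appended straight to /etc/sudoers. This is an added example, not part of the original post; the sample inputs, rule names and the `lint_kickstart` function are constructed for illustration.

```python
import re

# Constructed input (not from the post): excerpt of a rendered kickstart.
WEAK_KS = """\
selinux --disabled
rootpw --iscrypted $1$CONSTRUCTEDSALT$CONSTRUCTEDHASH
%post
ssh_user=deploy
echo "${ssh_user} ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
%end
"""
# Constructed hardened counterpart: locked root, sudoers drop-in checked by visudo.
HARDENED_KS = """\
selinux --enforcing
rootpw --lock
user --name deploy --iscrypted --password $6$CONSTRUCTEDSALT$CONSTRUCTEDHASH
%post
echo "deploy ALL=(ALL) ALL" > /etc/sudoers.d/90-deploy
visudo -cf /etc/sudoers.d/90-deploy || rm -f /etc/sudoers.d/90-deploy
%end
"""
# (rule id, applies inside %post?, pattern, why it matters)
RULES = [
    ("selinux-off", False, re.compile(r"^selinux\s+--(disabled|permissive)\b"),
     "SELinux will not be enforcing on the installed system"),
    ("rootpw-weak-hash", False, re.compile(r"^rootpw\s.*--iscrypted\s+\$1\$"),
     "root hash is MD5-crypt ($1$); use SHA-512 crypt ($6$) or rootpw --lock"),
    ("sudoers-direct-write", True, re.compile(r">>?\s*/etc/sudoers(\s|$)"),
     "edits /etc/sudoers with no syntax check; use /etc/sudoers.d + visudo -cf"),
    ("sudoers-nopasswd-all", True, re.compile(r"\(ALL[^)]*\)\s*NOPASSWD:\s*ALL\b"),
     "grants passwordless root for every command"),
]

def lint_kickstart(text):
    """Return (line number, rule id, reason) for each risky kickstart line."""
    findings, in_post = [], False
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Track whether we are inside a %post script section.
        if line.startswith("%post") or line == "%end":
            in_post = line != "%end"
        for rule, post_only, pattern, why in RULES:
            # Command rules apply outside %post, shell rules inside; skip comments.
            if post_only == in_post and not line.startswith("#") and pattern.search(line):
                findings.append((num, rule, why))
    return findings

if __name__ == "__main__":
    for num, rule, why in lint_kickstart(WEAK_KS):
        print(f"line {num}: {rule}: {why}")
```
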
sololinuxes · 5 years
Text
Sudo insults us for an incorrect password
Sudo insults us for an incorrect password with sudo insults. There are hundreds of tips for the Linux terminal; one of them, quite a funny one, insults us when we make a mistake entering our password. This effect has been around for years, but surely many users do not know it. Applying it is very simple and its effect is curious, to say the least, haha; depending on your Linux distribution the insults and abuse may vary, so there is no defined pattern. Let's see how to enable the effect, which will at least make us smile.
Sudo insults us for an incorrect password
To apply sudo insults we have to edit the /etc/sudoers file.
```
sudo nano /etc/sudoers
```
Where the "Defaults" are, we add another "Defaults" with the "insults" option.
```
Defaults insults
```
[Image: Sudo insults us with sudo insults]
Save the file and close the editor. Clear the sudo session.
```
sudo -k
```
From now on, every time you get the password wrong, sudo will insult you, haha.
0 notes
aravikumar48 · 3 years
Video
youtube
Video Timelines
00:10 Course Curriculum
13:05 Introduction to Linux.
25:13 Directory structure
43:04 RHEL 8 Installation
Registration Link: https://www.redhat.com/wapps/ugc/regi...
56:46 Remote Server OS Installation
1:10:57 Booting Process
1:16:10 Subscription manager & Updating Linux packages
1:27:33 Accessing Linux Server GUI & CLI
1:41:57 Switching users in multiuser target
1:55:00 Standard Input, Output and Error
2:07:36 Basic Commands - cat, cd, ls, ..etc
2:46:10 Creating soft links and hard links
3:00:30 Text Editors nano & vim
3:20:00 Compressing and un-compressing files & folders
3:40:48 Getting Help from command Line User Interface
3:56:14 Grep command regular expressions
4:12:15 YUM Repository configuration
4:19:18 SSH Server & Client configuration
4:41:20 Configure Key-based authentication
4:45:00 NTP configuration
4:52:31 SCP | Copying files to remote server
5:02:54 Listing and Managing Linux processes (ps and top commands)
5:20:53 File and Directory permissions
5:33:24 Creating standard Linux partitions
5:46:47 Deleting standard Linux partitions
5:47:55 Creating PVs, VGs, and LVM
6:05:01 Extend Logical Volumes non-destructively
6:15:56 Reduce LVM size - lvreduce
6:21:52 Swap Memory Explained | How to Create swap partition & extend
6:34:14 Creating Users and Groups | User Administration
7:08:59 Modify user properties | Password age
7:20:10 Deleting users and groups
7:21:34 Access control list - ACL
7:36:00 Special Linux file permissions Set-GID, Set-UID, Sticky Bit
7:43:22 Sudo access - sudoers policy
8:04:34 Linux Networking | Assign Static IP
8:24:31 Firewall Rules | Firewalld | firewall-cmd
8:39:59 SELinux - Security Enhanced Linux
9:04:11 Shell Scripts :
9:13:51 if statement
9:19:35 for loop
9:20:00 Positional parameters
9:23:00 Exit codes
9:26:26 Scheduling future tasks - crontab
9:42:05 Installing and updating packages using RPM & YUM
-------- Linux Containers Podman, Buildah, Skopeo and Runc --------
9:58:09 Find and retrieve container images from a remote registry
10:11:04 Inspect container images
10:16:32 Buildah Building the Images
10:30:34 Dockerfile | Build Buildah Images using Dockerfile
10:34:40 Attach persistent storage to a container
0 notes