May 14, 2008

Problems with OpenSSL and OpenSSH


A serious vulnerability (CVE-2008-0166) has been reported in the Debian and Ubuntu distributions of Linux. The problem is in OpenSSL, which provides the cryptography behind secure web pages and, through OpenSSH, behind ssh connections to other nodes and servers. It has been described as a weakness in the random number generator used to create OpenSSL and OpenSSH cryptographic keys. A Debian-specific change to the OpenSSL package starved the generator of entropy, so the keys it produced were not random enough: the process ID was effectively the only variable input, which leaves only a few tens of thousands of possible keys for each key type and size. A space that small can be enumerated in advance, so the affected keys are susceptible to brute force attacks.

This affects every Debian and Ubuntu system that generated keys with the broken packages, which shipped from September 2006 until the fix released this week. RedHat and other Linux distributions never carried the Debian change, so their own OpenSSL is not impacted, but a weak key does not become strong by being copied: an ssh key pair generated on an affected Debian or Ubuntu machine and installed in authorized_keys on a RedHat server, or an SSL certificate whose key was made on one, is just as guessable there. DSA keys need one further caution: a DSA signature made on an affected system can expose the private key even if the key itself was generated elsewhere, so DSA keys used from an affected host should be replaced too. Fixes are available and the appropriate Ubuntu packages have already been updated. If you manage Debian and Ubuntu systems, you should investigate this issue, upgrade your packages, regenerate any keys and certificates the affected systems produced, and remove the old public keys from authorized_keys and known_hosts on the hosts they were copied to. I pulled down the new packages today and regenerated my SSH cryptographic keys.

Here are four links that will help you test and resolve this vulnerability:

http://www.debian-administration.org/articles/596

http://www.ubuntugeek.com/fix-for-opensslsshvpn-vulnerability-in-ubuntu-704710804.html

http://ubuntu-tutorials.com/2008/05/13/openssh-openssh-vulnerabilities-confirm-fix-instructions/

https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/229964
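As an added example (not from the original post, and not Debian's own ssh-vulnkey tool), here is the shape of the check those links walk you through: fingerprint each public key in authorized_keys or known_hosts and look it up in a blacklist of fingerprints the broken generator is known to produce. It assumes a blacklist file of full MD5 fingerprints, one per line in the colon-separated form ssh-keygen -l prints (the distribution's real blacklist files are more compact, but the idea is the same), GNU base64 and md5sum on the path, and the key blobs and blacklist below are constructed stand-ins, not real keys, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post and not Debian's ssh-vulnkey:
# fingerprint OpenSSH public keys and look each one up in a blacklist of
# known-weak fingerprints. Assumption: the blacklist holds full MD5
# fingerprints in ssh-keygen's colon-separated form, one per line.

# MD5 fingerprint of a base64 key blob, e.g. 3e:ab:...:01 (the form
# "ssh-keygen -l" printed for a key file in 2008).
fingerprint() {
    printf '%s' "$1" | base64 -d 2>/dev/null | md5sum | cut -c1-32 | sed 's/../&:/g; s/:$//'
}

# Classify one authorized_keys or known_hosts line. known_hosts lines start
# with a hostname and authorized_keys lines may start with options, so find
# the key type field and fingerprint the base64 field right after it.
# Prints VULNERABLE, OK or UNPARSEABLE.
check_key_line() {
    _blob=$(printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "ssh-rsa" || $i == "ssh-dss") { print $(i + 1); exit } }')
    if [ -z "$_blob" ]; then
        echo UNPARSEABLE
        return 1
    fi
    if grep -qxF "$(fingerprint "$_blob")" "$2"; then
        echo VULNERABLE
    else
        echo OK
    fi
}

# Print every key line in a file that matches the blacklist, prefixed with
# file name and line number, so you know exactly which entries to replace.
scan_file() {
    _n=0
    while IFS= read -r _l || [ -n "$_l" ]; do
        _n=$((_n + 1))
        case $_l in ''|'#'*) continue ;; esac
        [ "$(check_key_line "$_l" "$2")" = VULNERABLE ] && echo "$1:$_n: $_l"
    done < "$1"
    return 0
}

# Constructed sample blobs (NOT real keys): the wire format of an RSA public
# key is string "ssh-rsa", mpint e, mpint n; these are tiny stand-ins built
# with printf so the example runs offline.
WEAK_BLOB=$(printf '\000\000\000\007ssh-rsa\000\000\000\003\001\000\001\000\000\000\005\000\303\237\022\173' | base64 | tr -d '\n')
GOOD_BLOB=$(printf '\000\000\000\007ssh-rsa\000\000\000\003\001\000\001\000\000\000\005\000\251\044\140\017' | base64 | tr -d '\n')
WEAK_LINE="ssh-rsa $WEAK_BLOB backup@debian-box"
GOOD_LINE="no-pty,command=\"/usr/bin/rrsync /backup\" ssh-rsa $GOOD_BLOB backup@rhel-box"

# Constructed blacklist: in a real check this is the distribution's list of
# fingerprints the broken PRNG can produce for this key type and size.
BLACKLIST=$(mktemp)
fingerprint "$WEAK_BLOB" > "$BLACKLIST"

# Usage: scan_file ~/.ssh/authorized_keys /path/to/blacklist
# Here it runs over a constructed authorized_keys holding both sample lines.
SAMPLE=$(mktemp)
printf '%s\n%s\n' "$WEAK_LINE" "$GOOD_LINE" > "$SAMPLE"
scan_file "$SAMPLE" "$BLACKLIST"
```

Run it against authorized_keys and known_hosts on every host the affected machines ever pushed keys to, not just the Debian boxes themselves. A clean result only means the key is not in the list you checked against; it does not say where the key was generated, so the advice above stands: regenerate anything the affected machines produced.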

May 05, 2008

Ubuntu Install Video

If you are considering installing and using Ubuntu, there are many great Ubuntu resources available to check out. Here is a quick little video that walks you through the installation process and shows how easy the Linux and Ubuntu installation has become.


March 22, 2008

Mark Shuttleworth Video Interview

I prefer Ubuntu over RedHat for day to day functionality and have Gutsy Gibbon running in a VM on my laptop. Here is an older video of Mark Shuttleworth, the founder of Ubuntu.

February 09, 2008

Unix Support Site

I came across another great Unix support site that I thought I would share with you. Brandon Hutchinson is a Senior Unix Engineer who started to document his work for reference by himself and his coworkers. The site is http://www.brandonhutchinson.com/ and he has also started a wiki to better manage changes and allow others to contribute. His wiki is here: http://brandonhutchinson.com/wiki/index.php5?title=Main_Page and it is well worth checking out.


December 22, 2007

SCP Problem

Since starting at MIT my support focus has been on the Linux and Solaris environments, as opposed to the Microsoft environments of my last position. Getting reacquainted with SSH, SSL and Apache has been fun, and picking up Kerberos, PGP, GPG and Oracle Application Server has been great. I wanted to share an SCP problem I was having that had me stumped for a couple of days.

Our environments are locked down and for the most part individual accounts are restricted. We use Kerberos authentication for access to restricted accounts, and because of this SCP is not a good solution to use directly between servers, as we do not have full username-and-password access. What we do instead is push and pull files to a staging server, and then push or pull the files to the default location. I built a desktop running RedHat Enterprise Server 5.0 and was using this new environment as my staging server. I ran into a problem on the RedHat Enterprise Server when attempting to SCP to and from Solaris environments. I would receive the following error:

"scp bad packet length problem"

I could scp between all of my RedHat servers and all of my Ubuntu desktops, however I could not push or pull to a Solaris server. After some research, the error appeared to be caused by the two sides speaking different versions of the ssh protocol. I found a page on the openbsd.org site explaining all ssh parameters. Here is the reference to the Protocol parameter:

Protocol

Specifies the protocol versions ssh(1) should support in order of preference. The possible values are `1' and `2'. Multiple versions must be comma-separated. The default is ``2,1''. This means that ssh tries version 2 and falls back to version 1 if version 2 is not available.


I looked at the ssh config files located in /etc/ssh and found the Protocol parameter in sshd_config. "Protocol 2,1" was commented out and "Protocol 2" was uncommented. I commented out "Protocol 2", uncommented "Protocol 2,1" and restarted sshd with "/etc/init.d/sshd restart".

This solved the problem.
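The fix above works by letting sshd fall back to the old SSH-1 protocol, which is a downgrade: protocol 1 has known integrity weaknesses, and RedHat shipped "Protocol 2" alone on purpose. As an added example, not from the original post, here is a small shell check for finding sshd_config files that still allow version 1, with the fallback stanza and the protocol-2-only stanza side by side. It assumes OpenSSH of that era, where a missing Protocol line means the default of "2,1" quoted from the man page above, and it writes constructed config files to temp locations so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: find sshd_config files that
# still allow SSH protocol 1. Assumption: OpenSSH of the 2007 era, where no
# Protocol line means the man page default "2,1".

# sshd uses the first value obtained for a keyword, so only the first
# uncommented Protocol line counts. Returns 0 (true) if version 1 is allowed.
protocol1_allowed() {
    _value=$(awk 'tolower($1) == "protocol" { print $2; exit }' "$1")
    [ -z "$_value" ] && _value="2,1"
    case ",$_value," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# One-line verdict for a config file; handy in an audit loop across hosts,
# e.g. ssh "$host" cat /etc/ssh/sshd_config > "$tmp"; protocol_verdict "$tmp"
protocol_verdict() {
    if protocol1_allowed "$1"; then
        echo "WEAK: SSH-1 fallback enabled"
    else
        echo "OK: protocol 2 only"
    fi
}

# The change the post describes, as a constructed config file: version 1 is
# re-enabled so an old peer can connect. This hides a peer that should be
# fixed rather than fixing it.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
#Protocol 2
Protocol 2,1
EOF

# The state RedHat shipped, as a constructed config file: protocol 2 only.
# The commented line is ignored because sshd only reads uncommented keywords.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
#Protocol 2,1
Protocol 2
EOF

# A config with no Protocol line at all falls back to the default "2,1"
# quoted from the man page, so it also allows version 1.
EMPTY_CFG=$(mktemp)
: > "$EMPTY_CFG"

protocol_verdict "$WEAK_CFG"
protocol_verdict "$GOOD_CFG"
protocol_verdict "$EMPTY_CFG"
```

Before re-enabling version 1 on the server, check what the other side can do: "ssh -v host" prints a "Remote protocol version" line with the peer's banner, and if the Solaris ssh can speak protocol 2 the right fix is to make it do so and leave the staging server at "Protocol 2".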


December 02, 2007

SSH Connectivity and Support

I am sorry for the lack of posts here; I recently changed positions, which has kept me fairly busy. I just started at MIT in their application infrastructure services group and have been focusing on my new position more than my blogs. This weekend I started reading and came across a post from Kris at Geekbits3 that was relevant to me and, I am sure, will be relevant to all admins that manage a large number of UNIX hosts.

On most corporate networks, telnet is disabled and ssh is required for connectivity between Unix hosts. SSH requires a password and, depending on how it is configured, could also require a key passphrase.

Kris outlines a secure configuration for connecting to your hosts with SSH that eliminates the need for a password or an SSH key passphrase. This process needs to be followed on all of your servers; however, once in place it will increase your efficiency and provide you with extended remote support on all of your servers.

Here is an overview of Kris's post ......

Passwordless Login For SSH

I've recently set up a new backup server. I wanted to be able to automate backups from my workstations to the server, and I will be using OpenSSH (scp) as the transfer agent between the workstations and the server. By default the OpenSSH server asks for a password every time you log in, so automation is impossible without a bit of tweaking.

Creating an environment where passwords are unnecessary can be achieved using public-key cryptography. In this process we create unique identification between workstation (or other system) and server. The server can then recognize the user using a private/public key pair.

There are a number of steps that need to be completed, on both workstation and server, to achieve password-less logins. I have written the required server commands within the `ssh' command, to simplify the process. You will need to have a working OpenSSH server, and user login before beginning.

Read the rest of Kris's SSH entry ...
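As an added example (not from Kris's post or the page it came from), the one thing to bolt on once key-based login works is a set of authorized_keys restrictions: an automation key with no passphrase is only as safe as the limits the server places on it, because anyone who can read the private key file can use it. The script below builds a restricted entry for a backup key and audits an existing authorized_keys file for keys that carry no restrictions at all. It assumes OpenSSH's authorized_keys option syntax (from=, command=, no-pty, no-port-forwarding, no-agent-forwarding, no-X11-forwarding); the key, address and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from Kris's post or the original page: lock down a
# passwordless automation key on the server side and audit for keys that
# were never locked down. Assumption: OpenSSH authorized_keys option syntax.

# Emit an authorized_keys line that only lets the named client address run
# one forced command, with no tty and no forwarding. With command= set, the
# server runs that command no matter what the client asked for.
#   $1 = client address pattern (from=), $2 = forced command, $3 = public key line
restricted_entry() {
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2" "$3"
}

# List authorized_keys lines that carry neither from= nor command=: each one
# grants a full interactive login to whoever holds the private key, which
# for an unencrypted automation key means whoever can read the file.
audit_unrestricted() {
    _n=0
    while IFS= read -r _l || [ -n "$_l" ]; do
        _n=$((_n + 1))
        case $_l in
            ''|'#'*) continue ;;
            *command=*|*from=*) continue ;;
        esac
        echo "$1:$_n: $_l"
    done < "$1"
    return 0
}

# Constructed public key line (NOT a real key) standing in for the one
# ssh-keygen produced on the workstation.
PUBKEY="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAconstructedSampleKeyNotARealKey0123456789 backup@ws1"

# Forced command for a backup-by-scp key: "scp -t dir" is scp's receive
# mode, so this key can only write files into /backup/ws1 (illustrative path).
RESTRICTED=$(restricted_entry '10.0.0.5' '/usr/bin/scp -t /backup/ws1' "$PUBKEY")

# A constructed authorized_keys: a comment, the bare key as Kris's procedure
# would install it, and the same key with restrictions.
SAMPLE=$(mktemp)
{
    echo '# keys for the backup account'
    echo "$PUBKEY"
    echo "$RESTRICTED"
} > "$SAMPLE"

# Usage: audit_unrestricted ~/.ssh/authorized_keys
audit_unrestricted "$SAMPLE"
```

Use a separate key pair per workstation and per job rather than one shared key, so a compromised workstation costs you one entry in authorized_keys instead of access from everywhere, and keep the private key readable by its owner only.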


October 27, 2007

Podcamp Boston 2

I will be at Podcamp Boston 2, an unconference, this weekend. I am facilitating a talk on Web 2.0, Enterprise 2.0 and Beyond, which will host discussions about Web 2.0, Enterprise 2.0, Web 3.0 and the Semantic Web.

We will be in Room 204B and here is a link to my SlideShow called Web20Web30.

Podcamp is not restricted to folks that produce podcasts; it is an event for anyone looking to learn more about the New Media space, which includes blogging, podcasting, videocasting and social networking.

Join us for this free conference at the Bayside Convention and Expo Center this weekend for a great event.


October 03, 2007

Geekbits

I have had a couple of inquiries and suggestions after my last post, however I have had no real written contributions. The one bright spot is a note that I received from Kris at Geekbits3. Kris is a system administrator and blogger from Australia who publishes a great blog focused on Unix and Linux management. Kris is passionate about technology, system administration and sharing her tips, tricks and documentation.

She has written many posts on FreeBSD, OpenBSD, VMware on Ubuntu and a couple on Windows support. If you are currently supporting a Linux community, I would encourage you to check out her blog at http://geekybits.blogspot.com/



September 08, 2007

Looking for Help Sharing Experiences

I started this blog in April with the intent of providing additional resources to the Linux, Unix, Windows and network community. After taking inventory of all of my posts since April, most are link related as opposed to content and discussion related. I have been focusing more on links than on writing How-To's or in-depth configuration discussions. To better understand the difference I am referring to, please look at my blog and compare it to any of the following system admin blogs:

Linux Screw, My SysAd Blog, The ITidiots, Ed's System Admin Blog, Bowulf Network Admin Blog

My Sysadmin.net blog does not come close to these when it comes to in-depth discussions, explanations and configuration information, and I would like to try and make up for some of that. However, I have certain time constraints and a couple of other blogs that I am contributing to, so I would like to ask for help from my readers, or others in the system admin community who may want to write a post or discussion. I am willing to post contributions and distribute IDs on my blog to all those who would like to contribute. I would like to tap into the system admin community, and especially the folks who have not posted or penned their own blogs.

This could be a great way to start writing and sharing what you know, and if you are like me, once you get the feel for writing and expressing your thoughts, you will probably want to start your own blog.

So to summarize, I am looking for contributors to help share discussions and thoughts about system management topics via my blog, and I will give each contributor full credit for each post and access to publish your own posts on my blog. I feel confident that this could work, and point to Friends in Tech and FastForward Blog as two successful blogs with multiple contributors that manage content very well.

Please feel free to comment or send your thoughts to me at kevin@kmmm.net.


September 07, 2007

Linux Screw

I came across a great little Linux/Unix blog that is worth checking out. It's called the Linux Screw, and there is plenty of great Linux and Unix content presented in a nice, clean-looking blog with plenty of graphics.

Check it out ......


