Tracy Phillips

Archive for the ‘Linux’ Category

CentOS sudo error audit_log_user_command(): Connection refused


While in a CentOS OpenVZ virtual machine the other day, I had set up sudo to get to root and encountered the following message:

[server][user][~]$ sudo su -
Password:
audit_log_user_command(): Connection refused

No harm in that, but it was unpleasant to look at nonetheless.

It finally got the better of me and I decided to go about fixing it.

This bug is in Red Hat’s Bugzilla, located here. The fix is to patch your current version of sudo or use a newer version of sudo than sudo-1.6.9.p13. I opted to install the latest version of sudo as of this writing, sudo 1.7.

This was a fresh install, so I needed to install a few rpm’s with yum.

[server][root][~]# yum install gcc pam-devel make

Then I did the build:

[server][root][~]# wget http://www.gratisoft.us/sudo/dist/sudo-1.7.0.tar.gz
[server][root][~]# tar xzvf sudo-1.7.0.tar.gz
[server][root][~]# cd sudo-1.7.0
[server][root][~]# ./configure
[server][root][~]# make
[server][root][~]# make install

That’s all there was to it. Now you can sudo till your heart’s content without that annoying little message.

Now I can finally get ready for the Super Bowl party.

Written by Tracy

January 24th, 2009 at 11:02 am

Posted in Linux


nfslock: rpc.statd startup failed


Have you ever seen this in your logs:

10:55:18 [server] nfslock: rpc.statd startup failed

If you have, you might want to check and make sure that you have portmap running:

[server][root][~]# service portmap status
portmap is stopped

Oops. Portmap is not running. Let’s check whether portmap is configured to start at boot:

[server][root][~]# chkconfig --list portmap
portmap        	0:off	1:off	2:off	3:off	4:off	5:off	6:off

And if it’s not (as is our case), configure it to start at boot:

[server][root][~]# chkconfig portmap on

Ahhhhh, that’s more like it. This is how it should look:

[server][root][~]# chkconfig --list portmap
portmap         0:off   1:off   2:on    3:on    4:on    5:on    6:off

And crank it up:

[server][root][~]# service portmap start
Starting portmap:                                          [  OK  ]

Now you can make sure it is running:

[server][root][~]# service portmap status
portmap (pid 15384) is running...

Written by Tracy

January 23rd, 2009 at 10:55 am

Posted in Linux


Recording shell session from login to exit


Just the other day I was moving /home out of the / partition, and in doing so I wanted to record all of the actions and output so that I could save them for later use… or to blog about ;)

There are a couple of ways to go about saving all of that output.

The easiest way to do this is to run the script command:

[server][root][~]# script

By default, this writes the output to a file named typescript.

If you want to change the name of the output file, invoke it as

[server][root][~]# script output.txt

or any other file of your choosing.

That starts a recording session that will record what goes on during your terminal session.

If you want to record a user’s shell session from login to exit, put something like this in the user’s .bash_profile:

exec /path/to/ttyrec session-log-$(date +%Y%m%d-%H%M)

That will create a log file named in the form session-log-YYYYMMDD-HHMM.
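As an added example (not from the original post), here is a .bash_profile fragment that does the same job with script instead of ttyrec, but also refuses to start a second recorder inside the recorded shell and never overwrites an earlier log. SESSION_LOG_DIR, the /var/log/session-logs path, and the function names are my own assumptions; a user who controls their own .bash_profile can remove the hook, so treat this as a convenience log rather than a tamper-proof audit trail.

```bash
#!/bin/bash
# Added example, not code from the original post. Records a login session with
# `script`. SESSION_LOG_DIR and /var/log/session-logs are assumed; a root-owned
# directory with the sticky bit (mode 1777) stops users deleting each other's
# logs, but each user can still remove their own, so ship the files off-host
# if they matter for audit.

SESSION_LOG_DIR="${SESSION_LOG_DIR:-/var/log/session-logs}"

# Build session-log-<user>-YYYYMMDD-HHMM, appending -1, -2, ... if the name is taken.
session_log_name() {
    local user="$1" stamp="$2" dir="$3" base candidate n=1
    base="$dir/session-log-$user-$stamp"
    candidate="$base"
    while [ -e "$candidate" ]; do
        candidate="$base-$n"
        n=$((n + 1))
    done
    printf '%s\n' "$candidate"
}

# Record only interactive shells ($- contains "i") and only when no recorder is
# already running: script spawns a child shell that may source this file again.
should_record() {
    local shell_flags="$1" already_recording="$2"
    case "$shell_flags" in *i*) ;; *) return 1 ;; esac
    [ -z "$already_recording" ]
}

if should_record "$-" "${SESSION_RECORDING:-}"; then
    export SESSION_RECORDING=1
    logfile=$(session_log_name "$(id -un)" "$(date +%Y%m%d-%H%M)" "$SESSION_LOG_DIR")
    # exec replaces the login shell, so leaving the recorded shell ends the session.
    exec script -q "$logfile"
fi
```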

Pretty nifty stuff.

Written by Tracy

January 22nd, 2009 at 10:23 am

Posted in Linux


Exclude list of devices from LVM2


On Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5, LVM2 can be configured via the /etc/lvm/lvm.conf file to exclude devices that the volume manager is not allowed to access. To exclude a list of devices, use the filter keyword to specify a list of accessible devices.

An example of the filter keyword is shown below:

[server][root][~]# grep filter /etc/lvm/lvm.conf
filter = [ "a|loop|", "r|/dev/hdc|", "a|/dev/ide|", "r|.*|" ]

Pattern matching is based on the following logic:

  • If any name matches any ‘a’ pattern, the device is accepted
  • Otherwise if any name matches any ‘r’ pattern it is rejected
  • Otherwise it is accepted.

NOTE: Be sure to only specify one filter line in /etc/lvm/lvm.conf since only one filter pattern is expected.

After changes are made to the lvm configuration file, it will be necessary to run the command vgscan in order for the changes to become active. Shown below is an example of running vgscan in extended debug output mode to activate the changes in the configuration file.

[server][root][~]# vgscan -vvvv

Written by Tracy

January 22nd, 2009 at 10:18 am

Posted in Linux


sendmail: auxpropfunc error no mechanism available


Have you been getting the following error in your log files?

Jan  7 14:10:30 [server] sendmail[2822]: sql_select option missing
Jan  7 14:10:30 [server] sendmail[2822]: auxpropfunc error no mechanism available
Jan  7 14:10:30 [server] sendmail: sendmail startup succeeded
Jan  7 14:10:30 [server] sendmail: sm-client startup succeeded

The reason is that SASL tries to load and initialize every plug-in it finds, so the SQL plug-in is initialized whenever it is installed. Initializing it requires valid sql_engine (which defaults to ‘mysql’) and sql_select options.

So what is the solution? If you do not need the cyrus-sasl-sql rpm, you can remove it like so:

[server][root][~]# rpm -e cyrus-sasl-sql

You could also do the following instead:

[server][root][~]# rm /usr/lib/sasl2/libsql.*

Written by Tracy

January 20th, 2009 at 10:14 am

Posted in Linux


sshd: error: Bind to port 22 on 0.0.0.0 failed: Address already in use


Have you ever been sifting through your log files, and seen this little jewel:

Now, are we listening on port 22 or not? I know I am logged in via ssh right now, so I know sshd is working correctly. Let’s do a little investigation, shall we? Let’s see what is listening on port 22.

[server][root][~]# netstat -an | grep 22
tcp        0      0 :::22                      :::*                        LISTEN

[server][root][~]# lsof -i | grep 22
sshd        3449     root    3u  IPv6   7505       TCP *:22 (LISTEN)

Ahhhh HA! Just as I suspected: IPv6 is listening on port 22, so IPv4 can’t listen on port 22. Whew. I thought there might be something really serious going on.

Open up /etc/ssh/sshd_config in your favorite text editor and slap this snippet (or uncomment it if it is already there) into it.

ListenAddress 0.0.0.0

If you have the following line in your sshd_config, comment it out by putting a hash (#) in front of it, like so:

#ListenAddress ::

That should do it… restart sshd and that should take care of that little error… errrrr I mean jewel :-)

You can also disable IPv6 instead, but that’s taking things a little bit far if you ask me.

echo "alias net-pf-10 off" >> /etc/modprobe.conf

If you do disable IPv6, don’t forget to restart your server.

Written by Tracy

December 16th, 2008 at 9:54 am

Posted in Linux


SCALE 7x – Southern California Linux Expo


SCALE 7x will be February 20th – 22nd, 2009 at the Westin LAX Hotel, and tickets are on sale now.

SCALE is cooperating with LOPSA to make Linux training available at the Linux Expo. SCALE University will again convene at SCALE 7x!

Register early; demand will be high for the classes:

  • Introduction to Virtualized Storage
  • Disaster Recovery: Will you survive?
  • Internal documentation for SysAdmins
  • Saving the World with Fedora Directory Server

See you there… Be there or be square.

Written by Tracy

December 7th, 2008 at 9:52 am

Posted in Linux

How to view the contents of a CSR


If you generate quite a few CSRs that are used to generate SSL certificates, you might need to view the contents of the CSR itself to see whether it has valid information in it.

To do that, save your CSR to a file… I will call mine hostvelocity.com.www.csr (yeah, I know it’s long… but if you have a ton of certs and CSRs lying around, it helps to be able to identify them).


Now to view the contents of it, just issue the following command:

[server][root][~]# openssl req -text -noout -in hostvelocity.com.www.csr

and this is the output:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=CA, L=Oceanside, O=Hostvelocity, OU=IT Dept, CN=www.hostvelocity.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b2:c7:18:58:cf:83:73:7a:b2:ad:fd:7b:d7:25:
                    ea:81:b3:db:5e:20:fd:38:10:5b:8c:07:c3:19:42:
                    d0:72:c4:82:83:1d:8e:34:5e:ca:68:13:61:4f:2b:
                    b0:6d:e4:26:0a:31:18:ce:73:77:ec:06:80:6c:eb:
                    97:32:8a:d3:a7:de:a7:88:07:1f:64:0a:60:fb:e0:
                    bf:33:54:a5:92:ac:4a:64:02:ee:b0:ae:f1:59:01:
                    82:66:53:18:0c:75:85:0d:98:8b:d2:54:4f:cb:38:
                    5a:37:53:45:80:eb:77:46:52:3a:71:b9:d3:8a:66:
                    11:ac:c3:67:0a:72:b1:1d:51
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        32:a0:04:24:b2:17:70:5d:19:e2:b8:d7:4a:49:3d:f9:a3:e9:
        9f:b4:4c:fb:06:bb:8e:88:59:f7:07:c5:bf:3b:99:a5:de:92:
        eb:86:66:14:1e:83:81:a4:c6:f9:d0:7e:b4:e5:0b:96:0b:06:
        18:02:b8:5f:49:d1:5b:0a:68:cd:7e:36:84:aa:98:54:78:71:
        b9:1d:1c:da:31:dc:a9:e8:89:a2:ed:92:54:a7:9f:eb:0c:68:
        35:21:d7:fe:e6:fe:73:af:90:30:09:56:e3:90:f3:cb:24:42:
        67:be:3a:67:f9:75:be:ff:9a:4e:8e:85:72:99:ea:d0:fe:ad:
        9a:1d

This is a good way to check that your customers have all the valid info required to order an SSL certificate. Things to look for:

C=Country
ST=State
L=City
O=Organization
OU=Department
CN=Common Name

You can see that I have that info in the output of the CSR above.
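As an added example (not from the original post), here is a small shell check that reads the output of openssl req -text -noout from stdin and flags a missing subject component, an RSA key under 2048 bits, or an MD5/SHA-1 signature. The field list is the one given above; the key-size and signature thresholds reflect what public CAs accept today, and csr_check is a name of my own.

```bash
#!/bin/sh
# Added example, not code from the original post. Sanity-check a CSR text dump
# before ordering a certificate:
#   openssl req -text -noout -in hostvelocity.com.www.csr | csr_check
# Prints one line per finding and returns 0 only when nothing is missing or weak.

csr_check() {
    local dump status subject field bits sigalg
    dump=$(cat)
    status=0

    # Subject line, with "C = US" (newer openssl) normalised to "C=US" (older).
    subject=$(printf '%s\n' "$dump" | sed -n 's/^ *Subject: *//p' | head -n 1 | sed 's/ *= */=/g')

    # Every RDN the post lists must be present. The leading ", " anchors each
    # match so that "O=" does not also match "OU=".
    for field in C ST L O OU CN; do
        case ", $subject" in
            *", $field="*) ;;
            *) echo "missing subject field: $field"; status=1 ;;
        esac
    done

    # Key size: "RSA Public Key: (1024 bit)" (old openssl) or "Public-Key: (2048 bit)" (new).
    bits=$(printf '%s\n' "$dump" | sed -n 's/.*Public.Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ]; then
        echo "could not determine key size"; status=1
    elif [ "$bits" -lt 2048 ]; then
        echo "weak key: $bits bits (need at least 2048)"; status=1
    fi

    # Signature algorithm: MD5 and SHA-1 signatures are no longer accepted by public CAs.
    sigalg=$(printf '%s\n' "$dump" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$sigalg" in
        md5*|sha1*) echo "weak signature algorithm: $sigalg"; status=1 ;;
        "") echo "could not determine signature algorithm"; status=1 ;;
    esac

    return $status
}
```

Run against the dump above it reports the 1024-bit key and the md5WithRSAEncryption signature, both unremarkable in 2008 but rejected by public CAs now.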

Written by Tracy

November 16th, 2008 at 11:42 am

Posted in FreeBSD, Linux


List all cron jobs for all users


You need to run this as root:

[server][root][~]# for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l; done

That will loop over each user in /etc/passwd, listing out their crontab. The crontabs are owned by their respective users, so you will not be able to see another user’s crontab without doing this as root.

Written by Tracy

November 13th, 2008 at 12:24 pm

Posted in Linux


Sendmail X-Authentication-Warning


Have you ever looked at your email headers and seen that sendmail attached an X-Authentication-Warning because Apache sent an email as a user other than the system user “apache”?

This is what the email header would look like:

X-Authentication-Warning: mail.domain.com: apache set sender to sales@domain.com using -f

To keep sendmail from adding the warning, you need to set up your Apache user as a trusted sender. In my case my Apache user is “apache”. Sometimes the user might be called httpd.

You will need to add your Apache user to /etc/mail/trusted-users:

[server][root][~]# vi /etc/mail/trusted-users

Your sendmail.cf should already be set up to read that file:

[server][root][~]# grep trusted /etc/mail/sendmail.cf
Ft/etc/mail/trusted-users

Otherwise, force the trusted user with a line like:

Tusername

If you build your sendmail.cf from sendmail.mc, use:

FEATURE(use_ct_file)dnl

Written by Tracy

May 21st, 2007 at 12:07 pm

Posted in FreeBSD, Linux
