Archive for category *NIX

Recent issues with SSH

userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

With this message in the log, the daemon will not allow connecting with older, SSH-1 keys (those still signing with the ssh-rsa algorithm named in the message).

The temporary solution is to add

PubkeyAcceptedKeyTypes +ssh-rsa

to /etc/ssh/sshd_config and restart the SSH daemon. That said, it is advisable not to keep relying on the weaker keys for long.

Thanks to the Archlinux forum for the info
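A small inventory script, added here as an example and not part of the original post: it lists which keys in an authorized_keys file still use ssh-rsa (the type the log message above rejects) and whether sshd_config carries the override shown above. The authorized_keys and sshd_config it reads are constructed samples with placeholder key material, written to temp files.

```shell
# Added example, not from the original post. Lists the key types in an
# authorized_keys file, counts the ssh-rsa ones and checks whether
# sshd_config re-enables ssh-rsa.
# Limitation: option strings containing spaces (command="a b") are not parsed.

# Print "<type> <comment>" for each key line; keys prefixed with options
# such as "no-pty" carry the type in the second field.
list_key_types() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         { t = $1; c = (NF >= 3) ? $3 : "(no comment)"
           if (t !~ /^(ssh-|ecdsa-|sk-)/) { t = $2; c = (NF >= 4) ? $4 : "(no comment)" }
           print t, c }' "$1"
}

# Number of keys that still use ssh-rsa.
count_rsa_keys() {
    list_key_types "$1" | awk '$1 == "ssh-rsa" { n++ } END { print n + 0 }'
}

# "yes" if the first PubkeyAcceptedKeyTypes/PubkeyAcceptedAlgorithms directive
# (sshd honours only the first occurrence) lists ssh-rsa, else "no".
# A leading "+" (append to defaults) or "^" (prepend) is stripped first.
rsa_override_enabled() {
    awk 'tolower($1) ~ /^pubkeyaccepted(keytypes|algorithms)$/ && !seen {
             seen = 1; sub(/^[+^]/, "", $2); n = split($2, a, ",")
             for (i = 1; i <= n; i++) if (a[i] == "ssh-rsa") found = 1
         }
         END { print (found ? "yes" : "no") }' "$1"
}

# Constructed sample inputs (placeholder key material, not real keys).
AUTH_KEYS=$(mktemp); SSHD_CFG=$(mktemp)
cat > "$AUTH_KEYS" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER bob@oldbox
# retired key, kept for reference
no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER backup@nas
EOF
printf 'PubkeyAcceptedKeyTypes +ssh-rsa\n' > "$SSHD_CFG"

echo "ssh-rsa keys: $(count_rsa_keys "$AUTH_KEYS")"
echo "ssh-rsa override in sshd_config: $(rsa_override_enabled "$SSHD_CFG")"
```

Keys reported as ssh-rsa are the ones whose owners need a newer key type (for example ssh-ed25519) before the override is removed again.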


OpenSSL certificate generation

You must have the CA configured properly; that is not within the scope of this post.

For self-signed certificate

The self-signed certificate is written to <hostname>.crt, the private key to <hostname>.key.

openssl req -x509 -newkey rsa:4096 -keyout <hostname>.key -out <hostname>.crt -days 365

For a CSR (Certificate Signing Request)

The request is in the <hostname>.csr, the private key is in the <hostname>.key.

The -nodes option turns off the passphrase prompt for the private key, which is a Bad Idea for personal certificates but is sometimes used for server certificates, where the key must be readable by an unattended service.

openssl req -newkey rsa:4096 -sha256 -nodes -keyout <hostname>.key -out <hostname>.csr -outform PEM

To generate DH parameters

Make sure to adjust the Apache configuration accordingly, https://httpd.apache.org/docs/trunk/ssl/ssl_faq.html and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

To sign a CSR

The request is in <hostname>.csr, the signed certificate is written to <hostname>.crt.

openssl ca -policy signing_policy -extensions signing_req -out <hostname>.crt -infiles <hostname>.csr

To verify a certificate or request

The request is in <hostname>.csr, the certificate is in <hostname>.crt.

openssl x509 -in <hostname>.crt -text -noout
openssl req -text -noout -verify -in <hostname>.csr


SSL, Postfix and IMAP

When setting up an authenticated SMTP service, be sure your IMAP server is accessible. The reason is that Postfix checks the username through the SASL authentication daemon (saslauthd), and saslauthd uses the “rimap” method for checking it. Rimap is “remote IMAP”: it tries to log into the configured IMAP service, which by default is ‘localhost’.



The Power of Pipes

Okay guys, the log is filling with

sshd[20117]: Invalid user pi from 142.93.118.186 port 50416
sshd[20117]: input_userauth_request: invalid user pi [preauth]
sshd[20117]: Received disconnect from 142.93.118.186 port 50416:11: Bye Bye [preauth]
sshd[20117]: Disconnected from 142.93.118.186 port 50416 [preauth]
sshd[20119]: Invalid user cubie from 5.189.227.161 port 39772
sshd[20119]: input_userauth_request: invalid user cubie [preauth]
sshd[20119]: Received disconnect from 5.189.227.161 port 39772:11: Bye Bye [preauth]
sshd[20119]: Disconnected from 5.189.227.161 port 39772 [preauth]
sshd[20121]: Invalid user guest from 208.68.37.169 port 42858

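As an added example (not part of the original post), a few shell functions that turn log noise like the above into a quick triage: attempts per source address, attempts per tried username, and the addresses worth a fail2ban or firewall rule. The log excerpt is constructed for the demo, using documentation address ranges.

```shell
# Added example, not from the original post: summarise sshd "Invalid user"
# lines by source address and attempted username. Only the "Invalid user"
# line is counted, so the follow-up "invalid user ... [preauth]" and
# disconnect lines of the same attempt do not inflate the numbers. Fields
# are located by keyword, so a syslog timestamp/host prefix does no harm.

# "<count> <ip>", most active address first.
attempts_by_ip() {
    awk '/Invalid user/ { for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break } }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# "<count> <user>", most tried username first. sshd logs an empty
# username as "Invalid user  from ...", which is reported as "(empty)".
attempts_by_user() {
    awk '/Invalid user/ { for (i = 1; i <= NF; i++) if ($i == "user") {
             u = $(i + 1); if (u == "from") u = "(empty)"; print u; break } }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Addresses with at least $2 attempts: candidates for a fail2ban or firewall rule.
repeat_offenders() {
    attempts_by_ip "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# Constructed log excerpt (documentation address ranges, not real hosts).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
sshd[20117]: Invalid user pi from 192.0.2.10 port 50416
sshd[20117]: input_userauth_request: invalid user pi [preauth]
sshd[20117]: Received disconnect from 192.0.2.10 port 50416:11: Bye Bye [preauth]
sshd[20119]: Invalid user cubie from 198.51.100.7 port 39772
sshd[20121]: Invalid user guest from 203.0.113.99 port 42858
sshd[20123]: Invalid user pi from 192.0.2.10 port 50418
sshd[20125]: Invalid user admin from 192.0.2.10 port 50420
sshd[20127]: Accepted publickey for alice from 203.0.113.5 port 51000 ssh2
EOF

echo "== by source address =="; attempts_by_ip "$LOG"
echo "== by username =="; attempts_by_user "$LOG"
echo "== 2+ attempts =="; repeat_offenders "$LOG" 2
```

On a real box replace "$LOG" with /var/log/auth.log (or journalctl -u ssh output) and raise the threshold to taste.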


Postfix and virtual SMTP users

A short how-to on using the same virtual users both for receiving email via IMAPS and for sending via SMTP, or just rants for myself:

Source for the ideas and setup

/etc/postfix/main.cf must contain:
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes



Rant on Apache2

Recently I was trying to move my sites to SSL – for various reasons.
The test site went fluently, while the work machine refused to serve SSL content. While testing with ‘wget’, the error I received was

GnuTLS: An unexpected TLS packet was received.



pull

is the only keyword missing from the OpenVPN client-to-server config for it to work correctly on the client.
It took me 3 days to figure this out, a lot of RTFM’ing and head-banging.

Full client config looks this way:


IPsec to Sonicwall appliance

Just a note:
when you need to establish an IPsec connection to a Sonicwall NSA 3500 firewall, here is a working config.
Linux side:
/etc/ipsec.conf :

include /etc/ipsec.d/*.conf



Get rid of removed packages in Debian

Every time a package is removed via `apt-get remove`, a small piece of its configuration is kept on your system. If you ever need to reinstall the package, this information can be reused. These packages have status ‘rc’ in the output of `dpkg -l`. But if you want to keep your system tidy and clean, you may want them removed.

The miraculous command is

dpkg -l | grep '^rc' | awk '{print $2}' | xargs -r apt-get remove --purge -y



Running VirtualBox guests from physical drive

Dual boot is a perfect solution in most cases.

On the other hand, if you need to peep into the other system’s files, you need to reboot, or use filesystem utilities that are sometimes not so stable.
Running a fully virtualized OS, using e.g. Xen as hypervisor, creates additional load on the hardware; maybe not too big when running multiple OSes on a fairly new server, but significant if it is a laptop. And yes, you NEED to keep data in sync between the virtual and the real OS.