Archive for December, 2003

Locking/Unlocking a user account

Sunday, December 21st, 2003

Sometimes it is useful to temporarily block a user account, for instance during maintenance. The passwd utility provides options to do so. Note that passwd -l works by prefixing the account's password hash in /etc/shadow with "!", which only disables password authentication: logins that do not present the password, such as SSH public-key authentication, may still succeed. To disable the account outright, also expire it (chage -E 0 user_login_name) or give it a non-login shell such as nologin.

To lock an account simply type:

passwd -l user_login_name

Now check the status of the account:

passwd -S user_login_name

and you’ll get something like this…

user_login_name L 12/09/2003 0 99999 7 -1

From the passwd man page:

The account status may be given with the -S option. The status information consists of 6 parts. The first part indicates if the user account is locked (L), has no password (NP), or has a usable password (P). The second part gives the date of the last password change. The next four parts are the minimum age, maximum age, warning period, and inactivity period for the password.

To unlock the user account…

passwd -u user_login_name
passwd -S user_login_name

And as a result…

user_login_name P 12/09/2003 0 99999 7 -1
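The following is an added example, not part of the original post: it applies the same "!" prefix transformation that passwd -l and passwd -u perform to a constructed shadow(5) entry and classifies the result the way passwd -S does (L, NP, P). The entry, its hash and the user name are made up, and nothing here touches /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the original post: simulate passwd -l / passwd -u on
# a shadow(5) entry without touching /etc/shadow. Assumes shadow-utils
# semantics, where locking prefixes the hash field with "!".

# Second field of a shadow line: the password hash.
shadow_hash() {
    printf '%s\n' "$1" | cut -d: -f2
}

# Classify the entry the way `passwd -S` does:
#   L  locked (hash starts with "!"), NP no password, P usable password.
shadow_state() {
    pw=$(shadow_hash "$1")
    case "$pw" in
        '')   echo NP ;;
        '!'*) echo L ;;
        *)    echo P ;;
    esac
}

# What `passwd -l` does: prepend "!" to the hash. Made idempotent so that
# locking an already-locked account does not stack "!!" prefixes.
lock_line() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    pw=$(shadow_hash "$1")
    rest=$(printf '%s\n' "$1" | cut -d: -f3-)
    case "$pw" in
        '!'*) printf '%s:%s:%s\n' "$user" "$pw" "$rest" ;;
        *)    printf '%s:!%s:%s\n' "$user" "$pw" "$rest" ;;
    esac
}

# What `passwd -u` does: strip one leading "!" again.
unlock_line() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    pw=$(shadow_hash "$1")
    rest=$(printf '%s\n' "$1" | cut -d: -f3-)
    printf '%s:%s:%s\n' "$user" "${pw#!}" "$rest"
}

# Constructed sample entry (last change 12395 = 12/09/2003); the hash is a
# placeholder, not a real password hash.
SAMPLE='user_login_name:$6$saltsalt$placeholderhash:12395:0:99999:7:::'

echo "before:   $(shadow_state "$SAMPLE")"
LOCKED=$(lock_line "$SAMPLE")
echo "locked:   $(shadow_state "$LOCKED")   $LOCKED"
echo "unlocked: $(shadow_state "$(unlock_line "$LOCKED")")"
```

The point to take away is that the lock is nothing more than an invalid hash: any authentication path that never consults the hash is unaffected by it.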

The “at” command

Saturday, December 20th, 2003

The at command is useful when you want to run a job at a later time. at reads the commands to execute from standard input or from a file given with -f, and queues them for execution at the specified time. The working directory, umask and environment variables in effect when the job is submitted are stored with the job and restored when it runs, so the job does not see variables set afterwards, and anything sensitive in the environment at submission time ends up in the job's spool file.

For example, if you want to run script.sh at 4:15 AM…

at 4:15am < script.sh

Note that if the time is already past, the next day is assumed.

If you want to run a job in 15 minutes…

cat script.sh | at now + 15 minutes

“at now +” lets you specify minutes, hours, days, or weeks. You can also have at run the job today or tomorrow by replacing now with today or tomorrow:

at -f script.sh tomorrow 1:30pm
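Who may submit jobs at all is controlled by /etc/at.allow and /etc/at.deny. The following is an added example, not part of the original post: a shell function that applies the at(1) rule (if at.allow exists, only the users listed in it may use at; otherwise, if at.deny exists, everyone not listed in it may; if neither exists, only root may), evaluated against constructed policy files in a scratch directory so it can be run without touching /etc. Treating root as always permitted is an assumption made here; the man page only guarantees it for the case where neither file exists. The user names are made up.

```shell
#!/bin/sh
# Added example, not from the original post: the at.allow / at.deny policy of
# at(1), evaluated against constructed files in a scratch directory so it can
# be run without touching /etc.

AT_DEMO=$(mktemp -d)
trap 'rm -rf "$AT_DEMO"' EXIT

# at_permitted USER ALLOWFILE DENYFILE -> prints yes or no.
# Rule from at(1): if ALLOWFILE exists, only users listed in it may use at;
# otherwise, if DENYFILE exists, every user not listed in it may; if neither
# exists, only root may. Root is treated as always permitted here (assumption;
# the man page only guarantees it for the "neither file" case).
at_permitted() {
    user=$1 allow=$2 deny=$3
    if [ "$user" = root ]; then
        echo yes
    elif [ -f "$allow" ]; then
        # at.deny is ignored entirely once at.allow exists.
        if grep -qx "$user" "$allow"; then echo yes; else echo no; fi
    elif [ -f "$deny" ]; then
        # An empty at.deny therefore lets everyone use at.
        if grep -qx "$user" "$deny"; then echo no; else echo yes; fi
    else
        echo no
    fi
}

# Constructed policy: alice is allow-listed, mallory is deny-listed.
printf 'alice\n' > "$AT_DEMO/at.allow"
printf 'mallory\n' > "$AT_DEMO/at.deny"

for u in alice bob mallory root; do
    echo "with at.allow present:  $u -> $(at_permitted "$u" "$AT_DEMO/at.allow" "$AT_DEMO/at.deny")"
    echo "with only at.deny:      $u -> $(at_permitted "$u" "$AT_DEMO/missing" "$AT_DEMO/at.deny")"
done
```

When auditing a host, the first thing to check is therefore whether at.allow exists: if it does, at.deny is irrelevant, however carefully it was maintained.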


Resolving package conflicts

Sunday, December 7th, 2003

Imagine this situation when you try to emerge a package:

emerge xfree

Calculating dependencies …done!

!!! Error: the x11-libs/xft package conflicts with another package.
!!! both can't be installed on the same system together.
!!! Please use 'emerge --pretend' to determine blockers.

(more…)

Injecting a package with Emerge

Sunday, December 7th, 2003

Sometimes you’ll want to emerge a set of packages but skip one of them. For example, if you…

emerge -p world

you could get something like this…

Calculating world dependencies …done!
[ebuild U ] sys-devel/gnuconfig-20030708
[ebuild U ] sys-devel/libtool-1.4.3-r1
[ebuild U ] sys-libs/db-1.85-r1
…..
[ebuild U ] dev-perl/Digest-MD5-2.26 [2.24]
[ebuild U ] dev-perl/Digest-SHA1-2.04 [2.02]

Now suppose that you want to emerge all of these packages but, say, Digest-MD5.

To do that, inject the package you want to skip, so that emerge believes it is already installed at that version. Keep in mind that the stub is only a record in Portage's database: nothing is installed, the files of the previously installed version remain in use, and Portage will no longer offer that update, so note that you have done this and remove the stub once the package is really installed. (Later Portage versions dropped --inject in favour of /etc/portage/profile/package.provided, which has the same effect.)

emerge -i dev-perl/Digest-MD5

According to the man pages…

Injecting a package inserts a 'stub' for that package so that Portage thinks that it is installed. It is handy if you need, say, a binary version of XFree86 for esoteric hardware, or you just like to roll your own packages. You must specify a category and particular version of a package for injecting.

rsync.gentoo.org rotation server compromised

Wednesday, December 3rd, 2003

From Gentoo Linux Security Announcement 200312-01…

On December 2nd at approximately 03:45 UTC, one of the servers that makes up the rsync.gentoo.org rotation was compromised via a remote exploit. At this point, we are still performing forensic analysis. However, the compromised system had both an IDS and a file integrity checker installed and we have a very detailed forensic trail of what happened once the box was breached, so we are reasonably confident that the portage tree stored on that box was unaffected.

(more…)

OpenSSH at port 6010, 6011…?

Monday, December 1st, 2003

Why does your ssh server open a port starting at 6010? An SSH connection is expected to be on port 22, as netstat reports:

kranpak root # netstat -tanp | grep ssh
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 26580/sshd

This is normal behaviour and is related to X11 forwarding.

When an X application wants to draw on the screen it finds the X server through the DISPLAY environment variable, whose host:display pair maps either to a Unix socket on the local machine or to TCP port 6000 + display_number.

If, for instance, DISPLAY=localhost:0, the X client is told that the X server it needs to connect to is running on the local machine on port 6000. When you start an X server it usually takes the first display, 0 (port 6000 + 0), for applications to connect to. When you SSH to a server with X forwarding enabled, OpenSSH on the server opens a display for X applications to connect to, and forwards those connections over the secure tunnel to the display of the connecting client.

By default OpenSSH starts at display 10 (6000 + 10, or port 6010; the offset is the X11DisplayOffset setting in sshd_config) or at the next free display after that (11, port 6011). The end result is that SSH makes a tunnel from port 6010 on the server to localhost:6000 on the client (assuming ssh takes display 10 on the server and the client is running under display 0). So if you run “echo $DISPLAY” in those ssh sessions you should see “localhost:10” and “localhost:11” respectively.

Two things are worth knowing about these listeners. sshd binds them to the loopback address only (X11UseLocalhost yes, the default), so other hosts cannot reach them, and each forwarded display gets its own xauth cookie. Forwarding is also a trust relationship in the other direction: any X client running on the server, including a hostile one, can talk to your local X server through the tunnel, so keep ForwardX11Trusted off for servers you do not fully trust and enable forwarding only when you need it.
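As an added example (not from the original post), two small shell checks around this: display_port turns a DISPLAY value into the TCP port an X client would use, and x11_listeners scans netstat -tanp style output for sshd's X11 listeners and flags any bound to all interfaces rather than loopback, which is what X11UseLocalhost no produces. The netstat lines, PIDs and user names are constructed sample data modelled on the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the DISPLAY convention
# described above (host:display[.screen] -> TCP port 6000 + display) and the
# netstat -tanp output layout; the netstat lines below are constructed.

# display_port DISPLAY -> TCP port an X client over TCP would connect to.
#   display_port localhost:10 -> 6010    display_port :0.1 -> 6000
display_port() {
    disp=${1##*:}          # keep "display[.screen]"
    disp=${disp%%.*}       # drop ".screen"
    echo $((6000 + $disp))
}

# display_host DISPLAY -> the host part; empty means the local transport
# (Unix socket), as with DISPLAY=:0.
display_host() {
    echo "${1%:*}"
}

# Read netstat -tanp style lines on stdin and print one line per sshd X11
# listener (ports 6000-6063 are displays 0-63) as "<addr>:<port> ok|EXPOSED".
# EXPOSED means bound to 0.0.0.0 or ::, i.e. reachable from other hosts, which
# is what X11UseLocalhost no in sshd_config produces.
x11_listeners() {
    awk '$6 == "LISTEN" && $7 ~ /\/sshd/ {
            n = split($4, a, ":")
            port = a[n] + 0
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (port >= 6000 && port <= 6063) {
                state = (addr == "0.0.0.0" || addr == "::") ? "EXPOSED" : "ok"
                print $4, state
            }
        }'
}

# Constructed sample: a normal loopback-bound forward on display 10 and a
# misconfigured one on display 11; the X server's own listener is not sshd's.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      26580/sshd
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      26601/sshd: user@pts/0
tcp        0      0 0.0.0.0:6011            0.0.0.0:*               LISTEN      26640/sshd: other@pts/1
tcp        0      0 127.0.0.1:6000          0.0.0.0:*               LISTEN      26700/X
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 26601/sshd: user@pts/0'

echo "DISPLAY=localhost:10 -> host '$(display_host localhost:10)' port $(display_port localhost:10)"
printf '%s\n' "$NETSTAT_SAMPLE" | x11_listeners
```

On a real host, pipe `netstat -tanp` (or `ss -tlnp`, after adjusting the field numbers) into x11_listeners; any EXPOSED line means a forwarded display is reachable from the network and protected only by its xauth cookie.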

Thanks to Chris Hendrickson.