by Pedro M. S. Oliveira | Dec 19, 2011 | Linux, Solaris
MENTAL NOTE from http://moze.koze.net/?p=81
Converting SSL-certificates from CRT format to PEM
Dovecot, for example, seems to expect pem-files, while RapidSSL only issues
crt-files. The solution? Use OpenSSL to convert (via the DER-format) to pem:
openssl x509 -in input.crt -out input.der -outform DER
then
openssl x509 -in input.der -inform DER -out output.pem -outform PEM
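A .crt extension does not say how the certificate is encoded: the file may already be PEM text or may be binary DER. This added example (not part of the original note; the function names cert_encoding and to_pem are assumptions) detects the encoding, converts in one step, and checks that the SHA-256 fingerprint is unchanged.

```shell
#!/bin/sh
# Added example: normalise a certificate file to PEM, whatever its extension.

# cert_encoding FILE: print PEM, DER or unknown.
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = 30 ]; then
        echo DER      # a DER certificate starts with an ASN.1 SEQUENCE tag (0x30)
    else
        echo unknown
    fi
}

# to_pem IN OUT: write a PEM copy of IN, then compare the certificate
# fingerprints of input and output; fails if they differ.
to_pem() {
    enc=$(cert_encoding "$1")
    [ "$enc" != unknown ] || { echo "not a certificate: $1" >&2; return 1; }
    openssl x509 -in "$1" -inform "$enc" -out "$2" -outform PEM || return 1
    a=$(openssl x509 -in "$1" -inform "$enc" -noout -fingerprint -sha256) || return 1
    b=$(openssl x509 -in "$2" -inform PEM -noout -fingerprint -sha256) || return 1
    [ "$a" = "$b" ]
}

# Usage as a script: sh crt2pem.sh input.crt output.pem
if [ $# -eq 2 ]; then
    to_pem "$1" "$2"
fi
```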
by Pedro M. S. Oliveira | Aug 27, 2011 | Linux, Solaris
Today Oracle launched a paper that focuses on the gains of Oracle solutions over Solaris vs. IBM solutions over AIX.
You can find the paper here.
After reading the entire paper I find it quite tendentious.
I’m not an Oracle/SPARC fan nor an IBM/AIX fan, although I’ve worked with both for years; my favorite OS is Linux, and, well, I also like Solaris a bit.
So why do I find it tendentious:
1 – The way it’s written, for every user comment they say a slightly positive thing about IBM, but the really good thing is Oracle/Solaris.
2 – I don’t doubt that the interviews were conducted, but I’m almost sure the people were selected. As I said before, I like Linux; if I want, I can manage to get 20 sysadmins who will stress that Linux is better than Solaris, I just have to select the right ones. Although I know that’s not the case on many issues, it is on others.
Everyone likes to defend their favorite technology.
3 – Who ordered the study? The study costs money, and with so many interviews, who paid for it?
4 – It’s not possible that an independent study interviews dozens of people and they all point in the same direction; even on the price issue, which favors IBM, it’s not good because there are hidden costs. I know the costs are there, but for experts they aren’t that hidden.
5 – Why does it say it’s confidential on the front page when it’s published on Facebook.com? If it were a truly confidential report it wouldn’t be widely spread by Oracle.
I don’t want to look picky but as a piece of marketing this is a no go, at least in my opinion.
I like Oracle products like Unbreakable Linux, Solaris, MySQL, Oracle DB, OpenOffice and so on, I just don’t like companies that try to make you a fool with propaganda.
Cheers,
Pedro Oliveira
by Pedro M. S. Oliveira | Feb 5, 2010 | Daily life, Linux, Solaris
It’s been a while since I last wrote about ssh, one of my favorite applications.
SSH is extremely versatile, and although the use of tunnels is a well-known feature of ssh, the reverse tunnel is not.
First, where can you use a reverse tunnel? Imagine that you need to service a server/desktop that is behind a firewall and the only communication available must be started on the host behind the firewall.
Look at the diagram below:
Now you are sitting on PC B and your mother in law is sitting on PC A (familiar story?? And yes, my mother in law uses Linux). I don’t have direct access to her laptop (PC A) but I still need to install Skype for her to talk to the family.
First on PC B I create a dummy user for the connection:
useradd -m motherinlaw
passwd motherinlaw
Then tell someone on PC A to do the following (or create your own script to do it automatically; I’m also assuming that both PCs have sshd running):
ssh motherinlaw@PC-IP-B -R 2000:localhost:22
Let me explain it: -R sets up a remote (reverse) tunnel, 2000 is the port to be opened on the remote computer (PC B), and localhost:22 is where the traffic arriving on that port is delivered on the local computer (PC A).
So after a successful ssh login from PC A to PC B (you may check it, for instance, with who), you will be able to log in to PC A from PC B by issuing:
ssh root@localhost -p2000
Hope this helped someone out there.
Cheers,
Pedro Oliveira
by Pedro M. S. Oliveira | Aug 25, 2009 | Daily life, Linux, Solaris
Usually I write about technical stuff, or my rc cars, but this time I’m going to write about cloud computing, which isn’t that technical.
While reading two magazines today, one had on the cover “Cloud computing you can’t afford to leave this one out” and the other “Cloud computing a must for every company”.
So, if you’re in IT you’ve certainly heard about cloud computing, but let’s start by defining it: cloud computing is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the “cloud” that supports them (Wikipedia definition).
Having said this, you are probably using the cloud already if you use Gmail, Hotmail, or something like that; apart from the mail service you may be using Picasa storage, Dropbox, or even HI5 or Facebook to share photos, and if you use a blog it’s probably on the cloud too. But the cloud concept is wider. Imagine that your company has all its info on the cloud, all the applications that support your business, and that your systems are on the cloud too. You’re just left with your cheap PC clients, or thin clients, or whatever equipment you use to connect to the Internet and your piece of the cloud.
In theory this is a great tool: you won’t have to worry about uptime, backups, system maintenance, sysadmins, power failures, or air conditioning, but on the other hand you’ll be dependent on your providers and your ISP. You won’t be free to change and you won’t be as versatile; your choices will be your provider’s choices, and in the end applications and systems won’t be made to suit your needs: they’ll suit part of your needs and all your provider’s needs. Apart from that, you’ll probably end up spending more than you would if you had your own IT.
Some time ago I was thinking of using Amazon S3 for backing up my personal data, photos, personal movies, and my documents, as well as my family’s. Right now I have BackupPC on a server to do it all, backing up about 3.5TB of info. With my usage profile Amazon would cost me about 350€ a month, so as fast as I thought of using Amazon I dropped the idea: with 2 months of service I could buy a new server to do all the backup, and with another month of service I could pay the electric bill, space, and man-hours for a year.
Then a client that happily uses Sugar CRM heard about “the cloud” and thought that they could easily migrate Sugar to SalesForce and all the applications in the company to Google Apps. So we asked for prices, and the price of the cloud was about 960% more than the regular prices of applications and Sugar licenses, and this including all the system maintenance, space and electric costs.
So I started wondering, in the end I don’t see people pay less for the cloud usage, I see people having a smaller initial cost that in the end will be much greater than the original one.
I’m sure many of you have already made your own investigations into the cloud. Are you reaching the same conclusions?
Till now I’ve been writing about costs; now let’s get to flexibility and limitations.
Usually when talking about the cloud everyone sells you that the cloud is flexible, that the cloud will suit your needs and that it will grow when your business grow and get smaller when your business is going through a bad time.
In the end your cloud won’t be that flexible, most of “cloud providers” will have well established limits on amount of CPU usage/time, there will be limits on bandwidth, limits on connections per second and if you need to pass those limits you’ll be paying a lot for it. Then the small letter of the contract, sometimes you can have more processor power because you needed it but then you have to keep it for the minimum period, sometimes a year or even more.
But, well, the cloud is cutting-edge innovation, so this is something worth paying for. Once again, this isn’t totally true: IBM has had a cloud scheme running for decades; corporate clients may pay for processor, MIPS, processor time and memory usage. Apart from IBM, other companies worked like this for ages, companies like HP, SUN, and others.
So what’s new? In my opinion, what’s new is the way you interact with the cloud, making the browser the central part and unification point. The larger bandwidth available today also made this possible, and the content is much richer.
I can see a really good use for the home user who doesn’t want to worry about tech things. I see YouTube, Twitter, HI5, Facebook and others growing, and companies using those with a business mind. Honestly, I don’t see companies putting their secrets, their know-how, their experience, and their core in the hands of a cloud; I may be wrong, but right now I don’t see it moving that way (maybe I need glasses). I see a big fuss about the cloud, as I’ve seen the .com bubble and the IT recession; I’ve seen the thin-client revolution and the virtualization boom; now I see the cloud hype, and in a few months or years something new will come up and all this will be forgotten. I’ll see companies moving towards a new hype and investors spending their bucks on something else.
So, to conclude: I don’t think the cloud is a must; I think it’s something that you already had under a different name, and it became a hype because of a lot of marketing and publicity. If you think a little bit you’ll see who wins with all the hypes; usually it isn’t your company nor mine.
Cheers,
Pedro Oliveira
by Pedro M. S. Oliveira | Aug 11, 2009 | Linux, Solaris
My last post was quite controversial as I wrote about an authentication form using the password on the command line. Today I’ll be writing about how to login without password prompting but also about ssh-agent, secure RSA keys and how to execute remote commands with ssh.
First of all you need to generate an RSA key:
ssh-keygen -t rsa
Accept the default location, and then protect the private key with a passphrase.
By now your $HOME/.ssh folder holds at least these two files: id_rsa.pub and id_rsa. The .pub file contains the public part of your RSA key; as the name says, it’s public, and it’s what you install on remote hosts so they can authenticate you. The id_rsa file is the private part of your key, and no one else besides you should have access to it. Nevertheless, we also protect the key with a passphrase, so if someone gets hold of the file it won’t be a big problem.
Now, to use the “passwordless” authentication you need to append the content of id_rsa.pub to $HOME/.ssh/authorized_keys on the remote machine; if the file doesn’t exist, create it first.
If you want to do this in a single command line, just type the following:
cat $HOME/.ssh/id_rsa.pub | ssh YOUR_USER@REMOTE_SERVER "cat >> .ssh/authorized_keys"
It will ask you for the password just this first time. And you’re done.
But now every time you use the key it will ask you for the key’s passphrase, not the password of the user on the server (this is because you protected your key; if you hadn’t, you would be logged in by now).
If you want a totally automated process you can use ssh-agent. This way you type your key’s passphrase only once (for instance at session start) and use the key for as long as you are logged in.
To use ssh-agent just do the following:
cp /etc/X11/xdm/sys.xsession ~/.xsession
Edit the .xsession file so that these variables look like the following:
usessh="yes"
sshagent="yes"
Now you need to restart your X session (just log out and log in).
Now, to use ssh-agent and have your key available, just type:
ssh-add
This will ask you for your key’s passphrase, and from then on you can log in to remote servers without typing passwords (until the next logout or shutdown).
Cheers,
Pedro Oliveira
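The key installation step above, as an added example that is not part of the original posts: it appends a public key only once and sets the directory and file modes that sshd's default StrictModes check accepts. It also serves the reverse-tunnel post: as an alternative to a password account, the TUNNEL_ONLY options limit a key to opening port 2000 and nothing else. The names install_pubkey and TUNNEL_ONLY are assumptions, and the key shown is constructed.

```shell
#!/bin/sh
# Added example. The key used in the demo is constructed and not usable.

# install_pubkey HOME_DIR PUBKEY_FILE [OPTIONS]
# Append one public key to HOME_DIR/.ssh/authorized_keys, once, with the
# modes sshd expects. OPTIONS, if given, is an authorized_keys option string.
install_pubkey() {
    home_dir=$1 pubkey_file=$2 options=${3:-}
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys

    # A public key is a single line; take the first line only.
    key=$(head -n 1 "$pubkey_file") || return 1
    case $key in
        ssh-*|ecdsa-*|sk-*) ;;                  # looks like a public key
        *) echo "refusing, not a public key: $pubkey_file" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    entry="${options:+$options }$key"
    # -x whole line, -F literal string: append only if not already present.
    grep -qxF -- "$entry" "$auth_file" || printf '%s\n' "$entry" >> "$auth_file"
}

# A key limited to the reverse tunnel on port 2000: no shell, no PTY, no
# other forwarding (permitlisten needs OpenSSH 7.8 or later on PC B).
TUNNEL_ONLY='restrict,port-forwarding,permitlisten="localhost:2000",command="/bin/false"'

# Demo in a scratch directory.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3constructedExampleKeyNotReal pc-a-tunnel' > "$demo_home/id.pub"
install_pubkey "$demo_home" "$demo_home/id.pub" "$TUNNEL_ONLY"
cat "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

With the tunnel-only entry, PC A connects with ssh -N -R 2000:localhost:22 motherinlaw@PC-IP-B, since the key grants no shell.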
by Pedro M. S. Oliveira | Aug 10, 2009 | Linux, Solaris
Sometimes there’s a need to use ssh with the password as a command line parameter. I know keys exist and may be used for a “passwordless” login, and I know you may use expect to create a script to type the password for you. But if you just want a plain, simple tool to do it you may use plink.
Usually plink isn’t available in the distro (at least with SuSE and Fedora), so you may need to download its source and compile it.
Get it from http://the.earth.li/~sgtatham/putty/latest/putty-0.60.tar.gz and follow the commands:
tar -zxvf putty-0.60.tar.gz
cd putty-0.60/unix
./configure ; make ; sudo make install
and you’re done compiling.
Now let’s talk about using plink. You may use plink as a regular ssh client, something like plink pedro@192.168.1.1, and it will behave as your regular ssh client. Now try plink user@server -pw your_password and “voilà”, you’re logged in. For safety, type “history -c” (this will clean up your history).
If you want to automate an ssh script to run in batch mode (and this is the main use of plink), for instance in a cron script, you may use something like the following. Let’s suppose you have a text file called login_data.txt with 2 entries per line separated by spaces, the first entry being the host and the second the password, and you want to log in as root and execute the command poweroff:
#!/bin/bash
# login_data.txt holds one "host password" pair per line, separated by spaces
while read -r HOST PASSWD ; do      # read splits on spaces, extra ones included
    [ -n "$HOST" ] || continue      # skip empty lines
    # stdin comes from /dev/null so plink cannot read the rest of the list
    plink root@"$HOST" -pw "$PASSWD" poweroff < /dev/null
done < login_data.txt
Just be very careful with permissions on files that hold clear text passwords; ideally they shouldn’t exist, but sometimes every sysadmin has such needs.
If you want, you may find further info on plink on the PuTTY web site or by just typing plink on the command line.
The above script only works if you have already logged in at least once (you still need to accept the ssh server key); if you want to automate it totally you may use expect (I’m hoping to write about it sometime soon).
Cheers and see you next time
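A password passed with -pw sits in the process's argument list, which other local users can normally read with ps while the command runs, so clearing the shell history does not cover it. This added example (not from the original post; the function names, process listing and password are constructed) audits a ps listing for plink processes exposing -pw and checks that a password file such as login_data.txt is closed to group and others.

```shell
#!/bin/sh
# Added example; the process listing and password below are constructed.

# find_pw_args: read lines laid out like `ps -eo pid,user,args` on stdin and
# report every plink process that carries -pw in its arguments. The secret
# itself is never printed.
find_pw_args() {
    awk '{
        n = split($3, part, "/")
        if (part[n] != "plink") next            # match on the command basename
        for (i = 4; i < NF; i++)                # i < NF: -pw needs a value
            if ($i == "-pw") {
                printf "pid=%s user=%s cmd=%s arg=-pw <masked>\n", $1, $2, $3
                next
            }
    }'
}

# secret_file_is_private FILE: succeed only if group and others have no
# permission bits at all on FILE (mode 0600 or tighter).
secret_file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

SAMPLE_PS='  PID USER     COMMAND
 4312 backup   /usr/local/bin/plink root@192.0.2.10 -pw S3cretExample poweroff
 4313 pedro    plink pedro@192.0.2.11
 4314 pedro    vim notes-on-pw.txt'

printf '%s\n' "$SAMPLE_PS" | find_pw_args
```

On a live system the same check is `ps -eo pid,user,args | find_pw_args`, and a batch script can call secret_file_is_private login_data.txt before reading the file.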