
Authenticating users with freeradius on Centos

You may want to authenticate users against RADIUS at some point: perhaps your backend already stores all your users there, or perhaps you do not want to log in to many boxes to change the password for the same user. I will describe here how to authenticate users against RADIUS for almost any service.

First set up the EPEL repository, depending on whether you are running 64 bit or not:
#64 Bit

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

#32 Bit

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm

Install it and configure it:

yum install pam_radius
alias pico='nano -w'
pico /etc/pam_radius.conf

Set up your RADIUS details here:
#server[:port] shared_secret timeout (s)
127.0.0.1 your_radius_secret_password 3

Add radius authentication to SSH

cd /etc/pam.d
pico sshd

#now for any service you want to authenticate via RADIUS, just toss the following line in as the second line of its pam.d file
auth sufficient pam_radius_auth.so debug

Just open any service's pam.d file, add the line, and it is authenticating off RADIUS.
IMPORTANT NOTE: Do NOT think you can just add users to RADIUS and log in; you must actually create the user on the system first! This is not LDAP: we are simply providing another place to store users' passwords, nothing more. You can lock out the account on the system and still log in with the user's RADIUS password.

Adding a user is as simple as: adduser username
Deleting a user is just as simple: userdel -r username

Verify everything is ok:

ssh -l radius_user localhost
exit
tail -100 /var/log/secure

You should hopefully see something like the following:
pam_radius_auth: Got RADIUS response code 2

Exactly what we want: response code 2 from RADIUS is Access-Accept, so we typed in the right password and should have been logged in.
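Two checks for this setup, added here as an example and not part of the original post: a summary of pam_radius_auth results in a log like /var/log/secure (sample lines below are constructed in the format the post shows), and a permission check on /etc/pam_radius.conf, which holds the shared secret in clear text.

```shell
#!/bin/sh
# Added example, not from the post.
# 1. pam_radius_auth_summary: count RADIUS results in a log such as /var/log/secure.
#    Response codes are from RFC 2865: 2 = Access-Accept, 3 = Access-Reject,
#    11 = Access-Challenge. Because the pam line above uses "sufficient", a
#    reject is not final: PAM falls through to the local password check, so a
#    burst of rejects is still worth alerting on.
pam_radius_auth_summary() {
    awk '
        /pam_radius_auth: Got RADIUS response code/ {
            code = $NF
            if (code == 2) accept++
            else if (code == 3) reject++
            else if (code == 11) challenge++
            else other++
        }
        /pam_radius_auth:.*failed to respond/ { timeout++ }
        END {
            printf "accept=%d reject=%d challenge=%d other=%d server_timeout=%d\n",
                   accept, reject, challenge, other, timeout
        }' "$1"
}

# 2. pam_radius_conf_exposed: /etc/pam_radius.conf must be readable by root
#    only (mode 600). Returns success (0) when group or others can read it.
pam_radius_conf_exposed() {
    [ -n "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]
}

# Constructed sample log lines in the format the post shows; not real output.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 box sshd[2210]: pam_radius_auth: Got RADIUS response code 2
Mar  3 10:01:40 box sshd[2231]: pam_radius_auth: Got RADIUS response code 3
Mar  3 10:02:11 box sshd[2240]: pam_radius_auth: Got RADIUS response code 3
Mar  3 10:03:05 box sshd[2255]: pam_radius_auth: RADIUS server 127.0.0.1 failed to respond
Mar  3 10:04:00 box dovecot: pam_radius_auth: Got RADIUS response code 2
EOF

pam_radius_auth_summary "$SAMPLE_LOG"
if pam_radius_conf_exposed /etc/pam_radius.conf; then
    echo "WARNING: /etc/pam_radius.conf is readable by non-root users"
fi
```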

Try some other services; pop open dovecot for instance:

pico /etc/pam.d/dovecot (add the same line)
telnet localhost 110
user radius_user
pass radius_pass
retr 1

You can do this for all your services.

Until Next Time,

SunSaturn.com

Linux ISCSI with FreeBSD ZFS

How many of you would love to use ZFS on Linux for its excellent snapshot features, but cannot? How about we set up a FreeBSD host with ZFS, then on Linux mount the ZFS volume over iSCSI and format it as ext4; then we can snapshot that partition any time we want and roll it back any time we want. I have been using FreeBSD with ZFS for years with over 10TB of data; it is very stable on this OS. Let's see how I'd go about keeping ZFS for backup snapshots:

#ISCSI
#FreeBSD - let's set up the server portion of iSCSI:
#notice how df will not show data/iscsitest, as we are creating a block device

zfs destroy data/iscsitest
zfs create -V 20G data/iscsitest
zfs list -o name,used,avail,volsize
cd /usr/ports/net/istgt; make install
cd /usr/local/etc/istgt/
cp auth.conf.sample auth.conf
cp istgt.conf.sample istgt.conf
cp istgtcontrol.conf.sample istgtcontrol.conf
pico istgt.conf

[PortalGroup1]

Portal DA1 192.168.0.3:3269 …

[InitiatorGroup1]

Netmask 192.168.0.0/24 …

[LogicalUnit1]

LUN0 Storage /dev/zvol/data/iscsitest Auto

/usr/local/etc/rc.d/istgt start

#Linux:
yum install iscsi-initiator-utils
service iscsi start

iscsiadm -m discovery -t sendtargets -p 192.168.0.3
fdisk -l (find the new device… perhaps it is /dev/sdf)
gdisk /dev/sdf (partition it… maybe sdf1 as ext4)
mkfs.ext4 /dev/sdf1
mkdir /mnt; mount -t ext4 /dev/sdf1 /mnt

(toss it in /etc/fstab if you like as: /dev/sdf1 /mnt ext4 _netdev 0 0) #notice the _netdev option is needed
chkconfig iscsi on

#OPTIONAL: How would we change the size of the partition? (you can delete old targets with: iscsiadm -m node -p 192.168.0.3 --op=delete)
FreeBSD:

zfs set volsize=40G data/iscsitest
zfs list -o name,volsize
/usr/local/etc/rc.d/istgt restart

Linux:
(unmount any iscsi partitions)
service iscsi restart
fdisk -l (check which /dev/sdX it is and its new size to confirm)
gdisk /dev/sdf (delete all partitions and save)
gdisk /dev/sdf (recreate it with max size and save)
resize2fs /dev/sdf1
(go ahead and mount it again, should have new size)

#FreeBSD snapshot test:
zfs snapshot data/iscsitest@test

(now time goes on and data gets written to /mnt on linux box, but something happens and we want to roll back)

#rollback:
FreeBSD:
/usr/local/etc/rc.d/istgt stop
zfs rollback data/iscsitest@test
/usr/local/etc/rc.d/istgt start

Linux:
umount /mnt
mount /mnt
(should be recovered)

#to make your life easier, crontab the snapshots daily and monthly:
21 4 * * * (/usr/local/etc/rc.d/istgt stop; zfs destroy data/iscsitest@`/bin/date +\%A`; zfs snapshot data/iscsitest@`/bin/date +\%A`; /usr/local/etc/rc.d/istgt start) > /dev/null 2>&1
0 0 1 * * (/usr/local/etc/rc.d/istgt stop; zfs destroy data/iscsitest@`/bin/date +\%B`; zfs snapshot data/iscsitest@`/bin/date +\%B`; /usr/local/etc/rc.d/istgt start) > /dev/null 2>&1
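The same rotation as a script with error reporting, added here as an example and not part of the post: the one-liners discard all output, so if "zfs destroy" fails the following "zfs snapshot" fails silently and the stale snapshot stays. The dataset and rc script names are taken from the post; ZFS and ISTGT can be overridden so the logic can be exercised on a host without zvols.

```shell
#!/bin/sh
# Added example, not from the post. Daily/monthly zvol snapshot rotation for
# the istgt-exported volume, with failures reported to cron instead of hidden.
ZFS=${ZFS:-zfs}
ISTGT=${ISTGT:-/usr/local/etc/rc.d/istgt}
DATASET=${DATASET:-data/iscsitest}

rotate_snapshot() {
    # $1 = snapshot label, e.g. "$(date +%A)" daily or "$(date +%B)" monthly
    snap="$DATASET@$1"
    # Stop exporting the zvol first. The Linux initiator still has ext4
    # mounted, so the snapshot is crash-consistent at best; unmount on Linux
    # (as the rollback steps above do) when you need a clean filesystem image.
    "$ISTGT" stop || return 1
    rc=0
    # Replace last week's / last year's snapshot of the same name if it exists;
    # a missing snapshot on the first run is not an error.
    if "$ZFS" list -t snapshot -H -o name "$snap" >/dev/null 2>&1; then
        "$ZFS" destroy "$snap" || rc=1
    fi
    [ $rc -eq 0 ] && { "$ZFS" snapshot "$snap" || rc=1; }
    # Always bring the target back so the initiator does not stay
    # disconnected, then tell cron (which mails non-empty output) about failure.
    "$ISTGT" start || rc=1
    [ $rc -eq 0 ] || echo "snapshot rotation for $snap FAILED" >&2
    return $rc
}

case ${1:-} in
    daily)   rotate_snapshot "$(date +%A)" ;;
    monthly) rotate_snapshot "$(date +%B)" ;;
esac
```

Install it at a path of your choosing (for example /usr/local/sbin/zvol-snap.sh, an assumed name) and point the two crontab entries at "zvol-snap.sh daily" and "zvol-snap.sh monthly" without the redirect to /dev/null.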

Until next time,

Dan.

CPanel FFMPEG and Centos 6.3 setup

Install a pre-requisite for perl-SGMLSpm:

yum install openjade
alias pico='nano -w'

Install some decent repositories:
64 Bit:

rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm -Uvh ftp://rpmfind.net/linux/centos/6.3/os/x86_64/Packages/perl-SGMLSpm-1.03ii-21.el6.noarch.rpm

32 Bit:

rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
rpm -Uvh ftp://rpmfind.net/linux/centos/6.3/os/i386/Packages/perl-SGMLSpm-1.03ii-21.el6.noarch.rpm

Install Dag repository

pico /etc/yum.repos.d/dag.repo

Insert:

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1

Install CPanel Ruby and flvtool2:

/scripts/installruby
gem install flvtool2

Next let's install the base packages we need:

yum install ffmpeg ffmpeg-devel mplayer mencoder gpac gpac-libs

Let's get ffmpeg-php:

wget http://downloads.sourceforge.net/ffmpeg-php/ffmpeg-php-0.6.0.tbz2
tar xjf ffmpeg-php-0.6.0.tbz2
cd ffmpeg-php-0.6.0
sed -i 's/PIX_FMT_RGBA32/PIX_FMT_RGB32/g' ffmpeg_frame.c
phpize
./configure
make

Note: If you are running PHP 5.4 you may need to make the following changes, then run "make" above again:

pico ffmpeg_movie.c

In ffmpeg_movie.c:
row 311: list_entry *le; becomes zend_rsrc_list_entry *le;
row 346: list_entry new_le; becomes zend_rsrc_list_entry new_le;
row 360: hashkey_length+1, (void *)&new_le, sizeof(list_entry), becomes hashkey_length+1, (void *)&new_le, sizeof(zend_rsrc_list_entry),

Now let's really install everything:

make install
Installing shared extensions:     /usr/local/lib/php/extensions/no-debug-non-zts-20090626/
pico /usr/local/lib/php.ini

Now add the following to the end of the file, but substitute no-debug-non-zts-20090626 below with wherever your "make install" command above installed it:

extension_dir = "/usr/local/lib/php/extensions/no-debug-non-zts-20090626"
extension="ffmpeg.so"

Restart Apache:

/scripts/restartsrv_httpd

Now check a PHP script containing the following to verify it worked:

phpinfo();

DKIM and postfix setup on centos 6.3

This is meant as a quick 5-minute get-it-going and a 5-minute quick test to get DKIM working. I do recommend actually reading the man pages etc. if you have extra time, but this guide should get you going.

Install EPEL repository:
64 bit:
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
32 bit:
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm

Install DKIM:
# yum install opendkim
# export domain=YOURDOMAIN.com
# mkdir /etc/opendkim/keys/$domain
# cd /etc/opendkim/keys/$domain
# opendkim-genkey -d $domain -s default
# chown -R opendkim:opendkim /etc/opendkim/keys/$domain
# echo "default._domainkey.$domain $domain:default:/etc/opendkim/keys/$domain/default.private" >> /etc/opendkim/KeyTable
# echo "*@$domain default._domainkey.$domain" >> /etc/opendkim/SigningTable

If you have internal hosts relaying through this server whose mail you also want to sign:
# echo "192.168.0.0/24" >> /etc/opendkim/TrustedHosts

Edit DNS:
# cat /etc/opendkim/keys/$domain/default.txt >> /var/named/master/YOUR_DOMAIN_DNS_ZONE_FILE
(what I normally do at this point is increment the serial number in the DNS zone file, log in to the slaves, delete their zone files and restart named there to get it going quickly)
# nano -w /etc/opendkim.conf
◦Mode sv
◦Domain YOURDOMAIN.com
◦uncomment everything except KeyFile
(Find this line: SigningTable /etc/opendkim/SigningTable and change it to:
SigningTable refile:/etc/opendkim/SigningTable to enable regex wildcards on SigningTable)

Configure Postfix
# nano -w /etc/postfix/main.cf (add following)
# opendkim setup
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept

Restart Services
# service opendkim start
# service postfix restart
# service named reload
# chkconfig opendkim on

Test our setup
# echo "DKIM Test" | mail -s "DKIM Testing" SOMEUSER@gmail.com
# tail -100 /var/log/maillog

Now make sure the maillog shows it signed, then check the Gmail headers of the email you sent and make sure everything passes.
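Before relying on the Gmail header check, it is worth confirming that the TXT record pasted into the zone file is what resolvers actually serve; the check below is an added example, not part of the post, and assumes the post's layout (selector "default", key files under /etc/opendkim/keys/$domain). The default.txt and dig answer in the block are constructed samples with a placeholder key.

```shell
#!/bin/sh
# Added example, not from the post: compare the DKIM public key that
# opendkim-genkey wrote with the one published in DNS.

# Read opendkim-genkey's default.txt (or `dig +short TXT` output) on stdin,
# join the quoted string fragments and print only the base64 public key (p=).
dkim_p_value() {
    tr -d '\n' | grep -o '"[^"]*"' | tr -d '"\n' | tr ';' '\n' |
        sed -n 's/^[[:space:]]*p=//p' | tr -d ' \t\n'
}

# Exit status 0 when the key in file $3 matches the TXT record DNS serves for
# selector $2 of domain $1 (uses dig, so this part needs network access).
dkim_dns_matches() {
    local_key=$(dkim_p_value < "$3")
    dns_key=$(dig +short TXT "$2._domainkey.$1" | dkim_p_value)
    [ -n "$local_key" ] && [ "$local_key" = "$dns_key" ]
}

# Constructed sample default.txt in the layout opendkim-genkey writes.
# The key is a placeholder, not a real public key.
SAMPLE_KEY_FILE=$(mktemp)
cat > "$SAMPLE_KEY_FILE" <<'EOF'
default._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
	  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQPLACEHOLDERKEYPLACEHOLDERKEY" )  ; ----- DKIM key default for example.com
EOF

# Constructed `dig +short` answer for the same record, as DNS would return it.
SAMPLE_DIG_ANSWER='"v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQPLACEHOLDERKEYPLACEHOLDERKEY"'

if [ "$(dkim_p_value < "$SAMPLE_KEY_FILE")" = "$(printf '%s\n' "$SAMPLE_DIG_ANSWER" | dkim_p_value)" ]; then
    echo "sample key file and sample DNS answer carry the same public key"
fi
```

Against a live zone, run dkim_dns_matches YOURDOMAIN.com default /etc/opendkim/keys/YOURDOMAIN.com/default.txt once the slaves have picked up the new serial.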


Dan