Category Archives: Unix Sysadmin

Unix System Administration

Happy System Administrator Appreciation Day!

Happy System Administrator Appreciation Day to all of you who keep the zettabytes of cat videos constantly streaming. Also known as Sysadmin Day, SysAdminDay or just a SAAD day. System Administrator Appreciation Day is celebrated on the last Friday in July.

Thank you for your service to the internets!

ThinkGeek may still have some SysAdmin Day survival packs laying around.

How to disable telnet, ftp and rlogin/rsh in Solaris 10

Should you disable telnet, ftp, rlogin/rsh in Solaris 10?

Yes. Disable them on any Solaris machine that is reachable from a network you do not fully control, not only the public internet-facing ones: telnet, ftp and rlogin/rsh send passwords and the whole session in cleartext, and the r-services additionally rely on host-based trust (hosts.equiv and .rhosts) that is trivially spoofed. You should already be using the built-in secure protocols, SSH and SFTP, if you are on anything other than a closed test network.

These commands use the Service Management Facility (SMF) and work on Solaris 10 and Solaris 11. On earlier releases these daemons were not SMF services at all; they were launched by inetd, so you disable them by commenting out their lines in /etc/inet/inetd.conf and sending inetd a HUP. But if you’re still using Solaris 9 and below, what century are you in? Even Sun/Oracle Solaris 10 is pretty much relegated to legacy research systems these days.

/usr/sbin/svcadm disable svc:/network/telnet:default
/usr/sbin/svcadm disable svc:/network/login:rlogin
/usr/sbin/svcadm disable svc:/network/ftp:default

Note that rsh is a separate SMF service, svc:/network/shell:default, and needs its own svcadm disable. svcadm disable is persistent across reboots; add -t if you only want a temporary change until the next boot.

Check that the services are disabled using the following commands (the state column should read "disabled"):

/usr/bin/svcs -a | grep telnet
/usr/bin/svcs -a | grep rlogin
/usr/bin/svcs -a | grep ftp
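As an added example (not from the original post), here is a small audit script that reads `svcs -a` output and reports which cleartext login services are still online, so the check is not a matter of eyeballing grep output. The FMRIs are the real SMF names, and the list includes rsh (svc:/network/shell:default), which the commands above leave running. The `svcs` output in the script is constructed so it runs offline; on a real host feed it `$(/usr/bin/svcs -a)`.

```shell
#!/bin/sh
# Added example: audit a Solaris 10/11 host for cleartext login services by
# reading `svcs -a` output. Not part of the original post.

# Cleartext services that should be disabled on any host reachable from an
# untrusted network. rsh (svc:/network/shell) is the one people forget.
CLEARTEXT_FMRIS='svc:/network/telnet:default
svc:/network/ftp:default
svc:/network/login:rlogin
svc:/network/shell:default'

# cleartext_online SVCS_OUTPUT
# Prints, one per line, every cleartext FMRI whose state is "online"
# (enabled and running) in the given `svcs -a` output.
cleartext_online() {
    _svcs_out=$1
    printf '%s\n' "$CLEARTEXT_FMRIS" | while IFS= read -r fmri; do
        # svcs -a columns: STATE STIME FMRI; the FMRI is always the last field
        printf '%s\n' "$_svcs_out" |
            awk -v f="$fmri" '$1 == "online" && $NF == f { print f }'
    done
}

# Constructed sample of `svcs -a` output: telnet and rsh still online,
# ftp and rlogin already disabled, ssh online as it should be.
SAMPLE_SVCS='STATE          STIME    FMRI
online         Jul_24   svc:/network/telnet:default
disabled       Jul_24   svc:/network/ftp:default
disabled       Jul_24   svc:/network/login:rlogin
online         Jul_24   svc:/network/shell:default
online         Jul_24   svc:/network/ssh:default'

# On a real host:  cleartext_online "$(/usr/bin/svcs -a)"
# then run  /usr/sbin/svcadm disable <fmri>  for each line printed.
cleartext_online "$SAMPLE_SVCS"
```

Because the function only parses text, you can also run it over output collected from many hosts (for example `ssh host /usr/bin/svcs -a`) without installing anything on them.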

Have fun, but if you are really serious about system security, try using SELinux on Red Hat Enterprise Linux. Though even that can’t keep some administrators out of trouble. Be vigilant and update your servers often!

13 days until Fedora 19 release

Fedora 19’s final release date is set for 13 days from now on July 2nd. Fedora 19 will offer support for 3D printing, BIND 10, GLIBC 2.17, PHP 5.5 and many other improvements and updates. Many of the updates to Fedora 19 or “Schrödinger’s Cat” will be incorporated into Red Hat Enterprise Linux 7 (RHEL 7) to be released in the second half of 2013.

Update: Red Hat Enterprise Linux 7 was finally released on June 10th 2014. Read the Red Hat press release on RHEL 7 here.


How to determine OpenSSL version in Solaris 10

Finding your OpenSSL version in Solaris 10 Unix (the bundled copy lives under /usr/sfw, not on the default PATH):

sunbox# /usr/sfw/bin/openssl version

OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)

The current stable release at the time of writing (2012) is OpenSSL 1.0.1c; the Solaris-bundled 0.9.7d is years behind upstream and only kept alive by Oracle patches.

Don’t forget the space between the command path and “version”!

Update 9 April 2014: This post has received a lot of attention recently due to the OpenSSL Heartbleed vulnerability (CVE-2014-0160). This vulnerability does not affect OpenSSL versions prior to 1.0.1, so if you are running the older version packaged with Solaris you are not exposed to Heartbleed itself. Do not mistake that for being safe: 0.9.7 is long out of upstream support and has plenty of other fixed CVEs that depend on Oracle’s patch level, not the version string. Heartbleed is fixed in OpenSSL 1.0.1g and present in 1.0.1 through 1.0.1f (1.0.1, 1.0.1a, 1.0.1b, 1.0.1c, 1.0.1d, 1.0.1e and 1.0.1f). Check and keep patching before your heart bleeds out! The site Unixpackages.com now has an updated Solaris package for version 1.0.1g of OpenSSL.

Update April 18, 2014: And now Oracle finally releases an official patch for Solaris. I received an email at 2 pm Pacific time with their security alert:

http://www.oracle.com/technetwork/topics/security/alert-cve-2014-0160-2190703.html 

Seems a little late in the game for Oracle but there’s the update. Happy patching!

Oracle released another updated OpenSSL patch for Solaris 10 on June 13, 2014.

Here’s the readme file for patch 148071-13.

And another update to the ongoing OpenSSL patch saga:

February 2015: the OpenSSL 1.0.1j packages for Solaris 8-11 on SPARC and Solaris 10-11 on x86 have been updated to version 1.0.2, available from UnixPackages.com. Check out the OpenSSL patch changelog here.
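Added example (not the post’s own code): two shell helpers that turn the two checks described above into something you can script across a fleet. The first classifies an `openssl version` string against the Heartbleed range (1.0.1 through 1.0.1f); the second reads `showrev -p` output and reports the highest installed revision of a Solaris patch id, so you can confirm that 148071-13 from the June 2014 update is actually on the box. The `showrev -p` output below is constructed for the example, and the package names in it are assumed.

```shell
#!/bin/sh
# Added example, not from the original post.

# heartbleed_affected VERSION_STRING
# Takes the output of `openssl version` and prints "yes" if the version is
# in the Heartbleed range 1.0.1 .. 1.0.1f (CVE-2014-0160), "no" otherwise.
heartbleed_affected() {
    # second whitespace-separated field is the version, e.g. "1.0.1e" or "0.9.7d"
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo yes ;;
        *)                echo no ;;
    esac
}

# patch_revision PATCH_ID SHOWREV_OUTPUT
# Prints the highest installed revision of a Solaris patch id (e.g. 148071)
# found in `showrev -p` output, or "none" if the patch is not installed.
# showrev -p lines look like: "Patch: 148071-13 Obsoletes: ... Packages: ..."
patch_revision() {
    printf '%s\n' "$2" | awk -v id="$1" '
        $1 == "Patch:" && split($2, p, "-") == 2 && p[1] == id && p[2]+0 > best {
            best = p[2]+0
        }
        END { if (best) print best; else print "none" }'
}

# Constructed sample of `showrev -p` output (package names assumed): an old
# and a newer revision of the OpenSSL patch are both recorded.
SAMPLE_SHOWREV='Patch: 119254-93 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 148071-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWopenssl-libraries
Patch: 148071-13 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWopenssl-libraries'

# On a real host:
#   heartbleed_affected "$(/usr/sfw/bin/openssl version)"
#   patch_revision 148071 "$(showrev -p)"
for v in 'OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)' \
         'OpenSSL 1.0.1c 10 May 2012' \
         'OpenSSL 1.0.1g 7 Apr 2014'; do
    echo "$v -> Heartbleed affected: $(heartbleed_affected "$v")"
done
echo "patch 148071 highest installed revision: $(patch_revision 148071 "$SAMPLE_SHOWREV")"
```

The version check only tells you about Heartbleed; for the Oracle-patched 0.9.7d the patch revision is the number that matters, which is why both checks are here.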


Oracle’s legal team forces wesunsolve.net to shutdown

Another useful tool for Solaris Unix system administrators was crushed under the weight of Oracle. This tool was highly useful for digging through all of the patch readme files to determine which patch might solve your problem and for finding patch dependencies.

The site, wesunsolve.net, was regularly updated and linked to Oracle’s support page for the actual download of patches.

Yes, the site did copy Sun/Oracle read me files and patch information and put it in a more navigable format, but did not distribute any Sun/Oracle binaries. You still had to have an active support account with Oracle to download Solaris patches. But the company should have recognized that this was a tool that supported the Solaris community and made managing some aging Solaris machines a little easier. But moves like this are part of the reason those Solaris machines are aging and will be replaced by Linux machines.

Screenshot: wesunsolve.net shut down by Oracle. Thanks for all of your hard work on the site that has helped countless administrators. You will be missed!

Legal note:  Sun, Oracle and Solaris are registered trademarks of Oracle.
Linux is a trademark of Linus Torvalds.

Solaris 10 Passwd Permission Denied As Root

So you have a Solaris 10 operating environment and you’re getting “permission denied” errors when trying to change a users password while logged in as root.

So you check /var/adm/messages for some clues and you see a message like this:

sunbox# tail /var/adm/messages
Aug  1 13:31:08 sunbox yppasswdd[1221]: [ID 467562 auth.error] yppasswdd: user test_user: does not exist

You know that the user exists, and can still see the user in your NIS passwd files using a command like this:

ypcat passwd | grep test_user

So how do you fix it?

You can restart your NIS processes using this command:

svcadm restart nis/server

Sometimes that will resync the NIS files and processes and get things back in working order. Sometimes you still get the same error.

What finally fixed my “passwd change permission denied” error was actually quite simple once I figured out what the problem was.

At times your NIS map files can become out of sync and need to be rebuilt. This “Passwd Permission Denied” problem can be caused by a recommended Solaris security patch that may have replaced your custom NIS Makefile with a standard issue Solaris one that has PWDIR = /etc and not PWDIR = /var/yp. Using /var/yp instead of /etc is done to separate local system accounts such as root from the standard NIS user accounts of a workgroup.

If you find your NIS Makefile changed from PWDIR = /var/yp to PWDIR = /etc then your users may not be able to log in at all and they’ve probably already come running for their system admin. You may need to recover your original NIS Makefile from the backup you ran before patching. You did make a backup, right? Or the patch script may have taken your original Makefile and named it Makefile.old or something. You can run a "diff" on those two files to see what changed. If the Solaris patch made changes unhealthy to your career, replace the new Makefile with the Makefile.old file.

A restart of the NIS/YP services is necessary to bring all of the map files back into sync. If a restart of the services doesn’t work, check PWDIR (the directory ypmake reads passwd and shadow from, /var/yp or /etc) for a stale lockfile. .pwd.lock is taken while a password is being updated; if a passwd or yppasswdd run was interrupted it stays behind and every later update is refused. Make sure no password change is actually in progress before you remove it.

sunbox# ls -al
-rw-------     1  root     root          0  Aug  1 09:42 .pwd.lock

I removed the lockfile and restarted the NIS/YP processes:

sunbox# rm .pwd.lock
sunbox# /usr/lib/netsvc/yp/ypstop
sunbox# /usr/lib/netsvc/yp/ypstart

You should see a message like this when restarting the NIS processes:

starting NIS (YP server) services:  ypserv ypbind ypxfrd rpc.yppasswdd rpc.ypupdated done.

After restarting, you should be able to see the processes running with “ps” command:

sunbox# ps -ef | grep yp

Now you should be able to reset your users NIS passwords without the “permission denied” error by running the “passwd” command:

sunbox# passwd -r nis <username>
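Added example (not from the original post) for the Makefile check described above: extract PWDIR from the current Makefile and from the Makefile.old a patch left behind, and flag the change before the users show up at your door. The two Makefiles below are constructed stand-ins written to a temporary directory; on a real host point the functions at /var/yp/Makefile and /var/yp/Makefile.old.

```shell
#!/bin/sh
# Added example, not from the original post.

# nis_pwdir MAKEFILE
# Prints the value of PWDIR from a NIS Makefile (the directory ypmake reads
# passwd and shadow from), tolerating whitespace around the "=".
nis_pwdir() {
    awk -F= '/^[ \t]*PWDIR[ \t]*=/ {
                 gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
             }' "$1"
}

# pwdir_changed NEW_MAKEFILE OLD_MAKEFILE
# Returns 0 (and prints a warning) if the two Makefiles disagree on PWDIR,
# which is the symptom of a patch having replaced a customised Makefile.
pwdir_changed() {
    new=$(nis_pwdir "$1")
    old=$(nis_pwdir "$2")
    if [ "$new" != "$old" ]; then
        echo "WARNING: PWDIR changed from '$old' in $2 to '$new' in $1" >&2
        return 0
    fi
    return 1
}

# Constructed sample Makefiles: the site copy keeps NIS accounts out of the
# local /etc files, the stock copy a patch installed does not.
demo=$(mktemp -d)
cat > "$demo/Makefile.old" <<'EOF'
# site Makefile: NIS accounts live in /var/yp, separate from local /etc
PWDIR =/var/yp
DIR =/etc
EOF
cat > "$demo/Makefile" <<'EOF'
# stock Makefile as shipped with the patch
PWDIR =/etc
DIR =/etc
EOF

if pwdir_changed "$demo/Makefile" "$demo/Makefile.old"; then
    echo "restore the site Makefile, then ypstop/ypstart to rebuild the maps"
fi
```

A `diff` tells you the same thing, but a function with an exit status is what you can drop into a post-patch checklist and run on every NIS master after the next recommended patch cluster.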

Notes on NIS and YP:

NIS, or Network Information Service, was originally called Yellow Pages or YP, which is why the NIS commands begin with "yp". Since the term "Yellow Pages" is a registered trademark of British Telecom PLC for its non-digital, old school paper commercial telephone directory, Sun changed the name of its system to NIS.

NIS+ has its own command set (nis* commands such as niscat and nismatch) rather than the yp* commands.

Since NIS was developed before the public internet, robust security was never a feature: maps such as passwd are served to any host that can reach the server, and there is no authentication of the server to the client. NIS will work fine on a closed research network but is not recommended for any network that touches the internet. NIS+ was the intended successor, but Sun deprecated it and it was removed in Solaris 11, so the realistic modern option is LDAP (with Kerberos for authentication). But if you’re stuck administering a legacy research network that has no funding to upgrade, then you still have to know how to deal with the quirks of NIS.

Existing NIS maps can be (and should be) migrated to other systems such as LDAP.

“Fibre” vs. “fiber” Explained

Know the difference between “Fibre” vs. “fiber” in connectivity hardware.

References to Fibre Channel can be confusing partly due to the use of the words “fibre” and “fiber” interchangeably.

Both spellings mean essentially the same thing, but have evolved with the technology to be used for more specific aspects of the architecture or hardware.

“Fibre” is used in non-US international English, and the spelling “fiber” is primarily used in US English. The official spelling of the FC technology is “Fibre Channel”. The word “fiber” is generally used more often when referring to the actual optical glass fiber cables used to facilitate high speed communication over long distances.

Now you know the common usage of the terms fibre vs fiber. Though making it all work together is a whole different matter which will be covered on this site soon.

NTP on Unix

Network Time Protocol (NTP) on Unix/Linux Machines is used to synchronize the system clock with accurate standardized clocks for precise time keeping needed in communication, scientific research and finance.

In this basic NTP on Unix example we’ll be using xntpd – Network Time Protocol daemon on Solaris 10

To see the time and date set on your Unix system type:

sunbox% date

Wed Feb 22 14:13:31 PST 2012

sunbox%

To see if ntp is already running on your Unix system type:

sunbox% ps -ef | grep ntp

    root   243     1   0   Feb 20 ?           0:14 /usr/lib/inet/xntpd

The default configuration file for the xntp daemon is /etc/inet/ntp.conf. On Solaris 10 the daemon is the SMF service svc:/network/ntp:default, which only starts if that file exists; Solaris ships template configurations as /etc/inet/ntp.client and /etc/inet/ntp.server to copy from.

sunbox% more /etc/inet/ntp.conf
# ident "@(#)ntp.client 1.3     00/07/17 SMI"
#
# /etc/inet/ntp.client
#
# An example file that could be copied over to /etc/inet/ntp.conf; it
# provides a configuration for a host that passively waits for a server
# to provide NTP packets on the ntp multicast net.
#
#multicastclient 224.0.1.1
server xxx.xxx.xxx.x

sunbox% nslookup xxx.xxx.xxx.x
Server:         xx.xx.x.x
Address:        xx.xx.x.x#53

Non-authoritative answer:
x.xxx.xxx.xxx.in-addr.arpa      name = time.time.timeserver???.com.

Authoritative answers can be found from:
xxx.xxx.xxx.in-addr.arpa        nameserver =

sunbox%

Many other settings are available in NTP to tweak the accuracy of the received time signal and to authenticate it. Authentication matters because an unauthenticated client accepts time from whoever answers first: a spoofed server can push a clock backwards or forwards and with it certificate validity checks, Kerberos ticket lifetimes and log timestamps. Authenticated time is standard in the banking and financial industries where accurate and authenticated transaction time stamps are critical. The "fudge" command applies to a locally attached reference clock (a 127.127.t.u "server" entry), not to a remote server; its time1 value is a fixed offset that compensates for delays such as the serial line or cable run between the receiver and the host.
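As an added example (not the post’s configuration), here is an /etc/inet/ntp.conf for Solaris 10 xntpd that only accepts time from one named server and only when that server signs its packets with a shared symmetric key. 192.0.2.10 is a placeholder documentation address, key id 1 and the key file contents are assumed, and the reference-clock driver number is an assumption for your receiver.

```conf
# /etc/inet/ntp.conf  (Solaris 10 xntpd; added example, addresses and key assumed)
#
# Default policy: ignore everyone. Then open up only what is needed:
# localhost for ntpq/xntpdc, and the one upstream server, which may not
# modify our configuration or set traps.
restrict default ignore
restrict 127.0.0.1
restrict 192.0.2.10 nomodify notrap

# Symmetric-key authentication. Key ids listed in trustedkey must exist in
# the keys file, which is root-owned, mode 0600, with lines of the form
#   1 M ExampleSharedSecret
# (M = MD5). A packet from 192.0.2.10 that does not carry a valid key-1
# authenticator is discarded rather than trusted.
keys /etc/inet/ntp.keys
trustedkey 1
server 192.0.2.10 key 1

# A locally attached reference clock, if you have one, is the only place
# "fudge" belongs: time1 is a fixed offset in seconds compensating for the
# serial/cable delay between the receiver and this host. Driver 20 (generic
# NMEA GPS) is assumed here; use the driver number for your receiver.
#server 127.127.20.0
#fudge 127.127.20.0 time1 0.0735

# Keep the frequency estimate across restarts (the Solaris default path).
driftfile /var/ntp/ntp.drift
```

MD5 symmetric keys are weak by today’s standards but are what xntpd offers; the security they buy is that a host on the same segment can no longer impersonate your time server with a plain unsigned reply, and a shared key beats no key. Restart the service with svcadm restart svc:/network/ntp:default after editing both files.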

An unaccounted-for cable delay shifts your time reference, and the error propagates into every timestamp you record. That matters most when you are timing things at or near the speed of light: in 2011 the OPERA experiment at CERN reported neutrinos apparently arriving faster than light, and the anomaly was traced back to a faulty fibre-optic connection in its GPS timing chain, prompting a friendly reminder from Forbes: Always Check the Cable Before Doubting Einstein.

It is also possible to have NTP running on an Android or iOS powered smart phone which I’ll cover in another post.


Solaris Fibre Channel Commands

Here’s a few Solaris commands that are useful for determining what type of Fibre Channel adapters you have installed in your system.

The ifconfig command won’t show fibre interfaces unless they are configured for IP over FC.

There is a Solaris 10 command called ‘fcinfo’ that will give you more information on your fibre devices.

fcinfo must be run as root (or with equivalent privilege) to get results. Run as an ordinary user it does not return an error; it just prints the message "No Adapters Found.", which is confusing and frustrating if you know that FC adapters are installed on your system. Trust me. I’ve been there in my early days of plodding through fibre channel connectivity.

Fcinfo as a standard user:

sunbox%  fcinfo hba-port

No Adapters Found.

As root:

sunbox#  fcinfo hba-port

HBA Port WWN: 2100001b………

More Solaris fibre channel commands coming soon!

FTP ASCII vs. Binary transfer modes

In this demonstration we will be using ftp to transfer files from a Solaris 10 workstation to a Windows workstation, using the command-prompt ftp client on Windows to connect to the ftp port of the Solaris machine. (Plain FTP is cleartext, as the first post on this page says, so keep this to a closed lab network.)

The two primary modes of transferring files via FTP are ASCII and binary. ASCII is an acronym for the American Standard Code for Information Interchange, an early standard of character encoding. ASCII mode in FTP (TYPE A) is meant for text files: the transfer translates line endings between the two systems’ conventions (LF on Unix, CR LF on Windows), so a text file arrives in the receiver’s native format. Examples of ASCII files are .asp, .html, .php, .pl and .txt files. Binary mode (TYPE I, for "image") copies the bytes exactly as they are and is meant for raw data files. Examples of binary files are .gif, .jpg, music and video files, as well as zipped (compressed) tar files. The line-ending translation is the whole problem: FTP has no idea what a JPEG is, so every 0x0a byte in the image data gets rewritten too. Be sure you understand the ftp ASCII vs binary differences so you know which file transfer mode to use.


Screenshot: ftp transfer in ASCII mode

Transferring a jpg file in ASCII mode, will get you something that looks like a screenshot of the game Pitfall! on the Atari 2600, circa 1982. It won’t look anything like the original file.

Screenshot: a 2012 Unix calendar JPEG transferred via FTP ASCII mode; psychedelic, eh?
Image: Pitfall! game cartridge from Activision for the Atari 2600

So to transfer a non-text file with all the bits intact, use the binary mode by typing ‘binary’ at the ftp command prompt. In the dos version, you’ll see the “Type set to I” message rather than the “Type set to A” message for ASCII mode.
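Added example (not from the post) of why ASCII mode breaks binaries: simulate TYPE A by rewriting every LF to CR LF, the translation the Windows side performs, against a constructed 14-byte stand-in for a JPEG, and compare byte counts and contents with a TYPE I copy. The sample file is not a real image; it only reproduces the property that matters, arbitrary bytes that happen to include 0x0a.

```shell
#!/bin/sh
# Added example, not from the original post.

# ascii_mode_transfer SRC DST
# Simulates an FTP ASCII (TYPE A) transfer to a CR LF system: every LF
# (0x0a) in the input becomes CR LF. FTP does not know which bytes are
# "text", so a 0x0a inside image data is rewritten just like a newline.
# The sample below ends with LF, matching awk terminating each record.
ascii_mode_transfer() {
    LC_ALL=C awk '{ printf "%s\r\n", $0 }' "$1" > "$2"
}

# binary_mode_transfer SRC DST
# Simulates TYPE I ("image"): bytes are copied exactly as they are.
binary_mode_transfer() {
    cat "$1" > "$2"
}

# byte_count FILE: size in bytes, with wc's leading spaces stripped.
byte_count() {
    wc -c < "$1" | tr -d ' '
}

# Constructed stand-in for a JPEG: the real SOI/APP0 marker bytes FF D8 FF E0
# followed by arbitrary bytes, three of which are 0x0a. 14 bytes in total.
demo=$(mktemp -d)
printf '\377\330\377\340\012\020JFIF\001\012\277\012' > "$demo/sample.jpg"

binary_mode_transfer "$demo/sample.jpg" "$demo/binary.jpg"
ascii_mode_transfer  "$demo/sample.jpg" "$demo/ascii.jpg"

echo "original:    $(byte_count "$demo/sample.jpg") bytes"
echo "binary copy: $(byte_count "$demo/binary.jpg") bytes"   # identical
echo "ascii copy:  $(byte_count "$demo/ascii.jpg") bytes"    # 3 LFs -> 3 extra CRs
cmp -s "$demo/sample.jpg" "$demo/ascii.jpg" ||
    echo "ASCII copy differs from the original: the image is corrupted"
```

The same check works on a real transfer: run cksum on both ends and the sums will differ after an ASCII-mode copy of anything that is not text, even when the file sizes happen to stay close.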

Screenshot: ftp transfer in binary mode

Use binary transfer mode for your non-text files and they should arrive fully intact and legible:

Screenshot: the same 2012 Unix calendar JPEG transferred via FTP binary mode