Nate Silva

Aug 30 2011

In CentOS Linux 6.0, you can’t SSH using authorized_keys

The problem

Using CentOS Linux 6.0, you’ve created a ~/.ssh/authorized_keys file on the host and placed your RSA public key in that file.

However, when you ssh to the host, you are still prompted for your password. If you enable debug logging on the server, you might see something like this:

Aug 30 21:31:37 mysql sshd[4331]: debug1: userauth-request for user nate service ssh-connection method publickey
Aug 30 21:31:37 mysql sshd[4331]: debug1: attempt 1 failures 0
Aug 30 21:31:37 mysql sshd[4331]: debug1: test whether pkalg/pkblob are acceptable
Aug 30 21:31:37 mysql sshd[4330]: debug1: temporarily_use_uid: 500/500 (e=0/0)
Aug 30 21:31:37 mysql sshd[4330]: debug1: trying public key file /home/nate/.ssh/authorized_keys
Aug 30 21:31:37 mysql sshd[4330]: debug1: restore_uid: 0/0
Aug 30 21:31:37 mysql sshd[4330]: debug1: temporarily_use_uid: 500/500 (e=0/0)
Aug 30 21:31:37 mysql sshd[4330]: debug1: trying public key file /home/nate/.ssh/authorized_keys2
Aug 30 21:31:37 mysql sshd[4330]: debug1: restore_uid: 0/0
Aug 30 21:31:37 mysql sshd[4330]: Failed publickey for nate from 10.33.204.4 port 49454 ssh2

Cause and solutions

This problem is usually caused by the SELinux security layer in CentOS: the files under ~/.ssh carry the wrong security label, so SELinux denies the SSH daemon (which runs in its own confined domain) permission to read them. Typical triggers are an authorized_keys file that was copied in from another location or created by a tool running in a different context, or a home directory restored from backup. An AVC denial naming sshd in the audit log confirms it. If there is no denial, check file permissions instead: with the default StrictModes setting, sshd also silently ignores a key file if the home directory, ~/.ssh, or authorized_keys is group- or world-writable, and the symptom is the same password prompt.

There’s more than one way to solve it.

Solution 1 (the “right” way)

Tell SELinux to “label” your ~/.ssh directory such that the SSH daemon is allowed to see it. The following command will re-label everything under /home, including user .ssh directories, with labels as defined in your security policy (relabeling only the affected user’s ~/.ssh directory is enough; /home is the blunt version):

restorecon -R -v /home

In addition, SELinux provides a daemon that is supposed to monitor the filesystem and automatically set the correct labels, so this problem might not happen in the first place. The daemon is called restorecond. You can enable it in the usual manner (for example, chkconfig restorecond on followed by service restorecond start).

Solution 2 (the “wrong” way)

An alternate solution is to put SELinux in permissive mode, where it logs rule violations but does not enforce them. Be aware that this effectively disables a key security layer! Permissive mode is useful for confirming that SELinux is the cause; once the labels are fixed, switch back to enforcing. To do this temporarily (until reboot), type:

setenforce Permissive

To make this permanent, edit /etc/selinux/config and change the SELINUX line to permissive.
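The checks above, as an added example that is not code from the original post: a small POSIX shell script that tests the two preconditions sshd needs before it will honour ~/.ssh/authorized_keys on CentOS/RHEL 6 (the ssh_home_t SELinux type that restorecon assigns, and StrictModes-compatible permissions). It runs against constructed sample “ls -Z” lines, labelled as such in the code, and has a separate function for the live host. The usernames and file names in the sample are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: the two preconditions sshd
# needs before it will honour ~/.ssh/authorized_keys on CentOS/RHEL 6, checked
# against constructed sample data and, optionally, against the live host.
#  1. The SELinux type on ~/.ssh and the files in it must be ssh_home_t, the
#     type restorecon assigns from the policy. A file copied in from /tmp or
#     created by a tool running in another context keeps the wrong type.
#  2. With the default "StrictModes yes", sshd also silently ignores the key
#     if ~, ~/.ssh or authorized_keys is group- or world-writable. That gives
#     the same password prompt but no AVC denial in the audit log.

# Return 0 if an SELinux context string carries the ssh_home_t type.
# $1: context as printed by "ls -Z", e.g. unconfined_u:object_r:ssh_home_t:s0
ssh_label_ok() {
    case "$1" in
        *:ssh_home_t:*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Return 0 if an octal mode (as printed by "stat -c %a") passes StrictModes,
# i.e. neither the group nor the other write bit is set. 644 is fine, 664 not.
# $1: mode such as 700, 644 or 2775 (a leading setuid/setgid digit is
#     allowed; only the last two digits are inspected)
mode_ok() {
    gdig=$(printf '%s' "$1" | sed 's/.*\(.\).$/\1/')   # group digit
    odig=$(printf '%s' "$1" | sed 's/.*\(.\)$/\1/')    # other digit
    case "$gdig$odig" in
        [2367]?|?[2367]) return 1 ;;
        *)               return 0 ;;
    esac
}

# Check one line of RHEL 6 "ls -Z" output, print PASS or FAIL, return 0 or 1.
# Format: -rw-------. nate nate unconfined_u:object_r:ssh_home_t:s0 authorized_keys
check_ls_z_line() {
    ctx=$(printf '%s\n' "$1" | awk '{print $4}')
    name=$(printf '%s\n' "$1" | awk '{print $5}')
    if ssh_label_ok "$ctx"; then
        printf 'PASS %s  %s\n' "$name" "$ctx"
        return 0
    fi
    printf 'FAIL %s  type is not ssh_home_t (%s); fix: restorecon -Rv ~/.ssh\n' "$name" "$ctx"
    return 1
}

# Constructed sample, not captured from a real host: the first entry was
# labelled correctly, the second was copied in from /tmp and kept its type.
SAMPLE_LS_Z='-rw-------. nate nate unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub
-rw-r--r--. nate nate unconfined_u:object_r:user_tmp_t:s0 authorized_keys'

# Print a report for the sample; the return value is the number of failures.
report_sample() {
    n=0
    while read -r line; do
        [ -n "$line" ] || continue
        check_ls_z_line "$line" || n=$((n + 1))
    done <<EOF
$SAMPLE_LS_Z
EOF
    return "$n"
}

# On a live CentOS/RHEL 6 host: the same checks on the real files. An AVC
# denial for sshd in /var/log/audit/audit.log ("ausearch -m avc -c sshd")
# is the other confirmation that SELinux, not permissions, is the cause.
live_check() {
    d=$HOME/.ssh
    ls -Zd "$d" "$d/authorized_keys" 2>/dev/null | while read -r line; do
        check_ls_z_line "$line"
    done
    for p in "$HOME" "$d" "$d/authorized_keys"; do
        m=$(stat -c %a "$p" 2>/dev/null) || continue
        mode_ok "$m" || printf 'FAIL %s is mode %s (group/world writable)\n' "$p" "$m"
    done
}

# Run "sh script.sh live" on the host, or with no argument for the sample.
case "${1:-sample}" in
    live)   live_check ;;
    sample) report_sample || true ;;
esac
```

With the sample data the report flags authorized_keys as user_tmp_t and passes id_rsa.pub; on a real host, a FAIL from the label check is fixed by restorecon, a FAIL from the mode check by chmod, and neither needs permissive mode.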


May 06 2011

How to preview a Markdown document in Vim

I write a lot of stuff in Markdown using TextMate. Now I’m using Vim, but I need a way to preview what the Markdown will look like.

There are several Vim plug-ins that can do this, but all have limitations. For example, this one is nice, but it requires Ruby and doesn’t properly deal with embedded Unicode characters.

So I wrote my own Vim plug-in that previews Markdown documents. It is tested on Mac OS X and Windows (and should work on Linux, though I don’t have a GUI-based Linux box to test on). It works even if your document contains Unicode text.

The only prerequisite is that you have a markdown command installed (Discount, python-markdown, or John Gruber’s original are good choices).

https://gist.github.com/960015

Apr 18 2011

A fix for slow connections to SMB file shares on Mac OS X Snow Leopard

In Mac OS X 10.6 Snow Leopard, I found it takes a long time (30 seconds or more) to connect to a shared folder on my Windows server.

Once connected, everything works fine, but the initial delay is a big hassle.

Please note: There is a different problem where the actual file sharing is slow (or browsing between folders is slow). I have not had that problem so I don’t know the solution. The problem I am fixing is that the initial connection to the SMB share takes a long time.

The Solution

Ignore the Kerberos workaround further down (left in place for reference). I have found the definitive solution (for my network, at least).

The solution is: don’t use a .local name for your Windows domain. Mac OS X reserves .local for Bonjour (multicast DNS), so every lookup of a .local Active Directory domain goes to mDNS first and has to time out before unicast DNS is tried, and that is where the delay comes from. .local for your Windows domain is evil. Use a real domain name that you control.

Yes, I know that the example documentation shows domains named company.local. I know it can be a major pain-in-the-tuchus to change the Active Directory domain name (and may not even be possible if you’re using Exchange Server).

But after changing our AD domain name from company.local to hq.company.com, our Macs were miraculously faster at mounting network shares, browsing the network, and joining the domain.

Note that hq.company.com is a DNS subdomain of our real DNS domain name (company.com stands in for my employer’s actual domain). It is only resolvable by our internal AD DNS servers, so internal hostnames are not exposed to the world.

My original workaround (superseded by the domain rename above) was to create a file called /Library/Preferences/edu.mit.Kerberos with the following contents:

[libdefaults]
default_realm = your-domain.local
dns_fallback = no

Replace your-domain.local with your Windows/Active Directory domain name. Kerberos realm names are case-sensitive, and an Active Directory realm is the DNS domain name in upper case (YOUR-DOMAIN.LOCAL), so write it that way; dns_fallback = no stops the library from falling back to DNS lookups to find the realm, which is the part that was slow.

After saving the file, the fix takes effect immediately. Connecting to the share dropped from about 30 seconds to about 5 seconds.

Some notes:

  * The server is Windows Server 2008 R2.
  * The Mac is not joined to the domain. (I am authenticating as a domain user, of course.)

I originally found this information on MacWindows. There is an extremely long thread there and this was one of the solutions that came up.
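The Kerberos file above, taken one step further as an added example (not the post’s own configuration): a shell function that emits the client configuration in krb5.conf syntax with the realm and KDC pinned explicitly, so the Mac never has to discover the KDC through DNS SRV lookups at all, plus a check that flags domains ending in .local, which Mac OS X hands to multicast DNS. The domain and host names (hq.example.com, dc1.hq.example.com) are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: emit the Mac's Kerberos client
# configuration (/Library/Preferences/edu.mit.Kerberos on 10.6, which uses
# krb5.conf syntax) with the realm and KDC pinned explicitly, so the client
# never has to discover the KDC through DNS SRV lookups, and flag realms that
# a Mac would try to resolve through multicast DNS first. Names used in the
# usage line are placeholders (hq.example.com, dc1.hq.example.com).

# Print a krb5.conf for the given AD domain whose KDC is KDC_HOST.
# $1: AD DNS domain; the Kerberos realm is the same name in upper case
#     (realm names are case-sensitive: HQ.EXAMPLE.COM, not hq.example.com)
# $2: hostname of a domain controller, used as KDC and admin server
krb5_conf() {
    realm=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_fallback = no
    dns_lookup_kdc = no

[realms]
    $realm = {
        kdc = $2
        admin_server = $2
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Return 0 if NAME ends in .local: Mac OS X hands such names to Bonjour
# (multicast DNS) before unicast DNS, which is the delay the post describes.
name_is_mdns_local() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.local) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the config for the given domain and KDC, warning on stderr for .local.
# $1: AD DNS domain   $2: domain controller hostname
emit_config() {
    if name_is_mdns_local "$1"; then
        echo "warning: $1 ends in .local; expect slow SMB/Kerberos on Mac OS X" >&2
    fi
    krb5_conf "$1" "$2"
}

# Usage (placeholder names):
#   emit_config hq.example.com dc1.hq.example.com | sudo tee /Library/Preferences/edu.mit.Kerberos
```

Pinning the KDC under [realms] and mapping the domain under [domain_realm] removes both the SRV lookup and the realm guess from the connection path; the .local warning is there because no client-side setting fixes the mDNS delay if the domain itself is a .local name.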

Update

At some point under 10.6 this stopped working. I am now running 10.7 Lion and this solution no longer works. I am back to slow connections.



If the Mac App Store is slow, it’s probably because of your Keychain CRL setting

Recently I had an issue where the Mac App Store became almost unusably slow. It took more than a minute to start up. During that time it would appear completely frozen.

This was caused by enabling a security setting called “certificate revocation list,” or CRL, in Keychain Access.

You can disable this feature and the Mac App Store will become much faster. However—and this is a big one—the CRL is a security feature that you may not want to disable.

A CRL helps your system detect fraudulent TLS certificates (also known as SSL certificates) that the issuing authority has since revoked. While this type of fraud is rare¹, a recent security breach allowed a criminal in Iran to generate these certificates (news story), and enabling CRL checking protects you against the ones that have been revoked.

The Keychain Access CRL feature is disabled by default, but several recent Mac blog articles suggested that you enable it. Here’s one such article.

If you still want to disable it:

  1. Open the Keychain Access app.
  2. From the menu, choose Keychain Access > Preferences.
  3. On the Certificates tab, change the CRL setting to “Off.” (You can leave the other settings as-is.)

¹ Fraudulent certificates may not be so rare (they can be injected using man-in-the-middle attacks), but this type of fraudulent certificate—signed by a legitimate root authority—is rare.


Apr 10 2011

How to upgrade CentOS Linux running under Hyper-V

When CentOS Linux, running under Hyper-V, is upgraded to a new kernel, it will probably fail to reboot. Open Hyper-V Manager and look at the CentOS server’s screen. Most likely you will see the following error:

switchroot: mount failed: No such file or directory
Kernel panic - not syncing: Attempted to kill init!

Cause

The error is caused by the Microsoft Hyper-V Linux Integration Components not loading properly under the new kernel.

Solution

  1. From the Hyper-V Manager, reboot the server. At the moment when it says “Booting CentOS in 3…2…1…,” press any key. You’ll see several kernels listed, including the newest one and the previous one.
    • Make a note of the full, exact version number of the newest kernel.
    • Select the previous kernel and press Enter. It should boot successfully under the old kernel.
  2. Log in as root.
  3. Use Hyper-V Manager to attach the Microsoft Linux Integration Components CD (LinuxIC v21.iso, available from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=eee39325-898b-4522-9b4c-f4b5b9b64551).
  4. Mount and copy it to the Linux server.
    1. mkdir -p /mnt/cdrom
    2. mount /dev/cdrom /mnt/cdrom
    3. cp -rp /mnt/cdrom /opt/linux_ic
    4. umount /mnt/cdrom
  5. By default the Linux IC will build for the currently-running kernel. We want to build for the newer kernel instead. Make this happen:
    1. cd /opt/linux_ic
    2. [substitute the new kernel’s version in the following command]
      grep -ilR uname * | xargs sed -i 's/uname \-r/echo "2.6.18-238.5.1.el5"/g'
    3. make && make install
    4. reboot

Your server should now boot under the new kernel.

(Found in this message thread on the CentOS user forums.)
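Step 5 above, as an added example that is not code from the original post or the forum thread: a safer form of the sed one-liner. The Linux IC build scripts discover the target kernel with uname -r; this rewrites that call to echo the version of the kernel that failed to boot, so make builds the modules for it while the old kernel is still running. Unlike the one-liner it only touches files that actually contain the call, keeps a .orig copy of each, and is self-checked on a constructed two-file tree rather than the real IC sources. The version string is the same example value the post uses.

```shell
#!/bin/sh
# Added example, not code from the original post or the CentOS forum thread:
# a safer form of the sed one-liner in step 5. The Linux IC build scripts
# find the target kernel with "uname -r"; this rewrites that call to echo the
# version of the kernel that failed to boot, so "make" builds the modules for
# it while the old kernel is still running. Only the inner text is replaced,
# so both the $(uname -r) and `uname -r` spellings keep working.

# Rewrite every "uname -r" in FILE to echo VERSION; keep FILE.orig.
# $1: file to edit   $2: version string such as 2.6.18-238.5.1.el5
# Returns 0 whether or not the file needed changing (no-op if no match).
pin_kernel_version() {
    file=$1; ver=$2
    grep -q 'uname[[:space:]]*-r' "$file" || return 0
    cp -p "$file" "$file.orig" || return 1
    # "$ver" is placed in the replacement text verbatim: dots and dashes are
    # fine, but it must not contain "/" or "&".
    sed "s/uname[[:space:]]*-r/echo \"$ver\"/g" "$file.orig" > "$file"
}

# Apply pin_kernel_version to every file under DIR that contains the call;
# print the number of files rewritten. (File names must not contain spaces.)
# $1: directory, e.g. /opt/linux_ic   $2: version string
pin_tree() {
    dir=$1; ver=$2; n=0
    for f in $(grep -rl 'uname[[:space:]]*-r' "$dir"); do
        pin_kernel_version "$f" "$ver" && n=$((n + 1))
    done
    echo "$n"
}

# Self-check on a constructed mini tree (not the real IC sources): one script
# that derives the version both ways and one file that must be left alone.
# Prints "<files changed> <KVER> <MODDIR>" as the pinned script computes them.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'KVER=$(uname -r)' 'MODDIR=/lib/modules/`uname -r`/kernel' > "$tmp/setup.sh"
    printf '%s\n' 'nothing to pin here' > "$tmp/README"
    changed=$(pin_tree "$tmp" 2.6.18-238.5.1.el5)
    result=$(cd "$tmp" && sh -c '. ./setup.sh && echo "$KVER $MODDIR"')
    rm -rf "$tmp"
    echo "$changed $result"
}

# On the real tree, after step 4 of the post:
#   pin_tree /opt/linux_ic 2.6.18-238.5.1.el5 && make && make install
# Run "sh script.sh demo" to see the self-check.
case "${1:-}" in
    demo) demo ;;
esac
```

The demo prints "1 2.6.18-238.5.1.el5 /lib/modules/2.6.18-238.5.1.el5/kernel": one file rewritten, and both the $(...) and backtick forms now yield the pinned version. The .orig copies let you restore the tree before building for the next kernel update.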

Mar 25 2011

In Sophos Control Center, all computers are greyed out or have hourglass icons

I recently ran across this issue when installing Sophos Control Center on Windows Server 2008 R2, and the corresponding Sophos Endpoint Security on various client PCs.

After installing the Control Center, the PCs would never receive the central configuration from the server, and they never showed up as active in the Control Center. They were able to update, but used default configurations.

The solution was to open the following ports on the server’s firewall:

  • TCP 8192
  • TCP 8193
  • TCP 8194

After opening the ports, the clients will begin to show up in the Control Center after 5-10 minutes.

For some reason the Sophos Control Center installer doesn’t open the ports for you. Also, this was my first Sophos installation on Windows Server 2008 R2, which has a fairly rigorous built-in firewall. The previous installation was on a Server 2003 system with a deactivated firewall, so we never encountered the issue.

A full list of ports for all Sophos products is available here:

http://www.sophos.com/support/knowledgebase/article/38385.html

Dec 28 2010

Using ping6 on Mac OS X or Linux

The problem

In experimenting with IPv6, one of the first things I tried was to ping computers on my LAN using the ping6 command. For example, this pings the loopback interface (equivalent of 127.0.0.1):

ping6 ::1

To see your IPv6 address(es), go to a Terminal prompt and type ifconfig. If you try to ping6 a link-local address (one that starts with fe80::, including your own) without saying which interface to use, you’ll get the following error:

ping6: UDP connect: No route to host

Or on Linux:

connect: Invalid argument

The solution

The solution is to pass the -I command-line argument with the name of the interface you want to ping from. A link-local address is only meaningful on one link, so the kernel cannot choose a route for it by itself. The first ethernet port on Linux is usually called eth0; on a Mac, it’s usually en0 or en1.

ping6 -I en1 fe80::…

Windows

Note that Windows doesn’t have this problem. On Windows, you use the regular ping command for both IPv4 and IPv6 addresses, and it automatically detects which interface to use.

Firewall issue

If you continue to have problems, make sure you can ping6 your own link-local address (the one that starts with fe80::, shown by ifconfig). Ping it from the same interface that the address is assigned to (ifconfig shows the interface name, usually en0 or en1, above each address).

And make sure your firewall is not blocking ping requests. The Mac OS X firewall will not respond to pings if “Stealth Mode” is turned on.
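The interface rule from the solution section, as an added example that is not code from the original post: a POSIX shell script that decides whether an IPv6 target needs a scope before ping6 will accept it, and builds the command either way. It uses the RFC 4007 zone suffix (address%interface), which is equivalent to the post’s -I option and is accepted by Linux, Mac OS X and Windows; the interface names in the usage line are the post’s own examples.

```shell
#!/bin/sh
# Added example, not from the original post: decide, for an IPv6 target,
# whether ping6 needs an interface, and build the command either way.
# Link-local (fe80::/10) and link-scoped multicast (ffX2::/16) addresses are
# only meaningful relative to one interface, so the kernel has no route for
# them unless the scope is given: with "-I iface" as in the post, or with the
# RFC 4007 zone suffix "addr%iface", which Linux, Mac OS X and Windows accept.

# Return 0 if ADDR needs a scope (link-local or link-scoped multicast) and
# does not already carry one; 1 otherwise (::1, global, site-local, "addr%if").
needs_scope() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$a" in
        *%*)                return 1 ;;   # zone already present
        fe[89ab][0-9a-f]:*) return 0 ;;   # fe80::/10 link-local
        ff[0-9a-f]2:*)      return 0 ;;   # ffX2::/16 link-scoped multicast
        *)                  return 1 ;;
    esac
}

# Print the ping6 command line for ADDR, adding the zone only when required.
# $1: address   $2: interface name (en0, eth0, ...), used only if needed
ping6_cmd() {
    if needs_scope "$1"; then
        printf 'ping6 -c 3 %s%%%s\n' "$1" "$2"
    else
        printf 'ping6 -c 3 %s\n' "$1"
    fi
}

# On a live Mac or Linux box: the link-local address of each interface, which
# is what you should be able to ping6 from that same interface. (Mac ifconfig
# already prints the zone as fe80::...%en0; Linux prints a /64 suffix instead.)
list_link_local() {
    ifconfig 2>/dev/null | awk '/inet6 fe80/ {print $2}'
}

# Usage: sh script.sh fe80::1 en1   ->   ping6 -c 3 fe80::1%en1
#        sh script.sh ::1 en1       ->   ping6 -c 3 ::1
[ $# -eq 2 ] && ping6_cmd "$1" "$2"
```

A site-local or global address (fec0::/10, 2001:db8::/32 and so on) has a route of its own and is deliberately left unscoped; only the two link-scoped ranges trigger the “No route to host” / “Invalid argument” errors the post describes.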

Nov 22 2010

How to install a Rocketfish Bluetooth keyboard in Windows 7

I’m posting this here because every time I re-install my OS I forget how to do it. I originally found this in a comment by KAMOTEQ here.

  • Problem: Rocketfish (Best Buy) Bluetooth keyboard, model RF-BTKB2, doesn’t work in Windows 7. When you try to pair it, nothing happens and eventually it times out or tells you “Device driver software was not successfully installed.”
  • Solution:
    1. Go to “Add a device”
    2. Right-click on “Rocketfish Bluetooth Keyboard” and choose “Properties…”
    3. Check the box that says “Drivers for keyboard, mice, etc. (HID).”
    4. Click OK and your keyboard will be recognized.

Jun 03 2010

How to destroy your database in two clicks using Querious

Open your database in Querious. Then:

  1. Click “Users.”
  2. Say to yourself, “I wonder what the button with two squares on it does.” Please don’t click the button. Because the instant you do, all of your rights are revoked and there is no way to recover them.

I hope you have another admin login. Otherwise you’re screwed.

Yes, I did this on an Amazon RDS instance. Thank goodness it was a test database and I was just experimenting with Querious. I never imagined such a dangerous operation would happen without warning.

Why on Earth doesn’t Querious have a warning or an “Apply” button so the change doesn’t happen instantly?

See the equivalent screen in Sequel Pro, which has an “Apply” button, making it much safer.

(I suspect you could also screw up your database by un-checking some of the other boxes. Again, there is no “Apply” button in Querious, so you will instantly change your rights.)

Don’t click this button in Querious

Mar 29 2010

How to build the psycopg2 Python PostgreSQL interface on Mac OS X Snow Leopard

These instructions may work on earlier versions of OS X, but I’ve only tested on Snow Leopard.

A common problem for Python programmers using Mac OS X is how to install psycopg2, the standard Python interface for PostgreSQL.

If you Google for the instructions, you’ll get all kinds of advice, most of which involves using MacPorts or installing a complete server installation of PostgreSQL on your Mac.

I don’t want to do that.

I don’t want to run a database server on my local Mac. I want only the necessary PostgreSQL client libraries and I want to use the OS X native build system, not MacPorts.

It’s actually easy to do this. The instructions may look complicated, but it’s only because I’ve added a lot of explanation to them.

Step 1: Install the PostgreSQL client library

  1. Download the PostgreSQL source code from http://www.postgresql.org/ftp/source/. Don’t download Mac OS X binaries, as that would be a complete server installation.
  2. Un-tar the source code and cd into its directory. Then run:
    • CFLAGS="-arch i386 -arch x86_64 -arch ppc" ./configure --with-openssl
      • This CFLAGS setting will get you a universal binary. Without it you would only get a 64-bit Intel binary (assuming you have a 64-bit Intel Mac), or a 32-bit Intel binary (if you have a 32-bit Intel Mac). We also include PowerPC support, for the unlikely event that you have a program that runs under Rosetta that needs to use the PostgreSQL libraries.
  3. We are going to install only the client parts of PostgreSQL. These instructions are based on the PostgreSQL manual, section 15.5:
    • sudo make -C src/bin install
    • sudo make -C src/include install
      • In my experience, the error about utils/fmgroids.h can be ignored.
    • sudo make -C src/interfaces install
    • sudo make -C doc install

Step 2: Install Psycopg2

  1. Download and un-tar the Psycopg source code.
  2. Edit the psycopg2 setup.cfg file. Add or update the following lines:
    • have_ssl=1
    • pg_config=/usr/local/pgsql/bin/pg_config
  3. Build and install it:
    • python setup.py build
    • sudo python setup.py install
  4. Test it:
    • $ python
    • >>> import psycopg2
    • >>> psycopg2.__version__
      '2.0.14 (dt dec ext pq3)'

Looks good!

