Friday, October 23, 2009

Apache:SSH Public key based authentication – Howto

This howto covers generating and using ssh keys for automated:

a) Login

b) Backups

c) Running commands from a shell, etc.
Task: Generating ssh keys

1) Log on to your workstation (for example, log on to the workstation called admin.fbsd.nixcraft.org as the user vivek). Refer to the following sample setup. You log in on your local system AS THE USER who will be making the passwordless ssh connections.

My Setup (image)

2) Create the Cryptographic Key on FreeBSD workstation, enter:

$ ssh-keygen -t rsa

Assign a passphrase (press the [Enter] key twice if you don't want one). This creates two files in the ~/.ssh directory:

* ~/.ssh/id_rsa : identification (private) key
* ~/.ssh/id_rsa.pub : public key

3) Use scp to copy id_rsa.pub (the public key) to the rh9linux.nixcraft.org server as the authorized_keys2 file; this is known as installing the public key on the server.

$ scp .ssh/id_rsa.pub vivek@rh9linux.nixcraft.org:.ssh/authorized_keys2

4) From FreeBSD workstation login to server:

$ ssh rh9linux.nixcraft.org

5) Changing the pass-phrase on workstation (if needed):

$ ssh-keygen -p

6) Use ssh-agent to avoid typing the passphrase over and over
On the FreeBSD workstation, type:

$ ssh-agent $BASH
$ ssh-add

Type your pass-phrase

From here on, connecting to the server will not prompt for the passphrase.
The two commands above can be added to ~/.bash_profile so that the agent is set up as soon as I log in to the workstation.

7) Deleting the keys held by ssh-agent

a) To delete all keys

$ ssh-add -D

b) To delete specific key

$ ssh-add -d key

c) To list keys

$ ssh-add -l

Apache:Howto Linux / UNIX setup SSH with DSA public key authentication (password less login)

I have a Linux laptop called tom and a remote Linux server called jerry. How do I set up DSA-based authentication so I don't have to type a password?

Solution:

DSA public key authentication is established on a per-system, per-user basis only, i.e. it is not system wide. You will be setting up ssh with DSA public key authentication for SSH version 2 on two machines:

#1 machine : your laptop called tom
#2 machine : your remote server called jerry
Command to type on your laptop/desktop (local computer)

First log in to the local computer called tom and type the following commands.
Step #1: Generate DSA Key Pair

Use ssh-keygen command as follows:
$ ssh-keygen -t dsa
Output:

Enter file in which to save the key (/home/vivek/.ssh/id_dsa): Press [Enter] key
Enter passphrase (empty for no passphrase): myPassword
Enter same passphrase again: myPassword
Your identification has been saved in /home/vivek/.ssh/id_dsa.
Your public key has been saved in /home/vivek/.ssh/id_dsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01 vivek@vivek-desktop

Caution: a) Please enter a passphrase different from your account password and confirm the same.
b) The public key is written to /home/you/.ssh/id_dsa.pub.
c) The private key is written to /home/you/.ssh/id_dsa.
d) It is important you never-ever give out your private key.
Step #2: Set directory permission

Next, make sure the .ssh directory has the correct permissions:
$ cd
$ chmod 755 .ssh
Step #3: Copy public key

Now copy file ~/.ssh/id_dsa.pub on Machine #1 (tom) to remote server jerry as ~/.ssh/authorized_keys:
$ scp ~/.ssh/id_dsa.pub user@jerry:.ssh/authorized_keys
Command to type on your remote server called jerry

Log in to your remote server and make sure the permissions are set correctly:
$ chmod 600 ~/.ssh/authorized_keys
Task: How do I login from client to server with DSA key?

Use scp or ssh as follows from your local computer:
$ ssh user@jerry
$ ssh user@remote-server.com
$ scp file user@jerry:/tmp

You will still be asked for the passphrase of the DSA key file each time you connect to the remote server called jerry, unless you either did not enter a passphrase when generating the DSA key pair or use ssh-agent as described in the next task.
Task: How do I login from client to server with DSA key but without typing a passphrase i.e. password-less login?

Type the following command at shell prompt:
$ exec /usr/bin/ssh-agent $SHELL
$ ssh-add
Output:

Enter passphrase for /home/vivek/.ssh/id_dsa: myPassword
Identity added: /home/vivek/.ssh/id_dsa (/home/vivek/.ssh/id_dsa)

Type your passphrase once. Now you should not be prompted for a password whenever you use the ssh, scp, or sftp command.

If you are using a GUI such as GNOME, use the command:
$ ssh-askpass
OR
$ /usr/lib/openssh/gnome-ssh-askpass

To save your passphrase during your GNOME session under Debian / Ubuntu, do as follows:
a) Click on System
b) Select Preferences
c) Select Session
d) Click on New
e) Enter "OpenSSH Password Management" in the Name text area
f) Enter /usr/lib/openssh/gnome-ssh-askpass in the command text area.
g) Click on close to save the changes
h) Log out and then log back into GNOME. After GNOME is started, a dialog box will appear prompting you for your passphrase. Enter the passphrase requested. From this point on, you should not be prompted for a password by ssh, scp, or sftp.
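Both howtos above install the public key by scp'ing id_rsa.pub directly onto authorized_keys (or authorized_keys2), which replaces every key already in that file. The function below is an added example (my code, not from either howto) that appends the key only when it is not already present and sets the permissions sshd's StrictModes checks; the function names and the sample key in the comments are mine.

```shell
# Added example: idempotent public-key install (not from the original howto).
# Appends the key only if its type+material is not already present, and sets
# the permissions sshd's StrictModes checks (700 on ~/.ssh, 600 on the file).
# Usage: install_pubkey <id_rsa.pub> <path/to/authorized_keys>
install_pubkey() {
    pubkey_file=$1
    auth_keys=$2
    ssh_dir=$(dirname "$auth_keys")

    # A public key line is "<type> <base64> [comment]"; refuse anything else
    # so a stray file cannot end up granting access.
    key_line=$(head -n 1 "$pubkey_file") || return 1
    case $key_line in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not a public key: $pubkey_file" >&2; return 1 ;;
    esac
    key_material=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')

    # Create directory and file private from the start, then restore umask.
    old_umask=$(umask)
    umask 077
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"
    umask "$old_umask"

    # Compare type and key material only, so a different comment on the
    # same key is still recognised as a duplicate.
    if awk -v k="$key_material" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth_keys"; then
        echo "already present: $auth_keys" >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
}

# How many times the key in <pubkey-file> appears in <authorized_keys>.
count_key() {
    awk -v k="$(awk '{print $1 " " $2}' "$1")" '($1 " " $2) == k { n++ } END { print n + 0 }' "$2"
}
```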

Apache:How To Back Up a Web Server ?

I'm busy experimenting with a Red Hat Enterprise Linux based Apache web server. I want to back up my Apache web server, MySQL and PostgreSQL databases to another disk called /backup and then copy it to another offsite backup ssh server called backup.example.com.
I started this morning with a piece of refreshment at breakfast and soon caught hold of one of my friends online. He was Domino from the Netherlands, and we met through a Linux forum. He wanted me to help him with the same, and I started writing.

Here we go...

There are many tools under Linux / UNIX to back up a web server. You can create a simple shell script to back up everything to the /backup directory. You can also copy the /backup directory content offsite using the ssh and scp tools.

Step # 1: Create /root/backup.sh script

Use the following shell script:

#!/bin/bash
# A Simple Shell Script to Backup Red Hat / CentOS / Fedora / Debian / Ubuntu Apache Webserver and SQL Database
# Path to backup directories (space separated; expanded unquoted below on purpose)
DIRS="/home/vivek/ /var/www/html/ /etc"

# Store todays date, and the time once so that all three files share the same timestamp
NOW=$(date +"%F")
TIME=$(date +"%T")

# Store backup path
BACKUP="/backup/$NOW"

# Backup file names hostname.time.tar.gz
BFILE="$(hostname).${TIME}.tar.gz"
PFILE="$(hostname).${TIME}.pg.sql.gz"
MFILE="$(hostname).${TIME}.mysql.sql.gz"

# Set Pgsql username
PGSQLUSER="ajeet"

# Set MySQL username and password
# Note: -p on the mysqldump command line makes the password visible to every
# local user in ps output; a root-only ~/.my.cnf avoids that.
MYSQLUSER="ajeet"
MYSQLPASSWORD="myPassword"

# Remote SSH server setup
SSHSERVER="backup.example.com" # your remote ssh server
SSHUSER="ajeet" # username
SSHDUMPDIR="/backup/remote" # remote ssh server directory to store dumps

# Paths for binary files
TAR="/bin/tar"
PGDUMP="/usr/bin/pg_dump"
MYSQLDUMP="/usr/bin/mysqldump"
GZIP="/bin/gzip"
SCP="/usr/bin/scp"
SSH="/usr/bin/ssh"
LOGGER="/usr/bin/logger"

# Dumps contain site data and credentials: create everything readable by root only
umask 077

# make sure backup directory exists
[ ! -d "$BACKUP" ] && mkdir -p "${BACKUP}"

# Log backup start time in /var/log/messages
$LOGGER "$0: *** Backup started @ $(date) ***"

# Backup webserver dirs ($DIRS is intentionally unquoted so tar sees each path as a separate argument)
$TAR -zcvf "${BACKUP}/${BFILE}" ${DIRS}

# Backup PgSQL (with no database name, pg_dump uses $PGDATABASE or, failing that, a database named after the user)
$PGDUMP -x -D -U "${PGSQLUSER}" | $GZIP -c > "${BACKUP}/${PFILE}"

# Backup MySQL
$MYSQLDUMP -u "${MYSQLUSER}" -h localhost -p"${MYSQLPASSWORD}" --all-databases | $GZIP -9 > "${BACKUP}/${MFILE}"

# Dump all local files to failsafe remote UNIX ssh server / home server
$SSH "${SSHUSER}@${SSHSERVER}" mkdir -p "${SSHDUMPDIR}/${NOW}"
$SCP -r "${BACKUP}"/* "${SSHUSER}@${SSHSERVER}:${SSHDUMPDIR}/${NOW}"

# Log backup end time in /var/log/messages
$LOGGER "$0: *** Backup Ended @ $(date) ***"

Customize it according to your needs, set username, password, ssh settings and other stuff.

Step # 2: Create ssh keys


Create ssh keys for password-less login from your server to the offsite server (hosted at your own home or in another datacenter). See the following FAQs for more information:

http://linuxhunt.blogspot.com/2009/10/apachehowto-linux-unix-setup-ssh-with.html

http://linuxhunt.blogspot.com/2009/10/apachessh-public-key-based.html
Step #3: Create Cron job

Set up a cron job to back up the server every day; enter:
# crontab -e
Append the following line to back up the server every day at midnight:
@midnight /root/backup.sh
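backup.sh above logs when it started and ended but never checks what it produced, so an empty or truncated dump would be shipped offsite and kept as the only copy. The function below is an added example (my code, not part of the original post) that verifies each archive in the day's directory before the scp step; the function name and the sample files in the test are mine, and it assumes the dumps are gzip-compressed as in the script.

```shell
# Added example: integrity check for a day's backup directory (not from the post).
# Every file must be non-empty and decompress cleanly; tar archives must also
# list their members, which catches a tar truncated inside a valid gzip stream.
# Returns non-zero on any finding so the caller can skip the scp and log it.
# Usage: verify_backup /backup/YYYY-MM-DD
verify_backup() {
    dir=$1
    status=0
    found=0
    for f in "$dir"/*.gz; do
        [ -e "$f" ] || continue            # the glob matched nothing
        found=1
        if [ ! -s "$f" ]; then
            echo "EMPTY: $f" >&2; status=1; continue
        fi
        # gzip -t walks the whole stream and fails on a truncated dump.
        if ! gzip -t "$f" 2>/dev/null; then
            echo "CORRUPT gzip: $f" >&2; status=1; continue
        fi
        case $f in
            *.tar.gz)
                if ! gzip -dc "$f" 2>/dev/null | tar -tf - >/dev/null 2>&1; then
                    echo "CORRUPT tar: $f" >&2; status=1
                fi ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo "no archives in $dir" >&2; status=1; }
    return "$status"
}
```

Call it between the dump commands and the ssh/scp lines, e.g. `verify_backup "$BACKUP" || { $LOGGER "$0: backup verification FAILED"; exit 1; }`.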

Apache: Giving Users their Own URL

Exploring more on Apache and continuing with my Cookbook, I started with this topic and set it up in just 5 minutes. This time I tried setting up web pages for all users, and this is how I finally got it working !!!

File: /etc/httpd/conf/httpd.conf

Line 352:
UserDir public_html

And remove the hash sign from the following lines (the <Directory>, <Limit> and <LimitExcept> tags belong to the same block):

367 <Directory /home/*/public_html>
368 AllowOverride FileInfo AuthConfig Limit
369 Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
370 <Limit GET POST OPTIONS>
371 Order allow,deny
372 Allow from all
373 </Limit>
374 <LimitExcept GET POST OPTIONS>
375 Order deny,allow
376 Deny from all
377 </LimitExcept>
378 </Directory>
Restart the Apache Service.

Try browsing: http://localhost/~ajeet
But it won't work.

Reason: Permission Issue

Create a few users, like ajeet, john, eric, etc.

# useradd ajeet
# passwd ajeet
# cd /home/ajeet
# mkdir public_html
# cd public_html
# mkdir {ISO1,ISO2,ISO3}

Grant Permission:

#chmod o+x /home /home/ajeet
#chmod o+x /home/ajeet/public_html

Try Browsing http://localhost/~ajeet

Index of /~ajeet
[ICO] Name Last modified Size Description
[DIR] Parent Directory -
[DIR] ISO/ 23-Oct-2009 23:11 -
[DIR] ISO2/ 23-Oct-2009 23:11 -
[DIR] ISO3/ 23-Oct-2009 23:11 -
Apache/2.2.11 (Fedora) Server at localhost Port 80

So users can have their own web pages.
Happy Apaching !!!
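The "Permission Issue" above is a chain: the apache user needs the search bit on every directory from / down to ~ajeet/public_html, and read on public_html itself for the index listing. The function below is an added example (my code, not from the original post) that walks that chain and names the component that is missing a bit; it assumes the web server process is not a member of the user's group, so only the "other" bits matter, and the function name is mine.

```shell
# Added example: find the directory that breaks http://localhost/~user (not
# from the original post). Walks from / down to the given public_html and
# reports each component lacking o+x, plus o+r on the leaf for "Indexes".
# Usage: check_userdir_path /home/ajeet/public_html   -> non-zero on findings
check_userdir_path() {
    target=$1
    status=0
    path=""
    old_ifs=$IFS
    IFS=/
    # Split on "/" and rebuild the path one component at a time, from / down.
    for part in $target; do
        [ -n "$part" ] || continue          # leading "/" gives an empty field
        path="$path/$part"
        if [ ! -d "$path" ]; then
            echo "MISSING: $path" >&2; status=1; break
        fi
        # -perm -001: the "other" execute (search) bit must be set.
        if [ -z "$(find "$path" -prune -perm -001)" ]; then
            echo "no o+x on $path  (fix: chmod o+x $path)" >&2; status=1
        fi
    done
    IFS=$old_ifs
    # The leaf must also be world-readable for mod_autoindex listings.
    if [ -d "$target" ] && [ -z "$(find "$target" -prune -perm -004)" ]; then
        echo "no o+r on $target  (fix: chmod o+r $target)" >&2; status=1
    fi
    return "$status"
}
```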

Apache: Authenticating Directory Structure

This morning I started with authenticating the portion of my Directory Structure.
This is what I did:

File: /etc/httpd/conf/httpd.conf

<Directory />
    Options FollowSymLinks
    AllowOverride All
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>

That's all that needs to be done in httpd.conf.

Let's create a new directory structure:

# cd /var/www/html
# mkdir pdfs
# cd pdfs
# mkdir {RHEL4,RHEL4.2,RHEL5,RHEL5.2}
# cd RHEL5
# mkdir {RPMS,SRC,SOURCE,ISO}
# cd ISO
[root@localhost RHEL5]# ls -la
total 24
drwxr-xr-x. 6 apache apache 4096 2009-10-23 19:02 .
drwxr-xr-x. 6 apache apache 4096 2009-10-19 09:41 ..
drwxr-xr-x 5 apache apache 4096 2009-10-23 19:35 ISO
drwxr-xr-x 2 apache apache 4096 2009-10-23 18:08 RPMS
drwxr-xr-x 2 apache apache 4096 2009-10-23 18:08 SOURCES
drwxr-xr-x 2 apache apache 4096 2009-10-23 18:08 SRC
[root@localhost RHEL5]#
[root@localhost ISO]# ls -la
total 24
drwxr-xr-x 5 apache apache 4096 2009-10-23 19:35 .
drwxr-xr-x. 6 apache apache 4096 2009-10-23 19:02 ..
-rw-r--r-- 1 root root 106 2009-10-23 19:35 .htaccess
drwxr-xr-x 2 apache apache 4096 2009-10-23 19:02 ISO1
drwxr-xr-x 2 apache apache 4096 2009-10-23 19:02 ISO2
drwxr-xr-x 2 apache apache 4096 2009-10-23 19:02 ISO3
[root@localhost ISO]#
[root@localhost ISO]# ls -la
total 24
drwxr-xr-x 5 apache apache 4096 2009-10-23 19:35 .
drwxr-xr-x. 6 apache apache 4096 2009-10-23 19:02 ..
-rw-r--r-- 1 apache apache 106 2009-10-23 19:35 .htaccess
drwxr-xr-x 2 apache apache 4096 2009-10-23 19:02 ISO1
drwxr-xr-x 2 apache apache 4096 2009-10-23 19:02 ISO2
drwxr-xr-x 2 apache apache 4096 2009-10-23 19:02 ISO3
[root@localhost ISO]#

The .htaccess file contains:

[root@localhost ISO]# cat .htaccess
AuthType Basic
AuthName "Authentication Required"
AuthUserFile /var/www/html/htpasswd
Require user jan
[root@localhost ISO]#

Now create the htpasswd file under the /var/www/html directory as:

htpasswd -bcm /var/www/html/htpasswd jan jan123

Now Try Browsing :

http://localhost/pdfs
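Two things to check in the setup above before calling it done: the AuthUserFile lives at /var/www/html/htpasswd, inside the DocumentRoot, where Apache will serve it to any client that asks for /htpasswd unless something blocks it, and the htpasswd -b command puts jan's password on the command line, where it lands in the shell history and process listings (omit -b and let htpasswd prompt). The function below is an added example (my code, not from the original post) that checks a .htaccess for the first problem and for the directives Basic auth needs; the function name is mine and the /etc/httpd path it suggests is just an example location outside the DocumentRoot.

```shell
# Added example: sanity-check a Basic-auth .htaccess (not from the original post).
# Flags an AuthUserFile inside the DocumentRoot, a relative AuthUserFile, and
# any missing directive; notes when the directory is not forced to HTTPS.
# Usage: check_htaccess <.htaccess> <DocumentRoot>   -> non-zero on findings
check_htaccess() {
    htaccess=$1
    docroot=${2%/}                  # drop a trailing slash for the prefix test
    status=0
    for directive in AuthType AuthName AuthUserFile Require; do
        grep -qi "^[[:space:]]*$directive[[:space:]]" "$htaccess" \
            || { echo "missing $directive in $htaccess" >&2; status=1; }
    done
    # First AuthUserFile value, with surrounding quotes removed.
    userfile=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$htaccess")
    case $userfile in
        "$docroot"/*)
            echo "AuthUserFile $userfile is inside DocumentRoot $docroot and can be fetched as a URL; move it outside (e.g. /etc/httpd/htpasswd)" >&2
            status=1 ;;
        /*) ;;                      # absolute path outside DocumentRoot: fine
        "") ;;                      # already reported as missing
        *)  echo "AuthUserFile should be an absolute path: $userfile" >&2; status=1 ;;
    esac
    # Basic auth only base64-encodes the password, so plain http exposes it.
    grep -qi "^[[:space:]]*SSLRequireSSL" "$htaccess" \
        || echo "note: no SSLRequireSSL; credentials travel in the clear over http" >&2
    return "$status"
}
```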