Published May 14th, 2008 by admin

How to Patch Ubuntu for openSSL and openSSH Vulnerability

I’m sure you have heard by now that there is a reported vulnerability in openSSL and openSSH. This only affects Debian and its variants for now (ie:Ubuntu).

This is a pretty serious issue so it should be patched ASAP.

Follow the instructions below to guard your Debian and Ubuntu machines from the vulnerability.

Run the following to find out if you are affected:

wget -c http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
gunzip dowkd.pl.gz
chmod u+x dowkd.pl
./dowkd.pl user
./dowkd.pl host hostname

If either the 2nd to last or the last command issued above shows something similar to the following:

.ssh/id_dsa.pub:1: weak key

…then you are affected by the vulnerability. If you do not see “weak key” reported then you are OK.

Otherwise follow below:

Apply any updates by entering the following at a command line:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

You should see an update for openssl and openssh packages (along with anything else available).

After these new packages have been installed you will want to regenerate any keys that you’ve generated (ie; openssh keys, CA cert, etc).

To generate a new openssh key for your user: (This only required if ‘./dowkd.pl user‘ reports weak)

ssh-keygen -t dsa -b 1024

To generate a new openssh key for your server: (This only required if ./dowkd.pl host hostname reports weak)

sudo rm /etc/ssh/ssh_host_{dsa,rsa}_key*
sudo dpkg-reconfigure -plow openssh-server

You should now run the validation script again and make sure it does not report any errors. If you still see reported warnings such as:

.ssh/authorized_hosts:1: weak key

…this means that you have keys saved that are still affected, in this case in the authorized_host file. The easiest way to solve this is issue the following:

rm .ssh/authorized_hosts

This will remove the file, which will be recreated the next time it is needed or you can delete the line in the affected file using your favorite text editor. The line is indicated by the ending “:1” which maps to the affected line number.

Continue to run the ./dowkd.pl script until no weaknesses are reported.

Published February 13th, 2008 by admin

Time to Update – Now!

I can’t add anymore than wonderful Mackenzie already did:

A new kernel update just went out yesterday or the day before (not
sure), but it fixes the vmsplice proof-of-concept exploit that was
released two days ago. The exploit would allow someone at a non-root
console to elevate themself to root without using sudo or su or knowing
any passwords at all.

Check out Mackenzie’s site: Ubuntu Linux Tips & Tricks

Technorati Tags: ,

Published February 9th, 2008 by admin

How-To: Migrating Amarok Playlists and Collection Data to a New Computer

So you have your Amarok playlists and collection set up all how you want and now you want to migrate everything over to a new computer, but don’t want to start from scratch? Read on for instructions on how to pull off this task with ease.

In my example I had all my music saved on an external hard drive that mounted itself as “disk”. I wanted to change it over to a new computer and a new external drive that mounts itself as “OneTouch1” (Maxtor external drive). It doesn’t matter where your music is and where you want it to go (maybe you just want to connect the same drive to a new computer) but in either case this is how I did it:

First off I mounted both drives on the computer that had the current configuration I wanted to save.

Then I ran an rsync command to transfer all my music from the old external drive to the new one:

rsync -av /media/disk/Music/ /media/OneTouch1/Music

This copied all my music from disk/Music to OneTouch1/Music.

Then I needed to grab the current mySQL database, so I fired up webmin on the localhost and did a backup of my “amarok” database I had all my collection data stored in. One more thing you will need for all your playlist and configuration settings is the app settings folder located in your home directory in a hidden directory. You can grab it like so:

rsync -av /home/yourusername/.kde/share/apps/amarok/ /media/OneTouch1/amarok

Make sure you substitute your username and new drive name above.

Now we should be ready to configure the new computer with your old computer’s settings. The next steps assume you have Amarok installed and running.

Make sure Amarok is closed and not running and then plug in your external drive.

Create a symbolic link to map everything up like it was before. In my case it was done like so:

ln -s /media/OneTouch1/ /media/disk

The above is needed even if you want to use the same drive, but only in the case that it mounts itself on the new computer with a different name than it does on the old computer.

Now we want to create an empty database called amarok (or whatever your previous db was called) (I used webmin for ease of use) and create the same user id and credentials that you had used on your previous computer.

The next step is open your home directory and hit ctrl “h” to show hidden files and browse to .kde/share/apps and rename the amorak folder to amorak_old (just so we can revert later if needed). Then copy the amorak folder we had backed up from your old computer onto the external drive to replace the folder we just renamed.

Once this is all complete, we can open Amarok and go to Settings -> Configure Amarok and navigate to the Collection tab on the left. Make sure that the correct directory is selected (using the symbolic link to select it) and also that the correct db and user credentials are entered.

After the above is done, go to Tools -> Rescan Collection. This may take awhile, depending on the size of your collection, but when it is complete you should see that everything is how it was on your old computer!

Technorati Tags: , , , ,

Published December 17th, 2007 by admin

How to Connect To Linux Hosts Without a Password (Key Authentication)

This how-to will show you how to connect to a Linux machine via SSH using a key rather than entering your password. This comes in very handy to build scripts that connect to machines for file transfer, backup and more and also saves you the hassle of entering your password every time you SSH into a machine.

This guide assumes that you have an SSH server setup on your “server” and an SSH client set up on your client. (sudo apt-get install openssh-server & sudo apt-get install openssh-client respectively)

First from the client run the following command logged in as your normal user account:


(Leave the password blank if you do not want to supply it on login, but remember to guard the created cert with your life as it opens the door to anyone that finds it…)

This creates id_rsa and id_rsa.pub in the ~/.ssh directory.

Next we want to upload the pub file to the remote server/host that you want to connect to:

scp ~/.ssh/id_rsa.pub remoteuser@remotehost:~/

Now that it is uploaded we have to authorize it by connecting to the remote machine (ssh user@remotehost) and running the following on the remote host:

cat id_rsa.pub >> ~/.ssh/authorized_keys

and then:

rm id_rsa.pub

to delete the uploaded file.

If the remote host does not have key authentication enabled (should be by default), ssh the machine and edit the config file like such:

nano /etc/ssh/sshd_config

and add/change the following to options as such:

RSAAuthentication yes
PubkeyAuthentication yes

then reload the config:

/etc/init.d/ssh reload

At this point you can check to make sure that you are allowed to log in via your key and if that is the case you can disable password authentication.

Edit the config again:

nano /etc/ssh/sshd_config

and set the following:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

reload the config:

/etc/init.d/ssh reload

That it. You are now on your way to more secure/hassle free SSH authentication.

Technorati Tags: , ,