Saturday, June 9, 2018

How do I log in over ssh without using passwordless RSA / DSA public keys?


Linux system admins normally log in to Linux servers either by supplying a password
or by using key-based authentication. sshpass is a tool that automatically supplies
the password at the ssh prompt so that automated scripts can run unattended.
sshpass feeds the password to ssh through a dedicated tty, fooling ssh into
believing that an interactive user is typing it.

Install sshpass under Debian / Ubuntu Linux

Type the following command:
$ sudo apt-get install sshpass

Install sshpass under RHEL/CentOS Linux

$ sudo yum install sshpass

If you are using Fedora Linux, type:
$ sudo dnf install sshpass

Install sshpass under Arch Linux

$ sudo pacman -S sshpass

Install sshpass under OpenSUSE Linux

$ sudo zypper install sshpass

Install sshpass under FreeBSD Unix

To install the port, enter:
# cd /usr/ports/security/sshpass/ && make install clean
To add the package, run:
# pkg install sshpass

Getting help:
# sshpass -h
Usage: sshpass [-f|-d|-p|-e] [-hV] command parameters
  • -f filename   Take password to use from file
  • -d number     Use number as file descriptor for getting password
  • -p password   Provide password as argument (security unwise)
  • -e            Password is passed as env-var "SSHPASS"
  With no parameters - password will be taken from stdin
  • -h            Show help (this screen)
  • -V            Print version information
At most one of -f, -d, -p or -e should be used


How do I use sshpass in Linux or Unix?

Log in to the ssh server example.com with the password redhat@1234:
$ sshpass -p 'redhat@1234' ssh username@example.com

For a shell script you may need to disable host key checking:
$ sshpass -p 'redhat@1234' ssh -o StrictHostKeyChecking=no username@example.com

To run a command on the remote server, for example to check its uptime:

$ sshpass -p 'redhat@1234' ssh username@example.com "uptime"

Sample output
01:04:35 up 126 days,  3:34, 2 users, load average: 0.50, 0.54, 0.55

Reading password from file

Another option is to read the password from a file using the -f option.
The syntax is:
$ sshpass -f fileNameHere ssh user@server
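An added wrapper, not from the original post or the sshpass project, that enforces the file-based form: the password file must be private and owned by the caller, and host keys are verified against a pinned known_hosts file rather than switched off. It assumes sshpass and ssh are installed; KNOWN_HOSTS_FILE is a hypothetical environment variable for overriding the known_hosts path.

```shell
#!/bin/sh
# Added example, not from the original post or the sshpass project: a wrapper
# that only accepts the -f (password file) form. "-p" puts the password on the
# command line, where every local user can read it from "ps" and where it
# lands in shell history.

# Return 0 only if $1 is a regular file, owned by the caller, mode 0600 or 0400.
check_pwfile() {
    f="$1"
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    perms=$(ls -ld "$f" | cut -c1-10)      # e.g. -rw-------
    owner=$(ls -ld "$f" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ] || { echo "$f is not owned by $(id -un)" >&2; return 1; }
    case "$perms" in
        -rw-------|-r--------) return 0 ;;
        *) echo "$f must be mode 0600 (or 0400), is $perms" >&2; return 1 ;;
    esac
}

# run_remote USER@HOST PASSWORD_FILE COMMAND...
# Host keys are verified against a pinned known_hosts file instead of being
# switched off with StrictHostKeyChecking=no, so an unattended script cannot
# be redirected to a host whose key was never recorded. KNOWN_HOSTS_FILE is a
# hypothetical override for the file path; populate it once with ssh-keyscan.
run_remote() {
    target="$1"; pwfile="$2"; shift 2
    check_pwfile "$pwfile" || return 1
    sshpass -f "$pwfile" ssh \
        -o StrictHostKeyChecking=yes \
        -o "UserKnownHostsFile=${KNOWN_HOSTS_FILE:-$HOME/.ssh/known_hosts}" \
        -o PubkeyAuthentication=no -o PasswordAuthentication=yes \
        "$target" "$@"
}

# Stand-alone use: ./sshpass-run.sh user@example.com ~/.ssh/example.pw uptime
if [ "$#" -ge 3 ]; then
    run_remote "$@"
fi
```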





How to Disable Root SSH Login on Linux?


One of the biggest security holes you can open on your server is to allow logging in
directly as root through ssh, because any cracker can attempt to brute-force your
root password and gain access to your system if they figure out that password.

It’s much better to have a separate account that you regularly use and simply
sudo to root when necessary. Before we begin, you should make sure that
you have a regular user account and that you can su or sudo to root from it.

To fix this problem, we’ll need to edit the sshd_config file, which is the main configuration
file for the sshd service. The location will sometimes be different, but it’s usually in /etc/ssh/.
Open the file up while logged on as root.

$ vi /etc/ssh/sshd_config

Find this section in the file, containing the line with “PermitRootLogin” in it.

#LoginGraceTime 5m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

Uncomment that line so it reads as follows, which disables logging in through ssh as root:

PermitRootLogin no

Now you’ll need to restart the sshd service:

/etc/init.d/sshd restart

Now nobody can brute force your root login, at least.
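An added check, not from the original post, that reports the PermitRootLogin value sshd will actually use from a config file. It relies on two sshd_config rules: the first uncommented occurrence of a keyword wins, and a commented "#PermitRootLogin no" line like the one shown above changes nothing. It assumes the OpenSSH default of prohibit-password when the keyword is absent, and ignores conditional Match blocks.

```shell
#!/bin/sh
# Added example (not from the original post): report the effective
# PermitRootLogin value of an sshd_config file. sshd uses the FIRST
# uncommented occurrence of a keyword, so a later line cannot override an
# earlier one, and "#PermitRootLogin no" is only a comment.

# Print the effective PermitRootLogin value for config file $1.
# Lines inside "Match" blocks are ignored here (they apply conditionally),
# and only the whitespace-separated "Keyword value" form is handled.
# Assumed default when the keyword is absent: "prohibit-password"
# (the OpenSSH default since 7.0).
permit_root_login() {
    awk '
        # keyword matching is case-insensitive in sshd_config
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# Return 0 if root login over ssh is disabled in config file $1.
root_login_disabled() {
    [ "$(permit_root_login "$1")" = "no" ]
}

# Stand-alone use: ./check-root-login.sh /etc/ssh/sshd_config
if [ "$#" -ge 1 ]; then
    echo "PermitRootLogin = $(permit_root_login "$1")"
    if root_login_disabled "$1"; then
        echo "root login over ssh is disabled"
    else
        echo "root login over ssh is still permitted"
    fi
fi
```

Before restarting the service, `sshd -t` validates the edited file so a typo cannot lock you out; on systemd-based distributions the restart is `systemctl restart sshd` rather than the init script shown above.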

Friday, May 25, 2018

How to force a user to change their password on next login in Linux?


Method 1:
To force a user to change their password, the password must first have expired. To expire a user's password, use the passwd command with the -e or --expire switch followed by the username, as shown:
# passwd --expire ravi
# chage -l ravi
Last password change                                    : password must be changed
Password expires                                        : password must be changed
Password inactive                                       : password must be changed
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
After running the passwd command above, you can see from the output of the chage command that the user's password must be changed. The next time the user ravi tries to log in, he will be prompted to change his password before he can access a shell.
Method 2:
Using the chage command:
chage command - Change user password expiry information
Use the following syntax to force a user to change their password at next logon on Linux:
# chage -d 0 user-name
In this example, to force ravi to change his password at next logon, enter:
# chage -d 0 ravi
  • -d 0 : Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format YYYY-MM-DD. By setting it to zero, you force the user to change the password upon next login.
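An added audit script, not from the original post, that shows what both methods have in common: passwd --expire and chage -d 0 each set the third field of /etc/shadow (days since 1970-01-01 of the last password change) to 0, which chage -l reports as "password must be changed". The sample shadow content is constructed; reading the real /etc/shadow requires root.

```shell
#!/bin/sh
# Added example (not from the original post): list accounts that must change
# their password at next login by reading a shadow-format file directly.
# Field 3 of each entry is the last-change day count; 0 means "forced change".

# Print, one per line, the users whose last-change field is 0.
# Reads file $1, or stdin when no file is given.
must_change_users() {
    awk -F: '$3 == "0" { print $1 }' ${1:+"$1"}
}

# Print the last-change day count for user $2 in file $1 (empty if absent).
last_change_days() {
    awk -F: -v u="$2" '$1 == u { print $3; exit }' "$1"
}

# Constructed sample in /etc/shadow format (placeholder hashes, not real data).
# 17600 days after 1970-01-01 is a date in 2018; "!!" is a locked password.
sample_shadow() {
    cat <<'EOF'
root:$6$placeholder1:17600:0:99999:7:::
ravi:$6$placeholder2:0:0:99999:7:::
alice:$6$placeholder3:17595:0:99999:7:::
svc:!!:0:0:99999:7:::
EOF
}

# Stand-alone: audit the constructed sample, or a real shadow file given as $1.
if [ "$#" -eq 0 ]; then
    sample_shadow | must_change_users
else
    must_change_users "$1"
fi
```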


Friday, March 16, 2018

How to check physical network cable connection status on Linux?

Method 1

Using dmesg

Using dmesg is one of the first things to do when inquiring into the current state of the system:

Example:

dmesg | sed '/eth.*Link is/h;${x;p};d'
[1667676.292871] e1000e: eth0 NIC Link is Up 100 Mbps Full Duplex, Flow Control: Rx/Tx

Method 2

/sys/class/net/

cat /sys/class/net/eth0/carrier
1

The number 1 in the above output means that a network cable is physically connected
to your network card's port.

Or

cat /sys/class/net/eth0/operstate
up


Method 3

Using ethtool command

Syntax: ethtool interface_name | grep Link\ d

Example:

ethtool eth0 | grep Link\ d

Link detected: yes

We can use a bash for loop to check all network interfaces at once (iterating over the
sysfs entries directly rather than parsing ls output):

for i in /sys/class/net/*; do i=${i##*/}; printf '%s' "$i"; ethtool "$i" | grep Link\ d; done

Sample output:

eth0 Link detected: yes
eth1 Link detected: no
lo Link detected: yes
wlan0 Link detected: no

NOTE:

The only problem with the above ethtool output is that it will not detect a connected
cable if your network interface is down. Consider the following example:
# ethtool eth0 | grep Link\ d
       Link detected: yes
# ifconfig eth0 down
# ethtool eth0 | grep Link\ d
       Link detected: no
# ifconfig eth0 up
# ethtool eth0 | grep Link\ d
       Link detected: yes
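An added script, not from the original post, that combines methods 2 and 3 above: it reads carrier and operstate from sysfs for every interface and handles the same blind spot the note describes. Reading the carrier file of an administratively down interface fails ("Invalid argument"), so that case is reported as unknown rather than as "no cable". The sysfs root is a parameter (assumed default /sys/class/net) so the function can be tried against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the original post): report carrier and operstate
# for every interface under a sysfs net directory. A down interface has no
# readable "carrier" file, which must not be confused with an unplugged cable.

# $1: sysfs net directory (assumed default /sys/class/net).
link_status() {
    sysnet="${1:-/sys/class/net}"
    for dir in "$sysnet"/*; do
        [ -d "$dir" ] || continue
        ifname="${dir##*/}"
        # "cat" fails with "Invalid argument" while the interface is down
        carrier=$(cat "$dir/carrier" 2>/dev/null) || carrier="?"
        operstate=$(cat "$dir/operstate" 2>/dev/null) || operstate="?"
        case "$carrier" in
            1) cable="cable connected" ;;
            0) cable="no cable" ;;
            *) cable="unknown (interface down?)" ;;
        esac
        printf '%s carrier=%s operstate=%s %s\n' "$ifname" "$carrier" "$operstate" "$cable"
    done
}

# Return 0 only if interface $2 under sysfs directory $1 reports carrier == 1.
has_carrier() {
    [ "$(cat "${1:-/sys/class/net}/$2/carrier" 2>/dev/null)" = "1" ]
}

# Stand-alone use: ./link-status.sh            (real sysfs)
#                  ./link-status.sh /some/dir  (constructed tree for testing)
link_status "$@"
```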



Tuesday, February 27, 2018

How to tune the NIC ring buffers (RX, TX) on a network interface?


Modern, server-grade network interfaces can keep their transmit and receive buffer descriptor rings in main memory. They use direct memory access (DMA) to move packets to and from main memory independently of the CPU.
The usual default buffering values for regular desktop NICs are 256 or 512 bytes. High-performance NICs can go up to 4096 and/or 8192 bytes.
To view the capabilities and the current values of your interface you need ethtool. Simply run the following command:
ethtool -g interfacename      (-g is short for --show-ring)
ethtool -g eth0

This will output something like this :

ethtool -g eth0
Ring parameters for eth0:
Pre-set maximums:
RX: 4096
RX Mini: 0
RX Jumbo: 0
TX: 4096
Current hardware settings:
RX: 256
RX Mini: 0
RX Jumbo: 0
TX: 256

Here we have two sections in our output. The first section, "Pre-set maximums", tells us the maximum value that can be set for each available parameter. The second section shows what each parameter is currently set to. We are most interested in the topmost parameter, labeled simply "RX", which is our receive ring buffer.
Buffers are generally tuned small for latency reasons: the smaller the buffer, the lower the latency. But low latency comes at a price, and that price is maximum throughput. For greater throughput we need a larger buffer. Factory defaults are generally good for most systems, but don't be afraid to tune this for your own scenario.


We can see here that both RX and TX are set to 256, but the interface is capable of 4096 bytes.
To increase the buffers, do the following :
ethtool -G|--set-ring devname [rx N] [rx-mini N] [rx-jumbo N] [tx N]
ethtool -G eth0 rx 4096 tx 4096

Running ethtool -g again now shows the new values:

ethtool -g eth0
Ring parameters for eth0:
Pre-set maximums:
RX: 4096
RX Mini: 0
RX Jumbo: 0
TX: 4096
Current hardware settings:
RX: 4096
RX Mini: 0
RX Jumbo: 0
TX: 4096